IT Security and Identity Solutions
Well, welcome back to the Mastering Risk Management Podcast. I'm Anthony Wilson. Great to have your company again and your ears for another fascinating interview on the program. So today we have John Charles, and John is the Senior Vice President at IS Squared. Now, interesting name. We might delve into what that name is all about a little bit later.
John's customer-facing role is that of a strategic senior IT architect who works with customers' upper-level management in strategic planning and problem solving. This entails how to utilise technology to meet their business requirements faster and cheaper while maintaining a future vision.
John's internal role at IS Squared is as the head of R&D, managing product development, research on emerging technologies and complex IT problem solving. John started his IT career as a young developer coding in C++. That's probably something historical we'll ask about as well.
John then branched out to network engineering and security and completed the circle with system integration on IoT systems in the manufacturing place. John also holds a bachelor's degree in computer science from Cornell University, where he graduated magna cum laude, which I think means with high distinction. So, John, welcome to the program.
Thank you, Anthony.
Great to have you here, and a very interesting bio, and it sounds like there are lots of things to explore there, including the IS Squared name, but we'll come back to that. So, John, tell us about your career journey.
So how did you go from sitting in high school or grade school, or whatever school it was, and deciding to get into information technology?
Oh, it's a very interesting road. I actually was not planning to be in the IT realm. In high school I was thinking about electrical engineering as a major, but before that I was a normal teenager. So I believe it started way back before I actually decided what my major was going to be.
As a young guy I wanted a video game and I asked my parents real nicely: I've gotten some good grades, can you buy me a video game? Don't know if my parents thought that was a joke or they just have a very peculiar sense of humor, but they bought me an IBM PC instead.
So a friend of my mother's was a programmer for the financial industry and she looked at me and said, what's the problem? Write one. If you want a video game, go write one. And I proceeded to spend the next couple of years just copying video games that were on the market, trying to reproduce them, and that's how I got into programming.
Yeah, right.
Anybody that's studied electrical engineering understands that an entry-level electrical engineer is a programmer. There is no electrical engineering in it. So I kind of kept on to the IT realm and it kind of switched off. So from there I went into programming. After college I did a stint in the United States Marine Corps.
During that time is probably where I became more interested in the IT realm, seeing where things were going and how maybe not as modernized as I thought the real world was. So that led me more into the network engineering and the security realm of my background.
After my tours in the Marine Corps I ended up working for AT&T internally in their business management division, IT business management, where I was happily exposed to a lot of more advanced networking.
Those were the early phases of the internet, high capacity, high bandwidth, and with that came all the strategic planning to be introduced, with all the planners, the architects that were saying, oh, it's not what's here now, it's where we have to be in two years. So that changed kind of what I was always focused on. So it's great to have the technology now.
I was always interested in what's coming. From then I did a stint with Microsoft as a Microsoft consultant for a while, and then I worked for some biopharma companies where I was put on the challenging task of modernizing their manufacturing facilities, which gave me that experience in the IoT realm. So that leads me to today.
So a couple of buddies of mine decided that we were going to branch out, take our knowledge and start an internet security company, and that was the formation of IS2. IS2 does have a meaning behind the name. So it was information security, information infrastructure, so I-S-I-S. So we happily didn't pick ISIS; at one point that was on the list.
That could have been a marketing disaster.
That would have definitely been a disaster.
Oh, that's great. So a very varied path in your career and lots of experience along the way, by the sounds of it.
I definitely didn't take a straight road.
Yeah, which is frequently the way with the guests that I speak to. You know, they experience a lot of different things along the journey, which is great. That's great. Thank you for sharing your path. So tell us a little bit about IS Squared. What's the scope of the work and what sort of services do they offer, those sorts of things?
So in the beginning, IS Squared was formed as an identity boutique shop, so we managed identities back in the days with directory structures and so forth. We managed complex ADs with mergers and acquisitions and so forth, and then we kind of got known as the identity experts, both from the Microsoft world and later on with different security vendors.
So that's pretty much the core of it. We built a good practice around web consulting as well as a managed service practice.
Okay, so your speciality, if I understand it correctly, is the identity of people accessing systems and access levels and those sorts of things. Is that correct?
That's how it started. Now we fast forward. Today, identity is everything, so you think it's not only the person's access. Now it's your device, your computer's access, it's your cell phone's access, it is the application's access to even access your data.
Right.
So it's become a lot more complex. It's not as straightforward as just thinking about individuals anymore.
Yeah, no, clearly I hadn't thought about that perspective either. So access, I guess, to the organization's network systems, to the data, all of that stuff that has to be protected.
Yeah, correct. So we also specialize in certificate-based access now. So we've kind of shifted, and once again moving toward kind of what's in the future, when we're going to move away from passwords, what's more secure, trying to stay two steps in front of the bad guys.
Yeah, yeah, absolutely. So what is that? You've thrown out the bait and I've bitten. What is in the future, you know, ahead of passwords and all of that stuff that we go through now with multi-factor authentication and those sorts of things? What are some of the things that the future holds, do you think?
Well, if you think about it as an individual, we've tried to fix things with multi-factor, with RSA tokens and so forth. If you start thinking about identity in that whole holistic view now, how do you give a device a password? How do you give a new application a password? It gets more complex.
However, you can input a certificate into almost most devices, network devices, personal devices, so allowing people to bring their own device, BYOD, and that's more secure. The certificate's harder to break, so if it's generated from the banking or a financial institute, it's not like it is a public certificate.
For it to be valid, it had to come from that organization. So that kind of eliminates the man in the middle watching you and trying to find new ways of capturing your credentials. So we see that certificates are also easily revoked. So think about how fast you can recover or cut off the links. It's faster, it's a faster means.
So if a device is stolen, a phone, a mobile phone, for instance, or a laptop, or whatever else, you report it and you revoke the certificate and you don't have to worry about it.
Okay, that's very interesting. And how does that affect individual identity as well?
So now you think about what's the easiest way to tie that or grant a person a certificate. Eventually a person is going to generate their certificate to identify them as them and then actually give that as maybe a secondary authentication to their bank, to their school.
So you authenticate one way from the organization and then a second way back to make sure both sides of that authentication are the actual person.
Yeah, okay. Interesting. Some ideas.
Yeah, so, some ideas, yeah.
So that is fascinating. So I guess a double-barreled question here, John. So what does a typical ISSquared customer need or look for, and what is the problem they're typically looking for? And then the second part to that is what would a typical engagement look like for you guys. What does a project look like? How does it start, those sorts of things?
So we're a very unique boutique company. We have very high-end Fortune 100 companies and very medium-sized large companies. So we kind of delve in from two kinds of entities when it comes to security and maturity. So I'll handle a mid-sized large company first and then we'll talk about enterprise. From a mid-sized company, when I say mid-sized, I'm kind of talking about, still, they have a couple of tens of thousands of employees. Possibly they are trying to make sure they're more secure. So they get to that: okay, come in here, make sure that you can assess what we have and make sure it's the best that we can.
So we do a lot of initial engagement with just coming in and doing an assessment. They'll say, okay, we want to do a network upgrade and this is what we're planning. We're like, well, let's stop. Before we give you any ideas, let's make sure you have a strong footing of where you are right now.
And that's typically how most of those engagements start. From the enterprise, on the other side, they are probably a little more mature, they know exactly what they have, and the problem is they probably have too many pieces of the puzzle mixed around and don't know how to put them together.
Right.
And you'll find out a lot with security tools integrating with business applications.
Yeah, and is that like a legacy issue, that over time the enterprise has grown, they've got more bits of software and bits of kit and then they build another layer of security onto it and it becomes a bit of a jumble?
That's one of them. But if you think about it, and this may be legacy, talk about having Active Directory in your organization. And now you have a bunch of SaaS-based business applications.
You still have to link those together for single sign-on, make sure the tokens work and so forth, that they're working seamlessly for the business. So those connections also need to be planned out and configured. Sometimes, a lot of times actually, we build custom connectors to make sure that the user experience is more seamless or more secure.
You're not sending out passwords on both ends or anything, things like that.
Right, right.
So the engagements are similar but kind of different in how we implement. One's more planning and helping walk them through, and the other one's more integration and making sure everything works well collectively.
Yeah, okay.
That's good, thank you, and I'm hoping the answer is 90% of clients are being proactive in thinking about their security environment and how they could improve it, or, you know, be on some sort of continuous improvement journey.
But is there the case where some clients have just had an incident, or they've just had a near miss and, you know, they've had a bit of a fright and they're now saying, oh, by golly, guys, we need some help. Is that the case?
I would say about a year and a half ago, maybe 18 months ago, that was probably more of the case.
Right.
I would say now they're more security-aware, and there's two things driving especially the mid-sized large companies. It is they are becoming more aware of compliance and they're becoming more aware of their certifications.
So whether they want to make sure that their clients are asking vendors to make sure that they are SOC 2 compliant and so forth, that's kind of driving their security. Another big driving factor, whether it's mid-sized or large enterprise, is insurance. Cybersecurity insurance is driving security awareness.
They want to make sure... I mean, typically you didn't have insurance questionnaires saying, okay, show me that you have multi-factor installed, you have protected physical security on your data centers. These are valid questions that every organization is getting these days.
Yeah, that's a really good point, John. Thank you for bringing that up, and just having a few of our clients going through the process of filling out that cybersecurity renewal form, yeah, there's some white faces, let me say, as they sit there and the blood drains away and they think, oh, my goodness, how do I answer that?
It's become more apparent that finance, accounting, or that side of the back office business, is becoming very friendly with IT. They're like, hi, I need you to help me answer this.
Yeah, you're right, there's some strange new bedfellows, as they say, as they work together to work through that. But listen, it's a good thing, I think, broadly, for end consumers to know that organizations are absolutely taking this seriously. Yes, and it's a good outcome for insurers as well.
So if they benefit, then, you know, clients benefit with better premiums and those sorts of things as well, because the market's been pretty tight, as we've seen.
Yes, definitely.
Yeah, so that's good. So we've got clients that are proactive, and we're moving away from clients that are responding. What does a typical engagement look like? You start with a bit of an assessment of their current state.
Is it normal that this looks like a, you know, massive project that's going to take 12 months to put all the elements in and people are scratching their heads and saying, oh my God, this is going to take forever? Or can the uplift, I suppose you'd call it, to get to a happy place in terms of their security environment or posture...
Can that be done relatively quickly? What sort of length does a typical project take and what does it look like?
So our typical assessments, and we have network assessments, we have your cloud assessment, we can have your internal infrastructure assessment, either of those we try to keep within two to three weeks so that we can get them a response and they get a good footing.
Navigating IT Security and AI Transition
We like to be interactive, so we don't just take a report and give it to them, like, there you go. It's more of, okay, we want to present what we found so that, one, you can say, oh no, you missed a piece and we can correct it, and then, two, give them kind of options.
I mean, the worst thing is for an IT director to say, oh yeah, we just paid for the assessment and his manager wants to see it, and he has no way of responding with options. A roadmap with timeframes is better for him. It makes him look like he's well prepared for his environment, as well as saying, okay, from a budgeting standpoint, we are looking at this.
So kind of, tell me what I can do now and what we need to get done at a stage, so he's more prepared. It's actually getting your IT side of the house more business savvy.
Right, and I gather that the report roadmap prioritizes, sort of, you know, urgent, do now; important, do soon; and nice to have, do later type stuff. Does it give it that sort of prioritization?
Yes, and it also gives them flexibility on spending. So, okay, we're tight right now. However, we can get this done, and this may also be good on the insurance side, because that roadmap can flow into there, talking to the insurance agent saying, okay, here's our roadmap on security.
These are all outlined for the next two to three years, and they're happy with their premiums too. And then, typically, off of that, that gives them the opportunity of saying, okay, based on your expertise, we would like to work with you on these projects. Do you mind either being the architect or a consultant on these projects?
These we'll handle in-house, these we'll do externally. It gives them all that flexibility.
It gives them all that flexibility, and you can provide a service from, hey, here's the report, good luck, see you later, right through to project managing the whole thing, I gather.
Exactly, yeah.
Oh no, that's great, that's great. Left-field one, John, for you.
Has ISSquared ever been engaged by insurers to make an assessment of somebody before they take on a risk?
Actually, no. That's actually a very good idea. We've never actually taken it from that side before. We've taken it from financial but not from any insurers.
Yeah, just a thought that just occurred to me. It's a good way for them to self-assess, I suppose.
It makes sense. I mean, you have financial institutes that want an assessment done to make sure that it's viable to loan this money or work with this company. It makes sense.
Yeah, no, it's just a thought that could be a service that you could provide, definitely.
Thank you. Yeah, yeah, that's fine.
No, that's good. So in a project that goes over a period of time, so, you know, if there's a fair bit of work to do and those sorts of things, is there a risk that the organization loses a bit of that focus or the urgency, and is there a way to keep them engaged or keep them on the straight and narrow, as it were, to rectify any security issues?
That is a very big problem, and we've actually implemented a project management office within our company, which we use for these types of engagement.
We always say we would like to put a PM on the project to make sure, or help you keep track, and sometimes it is just that they are busy resources and things get put to the side and come at the last minute, and it's like, oh, where's the status on this?
Now that's good. That's good, yeah, because obviously organizations have a lot of stuff on their plate and things can drift or other things can take priority, and it'd be good to help them keep a bit of focus or at least keep momentum.
Nothing worse than something stopping and trying to restart it again, and IT is famous for doing a lot of things at one time.
Yeah, absolutely. John, tell me, and I'm not sure if you can answer this or you've come across it live, as it were, but what about artificial intelligence in this space? Is there something that organisations now need to think about differently because of AI? Are there potential gaps now in enterprise or organizational security postures that they're just not aware of?
With AI coming on, is there something that you're contemplating in that space?
That's actually a very large discussion. One of the products that we offer is a hosting solution, a private cloud, and after, or actually during, COVID, a lot of customers wanted some kind of edge solution where their compute wasn't totally internally in their data centers but wasn't totally on the public cloud. That has branched out.
When you think about AI, and now that they're talking about where to keep their data, right, it is definitely the meat and potatoes of everything. It can expand, it can take on that big blast, but sometimes you want the same kind of flexibility in a more controlled manner.
Right.
And so we definitely see that we have a couple of customers that have been asking to see more of the private cloud solutions, how they're going to model this, and then the other one is definitely asking more about the data. How do we manage my data? How do I do my data engineering? How do I do my data analytics?
I know the big buzz, but I want to say, yes, we are moving towards AI, but I don't know how. So it's a little more of, okay, let's kind of make sure we get all your requirements and give you a practical way of showing this. I mean, the good thing about AI is it's been around a while.
The reason we're talking so much lately is we're fortunate, or maybe not fortunate, that we have hardware that can actually spit those answers out relatively quickly now. So we've definitely jumped up the curve and we're having fast response, and we're even moving faster because of it. It's just going to be exponential from now on.
Yeah, absolutely. It's amazing how quickly it's progressing. But there you go, modern times.
Yes. John, just before I let you go, just one question I like to ask all my guests, and that is, if a young person was contemplating getting into this field, even IT more broadly, I think it's pretty clear that getting into IT is not a bad general choice.
But getting into IT is like saying, well, getting into medicine, there's so many different areas and different fields. But, you know, if a young person listening was contemplating getting into IT, or IT security specifically, or something like that, what sort of advice would you give them as they contemplate entering the field?
I would definitely say IT security is a good jumping start. However, that ocean is very big, so maybe remember to take sidesteps and learn smaller skill sets like network and basic networking. So knowing that, maybe understanding, taking some database classes so that you understand where the data flows.
So I would definitely recommend them branching out, not just focusing dead on what they believe they want to do, because those take so many pieces to put the whole thing together. They may actually find out, I want to specialize in this small particular area and this is where I like it.
I can work on this night and day and never be worried, and it pays very well. The second one is kind of an aside. I would say while you're doing your IT, maybe take a business class, because, like I said, IT is now being talked to more from the back-end business management.
Understanding what they need helps you design, understand, protect better.
Yeah.
Yeah, it is a very broad church, isn't it? And I think, well, it's reflected in your career journey, you know, lots of different experiences in different organizations, and it comes together or culminates in, you know, your expertise in your current business. So that's, no, that's great advice. Thank you for that.
Well, John, listen, really appreciate your time today and you spending the time with us and sharing your knowledge and experience with the audience. It's much appreciated. If people want to get in touch with IS Squared, how do they do that? What's the address they need to go to?
That would be www.issquaredinc.com.
Excellent, ISsquaredinc.com. Well, I'll put that in the show notes as well. So, once again, thank you, John, much appreciated.
Thank you for having me!
Excellent. Well, listeners, that was John Charles generously sharing his experiences in IT security and the work that he and the team do at IS Squared. Hope you found that very interesting, I certainly did, and lots of things to consider there for all enterprises and organizations. This stuff isn't going away.
You've got to get on top of it, and you might as well do it well with the help of experts. So don't forget to look up IS Squared Inc as a potential partner or someone that can give you the advice that you may need in that space. Thanks again for listening to the program today. This has been Mastering Risk Management.
I'm Anthony Wilson and it's been great to have you along again, so we will talk soon. Cheers.
