The Benefits and Concerns of Free Trials & POVs of Cybersecurity Products | Nick Ryan

Interested in sponsoring an episode like this with your target buyer?

→ Reserve your sponsorship here. ($2,575)

Guest at a Glance:

💡 Name: Nick Ryan

💡 What he does: Nick is the the Director of Enterprise Security, Governance, Risk, & Compliance (CISO) at Baker Tilly US, the 9th largest Accounting Firm in the world.

💡 Noteworthy: Nick lives in San Diego, California and is a new father to a beautiful, 10-month old! Welcome to the club! Nick actually started out his career in sales and has compassion for sales pros doing their job. He is also a passionate learner and equally motivated to help others grow in their career and life.

💡 Where to find Nick: LinkedIn

Episode Description

Free trials and proofs of value are key factors in deciding whether or not to purchase a cybersecurity solution.

But there are concerns with them too.

CISOs and security practitioners have to be real smart and careful about which products they allow within their environments.

In this episode, I had a brutally honest conversation with Nick Ryan, Director - Enterprise Security, Governance, Risk, & Compliance (CISO), Baker Tilly US, about his challenges, goals, what vendors do that piss him off, and the alternatives.

Episode Insights:

Nick’s motivation for working in cybersecurity:

After he worked in sales, he made his way out to California and into the accounting industry where he worked for a firm of about 600-700 people. The firm merged with Baker Tilly, when he then took over all of security, governance, risk and compliance for the 7500-employee organization.

“It's been a great shift and I finally realized this is why I've always been naturally drawn to security. It just comes easy to me. I love it. It's exciting. There's always something new. I'm a forever student, forever learner. The more that comes out, the cooler problems we get to solve. Being able to connect with so many different people at the board level and the risk committee, all these different walks of life, and talk security with them, break it down for them - it's pretty cool. So, that's why I do it.”

Recruit a board of directors for your personal life

Nick recommends creating your own board of directors for your personal life.

“A new concept somebody brought up to me was they have what they call a board of directors for their personal life. So, they have kind of a mentor or somebody that they go to in like 10 different lanes - from practical, like a lawyer to an accountant to finance person to emotional wellbeing. It's a good concept, making sure that if you're not the expert or you need help and guidance in some way, connect with those people that can help out. There are a lot of willing people out there.”

What Nick hates most about the cybersecurity industry:

• Buzzwords - because they’re used by non-technical people.
• Slides that just look pretty and sexy but are just “market-ecture,” as he puts it.

“Just trying to abuse buzzwords, like zero trust or SASE, you know, things like that, it's annoying. It’s almost like it's a disingenuous undertone to it, right? You're coming up with what you think is this new space and you're trying to call it something that is attractive, which I understand. I don't necessarily like it. ‘Cause if you get into those conversations and deeply pull those topics apart, you'll find out that most of the people that are saying them don't actually understand what it really means.”

What’s the real deal with the use of “zero trust” that pisses off security buyers?

What zero trust really is at the core of it is trust, but verify.

If you had zero trust, literally no one would get into the system, ever.

“I think that's the problem with it, right? It's this absolute term.

The tools that claim, ‘we do zero trust’ - you have to gimme more than that.

Does that mean micro segmentation? Or does it mean that you're doing least privilege? What does it really mean?

It's a fun sounding word, but then once you break it down more, there's so much more to it, so many more layers.”

Nick’s bleeding neck challenge:

Managing of data.

There are so many tools out there being used and data that’s being brought in - it is hard to stay on top of the data sources, make sure things are getting tagged properly.

“That's a real challenge and it's only getting more and more so when you have new tools popping up every single day, it's pretty insane how quickly they come to the party.”

Nick’s ultimate goal as a CISO:

To protect the firm's revenue, keeping the firm out of financial harm.

“I would feel like the biggest failure if we had an incident that led to Baker Tilly being on the front page of some newspaper or Security Weekly. You don't ever want to be associated to that.

We have to worry about CCPA and things like that. That would be a real bad time if we had to pay out millions and millions of dollars. That would be the ultimate failure.”

Tools helping Nick achieve his current goal right now:

Carbon Black - “A fantastic tool that we have a lot of great things come out of it. It helps us have a lot of control.”

SecureCircle (Acquired by CrowdStrike) - “They offer transparent encryption on every single file in the environment. That's not even just like PDFs and Word docs. It's literally DLLs…everything gets encrypted. The idea is that if something were to get compromised, it doesn't matter to the firm because it's not on an approved device and approved user. It's just going be gibberish. It's gonna be encrypted. That's super cool to solve that problem of data - making sure it's in the right place at the right time and the right users. So, that's a really cool product.”

Triggers to evaluate SecureCircle:

• Nick knew that data loss prevention (DLP) wasn't cutting it because it's all rules based stuff.

“It's only as good as the rules are, it's a lot to manage and things fall through the cracks.”

• He and his team started looking for new solutions and as far as Nick recalls, SecureCircle was referred to him.

“Either way, we got in and they did a really good job of trying to understand the problem, but also what I liked about 'em too, is they were more focused on, here's how we're solving it for other people. And not trying to say, ‘Nick, we're gonna fix all your problems for you. And this is gonna be the best time ever.’

Or making me feel bad about it because sometimes sales people will kind of put the FUD back into security and be like, ‘you have to do this. If you're not doing this, things are so bad.’”

• They then we started a trial and the experience was “fantastic”.

“And it really works. But also they were upfront about some of their shortcomings and that's been cool too, just to see the growth from initially when we started talking of the product to now, it's grown a lot.”

What changed that Nick decided now is the time to go with SecureCircle:

There is a strategic roadmap that Nick follows, which had to be approved by the risk committee and blessed by the legal teams.

When he came into the role, the first thing he had to do was onboard and integrate new tools, putting a really robust stack in place.

Then, they could focus on the next step in their roadmap, which was to protect their data.

“I was super, wildly unhappy with using a built in Microsoft DLP. We were ready for something much more advanced.”

How Nick separates the wheat from the chaff:

Nick is huge on vulnerability and transparency when he speaks with vendors.

“If I ask them, which I ask every single vendor, what makes your competitor product better than yours? What do they do better than you do? What do you think that you do better than them? If they give me a real softball BS answer about what the competitor does better, I don't wanna hear that crap.”

He is interested in hearing where vendors and their competitors lose out. He takes this with a grain of salt but it helps him evaluate solutions because he can then go to a competitor and discuss those weaknesses with them and ask them if and how they solve those.

“That's part of my own process of going through this. And then, being a larger organization, we're not massive, but 7,500 people, there is an element of, how do you implement something like this? That's a question for all products, because generally speaking, just enabling something or installing something across the entire company organization, that's a big lift.”

Are free trials and POVs a key factor in deciding whether or not to purchase a solution or not?

They are. But there are concerns with them too:

Connecting solutions to tenants and viewing all the permissions technologies want do not sit well with Nick.

“You look at the permissions it's requesting and they want to see literally everything. They'll try to say, ‘oh, we have an NDA in place and that's gonna protect you’ and it's like, if you're just doing this one component for me, why do you need everything in my tenant? Why do you need these permission sets?”

Things are also difficult to unwind after they are in environments.

“You gotta be real smart and careful about which stuff you allow to do that trial, the proof of value.

I think ultimately, it is good that companies offer proof of value or free trials because to me that shows that they're willing to stand behind their product.”

Cardinal rules cybersecurity vendors, marketers and/or sales are breaking:

• 15 minutes of a buyer’s time doesn’t really mean 15 minutes.

“Integrity matters. If you reach out to me and say you want 15 minutes of my time, that's bullshit. I've never had a 15 minute meeting in my life. Unless I'm cutting it early. Integrity goes so far in our industry. So that's a big one. Don't break that.”

• If someone is posting a problem they have on LinkedIn, do not comment back claiming you can solve their problem.

“If you go on as a vendor and you write that you can solve this problem, you're just kind of being an asshole. That's not the point of this. That's not the opportunity to get in.”

• Cold calling

“I've never once purchased anything from anybody that cold called me. I get why it worked in the past. I used a cold call for sure. So, I know all about it. The success rate on that can't be good. I feel like that when you're cold calling, you're shooting in the dark. You're almost catching them off balance and trying to see if you can rope 'em in for a quick sale while they're off balance. And to me, that's not genuine and that's not long lasting.”

A request from Nick to security leaders:

Loosen up on the sales people.

“I really feel like as an industry on the internal side, they just go off on sales people and that's unfair. If you're a security executive give 'em the time of day. You could still hold your line and tell them what works for you, what doesn't, but at least respond, just be an upstanding person.

A request from Nick to cybersecurity vendors and sales:

“Get religion” on your sales structure and how you focus on things.

“It's not a traditional business. There's a longer play here.”

Interested in sponsoring an episode like this with your target buyer?

→ Reserve your sponsorship here. ($2,575)