Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Anthony Wilson (00:01):
Well, welcome back to the Mastering Risk Management Podcast. I'm Anthony Wilson. Great to have your company again and your ears for another fascinating interview on the program. So today we have John Charles and John is the Senior Vice President at IS Squared. Now, interesting name. We might delve into what that name is all about a little bit later. John's customer facing role is that of a strategic senior IT architect that works with customers' upper-level management in strategic planning and problem solving. This entails how to utilise technology to meet their business requirements faster, cheaper and maintaining a future vision. John's internal role at IS Squared is as the head of R&D, managing product development, research on emerging technologies and complex IT problem solving. John started his IT career as a young developer coding in C++. That's probably something historical we'll ask about as well. John then branched out to network engineering and security and completed the circle with system integration on IoT systems in the manufacturing place. John also holds a bachelor's degree in computer science from Cornell University, where he graduated magna cum laude, which I think means with high distinction. So, John, welcome to the program. Thank you, Anthony. Great to have you here and a very interesting bio, and it sounds like lots of things to explore there, including the IS Squared name, but we'll come back to that. So, John, tell us about your career journey. So how did you go from sitting in high school or grade school, or whatever school it was, and deciding to get into information technology?
John Charles (01:46):
Oh, it's a very interesting road. I actually was not planning to be in the IT realm. In high school, I was thinking about electrical engineering as a major, but before that I was a normal teenager. So I believe it started way back before I actually decided what my major was going to be. As a young guy I wanted a video game and I asked my parents real nicely, I've gotten some good grades, can you buy me a video game? Don't know if my parents thought that was a joke or they just have a very peculiar sense of humor, but they bought me an IBM PC instead. So a friend of my mother's was a programmer for the financial industry and she looked at me and said, what's the problem? Write one. If you want a video game, go write one. And I proceeded the next couple of years of just copying video games that were on the market, trying to reproduce them, and that's how I got into programming.
Anthony Wilson (02:48):
Yeah right.
John Charles (02:51):
Anybody that's studied electrical engineering, they understand that an entry-level electrical engineer is a programmer. There is no electrical engineering into it. So I kind of kept on to IT realm and it kind of switched off. So from there I went into programming. After college I did a stint in United States Marine Corps. During that time is probably where I became more interested in the IT realm, seeing where things were going and how maybe not as modernized as I thought the real world was. So that led me more into the network engineering and the security realm of my background. After my tours in Marine Corps I ended up working for AT&T internally in their business management division, IT business management, where I was happily exposed to a lot of more advanced networking. There are early phases of the internet, high capacity, high bandwidth, and with that came all the strategic planning to be introduced, with all the planners, the architects that were saying, oh, it's not what's here now, it's where we have to be in two years. So that changed kind of what I was always focused on. So it's great to have the technology now. I was always interested in what's coming. From then I did a stint with Microsoft as a Microsoft consultant for a while and then I worked for some biopharma companies where I was put in a challenging task of modernizing their manufacturing facilities, which gave me that experience in the IoT realm. So that leads me to today. So a couple of buddies of mine decided that we were going to branch out, take our knowledge and start an internet security company, and that was the formation of IS2. You quote on, IS2 does have a meaning behind the name. So it was information security, information infrastructure, so I-S-I-S. So we happily didn't pick ISIS, at one point that was on the list.
Anthony Wilson (05:18):
That could have
been a marketing disaster.
John Charles (05:21):
That would have
definitely been a disaster.
Anthony Wilson (05:25):
Oh, that's great. So a very varied path in your career and lots of experience along the way, by the sounds of it.
John Charles (05:31):
I definitely
didn't take a straight road.
Anthony Wilson (05:34):
Yeah, which is frequently the way with the guests that I speak to. You know they experience a lot of different things along the journey, which is great, that's great. Thank you for sharing your path. So tell us a little bit about IS Squared. What's the scope of the works and what sort of services do they offer, those sorts of things?
John Charles (05:57):
So, in the beginning IS Squared, we were formed as an identity boutique shop, so we managed identities back in the days with directory structures, and so forth. We managed complex ADs with mergers and acquisitions and so forth and then we kind of got known as the identity experts, both from Microsoft World and later on with different security vendors. So that's pretty much the core of it. We built a good practice about web consulting as well as a managed service practice.
Anthony Wilson (06:35):
Okay, so your speciality, if I understand it correctly, is the identity of people accessing systems and access levels and those sort of things. Is that correct?
John Charles (06:45):
That's how it started. Now we fast forward. Today, identity is everything, so you think it's not only the person's access. Now it's your device, your computer's access, it's your cell phone's access, it is the application's access to even access your data.
Anthony Wilson (07:03):
Right.
John Charles (07:04):
So it's become a lot more complex. It's not as straightforward as just thinking about individuals anymore.
Anthony Wilson (07:12):
Yeah, no, clearly I hadn't thought about that perspective either. So access, and I guess, to the organization's network systems, to the data, all of that stuff that has to be protected, yeah, correct.
John Charles (07:28):
So we also specialize in certificate-based access now. So we've kind of shifted and once again moving kind of what's in the future when we're going to move away from passwords, what's more secure, trying to stay two steps in front of the bad guys.
Anthony Wilson (07:44):
Yeah, yeah, absolutely. So what is that? You've thrown out the bait and I've bitten. What is in the future? You know, ahead of passwords and all of that stuff that we go through now with multi-factor authentication and those sorts of things. What are some of the things that the future holds, do you think?
John Charles (08:06):
Well, if you think about it as an individual, we've tried to fix things with the multi-factor, with RSA tokens and so forth. If you start thinking about identity in that whole holistic view now, how do you give a device a password? How do you give a new application a password? It gets more complex. However, you can input a certificate into almost most devices, network devices, personal devices, so allowing people to bring their own device, BYOD, and that's more secure. The certificate's harder to break, so if it's generated from the banking or a financial institute, it's not like it is a public certificate. For it to be valid, it had to come from that organization. So that kind of eliminates the man in the middle watching you and trying to find new ways of capturing your credentials. So we see that certificates are also easily revoked. So think about it, how fast you can recover or cut off the links. It's faster, it's a faster means.
Anthony Wilson (09:18):
So if a device is stolen, a phone, a mobile phone, for instance, or a laptop, or whatever else, you report it and you revoke the certificate and you don't have to worry about it. Okay, that's very interesting. And how does that affect individual identity as well?
John Charles (09:37):
So now you think about what's the easiest way to tie that or grant a person a certificate. Eventually a person is going to generate their certificate to identify them as them and then actually give that as maybe a secondary authentication to their bank, to their school. So you authenticate one way from the organization and then a second way back to make sure both sides of that authentication is the actual person.
Anthony Wilson (10:08):
Yeah, okay. Interesting. Some ideas.
John Charles (10:10):
Yeah, so some ideas, yeah.
Anthony Wilson (10:12):
So that is fascinating. So I guess a double-barreled question here, John. So what does a typical IS Squared customer need or look for and what is the problem they're typically looking for? And then the second part to that is what would a typical engagement look like for guys. What does a project look like? How does it start, those sort of things?
John Charles (10:40):
So we're a very unique boutique company. We have very high-end Fortune 100 companies and very medium-sized large companies. So we kind of delve in from two kind of entities when it comes to security and maturity. So I'll handle like a mid-sized large company and then we'll talk about like enterprise. From a mid-sized company, when I say a mid-sized, I'm kind of talking about still, they have a couple of tens of thousands of employees. Possibly they are trying to make sure they're more secure. So get to that: okay, come in here, make sure that you can assess what we had and make sure it's the best that we can. So we do a lot of initial engagement with just coming in and doing an assessment. They'll say, okay, we want to do a network upgrade and this is what we're planning. We're like, well, let's stop. Before we give you any ideas, let's make sure you have a strong footing of where you are right now. And that's typically how most of those engagements start. From the enterprise, on the different side, they are totally probably a little more mature, they know exactly what they have and the problem is they probably have too many pieces of the puzzle mixed around and don't know how to put them together.
Anthony Wilson (12:03):
Right.
John Charles (12:04):
And you'll find out a lot with security tools integrating with business applications.
Anthony Wilson (12:10):
Yeah, and is that like a legacy issue, that over time the enterprise has grown, they've got more bits of software and bits of kit and then they build another layer of security onto it and it becomes a bit of a jumble?
John Charles (12:23):
That's one of them. But if you think about it, if you talk about, and this may be legacy, talk about having like Active Directory be legacy, talk about having Active Directory in your organization. And now you have a bunch of SaaS-based business applications. You still have to link those together for single sign-on, make sure the tokens work, so forth, that they're working seamlessly for the business. So those connections also need to be planned out and configured. Sometimes we do, a lot of times we actually build custom connectors to make sure that the user experience is more seamless or more secure. You're not sending out passwords on both ends or anything, things like that.
Anthony Wilson (13:02):
Right right.
John Charles (13:04):
So the engagements are similar but kind of different on how we implement. One's more planning and help walking them through, and the other one's more integration and making sure everything works good collectively. Yeah, okay.
Anthony Wilson (13:18):
That's good, thank you, and I'm hoping the answer is 90% of clients are being proactive in thinking about their security environment and how they could improve it, or, you know, or be on some sort of continuous improvement journey. But is there the case where some clients have just had an incident, or they've just had a near miss and, you know, they've had a bit of a fright and they're now saying, oh, by golly, guys, we need some help. Is that the case?
John Charles (13:54):
I would say about a year and a half ago, maybe 18 months ago. That was probably more of the case.
Anthony Wilson (13:59):
Right.
John Charles (14:00):
I would say now they're more secure, aware, and there's two things driving especially the mid-sized large companies. It is they are becoming more aware of compliance and they're becoming more aware of their certifications. So whether they want to make sure that their clients are asking vendors to make sure that they are SOC 2 compliant, so forth, and that's kind of driving their security. Another big driving factor, whether it's midsize, large enterprise, is insurance. The insurance cybersecurity is driving security awareness. They want to make sure, I mean, typically you didn't have insurance questionnaires saying, okay, show me that you have multi-factor installed, you have protect physical security on your data centers. These are valid questions that every organization is getting these days.
Anthony Wilson (14:56):
Yeah, that's a really good point, John. Thank you for bringing that up and just having a few of our clients going through the process of filling out that cybersecurity renewal form, yeah, there's some white faces, let me say, as they sit there and the blood drains away and they think, oh, my goodness, how do I answer that?
John Charles (15:17):
It's become more aware that finance, accounting, or that side of the back office business, is becoming very friendly with IT. They're like, hi, I need you to help me answer this.
Anthony Wilson (15:31):
Yeah, you're right, there's some strange new bedfellows, as they say, as they work together to work through that. But listen, it's a good thing, I think broadly, for, uh, end consumers to know that organizations are absolutely taking this seriously. Yes, and it's a good outcome for insurers as well. So if they benefit, then, you know, clients benefit with better premium and those sort of things as well, because the market's been pretty tight, as we've seen.
John Charles (15:57):
Yes, definitely.
Anthony Wilson (15:58):
Yeah, so that's good. We can get clients that are proactive and, you know, and we're moving away from clients that are responding. What does a typical engagement looks like? You start with a bit of an assessment of their current state. Is it normal that this looks like a, you know, massive project that's going to take 12 months to put all the elements in and people are scratching their heads and saying, oh my God, this is going to take forever? Or can the uplift, I suppose you'd call it, to get to a happy place in terms of their security environment or posture, can that be done relatively quickly? What sort of length does a typical project take and what does it look like?
John Charles (16:46):
So our typical assessment, and we have network assessments, we have your cloud assessment, we can have your internal infrastructure assessment. Either of those, we try to keep them within like two to three weeks so that we can get them a response and they get a good footing. We like to be interactive so we don't just take a report, give it to them like, there you go. It's more of, okay, we want to present what we found so that, one, you can say, oh no, you missed a piece and we can correct it. And then, two, give them kind of options. I mean, the worst thing is for an IT director to say, oh yeah, we just paid for the assessment and his manager wants to see it. He has no way of responding. Options, a roadmap, timeframes is better for him. It makes him look like he's well-prepared for his environment as well as saying, okay, from a budgeting standpoint, we are looking at this. So kind of, tell me what I can do now and what we need to get done at a stage so he's more prepared. It's actually getting your IT side of the house more business savvy.
Anthony Wilson (18:01):
Right, and I gather that the report roadmap prioritizes sort of, you know, urgent, do now, you know, important, do soon, and, you know, nice to have, do later type stuff. Does it give it that sort of prioritization?
John Charles (18:17):
Yes, and it also gives them flexibility on spending. So, okay, we're tight right now. However, we can get this done, and this may also be good on the insurance side, because that roadmap can flow into there. Talking to the insurance agent saying, okay, here's our roadmap on security. These are all outlined for the next two to three years, and they're happy with their premiums too, and then, typically, off of that, that gives them the opportunity of saying, okay, based on your expertise, we would like to work with you on these projects. Do you mind either being the architect or a consultant on these projects? These will handle in-house, these will do externally. It gives them all that flexibility.
Anthony Wilson (19:04):
It gives them all that flexibility and you can provide a service from, hey, here's the report, good luck, see you later, right through to project managing the whole thing, I gather. Exactly. Yeah, oh no, that's great, that's great. Um, left field one, John, for you. Has IS Squared ever been engaged by insurers to make an assessment of somebody before they take on a risk?
John Charles (19:24):
Actually, no. That's actually a very good idea. We've never actually took it from that side before. We've taken it from financial but not from any insurers.
Anthony Wilson (19:36):
Yeah, just a thought that just occurred to me. It's a good way for them to self-assess, I suppose.
John Charles (19:44):
It makes sense. I mean, you have financial institutes that want an assessment done to make sure that it's viable to loan this money or work with this company. It makes sense.
Anthony Wilson (19:56):
Yeah, no, it's just a thought that could be a service that you could provide, definitely.
John Charles (20:02):
Thank you. Yeah, yeah, that's fine.
Anthony Wilson (20:06):
No, that's good. So is, in a project that goes over a period of time, so you know, if there's a fair bit of work to do and those sort of things, is there a risk that the organization loses a bit of that focus or the urgency, and is there a way to keep them engaged or keep them on the straight and narrow, as it were, to rectify any security issues?
John Charles (20:32):
That is a very big problem and we've actually implemented a project management office within our company, which we, for these types of engagement, we always say we would like to put a PM on the project to make sure or help you keep track, and sometimes it is just they are busy resources and things get put to the side and come at the last minute and it's like, oh, where's the status on this?
Anthony Wilson (21:02):
Now that's good. That's good, yeah, because obviously organizations have a lot of stuff on their plate and things can drift or other things can take priority and be good to help them keep a bit of focus or at least keep momentum.
John Charles (21:16):
Nothing worse than something stopping and trying to restart it again, and IT is famous for doing a lot of things at one time.
Anthony Wilson (21:23):
Yeah, absolutely, John. Tell me, and I'm not sure if you can answer this or you've come across it live, as it were, but what about artificial intelligence in this space? Is there something that organisations now need to think about differently because of AI? Is there potential gaps now in enterprise or organizational security postures that they're just not aware of? With AI coming on, is there something that you're contemplating in that space?
John Charles (21:54):
That's actually a very large discussion. One of the products that we offer is a hosting solution, a private cloud, and after, or actually during, COVID, a lot of customers wanted some kind of edge solution where their computes weren't totally internally in their data centers but wasn't totally on the public cloud. That has branched out. When you think about AI and now that they're talking about where to keep their data Right is definitely the meat and potatoes of everything. It can expand, it can take on that big blast, but sometimes you want the same kind of flexibility in a more controlled manner.
Anthony Wilson (22:47):
Right.
John Charles (22:48):
And so we definitely see that we have a couple of customers that have been asking to see more of the private cloud solutions, how they're going to model this, and then the other one is definitely asking more about the data. How do we manage my data? How do I do my data engineering? How do I do my data analytics? I know the big buzz, but I want to say, yes, we are moving towards AI, but I don't know how. So it's a little more of, okay, let's kind of make sure we get all your requirements and give you a practical way of showing this. I mean, the good thing about AI is it's been around a while. The reason we're talking so much lately is we're fortunate, or maybe not fortunate, that we have hardware that can actually spit those answers out relatively quickly now. So we've definitely jumped up the curve and we're having fast response and we're even moving faster because of it. It's just going to be exponential from now on.
Anthony Wilson (23:53):
Yeah, absolutely. It's amazing how quickly it's progressing. But there you go, modern times. Yes, John, just before I let you go, just one question I like to ask all my guests, and that is if a young person was contemplating getting into this field, even IT more broadly, I think it's pretty clear that getting into IT is not a bad general choice. But getting into IT is like saying, well, getting into medicine, there's so many different areas and different fields, um, but you know, if a young person listening was contemplating getting into IT, or IT security specifically, or something like that, what sort of advice would you give them as they contemplate entering the field?
John Charles (24:38):
I would definitely say IT security is a good jumping start. However, that ocean is very big, so maybe remember to take sidesteps and learn smaller skill sets like network and basic networking. So knowing that, maybe understanding, taking some database classes so that you understand where the data flows. So I would definitely recommend them branching out, not just focusing dead on what they believe they want to do, because those take so many pieces to put the whole thing together. They may actually find out the, I want to specialize in this small particular area and this is where I like it. I can work on this night and day and never be worried, and it pays very well. The second one is a kind of a side off. I would say while you're doing your IT, maybe take a business class, because, like I said, IT is now being talked to more from, like, the backend business management. Understanding what they need helps you design, understand, protect better. Yeah.
Anthony Wilson (25:48):
Yeah, it's, it is a very broad church, isn't it? And I think, well, it's reflected in your career journey, you know, lots of different experiences in different organizations and comes together or culminates in, you know, your expertise in your current business. So that's, no, that's great advice. Thank you for that. Well, John, listen, really appreciate your time today and you spending the time with us and sharing your knowledge and experience with the audience. It's much appreciated. If people want to get in touch with IS Squared, how do they do that? What's the address they need to go to?
John Charles (26:27):
That would be www.issquaredinc.com.
Anthony Wilson (26:34):
Excellent, issquaredinc.com. Well, I'll put that in the show notes as well. So, once again, thank you, John, much appreciated. Thank you for having me! Excellent. Well, listeners, that was John Charles generously sharing his experiences in IT security and those of the work that he and the team do at IS Squared. Hope you found that very interesting, I certainly did, and lots of things to consider there for all enterprises and organizations. This stuff isn't going away. You've got to get on top of it, and you might as well do it well with the help of experts. So don't forget to look up IS Squared Inc as a potential partner or someone that can give you the advice that you may need in that space. Thanks again for listening to the program today. This has been Mastering Risk Management. I'm Anthony Wilson and it's been great to have you along again, so we will talk soon. Cheers.