September 25, 2025 • 38 mins
What if the single most important skill for success in cybersecurity sales wasn’t technical knowledge, but relentless curiosity? Get insider strategies from Jacob Friedman, Strategic Account Director at 3 Tree Tech, who shares how curiosity, mentorship, and trust are the keys to thriving in cybersecurity sales.
You’ll discover how to navigate the vendor landscape with confidence, build lasting client trust, and transform technical conversations into impactful business discussions. Walk away with actionable tips to sharpen your credibility, elevate client relationships, and grow your influence in the security space.
Takeaways
- Why curiosity and continuous learning help you stay credible in a fast-moving security landscape.
- How finding a mentor and engaging with the community accelerates growth in cybersecurity.
- Why focusing on business outcomes makes conversations with executives more impactful.
- How informed opinions, not blind vendor-agnosticism, create stronger client recommendations.
- Why trust and honesty are the ultimate currency for long-term client relationships.
Quote of the Show
- “ Part being continually curious is you start to understand that is security is achieved through defense and depth.” - Jacob Friedman
Find all episodes, show notes, and resources at: https://www.cdg.io/podcast/
Partner with us: https://www.cdg.io/partner-with-cyber-defense-group/
Links
- LinkedIn: https://www.linkedin.com/in/jfriedmantech/
- Company website: https://www.3treetech.com/
- Infoseclive Youtube: https://www.youtube.com/@infoseclive
Ways to Tune In
- Spotify: https://open.spotify.com/show/1gIKsOyorKMzQA7wxck4dH?si=ff617df387aa401c
- Apple Podcasts: https://podcasts.apple.com/us/podcast/channel-security-secrets/id1826825461
- Amazon Music: https://music.amazon.com/podcasts/8703d3a3-4128-4691-8862-cb847f53f776/channel-security-secrets
- YouTube: https://www.youtube.com/@ChannelSecuritySecrets
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Lou (00:01):
Welcome to Channel Security Secrets. I'm Lou Raban. On this
show, we expose the untoldsecrets and critical insights
from the people shaping thefuture of cybersecurity sales in
the trusted adviser channel. Ifyou're looking to up your game
around selling security, stickaround. Channel Security Secrets
is brought to you by CyberDefense Group on a mission to
shift cybersecurity fromreactive to resilient.
(00:37):
I'm thrilled to chat with
our guest today. He's adisruptive tech evangelist,
technology matchmaker, and awardwinning sales leader. He's an
active member of InfraGard andthe Israeli startup advisory
network. In 2021, he placedsecond in POA Futures Club for
generating the second highestrevenue company wide. Today, he
(00:58):
serves as his company's leadtech scout for cybersecurity,
driving innovation and shapingstrategic partnerships.
He's the strategic accountdirector at Three Tree Tech.
Jacob Friedman, welcome to theshow.
Jacob (01:11):
Awesome. Thanks, Lou. Happy to be here.
Lou (01:13):
Yeah. So Jacob, let's just jump right into it. What's the
biggest secret to your successin security sales in the
channel?
Jacob (01:22):
Well, there's a lot of different ways we can go with
that. I think that one of thefirst lessons that I learned was
that when I used to work at aVAR, the way that you viewed
security was very different.They essentially shoved one MDR
solution in front of us, one SOCas a service solution, and said,
this is security. Top to bottom,this is cybersecurity. And I
(01:44):
think that part of just beingcontinually curious, you start
to understand that security isachieved through defense
in-depth.
There's a lot of layers to it,and there's a lot of different
things that have to work welltogether. Starting to understand
that and understand who existsin the marketplace and how they
feed into each other isimportant for making any sort of
(02:07):
recommendation to any size ofcompany.
Lou (02:09):
So understanding the landscape, essentially?
Jacob (02:12):
Yeah. Like, understanding who exists, how do they compare,
recommending people meet with upand coming vendors all the time
because there's a lot ofinteresting point solutions that
might fly under your radar. Butin terms of if you're gonna be
selling to some sort of securityexecutive and you wanna push
(02:32):
this one specific manageddetection and response company,
you should be prepared to talkabout how they compare to the
other 10 options or even if youcan just reference the top five
other ones that maybe if they'rewell more more well known than
the one you're pushing. Thatwill build credibility for you
with these security leaders thatyou're meeting with. Because
(02:53):
chances are they've probably metwith multiple vendors.
And if you're completely if yourwhole view of security is siloed
to this one vendor's opinion ofit, you might not give that air
of credibility when speakingwith a leader.
Lou (03:10):
Yeah. Okay. So that's for you as someone who's been
selling security for a while,understands it really well. What
about, know, in this channel,there's a lot of trusted
advisors that are just gettinginto security. So how do you
suggest that they maybe operatein a way that they may not
actually understand thedifferences between all the MDR
(03:32):
vendors?
Jacob (03:33):
I would say first, you know, one thing that was helpful
for me is find a champion and ormentor that is in the security
space. Start to understand theiropinions on certain vendors,
why, what has their experiencehas been, start to survey some
of your other customers andrelationships that you have.
What do they think of who existsin the industry? What has their
experience been implementingpeople, etcetera? I think one
(03:58):
thing that a lot of people failto consider is that also the
personality type of people insecurity is often different than
if you're selling telecom orcontact center or many of the
other realms of technology thatyou have access to if you're an
agent within the channel.
And so blunt candor and thewillingness to say I don't know
(04:19):
to certain things rather thanpretending like you do know, I
think also goes a long way.Like, trust is your currency and
security, and you can lose itvery quickly.
Lou (04:30):
That's great advice, and and I think it's a theme that
comes up often in other gueststhat I've I've spoken to, which
is it's acceptable to say Idon't know. And trust being the
currency, I I love that. That'sthat's absolutely accurate. You
mentioned curiosity too when youtalked about kind of the secret
(04:52):
to security sales. So beingcurious about how this all fits
together and what's better andwhat's not, know, what what is
your kind of go to for gettingthat kind of information?
Jacob (05:08):
There's a lot of different resources out there.
Obviously, Gartner has thosequadrants and they have various
vendors in there. There's variedopinions on how valid their
placements are based marketingcontributions, but it still
gives you high level ofawareness of people that are in
mid to late stage of theiradoption journey within
(05:31):
technology. You get to see whoexists in the quadrant. It's not
gonna be the best for earlystage, but in terms of knowing
who's established players, itcan be a good starting point.
A lot of venture capital groups,if you wanna know about what is
hot in terms of the emergingsecurity space, one resource
that a lot of people can formrelationships in is the venture
(05:53):
capital community. And that'sbecause, you know, they're
looking for their next goldenhorse to give a little bit more
investment to and watch the nextrocket ship essentially bloom.
And keeping an eye on who'sgiving money and where and who's
really excited about what canhelp you stay a little bit ahead
of the curve in terms of, wow,we're hearing amazing things by
(06:15):
these people and they just,received a pretty impressive
funding round from these threepeople who have a track record
of investing in success. Itmight be worth taking a demo
with them and just seeing ifthat's something that
partnership wise would makesense for your clients. And so,
I just advocate for people to becurious.
RSA in black hat, they havevarious innovation contests. Pay
(06:40):
attention to who places well,what are they doing, what are
the buzzwords being talked aboutat conferences? Do you know
about who exists in thosespaces? I think that would lend
you to being more aware of thatlandscape of who's shaking and
moving within the space.
Lou (06:59):
Yeah. And and you mentioned, a mentor as well.
Suppliers can fill that roletoo. Right? That's often where
we find ourselves, speaking totrusted advisers that are trying
sell more security.
They have the relationships, butthey may not have the knowledge,
so we try to guide them throughthat, you know, in an agnostic
(07:21):
way, which is, I think, probablyone of the other reasons that if
you don't get a supplier that'sagnostic, then you definitely
wanna find a mentor. To yourpoint, where where would you
recommend if it's not asupplier, you know, that these
these trusted advisers findmentors that can kinda help them
navigate security landscape?
Jacob (07:43):
I would say, like, focus on building positive
relationships. Go to where thecommunity is. The security is a
very healthy community, whetherit's at conferences, whether
it's wherever city you're in,there's local meetups of various
organizations, whether that'sISSA, ISACA. There's a lot of
different groups that bringsecurity people together. And
(08:06):
then don't sell them, just lookto understand their opinion and
perspective on the market.
Obviously, I don't think there'sany one person with a
unanimously correct view of themarket, but a lot of people have
different lived experiences andmight have a different
perspective to share with youbased on what they've seen,
who's done well, what theirpeers have told them. I think
(08:28):
that's another relativelyuntapped web is that once you
have a champion, a lot of peoplein security hold their cards
very tight to their chest andunderstanding who are their
friends. Because a lot of thesepeople, in addition to where
they look at news source wise,they ask their peers. If you can
leverage that peer network aswell, I think that that would be
(08:51):
a source of value. But onceyou've gotten to a level of
trust though, that is.
Lou (08:55):
Right. Right. So there's an element of kind of self
education in the beginning, youknow, doing kind of the hard
yards of of figuring out, youknow, what is security? What are
the things in the landscape thatI can sell? Who should I go to?
Who are the vendors that I cantrust? You know, what what do
(09:16):
you think when they when theystart to have these security
conversations? I think a lot ofTAs are get concerned that they
might be looked at as the expertor that they might be asked a
question that they can't answer.I mean, going back to your
original answer about, I don'tknow. I think that's probably a
logical thing.
But, you know, what do you sayto the TAs that are, a little
(09:40):
bit nervous about even openingthe conversation because they
they don't wanna get it overtheir heads?
Jacob (09:46):
Yeah. I mean, I think those nerves will settle over
time. I do think those nervesare justified because security
is one of the hardest spaces tosell in based on how technical
it can often be, the risk thatis associated with it, the
tempers that can flare up, howthe business impact. It's a
scary space to operate in bothas an operator and as a seller.
(10:07):
I think that you gotta kind ofown that you don't know, and
this comes back to a differentpoint of caring about the
outcome for your customers.
Because what is your valueproposition? If you're gonna
engage in a securityconversation and you're new to
security, you might not wannatout yourself as the security
extraordinaire mister influencerguy. Right? You might wanna
(10:31):
build your value prop on thefact that, you know, you've been
doing great business withclients for many years. People
love to do business with youbecause you care about the
outcome.
When escalations need to behappened, you know you as a
trusted advisor are all overthat. You are lockstep and key
throughout the entire salesprocess as well as post sale.
They know that you're someonethey can count on to bring the
(10:54):
right people in the room to havethe conversation resolved. You
don't need to I think a lot ofTAs try to be the guy, whereas a
lot of times you can be theconnector of the people.
Lou (11:05):
That's great advice. And, you know, it's it's also
relevant for the supplier side.We we wanna work with trusted
advisers that will, follow-up,that have good relationships,
that are transparent about theprocess, that are not just
trying to get quotes from us,but that want to, look at
solutions. And I think thatthat's another area where, the
(11:28):
traditional trusted adviser has,struggled from what we've seen.
If when I say traditional, mean,if you're looking at, you know,
or CX or things that might havebeen voiced, there's solutions
behind it, but it's prettycommoditized at this point.
So it's kinda like, here are thethree quotes. You know what
you're getting. Security is asolution sale, and, you know,
(11:52):
it's it doesn't really lenditself to here here's a couple
of quotes, especially because,you know, you're talking about
outcomes. That's what we we pushoutcomes based security, and we
wanna know what is the problemthat we're trying to solve.
Like, hey.
We want a pen test. Why? Why doyou want a pen test? What what
is behind that? Because thedeeper understanding will lead
(12:12):
to not only a larger, you know,engagement, but also more trust.
So, you know, the solutions, Ithink, are, that you're talking
about, it's kind of a it'sdefinitely a mindset shift for a
lot of TAs. So, is thatsomething that you've had your
whole career, or is thatsomething that you kind of
developed or came to over time?
Jacob (12:36):
I think I've always been curious. I've always, you know,
wanted to understand what I'mquote unquote selling. Right?
It's really important in myopinion for me to feel confident
to talk about it. I gottaunderstand it.
I might not need to know it downto the protocol level, but
understanding conceptually whatis the goal, is it trying to
(12:57):
accomplish, what are things Ineed to be aware of, how do I
essentially be the facilitator.Those are a lot of areas that
I'm really passionate aboutunderstanding in terms of the
solutionscape. I think thatThree Tree, know, me joining
them almost four years ago,really amped that up because a
(13:18):
lot of the leaders that arestruggling in the security space
is because when you compare itto like a telecom where a lot of
the other agencies start, therate of innovation is a lot
slower. And in security, there'snew acronyms all the time.
There's new solutions.
There's new, you know, platformplays, and there's point
solutions. How does it all fittogether? A lot of the pain
(13:40):
points for these leaders arecutting through the noise
because they have a day job,right? And I think that Three
Tree really emphasized, youknow, to me that, you know, it's
important to understand whoexists and be able to kind of
just be aware of the acronymsoup that is continuously
(14:03):
evolving. Because that's that'spart of our our value prop to a
lot of these leaders is thatthey trust us to advise them,
you know, which directions theyshould potentially pursue, which
ones maybe aren't right fortheir company culture,
operations, etcetera.
And I think that that justoverall industry knowledge isn't
gained overnight, but is superimportant for your success in
(14:25):
long term security.
Lou (14:27):
That makes a lot of sense. By the way, the acronym STOOP, I
I just wanna make a point aboutthat. We're notoriously bad in
security for for having. And,unfortunately, I don't see any
end in sight because we've gotCSPM, DSPM. You know, we're it
just continues, and we're guiltyof it sometimes ourselves.
But, yeah. What what do youthink? What what are some of the
(14:49):
conversations now? I I imaginethere's a bunch of AI popping
out at you, like AIconversations around security.
Jacob (14:58):
Yeah. I mean, AI is popping up across the whole
technology landscape. It's notjust security. You know, you're
seeing it in being able toautomate the entire customer
engagement process from chatbotto customer journey mapping to,
you know, maybe, for example,like a real estate company that
I was working with automatingthe engagement and leasing
process for new residents usingan AI agent. There's a lot of
(15:20):
ways to improve the speed ofprocesses, reduce the risk,
etcetera.
It comes with AI, but acounterpoint on that is that a
lot of times, the AI that'sbeing put in their environment,
it's like, it brings acapability and then it also adds
an additional risk that you haveto govern. And so, I'm seeing
kind of within the securityspace, there's one hot topic is
(15:44):
the automated SOC. You know,there's AI coming in from an
agentic perspective to reallytake off those tier one, tier
two tasks from your internal SOCteam or even MSSPs. Now, with a
lot of these bigger companies,it's okay, well, we see value in
that trimming down our alerts,handling a lot of the surface
(16:04):
level things, but how do we makesure that it stays on mission
and isn't doing things that wedon't want it to do and causing
potential business disruption?So I think there's solutions
coming on both sides in the AIangle across the whole tech
stack of what is something newthat we can do that's better,
faster, cheaper, and then how dowe make sure that it doesn't
(16:24):
light our train on fire whiledoing so.
Lou (16:27):
Yeah. Did you go to Black Hat this year?
Jacob (16:30):
I did.
Lou (16:31):
Actually, I think I saw you. We ran into each other.
Yeah. I mean, did you walkaround the perimeter and see
some of those it it seemed to melike almost every vendor well,
everyone had AI. They had it'sit was obligatory, but also they
had AI stocks.
Like, even vendors just who arejust right next to each other. I
(16:53):
don't know if you walked thisfloor.
Jacob (16:55):
I wasn't able to walk the Expo Forward this year. I did at
RSA earlier in April, and I hadsome colleagues that did walk
the floor at Black Hat thisyear. But I don't doubt it. I
mean, it's whenever there's ahot buzzword that people are,
you know, focused on, you know,there's a lot of funding being
put that way. Boards are sayingwe want capabilities, we want
(17:17):
AI, we want all the differentthings.
Like, you know, where the moneyflows, so does attention. And I
think that, you know, thesevendors in their marketing
departments are doing the bestthey can to kinda ride that
wave.
Lou (17:29):
So what what about some other challenges that AI know,
we gotta speak about AI, but areyou seeing companies evolve past
the kinda like just basic stackof MDR, you know, endpoint,
maybe some compliance regime,and really looking at improving
their programs and, you know,getting deeper, tying it to
(17:51):
business outcomes, things likethat?
Jacob (17:54):
Yeah. I mean, it kinda depends on how mature of
companies we're talking about.Like, there's a lot of
interesting up and comingdisruptors that are maybe in
seed stage, maybe getting to toseries a that are, like one that
I met with earlier today iscreating digital employees that
(18:15):
essentially are, haveverticalized skill sets from an
agentic perspective to emulateone domain of security. So,
that's like a virtual GRCmanager, and then it can
automate the entire lifecycle ofvarious accounts. It can
automate evidence collection andreport generation.
(18:36):
There's like, there's a lot andthere's like different aspects
of how it's applied to securityoperations versus, you know,
like, it it really kindadepends, but I am seeing a lot
of unique, interestingcapabilities that are coming out
for sure.
Lou (18:50):
I mean, what about, like, just the basics for for your the
customers that you're workingwith? Do you find that they've
got those covered pretty well?You know, I don't I don't know
what area. You're you're midmarket to enterprise. Is that
right?
Or are you
Jacob (19:02):
Yeah.
Lou (19:03):
SMB too?
Jacob (19:04):
You know, we have a couple sellers on our team that
that work with some SMBaccounts, but my personal
primary focus is is low to upperenterprise. And obviously, each
segment of company will havedifferent needs and risk
appetite and different levels ofhow do they even have a security
team versus how big is theirsecurity team. That will really
(19:27):
affect what they're interestedand why. And not to mention just
also by industry, right? Likethere's certain industries that
might be later adopters thanother.
Like Historically, manufacturingisn't necessarily at the
forefront, especially with theiraged OT systems, right? So I
think that conversation kind ofdepends on the client's
(19:47):
positioning.
Lou (19:49):
Traditionally, it's been healthcare and finance, right?
They're regulated. There's avery obvious risk and a very
obvious impact if something badhappens, manufacturing,
etcetera, and especially evenmore, like, oil and gas and
stuff. I I've worked with themmany years, but it's always
(20:13):
been, hey. We pull, deaddinosaur stuff.
We we don't need it. And thenall of a sudden, you ask
questions like, well, do youhave, you know, monitors on the
wells? Do you are there youknow, how are you seeing what's
going on remotely? And they'relike, oh, yeah. Yeah.
We actually do have that. Andthen, you know, as you start to
dig every company is a petcompany these days. So more more
(20:37):
and more are coming to mind. So,you know, as far as, again, with
the the TAs, and and anymessages or or knowledge you
could drop with them, We've gotwe've spoken about how they can
get a mentor. We've spoken abouthow they should be curious.
You know, maybe finding goodsuppliers that can kinda lead
(20:57):
them on the journey as well,understanding the solutions.
Yeah, I mean, getting into localevents, ISSA, Resaca and stuff
like that. Those are definitelygood entry points in any market.
Any other advice you'd give tosomeone listening?
Jacob (21:15):
Yeah, I would say that one thing that you definitely
need to make sure to do and thatwill start to elevate how much
the customer trusts you isunderstanding what is their role
within the organization. Becauseas you move upmarket, the
political landscape and whoreports to who, who gets along
with who, who's in charge ofwhat gets to be a bigger level
(21:40):
of consideration. And sounderstanding, you know, are you
working with the decision makerwho at this point in his career
is nontechnical versus are youmeeting with someone who's
leading the architecture designversus someone who's the hands
on keyboard analyst trying tostop threats? You know, what's
important to them and how youmake them a champion within
(22:00):
their own organization is gonnabe a bit different. So I think
that once again, your primarygoal, and this comes back to
Three Trees, honestly, missionstatement being empower leaders,
go out and figure out how toempower your champion.
At the end of the day, they'reowning the risk, not you. Their
butts on the line, not you. Youneed to make sure that you
(22:23):
understand how are they scoredwithin the organization, what's
really the objective and impactof this project, And what
resources do you have at your,you know, your disposal to make
them look like a hero? Andreally, if you can if you can
consider, you know, consistentlybring them wins that help them
accomplish their vision and bethat kind of enabler, that's how
(22:45):
you build the level of trust towhere maybe, you know, no one's
There's a lot more job hoppingthese days and a lot more people
float between companies and youwanna make sure that you've done
such a good job for them thatyou're clearly gonna be there
for their first call when theygo to a new spot. And I think
that focusing on how you empowerthem is a good way to do that.
Lou (23:05):
Yeah. Yeah. And I think the navigation of that org chart,
that's really relevant becausethat's also another strength for
bringing security into theconversation because one of
those aspects that touchesevery, you know, part of the
organization. Right? So,typically, when we'll go in,
we're going in usually at clevel or maybe director level.
(23:27):
Anything below that, we youknow, there's not really an
influence there. And even ifthey like us, you know, we need
to move up. But when we get tothat director level or even c
level, like a chief informationsecurity officer, a lot of times
people need a help in that area.So we're gonna help them look
like heroes, and, and then youget better exposure to the c
(23:49):
suite, and then you can sellmore stuff as well because they
trust you and you earn thattrusted adviser moniker. So, I
think that's really relevant.
I'm glad you brought that up atat being, understanding the org
chart, understanding how to workit, who are you speaking to, and
then, you know, tactfullygetting up to speak to maybe
(24:11):
higher levels. Do do you haveany kind of tips or secrets
about, let's say, you're cominginto the IT manager and you want
to speak to, you know, the CTO.How do you navigate that?
Jacob (24:24):
Yeah. I think that you gotta elevate past a technical
conversation and more into abusiness discussion. And a lot
of times when you're dealingwith the c level for technology
decision makers, a lot of theirjob in terms of even getting
approval for budget is thenjustifying, okay, we spent this
much money. What did it do? Andin security, it can be
(24:47):
especially hard because whenthings are quiet, that's when
they're good.
Unless it's like, oh, we spentmoney on an engagement to get us
compliant to this benchmarksthat we can win this RFP for
another client that's dependenton us getting to this compliance
standard. Right? Outside ofthat, a lot of CISOs that I work
with, they struggle. They have alot smaller budgets than their
(25:11):
IT peers. And so how do you makethem a champion?
And a lot of times it's there'svarious ways of doing it with
products, etcetera, but how doyou help them create business
cases to justify additionalinvestment as well as doing your
job as a TA during QBRs and kindof justifying, you know, you
spent your money on this, thisis kind of what it's done. You
(25:33):
know, how do you quantify atleast some sort of risk that was
reduced and or, you know,business advantage gained
through whatever investment theyspent? And I think also another
way is once again compliancetends to touch a lot of people's
(25:53):
interests, you know, because youcan talk about, oh, niche
solution within security that inthe invasion state miner helps
re hook your EDR so that it'sspecifically for anti ransomware
disruption, right? And thatmight be really important and
interesting to a securitydecision maker, but you talk to
(26:14):
like a CTO, CIO, like what?Whereas if you're like, okay,
the way that you even talk aboutthat to them is gonna be a bit
different of, okay, on yourworst day ish, a threat actor's
in your environment and was ableto encrypt your systems and
exfiltrate data, how much woulda day of downtime cost?
How much would four days ofdowntime cost? How expensive is
(26:38):
your data? What would happenreputationally if this data
leaked? What if you had asolution that could potentially
throttle the amount of databeing willing to leave your
environment until it wasapproved and or grab decryption
keys the moment they'regenerated so you don't even have
to negotiate with ransomwareactors? There's ways of
(26:59):
approaching that conversationfrom a more of, like, a business
context perspective than just atechnical capability.
That makes sense.
Lou (27:06):
Yeah. And absolutely. And then it's also wins less. I
mean, to the tabletop to todetermine that. And yet, also,
the sales pipeline, there's somany soft costs that are not
accounted for in breaches, andwe've done a calculator.
The hard costs are you gotta getlegal. You gotta get an IR firm.
You got, you know, maybe an ITfirm to do recoveries, blah blah
(27:28):
blah. But then there's a Howhard is it as a salesperson to
build pipeline, and how easy isit to lose it to your
competitors? Especially, theythey jump all over that.
Like, oh, did you see, you know,Widgets Inc. Just got hacked?
You know, you might have beenlooking at them as a solution.
Here know, we'll give you adiscount if you jump over to us,
and you're probably able tobreak your contract or, you
(27:50):
know, not sign that, etcetera.So we've seen it.
And so there's a lot of, youknow, quote, soft cost, things
that are not gonna they're gonnahit the bottom line, but they're
not necessarily gonna be a lineitem in your, p and l. You know?
That's that's a good goodconversation to have, and you
wanna have it proactively. Theworst days for any of the c
(28:12):
suite are when it's reactive,and then they're like, shoulda
coulda won out or, you know,they may even come to you and
say, you know, why didn't we dosomething about this sooner as a
trusted adviser? I mean, thatthat's another question, Jacob.
Like, how when you're trying toyou're getting in let's say
you're having lunch with a a CFOor or even a CTO, and they're
(28:34):
like, oh, we don't we've gotother priorities. We're working
on other projects. How do youget them to, say, well, okay.
Maybe we need to look at thisproactively, you know, avoiding
that that discomfort of areactive situation.
Jacob (28:48):
I think that there's two parts to it this. I mean, being
good at storytelling and havingreal stories that you can
reference, whether it's in themedia or it's even more
impactful when it was a clientof yours and how a delayed
decision led to some sort ofoutcome. But now, you know, post
engagement, they what kind ofpositive effects they've seen.
Being able to tell the story ina convincing and compelling way
(29:10):
of why it would be worth, itwould be in their best interest
to pursue it, I think is oneangle. I think the other thing
that a lot of people mess up onis at the end of the day, you're
not the decision maker.
They are. You can lead a horseto water, but you can't make him
drink, and your job is toempower them. What is important
to them and how do you help themget to their goals? You can give
(29:33):
your opinion and your advice,but if you're trying to,
especially if you're notintimately familiar with their
business and what it takes tokeep it afloat, if you're just
pushing that you should approachsecurity some this way because
you think it's optimal way, Itjust comes across as like you're
a salesman trying to hit quota.Right?
(29:55):
So leverage stories, real worldexamples that you can that
illustrate that it's in theirbest interest, but also know
when to back away. And I wouldsay never die on a hill for
anyone. If anything, if you dieon a hill for it and then they
(30:15):
go with you and then they justkind of you kind of ruin the
relationship over it, that's notgood. Whereas, whereas if you're
like, hey man, I gave you arecommendation but I totally
respect it's not a priority ofyours, you know, I'm here when
you need me, and then somethingdoes happen, they're gonna call
you and they're gonna be like,hey man, you're right. Sorry.
What can we do? Right? Soknowing that line and knowing
(30:36):
when to walk away is important.
Lou (30:38):
We've seen it, you know, and it's, it's unfortunate that
it often takes that. However,when, it does happen, the, you
know, the TA gets called, andthey're like, yeah. You know,
you've been talking to us aboutthis. Sorry. We didn't do it
sooner to your point.
So I think, you know, it's greatadvice to say don't die on the
(30:59):
hill because if you do, thenyou've closed the door. You've
possibly burnt a bridge where,you know, you're too pushy.
Let's move to someone else orlet's we'll talk in six months,
and and they're like and thenthey're maybe even embarrassed
to call you if it happens. Butif you leave the door open,
you're not too pushy. They'regonna call you.
You know, if they don't listento your advice to your point,
(31:20):
it's frustrating sometimesbecause, you know, for us, you
know, we know the consequenceshaving done, you know, tons of
incident response, but you can'tto your point. Let's let's not
force their end because they'regonna just resent you for it,
and you may be closing a doorthat later on would be, pretty
lucrative, and it's theirposition.
Jacob (31:42):
One other side note that I was thinking about, I was
talking with our new CEO, KarekStanwyck, about this today or
the other day was that, youknow, a lot of people throw
around the word agnostic. And Ipersonally don't like that word.
I used to use it all the timebecause it's like, oh, yeah, no,
we're not bound or beholden toanyone. But I feel like saying
that you're agnostic to anysolution means that you don't
(32:05):
care about the outcome. Becausein my opinion, once again,
opinion, my soapbox, is that ifyou really do due diligence and
you meet with a lot of differentvendors, you might and you start
to do projects with them and yousee that the way that they run
projects, what escalations looklike post sale, those types of
experiences over time will startto shape who you recommend to
(32:28):
who and why.
And I think leveraging thatlearned experience is really
powerful. And I tell a lot ofour customers, know, because
they're like, oh, you'reagnostic, right? I'm like, yes,
to a degree, but a human being.I have my opinions and I'm gonna
tell you, Oh, I mean technologywise, yeah, they're very
similar, but in terms of when,forgive my friend, shit hit the
(32:52):
fan and something needed to beescalated, the response was
drastically different at thiscompany versus this company. And
I think that's important andworth knowing for these buyers.
So one thing I would say isdon't also die on the hill to
say you're agnostic. You know,there's certain, in telecom,
it's a lot more reasonable to betruly agnostic because they're
(33:13):
all so similar, and you can havejust like a pricing discussion.
But in security, when thesubject is as sensitive as it
is, I think it's okay to have anopinion based on who you're
seeing do good business.
Lou (33:28):
Agnostic with an opinion, basically. Exactly.
Jacob (33:32):
Long winded summary.
Lou (33:34):
No. That's great. It's important. It's funny because we
are agnostic from a technologyperspective, but we've got our
our preferred vendors as well. Ithink that it's you're right.
It's almost abdication of adecision to pay, you know, we're
agnostic. Pick who you want.We're not gonna force your hand.
That's actually not whatcustomer is looking for, I
think.
Jacob (33:54):
No. They want that guidance, and they wanna feel
like the person they're engagingis helping to get them the
optimal outcome. And if youtruly don't care what vendor
they pick, you know
Lou (34:07):
That's not really advises. That's good. I that's great
advice. I mean, this is this hasbeen a lot of really, really
good, feedback and advice forpeople that are listening. Let's
pivot from, you know, nuts andbolts of work to more of a
personal side.
(34:27):
You know, who's Jacob Friedman?Like, what what's your you're
you're in Chicago. Yeah?
Jacob (34:33):
Yep. Moved out here just over a year ago to open up and
establish kind of the three treepresence out in this region. As
you can see from the cat behindme, I'm a cat dad. But, you
know, outside of work, you know,I've always been into mixed
martial arts. I'm a big fan ofthe UFC.
(34:53):
I'm, know, into fitness. I'm afoodie in Chicago. But, you
know, coming back to, you know,kinda three tree life is you
know, I've I've been worth themfor a long time, seen a lot of
ebbs and flows and changes inthe industry. And I lead a lot
of our engagements with thebiggest global accounts and and
their security teams, etcetera.That's kinda that's kinda me in
(35:15):
a nutshell.
Lou (35:16):
Yeah. And how'd you get, like, from doing sales? Did you
do security at the beginning, orwas that something you you just
that your passions led you to?
Jacob (35:26):
No. I mean, I started in door to door sales when I was
15, and I got bamboozled by acompany called Trailblazers
Marketing, where I was soexcited for my first marketing
internship. And it turned out onthe day of you show up in a suit
and then they change you into akhaki and t shirt in the back,
and then you go door to door andsell CenturyLink. And that was
(35:48):
one, that was a starting pointfor my sales career, but then
I've held a lot of differentpositions. Throughout college,
was one of the founding membersfor the Oregon State Sales Club,
so I traveled all over The US toemulate and role play in various
situations to win these salescompetitions.
And then got an internship whenI was in college at my first
(36:10):
kind of tech sales role at anamazing company called Pacific
Office Automation. And they sellthey're a value added reseller,
and they sell a bunch ofdifferent things. And so surface
level, I did get an introductionto security through them selling
Arctic Wolf as an MDR service,but primarily, I was doing like
printers, copiers, phonesystems, security cameras, stuff
(36:33):
like that. All like SMB officelevel technology. And that was
kind of how, yeah, I got mystart.
Lou (36:42):
That's great. And it's so so really kind of from selling a
vendor thing, wait. How doesthis vendor work? Going back to,
you know, comment at thebeginning of the podcast, which
is be curious. You're like, waita second.
What what's the security thing?And then you were like, wow.
This is there's a lot to thisrabbit hole. And where can
people find you, connect withyou?
Jacob (37:02):
Yeah. You can find me on linkedin.com/jfreedmantech and
or, I'm on a couple of the,podcasts over at infosec.live.
They're a great group of people.They have their own podcast.
Simon Lundstedt, the founder,has been super generous to let
me cohost on there from time totime.
They have a big cyber communityspanning the The US and The UK,
(37:24):
etcetera. I'm in between thoseplaces as well as, you know, I'm
here local in Chicago trying tohead to the various events, as
well as the big conferences. Sofeel free to reach out. Always
happy to to to have a chat.Yeah.
Lou (37:38):
Jacob Freeman, it's been a real pleasure really getting
your insights into security. Iknow you're one of the the the
big hustlers out there withsecurity getting it done. So
thank you very much for forjoining.
Jacob (37:50):
Of course. Thanks, Lou. Appreciate your time.
Lou (37:52):
Of course. So, thanks also to those that are watching and
who are listening. If youlearned something today, or
laughed, please, tell someoneabout this podcast. Thanks
again, Jacob, and this has beenanother exciting episode of
Channel Security Secrets.
That's a wrap for this episode of Channel Security
Secrets. Thanks for tuning in.For show notes, guest info, more
(38:14):
episodes, visit us at channelsecurity secrets dot com.
Channel Security Secrets issponsored by Cyber Defense
Group. When it comes toprotecting your business, don't
settle for reactive.
Partner with experts who buildresilience from the ground up.
Welcome to Channel Security Secrets. I'm Lou Raban. On this
show, we expose the untoldsecrets and critical insights
from the people shaping thefuture of cybersecurity sales in
the trusted adviser channel. Ifyou're looking to up your game
around selling security, stickaround. Channel Security Secrets
is brought to you by CyberDefense Group on a mission to
shift cybersecurity fromreactive to resilient.
(00:37):
I'm thrilled to chat with
our guest today. He's adisruptive tech evangelist,
technology matchmaker, and awardwinning sales leader. He's an
active member of InfraGard andthe Israeli startup advisory
network. In 2021, he placedsecond in POA Futures Club for
generating the second highestrevenue company wide. Today, he
(00:58):
serves as his company's leadtech scout for cybersecurity,
driving innovation and shapingstrategic partnerships.
He's the strategic accountdirector at Three Tree Tech.
Jacob Friedman, welcome to theshow.
Jacob (01:11):
Awesome. Thanks, Lou. Happy to be here.
Lou (01:13):
Yeah. So Jacob, let's just jump right into it. What's the
biggest secret to your successin security sales in the
channel?
Jacob (01:22):
Well, there's a lot of different ways we can go with
that. I think that one of thefirst lessons that I learned was
that when I used to work at aVAR, the way that you viewed
security was very different.They essentially shoved one MDR
solution in front of us, one SOCas a service solution, and said,
this is security. Top to bottom,this is cybersecurity. And I
(01:44):
think that part of just beingcontinually curious, you start
to understand that security isachieved through defense
in-depth.
There's a lot of layers to it,and there's a lot of different
things that have to work welltogether. Starting to understand
that and understand who existsin the marketplace and how they
feed into each other isimportant for making any sort of
(02:07):
recommendation to any size ofcompany.
Lou (02:09):
So understanding the landscape, essentially?
Jacob (02:12):
Yeah. Like, understanding who exists, how do they compare,
recommending people meet with upand coming vendors all the time
because there's a lot ofinteresting point solutions that
might fly under your radar. Butin terms of if you're gonna be
selling to some sort of securityexecutive and you wanna push
(02:32):
this one specific manageddetection and response company,
you should be prepared to talkabout how they compare to the
other 10 options or even if youcan just reference the top five
other ones that maybe if they'rewell more more well known than
the one you're pushing. Thatwill build credibility for you
with these security leaders thatyou're meeting with. Because
(02:53):
chances are they've probably metwith multiple vendors.
And if you're completely if yourwhole view of security is siloed
to this one vendor's opinion ofit, you might not give that air
of credibility when speakingwith a leader.
Lou (03:10):
Yeah. Okay. So that's for you as someone who's been
selling security for a while,understands it really well. What
about, know, in this channel,there's a lot of trusted
advisors that are just gettinginto security. So how do you
suggest that they maybe operatein a way that they may not
actually understand thedifferences between all the MDR
(03:32):
vendors?
Jacob (03:33):
I would say first, you know, one thing that was helpful
for me is find a champion and ormentor that is in the security
space. Start to understand theiropinions on certain vendors,
why, what has their experiencehas been, start to survey some
of your other customers andrelationships that you have.
What do they think of who existsin the industry? What has their
experience been implementingpeople, etcetera? I think one
(03:58):
thing that a lot of people failto consider is that also the
personality type of people insecurity is often different than
if you're selling telecom orcontact center or many of the
other realms of technology thatyou have access to if you're an
agent within the channel.
And so blunt candor and thewillingness to say I don't know
(04:19):
to certain things rather thanpretending like you do know, I
think also goes a long way.Like, trust is your currency and
security, and you can lose itvery quickly.
Lou (04:30):
That's great advice, and and I think it's a theme that
comes up often in other gueststhat I've I've spoken to, which
is it's acceptable to say Idon't know. And trust being the
currency, I I love that. That'sthat's absolutely accurate. You
mentioned curiosity too when youtalked about kind of the secret
(04:52):
to security sales. So beingcurious about how this all fits
together and what's better andwhat's not, know, what what is
your kind of go to for gettingthat kind of information?
Jacob (05:08):
There's a lot of different resources out there.
Obviously, Gartner has thosequadrants and they have various
vendors in there. There's variedopinions on how valid their
placements are based marketingcontributions, but it still
gives you high level ofawareness of people that are in
mid to late stage of theiradoption journey within
(05:31):
technology. You get to see whoexists in the quadrant. It's not
gonna be the best for earlystage, but in terms of knowing
who's established players, itcan be a good starting point.
A lot of venture capital groups,if you wanna know about what is
hot in terms of the emergingsecurity space, one resource
that a lot of people can formrelationships in is the venture
(05:53):
capital community. And that'sbecause, you know, they're
looking for their next goldenhorse to give a little bit more
investment to and watch the nextrocket ship essentially bloom.
And keeping an eye on who'sgiving money and where and who's
really excited about what canhelp you stay a little bit ahead
of the curve in terms of, wow,we're hearing amazing things by
(06:15):
these people and they just,received a pretty impressive
funding round from these threepeople who have a track record
of investing in success. Itmight be worth taking a demo
with them and just seeing ifthat's something that
partnership wise would makesense for your clients. And so,
I just advocate for people to becurious.
RSA in black hat, they havevarious innovation contests. Pay
(06:40):
attention to who places well,what are they doing, what are
the buzzwords being talked aboutat conferences? Do you know
about who exists in thosespaces? I think that would lend
you to being more aware of thatlandscape of who's shaking and
moving within the space.
Lou (06:59):
Yeah. And and you mentioned, a mentor as well.
Suppliers can fill that roletoo. Right? That's often where
we find ourselves, speaking totrusted advisers that are trying
sell more security.
They have the relationships, butthey may not have the knowledge,
so we try to guide them throughthat, you know, in an agnostic
(07:21):
way, which is, I think, probablyone of the other reasons that if
you don't get a supplier that'sagnostic, then you definitely
wanna find a mentor. To yourpoint, where where would you
recommend if it's not asupplier, you know, that these
these trusted advisers findmentors that can kinda help them
navigate security landscape?
Jacob (07:43):
I would say, like, focus on building positive
relationships. Go to where thecommunity is. The security is a
very healthy community, whetherit's at conferences, whether
it's wherever city you're in,there's local meetups of various
organizations, whether that'sISSA, ISACA. There's a lot of
different groups that bringsecurity people together. And
(08:06):
then don't sell them, just lookto understand their opinion and
perspective on the market.
Obviously, I don't think there'sany one person with a
unanimously correct view of themarket, but a lot of people have
different lived experiences andmight have a different
perspective to share with youbased on what they've seen,
who's done well, what theirpeers have told them. I think
(08:28):
that's another relativelyuntapped web is that once you
have a champion, a lot of peoplein security hold their cards
very tight to their chest andunderstanding who are their
friends. Because a lot of thesepeople, in addition to where
they look at news source wise,they ask their peers. If you can
leverage that peer network aswell, I think that that would be
(08:51):
a source of value. But onceyou've gotten to a level of
trust though, that is.
Lou (08:55):
Right. Right. So there's an element of kind of self
education in the beginning, youknow, doing kind of the hard
yards of of figuring out, youknow, what is security? What are
the things in the landscape thatI can sell? Who should I go to?
Who are the vendors that I cantrust? You know, what what do
(09:16):
you think when they when theystart to have these security
conversations? I think a lot ofTAs are get concerned that they
might be looked at as the expertor that they might be asked a
question that they can't answer.I mean, going back to your
original answer about, I don'tknow. I think that's probably a
logical thing.
But, you know, what do you sayto the TAs that are, a little
(09:40):
bit nervous about even openingthe conversation because they
they don't wanna get it overtheir heads?
Jacob (09:46):
Yeah. I mean, I think those nerves will settle over
time. I do think those nervesare justified because security
is one of the hardest spaces tosell in based on how technical
it can often be, the risk thatis associated with it, the
tempers that can flare up, howthe business impact. It's a
scary space to operate in bothas an operator and as a seller.
(10:07):
I think that you gotta kind ofown that you don't know, and
this comes back to a differentpoint of caring about the
outcome for your customers.
Because what is your valueproposition? If you're gonna
engage in a securityconversation and you're new to
security, you might not wannatout yourself as the security
extraordinaire mister influencerguy. Right? You might wanna
(10:31):
build your value prop on thefact that, you know, you've been
doing great business withclients for many years. People
love to do business with youbecause you care about the
outcome.
When escalations need to behappened, you know you as a
trusted advisor are all overthat. You are lockstep and key
throughout the entire salesprocess as well as post sale.
They know that you're someonethey can count on to bring the
(10:54):
right people in the room to havethe conversation resolved. You
don't need to I think a lot ofTAs try to be the guy, whereas a
lot of times you can be theconnector of the people.
Lou (11:05):
That's great advice. And, you know, it's it's also
relevant for the supplier side.We we wanna work with trusted
advisers that will, follow-up,that have good relationships,
that are transparent about theprocess, that are not just
trying to get quotes from us,but that want to, look at
solutions. And I think thatthat's another area where, the
(11:28):
traditional trusted adviser has,struggled from what we've seen.
If when I say traditional, mean,if you're looking at, you know,
or CX or things that might havebeen voiced, there's solutions
behind it, but it's prettycommoditized at this point.
So it's kinda like, here are thethree quotes. You know what
you're getting. Security is asolution sale, and, you know,
(11:52):
it's it doesn't really lenditself to here here's a couple
of quotes, especially because,you know, you're talking about
outcomes. That's what we we pushoutcomes based security, and we
wanna know what is the problemthat we're trying to solve.
Like, hey.
We want a pen test. Why? Why doyou want a pen test? What what
is behind that? Because thedeeper understanding will lead
(12:12):
to not only a larger, you know,engagement, but also more trust.
So, you know, the solutions, Ithink, are, that you're talking
about, it's kind of a it'sdefinitely a mindset shift for a
lot of TAs. So, is thatsomething that you've had your
whole career, or is thatsomething that you kind of
developed or came to over time?
Jacob (12:36):
I think I've always been curious. I've always, you know,
wanted to understand what I'mquote unquote selling. Right?
It's really important in myopinion for me to feel confident
to talk about it. I gottaunderstand it.
I might not need to know it downto the protocol level, but
understanding conceptually whatis the goal, is it trying to
(12:57):
accomplish, what are things Ineed to be aware of, how do I
essentially be the facilitator.Those are a lot of areas that
I'm really passionate aboutunderstanding in terms of the
solutionscape. I think thatThree Tree, know, me joining
them almost four years ago,really amped that up because a
(13:18):
lot of the leaders that arestruggling in the security space
is because when you compare itto like a telecom where a lot of
the other agencies start, therate of innovation is a lot
slower. And in security, there'snew acronyms all the time.
There's new solutions.
There's new, you know, platformplays, and there's point
solutions. How does it all fittogether? A lot of the pain
(13:40):
points for these leaders arecutting through the noise
because they have a day job,right? And I think that Three
Tree really emphasized, youknow, to me that, you know, it's
important to understand whoexists and be able to kind of
just be aware of the acronymsoup that is continuously
(14:03):
evolving. Because that's that'spart of our our value prop to a
lot of these leaders is thatthey trust us to advise them,
you know, which directions theyshould potentially pursue, which
ones maybe aren't right fortheir company culture,
operations, etcetera.
And I think that that justoverall industry knowledge isn't
gained overnight, but is superimportant for your success in
(14:25):
long term security.
Lou (14:27):
That makes a lot of sense. By the way, the acronym STOOP, I
I just wanna make a point aboutthat. We're notoriously bad in
security for for having. And,unfortunately, I don't see any
end in sight because we've gotCSPM, DSPM. You know, we're it
just continues, and we're guiltyof it sometimes ourselves.
But, yeah. What what do youthink? What what are some of the
(14:49):
conversations now? I I imaginethere's a bunch of AI popping
out at you, like AIconversations around security.
Jacob (14:58):
Yeah. I mean, AI is popping up across the whole
technology landscape. It's notjust security. You know, you're
seeing it in being able toautomate the entire customer
engagement process from chatbotto customer journey mapping to,
you know, maybe, for example,like a real estate company that
I was working with automatingthe engagement and leasing
process for new residents usingan AI agent. There's a lot of
(15:20):
ways to improve the speed ofprocesses, reduce the risk,
etcetera.
It comes with AI, but acounterpoint on that is that a
lot of times, the AI that'sbeing put in their environment,
it's like, it brings acapability and then it also adds
an additional risk that you haveto govern. And so, I'm seeing
kind of within the securityspace, there's one hot topic is
(15:44):
the automated SOC. You know,there's AI coming in from an
agentic perspective to reallytake off those tier one, tier
two tasks from your internal SOCteam or even MSSPs. Now, with a
lot of these bigger companies,it's okay, well, we see value in
that trimming down our alerts,handling a lot of the surface
(16:04):
level things, but how do we makesure that it stays on mission
and isn't doing things that wedon't want it to do and causing
potential business disruption?So I think there's solutions
coming on both sides in the AIangle across the whole tech
stack of what is something newthat we can do that's better,
faster, cheaper, and then how dowe make sure that it doesn't
(16:24):
light our train on fire whiledoing so.
Lou (16:27):
Yeah. Did you go to Black Hat this year?
Jacob (16:30):
I did.
Lou (16:31):
Actually, I think I saw you. We ran into each other.
Yeah. I mean, did you walkaround the perimeter and see
some of those it it seemed to melike almost every vendor well,
everyone had AI. They had it'sit was obligatory, but also they
had AI stocks.
Like, even vendors just who arejust right next to each other. I
(16:53):
don't know if you walked thisfloor.
Jacob (16:55):
I wasn't able to walk the Expo Forward this year. I did at
RSA earlier in April, and I hadsome colleagues that did walk
the floor at Black Hat thisyear. But I don't doubt it. I
mean, it's whenever there's ahot buzzword that people are,
you know, focused on, you know,there's a lot of funding being
put that way. Boards are sayingwe want capabilities, we want
(17:17):
AI, we want all the differentthings.
Like, you know, where the moneyflows, so does attention. And I
think that, you know, thesevendors in their marketing
departments are doing the bestthey can to kinda ride that
wave.
Lou (17:29):
So what what about some other challenges that AI know,
we gotta speak about AI, but areyou seeing companies evolve past
the kinda like just basic stackof MDR, you know, endpoint,
maybe some compliance regime,and really looking at improving
their programs and, you know,getting deeper, tying it to
(17:51):
business outcomes, things likethat?
Jacob (17:54):
Yeah. I mean, it kinda depends on how mature of
companies we're talking about.Like, there's a lot of
interesting up and comingdisruptors that are maybe in
seed stage, maybe getting to toseries a that are, like one that
I met with earlier today iscreating digital employees that
(18:15):
essentially are, haveverticalized skill sets from an
agentic perspective to emulateone domain of security. So,
that's like a virtual GRCmanager, and then it can
automate the entire lifecycle ofvarious accounts. It can
automate evidence collection andreport generation.
(18:36):
There's like, there's a lot andthere's like different aspects
of how it's applied to securityoperations versus, you know,
like, it it really kindadepends, but I am seeing a lot
of unique, interestingcapabilities that are coming out
for sure.
Lou (18:50):
I mean, what about, like, just the basics for for your the
customers that you're workingwith? Do you find that they've
got those covered pretty well?You know, I don't I don't know
what area. You're you're midmarket to enterprise. Is that
right?
Or are you
Jacob (19:02):
Yeah.
Lou (19:03):
SMB too?
Jacob (19:04):
You know, we have a couple sellers on our team that
that work with some SMBaccounts, but my personal
primary focus is is low to upperenterprise. And obviously, each
segment of company will havedifferent needs and risk
appetite and different levels ofhow do they even have a security
team versus how big is theirsecurity team. That will really
(19:27):
affect what they're interestedand why. And not to mention just
also by industry, right? Likethere's certain industries that
might be later adopters thanother.
Like Historically, manufacturingisn't necessarily at the
forefront, especially with theiraged OT systems, right? So I
think that conversation kind ofdepends on the client's
(19:47):
positioning.
Lou (19:49):
Traditionally, it's been healthcare and finance, right?
They're regulated. There's avery obvious risk and a very
obvious impact if something badhappens, manufacturing,
etcetera, and especially evenmore, like, oil and gas and
stuff. I I've worked with themmany years, but it's always
(20:13):
been, hey. We pull, deaddinosaur stuff.
We we don't need it. And thenall of a sudden, you ask
questions like, well, do youhave, you know, monitors on the
wells? Do you are there youknow, how are you seeing what's
going on remotely? And they'relike, oh, yeah. Yeah.
We actually do have that. Andthen, you know, as you start to
dig every company is a petcompany these days. So more more
(20:37):
and more are coming to mind. So,you know, as far as, again, with
the the TAs, and and anymessages or or knowledge you
could drop with them, We've gotwe've spoken about how they can
get a mentor. We've spoken abouthow they should be curious.
You know, maybe finding goodsuppliers that can kinda lead
(20:57):
them on the journey as well,understanding the solutions.
Yeah, I mean, getting into localevents, ISSA, Resaca and stuff
like that. Those are definitelygood entry points in any market.
Any other advice you'd give tosomeone listening?
Jacob (21:15):
Yeah, I would say that one thing that you definitely
need to make sure to do and thatwill start to elevate how much
the customer trusts you isunderstanding what is their role
within the organization. Becauseas you move upmarket, the
political landscape and whoreports to who, who gets along
with who, who's in charge ofwhat gets to be a bigger level
(21:40):
of consideration. And sounderstanding, you know, are you
working with the decision makerwho at this point in his career
is nontechnical versus are youmeeting with someone who's
leading the architecture designversus someone who's the hands
on keyboard analyst trying tostop threats? You know, what's
important to them and how youmake them a champion within
(22:00):
their own organization is gonnabe a bit different. So I think
that once again, your primarygoal, and this comes back to
Three Trees, honestly, missionstatement being empower leaders,
go out and figure out how toempower your champion.
At the end of the day, they'reowning the risk, not you. Their
butts on the line, not you. Youneed to make sure that you
(22:23):
understand how are they scoredwithin the organization, what's
really the objective and impactof this project, And what
resources do you have at your,you know, your disposal to make
them look like a hero? Andreally, if you can if you can
consider, you know, consistentlybring them wins that help them
accomplish their vision and bethat kind of enabler, that's how
(22:45):
you build the level of trust towhere maybe, you know, no one's
There's a lot more job hoppingthese days and a lot more people
float between companies and youwanna make sure that you've done
such a good job for them thatyou're clearly gonna be there
for their first call when theygo to a new spot. And I think
that focusing on how you empowerthem is a good way to do that.
Lou (23:05):
Yeah. Yeah. And I think the navigation of that org chart,
that's really relevant becausethat's also another strength for
bringing security into theconversation because one of
those aspects that touchesevery, you know, part of the
organization. Right? So,typically, when we'll go in,
we're going in usually at clevel or maybe director level.
(23:27):
Anything below that, we youknow, there's not really an
influence there. And even ifthey like us, you know, we need
to move up. But when we get tothat director level or even c
level, like a chief informationsecurity officer, a lot of times
people need a help in that area.So we're gonna help them look
like heroes, and, and then youget better exposure to the c
(23:49):
suite, and then you can sellmore stuff as well because they
trust you and you earn thattrusted adviser moniker. So, I
think that's really relevant.
I'm glad you brought that up atat being, understanding the org
chart, understanding how to workit, who are you speaking to, and
then, you know, tactfullygetting up to speak to maybe
(24:11):
higher levels. Do do you haveany kind of tips or secrets
about, let's say, you're cominginto the IT manager and you want
to speak to, you know, the CTO.How do you navigate that?
Jacob (24:24):
Yeah. I think that you gotta elevate past a technical
conversation and more into abusiness discussion. And a lot
of times when you're dealingwith the c level for technology
decision makers, a lot of theirjob in terms of even getting
approval for budget is thenjustifying, okay, we spent this
much money. What did it do? Andin security, it can be
(24:47):
especially hard because whenthings are quiet, that's when
they're good.
Unless it's like, oh, we spentmoney on an engagement to get us
compliant to this benchmarksthat we can win this RFP for
another client that's dependenton us getting to this compliance
standard. Right? Outside ofthat, a lot of CISOs that I work
with, they struggle. They have alot smaller budgets than their
(25:11):
IT peers. And so how do you makethem a champion?
And a lot of times it's there'svarious ways of doing it with
products, etcetera, but how doyou help them create business
cases to justify additionalinvestment as well as doing your
job as a TA during QBRs and kindof justifying, you know, you
spent your money on this, thisis kind of what it's done. You
(25:33):
know, how do you quantify atleast some sort of risk that was
reduced and or, you know,business advantage gained
through whatever investment theyspent? And I think also another
way is once again compliancetends to touch a lot of people's
(25:53):
interests, you know, because youcan talk about, oh, niche
solution within security that inthe invasion state miner helps
re hook your EDR so that it'sspecifically for anti ransomware
disruption, right? And thatmight be really important and
interesting to a securitydecision maker, but you talk to
(26:14):
like a CTO, CIO, like what?Whereas if you're like, okay,
the way that you even talk aboutthat to them is gonna be a bit
different of, okay, on yourworst day ish, a threat actor's
in your environment and was ableto encrypt your systems and
exfiltrate data, how much woulda day of downtime cost?
How much would four days ofdowntime cost? How expensive is
(26:38):
your data? What would happenreputationally if this data
leaked? What if you had asolution that could potentially
throttle the amount of databeing willing to leave your
environment until it wasapproved and or grab decryption
keys the moment they'regenerated so you don't even have
to negotiate with ransomwareactors? There's ways of
(26:59):
approaching that conversationfrom a more of, like, a business
context perspective than just atechnical capability.
That makes sense.
Lou (27:06):
Yeah. And absolutely. And then it's also wins less. I
mean, to the tabletop to todetermine that. And yet, also,
the sales pipeline, there's somany soft costs that are not
accounted for in breaches, andwe've done a calculator.
The hard costs are you gotta getlegal. You gotta get an IR firm.
You got, you know, maybe an ITfirm to do recoveries, blah blah
(27:28):
blah. But then there's a Howhard is it as a salesperson to
build pipeline, and how easy isit to lose it to your
competitors? Especially, theythey jump all over that.
Like, oh, did you see, you know,Widgets Inc. Just got hacked?
You know, you might have beenlooking at them as a solution.
Here know, we'll give you adiscount if you jump over to us,
and you're probably able tobreak your contract or, you
(27:50):
know, not sign that, etcetera.So we've seen it.
And so there's a lot of, youknow, quote, soft cost, things
that are not gonna they're gonnahit the bottom line, but they're
not necessarily gonna be a lineitem in your, p and l. You know?
That's that's a good goodconversation to have, and you
wanna have it proactively. Theworst days for any of the c
(28:12):
suite are when it's reactive,and then they're like, shoulda
coulda won out or, you know,they may even come to you and
say, you know, why didn't we dosomething about this sooner as a
trusted adviser? I mean, thatthat's another question, Jacob.
Like, how when you're trying toyou're getting in let's say
you're having lunch with a a CFOor or even a CTO, and they're
(28:34):
like, oh, we don't we've gotother priorities. We're working
on other projects. How do youget them to, say, well, okay.
Maybe we need to look at thisproactively, you know, avoiding
that that discomfort of areactive situation.
Jacob (28:48):
I think that there's two parts to it this. I mean, being
good at storytelling and havingreal stories that you can
reference, whether it's in themedia or it's even more
impactful when it was a clientof yours and how a delayed
decision led to some sort ofoutcome. But now, you know, post
engagement, they what kind ofpositive effects they've seen.
Being able to tell the story ina convincing and compelling way
(29:10):
of why it would be worth, itwould be in their best interest
to pursue it, I think is oneangle. I think the other thing
that a lot of people mess up onis at the end of the day, you're
not the decision maker.
They are. You can lead a horseto water, but you can't make him
drink, and your job is toempower them. What is important
to them and how do you help themget to their goals? You can give
(29:33):
your opinion and your advice,but if you're trying to,
especially if you're notintimately familiar with their
business and what it takes tokeep it afloat, if you're just
pushing that you should approachsecurity some this way because
you think it's optimal way, Itjust comes across as like you're
a salesman trying to hit quota.Right?
(29:55):
So leverage stories, real worldexamples that you can that
illustrate that it's in theirbest interest, but also know
when to back away. And I wouldsay never die on a hill for
anyone. If anything, if you dieon a hill for it and then they
(30:15):
go with you and then they justkind of you kind of ruin the
relationship over it, that's notgood. Whereas, whereas if you're
like, hey man, I gave you arecommendation but I totally
respect it's not a priority ofyours, you know, I'm here when
you need me, and then somethingdoes happen, they're gonna call
you and they're gonna be like,hey man, you're right. Sorry.
What can we do? Right? Soknowing that line and knowing
(30:36):
when to walk away is important.
Lou (30:38):
We've seen it, you know, and it's, it's unfortunate that
it often takes that. However,when, it does happen, the, you
know, the TA gets called, andthey're like, yeah. You know,
you've been talking to us aboutthis. Sorry. We didn't do it
sooner to your point.
So I think, you know, it's greatadvice to say don't die on the
(30:59):
hill because if you do, thenyou've closed the door. You've
possibly burnt a bridge where,you know, you're too pushy.
Let's move to someone else orlet's we'll talk in six months,
and and they're like and thenthey're maybe even embarrassed
to call you if it happens. Butif you leave the door open,
you're not too pushy. They'regonna call you.
You know, if they don't listento your advice to your point,
(31:20):
it's frustrating sometimesbecause, you know, for us, you
know, we know the consequenceshaving done, you know, tons of
incident response, but you can'tto your point. Let's let's not
force their end because they'regonna just resent you for it,
and you may be closing a doorthat later on would be, pretty
lucrative, and it's theirposition.
Jacob (31:42):
One other side note that I was thinking about, I was
talking with our new CEO, KarekStanwyck, about this today or
the other day was that, youknow, a lot of people throw
around the word agnostic. And Ipersonally don't like that word.
I used to use it all the timebecause it's like, oh, yeah, no,
we're not bound or beholden toanyone. But I feel like saying
that you're agnostic to anysolution means that you don't
(32:05):
care about the outcome. Becausein my opinion, once again,
opinion, my soapbox, is that ifyou really do due diligence and
you meet with a lot of differentvendors, you might and you start
to do projects with them and yousee that the way that they run
projects, what escalations looklike post sale, those types of
experiences over time will startto shape who you recommend to
(32:28):
who and why.
And I think leveraging thatlearned experience is really
powerful. And I tell a lot ofour customers, know, because
they're like, oh, you'reagnostic, right? I'm like, yes,
to a degree, but a human being.I have my opinions and I'm gonna
tell you, Oh, I mean technologywise, yeah, they're very
similar, but in terms of when,forgive my friend, shit hit the
(32:52):
fan and something needed to beescalated, the response was
drastically different at thiscompany versus this company. And
I think that's important andworth knowing for these buyers.
So one thing I would say isdon't also die on the hill to
say you're agnostic. You know,there's certain, in telecom,
it's a lot more reasonable to betruly agnostic because they're
(33:13):
all so similar, and you can havejust like a pricing discussion.
But in security, when thesubject is as sensitive as it
is, I think it's okay to have anopinion based on who you're
seeing do good business.
Lou (33:28):
Agnostic with an opinion, basically. Exactly.
Jacob (33:32):
Long winded summary.
Lou (33:34):
No. That's great. It's important. It's funny because we
are agnostic from a technologyperspective, but we've got our
our preferred vendors as well. Ithink that it's you're right.
It's almost abdication of adecision to pay, you know, we're
agnostic. Pick who you want.We're not gonna force your hand.
That's actually not whatcustomer is looking for, I
think.
Jacob (33:54):
No. They want that guidance, and they wanna feel
like the person they're engagingis helping to get them the
optimal outcome. And if youtruly don't care what vendor
they pick, you know
Lou (34:07):
That's not really advises. That's good. I that's great
advice. I mean, this is this hasbeen a lot of really, really
good, feedback and advice forpeople that are listening. Let's
pivot from, you know, nuts andbolts of work to more of a
personal side.
(34:27):
You know, who's Jacob Friedman?Like, what what's your you're
you're in Chicago. Yeah?
Jacob (34:33):
Yep. Moved out here just over a year ago to open up and
establish kind of the three treepresence out in this region. As
you can see from the cat behindme, I'm a cat dad. But, you
know, outside of work, you know,I've always been into mixed
martial arts. I'm a big fan ofthe UFC.
(34:53):
I'm, know, into fitness. I'm afoodie in Chicago. But, you
know, coming back to, you know,kinda three tree life is you
know, I've I've been worth themfor a long time, seen a lot of
ebbs and flows and changes inthe industry. And I lead a lot
of our engagements with thebiggest global accounts and and
their security teams, etcetera.That's kinda that's kinda me in
(35:15):
a nutshell.
Lou (35:16):
Yeah. And how'd you get, like, from doing sales? Did you
do security at the beginning, orwas that something you you just
that your passions led you to?
Jacob (35:26):
No. I mean, I started in door to door sales when I was
15, and I got bamboozled by acompany called Trailblazers
Marketing, where I was soexcited for my first marketing
internship. And it turned out onthe day of you show up in a suit
and then they change you into akhaki and t shirt in the back,
and then you go door to door andsell CenturyLink. And that was
(35:48):
one, that was a starting pointfor my sales career, but then
I've held a lot of differentpositions. Throughout college,
was one of the founding membersfor the Oregon State Sales Club,
so I traveled all over The US toemulate and role play in various
situations to win these salescompetitions.
And then got an internship whenI was in college at my first
(36:10):
kind of tech sales role at anamazing company called Pacific
Office Automation. And they sellthey're a value added reseller,
and they sell a bunch ofdifferent things. And so surface
level, I did get an introductionto security through them selling
Arctic Wolf as an MDR service,but primarily, I was doing like
printers, copiers, phonesystems, security cameras, stuff
(36:33):
like that. All like SMB officelevel technology. And that was
kind of how, yeah, I got mystart.
Lou (36:42):
That's great. And it's so so really kind of from selling a
vendor thing, wait. How doesthis vendor work? Going back to,
you know, comment at thebeginning of the podcast, which
is be curious. You're like, waita second.
What what's the security thing?And then you were like, wow.
This is there's a lot to thisrabbit hole. And where can
people find you, connect withyou?
Jacob (37:02):
Yeah. You can find me on linkedin.com/jfreedmantech and
or, I'm on a couple of the,podcasts over at infosec.live.
They're a great group of people.They have their own podcast.
Simon Lundstedt, the founder,has been super generous to let
me cohost on there from time totime.
They have a big cyber communityspanning the The US and The UK,
(37:24):
etcetera. I'm in between thoseplaces as well as, you know, I'm
here local in Chicago trying tohead to the various events, as
well as the big conferences. Sofeel free to reach out. Always
happy to to to have a chat.Yeah.
Lou (37:38):
Jacob Freeman, it's been a real pleasure really getting
your insights into security. Iknow you're one of the the the
big hustlers out there withsecurity getting it done. So
thank you very much for forjoining.
Jacob (37:50):
Of course. Thanks, Lou. Appreciate your time.
Lou (37:52):
Of course. So, thanks also to those that are watching and
who are listening. If youlearned something today, or
laughed, please, tell someoneabout this podcast. Thanks
again, Jacob, and this has beenanother exciting episode of
Channel Security Secrets.
That's a wrap for this episode of Channel Security
Secrets. Thanks for tuning in.For show notes, guest info, more
(38:14):
episodes, visit us at channelsecurity secrets dot com.
Channel Security Secrets issponsored by Cyber Defense
Group. When it comes toprotecting your business, don't
settle for reactive.
Partner with experts who buildresilience from the ground up.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
CrimeLess: Hillbilly Heist
It’s 1996 in rural North Carolina, and an oddball crew makes history when they pull off America’s third largest cash heist. But it’s all downhill from there. Join host Johnny Knoxville as he unspools a wild and woolly tale about a group of regular ‘ol folks who risked it all for a chance at a better life. CrimeLess: Hillbilly Heist answers the question: what would you do with 17.3 million dollars? The answer includes diamond rings, mansions, velvet Elvis paintings, plus a run for the border, murder-for-hire-plots, and FBI busts.