Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Lou Rabon (00:01):
Welcome to Channel
Security Secrets. I'm Lou Raban.
On this show, we expose theuntold secrets and critical
insights from the people shapingthe future of cybersecurity
sales in the trusted adviserchannel. If you're looking to up
your game around sellingsecurity, stick around. Channel
Security Secrets is brought toyou by Cyber Defense Group on a
mission to shift cybersecurityfrom reactive to resilient.
(00:38):
I'm stoked to chat with ourguest today. She's an award
winning cybersecurity leader,educator, and customer advocate
with over thirteen years ofexperience in the field,
recognized as one of CloudGirl'srising women to watch and named
among the San Diego BusinessJournal's leaders of influence
in technology. Former thecybersecurity principal at Level
Blue, she led key services likemanaged threat detection and
(00:58):
response and managed endpointsecurity. She's currently an
adjunct professor at theUniversity of San Diego as well
as serving as the vice presidentof cybersecurity at Bridgepoint
Technologies. Melanie Thomas,welcome to the show.
Melanie Thomas (01:12):
Hello. Thank you
so much.
Lou Rabon (01:13):
Yeah. Great. Like,
all this stuff that you have,
we're gonna have such a goodconversation. I love it. But,
you know, I always like to startthe show with what what the
biggest secret is.
So so what's the biggest secretto your success in the channel?
Melanie Thomas (01:27):
So my biggest
secret to success in the channel
is harnessing the chaos andcomplexity that is the cyber
industry. Right? Products,services, vendors, all this
craziness into something that'sreally meaningful and obtainable
and structured.
Lou Rabon (01:45):
Okay. So that I'm
gonna go deeper on that one.
What how do you especially for alot of people in this channel
are nonpractitioners. When youspeak to customers, obviously,
they if they're practitioners,they get it. But how do you get
to the ones that don'tunderstand, like, what is
meaningful and how and and tomake, you know, order out of
(02:07):
chaos?
How are you doing that?
Melanie Thomas (02:08):
We do that in a
couple different ways. And this
is also what we train ourstrategists and teams here at
Bridgepoint to look at, andwe're kind of thinking about
cybersecurity and what does itmean to get in these
conversations. So a lot of whatwe coach around, top three
things would be that nuancematters. Right? So we're
thinking about what are whattechnologies do they already
have?
(02:28):
Right? What how their teams liketo function more so than just
how many endpoints or servers dothey have? Right? How do we
actually can operationalize allof those different technologies
to work together? Becausecybersecurity is really just a
team effort.
It's really just a lot ofeverything's connected kind of
conspiracy theory kind offeeling sometimes where it's the
firewalls are connected and howwe choose different vendors.
(02:49):
Right? The nuance matters. Whatwe also tell them is that
endurance is one of the keys tosuccess here in cybersecurity as
well. So it's not just inlearning cyber and being
familiar with the differenttypes of solutions that are out
there, vendors, theories on howto structure cybersecurity and
(03:11):
secure architecture.
It's also remembering that whenwe do get in these conversations
and customers are makingdecisions about their budget or
making decisions aboutpartnerships or tools they wanna
use, there are a lot ofstakeholders. Right? So it's not
necessarily that you're gonnaget a sale off your first call
because it happens to be theCISO, for example. It's also
endurance, and there might be 10stakeholders that we have to win
(03:34):
over. And how you talk to anengineer is different than a
CRO, right, or different than aCFO.
And we wanna kind of make surethat we're explaining all of
this and strategizing for that.
Lou Rabon (03:43):
I love it.
Melanie Thomas (03:44):
It's a lot of
strategy at the end of the day.
Lou Rabon (03:46):
Yeah. I wanna go into
deeper into some of that
because, I mean, it's just greatstuff. First, it's like you're
you're talking about the why.Right? Like, you're not just
saying, oh, you need an EDR?
You need an endpoint detectiontool? Sure. Okay. Here are three
vendors. Here are the quotes.
Pick one. Have a nice day.You're you're going deeper, and
you're asking why.
Melanie Thomas (04:05):
Absolutely.
Absolutely. Because we can be
transactional, and that's alsothe Bridgepoint way is we're not
necessarily transactional,right, on security. You can
replace, you know, EDR vendorsall day. You can throw something
over the fence to say, hey.
Here's the Gartner top five orwhatever it is. It happens to be
that that quarter, that year,however they do that. It matters
on what do they wanna do for aroadmap, right? What do they
(04:28):
need to worry about for datasecurity? What is their plan
for, right, their MDR, theirEDR?
What is their insurance thatthey have to do? Right? What
rules do they already have toplay with? So I'm not I don't
always love a check-in the boxconversation where it's like,
well, let's just pick an EDRbecause this list says that we
have to have an EDR. Let's bemindful of it and make sure that
(04:49):
we're picking something andimplementing something, and
we're using the resources thatwe have, money, humans,
technology, in a good direction.
Right? It's gonna save us time.It's gonna save us a lot of
frustration. Ideally, it's gonnasave some careers, so you're not
spending a significant amount ofmoney just to have it blow up in
your face at the end of the day.Right?
So it's also what are we makingsure that we're mindfully
(05:10):
suggesting and mindfullyselecting the customers to
really make sure it moves theneedle for security?
Lou Rabon (05:17):
Yeah. It's looking at
the big picture, and it's also
going back to that why we we'reoften getting inbound requests
from from trusted adviserssaying, hey. We want a pen or
customer wants a pen test. Andwe're like, why? I mean, we had
one that was, you know, lookingfor just a really kind of
textbook pen test when theydidn't even have one person
(05:38):
dedicated to security.
It's like, sure. You can findout that maybe the things that
you know that are gonna gettested have enough controls, but
is that gonna tell you that you,don't have a proper off
offboarding process for, youknow, a user that has admin
privileges? Probably not. Imean, if they're one of the
people that we're testingagainst, but, you know, a pen
(05:59):
test often is not gonna tell youthat.
Melanie Thomas (06:01):
Right. And it's
a corporate document. You gotta
be risky whenever you get thosein because you have to do
something with those results.You can't just let it sit there.
Lou Rabon (06:07):
Yeah. Which is also a
a reason why I think a lot of
companies are, you know, kind ofhesitant. Certain ones because
they're like, okay. For thesmaller ones that are just
getting into security, maybethey're not regulated. They're
like, okay.
Do we really wanna do a pen testor an assessment? Because now
we're gonna have a bunch ofstuff to do. And, you know, just
as a side note, what one of theways that we handle that is we
(06:29):
we get them into a twelve monthcontract. We say, we'll do the
assessment, but not as aproject. And if you don't like
it, afterwards, you can exit.
But the thing is we want them toknow that this is not something
that they should put on a shelfbecause data is, like, you know,
good a good baguette. It getsstale after a couple days.
Right? So the assessment after,you know, they let it sit and
(06:51):
collect dust for three monthswhile their analysis paralysis
about what to do next and whatto attack, all of a sudden,
that's not even theirenvironment anymore. Right?
Melanie Thomas (07:01):
Absolutely. I
think it's a very funny similar
conversation when people arelooking for MDR or MXDR or
source solutions. Right? Andthey want it managed. So it's
like, you still have to havesomeone on your team as a
customer giving them feedbackand helping them provision and
facilitating requests andreading alerts and things like
that.
Right? It's not necessarily thatyou hire a third party MXDR
provider and you can fire yourentire security team. Right? You
(07:24):
still have to have that back andforth. So it's interesting when
people are like, well, we knowwe have to do it.
It was in the news. Right? Itwas someone mentioned they can
do this. You're like, well,let's let's talk about it. Like,
I always have at least threequestions to anything.
So let's let's this is for thisa little bit more and see if
that's really what we wanna doright now.
Lou Rabon (07:40):
Yeah. So dive in, dig
deeper. I mean, you're a
practitioner. You you come froma a really storied security
background, so it's easy for youto have those conversations.
What about the trusted advisersthat may not?
I know that you you are theperson for security essentially
at Bridgepoint. You have someother people that that hold
(08:00):
that, but, like, it's theMelanie show. So what you know,
how do you empower those othersellers that might not be
comfortable, like, kinda doingthose deep dives, like, big
picture conversations with thecustomers?
Melanie Thomas (08:13):
That's great.
Every once in while, I'm very
uncomfortable getting into someof those conversations as well.
So I get it. One of things thatI love about it is when we're
getting into, like, learningsomething that's very new.
Right?
Kind of similar to what I I talkto my my students about as well
at USD, where it's, you know,knowing that you don't know
everything is fantastic. Right?No one in security knows
(08:34):
everything. And so, yes, you canwalk into Black Hat, for
example. You can go to DefConand talk to who might be the
smartest person in the room, butthat's different context,
different experience.
Right? And it really is a teameffort. So doing some due
diligence. Right? Take somecourses, some free courses.
Right? Go online. There's lotsof vendors who will provide kind
of free training. Keep your mindopen. Right?
(08:55):
Some ups guided. But, right,find something that you also
enjoy. Right? Find somethingthat maybe lit a little bit of
fire that you wanna investigatea little bit more and do some of
your own kind of research. Spendsome time learning security.
Eventually, it's, you know, it'sreally, I say addictive, but
it's really contagious. Right?It's this is really super
(09:16):
interesting. You start seeing itin the news and you wanna
continue digging deeper. Also,for help.
I lean on my teams all the timebecause they have, right,
different experience, differentways of doing things, different
approaches. So ask questions,ask for help, get somebody else
in the room with you. Butdefinitely, you know, learn a
little bit on your own and beable to write know a little bit
(09:38):
of acronyms, and it takes time.So don't beat yourself up if you
don't get it after your firstcall, after your first month,
maybe after your first year.Right?
It's security is complex.There's hundreds of ways to do
it, and everyone does itdifferently. So it's not a one
size fits all. Jump in. Right?
Get someone to back you up andand go from there.
Lou Rabon (09:58):
Yeah. Big time. And I
think saying I don't know,
that's really important. I'vespoken to other TAs that are are
you know, they say, hey. Listen.
That's one of your biggeststrengths is being able to say,
hey. I don't know, but I'll getyou the answer. And another
point on that is when it's kindof a a a ancillary service. So
(10:19):
for instance, if you're sellingcircuits or bandwidth, it might
be, DDoS protection. That's kindof an ancillary service,
something that's complementary.
So you're still speaking in yourkind of lane because, you know,
as a trusted adviser, thatperson may understand that. But
it's and they may not understandDDoS protection, but they
understand denial of service.They you know? So that's, I
(10:41):
think, where a lot of them entertoo.
Melanie Thomas (10:43):
That's a great
point. Yeah. Find something
that, yeah, it's it'stangentially related. Right?
Something that you can kinda befamiliar with, and maybe that's
a great breadcrumb, right, towhere you might be learning
something completely different,right, in three months from now.
Lou Rabon (10:56):
Exactly. Exactly. You
you also mentioned I wanna go
back endurance because I think Imean, listen. I think a lot of
life is about endurance and alot of success in life at least.
Right?
Melanie Thomas (11:08):
So Yes.
Lou Rabon (11:09):
What tell me more
about that, about the endurance
in a sale for security.
Melanie Thomas (11:14):
I wanna say, I
think one of the recent
statistics that I've heard, Idon't know who said it. I'll
find some more research on that.But one of the things that we've
seen a lot of vendors also say,I should say, is that it could
be up to eighteen months orlonger, right? That a customer
is looking at replacing some ofthese key pieces of security.
And so if they don't sign inthirty days from talking to you,
(11:36):
from filling out a demo requestrandomly online, from maybe a
lead that you purchased from aB2B lead marketing, for example,
and they'll buy the first timeyou talk to them, that's okay.
You're competing againsthundreds of other people,
thousands of differenttechnologies and combinations of
that. And so that's gonna taketime just to weed through,
right, get to that first phase.And so our trusted advisors is
(11:57):
also where we help. Right? It'slike, let's go through, let's
talk about some of the top onesthat we have experience with
that we know are gonna be legit,right, as we move forward with
that.
Mhmm. But it's also looking at,you know, these are not
transactional services, to usethat word again. So these aren't
something that's really easy torip and replace. It's gonna take
one day to change an API token,things like that. Those aren't
(12:19):
these kinds of services, right?
Security services are reallyingrained, not just in your
security stack, it's in yourprocesses, it's in your company
policy, it's in your businessimpact analysis, your backup and
recovery, your disasterrecovery, incident response,
right? And so all these matter.And so it matters. We can't just
rip and replace an EDR. Right?
So for example, when CrowdStrikehad that very unfortunate
(12:41):
development incident last year,not we didn't see a lot of shift
in CrowdStrike usage. Right?Because they're still a very
legit company. They just happento have made a very unfortunate
mistake and got themselves inthe news. Yeah.
And so it's not just it's easyto rip and replace. Even rip and
replace could take six months bythe time you get a vendor
depending on, right, how youaccess your devices and things
(13:03):
like that. So It gets reallycomplicated and sometimes that's
where people just kind of glazeover. They're like, yeah,
there's no way I can rememberany of this. That's also fine.
People like me are nerds. Welove the details and we love
getting into that. And teameffort, right? It takes all of
us to get through these. Buthaving the endurance to say, you
know what?
This might take six months. Wemight be talking next quarter by
(13:24):
the time we can look into theirvendor, and that's okay because
that's how long some of thesesystems take to really mindfully
implement something that's gonnastick.
Lou Rabon (13:32):
Yeah. So be prepared.
Right? Be prepared that it's
going to be a longer salescycle. So endurance and patience
would be, part of it.
So that's that's really goodadvice for anyone selling
security. And for sellingsolutions, it's even harder,
meaning, like services, likewhat we do. It's like if you're
selling a services sale, oftento your point, it's not just
(13:54):
that it's so hard to rip andreplace a vendor for EDR or a
service vendor, but it's also ifyou make the wrong, you know,
choice, it really could be yourjob, and it could be a couple
people's jobs because it couldrisk the company's reputation if
you make the wrong choice. Sonot like if you get an IT
(14:15):
vendors I I think the same forIT vendors, but that's another
story. You you definitely wannachoose the right one or it could
be disastrous.
Melanie Thomas (14:22):
Oh my gosh.
Right.
Lou Rabon (14:23):
But I mean yeah.
Like, let's say printers or
whatever. Like, if you're gonnaor toner, you know, if you wanna
get a new toner, if you make theyou know, maybe a company lost a
couple, you know, $100 or somethousand bucks, but that's
that's something that you canjust do on accounting and and
recover from, save some money,whatever. But you make the wrong
choice of a vendor and you get,you know, the the hacked,
(14:45):
basically, the worst thing thatcould happen. There's there's
real impact there.
So I think it's definitely andand that leads to my you were
talking about these you know,all these vendors, and you go to
Black Hat and you see this, thethe big security conference.
It's scary how badly the vendorsare misleading everyone. I think
that's part of the the the bigproblem that we're having in
(15:07):
cybersecurity because everyoneis trying to market that they've
got the silver bullet that'sgonna solve all the problems,
and you know very well what'sbehind that. You know, what are
some of your experiences withthat?
Melanie Thomas (15:20):
Oh my gosh. I
think the prime example is AI.
Oh, we have AI. AI can do allthese things. And it's like, no.
I have I have questions. AI isshiny data science. It's data
science with software. It's nota magic bullet, and it matters,
right, how they train it, howthey implement it. Is it AI for
security or security for AI?
Right? There's a lot ofdifferent ways that you can do
(15:41):
that. So we see a lot of peoplesaying, well, it has to have AI.
Luckily, think we're starting tosee that tide turn where we're
starting to question like, whatdoes that really mean? And do I
really wanna pay more for itbecause I don't really
understand it.
Right? So it's not the steep orshiny thing. Another thing that
we're also seeing is not beingtransparent with the total cost
(16:02):
of that vendor, of thattechnology. So sure, you could
be an MDR provider, but if youdon't tell them, well, now you
have to deploy collector at 31different sites, and it's a
physical Collector, your teamhas to go do it, but we have to
have it. You don't find that outuntil afterwards.
Well, now you just it's asignificant cost to you and your
teams. Microsoft Sentinel is abig one too since we're seeing
(16:23):
more companies wanting toleverage Microsoft and consume
more in the Microsoft ecosystem.That's not free. Just because
you have an E5 license, that'snot free. There's extra cost
behind that.
I think if we start going backto some of the fundamentals, if
we think about IT fundamentals,security fundamentals, as you're
designing an environment, thetotal cost absolutely makes
(16:43):
sense. It's not just what you'repaying that vendor. It's the
ingress egress, right? It's thebandwidth in your network. It's
servers they have to set uptheir services on and all that
comes at a cost.
So as we get more and more intovery economic uncertain times,
customers are having to reducebudget or freeze budget. They
can't absorb like they used to,right, significant extra costs
(17:04):
on the back end that they didn'tplan for.
Lou Rabon (17:05):
Oh, yeah. Big time.
So many good things in there to
unpack. I mean, first is thecloud model, which is this
elastic amazing you know, I'mI'm old enough to remember that
the cloud was like the threeservers that were so loud in my
you know, under my desk, andthat was my cloud. Now you can
go you know, you can dobasically anything.
(17:26):
We we are now, you know, movingto forensics in in the cloud,
having a forensics lab. Supersecure, easy to get, huge data,
you know, transfers. Don't haveto then download that data. It
stays up there. It's awesome.
However, the cost for that areridiculous. I mean, you know,
just to have a cloud based onebig, forensic workstation in the
(17:50):
lab is, like, probably about$200 a day. And when it's idle,
it still costs money, you know,because you're not completely
destroying the instance. Sothat, like, thing about, yeah,
the the the customer's notreally taking into account that,
okay. Here's the licensing cost.
Cool. But it's like, wait asecond. What's the compute cost
for all that and the story? Andthen you get all, yeah, the
(18:12):
ingress, egress of data, thebandwidth. There's that.
And then there's you know, theother thing that's really
interesting is the vendors whenyou were talking about the AI
vendors. And what's you knowwhat kills me is and that most
people don't realize is you'llgo online and and every time I
see a new AI vendor and they'relike, give us all your data and
then our AI will tell you, youknow, first look at the privacy
(18:34):
policy, which is probably like,we're gonna use your data to
train our model because now datadata is not the new oil anymore.
Data is like the new diamondsbecause they've just basically
exhausted all content that theycan get other than, you know, a
now they're paying API fees forReddit and stuff like that. But,
you know, there's just no wayfor them to to find the amount
(18:54):
of data that they need. Sothey're using your data,
usually.
It's usually they're usingsomeone like Claude or Chad, you
know, OpenAI or, you know, Grockin behind the scenes, so they're
just paying a a cost there. Thisis a whole startup ecosystem
based on this stuff. And thenthird, the worst part is go on
to LinkedIn. Look at their, youknow, the people in their
(19:16):
company. There's usually 10people, and they're all either
sales and or tech.
There's no one that doessecurity. And you're it's like
but you go to their securitypage, and then they paid Vanta
$20 and some, you know, fly bynight auditor to give them green
checks all over everything. Sosorry. I had to get on a
soapbox.
Melanie Thomas (19:34):
That's good. No.
I agree.
Lou Rabon (19:35):
You know, the the AI
this whole AI bubble, it's just
like, you know, 2,000 all overagain. It's crazy.
Melanie Thomas (19:41):
Right. And all
the regulations are gonna come
in. So, yeah, you sign let yourusers sign up for all these free
AI accounts. Now when we get tothe accountability part of it,
and that's added to your thirdparty risk, and now you have to
figure out what of all yourtools use AI and how, and how do
they report that and how do theyuse your data. It's a whole
other piece of third partythat's going I think, become
more relevant in 2026.
(20:02):
And there are, of course,vendors out there that people
can connect with and do allthese things, it's attestations,
right? It's a whole extra set ofsurveys that you send your
vendors on top of what you'realready doing. So especially if
you're a vendor yourself, right?What are you up to now? Because
now you have to send it to allof your customers.
It's a whole thing. So I thinkit's we're starting to see now
when people jump to emergingtech, it's great. It's
(20:23):
innovation, but it it all comesat a cost, especially if they
said it's a free service.
Lou Rabon (20:27):
Big time. Big time.
We're getting a a ton of
inbound, you know, inbound AIgovernance requests. So which is
great because we've got, youknow, we've got the capability
there. But I don't know.
I've I'm on the fence. You know?It could be like privacy. I was
in privacy before people reallyknew back in, like, 2013 for a
big company. And, as I started,you know, my practice, CDG, I
(20:50):
was like, alright.
I'm gonna lead with privacy, andI got a lot of inbound in the
beginning when GDPR came out andstuff. But then it just went to
the lawyers, basically. And itjust became kind of a pay paper
exercise. So I kind of feel likeAI is gonna go that could go
that way where it's like youhave a lot of stuff to do, but,
you know, maybe you can templateit out and then just have a the
(21:11):
the challenges for securityteams, so back to, you know,
what's relevant to us, how doyou control that within the
environment? But, you know, Ithink there's certain companies,
at least from our experience inthis channel, where they they
don't even have the basics down.
Like, the the simple blockingand tackling, they're they're
not doing any of that stuff, orthey've been misled by a vendor.
(21:32):
You know, we're we're seeing thesecond and third generation of,
like, b c so, you know, an anoverused term where in the
beginning, they were justgetting the one person that was
telling them what to do and thencomes back a month or two later
and says, did you do that? Andnow they're evolving to our
model, which is we bring a teamand we execute, you know, and
and actually operationalize it.So I think it's the same with AI
(21:52):
where we're going to your point,we're going through that, like,
kind of everyone's excited,Dutch tulips. You know?
Right? But NFTs, best thingsince sliced bread. Yeah. And
then and then it's gonna, yeah,kinda even out probably.
Melanie Thomas (22:06):
Then something
else will come along, and we'll
have this all over again, and AIwould be the new privacy.
Lou Rabon (22:10):
Voila. It totally you
know, that's that's a fun roller
coaster that we've jumped on.
Melanie Thomas (22:15):
I love it. Never
boring.
Lou Rabon (22:17):
Yeah. Seriously. And
by the way, you did mention
about being curious, and so it'ssuch a an important part of
being a cyber practitioner, andI think that that's really
relevant for salespeople too.And and any you know, if you're
the person that, to your point,is going out there looking at,
you know, reading, you know,Brian Krebs and, trying to
figure out, how did that happen?Who's getting hacked?
(22:39):
You don't have to be technical.You don't have to be, like, the
guru. The fact that you'realready asking those questions
and kinda going down thoserabbit holes is a good indicator
that you'll be a good securitysalesperson, I think. So I I
think that's good advice too anda good app call out. You
mentioned insurance too.
That's one thing I wanted tokinda dig into a bit. Cyber
(23:01):
insurance. So what are youseeing in the cyber insurance
market right now?
Melanie Thomas (23:05):
Rates are gonna
go up. That's an easy one. So I
think across the board, everyoneneeds it. Right? Everyone's
everyone should have cyberinsurance.
If you don't already, like, weshould talk about it. Right? We
should talk about cyberinsurance. We're seeing a lot of
need for claims coaching rightnow, which I've been in a lot of
really good conversations about.So we're kind of also looking at
(23:25):
connecting the dots.
So in claims coaching, right,sure you have cyber insurance.
Ideally in your incidentresponse plan or something,
someone knows how to call thosepeople. So when something does
go bad and go wrong, right, youcan call them and they know what
to do. But it's also should youfile a claim, right? So we want
to think about cyber insurancethe way we think about
homeowners insurance, about carinsurance.
(23:48):
The more you use it, it's notnecessarily going to be
beneficial for you as a company,right? But we see largely in the
industry, everyone's using it.It's paying out most of the
time. And right, because theydon't have to approve the claim.
They can walk away and say, no,this is your fault.
We're not paying out. But shouldyou even file that claim? Right?
Is it something that you alreadyhave measures in place for? Is
(24:09):
it something that you guys canrespond to or burn something
down and start over instead offiling a claim?
It's unfortunate, right? We wantinsurance to be a parachute. We
want insurance to come in andhelp out. Typically with the
FBI, just because you call themdoesn't mean they can help you
out with an incident. They'll dowhat they can, but more likely
than not, they might notactually be able to help.
(24:29):
And then how do we reducepremiums, knowing that we're
probably going to have to useit, we're probably going to know
how to file a claim and when,but all of that's going to make
our premiums continue to go up.Underwriters are getting more
technical. They're getting morescrutinized. It's not just, hey,
we're gonna check a box andthat's what it's gonna be. You
can attest to it and we'll walkaway.
They wanna see proof. It's likea whole other audit that you
(24:51):
have to do. And so, yeah, youneed to actually be doing these
things and also prove it. Sowhen they, when you do need to
file a claim, they pay it. But alot of what we're talking about
too is also the strategy aroundreducing premiums.
Talking with your insuranceprovider, letting them know when
you deploy new technology foryour security, maybe that can
bring a premium down. Makingsure that your NDR, your IR
(25:13):
provider, whoever it is, is onyour insurance policy as your
preferred vendor so you can usethem and they can jump in and
help from this time. So a lot ofthe conversations that I think
were largely siloed before. Likeyou mentioned, you hand it off
to the lawyers and that's kindof if you need it, it's there.
But more conversation and morecoordination is really gonna
help everyone at the end of day.
That's gonna help, right, makesure that you're validated, make
(25:35):
sure that your premiums ideallycan come down or at least be
contained as much as possiblewith that better communication
with your insurance provider aswell.
Lou Rabon (25:44):
Yeah. Great. Great
points. And and it's interesting
too. We're seeing where if wehave an IR retainer we had one
client recently that we were onretainer, but because we hadn't
been approved by the insurancecompany prior, they didn't force
the the, you know, claimant, butthey were just like, hey.
(26:04):
Use our provider. They alwayswanna use their providers. We're
not on the panel on purpose.It's actually something we're
moving away from. It's just it'sa IR is a whole different
animal.
As you know, we we won't go downthat rabbit hole on this
podcast. It's probably a topicjust that we could cover in a
full podcast. But, you know, asfar as people and salespeople
that are trying to speak totheir customers about cyber
(26:26):
insurance, yeah, there's no youcan't mess around anymore
because back in the day, Iremember when the policies they
would just cover it, and theywouldn't really look like you're
saying. Then they were like,okay. Have these things.
And they started some of the Idon't know if they still do it,
but some of them had these,like, useless web browser
extensions that they wouldn'tsay, okay. If you install these,
your premium will go down orsomething.
Melanie Thomas (26:46):
Because they're
monitoring everything you're
doing. Yeah. Yeah. There's stillsome that do that.
Lou Rabon (26:50):
It was still not you
know, that's not really. I guess
that's for really, really smallcompanies. And then, now they're
saying, yeah. You've gottaattest to this stuff. And if you
even, you know, are if there'sanywhere that we can drive a a
hole, a gap through this or atruck through this gap, we're
gonna do it.
You know what I mean? And andthat's what happens. I think
(27:11):
that there's policies that arenot getting claimed. And and
finally, you're talking aboutmaybe you don't even, file a
claim. I mean, it reallydepends.
If it's a huge hack, you're notgonna have a a choice.
Melanie Thomas (27:20):
Yeah. You don't
have the cap you won't have the
money to pay it out. Yeah.
Lou Rabon (27:23):
Exactly. But we do talk to them about, you know, our clients about listen. When you're writing your IR plan, make sure that not everyone's calling it a breach. I mean, you know this. The most amateur move, and this is why that's a danger of not doing tabletops and not having a written plan. And, also, if you get companies that don't know what they're
(27:44):
doing, like, vendors that are like, oh, yeah. Here's a plan, and they just download it from NIST or something and just, you know, throw in the blanks. For practitioners that have done this, there's certain things that we know. Like, don't call it a breach. It can only be called a breach by the IR lead, and it's gotta be an official you know, so you call it an event. There's a security event. Let's talk about the event because there's the shot clock that starts, especially for some of
(28:06):
the privacy regulations, especially overseas. CMMC now, the twenty seventy two hour shot clock and things like that are even it's probably even gotten smaller now.
Melanie Thomas (28:17):
That's a great point. Yeah. We actually I coach that to my strategists as well in our CAs where because we'll have cup calls you know, customers will call up our strategist and then meet, like, in the middle of the day, and we can do a little bit of coaching. But, right, we're not an IR firm. But they'll send an email or send a text and be like, hey, they're having a security breach. I'm like, you guys, we talked about this. Never use that word. Only use security event. Never put it in writing because it's
(28:40):
not our responsibility. Right? We don't want to have to, like, attest to that later on because it was a breach two weeks before they actually reported it.
Lou Rabon (28:46):
Exactly.
Melanie Thomas (28:47):
But yeah. The
words we use matter.
Lou Rabon (28:50):
Yeah. Big time. And especially there's liability associated with that. But there are circumstances, and this is what we're trying to drive towards, which is a word everyone's using now, thankfully, which is resilience. Right? So cyber resilience. So cyber resilience means you can actually be breached or have a major security event or, you
(29:12):
know, at least moderate security event and get over it and then not have to use your insurance because you've put up the detective and preventive controls and responsive controls to be able to, you know, detect, prevent prevent, detect, and respond in a way that, you know, you isolate it. Maybe the endpoint gets isolated, either automatically or by the
(29:32):
MDR firm, etcetera, etcetera. So there are circums for anyone out there that's listening that hasn't been through a breach or doesn't understand how these things work, it is actually possible to be breached and not have to report it and not have a huge downtime incident. That's what we're all working towards. That's what a real security program, people, process, and technology can get for you, and that's not just a
(29:56):
point pen test. That's not just a couple vendors thrown together in a package on a per seat license basis. Right? It's a real strategy and road map to over multiple years towards security. Yeah?
Melanie Thomas (30:09):
So yeah. And it works. We've seen it work all the time. Our customer's like, yeah. We contained it. Our EDR code was able to contain it because we've got the logs from whatever. Right? And it actually works. It doesn't have to be this full blown, you know, spend a week of your life doing that thing but digging into logs. Like, it's ad it 100% works. You said this you know, mindful. Right? It's strategy. It's building that program.
Lou Rabon (30:31):
Big time. Yeah. No. That's totally true. And then, yeah, with the insurance, you just I think having, you know, you'll help your customers when they're like, hey. We wanna get cyber insurance. Is that something you do? You'll help them kinda go through that, or do you even recommend carriers or brokers?
Melanie Thomas (30:50):
We do to a point. We don't have, like, partnership agreements with anything because there's a lot of gray area. Right? There's a lot of reasons why you can't be in partnerships with certain insurance providers and things like that. There's rules to that. A lot of what we do is facilitate. We'll talk about the need for cyber insurance. We'll suggest some things to look into. More often than not, we're doing it via a provider. And so it's because we're looking at, right, an MDR provider.
(31:13):
It's because we're looking at identity solutions or managed identity solutions. And by the way, this vendor also works really well with x y z insurance company and kind of facilitate the conversations that way, and kind of help leverage some of those partnerships. The vendors that do have partnerships with insurance providers, right, that are already on those lists really help with explaining to the customer if
(31:34):
they don't have it, why they need it, but also why that proof is important and the reporting back is important and just maintaining that communication with them. So we do it a couple different ways. It's a program that I'd like to build out more, but there's lots of rules around why you can't. So I get it. I'll follow the rules, but a lot of nuance. Yeah.
Lou Rabon (31:54):
Liability and all that fun stuff. So, yeah, you gotta be, it's just more about just giving the information and then pointing them in the right direction, I think.
Melanie Thomas (32:03):
Mhmm.
Absolutely.
Lou Rabon (32:04):
Yeah. And, you know, with all this AI stuff, we and, you know, all the ways that security moves so quickly, what are you excited about? What excites you about the future of, like, what's going on in cyber?
Melanie Thomas (32:18):
What I love so much, it makes me super excited to see a shift in the industry, and maybe it's just because I'm a very hopeful person, a very optimistic person. What I love to see is more of this, like, converged idea of focusing on identity and data security, especially with AI. That's really where it lives. Right? We don't have to buy solutions for
(32:40):
everything. Let's strat let's start well. Right? Let's lock things down. Let's classify our data. Let's make sure people need to access it, and that only helps you with everything. So sure, it'll help you with AI and deployment of AI tools and whatever. It's also gonna help us with everything else down the line. Right? As you implement new technology, you deploy new software, things like that, all of that continue to be
(33:02):
controlled. I'm also loving mobile solutions becoming more of a conversation. It's usually something that people wanna avoid because it's a nightmare to talk about acceptable use and BYOD and whatever. Even since COVID, people don't wanna talk about it. But I love so much that a lot of our customers are now asking. And they're like, you're right. If we're talking data
(33:23):
security, mobile devices have just as much access to all that data if you don't control it, and that's such a big vector. So I'm really loving more emphasis on mobile security. I think we'll probably see more ideally, see more big vendors putting more of an emphasis on mobile support and not just laptops and servers, right, and desktops. We really have to look
(33:45):
at mobile platforms and tablets.
Lou Rabon (33:48):
Oh, yeah. Big time. Yeah. MVM. And yeah. Because think about it. That phone now has become the keys to the kingdom, really, because it's like your biometric proof, which I'm glad passkeys now exist. It's much stronger than, you know, doing SMS for two factor and stuff. But it's also yeah. Once you get in there I've had a couple
(34:11):
calls. We often get, like, personal people personally calling to, and we don't help them, unfortunately. We just obviously don't have the time, and they can't pay what we would be charging anyway. But, you know, and I feel bad. Sometimes I'll send them other places. But, one guy, he had his everything. Like, he had, like, a password vault that also was,
(34:33):
like, just everything was hosed because he had everything on his mobile device, like his Coinbase, all his crypto was taken. You know, like Yeah. It was really and then we're talking pretty big numbers. So, yeah, those mobile devices are not just you know, we can't treat them like they were you know, in my era, there was a phone with a cord attached, and that was your device. My cool friend had the one with the
(34:57):
suitcase, you know, that, like, it was portable that you could take in the car, but it had battery of, like, a, you know, thirty minutes, and it was, you know, $15 a minute just to, like so, anyway, these things are not the same. You know? They're basically everything. So
Melanie Thomas (35:15):
Everyone has at least one of them. Yeah. So and your kids have it. Right? You gotta lock down the kids too. So we have some providers, right, that'll be like, here's your company. Like, here's your company use. That's what you buy it for. And I think I've seen a few providers recently also say, here's a personal use version. So the company buys, right, the licenses for that, but the employees can also break it off and have as part of it, a compartment of it that's also
(35:37):
personal to be able to manage that because just same, right, their personal stuff gets hacked if they have, you know, saved it forward anything from their personal email. Right? All that can still be attacked as well, unfortunately.
Lou Rabon (35:48):
Yeah. Or if they're letting their kids play Fortnite on their business computer. Yeah.
Melanie Thomas (35:53):
$20,000 from a
business card?
Lou Rabon (35:55):
Yeah. You know? Or they just wanna, like, get the latest wall hacking or something, and then they download, you know, malware, and there you go. So, tell me a little bit more. Bridgepoint has a very unique it's like a hybrid TSD TA firm. What can you tell me about and listeners, people that might not be as familiar with Bridgepoint?
Melanie Thomas (36:17):
The Bridgepoint, we are not and that's but the fun of learning Bridgepoint, because I've never been in the channel before, we are not a TSD and we're not a VAR. So for the consulting kind of services we provide, right? So these relationships that we're building that our strategists have, we don't charge for our services, right? So the customer isn't signing a contract with us. They don't buy licensing
(36:38):
from us. They don't buy services from us. It's all through the vendor. And so it's one of the things I love too, it helps us be agnostic. So we're not fighting for commissions or whatever. Right? It's we get paid by the vendor when the customer buys. And so it also helps us be, you know, the advocate, like a really true advocate for our customer. Because we'll get paid regardless, right, whoever we send them to, but let's make
(37:00):
sure that's actually a good match, not just because they have a bigger commission percentage or whatever. There's no shame. People do that all the time, and I'm not trying to shame anybody. Do your thing. But in my perspective, it really helps us and the customer see that we're really just looking out for the best solution for them in a really holistic way. So we are very mindful when we have direct partnerships with
(37:22):
different vendors, and we build up those relationships to give them access, right, to all of our strategy space for our client advisors, right, to all of our customers. And a lot of our customers are our partners also. So it's been really fun. So we do have the two services of Bridgepoint that are direct contractual and our CX implementation side. Those are
(37:44):
we're actually boots on the ground, installing stuff and things like that. With the rest of our practices, the advisory that we do, it's for the betterment of the customer. Right? And then it's just connecting them and matchmaking really at the end of the day. So to get really deep with it, right, we want to do all of their stack, just transactional, not just their connectivity, not just the firewall project that's gonna replace it or whatever. We
(38:07):
really want to know what do they use across their stack, how can we help them roadmap, and how can we help build that out. So we're in it for the long run. Right? We want to see what that looks like and roadmap with them and create some of these projects with them and support it at the end of the day. So since we maintain those relationships, we care about how our vendors are servicing our customers. We care about
(38:29):
escalations. We jump in with escalations also. Right? We're saying, hey, maybe that service wasn't provided like you said it was. Let's talk about this on a QBR. I've helped customers with, like, incident reporting or just normal, this is what our SLA was for this month. You're like, well, that didn't meet your contract. How are we gonna remediate that? How are we gonna make sure that you meet your SLAs and give that credit that
(38:49):
your contract says you need to give them? Right? So we can jump in on some of those relationships as well. And really, it's about helping it stick. It's helping maintain and keeping the customer getting what they're paying for, and getting those best services.
Lou Rabon (39:02):
Yeah. Yeah. It's long term. It's long term relationships over a long period of time versus, yeah, that transactional, which I guess if you had a theme other than all the cool cyber stuff we've spoken about today, it's like, don't be transactional. Transactional is not you know, that's going the way of the dinosaur.
Melanie Thomas (39:20):
Yeah. It's trust
in relationships and and long
term planning. Yeah.
Lou Rabon (39:25):
Yeah. Yeah. So who's Melanie? Let's, you know, kinda transition a little bit to personal stuff. I see that you've you know, you're down in San Diego. Yeah. And you're, you know, being a professor at use USD. That's pretty cool.
Melanie Thomas (39:40):
I love it.
Lou Rabon (39:41):
UCSD. You know, what tell me about, like, what you're you've got a lot of stuff going on. I'm looking at this list here. It's pretty amazing. Yeah. What do you wanna talk about about some of the stuff you do outside of work?
Melanie Thomas (39:55):
I am really big about giving back to the communities and every community that I'm a part of. So I do a significant amount of volunteer work, on boards, right, with other nonprofit agencies. And that's just always been really important to me to volunteer. So we'll volunteer with, like for B Sides, for example, also. So I'm the president for B Sides here
(40:16):
in San Diego. Very fortunate, amazing group of people. And we have, you know, one annual conference a year. It's a really big conference. Super fun. That attracts everybody, practitioners, you know, C levels, things like that. You know, we want hands on, we want talk tracks, students, things like that. But we also maintain presence with all the
(40:38):
other nonprofits in San Diego. And San Diego has an incredibly robust cyber and technology, just in general community. And so we have, I don't know, 13, maybe different nonprofits here in San Diego. I would say that board members and I make sure that we're members of everything. We try to go as much as we can to keep connection with the community so we can support, right, from the B Sides side,
(40:58):
whenever they have events or when they need sponsors. And it's really about, like, a collective action, to help everybody out. So we have vendors, right, that wanna do some partnerships. I've referred them to, like, ISSA chapter, for example, or YSYS. We can't use them for B Sides because we're a once annual event. But look at how many other people also need, right, money for events and sponsorships and things like that. So it's
(41:21):
fantastic.
Lou Rabon (41:22):
That's awesome.
Melanie Thomas (41:23):
There's one coming up for Girl Scouts, which is really fun. And their cyber badge and Girl Scouts can volunteer with that. I have that
Lou Rabon (41:28):
so many.
Melanie Thomas (41:29):
But then we have San Diego CCOE, which is the San Diego Cyber Center for Excellence, which is a fantastic organization that helps, same thing, right, boost cyber. Our InfraGard chapter is really, really big as well. So I can nerd out about cyber all day, every day, whether I'm at work or at USD or out in the world. There's so much to do with it,
(41:51):
and it's such a great group of people.
Lou Rabon (41:53):
So That's awesome.
Melanie Thomas (41:54):
It's a great
community.
Lou Rabon (41:55):
Yeah. And you've got, you know, the I used to spend a lot of time in San Diego visiting my Marine buddies. So there's the Marine and Navy presence, the military presence down there, which has a lot of former cyber people from that area, you know, practitioners and the federal government and stuff. So and it's, like, the most laid back, I think, city in California, you know, made perhaps in the country.
(42:19):
Just, like, super cool. Very yeah. I always love coming down there. So
Melanie Thomas (42:23):
I love it. I think they were voted, like, friendliest city in the country maybe.
Lou Rabon (42:27):
Oh, really?
Melanie Thomas (42:28):
Yeah. It's
beautiful. It's gorgeous almost
all the time.
Lou Rabon (42:30):
Yeah.
Melanie Thomas (42:30):
Yeah. It's super friendly people. There's just awesome vibes all the time.
Lou Rabon (42:36):
Yeah. Like, for those that are listening and can't see the cool, you know, California flag with the surfer behind Melanie, it's so cool. So, that's awesome. And where can people connect with you?
Melanie Thomas (42:47):
LinkedIn. I try to keep track of my LinkedIn as much as I can. We also have Bridgepoint Technologies, and I have a page on Bridgepoint Technologies as well. We're gonna go through, right, kind of how the Bridgepoint way is, what it looks like as we're talking to different vendors, things that we're kind of highlighting for our practice as well. So, like, best places or bsidessandiego.org to give a shout out to B Sides.
(43:09):
Great. If you're gonna be in the spring, we have our spring camp here in San Diego every year.
Lou Rabon (43:14):
Great. Well, Melanie Thomas, thank you so much. This has been, like, a true pleasure to take this route through cyber with, you know, all the things that you know and all the things you've experienced. So thank you for sharing your thoughts with us.
Melanie Thomas (43:29):
Oh, thank you so
much. It was really fun. I
appreciate the sign. Thank you.
Lou Rabon (43:32):
Yeah. Yeah. And thanks to everyone that's watching and or listening. If you learned something today or laughed, please let us know and let someone know about this podcast and, you know, reach out to us as well. Thanks again, Melanie.
Melanie Thomas (43:45):
Thank you so
much.
Lou Rabon (43:46):
This has been another exciting episode of Channel Security Secrets. See you next time. That's a wrap for this episode of Channel Security Secrets. Thanks for tuning in. For show notes, guest info, and more episodes, visit us at channelsecuritysecrets.com. Channel Security Secrets is sponsored by Cyber Defense Group. When it comes to protecting your business, don't
(44:07):
settle for reactive. Partner with experts who build resilience from the ground up.