Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Lou Rabon (00:01):
Welcome to Channel Security Secrets. I'm Lou Rabon. On this show, we expose the untold secrets and critical insights from the people shaping the future of cybersecurity sales in the trusted adviser channel. If you're looking to up your game around selling security, stick around. Channel Security Secrets is brought to you by Cyber Defense Group on a mission to shift cybersecurity from reactive to resilient.
(00:38):
I'm excited to welcome today's guest. He's a respected security thought leader, army veteran, and cybersecurity cybersecurity expert with over a decade of experience in technology and cybersecurity. He served as a special forces sergeant in the US army. In 2024, he was featured in the top 100 innovators in Entrepreneurs magazine. He's the founder and former host of the Cyber Pro podcast, cohost of the Avant
(01:01):
Technology Solutions podcast, and currently slays it as a cybersecurity SME at Avant Communications. Rick Mischka, welcome to the show.
Rick Mischka (01:10):
Thank you, Lou. How are how are things going? I think you're probably more of a subject matter expert than I am, but I appreciate the intro.
Lou Rabon (01:16):
I don't know. I don't know. I I think it it depends on which subject we're talking about. And under pressure, I don't know who can I think you've probably got the the jets to operate a little bit better under pressure? But one of the first things I wanna ask you, Rick, is what's your biggest secret since this is channel security secrets?
(01:39):
The biggest secret to success, your success in the channel.
Rick Mischka (01:42):
It's really demystifying and simplifying that security doesn't have to be a security conversation. I think in the last year that I've been in the channel because I've only been in the channel for a year. That's crazy to think about.
Lou Rabon (01:56):
But in
Rick Mischka (01:57):
the last year, I've really taken a different take on how to position security for trusted advisors, sub agents, partners, and that's you all know how to have a sales conversation. You all know how to have a business operations conversation because you're selling connectivity or unified
(02:17):
communications, why are you so afraid to have a security conversation? Really, all you're doing is asking them what are you doing to protect your data? What are you doing to support your employees so both of those and continue to give the best service to their customers themselves? And when you phrase
(02:41):
it like that, when you use the term resilience or operational advantage, the channel just gets it and the customers love it because now you're having that business conversation and it's no longer this cost center. Oh, I gotta spend it because somebody's telling me to spend it. It's I get to actually make a difference for my
(03:02):
organization. So it's kind of a fun trip.
Lou Rabon (03:05):
Yeah. And so so you think that translating that is a secret, like, being able to have the courage, I guess, to to open the the door to that conversation.
Rick Mischka (03:15):
Yeah. Yeah. I think I think if you can translate that, if you can have just enough of an understanding about all of the acronyms in our world. Right? There's so many. And not worry about what the acronym does, but ask the follow-up question, Oh, you need an identity access management tool, IAM.
(03:36):
Why? What is that going to do to allow your business to continue to grow revenue? Oh, well, it's gonna allow us to do x y z. Those are the questions you ask, and when you ask those questions, every customer goes, I wanna have another conversation with you because you're making me think.
Lou Rabon (03:52):
Yeah. That's a good point because we often are getting calls from TAs that are like, okay. They need a pen test. And so we're like, why? Why do they it doesn't matter. Customer wants a pen test. Can you do a pen test? And we've been increasingly turning those down because we're saying, hey. Listen. If that's all they're interested in, if they don't wanna get better, if they're not looking to improve something
(04:15):
about their program, then it's probably not a good fit for us. Not saying there's other providers that wouldn't do it, but I think to your point, Rick, it's like when they don't when the TAs are not asking those questions of the customers, then they're missing an opportunity, really.
Rick Mischka (04:31):
Yeah. And I know you guys are great at the pen test side. You guys have a bunch of other solutions like the cybersecurity consulting arm that you guys do. I always ask the trusted advisor around those pro services, oh, they said they wanted a pen test. I need two things from that. Right? I need a budget and I need to know what the outcome of it is because if you can't give me those, then our providers,
(04:54):
the Cyber Defense Groups of the world, they're going to decline this. They're not going to support you because they need to know that there's something meaningful going to come out of it. Is it going to be continuous exposure management? Is it going to be some form of cybersecurity support? Whether it's consulting or whether it's a future state or maybe it's artificial intelligence readiness build.
(05:14):
Those are the future of a company, and just because somebody says my insurance company says I need a pen test, unless they tell you that that budget's 50k or higher, I don't know. That's probably not a great use of everybody's time, so.
Lou Rabon (05:27):
Yeah, yeah, big time. So, you know, you're throwing out a lot of really advanced concepts. How do you speak to someone that's been selling, you know, broadband? They've been selling, you know, voice communications, and now they're seeing the opportunity in security, but they're just, like, mortified to even, you know, to your point, throw out the acronyms and really start having that conversation.
Rick Mischka (05:51):
Yeah. You know, I think I think if we have two arms. Right? A lot of people in the partner community have come from selling connectivity or selling communications. And I tell them that those are fairly commoditized. They understand that if I ask this question, they're going to say yes or no, and then I can ask them the next question. And
(06:12):
I said, in this case, you're no longer asking the yes or no questions. You have to go back and ask them the open-ended question. And so think about the question you're about to ask. Don't ask them what keeps them up at night. Right? Everybody asks them that. That's such a you know, it's such a question that's known. Them something that you know already. Did you sell them connectivity?
(06:34):
Then ask them, hey. You know, I know that we've been partnering together for a while. I've been able to get you great connectivity rates or I've helped you with your network arm of your operations. What's the next iteration of your company and how are you securing it? Man, that's an easy question. And I said the word secure, yeah, I get it, but ultimately
(06:55):
that was what I do. And then the other thing I always tell trusted advisors to ask, and I think this is this could be used for everything. Doesn't matter what it is, is Tell me what you're doing really well today with your security posture. Everybody likes to talk about their good things. They're very positive.
(07:16):
And it tells you what they think security means to them. They say, oh, I just bought, you know, x, y, z firewalls, and we love them. They're super easy to work with. They're a network first company, and they haven't thought about their user data. They haven't thought about their cloud posture. There's your next question. Right? And cloud's an easy word.
(07:38):
It's a five letter network adjacent word. And so same thing with unified communication. You've had a conversation with them about communication. Most likely, it's for internal and potentially external customer experience, but now you can take that one step further and say, well, how is your internal employees communicating about
(08:02):
what they need to get their job done, and then how can you help support securing that. You're not having a security conversation. You're having an employee conversation, an efficiency conversation. So I try to take it down the journey that they know, and then I just I will tell you that I've been on a number of calls with partners where I've actually done role playing with them, and I just don't think that the
(08:26):
partners are used to that. You and I, when we were younger, man, when I was in the military, man, they'd stick to you in a room and they'd be like, alright. Let's role play this out. You're about to go talk to this warlord and, you know, you guys for me, it was Yugoslavia, but, you know, and they're like, how would you do this? And then you get feedback. And so the best TAs, the best trusted
(08:46):
advisers have been those that role played out.
Lou Rabon (08:49):
Yeah. What what you're talking about is preparation. It's funny because Yeah. You know, you've been a special forces operator. We do tabletops, you know, incident response tabletops, and a lot of companies are like, oh, well, you know, once a year or something. And, you know, as of being, you know, special operations, what do you do? What's 80% of your time or 90% of your time? It's training. Right? You know, you the ops part is 10% probably,
(09:13):
and most people don't realize that. It's not like you just just are so superhuman that you get dropped into an environment. It's that you're so resilient, and you can deal with boredom and discipline. You know, you have the discipline to repeat the same thing over and over again until it becomes second nature. And I think what you're saying is the preparation for TAs. It's it's important.
(09:34):
I mean, you and I have been around long enough, me much longer, to to remember when, you know, you could take a Cisco SKU, mark it up, like, 200, 300%, or maybe a thousand percent where, you know, selling it through Ingram or something. Be like, okay. Here you go, mister customer. And they had no idea. This is like odds even, you know, pre odds.
(09:56):
But now you gotta put a little more effort into it. So that, I think, is one of the secrets is, you know, if you wanna sell security, it's not just as simple as saying, hey, MDR, and then pulling in three vendors. You wanna understand the pain point, the actual pain point of the the customer.
Rick Mischka (10:14):
Yeah. And I think you guys have a mini secret in that you guys you just mentioned it. Right? Tabletop exercises are preparation for recovery. And I I just think you guys I would love to hear how you guys are doing it and what feedback you're getting. But every time I've put somebody in front of, you know, a
(10:36):
customer that says, let's do a tabletop or an incident response plan before we even talk about the rest of your pen test or cybersecurity needs, there's so many more good things that come out of it. What are you seeing on that?
Lou Rabon (10:49):
Oh, yeah. Big time. I mean, I I'm I have an embarrassing story where I got really frustrated with a customer that came through the channel, and the TA probably is not very impressed with me because I kinda lost it because the customer was just like, hey. We wanna do we wanna drop USBs in the parking lot. And I'm like, well, have you had an assessment? Have you tested your incident response plan? Things like that.
(11:10):
So, yeah, we what we're seeing is when we get in to do a tabletop, actually, the first thing we do is a capabilities assessment because unless they need to do a tabletop for, you know, compliance purposes and they're interested in doing a little bit more obviously to say, okay. Let's figure it out, and then let's work together as a team. We're we're not we're
(11:31):
trying to avoid the one offs, obviously, one off projects now. But anyway, when we do that, we find that there's a lot of behind that because they're like, woah, we didn't know that we needed, you know, to have an external counselor. We didn't know there was a gap in our cyber insurance, or we didn't realize that we don't have immutable offline backups and or
(11:53):
we thought this vendor was covering x and they're not. So, and then with the capabilities assessment, we're like, well, do you even have visibility of, you know, a tabletop is is not useless. A tabletop is always really useful, but incident response, you can have a plan. But if you haven't you don't have the visibility to know when an incident happens, you're basically getting involved once it's, you know, a a disaster
(12:16):
scenario. And the goal of an incident response is to catch it early, obviously. So we're seeing the organizations. It's it's funny because now, you know, going through multiple iterations, multiple generations of, you know, bad experiences for everyone. They're finally catching up with our model, which is let's do this proactively. You know, they might have already been through an incident.
(12:36):
They might have had, you know, a provider that didn't really know security that said they knew security, but then they got into some trouble or overlooked something really simple. And so now they're finally coming around to, okay, we want someone that does this, knows how to do this, and then is going to make us better because they're seeing it. You said it earlier. It's it's, you know, you're it's a it's not a just a cost center.
(12:58):
It's an investment. And, you know, we've we've banged that drum, and and Stefan has as well, I'm sure when when you guys speak. So you work with Stefan, who's who's the man. I know he's moved on to cloud now. But
Rick Mischka (13:11):
Yeah. He kinda hired me to take over the security so he could go play in bigger, better things. So
Lou Rabon (13:16):
Yeah, man. Well, you're you got big shoes to fill, but, you know, you're you're more than capable, so you've been doing a good job.
Rick Mischka (13:23):
No. That's wonderful. You know, will add one thing that I think is interesting, and you guys do it really interesting as well. But, you know, post COVID, I saw this huge This is the quote I use. vCISO is dead. Long live vCISO. Right? So I make fun of this quote, but solar
(13:44):
winds happened, and now we're seeing the chief information security officers could be liable because they're negligent if they knew something. And we're seeing all of these folks go, well, we went away from this virtual or fractional cybersecurity consultant to hiring internal, and now we're seeing this trend to go back to it. But if you say the word
(14:04):
vCISO, everyone is like, no, I don't want an advisor. I actually want somebody who is going to white glove give me what I need, tell me what I'm doing well, show me, not just tell me, but show me how to fix the bad. And I I think I think that's the pivot, and I'm seeing more more providers take that
(14:29):
approach when it comes to that consulting arm.
Lou Rabon (14:31):
Yeah. That's obviously what we're doing. And that's that's really important because bringing the team, not just saying, hey. Do this. Do that. The armchair, you know, visasowed saying, I'll come back in a month and check if you did this. That that doesn't work anymore. So, I mean, it's a scary world out there. I hate doing the sky is falling, right, because everyone knows everyone's got
(14:53):
breach fatigue, etcetera. But just recently, Microsoft had this SharePoint, you know, zero-day vulnerability. It didn't affect their cloud, but for the on-prem stuff. But we know there's a ton of on-prem, you know, servers and things like that. So, also, it's nontraditional industries that are getting hit now. Whereas, you know, health care, finance,
(15:15):
they've always been big targets. They've always invested more than others because they were regulated. But now everyone is you know, there's there's if you're connected to the Internet, you're a target. And especially with AI leveraging, you know, they they can send bots out, and it's it's an it's crazy. So, anyway, all that to say that having the the holistic programmatic approach, there's
(15:38):
no other way to do it. You know? What whatever any vendor says, this this is your silver bullet. Do this, or all you need to do is alerting. All you need to do is MDR. That doesn't those days are gone. You know, if it all it takes is one misconfiguration or even if you have your con your configuration set, one person to change it because some
(15:59):
executives said, hey. Can you open that port, or can you can you temporarily take off MFA from this portal? And then you're popped. So
Rick Mischka (16:07):
Yeah. I I will say, you you talk I love the I love the idea of this podcast being for the channel and the the, you know, the secrets around, you know, security because every time a trusted adviser comes to me, they say, I need somebody who has a security title because this customer won't talk to me because they said that their security is
(16:30):
secret. And then you put me or you or another one like us on a call, and it's just like opening the floodgates. They tell us everything. And I go, Juan, why is that the case? Are you hearing something similar? Because I'm hearing it all the time. Like, it's it's so secretive in security, but does it need to be?
Lou Rabon (16:51):
I think they just it's tough. And and that's one of my questions for you is the nonpractitioner. You know, that's why TAs, I think, are a little bit reluctant, and it's also why customers are reluctant. It's it's always been a hypothesis of mine that you it's really hard for a nonpractitioner to sell security, but it's necessary.
(17:12):
So, you know, TAs are there, in my opinion, to open the door and say, hey. I know you you have a problem. I know people that can help you solve this problem. I think it would be difficult for the TAs to say because even if they hear it, unless they are practitioners, they're not going to necessarily know when they you know, what where the gaps are. So, I I think it's normal.
(17:32):
I I don't think it's it's strange, but I also think that the TAs just have to know where to get the answer, who to bring in to give the answers to have the call. And their main job, in my opinion, is to open those doors and then help, you know, find the best solution. Obviously, that's that's a whole trusted adviser. But for you, you know, question back to you, Rick, is as a nonpractitioner, how do you
(17:56):
suggest a TA kind of open those doors for for the practitioners?
Rick Mischka (18:01):
Yeah. And you're spot on about the trusted advisers not having to be practitioners and probably aren't gonna be able to sell 75 or 80% of security solutions without being a practitioner. I think the nonpractitioners have something that you and I don't have. And that's ultimately the
(18:24):
ability to ask a question, and it's okay if they don't know the answer. But if you or I get the question and I don't know the answer, man, it's like I know how to own that. Like, oh, you know what? I don't know about that. I'm going to go learn that. But it's okay for the trusted adviser to say, I don't have that answer, but thank you for making me think about it because I will find it for
Lou Rabon (18:45):
you. Right.
Rick Mischka (18:47):
And and that's great. That's something that I wish I I still had, which I still could say, I don't know. But in most cases, I have to say, I think it's this, you know? And kind of squint a little bit, you know, kind of have some fun with it. But I really do think that the trusted advisors forget that they don't have to know it all. They didn't know everything they needed to know about whatever
(19:08):
they were good at selling before this. They don't need to know everything, and it's okay.
Lou Rabon (19:13):
Big time. Yeah. So so
why do you think that TAs should
sell security?
Rick Mischka (19:19):
Yeah. I always tell trusted advisers, it might not be their biggest sale. Right? It's not gonna go close, you know, a full SD-WAN across a thousand sites, you know, million dollars a month type of thing. But it's sticky, and it leads to trust that just selling circuits doesn't give you. And that's the trust that will allow you to sell all of the
(19:42):
other things, even if it's going back to your base. I also truly think that selling security, especially if you sell it as business resilience, is all about what's right for the business, not just what the business thinks they need for the day. And so I could sell connectivity all day. I could
(20:03):
sell UC all day. But I would also argue that if I'm selling both of those, I'm providing something that the customer needs to do business. Security is no different. And that's the mindset you have to get ready for.
Lou Rabon (20:17):
Yeah. It's I think in those sales, you totally hit this all the time where it's like, yeah, why would they spend a complex security sale to get to know the customer, understand the pain points, put something together that's not just a, hey. Here's a quote for x amount of widgets or whatever, x amount of data centers or compute that and the numbers are much bigger.
(20:40):
They get a nice commission check, and it's maybe three years. You know, they they sign a a three-year deal or something. Definitely, the numbers add up to say, hey. Those are more interesting. But to your point, it's a transactional sale. Once that's done, you you may check in with the customer or take them out for some dinners or whatever. But at the end of the day, that's that you're not going to to have any other
(21:02):
conversation around that, and it also doesn't necessarily build trust. If you did a good job, that builds trust, but it's not something that's so you know, once they get that bandwidth, it's kind of like, who do you trust more? The guy that sold you the car or the guy that's fixing the car. Right? So, I think that when you can bring your really, you know, problems
(21:23):
to a company like where security is and where the numbers may be lower, when you gain that trust where yeah. Okay. Wow. You they solved a big problem for us. I can sleep better at night, etcetera, etcetera. Then it's like, oh, by the way, we have another project. And it's not bandwidth, and it's not security. It's data center or whatever. So I I'm with you, and we've seen
(21:44):
that consistently where we're not necessarily the biggest commission check they're gonna get, but they're they're it's definitely the trust that they get with their customers so they can they they sell more of what they're trying to get in there.
Rick Mischka (21:56):
Well, I think there's two other added additives to that. Right? The first one is if you're having that security conversation, you are going to learn so much more about the rest of their business because they're going to tell you. They're going be like, oh, well, why do you need this tool? Well, because it's actually helping over here. Oh, well, tell me about what's going on over there. The other
(22:17):
additive that I find, and this is an interesting stat, security services, both professional and managed, the average long term revenue play is somewhere to the tune of a customer will buy from a trusted security provider, nearly seven and a half years'
(22:39):
worth of recurring revenue. Versus cloud, it's like four and a half. We're seeing network is about five and a half, right? It's like one cycle plus a renewal. And in security, it's two cycles plus at least one or two renewals. And so we're just seeing a lot longer play, which
(23:00):
means that you just get to stay with that customer longer. Final thing, and this is like the bonus, is security providers or it's not security providers, security professionals like us, we tend to not have the mentality of we're gonna stay with an organization for thirty years. Right? That's great.
(23:21):
It's awesome. There's a lot of IT directors that have done that. But for the most part, we're super excited to help another company and move on and move on and continue to grow. And so right now, it's every four to five, four to six years is roughly the transition for a senior leader in security, except for the Fortune 500s. That's a different story. But every four to six years, they they move. And if they
(23:44):
trusted you at their last place, you just got a new sale.
Lou Rabon (23:47):
Yeah. That's a great point, and it's true too because that just like everything, you bring your team, right, whenever you move and and and stuff like that. Also, a great thing that you just reminded me of as you're talking about that is security practitioners, we are constant learners. You know? We I think people are drawn to security. It's funny because people are constantly probably asking you
(24:08):
the same way they're asking me. Man, you can make a lot of money in security. How do I get into it? And I'll say, you can make a lot of money roasting chickens, you know, if you're really passionate about it. And so so I think the people that are most successful at security and the the the most gifted are the ones that are having the constant, you know, into the constant learning cycle. So by seeing different environments, jumping around,
(24:31):
it's it's one of the reasons that I started, you know, my company, Cyber Defense Group, because, I I was like, I wanna see different things. I don't wanna just be part of one team, a cog in a wheel of a Fortune 500 company that, you know, I'm kinda pigeonholed to one little area. We see everything, and we we do a lot. So, I think that that's important too where to
(24:53):
your point, you know, moving around, seeing a lot of different environments, that's a plus for for cyber practitioners.
Rick Mischka (25:00):
No. And and I'm gonna we've pulled back tons of curtains for the secret thing, but I'm gonna pull back another one. I also tell trusted advisers that they don't have to go knock on an enterprise door every time. And and a lot
Lou Rabon (25:16):
of times, like, well,
we
Rick Mischka (25:17):
want the big
whale.
Lou Rabon (25:18):
And I
Rick Mischka (25:19):
get it. Everybody wants the big whale, the big wave, whatever you want. But recently, I did the math, and I I I I looked at some data. Over 99% of all companies in the United States are 450 or less employees.
Lou Rabon (25:35):
Yeah. Yeah. There's that's what drives the economy. It's small, small businesses, small and mid sized businesses. Yeah. It's pretty crazy. Now they're not gonna be, you know, SMB is too small for a lot of offerings. They're they're concentrating on other things. But, like, midsize, mid market is is, like, I think that's where the yeah. Because you've
(25:56):
got what? Fortune 500. That's 500 companies. Fortune 1,000, whatever. Maybe let's say 2,000 enterprise companies. Below that, to your point, there's, you know, hundreds of thousands, maybe millions. Yeah. So yeah.
Rick Mischka (26:09):
Yeah. The numbers that I saw was companies that have over 10,000 employees in the United States are a touch over 10,000. So there's a number there. Right? That's a big close. But everybody is knocking on their doors. And then you have almost it's almost a million SMB. Right? That four fifty or
(26:30):
less. And and you're right. They don't always have a big sales cycle, but it is a good place to practice. Right? Hey. Can I go close one of those big managed detection response acronyms? It's quick. It's easy. Go close it. But you're right. The sweet spot is that mid market, 450 to just less than a thousand, and there's nearly 200,000 of those companies in the United States.
(26:50):
So there's plenty of room to go tackle. Go close an enterprise, go close the 10,000 employee or bigger. That's fine. Don't knock on the doors and practice your voice with the SMBs because they're listening and they have to make quick decisions, but where you're to see the biggest spend, where you're going see the biggest provider lean in is that
(27:13):
four fifty to a thousand, maybe 2,000. It depends on the provider.
Lou Rabon (27:16):
So Yeah. And the sales cycles are so much more interesting, you know, because being in the enterprise, it could you could spend a year and a half trying to close a deal. You get to the, you know, end point, and then everything is done by committee. It it takes so long. Maybe one of your stakeholders leaves, and then you gotta restart. You know, there's just so many variables, in that equation.
(27:40):
Whereas when you're in the mid market, you're usually speaking to the top of the chain food chain, and the procurement process is easier. I mean, I mid market is much more interesting, from a just a day to day standpoint. Obviously, getting one enterprise customer that's gonna, you know, do a multimillion dollar, multiyear contract, that's great. But to
(28:01):
get there, you know, you you might be able to make that same amount of revenue off of 10 mid market clients that have a, you know, 80% quicker sales cycle. So
Rick Mischka (28:12):
Yeah. I know it's
great.
Lou Rabon (28:14):
Yeah. So so what's what's a challenge that you've had? You're you've got, like, the whole channel coming to you saying, hey, Rick. We we have a whatever. You know? Something security related. Can you help us? What's a big challenge that you've helped you and the team have helped solve recently?
Rick Mischka (28:30):
Changing the mindset that everything can be fixed with technology. That is the biggest if I stand on a soapbox and have a loudspeaker, that's the biggest thing that I'm really driving change towards. And I was part of a research study through the RSA, through IBM, through Comcast, through Verizon, and we've proven that if a firm focuses on
(28:56):
just buying technology, it's not actually helping their security posture, it's actually making it worse, right? There's the stats that we saw were 78% of firms that have more than 30 technologies and security have so 78% of them have alert fatigue and are still getting breached.
Lou Rabon (29:14):
Oh, yeah, man. That's
crazy.
Rick Mischka (29:16):
And so changing it to the service model. What can you do with a pro service, an implementation service, and a managed service that's going to allow your employees to do something efficient for your company, but lower the number of technologies that they have. And and the first question I get
(29:37):
from customers is, well, the technology is easy. No. It's not. How many staff do you have to throw at that technology when other people, all of you, me, all of our professional brethren, brothers, sisters, they're going to the service providers because they get to play with all the cool technology. They're not going to a mid market customer. They might go to Google. We did it. Right?
(29:58):
They might go to Apple. Right? That's fine. Whatever. But we see that this trend actually saves the customer money if they spend more on services. And then when a technology like Carbon Black kind of goes away, another technology, another endpoint detection response tool can replace it, and the service provider doesn't have to do anything besides retrain on the product. So that is my biggest
(30:21):
push to the market is stop talking about technology. The technology changes every eighteen months. Talk about the humans.
Lou Rabon (30:31):
I'm standing on that soapbox right next to you, bro, because it's like people and process, you know, that and that's what we bring. I mean, that's basically our value prop. Because to your point, technology, it hasn't solved the problem. If if you believed every vendor that says that their solution is going to solve the security problem for the
(30:51):
last twenty, thirty years, you know, look at the stats. They're going in the wrong direction. So and and again, to your point, you know, that obviously breaches are a big thing that we we work incident response reactively. We go in there. I can't tell you how many times they've actually had endpoint protection, but at certain
(31:11):
endpoints weren't covered. It wasn't configured correctly. We just did one breach that was a provider that had it was a customer that had hired a third party MSP who put up an additional they were charging them more money for email filtering beyond what Microsoft m three sixty five offers.
(31:31):
Guess what? If they got phishedand and popped, you know,
hacked, If they had not paidthis provider for extra email
filtering, they would haveprevented the phish because m
three sixty five caught it, butthen their solution, who I won't
name names, said no, releasethat. It's not, you know, a
phishing email. And next thingyou know, you know, big incident
(31:55):
response, hundreds of thousandsof dollars later, not covered by
insurance, you know, becausethey weren't, they didn't have
it, and they weren't looking atit like that. Now it's a
different story.
They've got their house inorder, but this is the problem
because they relied ontechnology. They were like, oh,
this is our IT provider. Theymust know what's going on, and I
I don't wanna get on thatsoapbox because but Woah.
(32:19):
Really, big problem right nowbecause this is where everyone's
finding, the issue. And that'swhere the, you know, back to the
channel.
This is where the trustedadvisers have an enormous
opportunity if they understandthat no longer is it, hey. You
want eight eight of those, eightwidgets that are going to or,
you know, how many seats youhave? 700 seats times, you know,
(32:40):
these these tools, and thenyou're good. It's not like that
anymore. It's yeah.
I think asking the why. So soyou guys have solved that. You'd
or not solve that, but you'veyou've you've come close to,
like, say, hey. Let's take astep back. Let's ask some
questions.
Rick Mischka (32:56):
Yeah. Yeah. I
think I think there's a time and
place for the actual, what I would call the actual technology
or the platform. Unfortunately, I think customers lean in with
that, and the first question I ask them is how is this going to
actually solve your problem? Right.
Right? And if they don't have an answer for me, man, I can solve
(33:20):
your problem. Let's get the right people. Let's get you the
right process. The technology, you don't you don't even care
about the technology once we got the rest of
Lou Rabon (33:26):
it in play. Exactly.
Rick Mischka (33:28):
And that's that's
the big solve.
Lou Rabon (33:29):
So. Yeah. Yeah. Makes
sense. What what excites you
about the future?
Rick Mischka (33:36):
I think the
blanket answer would be
artificial intelligence, but I tell people that in security,
artificial intelligence has been around in the form of machine
learning since twenty five years ago.
Lou Rabon (33:47):
Yeah. It's not new.
Yeah.
Rick Mischka (33:49):
And so for me, I
actually this is why I think
artificial intelligence is so key to the security
conversation, because it's making people think, how can I
be ready to use artificial intelligence? And if they do it
correctly, they go, well, let's first look at your systems. And
(34:09):
then let's look at your data. And then let's look at what you
want to get from your systems and data, and then let's build
the AI model. And when you do that, you've just built a
security posture before you've even gone the artificial
intelligence route.
You got it. And so for me, artificial intelligence is the
answer, but not for the reason people think. Yeah.
Lou Rabon (34:31):
Exactly. And what
we're seeing is artificial
intelligence. I mean, this is obviously a huge bubble. I was
speaking to someone recently, and they were like, what, you
know, what do I have to think about with AI? I'm like, data.
That's that's what it's about. AI today is about data. Like,
can it do really cool stuff? Is it going to it's it's a complete
game changer. It's kinda like it it definitely is one of those
(34:54):
techno technological milestones like, you know, airplanes and,
the Internet and computers and automobiles.
You know what I mean? We will look back and be like, wow. That
was the a a you know, delineation, basically. But
today, it's in the beginning. It's like you're not gonna just
as you wouldn't have gotten on a plane right after the Wright
(35:16):
Brothers flight, you're not gonna, like, I don't recommend
you put your whole business on AI today because it's it's not
gonna end well.
But to your point, we are, seeing where the paradigm is.
Let's start thinking about what what does AI need? What does
that mean? And that's data to your point. You know?
So that is exciting. I think it's gonna it's definitely
(35:38):
changing things. I use ChatGPT on an almost daily basis. No. I
don't have a relationship with it, and I don't believe it's God
or I don't.
But it's a great tool. I mean, I use it to to, review a contract.
It's definitely gonna put lawyers out of, you know, junior
lawyers at least out of business, because I was able to
(35:59):
just run a contract through it and said, you know, what are the
points I need to pay attention to where I had already done my
pass having read a bunch of contracts. And and, you know, it
pointed out things that I didn't have to go to counsel about
because it was pretty straightforward. So it's got its
uses, and it is pretty exciting.
Rick Mischka (36:16):
Yeah. I think the
big uses are automation and
correlation. That that's you can correlate a lot of things. You
don't have to have structured data to do it, and it just it
helps me automate some of my tasks during the day.
Lou Rabon (36:27):
Oh, yeah. Oh, yeah.
Big time. Let's transition to
personal. So, I mean, you're you're out there in Montana.
You know? Like, I haven't been to Montana yet, but it's on the
list. I definitely wanna get to Big Sky. You're you're the
SME at Avant. You were at with, Masergy before you had your
(36:48):
own, consulting company.
Prior to that, you've you've been working with volleyball. I
didn't know this about you, but you were actually a volleyball
coach. Yeah. You know, many years ago, the, I don't know if
they still exist, the Association of Volleyball
Professionals, AVP. Yeah.
They were they were a client of mine back in the nineties in LA.
(37:10):
Nice. It's I lived in LA in the nineties and late nineties, and
they were they were one of my they were based in, if I
remember correctly, like, Marina Del Rey or something. And
Rick Mischka (37:20):
Yeah. Yeah. Yeah.
AVP is still around. When I
before I got into coaching and as I was getting into coaching,
I actually played on the AVP tour for a while.
I played professionally in Finland. Yeah. So I had a good
career in volleyball.
Lou Rabon (37:32):
That's awesome.
Rick Mischka (37:33):
I had a great run
coaching, coached the men's
national programs for a while,so it was a lot of fun.
Lou Rabon (37:37):
Dude, that's amazing.
You know, you've got the height
for it. So it's good, man. I I should get my sons interested
and introduce you. They've got little height there.
I I didn't get the same gene. I gave it to him, but I didn't get
it. But that's awesome. Volleyball is great workout too.
Beach volleyball.
Very cool. But, you know, tell me about how you transitioned
(38:00):
from the the military into kind of private sector.
Rick Mischka (38:04):
Yeah. So I joined
the military as a reservist and
never saw a reserve unit. I actually got into the military
and became part of what is now called direct entry for special
forces. I was one of the first x-ray classes to go through it.
And I got put onto a tier one operating team, and so it was a
great experience for me.
I was in for just shy of seven years. Then when I got out, I
(38:26):
didn't know what I wanted to be. And I said, well, I did all this
really high speed stuff. I should probably stay into some
field that's high speed. And went into firefighter paramedic
world.
My grandmother reached out and was like, hey, you have a chance
to go back to college. You'd be the first person in our family
for the last five generations to ever go and get a college
degree. So I chose to take a scholarship in volleyball, play
(38:50):
college volleyball, and turn it into a career but get my
bachelor's degree. And then because I was coaching at the
university level, I was able to go back and get a bunch of
master's level courses and got a degree. And I was able to kind
of just move that forward.
At one point, I'd always thought I was gonna be in technology.
Right? You know, I was high schooler when the Internet was a
(39:12):
thing, so I can date myself there. The gray beard does have
some ownership there. I remember my buddy and I, we won a
programming contest, and then I just never used it.
So I went back and nontraditionally found four
certifications in cybersecurity that I really felt I could do
through a boot camp. Passed all four, and reached out to my
(39:35):
network and was like, hey, where should I go? What opening should
I take? And I was given an opportunity to become a mix of a
compliance engineer and also do digital forensics and
investigations. And from there, it just that's where I went.
Right? I was an architect for a while, and then I went into
product management, and now, you know, fully sit on that
(39:58):
consultary side of things, and I can't imagine a better life.
It's so much fun. So
Lou Rabon (40:04):
Yeah, man. And it's
it's been a really interesting
journey for you from, you know, special forces paramedic, you
know, firefighter, that's crazy, volleyball, and then going into
cyber. Yeah, that's really cool. And and, you know, doing
forensics is really, really interesting. I think having that
kind of background is really important.
(40:26):
They used to say, like, you didn't have to be technical to
be in cyber. I'm sorry, but I I there are aspects you can do
GRC. You can do some other stuff, you know, privacy.
There's definitely areas that you can do where you don't have
to necessarily be technical. But to really be effective, you need
that that technical background.
So it doesn't get much more technical than than doing
(40:46):
forensics.
Rick Mischka (40:47):
Yeah. It's true.
Lou Rabon (40:48):
Yeah. That's cool.
That's really cool.
Rick Mischka (40:51):
Oh, you'll have to
come up to Montana. You'll come
hang out. We'll go on the Yellowstone River because I do
live about five minutes away from the river. So.
Lou Rabon (40:57):
Man, that's amazing.
I've never been out there. I'm
absolutely gonna take you up on that for sure. I definitely
wanna see Yellowstone. You you're also speaking of
Yellowstone.
I remember you telling me, are you now a licensed pilot, or
what's where are because you said you flew over the park.
Right?
Rick Mischka (41:16):
I did fly over the
park. By the, you know, by the
end of this year, I will be a licensed private pilot, and I'll
be starting working on my commercial hours. I have enough
hours to test, but it's one of those where I just want to make
sure I pass it on the first go. Right? I think most
cybersecurity professionals are kind of perfectionists, so I'm
kind of doing the perfectionist thing.
(41:37):
And so I will have my pilot's license by the end of this year.
And it's super exciting because I get to go up went go up about
two to three times a week, and my flight view are mountains and
rivers. You can't complain about that.
Lou Rabon (41:51):
Like, of the best in
the in the country, basically.
Yeah. Yeah. It doesn't get much better than Yellowstone, man.
That's crazy.
Rick Mischka (41:59):
No. It's amazing.
Lou Rabon (41:59):
That's cool. So, you
know, if do you have a personal
story of, anything that demonstrates where cybersecurity
had kind of a, an impact on your life?
Rick Mischka (42:12):
Yeah. So this is a
mix of impact of being in the
military as well as cybersecurity. Two years ago, I
really was and I still am very passionate about cybersecurity,
and I had been working with a nonprofit that was heavily
focused on transitioning military folks out into
(42:35):
cybersecurity. What I was seeing was that these military folks,
while they were well trained, had mental toughness and
resilience, still had some form of PTSD, and so I really started
focusing on that. And that led me down the path of of
identifying that cybersecurity professionals are actually one
(42:58):
of the highest burnout rates in all careers.
And so I went back and applied and got in to get my PhD. I'm
almost done with the dissertation, and I'm going to
be defending it this fall. And I'm focusing on how
cybersecurity professionals, through their organizations, not
(43:18):
as individuals, but through their organizations, can be
provided with mental awareness and preparedness training,
because ultimately a cybersecurity professional is no
different than a military soldier. The only difference is
there's not bullets coming at their heads. There's bits,
right?
There's bytes. There's attacks. And, I'm I'm putting together a
(43:39):
really cool research process around how I can take that
burnout in the cybersecurity profession and extend it so we
have less of a skill set.
Lou Rabon (43:49):
Rick, I mean, that's
so impressive. You're with your
background and everything, I had no idea about the PhD. You're
just a badass, man. Like, mad respect, and it's great too. I
mean, there's no doubt that there's a a real issue with
mental health.
I mean, in many ways, I think in in a lot of professions, but
(44:12):
definitely cyber has its own unique challenges, and, that's
great. That's gonna be a good dissertation.
Rick Mischka (44:19):
Yeah. I'm excited.
The research is done. Now I just
gotta and the paper's mostly done. I just gotta defend it.
So
Lou Rabon (44:24):
Yeah. Oh, so you've
you've wow. That's a lot of
work, man.
Rick Mischka (44:28):
Yep. The research
is done. I I'm in final peer
review for, you know, just being able to say, yep. It's done. It
can go to bed, and then and then defense happens probably in
December year.
Lou Rabon (44:40):
Wow. Well Yeah. Good
luck with that. I know you'll
kill it. Like, you have everything else in your life.
So, you know, in a good way. Cool. I mean, I think we've
we've covered just about everything here. It's been, a
real pleasure. Where can people find you?
Rick Mischka (44:59):
Yep. I'm on
LinkedIn. You know, I I
typically stay off the other socials, but you could find me
on LinkedIn pretty easily. And then look for me at Avant. You
know?
I'm obviously available, and I am happy to just sit down and
and nerd out over almost everything, even cheese. I'm
from Wisconsin. So if you wanna talk cheese, I'll talk cheese
too.
Lou Rabon (45:17):
That's a fun fact
too. Alright? For sure. Thank
you, Rick Mischka.
Rick Mischka (45:24):
Thank you, Lou.
Lou Rabon (45:26):
And thank you to
everyone that's watching and or
listening. If you had fun, learned something today, or
laughed, please tell someone about this podcast. And, yeah,
thanks again, Rick. This has been another exciting episode of
Channel Security Secrets. See you next time.
That's a wrap for this episode of Channel Security Secrets.
(45:47):
Thanks for tuning in. For show notes, guest info, and more
episodes, visit us at channelsecuritysecrets.com.
Channel Security Secrets is sponsored by Cyber Defense
Group. When it comes to protecting your business, don't
settle for reactive.
Partner with experts who build resilience from the ground up.