From Fractional CTOs to Smart Cities: The Future of Technology is Now



Transcript of the conversation with Bruce Hoffman and Fractional Mateo I Fractional CTO I Leadership Advisor

Alyssa Butler
Hello, everyone, to another Fireside Chat here at Careful Security. I am here with Fractional Matteo and Bruce the AI guy. We’re having a real fun Fireside Chat for you; and of course, Sammy Basu is here as well.

Alyssa Butler
So I’m going to hand it right over to our wonderful guests. You guys can take turns. But why don’t you tell us a little bit about what you do and where you got your fun names from?

Matt Stroul
Well, I got Fractional Matteo because I used to be motivational Matteo. And when I wasn’t doing implementations consulting or being a complex technical Project Manager, I got challenged by some really solid top tier CIOs and CTOs who said, you know, you really need to go and start working with some startups and really learn and transition yourself into an executive. So that’s what I’ve been doing the last five years. And now I’m transitioning to being a fractional executive. And that’s where that Fractional moniker came.

Matt Stroul
So instead of helping executives boards and consulting with executive boards, now I’m being a part of executive boards, wherever they may need a spot team filled.

Alyssa Butler
Got it.

Sammy Basu
So Matteo, you turn from the anti establishment guy to the establishment guy,

Matt Stroul
I have always been the establishment guy with the anti establishment music sensibilities, if you’re going to make change, make change from within.

Alyssa Butler
Wow. You got another title there, Alyssa, for the Fireside chat. Thanks.

Bruce Hoffman
Bruce,

Bruce Hoffman
keep on going. So yeah, you know, my, my background comes from working with data products, which really meant that I’ve been working with mathematicians for quite a long time, you know, as viewed by what you see here. And the key element was mathematicians became data scientists who are now AI something and AI engineers, they were ML engineers for a little while. And generally, the math people are the ones that are actually working on building the big models, then everybody’s trying to suck up the good math people these days. But I’m really just focusing on you know, what are the solutions that we can use to help businesses, and I find a lot of it is there’s an opportunity for generative AI tied together with automation. And so that’s the, you know, that’s my current focus of the people that I’m talking to the businesses that I’m working with, and how I’m thinking. And by the way, it’s funny if I was to jump through that personal business or cybersecurity concerns thing, you know, I listened to two guys, and they always ask, you know, is AI going to destroy us all?

Sammy Basu
Yes.

Bruce Hoffman
And what percentage? What percentage do you put on that? And it’s, there’s been some very interesting answers. But that’s, that’s something that I’m I think about, you know, in my spare time.

Sammy Basu
Bruce, you mentioned like, you’re a mathematical guy, and as you see in the background, how’s that related? How’s your background related to math? Or did I miss?

Bruce Hoffman
The only math that I would think about in the background is that the base of that is at 8000 feet, and the top is a little over 11,000. That would maybe be the only math that I would apply to it. The background is where I am. I live the year I live here in the mountains, so Oh, 300 plus miles north of Los Angeles.

Sammy Basu
What’s the name of the place? Bruce?

Bruce Hoffman
Mammoth Lakes.

Sammy Basu
Wow.

Alyssa Butler
I’m very jealous. It’s 70 degrees here in LA. And so we’re not really getting much winter, unfortunately. But

Bruce Hoffman
winter is coming. Yeah, it started getting windy. And we’ve been told there’s the next five or six days that we’re gonna get a number like three to five feet of snow and you guys are gonna get like two to four inches of rain.

Matt Stroul
I’ll take Texas, your decks will be event eight of our 12 days of winter already. So

Alyssa Butler
wearing your sweater because you’re soaking up while you can, right?

Matt Stroul
Correct. If it gets below about 72 outside this sweater comes out. You’ll see bugs here at around 68 degrees. The puffy coats come out at about 65 degrees.

Alyssa Butler
I completely understand that. I’m not gonna lie. I want to wear my cute winter stuff. So I’m going to wear whenever.

Matt Stroul
Yeah, what what most people call fall we call winter. Yeah, exactly.

Sammy Basu
There’s another quarter. That’s right. Yes.

Bruce Hoffman
Is the same. I lived in Southern California for quite a long time before moving here three years ago. I am it was literally just exactly three years ago.

Alyssa Butler
Thank you Right, I deal with the mountains. Well, this is my perhaps favorite question that we asked here in our fireside chats. And it’s what did you do for your first job? So Bruce, let’s start with you.

Bruce Hoffman
So my first job was delivering newspapers in, you know, in a suburb of Philadelphia, where I lived. And so it was, I was kind of fun when it got to be cold, because you still had to deliver the papers. And I had a bicycle that I was riding around on. So you know, I was like, 30, I started when I was like, just under 14 doing it. And I only did it till I was 16. But that was the that was the first first job and you know, getting chased by dogs and angry people. And, you know, that kind of stuff. In early morning,

Sammy Basu
Bruce, you get up to deliver newspapers.

Bruce Hoffman
I had to get up at like, 430 to go pick them up. And then they were supposed to I was supposed to be done by six. That was the goal. But usually I was like, late. Maybe I was done. But you know, it’s done in time to get to school.

Sammy Basu
That’s a lot of discipline. Like you can miss it. You can just say I’m not going to do it today. That’s awesome. All right. All right.

Matt Stroul
Matteo, what about you? Oh, boy. So my first hustle as a kid, that’s not like my first job is I was a full head taller than the other kids my age. So I would go to all of the neighborhoods around me and offer to rake their leaves or shovel the snow, the two jobs that adults and kids did not want to do. So I kind of cornered the market on that as a preteen, but my first actual, like, paid job. I was an IT consultant at 14 for my mom’s company. I would support their mainframe and their VAX and hack on things when things got broke.

Alyssa Butler
Wow, yes, 14? Yeah, yeah. That’s impressive.

Sammy Basu
Wow, these are the two smartest people we’ve been in a fireside chat with, Alyssa. I’m feeling very inspired.

Matt Stroul
Throwing softballs at us, so I can’t wait for a hard question.

Bruce Hoffman
It’s funny, because I moved on to the restaurant work. So dishwasher and then became a cook. You know, learn how to work with knives. That was and cry when I was cutting 50 pound bags of onions.

Alyssa Butler
I love that I think everyone should work in the restaurant business at some point for that experience and learn how to treat people. So then how did you guys end up in your current position? I know, Matteo, you already sort of glossed over that. But yeah, get into a little bit more.

Matt Stroul
No, I’m kidding. So there’s only you know, when you get into engineering, I actually went to school for business because I really had a strong head for computer science and, you know, taught myself a bunch of languages. And that didn’t really excite me, it was actually the hardware, it was the IT and the OT parts of technology that really, really excited me. So there’s only so far you can go as an engineer before they start going, Hey, you’re really good with people. You know, do you want to get into sales, we like the way you articulate yourself, you know. So I had to make a choice to either go into leadership and sacrifice the engineering part. And it was a huge risk. And it took me about a year to decide. And I was really heavily supported. I was at Cisco Systems at the time. And I just had some fantastic mentors there. And I was really supported. So I did, I chose to go into the business side, the management side of the house. And that’s, you know, you just keep going and looking for mentors is the number one way is find someone that’s been there before, and then get their pointers and have them train you until you’re ready for your next step.

Sammy Basu
But then, what was the shift in mindset you had to do when you move from technology to business,

Matt Stroul
I kept finding myself being pulled into situations to support strategic decisions for leaders. So it was I’d be on a team like we created the first business intelligence unit at Cisco Systems, a dedicated Intel unit. And I was the one that was doing the presentation layer of the data. So while I project managed the team, I wasn’t the smartest people to solve that problem and do the like Bruce was saying, we were doing really early ML distillation of things and pulling out all these records all these technical things and then bottling them up to these optics. It needed a person in both worlds needed someone who could be trusted to be technical and academic, but someone who could be literate and understand that that language is different for the audience that you’re presenting. And that just pushed me right out. In front of the management bus,

Bruce Hoffman
I’ll be right back test. Oh,

Sammy Basu
that is awesome. I know, we may have jumped over the first skip the first question. Okay. What are you working on today?

Matt Stroul
Bruce and I are partnered up right now on on a project. We don’t have official business name for it. But it’s circling around fractional executive, basically consulting and helping fractional executives become frack exec so that we see a real opportunity in the market where people need data, like I was saying, Before you hit this plateau, you get stuck, maybe you’re a line manager, and you want to be a senior manager, but you don’t have to get there senior manager, director. But from director to C suite, there’s a real, almost, there’s a real difficult set of challenges to overcome, because you need exposure to MBA level topics, but you still need to deliver on your nine to five, right? You still have your mortgage, you still have all of these other things, you’re not going to quit, like Matteo who’s never been married and doesn’t have kids, and go off and run and join, you know, seven startups in five years. It’s not, it’s not sustainable. That’s not something that that everybody can do. So my half of of this dyad that we have is really kind of encapsulating what are those lessons? Were those transformative things? What are those coaching mechanics? What are those checklists that you need? So that you can start your evolution to go from a D or a V level, and start to get to that EVP or that C suite level somewhere else? And then I’ll let Bruce answer the other half of his contribution to kind of that effort in that versus is far more astute and collegiate at the seat? Well, I’m new to being an executive. He’s been doing this for a minute. Yeah.

Bruce Hoffman
So you want me to go back and talk about my, how I got here? Yeah,

Alyssa Butler
I’d love that. Okay.

Bruce Hoffman
So you know, following the cookery that I was doing, I slung pizza. In college, while I was getting a degree in operations management, which was basically statistics from the business school, rather than from the engineering school. So it was, it was a bit of an easier, easier degree, you know, and my favorite classes, though, were quantitative business analysis, and business law was kind of those were the combined, you know, out of everything that I had done. So I was set to actually open a restaurant, open a pizza restaurant, right after I, you know, in State College where I was at Penn State. And just, you know, on a whim, I was like, you know, it’s like, guy, you know, IBM is coming to town, they’re having this big, you know, auditorium, you could submit resumes at three locations. So I went in there, I found two locations that, like, would be interested in an operations manager, and one who wanted it like I just was wandering around, it was like, Hey, we’re gonna we’re looking for programmers. I’m like, program, right? Like, I did take a class in PL/I, which was a language that’s really no longer used, it was kind of like the, in a way, the predecessor to COBOL, Fortran and things that were kind of in use at that time. And they’re like, Yeah, you seem like a good fit. Give us your resume. And well, you know, and next thing, you know, I was hired to go work at IBM and I gave up my dreams of opening up a pizza restaurant. We know it kind of had changed years ago to open up a bed and breakfast, but now that’s gone too. Now, I just want to be a ski bum. That would be my, my remaining dream after you know. Yeah. Yeah. So I, I, you know, I went on, I worked as a programmer, that’s what we were called back then, on the low level languages for quite a few years. And I got into consulting, I didn’t feel like IBM was the right fit for me. 
And as I was consulting over the years, I kept being the person that like, could talk to the engineers that could talk or the developers and talk to the business and so I kind of moved into the business side of things. And most of my career I just shifted back and forth between being a tech leader and being a you know, a business product leader. So I kind of today in my fractional work, I’ll choose to either do fractional Chief Technology Officer or fractional Chief Product Officer. So either crack and I’ll help you develop the products that you’re working on, where I will bring you solutions that come help you help your business operate better.

Alyssa Butler
You know that you care We were just this morning, Sam and I were talking about the importance of communication and cybersecurity and both of your backgrounds didn’t necessarily it seems like you’re such smart men, but what ties you guys together is your communication and the way that you can just communicate with your teams. And with people around you, I find that very interesting. And speaking, what ties you together? How did you guys meet? How did you get started on on this project together?

Bruce Hoffman
So well, well, let me I’ll take my side of the fractional business really quick, just so that, and then we can talk, we can tie that together. So I, you know, through the years, I’ve made just a ton of connections with engineers, engineering managers, product managers, you know, and they’re all many of them that are either and the number that I mentored or in either a director or, you know, senior positions across. And so a lot of them are potentials that don’t even really need a ton of training, but they need expense exposure to working the full business, because at a corporation, they tend to be siloed, right, you’re gonna work in this one function, and that’s all you’re really going to learn. But if you’re going to work in a small business as a fractional, you know, Chief Technology Officer or product officer, you need to be able to, like, understand the sales side, the business, you know, across the entire product suite. And so part of the idea was for us to get those that group, you know, that are coming from my cohort and others that I meet into this opportunity to now go work in this space and learn from those smaller companies, or learn, you know, at the smaller companies, and that’s how you know, and then really Matteo and I met, and I’ll let you use, I’m glad to hear what you have to say. So you put that in there,

Matt Stroul
I gotta find the most positive way to say this. So for about three and a half years, after a few products, failures, products that we designed that we couldn’t get to market because of COVID, lack of funding, things like that we started out, we actually got hired to be a technical project. And then eventually a program manager for a startup that was supposed to be the global supplier for a company called Accubits out of India very at the time, top three, AI blockchain company in the world. So Bruce and I met almost a year ago, on a project that, unfortunately, went south as most projects do, I have no problem saying that, where we had a founder that had a certain set of visions and expectations, but a lack of both vocabulary of technology, and then the experience and wisdom of having to put technology projects into the water. So there, there ended up being a bit of a mismatch on the resources and the time and things like that, which has a lot of downward pressure, which is not uncommon. But yeah, that’s how Bruce and I met was on that project. And then I got pulled into being the technical program manager for a Smart Cities project in Belize. So for the feasibility study I conducted with them, what would be the visibility of this group to support Belize? And then there were, there were future opportunities where Bruce and I would have been a dyad relationship. Had that project moved forward with that previous company, where Bruce would be managing again, the Bruce I was going to be more OT, more operational technology, more infrastructure, Bruce would be handling more of the software side of things. Because a smart city every single Smart City project I’ve been involved in, which is now to four that had been a part of scoping or or were helping lead or helping just do some solutioning for they all have some manager, man, man level of management for blockchain. 
And then AI, which is, you know, people are just now figuring out to that, but you know, Bruce and I have been in AI for multiple decades now. We’ve been doing AI or AI like things for a long time. Wow.

Sammy Basu
What’s the smart city for? For the people who are not so smart?

Matt Stroul
Well, I wouldn’t say that, um, I would say a smart city is basically a connected or an interconnected city. Instead of having your fire department only and then your fire, police, water, water treatment, power generation, power distribution, they’re all of these islands that aren’t necessarily connected together and how they connect together are one person hands off a report or a damn Excel spreadsheet to somebody else in a budget office versus a smart city is hyper connected. So you as a citizen in a smart city, you would be using applications on one of these little guys to pay for things to transact with things to, you know, having quick access to your medical records, all of that stuff, but also mainly having a very well organized government. So if you’ve ever if you’re a homeowner, and you’ve ever tried to get a permit for anything, digitizing that process, if you’ve ever sold a home, if you’ve ever bought a car, and you just see the mountains of paperwork, a smart city digitizes a lot of that work for you. Got it? That’s the simplest explanation. Oh, that’s a great,

Bruce Hoffman
good.

Sammy Basu
Yeah. At an organization level, I’m working with a client who’s trying to, you know, put together all the separate apps and services and the locations to centralization, and cloud first approach, it seems like Smart City is that at the city level, it

Matt Stroul
is it’s the complex systems of complex systems is a system of systems approach. Yeah.

Sammy Basu
When you see that happening,

Matt Stroul
all over the place right now in real time, there are about 11 Major Smart Cities projects that are happening throughout the world right now. Yeah, every city will eventually be a smart city, America will be last.

Bruce Hoffman
Oh, part of it part of it ties into the blockchain adoption, though, right and exposing, you know, the, the transactional nature of the city on the on the blockchain while at the same time, you know, recording things permanently so that, you know, when needed, they can actually be looked up rather than destroyed.

Matt Stroul
You say blockchain now and immediately everyone thinks, you know, chimps with different outfits on or they think, you know, Bitcoin, they have no idea that that’s maybe 8% of the entire blockchain capability. So, yeah, we were in and Bruce and I are capable of atomic level transaction building and architectures, you know, on blockchains. And, you know, you really need AI and machine learning. And if you want to talk about security, there’s a ridiculous amount of robust security involved when you’re locking things down on a blockchain even though some things can be public or private.

Sammy Basu
Right. Yeah. What’s, uh, was full, like, most advanced Smart City at this point, Dubai. Oh.

Matt Stroul
And they’re the oldest, they were the they were probably the NOC, they were certainly not the first, but they are the most dedicated to it. The UAE in general, it’s the most dedicated to it. Yeah. Abu Dhabi, a UAE province. Just put two and a half billion dollars last year into, I don’t know, a mutual fund or whatever you would call it but a fund to help startups or companies do blockchain adoptions in the UAE.

Sammy Basu
thing of the future? Not so much. Yeah. That’s awesome. The

Bruce Hoffman
Future The future is now? Yes. It’s it’s already happening.

Matt Stroul
Yeah, we certainly live in an age where anything and everything can be done. So really, the questions now are, are we are we should we do it? And is there a market for it? It’s no longer can it be done? It’s should we and what?

Bruce Hoffman
And when it happens, will we be part of it? Or will we be eliminated as part of that?

Matt Stroul
Right? The AI robots that are coming to your job?

Bruce Hoffman
Yeah, or even not the, the AI, the AI software, that’s going to be your job, especially if you’re in the tech world. I talked to so many people recently who were and weren’t really ever developers, but they were really smart, you know, and now they’re like, Okay, ChatGPT writes my code for me, and I just plug it in, I just had to learn how to use the environments, and I could actually go build things. And so that’s a that’s a it’s an odd shift, but it’s happening.

Sammy Basu
So do you support that or you don’t support that?

Bruce Hoffman
That’s an interesting question. I support it in the fact that I don’t see a way around it. And so that I think people just have to accept and not move on Accept and adopt. You know, but like said that other question of like, you know, will AI destroy us? I think it’s less likely that the AI itself will destroy us, but more likely that the people that use AI will create the issues so it will be the humans. Not the machines.

Matt Stroul
In your invite you asked for a nugget of wisdom. Here’s I’m gonna Taylorism for you. The robots are not coming for their jobs. Let me let me let me say it right. It’s my own saying and I just screwed it up. Robots are not coming for your job, they’re coming for theirs, we need to stop doing the job of the robots. Right? So if there’s something that if there is something that they can do better than you, or no human could ever possibly do, calm down. You weren’t ever no human was ever going to be able to do that. Okay, we have a border crisis in our country, because it’s a political issue. Everyone with a border has a dang border crisis, right? But the problem really is, how are you going to educate your populace to take advantage of these tools, okay, and be a better version of themselves, or scale their awesomeness 10 fold, so that you’re a greater value to your community or to the brand that you’re choosing to support? I would say that, in many cases, especially the last two years, until very recently, the code that was being written by GPT was somewhere between and are you kidding me right now, it can get better, it can 100% get better. But as soon as you run it through a fuzzy logic tool, which is another AI tool, it’s gonna bomb out on security, or it’s got bad calls, you can’t just take what it gives you. And then call it a day. So you’ve got uneducated employers, now assuming ChatGPT can do 36 hours work there, and a human’s only going to work for four hours. So now they want everybody in the office at their desk, so they know exactly what they’re working on at all times, you’re now going to drive away all of Gen Z and Gen Y, coming in from working at your company, if you do that crap. And on the flip side, anyone who thinks they’re going to coast, they’re never going to progress. It’s the same thing as my friend who’s a math teacher in Florida. And he also teaches computer science. 
And he caught one of the kids writing code using ChatGPT. And he pulls him in with the parent and the parent goes, he’s just using the latest tools. My teacher friend said this. He’s not learning how to troubleshoot what happens when that code doesn’t work. Or that code violates some quarters security protocol. Or what happens when that software goes to the client and that client’s the United States government, and because they GPT their code, somebody else found a vulnerability. I teach your kids how to troubleshoot. I’m not teaching them I’m not mad at him for using the tool to get the code. Now he doesn’t understand why the code works. So now he can’t solve any problems. All he can do is type some stuff into GPT. There’s no market for that.

Sammy Basu
Yeah, I agree with you. 100%. Some people even said, It’s not my fault. GPT is for

Matt Stroul
someone who hires and fires dozens of people a year in IT, right? Like, my response would be then why am I paying you? Right? Yeah. Right. Yes, there’s some other jobs, you could do that. You know, I’m okay with them taking the code. I’m okay with them asking GPT for help them, okay. It’s fantastic that the generative and the writing of things, but what they don’t understand is, who here has been on LinkedIn this week, everyone can raise their hands, how many tens of thousands of messages in the last two years if you’ve gotten that all start the same way. But since ChatGPT went public last year, in understand I’m seeing 100 versions of the same scripts that GPT is generating. Coming into my inbox, now I’m an IT leader. I am immediately brands, I’m immediately downgrading you. If you’re if you’re allowing your marketing teams and your sales out teams to do that, I’m a senior executive, you are now going on the backburner automatically because you didn’t care enough to read my name. correctly. Right?

Sammy Basu
That’s a great point. You know, like,

Matt Stroul
it’s, it’s, the human brain is really good at understanding the difference in things and seeing seeing things that are the same and things that are different.

Bruce Hoffman
Right. It’s, it’s interesting, seeing the different messaging that I’m receiving from, you know, a barrage of new contacts every day with some other, you know, IT sourcing company from somewhere, you know, in the world, and it’s, it’s constant, and it’s interesting. Yeah, they’re like, oh, no, the latest thing is like, you know, how can we I collaborate, you know, or, you know, I love I love what I see on your LinkedIn. You know, can we talk, you know, everybody, but it’s just kind of funny because it’s all the same thing. It’s all just an entry point for the tech companies. Because my title says fractional Chief Technology Officer. They’re like, Oh, okay, he can use our services. So we’re gonna, we’re gonna barrage him with multiple emails, or messages, or, you know, put in a message along the time when I’m trying to make a connection with them. So

Matt Stroul
My favorite’s the phone company, the phone companies like, Who are you using for your phones? We don’t use phones anymore, man. We’re doing this for 20 years now. We’re VoIP friends, we’re, we’re WebEx or Zoom. But what’s a phone? You know, like?

Sammy Basu
So I want to ask another question. You know, like cybersecurity works on the principle of least privilege. From time immemorial to time in the future? What are some of the principles that you apply in your job as a CTO? Like, what do you think companies as a transformational leader? What’s the philosophy? And what’s the transformational outlook?

Bruce Hoffman
It’s interesting, because when I, at least when I think about security, a lot of it now the conversations tie into what kind of information is being used and collected? And how can I keep that information out of my system? You know, so a lot of people when we talk about PII, right, and trying to secure it, you know, a lot of the groups are saying, well, you know, let’s find a way to not accept it, you know, if they’re using my chat bot, don’t, they can’t, if they put in a social security number, or even an address, I’m going to reject it unless I actually had designed the chat bot to collect those things. So a lot of it is more around the security design, in the actual applications and thinking about, you know, and so if I do need to collect data, then making sure that I’m doing it in a way that has got the highest levels of security, encryption, and at all times, you know, you know, rotating passwords, all the things that, you know, you would expect, you know, I know, some of you know, in your business that you would expect people to do, you know, you know, having using authenticators for, you know, getting into the systems. So I haven’t spent as much time on the back end security design, but focus more on the application security, from where I’ve been, from the lens that I’ve been putting on and the physical security, you know, like not sharing your passwords and not sharing, you know, all of that kind of stuff. That’s just you think is just basic intelligence but requires lots of training.

Matt Stroul
I come from a, from a different perspective in that, because I do more infrastructure, I’m more of a solutions or a systems architect than I am a software architect I had to learn. I’m more of a fundamental traditionalist guy. And I used to be a very non ethical hacker when I was a teenager, and I got my life righted by the right personality. So I didn’t get in really big trouble. I only got in a little bit of trouble. There is, I mean, the director of the FBI literally went on air this afternoon, saying how concerned he is about state actors. I’m not going to say the actual country. But it is a single country, and it’s to our west, somewhere across the Pacific, who had where, where they are deeply concerned, not just about the typical types of scams that you see out of like North Korea, Pakistan, you know, all these people actually just trying to do criminal stuff, remove criminality out of it. And now think state actor, there are a ridiculous number of systems where people simply are either too lazy or do not care about security. You look at people who don’t lock their home. So I’m sitting right next to my front door. Yet, packages get stolen off the porch all the time. Right. Right security is you’ll never you could never spend enough money and you will never ever be 100% secure. Right? So you were talking about least privilege. I’m a zero trust person. I treat my employees as hostile AF, for their own protection. Why do you need to see this? How long do you need to see it? How much of it do you actually need to see? When did you see it? And when did I remove permissions from you seeing it? Yeah, those things are critically important. 
Blockchain is a fantastic intermediary because even on enterprise Private blockchains like Bruce was talking about what a lot of people do when they’re identifying personalities like know your business, know your customer, anti money laundering those types of principles, when we apply those to things like certificates now, where I’m authenticated to the platform, your system is authenticated to the platform, the you know, the cam, or the PAM issues, the certificate out, no human could possibly know what the handshake is, no human was in between, it’s nearly impossible now. So now you can go to that executive and stand in that boardroom and say it is a mathematical impossibility that a human being could do in it, you know, a person in the middle attack, calm down, you’re secure. Or if you don’t do these things. The next person that has BYOD, bring your own device at your company, the next person that’s logging in on a Chromebook and leaving it open and going to the bathroom in a Starbucks and not logging into your VPN. Now, that is how the state actors are getting in, right? You have all these phishing problems, you have all these authentication problems. So we’re going to start to see a lot of practical kind of blockchain tools that say this person’s authenticated at these levels. Think of it as like AD kind of domain, control level, group level and controls, but just in time, so it’s constantly being refreshed, and you don’t have to think about it. And you can be hyper forensic afterwards. That’s the real key to hardening yourself. So if you’re enterprise grade, or small to medium enterprise, and you’re trying to get really serious about security, it’s real simple. You make everybody change their passwords randomly between 30 and 45 days, that’s about 80 to 90% of your threat vector, the rest is going to be a lazy CISSP. Or not having a CISSP I can be your best friend, Security Security, folks, I love you. And I can be your worst enemy. 
All you have to do is just tell me, tell me what your weaknesses are friends, and I’m there to help you. God help you, if you try to cover your tracks or lie about your policies. Or say you’ve got a policy, when you don’t have one, it is so much better. That’s when when when executives talk about vulnerability, that’s the kind of vulnerability that we need when we’re standing in a boardroom together. Or we’re sitting in a conference room, we’re trying to figure out how to protect or how to recover from a penetration or from a failure of security. You know, you need to be honest and vulnerable. We don’t have a policy for that. Awesome. Let’s go right one,

Bruce Hoffman
that’s a better perspective. In Endless endless implemented.

Matt Stroul
Yeah, and let’s go for it. You know,

Bruce Hoffman
don’t just write it because they have Yeah,

Matt Stroul
Cuz if you lie in that moment, you really challenging you lie. In that moment, I’m going to a steak dinner with the rest of your C suite. And I’m going to be like, I’ve got some problems here. So do you want me to say your CISSP is engaged, and wants to be a part of the solution and help you evolve? You need to pay attention to what they have to say? Or do you want me to say, this person isn’t really qualified, they’re scared to talk to you. They’re scared to present these things. You know, security is vigilance. You know, you’re gonna need to coach them up or find somebody else. You know, there’s two different kinds of conversations we have at that kind of executive level.

Sammy Basu
That’s a great perspective. Alyssa, you can add that to our list of skill sets where you go up and not, you know, hold back, there will be people like Matteo with whom you have to butt heads sometimes,

Matt Stroul
But please, for the greater good. It’s important. It is important debate, and going back and forth, and being challenging, it’s not being hostile, it’s not being attacking, it’s us being passionate about the problem we’re trying to solve together. You know, it’s so often people can get defensive. And it’s not about that, it’s about us being animated about solving problems together. You know, that’s

Sammy Basu
awesome. One another question. This is so interesting. And I’m sorry, if it’s going on more than expected, but like, let’s say you have a concept and you want to develop that concept, and you have, like, how do you design the it, but that can infrastructure for that? Like,

Matt Stroul
I think I can answer that in one sentence. And then Bruce can talk about the front end, but from the back end, it all comes from the front end requirements.

Sammy Basu
Okay, Bruce, over to you.

Bruce Hoffman
Thanks for the soft pass. Yeah, I mean, when you think about the security architecture, you know, and again, it’s really about, you know, how are people building things and then making sure that all of the software, you know, is going through scanners and really, you know, looking at how people are, you know, are there potential injections of, you know, from something that was used that was open source that people didn’t realize the on the next version. So it’s a lot of hygiene that you need to instill in the teams that are building more that it’s, you know, more than it’s like the actual, like architecture itself. It’s more about, you know, making sure that people are consciously understanding what are the challenges, what are the things that could be open, right, you know, in your website, in your application, right, there’s, whether it’s ports, whether it’s, you know, code op code openings that have just by default been left open, that you need to go turn off, it’s really sort of keeping that and teaching that within the teams that you’re building with the teams that are already there.

Matt Stroul
I think that’s a fantastic answer, Bruce. There was a time where we transitioned to visual editing tools. So 98 to 2002 is when we saw, you know, C# .NET, that kind of framework come forward. And it forced everybody to up their level of IDE game. So their internet, you know, their development interfaces and environments needed to come of age, because we saw cloud happening back then, you know, I remember we weren’t calling it cloud in 1988. We were calling it virtualized data centers, right. So. But the DevOps components that came in the late aughts in the early teens, you know, that’s what really kind of pushed back on the developer teams that they needed to start to understand they can’t just deploy code, and then oh, we’ll just patch it and oh, we’d just patch it. There’s responsibility there. The fantastic thing, from a leadership perspective, is higher power. Right? It’s the ultimate thing. But when you’re a C, or V or a D level, you are their higher power. So how do you push back and say, not that your code is crap, but that there are opportunities? Are there loops? Are there holes that we need to fix, that’s where a lot of these fudgy laws it logic and scanning tools and vulnerability scanning, you may not necessarily need a blue team, but you definitely need a red team, you need an external team, that’s just going to hammer it in your QA folks are just trying to tick boxes, they’re not thinking about make sure that it works. Now they’re just trying to make sure that works in the use cases are signed off, and they can go get on another project and right, so having that kind of red team mentality because I was the teenage jerkface doing that to small companies and other companies when I was a teenager, I grew up with that. Oh, my God. These are my threat vectors. So when I moved into leadership, I get to ask those leadership questions like, Oh, this is interesting. Have you thought about what’s going to happen when.
And then they pull their hair out for two more weeks, and they come back with something a lot more complete with less holes. So from a security perspective, the things I always start with, Bruce hit it right on the head, it’s ports. Only use the ports you need. If we’re talking infrastructure, what’s your security container like? Because it’s all cloud, right? So what containers are we putting? How many layers are we putting? Are we over encumbering or under, you know, under serving our security rules? Why does anybody need direct access to a database anymore? That’s easy coding, right? Why are you hard coding variables? Is there any kind of access information in there where we should be using a certificate or some type of handshake that’s external? You know, it’s the simple, most fundamental things that can absolutely derail your app.

Bruce Hoffman
Right, you know, tying that together with the whole GPT side of that conversation. And, you know, and developers using visual tools, if the visual tools have not been completely certified, now, likely, you know, when you build something using the visual tools, it’s gonna have those holes in it that, you know, can easily be attacked. So I think it’s kind of, it’s interesting, because, you know, when you go on, you put together the budgets for the projects, you know, and you say, Okay, well, I’m going I need this budget for security, you know, I need this budget to deal with ethics. You know, I need this to deal with privacy. And they’re like, Okay, well, how much I have left to build the product. And I’m like, Well, this should only be 25% of the budget yet. The budget you created is way under because you didn’t incorporate all of the things you need to do before you put it to production.

Matt Stroul
Yes, yeah. Before you try to take that single dollar you didn’t factor in the fact you need a minimum of $50,000 in a merchant account somewhere. You know, there’s a lot of these. That’s why a fractional executive is so powerful on a project, even if the function is technical program management or product owner or something along those lines, you’re getting that full stack, leadership perspective that end to end, now functioning at the head or being a consultant level and considering security concerns, 360 degrees sphere, you know, your projects in the middle, we’re seeing it all.

Sammy Basu
So other than security, what other things do you consider, like, scalability, or, like, what do you call

Bruce Hoffman
All, and then it’s across the board, you know, and one of the things I like to push on lately is ethics, is, you know, is whether or not what we’re building? You know, there’s always that question, is it legal? Right, that’s like the first side of it, but then, you know, really, is it ethical? And, you know, and ethics is not a forced item, but it’s really desired. So, you know, if I’m building something, and I’m talking about, okay, well, I want to do data sales. As a result, all this data, I’m going to collect from this, you know, medical product that I just created, well hold on a second, you know, what, you know, it’s, it’s ethical. If you say to the, you know, the customer, yeah, I’m going to use your data, and I’m very clear about it, and you know, you have the opportunity to opt out of it, you may lose some functionality from the product. But now, that means I need to build the product in a way that allows you to still get that, without me being able to use the data, you know, and the other side, you can set it up. So pay, you know, we want to be able to pay you for the use of your data. But again, it’s always you have to, it’s clear opt in, it’s not like these, like 40 page long documents that all of the major players put together, you know, you need the short summary that says this, this, this and this so that anybody can understand it. So, you know, it’s like every site you go to that you haven’t been to lately has a cookie policy, right? And it’s like manage cookies, accept or reject all, right? You know, you don’t know what happens if you do reject all, right, you’d have to go in and read on every single one, what you’re going to actually lose if you go down that path. So what do people do, they just press Accept all. So it didn’t really help. It didn’t help at all, that this, you know, that CCPA stuff got implemented, or GDPR. Because people are not recognizing it.
And I don’t know how much people care really, I think that might be part of the issue. But really, it’s still not ethical to just go take the data and use it without really making sure that people understand what it is that you are, you know, putting together. I do actually have a stop. So at least I’m closing. Yeah,

Alyssa Butler
No, thank you guys so much. This is you’ve given us so much information, so much to think about and talk about. Where can people find you? They want more information on becoming a frac exec. How can they find you, all of that?

Matt Stroul
Bruce runs at a group. Yeah.

Bruce Hoffman
Well, I was gonna say I just right now I would just use my LinkedIn is probably the easiest way to find me and it’s Bruce a Hoffman.

Matt Stroul
Right. Sam, LinkedIn is fractional Mateo.

Alyssa Butler
Great. We’ll also link that but so thank you guys, both of you so much for joining us and for all of your insights and smart thoughts. It was wonderful to talk with you. Thank you, Sammy, and we’ll talk to you guys later. Have a good day.