Technical Influencers: Sixto Bernal, How to Find a Fantastic Job in Cybersecurity

Sixto Bernal
Conversations with Influencers Sixto Bernal Improve Your Odds of Breaking into Cybersecurity

Welcome to a fascinating exploration into the often-overlooked intersection of security and sales. In this podcast episode, we engage in an illuminating discussion with Sixto Bernal, a seasoned professional who paints a vivid picture of how intertwining these two realms can create a dynamic synergy, driving both business growth and operational efficiency. Delve into this unique perspective and uncover how it might transform the way you view your business strategy.

Interview Transcripts Sixto Bernal

Richard Lowe  00:00

This is Richard Lowe with the technology influencers podcast. Welcome. I’m here with Sixto Bernal. And he’s going to talk about security and sales and the relationship between the two. Sixto, take it away.

Sixto Bernal  00:24

Hi, Richard, thanks for having me. Um, you know, it’s, it’s an obvious thing when you think about it, but at the same time, it isn’t that common that salespeople focus on, excuse me, security people focus on sales. We get dragged into the sales cycle, it’s usually late, you know, the salesperson has already made a lot of contacts, he’s had a lot, he or she has made a lot of meetings with the potential client, or customer. And then they bring us in at the last minute because InfoSec at the customer site, or privacy at the customer site, has questions for this brand new vendor, or they send us a, send over, if you will, vendor questionnaire that security has a section that we need to fill out. So we get dragged into the process that way, and dragged into the process is the right way to think about what usually happens. Highly inefficient. It makes everybody grumpy. Because getting dragged into a process is not what you do for a living, what you do every day, then disrupts your schedule. So security people, privacy people, they get a little annoyed with sales, maybe a lot annoyed, because their day is disrupted, their normal workflow is disrupted. Now I have to go deal with this questionnaire from a customer or, God forbid, get on the phone with a customer. So you can see it’s not a very healthy relationship. When everybody, I think, in the company should be focused on winning more sales, in advancing the company, helping the top line, etc. And so I learned this some years ago, when I first joined SuccessFactors, oh my God, back in 2008 or something. I worked for a CIO, Randy Womack, and this was his mantra: everybody’s in sales, everything you do must contribute to the bottom line. It, you have to be, you have to think that way. And it took me a while to come to terms with that thinking, because I’d always stayed away from sales, you know, my previous career in IT and operations. God, I spent over 20 years avoiding sales at all costs, right. And here, I was confronted with this new thing, and I needed to adapt, I needed to learn it. And since then, I fully integrated into it, it’s become my mantra.

And it really does permeate everything that I build in the sale, excuse me, in the security or the privacy realm. It’s now what I do. Whether, let’s say we’re gonna write a security white paper. Well, we’re not just thinking about writing it for other security professionals, we’re thinking about it now. And placing that security white paper in the hands of salespeople, and giving it to them as a tool that they can use to interest a potential customer. So you see, the tone changes slightly. The, how we communicate, pretty much everything changes when you integrate this other audience. Because after all, security, privacy people, we get used to talking to each other, right? We have jargon, we have nomenclature, we have conferences we go to and we talk to each other. And we forget that we are part of a larger organization. I like to think that my security department is a business within the larger business. But it has to be integral, it has to be in accord, in alignment, and match with what the business side of the house is trying to achieve. And there’s a bunch of different ways we do that, you know, and I teach people who come to work for me this whole thing. And so I guess we could talk about that if you’d like.

Richard Lowe  03:58

Yeah. How do you mean, security people are going to be resistant to this because they’re not salespeople. I know that when I was in security, I would have been completely resistant to this and said no way. So how are you going to convince somebody who has that attitude, who wants to be an IT person and not a salesperson, to be a partial salesperson?

Sixto Bernal  05:00

Well, the overall theme is that it is a positive feedback loop. It isn’t a negative. Right. So let’s go back to the notion of the security white paper. We all know what that is. You go through, you do a description of the system from a security perspective. You talk about the infrastructure, you’re talking about the measures you put in place to protect, you know, access control, the infrastructure, code base, all those things, right. We put that all in a white paper that’s two or three pages long, that’s usually targeted for consumption by other security people, wherever they might be, right. So you write it in a certain tone. Well, okay, so now let’s stop for a minute. Let’s say that we adopt this, this security equals sales viewpoint. And we write it slightly differently, we maybe explain our terms a little bit more, we add a parenthesis where we use an acronym, we use language that might be easier to understand for the non-security person. And so in a sense, we’ve made that document easier to read by everybody. And in fact, you could, you know, picture a salesman sitting in front of a customer, when they say, Well, you know, have you got something to tell us, to show us about your security, and the guy hands it over, customer scans it quickly and goes, Oh, this is exactly what I want. That’s the goal. The goal is that during that interaction where the security person isn’t there, and in fact, security people aren’t even in the room, that it has a positive effect. Okay, so the positive feedback loop happens when the sales guy comes back to the security department and says, Hey, man, you know, that white paper you gave me, that was awesome, it really broke the ice with the customer, we were able to talk about other things. So now the security people see, oh, it really does work, it really does have a positive effect. It really does add to the conversation. Well, then, you know, okay, now you’ve broken the dam a little bit, you know, you got a couple of trickles coming through. And so now you think about, well, what about our knowledge database, or the place where we keep our policy and procedure, what if we gave sales guys read access to that, right? Don’t let him touch anything, but give them a good search engine. So now imagine, the salesperson is out on a customer site, and the customer says, so what kind of encryption do you use between these different stacks of your website, blah, blah, blah. The salesman types it into the knowledge database that we’ve given them access to, that contains all of that information.

And he has his answer in an instant, doesn’t have to call us back, doesn’t have to wait for the exchange of a questionnaire. He’s answered the question that, obviously, the customer was given by their security people, right? And so again, the guy comes back, and he says, Hey, thank you so much for giving me access to the knowledge database, because that was great. I was able to, I was able to answer the customer’s question that a couple more, once he saw I had access to all this information. It was great. And so that adds to the positive feedback loop, which is appropriate, right? That’s what you want. You want, in a sense, to push security material, security information, security answers to questions, as far upstream in the sales process as possible. So now you’re thinking, Well, wait a minute. Well, what if we did this? What if we did that? What if I, I don’t know, what if I talked to legal, and we crafted an attachment that goes out with our contracts? It says, Here’s what we commit to security wise, Mr. Potential Customer. You see, it changes your perspective. Once you start thinking about yourself as part of the process, not necessarily a salesperson, but as a department, a group that has input that facilitates the sales cycle, changes your whole perspective.

08:28

How does this relate to the end consumer on say, a retail store or something like that retail online store? Does it filter down to them as better security? Do they see any of this and the end result?

Sixto Bernal  08:40

Well, they do. I don’t always know that the consumer does. Most of my experience has been B2B in the large enterprise, that kind of thing. And so I can tell you that I’ve worked with a lot of the big banks, in fact, most of them, and they’re pretty, they’re pretty tough customers to deal with. Some of them are quite insistent on us following their security protocols, etc. And the way it would filter down is that the customer would get assurances from the end customer, the end user would get assurances that they’re dealing with a company that takes security seriously, and has ensured that all of their vendors do too. So that company, whether it’s Charles Schwab or Wells Fargo or BofA, talking about the banks, right, they can talk to their customers and say, we vet all of our vendors, they pass a stringent evaluation, we talk to them in deep detail about how they implement security, and that’s who we do business with. And so you see, they don’t get direct knowledge perhaps, or direct comfort around security of the company, of the vendor that’s giving assurances to the company that you’re doing business with, but it does flow downward.

Richard Lowe  10:05

Oh, I see, good. That’s interesting. Now, let’s say you’re somebody who is interested in becoming a cybersecurity person, how can you prepare yourself for this kind of interaction with sales and other groups in the company?

Sixto Bernal  10:17

Well, you know, it is, as I said, it’s a mindset. It’s like any other lifestyle change or improvement you make in your life: once you think that this might be beneficial to you, you start seeing opportunities. And so a lot of what we do to train security professionals, whether it’s the ISC squared, the CISSP certification, on and on, all these things, they’re very much focused on the nuts and bolts of security. And it’s sometimes hard to see how it fits into the bigger picture, meaning the rest of the company, the business that the company is in. And so it takes a bit of outreach, if you will, to go to lunch with a sales guy, or talk to somebody in marketing, understand how you might fit in, and you’ll find those places. You know, for so long security, and a lot of other technical operations, is considered so back room, right, it’s behind the wall, behind the firewall, quite frankly. And so reaching out like that, you’ll find opportunities. And as I have, really, that’s where it all begins, as you begin to develop a relationship outside of your security community. And you talk to legal, you talk to sales, you talk to marketing, those people are forthcoming. And quite frankly, they’re hungry for leverage points that they can use out there in the wide world that might differentiate us, the vendor, from others who don’t have this mindset, who, I don’t know why, aren’t even trying to integrate or make more available the security program in a consumable form. So it just sort of has a cascading, like I said, a positive feedback loop. Once you get started, it starts getting more fun as you go along.

Richard Lowe  12:09

I see, very interesting. Now, let’s go back to the beginning cybersecurity person or somebody who’s intermediate, and they’re looking for jobs, and the market’s got a lot of people looking for jobs now because of all the layoffs and things. And because it looks like a hot industry, and it probably is. Should they become more up to speed on sales and how it fits into things? Or should they ignore that when they’re going for their certs and things like that? Or does it give them an advantage in an interview?

Sixto Bernal  12:40

I think it does. It’s good for its own sake. Because in, in America, right? Sales drives business. I mean, business is sales. It’s it’s it’s part of the work that any company does. No company exists in a vacuum. I think there’s very few fortunate companies that have people beating down their door, there’s always going to be some aspect of sales. And to the extent that, quote, the business and sales are synonymous with each other, I think it’s it’s a level of awareness that any person Darren said, should have about how their company works. It’s more than just understanding that we make these widgets. Well, how do these widgets make their way into the marketplace? How do we sell them? Who do we talk to to try to sell these widgets to? I think that expanded perspective, in and of itself is a good thing. Even if you never use this as, as directly as perhaps I have in others. I think it’s always a good thing to understand better how business is done.

Richard Lowe  13:53

Good, good. So somebody’s looking around for a position somewhere. And one of the hard things is they do their resume, they send it in and it goes through the resume blizzard, yeah, and gets lost. Now, how does a person who has the sales background that you mentioned, or sales knowledge, combined with security knowledge get to somebody like you, say a CISO?

Sixto Bernal  14:17

Well, like I tell everybody, you know, your resume should reflect who you are. I mean, yeah, it’s an inventory in many ways of what you’ve done, but it should also portray who you are. And so let’s say your resume version, version n minus one, and you’re busy writing a new resume, because, you know, the world is a new, different place. Where before your resume was I worked here and here’s what I did, I worked here and here’s what I did. Well, if in your last company you were in on some sales deals, the work that you did was a contributing factor to landing a customer, put that in your next version, weave that into what your inventory of experiences is, so that the reader, a manager, or somebody else filtering will look at that and say, Oh, well, you know, this guy’s got an outward facing face. He’s not just a backroom kind of person. So, again, it’s reflecting the reality of you at that point. And I think it’s always important because it shows, it demonstrates that you are more than just a security person, you’ve got a broader perspective, and it never hurts to be able to say you helped close the deal.

Richard Lowe  15:40

Well, that’s true. That’s true. But I trusted the question was, Okay, so number one, the resume needs to reflect that you have some knowledge of sales, and that you’ve delivered to the business as opposed to the security department. Those are two essentials. But getting in that resume queue, there could be 1000 resumes there waiting for you to look at. How do they get around that? Would that be having a pretty spiffy LinkedIn profile? Would that be knowing people, networking? Do they hang out at the library? I mean, what do they do to get to somebody like you, rather than go through that front queue and probably get discarded by the automatic software because the resume is not formatted right, it’s missing a period somewhere?

Sixto Bernal  16:21

Yeah, you know, it’s, it’s a combination of all of that. I think that in our connected world anymore, your online presence has to be, again, a reflection of who you are. And if you neglect any pieces of that, then you’re not playing all the percentages, right? Having a good LinkedIn profile that’s very reflective of who you are, that’s important. Having a resume that’s very reflective of who you are, but also is in concert with your LinkedIn profile, also very important. Networking cannot be neglected, either. Are you a part of professional organizations, ISACA, ISC squared, ISSA, you know, all these places where you go to turn over rocks to find security people, because security people go there to talk. For instance, I’m going to a dinner tonight myself, where I will be rubbing elbows with other security professionals, and it’s a place to network, to let your opinions be known. So that when somebody has something pop into their head, or an opportunity, and it’s in your wheelhouse, they go, Oh, yeah, that guy, let’s get that guy on the phone, or that person themselves will fire up LinkedIn and go, What was that guy’s name? Oh, Richard. Oh, yeah, there he is. Click. And so you see, it’s a percentage game. You need to be out there. You can’t neglect any aspect of your outward facing personality. So yes, networking. Yes, a good resume posted on all the right places, right? LinkedIn is a great site to leverage, not only with your profile, but you can write articles and post them, you can read what other people are posting and, I don’t know, comment on it. I guess all of it is about putting you in someone else’s mind, or triggering them to think of you when they’ve got something that they need done.

Richard Lowe  18:20

So it sounds like a good strategy on LinkedIn would be (a) perhaps get your LinkedIn profile done professionally by somebody who knows how to do that, and (b) write articles that, instead of just saying here’s how you configure a router, say here’s how a router contributes to the business? Yeah, absolutely. It’s a simple, simple thing. Yeah, yeah.

Sixto Bernal  18:40

It’s more than security people will read these kinds of things, right? And again, it’s targeting: you’re not targeting a specific audience, you’re shooting for a broader audience. So if you write articles, or whatever postings, wherever they are, LinkedIn or otherwise, if they’re focused only on people just like you, well, then you’ll only be interacting with people just like you. But if you alter your language a little bit and broaden your scope, you might run into other people who would appreciate knowing how a router fits into the business, or the selection of a firewall are approved other perimeter defenses, how that has an impact to the business overall. Now you’re talking about it in a broader context. It’s like anything else: if you’re a painter, and all you can do is talk about brushstrokes, you’re not going to be that exciting at a party. But if you go to that same party, and you talk about the travel that you took to get to that field, the one where Van Gogh painted the daisies, and, you know, you had a wonderful dinner. So you see, you’re weaving a story instead of just throwing facts on the table. It’s in how you present it

Richard Lowe  19:52

and who you present it to because you have to remember when you’re looking for a job, that the people who are going to hire you are not the same people as you. They’re actually several levels above you in the organization and they’re interested in the business.

Sixto Bernal  20:05

Or they’re looking, very often, business people, management, executives, they look to people like us to solve their problem for them. They’ve got a problem with security. They don’t exactly know what it is, you know, but security’s been in the newspaper and their customers are banging them on the phone. And their salespeople are coming back and saying that there’s all this stuff. So you’ve got this business problem called security, but you don’t exactly know what security is, you need to hire a security guy to come and fix that problem for you, so you can go back to doing business. So that’s where the connection is. If you’re just a security guy, this business person is never going to find you. But if you play in the same playgrounds, go to the same cocktail parties, or rub elbows with those business people, two things will happen: they will ask you questions about it, and you will learn what kind of questions business people have, management has. So you’ll be able to better communicate what it is and how security helps the business function better. And, you know, we in security, sometimes we get arrogant about the non-security people or the non-technical people. Their viewpoint is just as valid. And in fact, sometimes more so, because usually they’re decision makers. And so the more that we can help bridge the gap, communicate better why security is good for the business, just bottom line, well, then, that one interaction might bear fruit, but it’s already borne fruit because you’ve been in it. And you’ve learned what the business thinks and how they think because you had that conversation.

Richard Lowe  21:43

Well, not only that, let’s say you’re specializing in pen testing, I’ve been seeing a lot of articles on that. There’s a bazillion pen testers out there. But if you know about the business, you’ve differentiated yourself from the bazillion pen testers that are out there.

Sixto Bernal  21:56

Exactly. And those decision makers, we had managers or executives, if they find you easy to talk to? Well, after all, isn’t business nothing more than personal relationships writ large? I mean, you have a relationship with your vendor, but it’s really with Alex, the representative of the vendor, who makes you feel good about that relationship, and always answers your question and picks up the phone when you have some information or a problem or whatever. It is relationships. And that’s what you’re building, you’re building a series of relationships, and you’re making yourself open to new relationships by being somebody who’s reasonable to talk to.

Richard Lowe  22:37

So it sounds to me like a good strategy for somebody who wants to find a new job or get into the business would be to take some maybe go on Udemy, or one of the other places that have courses and take some sales courses and business courses, even just a couple of simple ones. So at least know the terminology.

Sixto Bernal  22:52

Didn’t know yes. Because now you’re now you’re in the conversation, it isn’t a foreign thing to you. Right it? You know, you know, I see security people over time, they sit the back of the room with their arms crossed and waiting for sales guys to finish their spiel, instead of sitting forward and sit and thinking, what what is the message here, or B of marketing or whatever? So it’s it’s incumbent, I think, you know, it’s the reverse is also true. A few years ago, the organization that advises boards of directors came out with some advice for boards of directors across the United States, that boards board members shouldn’t become as conversant in security topics, as they are in financial topics. Why? Because security has become such an important thing, that it really needed to happen. And it has slowly to be sure. But I’ve watched it over the last three, four years where the people I talk to now get a better understanding. And of course, the news helps a lot breaches here and there. And a week doesn’t go by that we don’t hear something about data privacy, and some new company be you know, getting hacked and 1000s or millions of records. So it’s more in the, the average person’s mind and, and we’re all average in some respect that we all go home and watch the six o’clock news or whatever. And so that that bubbling up of security topics into common thought occurred to all of us and so I think we need to meet that challenge by speaking in a way that’s more easily understood by anybody.

Richard Lowe  24:32

And it sounds like another strategy would be to find somebody, say at a business level of any business and set up a, you know, a zoom call or a coffee meeting or something and talk to them and then pick their minds not about security, but about the business about business and sales in general, maybe their business without being like begging for a job but just talking to them.

Sixto Bernal  24:53

That’s exactly right. Because you’re looking to make that connection and you’re getting an education, right you’re that is the value of that kind of conversation because you’re growing it professionally, by virtue of that anything that you can do to educate yourself about what it is you or your company does is always a positive.

Richard Lowe  25:16

Well, Sixto, it’s been great having on board, why don’t you spend a few minutes and talk about your background and why people should be listening to you on this podcast? Well, you know,

Sixto Bernal  25:26

I came out of retirement in 2005 or so on this side of the fence. I’d spent 23 years in IT and operations, working for all the big companies that are in the valley, Sun and Oracle, and oh, a bunch of others. And then when I came back to work in 2005, it was on the compliance and audit side, and I learned a whole nother language. I was able to leverage all of my experience because I was talking to people like me, and I never looked back, right, I jumped into this side of the house with both feet. I’ve got just about every security and privacy certification that you can name, but it was all in the service of me becoming a security professional. I’ve always been a lifelong learner, so that aspect of it was easy for me. And I worked for a succession of internet companies, SaaS companies, and so I’ve been cloud native ever since 2005. And so that is my bailiwick. And, of course, sales drives the SaaS businesses, and so ever since then, that’s what I do. And I still do that. I’ve been able to operate in this way across large enterprises and absolutely raw three-person fresh startups. I keep learning more and more about what it is to do, not only my specific security work, but also how to integrate it in new and different ways into the business. The outreach that I’ve done with marketing, and sales, and HR, and legal, especially legal, has really benefited me. And so I bring all of that to the table, not only to be a better employee, candidate, whatever, but I also teach this to the people who come work for me. So I feel like I do a lot of evangelizing, a lot of mentoring on this topic. And I believe it’s done, those people who’ve listened and, you know, taken up those lessons, I think it’s done a good thing for them, it’s been a positive. So that’s kind of who I am, I’m, you know, I’m a professional security guy. I’m at a leadership level now.
And I’m able to craft security and privacy programs more in accordance with this kind of thinking that we’ve been talking about for the last few minutes. And so I’ve gained a little bit of a reputation. That’s what I do, I’m not just a security guy, I am the guy that understands where it fits into the overall picture.

Richard Lowe  27:58

Very cool. And I think a takeaway that I like to leave people with is that this has to be an ongoing process, you can’t just, you shouldn’t just pick up networking when you’re about to be laid off. Or if you’re laid off, because then you’re coming from behind, you shouldn’t be doing it all the time. Just set up meetings with people, talk to them, especially people above you in the organization or other organizations, learn from them, learn about security, of course, learn about the other parts of the business, learn about AI, you know, learn about all these how these things all hooked together. And then you’re gonna find that these people will become your advocates and your mentors. In a way. They may be minor, maybe major depending. But if they see that you have a business savvy and you’re interested in helping the company through sales, by helping the company sell using security, they’re going to be behind you all the way. Oh, absolutely.

Sixto Bernal  28:48

It has been such a facilitator. Besides the fact that it’s helped me expand my experience, I have to say that it’s made my work in security so much easier when you have allies. You know, when it comes to the budget time, or projects are being integrated into the business, you become part of the business instead of this outlier, that everybody wonders what you guys do with all that money we give you, you just buying firewalls and equipment? No, when you’re integrated into the whole thing, you are less of a mystery and more of a partner.

Richard Lowe  29:21

Yeah, you become more than just Joe or Sally, the, the security person, you become a person, a real person to them, and that makes it more likely that you’re going to be a valuable part of their team, and less likely to be the person the first person laid off.

Sixto Bernal  29:40

Yeah, that’s, uh, you know, that’s sort of a gamble. And it always is, but if you’re considered part of, you know, the money making end of the business. Well, yeah, it’s, it’s, that was

Richard Lowe  29:53

my point. Now, none of this is guaranteed, of course. Well, thank you Sixto. It’s been awesome having you on board. Good information. I think it’ll be very helpful to people.

Sixto Bernal  30:03

Excellent. Well, I was very happy to be here. Hope to see you again soon.

Richard Lowe  30:07

You will. Thank you. Good day. I’m here with Sixto Brunel for the let me start that over. This is Richard Lowe with the technology influencers podcast. Welcome. I’m here with Sixto Brunel. And he’s going to talk about security and sales and the relationship between the two. Sixto take it away.

Sixto Bernal  30:30

Hi, Richard, thanks for having me. Um, you know, it’s, it’s an obvious thing when you think about it, but at the same time, it isn’t that common that salespeople focus on excuse me, security, people focus on sales, we get dragged into the sales cycle, it’s usually late, you know, the salesperson has already made a lot of contacts, he’s had a lot that he or she has made a lot of meetings with the potential client, or customer. And then they bring us in at the last minute, because info sack at the at the customer site, or privacy at the customer site has questions for this brand new vendor, or they send us a send over, if you will, vendor questionnaire that security has a section that we need to fill out. So we get dragged into the process that way and dragged into the processes or right way to think about what usually happens. highly inefficient. It makes everybody grumpy. Because getting dragged into a process. That’s not what you do for a living, what you do every day, then disrupts your schedule. So security people privacy people, they get a little annoyed with sales, making a lot of noise, because their day is disrupted, their normal workflow is disrupted. Now I have to go deal with this questionnaire from a customer or god forbid, get on the phone with a customer. So you can see it’s not a very healthy relationship. When everybody I think in the company should be focused on winning more sales, in advancing the company helping the top line etc. And so I learned this some years ago, when I first joined SuccessFactors Oh, my God, back in 2008, or something. I worked for CIO, Randy Womack, and this was his mantra, everybody’s in sales, everything you do, must contribute to the bottom line. It you have to be, you have to think that way. And it took me a while to come to terms with that thinking, because I’d always stayed away from sales, you know, my previous career in IT and operations. God, I spent over 20 years avoiding sales at all costs, right. 
And here, I was confronted with this new thing, and I needed to adapt, I needed to learn it. And since then, I fully integrated into it, it’s become my become my mantra. And it really does permeate everything that I build in the sale, excuse me, in the security or the privacy realm. It’s now what I do. Whether, let’s say we’re going to write a security white paper. Well, we’re not just thinking about writing it for other security professionals, we’re thinking about it now. And placing that security white paper in the hands of salespeople, and giving it to them as a tool that they can use to interest a potential customer. So you see, the tone changes slightly. The the how we, how we communicate, pretty much everything changes when you integrate this other audience, because after all, security, privacy people we get used to talking to each other, right? We we have jargon, we have nomenclature, we have a lot of conferences we go to and we talk to each other. And we forget that we are part of a larger organization. I like to think that my security department is a business within the larger business. But it has to be integral it has to be in a chord in alignment and and match what the the business side of the house is trying to achieve. And there’s a bunch of different ways. We do that, you know, and I teach people who come to work for me, this whole thing. And so I guess we could talk about that if you’d like.

Richard Lowe  34:15

Yeah. How do you, I mean, security people are going to be resistant to this because they’re not salespeople. I know that I, when I was in security, I would have been completely resistant to this and said no way. So how are you going to convince somebody who has that attitude, who wants to be an IT person and not a salesperson, to be a partial salesperson?

Sixto Bernal  34:37

Well, the overall theme is that it’s a positive feedback loop. It isn’t a negative. Right. So let’s go back to the notion of the security white paper. We all know what that is. You go through, you do a description of the system from a security perspective. You talk about the infrastructure, you’re talking about the measures you put in place to protect, access, control the infrastructure, code base, all those things, right, we put that all in a white paper, that’s two or three pages long, that’s usually targeted for consumption by other security people, wherever they might be, right. And so you write it in a certain tone. Well, okay, so now let’s stop for a minute. Let’s say that we adopt this, this security equals sales viewpoint. And we write it slightly differently, we maybe explain our terms a little bit more, we add a parenthesis where we use an acronym, we use language that might be easier to understand for the non-security person. And so in a sense, we’ve made that document easier to read by everybody. And in fact, you could, you know, picture a salesman sitting in front of a customer, when they say, Well, you know, have you got something to tell us, to show us about your security, and the guy hands it over, customer scans it quickly and goes, Oh, this is exactly what I want. That’s the goal. The goal is that during that interaction where the security person isn’t there, and in fact, security people aren’t even in the room, that it has a positive effect. Okay, so the positive feedback loop happens when the sales guy comes back to the security department and says, Hey, man, you know, that white paper you gave me, that was awesome, it really broke the ice with the customer, we were able to talk about other things. So now the security people see, oh, it really does work, it really does have a positive effect. It really does add to the conversation. 
Well, then, no, okay, now you’ve broken the dam a little bit, you know, you got a couple of trickles coming through. And so now you, you think about, well, what about our knowledge database, or the place where we keep our policy and procedure? What if we gave sales guys read access to that? Right? Don’t let him touch anything, but give them a good search engine. So now imagine, the salesperson is out on a customer site, and the customer says, so what kind of encryption do you use between these different stacks of your, your website, blah, blah, blah. Salesman goes, types it into the knowledge database that we’ve given them access to, that contains all of that information. And he has his answer in an instant, doesn’t have to call us back, doesn’t have to wait for the exchange of a questionnaire. He’s answered the question that, obviously, the customer was given by their security people, right? And so again, the guy comes back, and he says, Hey, thank you so much for giving me access to the knowledge database, because that was great. I was able to say, able to answer the customer’s question and a couple more, once he saw I had access to all this information. It was great. And so that adds to the positive feedback loop, which is appropriate, right? That’s what you want. You want, in a sense, to push security material, security information, security answers to questions as far upstream in the sales process as possible. So now you’re thinking, Well, wait a minute. Well, what if we did this? What if we did that? What if I want to know, what if I talked to legal, and we crafted an attachment that goes out with our contracts that says, here’s what we commit to security-wise, Mr. potential customer? You see, it changes your perspective, once you start thinking about yourself as part of the process, not necessarily a salesperson, but as a department, a group that has input that facilitates the sales cycle. Changes your whole perspective.

Richard Lowe  38:45

How does this relate to the end consumer on say, a retail store or something like that a retail online store? Does it filter down to them is better security? Do they see any of this and the end result?

Sixto Bernal  38:57

Well, they do. I don’t always know that the, the consumer does. Most of my experience has been B2B in the large enterprise, that kind of thing. And so I can tell you that I’ve worked with a lot of the big banks, in fact, most of them, and they’re pretty, they’re pretty tough customers to deal with. Some of them are quite insistent on us following their security protocols, etc. And the way it would filter down is that the customer would get assurances from the end customer, the end user would get assurances that they’re dealing with a company that takes security seriously, and has ensured that all of their vendors do too. So that company, whether it’s Charles Schwab or Wells Fargo or B of A, talking about the banks, right, they can talk to their customers and say, we, we vet all of our vendors, they pass a stringent evaluation, we talk to them in deep detail about how they implement security, and that’s who we do business with. And so you see, they don’t get direct knowledge, perhaps, or direct comfort around security of the company, of the vendor that’s giving assurances to their company that they’re doing business with. But it does flow downward.

Richard Lowe  40:22

Oh, I see. Good. That’s interesting. Now, let’s say you’re somebody who is interested in becoming a cybersecurity person, how can you prepare yourself for this kind of interaction with sales and other groups in the company?

Sixto Bernal  40:34

Well, you know, it is, as I said, it’s a mindset. It’s like any other lifestyle change or improvement you make in your, in your life, once you think that this might be beneficial to you, you start seeing opportunities. And so a lot of what we do to train security professionals, whether it’s the ISC squared, the CISSP certification, on and on, all these things, they’re very much focused on the nuts and bolts of security. And it’s sometimes hard to see how it fits into the bigger picture, meaning the rest of the company, the business that the company is in. And so it takes a bit of outreach, if you will, to go to lunch with a sales guy, or talk to somebody in marketing, understand how you might fit in, and you’ll find those places. You know, for so long security and a lot of other technical operations is considered so back room, right, it’s behind the wall, behind the firewall, quite frankly. And so reaching out like that, you’ll find opportunities. And as I have, really, that’s where it all begins, as you begin to develop a relationship outside of your security community. And you talk to legal, you talk to sales, you talk to marketing, those people are forthcoming. And quite frankly, they’re hungry for leverage points that they can use out there in the wide world that might differentiate us, the vendor, from others who don’t have this mindset and who don’t know, or aren’t even trying to integrate or make more available the security program in a consumable form. So it just sort of has a cascading, like I said, a positive feedback loop. Once you get started, it starts getting more fun as you go along.

Richard Lowe  42:25

I see, very interesting. Now, let’s go back to the beginning cybersecurity person or somebody who’s intermediate, and they’re looking for jobs, and the market’s got a lot of people looking for jobs now because of all the layoffs and things. And because it’s, it looks like a hot industry, and it probably is. Should they become more up to speed on sales and how it fits into things? Or should they ignore that when they’re going for their certs and things like that? Or does it give them an advantage in an interview?

Sixto Bernal  42:57

I think it does. It’s good for its own sake. Because in, in America, right, sales drives business. I mean, business is sales. It’s, it’s, it’s part of the work that any company does. No company exists in a vacuum. I think there’s very few fortunate companies that have people beating down their door, there’s always going to be some aspect of sales. And to the extent that, quote, the business, and sales are synonymous with each other, I think it’s, it’s a level of awareness that any person, dare I say, should have about how their company works. It’s more than just understanding that we make these widgets. Well, how do these widgets make their way into the marketplace? How do we sell them? Who do we talk to to try to sell these widgets to? I think that expanded perspective, in and of itself, is a good thing. Even if you never use this as, as directly as perhaps I have and others, I think it’s always a good thing to understand better how business is done.

Richard Lowe  44:10

Good, good. So somebody’s looking around for a position somewhere. And one of the hard things is, is they do their resume, they send it in and it goes through the resume blizzard, yeah, and gets lost. Now, how does a person who has the sales background that you mentioned, or sales knowledge, combined with security knowledge get to somebody like you, as a CISO?

Sixto Bernal  44:36

Well, like I tell everybody, you know, your, your resume should reflect who you are. I mean, yeah, it’s an inventory in many ways of what you’ve done, but it should also portray who you are. And so let’s say your resume version, you know, version n minus one, and you’re, you’re busy writing a new resume, because you know, the world is a different place, where before your resume was, I worked here, and here’s what I did. I worked here, and here’s what I did. Well, if in your last company, you were in on some sales deals, the work that you did was a contributing factor to landing a customer, put that in your next version, weave that in to, into what your inventory of experiences is, so that the reader, a manager, or somebody else filtering will look at that and say, Oh, well, you know, this guy’s got an outward-facing face. He’s not just a backroom kind of person. So, again, it’s reflecting the reality of, of you at that point. And I think it’s always important because it, it, it shows, it demonstrates that you are more than just a security person, you’ve got a broader perspective, and it never hurts to be able to say you helped close the deal.

Richard Lowe  45:57

Well, that’s true. That’s true. But I trusted the question was, Okay, so number one, the resume needs to reflect that you have some knowledge of sales, and that you’ve delivered to the business as opposed to the security department. Those are two essentials. But getting in that resume queue, there could be 1000 resumes there waiting for you to look at. How do they get around that? Would that be having a pretty spiffy LinkedIn profile? Would that be knowing people, networking? Do they hang out at the library? I mean, what do they do to get to somebody like you, rather than go through that front queue and probably get discarded by the automatic software because the resume is not formatted right, it’s missing a period somewhere?

Sixto Bernal  46:38

Yeah, you know, it’s, it’s a combination of all of that. I think that in our connected world anymore, your online presence has to be, again, a reflection of who you are. And if you neglect any pieces of that, then you’re, you’re not playing all the percentages, right. Having a good LinkedIn profile that’s very reflective of who you are, that’s important. Having a resume that’s very reflective of who you are, but also is in concert with your LinkedIn profile, also very important. Networking cannot be neglected, either. Are you a part of professional organizations, ISACA, ISC squared, ISSA, you know, all these places where you go to turn over rocks to find security people, because security people go there to talk. For instance, I’m going to a dinner tonight myself, where I will be rubbing elbows with other security professionals, and it’s a place to network, to let your opinions be known. So that when somebody has something pop into their head or an opportunity, and it’s in your wheelhouse, they go, oh, yeah, that guy, let’s give, let’s get that guy on the phone, or that person themselves will, will fire up LinkedIn and go, What was that guy’s name? Oh, Richard. Oh, yeah, there he is. Click. And so you see, it’s a percentage game. You need to be out there. You can’t neglect any aspect of your outward-facing personality. So yes, networking. Yes, a good resume posted on all the right places, right? LinkedIn is a great site to leverage not only with your profile, but you can write articles and post them, you can read up, read what other people are posting. And I don’t know, comment down. And I guess all of it is about putting you in someone else’s mind or triggering them to think of you when they’ve got something that they need done.

Richard Lowe  48:37

So it sounds like a good strategy on LinkedIn would be, A, perhaps get your LinkedIn profile done professionally by somebody who knows how to do that. And B, write articles that, instead of just saying, here’s how you configure a router, here’s how a router contributes to the business? Yeah, absolutely. It’s a simple, simple thing. Yeah, yeah.

Sixto Bernal  48:57

It’s more than security, people will read these kinds of things, right. And, and, and again, it’s targeting, you’re not targeting a specific audience, you’re, you’re shooting for a broader audience. So if you write articles or whatever postings, wherever they are LinkedIn or otherwise, if they’re focused only on people just like you, well, then you’ll only be interacting with people just like you. But if you alter your language a little bit and and broaden your scope, you might run into other people who would appreciate knowing how a router fits into the business or the selection of a firewall or approved other perimeter defenses, how that has an impact to the to the business overall. Now you’re talking about it in a broader context. It’s like anything else. If you’re a painter, and all you can do is talk about brushstrokes, you’re not going to be that exciting at a party. But if you go to that same party, and you talk about the travel that you took to get to that field, the one where Van Gogh painted the daisies, and you’re Have you had a wonderful dinner. So you see, you’re weaving a story instead of just throwing facts on the table. It’s, it’s and how you present it,

Richard Lowe  50:08

and who you present it to, because you have to remember, when you’re looking for a job, that the people who are going to hire you are not the same people as you, they’re actually several levels above you in the organization, and they’re interested in the business.

Sixto Bernal  50:22

Or they’re looking very often, business people, management, executives, they look to people like us to solve their problem for them. They’ve got a problem with security, they don’t exactly know what it is, you know, but security has been in the newspaper and their customers are banging them on the phone, and the salespeople are coming back and saying that there’s all this stuff. So you’ve got this business problem called security, but you don’t exactly know what security is, you need to hire a security guy to come and fix that problem for you, so you can go back to doing business. So that’s where the connection is. If you’re just a security guy, this business person is never going to find you. But if you play in the same playgrounds, go to the same cocktail parties, or rub elbows with those business people, two things will happen. They will ask you questions about it. And you will learn what kind of questions business people have, management has. So you’ll be able to better communicate what it is and how security helps the business function better. And, you know, you know, we can, we in security, sometimes we get arrogant about the non-security people or the non-technical people. Their viewpoint is just as valid. And in fact, sometimes more so, because usually they’re decision makers. And so the more that we can help bridge the gap, communicate better why security is good for the business, just bottom line, well, then, that, that one interaction might bear fruit, but it’s already borne fruit because you’ve been in it. And you’ve learned what the business thinks and how they think because you had that conversation.

Richard Lowe  52:00

Well, not only that, let’s say you’re specializing in pen testing, I’ve been seeing a lot of articles on that. There’s a bazillion pen testers out there. But if you know about the business, you’ve differentiated yourself from the bazillion pen testers that are out there.

Sixto Bernal  52:13

Exactly. And those decision makers, be it managers or executives, if they find you easy to talk to, well, after all, isn’t business nothing more than personal relationships writ large? I mean, you have a relationship with your vendor, but it’s really with Alex, the representative of the vendor, who makes you feel good about that relationship, and always answers your question and picks up the phone when you have some information or a problem or whatever. It is relationships. And that’s what you’re building, you’re building a series of relationships, and you’re making yourself open to new relationships by being somebody who’s reasonable to talk to.

Richard Lowe  52:54

So it sounds to me like a good strategy for somebody who wants to find a new job or get into the business would be to take some maybe go on Udemy, or one of the other places that have courses and take some sales courses and business courses, even just a couple of simple ones. So at least know the terminology.

Sixto Bernal  53:09

Didn’t know yes. Because now you’re now you’re in the conversation, it isn’t a foreign thing to you. Right it? You know, you know, I see security people over time, they sit in the back of a room with their arms crossed and waiting for sales guys to finish their spiel, instead of sitting forward and sit and thinking, what what is the message here, or B of marketing or whatever? So it’s it’s incumbent, I think, you know, the reverse is also true. A few years ago, the organization that advises boards of directors came up with some advice for boards of directors across the United States, that boards board members shouldn’t become as conversant in security topics, as they are in financial topics. Why? Because security has become such an important thing, that it really needed to happen. And it has slowly to be sure. But I’ve watched it over the last three, four years where the people I talk to now get a better understanding. And of course, the news helps a lot breaches here and there. And a week doesn’t go by that we don’t hear something about data privacy, and some new company be you know, getting hacked and 1000s or millions of records. So it’s more in the, the average person’s mind and and we’re all average in some respect that we all go home and watch the six o’clock news or whatever. And so that that bubbling up of security topics into common thought occurred to all of us and so I think we need to meet that challenge by speaking in a way that’s more easily understood by anybody.

Richard Lowe  54:49

And it sounds like another strategy would be to find somebody, say, at a, at a business level of any business and set up a, you know, a Zoom call or a coffee meeting or something, and talk to them and then pick their minds, not about security, but about the business, about business and sales in general, maybe their business, without being like begging for a job, but just talking to them.

Sixto Bernal  55:11

That’s exactly right. Because you’re looking to make that connection and you’re getting an education, right, you’re, that is the value of that kind of conversation, because you’re growing it professionally by virtue of that. Anything that you can do to educate yourself about what it is you or your company does is always a positive.

Richard Lowe  55:33

Well, Sixto, it’s been great having you on board. Why don’t you just spend a few minutes and talk about your background and why people should be listening to you on this podcast?

Sixto Bernal  55:43

Well, you know, I came out of retirement in 2005, or so, on this side of the fence. I’d spent 23 years in IT and operations, working for all the big companies there are in the valley, Sun and Oracle, and oh, a bunch of others. And, and then when I, I came back to work in 2005, it was on the compliance and audit side, and I learned a whole nother language. I was able to leverage all of my experience because I was talking to people like me, and I never looked back, right, I jumped into this side of the house with both feet. I’ve got just about every security and privacy certification that you can name, but it was all in the, in the service of me becoming a security professional. I’ve always been a lifelong learner, so that aspect of it was easy for me. And I worked for a succession of internet companies, SaaS companies, and so I’ve been cloud native ever since 2005. And so that is my bailiwick. And, of course, sales drives the SaaS businesses. And, and so ever since then, that’s what I do. And I still do that. I’ve been able to operate in this way across large enterprises and, and absolutely raw, three-person, fresh startups. I keep learning more and more about what it is to do, not only my specific security work, but also how to integrate it in new and different ways into the business. The outreach that I’ve done with marketing, and sales, and HR, and legal, especially legal, has really benefited me. And so I bring, I bring all of that to the table, not only to be a better employee, candidate, whatever, but I also teach this to the people who come work for me. So I feel like I do a lot of evangelizing, a lot of mentoring on this topic. And I believe it’s done, those people who’ve listened and take, you know, taken up that, those lessons, I think it’s done a good thing for them, it’s been a positive. So that’s kind of who I am, I’m, you know, I’m a professional security guy. I’m at a leadership level now. 
And I’m able to craft security and privacy programs more in accordance with this kind of thinking that we’ve been talking about for the last few minutes. And so I’ve gained a little bit of a reputation. That’s what I do. I’m not just a security guy, I am the guy that understands where it fits into the overall picture.

Richard Lowe  58:14

Very cool. And I think a takeaway that I’d like to leave people with is that this has to be an ongoing process, you can’t just, you shouldn’t just pick up networking when you’re about to be laid off, or after you’re laid off, because then you’re coming from behind. You should be doing it all the time. Just set up meetings with people, talk to them, especially people above you in the organization or other organizations, learn from them. Learn about security, of course, learn about the other parts of the business, learn about AI, you know, learn about all these, how these things all hook together. And then you’re gonna find that these people will become your advocates and your mentors, in a way. They may be minor, maybe major, depending. But if they see that you have a business savvy and you’re interested in helping the company through sales, by helping the company sell using security, they’re going to be behind you all the way.

Sixto Bernal  59:05

Oh, absolutely. It has been such a facilitator, besides the fact that it’s helped me expand my experience. I have to say that it’s made my, my work in security so much easier when you have allies, you know, when it comes to the budget time or projects are being integrated into the business, it, it, you become part of the business instead of this outlier that everybody wonders what you guys do with all that money we give you, you just buying firewalls and equipment. No, when you’re, when you’re integrated into the whole thing, you are less of a mystery and more of a partner.

Richard Lowe  59:39

Yeah, you become more than just Joe or Sally the security person, you become a person, a real person to them and that makes it more likely that you’re going to be a valuable part of their team and less likely to be the person the first person laid off.

Sixto Bernal  59:58

Yeah, that’s a, you know, that’s sort of a gamble. And it always is. But if you’re considered part of, you know, the money-making end of the business, well, yeah, it’s, it’s,

Richard Lowe  1:00:09

that was my point. Now none of this is guaranteed Of course. Well, thank you Sixto. It’s been awesome having you on board. Good information. I think it’ll be very helpful to people.

Sixto Bernal  1:00:20

Excellent. Well, I was very happy to be here. Hope to see you again soon.

Richard Lowe  1:00:24

You will. Thank you. This is Richard Lowe with the technology influencers podcast. Welcome. I’m here with six Dober now. And he’s going to talk about security and sales and the relationship between the two Sixto take it away.

Sixto Bernal  1:00:40

Hi, Richard, thanks for having me. Um, you know, it’s, it’s an obvious thing when you think about it, but at the same time, it isn’t that common that salespeople focus on excuse me, security, people focus on sales, we get dragged into the sales cycle, it’s usually late, you know, the salesperson has already made a lot of contacts, he’s had a lot that he or she has made, had a lot of meetings with the potential client, or customer. And then they bring us in at the last minute, because info sack at the at the customer site, or privacy at the customer site has questions for this brand new vendor, or they send us a send over if you will, vendor questionnaire, and that security has a section that we need to fill out. So we get dragged into the process that way and dragged into the processes or right way to think about what usually happens. highly inefficient. It makes everybody grumpy, because getting dragged into a process. That’s not what you do for a living, what you do every day, then disrupts your schedule. So security people privacy people, they get a little annoyed with sales, maybe a lot of noise, because their day is disrupted, their normal workflow is disrupted. Now I have to go deal with this question here from a customer or god forbid, get on the phone with a customer. So you can see it’s not a very healthy relationship. When everybody I think in the company should be focused on winning more sales, in advancing the company helping the top line, etc. And so I learned this some years ago, when I first joined SuccessFactors Oh, my God, back in 2008, or something. I worked for CIO, Randy Womack, and this was his mantra, everybody’s in sales, everything you do, must contribute to the bottom line. It you have to be, you have to think that way. And it took me a while to come to terms with that thinking, because I’d always stayed away from sales, you know, my previous career in IT and operations. God, I spent over 20 years avoiding sales at all costs, right. 
And here, I was confronted with this new thing, and I needed to adapt, I needed to learn it. And since then, I fully integrated into it, it’s become my become my mantra. And it really does permeate everything that I build in the sale, excuse me, in the security or the privacy realm. It’s now what I do. Whether, let’s say we’re gonna write a security white paper. Well, we’re not just thinking about writing it for other security professionals, we’re thinking about it now. And placing that security white paper in the hands of salespeople, and giving it to them as a tool that they can use to interest a potential customer. So you see, the tone changes slightly. The the how we, how we communicate, pretty much everything changes when you integrate this other audience. Because after all, security, privacy people we get used to talking to each other, right? We we have jargon, we have nomenclature, we have a lot of conferences we go to and we talk to each other. And we forget that we are part of a larger organization. I like to think that my security department is a business within the larger business. But it has to be integral it has to be in a chord in alignment and and match what the the business side of the house is trying to achieve. And there’s a bunch of different ways. We do that, you know, and I teach people who come to work for me, this whole thing. And so I guess we could talk about that if you’d like.

Richard Lowe  1:04:24

Yeah, how do you I mean, security, people are going to be resistance to this because they’re not salespeople. I know that I when I was in security, I would have been completely resistant to this out and said no way. So how are you going to convince somebody who has that attitude? Who wants to be an IT person and not a salesperson to be a part partial salesperson?

Sixto Bernal  1:04:47

Well, the overall scene is that is a positive feedback loop. It isn’t a negative. Right. So let’s go back to the notion of the security white paper we all know That is you go through, you do a description of the system from a security perspective. You talk about the the infrastructure, you’re talking about the measures you put into place to protect, access, control the infrastructure, code base, all those things, right? We put that all in a white paper, that’s two or three pages long, that usually targeted for consumption by other security people, wherever they might be, right. And so you write it in a certain tone. Well, okay, so now let’s stop for a minute. Let’s say that we adopt this, this security equals sales viewpoint. And we write it slightly differently, we maybe explain our terms a little bit more, we add a parenthese, where we use an acronym, we use language that might be easier to understand for the non-security person. And so in a sense, we’ve made that document, easier to read by everybody. And in fact, you could, you know, picture a salesman sitting in front of a customer, when they say, Well, you know, have you got something to tell us to show us about your security, and the guy hands it over, customer scans it quickly and goes, Oh, this is exactly what I want. That’s the goal. The goal is that during that interaction where the security person isn’t there, and in fact, security per people aren’t even in the room, that it has a positive effect. Okay, so the positive feedback loop happens when the sales guy comes back to the Security Department says, Hey, man, you know, that white paper you gave me, that was awesome, it really broke the ice with the customer, we were able to talk to about other things. So now the security people see, oh, it really does work, it really does have a positive effect. It really does add to the conversation. 
Well, then, no, okay, now you’ve broken the dam a little bit, you know, you’ve got a couple of trickles coming through. And so now you you think about well, what about our knowledge database, or the place where we keep our policy and procedure? That what if we gave sales guys read access to that? Right? Don’t let him touch anything, but give them a good search engine. So now imagine, salesperson is out on a customer site? And the customer says, so what kind of encryption do you use between these different stacks of your, your website, blah, blah, blah, salesman goes, types it in into the knowledge database that we’ve given them access to, to contains all of that information? And he has his answer in an instant, doesn’t have to call us back doesn’t have to wait for the exchange of a questionnaire. He’s answered the question that, obviously the customer was given by their security people, right? And so again, the guy comes back, and he says, Hey, that thank you so much for giving me access to the knowledge database, because that was great. I was able to, I was able to answer the customer’s question that a couple more, once he saw I had access to all this information. It was great. And so that adds to the positive feedback loop, which is appropriate, right? That’s what you want. You want in a sense, to push security, material security information, security answers to questions as far upstream in the sales process as possible. So now you’re thinking, Well, wait a minute. Well, what if we did this? What if we did that? What if I want to know what if I talked to legal, and we crafted an attachment that goes out with our contracts? It says, Here’s what we commit to security wise, Mister potential customer. You see, it changes your perspective, once you start thinking about yourself as part of the process, not necessarily a salesperson. But as a department, a group that has input that facilitates the sales cycle changes your whole perspective?

Richard Lowe  1:08:56

How does this relate to the end consumer on say, a retail store or something like that a retail online store? Does it filter down to them as better security? Do they see any of this and the end result?

Sixto Bernal  1:09:07

Well, they do. I don’t always know that the consumer does. Most of my experience has been B2B in a large enterprise, that kind of thing. And so I can tell you that I’ve worked with a lot of the big banks, in fact, most of them, and they’re pretty, they’re pretty tough customers to deal with. Some of them are quite insistent on us following their security protocols, etc. And the way it would filter down is that the customer would get assurances from the end customer, the end user would get assurances that they’re dealing with a company that takes security seriously, and has ensured that all of their vendors do too. So that company, whether it’s Charles Schwab or Wells Fargo would be a talking about the banks, right. They can talk to their customers and say, we vet all of our vendors, they pass a stringent evaluation, we talk to them in deep detail about how they implement security. And that’s who we do business with. And so you see, they don’t get direct knowledge, perhaps, or direct comfort around security of the company of the vendor that’s giving assurances to their company that they’re doing business with. But it does flow downward.

Richard Lowe  1:10:32

Oh, I see. Good. That’s interesting. Now, let’s say you’re somebody who is interested in becoming a cybersecurity person, how can you prepare yourself for this kind of interaction with sales and other groups in the company?

Sixto Bernal  1:10:44

Well, you know, it is, as I said, it’s a mindset. It’s like any other lifestyle change or improvement you make in your life, once you think that this might be beneficial to you, you start seeing opportunities. And so a lot of what we do to train security professionals, whether it’s the ISC squared, the CISSP certification, on and on, all these things, they’re very much focused on the nuts and bolts of security. And it’s sometimes hard to see how it fits into the bigger picture, meaning the rest of the company, the business that the company is in. And so it takes a bit of outreach, if you will, to go to lunch with a sales guy, or talk to somebody in marketing, understand how you might fit in, and you’ll find those places. You know, for so long security, and a lot of other technical operations, is considered so back room, right? It’s behind the wall, behind the firewall, quite frankly. And so reaching out like that, you’ll find opportunities. And as I have, really, that’s where it all begins, as you begin to develop a relationship outside of your security community. And you talk to legal, you talk to sales, you talk to marketing, those people are forthcoming. And quite frankly, they’re hungry for leverage points that they can use out there in the wide world that might differentiate us, the vendor, from others who don’t have this mindset, who don’t know, or aren’t even trying to integrate, or make more available the security program in a consumable form. So it just sort of has a cascading, like I said, a positive feedback loop. Once you get started, it starts getting more fun as you go along.

Richard Lowe  1:12:36

I see, very interesting. Now, let’s go back to the beginning cybersecurity person or somebody who’s intermediate, and they’re looking for jobs and the market’s got a lot of people looking for jobs now because of all the layoffs and things. And because it looks like a hot industry, and it probably is. Should they become more up to speed on sales and how it fits into things? Or should they ignore that when they’re going for their certs and things like that? Or does it give them an advantage in an interview?

Sixto Bernal  1:13:08

I think it does. It’s good for its own sake. Because in America, right, sales drives business. I mean, business is sales. It’s part of the work that any company does. No company exists in a vacuum. I think there’s very few fortunate companies that have people beating down their door, there’s always going to be some aspect of sales. And to the extent that, quote, the business and sales are synonymous with each other, I think it’s a level of awareness that any person Darren said should have about how their company works. It’s more than just understanding that we make these widgets, or how do these widgets make their way into the marketplace? How do we sell them? Who do we talk to, to try to sell these widgets to? I think that expanded perspective, in and of itself, is a good thing. Even if you never use this as directly as perhaps I have and others. I think it’s always a good thing to understand better how business is done.

Richard Lowe  1:14:20

Good, good. So somebody’s looking around for a position somewhere. And one of the hard things is they do their resume, they send it in and it goes through the resume blizzard, yeah, and gets lost. Now, how does a person who has the sales background that you mentioned or sales knowledge, combined with security knowledge, get to somebody like you, say, a CISO?

Sixto Bernal  1:14:46

Well, like I tell everybody, you know, your resume should reflect who you are. I mean, yeah, it’s an inventory in many ways of what you’ve done, but it should also portray who you are. And so, let’s say your resume version, version, n minus one. And you’re, you’re busy writing a new resume, because you know, the world is a different place, where before your resume was I worked here, and here’s what I did, I worked here, and here’s what I did. Well, if in your last company, you were in on some sales deals, the work that you did was a contributing factor to landing a customer, put that in your next version, weave that into what your inventory of experiences is, so that the reader, a manager, or somebody else filtering will look at that and say, Oh, well, you know, this guy’s got an outward facing face. He’s not just a backroom kind of person. So again, it’s reflecting the reality of you at that point. And I think it’s always important because it shows, it demonstrates that you are more than just a security person, you’ve got a broader perspective, and it never hurts to be able to say you helped close the deal.

Richard Lowe  1:16:08

Well, that’s true. That’s true. But the thrust of the question was, Okay, so number one, the resume needs to reflect that you have some knowledge of sales, and that you’ve delivered to the business as opposed to the security department. Those are two essentials. But getting in that resume queue, there could be 1000 resumes there waiting for you to look at. How do they get around that? Would that be having a pretty spiffy LinkedIn profile? Would that be knowing people, networking? Do they hang out at the library? I mean, what do they do to get to somebody like you, rather than go through that front queue and probably get discarded by the automatic software because the resume is not formatted right, it’s missing a period somewhere?

Sixto Bernal  1:16:49

Yeah, you know, it’s, it’s a combination of all of that. I think that in our connected world anymore, your online presence has to be, again, a reflection of who you are. And if you neglect any pieces of that, then you’re not playing all in percentages, right? Having a good LinkedIn profile that’s very reflective of who you are, that’s important. Having a resume that’s very reflective of who you are, but also is in concert with your LinkedIn profile, also very important. Networking cannot be neglected, either. Are you a part of professional organizations, ISACA, ISC squared, ISSA, you know, all these places where you go to turn over rocks to find security people, because security people go there to talk. For instance, I’m going to a dinner tonight myself, where I will be rubbing elbows with other security professionals, and it’s a place to network, to let your opinions be known. So that when somebody has something pop into their head or an opportunity, and it’s in your wheelhouse, to go, Oh, yeah, that guy, let’s get that guy on the phone, or that person themselves will fire up LinkedIn and go, What was that guy’s name? Oh, Richard. Oh, yeah, there he is. Click. And so you see, it’s a percentage game. You need to be out there. You can’t neglect any aspect of your upward facing personality. So yes, networking. Yes, a good resume posted on all the right places, right? LinkedIn is a great site to leverage, not only with your profile, but you can write articles and post them, you can read up, read what other people are posting. And I don’t know, comment down. And I guess all of it is about putting you in someone else’s mind or triggering them to think of you when they’ve got something that they need done.

Richard Lowe  1:18:47

So it sounds like a good strategy on LinkedIn would be A, perhaps get your LinkedIn profile done professionally by somebody who knows how to do that, and B, write articles that instead of just saying, here’s how you configure a router, here’s how a router contributes to the business. Yeah, absolutely. It’s a simple, simple thing. Yeah,

Sixto Bernal  1:19:07

yeah. It’s more than security people will read these kinds of things, right. And, and again, it’s targeting, you’re not targeting a specific audience, you’re, you’re shooting for a broader audience. So if you write articles or whatever postings, wherever they are, LinkedIn or otherwise, if they’re focused only on people just like you, well, then you’ll only be interacting with people just like you. But if you alter your language a little bit and broaden your scope, you might run into other people who would appreciate knowing how a router fits into the business or the selection of a firewall or approve other perimeter defenses, how that has an impact to the business overall. Now you’re talking about it in a broader context. It’s like anything else. If you’re a painter and all you can do is talk about brushstrokes, you’re not going to be that exciting at a party, but if you go to that same party and you talk about the travel that you took to get to that field, the one where Van Gogh painted the daisies and you know, you had a wonderful dinner. So you see, you’re weaving a story, instead of just throwing facts on the table. It’s

Richard Lowe  1:20:17

it’s an, how you present it, and who you present it to, because you have to remember, when you’re looking for a job, that the people who are going to hire you are not the same people as you, they’re actually several levels above you in the organization, and they’re interested in the business.

Sixto Bernal  1:20:32

Or they’re looking very often, business people, management executives, they look to people like us to solve their problem for them. They’ve got a problem with security. They don’t exactly know what it is, you know, but security has been in the newspaper and their customers are banging them on the phone, and the salespeople are coming back and saying that there’s all this stuff. So you’ve got this business problem called security, but you don’t exactly know what security is, you need to hire a security guy to come and fix that problem for you. So you can go back to doing business. So that’s where the connection is. If you’re just a security guy, this business person is never going to find you. But if you play in the same playgrounds, go to the same cocktail parties, or rub elbows with those business people, two things will happen. They will ask you questions about it. And you will learn what kind of questions business people have, management has. So you’ll be able to better communicate what it is and how security helps the business function better. And, you know, yeah, we in security, sometimes we get arrogant about the non-security people and the non-technical people. Their viewpoint is just as valid. And in fact, sometimes more so. Because usually they’re decision makers. And so the more that we can help bridge the gap, communicate better why security is good for the business, just bottom line, well, then, that one interaction might bear fruit, but it’s already borne fruit because you’ve been in it. And you’ve learned what the business thinks and how they think because you had that conversation.

Richard Lowe  1:22:10

Well, not only that, let’s say you’re specializing in pen testing, I’ve been seeing a lot of articles on that. There’s a bazillion pen testers out there. But if you know about the business, you’ve differentiated yourself from the bazillion pen testers that are out there.

Sixto Bernal  1:22:23

Exactly. And those decision makers, be it managers or executives, if they find you easy to talk to? Well, after all, isn’t business nothing more than personal relationships writ large? I mean, you have a relationship with your vendor, but it’s really with Alex, the representative of the vendor who makes you feel good about that relationship, and always answers your question and picks up the phone when you have some information or a problem or whatever. It is relationships. And that’s what you’re building, you’re building a series of relationships, and you’re making yourself open to new relationships by being somebody who’s reasonable to talk to.

Richard Lowe  1:23:04

So it sounds to me like a good strategy for somebody who wants to find a new job or get into the business would be to take some maybe go on Udemy or one of the other places that have courses and take some sales courses and business courses, even just a couple of simple ones. So at least know the terminology.

Sixto Bernal  1:23:19

To know. Yes, because now you’re in the conversation, it isn’t a foreign thing to you. Right? You know, I see security people all the time sit in the back of the room with their arms crossed and waiting for sales guys to finish their spiel, instead of sitting forward and thinking, what is the message here, or be it marketing or whatever? So it’s incumbent, I think, you know, the reverse is also true. A few years ago, the organization that advises boards of directors came out with some advice for boards of directors across the United States, that board members shouldn’t become as conversant in security topics as they are in financial topics. Why? Because security has become such an important thing, that it really needed to happen. And it has, slowly to be sure. But I’ve watched it over the last three, four years where the people I talk to now get a better understanding. And of course, the news helps a lot, breaches here and there. And a week doesn’t go by that we don’t hear something about data privacy, and some new company, you know, getting hacked and thousands or millions of records. So it’s more in the average person’s mind, and we’re all average in some respect, that we all go home and watch the six o’clock news or whatever. And so that bubbling up of security topics into common thought occurred to all of us, and so I think we need to meet that challenge by speaking in a way that’s more easily understood by anybody.

Richard Lowe  1:24:59

And it sounds like another strategy would be to find somebody, say, at a business level of any business, and set up a, you know, a Zoom call or a coffee meeting or something, and talk to them and then pick their minds not about security, but about the business, about business and sales in general, maybe their business, without being like begging for a job. It’s just talking to them.

Sixto Bernal  1:25:21

That’s exactly right. Because you’re looking to make that connection, and you’re getting an education, right, that is the value of that kind of conversation, because you’re growing professionally by virtue of that. Anything that you can do to educate yourself about what it is you or your company does is always a positive.

Richard Lowe  1:25:43

Well, Sixto, it’s been great having you on board, why don’t you spend a few minutes and talk about your background and why people should be listening to you on this podcast?

Sixto Bernal  1:25:52

Well, you know, I came out of retirement in 2005, or so. On this side of the fence, I’d spent 23 years in IT and operations, working for all the big companies there are in the valley, Sun and Oracle, and oh, a bunch of others. And then when I came back to work in 2005, it was on the compliance and audit side, and I learned a whole nother language. I was able to leverage all of my experience, because I was talking to people like me, and I never looked back, right, I jumped into this side of the house with both feet. I’ve got just about every security and privacy certification that you can name, but it was all in the service of me becoming a security professional. I’ve always been a lifelong learner. So that aspect of it was easy for me. And I worked for a succession of internet companies, SaaS companies, and so I’ve been cloud native ever since 2005. And so that is my bailiwick. And, of course, sales drives the SaaS business. And so ever since then, that’s what I do. And I still do that. I’ve been able to operate in this way across large enterprises, and absolutely raw three-person fresh startups. I keep learning more and more about what it is to do, not only my specific security work, but also how to integrate it in new and different ways into the business. The outreach that I’ve done with marketing, and sales, and HR, and legal, especially legal, has really benefited me. And so I bring all of that to the table, not only to be a better employee, candidate, whatever. But I also teach this to the people who come work for me. So I feel like I do a lot of evangelizing, a lot of mentoring on this topic. And I believe, those people who’ve listened and, you know, taken up those lessons, I think it’s done a good thing for them, it’s been a positive. So that’s kind of who I am, I’m, you know, I’m a professional security guy. I’m at a leadership level now. And I’m able to craft security and privacy programs more in accordance with this kind of thinking that we’ve been talking about for the last few minutes. And so I’ve gained a little bit of a reputation. That’s what I do. I’m not just a security guy, I’m the guy that understands where it fits into the overall picture.

Richard Lowe  1:28:25

Very cool. And I think a takeaway that I’d like to leave people with is that this has to be an ongoing process. You can’t just, you shouldn’t just pick up networking when you’re about to be laid off, or if you’re laid off, because then you’re coming from behind. You shouldn’t be doing it all the time. Just set up meetings with people, talk to them, especially people above you in the organization or other organizations, learn from them. Learn about security, of course, learn about the other parts of the business, learn about AI, you know, learn about all these, how these things all hook together. And then you’re going to find that these people will become your advocates and your mentors, in a way maybe minor, maybe major, depending. But if they see that you have a business savvy and you’re interested in helping the company through sales, by helping the company sell using security, they’re going to be behind you all the way.

Sixto Bernal  1:29:15

Oh, absolutely. It has been such a facilitator, besides the fact that it’s helped me expand my experience. I have to say that it’s made my work in security so much easier when you have allies, you know, when it comes to the budget time or projects are being integrated into the business, you become part of the business instead of this outlier that everybody wonders what you guys do with all that money we give you and you’re just buying firewalls and equipment. No, when you’re integrated into the whole thing, you are less of a mystery and more of a partner.

Richard Lowe  1:29:49

Yeah, you become more than just Joe or Sally the security person, you become a person, a real person, to them, and that makes it more likely you’re gonna be a valuable part of their team, and less likely to be the person, the first person, laid off.

Sixto Bernal  1:30:08

Yeah, that’s a, you know, that’s sort of a gamble. And it always is. But if you’re considered part of, you know, the money making end of the business. Well, yeah, it’s, it’s,

Richard Lowe  1:30:20

that was my point. Now, none of this is guaranteed, of course. Well, thank you Sixto. It’s been awesome having you on board. Good information. I think it’d be very helpful to people.

Sixto Bernal  1:30:31

Excellent. Well, I was very happy to be here. Hope to see you again soon.

Richard Lowe  1:30:35

You will. Thank you

Richard Lowe