It’s not always big problems that hurt your business. With today’s complex I.T. systems, there can be small, unseen vulnerabilities just waiting to be exploited, and other dangers that could trip you up or shut you down. Automation and security expert James Schmidt joins us to talk about what you can do today to protect your business from trouble—and how that will ultimately help you get ahead.
Speaker 1:
Welcome to the JMARK Business Innovation Technology Experience.
Todd:
Welcome world to another episode where we’re going to talk about some fun and exciting things. Today we have James Schmidt here from JMARK. James runs the … What do you call yourself? The automation and proactive team?
James Schmidt:
Proactive and health team.
Todd:
Proactive and health team. That sounds way better, but they do lots of automation too. James is here because he’s been involved in a massive number of audits and assessments for many different types of organizations and their networks. What we’ve kind of found over the years … I mean, we’ve found some really surprising things when we’ve gone into companies and looked at their networks. It’s really interesting to find some of these things. We want to make sure today that people listening, you know, this isn’t about scaring you and making you worry about crazy things that can happen in your network because we have that every day. Everybody reads the news, the security alerts that go out all the time, there’s breaches all the time, but hopefully our discussion today will kind of enlighten everyone’s mind to some of the things that can be going on in a business that business owners or leaders may not even know about or could be happening just because people are too busy and not looking. Why don’t we get started with this and start off with James, what are a few of the top things you’ve seen in network audits that kind of were surprising to I guess both us and the businesses?
James Schmidt:
Yeah, there’s a lot. Even I want to hit on technology moves so fast. Every day you’re having to understand a new best practice for that specific tool, new configuration, and so a lot of what we see in these assessments is team members in these companies not being able to keep up with these best practices and configurations. I think one of the biggest pieces that I always look at is patch management. Most clients always think that’s such an easy piece and when you’re dealing with such complexity it’s easy to be overwhelmed when you don’t have proper systems in place and proper processes in place within that organization. We could spend a whole time just talking about patch management for Microsoft alone, let alone third party patching for other line of business apps. That’s probably the one biggest thing that I always look at is patch management. What is your Microsoft patch management program doing? How good is it? Because I can pretty much hit on that every time and it’s going to be huge to go ahead and revamp.
Todd:
Well, let’s talk about that for a minute then. It’s so true when we’ve done these audits that it’s not a few patches that we’ve seen out of date. It’s generally thousands of patches and when you think about it across an organization you have different devices, potentially different operating systems. It is like you said, it’s extremely complex to manage patch management. But the number of patches, while it does open you up to more problems, it only takes how many? One to kind of screw you.
James Schmidt:
Yeah, just one. You look at people spend millions of dollars on security and what are the hackers look for? If you actually looked at some of the pieces that have been released over the last couple years is they’re not looking for some complex piece to get in your network. It’s I need one vulnerability within that to get into your system and to wreak havoc. What does it mean to make sure that patch management system is up to date every time a security patch is released? That’s a lot of work when you’re dealing with let’s say, 100 to maybe 1,000 end points with different connections. Look at what we’re doing right now. I’m working remote due to everything that’s going on in the world right now with COVID. I have a different connection. It’s funny, we were talking earlier in another meeting, I’m tethered. Great technology, but if patches are trying to be pushed to my machine is my tethered line going to accept those patches? That’s just one end point out of 1,000 potentially in an enterprise environment that how susceptible are we in our different environments. That’s huge around that.
Todd:
It also gets even more complicated because the different patch management systems out there whether it’s just Microsoft or whether you’re using third party patch management systems, they often give you different results that can leave you with a false sense of security. One auditing system might show it’s up to date. Another system might show you’re behind by many patches. Then on top of that is you have the internal debates about what patches are important and when they should roll out. Some people say you shouldn’t roll out patches right away. Some people say you should. I can see a business owner and an IT person going, “Why are we behind? Well, we aren’t behind. We’re totally fine. This report says we’re 3,000 patches behind,” and, “Well, no, that’s right because we haven’t gone there yet.” What’s the balance?
James Schmidt:
Wow. There’s one word I have in that is expectations. You’ll talk to certain business owners that are sometimes more involved in the IT and their expectation is everything is patched. Said, “Perfect. I can patch everything perfectly. Give me a team of 25 and I’ll make sure every machine is patched the moment that that comes out.” Now we talk about realistic in our business and how this affects the profitability in our organization as an external client of how much can you do, what’s realistic, as things are released what is our automated system because you’re even correcting each system reports differently. Part of the function of my team as the proactive [inaudible 00:07:12] health team is I do have an automation team. We’ve spent the last couple months revamped our patch management system because you always find different nuances depending on the software that you’re using. How is it reporting so it says, “Hey, I am missing something,” and then goes and patches that. You always have to even understand the changes in the systems as it updates because they start using different tables in the database to really reflect something different in that system.
James Schmidt:
That’s complexity that you’re layering in beyond the patching that a lot of business owners aren’t taking into effect when they’re saying, “I’m going to take on the IT realm,” instead of utilizing a [inaudible 00:07:58] like JMARK is to really focus. That’s what we do, that’s our core competency. I love the word core competency because that’s what I do every day. This is in my wheelhouse. This is how we patch systems or look when we go in to do an assessment and saying, “Wow, not only is you’re not using proper software, but you’re also not reporting back. Who knows what’s going on in that system. There’s no reporting. Okay, we need to get you reporting so you at least know the risks that you’re taking on in your organization because a big part of it is risk mitigation and then how does this affect efficiency in my organization as well.”
Speaker 4:
I have a question.
Todd:
I think the other thing that- Oh, go ahead.
Speaker 4:
I was just going to ask James, so you just said you come in and do an assessment. Say that this is the first time that a business owner has had this done and they find what their hidden dangers are. How do they know which they need to prioritize?
James Schmidt:
We’ll take a best practices approach. A lot of times when you’re talking about patching there are risk ratings or I’ll get technical, CVSS scores. Those are industry ratings that help you prioritize to say, “Wow, this is a 10. You need to address this right away,” or, “Hey, this is a seven. This needs to be addressed within the next 90 days or 180 days.” So there is an ability to prioritize and that’s where expertise comes in where, “Hey, you don’t have to be overwhelmed. I know it looks really bad. You got 3,000 vulnerabilities. Let’s break that number down so that it’s consumable.” You always talk about how do you eat an elephant. It’s in small chunks. You’re going to take that into patch management or any other item that you come along in in the assessment. It’s, okay, yep, let’s breathe. Let’s understand what the risk is. Then let’s understand how to now prioritize over the next 180 days, sometimes maybe a year when you’re rebuilding the whole infrastructure because it just hasn’t been maintained. It’s a great question is how do you prioritize. There’s best practices in there that we layer in to help with that.
Todd:
The other thing that I wanted to mention is that we take the … I think most people when they’re listening they’re probably thinking about just Windows patches, operating system patches. But the real hidden danger lies in so many other areas because you have … There’s software that the marketing team might be using, Adobe software and nobody else in the organization is using. That right there alone could be a big vulnerability. You have somebody plug in an iPhone or an Android into their computer and you install iTunes and software or transfer stuff and right there that alone … There was a big iTunes bug a month or so ago. When you’re going to try to fix something like patch management, it’s not just about the deployment, it’s not just about execution, it’s a full holistic approach to security. What is allowed to be plugged into computers. What software’s allowed on the network. Who is allowed, how are we managing patches for all the other applications. How are these systems with special applications segregated from other systems. It’s a whole strategy discussion that is … It’s complex. That is why so many people fail on patch management because it’s not as clicking a button and then saying update.
James Schmidt:
Yeah, it’s a layered approach to security. When you talk about little things, have you ever had I think it’s called baklava? It’s very, very thin pieces of dough that make that dessert. You look at layering security and they’re just really thin layers, but once you add that up it becomes a huge part of that vulnerability that people say, “Well, I have a good patch management system.” Great. On what piece? As soon as you start layering in you start getting this perspective of, wow, I might have a lot of risk in my organization with what I just was presented with. So absolutely right. It’s all about layering.
Todd:
Let’s take a step back from patch management. I think we beat that dead horse pretty good. What are some of the other things that you’ve seen in networks that business owners might find surprising?
James Schmidt:
Yeah, it’s going back to little things. As we grow, which we all want to do as a business organization, unless we take a overall a step back and say, “How is my growth rate to my technology that I’m doing?” We’ve seen a lot where they grew into a nice enterprise, 50 to 250 users, and now they have a data center. Well, holy crap. How does that data center connect into your current enterprise solution and is that functioning properly per best practice. Again, it’s just that little piece of a connection from one office to the other. Is that properly set up. Is that the best practice to create efficiencies. When I look at the proactive and health team I look at two things: efficiencies and risk. Efficiencies go into productivity for our end users. As we grow as an organization whether it’s JMARK or one of our clients, is they need to be layering in each piece of risk, so going back to that patch management system and how we’re adjusting for that. Then also the efficiency. Man, are you sure you want to take on a whole data center. Does it work better for not only your expenses, your operating expenses to have that on-site versus going to a data center and having that thought process. It’s a little piece, but it affects the business long term. It’s all about architecture. I think that’s another piece that we’ve found that hasn’t been to best practice.
Todd:
That’s a good point. I think that also brings to light several other connection points so to speak. A lot of businesses have some type of line of business software and oftentimes that software has ports open for the software company to allow them to get in and manage the software or allow them to troubleshoot it or allow them to get logs or something from it. That alone can be a big security risk. You have employees working from home connected to a network, a work computer connected to potentially the same network that kids and others in the household are using. That could connect back into the environment and cause more problems.
James Schmidt:
Let’s hit on line of business apps real quick because that’s probably one of the biggest pieces. When you go into some of these potential clients there’s sometimes I’ve seen as far back as still using server 2000 that has been deprecated for years and years. Some are using 2003. The common piece around those clients are, “Hey, it’s too expensive to switch out of that application.” They miss the quote of well, do you still want your business if you get hacked and lose all that data. They forget that question. They say, “It’s too expensive to switch it out.” I said, “It’s too expensive not to switch it out if you lose your business.” That’s a common piece. Not to be scary, but it’s understanding how you continue to evolve your business because your business continues to evolve. You’re taking on new marketing practices. You’re taking on new sales strategy to increase your business. You need to look at that in your IT environment as well to say, “How am I evolving my key environment with my business.” That’s usually a subset of I forget about it.
Todd:
I think in the-
Dax:
I have-
Todd:
Go ahead, Dax.
Dax:
Oh, I was going to say I think you mentioned James that people do make these changes in every part of their business. I think it’s important to remember that these changes are made continually and over time, but everybody’s constantly planning out those types of changes, the marketing changes or moving into new markets and that kind of thing, finding new opportunities. It’s constant planning: quarterly, yearly, always looking ahead and the same thing needs to be done with your technology. You need to be making these plans on an ongoing basis. Then it becomes what you were talking about earlier, not trying to eat the elephant. It becomes manageable when you’re planning ahead for it.
Todd:
Yeah, I don’t want to across that there always hasn’t been change. There’s always change in business, but the rate at change over the last five to 10 years is exponentially faster. As GDPR happens and the California privacy laws and all the privacy laws and everything that’s changing systems and networks and security and more vulnerabilities [inaudible 00:18:16] if technology is not a primary part of your strategy, it’s not a pillar of your strategy you’re never going to be caught up because you’re just going to get farther and farther behind. You’re opening yourself up to just massive disruption from other businesses and from disruption and risk.
James Schmidt:
Yeah. We’ve talked about the technology side a lot. Can we talk about the people side a little bit? That’s a big component when we go in and do these assessments and understand, “Okay, great. Your technology is where it’s at. We have a plan in place that we can get you back up to that level.” How do you deal with the people piece because either the potential client is a small organization that has the smart person in the office that has been the IT person, so most likely they don’t understand best practices so that’s a, “Hey, this person can’t manage it anymore. There needs to be a revamp,” but you go into a large enterprise that you do have internal IT members that have been in the industry for quite some time and what we find continuously is yes they’ve been in the industry, but they haven’t stayed up with that industry knowledge to keep up with good best practices as that company has expanded into the cloud. They’ve done enough job to get it into the cloud or changed over that technology as it’s changed, but not enough to say, “Wow, what’s the best practice. How should we have secured that better? How should we have made different connections so it’s more efficient,” and how are you dealing with it internally. Who’s pushing that internal IT person to level up their skillset in a specific technology that benefits the organization. That’s always about-
Todd:
I think for clarity’s sake it’s important that people understand we’re not trying to just put down IT people. That’s what most of our company’s made of. One thing that’s a little different with our organization is we work with a lot of clients that have internal IT staff, but the nature of the speed that I was mentioning a few minutes ago plays into this. IT people are rarely bored and rarely don’t have things to do. The speed at which things are coming, it’s not for just arrogance or neglect. It’s just that people get so busy and it’s not being made a part of the strategy of your organization so it never gets talked about. It never gets put to the top of the list.
Todd:
Then you get to situations where new regulations come out, new risks develop, and the IT people are just behind and behind and behind because they haven’t had the opportunity or the time to stay up to date with the moving technology. The other thing that’s really important to understand is that … One of the things we talk about at JMARK is that we have something like 65, 70 IT people. We can stay on top of technology because of the breadth of our footprint, the number of people, but there are so many areas of technology it is impossible, literally impossible for one person to have all of the network knowledge, all of the system knowledge, all of the software knowledge, all of the security knowledge, all of the regulation knowledge of the privacy laws. It’s impossible. It just can’t happen. So, I think business owners are putting too much weight on their IT people thinking that they have it handled. I don’t need to worry about it, they have it handled. That’s not the case.
Speaker 4:
That makes me think of a question. Say that basically you’re really speaking to someone right now and they’re like, “That’s me. I have a small internal IT staff and they’re already too busy. We have no idea what our hidden dangers are.” What’s a next step that they could take as far as getting a full thorough evaluation of their network? Not all at once.
James Schmidt:
Todd, you want to take that? I could take that, either one.
Todd:
Well, I mean at JMARK we have network assessment services where we go in and review the networks. We look at it at a standpoint, and I don’t want this to come across as selling JMARK. We’re doing this to provide information to the business owners. But the point of saying that is you need a third party to evaluate what’s going on because even as business owner you could be doing something wrong that is greatly impacting the risk of the network. We’ve seen lots of cases where business owners, they want full access to everything. They want certain things and something gets on their computers and bam, it can destroy the network. That’s why it’s important that a third party that doesn’t have really a stake in the game come in and review the network and understand what’s really going on and how it’s working.
Todd:
I want to mention … I haven’t thought about mentioning this before, but there’s a difference between paid network assessments and free network assessments. That’s really important for business owners to understand because lots of IT companies out there do free network assessments for companies. Their goal is to come in, find pain, find ugly stuff, present it to you in a way that it looks horrible like the sky is falling so that you will hire them to do their business … technology. Whereas the way JMARK does it is we only do a paid service generally. There’s very few exceptions where we do a free assessment, but we do a paid service so when we come in we’re completing the scope of the agreement for the paid network assessment. There might be certain stipulations in it. We have to look at this, we have to look at this, we have to talk to this many people, we have to look at this many things. JMARK is coming in with a predefined agreement and working towards the scope of the agreement and then presenting the whole solution or the full results to businesses so they can see the good and the bad because often it’s generally a mixed bag.
James Schmidt:
Yeah, and I approach it always as a consultant. Hey, at the end of the day I want you to be successful. If this engagement, whatever level that is, I’m going to go in and say, “Hey, this is where you can improve. This is how I want your internal IT team to level up.” I approach it very much as a partner of how to improve your business because at the end of the day that’s what we want businesses to be able to do. That’s what we want to empower them to do. Hey, how can you look at best practices whether hey, maybe you need some more training for your team or maybe you just need to spend a little extra time in your architecture to hammer out some fundamentals of best practices. That’s where any good IT team should be approaching that as a consultant with that. Good question, though.
Dax:
I’ve got a question. Todd, something you said that made me think of this. You talked about regulations. We work with companies in different industries, have different compliance audits at certain times. I’d like to hear what Todd and James, both of you have to say about the idea that some business owners get that I’m compliant so everything is good. I passed my audit. An auditor came in and looked at all of our network and systems and we got a good score on the audit so that must mean I’m safe and there’s nothing to worry about, right?
Todd:
Yes, I’ll start this one and James, you can close it. We’ve gone in and done a lot of audits where that was exactly the case especially in the banking industry where you would think things are the most tightened up and frankly, they should be. But we’ve gone into banks that have passed their audits and we’ve found rogue network devices, rogue wireless access points, patch management in the thousands. We’ve found potential for tons of breaches. We actually look at the vulnerabilities and give an estimated cost for how much these would cost if they were breached. Thousands upon thousands … I remember with one bank we printed out a report that had something like 9,000 vulnerabilities, known vulnerabilities that were sitting on the network externally and internally. This is somebody who’s passed their audits.
James Schmidt:
Yeah, I love the word passing. I’ll go back to school. What was a passing grade? Passing grade was technically a D. Not saying I was in that boat, but a passing grade was a D. So, when we come into some of these clients and we help them, whether it’s an assessment or … Obviously some of these you have to have a third party come in and do the audit to show a successful pass. You have PCI, GDPR, HIPAA and then the banking environment has whole different regulations. So, what does a pass really mean. Todd hit on there.
James Schmidt:
It’s yeah, they passed but they still have 9,000 vulnerabilities. Is that a pass and a D or a pass and an A. I want my clients to get an A. That’s just me being selfish because I want them to be winners and really be able to clean it up. But beyond passing is we always forget when we finish the audit or the assessment the next day you’re going to start prepping for next year’s audit and what is your maintenance plan in between because you can do all this work and push hard on your team members to get in and run them into the ground in the last 30 days before the assessment, but what is that doing to you. What is that doing to your organization. That is not fun, and that’s not where our team members want to be is what’s a continuous maintenance plan that you do. At the end of the day, the passing is, “Oh, you guys are coming on Tuesday, no problem. We’ll be here. Go into your assessment.” I know I’m going to get an A because we’ve had a continuous maintenance plan throughout the year that facilitates the outcome that we want. At the end of the day it’s the result of passing with an A is what we want. How do you facilitate that? Continuous maintenance and having the right architecture. That’s what gets you every time.
Todd:
Also along with that one of the things that JMARK does for clients is that we create five year technology plans. Then we review those technology plans every quarter and we’re looking at the future. We know when things are going to be non supported. We know when certain vulnerabilities are going to need to be addressed. We know when there’s going to need to be … We’re watching the regulations throughout this five year tech plan and watching changes that happen. Then we’re communicating that on a monthly or quarterly basis based on what’s happening. So, it’s a constant strategic outlook on … it’s this pillar of technology that you’re constantly looking at and making sure you’re mitigating risk and using it to capitalize and make the organization better and more productive and more profitable. I think also-
James Schmidt:
And also who-
Todd:
Oh, go ahead.
James Schmidt:
You’re absolutely right. We have that five year tech plan. But also as we watch the industry we want to come back and say, “You know what? We put this in the five year tech plan. This technology has changed. Let’s change with you and discuss what it means to do a different hosted solution. Maybe go to a different line of business app because it’s better for your organization and be agile to change in that timeframe because nothing’s set in stone as we see that nothing has a guarantee at the end of the day.”
Todd:
Also, I want to mention too one of the things that a lot of companies don’t have with James with your team, the one thing that we have is we’re looking … You guys are looking at all of these threats and when you find a threat you often, or a vulnerability, you will go back often and create an automated way to prevent that threat or to remove that threat. So, in creating this automation there maybe something in the healthcare industry or something in the banking industry then [inaudible 00:33:01] comes in and we can now roll that out across our entire client base no matter what industry they’re in and make all of our clients more secure and less vulnerable to all of the dangers even if it’s not in their industry. That is huge. You are hitting things … Because often the vulnerabilities start in one place. Then they start traveling around whether it’s applications or systems or what. By this massive amount of automation we perform … What’s the number? Do you have it off the top of your head? The number of automated scripts we roll out in a year. It’s in the millions.
James Schmidt:
In the millions. Health checks in the millions, so we’re constantly checking on the devices that we manage and saying, “Hey, how are you doing? What are your stats?” All of that. Then when you talk about scripts or automation that runs on our networks it’s close [inaudible 00:33:59] millions as well. You talked about one client is probably running about 100 to 200,000 scripts a month depending on the size. You multiply that between all of our clients and you got a healthy amount of automation. It’s always that collective collaboration that, okay, even though we have multiple clients what we always take in to is we’re one large enterprise.
James Schmidt:
You think of the clients differently when you think of one large enterprise and how are solving problems both security or automation and then we look at, okay, can we do automation and roll this out across all networks or if we can only do a certain amount of automation, what’s the monitoring and ticketing that we can generate so that somebody can now go in manually and do the operation because not everything can be automated. I love automation, but I also know when everybody says, “Let’s just automate it,” I’m like, “Hold on. What do you want to automate?” We have to understand not everything’s perfect in that process, but we have such more of an advantage when we’re looking at all of our clients across the networks and saying, “Oh, this is found here. This is how we’re pushing it to all our clients.” Let me hit on one piece around that.
James Schmidt:
Even some of the vendors that we are taking on and working with their technology, a specific AV company that we work with, and one of the cool technology pieces that they’re just starting to roll out is, okay, if this can look at this vulnerability and sees this and then it can correlate that information to other clients it can start shutting down different services. There’s that technology out there that we’re now starting to apply. Now it’s very advanced technology that’s come in the industry, but that’s something that we as an organization already starting to bring in to our clients because we found, wow, now we’re not just correlating [inaudible 00:36:15] to one client that let’s say has 150 end points. We’re correlating to all of our clients and you’re getting the benefit of that because it can start shutting down those services that are improper or malicious as a whole. That’s really cool to see how that works across all networks. I want people that are watching this to understand that’s a specific skillset, people start looking at that automation utilizing the technology. It’s out there, but somebody has to understand it to apply it into your business.
Todd:
If you can’t tell James gets real excited about automation and all that stuff.
James Schmidt:
It’s just funny. I never thought I’d be in tech.
Todd:
Let’s change the conversation a little bit and talk about from the perspective of a business owner one, why some of these things aren’t being looked at and what can the business owner do short of just hiring somebody to do a network assessment, what can they do to determine if there potentially is some issues in the network? We’ve talked about … Actually, we’re going to talk about, and we touched on it in some other episodes, in a few weeks I think we’re talking about being held hostage by your technology. That kind of plays into this discussion of how does the business owner know if they’re kind of being held hostage?
James Schmidt:
Yeah, and it’s assuming they have some type of internal person that’s managing that, and as a business owner is how do I not feel overwhelmed with everything that’s going on and still ask the right questions to the right person on board. One, first you have to always assess as a people person, do I have the right people on the bus as they say. Once you’ve said, “Yep, I have awesome team members. They believe in what we do,” then as a technology piece from a high level, hey, you need to start asking the right questions of, “What is your security protocol,” and then allowing them to come back and say, “This is how we’re protecting the organization.”
James Schmidt:
I think some of the pieces that you’ve heard on this call will allow you to have that litmus test. Are they giving me the runaround because I don’t know that much about technology or are they actually looking at different systems to make sure our organization is secure? Then you take it to that next level is, are they thinking through efficiencies because with everything going on there are some businesses have been very heavily hit in certain industries. Are we pushing forward with the right efficiencies in the organization? You’re asking your internal team members, “Hey, what can we do different with our line of business app that brings more efficiency,” because I know everybody wants to say, “Well, this brings up 10% for productivity.” Sometimes that’s really hard to measure. It’s what are you guys doing with a process or with our technology right now that is bringing us more efficiency that translates into more profitability in the organization because that benefits everybody right now. It’s asking those questions and then seeing what they answer. And-
Todd:
So, when-
James Schmidt:
Go ahead.
Todd:
I was going to say well let’s think about these questions. A business owner … When I think through this some of the things that would potentially give me a red flag would be something like what’s our back [inaudible 00:40:08] disaster recovery plan? Can you show it to me? What are we doing to address this regulation? What are we doing to address this security threat? Can you tell me who has access to such and such and who has access to this system and that system? Asking some of those questions not in a drilling type of way, but asking some of those questions will immediately or very shortly potentially set off red flags. If they start walking around or dancing around and, “I’ll get back to you,” and they don’t get back to you or they don’t have answers asking about what’s the Windows patch status and what are we doing to update Adobe software and what are we doing to update Apple software and all of these different questions business owners need to have answers to them. It’s that kind of thing that you ask and based on the response if you don’t have a good answer and you don’t have answers that fill you with warm fuzzies then it’s possible that something’s off in the network.
James Schmidt:
Yeah. Here’s a great question. Earlier we were talking about internal people being overwhelmed with so much work. We can all fall in this trap where we have a lot of work and let’s say we’re working on a lot of projects. The business owner can come to their internal team and say, “Okay, tell me all the projects that you’re working on. I want you to give me the top three that would increase our revenue right now.” If our internal people can’t say, “Hey, I can shift my workload to these top three that will bring more revenue into the organization,” because they’re not thinking about that, are they the right person that’s leading your technology well. That can be a red flag of, “How are we adjusting to the current conditions in our business.”
Todd:
It may not be revenue. That’s just an example. It may be what are the top things to reduce security or whatnot. There’s always something.
James Schmidt:
Yep, I always look at efficiency and risk. It goes hand in hand. The top three projects can be reducing security. Whatever that business owner wants to focus on, but asking those qualifying questions of, “What does my IT environment look like?”
Todd:
Many people translate profitability to just above the line revenue. But profitability can come into play in risk as well in terms of by not doing this we are opening ourselves up to this much risk. That of course, is going to reduce profitability if we end up having to go down that route. It’s important to take that into account especially with everything, with the constant motion of business and the world and economics and everything that’s going on. It’s vitally important to have a handle on that and really understand the potential threats that could affect the profitability.
Todd:
Business owners can have these questions. Anything else that you found, James, in your discussions whether bank audits or whether it’s network assessments or HIPAA or anything that might provide value to this discussion?
James Schmidt:
Yeah, going back to the theme that these small things that can cause big problems, obviously I’m in the technology piece. I focus a lot on the technology even in your [inaudible 00:44:19] directory environment some clients still to this day don’t have it. Depending on what they’re doing is how does this drive efficiency, but one piece is the cleanup. So many items we’re not spending time on the cleanup of the small things that really affect when you spend five, 10 years now doing that same process what are the inefficiencies that you’ve garnered within your environment by not doing that. So going back to that overwhelmed piece is yeah, you think at a top level things are taken care of, but peel back that onion and go to the little pieces as simple as setting up a user account appropriately with a standard across the board of how you do it. We go into clients’ environments that Active Directory user got was literally first name, last name and email address.
James Schmidt:
Well, if you start going into data mining, which a lot of clients are going into today, and you start getting that contact information or different pieces within the organization and you didn’t have a standard to really put data in in the first place you’re going to get screwed on the backend by now not being able to data mine it. It’s always that input in, input out that you’re either going to be wonderful because you have all the data at your hands and you could manipulate to understand what’s going on or you didn’t because the last five, 10 years you didn’t take the little pieces and the minutia to really put that into the system. Again, it’s best practice and standards. That’s one of the things I think [inaudible 00:46:05] JMARK that I’ve seen so much is we focused on standards so that we are capturing these items. So, term down the road we can data mine it if needed to affect outcomes in the organization whether that’s efficiencies or risks. That’s something that I see constantly in the organizations that we do assessments on. That they’re just starting to do data mining, they’re like, “Well, we don’t really have the right data.” It’s like, “Oh, okay. Well, let’s start putting in best practices and standards to get that data in there. Then you can mine it. Then it’s awesome.”
Todd:
Well I think we’ve had a really good discussion. Like I said at the beginning of this, this discussion is not about scaring people even though that’s probably an unintended outcome. But there’s a lot of things in life that scare you. Hopefully technology … Technology definitely should not be one of those. As we wrap this up I think the biggest takeaway that I had on this is it’s just so vitally important that we have a strategy. It’s not looking … just all of the muck and the ugliness of a network and just looking at the threats. It can be easy just to look at all the threats on the internet and just feel like you need to lock yourself up and unplug your computer and not connect to anything.
Todd:
But by having a strategy where you’re constantly talking about it and where technology is a pillar to that strategy you’re essentially slowly making progress. It is true, and you kind of touched on this James in the sense of passing versus all of the vulnerabilities. There are times when the risk is acceptable. Business is business and you have to do the best you can. Sometimes there’s priorities that are more important, but that’s why it’s important to make sure that that technology is a part of the strategy so that you’re constantly moving something forward and not getting to a point where everything’s so far behind that you’re in danger of a big risk to the organization. But thanks everybody for joining us on Facebook and on the podcast. James, you have one last thing you want to say?
James Schmidt:
Yeah, can I finish one last thing? I always look at as we want to always be honest. Find that colleague. Find that third party that can tell you the truth because if you don’t have the story and the truth of what’s going on, you can’t fix it. So, whether that’s a trusted colleague in your organization or a third party, find that person that can tell you the truth. Is that-
Dax:
Once you hear the truth it’s never as scary as you’re afraid it’s going to be because you can make the vow to fix it. Or just start fixing it.
Speaker 4:
Good point.
James Schmidt:
Yep.
Todd:
Very true.
James Schmidt:
Awesome. Thank you.
Todd:
Thanks everybody. Take care.
Speaker 4:
See you.
James Schmidt:
Thank you. Bye.
Speaker 1:
Thank you for attending this podcast. We hope it has been informative and helped convey that at JMARK we are people first and technology second. To learn more and discover additional content relevant to your business please visit us online at jmark.com or at LinkedIn, Twitter, Facebook and Instagram. You may also call us at 844-44-JMARK. Thank you for your time and we look forward to seeing you again.