This essay has been submitted by a student. This is not an example of the work written by professional essay writers.
Uncategorized

Phone call conversation on research

Admin 22 Apr 2024

Pssst… we can write an original essay just for you.

Any subject. Any type of essay. We’ll even meet a 3-hour deadline.

GET YOUR PRICE

writers online

Phone call conversation on research

Hello, this is Dave Dickinson.

Hi, Dave is Todd Coury. Nice to meet you.

Hi Todd. Thanks very much for joining the call. I appreciate it. Let me start off by giving you a little bit of background just so you understand what I’m up to here today. Pardon me. I’m a third-party researcher. This is basically what I do, I interview people. I don’t have any vested interest in what we’re going to talk about today. I just want to get your thoughts and opinions. But, pretty much all the work I do is in the tech space. So you can understand I know what you’re talking about unless I ask you for a clarification. And those beeps are … I’ve got a couple of colleagues joining, they’ll stay on mute. If we have time, I’ll give them a chance to ask a question at the end. But otherwise, we’ll just ignore them.

Let’s see, what happens is, I write up a report when I get through with all my interviews and that’s what the recording is basically for. It’s my memory. That’ll get transcribed and I’ll review that. When I get to writing the report, there is no public release of either the report nor the recordings. Nothing will be directly attributed to your name or company name, nothing like that. That’s not what it’s used for. So, I always like to confirm that it’s okay. That we’re recording on with that stipulation.

Of course.

Great. And then the things they asked me to say are, we are not seeking and do not want any confidential information including material nonpublic information. We do not want you to disclose any confidential or proprietary information about your current employer. And we expect you to comply with your existing obligations to your current or former employers or other third parties, including … But not limited to any nondisclosure or confidentiality agreements. So, if at any time you don’t feel comfortable asking a question because it crosses those confidentiality lines, just let me know, I’ll reframe it or we’ll move on. But it hasn’t been an issue for folks basically as you probably know, I just want to get your perspective on the challenges that IT departments in companies like yours are experiencing, and how IT teams are leveraging technology to address those challenges. So, that’s all my preamble. Let’s get started if we could, with a couple of general questions. I’ve got the background that GLG provided on you so I see your role as a CSO, but it also looks like you’re more generally responsible for end-user computing. Is that a correct takeaway?

That is correct. The CSO role is new for the organization. But beneath that falls all the responsibility of server-side and end-user compute.

Super. Well, we’ll touch on a lot of those things. Bust generally before we get into details, can you tell me about technology-based endpoint solution your firm recently evaluated or adopted to help improve the effectiveness of IT operations and service levels. I’m basically interested in what kinds of solutions have caught your interest lately.

Define lately, because we have really been on lockdown the last six months or so it seems.

Well, I’ll ask you some specific questions about the COVID situation. So, let’s say prior to that happening, what were the sorts of things you were evaluating or looking at?

One of the things that we did was, I implemented a software as a service solution with Proofpoint, or our email virus and malware spam filtering. Prior to that … and I’m relatively new with this organization. But prior to that, this is the first and only real thing I got done here. Prior to that, they didn’t really have anything, they were using some of the generic Microsoft tools, but they didn’t have a formal solution in place. I’ve used Proofpoint in the past. We were very happy with the performance of it. So I was able to get that implemented four or five months ago, I guess at this point.

Good. Super. Alright. We’re going to start off at a high level, and I break down the tasks for an IT organization into four functional areas around end-user computing, and that’s my focus today. Is, I will touch on other infrastructure but we’re primarily focused on end-user compute. The four functional areas I talk about are, deployment of new or replacement equipment or software, management of the deployed endpoint ecosystem, securing the endpoint ecosystem, and then, just supporting the end-users of that ecosystem. And my first question is just, does that sound like a valid framework? Does that cover it? Anything missing?

No, that was pretty inclusive.

Good. So we’ll go through each one of these, and we could spend a lot of time talking about them. But basically what I want to know is, for each one of them, what are the top challenges that you face in that functional area? And then, what kind of guiding principles an organization like yours is following to attempt to improve or modernize how they address those problems? So, we’ll talk about deployment of new, and replacement equipment, or software. What’s the top challenges there?

I have two very different perspectives on this. Having been at this organization for the last six months, and at my previous organization for 19 years, this new organization is really in its infancy from a technology perspective, although it is a very old company. Whereas, my previous employer, over my 19 years there had worked very hard to make everyone’s life easier by utilizing technology. So, specifically around deployment. Currently, at this current organization, they are doing everything manually. They have no automation whatsoever. And it’s more of me when I came in and started calling meetings with the team to understand how the environment was configured, to see that they literally walk around with a disc or a USB stick to image machines, no automation whatsoever.

Any other examples of … To use your term infancy that floored you when you came in, besides the shoe leather network as we used to call it?

Like I said, they really didn’t have anything standing their email environment, or malware, or viruses, or spam, other than really just a native Exchange tool. So they saw a mark and improvement in mailbox management by the implementation of the Proofpoint solution. I’m trying to think, they really have no onboarding process. There’s no one thing that triggers if a user is getting onboarded, what their new equipment configuration should look like, what their network access should look like. It’s very ad hoc. It could start at a number of locations. HR does not drive the process like I’m typically used to seeing. It could be a manager in a remote office that says, “I hired this guy a week ago. He still doesn’t have a computer, please get him set up.”

There’s no tracking system that they have in place. So, that’s also one of the things that I’m trying to do. And I met with the president a couple of weeks ago that, we really need an onboarding process. You wonder why people are having either access to things that they should not have access to, or don’t have access to data that they require for their day to day jobs. It’s because there’s no process. And you just really leave it to IT, to guess what somebody should be doing, as opposed to having defined roles and responsibilities, and some type of a technology template associated with that role that clearly defined what they should and should not have access to. So, that’s more of a … sort of what our sole focus is right now in general is improving internal processes. But that’s one that I am working with. The designee that the president has sort of assigned to this HR project to share with them the background that I have going through this process, and having done it before.

In that, we’ve kind of transitioned into management as well as deployment. So I’m assuming that obviously from what you’re saying, there’s role-based policies or that sort of thing. What’s your tactic right now? Is it primarily through implementing or changing human processes? Or are you relying on technology beyond Proofpoint to do any of this stuff?

A little bit of both. A lot of it … Again, this is an old company. A lot of people that I’m interacting with have been here for a very long time. And when I say very long time, in 20, 30, 40, some 50 plus years at the same organization. So changing that mindset is difficult. The way they look at is, “Well, we’ve been successful. We’ve been doing this for eons. Why would we need change?” And I tried to get them specific examples of why they need to change. Primarily exposure of confidential client information, either to internal people or to bad actors that are looking to penetrate the network. So, it’s a very slow process. And what I learned is, I came in gung-ho, they need a CSO. I’m your guy, I’ve done networking for decades. Done security as well. I’m going to be able to help you get this going. So I come in with a full agenda and what I learned quickly when I started getting the cold shoulder by several people on the leadership team was that I was coming in a little bit too hot, a little bit too aggressive. And I needed to back off of that and then-

Learn about that.

That side of it. Don’t rock the boat too much. And they’re going to push you overboard and leave you behind, slow it down, try to learn my audience a little bit better, see who is more open-minded to making some improvements to the environment. And that’s one of the reasons that I was able to get the foot point push through, was that the person that they had in charge of it was really a programmer, not an IT person. But he understood the fact that we get a lot of spam, there has to be something we can do about this. And I really approached it more from a, let’s reduce the amount of spam, all the virus and malware protection will just be an added benefit. But I know you don’t want to expand in your inbox, so let’s do something about that. Something behind the scenes would give them additional benefits.

So let me ask you a question about that. I mean, obviously, there was some recognition of pinpoints, spam, and generally, with all of the publicity around cyber intrusion and hacks and whatnot, that management goes like, “Well, I don’t want to be that next person who shows up on the cover of Wall Street or something.” Why aren’t they more concerned? What makes it a slow process, or why are they resistant?

I’ve had a detailed conversation with them on this. It’s interesting the general counsel for the company, is a gentleman that I work with pretty often. And he’s an ex litigator from BigLaw. And every time you talk to him about something, he’s like, “Yeah, we’ll deal with that in court. We’ll deal with that in court.” Don’t spend any money, or if you do it, the minimum we can … And if something comes up, we’ll deal with them in court. So I think he just has that hankering to get back in the courtroom and litigate. So, I’m not going to say he’s looking for a reason to do it. But he is very he’s adamant that-

He’d rather control his risk on the back end than try and prevent it. It sounds like.

Yeah. He’s confident in his ability to manage his own risks the way I try to look at it. With that being said, I did … They didn’t have any cybersecurity insurance, I said, you need cybersecurity insurance because if you have a breach, you’ve got billions of records that … And there’s a feed per record if you’re breached. So, we had the cyber insurance companies come in, talk to us about it. Unfortunately from my perspective at least, the lady said, typically fines associated with a breach are X, and it wasn’t nearly even in the ballpark of what the maximum fine could be by doing the math, and holding it to the letter of the law. So, that emboldened him that, “Hey, well, this is great, we only need, a couple million dollars in cyber insurance and if that doesn’t work, then we’ll deal with it in court.”

He’s going to be one of those guys. He’s going to be extra tough though. So I really treat him with kid gloves, and I need to meet with him on something else. And I’m making sure that I am ready to go with all the types of questions that I know he’s going to ask because he’s so very, very cost-conscious. And again, he’s been here forever, so he has a lot of influence with the president who is ultimately the one that would approve any budget requests that I make.

Well, let’s flip that around then. You mentioned finding areas where people maybe are more receptive. Any kinds of roles or functional areas that you’ve found greater receptivity to modernizing the approach?

The Legacy IT Leader is pretty receptive to technology. He just has not had a lot of success. And I think it was because he wasn’t the best person to try to propose solutions to leadership. We have recently added another person in IT. That’s a younger man and he is not really technical from an IT leadership perspective. But he’s a smart guy. He much better understands the position that the company he is in, our potential pitfalls, and he has the ear of the owner. I think help drive some of these solutions forward. I have had a little bit of traction with HR because they would actually like to be the initiators and the drivers of onboarding personnel. So I think I had a good conversation with the HR director about how there really is no control when people are brought into the company. And she was pretty receptive to the fact that we really do need to try to clearly define and document what the onboarding process is, so that we can make adjustments to it as we need to. And I was able to get her in conjunction with the president of the company to buy off on the fact that we really needed to start working towards a more formalized onboarding process.

What’s her motivation there? Is it just best practices you recognize as best practices, or is there something she gets if you’re able to implement that?

Both. She gets to implement best practices, but she also gets to not receive those frantic calls. Because if something’s not set up for someone, or she doesn’t … the likelihood … I never say never, but the likelihood of a new person being given access to data that they should not have been given access to, should be greatly reduced by having clearly defined processes and templates that are used for onboarding specific roles in the company. And I think that helps her sleep a little bit better at night or will, if and when we can get it implemented.

Good. Let’s see, you’ve touched on … you’ve already implemented Proofpoint for the security side of things. So what’s your next pinpoint? What are the things you’re looking for to up-level within the security environment? Please pardon me.

No worries. We really don’t have any type … Do you want to grab a cup of water?

I can get up and get one if it keeps going. Thank you though.

No problem.

Normally, I don’t, right at the moment.

We have no SIM right now, which is … You may already know, but it’s just the aggregation of all server log information into a single place so that you can report on it. Look for trends, things like that. It’s a pretty significant security solution to have a SIM in place. So instead of having to go and search 500 servers, you have it all in one place. And you can more easily correlate events specifically around the security major, but even around network performance, user access, et cetera, because it’s all in that single place. We don’t have anything like that right now, we have Arctic Wolf. I was able to put in … They’d actually started it, but hadn’t finished it. I was able to get that finished right after I started for some … it’s mostly North-South, a little bit of East-West traffic analysis. But it did do a pretty good job of log aggregation across the Windows environment, but we also have a very substantial AS/400 environment.

And this was my first experience with an AS/400, and the logs that are generated on an AS/400 are exponentially more detailed and more numerous than any logs, regardless of how high you turn the logging up on a Windows server. I mean, it’s a tremendous amount of information. So, working to try to get that information into our Arctic Wolf solution so that we have all the windows logs and all of the AS/400 logs in a single location to help facilitate any deeper dive that we may have to do. Dr. Wolf said that they do have a solution for AS/400. So I have a couple of people looking into and testing that. And hopefully, that will pan out, and we’ll actually be able to do that because that’s something that’s coming up on a lot of our security assessments, is that we don’t have a centralized log aggregation point.

It may be contained in there but for the management of the end-user ecosystem and the security protection of those endpoints, what are you monitoring, tracking, and what are you using to do that from the endpoint standpoint?

From a management perspective, they do have SCCM, not very well configured I would say. So they do use it for some application deployment. They don’t use it for any image deployment, and they use it for some patching but they’re also using … and they got this set up prior to my arrival. They’re also using Intune to do some of that as well, but I haven’t seen great success with either. And they don’t have a patch management process that they follow. I absolutely-

Is there-

Go ahead.

If they had SCCM, was there a strategy about why they brought Intune in? It looks like also just a basic config manager. It looks like.

I don’t know. Ultimately, their goal was to replace SCCM with Intune and try to get … position themselves a little better for a cloud presence. I’m not really sure what the driver was. What I’ve also discovered is, it’s very hard to get answers from people. The technical lead that they have … they haven’t been there very long. And I don’t think he’s very happy there. So he’s a little resistant to share information. I’m not sure if it’s job security or just being difficult. And the person that he reports to, his manager, he’s also very difficult to get information out of. And I don’t know if they’re feeling intimidated by me having joined the company and asking questions that maybe they feel like I shouldn’t be asking. I’m certainly not trying to step on anybody’s toes, I’m trying to understand what we have. I had yet to even get a network diagram. I’ve been asking for a network diagram since I landed and had yet been able to get one from them. So I don’t know if they just don’t have one, or just don’t want to share it because they’re not happy with the design. I don’t know what the reasoning is. It just falls on deaf ears when I make the requests either on a phone call or an email, they won’t respond to. It’s a little frustrating.

So let me ask this quickly, you mentioned that HR, you’ve gotten some traction there. So I asked about roles, where, maybe things were more open-minded. Are there certain topics where you tend to get more traction? If you talk about certain types of improvements or activities that people tend to be more open versus more resistant?

They are more open to policy changes as opposed to technology changes because there’s no cost associated with a policy change other than my time to generate those policies. But technologies, they can certainly get expensive sometimes. And this may be a very unique time. I mean, it’s unique for all of us. I certainly understand that. So it could just be really bad timing for me to want to spend money on solutions to help improve the company’s posture. But I get the impression that it’s more of a cultural thing than specific to the pandemic or whatever else may be impacting them. I think they don’t care to spend a lot of money on it. A tremendous amount of their end-user base is customer service focused. So they’re pretty low demand from a technology perspective. They don’t generate a lot of support tickets. You know what I mean? For lack of a better word, you got to set them and forget them. I don’t want that to sound negative, but I have to use that analogy.

No. I understand you.

And so, I think that with such a large portion of the user base being, that lower-level technology requirement they don’t realize that the data that those individuals are accessing is highly confidential. And a breach would be potentially catastrophic. Like you said, you don’t want to be on the front of the New York Times.

That is good, I get that. Let me ask something, look at it from a different lens. I think you said when they recruited you for this, they had about 20 remote workers using PCs. I’m assuming that’s prior to COVID. What have you had to do … How much has remote working impacted things in the current situation, and are you doing things you maybe didn’t think you would have to do or weren’t going to be able to do because of the pandemic?

Yes. You’re absolutely right. The 20 remote workers, that is real leadership. They don’t really support a remote work, telework culture but obviously, as a result of the pandemic, they had to make that move. One of the requirements that we have in our industry is that all computers that access the network must have full disk encryption on those endpoints. So what we did for the pandemic was, people took their workstations home with them. We obviously can’t ask people to encrypt their personal computers to work from 8:00 to 5:00. They may not want to do that. I wouldn’t want to do that. So we took each of the machines that they had in the office and loaded them up, and sent them home with people and provided them VPN access through our Cisco AnyConnect, applying it to be able to work remotely. They took Meraki home with them because we do have a Cisco IP phone system. And the only way to get the IP phone to work is through the Meraki environment, which builds its own little tunnel from the phone back to the main Houston office.

And I think you mentioned that you’re using outside service to manage your Cisco equipment. Did they manage that part of it as well?

They manage the configuration of the Meraki, there is a gentleman that manages the phone system. But I think he really may just do admin changes, anything any deeper than that. And I can’t remember what group it is, but they do have a group that uses that. Even myself … I sort of considered myself part of the leadership team. I’m not sure if they did, but I stayed in the office. So I never really worked from home. I do have a laptop at home with a VPN connectivity that is a firm issued machine that I was using. But just this week actually, I did bring home my IP phone. And it took about a day for our partner to turn around the Meraki configuration so that they could provide Meraki to me to be able to bring it home and get my IP phone connected back to the network.

I was going to ask when you when the pandemic hit, and people took their work assets home with them and you did the Meraki setup, how did that whole process go? How has it worked out for you in this situation?

It went pretty well. Certainly, there were going to be hiccups. A lot of the customer service people used headsets. We didn’t have that many headsets for people to take home because some of them didn’t use them in the office, so they wanted them at home. So it was a lot of screwing around. We didn’t really have a DR business continuity plan in place. Which was one of the things that I asked when I came in, I was surprised that they didn’t have anything. And they didn’t really have an environment that was conducive to remote workers. So when this happened, I was a little bit nervous. There were certainly a lot of hunting around trying to find appliances. Things like Meraki were in short supply. Certainly, because everyone else was doing the same thing we were doing.

So there was a lot of hunting trying to find a hardware, and then getting it shipped to the partner who had to then configure them for us, and then shipped them to us who would then, in turn, utilize them internally, and deploy them or ship it to some of the other offices where people also needed to be able to take their equipment home and work. So it was done pretty fast and loose. But ultimately, I think we actually did a good job. One of the concerns, especially from the operations side is, they still don’t have any really good reporting on productivity so-

Productivity for the IT team or more generally?

For the general users; their concern is or at home, it doesn’t do anything. So all we can generate right now is log dumps out of the Cisco AnyConnect VPN appliance for when they connect, how long they stay connected, and how data gets transferred. So we did start looking at other solutions that would actually allow us to monitor an in great detail productivity. Part of it would capture screenshots periodically, would report on if they were accessing network resources as opposed to internet resources applications that they were running. So if they called up solitaire, it would report on that. And we went through that process. I was deeply involved in it and then I was completely dropped out of the loop.

So about two weeks ago, I started calling up, asking, have we made any progress on this solution? And I heard, “Oh yeah, they bought a solution.” So then I reached out to the technology team, “Yeah, we bought it, but we haven’t done anything with it yet.” So, their sense of urgency is not where mine would be, and things like that. That’s a concern for the Chief Operating Officer who was the one that was worried about the operational piece of it, it seemed as if they would be all over getting that deployed so that she can better track … I think what happened was they started to loosen the restrictions for work at home here in Texas. And people started … we started slowly bringing people back in, but then they had the spike. We had cases in the office where they were having to vent around then the floor home.

And so, I think it almost fell through the cracks because they thought they were ultimately not going to need it. But now, we may be in the situation for a while. So I’m hoping that they picked back up on it because I do tend to nudge them. And from my personal perspective, there was a hiphop component to it that I thought was very slick for the screenshot that would analyze the screen, determining things that looked like PII, and would redact that from the specific screenshot since it was a cloud-based solution. So I was pretty insistent that they take advantage of that. And when I asked specifically on it, the only response I got back was, “Yes, we got it. But there seemed to be some issues.” And no detail of what the issue is and what they’re doing to remediate the issue they’re working with. It’s crazy.

Let me ask a couple of detail questions here and then we’ll move on. You’ve touched on a bit, but overall, what’s the role of cloud adoption including SAS? But more broadly, cloud in helping to improve the entire endpoint ecosystem? Is it a key element or not?

It’s not a key element yet but I’m trying to make it one. I have gotten them to stand up an Office 365 Exchange environment and start to do some mailbox migration testing moving the Exchange environment off-prem and into the cloud. And my sell on that is Microsoft, I use them as the example since I’m a fan of Microsoft. That they will spend exponentially our annual revenue on security where we would never be able to do anything close to that. So other than the fact that there’s going to be a much more substantial security presence with the move to the cloud, it also turns us into just one drop in the ocean of data as opposed to, “Well, there’s company X, let me try to penetrate them because they have a specific data set that I’m looking for.” And if I’m just intermingled with a hundred thousand other groups, then I will likely see just that less appealing.

You’re one fish in the school as opposed to-

Yeah, exactly.

All right. And then we didn’t really touch on this but in terms of technology enablement for supporting the end-users, what technology if any are they using? I’m thinking of things like ServiceNow, or whatever. What sorts of things are they using if anything, and what’s the trajectory there?

They have a ticket tracking system. They use Track-It, which I have yet been able to get myself access to it for some reason. But I’m going to press on that next week because I need to do some reporting on it. But they don’t use that for any remote desktop assistance. They use logging in as their remote desktop assistance tool. And they have it configured in such a way that they can access the end-user’s computer without any type of a prompt that notifies the end-user that somebody is attempting to gain access. And allow them to allow or deny that. That for me from a security perspective is just a little unnerving when I had to call into support and they said, Well, let me reach out to your machine. And then my mouth starts moving and I never get prompted that somebody is attempting or requesting access to my machine.

So I’m hoping that I will be able to do something to at least allow a prompt. I think what the reason they don’t have it is because historically, they’ve done their patching manually and they will either walk the floor, log you out, log in as an administrator, apply patches manually by running an automatic update and then logging themselves off, or they’ll use something like logging in to log into the machine remotely and apply patches to it manually. So I think that was probably the impetus for the use of that tool with no prompting.

They’re basically just using it to provide access. They don’t have anything that’s providing automation or systemization of the patch in the management.

Correct.

Good. And then, How do you evaluate, or how do they evaluate the end-user experience? How do they gauge satisfaction? Is there a formal process for that or?

Well, there is not. Honestly, I don’t think they measure it at all. What I’ve mentioned to them is based off of what they have. Really the only thing they can do, which is not very effective, but is better than nothing is to monitor tickets and look for trends in ticket count per day. And see if they’re seeing any market increases in those counts. And to be more … there’s … it’s a Wild, Wild West when it comes to the categorization of tickets. So based off of that, there’s really no way for them to be able to report on specific issues or even be able to determine if a specific problem has started to occur. Because there could be eight different categories for the same problem, and I’m going to use what I’m familiar with, and somebody else may use what they’re familiar with. So other than actual raw ticket numbers, they have no good way of measuring those.

Interesting. And what’s your general orientation about using some sort of formal scoring process to evaluate its performance?

Now, when you say scoring process, would that be like a post-service survey that you would send to someone?

That could be one element of it. Certainly. Yeah. It could be a combination of things potentially, but certainly, a survey or monitoring time to resolution or all those sorts of things could play into it. But something where you’ve got a formal scorecard for the IT organization.

Exactly. And that’s what I have done in the past. Our previous ticketing system was just like that. We had times on hold, we had hang-ups after receiving a please hold for the next technician. We’ve had random surveys that went out I think to every seventh or every eighth tickets’ completely randomized. So it wasn’t just leadership. It wasn’t just customer service. It would be whomever, and to be able to get those surveys back in. It was brief because then, an extensive survey, nobody’s going to fill it out. Even on five questions or less, click one through five, as you had mentioned. People tend to be pretty responsible and especially if they see you respond to that, to them on an individual basis. If they had a poor experience or on a more company-wide basis saying, “We’re keeping up with the information, we have seen a trend in this direction, as a result, we’re going to provide additional training around this particular technology because people seem to be having issues with it.”

And they just don’t have anything like that here. So, I’m hoping that they … what I consider my great breadth of knowledge and all these types of solutions, because when I started at my previous company, we were in the same boat but over almost two decades, we improved it and put something in place that was very successful. So I want to be able to share that knowledge here and try to get them to that same place. Hopefully, not take 20 years to do it, but it’s just really a slow road with them.

So let me ask two quick questions, then I’ll need to move on to a different topic. I’m back on the formal scorecard kind of thing. There are third party benchmarks or scores available out there? As an example, Microsoft’s got a new one called Microsoft Secure Score. Do you leverage those sorts of external benchmarks in order to judge your effectiveness or would you?

I don’t today, but that’s actually a good suggestion. That may be something that I look into because that may be a less intrusive way of potentially being able to gather some of that data.

And then you mentioned that when you started your prior job where you were for a long time, you were in a similar boat. Especially, you can think across that time period, what was the most effective thing you did, or what was the behavior or the characteristic that you employed in order to move them along to a more mature posture?

The biggest thing that I did, I had a lot of significant projects there. But I would say probably the one that was the most long-lasting and useful and I was able to sell it by showing how much money we were going to save and man-hours. Was the implementation of a zero-touch SCCM image deployment solution that we were in the same boat of going around discs then hand and imaging machines one-by-one. So I worked with … from leadership explained to them what the headaches were, what the pitfalls were, unreliable installations, not consistent configurations, excessive calls to the help desk, and just poor end-user experience. Explained what the cost is going to be. It was not going to be any expensive, we’d have anything at the time.

And I wanted to get Microsoft themselves in to help us get it configured. But once we did, and we rolled out … we were on Windows 95 at the time. When we rolled out a windows 7 Office 2010 image, and we were able to roll out a hundred machines a night per floor or per section without users having to go touch the machines, they were amazed. And that solution stayed in place for 10 or 12 years. Until I left, it was still in place and working very, very well.

It sounds like what the motivating thing was, it was efficiency, but it was cost-reduction and efficiency. Those were the factors that tip to people to be supportive.

Absolutely. I mean like any company, they were very cost-conscious. So if I could show them hard real numbers, this is what we spend today, per machine. We image X number of machines a week, month, year. This is what it’s going to cost us up-front. But two or three-year return on that investment, you’re doing nothing but making money at that point.

Good. All right. So you just said something we’ll branch into my next topic. When you think about achieving some of these objectives, there can be three mindsets or approaches. You can do it yourself using your own internal IT resources. You can partner with somebody like you described partnering with Microsoft to get it done, to help with the lifting to make it happen, but not an ongoing thing. Or you can discharge it, have a third party do it for you I guess. Similar to like outsourcing or your Exchange administration. Overall, would you say that there’s a predisposition towards one of those three models versus the other within your organization?

Yes. Me personally, and I think this current organization is similar. I’m much more of a do it yourself if … But there’s a caveat and a big asterisk if you can do it yourself. If it’s not your strong suit, don’t undertake a significant project that could have a material impact on the company’s ability to do business, or to profit by trying to bite off more than you can chew. So even in my previous position, I took the same approach. 90% of the work we would do internally. But big projects that had high exposure, high risk, even though we could probably do it ourselves. It was worth the extra costs to utilize a partner that only performs that specific job and have that level of competence improved. And knowing that if something does go South, they’re on-site, they’ve done this a thousand times. They know exactly what to look for, where the pitfalls may be, and can help resolve it. Didn’t really do much in the way of discharging all of it. Other than some of the … as a service solution like the point in my current and previous positions and potentially this move to exchange, but even the move to Exchange Online in Office 365, you still manage it yourself. They just handle the backend software, hardware side of it. which can certainly be a time saver.

And so let me just hit on this. There are models you hear out there these days about the device as a service where you basically have a third party take over all of that day to day, low-level management stuff, and maybe even some higher stuff. What’s your perception of that?

I can see the need for it in certain organizations. I think smaller organizations mom-and-pop type shops where they really don’t have a technical team. And don’t want to incur the costs of, either an hourly rate for some type of a service company to manage their environment or the cost of bringing out a full-time person. I think that’s a great solution. But in larger organizations where you have a technology team, that’s what they do. That’s their bread and butter day in, day out. And that’s what people are getting paid to do. To me, it just makes sense to utilize them. Systems are getting complex and at the same time, they’re getting more simple if that, parody makes any sense at all. But I don’t see a cost of benefits from the big picture perspective, having people that understand your legal vertical or your company vertical is key. And I think you just can’t outsource some of that and expect to get the same level of support that you get from your on-prem badge engineers that work, live, and breathe within that ecosystem day in and day out.

And let’s see, I’ve got a few minutes left with you. Let’s talk for a moment about tools that the hardware OEMs provide. And your… the Dells, the HPS, the Lenovo’s of the world, are you using any tooling that they provide in order to manage the end-user compute assets?

We are not. We are an HP shop. But when they entered the machine, they do not re-install any of the HP tools. So they’re not using any of the native tools. In my previous life, we didn’t use it for the endpoint so we used SCCM for all the endpoint pieces? But we did not have SCCM on the server-side. So I would use some of the more rudimentary tools that were available with the servers for more of hardware, software management if you will, or the drafts for remote access to the servers or the … I can’t remember the name of it now, but the software that you would use to actually go in, manage the RAID array, manage the discs within the environment, be able to configure alerts for predicted failures, for drives and things like that.

It sounds like there are two approaches. These companies can provide a portal that a user or a manager like you could go into and access the tools through that portal. Or they can provide a suite of APIs, and you can integrate it with something like SCCM. If you move more towards that API approach, is there more value for you in that, or is that too much work?

I can certainly … I mean, if we were to get to a point where SCCM is going to be the management tool of choice, then having integratable API to that single pane of glass if you will, is a benefit to me. But the fact that we have SCCM, we have Intune, there may be something else out there I’m not aware of yet. I don’t know that I would want to go down the API road unless I knew that that was going to be my single source on-prem management solution. I do like the portal approach. But because I try to keep things as simple as possible, if I have a portal even if it’s able to use … if you find a third party portal where you can access HP, Dell, different vendors within that single portal and be able to manage them individually or as a group, that’s more of an ideal situation from my perspective.

Yeah. So let me play devil’s advocate there, a moment ago you said you were an HP shop. What does it matter if it did just HP dedicated tooling?

Well, it’s HP at the endpoints. On the back end, like I said, we’ve got an IBM AS/400, we’ve got windows servers, I think they’re all HP. I’m not completely sure. I swear I thought I saw some Dells in there but I can’t be 100% sure because my card does not get me into the server room. I know that they have … I think they have the Medat storage that they’re utilizing. So, there’s several different players the Cisco environment for the phone system and for the IP networking. So being able to have a portal that could access, each of these different components of a network would be convenient for sure.

And this may just be a snarky thought on my part. I apologize.

That’s okay.

You’re the CSIO. So why doesn’t your badge get you into the server room?

That’s a good question.

All right? We won’t go there. I started to rub a sore point there, but it just seems like there’s no obvious reason.

I have my opinions on it. But I don’t have any good definitive answer.

Good. All right. Let’s see. In that time I’ve got left-

And just so Dave, if we need to go a little bit longer, I am open after this. So if we’d go long, hope it isn’t so.

Yeah, it’s partly GLG role. So I can’t go more than a couple of minutes over but let’s see. We’ve talked about that. We’ve talked about that. You said you’re a Microsoft fan, but you’re using some things that are non-Microsoft, What’s your orientation trying to keep everything, all your tooling within the Microsoft stack versus going best of breed for certain point solutions.

I’m keen to go the best of breed. But I like Proofpoint, as an example, I strongly prefer their solution over what Microsoft offers for spam filtering. It’s probably a little bit simpler to let Microsoft manage it. Certainly, if we move to an Exchange Online model. But I’ve had great success with Proofpoint in the past. I like to hang on to things that have served me well until they stopped serving me well. So I am a big fan of Microsoft, especially for things like operating systems and endpoints. But when it comes to some of the ancillary tools to help support and protect those environments, I certainly lean towards best of the breed.

Alright, good. Well let me ask these questions and then I’ll give a minute to see if the team wants to ask anything. But so, obviously, we’ve got a current situation that’s going on. Factor that in, but also broader than that, at the stage of maturity that your organization is, what’s the thing you worry about the most? And what are the things that you do celebrate or feel success at?

The things that I worry about the most right now … so much. Public exposure of confidential data, either be an external hack or even physical security is very subpar. So, either of those avenues of accessing my data are alarming to me. And I’m sorry, I think there’s a second part to your question.

Yeah. The second part … So that’s the worry. What are the things that where you do celebrate or feel some success? Where are you making positive headway?

That looks pretty short so far. I think the implementation of Proofpoint was significant. I also … I had forgotten I did also implement KnowBe4. I’m not sure if you’re familiar with them.

Would that be N-O-V-I?

KnowBe4. K-N-O-W, and then the letter B-E, and then the number four.

KnowBe4, I get it now, I don’t know that one.

They are a training solution. And they allow me to craft as professionals or as rudimentary phishing campaigns. As I want to be able to send out to the company and be able to report back on our success and failure. That’s been very helpful for people to see-

An intrusion task or tiger team kind of thing.

Because you can send it out, and if somebody clicks on a link and they get a landing page that says, you’ve selected something you shouldn’t, these are the things to look out for. And this email that you just received, they cause you to do this, and we can report to leadership and HR what those numbers look like. Sometimes, I’ve actually had our general counsel not want to know what the numbers were. I think maybe he was looking for plausible deniability if somebody asked him because they weren’t very good.

Good. Team, we’ve got a minute. Anyone want to ask a question? We’ll take that as a no, I guess.

We’ll take the silence as a no.

Either that or they can’t find the mute button, one of the two. But I want to-

That happens sometimes.

All the time to me. I want to thank you very much for taking time with me today. It sounds like you’ve got an interesting set of challenges for yourself there. So, my best wishes for you. And again, thanks very much for taking time to chat with us.

Absolutely. If you do come up with some followup questions or things like that, you reach back out to GLG and schedule some more time.

We’ll do. Take care.

All right. Y’all have a great weekend.

Thank you. Bye-bye.

Bye-bye.

  Remember! This is just a sample.

Save time and get your custom paper from our expert writers

 Get started in just 3 minutes
 Sit back relax and leave the writing to us
 Sources and citations are provided
 100% Plagiarism free
GET CUSTOM ESSAY
Copyright © 2019
error: Content is protected !!
×
Hi, my name is Jenn 👋

In case you can’t find a sample example, our professional writers are ready to help you with writing your own paper. All you need to do is fill out a short form and submit an order

Check Out the Form
Need Help?
Dont be shy to ask