Building and Selling Cybersecurity Solutions – with Empathy

Transcription

[01:30] Andra Zaharia: Saaim has spent over a decade in cybersecurity. He’s seen how sales processes work in big companies. He’s seen what companies and business people deal with in terms of trying to secure their businesses. He’s seen a lot of this industry. But he’s always been very connected to the people outside of it – the people he’s trying to serve. Now, as the founder of Jumpstart Security, he’s taking a different approach and he’s trying to make this abstract field and these abstract concepts that we work with in cybersecurity. He’s trying to bring clarity, focus, and ease of use into everything so that people can actually feel like they have a handle on their information security program, and that they’re able to stay compliant; and to navigate around all of these pieces of legislation, all of these regulations, and ultimately, all of the must-haves to keep their business safe, their customer safe; and generally, just make sure that everything is on point. So, we talked about a lot of things in this episode, simply because both, me and Saaim, share the same values and the same principles about the human aspect of cybersecurity, and what actually makes a difference when you talk to people and try to get them interested in this topic. And not just interested but, hopefully, motivated enough for them to actually act on what they know is right for themselves and their business. So, I hope that you enjoy my conversation with Saaim. And I’ll hope you get curious to discover his perspective on things and follow his work because he’s doing great things not just in the cybersecurity ecosystem but also for businesses in Australia and beyond. So, enjoy.

[03:45] Andra Zaharia: Saaim, so excited to talk to you today. First of all, because I know that we share the same principles when it comes to cybersecurity, in general, and how things happen in the industry and how people contribute to it. The second of all, because I really like your perspective, in terms of what it takes to build a business in this space and how you do it and how you’re committed to making that contribution, a meaningful one and a valuable one for the industry. So, I wanted to ask you today, how do you use empathy in your work to make sure that that contribution that you’re making to the cybersecurity community and to those who benefit from it is aligned with your principles and goals?

[04:34] Saaim Khan: I think the answer is in itself is if you are part of a community, whether it’s a functional community like cybersecurity or if you’re part of a larger community like the small business community. I’m a small business owner myself. For me, I asked myself one question, which is, if someone was trying to say this to me, sell this to me, communicate this to me, would I buy into it? And if the answer is no, then why should I expect anybody else to buy into what I’m trying to do? So, I always have to think about it from that perspective. And it’s easy to get caught up in drinking your own Kool-Aid, that what I have to offer is the best in the market. People are much more educated right now about things; they know a scam when they see one, which seems to borrow something that happens in the cyberspace quite a bit. So, the guiding principle around empathy that I would use is to really ask that question: Would I buy it? Would I believe it? Would I do this? Would I believe this? And if I can’t honestly answer that, then I have no right to be asking others to buy into it either. So, that’s, I guess, my empathy tool that I use, I suppose.

[05:50] Andra Zaharia: And I think that’s a very fitting one, especially when we find those connection points to people who are like us. Because if we want to, obviously, engage – whether it is to sell, educate, or otherwise support people who need some kind of cybersecurity product or service – you need that bridge, you need that emotional connection, because otherwise, it’s not going to hit home. We all have this challenge of trying to get people to act proactively. And obviously, that is one of the biggest challenge that humanity has to deal with on several aspects. So, you’ve worked with big companies, you’ve worked with huge teams, and so on and so forth. So, what was it like to connect to small business owners, when you started out, when you started building the company?

[06:40] Saaim Khan: A lot of challenging statements to hear, a lot of beliefs being challenged. I say that because having worked a lot in the mid-market space and the enterprise space or the entry-level enterprise space – like 1,500-employee companies or around that size – there’s a process in place, there’s a procurement board in place, there’s a business case process established, there’s change management, and all of those things. And everyone follows the bureaucratic wheels, so to speak, when you’re talking to them and getting things across the line even when it’s a new project or it’s a company need. In small business, it’s not like that. It’s more along the lines of “This looks good or this does not look good, because it’ll help my business or hinder my business, or help me or hinder me.” So, a lot of your core fundamentals that you’re taught when you learn pre-sales or when you learn about how to do solution selling, they go out the window. A small business owner is more concerned about “Okay, how do we secure data on this computer? I don’t care about having backups which are five-nine guaranteed, how do I save data? I don’t get it.” So you have to have that individual personal conversation. Otherwise, you are just another salesperson who’s flogging a different brand of snake oil to them. So, it was a lot of unlearning for me.

[08:05] Andra Zaharia: Yes. And sometimes it takes a lot more than learning new things, at least in my experience. What I really appreciate about your work is that you bring a lot of clarity and simplicity to an area that’s especially complex, convoluted, and generally, plagued by fear, uncertainty, doubt, urgency, and a lot of emotional triggers that kind of point people towards negative emotions. So, I was wondering if you could tell me from your experience what does cybersecurity – data security – look like when it builds on empathy, instead of fear, uncertainty, and doubt or other negative emotions, generally speaking?

[08:49] Saaim Khan: It’s an enabler. It’s something that gets you from point A to point B. So, call it an enabler, call it a conduit, call it a catalyst, wherever you want; it’s a means to an end. And if you start looking at it, in that perspective, a lot of opportunities come up. With the fear, uncertainty, doubt, I mean, it’s not just fear, uncertainty, doubt. It’s kind of like if you’ve ever seen one of those tele-shopping ads; “But wait, there’s more.” That’s not a negative emotion, that’s a positive emotion, but that’s saying “Oh, we know this is too good to be true.” I think it’s better if I explain it in an example. When I talk about compliance, for example, ISO 27001 certification. The way that I talk about how it’s beneficial is when I have a conversation, it is, “Are you tired of filling out the security questionnaires with the 100 odd questions? You know what’s the first question they ask, right? ‘Are you certified?’ And if yes, you can skip question 2-99. You can just proceed to the last question. It’ll help you save time.” And secondly, “In whatever space you’re working, how many of your competitors are ISO certified? It gives you an edge. That’s an enabler. It saves you time and it wins your business.” That’s how I talk about cyber. When we talk about, let’s say, data backup and data security, hackers will use your network storage to propagate CryptoLocker and ransomware. My response to that is, do you follow what’s normally quite common in our industry called the three-to-one strategy? Three sources across two locations. For the love of mankind, remember what three-to-one stands for [10:29 inaudible] saying, “Oh, you know, it’s in our industry.” It’s also important to be humble. And sometimes you forget things. I forget things half the time. I am a subject matter expert but I’m also human. So, you tend to forget things as well. And you need to have the humility to accept that in front of a customer saying, “I’m actually not sure about that,” or “That escapes me right now, can I get back to you?” But then you build trust by then going back to them, you say what you say you do.

[10:53] Andra Zaharia: Exactly. Just sticking to the promise and making sure that people have the trust in you. I find that one of the key things around cybersecurity is for people to have someone they trust, whether it’s a friend, or a family member, or a business partner, or an employee even, or a provider of services or products; I feel that having that person to trust because they know they empathize with them, they know that they have their best interests at heart. That’s where change starts to happen actually, that’s where good habits come into play. And it makes it so much easier to navigate this industry or simply a range of tools and choices that have so much complexity and so many decisions associated with them. So, I really liked that. You talked about this specifically. And I also wanted to ask you, how did you end up in cybersecurity? And what attracted you to this industry? What made you want to pursue building a business which is one of the most difficult things that we can do, specifically in this area that is one of the most difficult to tackle, to be honest?

[12:06] Saaim Khan: So, I actually started my career in the early 2000s. Software Developer by qualification, and naturally fell into the Business Analyst route. Did a lot of technology consulting with small and micro businesses in the microfinance space. At that time, Grameen Bank was the region, a lot of small microfinance organizations spreading up around Asia. So, that’s how it started. Then the GFC happened, had to figure out what to do. The best thing to do in the time of the global financial crisis was to go back to uni. So, that’s what I did. And I migrated to Australia and I came here. Here’s where I fell into cybersecurity. And there’s a little bit of empathy here as well. I had no intention of applying for any jobs in cyber. A friend of mine had just been made redundant at his role at a visa immigration firm. And he was very, very down in the dumps. And I said, “Hey, I’ll help you apply for jobs. Look, I’m doing it as well.” So, I took my laptop, sat next to him. And I saw this job saying, “Cybersecurity project manager role.” And I’m like, “Oh yeah, I’m studying Project Management at UTS right now, I could probably do this. And I’ve got an IT background.” So, just to motivate my friend to keep applying for jobs, I applied for cyber, I applied for that job. And then I forgot about it. A couple of days later, I got a call from the CEO of that company, saying that he wanted me to come in for an interview. And I had no idea what he was talking about, so I was like, “Oh, wait, no, I did apply for this. So, I should go in. I should probably read the cover letter I wrote.” And then when I went in, I understood the nature of the work. I’m like, “Yeah, that’s pretty straightforward.” And that’s how I got into it. This was 2009-2010. And here we are, helping someone, motivating someone to apply for jobs kind of is how I got into cybersecurity. There’s nothing glamorous about it, that’s literally how it happened.

[13:57] Andra Zaharia: It doesn’t have to be glamorous to help people. I think that that’s one of the things that we need to sometimes emphasize simply because we live in such a world where everything is hyped up and everything has to be so polished and perfect. And well, 99% of the time, it’s fake. So, I’m all for real stories. And I think that we discover a lot of things about ourselves when helping others or when trying to explain things to others. It brings so much clarity. And to me, at least, having this type of conversation that I’m having with you right now is usually one of the richest sources of ideas and inspiration and energy that I ever get. So, I’m very thankful to be able to learn from these stories. Looking forward, how do you feel that empathy could drive the industry forward, drive cybersecurity forward? Because we have a bunch of challenges to tackle, it feel like this industry is one of the critical industries that has to ensure stability, not just in technology, but further looking into geopolitics and other complicated stuff. So, I think that the conversation that I’m trying to start is how do we use empathy to move the industry forward in a way that’s beneficial, and that attracts people who are kind and committed just like you.

[15:21] Saaim Khan: If I think about it, and the more I started thinking about it, the more I started to feel that it’s a little bit of a paradox. And I’ll tell you why. If you look at this industry, you have to look at it from three particular perspectives. So, you have to look at it from the commercial perspective, where you’ve got the vendors, you’ve got the solution players, you’ve got the value-added resellers, you’ve got the consulting companies, you’ve got the academics who are contributing to research, and you’ve got the ethicists who are coming up with new dilemmas that cyber is venturing into. I mean, cyber is nascent compared to engineering and medicine and all that, so we have got new ethical issues. The paradox exists because the first group of people are motivated by commerce and growth. In today’s world, where everything is a multiple of something, there’s no empathy over there. The academics, there are some great academics out there doing some great work, but the academics are too far removed from realities. And the ethicists are caught up in the moral dilemmas of their own creation. There’s a fourth group here, which is the rest of us. And it’s the rest of us that have to help each other.

[16:39] Saaim Khan: So, as simplistic and John Lennon-esk as it may sound, be kind to each other, smile, imagine. Obviously, what does that mean in a practical perspective? I think society is judged by how it treats its most vulnerable. In a cyber context, that actually translates to individuals, especially disadvantaged individuals – whether it’s economically disadvantaged, or physically disadvantaged, or at some disadvantage – it’s smallest tiers of business and commerce, which is a problem I’m trying to address. I can’t realistically, at this stage, go and help individuals at scale, but I can help small-tier commerce organizations, which is what we’re doing with Jumpstart. But only when we secure our most vulnerable is when we would actually feel empathy because they are the ones who are actually facing the biggest brunt of issues because they are the closest to the coalface, so to speak. That is how I think we can get out of this paradox. Now, at the same time, the first group of people I refered to – the corporates, and the vendors, and the big players – they are also now starting to branch out and do some social conscious efforts by making available tools, or by investing in education, by contributing to STEM; trying to get more and more people climatized to digital and cyber. But that’s not enough, because that’s only application. So, like I said, only when we start addressing the most vulnerable in our society will we actually get to a point where empathy is commonplace, otherwise, till then, it’s individual efforts. And sometimes you manage to make a big impact, sometimes it’s small – usually, it’s small. I hope that doesn’t sound very pessimistic, but this is based on my understanding and my interpretation of where I see cyber and where I see the world right now.

[18:46] Andra Zaharia: I don’t think it’s pessimistic at all. I think that it’s realistic. I really believe in being realistic about how things are, so we can actually do something about it because, otherwise, pessimism will drive our energy down. And being overly-optimistic will probably determine us to not be truly in tune with what people need. And as you mentioned, and I loved that you shared this perspective because this is a difficult thing to think about. And I think that we are so inclined, nowadays, to escape difficult things and to try to fill our minds with something else so we don’t have to deal with certain issues that can be very painful, either on a personal level in your close circle or just society-wide. So, I think that you spoke to a very important issue here, and I value your contribution. And thank you for taking the time to talk about these things and to share your perspective. So, honestly and candidly, it makes a world of difference. And really looking forward for listeners to connect with you and your work with this message and take it further. So, thank you, Saaim.

[20:01] Saaim Khan: Thank you so much, Andra. Thank you for the opportunity. And it leaves one with positive energy and a general positive feeling when we’re able to have open and frank conversations. So, I really appreciate what you’re doing here. And I’m going to follow with interest, the other speakers that come on. These are important conversations that we need. These don’t happen often enough. So, good on you for kickstarting this initiative.

[20:25] Andra Zaharia: Thank you. So, as you know, we’ve talked a lot about empathy and self-empathy on this podcast. And that means giving ourselves a break. Which is what I’m going to do over the holiday period that’s coming up. I will come back in January 1st with new episodes. There are a bunch that are just waiting to be released. And I’ll be more than happy to renew my excitement for this podcast and for reconnecting with you once we’ve had a good rest, once we’ve given ourselves a break, and once we’ve enjoyed some offline time where we just let our brains just breathe, just sit, just process everything that’s happened this year. So, I hope you have a few calm, peaceful weeks that replenish you with everything that you need. And I’ll be back with a new episode in January. So, enjoy, and I hope you have your best year yet.