NextLink Labs CEO Jordan Saunders talks about the basics of DevOps to drive digital transformation across IT projects.

Transcript

Interviewer (Jonathan Kersting): You are listening to the Digital Transformation series, this is Johnathan Kersting with TechVibe Radio in the Pittsburgh Technology Council, hanging out with Jordan Saunders from NextLink Labs. NextLink is the owner of this series and we get to have a lot of fun and talk about all the different issues and trends and things you got to be thinking about when it comes to all things digital transformation. So, Jordan, I love hanging out with you, these are such important things that we are talking about, I just love it.

First Interviewee (Jordan Saunders): Yeah, I had a great time on the first one and I am happy to keep recording a bunch of more, it is exciting to talk about some of the work we are doing and get the name out a little bit and hopefully provide some value to our listeners.

Jonathan Kersting: Absolutely, you got one of your partners calling in from Philadelphia, from the four other side of a great commonwealth of Pennsylvania, we have Will from Zaviant in here… Will, Thanks for taking the time and dialing in with us today.

Second Interviewee (Will): It is great to be here, thank you for having me.

Jonathan Kersting: Absolutely. So, quickly, let our listeners know a little bit about who is Will, and what is Zaviant up to these day?

Will: Sure. So my business Zaviant, we started a couple years ago, we focus on data storage and privacy, my background, I started out as the external auditor for KTMG, working with them to do all types of reviews which is financial statement audits, looking at the IT controls and financial statement, what we were doing is a 7-year report –which have now kind of turned into [inaudible 01:37] report and from there I moved on and worked on podcast for an advisory group, we would do a variety of different projects around anything from security internet response to ITS and management, reviews and solving engagement, and most recently, prior to starting Zaviant and working with IBM, a data security and privacy group, we were helping both commercial and external clients to implement security controls, to protect critical infrastructure in their business, we worked with a lot of different companies in the healthcare space, we worked in [inaudible 02:25], we worked in mostly regulated spaces and towards the end of my time with IDM, moved on to picking up this new thing called GDPR when I started my business, has been a very focus on emerging data privacy regulation.

Jonathan Kersting: That is super cool. So, how did you and Jordan cross paths, seems like you guys have some seriously cool strengths and synergies and bringing you guys together is pretty cool. Jordan, how did you guys find each other.

Jordan Saunders: Yes. So, I have known Will for a long time, and just knowing how brave he was and how focused he was on servicing his clients, I found out in the field that cybersecurity and privacy were these two areas that were just becoming a growing concern with all of our clients and to me, it wasn’t enough to just be a digital transformation services company without really considering all the security and privacy requirements that are out there and you know, we understand that most companies, it is a team support, and so we really felt the need to form a partnership with someone, with Will’s expertise and his company’s expertise to really fill in the gap that we have, we are a cyber-secure organization, we follow the best practices here, but there are some things that we need to lean on a true expert, the same way our clients lean on us for the things that we are experts in. So, I was really fortunate to have crossed paths with Will, and realized kind of the synergy and the benefit we both get from working together.

Jonathan Kersting: It seems like an awesome partnership and as you mentioned, cybersecurity is just so crucial, it is not something that you can just sprinkle on at the end of a project.

Jordan Saunders: Exactly.

Jonathan Kersting: It is got to be forced up on and everything has to be built around that, so bringing in a guy like Will is just absolutely amazing. So, maybe go over kind of ways you guys are partnering up and how you are working with some clients here, in order to kind of bring this whole focus across every project.

Jordan Saunders: Sure, I mean… like I said, we are a cyber-secure layer as a company, NextLink is, but we don’t have the level of expertise that Will has when it comes to the fine knowledge of all the different regulations that are out there. So, that’s where it really comes in handy to have someone like Will, where we can partner together and he can provide his deep expertise on the different compliance regulations and exactly what they mean, and when it comes to the actual implementation, you know, some of that end up being in his field, some of that end up being in ours, together we have some great coverage and I will let Will try to tell us how it has been like from his side.

Jonathan Kersting: Yeah, tell us Will, for sure, what is going on there?

Will: Yeah, so, kudos to Jordan, I think one of the things that I see very often is, sometimes folks who are more on the implementation side, a lot of times, they do this, and they want to be able to do everything with for their clients and help their clients in every way possible, and a lot of times, it is kind of a situation where without having some subject knowledge expertise in an area, you are not going to be as successful as someone else who spends their entire career on that. It is very similar, going in the other direction, for me, there’s areas in my business where I will run into a situation where a client needs a technical solution to a problem and that’s not necessarily in my role, it is great for me to go back to a guy like Jordan who I know, he can come in and take the technical requirement and go ahead and get that done for our client, it is a very nice end-to-end solution, but again, I think it is just important, when you are doing an IT implementation, or even securing a business more generally, it is important to know where your skills kind of begins and ends and Jordan and I are both deep subject matter experts in the things that we are great at, and we are really fortunate to have each other…

Jonathan Kersting: Very cool stuff, I just get excited, like I said, it is like the chocolate and the peanut butter kind of coming together. And the person that benefits the most honestly is the client at the end of the day because they are getting, like you said, the best, they are not getting someone who dabbles around in cybersecurity, they are going to the absolute pros. So, what I find absolutely daunting, I am sure it keeps you up at night too, both Jordan and Will, is the technology is evolving so quickly, that as you develop solutions, you need keep redeveloping them to address the fast change of pace. Am I correct in being freaked out and staying up at night Jordan?

Jordan Saunders: Hopefully not, as far, as keeping you up, because me and Will are on it, but I would say that your worries are definitely a little founded, it is not just the technological changes that are frequently changing, but there’s also change around the regulations, which I know Will mentioned GDPR and how that’s kind of been dragging kind of the cybersecurity requirements along with it, because that’s kind of a heavily privacy-focused regulation, but there is a large cybersecurity component of it. And so, it has been really interesting to see how between the technological changes and the regulatory changes, how fast everything is changing, it is really tough for businesses to keep up without internal subject matter experts or engaging a third party expert like me or Will.

Jonathan Kersting: For sure. Now, I can imagine many companies would at first try to tackle this at first and they realize they are in too deep, how often are you called out in the middle of an engagement to kind of pull the beacon out of the fire as opposed to you being on the front-end… I keep encouraging our listeners that as you spin these projects up, talk to the experts and the pros first by all means.

Jordan Saunders: Sure. I will let Will take this from a security standpoint.

Will: Yeah, this is a great point. We actually were engaged recently by a guy who is an IT systems administrator and this CFO of this business basically said to him, hey, I need you to get the GDPR compliance, I mean that’s just the monumental, for an IT systems guy… it is not a realistic request for someone with that skillset and it is not to say he is not a very capable or smart guy, and I am sure the CFO saw that and trusted that he would be the guy that could get it done, but he started to reach out and we had some very basic conversations, to try to understand what the actual requirements were and he very quickly realized that this was not something he would not be able to accomplish by himself. There are a couple things that apply there, I think as new businesses emerge, they are using a lot more stack-based technologies, and they are using a lot more sophisticated approach, just to build the technology stack, which is helping companies in a lot of ways, but, you know, if you are a company that has been around for a while and you have been doing things for a certain way for a while and maybe it is not a sophisticated way, you are using the [inaudible 09:54] breaking technology, you are going to have a very heavy lift to get some of these requirements in place not just from a data privacy perspective, but from a general IT security perspective as well.

Jonathan Kersting: Very well said. What are some of the typical mistakes you are seeing as you are kind of brought into these engagements? Jordan, do you want to take a lead on that?

Jordan Saunders: Sure, so I mean, like Will kind of outlined there is, a lot of times, it is just putting a team or a couple of individuals on this initiative when they are not really well suited with the skillset. There’s a lot of skills, so for instance, if I were to take a cybersecurity initiative and there’s a lot of things I know and we do kind of establish best practices in the I.T industry. But it wasn’t really until working and focusing and doing some work with Will we realized that so many of our best practices are really based on security compliance regulations. And so, these are things that have just taken a long time for us to learn, and I think again, like a common mistake, is just putting on the wrong type of role, the wrong resources towards this sort of initiative and they make the same sort of mistakes you think are for any security naïve organization trying to improve their security there.

Jonathan Kersting: So, obviously, bringing the right resources in upfront is going to lower your total cost of ownership. It might seem a little more daunting upfront, because I know this is going to cost more to put out now, but if you actually run that over a course of three, four or five years, you are going to see it is actually going to streamline things, making things a whole lot easier as far as that goes.

Jordan Saunders: Absolutely.

Jonathan Kersting: So, maybe give us an example how you guys have brought in from the get-go, in order to step things up right, to really make it fast running, super quick projects.

Jordan Saunders: Yeah, I mean the extra cost comes into just where you think, if we brought up from the start, we are able to go in and assess where they are at, we are going to make a plan to move forward, we are going to execute on that plan, and then continue to maintain that plan, I think me and Will both kind of operate all of our engagement under that same sort of process, maybe slightly different names, but that’s basically how we define our process. And when you are able to do that, with the proper planning, execution, you don’t have to do things twice, and I think that more often than not, when you talk about…

Jonathan Kersting: We like doing things twice…

Jordan Saunders: I don’t think anyone likes doing things twice.

Jonathan Kersting: Yeah.

Jordan Saunders: But you know, when you come in for a second and you do things and maybe you make a few mistakes, a lot of times you are engaging experts, you are not really sure where you are at, so it is really tough, I know especially Will being with all these regulatory compliances, it’s not possible for him to come in just half way and just trust that, okay, this stuff is done and now we need to move forward, I mean he has to come in and actually assess where things are and go through this full process from the start, so… you can imagine that a lot of that work goes down that might have just been thrown away.

Jonathan Kersting: Yeah, that’s just complete time and money lost at that point.

Will: Yeah, a lot of times too what we will see is, companies will have some of the things that they need to have in place, they may not always be in the right area, may not always be done correctly, but they have made an effort and so our first step with many of our cases and Jordan’s point is to go in and do a gap assessment and understand the current state of the company, the current state of affairs and take inventory of what are the problems that exist in the business and if it is a specific project, what are the problems that exist within that specific project? From there, we will really kind of craft a solution that is unique to the client, and that’s another thing that I think is a little bit difficult for people to understand, like why do we have so many problems with cybersecurity, you know, larger companies with this a lot, and the truth is, there is really not a one-size-fit-all approach, like what Jordan said… you really need to understand the environment, every environment is different and there’s different characters involved, there’s different infrastructures involved, they are using software, some solutions and you know, it is a situation where you really need to go in and fully understand that before you start to build a solution out of it, what we find is that the in-house people who try to tackle these problems, they don’t have the global context around what solutions are available to that, so they are a little bit myopic in their approach, they will do what makes sense to them, they will use technologies that makes sense to them. But one of the benefits to being with a consultant and I know not everyone likes working with consultants, but one of the benefits of being with a consultant is certainly that you get more of the global perspective, and you get to see what other companies are doing it and how they are tackling problems and then you get to apply those elsewhere and spread that around and help everyone to achieve what they are trying to achieve, with their cybersecurity goals.

Jonathan Kersting: I think the biggest takeaway that I keep hearing from you is the fact that there is just no one particular solution that gets layered in or intertwined, it is all 100% customized, you know, based on the unique needs in the environments in which these companies and systems are operating on, that’s…

Will: That’s definitely the case. You know, you take an example of a client that may have regulated healthcare data, now we know that client’s needs… [inaudible 15:46] well say, 16 months or 20 months, that client then decides, hey, we also want to be able to settle employees and their healthcare data, that’s a different categorization and they are called tri-care, they are all separate set of requirements that you need to think about in order to handle tri-care data, so, there really is, no one-size-fit-all, and it really kind of evolves with the business and evolves with the risks that are unique to each business and each business has it’s new market and is going to consider, how do I actually make sure that I am compliant, how do I actually make sure that the best practices that I need to have in place are in place, that’s really a two prong approach, you have security control certainly, but you may be using outdated infrastructure, you may be on a platform that currently does not support the requirement and you have to make a determination, is the value of that new market really actually worth updating my infrastructure to support the solution and that’s again an area where it is very nice to have a guy like Jordan who can explain the requirement to that client, explain to them what they need to have in place, to get to where they need to be and actually help them to get there from a technical communication perspective.

Jonathan Kersting: Very cool stuff. So, wondering if we could switch gears a little bit, there is something in my talking points here that I think we really need to discuss, and it is about a 30-million-dollar contract that was lost out on, I was meaning to change the names and not using this to protect the guilty and the innocent. But, fill us in on saving a 30 million dollars’ project.

Will: We actually see this a lot, and it is becoming a situation where the companies do not just want to work with companies they actually have the appropriate controls in place and have a secure environment that they feel comfortable sharing their database with that other company. A great example of this is [inaudible 17:51] FPG and SPG have been previously breached and it ended up impacting [inaudible 17:59] breach and things were stored on like card information, password information and it made a lot of sense, we had to find who reached out to us and we had this potential contract that we were trying to get up, but we don’t have any of the security control values we need to meet the obligations of that contract and that situation where you have to make an internal determination of, you want to adapt to getting all of these things in place in order to be able to service this business, which in this particular case is a very sizeable contract. We are seeing that these requirements are leading the ways into feasible contracts if you can’t agree to them, then you can’t service them, and even worse, we are seeing situations where we have clients who have agreed to things in contracts and then they turn around and realize, oh crap, I actually don’t have any of this stuff, I haven’t done any of this stuff… How do I get out of it? I am in big trouble here.

Jordan Saunders: I was going to say that we have seen the same thing and a lot of times, that’s how we end up really engaging Will and his company is, we have clients we have been working with for a long time, and their businesses are growing and they are looking to engage new partners on their side, and just like Will said, they would get a contract that would be a massive gain for their business, but you know, buried in there is a few lines about the level of cybersecurity compliance that they need to be at and it is kind of like, oh crap, what are we going to do? We need to get up to speed, otherwise we cannot sign this contract, and so I think for a lot of companies, that’s why cybersecurity and privacy is really coming into focus and if you ask me, I think it is only going to increase.

Jonathan Kersting: How can it not? It is only going to get bigger and bigger, and it is important we are having these types of conversations. So, Jordan, tell me a little bit about the synergy between DevOps and security and how that kind of comes together, because there is a number of ways to start explaining it at that level.

Jordan Saunders: Sure. So, I think that Will kind of touched on it a little bit when he mentioned how certain companies’ infrastructure doesn’t really support making some compliance easy, and so for DevOps, it is really getting the concept of developers and the operations teams involved and working together from the start of a project, just like you mentioned Jonathan, we want to bring security in and have that be a focus from the start of the project. So, there’s actually being this new term that gets thrown around, another buzz, Dev sec Ops, where it is really from the start of the project, bringing in security folks with the development team and the operations team to kind of all work together in synergy and make sure that all the different aspects are taken care of and security is, like we said, a major aspect that needs to be considered and so a lot of the new tools and the new processes that you see happening in the industry around DevOps are now down with the goal to make compliance and auditing much easier, and if you… let’s say are very DevOps-naïve, chances are becoming compliance is going to be a little bit more of a challenge for you.

Jonathan Kersting: Absolutely. So, where can people learn more about you and all your expertise?

Jordan Saunders: Yeah, so we are at Zaviant.com and definitely check us out on our website, I am on LinkedIn as well, but you will get a quick… some of the things that we work in, and obviously if you have any question… if you are working through a problem and you want to [inaudible 22:06] my team, I am happy to help and point people in the right direction. One of the things that I found with my business is, having some of these questions and a lot of times we get so many of these questions from technical and very smart people. So, they are a little bit reluctant to reach out to us because they feel they can do it themselves, but you know, we really do have an approach where we want to work with you and we want to understand what problems you are facing and come up with a real practicable solution to that problem, we are not looking for an opportunity to upsell you on a bunch of different things that you don’t need to do, we just want to make sure we do the right things to protect you and your business.

Jonathan Kersting: You guys are here to help, and of course NextLinkLabs.com. And you have an assessment tool on there as well, do you Jordan?

Jordan Saunders: Yes, we have assessment tools to kind of make technological readiness to identify gaps and how companies’ technology departments are operating and suggestive improvements and it is great because people that visit that and do that get some value out of it, and understand kind of where the gaps are and where they can make improvements and then if they want to engage just after that, it is a good baseline so we kind of know what…

Jonathan Kersting: You set the foundation, right?

Jordan Saunders: Exactly. And make those initial conversations a little easier and hopefully for some people, they will get some value out of it without ever talking to us.

Jonathan Kersting: Without a doubt, I think at the end of the day, don’t be shy, if you know you are stuck in a little project, give a call and if you are thinking of a project, even more importantly, or preparing, this is the perfect opportunity to call these two guys in and really make sure you are on to a sound footing as far as that is. So, Jordan, so much fun hanging out, talking about digital transformation.

Jordan Saunders: Yeah, it is always a good time.

Jonathan Kersting: It is a cool company, you just started this thing up and once again the website is NextLinkLabs.com, lots of great information there on how you can connect and learn more about these types of things. And Will, thanks again for calling in, we so much appreciate it.

Will: Thank you for having me guys, it was a pleasure talking to you.

Jonathan Kersting: Great stuff everybody, this is Jonathan Kersting, with the Pittsburgh Technology Council and TechVibe Radio at Huntington Bank podcast studio.