Where Are Your Crown Jewels? - Tony Schimizzi - Guardians of the Data - Episode #45

GOTD - Tony Schimizzi
===

Speaker: [00:00:00] Welcome to Guardians of the Data. I'm your host, Ward Balza. Each episode will explore the passions, expertise, and real world experiences of security leaders who are helping the future of data security and governance. Guardians of the Data is made possible by support from Sentra. To learn more about our AI powered data security platform, please visit sentra.io.

Let's dive in.

Ward: Welcome back to another episode of Guardians of the Data. My guest today has almost 20 years of experience in the industry. Like myself, he has been in the corporate world, in consulting, and in the cybersecurity vendor space. Currently a senior cybersecurity consultant, Tony Schimizzi, welcome to the show.

Tony Schimizzi: Appreciate you having me. Thank you

Ward: So Tony, in your professional opinion, what's the biggest data security challenge that organizations are facing?

Tony Schimizzi: So I was, I was thinking about this, um, I know it's, uh, the key question you guys ask, and, and a couple things come to mind. But I did hear an interesting quote recently that, that I think kind [00:01:00] of starts to answer this, right? And it's, "Companies no longer fully understand or control identity, access, and the data movement across their environments." And that, that, that's a scary statement. But I think to kind of directly answer what the actual challenge is, I, I think it still boils down to companies not doing the fundamentals well,

right?

Ward: Hmm

Tony Schimizzi: Um, and, and it's the, the fundamentals, the, the, the focus on it, right, the, is being accelerated by the sprawl of threats and, and data everywhere and identities, um, have kind of-- It, it, it's just all over the place, right?

So they can't really control it well. Um, so I think sticking to the fundamentals is, is, is-- that are failing to stick to the fundamentals is likely one of the biggest reasons, uh, for data security challenges. Um, and, uh, you and I are always one of those people that's like, "Well, what, what does that mean?"

Right? "What does

sticking to the fundamentals mean?"

Ward: Yeah

Tony Schimizzi: I'd kind of say [00:02:00] respect to data security challenges, right? Some of the fundamentals that come in mind, other, other guests have kind of talked about some of this before, but it's like things, asset management, right? Hardware and software.

You gotta, you gotta have visibility, um, in, into what you own from a, from a hardware and software perspective, right? You can't control or protect what you can't see. I think, I think everyone would agree with that. Um, and then on the visibility perspective, right, we're looking at like visibility from the network, visibility from the hosts, right?

Central log management, whether you want to call it a SIEM or whatever you want to, like there needs to be some, at least some sort of central log tool. Um, and then just fundamental security controls around protecting actual data, right? Like DLP, UEBA, and, and the, the overarching con-concept of like zero trust architectures, then just that up with proper access management and data classification, right?

I think, I think those are really kind of the fundamentals, um, and, and people have gotten away from it, and I think that's really kind of like the [00:03:00] big challenge nowadays and, and specifically with data security, but I think higher in, in cybersecurity in general. I think a lot of people are chasing kind of the, the next news story, and they're, they're kind of failing to forget the fundamentals.

Ward: Yeah. Yeah. And, and we joked about this, but that's a wrap, right? That's the entire episode. Like, do the fundamentals, you're good to go. Knock it off, everybody.

Tony Schimizzi: Yep

Ward: uh, let, let's dive into that a little bit, 'cause I, I actually, h- how you ended that statement I think is spot on, right? Like, people are always chasing the news stories because let's be honest, they don't want to be in the news.

Um, but I think I would add to that, you got a lot of people that are chasing just the shiny objects, right? That new thing that's coming out. Uh, you know, five years ago when the proliferation of AI, uh, or, or AI-enabled technologies, you know, really started, everyone's like, "Ooh, I gotta have that." Well, why do you have to have that?

"Well, 'cause it says AI. Of course I have to have it." And, you know, we continue to see that, right? "Oh, I need to have [00:04:00] that Copilot." Uh, why, why? "Well, because Microsoft says I own it, so of course I gotta use it," right? "I need to, I need to use Microsoft Copilot." Um, so totally, totally agree with that. A lot of people doing it.

But let's, let's bring it back to fundamentals. So usually I ask my guests, what are we gonna do about it? And I think the answer is do the fundamentals. But I want to ask you, Tony, because again, like myself, you have been in kind of the, the three personas in your career. You've seen this from all angles.

So my question to you actually is, why do you think that we still, we cybersecurity professionals, still continue to fail at the fundamentals?

Tony Schimizzi: It's a great question. It's not sexy, right? So I think that's, that's kinda like the first thing, right? Is, is, it's it's not, it's, it's, it's not a sexy toy to play with. It's not a buzzword. We're not talking about AI. We're not... We're talking about, like, fundamental stuff like least privilege. Like, make [00:05:00] sure Ward has only access to get to the things that he needs to do to do his job, right? Um, I, I think that's just part of it, right? But then the fundamentals, and, and I'll kinda put my, like, consultative business hat on here, or even, like, my old school, like, back when I was an engineer and architect in- inside the companies. Sometimes the business and, and the business operations and the things that they need to do are going to trump any sort of security initiative control fundamental that you can put in place. And what ends up happening is, is a couple things. One, it starts to set a bad precedent that you can no longer kinda pull back, and two, it starts to create kind of like a slippery slope with it, too. So once that, that's kind of set in stone, or once that precedent is made, the fundamentals start to lax, right?

And I think that, over time, has kind of like snowballed into you could some consider like, "Oh, this is corporate culture," right? "This is the

thing we [00:06:00] do." Um, also have to remember this, too, and this is gonna hurt for most of our security friends, right? But, like, to remember that security people within an organization are a double negative, right?

And I'll tell you what I mean by that. IT people are, are, uh, like a, uh, an operations expense, right? They cost the business money, but they can justify it, right? Because they're like, "Oh, the network's up," right? "Oh, the application's up. The backend database server is good. The thing you need to make money that I run is up and running," right? So organizations will look at that as like a, "Oh, okay, they cost me money, but they definitely make me money," right? me where security makes you money, right? That's, that's another tough part, is being that double negative, where you're like, you are getting a pretty decent salary, right? And you arguably are not actually generating revenue, right? Now, you can, you can enable the business to generate revenue in a safe way,[00:07:00]

Ward: Mm-hmm.

Tony Schimizzi: but likely there is no security initiative that I can think of in the 20 years that I was doing things that directly generates revenue. So I think those are a couple big things, right? It's hard to stick to the fundamentals when the business needs to make money. Um, had this slide of, of corporate culture, um, and then just really understanding your position as a sec- as a security professional, right? You, you are inside of an organization. You are a double negative to that company

Ward: Yeah. Yeah. I mean, I, I agree on both points. Uh, I'd like to go back to your first point, 'cause I, I think that one's really, really important. Um, the whole idea of, of business trumping, it's gonna happen, right? It, it's why there's a term called exception, right? It's why exception and exception management's incredibly important.

But, um, and, and I remember saying this to a leader once upon a time, um, if everything's an exception, you no longer have a standard, right? Like, you're, you're literally just flying by the seat of your pants, which is kinda what I, I heard you say in that statement. It's like, "Look, like, I need to do this [00:08:00] thing.

I need to do that thing." And, and, you know, um, i- if you're not actually tracking them or pushing back or able to push back, that culture becomes do what you need to do as long as you justify it, air quotes, right? Justify. Who knows what the justification actually is. Maybe the justification is I said so, or, you know, Sue said so, Johnny, whatever.

Um, and you no longer have a standard, right? Which is one of those core fundamentals, right? Have security standards or system standards. So now I'm gonna ask you to put your consulting hat back on. Like, how, how do folks actually look to solve it? I mean, certainly having a standard, no kidding, right? People have to have a standard.

But how do you think folks should pragmatically solve this everything deserves an exception piece?

Tony Schimizzi: I think the most successful way I've seen this in the past, and I, I've seen it-- I [00:09:00] would have loved to seen it in certain, certain organizations that I worked at. I've seen it work well in, in some of the organizations that I worked with, right, as a, on the consultant side, is w- I wouldn't call it like a change management board 'cause that's really under- undervaluing what they are.

But I would call it like a, a risk council, right?

A, a group of, of leaders from specific departments, organizat- whatever it might be, right? You're taking the head of IT, you're taking the CISO, you're taking the head of marketing, head of HR, maybe a CIO and some other person, right, that may be related to the business. When these big sit- situations come up, right, they talk it out, right? Because w- when you're the engineer or the manager or you're actually the person inside the business trying to, trying to push the business faster, or the security person that's trying to understand the risk, right? We're not trying to slow things down.

We're just trying to understand the risk as much as possible. And then always say it's a yes, and right? Never say no, but [00:10:00] right? It's yes,

and right? Like, "Yes, we can do this, and this compensating control or something has to come in place." Those legal councils or risk councils, whatever you wanna call them, that's where I've seen the most success.

Because what ends up happening is you have enough people from different departments with different motivations that all technically are aligned to the underlying umbrella of the whole business they work for, and they kind of hash it out. Um, and I look at it from two ways. It's I'm not getting involved, um, in, in those specific decisions, right?

Uh, there's no tool to do this, right? This isn't a tooling problem. This is a, a risk appetite, risk acceptance, uh, risk evaluation conversation that nine times out of ten is, is at least CISO and higher. Um, so that's where I've seen it be successful and, and tends to work out well because you, you have two things.

You can kinda go, uh, let's say I'm the engineer or the manager or the architect, right? And I'm like, "Well, a decision was made above my head. We've, we've [00:11:00] talked-- They've talked about it. They've notated the risk. We just move forward," right? Don't,

Ward: Right

Tony Schimizzi: learned in my career is early on, I'd be like, "What? What is this guy... What do they mean? Like y- this traffic can't be flowing to that country," or, "We can't be doing this. Like, what are they talking about this has to be allowed?" This, uh, like a great example is remember like when like Box and Dropbox and all that stuff came out and people were losing their mind, like getting access to that stuff and s- like those kind of things.

And then eventually it kind of became like these people are just trying to do their job. I'm just here to mitigate risk. If the people above me are s- or have the risk appetite to allow this, it's-- I'm, I'm the conductor of the train. I'm just, I'm just driving it, right? If you guys are building the tracks, I'll take it wherever you want me to go.

Ward: And security folks need to understand that. I mean, s- similar, um, you know, o- on that, you know, similar story I have, I had an engineer in my last job, um, what we were dealing with a lot of, um, you know, proxy [00:12:00] rules, right? And I always directed my team like, "Let's, let's definitely ask questions. W- you know, push back lightly where necessary.

Don't just let the floodgates open. But if, you know, the business agrees we're gonna do it, if they're gonna accept the risk, then we're gonna do it." And o- one of my engineers, um, a couple times took it upon themselves to say, "No," right? Digging his feet. And I was like, "Man," like, "all right," like, "I get it. Thank you.

Uh, you are thinking security-wise. Yes, we can agree the decision that's already been made, to your point, well above your pay grade, um, is not the best. But guess what? It's the decision that was made, and we got the proper sign-offs. We have the proper paperwork. Just do it," right? "Just do it." Um, so yes, I think i- in some cases, some security folks need to put...

May- maybe it's an ego thing, I don't know, but put that aside and just become business enablers, essentially.

Tony Schimizzi: yeah, I th- I think, I, I think cybersecurity, like, and I've been one of [00:13:00] those people that I, I kinda grew up in it, right? I think some people, some pe- There, I think there's, like... And I think, and we'll get into this later, but, like, there's, like, three tracks, in my opinion, of people that g- are, are in cybersecurity today, like, as we, as we talk today in, in 2026, right? There's the people that were migrated into it, right? They were kind of like the IT people,

the infrastructure people, like those kind of people that are like, "Hey, you know, you know, I, they asked me to do a bunch of security stuff, and I just kinda migrated over, and now I'm a security person," right? And, and I should preface, there is no wrong or right answer here.

All these people are equally important, right? Um, there's the track that I took, right? Which was right out of... I went to college, got a degree in cybersecurity and just kind of one at 20, 21, and that's what I've been doing since, right? Um, and then there's this kind of like new wave of, of where it's like, "Hey, you know what?

Like, I did 10 years as a business something," or whatever it is, and they're, like, cracking into cybersecurity now. Um, my [00:14:00] hat's off to them because now it's, is a little bit tougher to get into and, and really differentiate yourself. But, like, those three different groups, um, all kind of have that same, like, once you get into it, they kinda have this, like... I, I, it's not ego, right? It's, I, I, I can't ca- I can't put it on ego, but it's like this, um, like we know best,

Ward: Mm-hmm.

Tony Schimizzi: And, and we know how to evaluate risk better than you do, so that's kind of the pedestal some will stand on, right?

Ward: And that's fair. I think that's fair because honestly, like we, from, from a technology risk perspective, generally we do, right? Generally we know the ins or outs. As long as we understand the technology, I think that's the key, right? As long as we understand what's actually happening, a cybersecurity professional, it's kind of part of our job, should be able to assess the security risk better than anybody else.

But where we generally suck is understanding business risk

Tony Schimizzi: No, 100%. [00:15:00] And I think that comes with maturity, right? I think both sides of that comes with a maturity. If you were to ask me 15 years ago when I was doing some of the cybersecurity work that I was doing, I would've been that guy that's like, "No, we're not doing this. The, the policy states this, the standards state that. Nope, I'm not doing it. Go talk to my manager," right? And that doesn't create like, work environment at all. Like, nobody wants to work with you, right?

Ward: Great

Tony Schimizzi: I, I, y- I think over time, and understanding, to your point, like being a, be a business enabler, be somebody that people wants to come and work with and, and figure out the problem, um, comes with time.

And I think as, as you mature in that space, then you start to understand risk evaluation a little bit better too, because then you start to understand how the business operates. Like, one great thing for anyone listening to this, or like if you're just trying to crack into cybersecurity, or you've never even thought about it this way, like very simply, if you wanna understand how a business works, just [00:16:00] literally d- ask AI, or if you don't know, just go, "How does this business make money?" Right? "How does this business generate revenue?" And, and once you understand that, right, any, any risk that aligns to that, you're, you're gonna start to understand that you likely don't have that much of a say if you're gonna slow down that process

Ward: Totally. And actually, so funny, we've been, we've been talking about the first piece, which you said, you know, business trumping, and I wanted to get to your second one, which was you, you called it security is a double, a double negative, right? Or, or I- I'll call it, 'cause I've heard it called this many times, you know, security is a cost center essentially, um, i- instead of, you know, actually an income generator.

So, uh, I'd love to talk about that and pick your brain a little bit on there 'cause I've, I've worked within a few organizations where folks have tried, right, to figure out a way to make security, e- either directly make security part of, uh, the, the [00:17:00] revenue generation or, um, at least show how security tightly aligns with the revenue-generating processes, doesn't hinder them and actually, you know, makes it happen.

So in, in your experience, Tony, um, how have you seen, how have you or how have you seen organizations, good security organizations, be able to show that, "Hey, we're, we're not a black hole of funds. We're actually, we're actually helping"?

Tony Schimizzi: the example that comes, like, directly right to the front of my head right now is, is when I was actually back on the customer side, probably a little bit before I jumped to the consulting side, so let's just say I was a little bit more mature as, like, an engineer and architect, uh, we, we were asking these questions.

And what we ended up kind of figuring out, because the board was asking these questions. They were like, "Hey," like, "we understand there's these security risks, and we've had these audits," and they're like, "Well, what's going on?" Like, "How are we getting better," right? So I, I say this and it's not related specifically to cybersecurity, but it should, [00:18:00] should resonate in, in all aspects of life.

If it matters, it should be measurable, right?

Ward: Hmm

Tony Schimizzi: that's where KPIs come in, right? So we-- I think it's more the second piece, right? So we can, we can deliver KPIs to leadership to show them that the risk mitigation and the things we're doing to control the potential threats from hitting us or the potential vulnerabilities from being exploited, whatever you wanna, uh, coin it or term it, we were using those KPIs to take to the board quarterly to kind of show like, "Hey, look, like we're still essentially enabling the business because these things didn't happen."

Or you could even take it a step further, um, I'm sure most people have, have sat behind a desk and, and, "Oh crap, like so and- so and so's got a ransomware thing, and we heard about it, and it's a complete fire drill." We talked about that too, and we're like, "Hey, look, we had controls in place that, that isolated that machine.

It, it got completely [00:19:00] kicked off the network. It-- all network traffic was killed, like it, it wasn't able to propagate. And oh, by the way, we could see the denies on the firewall from a visibility perspective to, to reassure you that this thing did not get out," right? Um, so it's those kind of things, right? Is, is being able to have something that's measurable that you're, you're, you almost go to the board, right?

The C-level people above your CISO, 'cause your CISO is gonna be arguably nine times out of 10 the lowest hanging person on that, on that, uh, in that room, on, uh, talking in that, in that room to the board members. And they w- they wanna know. So they just need something measurable. So in the past, I, I've seen that, is just really try to lean into the KPIs that you have. Um, sometimes, like I said, maybe if it, you have a little bit of a fire drill or a incident that, that you can reflect back upon and, and talk about how it didn't negatively impact the business and business was still operating despite the [00:20:00] chaos going on, right? The, the factory was still running even though we were fighting a fire over here kind of thing.

Ward: Right

Tony Schimizzi: sometimes that resonates to them. But to, to really, know if I can think of a scenario o- off the top of my head with, where security directly enabled revenue generation of M&A conversations. That, that's

Ward: Yeah.

Tony Schimizzi: Can think of

Ward: I mean, I guess the only thing I could think of, just trying to brainstorm with you on that, is really more on the vendor side of the house, right? Like, obviously if, if you're a vendor selling into a corporation, uh, your stuff better be secure. So technically speaking, those security initiatives or whatever is revenue generating, air quotes.

I know it's a stretch, but I'm, I'm trying to think with you on where it is. I'm sure there's others out there. Yeah. Yeah.

Tony Schimizzi: 'cause

Ward: Um,

Tony Schimizzi: gets us thinking

Ward: y- you know, something else I'd like to bounce off you, and, and I don't remember where this was, and it doesn't matter, but I remember [00:21:00] working with an organization and I was talking to some of their senior leaders, and I was kind of doing the same exercise you described about the board, like talking about, you know, "Here's our KPIs, but also here's things we avoided," right?

You know, this might've been back during SolarWinds actually, that, that SolarWinds fiasco, you know, many moons ago. Yeah. Yeah. Everyone-- Uh, that was exciting times for sure. But I remember bringing up something like that to some leaders and basically them saying, you know, "Ward, I, I hear you, but for us, it would actually be cheaper to let ourselves get compromised and deal with whatever than to spend, you know, X, Y, and Z on technology people and, you know, time essentially to prevent against that."

Um, which for me, I think I might've been in consulting at the time, was like, "Oh man," like, "hate to hear that."

Tony Schimizzi: Yep

Ward: what, what are your thoughts around that? 'Cause that's, that is definitely, you know, you think about risk acceptance, like that's risk acceptance to a T right there. [00:22:00] Like, "I'm gonna accept not doing this because it, we can't, it's too expensive," whatever.

What say you?

Tony Schimizzi: Yeah, it's a tough one, right? So I, I think about it as like, uh... So I'll, I'll start with kind of like a bit of an, of an analogy, right? So obviously you can see the car stuff in the background. I'm a, I'm a big car guy, right? So it'd be like having your, your car, your baby, and you're like, "Okay, wait, we have to do this thing.

We have to fix the engine or whatever." And somebody being like, "It's-- I'm not gonna do it. It's not worth it anymore. That, that thing's not gonna run." And you're just like, "Hey, it, it hurts," right? Um, what, what you're defining is, is arguably probably what most of your listeners and, and most of us in the industry, at least that have some, some years behind us, right? Is, is the typical business impact analysis calculation, right? Um, anyone that's like a CISSP or CISM or anything like that, right? It's like annual loss expectancy equals rate of occurrence, time... I mean, that's all they're doing, right? At times the compensating control. So I don't [00:23:00] fault them for it, um, as long as, as long as it's a trust but verify scenario, right?

So I don't, I don't want somebody to kind of tell me that's like, "Oh yeah, we looked at it. It's just too expensive and, and, and we're, we're not gonna do it," right? I, I would push back and be like, "Hey, like, who did the actual calculations," right? 'Cause sometimes this stuff is really hard to quantify, right?

Ward: Right?

Tony Schimizzi: The risk that you're talking about, um, from a business perspective and, and whatever it might be. So just understanding that process, not, not to be essentially a pain in the butt, but to more understand how, okay, oh, okay, that's how they're calculating risk here, right? And just being more in tune with how the business is running, um, is, is, is likely how I would unfortunately have to deal with it, right?

I don't, I don't think there's been a time where I was able to overcome cost, like being the [00:24:00] main concern. Like it's very hard. Like if the risk is potentially a 500K impact, but the control to stop it is two million dollars, it, it doesn't make sense. Right?

Ward: Yeah, unless it was, you know, 500K per year, right? And it was a two million over a bunch of years. I mean, there, it-- To, to your point, there's, there's different things you gotta look at. You definitely have to do a trust but verify to really dig in and say, "Okay, I hear you, but let's take a second or third look at your calculations and make sure we're thinking about this."

Tony Schimizzi: I want to see the numbers. I want to see where you got them, right? Because you'll hear some people nowadays, I don't even know what it is l- as of, as of lately, but like, I was on a call recently where somebody was like, "Oh, like a breach will cost you $12 million."

And I was like, "Where did you get that number?" "Oh, well, I just, I like... That's what Google says." I was like, "Well, I'm not saying Google's wrong, but like y-y-you need to kind of like tell like what kind of breach, like wh- where are you, what state? Or do you have international operations?" Like, there's so many like pieces to that puzzle or variables that like people don't talk about.

So like, [00:25:00] yeah, I mean, where did you get that number, right? That's

Ward: Right

Tony Schimizzi: like, where, where are you evaluating that risk?

Ward: Well, I think a lot of it, you know, bringing it back to, to data security for a second, I think a lot of it goes back to also understanding the criticality of just that, your data, right? So an analogy one of my early mentors gave me is, you know, "Look, I'm not gonna put a $1,000 fence around a $10 horse," right?

Like, if the system, the data, the whatever really isn't worth it, then why, right? Why, why do all that? Maybe, you know, a basic firewall is good enough for that one system over there, but maybe you need a full zero trust program for this other environment because, oh my goodness, you know, all, all the crown jewels are in there.

Like, that definitely needs to be part of the, the calculation for sure.

Tony Schimizzi: Yeah, I mean, you've, you've, you've said a couple interesting things, right, right, right out of the gate. So like zero trust obviously, uh, a pretty loaded acronym or, or

Ward: Oh, that's why that's why I [00:26:00] said program, Tony. I knew you were gonna catch me if I said zero trust like architecture.

Tony Schimizzi: No, it's, it's fine, but it's like that's one of those words nowadays where I'm just kinda like how, how like AI might kinda like right now make some people squirm, like zero trust for probably like the last five years like is, is something that I'm always like, I love talking about it.

I love getting into workshops and, and things like that with customers and, and identifying like what it truly means to them and stuff like that. But I, I feel like it's just a term that's thrown around so much that like means so many different things to so many different people and so many different organizations that it's really hard to align on a, on a, a definition. Um, but the-- One of the other interesting things you said, right, is like talking about, the data security problem, right? And I, think we're starting to see in, the conversation that we've had so far, this isn't just a cybersecurity problem anymore. this is literally becoming a large-scale business operations and kind of governance problem, as well.

Because [00:27:00] most companies we led with, they don't even know where all their data is, and, like, the crown jewels, right? In most of my consulting days, and even when I was on the inside, you ask that question, most people don't know. And if you get an answer, you get kind of like, "this is where we think it is," right?

But with SaaS products, services, apps and everything being, like, the sprawl, good luck. Good luck exactly being confident and being able to verify where-- not only where all your data is, but just tell me where the crown jewels are. Know how you're protecting them

Ward: Well, and, and to have the consulting skills to, to really dig in. I, I remember one organization I, I worked for, I was talking to developers, and developers are always fun to talk to, and they're like, "Well, our source code is super critical." And I said, "Okay, okay. Um, the whole thing?" And I kinda got blank stares.

I'm like, "You're telling me literally the entire code repo is, is our intellectual property?" [00:28:00] And I kinda started getting some nods. I'm like, "Or is it, you know, certain functions or certain ways that code's built up? Maybe it's a, a certain, um, you know, snippet in there." And, and that's-- I mean, y- I, I'm using source code, but that could be the other, o- other sorts of data as well.

Like, is it really that whole bucket over there that's sensitive, or is it just that piece? Or if you're in, I don't know, um, chemical manufacturing, right? Is it every single formula you have, or is it a super secret formula for that one thing you produce? Like, as a data security practitioner, you have to be inquisitive enough and consultative enough to actually be able to sit there and be like, "And then?"

right? Almost that and then over and over again. Like, "All right, cool, I hear you, and then what? And what's next?" Um, so you-- I mean, you, you've been in that space yourself. I mean, shoot, you, you and I met originally as you were on the [00:29:00] consulting side. So how, how have you, 'cause I know you've had this discussion, how have you framed up those discussions to really get to that no BS, here is what we truly care about

Tony Schimizzi: I think with respect to me, uh, and I'm gonna use this as a small pat on my back, I, I, I think I just-- My natural authenticity, curiosity, and, and capability to build trust, um, relatively easy because I don't feel most people, when we communicate back and forth, like it's like a, "Okay, like this, this guy's-- he's not wasting time.

Like we, uh, he, we got stuff to do, we got places to go." Like, I'm not kind of like a, a fluffy conversationalist. Um, but when it comes like specifically in, in kind of the consulting space and, and dealing with these problems, like I leverage that a little bit because like you talked about, right? I've, I've practically done this as, as an operations person, an engineer, and all the way up to an architect of [00:30:00] deploying this across Fortune 500 cus- uh, Fortune 500 cus- co- uh, companies.

Geez, sorry. Uh, it's Friday. Starting to,

Ward: Oh, yeah.

Tony Schimizzi: And then taking that expertise, right? And then being able to kind of provide the consultative side to it as well, I think, I think is where that trust strengthens because it's like, "Oh, like th- okay, he's done this," right? And, and there's little-- There's lingo, there's language, there's right?

That like companies have to follow that when you kind of hear like the, "Okay, so are you gonna deploy via whatever," like whatever the tool is, but yeah, you have a change management window. And, and once you start talking about that, like most salespeople or most consultative people are like, "Why can't you like just go, just go do the thing?"

Ward: Right.

Tony Schimizzi: Right? But they don't understand, like especially Fortune 500 companies, like the processes that need to be put in place and stuff like that. So that's allowed me to be successful in, in, in opening up those conversations and then being [00:31:00] able to solve the problems is, is just kind of encompassing all of that. And then to your point, kind of having that like, "And then?" Like, or, "Deeper, please." Like where it's like I don't want to hear some operational efficiency, s- risk mitigation, abstract comment. I'm like, "What do you mean by that?"

Ward: Mm-hmm.

Tony Schimizzi: If, if you can't drill it down to one of two things, a legitimate use case or a problem you're actually trying to solve inside your organization, I, I, I'm gonna be honest, I don't know what I'm here for, because then I'm just here for discovery questions. Um, and I think, I think that's what it, it's allowed me to do is, is I, I think I can just very quickly navigate that, that space because of past experiences, um, the technologies that, that I've touched, the, the places that I've worked, um, the people I've, I've been around, the people I've learned from. I've had great mentors.

Um, I try to mentor some people as well. So like [00:32:00] just, just learning from, from other people I think is, is, has been helpful too in the consultative role.

Ward: I love it. I love it. Well, I mean, we, we've danced around it. We've, we've teased it out. Um, man, you, you've been in the industry almost 20 years. You've seen a lot. You've done a lot. What's been your journey? Like how, how did you get to where you are today?

Tony Schimizzi: Yeah, so I, I, I hinted at it a little bit, right? I was that second tier of people that probably within the last decade or 15 years that kinda like started getting into cybersecurity as it, as it was getting hot. Um, initially I didn't even... I, I, I'll give you a little bit of a background story 'cause I think most people I talk to that are at least in this field or around IT, like they're like, "Oh, yeah, I grew up, like my dad or mom was a big, uh, computer person," or so-and-so worked at IBM or Intel, right?

Like, I, I was computer illiterate until probably the age of 19 when I went to, went to college. Like, I, I played with AOL Instant Messenger. I'm dating myself, right? Trying to, trying to see if my girlfriend was down the street or something like [00:33:00] that. Uh, but that was, that and video games were the ex- extent of what I knew anything about computers, um, or IT or networks or anything in general. Um, I went to college, uh, there was a great admissions person, and I still chat with her every now and then, um, Dr. Sylvia Perez Hardy at RIT. And she sat me down, and she was like, "Look, I, I see you wanna come into this," the, I think it was like IT security and administration. I can't remember the exact degree.

But she was like, "This thing..." She's like, "We will be the first school to be NSA accredited with an actual cybersecurity degree." And this was like '06, '08, or '09, I can't remember. Um, and I took a chance. I was like, "Okay." I mean, she, she seems like she knows what she's doing. I know I don't want to do what I was doing before, which was like engineer- engineering work, and I really actually wanted to be, uh, like a...

See the cars out there? Like, I wanted to be a, a engineer with an automotive focus. Um, [00:34:00] I got it, I got in there. I went to RIT, graduated, and I mean, the rest was just kind of like it hit the ground running with a, with a decent exponential curve in, in learning and stuff. So I spent probably thirteen, fourteen years across four Fortune 500 organizations in, in Florida. Went to the consulting side, spent five years there. Uh, loved it. Uh, I, I... Every- everything about it was awesome. It was the exact jump I needed. Um, a leader at one of my previous companies, um, that I worked for actually was the one kinda, kind of to expose me to it. I never e- I actually knew the was there or how you infiltrated it, right?

I was just kind of here like, "Oh, I'm just a security engineer, security architect for these companies. Like, that's what I do." Um, he told me in a, in an annual review one time, he goes, "Y- you're too smart to be here." He was like, "You, you need, you need to go, you need to go do consulting. You need to go do so- like something, something else," right? Um, once again, another [00:35:00] great, uh, mentor and, and person I worked for, and, and we still communicate to this day. But if it wasn't for him, I wouldn't have made that jump to consulting, which I then think is, is really what opened up my, my ability to help customers, right? We talk about this, just problem-solving. I could sit here and brainstorm on, on problems with customers for 30 minutes to an hour. Like, it's, it's, it energizes me. It gets me excited. Like, the, the, the conversation's flowing, the brainwaves are going. Like, that's what I really love. Um, and, and I, I was good at it, right? And I think that just kind of parlayed into, into where I am now on the vendor side. Um, being able to still kind of use those, those skills from the consultative side, but then also kind of still resonating with my customers and saying like, "Look, like you're going through. Like, I've been there. I've done that," right? And especially with all this stuff with like AI and Mythos and everyone freaking out about vulnerabilities and urgency and all that kind of stuff.

Like, I've told multiple customers, I go, "Just stick to the fundamentals." Like, the speed and the [00:36:00] urgency is gonna change, but the fundamentals have not.

Ward: And they probably won't at the end of the day. I mean, it's why they-- that's why they're called fundamentals, essentially.

Tony Schimizzi: Yeah, I mean, you look at the la- I mean, just think about it, right? I mean, once again, love a good, good brainstorm ex- exercise. Over the past, let's say, 10 years, right? about all the major a- attacks and, and things that ended up in the news from a se- security perspective, right? If the fundamentals were in place, would they have happened? Maybe. But I bet the likelihood would've gone down, right? It ha- it would've had a bit of maybe a more sophisticated attack or, or something else. But the fundamentals are in place and, and you have kind of... I mean, that's why the SANS Top 20 doesn't really ever change, right? It's like, know your hardware, know your software, know where everything is, right?

It doesn't change.

Ward: And isn't that funny, right? I, uh, I haven't even thought about the SANS Top 20 in a few years now, but you're, you're right, it has not changed since I looked at it, at least to your point, not much. Maybe something [00:37:00] moved up

Tony Schimizzi: Yeah, the

Ward: down a little bit.

I mean, think, think about how technology has changed though.

I mean, shoot, you and I started around about the same time. So, um, you know, back when we started it was, you know, data center focused and then, you know, cloud kind of started, so people started shifting, figuring out what that was, then proliferation of SaaS. Um, a- and then I, I guess, I- I'm sure there's a few things between then and now, but now AI, right?

But, and, and still the top 20 is the top 20. are the fundamentals

Tony Schimizzi: between SaaS and AI is probably, uh, Kubernetes a-

Ward: Oh, yeah. Yeah. Good point.

Tony Schimizzi: A huge explosion. Like, it

Ward: Good point.

Tony Schimizzi: years ago, only maybe a small percentage of the world even knew the word, and

Ward: Yeah.

Tony Schimizzi: Now it's everywhere.

Ward: Yeah, everyone, everyone knows it now. So I mean, uh, quite a really cool background and, and story there. So if you could go back in time, um, I don't know, maybe before you were going to that, that [00:38:00] first program, and you can give yourself some advice, right? So if you can go from today back to, uh, a younger self, what, what would you have told your younger self?

Anything? Any, any changes?

Tony Schimizzi: With all the knowledge that I have today,

Ward: Yeah.

Tony Schimizzi: to talk to my, like, let's call it 20-year-old self?

Ward: Sure. Yes.

Tony Schimizzi: Part of me wants to say, like, you're on the right track, right? Like, don't, don't, don't deviate from what you're doing. Um, like, it's short and sweet, and some people might be like, "Okay, I got it." Like, but I'm tr- I'm trying to think of, like, if anything really s- like self-reflect. Like, I, I took a lot of risk.

Like, I w- I was one of those ki- and I-- this is one of the things I talk to, like, the, the younger generation, like, just getting out of college kind of thing. Um, you, you have a decision to make in your, in your 20s, right? 20, let's call it 20 to 30, somewhere in there. You can grind it out and really accelerate and, and try to separate yourself that from 30 and beyond. You can, you can kind of, I don't wanna say coast, but you can, you can [00:39:00] slow down. You don't have to grind it, any of that kind of stuff. Or you could have a ton of fun between your 20s and 30s, and there's nothing wrong with that, right? But you're probably gonna have to work a little bit harder and a little bit longer, right? Um, and like I said, there's no right or wrong answer here. Um, I went with the, the, the first one. I said, "Hey, I'm gonna take some, a little bit of risk here." I, I moved all over. Grew up in New York, lived in California for a while, now down in Florida. Um, was like 19 or, uh, 20, being like, "All right, I'm going to California. Like, I'll just see what's out here." Um, just, just staying on the track that you're on. Take risks when you're young, when you can. Um, it's, it's, it's, it's worth trying and experimenting with, with kind of other things and, and learning every day. But don't always think the grass is greener on the other side.

Ward: Oh, boy. Yeah.

Tony Schimizzi: th- I, I talk to people a lot of times that kind of like jump companies every three, five years and, and, and chase- chasing money and stuff like that. Like, it just, it just becomes a [00:40:00] point where you're just, find what makes you happy. Um, have purpose, have some independence and, and just kind of work with that. Like,

Ward: I think that's some great insight.

Tony Schimizzi: Like the big thing for me.

Ward: I think that's some great insight. Hopefully, you know, the, the 20s you would've actually listened if you had told, right?

Tony Schimizzi: I wanna say he, he, he pa- he partially did,

Ward: Yeah.

Tony Schimizzi: did spend a lot of time like, working and, and kinda grinding it out. Didn't do a ton of like travel or, or fun things in, in my early 20s. But everyone, everyone's different, so I'm not saying my path was the right path. I'm not saying, uh, your path is the wrong path.

I'm just saying everyone has their own path. And, there's a, there's a great quote... Oh, it's gonna... Give me a second. It's, um, "The irony of life is you have to live it forward, but it only makes sense in reverse."

So if you think about that,

Ward: It's an interesting thing to think about.

Tony Schimizzi: the decisions you, you kind of have made in your life, you kinda go back and go, [00:41:00] "Okay, I guess I kinda made sense of why I did that there." But like, you don't, you don't get that moving forward. So it's, it's just something I always kind of think about too, is just like continue to live life moving forward and, and focus on the things that matter.

Ward: Yeah, I, I had a mentor, um, very similar to what you just said, actually, um, very much similar to what you just said. You know, the, the advice I had gotten is the decisions you make today will either open or close doors to you tomorrow. Kind of the same thing, right? Okay, cool, I'm gonna make this decision.

You don't really know, right? In, in the moment, like what's gonna close or what's gonna open, but looking back it's like, oh, okay. Like if I hadn't done that thing right there, I wouldn't be doing this thing here right today. So

Tony Schimizzi: And whether it

Ward: good insight.

Tony Schimizzi: Or the right move,

Right.

That, that's another thing is, is, uh, learn fast from mistakes, right? I mean, I've made a lot of mistakes in, in my career, not only from a personal and professional development, but like also from a technical development. Like, I used to [00:42:00] be that guy that would occasionally, well, I can't get in trouble for it now, make changes without change, like change control process, right?

Ward: Oh, no.

Tony Schimizzi: because I would see like active threats or, "Oh my God, why is this, why is this thing happening?" Or, "What's, what's going on here? Like, this shouldn't be doing it that way." And I had such a, a good understanding of how data flowed in and out of networks that I knew with relatively high confidence that I could usually make these changes, and nine times out of 10, I make it and nobody even knew, right?

So going back to like an earlier point, like reducing risk of the company at like the speed of operations, like I did it, but without change control, right?

Ward: Um, you did it, but you didn't follow process.

Tony Schimizzi: correct, right? And, and, and, and there's like the bad cybersecurity, uh, uh, operations or engineer guy. But there were a few times, I will be honest, there were a few times I did it, and within a couple of minutes, you started hearing some screaming,

Ward: Oh, yeah.

Tony Schimizzi: Like,

Ward: Yep. But, but, but

Tony Schimizzi: know what happened. I know exactly what happened." Like, "Go roll it back, go roll it [00:43:00] back real quick." Um, and, uh, at, at that point, depending on what happened, right, you'd, you'd kinda be like, "Yeah, my bad." Like, "I was, I was just testing something," or whatever. But, um, I've always been one of those people that kinda like find the, find the very edge of, of what, what it can do, what it can perform. Um, I remember sometimes peop- vendors back when I was on the customer side being like, "Like talking to you or your organization because like you guys are really beating the heck out of this, this tool or whatever," right? And I was like, "Oh, yeah, I'm throwing as much data or whatever I can at it.

Like, I wanna see what it can do."

Ward: Gotta do a real test for sure. For sure.

Tony Schimizzi: right? Go

Ward: Yeah.

Tony Schimizzi: Yeah, it's

Ward: Yeah. Well, Tony, you, you mentioned earlier, uh, you've had some great mentors. You also mentioned that, uh, that you mentor a few folks. So, I mean, if, if folks wanna find you, reach out to you and connect, what's the best way to do so?

Tony Schimizzi: Yeah, LinkedIn's probably the easiest. I'll, I'll be honest, I'm not like a, like a super, super active person. Um, but usually a couple times a [00:44:00] week I'm, I'm logging in and kinda paying attention to some things. Probably the easiest spot to find me. Uh, outside of that, I don't really have much social media. Um, not because I'm a cybersecurity guy, I just, that's a whole different, that's a whole different podcast.

Ward: Yeah. Yeah, absolutely.

Tony Schimizzi: LinkedIn, LinkedIn's probably the best way to find me.

Ward: Perfect. Well, hey, Tony, this has been a great episode. Thank you so much for joining me today.

Tony Schimizzi: No, I appreciate it, man. It's always nice, nice to see you again.

Ward: Big thank you to the audience. Really hope you enjoyed the episode and learned something today. Please tell others in your network to follow and listen. This has been another exciting episode of Guardians of the Data. See you next time.

Speaker 2: That's a wrap on another episode of Guardians of the Data. Thanks for tuning in. For show notes and more, visit the Guardians of the Data show. Guardians of the Data is made possible by support from Sentra. To see how we help organizations discover and classify all of their data accurately and automatically, while quickly achieving scale data protection without the fuss, please visit [00:45:00] sentra.io.

Catch you next time.
