#230 Beyond the Firewall: Exploring Cybersecurity and the role of Sales Engineer with Jason Mar-Tang

0:00:01 - Mehmet
Hello and welcome back to any episode of the CTO show with Mehmet Guys. Today I'm very happy and you are seeing me smiling. Why? Because it's first time on the show I get someone who we share the same I would say career path, because I've done this job for a long time for more than 10 years as an SE. Today I have with me Jay, who's based in Los Angeles working for Pantera. Jay, thank you very much for being and I'm very happy to have someone from an SE background with me. So we'll come to the show. Tell us a little bit about yourself and what you do. 

0:00:38 - Jason
Mehmet, thank you so much. I'm also very excited to be here. We're cut from the same cloth. So a little bit about me. I've been in technology since I was 17,. So 20 years now, at this point, 37. 

Born and raised in New York City, that's where I started my career. I was working in law firms in the financial district in New York City, crossing ground zero every day, and ended up in after going through that, went through college, got a computer engineering degree, worked for an insurance company for a little bit outside of once. I got out of college and then ended up in the cybersecurity realm as a SE, a sales engineer, solutions engineer, and I've been doing that ever since. So my background has been engineering solutions such as DLP, data loss prevention, mfa, multi-factor authentication, ndr, network detection and response, edr, endpoint detection and response, pam, privileged account management and, just recently, in my current role, doing red teaming and automated security validation. So I've seen the gamut. I've worked with many different industry verticals and have consulted with many different clients, seeing all different types of challenges in the cybersecurity world and, believe me, there's a lot of challenges. 

0:01:57 - Mehmet
Oh, of course. Of course you know it's kind of a traditional question, but I'm curious because everyone especially us who works in tech you know there's something or maybe an event that happened. Sometimes you get inspired by someone, so you decided to go into the tech, right? So what brought you to the tech industry at J? I'd love to hear from you. 

0:02:27 - Jason
Yeah, yeah, yeah, it's a great question. So I was always, and I still am, a self-proclaimed nerd, right? I love all different types of tech and all different types of things regarding computers and technology. But growing up, specifically what got me into cybersecurity was I remember as a kid back in the 90s, right when AOL started becoming a thing for us in the States. I remember getting an email from one of my buddies in high school and I thought it was his email and he sent me an attachment and I downloaded it and it just wrecked my machine. It was classic, classic phishing email and it was malware and I had to like reformat everything. It was such a pain and it was so painful that I said, man, this sucks. And since then that intrigued me the whole, like why would somebody want to do that, why would attackers do what they want to do and how can we stop them? Like that really influenced me not only just to get into technology, but to get specifically into cybersecurity, which is a whole realm in itself. 

0:03:32 - Mehmet
Yeah, indeed, indeed, and of course it's not. You know people think, jay, sometimes that being in cybersecurity is something fun and you know you are the guy who's. You know, like playing with all the hacking tools, but people they don't see. Actually, you know what is underneath and you know how hard it is to secure. You know your first, your own assets, like your machine, your email, and you know your stuff and then get it to the broader thing. Now, before we go into your, you know, like, as SE, we're going to talk about the SE role, the solution engineer or CS engineer role. Yeah, but let's go one step back, because you mentioned, you know, the event that triggered you. You received an email and then it was a phishing email and you know the machine was wiped out. 

Now, if we can put a kind of framework and say, okay, cybersecurity 101, right. So what is the whole thing is about? Because for some people, cybersecurity is like you know this mysterious thing where you know there's a guy sitting in the in the garage wearing a hoodie, trying to do things right. And I love to, you know, get your opinion on this and get your say on that, because unfortunately, people think that cybersecurity okay, we know it's something interesting. It's like, yeah, it's real, but it's only for, you know, the big guys, you know the guys who has the money, like why I should care, right? So what you can tell us about? 

0:05:12 - Jason
that. Yeah, I think what we need to understand is something that I talk about a lot now, especially in my current role is the attacker's mindset. And the attacker's mindset really could be anything right. It could be they're attacking you or an organization for financial gain, or they're attacking you just to get it build a name for themselves, or they're attacking you just because they want to. They're bored Like. 

All these different reasons would cause attackers to do something nefarious, something bad, and it's relevant, because, whether or not you're working for a big organization or you're just someone with a small business or it's just yourself, there's, there could be reasons that someone is looking to get after you and compromise you, and at the very I always talk about this. I spent so much time in the identity realm, but really your identity is so valuable. Think about just who you are as a person, the money that you might have, the privileges you might have, the people that you know. All that is valuable to an attacker because you may be part of a larger scale attack. Maybe you know someone important, or maybe you know someone who's performing a certain job function and with your identity or with them, with attackers pretending to be you, they can potentially do more. So it's always important to understand that, because people get into the mindset of oh why would they come after me? You shouldn't be thinking that way. You are valuable, your identity is valuable, no matter what. 

0:06:47 - Mehmet
That's 100%, and this is also what I tell people. And now I'm not talking also about individuals. Individuals should take care because, at the end of the day, everyone has a digital identity nowadays. Now, the reason I asked you this question, jay, on purpose and you mentioned identity I tell this to startups because I focus some of my work that I do with startups, companies like founders, who are just building things from scratch, and I tell them, guys, one of the things that you should care about in cybersecurity is actually your identity, as you mentioned, and your IP, intellectual property. 

So, because usually this is what these guys are after and the reason they do it is they want to cause the maximum damage possible to you. So, whether it's like a reputation loss, financial loss and all of these other motives, I would say Now, jay, you are on, if I am correct, if I'm mistaken, but the field you are in today with your current role, is more into the let's call it, can we call it like a defensive or is it the aggressive? I mean, let's say you are on the offensive sorry part of the game, because in cybersecurity, you have the defensive methods and then you have the offensive ones, where you try yourself to take the step ahead of the attackers. So, with your current role today, where in this spectrum you are, yeah, yeah, that's a great question. 

0:08:25 - Jason
So in my current role in the company I work for Pantera we are more on the attacker side more than the defender side, and it's important because for so long, when you think of cybersecurity, you think of defense, defense layer, defense layer, defense, which is all correct, right, it's an absolute, necessary part of your security posture. But how do you know those levels and the things that you, those walls and controls that you put up? How do you know they're working right? You have to test them. How do you test them? You have to attack yourself, and you don't want to wait for attackers to do it, because then it's too late If you can proactively attack yourself and understand ah, this worked, this worked, but this one didn't work, but this worked okay. So we only have one thing we need to fix. Well, you're in a much better position after knowing and being proactive than if you were just waiting for an actual attack, and that's what we do. 

0:09:17 - Mehmet
So, basically, you know the pen testing is. You know like it's the act of trying to hack yourself in. I mean, it's like not hacking in the bad way, but it's in the testing more than check for the readiness. Now, from what you are seeing, jay, a lot of issues when it comes to cybersecurity in general, like we hear a lot of stories. You know the news was full the past two, three weeks about you know what happened in the entertainment, for example, with HM and with other places. So what are, you know, the biggest challenge you are seeing happening currently, and are you seeing this continuing to rise or is it something that can reach some kind of a plateau and then maybe decrease? What is your? I? 

0:10:11 - Jason
can tell you right now, nothing's decreasing, nothing is stopping, right, I mean, it's only been getting worse over the years and those of us in the cybersecurity industry we laugh, we say, oh, it's job security, right, but the reality of it is. It can be a little disheartening because you see things happening all the time, and I tell you what. The people who are being affected are regular civilians, people every day who are just trying. So, for example, those in Las Vegas, right, which is very close to me, right, I mean, I was there not too long ago for the Black Cat Conference. Those are the people getting affected. Right, and it's challenging, but, to answer your question, I don't see it decreasing and what's? 

I think what's challenging for security professionals is that organizations can fall into the trap of this can't happen to us, or we're not a target, and it's hard because security is not a revenue driving activity of any organization. Right, you don't get money from saying I'm gonna implement all these controls. In fact, that's the opposite. Usually, there's operational pushback and it can be challenging because you're implementing controls that can stop people from sometimes from being productive, and that's not good either. 

However, look at what's going on at any attack that has happened within the last three, four years or whenever the damage that resulted, whether it was damage from brand, like you said, or just monetarily, because either systems are going offline or, in the worst case scenario, there's a ransomware attack and now things are encrypted. Now you have to pay. Just to continue operations, you have to pay. It's that's very tough. So what would be ideal is if organizations took this as they said, oh, or ran through assessments and then, okay, this is a critical line of our business. If this were to go away, would it spell certain doom? What could happen? Oh, ransomware or anything else. And you treat a cyber attack the way you would treat any other risk incident and then you try and mitigate appropriately. 

0:12:20 - Mehmet
Yeah, 100%, and I know the challenge because I was doing the consulting part also as well. And the biggest struggle that usually sees those chief information security offers they face is, you know, when you buy any product in any organization, so usually you have the ROI and the total cost of ownership and all this stuff, while with cybersecurity products because you're trying actually to prevent a loss from happening so it's not like a tangible one, and I always used to make the similarity. So when you sell or you're dealing with cybersecurity from a commercial perspective, you're dealing actually with kind of a life insurance or insurance, the scheme, because yeah, but because, okay, I can say, okay, why I'm paying X thousands of dollars, x grand per year for my car insurance and I would never make an accident, but you never know right, and say for the life insurance, say for the insurance, and so on and so forth. So, yeah, this is why it's important. 

But now sometimes I hear this from people as well. They say, okay, look like we have really invested in security. So we brought the best firewalls, we brought the best inbred I don't know what. We have our ADRs, xdrs, this that you know. So and really they've spent really big amounts of money on this, but still these attacks happen. Why? You know, it's kind of an education message here, guys, and I wanted you to hear from Jay why, but it's, you know, it's like it's not a one-time task, it's not like just a marathon, it's a sprint. Why do they need to keep actually investing in their cybersecurity infrastructure? 

0:14:07 - Jason
It's a it's extremely challenging, right? I said this recently on a different podcast, I really feel, for anybody in the industry, because you need to have the ongoing support. And why, right? What's the key where they're ongoing? The program, the security program, needs to be exactly that. It needs to be continuous, whether that's continuous testing and just continuous, you always have to be vigilant in that mindset that you can't take your foot off the gas, because as soon as you get complacent, this is where there's drift in your posture, or drift in your security posture, where gaps tend to happen. And then things tend to happen. 

And that is essentially the biggest challenge, because it's not just technology, it's people, process and technology. It's part of a trifecta. And you can have all the technology in the world, but if you don't have the right processes, you're going to fail. And if you have technology and process but your people don't care, you haven't advocated within your organization for security, it's going to fail. So you need to have it's extremely challenging. This is why attacks keep happening. And I'm not saying that attacks don't happen because of negligence. Sometimes that's the case as well, but this is why we continue to see this, because nothing is 100%, never. You never bring risk down to zero and that's challenging and I think to be as ready as possible so when something happens, you can respond quickly and understand and know. That's the best situation you can hope to put yourself in. 

0:15:47 - Mehmet
That's 200% Now, and I'm not challenging Jay. I'm just trying to tell you a few of the thoughts that I used to hear. Now people come and say, ok, fine, we understand this, we need to keep this like it's an ongoing process, we need to keep training our stuff, we need to keep investing, we need to keep, as you said, the ongoing support and so on. But they said you know what? Now we are into a kind of reach a fork where we have a bunch of decisions to make and we don't know, because everyone is coming to us and say, hey, you need to have my solution because you would be in a better position, and now, like, prioritization became a big issue. So what are you seeing? You know, because you talk to customers, of course, like all the time, Jay. So what are you seeing them doing to kind of prioritize these decisions? And if you can advise anyone who might be listening to us today how they should prioritize, you know, okay, which projects go first or which technology should go first? 

0:16:56 - Jason
Yeah, it's a great question because, yeah, if you've ever walked the trade show floor, there are so many tools and technologies and companies out there. How do you prioritize what you should do first? And whenever I talk to organizations, I always bring the conversation back to risk and what's critical to the business, and that's going to vary depending on the industry vertical that you're in. So, if you're in retail, the ability to process credit cards and sell is going to be your priority, as opposed to if you're in healthcare, the priority is going to be the health and safety of your patients and their information, as opposed to if you're in finance or you're a financial institution, it's going to be that financial information. So what you need to first understand is what is your business and what is critical to your business and what would be, like I mentioned earlier, if something were to be on that critical path. If, let's say, go again retail right, I'm selling, I don't know I'm selling light bulbs. Right, because I'm looking at a light bulb here in my studio, I'm selling light bulbs is if something is going to prohibit the sale of those light bulbs. Well, that is what I need to prioritize first. That's the criticality, that's what I need to make sure. 

When we talk about security right, we're always talking about the CIA triad, right? Confidentiality, integrity and availability. Well, I need to make sure that I the availability of me to sell those light bulbs is always on 100%. That's what I'm going to prioritize and I'm going to focus on that first, because that's critical. If that goes down, my business goes down. That's what I focus on, that's what I always talk about. I say what's critical to your business? Okay, oh well, we need to. And sometimes it's driven by compliance. That's a separate topic, because compliance will tell you to do certain things and I don't necessarily feel that just because you're compliant means you're secure. But if you're secure, usually you can also be compliant right. But to answer your question, that is where I would advise organizations to do. That's what I see as well that they are prioritizing what is important for their business to keep their business flowing and making sure that those assets, those critical parts of the business, are protected and always on and available. 

0:19:10 - Mehmet
Great exactly, I agree with you on that point, jay. Now let's talk a little bit about being a sales engineer, or SE, as people know us. Some people they know us as technical consultants, free sales consultants we go by different names, guys, so of course I still have my own thing, but I call myself the lead consultant because I love being this. First, what attracted you? Okay, you told us about how you get attracted to tech and cybersecurity, but what attracted you to be an SE actually? 

0:19:51 - Jason
Yeah, I think it was the fact that I, like you, know being an SE, sales engineer and you're correct so many different titles for it. It allows you to get exposure to many different environments and many different clients. So in this role it's and what's interesting is that I'm noticing, at least here in the States there's been a lot of interest in being an SE, being a sales engineer, and I've seen it grow over the last couple years, as opposed to, again, I've been doing this for so long, like 14 years at this point, but just recently I'm seeing more. So, for anyone who wants to get in, it's a role in which you need to, of course, have some technical acumen so you can, because you need to be able to advise your customers to make the appropriate choices. 

Now, usually, right, if you're a sales engineer, you have a product that you're helping to engineer, so it's going to be related to whatever product that you're for, the organization that you're working for. But, to answer your question, what really drawed me to it was the ability to try and solve problems and solve what we call pain in the industry, right? Oh, my gosh, like going back to my light bulb, I can't see anything. All right, I got this light bulb here and, by the way, this light bulb is going to be a certain brightness, it's going to be a certain color and, as a result, this light bulb is going to help you do X, y and Z Right. I want, we want to solve problems and we can solve problems with tools and with process and by advising. And that's what this role is all about is really trying to help customers and clients solve the pain that they're experiencing with the technology. 

0:21:33 - Mehmet
Yeah, so they call us guys the trusted advisors for customers. Jay, how much do you agree with me? And I share this multiple times and sometimes even I copy paste the same post and I have no shame of repeating this. I compare, you know, sales engineers to startup founders, because, exactly the same things that you mentioned you're looking for problems to be solved, you try to evaluate this with your customer and then you prove that your solution works and then you show the results like okay, you tell the customers, mr Customer, you, you know, previously you were on doing this in X amount of time. Look, now we are making it much, much faster. Or you were having like 10 people to do this task. Now you can have only two staff and the rest of it you can allocate them to do something else. How you know, do you think this is accurate of you feel like you are in kind of always startup mode when you are in SE. 

0:22:38 - Jason
Yeah, I mean yes, because every you're always encountering something new and it requires you to think out of the box in many different times. Like I said, no environment's different. So you're going to see you know this in some situations. You're going to see that in other situations, and you have to think quickly because you want to make sure that you're doing the right thing for your customer, and that does require you to first understand what's happening, make decisions, engineer a solution, prove it out right, so it's not just snake oil, right, it's not smoke and mirrors like this. The solution actually works and then make sure that you know, moving forward, that they're going to be in a better situation. Like you said right, hey, now, with this solution, you're going to be X times better or faster or whichever. 

So, yeah, I mean that the ingenuity and thinking on your feet that never stops, and it is almost like being, you know, a CEO, or you have to, because you can't be complacent. You always have to be learning and growing with the industry as well, because you will encounter customers that have the latest technology or right. I've encountered so many smart people in my time with clients and I smart people always motivate me because, oh man, I need to get smarter right, and it requires you to challenge yourself. It really does. 

0:23:58 - Mehmet
Right, and how much important and you know this is for anyone who's considering to be an SE. How much also you put because you are actually you lead the team in Americas with Pentera today right? So, and from a leadership perspective, I'm asking this question to you, jay how important is not only to focus on the technical aspect of the job, which is, yes, indeed, it's needed. You need to understand what you're saying like. Tell me a little bit more about the soft skills that a good SE should have? 

0:24:33 - Jason
It's an excellent question because the in my experience and, like I said, I've worked with a lot of talented people, including on the sales engineering side the most talented SEs that I've encountered in my career were able, had those soft skills, and it's a very it's a generic term. So what are some of them? Are you asked? Well, the ability to, of course, discuss and articulate the importance of whatever your just whatever your engineering, but also having the discernment to listen and take information and not just speak, speak, speak, speak. You have to listen to your clients and understand what's happening. You have to be able to think on your feet, and I think the greatest trait that an SE can have is agility. And why do I say that? Agility is a myriad of all different Um Aspects rolled into one. 

When you're agile, you can. You can be like water, as Bruce Lee used to say. Right, you can fit Into any object, you can go this way, you can go that way, you know this way, and it allows you to be flexible, because Oftentimes, right, these soft skills, which includes teamwork, are you want to be able to talk with your sales rep and you want to be, have a game plan coming in. That game plan might go out the window because your client may say, yeah, but I have XYZ requirement. Oh, I didn't think about that. Okay, well, let's, let's move in, let's go this way. 

So those soft skills to have discernment, to listen, to think on your feet, be agile are all what's really Important when you're with your clients, because you want to make sure your clients and your customers are Getting the the best of you and the best of your technology, whichever your, whatever solution you're trying to engineer for them. But it requires you to to listen and and articulate and communicate properly and Take your time and it's it's a lot of things put together. I don't know if that answers your question or not. It does. 

0:26:38 - Mehmet
Indeed, and you know it. You know it's like articulating, which is barely you know, everything goes into communication in, in my opinion, and when I say communication maybe it's a broad board, I know it's a broad term, but you know, but you covered it all actually today Like it's actually how to articulate the business requirements to technical terms, when you talk to the customer. And then you mentioned something which I think it's underrated it's about the communication between your. So for the guys who doesn't know, in in in enterprise sales, so do you have the sales rep and you have his se or her se or he or she In, vice versa, and they, they have, they are a team right. 

So so you have someone who's just on the business side, he do the page, you know he talked to the customer, manage the deal, you know commercially, and you have the real hero who is the se, who does the job actually right, and and it's important, because the se, in my opinion and you know I want to hear your opinion also as well Actually I'm not and, by the way, I, in my last role I was an ae, I was not an se. Okay so, and I'm not saying this too to underrate a ease. But Se is plays a major role actually to, let's be honest, like to to get all the Elements of the deal almost done together. Of course, like the, he has to to build the relationship and, you know, work on the commercials and so on, but really the se is is usually who's sitting in the driving seat, right. 

0:28:21 - Jason
Yeah, I would say, I would say it's, it's almost where you know you can relate it to professional sports. Think, think of, you know, a football team, and by football I'm talking soccer, for if there's any Americans. 

0:28:39 - Mehmet
Okay. 

0:28:41 - Jason
But, but notice, right, you're trying to score goals and win as a team. It requires people in different positions, and I would say that the way. If you want to also relate it to your driving analogy, right, you're trying to get to the destination. Well, the sales, the sales rep, might identify hey, okay, here's the car and they're gonna get, they're gonna drive a certain part of the way, but, yeah, then you're gonna switch and the se is going to drive a good portion of the way, and then you're gonna switch again and the sales rep is going to to to finish things. Why? Well, because you need to understand, you have to find clients that are looking for a solution, but then the engineering of that solution is going to be on the se, the sales engineer's responsibility, and then Then all everything else that comes along with that. At the end, after what we in the industry call technical win or technical validation, once your client goes, yeah, you know what the solution does do, what I wanted to do, great, everything else that follows, um, the paperwork, and and Logistics and contracts, your sales rep will handle right, but that's at the end. So it's almost like you know. 

Again, you're on a team, I have a ball. I'm gonna pass the ball or they're gonna pass it to me. I'm gonna do some things and I'm gonna pass it back. But it requires both individuals to be in lockstep with each other. And I'll tell you, the worst thing that can happen Is, as an se or as a sales rep, you're not getting along with your sales engineer, or vice versa, you're not getting along with your account executive. That's rough, it's just not gonna work. It's rough. 

0:30:13 - Mehmet
So you put two, two, two people, two people in the field who never met before, and you tell them you have to play as a team now. 

0:30:23 - Jason
Well, you know it's, it's challenging, but here's where I challenge, and this is where I challenge all s e's To take ownership of that relationship Meaning. You're right, it's tough. I don't, I don't know, like I don't, I don't know who this person is. That's okay, I'm gonna. I'm gonna make sure I take the responsibility to get to know that person, because I it's in my best interest as a team to understand what makes this person tick. What do they? What do they? What do they like? What? What annoys them? What? How do you like to communicate? Your style of communication? Do you like to communicate on a regular basis? Once a week, I've had sales reps say, no, I don't want that. Call me. Okay, I'm gonna. I have to be flexible, right, I have to work with this person. I have to make this work and I'm gonna do everything I can to make it work, because it's in my best interest to make it work. 

0:31:11 - Mehmet
Right 100% now, because we cover here on the show sometimes you know startups, and Some of these startups will be tech startups, right, and they would need to have people on the ground like yourself or myself back in the days as s e's. How important, from your experience j because you've been doing this for a long time is to have this communication between the field and you know the engineers, and what I mean the engineers here, the people who write the code, and you know, like the, anyone who's reporting to the cto of the company, and Maybe we are discussing it because we have experience in it, but for any technical founder or someone new to this, I believe they need to to learn about this part about getting the feedback from the field through s e's. So what's? 

0:32:06 - Jason
your experience. Now it's very important because you're, if you're in the, the cto role, your s e's are your troops. They are in the front lines and they're in the battlefield and they're going to be seeing things that you may not see because you're just not at that. You know, if you're, you're and again, everyone has their function enroll right. So the s e's function is really to get in front of clients and test and and do proof of values where you're doing the technical validation. But as a result, because, like I mentioned, the s e's are seeing many different environments, they're going to get exposure to things that the the team in hq may not just may not see. So you're going to want to get that feedback, not only about the technology but about your clients and customers, because, again, the needs of someone in health care is going to be different from the needs of someone in in retail, who's going to be different from the needs of someone in in industry or or whichever, and getting that feedback will allow you to make the appropriate business decisions. So, for example, maybe to hit a certain industry vertical, that industry vertical is giving feedback to your s e's that we need function a, b and c. You can now make a decision of well, is function a, b and c A viable path to integrate into this tool or technology? 

Well, it's going to cost this much? Okay, it's going to cost this much and take this amount of time. But if we do that, the amount of Potential revenue that we can get from this industry vertical is large. Well, then it's worth the investment. But if it's not, then maybe we don't do it yet, maybe we, we, we, we deprioritize it. So all that information is going to be coming through your s? E's, because they're going to be the ones Interfacing with customers and clients on a continual basis. 

0:33:51 - Mehmet
100 and I always have. You know something I keep repeating and telling If you are a cto into a b2b space, you know you're lucky because you have, or you will have, hopefully s e's, which are, as you mentioned, j your troops in the field who are Getting you all the feedbacks. And you know, because in a b2c it's very hard to do it because you can't really you need to do like market research. You need, you need to to send someone you know Do mystery shopping and you need to do all these things and you're not sure actually, because you're you know you're talking to. You know like it depends on the sampling that you are using. You know you, you never know right, so so it takes more time. 

And you know you need to do a lot of a b testing, while in b2b s e's they are filtering all this to you because you know, after a while, especially if you are a new product, you know in couple of months that you start to get the same feedback as you mentioned. 

For example hey, listen, people are asking for this feature and now it's not like not one, not two, not three. I have like six customers which say, if you have this feature, I would consider buying your product right, and then this will help the CTO to prioritize. It will have the product management team to prioritize and, by the way, this is maybe one thing we didn't mention, jay is like the SES communicate not only with the I mean from internal perspective, not only with the sales rep and the CTO, whoever like. You talk to product managers, the people who are responsible for the product roadmap, and you speak to you know other colleagues as well. Yeah, so it's a fun one. I would say so from career path perspective, jay. If someone decides to become an SE, like where is the top thing that he or she can reach? 

0:35:45 - Jason
Yeah, it's a well, it's a great question. Is your question more in regards to entering the industry, or where do you go once you are an SE? 

0:35:55 - Mehmet
So once, you are an SE, so where they can see themselves in the future. 

0:35:59 - Jason
Oh yeah, I mean there's a couple of different things. You could grow into leadership, which is leading a team, and that has two different aspects as well, right, whether you're inheriting a team, which is a unique challenge, or if you're building a team, which is also a unique challenge, that's one thing. Or you can end up growing into what's called like organizations typically have like a specialist role, meaning you are the man or the woman or whatever. You are the person, right, that is the subject matter expert. You are the person that everybody goes to, all the SEs go to, right, that could be I've heard that called principle in certain organizations a principle SE, advisory, se, so you can be the top person. And that is also unique, because sometimes these roles are global, right, like you have so much expertise and you know the product so well that, again, you're in a global role now and you help the and you try and work with the largest clients and the most complex environments, and that is another potential path for individuals. 

And sometimes, right, sometimes maybe you just wanna stick to your patch, meaning in the industry. Right, your patch is, again, I'm in California, so it could be the West Coast, it could just be California. Maybe you don't wanna travel so much, you only wanna stick to your region. That's okay, too right and that's. And you can still add a lot of value by working in an individual region, because there's still a need there, right For SE and for technical support and technical sales validation Great great, and I agree with you also as well here, jay, like okay, so we talked about how it's similar to be in a startup mode when you work as an SE. 

0:37:58 - Mehmet
But from also personality perspective, I would say how you know, especially for you because you live on the West Coast and majority of the time these startups would be there. So how that, I can say, shaped also your choices when joining companies, like, did you prefer to be in established places where everything is set up and everyone knows how things go and there are processes and so on, or do you prefer to have, say, not the challenge but let's say, the struggles and these all nice things that happen in the startup? So where did you see yourself more? 

0:38:44 - Jason
Yeah, it's absolutely. There's differences and I don't think that one is better than the other. It's all what's good for you at your current point in your life to make that decision right, and I had never I'm working for. You can consider Pintera almost a scale up now, like we grew tremendously in the last two years that I've been here. Those, like I said, they're unique challenges for each. There's challenges in each case. 

If you are working or you go to work for as an SE for a very established company, that means that that company has processes and procedures already established. But it also may mean that the technology that you're engineering and telling may be in a saturated market, right, which is its own challenge. Because now, every time you go into a client, you're gonna get into a knife fight with competitors, and that's that could be. That's challenging, right? As opposed to you work for a startup, right? Okay, now you're in a new world. But also the challenge there is that no one you're maybe working with such a new technology that no one knows what you even do, and that's a challenge in itself. So it all depends on what challenges you want. I think that if you're looking to really push the limits of what you can do from a creativity perspective and understand exactly and you wanna be, you wanna have more of a say or more of an impact. 

Moving into a startup or a smaller organization gives you more of an opportunity to do so, because things that you create or the processes that you develop, or just the work that you do, may have a bigger impact because there's not that many people there in the organization to begin with, and that can be very rewarding and it can also be very stressful because there's not many people. Everyone can be strapped right. It could be like everyone could be in many different directions. So it's a double-edged sword, as we say. Right, there's benefits and there's also challenges, but I don't think there's any. I don't think there's a wrong answer. 

Right For someone. Here's what I would say, though right For someone entering and trying to first become an SE. I wouldn't necessarily go to a startup, because startups do require you to have more experience, but, again, because there's not many things established as processes, procedures established. So I would, if you were first getting into the industry, I would go to somewhere, an organization that's a little bit larger, that could. You could take your time with onboarding and just get a little bit more flexibility with learning the ropes of being a sales engineer, wherever that is. 

0:41:27 - Mehmet
Yeah, and just to the point, because I remember, you know and there's another story here so you, we talked about startup scale ups and you are in the US, so usually when these startup scale ups comes to our region here, so we are starting up all again, right? So, because you have to start from zero and I remember myself on many occasions in all the you know the companies that I had the honor and privilege to work with. You know, I was not only the SE, so, yeah, I joined as an SE, but I found out myself being the marketing guy, I found myself to be the sales rep, I found myself being even, you know, the, the, the white paper guy who's writing a white paper to be published on the company website, and I found myself to be the speaker on the stage and it's is it. Was it stressful? Like I was getting tired, yeah, sometimes, but it was very, very rewarding actually, because you know, and you know when, to your point, when you start to build also yourself things, because you know you don't have time to do many things at the same time, so you need to start to automate or delegate, I would say so I was lucky enough, you know, to say okay, if I spot something which is, you know, getting repeated money, many times the first question I ask how I can automate this. Can I build something that I can automate this, whether maybe it's a simple script, you know that I can run and I keep it on autopilot, or maybe it's something more advanced that I can build, and this was always my motivation. Yeah, like, okay, I'm getting tired, but this will be rewarding. I'm learning new things. 100% on this. 

Now, you know, I know, like we talked about the place you work at today pay Pantera and you know what, when I go to the website, the thing that I see is automated security and we are just I just mentioned automation. So what is the story of automation? And you know where do you see that? Only with Pantera. So where do you see the automation in the whole cybersecurity? Coming back, you know to the roots, as they say, and you know the thing that everyone talks about today, the AI. What's happening? 

0:43:31 - Jason
Tell me yeah, yeah, it's. 

It's a very unique time that we're living in in regards to cyber and, again, AI automation. I think that the AI let's talk about AI first and then I'll say why it's relevant for automation in general. And just trying to be quick, I think what we're seeing with AI AI is really cool. Right, I can go on, I could generate cool images, I could do all this stuff, but we're already seeing cases of AI generating polymorphic malware, malware that changes on a man and things like that. And my gosh, like if I'm a CISO, I am nervous because that means my team that's already working hard now have to deal with everything that comes along with AI and the quickness that happens with AI. 

And in the industry, we have something that's called dwell time. Dwell time is the point at which an intrusion or attack begins up until which that intrusion is found or discovered, and trying to minimize that dwell time is is the goal of a security practitioner. Why is it relevant for the discussion? Well, now think about it. If you have AI and attackers are going to be using AI or processes to speed them up, they're going to be doing and performing things much more quickly, which means that the dwell time is going to increase. If you're trying to protect your organization, that's tough Now, where orchestration, automation and things like that can help. 

And this is my founder for Pentara, ark Liebersen. He had this. He called the Eureka moment, where he was on the red team for the state of Israel performing these red teaming tests, and he said you know, I could wrap this up in automation and the things that I had been doing time and time again. I can. I can wrap up and automate it and help teams become quicker in their testing. So let's bring it back to our conversation about dwell time. So if attackers are now speeding up their processes and they're being quick, and we need to speed up our testing as well, because if we test and we wrap automation into testing and we're continuously testing, we now have the ability to understand. 

It goes back to are those layers working right? And yes, it is, yes, it is, yes, it is, yes, it is. We know we're in a better place. I could, I could sleep a little bit better at night knowing that, but this is exactly the challenge. Ai is here, it's not going anywhere, and now we need to leverage the same type of automation and speed and agility in our own testing, whether it's defensive or offensive, to make sure that our security posture is keeping up to speed with the attackers. We don't want to fall behind. Falling behind I think we're already behind. Attackers do a very good job of working together and doing stuff on the dark web. It's kind of crazy, true? We, as security practitioners, need to make sure we're running as fast as possible, and it's hard. It's very, very hard. 

0:46:24 - Mehmet
Yeah, 100%. And again, I always feel with because I have some of them that are my friends, I feel, with CISOs or anyone who works in the cybersecurity, on the customer side. Guys, you know, like, really and I'm not making here any joke about it Really you guys, you deserve a, you know, appreciation from everyone. I know that usually your efforts are not seen, but to chase point, like you know, sometimes, yes, you don't sleep well at night because you're always thinking what could happen and you know, always, this is why we try to get these new technologies, leverage the technologies. And you mentioned something very good, just kind of a fun, and you know my old boss. He used to, you know, to make joke when he's used to start discussion with the customers and he used to say you know, like these hackers, actually they are like us, they are, they have families and you know they have kids and they need to bring income to the home, right, so they need to be one step ahead of everyone else. And actually he was saying it as a joke, but it's a fact. 

These guys always are trying and they leverage the technology and actually, because they are, they fall in in in the famous chart in the early adopters, by the way. So once they see something, they are the first ones to go and try it out. Like, as organizations, we we don't adopt technologies as you would be fast. We wait for the early adopters to tell us, okay, this is a tested technology, trusted technology, and wait sometimes one, two, three, four years until we say, yeah, let's try this. But now, with AI, I think things are changing, jay, dramatically I would say dramatically and let's see what will happen. Jay, like we are almost done. I'm just thinking did I miss something? Is there anything that I should have asked you? 

0:48:19 - Jason
No, I don't. I don't think so. I think this is a. It's been a great conversation chat with you about, about these different topics. I think you know where I would close this out is just encourage everyone to remain vigilant with with their own, with their own cybersecurity, meaning you know, make sure that you're not clicking link, doing the basic stuff. But the basic stuff goes a long way, right, even when we look at social engineering goes a long way. Remember that you could be the entry point into the organization. Remember that your identity matters. Remember that what you do can have a large impact on on things. So I would conclude with that. I really appreciate you taking the time out and asking me a bunch of these questions. It's been. It's been a. It's been great. 

Where people can find more about you, Jay, you can find me on LinkedIn. So on LinkedIn, my name is Jason Martang. My name is very unique, so it's mar-tang. I again, I work for Pentara security. You can find Pentara at pentaraio and I'd love to chat more, whether it's about technology, anything else, or about Pentara or anything, even your security posture. Let's have a chat, because the more we talk amongst ourselves as security professionals, the better off we'll be because there's always something to learn and we can always be doing a better job 100%. 

0:49:43 - Mehmet
I will make sure that I will keep the links in in the show notes and you know this is how I usually end my episodes. First of all, jay, I really appreciate you took out the busy time. You're on a busy schedule, so you took out the time this morning for you in in Los Angeles and for my audience. Guys, like, really I'm appreciating and I'm loving reading the feedbacks and reviews. Keep them coming. 

Don't be shy. Like if you, if something you don't like it, like let me know about it. Like if you want me to focus on something, I never get a guest about it. Also, don't worry, you know I have now the capacity to to you know, to get my hands on anyone, I would say, to talk about a topic which, for instance, so for you, which related, of course, to the show. And, of course, thank you very much for, as I said, leaving the feedback, leaving the reviews and also don't hesitate to reach out, even if you want to be a guest. Like, time zones are not a any issues. Like there's 11 hours between me and Jay. I had a guest who's in New Zealand, japan, you know, all over the world. So time zones is not the issue and thank you very much for tuning in and we'll meet again very soon. Thank you, bye, bye. 

Transcribed by https://podium.page