Dave Nuti, Head of Channels North America at Open Systems, on How to Execute Security Like a Fortune 100 Company

Businesses have a core responsibility to protect their users’ information and employee information. When it comes to security, oftentimes, business leaders tend to believe that they are not at risk of a security breach. In this episode of the podcast, Max Clark speaks with Dave Nuti, the Head of Channels North America at Open Systems. Dave offers insight on how the Open Systems platform can help ensure that companies’ environments and their investments are protected and that they are doing it as efficiently as possible so they can execute like a Fortune 100 Company without having to endure the expense.

Episode Transcript:

INTRO: [00:00] Welcome to the Tech in 20 Minutes podcast, where you’ll meet new tech vendors and learn how they can help your business. At ITBroker.com, we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before.

Max: [00:18] I’m Max Clark and I’m with Dave Nuti, with Open Systems. Dave, thanks for joining.

Dave: [00:23] Thanks for having me, Max! I appreciate it.

Max: [00:26] So Dave, what does Open Systems do?

Dave: [00:29] Open Systems at a macro level, we solve some heavy problems for the enterprise. We solve the vendor sprawl, we solve talent shortage, we essentially allow our customers, when it comes to security and network operations, get to desired and required outcomes. And in many cases, avoid having to do construction and building silos and empires of technology and talent technology management at a very high level for the mid-large enterprise.

Max: [01:00] So, what is vendor sprawl?

Dave: [01:03] When it comes to being able to execute well when it comes to cybersecurity and network management, on average there’s as many as forty-five to fifty different technology suppliers in the average enterprise environment that teams within the company are then responsible for. Service chaining and unifying and patching together and having expertise on staff to be able to continually manage and update and evolve, and it has become – it’s the reason that managed services and IT security is the fastest growing space in all of IT right now, is the challenges that are associated with that and the expectations on an individual company to execute on that are almost completely unrealistic at this point.

Max: [01:44] So when you say, I mean – forty-five suppliers in an IT environment, I think like, “oh, security: firewall, antivirus, maybe you’ve got a centralized logging system.” What are you guys actually displacing or augmenting when you say forty-five to fifty suppliers?

Dave: [01:58] Yeah, oftentimes where the conversation immediately runs to in your mind is the traditional endpoint solution; preventing people getting in, a firewall, antivirus, et cetera. Really what’s happened is as companies have moved to embrace managed services, cloud services, software as a service, remote users as opposed to being physically in the office, especially around this point in time, there’s such a diversity of endpoints that need to be accounted for when it comes to the network from a security posture, that the conversation is far beyond “I have a new firewall”. This is the sophistication of threats and the threat types that are out there now require not only to be able to button up and secure your physical edge and your office where you have people, but how are you delivering that same set of rules, requirements and policy to every user, to every type of centralized information resource that they’re utilizing, without compromise. And so, when you start trying to accommodate all those variances, where a user can be in the application they’re trying to access, it takes a very – they’re all excellent technologies. There’s not a worthless set of technology out there within the ecosystem that needs to reform, what becomes incredibly difficult is allowing those separate point solutions to see each other, share policy, make sure patching one doesn’t break another, installing one doesn’t open a threat for another. And so, these services like in Open Systems, we solve all that. We’ve pre-architected that for our customers. They don’t have to do any of that in a platform that not only continually manages that environment for the customer to get them to the outcomes, not the noise, but where they need to be, and then continually monitor and support that for them going forward.
If you really boil down to how a company is evaluated on their security posture, it has nothing to do with how many different boxes they can buy, how many people of diverse talents they can hire, and staff and try to maintain this day and age. Those aren’t the requirements, the requirements are around protecting IP, the environment, being compliant to government and industry requirements and delivering an efficient environment for employees to execute within. Those are the meaningful desired outcomes that we help our customers get to.

Max: [04:14] So, are you managing customer solutions or are you replacing what they have? If I have a Palo Alto firewall, are you managing the Palo Alto firewall, do you replace the firewall? If I have antivirus, do you manage that, do you replace it? What does this actually mean for somebody, talking to or thinking about Open Systems?

Dave: [04:29] Yeah, think of Open Systems as – we sell one product, it’s the Open Systems platform. This platform is in an environment that we manage. It’s our cloud native environment, where we have already unified things like firewall, web proxy, email gateways, EDR, MDR, CASB, SIM, whether you know those acronyms or not isn’t as important as understanding that… When we engage with a customer, we’re not building something for them from scratch, we have already built and designed that environment to be delivered as a managed service, and then also have the management and monitoring and maintenance that comes along with it. Now, most customers that we engage with have a jagged edge attached to them – they’ve already made a recent capital investment, they have a subscription that they’re committed to living out, so we’re able to co-exist with these things. So, to circle back to the question, we’re not going to take over management of hardware that a customer already has on site, but we will provide a very clear and very valuable opportunity – a fork in the road – when something like an existing firewall goes end of life, to tell our customers that they don’t have to continue down that cycle. There’s no reason to continually buy boxes and maintenance agreements and upgrade or rotate those every few years, when you can implement a platform that not only delivers as a managed service that never goes end of life and never becomes obsolete, but also is fully unifying that technology stack with everything else within the security and that environment. The return on investment on efficiencies and hard costs and execution are enormous for our customers. 

Max: [06:09] So, I mean we got into this talking about vendor sprawl, right? But ultimately, you’re a security company. So, your problem that you’re solving is that you’re improving security for your customers and you bring a lot of auxiliary benefits. Those benefits are that they don’t have to manage multiple vendors, they don’t have to buy boxes, they don’t have to integrate systems anymore. I mean, is that correct, am I understanding this properly?

Dave: [06:29] It is, I like the way that you structure the question, because ultimately, we are what we are because of our customers. This security as a service platform at Open Systems began in 1999, so when a new enterprise engages with us, what they’re looking at is over twenty years of accumulated, large enterprise and mid-size enterprise feedback. Automation and best practice are already fully matured in this single environment. So, this started off – we start off selling firewalls in the nineties to global enterprises, and our customers began asking us, can we just deliver that as a fully managed service? So, the team of Dev Ops Engineers from Open Systems went to work in ’99 and cannibalized a hardware business and started doing firewalls as a managed service, and then as that began to grow, our customers began asking us, can you do a web proxy for us? Absolutely, we can. Can you do a secure email gateway? And so, thus began the twenty-year journey of continually adding in capability and what ended up happening about ten, twelve years ago, is they started asking us, can you do our network routing for us? Can you do path selection? Can you do hybrid networking? We’d like to do less private network, more internet-based networking because of application origins. Can you put this capability in the cloud for us? And so, we grew up alongside our customers and alongside all these migrations to where the modern enterprise executes today, so when a customer comes and talks to us today, we’re actually – this isn’t a closed off echo chamber of what we think you should do. They’re actually looking at twenty years of accumulated best practice, fully refined, automated and matured – ready to go out of the gate immediately, for an end customer it’s – if you’ve held out until today to talk to Open Systems, you’re a beneficiary of that result. 

Max: [08:26] I don’t think that most business leaders really are thinking about security in the sense of “I need to replace what we already have,” or “we’re not protected,” or you know, “we already have this equipment.” So, what would be something for them to self-diagnose or to be able to ask their teams, to qualify? Do we need to talk to Open Systems? How would they know by looking at their organization or their company, that this is something that they should address or think about?

Dave: [08:50] Yeah, it’s interesting and you’re exactly correct. I love it, just a few weeks back we had a CISO come visit us at our SOC in California and he sat in the room and said, “I have no business being in the security business,” and this person is in charge of 35,000 concurrent users. I asked him to qualify what that meant, he said – look, we touched on this previously – I’m not measured by how recently I bought boxes. Do I need to buy new ones, or how often am I patching. Those aren’t the conversations I have on an executive level with the CFO and CEO. They want to know and be able to see very clean and desired outcomes that we are protecting our intellectual property, we’re protecting our environment, our users, and we’re compliant to things like – in California, CCPA or GDPR – and that the way we’re executing that. I have an audit trail that – in many ways, cybersecurity is an insurance policy, in many ways it’s protection, it’s something that’s consistently working for you, but when it’s working really, really well, you don’t hear about it. It’s because it’s taken care of what needs to be taken care of. So, the business owner like you said, isn’t necessarily losing sleep over “boy, I should really go and buy new firewalls,” as much as it is that they want to know that their environment and their investment is protected and they’re doing it as efficiently as possible, and leveraging it in a way that for us, with a customer utilizing us, we allow that mid-size company to execute like a Fortune 100 without having to go and endure the expense and time of having to go and do it. 

Max: [10:28] I mean, what are the stakes? What happens if somebody doesn’t solve this problem of security and you know, continues their status quo?

Dave: [10:36] I mean, it’s devastating in a number of ways. Right now, there are clear compliance requirements, and if you don’t satisfy them you will be fined. There’s a monetary result that doesn’t even involve being breached, but there’s a core responsibility to understand from a certification point that you are doing what you’re required to do to protect user information, employee information, et cetera. But when it comes to security itself, everyone loves to believe that the bad guys aren’t interested in them. That’s always one of the most painful hindsight conversations you can have, because once something has already happened, it’s happened. And that’s where that kind of, insurance conversation comes into play. So, oftentimes people mischaracterize what the bad actors are out there doing. The bad actors are collaborating like crazy on how to breach your environment. They’re working together, they share their tools online, they have communities and pooling their expertise and we have a product manager that put it great, he said “why aren’t the good guys collaborating? Why isn’t an enterprise collaborating with someone like Open Systems that’s been doing this for over twenty years for thousands of deployments all around the world, and you can immediately leverage that kind of expertise in protection, and have that ongoing on a collaboration for you, without trying to build it yourself.” So, bad actors aren’t out there – the movies make it look very interesting – they’re not out there trying to break into people’s bank accounts. Sometimes I’ve seen, you’re just locked out of resources that you already own. How would you like to not be able to access your customer database? Not be able to generate quotes? Not be able to – in the city’s case – close real estate transactions, or use your voicemail system? 
Imagine the disruption that causes, it’s oftentimes something simple like that because security has gone unchecked and they’ve allowed someone to loiter long enough in their environment to execute something like that.

Max: [12:36] So, Open Systems has an approach of your own platform, your own integration, your own tooling, your own intellectual property that you’ve built. There’s other security companies in the market that are integrators, they’ll go out and they’ll take and buy the boxes, they’ll help companies splice all these pieces together. Why advocate for the Open Systems’ approach? Why is your way better than other ways?

Dave: [12:56] We deliver it as a sole provider. There are plenty of companies out there that will try and construct something from scratch for you, and that’s no different from trying to go and do it yourself at the end of the day. For Open Systems, the word ‘unified’, when we use that, you’re talking about something incredibly innovative when you use that word with Open Systems. This environment already fully exists. Like, we just want to know how to configure it for our customers and what they need at the level they need it, but what we also deliver – and this is critical – is a cooperation model that goes along with it. This is not configuring technology and dumping it on site and having a customer up and running. We are co-managing that environment and bringing to the table the ongoing monitoring and support that goes along with it. Within any system, the technology alone is not enough. You are only as good as the day you put that technology on the ground, if you don’t have the ability to continuously monitor what’s happening in the environment and take what you learned, and re-apply it back to the technology layer, on a continuous cycle. Monitoring and detection, security operations centre – SOC, as it’s called – that’s what that is. The only way for that to effectively be in place is number one, it’s done 24×7, it’s being done by security expertise, and that expertise is heavily enhanced by automation tools that we hear about: AI, machine learning. Those things are very real in the cybersecurity space. They help security experts to isolate the general noise of the environment and have those things auto-resolve by automation and understand what is a unique bad behaviour, a unique occurrence on the network that needs to be contained, stop, investigated, shut down, and then have that learning re-applied back to the technology. So, the next time it shows up, it can’t get through. These are the things like – zero-day threats – that we hear about all the time.
So, that fresh technology you’ve just put on the ground is as good as the last software patch that was made for it, but those bad guys are collaborating on how to get around that all the time, until you can get that next patch in place. We get to give that knowledge on an aggregate basis, and that’s the advantage to our customers.

Max: [15:16] I mean really, what you’re talking about is all of your customers benefit from all of your other customers and the experiences that they’re seeing, and what’s happening across the entire Open Systems platform? So, this is an aggregated, rolled up, improving everything kind of story?

Dave: [15:31] Absolutely correct, and when you look at our customers – you’re talking about global financial companies, global manufacturing, pharmaceuticals, et cetera. When you see the NASCAR slide of companies that utilize Open Systems, you’re going to realize very quickly that there’s no compromise. They’re not compromising the quality of their security and capabilities by utilizing Open Systems, it’s actually just the opposite. They’re getting the absolute best bang for their investment by using expertise – I like putting it this way: for those that are out there looking to do this themselves, I have bad news for you. The best cybersecurity people in the world want to come and work for Open Systems, not for you, because as they’re looking to build their value, working in this environment and bringing their talents to an environment that specializes and focuses on cybersecurity, that’s incredibly valuable for them. The good news is that our model is designed for you to have them as a resource without having to go and try and hire and build it yourself. It’s a beautiful aggregate model where all those best practices are just constantly refined.

Max: [16:37] So today, post-COVID remote work and distributed workforce has become very important. It has always been important but now it’s really important right, for everybody overnight? You guys, what do you do for a remote or distributed workforce? Is this something that you can still protect, now that people have moved out of their offices?

Dave: [16:52] Yeah, that portion of our platform we call mobile entry point for the remote users is coming in, and this is actually a really good part of the conversation. Over the last month or so I think we’ve enabled another hundred thousand remote users to access their corporate assets through mobile entry point on Open Systems. Here’s the real key thing to this: it’s not just about providing a VPN connection for a user to dial-in, it’s that when you shift eighty percent of your security monitoring from what is usually on-prem at physical office or plant locations, whatever it may be, and all of a sudden all those endpoints become wildly distributed and the monitoring and detection needs to shift to put eyes on that type of traffic as opposed to the other. That’s why it becomes so valuable to have the security layer see the network layer, and understand when those shifts take place and be able to dynamically move, awareness that I have a lot more traffic coming in from users from their living rooms and bedrooms than I used to. And so, for us, for our customers, that was seamless. It’s a core part of what we do that we treat a user coming from their house with the exact same set of ruleset and requirements as a user sitting in their corporate headquarters. There’s no difference, but that is the great challenge, also. It’s how do I have an equal, identical set of rules and policy for every user coming into our most valuable information, and that’s what Open Systems solves. It doesn’t matter where the user is coming from, it doesn’t matter where the end destination is for the information that they’re trying to utilize to do their job. Everyone passes through the same set of rules and everyone gets the same set of you know, scrutiny, investigation and monitoring for nefarious bad action, bad behavior, et cetera, that’s part of a SOC operation.

Max: [18:49] When you say “the largest global brands”, and after seeing your slide deck of customers, my immediate reaction is that Open Systems must be very expensive, and that you have to be a big company in order to engage and become an Open Systems customer. So, what does this mean actually in the real world? What size organizations do you support? How small can you support, how do you price? I mean, how does this work?

Dave: [19:14] That’s such a great question, and it’s so important to look at this from a market level. When you look at market disruption, and you look at really what I consider to be the two biggest pillars of disruption when it comes to a purchase. Number one, it’s service convergence: can I deal with one company instead of fifteen. There’s obvious returns there. Secondarily, it’s as a service. The as a service piece is what I circle back to on the pricing model. That’s the beauty of using as a service models – they can be scaled to your requirements. Whether you are mid-size, whether you are large, global enterprise, we do… To directly answer the question, our pricing depends on users and locations. So, just by definition, we scale our service to the exact size of the customer, this is not out of reach for our customer. So, where we rest in a BAS is – if I had to put guardrails on it – I’d say ten or more locations, five hundred or more users, and there’s some on the very low end, and there’s no caps on the high end in the way that we scale for our customers.

Max: [20:21] I mean, what’s the pricing range. If for a ten location, thousand user company… What’s the kind of range I should be thinking about or be prepared for?

Dave: [20:29] I mean, the other component that goes into the pricing is what you’re using us for. We’re not going to charge you for service capabilities that we deliver but that can range anywhere from ten bucks a user to sixty bucks a user; it will vary quite a bit, but I think the most important thing is that it’s going to be precisely right sized to the amount of services that you’re using from us, and which particular services you’re using from us, completely configured to the outcome. And what’s usually interesting when we engage with a  customer is that they have in their mind what they think that they know and then when we get to sit down and say “well, here’s some best practices, viewpoints and how we’ve been doing this for customers for years, and the way that – don’t leave the mobile users behind, don’t leave an email gateway or O365 behind that we can integrate with the web proxy.” They’ll start to discover other areas where they can get a very quick, large return on being able to aggregate some of the intelligence into a single platform that’s actually using – in many cases – some of the suppliers out there they’re actually familiar with. We’re all about that end outcome and making sure that from a pricing and configuration perspective, it’s exactly right sized to what the customer wants. We don’t lose anything on price, so to speak. If you’re a really small company, you’ll generally have a tolerance level of being willing to deal with it yourself until you discover pain points that you just can’t accommodate, and we’re doing some things that may move us downstream, but there are other solutions out there that are a little lighter lifting than Open Systems for the small businesses to go after.

Max: [22:05] Last question, Dave. So, can an enterprise try you before signing a contract, do you have an evaluation period, proof of concept, demo? I mean, what does that look like from an engagement standpoint?

Dave: [22:16] Proof of concept for us is standard operating procedure. Once we’ve identified – and this ties nicely into your price question – is that we don’t even want to go to proof of concept until you fully understand what the pricing model is going to look like on Open Systems, because we want to go to proof of concept with enthusiasm on both sides for it to be effective and work and do what we say it’s going to do with the objective of quickly transitioning to full deployment because we’re totally transparent on what the pricing model’s going to look like at the end of the day. 

Max: [22:49] Awesome, Dave. Thank you very much.

Dave: [22:50] My pleasure Max, thanks for having me.

OUTRO: [22:52] Thanks for joining the Tech in 20 Minutes podcast. At ITBroker.com we believe that tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of. We can help you buy the right tech for your business. Visit us at ITBroker.com to schedule an intro call.