
EPISODE 1: Greg Notch


This week, we speak with Greg Notch, the CISO of Expel, a recognized leader in managed detection & response. We start with Greg's background and then delve into the world of MDR and what he looks for in new technology.




Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.


Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.


Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.


TRANSCRIPT

[00:00:00] Lucas Nelson: Hi. Welcome to the first episode of Adventures in InfoSec, a podcast where we explore cybersecurity through the people leading the field. Today we, I have the pleasure of bringing out my good friend Greg Notch. I've been lucky to know him for a number of years. He's most recently the CISO of Expel, which is a managed security services provider.

According to Gartner, it is the leading managed security services provider, I believe. So, hi Greg. How are you?

[00:00:24] Greg Notch: Good. How are you doing Lucas? Good to be here.

[00:00:27] Lucas Nelson: Well, thank you for coming. So I thought we might start with, you know, your history, how did you get into InfoSec? And so, you know, start kind at the beginning and I'd love to dive in there.

And then I wanna talk a bit about your current company and what you're seeing in the future.

[00:00:40] Greg Notch: I, I started life in technology as a Unix sysadmin, like a lot of us. So fixing Solaris boxes and building Linux servers early. And I moved on to building infrastructure for a bunch of companies. In the early years of this stuff, security was sort of part of, at least the defensive side of security was part of the infrastructure and networking teams.

So that background in networking, a background in infrastructure and systems, was always part of the, part of the role. I think there was that massive sea change in about what, 2013, when the Sony breach happened, where it went from like a side hustle your infrastructure and networking team went to, to something the board was paying attention to.

And at that time I was working for the NHL and I had brought up multiple times, like, Hey, we really need to build a function that's responsible for this. You should probably hire a CISO and this is what they should look like. This is what they're gonna need from a budget perspective. This is what they should buy.

Who's who they should hire that sort of thing. And they said, great. Why don't you do that? And to which I responded, are you sure? Like, do you want to hire somebody who's actually done this before? And they're like, no. You know, our infrastructure, you know, our business. Like, you know, go ahead and build a program.

So really, you know, interestingly, my first real security job was as a CISO and which is a little terrifying. What I'd quickly discovered was that the products in the market and how the market thought about security was different than the engineering background that I was bringing to it.

And I think that's where you and I met and like have had, you know, great fun for the past bunch of years of figuring out how to make this work together.

[00:02:22] Lucas Nelson: Awesome. Okay. So I really do wanna dive into that before we move on to your current role. So you know, gimme an idea of how big the tech team was when you started at the NHL and then, you know, what did the security group look like, kind of when you left.

The NHL is a great brand, but I don't know their technology stack and, you know, how many people do tech there.

[00:02:42] Greg Notch: Sure. I mean, it's a, it's a hundred year old company with 40 years of technology is probably the first thing to note. You know, everything from AS400s to like advanced cloud and streaming infrastructure.

And now I understand NFTs and, and other blockchain initiatives, so it has a gamut of infrastructure as far as team size goes. It was pretty lean, you know, you had a service organization that, you know, sort of was a support function that was maybe a dozen people when I got there, the entire engineering and DevOps team, and you know, the software development team was definitely a two pizza team. You know, it was not large. There was no dedicated information security team. There was no dedicated DevOps team, and those are, or even really a dedicated networking team, and those are all five to six people now. The security team's about six people now I think. So, it definitely grew in the 15 years that I was there, but it was still not a, you know, it's not a dynasty by any, by any measure.

[00:03:47] Lucas Nelson: No. So you, you, I mean, you got to boot up a security org from scratch. You know, for people who want to know, you know, what things do, you're like, yep, I did that exactly right.

And hey, I wish I had known, you know what I know now back then.

[00:04:01] Greg Notch: Sure. I think the thing that I did right was sort of question the status quo thinking on it. Because there's a lot of assumptions that were made for companies that weren't shaped like the NHL. I think the vast majority of security products, I mean, we're going back, you know, over a decade now and, and it's still true in some cases.

The tools are made for big security teams and big companies that have big budgets and large teams to manage. And if you don't have those things, the problems look different to you. Like every tool you buy, you need somebody to manage it at some level and if you need to buy eight tools to cover your risk, like all of a sudden you're staring down the barrel of these really large organizations and you know, so I think that was one thing that I got right away was to not just go with, I'm gonna build a SIEM and like hire an MSSP to run this for me because that was not a model that was gonna work for us.

I think things I got wrong were being a little too conservative on the staffing too early. I probably should have hired some more help earlier. There was a lot like it, it extended the runway. It extended how long it took to really get, you know, up on my skis. And I was lucky that I had found some good vendors to help me along with that.

I think also understanding early like I think every technical CISO makes this mistake, which is trying to explain deeply technical problems and risks to people that are not technical. I had a moment where I was trying to explain a malware kill chain to our CFO and general counsel, and that's not recommended. Don't do that. So I think, you know, early, early growing pains in all those areas.

[00:05:41] Lucas Nelson: So you just mentioned MSPs and, and how you weren't using them then you started to use one and now you're at one. Do you want to talk about that journey?

[00:05:51] Greg Notch: Sure. Well, at the time that I had, as that I was looking for an MSSP, your choices were effectively, you know, larger staid organizations who dictated your security control set as well as, and sort of the implementation of it.

And it makes perfect sense. The reason they had to, they had huge staffs of SOCs and so their training costs to implement a new technology were big. They needed to, they needed to have a homogenous security stack across all of their customers in order for the economics of running that business to work.

This is of course something I didn't understand then, but now, you know, intimately understand now that I work in the business. But it, from a customer perspective, that was not what I wanted. I wanted to pick the tools that I wanted to use, and I wanted to find a company that was gonna help me leverage that.

And I didn't wanna staff a 24/7 SOC because hackers don't sleep. And so this was the business problem I was solving. You know, early on that was one of the things that I came to venture specifically you and others for like, Hey, this is a problem I need to solve. What do you got?

And so the incumbents didn't meet my needs that, you know, they're perfectly fine companies, but they just, they weren't gonna meet the needs that we had. And we, I, I don't think you and I spent a lot of time talking about this, but have ultimately found the, the folks that were starting Expel and said, you know, this is kind of, our visions are, are aligned.

This is what I know, I wanna work on this. And we ended up becoming Expel's first customer. And that's how I got to know them and, to really intimately understand the space. And you know, much like the Remington ads from the nineties, I liked it so much I joined the company.

But that moment was really more driven out of like, I want to figure out how to help as many other companies who were in the same position that I was in at the NHL. Like, hey, look, whether you use Expel or you use someone else, it doesn't matter. Like I'm driven by the desire to see companies improve their security posture. Not in a compliance checkbox way, but in a, like, let's, let's make this real for you. And so you know, I was lucky enough to be able to join and continue the mission here.

[00:07:58] Lucas Nelson: Awesome. So you've done a bunch of work with startups. There are a bunch of advantages to that.

I know them, but, you know, for the audience, you know, why work with startups? Especially when you might be a smaller team as opposed to the IBMs or Ciscos of the world that are, they're giant.

[00:08:14] Greg Notch: It's a force multiplier. You get to work with the founders. If you're willing to put the effort in, you can work with founders to help shape their product and help it be valuable to your business.

I mean, there's economic reasons. Usually, you get a good deal if you buy early, but that's sort of secondary to the virtuous cycle of, Hey, I work with venture capitalists to find and refine companies that are building solutions that I actually need, because I'm a real customer. And if you can kind of get in that loop, everyone's a winner.

Like, I mean, the Venture Capitalists make money. You get a good product and you improve your security posture. You don't have to hire people because you're effectively getting the benefit of the teams of experts that work at these companies and, you know, the, the company gets a customer and, and you all get to grow together.

Anytime I find a scenario where I can put a bunch of smart people, whether it's mentoring people on my own team or putting a bunch of people together and we can all grow together, that's a that's a position I want to be in.

[00:09:18] Lucas Nelson: Awesome. All right, so let's, let's talk about Expel. You've just recently taken a new job.

So why don't you tell us about Expel, kind of what they do? Because I mentioned broadly it's an MSSP, but that doesn't really specifically say and then, you know, tell us about your role there. And last but not least, you're one of the most technical CISOs I get to hang out with. So, you know, how have you managed to stay kind of technically on top of things as you've gone through this?

[00:09:44] Greg Notch: Sure. So Expel is, I guess Gartner would call it an MDR. We're a little bit more than that. We take telemetry from all kinds of different you know, technologies, be them networking or Cloud or SaaS. So the categories are a little weird. But notionally we're what you would call an MSSP. We take in telemetry from your security tooling and we enrich investigations. We respond to incidents in your environment, and we sort of co-manage stuff with your security team. And we are the line that is, well, the thing that I really, I think, sets us apart is how we define where that boundary is between what we do and what you do is flexible.

If you want us to do remediation for you containing endpoints, like we'll do it. If you just want us to be your tier one SOC, we can do that too. If you're, if you're looking for something more full service that spans your endpoints, your cloud, your SaaS, like we've got you covered there too. And I think, you know, we, we try to meet people where they are, and I think that's a really big differentiator from some of the folks that are doing it.

You know, again, no knocking on our competitors, it's just we have a very broad view about how to help people improve their posture. So coming here, it's a sea of change from the NHL right? Like it's a, it's a different kind of company in every way. The problems they have, I mean, we're born in the cloud, we have SaaS platforms, so SaaS security is big for us as a company. Not just, you know, for our customers.

So there's a lot of. It, it's just a different kind of place to try to secure. And the way that we view our customers' data is way different. I mean, our customers trust us with access to the security tools in their environment, period, full stop. And that is an awesome responsibility. And I view that it, it's raised the degree of difficulty for the, for the kind of work that you need to do as a CISO because you're not just defending, you know, the NHL's borders in our arenas and our teams and our customers and our fan data. It's like these are, and we have 200 customers that span a huge number of industries and we have deep access into their network and their security telemetry and all of that.

And that's a thing that securing is, you know, it's, it's important to be very thoughtful about how we do that. So that's the difference and I think the degree of difficulty. What do I do to stay sharp? I mean, I have always maintained a lab in my basement, in the cloud and, you know, to sort of test new security technologies. Make sure that I'm, you know, still writing code a little bit here and there to make sure that I have the ability to understand the security technologies as they're being sold and to be able to tell if they work or not or how they work and be able to understand how they stitch together.

That's always been an engineering passion of mine. And I feel like if you're on the technical side of security, you kind of have to do that otherwise it's very difficult to tell whether a product does what it says on the box and if it's gonna work for you and more importantly, if it's gonna work for you and your environment.

[00:12:59] Lucas Nelson: Awesome. So, let's talk about buying first. I do wanna get to what keeps you up at night, but, you know, as you're evaluating, you know, startups or, or you know, more staid companies, you know, how do you do it? What do you, what do you look for? What you know is the thing that you're like, yep, that thing, you know, scratches my itch. What, are you looking for during the sales cycles?

[00:13:21] Greg Notch: I spend a lot of time thinking before I even get to whether I wanna buy something or not, I really try to get crisp on the problem. A good one that I'm thinking about now is sort of the interplay between all of the, the various SaaS platforms that I have stitched together in my environment.

Slack to Monday to that kind of thing. And so there's a lot of aspects to that problem. There's a ton of noise in that space. There's a ton of companies that are doing things in that space, so I really try to get crisp on, well, what are the security boundaries that I'm concerned about? Are they operational?

Is it technical? Is it a people problem? Like how are there workflows that I need to think about? Are there, you know, processes inside the company? Like if I, if I put up guardrails is like, how is that gonna impact the end users? Like, I put all of this stuff down and I try to use like a, like a vision document for like, okay, here's my deep understanding of the problem.

And then what would good look like for solving that problem? Like before I even get to the, before I even get to what products are available, and then, and then I start picking at like, well, I need something that will do this. And it's, it usually people have gotten there before me and have thinking, have thoughts about it, right?

So there's companies that are being incubated and they're already solving pieces of this. And then I try to build like a model of all of the companies that are in the space that are doing that type of work and how they address the, the problems as I, as I see them. And then, you know, usually a startup will address like 20% or 30% of one aspect of the pro of a problem.

And then I try to figure out what the overlap between them are. And then, you know, figure out which ones, you know, you prioritize, like which things are the most important? Like, do I really care about OAuth tokens in SaaS, or do I really care about my company's data in SaaS? Cool. Let me think about how I'm gonna approach this. And then, you know, often I partner with my friends in venture too to like, well, what are you guys seeing? Like, how do you, how what's, what's the investment thesis? You know, we snicker at sort of the categorization that happens from the analysts, but frankly it's a useful input.

It is like, Hey, how are we categorizing those things? And then, you know, when it gets down to a purchasing decision, it's like, well, how well do you execute against the criteria that we think are yours? And then we go.

[00:15:37] Lucas Nelson: I think you just touched on one of them, but you know, what are the problems that a) keep you up at night and then what are the things where you're like, yeah, I would love someone to go solve that problem.

Right. Like, I'm, I'm cheering for whoever goes after that.

[00:15:51] Greg Notch: A couple. There's a couple. I think the biggest one is I, and, it's a broad bucket, but I'll clarify as SaaS security. And when I say that, I mean, there's a large amount of integrations. If you're a company that looks like Expel or you know, even an older company who's moved a lot of their technology to SaaS, you're inundated with requests from your users to integrate these various SaaS platforms and install plugins. And it's all in the name of like great productivity, but you really have like, you know, a ton of like data interchange. I would say is like a, is like, is a mapping all of the data flows between all of the platforms and, you know, there's a few core ones that you tend to use. You have an HRIS system like Workday. You probably have Slack or Teams or something like that. You have some other core business platforms like Salesforce and data is flowing. People are writing bots to interchange data between them. You have other tools that are layered on top of it for project and program management. And when you take a step back and you look at this like the well, How would I know if a user – I mean, you could pick a look at it from a couple ways.

How, if I was doing incident response and I wanted to know what a malicious user did in my environment, how would I figure that out? Or you could look at it from the perspective of, well, how, how is this particular type of data exposed in my environment? Or, you know, you could take a bunch of views of this problem and it worries me because, you know, you don't wanna have a scenario where you just say no to all of your users all the time, right?

You want to be able to enable them to do, use the tools that they want to use, but it's really hard to evaluate the risk of those decisions, because you can look at them in a vacuum with a three PA process, but you can't like the, oh well I just linked up Jira to Slack.

Well, what's the implication of that? It's like, are there retention policies? So I'm looking for tools that solve pieces of that. I don't think anybody's boiling the ocean on that one yet. Those are, those are things that worry me because I think a lot of those decisions are made without, even by people who really know what they're doing are made without a full understanding of the risk between those of that area.

So that worries me. The second area that I'm thinking a lot about is auth. And I think you've seen Microsoft, Apple, and Google come out and talk about how, you know, phones as tokens and you know what that means for both, I think. There's like Okta has sort of owned the market in this one area, and I think there's room for a next version of that. I think there's room for you know, iteration on how we think about auth. You know, especially in the context of Zero Trust and I, I'm sort of waiting to see how that shakes out over the next, you know, year and those, so those are two areas that I'm sort of keeping an eye on and, and, and worry me a little bit cuz we have heavy reliance on those things and not a clean understanding of the risk.

[00:18:42] Lucas Nelson: Awesome. All right, so with the last minute or two here I'm gonna ask a couple rapid fire questions. And they should be easy, but what's your favorite book?

[00:18:49] Greg Notch: The Count of Monte Cristo.

[00:18:52] Lucas Nelson: Oh, that's an awesome answer. What is your favorite, information medium, like Twitter or podcasts or like what, what do you, how do you get information in and what do you use it?

[00:19:02] Greg Notch: I like talking to people. I mean, the, the, I like, I like the, the, the gathering of minds.

I like the, I like conversations that are in person and back and forth. I, I mean, I consume passively Twitter and LinkedIn and, you know, a whole bunch of blogs and podcasts and that stuff. But if you ask me what I think is the most efficient way to find out about new things is put a bunch of smart people in a room and, maybe give them a meal and then talk about it.

[00:19:34] Lucas Nelson: All right, so then with that is the answer. Last thing you know, where's your favorite place to do that? Is it a convention? Is it just, Nope, I'm gonna invite people over? Like, how, you know, how do you do that?

[00:19:43] Greg Notch: I think it's a lot. I think it's all of it.

You know, a quick beer with some friends after work let's go to Defcon and, you know, have the souped up version of that for, you know, four days in a row. Conferences, you know, are good for that as long as you have like the critical mass of people that you want to talk to. I think all of it is, is good.

Awesome.

[00:20:07] Lucas Nelson: Well, that's everything I've got. Any ads you want to run at the end of this?

[00:20:12] Greg Notch: No, I think we covered it. We did the thing. Awesome.

[00:20:16] Lucas Nelson: Well, thank you my friend. It was excellent to have you on.

[00:20:18] Greg Notch: I appreciate your time. Likewise. Good to see you Lucas.
