Greg Schaffer: Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. Jeremy Krenke joins us today. He is the founder and CEO of Sidewalk Security Advisors and a seasoned security and technology strategist with experience spanning startups, banking, consulting, and advisory leadership. He has built and scaled security, data protection, and security operations. He has an executive MBA from Quantic and a CISSP certification. Jeremy, welcome to the Virtual CISO Moment.
Jeremy Krienke: Hey, thanks, Greg. Glad to be here.
Greg: Glad to have you. Glad to have you in my first time recording this using Linux instead of Windows. And I’ve already messed one thing up. I didn’t quite have you in the virtual studio when I was doing the intro, so I don’t know how much of that you heard, but I think I got it all right. If not, when you listen to this afterwards, just let me know. Anyway, we’d love to start off, appreciate you spending time joining us this morning. We’d love to start off as we always do, because I always love hearing people’s stories and I think it helps other people hear other people’s stories. What’s your story? How did you get started in cyber and take us all the way up to becoming an entrepreneur with the founding of Sidewalk Security Advisors?
Jeremy: Yeah, great question. Yeah, thanks again for having me, Greg. I started pretty early on straight in college. I kind of fell into it. It was electrical engineering, hated just the design work and ended up kind of falling suit into college of business, which then later fell me into being an analyst and a system administrator for a threat intel shop that the university was doing at the time. So we were working with a couple of three letter agencies and just doing the work that they didn’t want to do to find bad guys really. Kind of fast forward, Deloitte and Touche identified that skill set and decided they wanted to use it. And so I went to a new office geolocated outside the DC Metro in Huntsville, Alabama to really kind of fall suit in what we now call is advanced cyber threat intelligence and source SIM products, right? So all the fun stuff from an exposure management standpoint, we were doing that in the early days. I was part of a team there that helped build that pipeline, working with great computers and doing some net node analysis and things like that from PCAP data. And yeah, that kind of fell me into the security space. That wasn’t what I was looking for, but thoroughly enjoyed the idea of securing infrastructure, securing business, telling a story that most people just miss when they talk about cybersecurity. So that’s, that was the beginnings. And then fast forward many years, I got more into the consulting side of it, working with executive leadership teams and building out full-scale security programs. So that’s kind of where I’m at today.
Greg: So you’ve done a lot working across, of course, you talked about Deloitte and then you’ve been in banking and fintech. And then I believe it was last year you founded Sidewalk Security Advisors. And I think actually it was around that time last year that you were founding it when you and I chatted about it at the Cyber Summit in Birmingham, Alabama, as opposed to the bigger Birmingham in England, I guess.
Jeremy: I don’t have the accent, Greg. I don’t have the travel funds.
Greg: Right. That’s it. But so what led you to to going solo? And what were you trying to what gap are you trying to fill in the market?
Jeremy: Yeah. So going solo, it was kind of a. I always sort of had the itch to be an entrepreneur and go that route. I just didn’t know how it was going to happen or what was going to lead me to it. And so over the years, I just built up as much experience as I could, different areas, working with fintech startups, also in banking, right? So looking at enterprises, the consulting agency in Deloitte. And an opportunity kind of opened up a year and a half ago, actually two years ago now, where I could jump into another practice and sort of build a security program from a consultative type side of the house. They were a true sales and reseller VAR, but they wanted to get into this space of professional services, right? And so unfortunately that didn’t work out, but learned a lot while I was there and super thankful for those guys being able to invest in me and teach me some things I didn’t know. It’s kind of led to this opening last year around the time you mentioned when you and I first met each other and started talking where I could jump into the market from a mid-market small business regulatory kind of environment to fill that gap. Right. The one thing that I saw being a CISO of a small state run bank up in the Midwest was there’s just not a lot of good cyber talent in the rural areas. Right. And they still You still need that executive presence and that storytelling from a security standpoint to build a true program and not just muddy it with a bunch of tools, right? We talk about tool bloat or just even gaps in the space from a technology standpoint, right? We live in a digital age today and it’s ever growing. So how do we match those cyber threats? at these businesses, right? So kind of meet them where they’re at and give them the right tools and experience that they wouldn’t necessarily get otherwise. So that’s kind of what led into Sidewalk Security Advisors.
Greg: So you mentioned that you always had sort of this entrepreneurial spirit. And I think you and I had this conversation last year. And if we did, I know what I would have said, because I always say this is like I did not when I started. I felt a calling, but I had I had never had any desire to want to be an entrepreneur, to do my own business. And I like the idea of having a steady paycheck that somebody else had to worry about. But first of all, I say that, I’ll preface the rest of what I’m going to say with, I wouldn’t change a thing. It’s been a great nine years so far. But during those nine years, I’ve learned an awful lot, even to the point of, I’m trying to share that now, I’m working on a book called, So You Want to Be an Information Security Consultant. And it’s not a technical book. It’s more about those things that I’ve learned about running your business as a consultancy. And I’m curious, What are a couple of the things that you learned being a business owner that maybe you didn’t think about before as you started this journey?
Jeremy: You don’t have to have everything perfect and correct the first go around. I’m a very much a type A person, right? And my wife has gotten onto me many a times and I’ve worked on this, but I typically have a contingency plan for a contingency plan. And you can’t have that as a business owner, right? You can kind of have a goal in mind and you can have those backup plans just in case. but everything’s iterative. Like everything, if you want to stay competitive, if you want to stay in the space, learn new things, you’re going to fail, right? So picking up the pieces, moving forward, making decision, fail at it, learn the lesson, try it better next time, right? It’s one of those iterative things. So just know, I guess my learnings was I waited too long because it had to be perfect. And it doesn’t have to be perfect. You can just jump in and iterate as you go. I mean, I can’t tell you how many times I’ve redone my proposals and, you know, what service offerings and bundling and, like, what makes sense, what doesn’t make sense. And, you know, it’s just a continuation.
Greg: Yeah, one of my early ones that I pivoted on was I found out early on, and you may disagree because it may work better for you, but I just couldn’t do cold calling. I couldn’t do it. I don’t know how well it works in our industry because it seems like that those who are looking for executive trusted advisor security risk management advice, the key word is they’re looking for it. You can’t prompt someone to say you need to have this. They only recognize the need when they recognize the need. Do you cold call? I’m just curious.
Jeremy: No, I did not.
Greg: Okay, good. Um, part of that is, you know, my, so I use a coach, I use an executive coach too for my business, and this is one thing we’ve been talking about is cold calling, or more so the sales process, right? Um, it differs. I think you’re spot on. Like one thing I’ve noticed in our sort of industry, right, was you can’t, we’re inundated as CISOs for product this, product that, product this. It’s hard. And so I think a lot of that bleeds over to the other executive teams. And so you don’t really understand what you’re missing until somebody puts it in front of you from a pain point standpoint. And so that’s really the story that I try to dig into is, hey, this is the pain. Am I spot on? And more so that that stems from conversations or a network that I’ve built up, right? So we have those, I wouldn’t say cold, they’re warm, they’re soft, right? Of, hey, here’s the problem. Here’s the pain that I think you’re seeing. Are we right? Am I right? And then that kind of opens up into other aspects of the conversation.
Greg: It sounds like that you’re suggesting the strategy of position yourself to be known and in that available position when the potential client, the prospect, when they realize that there’s a problem now that, hey, I know a person, Jeremy says he can solve this for me. Is that where you’re getting at?
Jeremy: Yeah. Yeah. It’s word of mouth, right? And so, yeah, a lot of it is, you know, one thing I’ve been reading, I’ve actually got a book over here that, you know, I’m digging through at the moment, but, you know, a good proposal can be the wrong proposal if it’s the wrong client, right? So, That’s one thing to keep in mind when you’re proposing and you’re searching for those is, yeah, you could cold call all you want, and that could lead into maybe two, five actual conversations, which is great. I still think that’s an avenue of sales, but a lot of the success I’ve seen is just from networking and having the conversations, being open and just trying to meet them where they’re at. Right.
Greg: I recall, well, first of all, I think that imitation is the sincerest form of flattery. Maybe we’ll say that. Maybe plagiarism is, I don’t know. But when I was before my consultant days, of course, you know, I was Bank CISO as well, too. And on that side, you have the… the opportunity to read proposals from other service organizations and all that, whether they do like audits or pen testing or that sort of thing. And I remember this one, they always had a section in there that had the headline, understanding your needs. And basically the understanding your needs is parroting back, okay, this is from our discovery call. This is what I think it is that you’re asking of us. Let’s verify that. So I’ve never mentioned this before on the podcast, but that’s one of the things we do. We have a section that is understanding your needs because that’s the most important thing. You want to write the right proposal to the right client and not mess that up in that area.
Jeremy: Yeah. I mean, otherwise you’re missing the mark. You’re wasting their money. You’re wasting their time. You’re wasting your time. It’s not going to be a successful engagement. And that could potentially hurt your reputation down the road, right?
Greg: Yeah. Yeah. And they have a lot of misconceptions, um, on the other side, as far as like what a fractional CISO or virtual CISO advisor, um, what, what are some of those biggest misconceptions that you’ve come across? I mean, this is your time to shine. I don’t want to learn about all the things that I hear. It’s just that as you’re talking about, I’ll probably be going, yep. Yep. Been there, done that. Go ahead.
Jeremy: Yeah, no, and I appreciate the candor back and forth, actually. Um, so it helps me, it sharpens my iron, right? So, um, but you know what I have continuously seen, um, and experienced is having those conversations. And I was one of those CISOs, right? Like, hey, I don’t need another virtual CISO, like, what is this, right? Um, and so I did some digging and a lot of misconceptions come from the term, right, of a virtual CISO is becoming more operationally challenged, right? We’re going to jump in, we’re going to be the security operations team and we’re going to do all those aspects of the security program at the smaller, you know, organizations. And a lot of times that’s not what I’m bringing to the table, right? So it’s almost like a re-story branding that I have to do with these clients or these prospects is, hey, I’m a fractional CISO, do you know what that means? And then let’s talk through that. And once again, go back to the pain of, are you spending money frivolously? Do you have regulatory uncertainty? Do you know how your security program and your MSP and MSSP actually are working together to help you? Are you getting value out of the things that you already have in place? And a lot of times out of not, they don’t. And they’re just kind of like, well, no, we haven’t looked at that contract in a while. And actually come to think of it, we haven’t heard from them in like two quarters. Like it might be good if we have a touch point. And so, you know, it’s retelling that I’m a fractional CISO to come in and provide that transparency from a higher level at the executive team and board room level. So that we can provide clarity into how your program is actually functionally operating and identify if we’re building towards the right program fit for that client at that time.
Greg: It sounds like that you’re trying to draw out, like, whether it be a formal statement or not, their risk appetite. What are they willing to understand their risk appetite? And are they willing to match up against that? How do you draw that out?
Jeremy: See, I knew you were smart, Greg. Yeah. So that’s, that’s, that’s what, uh, that’s exactly what I do. Right. And a lot of it too, is it’s trying to get them to understand I’m actually building a proprietary tool at the moment. Um, and then launching two, two or three of my clients onto this tool, um, where it’s, it’s, it’s doing just that, like that first portion is the risk appetite. Like, and it’s not just the cybersecurity and technology risk, but it’s the understanding of the business risk. What’s the business scope? Do you even know what your mission and vision, your scope is as the organization? If you do great, what’s the risk appetite? Like, do you understand your thresholds and how you operate in business? Because that’s gonna tell a story for me as a security professional to understand what can we do from a technology and security standpoint to further that mission and be aligned with that risk appetite framework, right? And a lot of times they don’t know. They don’t understand it’s an education session, which is great because it gives me validation to them and they see immediate value. So why should we work with this guy? Well, he knows what he’s talking about, right? And he’s bringing it back to the dollars and cents of the business. And then we can start building towards that gap and maturity type framework to understand, okay, how do we build the security program?
Greg: Well, I’m going to have to take a little divergence into the weeds here because you said something that really, really piqued my interest. You said you are building a proprietary tool to help you. And the reason why that that piqued my interest is that I’ve done, I’m doing the same thing, different problem trying to solve. What I’m trying to solve with the tool that I’ve built for vCISO services is basically a way to better manage the consultancy, the business. So it’s more like a business risk platform type thing, communication between vCISOs and management and all that.
But I’m not a coder. And so I have embraced vibe coding using the bubble platform. Are you following sort of the same path? I’m not asking you to divulge anything about your proprietary application. I’m just curious about your experience as building one.
Jeremy: Yeah, yeah. I’m thinking we need to put an MNDA in place there, Greg. That’s what I’m starting to think.
Greg: Yeah.
Jeremy: Yeah, no, I’m not a developer. I mean, you know, hey, I played around with code back in college, right? And then with some of the analyst work that I did, but I by no means am a developer.
Greg: Yeah, I mean, I’m not either. That’s why the abstraction layer that Bubble provides for me is like awesome, you know?
Jeremy: Yeah. It’s great. You know, Claude is my friend, right? I have fully embraced that. And, you know, that’s a whole nother conversation we could get into is AI and the security of AI. And then some of the things I’m doing there as well. But yeah, I mean, it’s leveraging those tools to stay competitive, right? So, you know, very similar to yours. Mine is building that tool and process for the assessment onboarding. But then it’s also the client relationship handoff after that, right? And so it’s a two-phase client admin portal type deal, right, where I’m trying to increase the involvement and engagement from the client and make it a lot easier for us to have these engagements. And so it’s a transparency layer so that we both feel value straight out of the gate.
Greg: Yeah, I think that that’s wonderful. And I think that, you know, without diving into the AI portion of it, because obviously I use, I use chat to chat GPT to talk about, well, how’s the best way to do this and bubble and this and that. The bottom line is that it gets folks like you and me to rapidly develop something that we know can help the way that we do business. Because we understand the way we do business, but we’re not coders. And if you were to spend all the time trying to code, you would lose the momentum you have in order to get to where you’re getting at. So I’m sorry for going down that rabbit hole, but you got me excited for a second.
Jeremy: Hey, I could go down that all day long.
Greg: Well, I want to get back to risk appetite, though, because you said… Risk appetite is something that I think people sometimes don’t understand too well, both in the security space and particularly in the business area. It’s like a lot of times when you ask the board or the CEO, it’s like, what’s your risk appetite? It’s like, we don’t want to take risk. Well, no, you do take risk. You have to take risk in order to to have a successful business. But speaking about finance, so this is where I want to kind of dig into your unique background for a moment. You’ve been in that role as a risk advisor in both banking and fintech startups. What is the difference that you see in risk appetites from the banking side or the FI side and the fintech startup side?
Jeremy: Yeah, that’s a great question. And most individuals will probably put two and two together, but being in fintech, I mean, your basis is technology, right? Most of these organizations have started out of the last decade, um, and so they were, they were cloud first, right. They were, they were technology driven and, and so they’re utilizing the best and greatest. And so they have a different risk profile, um, because they want to get speed to market quicker. Right. So they need to build these things. And with AI it’s, it’s increased. Right. And so now we have all this technology that we’re building towards. Um, and then from the banking side, it’s very much legacy driven. Right. And so there’s legacy core, there’s legacy infrastructure. A lot of the clients that I’ve dealt with, even the bank that I was at, right? We started out as everything, we still have domain controllers, right? We were all on prem still, right? And share drives, right? Network drives. So it’s, okay, let’s make the migration happen where it makes sense for certain cloud and SaaS tooling so that we can leverage these new tools, right? And we can leverage efficiencies and we can look at costs, you know, swap from a CapEx to an OpEx, right? But here’s the fun thing about this is that the banks, right, and this is one area that I really saw, was the banks are still having to provide services to these fintechs. If they want to stay competitive and not just bleed out, right, is going through an M&A process or they have to leverage some sort of partnership by providing core banking operations for these fintechs. Right. And so that was one thing when I came on to the bank that I was a CISO for that is why they brought me in was I had this fintech experience. I had worked with a big enterprise bank that launched an API suite previously. And so I kind of understood that middle ground as they were trying to grow their fintech sort of presence. Right.
And so it’s building the APIs infrastructure layer. It’s building the cloud infrastructure aspects of this. It’s trying to get all of those things together so that they can provide those services as another revenue stream to these fintech clients. And so with that, that risk exposure changes for the bank, right? Now we’re doing more technology. We’re leveraging different things. We have to think through this strategically, but we have to do it in a way that makes sense for our regulators. And so that was one of the reasons why banks brought me in to kind of be a consultant on that front.
Greg: So as a fractional virtual CISO advisor, how do you maintain, how do you attain and maintain that flexibility between different organizations having different risk appetites? Because you can’t go and apply one template across all different clients, as you were just talking about the different type of risk appetites. How do you manage that internally and externally?
Jeremy: Yeah, a lot of it was manual before, right? I mean, and going through that process and understanding, okay, what, from a risk profile standpoint, where are we? How do we, how do we measure this? How do we understand it and how do we build the right tools and the controls in place to mitigate. Now with what we were talking about before, the dev process and speed to market, like we can build that tool. So I built that process that’s been in my head for years. into a platform. It’s in a process, it’s coded. And so now I go through my standard questions, my standard process, and it kind of formulates that profile, just like NIST CSF, right? When we talk about threat and risk profile for NIST CSF, same sort of deal, right? We’re trying to understand how do we build the right controls for the threat profile that the organization is going to have, right? Whether that be regulatory, nation state, activists, right? It’s all those threat aspects. But then we also look at the impact. And so all of this changes based off of those first initial steps. And that’s why I dig into the business composition as well as the risk appetite framework of the organization so that we know later down the pipeline, how do we need to inform them?
Greg: Well, it can be stressful just trying to draw that out of the businesses, what their appetite is. And it can be stressful being in our field just in general, because we always got to keep up with new stuff. Some of it’s cool, some of it’s a challenge, but it’s also layering onto that stress. It can be stressful being an entrepreneur or a business owner. We talked a little bit about some of the challenges of that beforehand. So I think it’s so vitally important that people decompress in a healthy way because if you keep it all in, you know, inside. I think we’re both like type A personalities. You just keep on going, going, going. You need to have an outlet for it. So I’m curious, what’s one of the things that you do, Jeremy, to kind of decompress from the stress?
Jeremy: Yeah, yeah. My wife would tell me to stop. I mean, I’m also launching another business as we’re speaking. So it’s just a, it never stops, right, that type A. But going back to your question for decompression, I mean, there’s a couple of things I do, right? I’ve got three kids, even though that probably brings on more stress, all under the age of five. So it’s a madhouse over here. But they really are my rock and my root, right? And spending time with them to let them know that they are more important in this life, right? And so that helps me kind of reset and rebalance priorities. But I’m also a CrossFitter, right? So I take health and fitness, you know, very important, it’s very important to me. Um, it’s scheduled on my calendar. Don’t interrupt that time. Like I’m going to go there. I’m going to be there. I’m going to bang it out. Um, and that’s, I mean, that keeps me moving, right. It keeps my mind fresh. It keeps me kind of stable, um, before I have to reenter whatever that next phase is, right. Whether it’s coming home and trying to be a family man, right. Or I’ve got to go to a client meeting, right. And just have that clarity of mindset. Um, but those, those are two really big, important ones. The other one is, you know, I’m a man of faith as well. So I lean on my faith very heavily. And so that’s, that’s also another important aspect to me.
Greg: Amen to that. I mean, it’s I have been very open about my faith and how I was led to start this business. And I was resistant. But, you know, usually when God asks you, I should say always when God asks you to do something, to correct. I hear you on that. So, so, so future, future plans. Um, what do you have, what do you have in store? Do you want to talk about your, your upcoming new business or is that ready for prime time yet?
Jeremy: It’s not quite ready for prime time. And I do have a couple other co-founders. Um, however, um, they would be very upset if I didn’t at least plug it a little bit. Um, we’re actually looking at, um, an area of the security program that’s not, uh, I wouldn’t say it’s a big issue. Right. And it revolves around third party risk and incidents. And so that’s our big area. And our ideal client right now is going to be those heavy regulated industries. But it’s really great for any organization. Right. So we’re probably going to start off with banks, credit unions, the like, just because of that reporting aspect. But yeah, it’s an early signal warning, um, to give indications and then help kind of resolve or remediate those, those incident response activities. So we’re super excited about kind of where that’s going to go. Um, we definitely think there’s a market for it. Uh, we both, you know, I’m launching with another CISO, uh, as well as, uh, um, uh, threat Intel guy. Uh, and you know, the other CISO and I have seen this in the marketplace. We’re both financial, uh, former financial CISOs. We know this is a gap. We know this is an issue. And we continuously see it. I had two clients last week have an issue that this tool could probably be of service and help to. So I’m excited to kind of see where that goes. But yeah, just continuing to build sidewalk as well. I’m trying to get my clients beefed up. I got a couple more spots there that I’m trying to secure as far as prospects. But yeah, looking strong, excited. I’m excited for the future.
Greg: Well, we made it a year, Jeremy. Like most businesses fail after, you know, before that year mark. So congratulations on that. I mean, that is a big, big deal. And there’s a, I mean, it’s the first year is always the roughest. I mean, from my perspective, that was, that was just, just speaking for me. That was the year that even though it was a God walk for me, there were times when I’m like, what did I just do? What did I just do? What am I going to do now? I’m not sure. But yeah, keep us advised on, that sounds like it. I’m not going to dig into it anymore, but I am curious that once you guys are ready to release more information on that, we’d love to hear about it. We’d love to bring you all on and talk more about it because yeah, third-party risk management, we’re not doing it right. And it’s just my ten-second soapbox thing on that is that we’re putting too much emphasis, I think, on the big companies that, you know, you’re not doing TPRM right, but it’s like, are we really focusing on the actual risk of the third party? That’s really where the problem lies. And if we can help with that communication somehow or another, the end goal is just to help reduce risk so that obviously everybody tends to stay secure more. So fascinating stuff. Promise me you’ll come back on and talk about it.
Jeremy: Hey, man, you hit it on the nose, right? It’s that conversation. It’s being proactive in the third-party risk management space where a lot of us are reactive and we’re just reviewing documentation, which doesn’t really help, right? And so, yeah, I would love to. We’re actually putting together, probably in the next month or two, an early adopter program. So we’d love, you know, if anybody’s out there and interested and wants to be a part of an early adopter phase and, uh, we can get you on and give us feedback, um, so that we can iterate this thing and get it out to market quicker. So yeah.
Greg: Awesome. Awesome. Well, hey, Jeremy, thank you so much for joining us today. It looks like that the little Linux experiment has actually worked better than I thought it would. Less like little Windows buffering type things. So appreciate your time. Best of luck with everything else going on. And yeah, just let us know when you’re ready to come on and talk about it again.
Jeremy: Awesome. Thanks, Greg. Appreciate it.
Greg: And everybody stay secure.