Greg Schaffer: Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. We’ve got Jason Makovich on today. He is the founder and CEO of Greenlight Cyber and Port One. He’s a seasoned cybersecurity leader and an entrepreneur with decades of experience spanning MSP growth, secure IT innovation and practical cybersecurity for small and mid-sized businesses. He has built a reputation for simplifying what they may overcomplicate. And I also want to emphasize that as I have a passion for SMBs and their security, Jason emphasized the exact same thing. So Jason, glad to have you on the show today.
Jason: Oh, thanks for having me, Greg. Appreciate it.
Greg: So we’d like to start as we usually do. We’d love to hear your story, how you got started in this crazy technology field and what led you to where you’re at today.
Jason: What a story. What a story. Well, you know, it’s interesting. I think some people kind of share in some of this. But for me, you know, I grew up around it. My dad was in computers back in the seventies and eighties and started his computer company in in nineteen eighty. I was six months old at the time. And so I grew up going to that office and being around all of it. And I was wiring coax cables for networks when I was eight, nine years old. I was building two, three day sixes, you know, four day sixes, all that. when I was, you know, ten or eleven. Awesome. So I was around it.
Greg: I was doing that stuff in college, by the way.
Jason:And what’s weird is, you know, that, you know, you get asked when you’re when you’re young, like, oh, what do you want to do when you grow up? And all I knew was I didn’t want to do anything with computers. I was like the one thing I didn’t want to do.
Jason: And, you know, fast forward, I started going to college and ended up getting a part-time job doing IT at a pretty big company, like kind of desk side support. And I started getting good at it and enjoying it a lot more so than school and kind of fell into that opportunity and kind of hit quite a fork in the road, decided school wasn’t for me and took it on full time to work. It was amazing. I was, you know, nineteen years old flying around the country, going to different companies. This was around YTK. So I headed up a server rollout team for Novell servers. I had to rush to get my CNE. And it was cool. It was great. I suppose it was probably past any sort of statute of limitations. I could say, I had to get a fake ID just so I could rent cars Which actually worked. I’m sure it wouldn’t work now. Everything’s all online and digital. But back then.
Greg: Yeah, because you had to be like twenty one or something to run a car, right?
Jason: I think. Yeah, that’s that’s right. Because a whole bunch of us. I was nineteen with a twenty five year old. And they’d always look at me a couple of times like, all right, who’s going to use a fake ID right in a car, right?
Greg: I remember that there was a whole bunch of us that, and I’m sorry to interrupt for a moment, but how memories are triggered. A whole bunch of us were driving down to Myrtle Beach, South Carolina, and myself and my best friend at the time, we were the only ones that were over like twenty five because I think that was the cutoff. So we had to switch driving back, you know, and we were driving from Buffalo, New York. So it wasn’t like just a two hour drive.
Jason: Yeah. And so they’re all partying and drinking in the van and all that. And we’re like, continue on. It does suck sometimes being in that position. It’s like the friend with the pickup truck, right? They always want to help move. But yeah, so I really kind of chose that path, never looked back. And then became more of a network engineer consultant for many years. Worked with my dad on and off for a lot of that time. And then in twenty ten started Greenlight, Greenlight, now Greenlight Cyber. At the time, it was Greenlight Information Services, very kind of young MSP, you know, had all these plans to be this real innovator for technology and as MSPs end up inevitably becoming turned into a utility department for clients more so than anything because that’s just what it ended up being and then eventually turned into the security department because It all just kind of got thrown at us. And it worked out for me professionally because I really took a huge interest in cybersecurity and got my CISSP and really just dove into that to where as our clients started needing better security, really when I like to say when cybersecurity turned into cybercrime, Um, when the bad guys figured out how to make money off of what they do rather than doing it for kicks. Um, that’s, uh, you know, we were in a position, we were in a good position because, uh, I had, um, interest and, uh, some experience with it, made some strong hires and. scaled up our team and eventually pivoted to Greenlight Cyber. And now I can honestly say the vast majority of new clients that we get are just doing cybersecurity work with us. Every once in a while, we’ll get a client that wants us to do some IT work, but yeah, most of them now we’re kind of working with internal IT and really just coming in with various cybersecurity solutions that will support or co-manage or whatever degree they want. Um, but it’s been awesome. And, uh, uh, working with the best team, I best people I’ve ever been able to work with. So it’s, uh, it’s pretty fun. So.
Greg: So, and, and then what is, what is port one?
Jason: Yeah. So, you know, it’s funny after doing this for now, but at the time about or so, um, fourteen fifteen years when i decided to start for one um so late twenty twenty four um it came out of um basically a lot of friends of mine or other owners of msps and just kind of know a lot of folks in this space and you know they saw what we were doing at greenlight and some of the things we were doing at greenlight were working with more enterprise grade cyber security solutions like zscaler island enterprise browser things like that, things that you’re not going to see traditionally in the MSP channel. And then really just taking a different approach. And a lot of MSPs will layer on a bunch of security. We’re going to re-architect an environment with zero trust principles. We’re not going to have as many security products in place, but it’s going to be a lot better security outcomes out of that. And so we started working with other MSPs. And we saw, I really saw an opportunity to really do something with that. And it was inspired out of a book I read called The Go-Giver, which really the synopsis of that was the impact that one makes Basically, I took from it that by scaling the impact that I can make, I would be far more fulfilled professionally and personally in what I get to do as a leader of a business. And as an MSP, you can directly help so many small businesses. But as a vendor to MSPs, as a partner to MSPs, now I have a force multiplier. Now I think you’ll help MSPs go be better for all of their small business clients. And I feel like such a huge purpose around that. So decided to build something out there and it turned into something very different than my initial vision, but a lot better because my vision was abstract, I suppose. But it’s turned into a really, really cool business. where we’re coming in and bringing in some really great solutions for MSPs that they otherwise wouldn’t really have access to.
Greg: Well, I think that that’s like one of the most most overlooked secrets that people need to realize for success, and that’s to be flexible, to pivot. You mentioned early in your intro that while you were in college, you took on a part-time job in the IT, I think you said it was the service desk field. at the time. And that ended up being a pivot for your career. And same thing with me. When I was in college, I started to work at the computing center. That’s when I was making coax cables and all that stuff. But my degree was in mechanical engineering, but my career, I never touched on it. So one of the takeaways, both for career as you’re going through it and also in business, is that always be flexible. Always consider pivoting. Um, I mean, does, does it scare you to think about pivoting or does it scare you more to think about not pivoting?
Jason: Probably the latter for me. I’m, um, yeah, I, I think the majority of people out there are more risk averse than I am. Um, probably for very good reason. They’re probably a lot smarter than me, but, uh, I like to, I, I’ve, I, for the most part, I’ve enjoyed that rollercoaster, um, that it’s been, um, uh, Sometimes it’s hard. I’ll be honest. Running a business, it’s not easy every day. It’s a lot of work. It’s probably taken some years off my life. Especially during tax season.
Greg: Yeah.
Jason: I mean, there’s so many different things. It’s one thing if you love tech and you want to go do tech. It’s any business. It doesn’t matter if it’s IT. You could be a baker and you want to start a bakery. And then all of a sudden, you’re running a business.
Greg: Mm-hmm.
Jason: last thing you’re getting to do is bake or if you are baking you’re not enjoying it anymore right because you’re baking you’re you’re you’re you’re kind of a slave to the business at that point and and it’s um the book emit the emit very good book for anyone interested in kind of starting a business and it’s very much around that but the trick is It’s so cliche and you see it in any interview or business book out there is surrounding yourself with the right people. You got to find the right people that match your values and your passion and your vision. And that’s what I’ve been able to do, not without maybe kissing some frogs along the way. here we are. So that’s really such a huge part of it is that.
Greg: So you have mentioned and I pulled this from your LinkedIn profile, I believe. Maybe it was on a post. I don’t remember exactly. My vast staff here that helps me prep for the podcast actually assisted me on this. That would be ChatGPT. And I will be completely transparent about using AI to assist me in my business. I believe that, you know, what is there like a saying out there right now? It’s like AI is not going to take away people’s jobs. AI is going to replace… the jobs of people who don’t know how to use AI as a tool or something like that. I said it too complicated. I think it could be distilled down to a few words, but I don’t want to talk AI. I want to talk cybersecurity, particularly with SMBs. And the thing that was brought up, the quote that I was getting to with this incredibly long intro to the question, that you talk about how cybersecurity feels like duct tape on duct tape. Please expand on that, particularly how it applies to SMBs.
Jason: I can make assumptions, but I love that analogy. First of all, duct tape’s amazing. You can pretty much do anything with it. I have a little folded roll of duct tape that I have in my car. I have one in my backpack. I gave one to my daughter to carry. It saved Apollo XIII back in nineteen seventy. There you go. It’s freaking amazing. You can patch a boat with it. So, you know, I’m not conducting, but what’s really happened out there in this field, and you can look at it from an enterprise scenario down to SMB, MSP, anywhere. Every time you turn around, there’s some new threat, there’s some new risk. And then there’s usually some sort of product or solution to that. So what happens is, that each product, each point solution out there that would protect from certain risks is just another piece of duct tape that you’re putting on. And at the end, eventually whatever that chip is that you’re patching, you’re not even gonna see it. It’s just gonna just be pieces of tape everywhere, but it’s gonna weigh it down. it’s going to get to be a problem. Because with duct tape as you’re patching it, you’re going to have a lot of overlap. So the duct tape on duct tape is really, I see it as all that overlap of you don’t really have anything truly cohesive there. And I had mentioned I’m a big believer in zero trust architecture, secure by design. it kills me that that companies are still implementing technology that’s not hardened that’s not secure by design that is not like they’re willing to implement the technology and then add security as as if it’s this layer bolt-on or something yeah and in fact if you architect the environment right i’m not saying you don’t need cyber security products we we certainly do but be surprised how much you can save and ultimately what better outcomes you can have by just having the right architecture in place and it just makes a world of difference so yeah i’ve just seen it especially in the MSP space. I know MSPs out there that are using, you know, ten to fifteen different cybersecurity tools out there to try to protect their clients. It’s too much. I mean, the labor burden of it alone would be too much. The cost of goods would be too much. The burden on the client and their bill and Then you’ve got the technology burden and the agent, you know, too many agents on the machine. The list goes on and on.
Greg: Yeah, I mean, this comes to the concept of like stacking technology and adding technology. And I know I’ve seen this with clients that we get into when we first start working with them. One of the first things we’d like to do is to get an inventory of not only their information, but also their systems. And you get some that have technology that has been implemented that you got two or three different pieces of technology that can do almost the same thing. And yet you have a gap here where you’ve not addressed it at all. And they don’t realize it. They thought that with this, the more technology they added, the better off they were, which… which that can be true, but to your point, it has to be architected correctly. So from my perspective, I think about risk. I think about that incorrect assumption of security with all these tools. But seriously, when you’re stacking tools like that, what do you see as like the biggest risk to the SMB?
Jason: I mean, it’s a combination of things. I think that the challenge with it is it’s being that it can be a dangerous approach. I think that there’s a fundamental risk around maybe not having the right advice, not having the right decision making in place. is that kind of fundamental flaw that’s going to probably inevitably lead to something bad happening. If it’s an afterthought, sort of, you know, method of protecting systems, then one would assume it’s an afterthought to plan for incident response or disaster recovery. And so I think it all correlates to where everything’s very reactive and we just can’t afford to be anymore. We have to be very prepared. And I think business leaders want a resilient business. They need a seat at the table for the right person, and they need to actually have someone they can trust. It could be a good MSP. It could be a good CISO, virtual CISO. There are many ways you can do it. But it’s got to be the right one. And there are probably some really telltale signs as to who is right. But that’s why we have best practices and frameworks as well. If you ask your MSP, hey, how do we align to CIS or NIST, CSF, and their eyes glaze over, pull the old pages out. Because yeah, they’re probably not going to be the best partner. It’s just everything changed and people have to understand that just because people are IT professionals doesn’t make them information security professionals. They don’t necessarily know how to do it right. They’re not trying to- And it’s the same way the other way too. Just because I’m an information security professional, I used to say this back in the day, I don’t know how to fix your VCR from blinking twelve. And I dated myself there.
Greg: Yeah, a little bit. But you mentioned something, though, about reactive versus proactive. But it seems like, and particularly with SMBs, there’s such a resistance, or maybe it’s not so much a resistance as it is an ignorance or what have you. And you have this mountain you have to climb to get them to want to put the resources in, partially because information security, cybersecurity, it doesn’t have any obvious payoffs. It’s insurance. It prevents loss. or prevents bad things from happening when you do have loss. So how do you work with like the SMB leadership team to try to get their mindset shifting from reactive to proactive?
Jason: Yeah. Part of it is moving the conversation from the server room to the boardroom. Being able to not talk so much about the technology and talk more about the business and about them and what’s important to them. Helping them understand what the realities are out there, what the impact could look like, sharing with them stories of folks that have gone through it. It’s interesting. Over the years, I’ve become a I think I’ve become the guy that people call when something is going on, right? Like, hey, I have a friend that I think just got hacked. Can you talk to him? And I get more and more and more of those calls. It’s just really gotten alarming how many. I’ll always gladly take them and help all I can. It’s the same story every time. I hear the same things every time. Usually it’s, I had no idea they could do this. I didn’t know that this could happen. It’s like, right. But you, you do, but you don’t, you don’t understand like business leaders, not technical business leaders are going to understand there is risk and they believe that most of the time that they’re okay. And it’s a false sense of belief. They have to have that seat at the table. They have to have a real conversation. The goal shouldn’t be to to go invest a bunch in cybersecurity. The goal should be to build a resilient business. And part of that part of that has to be to protect from cybercrime and the impact that it can have on your business, because you can lose everything potentially, especially small businesses. So we as cybersecurity advisors, we need to be able to speak to business. We can’t just come to them with like all this technical gigamumbo jumbo, as a former boss of mine once said. And I know that the MSP field has helped extraordinarily with translating technology information. into business needs and vice versa. And in my experience over my career, the most successful MSPs have been the ones that can do that, that aren’t coming in to want to initially sell me a product, but that are interested in understanding my business and my problems, the ones that ask the questions up front.
Greg: And there’s been interesting evolution of MSPs over the years. What had started I think from, this is just my perspective, from a place to get technology that was supported in case something goes wrong, but we’d work with it all, to a place where it’s a true technology partner. Now, I see you as kind of like an expert of MSPs. You were talking a little bit more about port one beforehand. Where do you see this evolution heading in the next several years with MSPs, just in general?
Jason: I’m definitely worried about it. I think the MSP field right now is going through an identity crisis. And those that have been through it, those that started, those that have been in MSP prior to ransomware, let’s say, cybercrime really become prevalent in the SMB space and therefore MSP space out of necessity. those have been through that that and have had to adapt and potentially like we like we did a green light transform um they they know what it takes to do that well what’s happening now is almost every single conversation you said it earlier i don’t want to talk about ai i want to talk about cyber security the problem is everyone else out there all they want to talk about is ai right right and I’ve been to some trade shows in the MSP space over the last year or so. That’s all they talk about now is AI. And it’s almost like, oh, well, we’re done with security. Now we’re on AI. Oh, you’re not going to be an MSP anymore. You’re going to be a managed intelligence provider. And you’re going to be a business consultant to your clients to help them. And that’s great. But it doesn’t replace, like you could add a whole department to your team, but you can’t get rid of or overlook what is so critical. And I’m worried about it because you have MSPs that are having a hard time spelling AI, where others are just amazing at it and kind of bleeding edge and some in between. And I know this because I talked to a lot of MSPs. I’ve probably talked to over a hundred different MSPs in the last four or five months. And I’ve heard their stories about what they’re doing with AI, what they’re doing with security, and I’m seeing that shift. And so that’s concerning to me, but this goes back to keep it simple. architect the environment smart. Let’s use best practices here. Let’s not try to reinvent the wheel just because there’s some shiny product out there that, ooh, that does this and that vendor is telling me. That’s the problem. MSPs often learn about cyber risk through software vendors. That’s a main channel for their knowledge. That’s a problem. And that really contributes to it. But now, what are all the vendors out there? What are the loudest vendors out there that are AI? And there’s some great, cool stuff. AI governance, definitely important, like DLP. But that’s not everything. And it’s a big part. MSPs are going to have to really figure out that AI strategy. There’s no question. But I do worry about the security play there.
Greg: Yeah, I see some of this as being almost like a rhyme, if you will, how history sometimes rhymes with what we were talking about, say, with the cloud like, fifteen, twenty years ago. Traditionally, folks like me, we didn’t want to move stuff from on-prem to cloud. But everybody was talking about the cloud. And what is the cloud? Nobody can define the cloud. It’s this amorphous thing and all that. And eventually we got to the point where everybody pivoted, everybody adjusted. All it is is a tool, the cloud. And you have some different rules and things with it. And I think hopefully the same thing with AI. But to your point… A lot of worry, a lot of stress in our field is already stressful as it is anyway. I encourage folks to be proactive in managing their stress and positive in managing their stress. So I always like to ask folks, what’s one of the things that you do to manage the stress of not only being in this incredibly stressful field, but also being an entrepreneur?
Jason: Yeah. Um, yeah, you gotta have downtime. Um, for me, it’s family, uh, spending time with family. I’ve always, I love to travel too. Um, but I’ve always found that like, it’s funny. Um, I remember many years ago, my friends, uh, and I all went to, um, I won’t name the town because I don’t want to knock a town in the US, but it’s a flyover state, we’ll say. And it’s a place, it’s not a destination city. And we were joking like, oh, that’s where we’re going to go spend the week. A friend was getting married there. We’re the best time, right? Because it wasn’t, and the place was fine, but it wasn’t about that town. It was about us. It was about having fun with the people that enjoy each other’s company. For me, that’s everything. It matters very little what I’m doing as long as I’m doing it with the people that I want to be around. A lot with friends, a lot with my girlfriend, a lot with my daughter who’s in college. Family and friends. Travel is definitely my favorite. Try to take at least a couple really cool trips a year. Probably planning maybe another European vacation for this late summer, early fall. So that’ll probably come. We’re just trying to figure out where and yeah, we’ll see. But yeah, I enjoy traveling a lot.
Greg: You are completely opposite of me in that sense. I don’t like traveling. I’ll stay local to my area, but it’s like, it’s just something that, no, it’s like, oh, you’re going to retire. You can go travel to Europe and this and that and Africa and all that. I’m like, I don’t No, I don’t care. I’ve traveled enough. I’ve been to Europe. I’ve been to Africa. It’s like, I don’t know if I want to go again. But those are my future non-plans. What are your future plans?
Jason: I can’t envision maybe at some point in my life I won’t be working. I hope to get to the point where the work that I do is you know, not necessary for me that I get to do it completely out of, you know, just fun and the desire to do it. The good thing is I at least get to do those things now. It just so happens that, you know, if I stopped doing it, probably have a hard time surviving for very long. So I’d like to get to that point to where where it could just be almost like, you know, an avocation. But uh, that said, I, I have a passion for cyber and, you know, I just, we lost someone really, um, dear to the cybersecurity world, um, Easter Sunday, uh, Dr. Stan Stahl. And, uh, he was a dear friend of mine and he worked all the way up to the end in his eighties. Wow. And one of the most beautiful souls I’ve ever known in my whole life. Um, a lot of folks in the space knew him and, um, But he worked not to go make money. He actually, for the last several years, ran his nonprofit, Secure the Village, which is still going to carry on. And it’s something that I’m still going to be a big part of, as well as many other good people that Stan inspired. Stan was a mentor to me, a role model. And I aspire to be like he was.
Greg: Yeah, I don’t think that I’ve ever met him. I could have connected with him or chatted online or something over the years. But I’m sorry for your loss. Sorry for the industry’s loss, but glad to hear that that nonprofit is going to continue on. And I will say that, yes, when getting to that point of where you do it for the love of the game and for giving back and you don’t have to do it, it’s a fun feeling. I can shut this down anytime I want and I have no desire to. It’s fun. That’s why I do this podcast. This is just like I get to talk to great people like you, get to learn about you and learn great stories and all of that. And, you know, there’s no monetary stuff involved. It’s just for the love of the game and for the love of people and for maybe helping the industry a little bit. So, Jason, I so much appreciate you coming on today.
Jason: Well, thank you. I appreciate you having me and I appreciate you doing this too, Greg, because it’s important. You’re doing important work. So keep it up.
Greg: Well, I appreciate that. And everybody, stay secure.