Hello, and thank you for joining DataEndure for our June TECH talk session. As always, I am joined by Shahin Pirooz. I am Kirstin Burke. And we are absolutely delighted today to be joined by John Thompson, who is the global CIO of Reiter Affiliated Companies, better known as RAC. Welcome John.
Thank you, Kirstin. It’s nice to be here. Nice to chat with you and Shahin again.
Good to see you and have you.
I was just going to say what better month to have a global producer of berries join us than in June, when we’re all about the strawberries and the blueberries and the raspberries. John, you’ve got a great story. You’ve got an amazing company and we’re just delighted to have you join us today.
No, thanks. And this is a good time of year. Berries are good for us in general, but they’re definitely good at breakfast, lunch, dinner, and snacks in between. Most of us are all working from home, right, so go out and buy the Driscoll’s berries, that’s our berry.
There you go. There you go. Well, John, we’ve been engaged with you and RAC for several years now, and just love having you guys as a customer. And you’ve got a very interesting story just around your company, your brand, your global transformation activities, and really how security came to play a very important part in that. And so we’d love to just have you spend the first couple of minutes just talking about you, your role, the company, and then we’ll take it from there.
Thank you. I’d love to do that. So again, thank you for inviting me. It’s great to be able to participate in this chat. And I am very excited to [inaudible 00:01:51] the security journey over the last 18 months. So as Kirstin said, my name’s John Thompson. I’m fortunate enough to be the global CIO for RAC, which stands for Reiter Affiliated Companies.
In September, this year, I’ve been here for two years. And I sincerely say this, I’ve never enjoyed my job so much as working for RAC. And anyone who checks me out on LinkedIn, I’ve traveled a fair amount. And this has to be probably the best contract I’ve worked in. As I said, it’s wonderful.
Part of that is we are a family owned business since 1868. It’s owned by the Reiter family. And RAC are proud to be the largest fresh multi-berry producer in the world and the leading supplier for all of those fresh berries that you mentioned earlier, Kirstin, strawberries, raspberries, blueberries, and blackberries in all of North America. Your viewers will know our brand, it’s Driscoll’s. So RAC had a farming arm or predominantly farming arm. Of the Driscoll’s brands – all of our berries, go exclusively to one customer, which is Driscoll’s. And you’ll find those in the shop.
We have a mission for the relentless pursuit to delight our consumers. So it’s all about quality and the taste, in particular of those berries. And we like to enrich the lives of our employees and the communities we work in. So really giving back to the local communities who we get a lot of those [customers 00:03:15] from. And currently, we have operations in Europe, Africa, Canada, US, Mexico, Peru, and China.
At our peak, we can have over 30,000 employees and the peak is kind of these last few months that we’ve been, Kirstin. With those 30,000 in the journey that we’ll talk about in a second, we have a significant cyber security footprint or threat, I suppose to manage, now given that digital footprint that extends across all of those geographies, but all the way into the farms in each of those geographies, with those harvester applications and sort of the [IoT 00:03:50] devices that we have deployed. This is a very exciting space. Agriculture is still [inaudible 00:03:55] is very much involved with technology.
John, one of the things I’ve spent battling for the last 20 years of my career is the old school notion that you can’t go wrong if you pick big blue. So you pick one of the giant players in the industry and they’re going to be – you won’t lose your job, they’re going to do your right and they’ll take care of you. And I’ve spent my career trying to prove that wrong. And I feel like I’ve accomplished that over the last two decades.
Can you talk a little bit about your journey with us specifically, because we were not the biggest player that was in front of you as we were going through the sales cycles and you ended up selecting us as your partner. Can you talk a little bit about what that meant to you, and what your decision process was around the type of company you were looking for and why you selected a company like DataEndure?
Yeah. Well, let me start first a little bit just before that, in terms of why security is so important for us? When I joined nearly two years ago now, we did have a security [inaudible 00:05:10] but based in the infrastructure team. And the guys are doing the best job that they could possibly do. But as we decided on the strategy with the executive management team in terms of that digital transformation, bringing in a lot of those applications to the front line, it became clear and paramount that we needed a much better security profile and doing some changes very, very quickly.
So with that in mind we – I think my journey with DataEndure started a few months before I actually started with RAC. I attended a seminar and I met some of the DataEndure team at that seminar. They obviously left an impression in my mind because at that point we decided we needed to go out there and look for a potential partner.
DataEndure were on the list to start with, as were some of the big boys and girls in town, as well, Shahin. It’s kind of like an insurance policy, right, if I go [inaudible 00:06:06] models. The board and the executives, well, at least you tried your best kind of. That’s not always true. And then certainly at RAC, I mentioned that culture that’s really important to us. And we were looking for a company that mirrored our values and our culture.
And so I think, too, the conversations that we had, the initial conversations, it sort of demonstrated that DataEndure did have the end customers in mind. So for instance, our own consumers, our communities, and our people. You’re a smaller family owned business as well as, as we are. And I think through those discussions that you just hit that tone that, hey, this is a kind of a company that we’d like to work with.
So we did do our due diligence with a number of other partners as well. But I think if I would sum it up in my mind, I did want, actually I wanted a company with a smaller scale. So someone where we would be recognized, and we’re not just another customer and part of their revenue. I wanted executive connections, because I needed urgent attention. I wanted a cost effective solution that provided all of our operational and technical requirements.
And I wanted – and this is really broad. I wanted a flexible arrangement initially, because at that point in time, we hadn’t at RAC appointed our head of cyber security. So I needed to give that person, whoever that would be in the future, the flexibility to make a final decision around our partnership with DataEndure. Of course, we went through all of that and DataEndure. We signed a one year contract with you at the time. And then our cyber security lead joined, Hugo. And he’s worked with you very closely now for the past nine months and then signed a three year agreement. So it’s testament to the working relationship that we’ve developed over the last year.
I would say that for us, it’s reciprocated in that we love working with people in a similar culture and trying to accomplish. The key here is, for us, it’s what we do isn’t rocket science. It’s important to get all the right pieces and parts together and integrate them and make sure you’re looking at the right telemetry to find the bad actors. But it does take time and it takes you away from what’s core to your business and what differentiates you from your competition. And we equally have tried to differentiate ourselves against the competitive landscape here. And to your point, we thank you for the renewed confidence in our capabilities and our services, and to help you globally secure your platform.
But let’s talk a little bit about that. Because John, when you started out the conversation, you joined RAC with a very specific mission and goal in terms of what you were going to do across this global landscape. And you had mentioned that cybersecurity kind of became front and center to you as you started peeling the layers of the onion, not to bring a vegetable into the mix, but there you go. Talk to us about what was going on and you’re a very distributed organization already. I’m sure with what we see from all the threat vectors out there today, that’s a big deal for your business. So tell us a little bit about what the challenge looked like.
I think you’ve hit the nail on the head. When we talked about it’s not our core business, our core business is to grow the best tasting berries in the world, and that’s really our focus. So in terms of that [inaudible 00:09:51] and sort of taking the company on the digital transformation. So we needed a security operation, we needed security trade works, we needed [inaudible 00:10:02] that we would have the expertise to do ourselves.
And indeed, even if we had the funding to do that ourselves and set up and establish all of that, a security operations center, there’s so much change and threats and vulnerabilities change, keeping on top of that as a smaller organization, it’s just not feasible. Having a great partner that would work with us, the threat landscape is truly global. And it’s right down to that frontline.
And one thing that I’ve learnt a lot over these last 18 months with that landscape has increased immensely. It’s really around keeping those front lines safe and a lot of that is around communication to that front line. So [inaudible 00:10:42] Hugo now to the teamwork is we look after all that monitoring and you’ve done a lot of hard work there in terms of how you monitor and how we’ve filtered some of those alerts, so now only the real critical alerts come through to Hugo and his team 24/7. And Hugo’s actually been able to spend a lot more time with our front line to actually train them on what [inaudible 00:11:05] look like, how can you pick it up? Why should you, or should you not click on links that you might get in a text message.
So again, this is information that we give to our front lines. Huge for us, but also they can take that into their personal lives as well. In their personal email they can detect a potentially threatening email. So we’re spending a lot more of our time sort of communicating and training our frontline teams, which hopefully, makes it even more safe with you doing all of the monitoring in the background. We had to go here. We will really had to go here for our security maturity was very low initially, we needed to improve that.
One of the challenges we had upfront was you had a very aggressive timeline to go live, knock on wood today, we were able to meet that timeline. But can you talk about one of the value propositions when you’re looking at a service provider like us is the ability to ramp quickly. And you mentioned that at the beginning. Can you talk a little bit about that timeline and the aggressive nature of it, and what some of the decision process was that made it have to be moved so quickly?
Yeah, and I think from the moment that we did sign the contract, Shahin, our teams worked very collaboratively together. We agreed on a 30-day timeframe to go live. I think we all agree that that was pretty aggressive from both aspects, from my organization as well as yours. But we did, we worked collaboratively. On day 30 we were live. But there was still quite a bit of work that we needed to do in terms of then learning and filtering alerts and putting some of the processes in place between the two groups.
But we hit it through working collaboratively, and I was going to say, well, be careful what you wish for, because once you’ve done that switch, the amount of data that the DataEndure team was sharing with me and my team, it was quite overwhelming, shall we say. But having that data allowed us as two organizations to focus on what’s really important. If I reflect now on that last 18 months, aggressive rollout, working collaboratively together, it was the right decision to implement a security operation center with DataEndure.
Hugo and the DataEndure team did a great job. I do have exposure through our own committee to the board and they are very keen to know what we’re doing. So some of those statistics that we’ve got, I don’t present those to the board, but I can share things with them that we’ve moved from what we think is a 30% maturity, to right now to be in a 40% maturity. And we use a formal process to do that. And we’re really on track for our journey of 50% maturity for the end of this year.
I can confidently say that we’re in a much healthier cybersecurity position than we ever have been. And we [inaudible 00:14:18] the digital footprint that we now have. I think what’s really a good testament to this, and these are probably the only stats I’ll throw out, this year alone there’s been 116 million events that we’ve detected, the operation center detected. 156 of those have required investigation. And only two of those have actually led to a confirmed incident, but both of which we jumped on quickly as agreed [inaudible 00:14:50] margin. We caught both incidents early. There had been no impact to the business or our data.
It was a fantastic outcome, so we’re very confident that we need to continue to evolve. We need to make sure that we manage those vulnerabilities. We have seen a reduction by about 70% overall vulnerabilities that we had when we started 18 months ago to where we’re at now. And we continue to stay on top of that as we move through again, with that close working relationship. Yeah, I do positively think that had we not hired Hugo and joined [inaudible 00:15:28] those two incidents that did get through may not have been as well maintained. It could have been pretty disastrous for us.
Yeah, it’s been a pleasure working with your team and working with other practitioners in the space is really helpful for us. Because it’s easier to get from an identification and investigation of an incident to being able to really be able to respond to something and stop it in its tracks. We have a lot of this space – this managed security services space, the competition calls themselves SOC or SOCaaS, or managed SOC or MDR. There’s all kinds of acronyms out there for what it is we try to accomplish.
You mentioned two things in that last bit that number one, when we started up there was an influx of information. And one of the challenges that I think that we’ve had is we’ve gone into customers and we end up winning those relationships over, but we’ve gone in and they have a very bitter taste in their mouth from another player in the space. They became a help desk triage of events, and that was it. So they saw the event, they sent it to the team and the team had to really do the investigation and discovery.
You mentioned something that I think is important. A lot of players won’t do the proactive side, they just do the reactionary I see events, I’m going to send them, there’s a problem, without too much more thought than that. Some are better, some are worse, but generally speaking, that’s what the space has become. When you talked about the influx of data in the beginning, we lovingly call it the honeymoon phase ourselves. It’s the first 90 days we go live and it’s the number of events they get passed along are higher, but the intent of that honeymoon phase is to learn each other and learn your environment and then fine tune it down to what are meaningful events.
But also in parallel to that, the proactive side of what we offer is we do the penetration testing every month, and we do the continuous vulnerability assessment. And part of that is about, and what I love about what you guys have been able to do is as we give him those reports, we continuously see the vulnerability numbers coming down. And it’s like you’re in the Bay Area, the Golden Gate bridge is the biggest thing. And we see people all year long, painting the Golden Gate bridge. Part of the year, they’re going in one direction, and when they get to the end, they go back and they start again. And they’re back at the beginning and coming all the way around.
And patching and closing security gaps is just like that, it’s a never ending job. But what we try to do is we try to put in front of our customer teams the things that are most important to patch first. So prioritization and classification of here’s the biggest threats, here’s the ones that the hackers are going to take advantage of first. And then in parallel to that, we also run the security controls validation, which is testing those controls to see if we use the tactic techniques and procedures that hackers do, would they be able to penetrate your environment?
And can you talk a little bit about how – you talked about your maturity level approaching 50%, but while tools and technologies are a part of that, that painting of the bridge is a significant part of that. Can you talk a little bit about what we’ve been able to help in that space to help you close those gaps, if you will?
Yeah, that’s an interesting one because I do believe that security upgrade – what we refer to as a security operations center, it’s not a center. It’s the process. It’s that heartbeat that sits behind those alerts, and then the process that you follow. It’s okay detecting a threat, but what then do you do with that threat? And as you said, how do you manage it? Some of those players just hand it over the fence to my team and then deal with it themselves.
We have a lot more proactive relationship we do there where we do that filtering, we look into [inaudible 00:19:35] and then pass with some insight for our team. So I think it really is the benefit, it shouldn’t be viewed as essential as a standalone unit and then a department. It’s a process, it’s an inheritance. If it’s important it’s the heart of sort of that whole way that data traverses in and out of our network.
For me, as you said, I mentioned we’ve decreased our vulnerabilities by 70%, but we always will have some vulnerabilities because patching is really – the vendor patches come out in a cycle, we just happen to see that cycle and over a month, our vulnerabilities go up a little bit every three months and then they drop back down again. But as you said, we make sure that we have no critical, very few high vulnerabilities left. The majority are in the really low or the moderate that don’t really post too much of a security threat, but we know that and we’ll get to them. But the critical and the high threats, we deal with straight away.
And of course, like you said, it’s like painting the Golden Gate bridge. It’s a process, it’s continuous service improvement to talk about the different process management works. And that’s what we have to continue to do. The sophistication of the threats that we’re seeing now, it’s been [inaudible 00:20:45] a lot now with two very high profile recent issues where malware was pushed out and ransom was paid. We’ve got to avoid that. So we can’t take our eye off of that continuous service improvement across [inaudible 00:21:02] analogy of painting the Golden Gate Bridge. We check it, stay on top of it as much as we can.
It also reminds me of hiking with my dad when I was young. We’d be hiking and I’d say, are we almost there? And he’d say, it’s just around the bend. And we’d go around the band and then I’d say we went around the bend. He said yes, just around the bend. And it was always another bend. It’s out of sight out of mind, I guess. Yeah, the patching is exactly the same story. Kirstin, you looked like you were about to say something and I’m monopolizing time.
That’s all right.
Did I cut you off?
You didn’t cut me off. But I was thinking, so you did see the wheels spinning. It’s just been interesting hearing John talk. Just being in this space, of course, we hear a lot, we see a lot. We see a lot of statistics and data. John, what you’ve been able to do within RAC is I think what so many leaders like you are trying to do, that you spent all this money on tools. In theory, the tools you’ve bought are working, yet surveys will say over 50% of leaders like you are uncertain whether what you’re doing is really going to hold up when push comes to shove.
And so what you’ve been able to implement between your third-party relationships, like a DataEndure, and having very strong people, you’re able to test and affirm on an ongoing basis that what you have is working. So it’s not kind of the yep, I went out and bought the tools and hopefully they stand up when something happens. You’ve got the insight and the intelligence to tell you.
And like you said, you know the things that you’re going to set aside and say, nope, not important yet. But having help finding those needles in the haystack, bringing you down from millions to hundreds to two, that time value and that focus value for your team, I think you’ve been able to implement what so many people would hope to, yet they’re not quite there yet.
Yeah, it’s really important to link, as we said, the people with the process and the system. I call you there in terms of our process in the security operations that now there’s technology, there’s people behind that as well. But that process then translates into our people. I’m not talking about my teacher, I’m talking about the business, an awareness of how they can limit those number of threats and vulnerabilities is really important. That’s why Hugo and his team focus on that.
And yes, Hugo does have a number of other tools and systems that’s in place that sit alongside the security operations center to keep us all secure. So a real sort of component that it shouldn’t be disclosed as a vendor relationship or a [inaudible 00:23:57] sits over there. It’s actually embedded in the DNA of what the business is, and with DataEndure we’ve got that now working with Hugo across our people and our systems that keep us safe every day.
I was going to say those berries behind you are making me hungry. Sorry Kirstin.
I was just going to ask John, you’ve had a great deal of experience, both at RAC and elsewhere. As we start to close down our time together, what would you share if you had one piece of advice or insight, you’ve got likely some of your peers listening to this segment, what would you share as a piece of advice or takeaway?
I think it’s very short and sweet to [inaudible 00:24:54]. If you’re not already on the cybersecurity journey, [inaudible 00:25:02], with the number of threats and outbreaks, it’s only a matter of time now you see the hackers and really those big financial organizations to pretty much anybody that’s out there. There’s ransom to be paid from anybody like [inaudible 00:25:15] is critical of the board. So if you’re not on the journey, you probably need to rethink your strategy now and start on that journey.
For those that are on the journey as we have been, there was a big wild moment for us when we got those first reports through. So if you are on that journey, don’t be afraid. Be ready for those inevitable surprises that use that data, use that wealth of [inaudible 00:25:37] as we did with our relationship to really quickly move from that maturity, we moved from 30 to 40 really quickly. And then we have been plotting that journey to 50 or 60% for next year, by just small incremental pieces at work now. Which take a little bit longer and that’s they’re sort of collaboration, communication with our people in the organization to how they can help keep us safe.
So, yeah, you should be if you’re not on the journey. Once you are on the journey, don’t be afraid of all that data that comes in. There’s a lot we can do with that to make sure that your people and your data are safe.
John, I think there’s something that I’d like to tease back a little bit. You’ve mentioned the maturity level, the percentage of maturity you feel you’re at today, and to your peers listening, I think it’s important to tease that back because when somebody hears 30% maturity, they think unprotected. You have never been, in the whole time we’ve met, even from the beginning unprotected. As Kirstin said, you had the tools, technologies, services. Can you talk a little bit about when you say maturity, what you mean specifically? Because you’ve hinted at it throughout the conversation, but I think to be a little more explicit. What I don’t want folks listening to feel is that, you know what? I don’t have all the tools I need, but he started at 30, so I’m okay.
Yeah. And it’s about that journey and it’s about the risk your business is prepared to take as well. So we have a heat map that we present again to our board. Hugo introduced the NIST, the National Institute of Standards and Technology into RAC. And we use that really as our framework for our governance model in effect. And so they basically lead to five areas and that’s identify, protect, detect, respond, and recover. So we’re able to measure our maturity against each of those five pillars.
And there’s various elements that stick in those five pillars. There’s governance at one end, and policies at the other, and just the day-to-day operations. But certainly in terms of respond and recover, it’s the less sexy part. It’s where you put in your business impact analysis. You look at your business continuity. The real fun bit is the bit that we do in review, it’s about that identify, protect, and detect. So we get all of those millions of alerts and what’s actually going to hurt is how do we get the engineers on dealing with that – that’s the fun stuff, right? But it covers the whole spectrum.
We have still an 18 month plan that we have yet to deliver, that we’re committed to. Of course, that 18 months will then turn into another 18 months and another 18 months. We did it in small bite-sized chunks that’s looking at the risk capita of our business. So I knit that into that capital investment or investment that we need to achieve those outcomes. And then how can we deliver that as an ongoing practice within marketing with our partners.
So for our listeners, what I hear you saying is that it is less about the tools and technologies, although some of the controls explicitly say you should have endpoint security. You should have log aggregation. You should have – those are the simple ones. But this maturity level you’re talking about is much more about the processes and procedures and the evaluation of the things that you have implemented.
Yeah, absolutely. That’s exactly right. And then it’s good to wait every six months, which is why 30, 40, and we’re on track to 50. We actually go there and audit it ourselves. So we do it internally. And then at the end of the year, we get someone else to come in order to confirm that we have reached where we hoped to or not. We take it really seriously. It’s a really important part of the whole business, not just in IT.
Thank you for that. Yeah, I couldn’t agree more.
I was just going to say pretty remarkable that all of that needs to go into growing and delivering berries. Right? Did the Reiter family ever think 150 years ago that this would be something that they would have to be able to figure out how to do well in their organization?
Probably not then, but they’re heavily involved in the business on a day-to-day basis. They were pivotal in signing off the strategy that I did with the business when I first started. They were very, very happy to support – for us, significant investments in the cyber area. So, no, I don’t think in 1868 that they would have envisaged this. But certainly it’s tools and technology that we use to help automate that whole efficient process from, actually, it’s a manual process, we hand pick all those berries.
There’s no way around that. I’m trying to do something with that, not technology, but a big tool that can actually shake the blueberries, for example, the blueberries drop off, you will lose quality. So for those in the supermarket, we don’t do that. They’re all handpicked. But that’s really expensive to do, so we need to make sure that [inaudible 00:30:51] the rest of it is as automated and efficient as possible. Technology plays a lot bigger role than you have in house now.
Back in the 1800s, ransomware meant something entirely different.
Yeah, a lot more scary, I think.
John, we thank you so much for joining us today. It’s just great having you. It’s great hearing your story. And of course, we absolutely love your company and your product. So thank you.
For breakfast, lunch, and dinner. I appreciate it to chat to you like this.