All right. Thank you for joining us for today’s episode of our TECH Talks. As a reminder, we do these monthly, so keep coming back. This is exciting. This is where we talk about tech. And joining me today is Mike Fisher from Therma, and Kirstin as always. The two of us are hosting these events and we really appreciate you guys joining us.
Mike and Therma are a customer of ours here at DataEndure. And as I mentioned in previous sessions that sometimes we’ll be having customers, sometimes we’ll be having partners, and then keep an eye out for when we do our disruptor series. Every once in a while, we’ll have disruptive tech that we’re talking about and things that are changing the way technology has been done. But today we’d like to talk with you, Mike, about what’s going on in your world and how things are going.
Busy. We’re really busy like everybody.
So just give a little bit of a high level about who Therma is and what you guys have done, and a little bit about the growth through your acquisition strategy today for the audience just so they get a sense of who you are and how tech fits into that world.
That’s a lot.
We’ll finish by the time you’re done.
You’re going to have to help fill in the blanks a little bit. As you guys know, we’re 54 years old. So the company was founded in 1967 by Nicki and Joe Parisi. We are a full service mechanical contractor, full service mechanical solutions provider, if you will. So we touch everything essentially that’s in the building that’s mechanical. We’re headquartered here in San Jose with a division in Southern California, and recent acquisitions in Albuquerque, New Mexico and Baltimore. So we have a national presence now and that’s a fairly recent development. We started on the expansion plans about two years ago. So it’s an exciting time.
So you guys have been the largest regional player in this space, and this expansion, you’re hoping to be what for the company? To give you that footprint growth across the country?
Exactly. Right. And part of our model is kind of the be everything for and do everything for our customers. So most of our blue chip customers are folks like Genentech and Intel, Applied Materials, AstraZeneca. Folks that have critical processes, that’s kind of our niche. They have offices other than here in Northern California. So our model is to go and continue to service them in other locations.
So we’re doing that through acquisition and then organic expansion where we’re opening offices such as Southern California service office is a good example of what we did. Our customer up here is Amgen, they have a big plant in Thousand Oaks. So we were asked to set up shop down there to continue to service them. So that’s why we’re moving outside of the area.
And for your history, you are probably one of the most innovative players in this space that we’ve seen ourselves. We have other customers in a similar space, and you’ve been able to implement technology and integrate technology into your work processes. Can you talk a little bit about that?
Sure. Yeah, I think it – I mean, we kind of break our – let’s call it our workflow into three different components; the design side, the build side, and then the post management of what we build and install side. For us and our customers, the speed of project delivery is key. So we have to weave in the technology tools to be able to expedite those processes. If you look at – let’s just look at drug delivery systems, if you will, right. If you delay the project a day, a week, God forbid a month, you’re talking about millions and millions of dollars of potential revenue for that particular customer. So we need to look at what tools are available that are out there and then make them part of our process.
Specifically on the design side, we have to collaborate with the engineers, the architects, the general contractors. And then of course, ourselves, especially the contractor, you need tools that allow you to be more collaborative during that process. Everybody needs to work from the same model, right? And you need to take that model. You need to be able to share it. You need to be able to have seamless uploads in terms of changes that occur to that model. And then once the model is complete, then you have to start building from it. So we’ll take that model. We’ll need to be able to break it apart and spread it out amongst our different disciplines within Therma, and then start building from it.
So now you start pulling in the detailing side. The detailers will take those different components and figure out how we can build them within our shop. And now we start bringing them the shop technology. Again, how fast can we bring the project in? Whether it’s supporting our lasers, or brakes, or sheers or specialty well tools, all that stuff has to be integrated. Now we go out to the site and now we have to look for tools to, again, to speed up the project and we use various GPS tools for the layout.
No longer do you see mechanics out there with a tape measure and snapping the chalk line. Those are times gone by. We use GPS tools for layout that ties back to the model, back and hit the shop, so we know exactly where the penetrations need to be. And then even if it’s not a ground up type of construction project, if we’re doing like a tentative improvement in a lab or a mechanical space, we don’t have the luxury of sending a mechanic in there detailing the existing conditions.
So we have 3D modeling tools with the laser measuring capabilities where we can essentially set a tripod in the middle of a mechanical room, and then it will actually create a three-dimensional model that now we can take back to the shop, figure out how long the pipe has got to be, the elevation of the pipe. We can make that pipe in the shop and take it out to the job or that customer site, and go ahead and install it to minimize any type of customer downtime, et cetera.
And then lastly, the internet of things, right? How the IoT comes into the picture when we’re maintaining the building systems that we’ve designed and built, then we have to maintain them. Being predictive, being proactive and anticipating any type of critical equipment failures that could be catastrophic to our customer. Those are the tools that allow us to be successful in that space. Was that too much?
No, that was perfect. Surprisingly it’s when you think about the contractor space, people don’t think about all the technology you guys have implemented. And one of the challenges that I know that you guys have dealt with and continue to deal with as you grow and as you acquire is, how do you integrate the technology across the acquisitions and how do you secure it? Little nub for us, that’s where we come into picture. But ultimately, as you have continued to add technology and capabilities, and have systems talking to each other, the criticality of the systems now helps your ability to meet timelines and meet schedules, but it also is the risk for that timeline and scheduling. So can you talk a little bit about how you dealt with that risk and what you guys are doing?
From an acquisition standpoint, it is probably one of the most challenging aspects of a transaction, starting at what are you buying? And then how can you connect it into what you already have? Obviously, you’ve got different components of that, you’ve got the finance side, which has got its challenges. And then you have the engineering and design side as well.
For us, we don’t have the internal resources to be able to do all that, those things that need to be done. So, we partnered with firms such as DataEndure to help us through that process. The two acquisitions that we recently started working with require security risk assessments and that’s something that we’ve contracted with you to do. So we’ll take your recommendations and then figure out how to weave it back into the mothership, if you will, and then provide the necessary security components to protect the data.
Yeah. I think there’s some of our listeners who are acquisitive and are very familiar with what we’re talking about. But for those that aren’t, we kind of look at acquisitions as a three-legged stool. There is the financial attribute of it, which is doing the financial due diligence and figuring out, does this acquisition make sense? Are they profitable? Are we willing to take on the risk of any debt they have, and all that? Then there is the business operations side of it, which is, does this fit into our model? Does it expand something we do? Does it add capability we don’t have?
And then the last side of it is that technical due diligence and that is, does the technology mesh? How much of a forklift is it to try to make it mesh if it doesn’t dynamically mesh? And then, obviously, the security side of that, which plays across all three attributes.
Right. Yeah, exactly.
So we’re working on right now the CSO assessment with you guys, which is effectively going into these acquisitions and running a set of purple team activities that helps to validate whether the security controls they put in place are doing what they think they do, and identifying gaps for you so that you know the forklift upgrade you have to do, or the gaps you have to close to get them to a secure standard similar to what you have in house. Can you talk a little bit about the benefit of something like that for a team of your size from an IT perspective?
So you’re talking about the benefit of the actual assessment itself?
The outcome. So for example if DataEndure wasn’t in the picture trying to accomplish that with your existing –
Oh, with our current – yeah, with our current IT resources. Well, it wouldn’t happen, right? I mean, we’re challenged because of the type of business that we have to be able to support just our ongoing business operations, then there’s no way it would happen. So we have to lean on a partner to be able to do that for us.
And for us, security managing risk is paramount. Without doing that, we put ourselves at risk and we can’t afford that risk with our clients, protecting the data, whether it’s as simple as an email phishing exercise, and we’ve done plenty of those, is key. We have contracts with our clients that specifically spell out we cannot have any data breach. So it’s a huge priority for us. That’s why we’re leaning on you to perform that.
So as you continue to look forward and you guys continue to grow through acquisition, and some of the things you’re doing in your space, what are some of the – how do you stay ahead of the innovation curve and continue to innovate as you have? It was one thing to be in a single region and be able to bring everybody together and do things. How do you spread that across all these different locales now and states?
How do we spread the – ?
That innovation concept?
Well, that’s a good question. Again, that’s a challenge. It starts with the leadership team of the acquisition and making sure that we’re all on the same page in terms of what are the priorities from an IT perspective. And once they understand what the overall risk and the importance of protecting what we have, it’s not a hard sell. And then we’ll – again, we’ll be pulling in DataEndure to help support those activities. And the nice thing about it, of course today, you don’t need to be in Albuquerque and you don’t need to be in Baltimore to be able to provide those services. And then we had a discussion just the other day in how are we going to deploy the sensors for the SOC or for those remote locations? And the nice thing is, is nobody’s got to get on an airplane to do it because we can do it from here.
That’s one of the advantages. We’ve created a model for – we have customers that are international in scope. And the challenges they had is, how do I deploy this quickly? Every other SOC company we’re talking to has to put people onsite and they got a project plan that’s a year long to implement. We can’t wait that long. And when we put our proposal together for this one particular company I’m thinking about, they said everybody else was nine months to a year. You guys are saying 30 days. How is that possible? And we’ve been able to accomplish that because of similar innovation on the technology side, in automation, in a cookie cutter approach to deploying things, so that we don’t reinvent the wheel for each customer.
I was just going to say if we could rewind just a second. You mentioned the SOC, you kind of started to talk about that. And just for the audience out there, we’re talking about security operation center as a service, and that’s something Therma has deployed and is now employing as one of the security measures that you’re taking to further protect your company.
Maybe talk a little bit about that, just because we haven’t really talked about what that is or maybe why that’s something that your organization is looking at. Because I think that’s interesting too, because we’ve got a lot of folks out there that know that there’s security risk out there. They maybe have deployed a couple tools, but are they doing what they need to, and is that enough? Can I find the people? People are really expensive. So why did you come to think about the security operation center in the first place?
Well, without getting into the details, we had an event that kind of shook us to our core. And I mean, IT for us, historically, has been in the back room, making sure that our computers turn on when we hit the start button. In post event, it was evident to us that we needed to really, really invest into protecting the data. And we quickly found out that it’s not a single layer approach. It has to be a multi-layer approach.
Unfortunately, I’ve learned a lot about IT in a short period of time. But that was the biggest takeaway after we started discussions with DataEndure is you can have passive systems that sit there and will detect activity, but then you need something more than that, right? You need something that can stop the activity and then report the activity. I think we have three layers right now and looking to add a fourth. But it’s the biggest threat to our business and it was the least resourced prior to this event that we had.
And it’s not uncommon. We see a lot of places. And the challenging thing to it is we see places that security is one of the many hats that the IT team wears. And it happens to be because it’s not prioritized, and there’s not budget allocated to it that it is the least one paid attention to. And I’ve had conversations with a lot of customers over the last year where their tune has changed from “We’re not a target. We’re not a threat,” to “Oh my God. We keep seeing articles every week. And are we really a threat? I didn’t realize we were a threat, but maybe we are.”
And the reality is, if you look at the media and you look at what’s going on out there, there is an awful lot of attacks happening. And what’s going on is people are not targeting. They’re doing a shotgun approach and that splatter, if it hits anybody, they get notified that they hit somebody and they go on attack and try to take advantage of it.
So our approach to the SOC – I’ve been in the CSO position for about 20 years of my career and our approach to the SOC is what I would want if I was sitting inside a company and somebody was bringing a service to me. And so we’ve made that defense in depth approach, which is what you were talking about, the multi-layer approach. It’s one thing to have firewalls and endpoint protection, that does a lot to protect your borders, but especially a company like you or anybody who has people in the field, how do you protect the people in the field? How do you know they’re getting protected? And how do you know that the firewall is doing what you want?
And so we’ve put layers in that do behavior, like you said, that understand what’s happening on your network from a behavioral perspective, behavior at the endpoint. And then we also do a – similar to the CSO assessment, we’re doing that automated pen testing or purple team activity every month to see if your security controls work. And that way you get a sense of, “We actually have our controls in place. They’re doing what we think they are. We didn’t just spend all this money on these expensive firewalls and these expensive antivirus solutions, but they do what we expected.”
For me, there’s a sense of security, sense of comfort because it’s – I have visibility into it, right? And it’s kind of disturbing to see but it’s also comforting to see the reports or the notifications that I get, which is the same as the IT team gets to show, “Hey, you got this activity happening on this particular endpoint. Go investigate.” Fortunately, nine times out of 10 it’s something benign. But there’s that one time and we’ve seen it on several occasions that there’s something malicious starting. Prior to engaging DataEndure and deploying the SOC, we wouldn’t have known. And you don’t know for months and months until somebody decides to hit the start button and then by then it’s too late.
It’s funny. I had a similar conversation recently with a customer who said, “I’m not sure you guys are doing anything for us.” And we did a quarterly business review with them and walked through, here’s the 65 million events that have happened in your environment since we went live. And of those, here’s the number of alerts we’ve escalated to your team. We take care of the rest of that.
Yeah. I didn’t know what white noise meant until you shared some of it. Yeah. We recently added two executive positions, to our team, a new CEO and a new CFO, and both of them have been able to witness the effectiveness of it and were highly impressed with it.
Thank you. We certainly appreciate your business and the relationship.
Yeah. No, it’s been good.
So I think we’re coming up to time. And again, really appreciate you joining us here. It’s a good conversation. And for our audience, thank you for joining us. And we look forward to seeing you on the next TECH Talk. Any closing thoughts?
I would ask you to provide one closing thought to our audience. So we talked about it earlier, while what you’re doing in your industry is unique, your systems, your processes, your tools. For probably anyone in your position, independent of the industry, their challenge today is how do I balance this need for innovation and this need to be able to balance risk? So it’s tricky. What would you say, what would be one recommendation or one thought that you might leave with individuals in your position as they think about how to balance this, how to think about it? Anything interesting you might leave with our audience?
Well, I mentioned it earlier, right? We have this event. And that was something that I struggle all the time with is that balance. It’s not a balance. It’s really you need to look at the risk and the safety and security of your data is your number one priority when you’re planning your business, because if there’s an interruption to it, you have no business. You cannot under-resource that, and you need to make that – especially now, since we’ve gotten as large as we have, there’s governance issues, we’re constantly audited on what are our safety and security procedures. And it’s paramount. It is one of the most important parts of our business. Did that answer your question?