Resource-strapped midmarket organizations often have a single IT executive pulling double duty as CIO and CISO. When is it time to put on your CIO hat versus your CISO one, and what is the best way to juggle both leadership roles? John Michael Gross, CIO and CISO of Cascade Environmental, offers his experience and advice on being the CIO and the CISO.
Adam Dennison (00:03)
Hello and welcome to Ready Set Midmarket. I'm Adam Dennison, your host, Vice President of Midsize Enterprise Services, MES, and joining me is my co-host Samara Lynn, Senior Editor of MES Computing. Our guest today is John Michael Gross. He is the CIO and CISO of Cascade Environmental. John Michael, welcome to the show.
John Michael Gross (00:23)
Thanks for having me folks, I appreciate it.
Adam Dennison (00:25)
Appreciate it too. And we're gonna lovingly call you JMG. So that will be throughout the rest of the party.
John Michael Gross (00:31)
Yes, my friends, and you are amongst them, call me JMG. So that's perfect.
Adam Dennison (00:35)
Excellent. I think our first question is going to be, tell us a little bit about yourself, JMG, and Cascade Environmental, what kind of business you guys are in, and then we're going to delve into your role a little bit and how you balance these two roles.
John Michael Gross (00:48)
Sure, so I've been the, I started as a CIO here at Cascade about eight years ago. And with the rise of cybersecurity demand and need and board reporting and those things, I actually slipped into that role, or added that role, about five years ago. Cascade Environmental is a, I love Cascade Environmental for two reasons at cocktail parties. Not that you'll find me at many of those, but.
If I want to get rid of people, which being in the IT space is 99% of the conversations, I just say, we're a drilling company. People are like, I don't want to talk to you anymore about that. So they walk away. But for the, you know, the 1% that are interested in having that conversation, we're a company that partners with other firms to really protect the nation's groundwater and do groundwater monitoring and things like that. So really, I think it's a super interesting business. So if you care about your drinking water, we're one of the companies that helps clean it up. Some of the bigger things that we've done that you may have heard of, if you've seen any of the Camp Lejeune sort of lawsuit ads that were out there, we completed that cleanup job last year. We stepped in and did that.
Adam Dennison (01:48)
Is your business US only, or do you go into other countries as well?
John Michael Gross (01:53)
We're primarily US only. We have a few jobs and things we've done outside of the US, primarily through partners. We have some active work in Brazil right now. And we've had some work in the past in places like Australia, Vietnam, even as nearly out of the country as Canada.
Adam Dennison (02:11)
Can you talk a little bit more about the role? We often call it the CIO plus role, right? So you'll be the CIO and you might have plus X. Typically it's not CISO. I've seen that a couple of times, but it doesn't normally elevate to that level. So when they decided, or you asked for, or were voluntold to be the CISO, what did that look like, and what did the reporting structure look like from your current CIO role? What did security look like under Cascade before you elevated to that CISO role as well? What does your team look like, and can you share with us how that transpired?
John Michael Gross (02:49)
Sure, when we started out, all of us as CIOs had a little bit of good enough security or just enough security. I think I come from that age where I would say we weren't laissez-faire about security, but we didn't really have the emphasis on it that is necessary in today's world with the threat actors that are coming after us.
We're nationwide. We have about 35 offices and just under a thousand people. We don't necessarily have the funding to have two people that have this sort of role. So there's both a need to have both roles. I think every company should have both roles filled. It doesn't necessarily need to be two people. But we certainly couldn't afford to have two people that were strategic and tactical and driving that behavior. And so it wasn't so much a volunteer or a... it was just a business imperative, as it were, that both of those roles get fulfilled. You probably have to check my sanity when I raised my hand and said, great, let's do this. Because it definitely creates some conflicts of interest in terms of what's there. But I think when I'm in meetings or when I'm in things, there's certainly a time when I have to be worrying.
I think the analogy is, you know, wearing that hat, if you will. So I have to be wearing the CISO hat, and after that I have to be wearing a CIO hat. And those are two very distinct hats. And so in our organization, with the threats we face, about 60% of our people are out in the field on any given day. So I normally have, you know, the network threats that everybody has, but I also have the threats of people that are in hotel rooms, they're traveling around, and fleet, and all the areas that are being hit with cybersecurity now.
So I needed to be able to focus on those and say, I need to put aside my CIO hat for a bit to do this. I think it's just something that emerged over the last five to six years, I'd say. I have a little story as to how I got into it or why it became a big thing. And I don't know if that's... I guess we have time on a podcast to go through it, but we had been hit with probably our third BEC breach in about two weeks, a business email compromise breach. I used to ride my bicycle back and forth to work as a way to actually get some exercise in as opposed to sitting in front of a computer all the time. And it's a little over 20 miles going back and forth. So I had a good hour or so to focus on things. And frankly, I was pissed off.
I was upset with the end users for falling for what I thought were pretty basic things. I was upset that we were being targeted. I was upset that I didn't have the systems in place to stop it. It just seemed like all these things were going and I thought these people aren't smarter than us. And so, you know, through events like MES and, you know, the IT leadership network wasn't there then, but actually reaching out to some of my peers that are now in that network, but were part of MES.
I started asking how people were solving the problem and it just became, you know, it became apparent to me that I was not putting the focus on security in a way that I needed to because, you know, you can't blame the end users if they haven't been educated. And you can't blame the systems if you haven't really tested them and made sure they're all in the place that they need to be. And you can't blame the technology if it's all there and you haven't configured it right. So all of those elements sort of led me to sort of revamp and, you know, do a little bit of a deep dive on the security side. And, you know, after a couple of months of that sort of deep dive, it became apparent that somebody needed to focus on that security day in and day out. And it was readily apparent there wasn't going to be another person that could step up in the organization to do it. And I wasn't going to be able to hire someone to do it. I sort of had to craft that definition inside the organization and say, I'm going to start time splicing and doing these things so that I can do both at the same time. And that's really the impetus that started us down the path.
Adam Dennison (06:29)
Interesting. Do you have a dedicated security team under you as well? And what's the size of that and their roles?
John Michael Gross (06:37)
Well, I've described our IS team, we call it information services, not IT, as thin to the point of anorexic, I think, to quote that famous movie line. So, you know, my entire team, including myself, is only five people for all of those locations and all of those resources. That being said, I rely on... I don't have any vendors, I have partners. So I seek deep partnerships with every vendor that I work with. And then I also have an outside partner that took on some of the maybe less IT critical things like help desk and things from us. So help desk, system administration, and that team is much larger. And so maybe our total team is probably measured in the 10 to 15 range when you include all of them in, but they are outside contractors, is what we do. So not quite an MSP model, but definitely kind of a hybrid of those two models. That team has one dedicated security resource that works with us. Obviously, I moonlight; 50% of my time, I'd say, is in the CISO role. And then when you sort of put that whole team together, that is our security team and what we do, and that's our whole IT team.
Adam Dennison (07:45)
How does a vendor get to partner status with JMG and Cascade?
John Michael Gross (07:50)
Well, I think you could ask some of them, probably painfully. No, I think it's really very simple. When I first came in, I inherited a bunch of solutions. We're very much an on-prem company, very traditional, "no soup for you" IT sort of organization.
Adam Dennison (08:10)
That's too janky.
John Michael Gross (08:13)
You know, my feeling was we, you know, I had the same size team. Maybe we had one more person then. And it was apparent to me that we weren't serving the business. We weren't focused on revenue. We weren't focused on EBITDA. We weren't focused on customer satisfaction. We were just keeping the lights on. Very traditional IT. And that isn't how I'm built. I want to ask why we want to do things. I want to do things that enhance the business. At least that's what I aspire to do.
You'll have to ask my end users if I do that all the time. The goal was, how can I be better? So I actually went to every one of my vendors that was incumbent at the time. And I said, I'm brand new here. And I'd like to know, I'll give you 30 days, I'd like to know how you're adding value to Cascade Environmental. And if you're adding value, we'll seek ways to deepen that partnership and become better partners together. And if you can't answer that question, you're gone. And honestly, I think every vendor sort of was like, we've never had anyone ask us that before. And I said, well, I'm asking and I mean it. And there were a couple of vendors that didn't take that seriously. And frankly, they were gone. I got rid of them and found vendors that could help us. And then the ones that did help us, many of them are still with us. Others, maybe their toolset wasn't as complete. When I'm interviewing a new vendor, the first thing I ask them is, everybody is going to sell me something that works if it fits. That's day one. But when you start looking at configuration drift or company drift away from the configuration business, you know, business changes day in and day out. How can we ensure that we're getting the best value out of this, whole? Day over day, month over month, year over year. And so with all of my vendors we now have sort of a monthly review, and that review is not me coming in and saying, here is what I like or don't like about the product. I'm trying to get what they're learning from their other customers. Because again, we're a small business or a mid-sized business, but we have enterprise problems, especially in the cybersecurity space. They are seeing many other companies at the same time. If I can steal, i.e. learn from what they're learning from other vendors, I'll be better as a result. So having that sort of consistent feedback loop. I know with a lot of my vendors, they weren't used to it. They would do the annual review with a quarterly review. And it's mostly, it was a business thing. It was about how do we ensure the contract stays in place next year? But this is very much a, what are you learning from other customers that we could learn from, that we're not doing? What about our configuration, in your opinion, is not ideal? That doesn't mean we accept everything that comes in, but it means we're going to be partners on this. All of my partners at this point, as I said, I don't call them vendors, have really stepped up to do that. What I do in return, and this is one of the reasons I'm on the advisory board for MES, is to help introduce them to my peers, to my peer network, to encourage them to become part of things like MES. That's my partnership side, because if you're a good solution for us, there's a very good chance you're a good solution for the other vendors, or the other companies, that are in that space.
Adam Dennison (11:07)
Absolutely. Samara, I don't want to dominate all the questions. Something to ask JMG?
Samara Lynn (11:11)
I mean, this is a great conversation, JMG, what I want to know is from an IT professional standpoint, the CIO and CISO roles are very different. Did you have to obtain any additional certifications or skill sets to step into that CISO role?
John Michael Gross (11:28)
Well, I think anyone who wants to do it should probably have some sort of sanity check done. That would be the first thing I would do beyond the professional things that you want to do. But yes, I come from a software development background. So I certainly had a lot of cybersecurity training and things in the past. So I think when I started down the path, it became readily apparent to me, when I started down the path of adopting, heading toward that CISO role, that I was not really qualified to hold that title, professionally qualified to hold that title. So I actually went and started working through the certifications. I certainly had a lot of practical knowledge. I had the experience of malware breaches and bad software design and bad network design. I certainly had all of that experience, but I hadn't gone through and gotten the certifications. And so I think it's important to have that.
Just as it's important in the CIO role to make sure that you have the certifications at a certain level, you know, high-level certification, I don't think you need to be the best technical person on your team. In fact, all of my technical people are certainly deeper than I am at this stage. But it's important to make sure that you're understanding, you know, getting to know what you don't know, I think is how I would describe it. So yes. So continuous learning, you know.
I think it could start with, if you're intellectually curious, you can do these roles. If you're not intellectually curious, it's probably very difficult to go through the training and be anything more than book smart. And I think as we know, book smart probably doesn't work in either of these roles. You have to be intellectually curious and really want to be able to own the persona of, you know, for talking about cybersecurity, you have to own the persona of the end user and how they do things, and own the persona of the CISO and what needs to be done, and own the persona of the hacker and how they're going to come after you. And if you can't slip into those roles, then it's hard to make sure you're sort of being comprehensive in what you're doing. And I think every day is a challenge to do all those. And I think the same would be true on the CIO role as well.
Adam Dennison (13:19)
So let's talk some about, as you said, being in the role of the end user. And you mentioned that you guys have been hit a few times because of email compromise from your end users.
We deal with it all the time. We deal with it on text. We deal with it all the time. I don't know if you took it yet, but we just had to go through our education training. I passed both, I will tell you, with 80%, which is what was needed, which is higher than my college scores. But how do you, in today's world, JMG, how are you educating and getting it across to your end users? Because look, again, I don't want anything bad to happen to my company, but I can't stand taking some of these courses and classes that we have to take, and it's thrust upon you and there's a deadline and you're like, well, I've got these other things to do which are revenue generating. But what does that world look like today, and how can that, how can that be better for end users, folks like me? What are your thoughts around that?
John Michael Gross (14:13)
Well, I think, I don't know that there was an epiphany moment for me, but there certainly was a lot of education for me because, as you heard earlier, I sort of come from the "no soup for you" background a little bit. That's it. In a nutshell, if you can't pass the test, you shouldn't be allowed to use any of the systems. Well, that's not practical. I would say that's deep in my DNA. That's how I was brought up. I grew up in a military household, so I very much have learned an order is an order and these are the way that you do things. And I don't understand sometimes when people can't do that. And so I think something that I probably have, you know, a skill that I'm always working on, is having more empathy, is really understanding why people don't understand why this is important, or understand maybe the magnitude of the threat that's out there or the prevalence of the threat that's out there. And so I think for me, getting into, getting to my end users, to stop being frustrated, because I certainly, when I first came into the company, was very frustrated when people did what I thought were silly things. Of course there's not a bag full of money waiting in some Nigerian prince's apartment that you need help with. Of course the CIO or the CEO is not asking you to send gift cards. But for end users who aren't used to seeing that sort of thing, or maybe have never had anyone have a conversation with them about it, they view it as, this seems logical. I think even now today, and I don't know if this has happened to the two of you, but the most recent sort of smishing scam that's been going around, which is about tolls, right? Right? So we're both getting the tolls, right? And you're in Boston.
Adam Dennison (15:44)
I'm getting it all the time.
John Michael Gross (15:49)
Samara, I can't remember where you live, you're in New York, so you're used to seeing tolls, right? And it's just natural. Like, I can't remember if I was driving there, but I must have been driving there, therefore I will do that. So I actually, I went up on Grok and I actually asked, because we had a kickoff meeting internally a couple of weeks ago inside the company, and I asked about what was the scope and scale of the toll threat?
Grok responded and said, you know, I can't tell you how big or bad it's going to be in the US right now, but this same thing happened in Australia last year. So again, any of you can look this up yourselves. And I think the numbers, if I remember it off the top of my head, is they, it was about a $750,000, $750 million threat, something like that, out of Australia, for the scope and scale of Australia. They were, Grok was estimating what the size would be in the US. So clearly there's incentive for the hackers to do this sort of thing. And you know, what is it? It's $1.99 for the toll and a dollar for the late fee, whatever it is that the latest text that you got that came through. So they're hitting millions of people and hoping they get 10% or 1% or whatever the number is that comes through. So it was pretty clear to me that, going back to the empathy piece, not everybody is going to have the education or understand what's there. In fact, my wife just sent me a text yesterday and said, is this real? It's a toll from a toll place inside of Seattle, a legitimate toll place inside of Seattle. But of course, looking at it, the URL is bad. Well, I deal with URLs every day. So it's logical to me that it's bad, but to my wife, she sees all the verbiage in there and it seems reasonable. So developing some empathy, but then also, and again, another skill that I would say I hadn't necessarily developed as a young, you know, IT professional or software developer, actually talking with the end users and saying, what are you seeing and what are you thinking when you see this? And really starting to go and do one-on-one education. So our phishing program, I probably shouldn't disclose this because it will end up, you know, I'll be attacked as a result of it. So we phish every month.
It's guaranteed that everybody gets phished every month. And if you fail the test, I, of course, the old me would have said, fired, fire them. Failed the phishing test, you're fired. You're a threat to the company. That's not reasonable, because everybody's going to fail a phishing test. So then we took that phishing test, that monthly phishing test, what I would say is in sort of the medium to hard level. And then we do a bi-weekly, they will drop into an every two week phishing test.
And those phishing tests are a little easier, with a little more education involved, whether it's a video or a short, short little snippet, to see if they fail those or pass those. And the goal is to educate them on these are coming at you all the time. If they fail one of those tests, then that sort of ends up on my desk. This is where the CISO steps in. And the conversation is very much, are you ignoring this, or do you just not understand what's happening here? And so that's where the empathy comes in. I'm having the conversation and a lot of people say, well, I just wasn't really paying attention to it. Well, that's a chance to talk to them and say, well, you need to pay attention, and here's why. And one of the infographics I love to show people is, and you can find this on, you know, you could Google it and find it anywhere, but how much personal information is on your phone? Credit cards, driver's license, social security, there's so much information stored in your phone. For people to understand, well, there's no threat anywhere, but if you think about all the personal data that's involved on your phone, all of a sudden they're like, wow, this device actually does have something that people want to get to. So getting that connection between people who maybe were, care, they didn't have that culture of, I guess you'd call it being a little paranoid or being aware, but also understand that they have something that's very valuable in their hand. All of a sudden they start making that connection.
Samara Lynn (19:38)
And users are the biggest threat vector, right?
John Michael Gross (19:41)
Well, they're certainly the easiest to attack, right? It's a volume play, right? They're going after the volume because you don't need to breach the entire company. You just need to breach one person. You know, it's really about understanding how you can best impact on your end users, that they are the frontline and they're not attacking me. And I've noticed this. If any of you are looking at your impersonation logs and seeing who's impersonated in the organization, what you'll find is that your CISO and your CIO typically are not high on that list. It's actually the CFO, the controller, AP, AR. All of those people are high on the list because those are the people that maybe haven't adopted that culture of cybersecurity. And so you have to sort of bring some, without making them paranoid like we all are, you have to bring some of that to them to make them aware.
And more importantly, what I've tried to do is tie that and say, look, we can do what we can do to protect our business. I think we can do what we can do. Please, hackers, don't, like, target me, especially just because I said we can do what we can do. But we think we do a pretty good job. We're consistently ranked pretty high. We run pen tests every two weeks, really every week when you think about the different tools that we're running. We're constantly evolving what we're doing.
Adam Dennison (20:55)
So I want to be respectful of time, Samara. Do you have any final questions for JMG before we let him go?
Samara Lynn (20:59)
No, I just want to thank him so much for being a guest. Great conversation, John. Thank you.
John Michael Gross (21:04)
Thank you guys. I appreciate you having me in. I think, you know, I joked about not, you know, checking your sanity if you want to do both of these roles, but I think just sort of in closing, I think it's important for these two roles to be fulfilled in every organization. So however you do it, they need to be fulfilled. I think taking that on, you know, whether it's at a board level or at an executive team level, in my case, it's important for me. And I will actually come in and say, this is the persona that I'm adopting in this meeting. This is the CISO speaking now, which, I mean, the CIO doesn't necessarily agree with everything the CISO wants to do, right? But that helps my team understand, and my team, really they're great partners inside of Cascade. They've really stepped up and, you know, help me work both of those perspectives. But to say, this is good for the CISO, but this is probably bad for the CIO. It's bad for the business from this perspective.
And to have that dialogue, and I think being able to say that you're playing both of those roles, allows the team to contribute in ways that I wasn't doing when I was just serving one of those roles. So if you can't do both, if you can't have both roles filled by individual resources, adopt both of them and step into both roles. But make sure you're talking to the rest of your team about which one of those roles you're offering your perspective on.
And I think if you have a great executive team, they'll work with you on it. It'll work to your benefit.
Adam Dennison (22:28)
John Michael, thank you so much for taking the time out today. We are embarking on MES land coming up here in the next couple of months. We'll see you at our events. Samara, thank you as always as well. So thanks, everyone, for joining us at Ready Set Midmarket, and we will see you next time.
John Michael Gross (22:44)
Thanks. Have a great day. Thank you.