(upbeat music) >> From the SiliconANGLE media office, in Boston Massachusetts, it's theCUBE. (upbeat music) Now, here's your host, Dave Vellante. >> Hi everybody, welcome to this cube conversation. This is part of our CIO series and Jason Thomas is here, he's the CIO of Cole, Scott, and Kissane. CSK is Florida's largest civil defense law firm. Cube along Jason Thomas, great to see you again, thanks for coming on. >> Yeah, thanks for having me. >> So, let's talk a little bit about, the firm. largest firm in Florida, the focus is on Civil Defense, so you got lawyers, you got paralegals running around, you got demanding clients. What's the business like that's driving your technology strategy? >> so when I I'm new to legal, so this, I've been here about almost four years now, so I started January. a whole different world. I came from, from Startup Biotech, that line of business and a completely different animal. it's some of what you imagine, very always on the go, very busy, lot of business, we open dozens of cases a day, new cases, so a lot of things going on. >> Really event driven? >> Yeah very, very busy, so and you know technology's, you know the firm has taken stance that, technology is very important, to the firm and, we want to use the best technology possible, to make us as efficient as possible, so that's the chief driver, for tech at the law firm. >> So tech, you know, 15 years ago, whatever it was like, take an email to SaaS, right? So, but I would imagine you're focusing a lot on just attorney and employee productivity, maybe collaboration, document management, compliance. Are those some of the hot topics? And how are you applying technology to deal with those? >> Yep, so that is a big drive, efficiency, using technology to be efficient, and to make our folks productive. What we don't want to see, and that you see sometimes, you throw a whole bunch of technology at folks thinking that it's going to make them efficient and productive, and actually, it could be the greatest technology in the world for one place, and apply it, and you put it in another firm, and it makes us unproductive, so that's kind of the magic there. Kind of a trick to figuring out, what is it that actually is going to make us productive? >> Are there pretty clear swim lanes in your firm? Or is there a lot of shadow IT going on? Because I would imagine a lot of the frustration of, you know, IT folks is, you get the shadow IT, they bring in a point product, and that IT goes, "CIO's calling clean up this crime scene," and is that a problem in your firm specifically? Or even your industry? Or is it pretty much hey, let the tech folks figure out what the right tool for the job is? >> so in my mind the trick here is, it's not going to be any one person, or any practice group that's going to define what's the best option, what's the best tech. I mean thankfully for me, I do try and drive most of the tech out the firm, but the key is, you have to understand how the business runs. Just because it's cool tech, or it's working at one firm, doesn't mean it's going to apply or work in others. So, I spent a lot of time, in conversations with, a lot of the partners and associates. I try to make myself available as much, just to chat, see what they're doing. see what could make them more efficient. Sometimes if you don't ask, they don't even tell you, but if you ask the question, you can learn a lot in 20 minutes from somebody. And that kind of helps me decide, okay, what is going to make sense, or what's the next thing I should be looking at, to help folks out. >> So basically, Columbo questions, for those of you who remember Columbo, kind of ask your basic questions? What about work flow, how do you spend your time? What kinds of questions would you ask attorneys? >> honestly they could be calling about something completely unrelated to what, you know, what I'm thinking. It just could be as simple as, "Hey I'm this thing with this program where I'm trying to do X and this is the way we're doing now. Is there a better way to do it?" Or, it could be as simple as, we just kind of fall into the conversation based on other things. You know. They just want to talk to somebody sometimes. But they're not necessarily going to bring it up, or just don't have the time, they don't have the time. >> So a lot of times in theCUBE we get caught up, We love the tech, we talk about data science, and machine learning, and block chains and everything else, but then there's this basic blocking and tackling, that the CIO has to worry about. I wondered if you could share your perspectives based on your experience, just in terms of, some of the advice you might give to, organizations that are maybe growing, maybe haven't had the experience of a CIO that's been around the block, maybe in different industries? But some of the basic blocking and tackling that you see, that maybe doesn't happen in organizations, that really needs to happen. >> the expectation, or when you're thinking about, thinking about what the next thing is for the firm, or for your company, you also want to kind of think, you want to think long term as well. You want to think three to five years out. So, if we do this now and based on our current, growth projections, will this work for us in three years? Will this work for us in five years? Or what's our game plan? Maybe we start small, and, expand from there, but you don't want to just plan for the immediate you want to plan for the future. That's kind of, I think that's what CIO should be doing. It's not just about the tech, or is it going to work in our environment, but is it going to work for us down the road. Because we don't want, nobody, CFOs don't want to hear, and CEOs don't want to hear that, hey, yeah we just bought this thing last year, but, yeah we're going to have to buy something new now because it doesn't work anymore. >> But it does happen sometimes? >> It happens all the time, you know. >> Right, I remember, it goes a ways back now, but the federal rules of civil procedure, I think it was 2006, and everybody was rushing to plug holes because the courts ruled that electronic material was evidentiary, for whatever, seven years or something. So everybody was like okay, we need to have a system that allows us to comply. So, they went out and bought email archiving systems, which they knew they were going to have to throw away in three or four year. So how do you deal with it? Do you face that? Especially in a compliance oriented world, and you just try to sort of balance the cost and the throw away nature of that initiative with something more strategic? How do you deal with that? And how do you communicate that to the powers that be? >> Number one, no one likes to be held at gunpoint, number one, and especially my boss, so. I mean he gets it right, I mean there's regulations. But I will say, nothing happens as fast as everyone says it's going to happen. so there's always that idea. There's always this panic, oh we've got to put this in, and honestly I feel like tech folks use an excuse, and of course I do too. Say like, oh you all this is awesome. You know, we get to put something new in and, you know no one's going to say no and, it's not always the best approach, and again you kind of have to look at it long term, holistically for the business. You know, what is really going to happen in a few years? Is this technology going to even be a thing in a few years? Or is it just like, just to satisfy an immediate solution? Because again, I don't want, the last thing I hate doing is putting something in and telling my boss that it has to be replaced. He hates hearing that, and I don't want to tell him that either, quite frankly it's embarrassing. >> I don't blame your boss. >> Yeah it's embarrassing, it's just, let's do it right the first time. >> How do you do planning? I mean obviously there's a technology component, of planning, but I'm inferring from what you say that the end of technology is kind of the, the last thing you should be worrying about. You should be worried about the direction of the firm, the business, the growth plan, how do you do, as CIO, planning and how do you align that with the business? >> conversations, so lots of conversations. Lots of conversations with the attorneys. continued conversations with my boss, the CEO, and sometimes I'm not really great about it sometimes. And, you know, weeks will go by, you know, and I won't even have a conversation with him, about what's going on, and he wants to know what's going on. He doesn't understand all of it, but in those, you know, 15, 20 minute conversations, you'll be surprised what you'll learn. What's going on in the business that you didn't, or I didn't know about, and from there I can make decisions about, you know, six months from now, or next year, or during budgeting season, what it is that we need because, budgeting season is not really the time that you need to try and figure out what you want to do for next year. You want to have a plan months before that. You know, You already want to have kind of an idea of what you want to do, I mean, I've been talking to my CFO since, the beginning of summer about things we want to do for 2020. you know, six months, nine months, ahead of time, so. >> So, do you do basically annual planning? Do you try to look out further? Do you formally document that stuff? >> Every quarter, so we have, we kind of have most of the conversations with our, with my CFO and COO. every quarter we have kind of a list of projects/ what is it we want to do for the next couple quarters. We just kind of, track that and based on what we're seeing and how we do, then we, basically we plan each quarter, is how it comes down to. And we have a, we'll call it a white board, a virtual white board of what we're doing and what we want to do. >> But relatively near the midterm planning, you know doing like five year plannings though right? >> No. >> Waste of time to try to do that, or? At least in your business, maybe in pharmaceuticals? >> At least for us it was really, it's hard for us, to do that because of how quickly we grew over the last, again I've only been here almost four years, but even when I started, in 2015, I think we had somewhere around 300 plus attorneys. Now we're somewhere in the 475 range, I'm not saying no one saw that happening, but I don't think we expected that. I mean business has been great and we're happy, and we're fortunate to have it, but you can only plan so much. but do the best you can with the data you have. >> And for organization structure, you report to the CFO, is that correct? >> CEO. >> CEO? Okay so the, so you're a peer essentially of the CFO, is that right? >> Yeah. >> So you talk to the CFO about budgeting? >> Yeah. >> So you've got the CEO's >> More of the nitty gritty you know the details and numbers. >> What's that conversation like? Is it obviously you've got to justify, show a business case, or is it more sort of hate space? >> So here's the good news. I got lucky again. the CFO is very technology forward and so he understands that it drives a lot of efficiencies within the firm. So he gets it but he's been in the history long enough to get it and knows that we can, again he's efficiency a lot, but there's just a lot of efficiencies, and a lot of inefficiencies seen in a lot of what folks do in law firms that no one takes the time to sit down and say okay why do you do it like this? there's got to be a better way. Well this is the way I just do it, and so, we've been able to kind of adjust a lot of those work flows, or change those work flows to make it more cost effective for the business. Like even things simple as, just manage print service, you know, do we store 100 toners in the back somewhere and then wait for someone to, say that they're out of toners? That's not very efficient. and it's very expensive actually, so you put in a much more efficient process in place for toners. Because we're a paperless firm, but you know, I mean we still have to print, so. >> So, the joke about the paperless office was something like paperless bathroom. So, the other way around, I want to ask you about security. Are you the defacto Chief Information Security Officer, or do you have a CISO, or? >> I do not have a CISO that is me, so that'll be me. >> So, that is you. Alright so let's talk security. So, what is the state of security and as you see it? it's constantly evolving. Security practitioners tell us that they got so many tools, they got, they might have a SEC ops team, you may or may not, it may be something embedded in your team, but they've got to respond, they've got to respond, sometimes it's hard to figure out what they should respond to, prioritization, the data, keeping up with the bad guys, all that stuff. What's your state of security? >> so I think these days, it's not really, it's not really about having the best firewall, or the best, outside protection, so I think a lot of the attacks that are happening now, not that they don't happen form the outside, but a lot of it is a lot of social engineering, and a lot of everything. They're taking advantage of the the ignorance of the users, for lack of a better way to say it, so a lot of it's coming in through email, malicious links, and they're taking advantage of the inside, and bad practices, and bad policies, and/or lack of So, I think based on what we see in the news now, and what you read about, it seems like there's a breech every week somewhere. And when it comes down to it you find out that X company didn't, didn't use a strong hashing. For assaulting, on the hashes for their passwords. Like simple simple, just basic basic stuff. It's not like some massive operation like you see in a movie where you know, they're making this big plan to break in a building and it pans out and they're sneaking in you know, from the ceiling and all that kind of stuff. They're just basic stuff, they're just passwords. How can passwords, reused passwords, just databases of passwords everywhere, out in the dark where you can just buy, and they're just utilizing simple stuff like that. It's not even complicated anymore, it's just, it's a lot of social engineering. >> Often times I say that bad user behavior trumps good security every time, I wanted to ask you about the state of the self security in the industry. So you are reinforced, we were there, and Steven Schmidt stood up and he said, "Look at this narrative from the vendor community that says security is broken, isn't productive. It hurts the industry at the same time." I was at VM world recently a couple months ago, last month actually, Pat Kelsinger basically stood up and said security is broken and we're here to fix it, they bought, you know made a big acquisition of carbon black a local company, so you have these two different, you know, polarizing opinions, I don't necessarily feel like the state of security is great. I look back every year I say do I feel more secure or not, you know remember art cove yellow, every year RSA would write his letter. but what are your thoughts on that? Are you basically saying hey, it's, a lot of times it's user behavior, it's things that maybe, you know it's education, is security a do over? I guess is my question. >> A do over in the sense that I think it just comes out to basic education. I have, you'd be, we're in tech and we understand security and we have all these grand ideas and technologies and vendors and software that we use to do different things on all these fancy dashboards. But, if you ask the basic person off the street about, I think I saw a skit on Twitter the other day and you know there was this guy going around asking them, asking people, you know, what's your Facebook password, or you know how complex is it and they'll just give them their passwords and stuff you know, and I mean there's just a lack of basic education, so all us security buffs walk around, and they don't understand what we're talking about, but they don't need to understand what we're talking about. We just need to be able to look, to just have a basic security awareness and training with folks. I have a friend who works in industry, or in a nonprofit that does, that helps folks who've been you know kind of, harassed or abused online. And she's saying, she's telling me, she's like, "Look you guys are great you're really smart, but these folks, they don't know the basic stuff like hey you know someone keeps logging into my internet, and I keep seeing someone, you know, these weird things in my yard, like cameras in my yard and, can I do this with my phone, and oh well I can't use, like, my dogs name for my Facebook password? Like this is just basic stuff that nobody knows. It's not because they're stupid it's just, they just don't know." And so, like we're up here, and your average everyday person is just on this level. >> How about ransom ware? Obviously a hot topic in the business. what should people be, what should they know and what should they be doing? >> at a basic level security ware is training, it's very simple to do, there's a lot of, no that I'm, pushing products there's plenty of products out there. Secure great ones that kind of help your user, or teach them what not to do, or what to look for. we run a fishing campaign in our firm every once in a while and at this point no one clicks on anything without asking. I mean I get direct emails and I say hey, how's this look? Does it look like I should click it or, you know, does it look legit, I mean it's great. They ask now, they know not to do it. Whereas, I mean that's how they get you. That's how they get most of these places. Especially from we get a lot of, we constantly hear about small firms or smaller clients/companies getting hacked, we constantly get emails from them all the time. They'll get hacked and then we'll get the the emails with the links or whatever. that's one on the user side. On the IT side, we just really need to take it back to the basics, let's make sure we have, backups, and a backup policy, and a data protection policy, and an instant response plan. Let's have a plan here, let's not react when something happens, let's just have a plan. Honestly at our firm, we do have backups, we have layered strategy, but there's just some basic things that we don't do, like you know, IT folks, we don't, we don't keep things on our desktop. Let's start with us, you know we're supposed to be the leadership, in this regard, so let's not keep stuff on our desk let's keep stuff on the network. Let's keep it protected. Make sure it's part of the backup schedule. things like that, I think you just start there, because I was you know, I was just reading about, there's an article that came out yesterday, I think it was Washington Post, and it was talking about the ransomer incident in Baltimore a few months ago. They're just now finding out that the, even the IT folks had stuff on their local computers that couldn't be recovered, important documentation. So, this is just data protection 101. You know, we've got to take it back to the basics, take it back. >> Last question, is just kind of your career, so you mentioned before, you were in, I think you said health care, or? >> Yeah so I worked with MSP, so I worked with a lot of start ups. >> So, how'd you get here how'd you become a CIO? People out there may be, you know people in tech, they aspire perhaps to stay in tech, but they want maybe more of a management role. What was your path, and what kind of advice would you give them? >> what I would say is, so it worked out where, I was I was a lead at the company I was at here in Mass at the time, and so long story short my wife had an opportunity in Orlando, we moved, and I said I would never work for a law firm, ever. because I was, when my current boss found out I was coming we have a, a long relationship. When I was in, grew up in Florida and so part of that yeah, okay so I was in the right place at the right time and I knew somebody, that's why it's important to stay on top of networking. Always be networking, not for any other reason, just get to know people, you know. the tough thing that I had growing in the industry, I didn't get involved early on, which I should've. I should've gone to events, things like that. Get to know folks because if the people don't know you, why are they going to hire you? It's easier to get in somewhere, or get an opportunity, if they at least know you, or know your name, or know somebody that knows you. That's number one, so I'm big on that. as soon as I moved back here I've already started, I have quarterly lunches with some of the CIOs at different firms, I just put myself put there. Just hey I'm here, want to get together for lunch? It's that simple. number two make sure this is what you want to do, it's a lot of it, and you hear this all the time, a lot of it has to do with personalities and people. You're managing personalities and people half the time. You are not just doing the tech. If you think you're just going to be doing tech, or you're just going to be doing cool stuff, not the case. So, make sure you can, you know, make sure you know what you're getting into because it's, it's very challenging. >> Now that's great, great advice, so network, it's not, I like to say it's not who you know it's who knows you, so get out there. And then, Love it because, a lot of times I would imagine it's thankless. Right, you hear, >> Yep. >> You hear a lot of the chatter when something goes wrong, >> It's like a defense of a football team, you know, it's fine until, >> Until somebody scores. >> And someone gets sacked you know what I mean, otherwise no one cares. >> Alright Jason well thanks for the update, really appreciate you coming on theCUBE again. >> Thank you. >> Alright you're welcome, alright keep it right there buddy. We will be back with our next segment, right after this short break. (mood music)