Featuring The Nisos Group
Welcome to Episode 31 of Students vs. Startups. This week, moderator John Gilroy talks with the CEO & founder of the Nisos Group, Sean Weppner. With Sean’s background and degrees in mathematics and computer science, The Nisos Group is able to solve everything from basic network security issues to helping you get a nation-state off of your network. Read on to learn more about The Nisos Group, as well as how “fortune favors the prepared.”
John Gilroy: Welcome to Students Versus Startups Showdown Potomac. My name is John Gilroy. I’ll be your moderator today. Let’s have a big round of applause for show number 31. Yeah! Actually … applause is for Al Gore, the inventor of the internet. That’s how we’re brought to you in this podcast.
We are sitting in the offices of Eastern Foundry. We kind of took over a conference room. Kind of like Occupy Arlington here. One side of the table we have some students. The other side of the table we have a startup. We have a 26 minute conversation and then we walk out of here all as friends. That make sense boys and girls? I hope so. Good, good, good.
I’d like to start off by introducing our students. Our first student is Chris Davis. Chris Davis is studying for a master’s degree in technology management from Georgetown School of Continuing Studies. Chris, a little bit about your background please?
Chris Davis: I’ve been working at Georgetown University in the information services department for about 19 years. I work in IT support account management, and I’m just about ready to complete my master’s degree at the School of Continuing Studies.
John Gilroy: Well, that’s good. And our second student or graduate student is Maura Imparato. Your background please?
Maura Imparato: I have a master’s in technology management from Georgetown, and I’m an IT management consultant working for health sciences organizations.
John Gilroy: Interesting. And we have a student named Assad who bailed at the last minute, and so I just grabbed someone off the street. I just said “Hey! You look like you’re smart. Come on in!” And we have Camron. Camron, please tell us about your background please and tell me how you pronounce your last name again.
Camron: Sure. Camron Gorguipour. I … I’m a California native. I have a PhD in bioengineering from Berkeley and undergrad in astrophysics and physics, so you know …
John Gilroy: Pretty good catch on the speaker huh?
Camron: Yeah. Yeah. So any questions related to like dark matter or black holes or anything like that, you can … you can kick them my way.
John Gilroy: Well this is a formidable table we have here. And on the other side of table, we have a gentleman by the name of Sean Weppner and he’s the managing director of client operations at a company called, The Nisos Group. How are you Sean?
Sean Weppner: Doing well today. Thanks for having me here. Really excited to talk to you and the students.
John Gilroy: Well I’m a radio guy have to talk about Nisos and ISOs in case you’re trying to find him on the internet. Tell us a little bit about your background please Sean.
Sean Weppner: My background is degrees in mathematics, computer science. Out of undergrad, I started working at the Department of Defense agencies type of thing. Building some of the first scalable data storage and analytic platforms. More specifically over the last several years, I got into deep learning, building statistical models analyzing image and text for classification as well as some other use cases and most recently at Nisos Group. I helped to head up our client engagement in technical execution across all of our product lines.
John Gilroy: Interesting. Now your website says “A fortune favors the prepared.” Do you agree?
Sean Weppner: Oh completely. I would say that is … the one thing we help our clients do is to prepare, and sometimes, you know, when we weren’t there to help them prepare, it’s remediate.
John Gilroy: I teach students full about LinkedIn and the three skills you have on LinkedIn, the primary field’s the software engineering, Java and algorithms. You agree?
Sean Weppner: I would say so. You know, it’s been a little while with Java, but that certainly was kind of the predominant skill set that I had growing my career so makes sense that it’s there. I’d say probably more so … Honestly, the IT management, especially as it relates to technical teams, bringing the gap between, you know, a lot of language barriers that you see with engineers. Especially, I would say, you know, anything from C Suite board level to … kind of VP level.
John Gilroy: Good. So Sean, if you don’t mind in my classroom, my students can raise a hand and say “What business problems have the company solved?” So what do you solve?
Sean Weppner: Sure,
“we solve everything from basic understanding what your network security issues are, to helping you get a nation-state off of your network.”- Sean Weppner, CEO & Founder of the Nisos Group
On top of that, we hope clients answer very difficult problems that they’re having a difficult time solving, using contemporary methodologies that they have … been using data to that date. Everything from open source intelligence gathering as well as some more proprietary methods and data sets that we have access to.
John Gilroy: Well Chris, you’re no stranger to network are you? Why don’t you go over the first question?
Chris Davis: Yeah, so as I was reading the description of your company on your website, I wasn’t quite sure if you were a technology company or a spy agency. But one question that I had … a lot of what you described, it does seem really germane to network security and addressing security threats. But I’m also noticing you list as a … some of your activities are doing “market sentiment verification” in doing a … market analysis. How does that really tie in with the other work … the security type work your …
Sean Weppner: Sure. I would say things start to bleed over, and again we were talking about this a little before we started recording here, but cyber and kind of the digital domain are really becoming the platform that this is … exists on, and society exists on.
It’s kind of an echo if you will of everything that happens in the physical world. So, what we use is our trade craft that’s really been honed in state crafts in operations with federal government, and apply that to help answer questions using creative Googling and you know the open source research and analysis techniques that really you don’t have unless you’ve done that before. Kind of at that … either state or a very high level.
So we use that, apply that to be able to help a company. If you’re in oil and gas, understand what your above the ground risk is if you’re trying to acquire land or tracts of … rights to mineral properties. Or if you’re a company that wants to acquire … a … overseas organization and you want to know what your risk is in terms of key man risk. You know, who’s going to leave? Where are they going to go to? What kind of IP could they take with them? Et cetera. How do you figure out or remediate any issues that might exist on that existing network. And then, plug them together.
John Gilroy: Maura, we hear risk management here … a lot of things floating around. You have any questions for Sean?
Maura Imparato: Well you deal with risk a lot and how do you earn the trust of your clients at the outset?
Sean Weppner: Sure. A lot of our clients recommendations comes from existing clients, existing relationships we had based on our previous careers, more or less outside of the commercial space. But a lot of times what happens is they’ll say “Okay. You say you can do this. Here’s a problem.” And you start small and you deliver and you show that you have both the technology know-how to solve the problem but also the tact to be able to handle it with the correct security measures, and kind of proper communication protocol.
Maura Imparato: Wonderful. I have a follow-up question though.
Sean Weppner: Sure.
Maura Imparato: You said your team members have previous career experience. What does that involve? I would assume military . . .
Sean Weppner: Everything from military to operations experiences as relates to a more technology and … I would say for now the vernacular is “hacker”. You know, people who know to leverage and make the best use out of misconfigured technology.
John Gilroy: Camron. Do you want to jump in?
Camron: Yeah. So, you guys obviously have a lot of relevant experience and obviously a very timely, important field that you’re in training to. But there’s a lot of competition in the space that you’re in right? So, what do you see as your key differentiators as a company from other firms that might do the same thing?
Sean Weppner: Sure. I would say it’s personnel, you know first and foremost. We really tend to have a close circle of trust that we hire from. You know, it’s generally one or two degrees separation roof and beyond that we don’t really bring in any outside sources from that circle, and on top of that, you know, we really … because we only hire from those groups, it’s … it helps us avoid kind of the value proposition of a more traditional pen tester.
“You know, the people who instead of knowing the rules, they know how to bend them.”- Sean Weppner, CEO & Founder of the Nisos Group
A lot of what we see from a network security issue standpoint comes when clients focus on just checking the boxes, when it comes to specific requirements or regulations. Hackers live within those spaces and our guys have very much lived within those spaces as well, so it’s kind of the perspective and being able to recreate an active perspective of a very advanced hacker.
John Gilroy: So Sean, I was walking through Georgetown about two weeks ago and I saw this store that said, “Bespoke Tailored, Bespoke Suits”. And so at home to my wife I had said “Hey! Is that a brand name like Calvin Klein?” And she said, “No you idiot, it’s custom made!”. “Oh, so that’s what bespoke” … I had no idea what that meant. I go to your LinkedIn profile and guess what it says? It says bespoke intelligence. So, custom-made? Is that the point here?
Sean Weppner: Exactly. Everything is tailor made to the client. Especially when it comes to an expensive service they want to know that you’re not going to come back to them and say, “Okay. You need to spend a $100,000 more. $150,000 more.”. We tend to help them work with what they have to be able to continue to solve and avoid future threats as well as tailoring our recommendations in order of really going back to risk. You know, where their business risk lies.
By taking a look at things from those two perspectives, what tools we already have to work with, where the risk lies with regards to business, not necessarily just the network. We can help our clients benefit from a monetary perspective.
John Gilroy: So Chris, my guess is that those suits in Georgetown, those bespoke suits are going to be a lot more expensive than some kind of suit in the suburbs, so do you think these services are more expensive and then how can they garner that extra dollar. That’s how I’m understanding it here.
Chris Davis: I would guess they’re probably more expensive, but the … hopefully you’re bringing great value to customers and actually I’m curious. Who are your customers? Can you provide value at really any industry that approaches you? Or do you really find yourself narrowing on a specific ones?
Sean Weppner: Sure. I mean I would say we most likely could, but our customers are everybody from … in a manufacturing companies to banking and financial institutions to Silicon Valley startups. Really, anybody who has kind of forethought to start investing a little bit more on the upfront and you know sometimes even people who have been hit by issues, they bring us in.
“We help them solve the problem that they have and then they say ‘Well, you know, we’d like to try and avoid this happening in the future.’” - Sean Weppner, CEO & Founder of the Nisos Group
John Gilroy: Well Camron, now you of all people in this room have a good idea of different customers in the federal government. Can we talk about … or can’t talk about. So my question is, if you can answer this is that you can’t very well get an ad in the Washington Post. I mean, advertising and promoting the company is got to be difficult for Sean. Don’t you think so?
Camron: You mean in the federal space?
John Gilroy: Yeah.
Camron: Yeah. I mean the federal government … pretty much announces what it needs. I think that the harder part is probably finding the right contracting input to get into. But I guess my question to you is … having sort of grown-up in the defense space where the regulations are somewhat challenging and often nonsensical and then going out into sort of the non-federal space. Do you find it easier, harder … sort of the transition from federal to private sector?
Sean Weppner: Sure. I would say easier. Again, my previous eight, seven years of experience was on the federal, so working, capture on proposals as well, as delivering technology products and capabilities from a business development capture perspective, it’s … I don’t know if I can say it, but a . . . of a lot easier.
John Gilroy: Whoa, whoa whoa… ((laughter))
Camron: So what about the types of services that you deliver to federal customers versus private sector customers? So you have some insight to the federal process, which I’m sure helps
Sean Weppner: Sure.
Camron: But, that process can be debilitating to the quality of service you can offer, right?
Sean Weppner: Very much so. So, I would say we focus on partnerships, and really try to be a value add and a differentiator for companies that really dig into the federal space. Like you said, you know, it’s a big investment to try and engage in business capture within the federal space. I think, you know, an average … I would have said maybe a year plus … then that’s not even including the shaping for a contract. That’s RFP’d to delivery to capture. And then you’re getting paid net 90 … if you know, if not longer.
You know, so we try to focus on companies that have built a footprint within the federal space for those clients that we do support in the federal space and then in the commercial space, obviously, you know, it can be off of a conversation and then they say, you know, “Send us something over that we can sign and let’s get going.”.
Maura Imparato: And I’m wondering about your budget. These are long timelines. There’s a long RFP process, proposals, and then the payment cycle. Very long. The penetration test cycle I’ve heard is several months often to do your work. How did you get started?
Sean Weppner: Yeah. So I mean … we really focused on supporting the commercial clients, at least in terms of the investment that we make. You know, we re-invest a lot of the profits that we have into the business to continue to build out our footprints. So, when you’re talking about issues with timeline and, you know, we really try to minimize that by focusing on retainers and, you know, especially in the commercial space, it’s not just single gig. You know, we build that out and we, you know, grow that trust and we grow that value propositions so that somebody wants to engage with us on a multi-year, kind of multi-project, two approaches, as opposed to just one-offs.
And beyond that, you know, speaking openly, we’ve had engagements where we’ve been able to take down very large companies in a matter of days. So, it’s really … it all depends.
Maura Imparato: That’s amazing and the retainer model is very effective. I know the lawyers like it. It works.
Sean Weppner: For sure. . . And that would be another … you know, we partner with law firms to support both litigation as well as, you know, instant responses are very sensitive process and, you know, it’s been a good way for us to both gain trust as well as break into multiple streams of business.
John Gilroy: You know Chris, you certainly work for a big organization, Georgetown University. I mean, it’s hard to get them to move and change. I mean, it’s like big elephant trying to move down the road and so just dealing with change in large organizations, that’s tough. I mean, you can understand some of the challenges Sean has then just change and bigness and going through from different bureaucracies. It’s gotta be tough.
Chris Davis: Mm-hmm (affirmative). Yeah and I’m kind of wondering, like how big is your team? It sounds like you’re a pretty nimble operation, but you mention that you’re … it’s not like you’re putting ads out on LinkedIn and Monster dot-com to bring folks in. How big is your team and how are you able to keep up with growth and business?
Sean Weppner: Well … I would say tens of people right now, but we doubled in the past six months, as has our business. You know, I think we’re about to triple this year, if not a little bit more. It’s kind of a leap for our game with pipeline and support and we test people out, prospective new employees by engaging in 10-99s and bringing them in. Helping them feel us out as a company, as a culture and, you know, vice versa, you know, us being able to test and see how they work with our team, and what value proposition they have as an employee.
Chris Davis: And to kind of follow on to that, are you able to leverage any, let’s say technology as a multiplier to help you be more efficient and deal with more business than you couldn’t, than you normally could with a small team?
Sean Weppner: Certainly. We have some proprietary technologies that enable our operators to be able to access securely and in a very controlled fashion. The multiple engagements that we have been operating on and be able to control that so that, you know, somebody comes in as part of the trusted circle, they don’t even have access to everything. So, you know, we’ve built in-house organically as we’ve grown our infrastructure, means of both measuring and controlling as well as allowing them to scale up their operations without having to, you know, SSH over here and over there and just have 15 different, you know, kind of Bloomberg style terminals up, really minimizing the footprint they have to engage in from an action perspective and the less you have to do, the more you’re able to do.
John Gilroy: Camron. There’s no secret that you were director of transformational innovations for the Air Force for a while. And, so how would you evaluate a company like his? And what questions would you ask him if came and knocked on your door?
Camron: When I was with Air Force? . . .
John Gilroy: Yeah.
Camron: Well, when I was with the Air Force, it was probably “What? Are you crazy?” ((laughter)) . . . .Yeah, I know. I think that the … again a company like his has like a, when it comes to dealing with federal customers, because that’s where you came up from. I think that there’s plenty of companies out there who come and try and interface with the federal government and other related agencies that might have very talented staff that don’t necessarily have the wherewithal to really navigate the bureaucracy. So, you know, I think if I were approached. Really honestly, the first question would be are you sure you wouldn’t rather work in a commercial space because it’s way easier to do? But yeah.
John Gilroy: Yeah, you’d think so too. I think the myth of Sisyphus. I mean you’re pushing this big boulder up the hill. I mean, that’s a tough job.
Camron: The question I think is, you know in dealing with cyber … just certainly on your private sector clients that come to you. They’re specifically looking for help or advice and in some regards so you have a little bit of an advantage in that sense. Especially big companies, people don’t necessarily always want to hear or see as things may be. All the things that are going wrong and so what are some of the challenges you’ve had dealing with surprise clients?
Sean Weppner: Sure. I would say the key is to make sure that they’re not surprised, first and foremost. You know, ongoing communication back and forth with whoever the POC (point of contact) is. I think measuring what the dynamic is, in sensing what that is, what you’re going into if you’re working with a new CISO who just inherited network.
You know, he’s got a little bit of a better valid proposition coming in saying “Hey. There’s problems.” because he inherited them. If you’ve got somebody who is in there for a while helping them kind of change the narrative from it’s an issue that related to, you know, whoever that owns that, him or her. And for of a “Hey.” You know, this is justification to get an increase in budget and investment to be able to migrate the network from where it is and there are people who process these technologies from where they are to a place where it really protects our IP and our value as a company.
John Gilroy: Maura, one of my favorite jokes is that the Department of Homeland Security puts the “no” in innovation. ((laughter)) And so, I always thought it was true until I went to an event today sponsored by the Department of Homeland … and they have a whole Silicon Valley innovation program. What about innovation and does Sean represent innovation? Does he represent the old boy network or what do you think is in here?
Maura Imparato: Well I was very fascinated, speaking of innovation that you have in-house technology and I want to know how it grew and who you had on your team and what makes it different from other technologies?
Sean Weppner: Sure. Without getting too much in the weeds, you know, it grew out of necessity, really. You know, both that need for trust of our clients to say “Hey. You’re going to be connecting into our networks, if you’re going to be possibly pulling data to prove that data can be pulled. You know, we want to make sure that this is done safely, securely and in a way that, you know, depends if we’re supporting legal counsel can be considered part of chain of evidence.”
So, really taking all those things into consideration, and again, leveraging the fact that we have these great operators who understand how to best detect flaws within a system. We started to build a kind of an amalgamation of hardware that we … designed proprietarily in terms of the hardware, but loaded proprietary software on, to be able to then create a network that, you know, was a complication of appliances that we could spin up or spin down based on existing … you know, we could have an appliance for, you know, working with Company A and Company B. Another one for Company C and maybe not the other two. But, just really to be able to dynamically stand up tools. Connect those to remote operators. They might generally work from home, and then enable them the ability and access to use those tools on networks that we were then able to VPN into.
Maura Imparato: Sounds innovative.
John Gilroy: He takes the “no” out of innovation. ((laughter)) Chris and then we’ll go to Camron.
Chris Davis: Yeah. Without getting too deep in the weeds, and spilling the secret sauce, are you completely dedicated to just using human resources going forward or do you … what . . .
John Gilroy: Oh. The “AI” question. (Artificial Intelligence)
Chris Davis: Yeah. Exactly. Do you actually see value? Is that on your roadmap?
Sean Weppner: It certainly is. I think, you know, there’s kind of a forking it and boozing on. You know, we came up with a lot of IP around this … just, you know, to share with people to say “Hey.” You know, we’ve helped to build these kind of capabilities. Here’s what we think and … they’re field guided data science was actually really good in that it has got some great visualizations to help understand the progression of, you know, going from being able to ingest data to visualize and understand it. To be able to then, measure it. To be able to then try and, you know, quantify in some statistical anomaly, but format and then, you kind of go down the line to prediction and then prescription. Prescription being you should do this prediction being we think that this is going to happen.
So kind of extrapolating that down to an answer, you know, we’re focusing first on enabling our operator’s engagements and then being able to help them minimize their activities by facilitation. Helping them hone in, you know, I should focus on this computer and not that computer or provide them better lists of passwords to use, or hashes, or, you know, whatever the requirements is of the engagement but really trying to go down and minimize the amount of search they have to do to be able to destroy or access.
John Gilroy: Camron.
Camron: I got two completely unrelated questions. One is sort of built off of the last question. As a company what’s your growth model? Cause it seems like your business model is very manpower intensive.
Sean Weppner: Sure.
Camron: And so, as you experience great success and everybody hears the podcast and decides today we’re going to …(Call up Sean) Because you’re focused on sort of your one level of separation hiring, how do you handle that when you need to scale up when you’re actually successful?
Sean Weppner: Sure. I would say we have pretty big trough of people who are looking to come on. In fact, we’ve been taking our 1099s and converting them to full-times. So, I would say for the next year or two, we’re good. So it’s really trying to build up that portfolio work, but certainly it will be an issue in the future, but hopefully, you know, continue to grow that circle of trust just over time organically, but again, part of this is going to be technology facilitation. I hate to say automation because it’s just an overused word when it comes to machine learning or artificial intelligence. Whatever. But really trying to minimize the amount of grunt work that is necessary to be able to bring value to the client.
John Gilroy: Camron, you have a follow-up question?
Camron: Yeah. A separate question that’s more defense related. One thing that occurred to me when you mentioned the Silicon Valley innovation stuff. I know that the Defense Department’s doing a lot more work trying to engage sort of … I don’t know, the “hacker” community or the programmer community at large so like that hacking for defense and a few other similar programs like that where invite people into come and help identify problems. You guys … do you have any visibility in that participation?
Sean Weppner: Not yet.
Camron: You know, I think everybody’s so … everybody has their heads down as kind of, you know, when you’ve got multiple fires around you. Which one do you choose? It’s not just, you know, I can do this and then do that. It’s just everything is going out.
Sean Weppner: It’s the startup life, you know? So, I think we’ve got too much to be able to think about that but it certainly has been on my radar.
John Gilroy: Great job students and great job Sean. If people are listening and want to have more information on your company, what website should they go to?
Sean Weppner: www.nisosgroup.com .
John Gilroy: And it’s “N” as in Nancy, I … S-O-S. Nisos, right?
Sean Weppner: Correct.
John Gilroy: Well good, good, good. Well we’re running out of time here. I’d like to thank our sponsor, the Radiant Group. If you are interested in getting involved in geo-geospatial projects, contact the Radiant Group.
We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. For more information, go to eastern-foundry.com .
If you would like to participate as a student or a startup, contact me, John Gilroy at theoakmontgroup.com. Thanks for listening to Students Versus Startups Showdown on the Potomac.