The Application Security Podcast

Tony Quadros -- The Life of an AppSec Vendor

Chris Romeo Season 10 Episode 18

Tony Quadros, the AppSec Lumberjack, shares the unique career path that led him to find his passion in Application Security. The discussion delves into the work of an AppSec vendor, with Tony explaining his role and the responsibilities it entails. He emphasizes the importance of understanding the needs and environment of the customer, and whether the product he represents can fulfill their requirements. Tony also shares his philosophy of sales, centered around solving problems and providing business value.

Tony reveals the challenges salespeople face in the cybersecurity industry, particularly the pressure to meet quotas and the need for good company culture. Chris, Robert, and Tony highlight the importance of setting realistic expectations at the executive level to avoid putting undue pressure on customers and prospects.

In addition, the conversation touches on the importance of sales leadership in setting processes and creating a positive company culture. Sales leaders need to educate themselves about their products and market segment. Tony stresses they should provide value to customers through their conversations.

He also talks about becoming involved with OWASP Maine and encourages community involvement for all members of the AppSec community.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chris Romeo:

Tony Quadros, a cybersecurity veteran with over a decade of experience, has specialized in application security, aiding various enterprises including top social media and insurance companies in enhancing their application security programs. His work ensures the daily software we use is as secure as possible. Recently, he's taken a leading role in reviving OWASP Maine, an OWASP chapter dedicated to fostering the software dev and security communities in northern New England. Tony joins us to discuss the life of an AppSec vendor. Tony has worked in security sales for years and has perspectives that you need to understand as a security pro. Vendors and salespeople are people too. And Tony helps us to understand how the best salespeople in security connect with their customers, build relationships, and add value. We hope you enjoy this conversation with Tony Quadros. Hey folks. Welcome to another episode of the Application security podcast. This is Chris Romeo. I am the CEO of Kerr Ventures. I'm also the CEO of a stealth startup, but more to come on that sometime in the future. I'm also joined by my good friend Robert Hurlbut. I would say he is also a threat modeling aficionado. That's the new, I'm trying to, I'm trying to come up with a new tagline for Robert, at least one a month, and right now it's threat modeling aficionado. Robert, how do you react to that? Do you

Robert Hurlbut:

I'll accept it. It sounds great. I like it. Yeah. Robert Hurlbut. I am a principal application security architect at Aquia. And uh, yeah, threat modeling, aficionado, is that, what do I say it right? I think. I think so.

Chris Romeo:

Yeah, good luck trying

Robert Hurlbut:

right.

Chris Romeo:

it. That's gonna be the key. Like, I don't know how to spell aficionado. I could sound it out maybe, but I don't know. So, uh, we're joined for this episode by Tony Quadros, and he apparently goes by the moniker, the AppSec Lumberjack. So we're gonna unpack what that actually means. But Tony, we always like to jump right into people's security origin stories. How'd you get into AppSec, what did your journey look like? And please also tell us how you have become known as the AppSec Lumberjack.

Tony Quadros:

Yeah, that's a recent nickname given to me by my current manager, uh, Randy Fall, who's amazing. Um, yeah, I kind of fell into security. Um, obviously I'm on the vendor side. I'm, I've been in sales now for over 10 years. Um, and I, I was working right outta college. I didn't know what I wanted to do. I, I was a mechanic. I worked on cars. I think I put the wrong oil filter on a car and it blew up. So I, I lost that job, so I was kind of like, ah, you know, had a history degree, which I really enjoyed, but, You know, candidly, I have kind of expensive hobbies, so I didn't think being a school teacher was gonna be the right fit for me. And I think one of my professors was like, yeah, you'd always be really good at sales. Like you, I think you'd be good at sales or personality. So I applied to any sales job I could find, um, that summer after I graduated school and lost my, you know, mechanic job and I started working at a small software company that sold software to rental car companies and car dealerships. And so I did that for like almost three years. This was when SaaS was still new, right? You had to explain what it was. Um, it was a SaaS solution and two gentlemen I worked with there ended up leaving and, and going to Sophos, um, the endpoint security company, which I knew nothing about cybersecurity, but they tried to recruit me over there. I didn't end up taking the gig there, but a manager there I interviewed with named Brett Samuels, a phenomenal guy. Um, he, uh, left a year later and went to a company called Veracode. Um, and I had no idea what it was. He reached out to me and said, Hey, you know, let's have dinner. I really loved you when you interviewed at Sophos. And, uh, it was the right time for me to move on. And, um, so he recruited me over there. And that was the spring of 2014, um, I think February or March. So still winter. And uh, so I started there and yeah, I cut my teeth in cybersecurity. 
I was, you know, three years outta school and I learned everything there was to know about static analysis, dynamic analysis. At the time, I don't think software composition analysis was even a thing yet, or at least coined a term much. Um, and I fell in love with it. Uh, I fell in love with the industry. I fell in love with the problem. I fell in love with working with developers and security people and explaining it. Um, and, you know, I bounced around to learn other areas of security, um, on the sales side, but I, I found my way back to, uh, to AppSec.

Robert Hurlbut:

Very cool. So you mentioned, uh, about sales and, uh, and also AppSec. And so really wanted to explore today if we can, the, this life of an AppSec vendor. And, uh, you know, what is your role, um, as, as that, and then what does the life of an AppSec vendor entail?

Tony Quadros:

And I'm sorry, let me go back and explain the AppSec Lumberjack thing too. I almost forgot about that. So I live in New Hampshire, um, and I have a wood stove to heat my house. Um, which. I really don't need, but I have, and I enjoy, um, you know, I have fires in the winter. It gets really cold here in New Hampshire. So instead of buying wood, I try to source it from areas that, you know, there's trees that need to be repurposed, right. That are cut down or fall down. So I actually cut and split all my own firewood and my current manager made a joke and said I was the AppSec Lumberjack. And that kind of stuck. So that's, that's the origin of that almost.

Robert Hurlbut:

No problem.

Chris Romeo:

I was working on a tagline for that too, Tony. I'm still, it's, I'm still noodling it, but you know, the AppSec Lumberjack taking people, I don't know. I'm taking people out of the knees. I'm, I'm struggling to find like a, a good connection for you there, but yeah. I'm curious to get a little more context on your sales perspective here too.

Tony Quadros:

Sure. Splitting vulnerabilities one at a time.

Chris Romeo:

There you go. I like that. That's good.

Tony Quadros:

So yeah, so sales, you know, it's, it's, hard. This is a hard, it's hard, right? Because. As a salesperson and, and at a vendor you have extreme pressure. Like it, it's, you know, I know CISOs are under a lot of pressure. I get that right. They are, but like when you sit in the seat of a salesperson, you have a quota that you're supposed to hit or you will lose your job. That is the mantra in this, this gig. And it's, it's interesting 'cause like it is outta your control. Like you cannot make anyone buy your product ever. You just can't. Right? It's, it doesn't work that way. So the pressure is tough. It's a mental battle every day. And that pressure candidly comes from the top down, right? So, you know, investors invest a lot in the company and then there's a board made up of those investors and. They have a lot of high expectations that may or may not have been oversold by, say, the founders of a company. Then the founders have a high expectation on their VP of sales or CRO. The CRO then goes down to the, you know, first line managers and then to the reps, and then that boils over. Some reps boil it over to the end users. So when you think about it, you know, everything kind of rolls downhill in terms of expectations and pressure. And as a salesperson, I look at myself as, I'm a catalyst between the customer and the company I'm working for, representing at the time. So I'm trying to balance satisfying my company's requirements and needs, right, for production and for landing new logos and for revenue, but also ensuring, which in my opinion, is more important, the customer's needs and requirements. So that dynamic makes your life as a seller not the easiest. And I think sometimes, um, practitioners and, and security leaders, a lot of 'em understand that and are great. Uh, I know there was a gentleman I saw from, uh, the CISO, I think his name is Brian McGowan from Shark Ninja. I saw him make a post about this, how the vendors are your partners, right? 
They're a part of your team and that's the way I look at how I've always sold is I'm here to help you, right? I'm not here to hurt you or sell you really on anything. What I'm here to do is help you solve problems and I'll be the first to tell you if the product I'm selling is not the right fit to solve that problem. And let's be real, like all these solutions on the market for, for app, let's just say apps, 'cause that's the space we're in. Of course, all of us. All of them are good, all of 'em are bad. It depends what you need. It depends on your environment. It depends on what your objectives are like. You know, Veracode, Checkmarx, GitHub Advanced Security, Snyk, Contrast, you know, WhiteHat, you name it. They all have a lot of customers, so they must be doing something right. Right. So I think when you look at it, my job or as a seller, I think our job is to consult people, to understand what their environment is, understand what their current process is, what are they trying to achieve, and then show them how the product I represent can or cannot fulfill that requirement. So they make the best choice for them at the time. And that is the way I've always done it. Um, and yes, have I sent people to other solutions? Yeah, I have. But long term it, it seems to be the right way to do it. And I think as a seller though, we also have a bad rap, 'cause some sellers look at it as like, well, I don't care. No matter what. I wanna try to sell them on the product I'm selling. Um, which I understand, right? You know, you have a quota to hit, right? Remember like, you have to hit that quota or you might be out of a livelihood. And so that pressure racks up. And with that pressure, some salespeople get desperate or get pushy or get aggressive. Um, and I think it comes with experience to realize that like that short term gain is not the right approach versus the long term gain.

Chris Romeo:

Yeah. And you're on, you're only as good as your last quarter. That, that's part of being in sales. You just, you just have to know it doesn't matter what you did last year, five years ago, nobody cares. It's, it's, what'd you do for me this quarter? How did you line up against your quota? And so I think what, as I was listening to you, Tony, describe kind of your philosophy of, of how you approach sales. I think it's, I think it's really the only way that people should do it is to really think about what does the customer need. And I love the fact that you said sometimes you've sent people, prospects, to other solutions that are gonna better solve their needs. I think that just, it speaks to the relational nature of how sales works today. But also to just the overall honesty of you saying, Hey, my, my solution's really not the best one for you. Lemme give you an example from the real world, 'cause this just happened to me in the past week and I, I'll tell you, this was a golden salesperson and has nothing to do with tech. So I had a, uh, a piece of property. I, I had a, an insect spraying company come and they were gonna gimme an estimate on, on doing some, some spraying for insects. And the guy gets there and he walks around for a couple of minutes and then he comes back over and he said, okay, listen. He said I could take your money, but I'm not going to. He said, my what? The solution that I have. It's just, it's it, you're, you're not gonna be happy with it. Because of there were some other, uh, extenuating factors about the property like that was gonna make the solution not work. And he goes, I could take your money, but I won't do it because one, it won't, I can't sleep. I won't be able to sleep at night, 'cause I know you're not gonna get the best overall solution here. And you know what, you know how many people I've told. I'm telling now everybody that listens to our podcast, like I've told this story five times in the last week. 
This, this company really made an impact on me that they had that, that this is a salesperson that was operating with integrity, operating with honesty, and he was just looking for my best. He, he wanted my best interest to be served. Sales seems like it should be such a complicated thing, and there's so many people that are, especially when you start thinking about across the realms of security and engineering. Oh, I'm not in sales. Oh, I could never, I couldn't do that. But it really just comes down to as simple as what I just described. Being honest with people, operating with integrity and, and, and solving the customer's needs, putting their, their, their need first in front of you. So, um, so Tony, I mean, we all know there's, there's lots of posts that go across LinkedIn about all the dumb things that salespeople do, and people in security get all riled. Some people get riled up about it, and I can't believe these people reached out to me in this way and whatever. And so, in general, if you ask the average AppSec person, what's your opinion of sales? They're gonna have, give them a couple options. Positive, neutral, negative. I think most people are gonna say negative.

Tony Quadros:

Sure.

Chris Romeo:

So in, in what you've seen, in your experience, what are salespeople doing wrong? Like why are they, what are they doing that's ticking security people off?

Tony Quadros:

Yeah, that's a good question. I, yeah, I think it comes with like experience, right? So like a lot of these companies, the playbook has been hire relatively young. Um, inexpensive resources to do the initial outreach, the cold outreach to these folks to try to get meetings for the more experienced reps, right? Or more experienced sellers. So those, they call business development reps, right? So they're like setting appointments or meetings and I think those folks, are inexperienced, so they don't understand, right, like the impacts of their actions. Um, and so I think that that formula that a lot of companies traditionally have taken, which that's starting to change with product-led growth strategy, right? You'll get like a Snyk, super successful PLG. Um, you know, other companies are, are taking the PLG motion, which is like opposite of that, but that traditional approach I think has pissed a lot of people off because you get a lot of emails from a lot of people who don't know anything about, you know, in this case, AppSec or whatever they're selling 'cause they're young, right? It's not their fault. Like they're right outta college. They're, they're learning and they learn with every conversation they have with a customer or they, they should be. Um, but I think that's a, a thing. And I think, I think when you meet a rep who in the end it comes down to one thing, do they wanna help you or do they wanna sell you, right? Like, it's all about wanting to help. And I think when you meet a rep, it's clear as day when you meet a rep who really is just trying to like, make money off you or sell you that rubs people the wrong way. Just had lunch yesterday with an AppSec manager up here in Maine and you know, they're moving away from an AppSec solution and moving on to another one. And I think one of their divisions had a separate license of the product and, and he was trying to leverage the story he told me was that rep was trying to leverage basically that subsidiary. 
Like, Hey, if you don't renew the main contract, we're gonna up your other contract. There's no need for that. There's no need for that. But again, he's under a lot of pressure, right? So like, you know, I, I blame him, but I also understand where some of these reps come from is like, they gotta feed their kids too, right? So I think it's an industry problem. It's a vendor problem. Um, and I think the vendors that understand, the leadership at vendors that understand the right way to take it, it takes longer to sell some of these deals. It takes longer to produce the results and maybe the results won't be as high short term. The long term is better. So yeah, I think that's, um, that's what I'm seeing I think in the space. Um, and just some reps who just candidly don't care, they don't have a lot of passion for the space, and I think it shows.

Robert Hurlbut:

And so talking some more about sales, um, and in particular for application security as a vendor, what are some of the most significant challenges that you faced, and then how did you overcome them?

Tony Quadros:

Yeah, I think, um, education, it's amazing. So just, I'll just speak in my current role, right?'cause that's the most relevant experience right now. Um, you know, I work for Contrast Security. You know, the, the qua, you know, founders of IAST and RASP technology. I think, um, for me right now, my biggest problem is like just educating people. Like I, you know, people, you know, have heard of IAST, but then when you really start talking to'em, and I'm talking, AppSec managers have been in the industry a long time. They just really don't understand how it works. And you know, as a seller, they inherently aren't trusting you right from the get go. Right? Like you, when you meet a salesperson, the first thing you're like in your mind is like, I don't trust this person. Right? So establishing trust, especially on a technology that isn't adopted, you know, as well as a static and dynamic that is like really hard and takes a really long time and takes doing things unconventional to what typical sellers will do. Um, so I'd say that's probably my biggest challenge is building trust and educating people on technology that the, the industry has kind of, I don't wanna say poo-pooed, but they, they didn't, you know, the other vendors didn't really push and and the analysts haven't really pushed.

Chris Romeo:

Uh, let's, uh, unpack this idea of building trust a little bit more because I'm curious to, to get your take on how, how, what do you do to build trust and, yeah, just let's just leave it there. What, how, how do you, what do you do? What are you, what are your methodologies for building trust?

Tony Quadros:

Yeah. Again, it always comes back to one thing trying to help, right? Like, so one thing I've done to try to break the the trust wall down, right, is the way I look at it is, Um, if I see someone's hiring for a security role or AppSec role in, in, you know, a CISO that I'm, I'm starting to work with, I'll try to help them find a good candidate. I'm in a unique position as a seller, right? So I talk to a lot of different AppSec teams. I'm have relationships with a lot of AppSec teams. I have a really good kind of, you know, network of talent. That is beneficial for other companies. So, and sometimes those folks are looking for new roles. So what I'll do is I'll make referrals and, and help recruit in a way, um, you know, without being like, Hey, I'm a recruiter now, you know, I'm gonna charge you 10% of the cost, right? Like, like I recruiting agency. Um, that was one thing I started doing and, and I think as well received by CISOs, you know, without ever even trying to sell'em on my product, I'll, I'll try to help'em fill roles. Um, I think just being involved in the community any way you can. Um, I kind of fell into running OWASP Maine or help running OWASP, Maine, but when I thought about it, I was like, this is going to be good for me to help build trust. And honestly, I'm having a lot of fun doing it. Like it's rewarding for me. Right. Um, so just being involved and like, you don't have to run an an OWASP chapter to, to help. You can sponsor one. You can. Help share their posts of their meetups. Like there's so many things, little things you can do as a seller to, to be a part of the community. Um, so I think those are, those are big things that I've tried to do. Um, and then like individual customers, it's just, do what you say you're gonna do. Like, it is so rare these days, but, and it shouldn't be, but it's like you tell someone, Hey, we're gonna help you get, you know, this integrated or we're gonna help you. Add this feature, like follow through. 
And if you have to get your team to do that, make sure your team follows through, right, that the company you work for and just always do what you say and say what you do. Um, and long term customers will remember that and realize like, you're a really good person to work with and you're a partner, not a seller.

Chris Romeo:

Yeah, I think with sales in general, but specifically the technical discipline, the relational nature of it is so important. So the relationships and, and being part of the community is a big, big, uh, advantage for you as well. And being part of the community doesn't mean just sitting on the sidelines and being a consumer. It means looking for ways you can jump in. Um, I mean, I just speaking of what, what you guys are doing at Contrast, like we did an interview with Steve Wilson who's created, I'm gonna, I'm gonna go, I'm gonna call it the fastest top 10 that's ever come together in the history of OWASP, 'cause he's done it in like four months or so. We did an interview with him when he was just kicking it off because it was just interesting. It's done. The 1.0 version released this morning. I saw it pop across LinkedIn. So, uh, but that's an example where Steve was more of a product manager product. He has more of a product background, but he saw a need, he jumped in and filled it. And he's, he's a part of the community now. If he wasn't before, he may have been before. If not, he is now you're the, the project lead of a, of the fastest ever top 10 project in an area with large language models that is so hot right now. And everybody's trying to figure out, like that's part of building a relationship with the community. And that's how you build that trust. And that's how, that's how sales folks should see the, the, the, the community. You should try to be doing those things because that's, it's, it's you, you're almost giving things back. You're giving things away to, just to make the community better. And that's really what we want, is we just want a community of people, uh, that are doing it, do, doing that type of thing, that are just willing to give back. That's, that's powerful for all of us.

Tony Quadros:

Yeah, yeah, every day. And I was just about to do it before I jumped on. Um, I, I manage the OWASP Maine LinkedIn page. And every day I started doing this, I thought it was just a good idea and I've been sticking to it, is I'll post a new AppSec or software development open role I find on the OWASP Maine page. I call it the opportunity of the day.

Chris Romeo:

Okay.

Tony Quadros:

And just 'cause like there's a lot of folks up here in Northern New England that don't realize like, yeah, they could work for Facebook, right? You can work remote, right? You could work for Tinder. And so I, I do that again, it's a little thing, but you know, to me it, it's helped, it makes me feel good when I've had multiple people message me like, Hey, thanks so much. I'm gonna apply. Can you introduce me and I'll make an introduction. Um, so I think that's, um, you know, those are things that they're little but they go a long way, 'cause it means you really care and, and want to help. Um, I was gonna say something else, and I can't remember now, but yeah, I think those, the, that's, that's kind of really the, the key to it and oh, you know, not to give away too many secrets and not have salespeople flood it, but, um, like I'm active on the OWASP Slack globally, right? Like, but you gotta do it the right way. You can't go on there and just like, Hey, here's Contrast, like views I ask you. Like, but if someone has a question on it, like I'll help 'em, right? I'm like, Hey, here's how it works. Or, I know something about Veracode 'cause I've worked there for a long time. Or an integration here or there, or you know, I'll someone, I'll, I'll monitor some of the channels and I'll answer questions and it's, it's about the mantra of trying to help, right? And not trying to sell, but trying to help. And then the selling's actually easy when, when it all comes together, 'cause you know, people will wanna buy what you're selling if you're helping. So,

Chris Romeo:

Yeah, I think that's a, I, I'll second your warning to these salespeople: do not go onto the OWASP Slack and go to the general main channel, the OWASP community channel, and say, Here's my fa my product that you should sign up for a demo, because people will, the flame will flame on is what they used to say kind of in the, in the olden days of, uh, you know, when before trolls and everything on the internet, but when people would just start piling on like, so yeah. I mean, but once again, be part of the community, be part of, give back. If you give back, it will come back around in, in the, in the security community. I've seen it happen so many times.

Tony Quadros:

It's a delicate balance though. Real quick, just one more comment on that. Like and candidly though, the practitioners and security leaders. I think they need to be a little bit more open to working with, with salespeople that wanna help. Right? Because I'll give you an example on the OWASP Slack. Um, I think I shared like a community edition of our, of the IAST tool, right? I was like, listen, this is not a, like you don't have to buy this. This isn't a selling thing. But if someone wants to try IAST, here's a community edition we offer. Have fun, right? Like that was kind of the thing. There was a project leader of a very well-known OWASP tool that I don't think took a liking to that, and he was pretty upset about it. I'm like, listen, it's fine. Like, what do you want me to do? Like, I won't, I deleted the post, uh, or the, the, you know, the slack comment. And, um, a bunch of people chimed in and, and I think they settled on, the community settled on, Hey, let's make a new channel for like community editions. So I went out and I created the channel and I opened it up, and now other people can post community edition tools. So, you know, I, I would like to see more practitioners, more security leaders, not just inherently hate salespeople right away, because a lot of us like it's, we're trying to help you and you gotta remember, we are trying to do our job too, right? And we have a lot of pressure coming down on us. So, You know, we're not, um, just machines and robots, you know, and, and you know, sometimes I feel like we're the punching dummies for a lot of these teams, um, when they're frustrated. Um, and sometimes well deserved, right? But, um, but overall it's like I'm trying to help you. Like, let me help you like, you know, and if you don't want the help, that's fine, but like, try and help. That's all.

Chris Romeo:

Yeah. So let's, let's build a framework now as a vendor. How do you build trust and establish strong relationships with your clients? Like what, what's some actionable things? I think we mentioned a couple of them, but like, I want, I want like is there a framework We talked about, you know, being relational, building community, sending, you know, using social media and whatnot, using Slack. Um, Is there anything else that we, are there any other best practices that, that a salesperson listening to this, like, let's, let's, let's, lemme do this, I'm gonna, after all that long intro, I'm gonna turn, uh, turn around the corner. Let's start with kind of the, the, uh, world of BDRs or SDRs, business development representatives, sales representatives. From your perspective, Tony, like what, what could they do outside of product-led growth to Not just appear to be randomly looking up people on LinkedIn and, and sending them 27 messages over. You know, we all, anybody that knows how, um, You know, sales, marketing, tech stacks work. You know, you've got all these programs that tell you you need to send this message on day one, this message on day four and all that type of stuff. Um, but what, what could the, what can SDRs and BDRs do to be better in, to just to be, to be to, to not be hated by people that feel like they're being spammed by them.

Tony Quadros:

Yeah, I think you gotta think outside the box, right? Like, I'm a true believer. I'm a, I'm a big into car racing, right? Is big. My big hobby. And like if you wanna be faster than everybody else, you have to do something different. You can't do the same thing the other fast guys are doing 'cause you just only will be as fast as them at best. So I always look at it as like, you wanna think creatively right about it and like try to put yourself in the customer's shoes. Um, I don't really like a lot of those tools to be honest with you. I I think they're tools for like, to just sell to salespeople 'cause they think it'll make their job easier. I've, I've kind of abandoned using them as much as I, I used to. Um, I think, but the number one thing as a BDR, like, educate yourself on what you're selling and the space you're in, right? Like, so when you do end up getting someone on the phone, you do talk to someone at a conference, like you can give value in a conversation, right? The worst thing is like when you get on the phone with one of these like BDRs, you like, you can clearly tell they have no clue like anything about the space. I'm not saying they need to become, you know, like you Chris and you Rob, like, you know, AppSec experts, but know what SAST and DAST stand for. Know what RASP and IAST are, you know, know what threat modeling is. Know that there's security champions programs. Like do a lot of research, right? Like it's public knowledge. Like I can look up on LinkedIn. How many developers work at your company? Me. Why not? I'll look that up and I'll know, Hey, you have approximately two or 300 developers. You know, I saw you guys are, you know, from job descriptions, you're using static and dynamic. Like, tell me more about that. So like, those are all things I think if you can like be more educated and have a stronger conversation, I think customers will appreciate that and have more value. 
And then I think it's all about like, when you first meet with a customer, it's about them. It's not about you. That like when I learned that in selling, it really started like clicking. So I'll give you an example. When I have a first meeting selling Contrast or any solution I've ever sold, I don't even show our website. I show the customer's website when they come into the Zoom, it's a subconscious thing, but I want them to understand like, this meeting's about you. This isn't about me. And so like typically a first meeting, I don't even show any product I'm selling. It's all a conversation to learn about their current tech stack, their current process, their environment for application development, their, their, their environment and process for securing those applications and where, where are they trying to improve? And then it's like, great, we can potentially help you or we can't, and then let's schedule a deeper dive. But yeah, I think as a, as a BDR or even an AE always think like it's about the customer. It's not about you. And if you have that mindset in everything you do, I think you'll do a lot better.

Chris Romeo:

Yeah. Any, uh, any other thoughts on the AE side as we think about, um, you know, we talked a, we, we talked, I feel like we talked most of our time about kind of specifically AEs and relationships and community building and that type of stuff. But, but anything else you can think of from, from, if we're, if we're attaching a framework to this, something actionable that an AE that hears about this could potentially do that we haven't talked about already?

Tony Quadros:

Um, nothing comes to mind. Um, you know, I think have a, have a really good process, right? Like explain to the customer like, Hey, this is typically the next step. Don't force 'em down that next step. Like that's the worst thing you can do. But like, explain to 'em like, typically our customers will go from, you know, this first meeting to an overview to then a POC if it's the right fit. Um, I think kind of have that defined, I think sales leaders need to have that defined for their sellers for the product they sell. Right? So like your CEO or CRO of a security vendor. Like don't leave it up to each sales rep to just figure it out, right? Because they're gonna spend six months figuring it out. Right? And those six months could be, you know, six months of not, you know, executing well. So yeah, try to have a really good, tight sales process that you can explain to customers. This is the typical process, but don't ever force it on them. Right. Explain it. If there is a need and you can prove that need, do it. And then I think the other thing that, especially in, in this economic climate, you really need to explain how your product will, will provide business value, right? So how will it make us more secure? How can you prove that? How will it save us time and money over the process we have today? And if you can't explain that, it's gonna be really hard. 'Cause this is like I equate the cybersecurity vendor landscape to the Gold Rush, 1849, right? Everyone is now starting a cybersecurity company trying to get a piece of gold of the industry, right? So there's so much more noise than there was even 5, 6, 7 years ago when I started in the space. And like you really need to be able to explain the value to set yourself apart. If not, you're just gonna be another vendor and another sales rep that they talked to.

Chris Romeo:

Yeah. What about sales leadership? Like you mentioned them here in regards to the process, kind of setting the process, but what else can a CRO or a VP of sales. Do to what, what are their best practices outside of just telling their people to do what we, what we've already described here? Is there, is there something they can be doing more strategically to approach the industry and to approach the community?

Tony Quadros:

Yeah, I think, I think company culture internally, it should be a big top, top of list item for like a CRO and a CEO of a security vendor because like you could be the best salesperson in the world if like the company is, has issues, it's gonna be hard to sell. Right. And that will be negatively reflected on the, like, the customers will get a negative perception too. Like candidly, sometimes I, I pers like, I look at my job, I'm kind of like a jockey. You gotta pick a damn good horse to get on if you wanna win. Like, you can't just get on a bad horse and, and win the race, right? So I think as a CRO or like a VP of sales or even a CEO of like a tech startup, like I'd really focus on like, how is our company culture? Like, do our people not like salespeople? Do our people not like, think our salespeople are bad? I've worked at companies where like the culture was like, the sales team is the reason why we're not successful. And so when you have that culture and, and it's usually subconscious, right? It's not like they're coming out and saying that, but you can get that sense of the culture of like, Hey, our tech's so great, like, it's 'cause we have bad salespeople. And then they go through three or four sales teams over the course of six, seven years and like, well, okay, well what's the problem? Like there's other parts of this company, like everyone in the end is a salesperson at a vendor, right? 'Cause you're selling products. You need like your processes in place to be streamlined, to be efficient if you want your salespeople to be efficient and successful, like, and really you need a culture of, hey, everyone's in this together to help the customer. And the salesperson is typically just the tip of that spear. So we need to help that salesperson too.

Chris Romeo:

Yeah. And your, your explanation or your use of the, kind of the, the terms about culture just has made me remember a couple of things. Like, you know, in, in, in my previous startup I was very careful to brief, as the CEO, brief all of my new salespeople and my new SDRs, BDRs about the perception in the industry of, of salespeople and what, and, and I shared different experiences. Like I would paste things that people sent me on LinkedIn messages, I'd paste 'em into a channel and say, here, and I give them some analysis. I say, here's why we don't do this. Read the message that they sent me and here's my, here's what's going on in my head because I'm a security practitioner first. Before I was ever a startup CEO and I think that way, like a lot of, a lot of the customers that we're trying to reach. And so I, I was able to build a culture of not being those type of salespeople because I told my sales teams, I'm like, I'm not gonna, I won't, I won't accept anybody saying that we are like all the other salespeople that are out there or that they're used to, and we were able to build a very relational sales team, very community oriented sales team who our customers felt like we were in it for them. We're here for you. You tell us what you need. And sometimes we weren't the right solution, to your earlier point, and we were able to say, we're not the right, we're not the right person. We're not the right company to help you. Our product's not what you need. You need something else, more compliance oriented or whatever. So, um, yeah, so that's, that's all good stuff then. I'm glad you, I'm glad you, you shared that perspective because often in these conversations, nobody ever goes to the CRO, VPS, VP sales, level to think about it. They kind of say, well, these SDRs are just, you know, just communicating with us. And that's what's so wrong. But once again, if you set a culture at the executive level, CEO, CRO, VP sales that says, we don't do that. 
We don't do those things that annoy security people. We do the things that Tony's been talking about here about process and, and communication and, and solving the people's problems. So I think that's, that's really powerful. So,

Tony Quadros:

I think it needs to go higher. I think you go to the board. I think investors need to understand that. I think that's candidly where the biggest issues are, is like it all stems from the expectations you set to try to produce. Don't, don't set expectations for your company, the company, that are unrealistic. Like that, that's, that's where it starts, right? Because then all that just, 'cause like we talked about the beginning, all just kind of, kind of comes downhill and then in the end you get, you know, the pressure now goes onto your customers and your prospects to buy.

Chris Romeo:

So often in startups, those numbers are hard and fast, and you feel like there is only the one number, and that's everybody's expectations. And one of the things I learned in my travels at Cisco, Cisco had this idea of stretch goals all the time. You could not have a goal without a stretch goal, so the goal is what you thought you could really do. Not completely comfortably, but pretty comfortably. And the stretch goal was always about, okay, where could you really go? What's your biggest dream that you think you could do? And people never landed. When you always, when you had stretch goals, people didn't land at the, at the minimum line. They didn't always hit the stretch goal. Often they fell somewhere between, but they were above where they thought they could get to and, and that mentality. But you didn't feel like you were gonna lose your job if you didn't hit the stretch goal. So what that did is it was a positive motivator for any employee to say, okay, we have a big goal we're going after. And we're gonna do everything we can to hit it 'cause we wanna be able to say we hit our stretch. But we also knew I wasn't gonna be in the unemployment line if I didn't. So I didn't have that negative pressure hitting me. The, you know, the carrot and the stick. It was all carrot. There was no stick that was gonna be smacking me in the back of the head. Right?

Tony Quadros:

That's a great strategy. For sure. I recommend a lot more security vendors do that, and you're back to your point of showing your BDRs the right way to do it. Just have them follow Chris Roberts on LinkedIn and they'll probably.

Chris Romeo:

He's very, very good at, at providing insight to,

Tony Quadros:

Yes. Pretty direct insight.

Chris Romeo:

Direct. But I mean, that's what you need though. Like, I mean, if I'm, if I'm in the role of SDR, I wanna be the best SDR in the world. And you, you become the best SDR in the world by learning from other people's mistakes and not doing what other people do. And that, to your point, Chris Roberts is a great person to give you that insight.

Tony Quadros:

He's a great guy. I, I love Chris.

Chris Romeo:

Yeah. Um, Robert, why don't you take us through the lightning round and we gotta the lightning round. We gotta be pretty quick, so we're gonna put Tony on the spot. I wish we had some type of clock sound effect, but we're not that, we're not that, you know, we don't have that all together. But Robert, take us through this lightning round segment and then we'll wrap it up with a call to action.

Robert Hurlbut:

Sure. First question, what is your most controversial take on application security?

Tony Quadros:

I think static analysis is not going to be responsible, and I think it already is not responsible for by security. I think you're gonna, and I, I think you're gonna see the whole industry take a 180 from shift left to going back to security AppSec teams focusing on testing the application in its complete form and, and runtime analysis and going even more earlier to educating developers, threat modeling, secure design. So I think you're gonna see that shift left, just actually not be responsible by security at all going forward.

Robert Hurlbut:

What would it say if you could put a single message on a billboard ad inside of the RSA or Black Hat Conference?

Tony Quadros:

I dunno. That's a good question. Um, uh, I don't know. AppSec Lumberjack. I have no idea. Um, I asked the school, yeah, I asked the cool, like, actually learn about it. I don't know. I, I didn't know

Robert Hurlbut:

by AppSec Lumberjack, uh, most recommended book about security.

Tony Quadros:

Um, I just picked up this one from, uh, Derek Fisher. He's the head of AppSec

Chris Romeo:

Previous. Yeah, he, uh, previously on the podcast here as a

Tony Quadros:

Yeah. I like this one. Again, I've been in the industry a long time. A lot of stuff I kind of already knew, but I picked up a lot of new things. But like, there's a lot of companies out there just trying to figure out AppSec for the first time like this. This is like a, a gospel. And then I think The Phoenix Project was really good for me to, to learn about like what's it like to be a developer and, and things like that. So I think those were, uh, those are the two books I'd recommend. And I think the one thing that we skipped was the, the memorable experience, um, you know, working with a customer. And I just wanna share one story 'cause it, it relates to the one we talked about earlier. This was when I was at Veracode. Um, I had a, a customer reach out, an inbound kinda lead. This was a very well-known website, um, and a gentleman named Chris, um, awesome guy who's now at many different AppSec, uh, AppSec roles. And, um, it was a Ruby on Rails application at the time. Veracode didn't support, right, he didn't support that version of Rails and Checkmarx had just come out. And Bob Brennan and Chris myself are probably gonna like roll their eyes when they hear this story, but I actually sent him the link to Checkmarx's website and their phone number 'cause they had support for that version of Rails. And he, they bought Checkmarx. And then a year later that gentleman randomly called my cell phone and was like, Hey listen, we didn't really like the integration with Jira and I saw you guys support now that version of Rails. And all I had to do was send him a quote and they, and he went forward with us. So that's just kind of the mantra, right? Like, and it, it really does pay dividends, um, long term.

Chris Romeo:

Very cool. Very cool. Well, let's, uh, why don't we conclude our conversation there. Tony, I wanna thank you for providing this perspective. I think this is valuable for security people, for AppSec people, but security people in general need to, to, to see a little bit about how things work on the other side of the table. And we talk about empathy all the time. That's something that Robert and I have been talking about for the last couple of years, and we've been talking primarily about empathy between development and security. But I'm realizing now as I'm listening to you in this conversation, there's some empathy required between salespeople outside the company and the security teams that are working inside the company. And it goes, it's both directions because you were describing solving people's problems and doing these types of things, which is showing empathy towards them. You know, you're putting yourself in their shoes, you know? Tell me about your tech stacks and tell me about the challenges that you have there. And you're almost helping to understand better, which is then preparing you for, you know, being able to help them find a solution. But I think there's some empathy that could go the other way as well. Like, I think security people should be, there's no reason to be nasty to anybody on earth. That's, I, that's what I believe. I mean, I don't, there's a lot of people that ping me that I just don't respond to. But I'm not, I'm not gonna be nasty about it. I'm not gonna be, and, and I don't, maybe I don't agree with the philosophy that they're using. I'm not gonna go call 'em mean names and stuff like that, or, you know, but, um, because, but I think we, there, there's an opportunity for all of us to have for, for empathy both directions. I think that's, that's a big part of what we can do.

Tony Quadros:

For sure. And I think the, the key is like, I'm trying to help them to under, help them understand their own problems, right? Like, sometimes when they say it out loud, like, wait a minute. Yeah, the way we do this today really isn't that great or efficient. So yeah, I think as, just to speak to all the practitioners and leaders out there, like, you know, salespeople are trying to help you, right? And, um, there's nothing that makes me more happy than when I see someone buy a product that I sold them that we knew was the right fit together through evaluation. And then they get it integrated, they get it automated, and they see tremendous value from it. That's what gets me going, right? That's what keeps me going. It's not the money, it's not the prestige, it's the, I really helped somebody, right, in their program. And I think there's a lot of salespeople out there like that. There's a lot of bad salespeople too. But um, you know, hopefully customers realize that we're here to help.

Chris Romeo:

Very cool. Thanks Tony for sharing these insights and uh, we'll definitely follow up in the future with another conversation on this topic because I have a feeling there's more that we can unpack as we start to dive deeper into it. So once again, thanks for sharing your insights.

Tony Quadros:

Thanks for having me on guys. I really appreciate it.
