Simply Solving Cyber

Simply Solving Cyber - Jeff Ton

Jeff Ton, Aaron Pritz, Cody Rivers Season 2 Episode 1

Cody Rivers and Aaron Pritz reboot Simply Solving Cyber for season 2. 

Jeff Ton returns to the show to talk about the Indy CIO Network and it's expansion to the Indiana CIO Network through acquisition by TechPoint.

Cody, Aaron, and Jeff explore important topics of change management, digital transformation, and how cybersecurity connects throughout.  Jeff also gives some great tips on building soft skills for leaders, which is a person passion of his and foundational to the focus of the Indiana CIO Network.

Jeff Ton:

leadership skills that got many of us to positions of leadership, especially in technology are not the skills that our businesses need today, nor will demand in the future

Aaron:

Welcome to Simply Solving Cyber. I am Aaron Pritz.

Cody:

And I'm Cody Rivers.

Aaron:

And we are here again for season two with Jeff Ton. He is a Indianapolis icon, I would say, and the CIO community

Cody:

icon.

Aaron:

He's a former cio, Head of this Indy CIO network and we want to talk a little bit about your tech point, merger slash acquisition. Yep. And then, uh, also, uh, I guess president, CEO and Grand Pumba Ton Enterprises, a strategic IT advisory

Jeff Ton:

My, my cat would say that she's in charge, but

Aaron:

Very nice. Awesome. So, uh, Jeff, we've caught up before and, uh, for our recurring listeners, they've heard a little bit of your story, but maybe fast forwarding from some of your background and as a CIO of Goodwill and, uh, a long IT. Background. Talk to us about what you're doing now, the CIO network and kind of where that's transit.

Jeff Ton:

Yeah, well, uh, so I've been in it for 40 years here around central Indiana. Seems like that's a long, long time and it is. But one of the things that I did about three or four years ago was I stepped away from the corporate world, um, and founded Ton Enterprises. Again, I was really creative with the name.

Aaron:

You're living large.

Jeff Ton:

Yeah. Yeah. very large. Very heavy. Very heavy. Um, but what I really wanted to dedicate this part of my career to is something I call changing the face of IT. Mm-hmm. Uh, and that means a lot of things. Um, but basically the leadership skills that got many of us to positions of leadership, especially in technology are not the skills that our businesses need today, nor will demand in the future Mm-hmm. So all those things that we used to call soft skills Yep. Are really essential skills. Collaboration, communication, design thinking, some of those things that we just didn't focus on as IT leaders. We got to where we were because we were good technologists.

Aaron:

Yeah.

Jeff Ton:

The other thing that I wrap into changing the face of IT, uh, is diversity and inclusion as you all know, the numbers in the technology field is horrible. Right. Um, and so trying to drive that change within the industry as well.

Aaron:

Awesome. Well, talk to us about the origin of the CIO network and then kind of where the tech point Evolution has taken you. Yeah, absolutely. So the Indy CIO network, which is now the Indiana CIO network, really started as five CIOs got together for lunch 13 years ago, and we had a great conversation and somebody said, well, we should do this again next month. So I raised my hand and said, well, I'll set it up. And so I've been doing that for 13 years now. uh, what started as those five CIOs getting together though has grown into a, a network of 250 plus central Indiana CIOs in IT leaders. They get together, uh, sometimes a couple of times a month and, and some transplants that have moved on. I, I know some have dialed in from California.

Jeff Ton:

Exactly, yeah. They, they don't wanna leave us. Right, right. They, they relocate and, uh, uh, I always ask'em, do you still want to be on the mailing list? And they're like, oh God. Yeah. We wanna stay in touch. the group has really evolved into a community like that word. I saw that in a LinkedIn post, uh, uh, last week about, don't call it your network, call it your community. And I really like the sound of that. Yep. Um, so, we've been going along for 12 or 13 years and being very successful, but was really looking for a way to make it, uh, to, to have a, a bigger impact. Right? Uh, at the same time, TechPoint, who many of your listeners know, is a nonprofit here in, in Indiana focused on promoting the tech sector within, within the state and driving employment in the tech sector. they were pivoting a little bit from more from tech product and service companies to tech enabled. So corporate it, which is where the sweet spot of the ND C network was, is that corporate it, uh, cio at the same time. I'm hitting that stage in my career where it's time to start thinking. Who's gonna take this over? Uh, when, uh, when, you know, I hang up the sneakers ahead of that. I've heard with ceo, CEOs and leaders, it's the give back, the philanthropic Yeah. Portion of your career. That's right. Uh, a dear friend of mine calls it the back nine of your career. I go, gee, thanks. Yeah, Um, but seriously, I was looking for how does it continue? Yeah. Right. How does it get bigger? How does it get. how does it continue? So I was having these informal conversations with a couple of folks at TechPoint and they were like, well, we've been wanting to start networking groups in other communities in the state. Why don't we get together and do this? So, uh, long story short, we, we talked over, uh, October and November and signed a letter of intent and they acquired the, the CIO network, uh, as of January. Rebranded it, the Indiana CIO Network, and we've got some great plans that you'll start to see over the course of the next several months of doing just that. Growing it beyond central Indiana. Yep. Through a variety of means. If a city has a CIO group already, maybe we just partner with them, pick'em up. If they don't have. then maybe we start one. So that's the idea is to grow that the, the Tech point partnership also provides, I think, better access to, uh, facilitators and speakers that can come in and really work with this group. And so the content will improve as well.

Aaron:

So within that network, what are some of the topics that are bubbling into the top of your list?

Jeff Ton:

Oh, man. The, the, so we do a survey every year. Mm-hmm. about, Hey, what do you, what do you all wanna talk about next year? Um, and, uh, the, the, the top three, I, I found these really interesting because typically when you survey this group, the number one and number two are cybersecurity and attracting and retaining talent. Mm-hmm. those for years. Right. Those have been number. Not this year. Number one was creating change in our organization or driving change in our organization. Number two was digital transformation, whatever that means. we'll talk about that later. Yeah. Uh, and number three was cybersecurity, which as you guys know, is a broad topic. Yep. And

Aaron:

really spans all three of those

Jeff Ton:

topics. That's, well, they, they, all three are kind of related, right. Because, uh, to do digital transformation, you, you must drive change. and what change are you trying to drive if it's not digital transformation in cybersecurity, right?

Cody:

Well, speaking enough too. So in your background, you know, as a cio, when did you see cyber start rising on that list of priorities in compared to then to, to now

Jeff Ton:

probably a lot later than I should have. I was thinking about that as we were preparing for this conversation and thinking, so my, my first CIO gig was with, uh, lot property group, uh, commercial real estate developer. Great organization, and I can't remember having that many conversations about cybersecurity at the. I'm sure we did, but it wasn't like bam, right there at the top. Right? Were

Aaron:

attackers not after punch cards.

Jeff Ton:

It was not that far back. Come on, come on, come on. We'd graduated to to paper tape by then. All right. Right. So, um, no, this was, uh, 2004. So, you know, it was internet, but it was early days of, of internet. Sure. Uh, and a lot of businesses weren't that connected yet to the internet. You had your, you had your wide area network to connect your own, uh, organization together, but you, you really weren't doing that much, uh, on the internet itself. Right. Uh, email maybe. Right. But you, that was all. So we did a strategic plan back then, and I'm trying to remember, I'm sure there was a security project or or two in there. Uh, but again, it wasn't like it is today that is so front and center that, as I was mentioning the surveys, cyber is usually the top one or two items, uh, in there that are on the minds of the cio. It's what keeps you up at night. Yeah. Uh, as an IT leader, is that breach because at the end of the day, If you get breached, it's the CIO that loses their job.

Aaron:

Well, and I, I think on, on that piece, part of that is whereas cybersecurity owned and, and a lot of times it's owned by it or that's the default. Right. But a lot of times, like protecting information has broader ownership. So I think, yeah. Maybe your first topic being change management and transformational change, I think. IT community has missed the influence piece of cybersecurity and even broader IT initiatives. Yeah, yeah. Whatever. Some of the stories that you have are the inquiries that are coming into your group on things that need to be different as we approach our business

Jeff Ton:

community. Well, to that end, one of the things that I thought was really interesting was, um, when I, when I went to Goodwill as their cio, they had a risk manage. department. Now Goodwill has, has a big retail presence. So you would think that they would have loss prevention and risk management, but that group was also involved in cyber. They were also involved in disaster recovery and business continuity. Yep. So they were taking that responsibility much broader and it did not report up through me as the cio. Mm-hmm. Um, so I think, I think that's a good, uh, a good point, Aaron, is that. Uh, it is a company problem. It is not just an IT problem and because it has traditionally owned it. it's seen as an IT problem, and I think that's part of the change that we have to drive. Yeah, so I

Cody:

think a lot of times they see as, you know, cyber means tools and tools means it, you know, they forgive the the people and process part of cyber, which oftentimes is one of your most valuable. assets to

Jeff Ton:

a cyber program and, and also the wink is link. Right? True. The people

Aaron:

also true attackers know this well. I don't know that all business leaders know this. That's word

Jeff Ton:

social engineering. Yeah, yeah, yeah, yeah. Here's this email. My, my, uh, long lost uncle from Nigeria wants, uh, once a million dollars Why not?

Aaron:

It used to be that, that that transparent now it's like now it's not reset your Zoom password and yes, it's a lot

Jeff Ton:

easier to fail. Oh yeah. They've, they've gotten more sophisticated in the way that they're going after, uh, people to get their opening in. Right. And, uh, one of the areas that I, that I know you guys focus on as well, is they're not just focused on you for you, they're focused on you for. Supply chain. Mm-hmm. Mm-hmm. uh, up and down your supply chain. Right. You may think, oh, I'm just this small little boutique firm who would want my data. They may not want yours. Yep. They want your clients. You a pivot point. Yeah, yeah, yeah. Law,

Aaron:

law firms, accounting firms. Yes. CPAs. HVAC firms. There you go. To name, to name a few.

Jeff Ton:

Yeah.

Cody:

Speaking of that, you know, when you, you tie tools and people and everything when rolling out tools, you know, we see a lot of folks and, and companies that push the tool out right away. Again, it's pushing this tool out. You spoke of change management earlier. Mm-hmm. um, thoughts on, you know, what we think is, you know, aligning the process and the why and the people Yeah. Behind the tool to maximize that kind of, you know, um, symbiotic relationship, but mm-hmm. talk about what

Jeff Ton:

you've seen there. Well, I, I think across the board we have a, we have a problem with, with projects that get labeled as it, we were talking about this earlier. Um, John Thorpe is a, is a internationally known thought leader on helping businesses obtain the value out of their initiatives. Um, and he, he talks about it as a labeling problem. We say this is an IT problem just like cyber we were talking about a second ago. Um, and then kind of the next piece that they failed to realize is, there is change involved anytime you implement a new tool. Mm-hmm. processes change, people's jobs change, and we take change management too lightly. Right. I, I was talking the other day that, uh, uh, I was CIO for Lost Property Group, commercial Real Estate Construction. We always talked about this concept called value. Hmm. What value engineering is in the construction industry is how can we make it cheaper? Right. And that's what, and and, and so you look at a lot of IT initiatives, and I was guilty of, of this myself when I was in leadership role. You see this project and you see this line item called change management. Mm-hmm. It's like, oh, we're gonna value engineer that puppy out. Right? Right. We don't need to spend the money on change management. We can, we can implement change. Yep. And the fact of the matter is you can't. Yep. It's, it's complex. It takes a lot of time and a lot of effort, and it has to start at the beginning. Before you roll out the tool, what's that called? Strategy? Yeah, yeah, yeah, yeah. We were talking about strategy earlier too. What? What's that? Yep. Yeah. Strategy is what you come up with after you implement something. Yeah. should have done that. So

Aaron:

have technology leaders changed from like he, who has he or she who has the most tools to more of understanding the value of process and scale and getting the results? Or are we all geeks at heart where we want more and more and more of the best? Coolest technology, and is that, are we defeating ourselves with volume? Well, we

Jeff Ton:

are all geeks at heart. That's why we went into this. But I, I would like to think that we have changed and we've taken a more business focused approach and, and spent the time to understand the why. um, the strategy, why are we doing this? What value are we gonna derive from it, and how do we measure that value? Uh, and then how do we hold ourselves accountable to, to that value rather than just stacking up the tools?

Cody:

I know one thing right now that we see a lot of, um, is information classification or data classification. And, and part of that protecting is, is knowing what we're protecting and, and knowing what information we have. But to start there, even the CIO's not gonna know where all my data is. And so it's teaching the, and the employees of, you know, how to classify information, where's it at? And then once you can see it, you can protect it better. But the first thing is to know where, where is it? Yeah,

Aaron:

I guess your next topic was digital transformation. So what, I mean, that can mean a lot of things for a lot of people. What does it mean for Jeff Ton?

Jeff Ton:

Ah, that, that is such a great question. I love that topic. Um, I'm a, I'm a fellow for the Institute of Digital Transformation and we, we obviously talk about this all the time, uh, in fact, just short plug, we just released a new book, uh, digital Transformation Demystified, right? Uh, it's, uh, co-authored by, uh, 10 of the Fellows. Uh, I wrote the chapter. Leadership in Lewis and Clark. All right.

Aaron:

That's not a surprise at all. And

Jeff Ton:

digital

Aaron:

transformation. So can I get that on Amazon?

Jeff Ton:

Uh, I think so. All right. I think so. I'll have to, I'll have to, I'll give you the link. All right. Well, I know you can get it from the Institute's website. Okay. I know you can order it there. What about Audible? I'm a big audiobook guy. Um, I don't think it's come out on audio yet. Audible, audible yet.

Cody:

If you need a

Jeff Ton:

voice, I'm happy to you've, you've got the voice. The voice, the voice you got, man. Um, so. One of the, one of the things that we talk about in this book is that trying to define digital transformation. Is kind of a red herring. Mm-hmm. because it's different for every organization. Um, uh, one of our, uh, one of the folks at the institute is, uh, Frank Granito. Frank is our chief scientist, which means he's a real data geek, uh, but he's also a chef and he talks about the difference between a cook and a chef, a cook. is great at following a recipe or hopefully they're great at following a recipe. I've been in some restaurants that maybe not so much, uh, but they're great at fires. Yeah. Um, they follow a recipe. On the other hand, a chef understands the flavors and the chemistries in the food that how they blend together to create the dishes we all love. Well, if you're running digital transformation, You need to be a chef, not a cook, because there is no recipe. Uh, and so it, it really, uh, one of the things that, that digital transformation to me really boils down to is this convergence between IT operations and the rest of the business. Those three coming. Um, and you know, you can talk about customer first and some of the other nuances of digital transformation, but if you don't have those three converging, you're never gonna be successful.

Aaron:

Yep. Speaking of chefs and cooks, I'm getting hungry, so I'm gonna move on to the next question. And Cody, let's say it together, Saturday Night Lifestyle. Who he's not gonna do it. He can't do it. He's, he's who should own digital transformation. Are technology leaders in IT best equipped to do it, or does that need to be owned by somebody in the business?

Jeff Ton:

Well, yeah, good question. Well, and you warned me you were gonna ask this question and, and I really struggle with this because as a former cio, I, I want to say the CIO needs to. Um, but it really, if you don't have a strong partner within the business that you're partnering with mm-hmm it's gonna be really hard to drive the change that you need to change. Uh, throughout the organization. So, um, I guess I'll answer it kind of twofold. Yes, they can, they can drive it, but they've gotta have a partner in the, in the business that really understands what they're doing. And, and back to what Cody, you were talking about earlier, the why mm-hmm. they're doing it. Mm-hmm. Yeah, we, we,

Cody:

we see a lot of things too, you know, that driving that, like functional ownership, right? So it, to your point earlier, leader can, can help drive security and, and help, you know, automate it and influence it. But the, the functions are gonna know they're in the business every day. They're gonna know where the crown jewels are. They're gonna know how, how to best talk to their, and to socialize those things too. So when the policy comes up, that may not come from it. instead of it being the bad guy. Yep. You've gotta functional leader say, Hey, this is a real

Jeff Ton:

thing to do. Absolutely.

Aaron:

So, so digital transformation, pulling away from cybersecurity, or is cyber security pulling away from dig digital transformation, or do they need to be one in the same?

Jeff Ton:

Oh, great question. Great question. On a roll today, um, I, to me, cybersecurity has to be built into everything you do. as an organization. Mm-hmm. not just technology perspective. Right. But also, uh, the rest of the org from cyber responsibility, making sure your organization is cyber resilient, all those kinds of things. But if it's a line item in a project plan mm-hmm. yeah. It's not gonna work, right? It's gotta be embedded from the start. And I'm not suggesting that you don't need a cyber group headed by a cso. I think you need those, uh, within your organization to help you drive the strategy. Um, but it really has to be pervasive in everybody in the organization that, Hey, we're gonna digitally transform whatever that means for your organization. Yep. But we're gonna do it securely.

Aaron:

kind of bridges all three topics from the CIO group together. Yeah. Change, manage. that hasn't been embedded in the past. How do you get it more embedded? Mm-hmm. I'll tell you for damn sure. It's cheaper if you embed it versus trying to clean up the dumpster. Oh, absolutely. After the fact. We've seen that countless times. Yeah. You, you, you lose,

Cody:

you lose the, uh, the trust and now they're frustrated and now they're more resistant to, to the

Jeff Ton:

change. Well, and as we were talking earlier right, 70 to 90% of it projects fail. Yep. And that number's held true for decades. Why does it fail? you're not driving the change in the organiz. and scope creep. And scope creep, Yeah, it's similar. Yeah. Yeah, yeah.

Aaron:

So on the cybersecurity front, what are the things that have bubbled to the top of your list or the conversations that you're

Jeff Ton:

having? One of the things I'm really looking into right now, um, uh, I'll, I'll put in a, another shameless plug. Uh, I host a podcast called Status Go. Um, and, uh, I'm gonna be interviewing a guest coming up on zero. as a strategy for cyber. Uh, so this is a new, a new area for me. I know it's been around for a long time, but it seems to be getting a lot of interest and a lot of traction. So I've been trying to learn about that. I think that's a, that's interesting. An another thing that I've seen in the last, uh, several months is the concept of continuous pen testing. Mm-hmm. penetration testing or penetration testing as a service. I think those are, those are interesting to help, uh, companies. Um, drive cyber security within their organization who may not have all the resources to do it. Uh, and, and with, especially with, uh, continuous pen testing, right? Too many times it's a check the box. Mm-hmm. Yep. We did our pen test this year. Uh, we don't have to worry about that again. Um, and. 20 minutes later, you're not secure anymore because something

Aaron:

else is, and what is a PIN test? Is it a commodity scan? Is it a white hat hacker that you know, knows what they're doing? Is it a red team? Yeah. Lots of depth there. Lots of variety in the market. Absolutely. Which makes it tough for CIOs to kind of know what they're, what they're doing getting

Jeff Ton:

right.

Cody:

Yeah. And a lot of things you see, it's like playing whack-a-mole, right? Like there's always gonna be findings on it, but if you. Instead to solve the finding, solve the program that, that, you know, you know, fixes that. So then ongoing, you're getting better as a company versus

Jeff Ton:

just Yeah, absolutely. I love the visual on that. Yeah. Right. One more pops up, Great

Aaron:

game. So, Jeff, what are, what are some of the things that you'd recommend for all the leaders listening to, to better themselves and to be. Uh, of an influencer within their

business

Jeff Ton:

community. Well, I think the top thing they need to do is listen to simply solving cyber Just, just saying go. Just saying That's perfect. I think that's gotta be number. No, I'm serious. You guys, you guys put together a good program. I, I think, uh, it, it is important for CIOs, IT leaders to continuously learn mm-hmm. uh, and explore. One of the reasons we got into. Uh, field to begin with is we were curious. Yep. We love to solve problems, so don't stop learning. Um, whether it's podcasts, whether it's books, whether it's audible books that we were talking about earlier. Um, any of that you have to keep learning because the landscape keeps changing.

Cody:

Do you see a lot of folks, and I know when you get the large enterprise, you know, the strategy and, and. The investment in that is, is more prevalent than at the smaller mid-market size. They kind of wanna just, you know, ready, ready, fire, aim type thing. But, um, talk about real quick too, just the importance of strategy and, and defining. It may not be in six months or 12 months or 24 months, but if you have all these tools and you're putting things, you're getting better. How do you know if you're getting better? If you don't have a strategy, if you're just putting things in and then as a CIO or or a CISO or Seso have you, your choice of pronouncing it, but then how do you report back on, Hey, I've done this, I've moved needle this much. If there's no strategy, how do you report back? what you've done and, and how you moved the

Jeff Ton:

needle. That, that is such a great question and, and I'm gonna take it back even a step and say, Simon Sinek was right. It starts with why. Yep. Why are we even doing these things to begin with? Then you can define how do we do them? And those become your strategies, right? You, you, what are we in business to. um, uh, John Thorpe would say, what is value? What is value to us? Right? It may not be, um, uh, just the bottom line. There may be other things in your business that create value that, that, that you value. So starting with your why, and then let's talk about the ways that we can get there. You'll have multiple strategies mm-hmm. to implement. And then the third piece of that is, How are we gonna measure it? Yep. Because if you don't do that at the beginning, you end up with this nebulous thing that just runs amuck. You've gotta have the discipline to have your why and have it very simple that this is what the company does and why we do it. Now, if our goal is this, then we're going to use strategy A, strategy B, strategy C for strategy A. We're gonna measure it in this way, strategy B, we're gonna measure it in this way. Yep. You've gotta, you've gotta do all that. Right. Or, or you won't know when you get there. Yep.

Aaron:

Awesome. Well, Jeff, we'd like to thank you again for coming on the show. I know we are off to our reveal risk, uh, networking event that we have. Area CIOs and CISOs that we do every other Friday. So we're looking forward to talking to you more and hope that some of our listeners, uh, come out to the networking event as well.

Cody:

Yeah, and thank you for, you know, being on the

Jeff Ton:

inaugural reboot. So yeah, there you go. There you go. Happy to be here, man. Happy to be here. Awesome. Thank you. Thanks Jeff.

People on this episode