 From the SiliconANGLE Media office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Dave Vellante. Hi, everybody, welcome to this CUBE conversation. This is part of our CIO series, and Jason Thomas is here. He's the CIO of Cole, Scott, and Cassane. CSK is Florida's largest civil defense law firm. CUBE alum, Jason Thomas, great to see you again. Thanks for coming on. Yeah, thanks for having me. So, let's talk a little bit about the firm. Largest firm in Florida that focuses on civil defense. So, you got lawyers, you got paralegals running around, you got demanding clients. What's the business like that's driving your technology strategy? So, when I, I'm new to legal, so this, I've been here about almost four years now, so I started January, whole different world. It came from startup biotech, that line of business, and a completely different animal. It's some of what you imagine very always on the go, very busy, a lot of business. We open dozens of cases a day, new cases, so a lot of things going on. Really event-driven. Yeah, very, very, very busy, so. And, you know, technologies, the firm has taken the stance that technology is very important to the firm, and we want to use the best technology possible to make it as efficient as possible. That's the chief driver for tech at the law firm. So, tech, you know, 15 years ago, whatever it was like, take an email to SaaS, right? So, but I would imagine you focusing a lot on just attorney and employee productivity, maybe collaboration, document management, compliance, are those sort of hot topics and how are you applying technology to deal with those? No, so that is big drive efficiency. Using technology to be efficient and to make our folks productive, but we don't want to see, and that you see sometimes, you throw a whole bunch of technology at folks thinking that it's gonna make them efficient and productive, and actually, it could be the greatest technology in the world for one place, and you put it in another firm and it makes us unproductive, so that's kind of the magic there, kind of trick to figuring out what is, that actually is gonna make us productive. Well, they're pretty clear swim lanes in your firm or is there a lot of shadow IT going on? Because I would imagine a lot of the frustration of IT folks is you get the shadow IT, they bring in a point product, and then IT is gonna see, I always call that, hey, clean up this crime scene. And is that a problem in your firm specifically or even your industry, or is it pretty much, hey, let the tech folks figure out what the right tool for the job is? So in my mind, the trick here is it's not gonna be any one person or any practice group that's gonna define what's the best ops, the best tech. I mean, thankfully for me, I do try and drive most of the tech at the firm, but the key is you have to understand how the business runs, just because again, just because it's cool tech or it's working at one firm, doesn't mean it's gonna apply or work another. So I spend a lot of time in conversations with a lot of the partners and associates. I try and make myself a bill as much, just to chat, see what they're doing, see what could make them more efficient. Sometimes if you don't ask, they don't even tell you. But if you ask the question, you can learn a lot in 20 minutes from somebody. And that kind of helps me decide, okay, what's gonna make sense or what's the next thing I should be looking at to help folks out? So basically, Colombo questions, for those of you who remember Colombo, kind of ask them basic questions, what about workflow? How do you spend your time? What kinds of questions would you ask attorneys? Honestly, they could be calling about something completely unrelated to what I'm thinking. It just could be simple as, hey, I'm this thing with this program or I'm trying to do X and this is the way we're doing it now. Is there a better way to do it? Or it could be simple as we just kind of fall into the conversation based on other things. They just want to talk to somebody sometimes, but they're not necessarily going to bring it up or just don't have the time. They don't have the time. So a lot of times in theCUBE, we get caught up, we love the tech, we talk about data science and machine learning and blockchains and everything else. But there's this basic blocking and tackling that a CIO has to worry about. I wonder if you could share your perspectives based on your experience, just in terms of some of the advice you might give to organizations that are maybe growing, maybe haven't had the experience of a CIO that's been around the block and maybe in different industries. But some of the basic blocking and tackling that you see that maybe doesn't happen in organizations that really needs to happen. The expectation or when you're thinking about, thinking about what the next thing is for the firm or for your company, you also want to kind of think long term as well. You want to think three to five years out. So if we do this now and based on our current growth projections, will this work for us in three years? Will this work for us in five years? Or what's our game plan? Maybe we start small and expand for there, but you don't want to just plan for the immediate, you want to plan for the future. That's kind of, I think that's what CIO should be doing. It's not just about the tech or was it going to work in our environment but is it going to work for us down the road? Because we don't want nobody, CFOs don't want to hear and CEOs don't want to hear that, hey, you know, we just bought this thing last year, but yeah, we're going to have to buy something new now because it doesn't work anymore. But it does happen sometimes, right? It happens all the time. I mean, I remember. I've done, you know. Right, I remember this goes away, it weighs back now, but the federal rules of several procedure, I think it was 2006 and everybody was rushing to plug holes because the courts ruled that electronic material was evidentiary for whatever, seven years or something. So everybody was like, okay, we need to have a system that allows us to comply. So they went out and bought email archiving systems, which they knew that we were going to have to throw away in three or four years. So how do you deal with that? Do you face that, especially in a compliance oriented world and you just try to sort of balance the cost and the throwaway nature of that initiative with something more strategic? How do you deal with that? How do you communicate that to the powers that be? No one likes to be held at gunpoint at number one and especially my boss. So I mean, he gets it, right? I mean, there's regulations, but I will say nothing happens as fast as everyone says it's going to happen. So there's always that. You know, there's always like this panic, oh, we got to put this in it. Honestly, I feel like tech folks use an excuse and of course I do it too. You know, they're like, oh, this is awesome. You know, we get to put something new in and no one's going to say no. And it's not always the best approach. And again, you kind of have to look at it longterm, holistically for the businesses. You know, what is really going to happen in a few years? Is this technology going to even be a thing in a few years or is it just like to just a satisfied immediate solution? Because again, I don't want to, the last thing I hate doing is putting something in and telling my boss that it has to be replaced. He hates hearing that. It's not, I don't want to tell him that either. It's quite frankly, it's embarrassing. I don't blame your boss, right? Yeah, it's embarrassing. You know, it's just, let's do it right the first time. How do you do planning? I mean, obviously there's a technology component planning, but I'm inferring from what you said there, technology is kind of the last thing you should be worrying about. You should worry about, you know, the direction of the firm, the business, the growth plan. How do you do as CIO planning and how do you align that with the business? Conversations, so lots of conversations. Lots of conversations with the attorneys. Continuous conversations with my boss, the CEO. And sometimes I'm not really great about it sometimes and you know, we still go by and I won't even have a conversation with them about what's going on and he wants to know what's going on. He doesn't understand all of it, but in those 15, 20 minute conversations, you'll be surprised what you'll learn and what's going on in the business that you didn't or I didn't know about and from there I can make decisions about, you know, six months from now or next year or during budgeting season, what it is that we need because budgeting season is not really the time to try and figure out what it is you want to do for next year. You want to have a plan months before that. You know, you already want to have kind of an idea of what you want to do. I mean, I've been talking to my CFO since the beginning of summer about things that we want to do for 2020, you know, six months, nine months ahead of time. So. So do you do basically annual planning? Do you try to look out further? Do you formally document that stuff? Every quarter. So we have, we kind of have most of the conversations with our, with my CFO and COO. Every quarter we have kind of a list of projects slash what is it we want to do for the next couple quarters and we just kind of track that. And based on what we're seeing and how we do, then we, we basically plan each quarter is how it comes down to. And we have a, we'll call it a whiteboard, virtual whiteboard of what we're doing and what we want to do. But relatively near to midterm planning, you're not doing like five year planning or something. No, no. Just waste of time to try to do that or at least in your business, maybe in pharmaceutical or healthcare. It's hard, it was hard for us to do that because of how quickly we grew over the last, again, I've only been here almost four years, but even when I started in 2015, I think we had somewhere around 300 plus attorneys and I were somewhere in the 475 range. I'm not saying no one saw that happening, but I don't think we, I don't think we expect that. I mean, business has been great and we're happy and we're fortunate to have it, but you can only plan so much, but you do the best you can with the data you have. And your organization structure, you report to the CFO, is that correct? CEO. CEO, okay, so your peer essentially of the CFO, is that right? So you say you talk to the CFO about budgeting, so you've got the CEOs. More of the nitty gritty, you know, the details, the details of the numbers. What's that conversation like? Is it obviously you got to justify it, show a business case, or is it more, sort of, hasty? So here's the good news. Got lucky, again, CFO is very technology forward and so he understands that it drives a lot of efficiencies within the firm, so he gets it, but he's been in this for long enough to get it and knows that we can, again, use efficiency a lot, there's just a lot of efficiencies and a lot of inefficiencies that, inefficiencies you see in a lot of what folks do in law firms that no one takes the time to sit down and say, okay, why do you do it like this? There's got to be a better way. Well, this is the way I just do it. And so we've been able to kind of adjust a lot of those workflows or change those workflows to make it more cost effective for the business. Like even things simple as just manage print services, you know, with DOA, do we store 100 donors in the back somewhere and then wait for someone to say that they're out of toner, it's not very efficient and it's very expensive, actually. So, you know, we put in much more efficient process in place for donors, because we're a paperless firm, but you know, I mean, you still have to print. So, joke about the paperless office, but paperless bathroom, or the other way around. I want to ask you about security. Are you the de facto chief information security officer? Do you have a CSO? Do you not have a CSO? That'll be me. So that is you. All right, so let's talk security. So what is the state of security? And as you see it, it's constantly evolving. Security practitioners tell us that they've got so many tools, they might have a SecOps team, you may or may not, it may be sort of embedded in your team, but they've got to respond. They've got to respond. Sometimes it's hard to figure out what they should respond to, prioritization, the data, keeping up with the bad guys, all that stuff. What's your state of security? So I think these days, it's not really about having the best firewall or the best outside protections. I think a lot of the attacks that are happening now, not that they don't happen from the outside, but a lot of it is a lot of social engineering and a lot of, everything's, they're taking advantage of the ignorance of the users for a lack of a better way to say it. And so a lot of it's coming in through email, malicious links and they're taking advantage of the inside and bad practices and bad policies and or lack of. So I think based on what we see in the news now and what you read about, it seems like there's a breach every week somewhere. And then when it comes down to it, you find out that X Company didn't use a strong hash or salting on the hashes for the passwords, like simple, basic, basic stuff. It's not like some massive operation like you see in a movie where they're making this big plan to break in the building on the plans out and they're sneaking in from the ceiling and all that kind of stuff getting in. They're just basic stuff. They're just passwords, hacking passwords, reused passwords as databases of passwords everywhere out in the dark where you can just buy and they're just utilizing simple stuff like that. It's not even complicated anymore. It's just a lot of social engineering. Oftentimes I say that bad user behavior trumps good security every time. I want to ask you about the state of this of security in the industry. So you were reinforced that we were there and Stephen Schmidt stood up and he said, look at this narrative from the vendor community that says security is broken, isn't productive. It hurts the industry. At the same time, I was at VMworld recently a couple months ago, last month actually, Pat Gelsinger basically stood up and said, security's broken, we're here to fix it. They made a big acquisition of Carbon Black, local company. So you have these two different polarizing opinions. I don't necessarily feel like the state of security is great. I look back every year and I said, do I feel more secure or not? I remember Art Coviello every year, RSA would write his letter. But what are your thoughts on that? You're basically saying, hey, a lot of times it's user behavior, it's things that maybe it's education. Is security a do-over, I guess is my question. Do or in the sense that, I think it just comes out to basic education. I have, we're in tech and we understand security and we have all these grand ideas and technologies and vendors and software that we use to do different things and all these fancy dashboards. But if you asked the basic person off the street about, I think I saw Skit on Twitter the other day and there's this guy going around asking people, what's your Facebook password or how complex is it? And let's just give them their passwords and stuff. You know what I mean? It's just like, there's just a lack of basic education. So all security busts walk around and they don't understand what we're talking about, but they don't need to understand what we're talking about. We just need to be able to just have a basic security awareness and training with folks. I have a friend who works in industry or in a nonprofit that helps folks who've been kind of harassed, abused online. And she's telling me, she's like, look, you guys are great, you're really smart, but these folks, they don't know the basic stuff. Like, hey, someone keeps logging into my internet and I keep seeing some of these weird things in my yard, like cameras in my yard and can I do this with my phone and oh, I can't use my dog's name from my Facebook password? Like, this is just basic stuff that nobody knows. It's not because they're stupid, it's just, they just don't know. And so we're up here and you're average everyday person. It's just on this level. How about ransomware? Obviously a hot topic in the business. What should people be, what should they know and what should they be doing? At a basic level, security wear is training. It's very simple to do. There's a lot of, not that I'm pushing products, there's plenty of products out there, security great ones that kind of help your user or teach them what not to do or what to look for. We run a phishing campaign at our firm every once in a while and at this point, no one clicks on anything without asking. I mean, I get direct emails and I was like, hey, how does this look? Does it look like I should click it? Or, you know, does it look legit? I mean, it's great. They ask now, they know not to do it. Whereas, I mean, that's how they get you. That's how they get mostly displayed. Especially from, we get a lot of, we constantly hear about smaller firms or smaller clients and companies getting hacked. We'll constantly get emails from them all the time. They'll get hacked and then we'll get the, you know, we'll get the emails with the links, whatever. That's one on the user side, on the IT side. I think we just really need to take it back to the basics. Let's make sure we have backups and a backup policy and a data protection policy and an instant response plan. You know, let's have a plan here and let's not react when something happens. Let's just have a plan. Honestly, at our firm, we do have backups and we have layered strategy, but there's just some basic things that we don't do. Like, no, IT folks, we don't keep things on our desktop. Let's start with us, you know, we're supposed to be the leadership in this regard. So let's not keep stuff on our desk, keep stuff on the network, let's keep it protected. Make sure it's part of the backup schedule. Things like that. I think you need to start there because I was just reading about, there's an article that came out yesterday. I think it was Washington Post. And it was talking about the ransomware incident Baltimore a few months ago. They're just now finding out that the, even the IT folks had stuff on their local computers that couldn't be recovered. Important documentation. So this is just data protection 101. You know, we got to take it back to the basics. Take it back. All right. Last question is just kind of your career. So you mentioned before you were in, I think you said healthcare. Yes, I work for MSP. So I work with a lot of startups. So how'd you get here? How'd you become a CIO? People out there maybe young people in tech, they aspire perhaps to stay in tech, but they want maybe more of a management role. What was your path? And what kind of advice would you give them? What I would say is, so it worked out where I was a lead at the company I was out in here in Mass at the time. And so long story short, my wife had an opportunity in Orlando. We moved. And I said I would never work for a law firm ever because I was, when my current boss found out I was coming, we have a long relationship. And when I was, we grew up in Florida. And so part of that, yeah. Okay, so I was in the right place at the right time. And I knew somebody. That's why it's important to stay on top of networking, always be networking, not for any other reason, just get to know people, you know, the tough thing that I had growing, kind of growing in the industry. No, I didn't get involved early on, which I should have. I should have gone to events, things like that and get to know folks. Cause if the people don't know you, why are they, you know, why are they gonna hire you? It's easier to get in somewhere or get an opportunity if they at least know you or know your name or know somebody who knows you. That's that's number one. So I'm big on that. Soon as I moved back here, I've already started. I have quarterly lunches with some of the CIOs at different firms here. I just put myself out there as, hey, I'm here, we wanna get together for lunch. So that's, that's, that's simple. Number two, make sure you, this is what you wanna do. It's a lot of it. And you hear this all the time is true. It's a lot of it has to do with personalities and people. You are managing personalities and people half the time. You're not just doing the tech. If you think you're just gonna be doing tech or doing cool stuff, not the case. So make sure you can, you know, make sure you know what you're getting into because it's, it's very challenging. Yeah, that's great. Great advice. So network, it's not, I like to say, it's not who you know, it's who knows you. So get out there and then love it. It's a lot of times it's, I would imagine it's thankless, right? You hear, you hear a lot of the chatter when something goes wrong. It's like the, it's like a defense of a football team, you know, it's fine until. So somebody scores on it. Yeah, some of it gets sacked, you know what I mean? So otherwise no one cares. All right, Jason, well, thanks for the update. Really appreciate you coming on theCUBE again. Thank you. All right, you're welcome. All right, keep it right there, buddy. We will be back with our next segment right after this short break.