Interview with Adam Erstelle, VP of Technology at Sercante


In this interview, PeerWise spoke with Adam Erstelle. Adam has worked as a programmer and software analyst, a web developer, and a software engineer, and is currently the VP of Technology at Sercante. Sercante’s mission is to make marketing & sales teams wildly successful on the Salesforce platform. Adam gives us insights into the challenges involved with managing security in a small business and how he manages his own with the aid of tools. He also talks about the inherent trust that small businesses have to place in the tools, vendors, and MSPs they are using, for better or worse.

Nick Zeckets:

Adam, thank you so much for being part of this interview series that we have at PeerWise around cybersecurity. What I want to do is just start out by getting a little bit of a background on who you are, the work that you do, and where you do it.

Adam Erstelle:

Right now I am leading a team at Sercante, which is a Salesforce consulting firm where we help marketers be wildly successful on the Salesforce platform. And we primarily do that by working with companies who are looking to implement Pardot.

Nick Zeckets:

That’s great. So, you’re working within the Salesforce ecosystem which is enormous. And we’ll talk a little bit more about that here in a bit, but tell us a little bit more about your background as a developer and engineer. Has it always been within the Salesforce ecosystem? Are there other stacks that you’ve had a lot of exposure to or different types of industries that you’ve been in?

Adam Erstelle:

I guess you could say I grew up in the telecommunications industry. I was building applications that allowed people to self-serve their TV package or their internet package so they can go onto a website and make changes. And the telecommunications industry is super complicated. So taking the complexities and making it easy for the end user to make their picks, and then our applications would actually end up talking to the technologies and provisioning the changes relatively live. You could say, “I want to sign up for HBO Max” and within a few minutes you would actually have HBO Max.

That’s kind of like where I grew up, so to speak, and I moved around to a few different places within the telecommunications industry. Then about three or four years ago I thought to myself that it’s probably good to branch out a little bit. So I met up with Andrea, who’s our CEO. And I started diving into the Salesforce ecosystem. I was pretty naive at the time thinking, oh, Salesforce is just another CRM (customer relationship management software). And I’m still being proven wrong every day. Now I’ve been helping Sercante on the technical side of things. I learned the Salesforce platform fairly quickly and now I’m just looking to share that knowledge with our many clients.

Nick Zeckets:

That’s great. And that’s interesting that you moved from an environment where you were creating user experiences that enabled access to what I imagine are fairly high security required environments. Environments that have massive data stores, massive amounts of consumer data. And now you’re over in the Salesforce ecosystem. 

I would imagine that you guys very much are operating B2B and they’re also really concerned about their own customers’ data and navigating what Salesforce can and can’t do. That would actually be a really interesting place to start when we think about cybersecurity and the environments that people operate within. Assuming that within telecom, what you were building from was not on Salesforce. It was on some other kind of stack?

Adam Erstelle:

Totally.

Nick Zeckets:

How do you think differently about how it is that you can and have to approach security requirements now that you’re within the Salesforce ecosystem, as opposed to a home grown stack that you might have had when you were outside of the ecosystem?

Adam Erstelle:

Yeah, it’s funny because back when I was in the telecom industry we just had to worry about our data and our customers and our security. It was our tech stack. It was all on premises. So the landscape is just so much different. There’s security teams and network teams that are working together. And it’s kind of within our little house. 

When I moved to Sercante, not only were we only dealing with cloud software. But now we’re also dealing with a hundred, 200 different clients. For me there’s two new things going on. What’s nice about it being cloud software is that we trust that those cloud software providers have their security in check. I mean, any cloud software that we sign up for, there’s gonna be some inherent trust that they have their stuff together. And then as an organization, all that we have to do is make sure that we are using it responsibly.

Nick Zeckets:

I really appreciate the comment about the level of trust that you just kind of have to have in cloud software providers. The age of SaaS where nothing’s on prem anymore. It really changes where the trust has to live.

Adam Erstelle:

There’s just an inherent level of trust for startups. That’s pretty much as far as you’re going to go. You trust them or you don’t. You use it, or you don’t. Now larger enterprises might have a security team. They may have the capacity of actually working with that cloud provider and saying prove to me that you’re secure either by having some sort of standards compliance or answering our security questionnaire. Right. And then there is a discussion afterwards based on those results. And then the security team can then say yeah, we think we trust them.

Nick Zeckets:

That’s really fascinating. Okay. So that’s a really compelling framework too, for how it is that an organization based on its size can reasonably expect to navigate cloud provider cybersecurity. Basically, the smaller that you are at a certain point you simply have to have trust in the provider on some level.

That then kind of brings into question whether or not companies/software providers that work with small or medium size businesses, if growth in those organizations as it pertains to security is more a marketing problem than it is a technology problem. There’s the people behind the scenes on the product who would say, wait, hold on. It’s a problem for us, for sure. 

But for a smaller organization, is there anything that pops up in your mind? If a company says that they have SOC 2 compliance, or if they proclaim that they’ve invested in penetration testing? What are some of the ways that as a technologist who’s worked across both large and smaller organizations that you can get to a place of trust pretty quickly? That would make you feel like, yeah, I’m willing to work with this software on some level without having to have a lot of concern or feel like I’ve got to pull other resources to validate this security?

Adam Erstelle:

I don’t know that we even go to that level of security vetting. We more just say hey, there’s a tool that we need to use. And what we tend to do is we try to stick with the slightly bigger and well known companies. We make the assumption that other companies have established that trust. 

Even for Salesforce, I don’t know what level of compliance they are. I don’t know how they handle cyber security at all. I know that there’s places that I could go to look. And I know that there’s large companies that are using them that likely have stronger security concerns than I do. And for me, that’s good enough.

Nick Zeckets:

That’s interesting. I’ll ask a specific question here. What would convince you as a developer more in looking at a potential software vendor and their security: recognizable customer logos or a security compliance badge of some kind?

Adam Erstelle:

It would be the logos. Because I would assume that those logos have the security teams that have looked at the badge and that have asked all the right questions. Now experience also tells me that’s not always the case. Because it could be a little rogue department within that big logo that just is using their tool just to get the job done. Unbeknownst to the security teams that I’m placing the trust that all that stuff happened. But you know, if a software vendor has a bunch of logos, what are the odds that all of them are using that software in the rogue way?

Nick Zeckets:

Right. That’s really fascinating.

Adam Erstelle:

You know it’s like I have trust in other people’s trust to trust the vendor. As a startup we just can’t invest all that time and figure out all the processes to establish what security purists suggest that we should have. In an ideal world. Yeah, sure. Let’s do all that stuff. But I’m trying to piece together a company here and I’ve got to move quickly.

Nick Zeckets:

Yeah. And I think that we’re hearing that from technology leadership at organizations big and small alike. That cybersecurity is one of those things where pragmatism is your most likely path to some reasonable, durable level of security. You can’t ask too much of your coworkers who are evaluating the tools that they need to use in order to do their jobs. You can’t ask too much of your own staff which in smaller organizations are also wearing hats like customer success and product development and all these other types of things. At a point too much cybersecurity brings lots of other things to a grinding halt. I think that that’s a really fair statement and it’s true. 

It sounds like from what we’re hearing from organizations of all sizes, which then brings me back to your point of saying I don’t know if I can put my trust specifically in this vendor, but I do trust Disney, Toyota, and IBM. Those guys are all customers of that vendor. So it gives me this really easy, consistent shortcut to establishing some sense of cybersecurity approval.

When you think about any other ways in which you guys consider and operationalize anything related to security within your technologies, both those that you have internally and what it is that you’re doing for your customers, and the answers can be different for both. What are some other things you find yourself regularly doing, or depending upon that you feel like establishes an environment that you’re comfortable working within?

Adam Erstelle:

At Sercante, pretty much all of our tools are cloud-based tools. So we don’t really have any internal systems. We don’t have our own data center, nothing like that. We are a 100% remote company. All of our tools are remote, cloud based, et cetera. So again, we’re relying on each one of them individually to pass all the musters of security, which leaves, from a cybersecurity perspective, just the behaviors of each one of our people. That’s the thing that makes us think, how can we help our people make all of the smart security decisions just as they’re interacting with these cloud systems. 

Foundationally that boils down to one simple thing. And that’s downloading and uploading information. Because we are a consulting agency we have access to a lot of customer systems and data through usernames and passwords. That’s probably the thing that is our weakest link. How do we protect all of those logins to all of those customer systems that have their own data? 

For us how we mitigate that is we use a password manager, which shouldn’t really come as any surprise to any of your readers. We use LastPass, we’ve got shared folders set up in such a way that reduces the exposure. But again it’s still going to boil down to some level of trust. We trust our employees behave smartly and are not sharing these things where they shouldn’t. We trust them to only use the credentials on the websites that they’re supposed to be for. Right. Lucky for us, our tools help us enforce that. So from a security perspective for the most part, that’s where we think. Data and credentials.

Kevin Perez:

That’s interesting. How do you disseminate that info to your employees? Do your tools tell them, or do you send out a newsletter to say, you know, make sure you’re not using this password anywhere else? How do they get that information?

Adam Erstelle:

With our password manager management tool you can only auto fill the passwords on the right websites. So for example you can’t take your Google password and fill it into Salesforce. So there’s very low risk of cross contamination unless you’re extremely purposeful. And it takes a little bit of effort and luckily, most humans are lazy. 

If it’s not easy, then it doesn’t happen. So we try to take advantage of that mindset. If so, it’s not really a security best practice, but if it’s hard for someone to do something bad it’s a lot less likely that bad things are going to happen by accident.

Nick Zeckets:

Yeah. That makes a lot of sense. And the inverse is true too, right. That it’s really easy to mess up. Your exposure really increases quite a bit. This is great. I think there’s really interesting stuff that comes in there. And I wonder, and Kevin asked the right question, which is how you manage against that stuff. 

The tools that manage your passwords, policies and procedures around uploads and downloads of information, provisioning about who has access to what environments on behalf of which customers. Those are all practices that I think any organization of any size and any set of resources could easily execute. And those are the ones that I think we continue to fall in love with.

If you had a day to ponder nothing but cyber implications for Sercante and its customers over the course of the year to come, what kinds of questions do you think that you would be asking yourself and writing down on a piece of paper to say, this is stuff that I should probably try to find an answer to, or that I’d like to find an answer to at some point?

Adam Erstelle:

Actually we are starting to think through some of those questions right now. We are going to start trying to find a third party to help us with our own cybersecurity journey and things like that. We don’t have that expertise in house, and unfortunately I don’t have the time to spend that hypothetical day that you just described. 

So we’re trying to do our best in thinking through what are the questions that need to be answered. And then saying, hey company, can you come help us with your expertise and A. are our questions even helpful and can you help us answer these questions? Then B. can you run it for us? So I might be dreaming in my expectations right now, but that’s what I’m hoping that we can find with a managed services IT provider.

Nick Zeckets:

Yeah. A hundred percent. We were just in conversations with some of these folks and we’ve written a little bit about MSPs in the past. And I think that there’s an immense amount of opportunity. What is most interesting about what you just said is the very first piece about what questions am I even supposed to ask?

It’s saying I can’t even spend enough time to design those questions, which to me I can a hundred percent empathize with. And I think that that kind of a problem affects leaders across all functions. If I knew all the questions to ask, I probably wouldn’t be looking for a third party services provider to help me with all of that stuff. But then it gets back to the chicken or the egg question of if I don’t know what questions I’m supposed to be asking, how do I evaluate those MSPs.

That’s a really interesting thing to consider. It sounds like you’ve at least started to some degree, but I don’t know if you’ve gotten far enough into the consideration to have some kind of a rubric that you’re using to figure out what MSP might be a good fit for you guys, knowing that you don’t know what you don’t know. You know that cybersecurity matters and you would just like somebody to come in and pick that one open question up and turn it into specifics.

Adam Erstelle:

Yeah. So as an MSP who has been around for, I think for four and a half years, we fairly regularly get security questionnaires from our customers or our prospects. So we have a good understanding of what’s important to our customers. We’re trying to leverage that in creating our rubric while keeping in mind that we don’t necessarily want our customers’ questions to drive our entire strategy. So what I’m trying to do is say how can we improve our security posture so that these questionnaires that are coming at us are a lot easier to answer, and then can that managed services IT provider answer it for us.

Nick Zeckets:

Yeah, I think that’s huge. And I continue to kind of come back to this idea that in a lot of organizations, what we hear is that cyber security is a bit of a limitation, right? It’s a limiter to business. And I think this idea that if an organization has phenomenal answers and phenomenal resources, that it actually can speed things like closes and win rates and things like that on the revenue side of the business.

I know you have got to go, Adam. I’ve learned a ton. If you have any parting thoughts, shots, questions that you’d love us to try to go out there and answer, you know, happy to hear it here or in a follow up email or anything like that.

Adam Erstelle:

I think the only parting thought I would have is just summarizing so much about cyber security and especially when it’s B2B it’s based on trust and honesty. There’s been times where we’ve answered security questionnaires saying, no, we don’t do this. And this is why we have a little bit of a discussion and we still win the business. So much of it is trust, which is kind of unfortunate from the security perspective. It’s unfortunate that so much of it is based on trust.

I don’t know if there’s a way that could be automated in some way. Imagine that there was an API you could call into Salesforce and say, what’s your security rating right now. And in the API it would say this is how secure we are. I mean, that would be pretty kick ass. But it is a huge double edged sword with that. So I don’t know, maybe that’s more a dream than a parting thought, but

Nick Zeckets:

I love that. I think there’s a very good business in there. Okay Adam, it’s been a delight as it always is. And thank you for spending time with us.

The Takeaways

The struggle small businesses’ tech teams have with managing security while having to deal with other responsibilities is one we hear about often. Adam’s perspective gives us good insight into the level of trust that these smaller businesses need to have in the vendors they use. In an ideal world, Adam thinks perhaps an API would exist that reveals the risks associated with each vendor so that small businesses can properly gauge whether that vendor is the right fit for them. In practice, logos are more often relied on, where small businesses need to have faith that larger businesses with more resources have properly vetted these vendors.
