Matt Huffman serves as the Information Technology Manager for Reinders, Inc, one of the Midwest’s largest full-service distributors of products to the commercial green industry. Matt has both administrated cybersecurity audits during his tenure at Wipfli and navigated them on the customer side. Through the years of seeing both ends, he developed a simple methodology to successfully save time and pass audits when they come around. Today we discuss those tips and tricks to help the IT leader manage what is traditionally a painful process.
Conversation Highlights:
[01:47] Introducing our guest, Matt Huffman
[04:11] How Matt came about his role
[08:38] What makes a good auditor
[11:28] Audit organization strategy
[13:38] Changes within audit processes across decades
[15:14] Challenges in preparing for audits
[23:49] Writing policies with ChatGPT
[30:39] IT career paths for students
[37:10] Matt's thoughts surrounding future tech
[39:55] Matt's message to IT leaders
Notable Quotes:
"You shouldn't have to prepare if you're organized." Aaron Bock [11:25]
"Know your value. No one's gonna do it for you." Matt Huffman [40:35]
Connect With Matt Huffman
LinkedIn: https://www.linkedin.com/in/matt-huffman-47baba18/
The IT Matters Podcast is about IT matters and matters pertaining to IT. It is produced by Opkalla, a technology advisory firm that helps their clients navigate the confusion in the technology marketplace and choose the solution that is right for their business.
Welcome to the Opkalla IT Matters Podcast, where we discuss the important matters within IT as well as the importance of IT across different industries and responsibilities.
About Opkalla:
Opkalla helps their clients navigate the confusion in the technology marketplace and choose the technology solutions that are right for their business. They work alongside IT teams to design, procure, implement and support the most complex IT solutions without an agenda or technology bias. Opkalla was founded around the belief that IT professionals deserve better, and is guided by their core values: trust, transparency and speed. For more information, visit https://opkalla.com/ or follow them on LinkedIn.
Narrator: Welcome to the IT
Matters podcast, where we
explore why IT matters and
matters pertaining to IT.
Keith Hawkey: Welcome to the IT
Matters podcast. Aaron, how're
you feeling today?
Aaron Bock: Doing great, Keith. I'm living
the dream, excited for our
guests today. I think we've got
a great, great set of topics we
have not covered before. In my
in my personal life, and I guess
in my interest this week, I'm
waiting to see if they they
found a real alien, the Mexican
Congress reviewed what some
people are saying is a fake
alien. Some people are saying
it's remains from 2000 years
ago, I saw someone post that
it's actually just a cake
underneath everything. So will
there be aliens on Earth? It
remains to be seen. Wonder what
technology the aliens are using
these days. That's that's what's
new with me. How about you,
Keith?
Keith Hawkey: I haven't
discovered any aliens yet. But
this story is certainly picking
up steam. I think our Congress
actually is passing some
legislation around this which is
very interesting because it's
not just the individuals that
become that have have ideas
about what they think is going
on. But the US Congress is
discussing it, which is a little
more intriguing. And I'm excited
to have my first Alien
relationship so that all, that
Aaron Bock: We will see.
Keith Hawkey: But let's let's
get us here today we have the
pleasure of speaking with Matt
Huffman, who hails from
Milwaukee, Wisconsin, the land
of the finest cheddar. If you're
from England, close your ears.
But the Milwaukee, Wisconsin is
also known for its brilliant
technological ingenuity. Matt
spends his professional time
saving the day serving as the IT
manager or, Matt, actually
helped me with pronunciation
here, reindeers, reindeers?
Matt Huffman: Reinders.
Keith Hawkey: Reinder, Reinders
Inc., one of the Midwest's
largest full service full
service distributors of products
for commercial green, the
commercial green industry. He
previously gained auditing
experience with the Lamacchia
group, and has extensive
experience preparing SOC 1, SOC
2 audits, type one and two. And
we're spending a lot of time
today talking about tips and
tricks to dramatically reduce
the time invested in what is
sometimes a pain, painstaking
process and come up with a
successful result. So Matt,
welcome to the podcast.
Matt Huffman: Thanks. Thank you
for having me.
Keith Hawkey: Before we begin,
after a thorough review of the
Reinders Inc, LinkedIn page, I
am ready to submit my name just
to participate in your lawn
mower race that's advertised on
the company profile. Are you
looking for fresh blood?
Matt Huffman: Yeah, that one,
you'd have to talk to the
marketing people because that's
new to me. We have so much going
on here. I've been here about
six months. We're currently in
the middle of an ERP, ISM, and
CSD rollout, oh and a new
website, all this week. So busy
busy.
Aaron Bock: Yet you're here with
us. We really appreciate that.
Matt Huffman: Yeah, no, no
worries.
Keith Hawkey: Yeah, we certainly
do. All right. Well, we'll table
the lawnmower race for now. But
if you do, if an opening does
open up, I'm willing to travel.
And I have most of my experience
in my adult years. I have to do
with a push mower but I can
revert back to the riding
lawnmower from when I lived in a
small town a long time ago.
Matt Huffman: Yeah, we'll have
to do it soon because it'll be
snowblower races pretty soon
here.
Keith Hawkey: Yeah. Yeah, that's
right. So Matt, can you tell us,
share the audience a little bit
about your background, history,
how you came about being a
sensei when it comes to reducing
the audit, the time that's spent
on audits and coming out with
successful results?
Matt Huffman: Yeah, I was
brought on board at a prior
organization who was prompted to
look into getting a SOC 2 by a
potential customer and they
looked internally and did not
see that they had all the
answers for that. And they were
using MSP so they thought we
need to bring someone in. I had
no experience and they just
thought we're bringing in our
own guy, our sys admin. He will
work with the facilitator of the
audit and you know, get it done
for us. And they gave me, you
know, about six months, a lot of
leeway for that. And the
auditors were, were very good,
they had a lot of stuff in
place, you know, I did have a
consultant that I was using as
well. So that first year, I got
it done, you know, the audit
took about 8 to 10 hours. And,
you know, they, they taught me a
lot, I learned a lot, and they
kind of just said, like, you
know, kudos to me for picking it
up and everything like that. The
customer was no longer
interested, they ended up using
us anyways, they didn't really,
you know, they were forward
thinking, but it didn't matter
to them, they just brought it up
as maybe a discussion point. But
the organization thought, hey,
we're dealing with a lot of
financials, let's keep this
going. So with that, knowing
that I was going to have to do
this again, I started looking at
a lot of the stuff that I had to
do, you know, and the, the type
of audit that we were going to
through was just a point in time
audit. So they come in, and it's
the type two, where they just
come in, no SOC 2, type one,
where they come in, and it's
like on this day, everything was
XY and Z. Whereas the type two
is they give you a period of
time, and all your examples, and
all your samples all have to be
within that period and work. So
knowing that I had to keep
everything going, I started
putting things out there as far
as you know, reminders,
upgrading documentation, always
looking at policies and
procedures. And the auditors
were, were very good about
allowing me to stay in touch
with them and ask them
questions. You know, when the
new things were changing, they
were letting me know, so I kind
of get ahead of some of that.
And then over the years, really,
it's it's set it and forget it,
you start doing this stuff, and
it becomes just sort of part of
your job, you're building the
documents. You know, some of my
first policies were very crude
and rudimentary, they might have
been two or three bullet points.
But over the years, you start
learning to build and you find
another document and Hey, I
could use this for this and you
start to you know, intermingle
some of the wording and you
poach from different things that
you see online. It's a lot
easier nowadays with ChatGPT.
I've just started using that for
other smaller things, using it
as a tool, less of an out of the
box solution, which I think it
has its place for things like
that. But yeah, I ended up doing
those audits for almost a decade
and passing them and getting
them down to only a couple
hours, you know, the auditors
were very happy when they saw
our company come up to do
because they knew it was going
to be an easy fast job, and that
I'd have everything. Eventually,
I parlayed that into a job as an
auditor. And I saw how difficult
and how bad a lot of clients
were. And especially with it was
hard for me to go to an
organization and see that they
had an IT team of 10 to 12 and
they could not give me
everything I needed where I knew
like hey, I've done this, I
could do this. But eventually,
you know the love of IT and
problem solving and turning an
organization around brought me
back to the field and to
Reinders.
Aaron Bock: Matt, you, Matt
shared with us before we
actually jumped on and were
recording that he listens to
podcasts at 1.7x. So I sense
efficiency in your life and the
ability to condense down, which
is great. I was also previously
an IT auditor back, way back in
the day, big four. And I did
some SOC 1, SOC 2s, I was doing
some of the SOCs work with post
post Enron. And auditors have
for years gotten a bad rap. And
there's a lot of reasons why.
What do you think makes a good
auditor?
Matt Huffman: One of the things
that kind of surprised me, when
I went was not a lot of the
auditors for IT, have a full IT
tech background. And that kind
of threw me off when I would
talk to these guys and they you
know, they they have CISA you
know, they've gone through
something like that, or, you
know, they, they might have a
Net+ or an A+ if you're
lucky. But they have no tech
background, no working, you
know, ins and outs of the
actual, you know, organizational
environment and you know, the
day to day stuff. So that really
threw me off. And it surprised
me because I would see guys
doing things like, you know,
they could just do this or this
and get away with it with this
or that and, you know, find the
ins and outs and that surprised
me the most, you know, seeing
that they weren't really full on
IT people, where the
organization would reserve those
kind of people for their
pentesting or for you know,
their their MSP services. So
that really threw me off from
that. The amount of searching
and documentation and just the
leeway that they give people.
That was to me, like you said,
I'm very efficient. So I'm just
like, what are we doing here?
Let's go.
Aaron Bock: Yeah, yeah, and I
can empathize with you or
sympathize whatever the,
whatever the correct word is for
the customer. But I remember
asking for, I think we call them
PVC lists or request lists like,
here's, here's the number of
things I need. And you knew on
day one, how bad was that going
to be. Because it was like,
yeah, four weeks, we'll have
this to you. It's like four
weeks?
Matt Huffman: Yeah, and that
next four weeks, and you might
have two weeks where you're just
waiting and waiting. And then
now this next week, here's a big
job, and they're ready. But now,
so is the other client, and
you're just like, Oh. Now you're
extra swamped. And, yeah, that
kind of stuff, I just, not my
forte. You know, I like being
busy in a good way. Having 80
hours of work of just searching
documentation was not fun.
Aaron Bock: But would you agree?
So you, you kind of said before
that last statement, you talked
about being prepared the
documentation, having things
ready. I think a lot of people
associate that with audits. But
wouldn't you agree, that's kind
of part of being a good in an
organization that documents and
has great process and control
like, that's part of what makes
the audit easier is if you're
organized, and you document and
you retain documents correctly,
that makes audits easier, but I
think people view audits as
like, I get prepared and do all
this stuff. You shouldn't have
to if you're organized.
Matt Huffman: No, I mean, it's
when you set, when you're doing
this audit in the end, you're
going to upload everything to a
single folder. And you know,
that's gonna be all your
evidence. You could copy that
folder and make, you know,
reminders on every piece of
evidence that you've provided,
you know, whether it's, Hey,
this is a screenshot of an
application, I just got to make
sure this application runs
weekly, I get this report daily,
I create a work order or a
change management, you know, I
get this approved through this
person, I get that approved
through that person. And it's
really just once you get it
going, it runs itself. But you
have to recognize that and want
to keep doing that. Like you
said, I mean, it's it's not
difficult, no audit is
difficult, the auditor doesn't
want to fail you, you know,
they're there to work with you,
when you talk to these auditors
and you go over your controls.
That's one of the things that I
learned, you know, through, you
know, a few years in is, the
control is really and you can,
you can mold those and
manipulate those to fit your,
you know, maybe you don't want
to go so tight on the screws for
security. As long as you're able
to mitigate and you know, have
those risk appetites and things,
you can you can loosen up a
little bit and still meet the
control. But a lot of people
when they see that might get
frightened and think, Oh, I've
got to have xy and z like, Well,
no, you can have x and z and you
just, you know, you mitigate y
with this. And you just have to
document it and show that.
Aaron Bock: Yeah, I tend to
agree with you. Well, one other
question on just like auditing
in general, and like where we're
at in 2023. You know, and my
experience may be different, but
I did a lot of the
organizational level monitoring
or auditing and general controls
auditing. I know cybersecurity
auditing is a totally different
beast. But like, with all the
requirements now for continuous
monitoring, logging, active
remediation and review, do you
think that some portions of
audits are really not as valid
anymore as they used to be
because we have so much real
time monitoring? Or do you still
think that like some of that,
like, log review controls and
continued like, you know,
signing off on things, do you
still think that that's valid in
2023?
Matt Huffman: Yes and no, I
mean, there's always going to be
low hanging fruit, and you want
to give the client you know,
more bang for the buck so you
want to keep that in, because if
you really streamlined it, I
think you would lose some of
that. And then there's also, you
never know what is going to be
the attack vector. You want to
be able to have that insight,
you want to be able to have
those policies, those
procedures, because you don't
know what tactics are going to
be used against you. So the more
visibility into environment is
not going to be, I don't ever
find that being something that's
going to be a negative. The one
thing that I would say is that
there are a lot of IT people out
there who will stay in an
environment where they're not
getting, you know, the
nourishment they need, and
they're okay with that. And to
me, that's a I don't understand
that, you know, I put value on
what I do and what I bring, and,
you know, it may not be here and
it may not be there, but it's
going to be somewhere and, you
know, I'm always investing in
myself and you know, we talked
about those efficiencies. You
know, I was at a spot where I
feel like I could have coasted,
I had it like I said running
autopilot. And you know that
could have been the end for me,
but it wasn't, it wasn't. I
wasn't ready for that, you know,
and here I am taking on a new
challenge where I've got a place
that is in the spot that needs a
lot of help. And my goal is to
get us audit ready. So if we
ever did have any kind of audit,
we're ready to go.
Keith Hawkey: Matt, what are
some of the challenges that
organizations face in preparing
for SOC 1 or SOC 1, type two,
SOC 2 audits? What are some of
the basics of?
Matt Huffman: I think it,
it's like Aaron alluded to, it's
that fear of an audit. I think
you get, you get caught up in
those headlights, and you start
thinking, how am I going to do
this? What am I going to do? And
we've all been there, whether it
be you know, on a school
assignment or a project, it just
seems so daunting and huge. And
when you just decide to nibble
around the edges, it takes
forever, whereas, hey, I'm just
gonna go right up the middle
with this thing. And sometimes
it's like, oh, that was nothing.
You know, it's, it's literally,
you know, it's like, oh, we've
got to get this giant security
policy, well, not really. Start
it small, your auditor is going
to be able to, you know, you're
going to have some time to send
that to them and say, Here,
here's this, and they're gonna
give you some feedback and let
you know what it's missing. And,
you know, it's like anything,
you take that feedback, and you
make the adjustments. And I
think it's just, it's about
tackling it. There's, you know,
like I said, some of these IT,
people, I mean, I've been on
audits where they've, I've asked
them about, you know, two
factor. Well, we don't have that
turned on. Well, why not? Well,
they haven't sent me up for
training for that. You don't
need to train for that, you
know, I mean, it's, it's pretty
simple to set that up and turn
it on. And it's really it comes
down to, I think there's still a
lot of old school mentality out
there with IT as well, a lot of
keeping things to ourselves, you
know, things are siloed. So
there's, there's a big change
coming, and you know, people are
going to fall by the wayside,
and other people are going to
either grow and learn, and some
are just going to take off. So I
think the fear is the biggest
thing for the audits, the fear
and the, the fear of the
unknown, and like I said, it's
really not unknown, it's
starting small and it grows, you
just keep going.
Keith Hawkey: Yeah, that that
makes a lot of sense. Have you
noticed any technology trends in
cybersecurity that can help
organizations prepare and pass
some security audits?
Matt Huffman: Yeah, there are
some systems out there,
software, I want to say. I took
notes on a lot of these and I
don't have them with me at the
moment. Like ServiceNow will
offer a lot of reports. You can
get things out of you know, if
you have enough visibility, you
could use Lansweeper, or you
could use Netwrix. You know, you
can get reports out of anything,
as long as you've got the got
them fleshed right and
configured to monitor what you
need, send to who needs to
approve them, who needs to do
what. You're, you're creating,
and documenting, you know,
tracking work orders is huge,
you know, having those, you
know, security incident
categories, change management
categories, having, you know, if
you are a solo IT person, don't
make all the decisions, you
know, send that off to, you
know, the CEO or the CIO to make
that final decision, because
then it shows, you know,
there's, there's a process, you
know, and, and it can just be
documented, you know. When XYZ
happens, it goes through me, and
then it goes to this person for
approval. And it's as small as
that sometimes you don't need a
board and you don't need, you
know, meetings every month and
people to go through certain
things it can, again, this has
that flexibility and the
controls where you can make some
of that happen yourself. Yeah,
Aaron Bock: I love it. I mean, I
just wish more people had this
view because, I mean, I don't we
don't get audited now but we
work with a lot of customers and
companies that are going through
audits. And the ones that, I
think the ones that view it as
like I said a burden earlier,
they don't understand the
purpose. And so what's
interesting is like what you're
basically talking about, it's
just good IT and honestly,
business practices of document,
prepare, plan, remediate, work
on fixing things, like that's
just the whole point of an audit
is just check in at a point in
time and say, Where are we,
right? So I love what you're
saying. I've seen more recently
and I'm curious, your thoughts
on this trend. We're seeing a
lot of, especially in the
cybersecurity auditing space,
which, you know, for those of
you who have not gone through
it, the listeners out there, a
lot of this is being driven from
insurance at this point, cyber
insurance questionnaires, maybe
audits. We're seeing, at least
in in in some subsets of
customers, using cybersecurity
audits as a as a jump off point
basically to ask for better
processes, more investment in
certain things and I think what
we see is a lot that you
mentioned, I forget if it was
pre-recording or after we turned
on recording, but you're working
with a kind of turning around IT
and, and making it better. In
that situation, one of the
easiest ways to do that is show
a bad audit, show a bad result
and say, Hey, here's what we
need to do to do that. And I'm
curious, like what you think of
that, that using an audit as
that jumping off point? And then
where do you go from there, when
you do go to try to turn around
and make things better?
Matt Huffman: Yeah, I think from
the cybersecurity insurance,
that too, a lot of people don't
realize that the cyber, the
insurance companies, they really
don't know what they're doing as
well. You know, they're throwing
a bunch of things on paper and
when it comes down to it, and
you have to call that in, that
is when they're going to
actually do their due diligence
and look for something that you
might be out of the loop on that
you didn't know, that's not on
that paper and really, really
going back to them asking them
the questions. You know, it's
that's not a to me, those are
also controls. When we got that
cyber insurance paperwork, I
sent that back, I had questions
I had, you know, what are you
doing for this? What are you
covering for that? What are you
asking by with this question.
But using, using that if you if
you aren't part of an
organization that is doing an
audit, use that cyber insurance
document as your audit, use
that. Come back to the
organization and be like, Look,
they're saying this, which
doesn't cover that, you know.
You might have an organization
that decides, hey, you know,
we're, we're selling widget ABC
here, we want to throw in this
little other tool that has
nothing to do with the
organization, but we think
companies will like it. But that
company and that division is run
by, you know, a family member
and it's not following any of
the rules and you want to make
sure you have that locked in,
you know, if you're going to say
like, look, that's none of that
is covered under our audit, and
that is wide open, they're
running their own devices,
they're doing their own stuff.
Like, you have to be able to
recognize that and you know,
like you said, utilize that
cyber insurance, to say like,
look, we want to get this in
place, we want to put these in
place, we want to start building
policies, procedures, software
security. I think that is a good
jump off. And even, you know,
one of the things that I would
do too, is my my CIO at the
time, I was, well not CIO, I
have a CIO here, but the CEO and
the COO, I would send them
notifications every week, Hey
look who got breached, look who
got breached. And it didn't have
to be big breaches, it was
little breaches, because a lot
of times you'll get that
mentality from the C-levels and
the execs like, well, we're only
a $30 million company, why would
they come after us? Well,
they're not coming after a $30
million company, they went to an
IP range or a scope of IPs and
they found what they could get,
what was vulnerable. And a lot
of times, you could be a pivot
point. And I had to explain to
them like we are, maybe they
don't come to us, but we are a
pivot point to all our clients
who are larger than us. You
know, so they, they need to see
some things like that sometimes.
Aaron Bock: The number of
stories out there around what
you just said is incredible.
The, "We're not big enough." For
anyone listening, that is that
is a completely invalid
statement in 2023 and probably
will be forever from now on
because of AI and all the
different reasons. Like people
aren't targeting like a certain
size company, they're targeting
whatever's out there and they're
targeting it because it's just
part of a, like you said, it's a
block of IPs or it's something
easy. One of our favorite topics
on this podcast with just all of
our guests is the theme around
AI. You mentioned it earlier,
like writing policies with with
ChatGPT or Bard. How should
people consider using AI for you
know, policies? What are some
other ideas people can use AI
for in helping them with audits?
Matt Huffman: Yeah, definitely. It's
funny as I, I recently, probably
in the last five months have
turned around on AI. I was very
proud of all my documentation
that I created. I won an award
at school for a paper that I
wrote because of it, you know,
they turn it into a system that
will scan it for any kind of
plagiarism. And, you know,
you're allowed, you know, 10 to
30% based on citing and
everything. I had a 0.0 so I was
just like, oh, this is good,
they're gonna flame out or it's
gonna be great. And it was good.
So I was very proud of it, you
know, I put a lot of work in.
But then yeah, I got to a
position like this again and I'm
just like, you know, where were
these emails? You know, you want
to, you wish you'd go back and
find your old stuff because
you're like, I've spent so much
time on it and I worded at it
and so you make a rough draft
and then it wasn't cutting it
and I'm just like, Alright, let
me give it a go. So I started
throwing things into ChatGPT.
And, you know, whether it be an
email telling everybody Hey,
this is how we're going to start
doing our phishing training or,
you know, a small mobile device
policy, you don't want to start,
you know, you can finagle, you
know, you can, it's, it's
awesome what you can do. You can
say, hey, less words, more
words, put in three bullet
points, take out five, you know,
and it's, it really is a good
tool, but what I do, you know, I
haven't gone where it comes
right out of the box. I will
create what I want, throw it in
there, have it zhuzh it up, then
I'll clean it up. And then, you
know, I still I have the final
oversight on it. So I think
people need to use it like that,
I think that's going to be the
best way. I do see people using
it for coding, I have not done
any of that yet. For auditing,
it's definitely good to, like I
said the policies and
procedures, I guess I really
would have to look more to see
what else I could do with it.
You know, I don't know if it
does reminders for you, if you
want to have ChatGPT, create
some kind of scheduling, you
could have it do something like
that, you know, maybe put in
your team, their skill set and
see if they can do any kind of
assigning. That would be a good,
a good way to test it out as
well.
Keith Hawkey: You mentioned that
you had tested it out with some
of the, against some of the
policies and procedures that you
came up with. What did you
notice that ChatGPT produced,
compared to what your
methodology had arose to?
Matt Huffman: Sometimes it adds
a few things, it's a little more
thorough, it could be too
thorough, too in depth, too many
steps. It will do that, you
know, one of the things that I
kind of liked from being an IT
manager, and what I've done
throughout my career, I feel
like I remember what, I didn't
grow up in computers. This is
like my third career. You know,
I've been in it for about 15-17
years now. You know, and I, I
remember my first laptop I had
for school. I was in school for
firefighting, and I've had that
thing in a sleeve inside another
sleeve in a backpack. Like it
was my first computer, I, you
know, didn't know what to do
with it, I treated it with, you
know, like gold. And you know, a
year later, I'm pulling it apart
and doing everything I can. So I
still remember how it felt. And
I remember, you know, looking at
a computer not knowing what to
do. So I tried to break things
down for my users, and I try not
to get too far above their
heads. And I want them to feel
comfortable with technology. So
that's one thing I've always
done. And one thing that ChatGPT
does, it doesn't know how to do
that. So I do know how to myself
tone it down and kind of put it
in, you know, take out some of
the, you know, the the buzzwords
it likes to use and things like
that or any like I said when it
gets too far down any lane.
Aaron Bock: But to your point, I
think like I mean, this isn't a
question, this is a statement.
When you know Keith and I
interview a lot of customers
about specific problems, broad,
we talk to CFOs, CTOs, CIOs, all
the way down to a system admin.
Something that in this day and
age like to me, it's like, I
hear people and they're like,
well, we don't have a policy for
that. I mean, at a minimum, put
something into ChatGPT, write a
policy, even if it's not the
best, like you've got a lot of
experience, put something in
place so that you have it and
you can at least go back and say
like, I have this like my
framework. Yeah. Yeah, like I
mean, it's crazy. You can ask
you, like you said, you can ask
it to say, map to blank control
and write a policy and just
reference it and yeah check it
but like, it's going to do it
for you.
Matt Huffman: You could I mean,
there is, I don't know if people
know how to use it well enough,
but like, you can tell it out
the gate like, Hey, here's who I
am. Here's my views on things,
it's going to ask you a couple
of things, you can load that in
ahead of time so it starts to
try to learn as you talk. But
yeah, literally, you could say I
need an MDM policy for 50 cell
phones on Verizon, I would like
to keep the users to using our
devices, if they're going to use
email on their own devices we're
going to lock it down. And you
could just say what you want to
say to it and it will put it
where you want to go. It'll take
you to that policy, it'll create
it and then you know, obviously
you'll read it over and you
could even just write after you
see it, less words, more bullet
points, you know, friendlier,
sterner, you know, you could do
things like that and it's going
to keep spitting it out till you
get what you want. You're like,
I don't like that line, I don't
like that line, but everything
else is gold.
Aaron Bock: I know I'm using,
I'm using ChatGPT on how to
better communicate with my kid.
No, I'm just kidding, I'm not.
Matt Huffman: But I coach my
daughter's softball and I had it
put together a practice schedule
for us. I said, I need, you
know, I need, give me 20 minutes
of conditioning, give me 20
minutes of fielding. I knew I
wanted to do a scrimmage and
give me you know, 20 minutes of
this and then you know it set
everything up. It gave me the
times it broke it down. And I
knew all right, we're good.
That's what we're gonna use.
Aaron Bock: That's awesome. I,
Keith I know you probably have a
question. Real quick, I want to
transition back a second away
from the AI conversation because
we have this a lot and you have
a lot of kind of interesting
experience. Shifting back,
you're an IT manager and you're
doing you know, you're trying to
help create better policies,
procedures, make sure controls
are in place for IT, have
efficient systems. What has made
you, how has an IT auditor, that
experience and dealing with
audits made you a better IT
manager one? And then two, for
those students that are in
college, because IT audit has
always been something where
there's a lot of jobs typically
coming out of college. Like,
would you still recommend
students go to that? Is that a
good career path to get where
you're at? Just kind of share
your thoughts on what makes you
better at your job from your
experience?
Matt Huffman: Yeah, one of the
things I mean, it definitely
reaffirmed my love of IT. You
know, and it did show me that,
hey, I am, I am that dude, I'm
the guy that goes, you know and
I keep going, I don't settle,
you know, I'm always going
forward. And, you know, a year
of auditing, say, 100 different
companies and IT departments,
you see a lot, you don't see a
lot of people like yourself, you
know. And then like I said, you
see some of those issues and
you're like, man, you could just
do this, or you need to do that.
Or you just tell them, you know,
you guys got to do this, you
know, and you're seeing all
these holes, and no one's doing
anything about it. And you
realize there's a lot of bad IT
out there. And, you know, this
isn't what I want to see, I
don't want to be in this
negativity. So it definitely
reaffirmed my love. It made me
realize that like, Hey, I like
making changes, I like getting
problems, I like to be hands on.
I don't want to see a problem
and just give someone an answer
and that's it, I'm out the door.
I want to be a part of that, I
want to see it to, you know, to
the finish. As far as new people
coming out of school, it really
depends. You know, I mean, if
you're in IT, I would not want
to be in that because you're not
going to get the full IT
experience. You know, as you're
moving your way up in your
career, and you need a stopping
point, probably mid level, it'd
be nice. But then I don't know,
I think it takes a real special
person to want to sit, you know,
the, the best part of it was
only about 5-10%, where you're
really involved. I mean, there's
so much documentation and so
much, you know, the
interviewings when you're
interviewing other IT people is
good to talk to them, to meet
people, you know, I can do all
that all day. But there is a
solid chunk where you are alone
with a document, looking through
controls, and you're looking
through this, and you're looking
at that. Does this meet this?
And then finding the evidence
and then waiting for it or
requesting it. There's a lot of
follow up there and a lot of
stuff, if that's your, if that's
your forte, jump in, you know,
feet first head first, whatever
you want to do. But if you're
new, and you want to be in this
and you have that inquisitive
mindset and you're, you know, that
IT tech detective, and you want
to fix things, and you're a
people pleaser. Like I have
never been the IT guy was like,
ugh users, like no, these are my
people like I'm here to make
them better. My goal is for
everyone who ever leaves here to
go, that was the best IT
department I've ever worked
with, you know. So that's always
my goal. So if, if that's you,
then, you know, probably not
jump in there. But don't be
afraid of it too.
Keith Hawkey: What do you, do
you guys hire graduate students
from universities at your
organization, have you had
experience of that?
Matt Huffman: I did have a
little turnaround here, you
know, change of culture coming
in. I did have one person right
now who is still in school. And
helping him and mentoring him
has been rock steady. And
actually I've got a new guy
starting today as well, and I've
had a new one start last week.
So my team is now set. I've got
people who have that same
mentality and buy in as myself
and we're ready to just, you
know, I was done pulling this
and I'm ready to just run with
this with everybody else. So I, I
look at it as any level if
you're, if you're into it, like
I'm going to be into it too.
Like I run a local IT group. You
know, I'm always looking to
mentor people and help people
and I think that was big for me
early in my career. And I want
to keep helping that because you
know, it's, you know, read it,
write it, do it, teach it that
whole thing just keeps
re-solidifying. And I always
learn from them, they learn from
me and I don't want to stop yet.
Like I said I'm not ready to
cruise.
Keith Hawkey: To those IT
leaders that are looking to hire
younger talent, particularly
fresh out of college, what can
they expect in a new generation?
How do they, how do you motivate
them? How do you, what skill
sets should you look for? What
gets them ticking and in sync
with the organization? What do
you say to that?
Matt Huffman: Yeah, that's,
that's a difficult one because
you know, through the process of
me hiring people, you know, the
pandemic didn't help, a lot of
people getting overpaid, a lot
of people jumping around didn't
help. So you got a lot of people
with inflated ego thinking that
they have the need that you
want. And me, I look for a
particular personality trait, a
particular, you know, I want
someone who wants it, who's
going to get it, who's going to
put in the time, I'm looking for
someone like me, and that's hard
when you, you know, I inherited
a group of people who were not.
People who were the coasters who
were, you know, the social
loafing was the norm, you know,
we get put on a group project
well the group will do it. And
you know, if you have four
people in the group, and all
four think someone else in the
group is going to do it, it's
not going to get done. You know,
I want people that are like,
I'll just do it myself. Like,
no, we'll put you in a team and
you'll all get it done, but I
think it's, there is a mentality
out there with this younger
generation that you know, they,
they've earned it before they
work for it. They'll work hard
after you pay them or, you know,
they're not here to work hard,
because they want that balance.
And they don't know what the
balance is yet, but they think
it's earned and already given to
them. Now, that's just my two
cents.
Keith Hawkey: Yeah, yeah, that
certainly speaks to us. We hire,
typically a younger audience as
well at Opkalla. And it's, it's
definitely a different mindset,
we try to lean on the, the urge
to try new things, and encourage
that. For one, whenever ChatGPT
came out, we encourage everyone
to try to find ways to leverage
this tool in your job. Yeah,
from day one as an initiative.
So I think the new and the fresh
attracts, is attractive toward
the younger audience. And we
certainly lean on those types of
initiatives to encourage them to
grow and develop, at least, at
least from our side of the
organization, Opkalla.
Aaron Bock: The question I have,
for our listeners, we always ask
about kind of future tech, and
it feels like the last five or
six guests have been, we've
talked a lot about like
generative AI, predictive AI,
etc. I want to, I want to kind
of exclude AI, it could be a
tool that's sort of around AI
and has some components. But
from your perspective, as an IT
leader, what tech are you most
excited about over the next five
years or so, that is not
specifically AI? I mean, I know
it's hard to find one anymore,
but like, what are you most
excited about that you feel like
it's gonna make a big change for
you.
Matt Huffman: That's a good one.
I'm not too keen on the cloud. I
just, I feel like a lot of
people are relying on that for
security, thinking it's someone
else's device, and they're not
realizing that it's not. Maybe
it's not tech, but maybe it's
more of a process. Maybe I'm
more excited that more people
are going to start getting into
security, and figuring out
security. We're gonna start
seeing a lot of, for that to
happen, though, we're gonna see
a lot of bad too, you know. You
can't have all the tightening
and all the, the figuring of
things out and the good products
without bad things happening. So
I think we're gonna see a lot of
stuff. We're gonna see a lot of
people, you know, like this MGM
thing, all the different sides
of it coming out. I like that
there's information, you know,
that, you know, you're going to
hear people, you know, I have
older relatives, like, Oh, my
God, these people hack that
company. It's like, well, that's
not really what happened, you
know, they were in the middle of
negotiating with them. And the
company kind of did it
themselves a little bit. So
it's, you're gonna see a lot of
bad practices blamed on, you
know, other people and other
things. But being that we're in
kind of an information age, who
knows. I mean, kind of back to
your early stuff, like, maybe we
get some stuff released. And we
figured out how to make that
paper thin saucer, right. Some
of that technology, some of that
no fossil fuel energy, and we
all get jet bikes and stuff like
that, that'd be nice. Motorcycle
in the sky.
Aaron Bock: There we go.
Perfect. I love it. That's, if
that's the new tech we're
looking forward to, I'm excited.
Matt Huffman: Yeah, I really
don't think a lot about the
future in that aspect. I just
kind of roll with everything.
And, you know, I do try to go to
a lot of events and conferences
and see what's coming out there
and, you know, I get excited
when I see it, you know. Pipe
dreams, you know, I don't really
chase that. You know, let me see
what you have done. Let me see
what's really coming.
Keith Hawkey: Yeah, I think I
couldn't agree more. We're
coming up to about the end of
the podcast, Matt. And one thing
we like to do is ask if you
could disseminate a message to
the wider tech industry, could
be about some personal advice
that you have, it could be about
a philosophy of going about
work, could be about a lot of
things. What would you tell an
eager audience looking for
advice, when it comes to how to
be a more effective IT leader?
Matt Huffman: Definitely believe
in yourself. You have to put
yourself out there, you have to
be your first fan, you have to
be the one putting you out there
and doing everything for
yourself. Know your value. No
one's gonna do it for you. So
you have to definitely do that
for yourself and invest in
yourself, keep putting it back
into you, it's going to come
back and, and if it doesn't, you
still invested in yourself, you
put that time in for you. So I
definitely, always feel like,
you know, continuing education,
you know, keep tinkering with
toys, and different, you know,
little doodads and events, you
know, not events, devices, and,
you know, go to events, learn
those things. To me, it's that.
It's just putting back, you're
gonna get back what you put in,
you know what I mean. If you're
a plant, keep watering yourself,
keep, keep out in the sun. Keep
doing that. Don't expect, oh, I
got hired here, they're going to
send me to an event, they're
going to train me, they're going
to do this. They're not going to
do that. They don't care. I
mean, unless you've got it
worked in or you have a manager
like me, who wants to send you
somewhere. You can't always
assume that. So do it yourself,
get it done. Find those things
that motivate you and keep you
going.
Aaron Bock: I love that. That's
great life advice in general.
And it can be applied to any
team, any individual, any
career. I love it. Matt, this
has been an awesome episode.
Thank you for sharing all of
your knowledge. For those
listeners out there, what's the
easiest way to connect with you?
Matt Huffman: Wherever you can
find me. LinkedIn. I don't
really like hang out on
Facebook. I don't do the TikTok
thing that much because you just
get sucked down that hole for an
hour or three. But no, LinkedIn,
email, mhuffman@reinders.com. My
personal email is
mhuffman23@gmail.com, if anybody
wanted to reach out to me. I'm
an open book. I'm willing to
talk to anybody, help anybody
out, do stuff. So, all good.
Aaron Bock: Yeah, we appreciate
it. This has been awesome. And
you took time out of your day,
which we appreciate and I know
our listeners will appreciate
it. So thank you, Matt, Keith,
another great episode. To all
our listeners out there thank
you for joining us again on the
IT Matters podcast. Remember to
subscribe on your favorite
podcast platform. Leave us a
review. Hopefully it's five
stars, although I know our jokes
sometimes might bring a star
down. But please leave a good
review for us and we hope you
have a great rest of the day and
week.
Narrator: Thanks for listening.
The IT Matters podcast is
produced by Opkalla, an IT
advisory firm that helps
businesses navigate the vast and
complex IT marketplace. Learn
more about Opkalla at
opkalla.com.