Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


[Podcast] I’m Brian Vecci, Technical Evangelist at Varonis, and This is How I Work

Data Security


Leave a review for our podcast & we'll send you a pack of infosec cards.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

If you’ve ever seen Technical Evangelist Brian Vecci present, his passion for Varonis is palpable. He makes presenting look effortless and easy, but as we all know, excellence requires a complete devotion to the craft. I recently spoke to him to gain insight into his work and to shed light on his process as a presenter.

“When I first started presenting for Varonis, I’d have the presentation open on one half of the screen and Evernote open on the other half and actually write out every word I was going to say for each slide,” said Brian.

From there, he improvises from the script.

“I’d often change things up while presenting based on people’s reactions or questions, but the process of actually writing everything out first made responding and reacting and changing the presentation a lot easier. I still do that, especially for new presentations.”

According to Varonis CMO David Gibson:

Brian’s high energy, curiosity, and multi-faceted skills – technical aptitude, communication skills, sales acumen, and organizational capabilities -make him an exceptional evangelist.

Read on to learn more about Brian – this time, in his own words.

What would people never guess you do in your role?

I’m really lucky that my role at Varonis lets me engage with people all over the company, including Marketing, Sales, Support, Engineering, and Product Management, so I’m not sure that there’s anything anyone would never guess about what I do.

When it comes to the more public aspects of what I do, like press, Connect events, and customer meetings, I spend more time drilling and practicing what I’m going to say so that when I’m on stage or in front of a camera, I can improvise off a script rather than trying to remember what I’m supposed to be talking about.

What did you learn about yourself after working at Varonis?

That I need to spend more time listening and less time talking. One of my first trips I made at Varonis was going to a few customer meetings in California and before I left David Gibson reminded me to “make the meeting about them,” meaning the people I was meeting with. It’s still something I’m working to get better at and have to consistently remind myself of.

How has Varonis helped you in your career development?

It would be hard to come up with ways that Varonis hasn’t helped me in my career.

I’ve become way more confident in front of audiences. I’ve gotten better at confidently talking about things I know well and I’ve gotten more comfortable with saying, “I don’t know.”

I was always in technical roles before coming to Varonis and sometimes it’s hard to admit that you don’t know something when it’s your job to.

What advice do you have for prospective candidates?

Varonis more than anywhere else I’ve ever worked rewards energy, enthusiasm, and hard work.

We’re much bigger than we were when I joined back in 2010, but there’s still so many things that we’re learning how to do well as a company.

The people who succeed here are the ones that do, fail, and get better.

What do you like most about the company? 

I admire how much of our leadership has been here for so long, and I think that’s reflective of everyone having the same goal.

It’s been rare in my career before coming to Varonis to feel like a part of an organization on a mission. That’s never been an issue here.

I know what it’s like to work somewhere where the leaders have no vision, let alone the ability to execute on it.

What’s the biggest data security problem your prospects are faced with?

When I first got here we were spending a lot of time just teaching our prospects that security on file systems was possible!

Making sure the right people had access to what they were supposed to was an impossible problem to solve for so many people for so long that we had to spend a lot of time just education people that we understood the root of their problems and could actually fix them.

These days everyone seems to know it’s a problem and the biggest challenge our prospects face is knowing how to get there.

“I get what you (Varonis) do, but tell me how we can actually get there” is something I hear a lot. That’s probably because I spend a lot of time talking about our Operational Journey these days.

What certificates do you have?

I’ve got a CISSP, which is the only certification I ever put a lot of work into.

Fave book?

I love to read and have a bunch. I read The Count of Monte Cristo every few years, so that’s up there. Dune is another one that I try and read every now and then. Gateway by Frederick Pohl as well. The book that helped me most with my job is Working with Emotional Intelligence by Daniel Coleman.

What is your fave time hack?

Adding my flights and hotels to my wife’s Gmail calendar because what do you mean you didn’t know I was going to be in London this week?

What’s your favorite quote?

Decisions are made by those who show up. I’m not sure who to attribute it to, but the first person I remember saying it to me was my father.

Interested in becoming Brian’s colleague? Check out our open positions, here!

Brian Vecci

Hi, my name is Brian Vecci and I’m currently a technical evangelist at Varonis, and this is how I work.

Cindy Ng

Thanks, Brian, for joining us today. How long have you been with Varonis?

Brian Vecci

That’s an interesting question. I’ve been with Varonis since March of 2010. But as some or many people may know, I actually left for about 10 months before coming back. I’m in my second term at Varonis, and I’ve been here now for…in my second stint for about two and a half years. But when I introduce myself I say I’ve been here since 2010.

Cindy Ng

What was your background prior to joining Varonis?

Brian Vecci

I went to college and studied computer science and music. And I came out of college and immediately went to work as a web developer. So I was an engineer, and I spent time doing web and applications development. And I discovered that I’m generally better at talking about the kinds of things that I was doing and helping other people understand the technology that I was building than actually building the technology which people that know me probably won’t surprise anybody.

So I was an engineer, an applications developer then I moved into project management. I was a project manager for a while, a systems architect. And right before I came to Varonis, I was in desktop architecture for an investment bank. And before that I had done project management at a law firm and I’d been in a publishing company. So I’d kind of been in IT and IT applications and a few different roles and hopped around a few different industries before coming to Varonis.

Cindy Ng

And how did you know that Varonis was a good fit for you?

Brian Vecci

I knew immediately that Varonis was a good fit for me because I needed a job and they offered me a job. So the fact that I got a job offer was the first big clue but really I connected with an old manager of mine at a law firm, Chadbourne & Parke who’s one of the best managers that I’d ever had up until that point, introduced me. He know I was looking for a job and introduced me to a friend of his at another law firm who had a friend who worked for this tiny startup company called Varonis who was looking for someone to do what they were calling technical marketing which is something that I’d never done before.

And so I interviewed with this guy, his name is David Gibson, and he was a former SE and was looking for someone technical, and I met him and we got along great. And then a couple of days later I met a guy named Mark Wilcox and we got along really well, and a couple of days later I sat in a windowless conference room in New York City, then a couple of guys named Ken Spinner and Jim O’Boyle and a few. About 30 minutes into that meeting I met a guy name Yaki Faitelson, and every single person that I met along the way was passionate and enthusiastic and super intelligent and seemed to work really hard and really believed really strongly in what they were doing, and I had no idea what we were doing at that point. I didn’t really know what Varonis did. I had some kind of inkling.

So it was less the company itself and more the people that I was about to start working with that made me pretty confident that this was gonna be a good fit and it turned out to be right.

Cindy Ng

And what did you learn about yourself after working at Varonis?

Brian Vecci

That I need to spend way less time talking and way more time listening. It’s one of the first lessons that David tried to impart on me. I remember before in one of my first trips out to do some customer meetings, he said to me, “You know, Brian, you’ve got to always remember make the meeting about them not about you.” And anybody who knows me well will hear me say that out loud and laugh at me because they realize that’s still something that I struggle with sometimes.

But learning how to shut up and listen, have a little bit of empathy and think about the people that you’re talking to and what they care about was one of the hardest lessons for me to learn because it’s something that I’m not naturally good at but it’s something that stuck with me for eight years and something that I continue to work on. I think about it as something that I’m hopefully a little bit better at than I used to be and that I continue to improve on. And every time I’m mindful and focused on listening to others I find that I get better at what I do and feel better about what I do.

Cindy Ng

And when you go to a meeting, when you talk to them, what is the biggest data security problem your prospects are faced with?

Brian Vecci

Well, I spend a lot of time in meetings talking these days about our operational journey. And that means the biggest data security problem, the prospects that I’m talking to when I’m talking to, the biggest problem that they face is, they know they have a big problem. They know they have a ton of data.

They may know that some of it is sensitive, they may not, they may have some ideas of where it is, they may have some sense of the scale of the problem that they’re facing trying to help the right people have access to the right data but the biggest problem they face is, “All right. We know we have these huge problems, we get it. How do we get there? How do we go from the state where everything is chaos to this vision that you’re talking about where only the right people have access to just what they’re supposed to and everything’s monitored. When something goes wrong we know about it?”

So the biggest problem these days is just how to get there. It’s less about a specific technical problem and more about, “I don’t know what I need to do first, second, third or fourth,” which is really different like even when you and I started here. Like seven, eight years ago the biggest problem that we faced was that our prospects had no idea that they had these problems. We spent so much time just educating people first of all, unstructured data or data on file systems is important and it was exposed and they had no idea how big of a problem they had, let alone what they needed to do to fix it. That’s changed. These days most people know that they have a big problem, they just don’t know how to get there.

So what I’m finding is when I am talking to a prospect it’s because they wanna learn about, you know, what our operational journey looks like. Those are words that we use, but what it really means is, “I know I have big problems. I have a sense that you can help me. How can we actually get to the state that you’re talking about?” If that makes some sense

Cindy Ng

Yeah. Take us through an operational journey from start to finish that you think might be helpful for our listeners to understand the important work you do. Let’s start with verticals. Do verticals matter? Does this journey apply to every company?

Brian Vecci

I think the journey applies to every company because every company has data but that doesn’t mean that verticals don’t matter. Verticals do matter because the ways a bank thinks about their data because they’re so highly regulated, because they know they’ve got, for instance, customer information, that if it was exposed or leaked improperly could result in big fines, the kinds of things highly regulated industries think about when it comes to their data are a little bit different than, for instance, a media company or somebody who’s not as regulated.

Everybody’s got the same problems but the vertical can really dictate sometimes how a prospect thinks about or even talks about their data. That said, the operational journey, it’s pretty much the same. We don’t have to change what our journey looks like depending on the vertical. Everybody gets a lot of data, and if they’ve never worked with Varonis before I’m pretty sure they don’t really have a handle on what kind of data they have, meaning what sensitive and what’s not. They really don’t have a handle on where it all is.

They’re probably not monitoring how it’s used. There’s a sound bite that I use often, you can’t catch what you can’t see, and you can’t manage what you don’t monitor, which sounds trite but are absolutely true. It’s really difficult to make decisions about something when you know nothing about it and so many companies know nothing about their data.

So the journey starts with, and this is gonna sound kind of sales-y because we spend a lot of time building content for Salesforce to learn, but turning on the light, just helping somebody understand, “Listen, here’s where your data is. Here’s who got access to it. Here’s what’s sensitive, here’s where it’s exposed, and look, here’s how it’s being used.” And when you do that, when you just start with that you’re often so much further ahead than you were before.

The journey then kind of moves on to not only understanding what you’ve got but fixing the biggest problems. When you turn on the lights you can start to prioritize and understand where you’re exposed and where you’re at risk.

One of the things that I talk a lot about, many of the presentations that I give is that risk is a pretty simple equation. It’s how valuable is something and how likely is it that something’s gonna go wrong with that asset or that data? So how valuable is our data? What’s the likelihood that it’s gonna get lost or stolen or misused? And our operational…a big part of our operational journey is helping our prospects to quantify that.

How many folders do you have that have sensitive data that are exposed to many people, that are exposed to global access groups? That’s easy for us to put numbers behind, very hard for someone to do without Varonis. But once you understand where you’re exposed, we call it prevent. We detect and then prevent, but preventing disaster means reducing exposure, making sure only the right people have access to what they’re supposed to, locking down sensitive data, getting rid of global access, and starting to figure out who this data belongs to so that you can get them involved in making decisions.

Finally, the last step of the journey is to automate things like entitlement reviews. Why should somebody at the helpdesk or somebody in security or somebody in IT be making regular decisions about who should and shouldn’t have access? It’s the data owners, it’s the people who understand and have real context that should be.

So automating entitlement reviews, automating authorization workflows, automating quarantining and retention and disposition, these are all kind of technical ways of saying, “Once you understand your data and you lock it down, you can start to treat it like you would anything else that’s valuable,” and Varonis can help you do that in an automated way so that you’re not going through endless projects for annual clean-ups and things like that, which is what we see our prospects either are doing or have done in the past in trying to solve some of these problems.

Cindy Ng

So how can you turn on the lights for our customers? How do they acknowledge their problem? Do they know that they have problems? How do they respond?

Brian Vecci

Customers who or prospects, I should say, who we do risk assessment for and we’re completely shocked by what we found. I hear stories a lot of sale teams being kicked out of the room when somebody says, “You know what? We had no idea that this much sensitive data was this exposed, that you can’t see this, like we could all get in a lot of trouble, you have to leave the room.” So sometimes it’s really surprising.

Other times and this is becoming more common these days, a prospect will know that they have a big problem but they didn’t realize maybe the extent of it or they’ve never seen it presented in such a comprehensive way. Our risk assessments are so valuable, and it’s one of the reasons we talk about or evaluations or our proofs of concept as a risk assessment these days because that’s really what they are.

We can go in and give somebody a pretty clear picture of what their environment looks like without a whole lot of work. We can tell them concretely, “Here’s how much data you have, here’s how much of it is sensitive and here’s how much of it is open. Here’s literally how much risk you’re facing right now and here’s how you can kind of fix all these problems.”

So, to answer it, I think your question is, “Do they know it’s a problem?” Sometimes they do, sometimes they don’t. Oftentimes they have no idea of the real scale of the problem or even if they do know they have a big problem it’s still eye-opening for us to do a risk assessment and show them really specifically exactly where the problems are and how they can actually fix them.

Cindy Ng

So after they kick you out and hopefully they bring you back in and that you try to convince them that our methodology is the right one to follow, how do you convince them that there’s so many solutions to a problem? Why is the Varonis way the right way?

Brian Vecci

I’m going to disagree with you that there’s so many solutions to a problem because this particular problem, especially when we’re talking about a data stores like file systems that are pretty chaotic, there aren’t a lot of solutions to that problem.

What we’re very fortunate in that Varonis has technology that’s unique. Nobody else does what we do the way that we do it. And I can speak from personal experience. Having spent some time at one of our competitors, nobody else does what we do the way that we do it. So when we can come in and present not just, “Hey, look, we showed you, you have a big problem, but we showed you you have a big problem and we have the technology to help you solve it, and we have the track record and experience to show you that we’re good at actually doing this.” Our methodology, it’s not pie in the sky, it’s not in theory. We’ve got more than 6250 as our last earnings call.

That’s a lot of customers who have used Varonis to actually solve some of these problems. So our methodology is based on experience and that carries a lot of weight. There’s lots of ways to solve this problem, it’s really, in our experience, there’s very, very few ways to solve this problem, and we’re fortunate enough that if you wanna solve it you need not only a methodology to do it, you need an approach, you need technology to enable that approach to actually work.

And I speak honestly in my experience, Varonis is the only way to do it, which it’s a lot of fun to work for a place where you can not only identify a big problem but help people solve it and you’re the only ones that can do it. We’re in a really unique situation.

Cindy Ng

What do they initially buy when they decide that Varonis is the only way?

Brian Vecci

Everybody has Windows data or CIFs data, whether it’s NAS or on Windows File Servers. So, most commonly it’s DatAdvantage for Windows because that’s what gives you the ability to not only monitor everything but map all of the identities and all of the permissions. That’s pretty critical to turning on the lights. Another big part of turning on the lights is understanding where sensitive data is. So data classification. And our data classification engine is kind of a no-brainer. So that’s a big…that’s a pretty common piece of that initial package.

And then the great thing about DatAlert and DatAlert suite is that it becomes more powerful the more ingredients, the more we call them behavior streams or metadata streams that you give it. The more information the DatAlert has to analyze and alert you the more valuable it is. So with DatAdvantage for Windows you’re mapping permissions, you’re monitoring Windows data and access activity for the users on that data. Data classification gives you some context in what’s sensitive and what’s not which is really important.

And Directory Services allows you to monitor Active Directory too, everybody has Active Directory. So those I think are the most common but I wanna be careful about saying what are, you know, our most common package is.

Cindy Ng

And then how do you quantify the improvement so that customers know that you’ve helped them and they wanna continue the journey with you?

Brian Vecci

It’s a really excellent question. And it’s a big part of our risk assessment, is to quantify what their risk is, what their risk profile is. And we quantify that by how much data do you have? How much of that is sensitive and how much of that is open? And if you just track those things, “All right. How many folders do I have? How many of those folders are open to everybody or, you know, open to lots of people? How many of those folders that are open are also contain sensitive information?”

If you take that number and you start tracking it over time and you see the number of, you know, folders that are sensitive and open and you see that number going down, you see the number of folders that are stale and you see that number going down because you’re deleting or archiving it, you see the number of things like users who are enabled but not active, or users that have passwords set not to expire or the number of file system artifacts like orphaned SIDs or individuals on access control lists or the number of issues that we find in Active Directory, there’s lots of really specific metrics that only we can measure, and I say only we because we’re the only ones that have the ability to scan every single folder and subfolder and every single sharepoint site and sub-sites, and we monitor every single data touch. We’re the only ones that can really do that especially at scale.

We can start to put really specific metrics behind, “All right. Here’s what you’ve got. Here’s where you’re at risk, and here’s how you can measure the improvement over time.” And that’s what we show our prospect in a risk assessment, and hopefully, that’s what we’re tracking as they go through our operational journey.

Cindy Ng

And describe what utopia would look like in a company’s file system?

Brian Vecci

I would say, here’s what utopia looks like, and this is part of a lot of the presentations that I give these days. Like what is the Varonis’ vision for how you can think about your data? And it’s pretty straightforward. You know where all your sensitive data is, you can make sure that only the right people have access to it, and really, people, users only have access to what they’re supposed to, that everything is monitored. Every time someone touches data it’s monitored and recorded.

So just like how a bank has a pretty good idea when your credit card is being misused because they know a lot about you, right? They know who you are, they know where you live, they know what you shop for, they know in the amounts that you shop for and where you shop, and really, really critically, they watch every dollar that goes in and out of your account because that’s their business.

Well, you can start to treat data that way if you know everything about your users and what they have access to and where sensitive data is and really critically, you watch every time someone opens, creates, moves, modify it and deletes data, you can start to treat your data like a bank treats your credit card, and that means you know when something goes wrong.

So not only do you know where your sensitive data is and you can make sure the right people have access to it but you also watch everything that every user in every service account does. So you know what’s normal and then you know what’s abnormal, and if something goes wrong you can respond to it intelligently and really really quickly. And then you can automate things like retention and dispositions.

And what that means is, when you don’t need data anymore you can delete it, archive it, move it somewhere else. If somebody put something sensitive where it’s not supposed to be, you’ve got automation in place to quarantine it. Somebody drops a sensitive file in an open share, it automatically gets moved somewhere else, that’s locked down and properly protected.

You know who data belongs to and you’ve got those owners involved. So when someone needs access to data it’s your data owners that are saying yes or no, and that whole process is recorded. The data owners are reviewing access on a regular basis. They’re doing access recertification, we call them entitlement reviews.

So once a quarter your owners are looking at who has access to the data and they’re making decisions about who should and shouldn’t have access to data. And then from a compliance standpoint, not only do you know what’s happening to your data and you know what’s sensitive, and you can make sure that it’s locked down, but when someone needs access to it you’ve got a record of who asked for it, who approved it, when they approved it, why they approved it because you’ve got DatAvantage monitoring everything for every single thing that they did while they had that data.

The vision is just to start treating data like a smart company treats anything else that’s valuable. And the biggest journey that we’ve been on as a company over the last…since I’ve been here since the last…in the last eight years, it’s helping the rest of the world understand just how valuable this data is and that it’s possible to put the kind of controls and protections and processes around file systems as they do anything else that’s really valuable in the company.

Cindy Ng

What other byproducts have you been able to help our customers find since they were looking to achieve these privilege model? Where they able to find other solutions that they didn’t initially realize that Varonis helped them with?

Brian Vecci

As for the kinds of things that companies tend to discover and the kind of use cases that gets opened up, but once you start treating data this way you can start connecting things like your SIM to your file systems, which is a…it’s really, really difficult to do unless you’ve got Varonis, by sending alerts from DatAlert off to the SIM for instance or connecting identity management to your file systems.

Cindy Ng

Outside of work when you’re not presenting or traveling to another meeting, what do you like to do?

Brian Vecci

I like to read a lot and I spend a lot of time on planes so I spend a lot of time reading. I play the guitar and I’m pretty confident that’s one of the reasons that David Gibson hired me, was that I was a guitar player. I have a little home studio in my basement. I recently moved from Brooklyn out to New Jersey. And I’ve been joking with a lot of people that I bought a farm. I didn’t actually buy a farm although I looked at it, but I’m just spending a lot of time learning what it’s like to own and run a house.

Having a house and having a kind of a big piece of property is something that’s new to me. So over the last year, really, the last six, eight months since I’ve done that, I’ve been learning a lot about what it means to kind of be a homeowner, which is exciting and fun and may sound l kind of pedestrian and not as exciting as some of the other stuff that I get to do, but for me, it’s been really, really interesting.

Cindy Ng

Well, thank you so much, Brian. And we wish you the best.

Brian Vecci

Thank you. It’s been great talking to you. And, Cindy, it’s been great working with you for the past eight years. And when did you join Varonis? You were the first person that was hired in our team after I joined.

Cindy Ng

It was 2010.

Brian Vecci

Yeah, 2010. So we’ve been here for a while. It’s been great working with you and I look forward to lots more in the future.

Cindy Ng

Cindy Ng

Cindy is the host of the Inside Out Security podcast.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.