Ep.07 Jim Kowatch | Infosec learning and the growing EDU space
In this episode of the Cybrary Podcast, we sit down with Jim Kowatch the founder and President of infosec learning, a virtual lab platform that has focused on the EDU space. Joined by Cybrarys CEO Ryan Corey and Chief Product Officer Trevor Halstead Jim explains how infosec learning got started in the education sector and the changes they are helping to make.
Share it with friends now!
In this episode of Cybrary podcast, we have Jim Kowatch, President at InfoSec Learning, Ryan Corey, CEO and Co-founder of the Cybrary, and Trevor Halstead, CPO of the Cybrary talking about the Information Security and what Jim has been doing through all this time working in this industry.
Jim is the founder of InfoSec, founded in 2011, who has been working in the business of higher education for almost 15 years. He had already worked for about 6.5 years at Pearson Education, and then he left to build his own business. He came up with the idea of founding InfoSec Learning after interviewing 200 members of the faculties, some folks in governments, and hiring managers as he states. Then he built the initial design and shared the idea with others, he got a lot of nos, though. But, he kept working on it. According to Jim InfoSec Learning’s goal is to provide Cyber Information Security training to companies, schools, organizations and its core goal is to provide services to the customers and take away the burden from them. During all this time in InfoSec Learning, the outcomes are working with 150 schools and businesses, industry certificates on hands-on skills, virtual labs focusing on different aspects of InfoSec, and some custom works based on the customers' needs. One of the custom works, for example, is a project where a company wanted to screen their applicants and evaluate their skills, so they can get to the interview which they build an incredible tool for that. He, then, speaks about the latest works they have done. The initial one is a dashboard designed for instructors that have a spectacular capability to track every user who wants to capture the flag, get the time limit, and verifies the result. This tool enables the instructors to pinpoint the mistakes each user has and help them specifically in that aspect. The second new thing is the challenge arena which is just like a game having the scoreboard, tracking system, and automated stuff. It is just a fair play of the red team, blue team, which is fun and educational. Jim says he and his team are always seeking a new idea, they are regularly asking their customers what new features they want, or what should be done as an example, to build the fastest and the best product out there helping people in the educational aspect.
The speeches end with the news of InfoSec services’ integration with Cybrary and the contact of InfoSec Learning. InfoSec Learning team is about to publish a new website of themselves, but they can be contacted through firstname.lastname@example.org and will normally send out a response within 24 hours.
Ryan: Our very special guests here today at Cybrary, pumped to do this episode, but a good friend of mine and a great entrepreneur, Jim Kowatch of InfoSec learning. Welcome, man.
Jim: How you doing? Thanks for having me.
Ryan: Good. Why don't we start this off by just give us a little intro background on yourself.
Jim: Sure. Well I founded a InfoSec in 2011. I've been in the business of higher education and the K-12 space, delivering products and sales, oh God, for 15 years now.
And, you know, we founded InfoSec in 2011 and we'll, I'm sure we'll get into some more of those questions later, but yeah, that's a little bit about me.
Trevor: What got you into the education side of the house?
Ryan: Yeah, so, oddly enough, the summer before I graduated college, I was an intern for Pearson education. And they published textbooks, and after that summer, I thought, man, why was I even considering law school? I want to go work for a textbook publisher. Oddly enough, that's true. And I did, and I spent the next six and a half years with Pearson. And then I left because I wanted to start a consulting business. And, you know, through that whole process, when I was working with schools, they were asking for more content in Cyber and Information Security. They wanted a whole bunch of things that they, you know, that they did.
Ryan: What year was that?
Jim: That was 2010.
Ryan: Yeah, it's right at the start
Jim: 2010. And when you hear something over and over and over again, you. You know, you realize, you know, there's something there.
Ryan: Pattern recognition sets in and you're like, wait, it's probably a business that needs to be built here.
Jim: There's something here. Right? So, you know, we went out and hired a company to interview about 200 faculty members, hiring managers, some folks in the government and in the business space, you know, we asked them what's the most important part of any Cyber Information Security or a really computer training. And the overwhelmingly common response was a hands-on virtual environment, that was cloud-based that the users and the, and the companies and businesses and schools didn't have to manage. They wanted everything packaged up. They wanted to be able to pick apart certain things and customize, and they didn't want to have to manage it. I'm racking and stacking servers as things, you know, it's a business, it's a tough way to go and managing that is, difficult. So, in 20, after you hear some things. So, so long, you know, we went out, and we tried building out some content in the continuing ed space. And as we continued to go down the road, we realized that the focus really does need to be on the virtual platform.
Jim: So in 2016 we went out and we raised some money because it turns out this is super expensive thing to build.
Jim: And, we, we basically, I made a design and I drew it up initially, no joke, on a cocktail napkin. And then I expanded on that, and I brought a team of super smart people together.
Ryan: You taped together additional napkins
Trevor: multiple names.
Jim: I did. There was actually multiple napkins. And so, ultimately, uh, I brought these folks together. I said, here's the user experience. This is what I want, not only the users to do, but I want, this is what our cus, I want our customers to experience this. I want it to be the best thing that anyone has seen. Can we build this? And there was a lot of nos and an unending amount of nos, but, you know, I said we have to work through it, so we kept working through it, and we found ways to at least get this vision created.
Ryan: Yeah. So that's a good, that's a good point there. So why don't you give us the tagline on what is InfoSec learning? You know, and then, so we've got the, kind of how it came about, but that's what officially, like if you had to give the two, three liner.
Jim: Right. I can even shorten it down to less than that. InfoSec learning, I mean, we are a company that provides Cyber Information Security and computer training to companies, to organizations, high schools, and that's what we do at our core level. You know, our whole goal is to be able to give , you know, the Ritz Carlton level service to folks that want this training. We want to focus on the actual training and we want to take the burden away from our customers of racking and stacking gear, setting things up, writing labs. We want to take care of all of that.
Trevor: So you mentioned there that the companies and the schools that you're working with and wanting to give that Ritz Carlton experience. What are some of these, the outcomes that you've been able to give to some of these customers you've been working with for these years?
Jim: So the outcome really depends on the goal, right? We, when we started out right out of the gate, we had eight schools that started working with us, which was awesome. But now, you know, we work with 150 schools, organizations, the federal government, businesses, and they all have different needs. Righ? And they all require different outcomes. So, many of our off the shelf labs are mapped to industry certifications, which are important, but at the end of the day, they really come down to a core level of hands on skills, Right?. Which is, Trumps everything. Hands on skills is the,
Ryan: In this space, it is a trade.
Jim: it is.
Jim: Show me, you know, how to do this. We're seeing hiring managers, turning computers around in interview saying, show me, you know how to do this. And if you don't, you won't work here.
Jim: So, reading a textbook is one thing, but doing the actual skills and performing at a high level is something completely different. So, although we have some labs that map to industry certs, we have other projects and labs that just are hands on skills related. And we have a lot of custom work. About 60% of our customers ask us to do some type of custom work, whether it's a custom set of labs or creating some custom learning objective.
Ryan: So that's a, so you guys have been basically developing like a nice expertise sort of by focusing on the EDU kind of space, right? And so like that customization probably just gets you better and better at serving those individual customers in that space. So, what, what's it like to be like maybe pros and cons? What's it like to be in the EDU space?
Jim: Yeah. Well, I'm very familiar with the space, right? So you avoid some of the pitfalls of someone that's new. Everybody thinks that, you know, ed tech is so incredibly flush and it's not. There's not, you know, you're going to roll into community colleges and if you expect an entire community college to sign off on one product, I mean, you should expect to wait a while.
Jim: There's not tons of cash out there. You have to have a great product. And I like the EDU space in the model that InfoSec works because, you know, we work with individual college instructors and high school instructors that are teaching these courses. We show them the product. If they like it, they use it. And that's the sales cycle. A lot of folks come into the, you know, the ed tech and the.edu space, and they have a product that you have to get an entire school to buy in on. That's a, you know, an enterprise deal, those sales cycles, although the dollar amounts are much higher, the sales cycles are much, much longer, and you have great companies that can die on the vine.
Trevor: With all the custom work that you're doing for these instructors and for these organizations, why do you think that they need so much customization when you have these certifications that are out there. I mean, is that, you know, are we, we do assume that these, these educators and instructors are not finding the contents of the certifications completely aligned to what they need from their students and what they need from their workers.
Ryan: Great question.
Jim: I mean, I wouldn't call it a great question. I would call it a, no I'm kidding. It's an excellent question, it is. Because there's more than just certifications. Right?
Jim: We work with a lot of schools that want to do hands on exams. They want to make sure that students have and have retained their, the skills that they learned throughout the course. So, we buy custom work. Sometimes we will work into, it depends on how a school wants to structure their course. Right? Not all of them are exactly aligned to the domains of various industry certifications. And there's a lot of industry certifications. I would say most of them that are not hands on, they are pen and paper or pencil and paper, however you want to do it. So the majority of the custom work that we do fills gaps in the courses where they say, we want to do, we want to teach on this skill specifically. Can you do something where, you know, we want to test on this, see if students can pentest in a certain way, find these vulnerabilities? We do those. In fact, outside of the EDU space, we worked on a project last year for a company that wanted to screen applicants. And at the end of the day, they said, we want applicants to have these skills. So we built an environment. We gave users 24 hours of access. If they found the vulnerabilities, all of them, and they got a job interview, if they didn't, then they didn't. it was an incredible tool, and, you know, we built that to spec, you know, we work with Southern New Hampshire university. They're an incredible partner of ours. And, you know, they do a lot of hands on learning as well, and they wanted to be able to have an environment with specific needs, specific networking and settings. And they wanted to come up with some of their own assignments to have students go in. So they, we were flexible with them the whole way through. And when we first built this platform, one of our core goals was to continue to always be flexible. And if we have to do a lot of custom work, then it can't be so arduous that we can't do a lot of it. Right?
Ryan: I think that nimbleness is huge for a product like yours, just because you know, all these different organizations, they have their own technological stacks, right? So they, they require different things like we're a Splunk shop, we're not a Splunk shop where we have this product. We have alien vault or AT&T Cyber now.
Jim: we do some alien vault stuff. We have also worked on projects where folks do have their own stacks, companies have their own stacks, and we replicate those stacks, and now users can go in and really play around with isolated networks that mimic the stack that they have at their own company. We can put malware in there. We can do a whole bunch of stuff in a safe environment. I mean, it's hard. You gotta practice how you're going to play, right? And if you're not doing that, then you're going to get into the game. And you're going to be thrown a curve ball. I mean, I don't know how many sports analogies I can throw into this, but there's definitely gonna be a few more, but it's like you need to practice how you play.
Ryan: So off script again, but this is a, this is a really cool thing that came from the lunch that him and I had the other day.
Jim: It was on. Yeah, it was excellent.
Ryan: It's Tim, super good. So why don't you tell us, talk us through that one, a company or as a customer or something like that, that you went in front of and you showed them how you were spinning up VMs at like an alarming rate that was like blowing, knocking their socks off. Cause this is going to be really good as an extension to what you just talked about, and just, you know, keep it buttoned to tight.
Ryan: Whatever, but let's, let's hear that a good one.
Jim: One of the largest customers that we work with, one initially, as we got in there wanted to kind of see the way that we've virtualized things in last August. We rolled out a brand new way to virtualize machines. We stood on the backs of some existing technology but did a whole bunch of our own code, you know, to really bring this to fruition, to set up these environments. So we showed them how we were setting up full environments, cloning servers in three seconds, cloning, you know, Linux boxes in two seconds and then getting all the network settings. And they said to us, you know, the first question was, how are you doing this so quickly networking everything? How did you automate all of this to be one click to set these up? And secondly, why are you working in the EDU space? And it was, you know, two incredible questions. But we, you know, we, we spend a lot of time and money doing research on scalability. We want to be the fastest and most scalable company out there. You know, I'm a big fan of CNBC. I listen to it every morning and you have a lot of CEOs that come on, you know, their show and they talk about, you know, we want to do this, and we want to do that, but no one ever really, in my opinion really says exactly what's on their mind. And you know, ultimately if you ask, what do you want to do with InfoSec? I want to build, yeah. I want to build the best products out there. I want to be the fastest to spin up the most number of VMs. And I want to go out there and eat somebody else's lunch.
Ryan: Yeah, like literally
Jim: Literally, cause I eat a lot.
Ryan: Okay. Got it.
Trevor: I would love to hear a little bit about any recent product updates or new feature additions that are going to be coming in the next quarter or two that you can share.
Jim: So the virtualization coding that we push was was huge for us last August. And we're always making tweaks to that, but you know, one thing that we just recently rolled out was our new dashboard for instructors because they, you know, we interact with customers on a daily basis, right? In fact, every customer that we've ever had, I don't think there's one that I haven't spoken to on the phone.
Ryan: That's awesome.
Jim: So, you know, I talk with customers every day and that's our pipeline. So this dashboard we were hearing from folks, they wanted more granular information. So what we did was we developed some new technology where we're tracking all of the users’ movements or environments, and they have to, as they're going through a lab, they have to capture flags. And flags are six digit codes. There, any number of things we can create into a flag. And we track a ton of information about their time on task. If they got it right or wrong. In fact, we're taking screenshots, and we're logging all of this information information, a wealth of data on, on the user's interaction with the environment and putting it into a dashboard that's easily readable, and instructors can now go in and see where entire cohorts of people are falling short.
Trevor: That's awesome
Jim: And digging into individual users saying, I know you're not doing well right here. Here's how I can help you. It was incredibly important that we have anti-cheating mechanisms built in where it doesn't matter if someone's sitting next to you, giving you the answers, you still won't be able to cheat, which is really important in today's EDU space.
Trevor: That's incredible.
Jim: Yeah. So that, that was that. The, the next big things we're going to be working on are our challenge arena, which is going to allow for a red team, blue team activities. No longer are we going to have an environment where one student sits down, we can have it almost tournament style, where you have four VMs, two red VMs, two blue VMs, and you have two people sit on them. And they go at it and we see who wins. Right? We have a digital scoreboard. We're going to track things individually for a, you may or may not know this, but there's a lot of schools out there that have Cyber teams
Trevor: They do.
Jim: Right. And so they go to these competitions and a lot of times setting up the network and getting things running is a little bit difficult. We want to automate everything and have folks ready to go. We want to give students the ability to train in a red team, blue team setting, and then go play their game.
Ryan: That's killer man.
Trevor: That's incredible.
Ryan: It's a great product. Yup. Without a doubt and exciting work for the future, too. So why don't we jump over real quick to tell us a little bit about how you kind of go to market? How do you reach your customers?
Jim: Yeah, so. You know, I was just telling you guys this story. We had a, a large customer that I was trying to get in touch with for two years. Just trying to get in touch with the right folks there and get the ball rolling. Yup, but with no luck and Yeah. We had an instructor of ours that worked at a different school that transferred over to this new school and said, hey, we used InfoSec labs there. They were really great and magically, the doors opened and that's how a lot of our growth has occurred. It's not that we have these aggressive marketing campaigns. In fact, I'm not one for sending like tons of mass emails out. What I enjoy doing is building these products and letting them speak for themselves. So it's really kind of referral-based like, hey, I went to this conference, I use InfoSec labs. You should really try it. We have weekly webinars. Every single educator who comes to a weekly webinar gets a free demo account. You can play around with labs, you can see the features, you can see everything that you need. And the proof is in the pudding. Come and use it, see what the experience is like and you won't want to use another platform.
Trevor: How big is the team now?
Jim: So the overall team we do with outsourced work, there's almost 30 people that work on the total aspect of the environment, whether it's from the code to the data center to, you know, it’s to the labs themselves. There's around 30, sometimes 35 people that, that touch some of the product.
Trevor: Yeah. I would imagine that the content developers are our big piece to that, and making sure that the content is
Ryan: And you also have one or two rock stars in regards to that.
Jim: Yeah, and everyone needs those. And I have one, I have a couple of rock stars that are just, they're so much smarter than I am, when it comes to, to Cyber Security and Information Security. And they're just, they're there. they're masters of their game. And I always tell folks that like, listen, you don't need to be a master at everything, but you, man, you have to be a master of your game. You have to want to get out there and play in the sandbox every day. If you want to get better at it. And these guys have been doing it for 20, 25 years and every day. They're excited to get back in there and try new things. It's that kind of enthusiasm that you need in a company like if I had 30 of those, those guys it'd be incredible.
Ryan: It’d be unstoppable, right?
Jim: Yup. We also have a, you know, we have a great partnership with the National Cyber Watch Center, right? And they're an incredible organization that has, I believe, 300 schools with them and they've seen every product out there or their preferred platform. And we use a lot of SMEEs from the EDU space to vet content, to look at stuff, to tell us what's next. I mean, as I mentioned before, we're always asking our customers, what do you want to see next? We have a roadmap that is over a year long and our roadmap is labs and features.
Ryan: Yup. Yup.
Jim: Gotta have that pipeline. We're always going to be building something.
Trevor: Yup. So, yeah, Jim, what kind of funny story do we have on you on the, on the business? What were any funny times, tough times through the business and, yeah. What can you share?
Jim: I have a good story about our funding process and I live in Baltimore and it's, there's a lot of ed tech funding and, I originally went out to raise money for this idea that I had on cocktail napkins. Now, granted, it was much more refined once I was actually presenting to people. I mean, I'll tell you I got a lot of nos and it just, I couldn't understand it as an entrepreneur, which I feel like is such a. I high hold any person that runs their own business. I don't care if you have one employee, no employees or 5,000. I mean, it is so difficult to run a company and, and the level of admiration I have for folks that do this and have sustained it for five, 10, 15 years. They're incredible. And we have incredible partners that we work with. But when we went to get funded, it's such a tricky game. Like I listened to a lot of podcasts on funding, the full ratchets, one of I listened to it all the time. I'm always trying to pick up the best ways to, you know, to still be a master at the game. And we pitched to some folks here at a couple ed tech incubators in Baltimore. And I don't know if the pitch was off. I don't know if I was off, which I mean totally, but some folks didn't, you know, didn't really understand the Cyberspace and they weren't sure that, you know, bringing a scalable product that folks didn't have to mess with. It would serve, you know, thousands and thousands of students. Oh, I guess wasn't appealing, and so we got a lot of nos and I thought to myself, is it me? Is it the product? Is it the idea? I mean, my jokes, I know, are incredible. So yeah. I mean, those are all stars. And then I went out to Indianapolis and I sat down with a group called blue rock partners, and they had a ton of experience in the ed tech space.
Jim: And, I left there with a handshake agreement that we were going to do something. Well, before I left and, and it just really goes to show ya. I mean, it only takes one, right?
Jim: Snd that's important and it's been a great relationship with those guys. They've been incredible. They've been supportive, but it, you know, for a while there, I thought, you know, should I just not do this. I mean, but
Ryan: Yeah, that's tough, man.
Jim: It's really, I mean, it was tough, you know, there's been a lot of nights from that day until now where, you know, there's a lot of what I call ceiling staring, like laying in bed at night, wondering what's next? What am I doing wrong? But for every entrepreneur that's out there that has an idea. If you have a lot of people telling you, yes, like we need something and you have the ability to bring that and build that user experience. I mean, you just keep fighting.
Ryan: So, Jim, it's customers that validate your idea, right? Not an investor. And so with that in case, it sounds like you just found the right one who had enough of the right experiences in their back pocket to where they're like, Oh yeah, we get this, we've done this successfully before. We'll do it successfully again with this guy. Cause we think he's great. And so you have to have that sort of company, founder, investor, all three need to align, you know, for those stars to come together. But good on them, good on you. Cause you guys, again, customers have been speaking for the product and the idea cause you guys, I believe, have something like tripled in the last like 12 months or so.
Jim: Yeah, a little more than tripled.
Jim: I mean, it's just fine. Just sell a short. Yeah, no. It's been great. It's been great, but I mean, it's the kind of one of the law of averages as you continue to get more customers, then there's more customers talking about what they're doing, and it's tough getting it started. We had to, you know, we jump-started the business, we got it out there and, you know, eight customers. Grew pretty quickly.
Ryan: So Jim, you have an amazing product. It sounds like man and great product development process, which is awesome serving the EDU space, but it can certainly serve a wider landscape. So, we at Cybrary, we've been talking and we have a target to try to get your product integrated for our customers by hopefully the end of queue three of 2019, which would be a goal for us, but how can people get in touch with you, If they want to just inquire about the product or maybe want to participate in some way or another?
Jim: Yeah. I mean, Ryan, if you just want to give them your cell phone, you could hook them up with me, right?
Ryan: Yeah. 800, right? Yeah.
Jim: I mean, we're very receptive, you know, if you send us an email to email@example.com, you will get a response within 24 hours, possibly 24 seconds.
Ryan: That's great. Yeah. That's your primary source? Are you guys on the old Twitter or that are on Twitter?
Jim: I've promised myself to get better at tweeting, but I am a slightly tweet shy based on some of the things that I've seen. We are on LinkedIn. Yeah, you can find us at infoseclearning.com. Yup. In fact, we're rolling out a new website next month. That's going to be much cooler than the one that we have now. Cause I don't think the one we have now is very good. Ryan: Great.
Jim: But yeah, those are the ways you, you can reach us. We're like I said, very, very responsive.
Ryan: That's awesome, man. Congrats on all the success. Great product, keep building it. I'm looking forward to getting it integrated into the Cybrary, and any last thoughts anyone?
Jim: No. I mean, I'm good to go. I just really appreciate the opportunity to be here. And, you know, being a part of Cybrary would be a great addition for us.