Coaching as a Service for Human-Centric Cybersecurity | Interview with Dominic Vogel
Welcome to Secure and Simple podcast. In this podcast, we demystify cybersecurity governance compliance with various standards and regulations and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple podcast. Today, we have a very interesting guest.
Dejan Kosutic:He is actually doing, or approaching cybersecurity and consulting in, I would say a different way. And his name is Dominic or Dom Vogel and he's the president of Vogel Cyber Leadership and Coaching. And he has grown his consultancy from basically zero to more than a 100 clients and has coached more than a thousand professionals in this cybersecurity area. So in today's podcast, you'll learn about, I would say a very different approach to cybersecurity and I would say an innovative approach to consulting services. Welcome to the show, Dom.
Dominic Vogel:Thank you so much for having me. Really looking forward to spending time with you today.
Dejan Kosutic:Okay, great to have you here. So Dom, how did you start with cybersecurity coaching and actually what brought you to this, let's say, specific type of consultancy service for your clients?
Dominic Vogel:Yeah, I really appreciate that question. I'll say it's been an evolution of me as a person as well. So I've been in cyber for twenty years, I got to a point, you know, when I was just doing the, I'll say, the traditional security consulting, and I was feeling just very empty inside and very... I burned out in corporate. I was trying to feel that burnout again. Was like, this doesn't feel like it matters.
Dominic Vogel:Like, why am I doing this work?
Dominic Vogel:You know? And as part of that journey, I recognized that what I love most isn't necessarily security, but it's helping people Mhmm. In their journey. You know? And it actually came up when one of my prospects, this is about five years ago, he reached out to me and he said, Dom, would you be?
Dominic Vogel:He said, I can't afford to pay you as an advisor from a consultant or even a fractional CISO perspective, but would you be willing to coach me in terms of how I can start building out my security program? And I was like, wow, that's an awesome idea. No one's ever asked me that before. And it was from that point forward where I started to focus more so, like I said, on the people side of things and recognizing that if I can help from that coaching perspective and help people grow into these roles, he was an IT manager at the time, he's now a cybersecurity director at a different organization, he grew into it because he started to really love it. So that sort of moves me to where I am today, where my coaching focuses on meeting people with where they are in their security journey.
Dominic Vogel:Some of them are responsible for security without actually having a security title. Some of them are, you know, the long time CSOs, they're feeling, you know, burned out or disconnected from their team or disconnected from their purpose. So I love being able to inject that human element, that humanity piece into it, being able to help them with wherever they are in their respective journey. That sort of brought me to the coaching piece. It allows me to feel soulful about security.
Dejan Kosutic:This is great. I mean, I know lots of consultants that are maybe even making a lot of money, but very often they're not kind of feeling good about it, right? And this kind of, I would say different approach to this work could actually be much more satisfying from what I understood from you, right?
Dominic Vogel:I think it is, you know, to me, like I said, it was recognizing that the traditional consulting was leaving me feeling empty and void inside. Like you said there, I was getting a lot of good contracts, but I didn't feel purposeful. I was feeling disconnected from something more meaningful. Right? So Mhmm.
Dominic Vogel:Like I said, when you put people and you connect with people as people rather than let's connect over, you know, security framework or security strategy or what have you. But when you connect as people, that's where some really cool stuff happens. So that's what I try to have lead me today.
Dejan Kosutic:Okay, great, great to hear. And how does this coaching really work? So basically, what kind of, let's say, help are you providing to your clients and how long does it last and what are you actually helping them with?
Dominic Vogel:Yeah, that's a really great question. It's a contextual, it depends. So I'll give some examples of some coaching successes or areas where I focused. So one example is around branding, around the brand of IT or the brand of cyber within the organization.
Dominic Vogel:For a lot of CIOs, IT directors, CSOs, they often struggle with the brand of what they do. Right? We're not marketers by default, unfortunately, in this field. And so I had a CIO who reached out to me and said, I'm really struggling to connect with the board, my peer executives. They want nothing to do with IT.
Dominic Vogel:Right? And I said, well, what does the brand of IT look like in the organization? He said, our brand sucks. He said, no one wants to deal with us. Right?
Dominic Vogel:So what that coaching engagement looked at was actually focusing on the face of IT, and for this, for a lot of organizations, it was the IT help desk or the service desk. So I coached their frontline responders, for lack of a better term, in terms of here's how you communicate with empathy, here's how you communicate with kindness, here's how you communicate in a way in you're going to be more relational and less transactional. As part of that process as well, we changed the law of service desks metrics. So rather than focusing on how quickly they close tickets, we're focusing more so on likability index. Right?
Dominic Vogel:How much did you enjoy this experience dealing with the IT help desk? We went through that journey, over a six month period of time, we started to see that the brand of IT started being elevated, right? So that's an example where I come in and focus on burnishing the brand of a cyber team or an IT team. Another concrete example is with dealing with senior leaders who are constantly in end to end meetings, and they feel like they don't have the time to develop their people.
Dominic Vogel:They're like, hey. I'm always rescheduling my one on ones with my direct reports. I don't have the time to coach them. I don't have the time to hear them out and help them develop as people. So I get brought in to focus on team development and personal development, human development.
Dominic Vogel:Mhmm. Mhmm. Right? So that way, a manager or director doesn't have to feel guilty about, oh, I'm always rescheduling my one on ones. I do that.
Dominic Vogel:I focus on that. I focus on the team building and the development of the direct reports, and then working with the CIO, IT director, whomever it is, in terms of here's how we keep building this connectivity as a team. Here's how we keep building your people as people. And then that elevates the team. Right?
Dominic Vogel:That elevates the brand. Mhmm. And that allows the CIO or the director or whom have you to be able to do their job more confidently. So it's very much what I refer to as human centric approaches to coaching. That's where I focus a lot on my efforts.
Dejan Kosutic:And how does this really differ from, let's say, traditional training?
Dominic Vogel:So it differs in a couple of ways. So back in my corporate days, where I worked, they would bring in a coach to coach senior leaders. The thing is that leader, or that coach I should say, while they were given good theoretical advice, they had never been in IT, had never been in cyber, right? And it's a very unique field. There are nuances that unless you've lived a day in the life, you can't always apply advice that's given to you, right?
Dominic Vogel:So one of my, I'll say, more endearing aspects in terms of how I approach coaching is that whatever a cyber team has felt or the IT team is feeling or what have you, I have felt that and then some. I'm able to empathize and understand much more so than, like I said, a traditional coach, right? And how I approach my coaching is fundamentally different than a coach who hasn't gone through or hasn't been in IT or in cyber. So that's one part. Another part is that I don't focus on here's the coaching program, here's the modules you need to do, here's what you need to do.
Dominic Vogel:I really believe in, and again, does it scale? No. But that's not the intent. For me, my approach is very much focusing on meeting people with where they are right now and understanding what is it that's motivating them? What is it that's holding them back?
Dominic Vogel:What can I do to support them in terms of allowing them to achieve a truer version of themself? And then that takes time in terms of building relationship, building trust. To give another example, I had a CIO reach out to me. He said that the help desk manager had been a top performer a long time, and all of a sudden, he stopped being a top performer, and he said, I don't want to fire the guy. He's a really good guy, but the whole team is drowning because he seems to be totally disconnected.
Dominic Vogel:And so he brought me in to coach the help desk manager. It took about four months, but as we were going through and developing a relationship and developing trust, he told me that earlier in the year that he had lost his mom. No one there knew that. He had not told anyone for whatever reason. I said, well, so tell me, like, how is that, why is that affecting your work?
Dominic Vogel:I said, get that in short term, you're losing a loved one, you'll absolutely do that, but why didn't you share that? And he said, well, he felt disconnected from IT. He said it was because of his mom he got into IT, and with her gone, he sort of lost that motivation to keep doing what he was doing. And I said, well, what is it that makes you happy? What derives professional joy for you?
Dominic Vogel:And he said, well, I've always he said he had a dual degree in marketing. He said, I've always wanted to do more marketing, but I never looked at it. I always find that really interesting. And I said, okay, well, let's see what we can do. So I went back to the CIO, I said, look, he's unhappy.
Dominic Vogel:He's not gonna succeed in this role. He wants to be in marketing. And he said, Get the hell out. How'd you learn that? I said, Well, we had to develop this communication.
Dominic Vogel:We had to develop this trust. And long story short, he ended up being moved to the marketing team to, again, he had to take a more junior role than what he was in, but he was much happier. Yeah. Right? And over the long run, over, I think, over a three or four year period, he ended up getting promoted, being in the manager role, and he was flourishing.
Dominic Vogel:So he was happy. The IT team put in someone else to lead the help desk, that team started flourishing. Right? And it was all focusing because we took a human centric approach. Mhmm.
Dominic Vogel:Mhmm. He could have fired the guy, and that could have put the team in a further tailspin. That would put him in a tailspin. But by taking, like I said, a very human approach, we were able to achieve that. That's why I take, like I said, a different approach to coaching.
Dominic Vogel:It's not regimented. To me, it's around really understanding each other as people.
Dejan Kosutic:Yeah, and if I understood well, difference from training is that training already, I mean, always has some kind of a training program which is predefined, whereas you adapt on one on one basis and personalize, I would say, this coaching to each and every person and unique situation where this person is in, right? Okay.
Dominic Vogel:Yeah, absolutely.
Dejan Kosutic:And if I understood well, you're providing these services not only to cyber functions, but also to CIOs, to help desk, to other senior leaders. How do you manage actually to cover such a wide range? Because functions are, okay, they're all tech, but they're not like cyber only.
Dominic Vogel:For sure. And that's a really good question. My corporate career, I spent a lot of time in IT teams. Like all my cyber roles were deeply embedded in IT. So I know the space, I know the people really well, and again, it's not about meeting them with technology, it's about meeting them as people, right, and knowing that, you know, we all have these quirks and nuances and what have you, you know. And where I find I'm able to have the greatest impact with IT leaders, is there any IT leaders that recognize that there are fundamental, I'll say, people gaps in their teams.
Dominic Vogel:In IT, and by extension, cyber, we often focus on the, you know, hard skills, people with their tech skills. And we have chronically underinvested in developing people as people. And that's where I find like I said, when I'm able to connect with a CIO or IT leader or IT director, what have you, and say, how are you developing your people as people? They're like, I'm not. What do we do?
Dominic Vogel:How do we do that? Rather than approaching it from a technical lens. So, that's where I'm able to have good overlap with IT leaders.
Dejan Kosutic:Why do you think that these kind of, let's say, soft skills cannot be developed by simply, I don't know, simple training, right? Some kind of a more traditional training. Why do you think that this kind of coaching is a better approach for developing these soft skills?
Dominic Vogel:Yeah, great question. To me, again, the soft skills, human skills, people skills, whatever you want to call them, to me, it's rooted around what I call muscle memory. It's not simply around developing knowledge or developing skill like it is with some of the, air quotes, hard skills. Right? You do it, you practice it, and you got it kind of thing.
Dominic Vogel:The things with soft skills slash human skills is that it's very much muscle memory. Right? And it's not around just taking a training module, like, here's how I'm gonna communicate more empathetically, or here's how I'm be better at developing relationships, or here's how I'm going to be easier to deal with during, you know, conflict or how to deal with conflict resolution. That type of stuff needs to have that muscle memory. And with coaching, where I find it's really powerful is that people are able to bring a specific scenario.
Dominic Vogel:Hey Dom, I know we were working on empathy last week, I was having a conversation with a coworker, I was really struggling. Here's what I said, I was really struggling with empathy because he or she said, you know, x, y, z. What can I do differently next time? Compared to training, it allows them to take these real world situations and work on it, learn and get that feedback in, I'll say pseudo real time, and be able to apply it better next time. That to me is why it's fundamentally different through coaching than just trying to train those people.
Dejan Kosutic:Okay, makes sense, yeah. You also mentioned this concept of internal branding. Can you elaborate a little bit on this?
Dominic Vogel:Sure, sure. You know, one of the things that I've come to appreciate, especially as an entrepreneur, you know, so after my corporate days, became an entrepreneur, and you know, so I've been an entrepreneur for ten years, and one of the things that I've really realized is that everyone has a brand, right? I had to focus on developing a brand as an independent and growing a personal brand and a company brand. But one of the things that I wish I had done a better job of back in my corporate days was recognizing that the security team, which was my last cyber role where I was in charge of a cyber team, we had a brand, right? And every business unit organization has a brand, right?
Dominic Vogel:Some business units are better at it because maybe they have more refined human skills, right? I would expect the marketing team to have very good branding skills. But IT and cyber, right, back to that earlier point, we tend to underinvest in developing us as people. We historically suck at our brand, right, or marketing ourselves. Right?
Dominic Vogel:When we talk to the boards or we talk to executives, we're often talking, missing the point in terms of what it is that matters to them. Right? We're talking about, you know, things that we've seen on the firewall or what have you. Right? We end up being too technical.
Dominic Vogel:So to me, it's about going back and refining that brand and recognizing that individually, we all have a personal brand. That should roll up to a team brand, right? And that way, when someone else in the organization says, oh, you have to deal with IT, rather than they're like, oh, IT? I wish we could go around them. They'd be like, oh, great.
Dominic Vogel:Yeah. IT is fabulous. Right? We're gonna deal with them. Or the cyber team.
Dominic Vogel:Right? How often have you heard cyber team in an organization is always seen as the office of no. Right? That to me is part of the brand. Right?
Dominic Vogel:That's a bad brand. Yeah. It's still a brand, but it's a bad brand. Right? So how you build a brand of, sorry, team.
Dominic Vogel:Yeah, why didn't we involve them earlier? Absolutely, we need to, they're fantastic people to deal with. That to me is the power of branding.
Dejan Kosutic:And how do you actually come from, let's say, this negative brand that usually these tech functions have in a company towards a very, very positive internal brand? How do you actually come to this, how do you make this transition?
Dominic Vogel:Yeah, to me it's around again the relationship building. To me, it's focusing less on transactional relationships and more on meaningful, deep, visceral relationships. A lot of organizations where that brand is, I'll say suboptimal or negative. If I look at the relationships that, you know, a security director or a CISO or CIO or IT leader has with his or her peer executives, it's mainly transactional. Right?
Dominic Vogel:They don't know much about the other executives, right? They haven't gone out and had meaningful conversation with them outside of work, right? It's very superficial, the relationship they have, right? So by putting IT people and security people in what can often be an uncomfortable situation, you know, be a bit more extroverted, focus on the relationship building, right? Don't just talk with them when they need you or you need them, right?
Dominic Vogel:Focus on, again, knowing them as people, right? Focusing on and developing what I refer to as connected leadership. To me, being a connected leader means that you're able to have very deep and very strong emotional ties with your peer executives or your peer leaders. If they only see you as the IT guy or the IT leader, you'll only ever be seen as that. As an example, I hear from so many CIOs, oh, my executives always send, if they have a broken keyboard, always ask me to deal with it. Why don't they just call the help desk?
Dominic Vogel:Well, how's your relationship with them? What do they see you as? If they just see you as the, you know, this guy's gonna get me a new keyboard, that's all they're gonna keep going to you for. Right? Because you haven't fundamentally tried to change the relationship.
Dominic Vogel:Mhmm. Right? So that's why, like I said, one aspect like that is centered around developing meaningful relationships and going above transactional relationships and making them like I said, very human centric relationships.
Dejan Kosutic:Okay, yeah, it's very interesting approach and definitely something that I would say most tech people should develop further. Okay, I noticed that you also are dealing a lot with this cybersecurity leadership as a concept, so can you speak a little bit about that part of your work?
Dominic Vogel:Sure, sure, sure. Yeah, so the cyber leadership piece is really around trying to work with, I guess, dealing with smaller organizations that smaller IT team and as an IT manager who wears multiple hats, right, who's doing many, many, many things. Right? And part of that security is on their desk. And really about trying to give them very pragmatic pieces to build out the security program on.
Dominic Vogel:So as an example, one of the ones that I'm working on right now, they are a 75 person manufacturing company in Western Canada, and the IT manager has a team of about, I think, maybe seven people. And he said, I want to be able to start developing a meaningful cyber program here. So we looked at, okay, well, what's a good framework to start at least measuring something that's repeatable and looking at from a maturity perspective? So we ended up landing on CIS. Then we focused on, okay, well, what are some other building blocks that we can build around?
Dominic Vogel:So I coached him through how to do a self assessment with CIS, then he started seeing where the gaps were. Right? Then, as we started seeing the gaps, like, okay, here's some spots where we can start shoring things up around policy. Here's how we can start shoring things up around a very simple and at least good spot to start, a cyber incident response plan. Let's lay the roots for maybe an internal tabletop where he's going to talk with the executives around potential situations that could arise. How do I then talk about, well, how do you communicate with the executives in terms of gaps and things to focus on?
Dominic Vogel:So it's around really coaching them around these basics and supporting them in their, sort of I call it security DIY approach. And they're able to start working on that and start leveraging that. And with some of my coaching clients in the cyberspace, as their company grows, they then bring me in for larger projects once they have budget and it makes sense to have a security consultant or what have you. But really, this is trying to really help the organizations that really need the most security guidance right now, and that's a lot of these smaller businesses. That's why I said I feel the coaching model helps them better than traditional security consulting.
Dejan Kosutic:Okay. When you work with your clients on this cybersecurity leadership, is this mainly on how they develop their, let's say, security programs or management systems or is it something beyond this as well?
Dominic Vogel:Yeah, you know what, I'll say it depends on where they are in their own journey. So, those organizations that I would categorize as small business, and to me, a small business is sub 200 employees. I mean, really helping them start doing something repeatable. Mhmm. Right? Rather than just saying, security, oh, yeah.
Dominic Vogel:We have endpoint protection, and we have a firewall. We're good. Right? Actually, starting to develop the semblances of a repeatable program that they can measure and manage as they hopefully grow as a business, compared to larger organizations that are going to be more, I'll say, project specific. So I do a lot of work, at least in Western Canada, with a lot of cities, towns, and municipalities that are, they're not small.
Dominic Vogel:They're not huge. They're in the middle. And, they generally need a lot of help around certain security projects. Mhmm. I mean, they don't necessarily have internal cybersecurity leadership, but they're not so small that they aren't they haven't they don't have at least a you know, they have at least some repeatable security program in place.
Dominic Vogel:So as an example, a few weeks ago, I had a municipality reach out to me. They really needed help scoping out a pen test. Uh-huh. They had not had a pen test in five plus years. They're like, we don't know what we should test.
Dominic Vogel:Should we test everything or what? So they brought me in to help scope that. That is where my cyber leadership piece is focusing on just that as a particular project. Mhmm. And they don't need fractional CSO or coaching, but we're just focusing on that project.
Dominic Vogel:So, like I said, it's about understanding where these organizations are, and every organization is somewhere in their security journey. Some are very early on, some are deeper. Right? So it's just, like I said, trying to meet them with where they are.
Dominic Vogel:And where they need to be.
Dejan Kosutic:And I've read somewhere that, basically, you're also speaking about this, that the most effective cybersecurity leadership actually supports business goals of a company. So, can you explain how this is done and really how cybersecurity can support business goals?
Dominic Vogel:Absolutely. And to me, it's around elevating the conversation at the executive level and an organization has one at the board level. That, what I see when I'm dealing with clients is that most boards, again, generally, especially when they're mid sized or smaller, they perceive cyber risk or cyber security to be the domain of IT. The IT team deals with that, IT guys deal with that, IT service provider deals with that. And trying to the only way that we can start trying to change that narrative and misperception around that is trying to go beyond the notion of security being done for security's sake.
Dominic Vogel:Mhmm. Right? One of the reasons why a lot of executives believe that is that security strategy is often just rooted in, okay, here's the framework without any context around business or resources or mission of the organization. Here's the best practices that we need to do. It's almost what I call security in a vacuum.
Dominic Vogel:That's why, and again, it can often be very deeply technical, because it's coming from technical people. And again, not saying it's not good, but that's leading to that misperception, that gap between seeing this as more of a, you know, at least from a risk management perspective, and why boards and executives need to be more involved, rather than just saying, Oh, that's for the IT team to deal with. You know, one of my favorite questions to ask when I go in and I'm talking to a group of executives is, I'll say, What's the most pressing financial risk facing your organization? Mhmm. CEO will I'll say, well, give me an answer.
Dominic Vogel:And I'll say, what's the most pressing operational risk facing your organization? CEO will give me an answer. Right? What's the greatest, you know, personnel risk facing your organization? He'll give me an answer.
Dominic Vogel:Mhmm. I'll say, what's the greatest cyber risk facing your organization? Right? More often than not, they're like, I don't know. Ask IT.
Dominic Vogel:Mhmm. I was like, that's interesting. I asked you about financial risk. You didn't say go ask the CFO. You gave an answer.
Dominic Vogel:And all the other ones, you didn't say go talk to someone. Why do you not see cyber risk as a risk discipline? And they're like, never thought about it that way. Just never have. Just thought it was technical issue, an IT issue.
Dominic Vogel:Right? So it's around trying to really change the narrative around that. And again, when you tie business objectives, mission statements of an organization, security doesn't exist just to do security. Security exists when an organization can do the awesome stuff it was set out to create.
Dejan Kosutic:How do you actually achieve this kind of convergence of cyber and business? So can you explain me, is there some method to do or can you give me some examples on how this is normally done?
Dominic Vogel:Yeah, I mean, and I wish I could just say here's the formula and do it. To me, it's around persistent and consistent communications, right? And again, developing those type of relationships, right? As with anything, trying to correct misperceptions takes a lot of energy, right? If someone truly believes, you know, anything, even if it's not related to cyber, trying to convince them of an alternate truth requires time and energy.
Dominic Vogel:Often requires a lot of time and energy, right? So when I go into organizations, I generally am asking to speak at the executive and or board level, right? Because that's where meaningful change needs to happen. Just doing a strategy in isolation may help to a degree, but it's not changing overall culture or approach or it's not changing misperceptions. So when I typically engage, I ask to, like I said, speak to the powers that be, the executives, board directors if one exists, right, and be able to just ask those types of questions.
Dominic Vogel:Right? Another question I'll often just ask is, if your company was to go down tomorrow, all your key systems were to go down for an hour, what would that mean? Three hours, five hours, how long can you tolerate? A lot of these organizations, again, typically the midsize and smaller, it's an uncomfortable truth. Many of them haven't had the time to think about it.
Dominic Vogel:Further, if I was to say, okay, if you can only bring up three systems, what systems are they? And again, you'll hear 10 different answers if I ask the different executives, right? So, it's around having those conversations and getting them thinking differently that, hey, you know what? All this stuff here, it's actually not just an IT issue. Right? As a board or executives, we need to be more present from the risk perspective, from the government's perspective, from an ownership perspective.
Dominic Vogel:It's about planting doubt, planting those seeds, those questions to make them question their current truth.
Dejan Kosutic:Definitely, I mean, and also there are some other approaches really to kind of get this convergence and simply looking at their business plans and then simply kind of plugging in cyber security in the right places really to help a business actually achieve these goals. When you think about your consultancy business, so you're dealing with cybersecurity leadership, you're also dealing of course with this coaching. What would you say? What is the kind of the most profitable out of all these activities? Is this really coaching or something else there?
Dominic Vogel:Yeah. That's a really good question. Me, the ones where and to me, I look at having what I call sustainable clients, where I'm not just in there for a spell and leave. Right? To me, I feel I can have the most impact if I'm there over a longer period of time.
Dominic Vogel:Right? Because to me, this is ultimately around changing relationships. Mhmm. Changing, one could argue, changing culture. Uh-huh.
Dominic Vogel:Right? So getting to that point and being able to do that, that to me ends up being the most profitable ones because that has the greatest impact. I'm able to change the culture, change the approach, change the relationships. It's, like I said, generally a longer term relationship, and because it's so successful in really changing things, not just giving a deliverable, that I stay around, people want me to stay around because that was part of such an important change in the organization.
Dejan Kosutic:Yeah, I'm asking you this because lots of consultants are actually dealing, let's say, with training, right? And then especially if they charge per seat, right, they have some kind of economies of scale there because they're having actually several people at training and they are basically charging this, you know, not per hour, but basically per seat. Right? But if they do, let's say, coaching, then they have to charge probably... I'm not sure how you are charging, but if you are charging per hour, then the question is really how do you scale this? Right?
Dejan Kosutic:And so how do you make this a bigger business, so to say?
Dominic Vogel:Exactly. And you bring up a really good point. Like, I mean, one of the earliest lessons I learned as a consultant was not to exchange time for money because that does not scale. Mhmm. And to me, everything is focused on and the way I approach my pricing is what I refer to as value based pricing. Right? In which we're focused on what's the outcome.
Dominic Vogel:Right? Uh-huh. And taking more of a, like, just flat flat rate approach rather than saying, okay. I'm just gonna keep the meter running or, you know, and there could be a bunch of hidden costs. No one likes that.
Dominic Vogel:I jokingly call it, like, a a subscription model. It's like Netflix, right, where we can we can binge certain times or we can you know, if we need a month to to take a breather, then we will. Right? Mhmm. And, again, it's focusing more so on that bigger picture, longer term perspective, the goal is to strengthen the brand, strengthen relationships, change how IT sufferers perceive the organization, focusing on those types of outcomes, and giving us enough runway to succeed in doing that, then, like I said, more often than not, it ends up being a very successful relationship.
Dominic Vogel:And for me, I I'm starting off with at least a minimum six month requirement. Right? If someone says, oh, okay. Well, can we try it for a month? You can't change that in a month.
Dominic Vogel:Right? My minimum is at least six months. I'll say my my average commitment with with my coaching clients is usually around two years.
Dejan Kosutic:Great. So basically, you're you're making a long term contract with them, you're specifying, if I understood well, some, let's say, higher level objectives, and then you are coaching your way through to do these towards these objectives. Correct. Mhmm.
Dejan Kosutic:Makes sense. Makes sense. Yeah. When you mentioned this value based pricing, if I understood well, you're taking this concept from this Alan Weiss million dollar consulting book, right? It's
Dominic Vogel:Yeah. It's exactly that's His books are in my office here.
Dejan Kosutic:Okay, it's a great book, read it also. Can you explain how are you using this concept of value based pricing for your own business and to basically provide your services?
Dominic Vogel:Yeah, well it really helps me identify committed clients, right? And I found that as I've been firmer, you know, earlier on when I started being a consultant, I said yes to everyone. That led to some clients I was happy with, a lot of clients I was just like, oh, I can't believe I said yes to these people, they're so annoying and it's not worth the little money that they're paying me. I found that by being firm and focusing on that value based pricing, that those that understand that and buy into it, I'm going to say 95 ish percent of the time, and they end up being, if not higher, end up being amazing long term clients. Those that say, No, we'd rather pick, what's your hourly rate?
Dominic Vogel:We want an hourly rate. When I consistently say no to that, then it ends up being the best decision. If I bend and say, Oh, okay, yeah, I'll do it, they more often than not end up being a terrible client, right? So it really helps me determine and suss out who's committed, who's buying in, and who buys into essentially the concept I'm trying to sell them, right? So when I'm firm with that, I'm happy, and that's the thing, like I said, with each passing year, I've gotten better and better at saying no to those who don't buy into that concept.
Dejan Kosutic:And it's interesting, I mean, you're saying no to some clients, right? I assume this is very hard to say sometimes.
Dominic Vogel:It's hard, yeah. Sometimes they're easier than others.
Dejan Kosutic:Yeah, especially if there is money on the table almost, but you sometimes really have to say no. So what are your other criteria of basically saying no? So, how do you know when to say no?
Dominic Vogel:One of the obvious ones, so as I mentioned earlier, left corporate, I worked in an extremely toxic environment for an extremely toxic person. And so when I became a consultant, I said to myself, right, I'm not gonna work with jerks. I could use a more crude term, but I'll just say jerks for right now. And so I have a firm no jerks rule. When someone comes to me and I talk to them and I feel like they're not a good human, that they're a jerk, I don't deal with them.
Dominic Vogel:Right? That's why I left corporate. Right? That is the easiest thing for me to suss out. The thing is around if I'm for the opportunity to talk to executives and or board.
Dominic Vogel:If the board and or executives want nothing to do with me and they, like, just deal with IT, I don't deal with that because, again, my impact ability to make meaningful change is limited. Again, if it's a very specific short term project where it's, as I mentioned, with large organizations, like, we need help scoping out a pen test. Fine. That's good. But any of those coaching broader leadership ones, if I don't get face time with the board executives, I I say no to that because I know it won't be successful.
Dominic Vogel:Mhmm. It'll end up be like, oh, Dom, you didn't bring in the change you said you were gonna bring. Mhmm. Right? So I make sure I don't shoot myself in the foot by saying yes to an impossible situation.
Dominic Vogel:And like I said, the thing is around if they get the value based pricing or not, right? So I find that those questions, those lenses, like when I'm having these conversations, more often than not, they guide me to the right clients or they bring the right clients to me.
Dejan Kosutic:Okay, and if I understood well, this is what you mentioned now that you actually are getting to the board, it's something that is, I would say, valid for smaller and mid sized clients. For larger ones I assume it's not as easy to get to the board. How important in your philosophy is to really segment your markets and focus, let's say, on smaller and mid sized companies. Is there really a good market in small and mid sized companies?
Dominic Vogel:Yeah, I really believe there is, you know, and with each passing day, especially in North America, think it's just that to me is the base of the pyramid. All the small and mid sized businesses, which historically have under invested in cyber, they are getting slaughtered day in and day out. I field calls from companies that I never thought I would field calls from. Just two weeks ago, I had a call from a porta potty company. We got hit by ransomware, and they sell rental toilets.
Dominic Vogel:That's like, wow, I never thought I'd be speaking to a toilet rental place about cyber. Like, business needs it. They're all in this period of, I'll just say, rude awakening right now where they're recognizing they need to do more. They can't just do the basics of what they've been doing. So I really believe there's an opportunity there.
Dominic Vogel:And like I said, I think it's around crafting it in the right way so they recognize that you don't need to just break the bank to have a bunch of expensive security consultants taking, like I said, that coaching approach and building that out over time. That to me I think is more sustainable and more value laid. So I think, like I said, that's why I've chosen to keep focusing on them.
Dejan Kosutic:Okay, great. But isn't it that these smaller and mid sized companies are still much harder to accept that they need cyber, right? Because, okay, those that are hit, they understand, but, you know, large majority is out there not hit with anything. So is it hard to sell to them?
Dominic Vogel:It's hard to sell to them proactively, and especially everything which has happened globally at the start this year, that's made that all the more hard in terms of trying to sell cyber proactively. And I will even say anecdotally, looking at the clients I've onboarded, essentially 100 of them have come reactively, post breach, post being denied cyber insurance, post love B2B organizations who are saying, hey, we're getting all these security questionnaires from our clients and customers, we sell to Fortune 500, Fortune 1,000, we don't know how to answer these security questions. It's all very, very reactive. So where I've taken a marketing shift is that I focus more so on meeting people reactively. As a practitioner, I would love for them to be more proactive, but that's not happening.
Dominic Vogel:But there's lots of lack of term, there's a lot of meat on the bone for companies that are needing reactive help. There's no shortage.
Dejan Kosutic:Yeah, yeah, yeah. Unfortunately for them, right? And how do you actually reach, I mean, how do you get to these people? How do you get these leads from how do you get new clients?
Dominic Vogel:I appreciate that question. Yeah. For me, I generally focus on speaking engagements, so at least in Canada and The US, I get to speak to a lot of different business groups, business associations, virtually delivering talks around cyber, or if I'm talking to tech crowds, talking about the concept around coaching. So that's where I generally get most of my work, is through my speaking engagements, and I get a lot of my speaking engagements through platforms like LinkedIn, which is where, you know, we connected. So I get a lot of my speaking engagements through my content.
Dominic Vogel:So for right now, that seems to be working, and it's moderately scalable, but that's the model I'm working with right now. Great.
Dejan Kosutic:And I noticed that you want to have more than 35,000 followers on LinkedIn, which is, I mean, a great success. How did you make it?
Dominic Vogel:I appreciate that. You know, it's and I'll go back to this is a a theme here. By being very human oriented, right? Uh-huh. Most of my content is very much around human stuff, kindness, leadership.
Dominic Vogel:Very rarely actually do I talk about cyber. Right? My cyber stuff is is there, there, but by developing really meaningful relationships with people, that's allowed me to expand my circle of influence from what was originally just a few thousand to now 35,000 and growing. So I found that by focusing on being a human and not necessarily a security professional, that that's allowed my circle of influence to grow exponentially.
Dejan Kosutic:Yeah, this is great because people typically think of you have to post something very clever for anyone to follow. But you're really taking a very different approach and very successfully. So it's a great success. It's really something different I would say, a different approach. Thank you.
Dominic Vogel:I'm different if nothing else.
Dejan Kosutic:What would you say brings you more leads? These speaking arrangements or your LinkedIn profile or all these things together? Do you think?
Dominic Vogel:Yeah, it's very much I'll say, a system of systems. You know, doing what I've done for so long as well, especially in Western Canada and The US, I have a very deep referral network where I'm just stuff is always coming in, right? And that's great, and then by adding to that the stuff I get from LinkedIn, LinkedIn has been really good for getting me speaking engagements. Uh-huh. Right?
Dominic Vogel:So and then the speaking engagements is where I typically do more of the biz dev for the actual, like I said, coaching and or leadership. Mhmm. So it's sort of like this little circle there. Like I said, referral network, great, but LinkedIn gets me my speaking opportunities, speaking opportunities get me my coaching, and I just repeat that circle.
Dejan Kosutic:Uh-huh, okay, great, great. It's because, I mean, a lot of consultants are actually thinking about, thinking through how to really get more leads, and this definitely seems like a good way to do it. Okay, let's speak a little bit about AI. Lots of people are starting to use AI as coaches. They're asking ChatGPT or whatever, you know, how to do this and that.
Dejan Kosutic:And how do you actually see this consulting business in general or this specific service of yours, coaching service, you know, versus these AI technologies? Right? So do you see that in five or ten years from now, this will be a very viable business, let's say, option for you?
Dominic Vogel:Yeah, you know what? I think what's really interesting to me from the AI perspective is that where I'm even for my own coaching, where I'm looking at adding capabilities is being able to have people ask sort of, you know, after I've I've gone going through a process of, you know, training some AI tools, so if people have out of hours questions, hey, you know, I'm just struggling with this right now, they can ask sort of, you know, the DOM AI, you know, and just to get some quick feedback and thoughts. So I see great promise in that, I look forward to being able to integrate that into my coaching services. At least from a coaching perspective, I don't see it ever fully replacing it because at the end of the day, the conversations I have can be very real and very visceral and very emotional. Right?
Dominic Vogel:And it's about getting people to open up, getting people to say things that they normally wouldn't say. You know, one of the things that I pride myself on is when my coaching clients say to me, Dom, I only feel safe saying this to you. Right? And to me, it's about creating that safe psychological space. AI cannot create safe psychological space.
Dominic Vogel:Right? It can create a vacuum. It can create a space that you think no one's gonna hear it, but it does not create a safe psychological space. That's something only a human can do. Right?
Dominic Vogel:So, personally, I don't think I'm not worried about that. Maybe the leadership stuff and helping scope out a pen test, yeah, I'm more worried about, AI taking that work away. And you know what, I'd be fine with that because I love doing the coaching.
Dejan Kosutic:Right, and it's interesting actually, one of the interviews I did a while ago, basically, other consultant mentioned this concept of CEO, where chief empathy officer, right? Not executive officer, but chief empathy officer. Is something that in the context of AI, this empathy is really something that AI in the foreseen future will not be able to emulate. So this is something that obviously will be main distinguishing factor in this kind of services, right?
Dominic Vogel:Absolutely, right? The stuff that makes us human.
Dejan Kosutic:Yeah, exactly. Great, so to wrap it up, what would you suggest to consultants? I mean, some kind of key things to do or not to do as consultants?
Dominic Vogel:To me, I'll go back to that central theme. Be deeply human. Right? I really believe, again, we live in an extremely divisive period of time right now. We will lead more and more so in very disconnected time era as well.
Dominic Vogel:Right? If you take a more connected approach, right? See your customers, see your clients as people, as humans, focus on developing those deep, trusted, emotional, and very visceral bonds, that's where meaningful work will happen. Right? You will never be searching for work if you're doing it that way.
Dominic Vogel:If you keep treating people as a transactional approach, like I said, in a very disconnected time area that we're in, that's not gonna serve you well in the long run. I really believe the consultants that are deeply human and lead with being a human are gonna be the most successful over the next ten years.
Dejan Kosutic:Great. Great. This is a great insight. And our whole conversation actually was a great insight for me. So thanks a lot, Dom, and it was a pleasure talking to you.
Dominic Vogel:Likewise, thank you so much. I really enjoyed this.
Dejan Kosutic:Okay. Thanks again. And thank you everyone for listening or watching this podcast and see you again in two weeks time in our new episode of Secure and Simple podcast.
Dejan Kosutic:Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living.
Dejan Kosutic:On Advisera website, you can check out various tools that can help your business. For example Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead auditor and Lead implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27001 and other frameworks enable you to organize training and awareness programs for your clients' workforce.
Dejan Kosutic:Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up. It helps us with better ranking and I would also appreciate if you share it with your colleagues. That's it for today. Stay safe.
