Christian Espinosa, Author, Speaker, and CEO, comes down to the Ranch to talk about the journey of starting, growing, selling, and moving on from the business he created, Alpine Security. From correcting the problems with his high IQ staff to unshackling himself from the golden handcuffs of a business sale, Christian breaks down the specific conflicts he faced on his entrepreneurial journey— and reveals how these experiences have inspired two books about cybersecurity, business ownership, and life itself.
[00:00] Finding business coherency in the one-page strategic plan
[08:39] Selling Alpine security & transitioning from leader to participant
[13:46] Escaping the golden handcuffs & embarking on a new career journey
[17:35] Outlining seven steps to emotional intelligence in cyber with his first book
[20:34] Embarking on appreciation of life’s little moments with book number two
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
What were the challenges in growing the business you started, and how did you overcome those?
Christian’s inspiration for Alpine Security, his first business, was actually the stress of a conflicted relationship with a CEO he worked with. Feeling misaligned with the company he worked for, Christian left and began his journey towards entrepreneurship, thinking that his work ethic and willingness to do it all would lead to his success. Instead, refusing to delegate and lack of focus on leadership created conflicts between himself and his employees.
“I had to get over myself. Initially, I thought I’d do everything. I thought I could brute force this and make this work. I just tried to do it all myself. If my staff was having problems with something, I would jump in and help, but there's only so many hours in the day.”
Was your intention to sell your business from the beginning? What was the process of selling like?
Although he advises every entrepreneur to have an exit strategy, Christian admits he didn’t initially create one with Alpine Security. After agreeing to a deal with Cerberus, Christian learned the hard way that the process of a business sale can be like a pair of golden handcuffs. Struggling with a lack of control and feeling constantly under scrutiny, Alpine Security eventually lost its founder as Christian embarked on a new journey in his career.
“In my company, I was in charge of the culture, the core values, the emotional intelligence, the touchpoints, the clients, all of that. Now that I was part of the larger organization, I wasn't in charge of that. I had to approach things differently.”
Can you tell us about your first book and the seven-step process it outlines in cybersecurity?
Major struggles during Alpine Security’s founding were due to a lack of emotional intelligence and people skills amongst staff, in Christian’s opinion. These conflicts inspired the 7 steps of emotional intelligence for cybersecurity practitioners that Christian outlines in his first book, The Smartest Person in the Room. These steps include: awareness, mindset, acknowledgement, communication, mono-tasking, empathy, and Kaizen (continuous improvement).
“My first book is really about all the challenges I had in the company I started. 99% of the challenges I had were because of my staff, who were super bright, super high IQ penetration testers that didn't have emotional intelligence or people skills.”
What are you going to do with your new book? Is that also cybersecurity related?
In contrast to his first book, which focused solely on cybersecurity professionals and the struggles they face with people skills in the workplace, Christian’s second book dives deeper into mindset. Focusing more on the value of life and the ideas around mono-tasking, Christian inspires his readers to care more about the micro moments. This second book is all about slowing down, seeing what’s happening around you, and seriously absorbing the information we take in every day— from the big moments to the little moments and everything in between.
“I think a lot of us go through this zombie state in life, going from one thing to the next thing, and we're distracted with our phones and everything else. We're missing a lot of things that are right in front of us.”
Check out Christian’s book, The Smartest Person in the Room: The Root Cause & New Solutions for Cybersecurity
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
It was a big challenge for me because I came from running my own organization, where everybody reported to me, to being in a company where I reported to other people when I had peers. One of the things that was interesting, and I think about this quite a bit is, in my company, I was in charge of the culture, the core values, and now, as part of a larger organization, I wasn't in charge of that. So, I had to approach things a little bit differently.
Howdy, y'all, and welcome to this Cyber Ranch podcast. That's Christian Espinosa. He's retired Air Force. He's a former consultant. He's a former Director of R&D, consultant again, instructor, VP of Product, and author of a very popular book on cyber. But the reason he is down here at the Ranch today is to share with us another interesting journey in his career; conceiving a cyber business, building that business, selling that business, wearing the golden handcuffs, and now, moving on and beginning to build another business. That is a journey I'm sure many of you are interested in. So, thank you, Christian, for coming on down to the Ranch to share it with us.
Yeah, thanks for having me on the Cyber Ranch, Allan, I appreciate it.
Cyber Ranch Intro 01:02
Welcome to the Cyber Ranch podcast. Recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts. Here's your host, Allan Alford.
So, I already gave some highlights of your career in cyber. How about the biggest high point for you and maybe a little bit about the newest, what you're doing?
Sure, the biggest high point for me was probably— At the time, I thought it was a low point, I was working for a company, I was a VP of Cybersecurity Products, and I wasn't aligned with a CEO. We had a quite a few run ins, and I just felt stressed a lot. I was getting paid a decent salary, I kind of ticked all the boxes, I had a decent title, decent job, but there was stress and friction there. So, it was to the point where my mental sanity was at stake there. So, I decided to quit the job, without actually having another job lined up, and it's the first time I'd ever done something like that. I just gave notice and quit and there was no other job. So, that forced me to kind of reevaluate my career path and I thought, "Well, I have a lot of contacts here. So, why don't I try freelance work or solopreneur work?" And that's what I ended up doing. So, it was that moment where there's a lot of friction, I decided to quit, though, and it kind of put me on a path that led me to starting my own company.
Got it. Okay, so, that's where you are today. Now, you got a new company you started again?
Yeah, I've got quite a few different companies in different industries. Yeah. I guess I'm a serial
entrepreneur, as they say, at heart.
Fantastic. So, let's start with: What did it take to go from, "Gee, I'd like to start a business," to actually
starting one? That moment you think, "Wouldn't it be cool if I ran a business that did x?" You know, and now you've launched a business that does X. How does that transition work?
When I was doing freelance work, or solopreneur work, I was teaching cybersecurity classes, doing penetration testing, and doing audits, I was doing a little bit of everything. The reality is it got kind of boring and routine for me. I was making a lot of money. I had a lot of free time, but I felt like it wasn't growing personally. So, I felt like what better way to grow and contribute to society than to form a business. I had a lot of people ask me, kind of through my solopreneur career, if I could do more work and my answer was always no, it's just me. So, I thought, well, if I form a business, it'll force me to grow and it will allow me to increase my capacity to deliver to clients that have an interest of working with me. So, that's what I did.
Fantastic. You see that you're going to add some value, you get it off the ground, you start from a position of doing a various few things here and there, and you kind of hone in. So, now, you've got the business going. Getting it off the ground from that original conception, what were some of the hurdles? What were some of the challenges in growing it, and how did you overcome those?
There were a lot of challenges. I thought it'd be easy to start a business and have payroll and
employees and run it and clients would just show up, but there were a lot of challenges. I had a kind of a vision of a dashboard with all these dials and when you turn one of the dials up, another one goes down. If you turn sales up, delivery capacity goes down. If you turn delivery capacity up, sales goes down. It's like you never get the dials quite balanced. So, with me, the challenges were getting those dials balanced, having the right amount of sales with a process behind it, the right amount delivery with the process behind that, and marketing. One of the things I neglected at first was marketing and sales. I just kind of felt like, "Well, if I build this company, people will come," but it's kind of like that Field of Dreams movie, people just don't come. You have to market. You have to get the word out, you have to network. A few of the things that helped me is I had to get over myself. Initially, I thought like do everything. I thought I could brute force this and make this work. I just tried to do it all myself. If my staff
was having problems with something, I would jump in and help, but there's only so many hours in the day and after 20 hours every day, you kind of get burned out. So, I ended up seeking some outside counsel and outside advice, by joining some peer groups. Vistage is a group I joined, the Genius Network. With other business owners that were on the same path as me, or further ahead of the path, so I could shorten my learning curve. And one of the things that really helped was this thing called the One Page Strategic Plan, it's just literally one page, but it gets everything dialed in on one single page; your messaging, your target niche, your staffing, to make sure you have the right people in the right roles, because one of the things that I had to realize, when I tried to do everything myself, there are certain things I'm not good at and I just don't like to do, like processes. So, I had somebody on my team that is really good at processes, so I made her the COO, and she helped nail down all the processes, and I could focus on the vision and the way forward. So, it's a combination of a lot of different things, but it was definitely an intense learning curve.
Yeah. Alright, so, some of it was the school of hard knocks, some of it learning from folks on the outside, getting help from those who've been there before. I also heard in there finding folks with the right skill set to align with the right roles, right? Finding that operationally minded person to be your COO, I can't help but think was super key to your success.
Oh, it was, yeah. Like you said, the school of hard knocks, I did pay a lot of dumb tax, as they say. It was definitely a growing experience.
Okay, so you're growing the business, you're getting it off the ground, you're fiddling with those dials, you're getting your delivery versus your sales versus your marketing versus your operations, you're worried about payroll, you're getting all that going. And somehow, you're also growing over time. What does that growth look like? Were there specific growth strategies that you went for? Did it just sort of organically happened as you worked on the dials? Talk to me a little bit about the growth aspects of it.
Yeah, this is the ironic part. It's kind of counterintuitive to a lot of people, especially when you're in the business and you've got payroll, you have to make payroll and everything, you want to take all the clients you can get, even if it's a stretch for your delivery team. So, initially, I would take pretty much any client that needed cybersecurity help. If my staff couldn't figure out how to deliver, I would step in personally, but I realized that that strategy was stretching us thin and we weren't really growing from that strategy. So, what I did is I niched it down and focus on a specific niche, which was medical device cybersecurity assessments and penetration testing. So, when I focused on that, because there's a compliance requirement for it, the FDA requires medical device manufacturers to have a penetration test done, have a third party do a cybersecurity assessment, and I thought this is like the blue ocean, there's not a lot of people doing this. So, I niched it to down to that. I wrote blog articles on it. I did videos on it. We SEO-ed our website. So, when somebody searched for medical device cybersecurity,
we were the first search results to pop up on Google. And that is when we really started growing quite a bit, because we hadn't narrowed it down to where we were one of the few companies that did something specific. So, niched it down is really, I think key. At first you don't want to do it, but I think it's critical to find a specific niche.
Yeah, it seems a little counterintuitive, even almost. To grow, shrink, right? Like, shrink your focus to grow your business.
Exactly. It does seem counterintuitive. Yeah, but it works.
That's a lesson learned. Those that are trying to get their cyber practice off the ground, heed that one, that sounds like a very good lesson to me. Alright. So, now, you've grown the business, you're booming, life is good, and there's buyers. Did you try to attract buyers? Was your intention to sell? Did the buyers just approach you and say, "Hey, we want to buy you?" Where did the buyers enter the equation and how did the buyers enter the equation?
I didn't really have an exit strategy when I started the business, which in hindsight, you should have an exit strategy. I just sort of started it and figured things out as I was going. I noticed though, when it got to a certain point, that there was a lot of interest in buying the company. So, I had a lot of different offers, which would come in through email, through LinkedIn, through a phone call, and I entertained most of them just to get a feel or a sense of what people were looking for in a company, what they were willing to offer. It's kind of like when you are looking for a job, you interview with a lot of different places to get a sense of what's out there and the options. One of the offers I had, the one I ended up taking, I felt like it aligned with me. The company that bought my company is called Cerberus. It's like the threeheaded dog that guards against hell. Ironically, I have a patent on a device called Cerberus and my
squadron at the Air Force Academy was called Cerberus, and there's a dog in this show I watched, SEAL team, called Cerberus. I thought, "This is weird. Maybe the universe is aligning, and I should go with this company." And they structured the offer a little bit differently, because they offered me stock and they had a roadmap to go public. So, I thought, there's little more upside on this, there's more risk, obviously, than cash up front, but if this roadmap is successful, and they go public and the stock rose, then it will help me more so than just a bunch of cash up front.
Right on. So, kind of a long-term play. It wasn't just a sale, it was a sale plus, you deliberately tied yourself to the buying organization, right? You became part of this and bet on a future play, and not just a sell and run kind of deal. So, that kind of leads me to my next question. Whenever you do a sale like that, obviously, your name, your reputation, your brand, your leadership, your presence in the company, all of those things matter in the sense of you the person. And so, any buying entity that acquires a smaller company is going to want the leadership to stick around, and it sounds like with the stocks, they incentivize you to stick around, right? But there's also kind of the golden handcuffs, where contractually, usually anyway, you're committed to sticking around. What was that like? Did you have a set period where you had to be there? What were the golden handcuffs like for you?
I didn't have a set period where I had to stick around. I had a lockup period for a year, where I couldn't sell the stock or anything. So, I sort of had some golden handcuffs. It's one of those things where I felt like, if I could contribute to the company's growth, that will help the stock, since I was a shareholder at that point. I wanted to stick around to help., and it was a big challenge for me, because I came from running my own organization where everybody reported to me to being in a company where I reported to other people when I had peers. One of the things that was interesting, and I think about this quite a bit is, in my company, I was in charge of the culture, the core values, the emotional intelligence, the touchpoints, the clients, all of that. And now, that I was part of the larger organization, I wasn't in charge of that. So, I had to approach things a little bit differently. When I had some friction with somebody that didn't have people skills and wanted to be smarter than everybody. I had to approach it differently from more of a peer level, versus supervisory level.
Let's pause right there and hear a brief word from our sponsor.
Axonius Ad 12:15
Hey, everyone. It's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast, like me, or an IT, or a Security Pro, complexity is inevitable. I've learned that the key to success is focusing on what you can control, go check out my video at Axonius.com/Simone.
What other challenges were there in that transition from leader to participant, right? Like, that's a radical gearshift, the longer you've been used to running your own thing, I would imagine that's an even more radical gear shift. So, what other challenges were there on that front?
Some of the challenges were, when I had my own business, I could do my own personal brand and I could do pretty much whatever I wanted. With the company that bought my company, they had, like I said, the roadmap to go public. So, there's a lot of more scrutiny over what I personally did, because they were focused on going public. So, like growing my personal brand, what videos I posted, anything I did on social media was under scrutiny, because they were looking to go public at that point. So, I had to tone all that down and pull it back, which was different for me because I thought, my personal brand with my company, Enhanced Alpine Security, the company has sold, but in this situation, it was sort of like I had to go dormant on my personal stuff for a while until the company went public.
Okay, so, restrictions on, what for you were default behaviors, having to wrestle with that as well. Alright, so now, you're with the new company. Now, you're learning to adjust. And now, the next stage, I guess, is deciding maybe it's time to move on and do something else again. What was that pivotal moment for you? Where did you decide, "Okay, this has been a run, now it's time to try something
I decided back in June to leave the company. I wasn't feeling like I was adding as much value as I wanted to anymore. I had been asked to take specific leadership roles, but didn't want to because my whole plan all along was not to stay with a company. I didn't want more responsibility. So, I left in June, and it was liberating. My goal, I remember planning out my year in December of last year, and one of the goals I have this year was sovereignty. So, for me, that's freedom from a lot of constraints and my life is in my own hands. So, it felt very liberating, and initially, I thought I would just take a bunch of time off and do nothing. I did take about six weeks off. I traveled around and saw my favorite band, Nightwish. I think I saw them like, six times in the US. I just was like a groupie. I went to Hawaii for a few weeks and I started a couple different ventures since then. I'm doing some real estate investing with short term rentals. I started a new cybersecurity company. I'm opening up a med spa with a partner in St. Louis. And I'm working on my next book. So, that idea of taking all this time off was only about six weeks, really, and I also bought an RV. So, it's a 1974 Winnebago Brave, like a super old RV
that I plan on living in for a while.
That's cool. Okay. Alright, I was gonna say somebody with your background, I can't imagine like six weeks, that sounds about right for what I would expect, in terms of your tolerance for doing nothing, despite your plans, right? Planning to do nothing, and six weeks later, you're doing 18 things. So, let's deconstruct some of that a little bit. Do you want to share what your new cyber company is doing? Or, are you still in stealth mode?
Basically, I have a cybersecurity company where I'm doing penetration testing, medical device, cyber assessments, but it's by referral only. I'm not out actively marketing anything, because I do a lot of speaking engagements and talks, and I felt like if somebody wanted help with something, I have a platform to help them basically. Cyber-related, anyway.
Yeah, right on. Okay. Alright, so, let's go back in time, let's talk about your first book, because I
mentioned that in the leader, but we haven't talked about that yet. Why don't you tell folks about your first book, and then we'll talk about what you're doing for your second book?
Yeah, my first book is about my journey with my company, my cybersecurity company that I sold, Alpine Security. It is really about all the challenges I had in the company. 99% of the challenges I had were because my staff, which is super bright, super high IQ penetration testers didn't have emotional intelligence or people skills. So, they would talk over a client's head, not understand the client, and make the client feel misunderstood or appreciated. And even internally, there was like this fear where somebody would be afraid of say they didn't know something, out of fear of being ridiculed by another teammate. So, I thought, "This is not the culture I want for my company." And I realized, when I saw it from the perspective of a CEO, running my own company, it kind of clicked that this is a problem the entire industry. I used to be part of that problem. I used to be the one that talked over somebody's head, because that's how I felt significant, by being smarter than other people. So, I decided to shift
that culture in my company. All the things I did that worked is what I ended up putting in the book. The book is really about a seven-step process of how super high IQ people can develop emotional intelligence and people skills to remove that glass ceiling that's holding them down.
Oh, I love it. Can you rattle off the seven steps? You don't have to go into the whole book, but just what are the seven steps? Can you tell me?
Yeah, the first step is awareness. So, awareness of yourself. I talk about neurolinguistic programming quite a bit in the book and strong neural pathways. So, when you're triggered, you automatically kind of run this program that goes on autopilot and before you know it, you've read execute the program. So, it's important to have the awareness to do a CTRL-C or stop that program from running and run a new program or new behavior. Okay, the second step is mindset. So, I talked about a fixed mindset versus a growth mindset. A lot of people in cybersecurity say, "I'm just not good with people." That's an example of a fixed mindset, because we can all get better at something, right, which is the growth mindset, right?
Step three is acknowledgement as a leader. One of the things I struggle with is acknowledgement. I remember like finishing the Ironman World Championship in 2015, in Hawaii. And as soon as I crossed the finish line, I was automatically thinking about the next accomplishment I wanted to do. Yeah, versus taking a moment to like, pat myself on the back when I realized is, if I can't acknowledge myself, I'm going to have a hard time acknowledging my staff. Step four is communication. With communication, I'm a believer that the meaning or the purpose of communication is response you get. So, if you're not getting the right response from somebody, the ownership is on you to alter how you communicate, it's not to place blame on somebody else for not understanding. And then, step five is mono-tasking. Monotasking is the opposite of multitasking. Mono-tasking is to do one thing with concentrated focus, break
your day up in blocks of time. You only work on that one thing during that block of time, and it shifts you from being busy to being productive and it also helps your presence when you're communicating with someone. If you're there in the conversation, you're going to be a better communicator than if you're half listening, on your phone, texting somebody, etc.
And then, step six is empathy. In our world today, there's a lot of division. We like to focus on us versus them, even in cybersecurity. It's like, we're the cybersecurity team, they’re sales or marketing, they’re management, and all that division makes us see fellow humans as separate from ourselves. We all have the human condition in common, and it's hard to have empathy when you're focused on division. So, I talk about cognitive versus effective empathy in the book. Steps seven is Kaizen, which is a Japanese word for constant and never-ending improvement. I'm a believer that we're not going to achieve perfection, but if we're making progress, that's what matters. Kaizen is about getting to the root cause of something, not just improving on it, finding that root cause and then, making the incremental improvements. It also gives you the confidence to get started on some of these steps, because often we feel like we don't know where to begin. With Kaizen, it’s about taking that first step and then making
corrections along the way, and that's the journey of life. That's the journey, those seven steps I just went over.
I love it, man. Alright, how about the new book? What are you going to do for the new book?
The new book is on— It's not cybersecurity-related. It's all what I call the in-between. It's the micro moments of life that are often ignored, because we're so focused on the macro. It's about approaching those in between moments with some intention. That could be something as simple as driving to dinner. The dinner is like, the macro thing, but the drive, if you approach that properly, could have more meaning to the actual dinner. I think a lot of us go through this sort of zombie state in life where we're just sort of going from one thing to the next thing, and we're distracted with our phone and everything else, so we're missing a lot of things that are right in front of us. Really, I believe the micro moments of life are what end up making a life in total, basically.
Was it John Lennon who said, “Life is what happens when you're busy making plans?”
I didn't know John Lennon said that. That's the good one, though.
I think that was John Lennon, I could be completely wrong with the source of that quote, but life is what happens when you're busy making plans was the quote, I'll have to research who said it. I have to look that up. Yeah. All right. So, listen, Christian, I've got one question I ask every guest at the end of the show, and that is this: You are given a magic wand and you can wave the magic wand and you can change any one thing about the world of cybersecurity. It could be people, process, tech, the ecosystem, the culture, the business of it, anything. If you could change any one thing about cybersecurity, what is the one thing you would change?
I would change the people. I think in cybersecurity, we have the processes, the frameworks, the technology. The thing that's missing is the people skills. In cybersecurity, we tend to hire a lot of people that are super brilliant, that don't want to work with other people. I'm believer that you get what you tolerate. So, when you hire people that are not good communicators, that are always trying to posture as being smarter than everybody else, I believe that's hindering the industry and hurting the industry a lot. I think if we can develop those people skills in our super brilliant high IQ staff, in high IQ people in cybersecurity, we would move the industry shifted much further along.
I love that. Alright. Well, Christian Espinosa, author, CEO, consultant, pen tester, retired Air Force trainer. You've done it all. Thank you so much for coming on down to the ranch. Thank you, listeners. Y'all be good now.