Byte Sized Insights: IT Leaders on Security: Tools & Time

Author: Todd Bortke

Published: September 4, 2025

We gathered IT leaders to discuss two major topics: AI and security. In this blog series, our panelists, each with unique industry backgrounds and strategies, will share their insights on today’s top-of-mind questions.


In regard to security, I have a two-part question:

#1, I’d like to know your impression of the tools that you’re using right now to protect your organization: are they keeping up with the changing landscape and threat vectors?

#2, would you mind sharing how much time you spend on a weekly/monthly basis around security-related items?

Jason:

I would put myself at maybe 5 to 10 hours a week of actually doing security activities. Between meetings, looking at logs, trainings, KnowBe4 (phishing campaigns), looking at servers, patch management, vulnerability management, and more, all those things cascade into time. And then we pay somebody to watch our environment: an MSOC and an MDR service, so I interface with those guys on almost a weekly basis, not including the incidents they send to us to review and confirm if it’s natural in our environment, or if it’s something that we should be concerned about. So, there’s all types of activities that we’re always doing.

And for the tools, the short answer is no: it’s always going to evolve. Bad actors will always be one step ahead of us. If we could ever get to the point where the tools keep up with the evolution, I would sleep better at night. Your security program has to be pretty diverse in what tools you’re using, and it has to be complete. Don’t negate or dismiss anything that’s supposed to be part of the checklist. NIST 800-171, CMMC (Cybersecurity Maturity Model Certification), ISO 27001, or whatever framework you choose to follow, you need to achieve the whole checklist. To stay up to date is always a struggle and it’s consistent maintenance, upkeep, and a lot of training.

Jon:

Well, it’s like you’re in a king-size bed but you’re covering it with a queen-size blanket. You always feel like you’re never really comfortable. It’s a vicious cycle, and it’s just part of what we do. One big mission statement that we’re trying to push is “simple and secure.” That just means if you minimize your exposure, that should minimize your risk. Minimize the amount of data you have out there, endpoints, servers, etc. When new threats are coming out (zero-day vulnerabilities) those are the hot and heavy items you have to patch right away, but we have all this other legacy software that has its own vulnerabilities we forget about. In our environment what we’ve tried to do is take a practical approach. Our IT staff, like most, runs really lean. So, we leverage NCI for some of that security posturing. We also have a SOC as a service. One thing that can help automate is making sure that you have a patch schedule for your critical infrastructure, and all your endpoints: physical endpoints and virtual machines. We don’t have a designated security person because my outlook is cyber security is a shared responsibility between IT and the rest of the company. So, we send out simulated emails and monthly education. Even within our IT department everybody has their own area that they’re focusing on for security. And I’ll be transparent with the group, it’s a tough challenge. I don’t think you’re ever comfortable.

“[Cybersecurity] is like you’re in a king-size bed but you’re covering it with a queen-size blanket. You always feel like you’re never comfortable.”

Joel:

Whether or not the tools are keeping up to date for us I can’t answer a “yes” or “no.” The blanket answer is “no.” We know that educating our end users is number one since they’re the most vulnerable point. But in our organization, there’s so many basic things we can get better at, and we don’t feel like we’ve exhausted all those basics yet. I can’t say that the tools are not keeping up when we’re not even leveraging all of them yet anyway. As far as how much time I spend, I’d say about a quarter of my time on security-related items, and I’m by no means the front lines; my team spends a lot more time on it than myself.

Jay:

The bad actors in the world have access to way more tools to attack than we do to protect. Not to mention, they’re inventing more tools at a faster rate to attack than we are to protect, so no environment can be considered safe. And anybody in a security role that’s too comfortable and thinks things are safe, might not be a security person by nature. Also, you need written incident response plans. Literally write it down. Run through scenarios on a repeated basis, and ask questions like: Have we thought of everything? Are we going to be able to recover from this? When this happens how fast can we recover? How can we limit the damage? One of those scenarios will happen at some point, and you have to be prepared for it. There’s no better security for yourself than preparation… and not sleeping. That helps.

Follow along in this series as we dive into more questions from today’s IT leaders. Want the rest of your Q&A insights right away? Watch the 45-minute panel recording on demand now.


Meet our Panelists:

Joel Weber has been with Vector Windows, of Fergus Falls, for about 12 years. He currently leads technology, cyber security, and physical security operations. Vector Windows has between 100 and 160 end users.

Jason LeZalla has been with Microbiologics, Inc. for 2 ½ years and is the IT operations manager. They have 270 users, and 500 computing devices due to the science equipment and all the instrumentation they have.

Jon Artz is with KLJ Solutions Holding Co, a civil engineering company of about 600 spread across 26 different offices.

Jay Tambornino is with the Minnesota Bankers Association (MBA Consulting Group). They have 17 employees in their office and advocate on behalf of banks in Minnesota.
