Protecting Data and Models: Cybersecurity Insights and Pricing Strategies for AI Solutions with James D. Wilton and Bryant Tow

[00:00:14] We're going to dive into the intersection of AI, cybersecurity and monetization. Not just how we protect these technologies, but how we position and sell them. As AI adoption accelerates, so do the risks and the opportunities, especially for those who can align technical depth with business value. We've got two experts today, Bryant Tow and James D. Wilton, to unpack both sides of that equation, from protecting the infrastructure to pricing the innovation. Welcome to the Business Effect Lounge.

[00:00:44] the live version of the Business of Tech podcast. It's Wednesday, May 14th, 2025 and I'm Dave Sobel. We'll take questions and comments throughout the show, so make sure to put them in chat. If you have a question, we'll happily respond to it. Now I want to thank Sales Builder, our Patreon sponsor, whose support makes this show possible. Focus on your IT sales workflow with the power of automation and visit them at salesbuilder.com. That's B-U-I-L-D-R.com. A reminder, I am watching the

[00:01:14] chat. We'll keep an eye out for your questions. We'll pull them up on screen whenever they come in. Now, Bryant Tow is the Chief Security Officer at Leapfrog Services, where he leads comprehensive cybersecurity programs encompassing strategy, governance and operations. He's recognized for his expertise in managing cyber risks, particularly in the context of emerging threats like AI-driven phishing and deep fakes. Bryant, welcome to the show. Hey, Dave.

[00:01:41] I'm super excited to have you. And James Wilton is a founder and managing partner of Monovate, a consulting firm specializing in pricing and monetization strategies for SaaS and tech companies. With over a decade of experience, including leadership roles at McKinsey & Company, RELX, he is also the author of Capturing Value, The Definitive Guide to Transforming SaaS Pricing and Unshackling Growth. James, welcome to the live show. Good to be here, Dave. Thanks for having me.

[00:02:09] Now, guys, this is a fascinating mix of technical expertise and sales positioning. And I kind of want to start in right with a big issue that's going on right now, Bryant. AI in business means two big risks. Attackers targeting company data and attackers tampering with the models themselves. When you think about these risks, is there one that's more urgent that we have to put a priority on?

[00:02:35] I think it depends on your perspective. If you have the model, obviously you want to protect it. And if you're using the model, certainly you want to protect your data. Right. So having those two completely and unique defense positions impacts directly how you would want to use the model. Right.

[00:02:59] Gotcha. Now, James, this is interesting because as I think about this, when we're starting to now price these solutions, there's different levels of what we're working on. Right. We're looking on protecting company data. We're looking at integrating models. We're looking at enhancing the models and talking about the value of dual layer protection, both data and model integrity. Is there a way to talk about this that justifies premium pricing for the approach?

[00:03:25] Yeah, I think there absolutely is. Right. And I think it just depends how you how you frame it up. I mean, oftentimes within, you know, there are many different types of cybersecurity company with different features. Right. But I think oftentimes there are some which are really seen as the table stakes things that everybody needs to have. So those are things that people would expect to come a standard. And there are some things that sound like they're a little bit extra. They provide a little bit more protection. They're a little bit more advanced. And these are things that you can potentially put into premium bundles or potentially charge extra as add ons.

[00:03:54] And these are things that you think people are going to be willing to pay extra for things all about how different segments of your customer base are going to perceive the value for that. Yeah. And of course, I think the other access to that we should probably talk about in more detail is the architecture around it and thinking about how does the value scale with each of these features that you might be providing? And can you can you build a system that's going to allow you to charge appropriately the amount of value of that particular set of capabilities offers?

[00:04:23] All right. Brian, you're obviously the man to give us some perspective on that. Like, how would I would we put that together? Let's particularly focus on on the data itself, because I think the vast majority of customers are going to be thinking about protecting their data, where a subset are the ones that are going to be building models. You know, what's the way that we should be thinking about approaching that with customers? Yeah. OK, so come at this from a lot of different levels.

[00:04:46] So first first thing that that you want to understand is is there needs to be what we call an AI readiness assessment in place. Right. And starting with the strategy, starting with how how do you intend to use these models? Are you just purely doing chat based models, chat, GBT and so forth? Are you going to be doing videos and those kind of things? What what what is the use case and the value in the organization?

[00:05:15] And then that will give you guidance into what your infrastructure needs to look like. If it's simply chat, there's probably not much. But if you're doing heavy video editing and those kind of things. Right. And then when you get to the data, that is really the primary key. And when you're getting ready for this type of thing, one of the one of the things that people often forget is having that data properly categorized.

[00:05:42] Right. So we have to have not only because we talk about data classification as the primary thing for AI. So we know what we're protecting and where it is. But what I would argue and having rolled out several of these kind of things for our clients, it's really the data retention that needs to be looked at first, because just like if you're going to move across the country, you would probably have a yard sale before you moved everything.

[00:06:07] Right. So before we apply all of these security measures just as a blanket across across everything, we really need to classify. We need to make sure that we're only doing to the things that we need. And so so. So having that data retention policy, which leads to the fourth of the categories, which is the government.

[00:06:29] So when so even when you get down into like like training, like for your users, there's two very specific training areas that we need to look at. Number one is the governance around the AI. Right. What is acceptable use? How do we want our people to be using this this type of thing? Which ones if we can police which ones that they actually are using? And so forth. And then you need to train them how to use the tool. Right. So govern the tool and how to use the tool.

[00:06:58] So there's two very specific governance things around that. But, you know, to the point of the data, it really starts with not just classification, but starts with retention. Gotcha. Now, James, we both know that clients, their eyes are going to start glazing over too much in governance. Now, I know it's a foundational element to be successful at the end, but oftentimes they're going to resist. That initial step because they want to get to the perceived business value. Are there particular ways that you look at this?

[00:07:27] We kind of oftentimes put assessments or onboarding in a particular pricing category. Like, is there a way that works best position this kind of work? To position the work of assessing the risk, Dave? Yeah. Yeah. The assessment and the governance work that needs to be put in place first to make things useful with the AI data. Yeah. Yeah, no, absolutely. I think like oftentimes you find these kind of services and evaluations are done on these these sort of set up or onboarding fees first.

[00:07:53] Right. Because this is something which is it's not something that necessarily equates to ongoing value that the that the company provides. But it's something which there is value in terms of getting you set up there. So a lot of companies will end up putting those into those those set up or implementation fees when they're establishing these systems.

[00:08:13] Gotcha. OK. Now, the other thing that I knew that was an area that's real issue here is Brian, you've talked about the fact that the cybersecurity workforce isn't quite ready for the complexity of AI threats. Are there particular skills that, you know, managed services providers, SOC teams, security teams really need to be investing in to prep for this? Yeah. So interesting at if you're familiar with the RSA conference, this was like the world's largest security conference last was was just this past week.

[00:08:42] Yeah. And the skill the skill gap was was top of mind for a lot of those those areas. One of one of the most interesting things in that topic was one of the keynotes were basically talking about going after gamers and they applied the basic mentality of gamers being like, you know, like threat hunting. For example, they applied it to the I don't I don't know the names of the games because I unfortunately am not a gamer.

[00:09:13] But it was really attaching that that mentality to that skill set, which was really, really interesting to me. So I'm sure you could find that very quickly if you search for it. But the biggest challenge that we have and not having the the skills is where do they come from? Right. So typically when we need something, we go out and get it and we go go hire, hire it in. So you're seeing two different models in that.

[00:09:40] So you're hiring it fractionally to be able to get what you need for when you need it, especially as adoption is coming in and we're kind of sticking our toes in the water. And a lot of those types of fractional positions will come to our. And the other way is to take somebody that has capability and train from within. I'd say most of the skills gap that's being closed is literally being able to take people with not necessarily the skills, but with the capacity and then putting them in that area.

[00:10:10] Because there's a lot of people that are running to security, which is great. But it's they're not the general migration of the herd, so to speak, is not exactly fast enough. And it's just kind of all all over the place. James, I've been thinking about the skills gap problem from the from the positioning of outsourcing here. Right. And that traditionally, when we look at a space that has less skills in it, we oftentimes talk to customers that, hey, that's a service we can deliver for you because you're not going to be able to find those those people themselves.

[00:10:39] But we're also kind of in a world in a space right now where cost cutting is very heavily and people are looking at outsource contracts as one of the things to do to cut. Are there differences in message right now around the skills gap conversation? Or is it the same consistent message still resonates with customers?

[00:11:00] I think it just means that as with so many things in pricing, right, if you're going to be talking about your you're essentially selling this thing, you have to start with value and try to get a good sense of like how coming to us, getting the service from us delivers value that goes above and beyond what you could what you could do on your own. And this is a tricky space and area, right, because AI technology so nascent to still a lot of people figuring it out. It may not be apparent that, you know, some of the things that you will do here.

[00:11:27] What we have seen to be quite effective in this kind of case is to be able to actually try to break down how the value scales with a with a value calculator for customers. You can basically say if you were to try to put an estimate on the amount of value that completing the service with us would would would give you it is you calculate it by by this.

[00:11:49] It is the risk that you are avoiding multiplied by the probability that you avoid this this this risk potentially like comparing the risk of you are adopting a technology like this versus versus not. And that then like it allows them to get their arms around that extra value. And look, you're always going to have certain customer segments who are very price sensitive and frankly are going to go for but but but avoiding the cost, even if there is value there.

[00:12:18] But you know those value centered buyers who most of the time we're going to be wanting to attract that messaging is going to resonate provided that you you nail the the articulation of it. Gotcha. Now, interestingly, you just brought up something that I'm curious to go in this is is is the price sensitivity is often linked to size of customer. It's a general kind of rule in this and I know, you know, Brian, we also see this in cybersecurity resistance right into the smaller the customer, the more more typical.

[00:12:45] Brian, when you think about the the the cybersecurity and AI issues as we try and sort of scale them down for smaller customers. Are there particular approaches of delivering the solution or, you know, when we think about things like deep fake attacks and insider threat amplification? Are there ways of positioning this and bundling it for smaller customers that are particularly effective that help them align with that price sensitivity?

[00:13:13] Yeah. And, you know, to what James was talking about as the value, you know, we have to start with what exactly that I mentioned at the top of the show is talking about use cases and strategy, figuring out what exactly that is. And I think, as James said, the next step to that is to establish what the value is. You know, in the in the security space, we don't say return on investment because it's a little bit like like car insurance.

[00:13:39] Right. So, you know, whoever made whoever got a return on investment on their car insurance until something happens and you get a payout very much in the cyberspace. Right. So it's really, really difficult to to measure that as a metric. But I think the way we do it in cyber does apply over to a. And by that, what I mean is we look at levels of maturity.

[00:14:03] So, for example, if we are doing X, Y, Z with our technology and we're doing X, Y, Z with our governance, right, looking at processes and how all the and we're able to improve process efficiency with a certain level of that. You know, and I've seen a lot of the models where you look at the level of work that is being done now. Right. So like the human capital element of that and then how much does that you know what?

[00:14:32] What's the cost of the labor cost of all the other things and whatnot? What does it look like after? Right. There's a gap somewhere. But on the security side with what we're doing, if we're able to look at if we're doing all of these things, like I mentioned in the assessment and the readiness assessment, there's definitely a way to be able to see we're doing this and therefore our risk is is is significantly reduced. And that should be the pathway forward. Right.

[00:15:00] I think you bring up that sort of that reduction in risk as the element to it. And James, I'm kind of really curious to get your take on how pricing reflects where risk is, you know, because because I would feel like this is an element that needs to be translated into the cost of something, you know, for delivering value. It has to to build in the risk. How do we build in risk properly into pricing?

[00:15:26] Yeah, no, it's I mean, it's really it's well, first off, let's just call it. It's challenging. Right. Because really, I mean, the risk is a little bit intangible, but like that is this that is where the value comes from. It's like it's protection against risk. It is cost avoidance from having a disaster, essentially. Right. You you you prevent these disasters from from happening.

[00:15:46] But yeah, I mean, you really as you would with any with building in a pricing strategy for anything, what's really important is to try to identify the factors that are going to scale with the amount of opportunity here. So for risk, you know, it could be is it that, you know, does the risk increase with the level of exposure that you have, like with your attack surface, for example, or the amount of attacks on you?

[00:16:08] Or does it does it scale with the sensitivity of the data, like the type of the type of data that you are that you are predicting? Would it be more damaging for you to lose your data than for somebody else because of the nature of the data that you have? There are usually multiple different factors for this. Right. And, you know, within a good pricing strategy, what you're trying to do is price differentiate, build a structure that allows you to scale the price based on all these different areas.

[00:16:35] But that's the guidance that you should be thinking about, really thinking about what are the what other dimensions that affect that that that value and build out a structure that does that. And in a lot of cases, not always. Right. A lot of cases that usually means there is going to be some element of your pricing structure which is tied to the size of the company. Right. Something about that shows that scale is going to equate to the value.

[00:16:57] So this could be it could be a usage thing or a workload thing. It could be about the the size of the organization, the number of endpoints, whatever it is. Right. That ties to the scale and that potentially could be another sort of what we would call an implicit factor where you're changing the price list depending on companies that are in different sectors, which kind of aligns to the value that they get for their particular scale, given the nature of their of their particular business.

[00:17:25] And with all this, it just really it really comes down to a your objectives and how granularly do you want to be able to price differentiate and maximize your capture of the of the customers willingness to pay. And what's your tolerance for complexity on your end? Right. There's a lot of if you end up with this multivariate price model, there's a lot of complexity. Your sales teams have to be able to manage the price in that way.

[00:17:48] Now, Brian, Jim said something I'm really kind of curious to get your take on is like, can we play with some of the parameters of security pricing in a way like could we charge based on attack surface exposed? Like could we could we charge and position on some of the more potentially customer controllable risks, you know, exposure or lack of training? Like could we charge based on those? Yes, I think so.

[00:18:15] OK, so attacks of attack surfaces is an interesting metric. So when you're looking at risk overall, you know, external drivers, you know, bad guys out there and people, the amount of threats and then, you know, ransomware groups and all those kind of things, things that we have no control over. We do have control over our taxes and minimizing that that threat vector, minimizing that attack surface is always the key to start your your program.

[00:18:44] So if you're charging for that, then you can reduce the cost by reduction of the overall overall attack surface. And then the and then how the data in and of itself is is stored and where it is stored and what the threat would be to that data. You know, and I'll give you examples. So any of our managed customers that are that are on our premium stack, meaning, you know, they have endpoint that got sound.

[00:19:13] They've got everything that we do for security with. They have all of those things in place. We have very few, if any problems with those points. Very well. And you could argue today that the adversaries are not so much breaking in as they are logging in just because we've all reached terminal velocity with our data because it's all been breached, I guess, probably at some point.

[00:19:39] So clients that fall victim to an MFA fatigue or something along those lines where you'll get an account takeover. But then nine times out of ten, we'll catch that under unusual logging because we watch that and we'll see it before really anything. Anything happens. So when you talk about pricing and so forth, if you spend the money, you will reduce the risk.

[00:20:00] And if you don't spend the money, you want 90 percent or higher of all of the issues that we have with clients are those that are very hesitant. Maybe it's because of price point. Maybe it's because cultural inertia towards not wanting to do the things that they need to be doing. A lot of the executives are not to be ageist, but they're older and they like kind of things the way that they are and they resist that change.

[00:20:25] And those are the ones that get hit because they haven't had they won't put the MFA in place or they won't do something like that because it's going to cause them a little bit of a problem. So that's where we have our problems. Well, find the younger customers is a more difficult way to approach this. Now, James, as I think about that, like there's a classic answer that I want to make sure is still relevant here in terms of the value of an ongoing service.

[00:20:52] Brian's just described a premium service, which is exactly what we want to get our customers to and delivering. But I know that there are potential risks in terms of once you've been perceived as always making the problem go away at times, the fatigue goes away and like, well, why am I paying for this? Are there particular bits of advice that you offer broadly to sort of say like, hey, these are the things you do when you've achieved what Brian's exactly talking about to make sure that customers continue to perceive the value over time?

[00:21:21] Yeah, no, absolutely. It's like shifting baseline that we talked about. Right. Like, you know, we sort of started here and I improve things and got you to here. But now we've been here for a long time and now I don't see the benefit anymore because we're here. Right. Right. It is. It's it's it's difficult. I think there's I think one thing that companies can think about doing is always sort of reminding what that starting point was and calling out the change that has been that has been made. Indeed, you have driven that change.

[00:21:48] And I think depending on the nature of the particular product that you're talking about as well, you may be able to run reports that show this is the work that this particular solution is doing for you over over time. Like, for example, if you have like if you're if it's an anomaly detection type software, right? These are the amount of anomalies that we have detected over the past over the past X months and that you have been able to to resolve here.

[00:22:12] So while day to day, the buyer may not be seeing anything happening because, you know, they they're not getting they're not having attacks going going through threats are being are being neutralized. You are communicating all these things that are happening in the background and letting them know that there is a lot of value going on that is that is keeping their their life relatively event free. Yeah. And Dave, I have something for that as well. Something I was great.

[00:22:38] Yeah, something that when I talk to my clients because that that objection will call it is very common. And, you know, why am I paying for this? You know, nothing's happening to which I tell those people, I want you to go out and take out your seat belts and your airbags out of your car right now. Because you're not using them at the moment, you're not seeing any, you know, whatever.

[00:23:04] So, oh, oh, wait, that's that's still you're there's still a risk there. And you're doing these things to continually you wear a helmet. You know, when you ride a motorcycle, you've got locks on your doors. You have all these little things. I want you to take all of those things away because, you know, you've not had anybody break in your house for a year. Well, you don't need locks on your doors anymore. You should take them off. Right. And when and as as you know silly, maybe is that is that my sound? It's the it's the actual truth.

[00:23:32] The reason you weren't having those types of problems is because you have locks on your doors. Right. And so it's a bit of a joke. But there's there's a there's actually a lot of a lot of truth, a lot of value that that kind of a comparison. Well, I'm going to as I sort of get us towards the end of this conversation here, I've got one one sort of follow up for each of you that I'd like to think about. We've talked about the security skills shortage, but we also then danced a little bit into some of the messaging.

[00:24:01] Is there a bit of a messaging shortage here? Are the security leaders doing enough to connect with the go to market teams and driving the right kind of value conversation out to the customer? I'll take that one. So, yeah, so I'm not sure where that was going, but Dave knows I always have something to say. So here we go.

[00:24:25] So I'm going to I'm going to reflect that back to you, Dave, in just a little bit different way and say that the answer should be yes. But the value and where that comes from, not the security, the value where that comes from and understanding, comprehend, comprehending the risk and then the value that's placed on that and how the business is protected needs to come from the leadership of the business itself.

[00:24:53] If it comes from the security guy, we're all a bunch of people that are crying wolf and we don't know what we're talking about anyway, because, you know, for whatever. But the business minded person that can take that can understand, can comprehend the risks, associate that into the business model and then communicate using their language back into the organization. That's really where the way. And we call that term from the top, right? That's a it's an old age old cyber security term.

[00:25:22] But from a business perspective and demonstrating overall value, though, though, though, though, the pot of gold at the end of the rainbow, so to speak, is taking that understanding, comprehending of risk, translating it to the business language so that it's understood what those risks are to the business, not to the technology. And James, as you look at this, this side of the from the other side is you're looking at from the business solution to the technical teams.

[00:25:48] What's your take on the kind of potential misalignment there about positioning these kinds of solutions? You know, it's interesting, kind of broad-down this way, David. I mean, I think what I've seen looking at this is that I hear a lot of pull from from the buyers sort of saying, like, we are concerned about the security of our data with AI, right? Now we don't know where all this data is going. We need to make sure it's protected, et cetera, et cetera.

[00:26:13] Actually, I see that a lot from the clients that I've been speaking to and also just a lot of the stuff that I've been reading around the space as well. So I think that is there. And yet there are a lot of AI native solutions that you look at, and I don't see many of them talking about advanced security features or trying to differentiate themselves on their level of security. And I think it's an opportunity, right? There is a hunger there and there is a need there. I think there's an opportunity for somebody to be able to say, we are more secure.

[00:26:41] We will make sure that everything is protected and make you feel very good and safe about adopting all this technology in the way that you would like to adopt it. Well, I think we've just identified where some of the good opportunity is. Guys, I don't want to be taking too much of your time. So I want to make sure listeners get an opportunity to reach out if they've got follow up questions, particularly for watching the recording. Brian, if people are interested in getting in touch, what's the best way for them to do so?

[00:27:06] It's real simple on any of the socials, LeapFrog Services. We're LeapFrogServices.com. There's my email address. You can certainly find me there or on LinkedIn. And James, if people are interested in learning more about what you're up to about pricing, how can they reach out? Yeah, absolutely. I think best way would be on LinkedIn. My handle is James D. Wilton. Guys, this has been interesting to match the risks of cybersecurity out there with the best way that we can do positioning. And I really appreciate you joining me today.

[00:27:37] Thanks, Dave. I want to tease an interview that actually has already come out and I wanted to make sure you didn't miss it. Srinivas Krishnaswamy joined me for a discussion about his new book, Inbound Marketing in the Age of GPT, which delves into the evolving landscape of customer search behavior driven by AI and its implications for managed services providers.

[00:27:58] He shared some actionable insights on optimizing marketing strategies, leveraging community engagement and adapting to the new AI driven content consumption paradigm to effectively reach and resonate with target audiences. Here's a preview of that interview. Gotcha. Now, let's let's balance that a little bit, because you've given some thought into the difference of what search is really good for. And now with this new AI prompt paradigm is for help me frame that a little bit for me.

[00:28:28] There's there's certain things then the traditional search is going to be really great at. And what's the difference with the prompting is going to be really good for? That's a that's a great question. Right. See, you know, there are if you were to really break down the types of searches that people typically have, it falls into one of the three buckets. First one is informational.

[00:28:49] I'm searching for information, for example, what are some of the options available for me to secure my mobile devices that my employees might be using on the field? So that that's the search. Obviously, if you are in group, probably have a shorter search phrase. Maybe you will type the entire sentence, whatever I just said in chat GPT to get an answer in these scenarios.

[00:29:15] You know, you know, generative AI chat bots really do a terrific job in responding to you. The reason they are able to do that is because you can give it a lot more context in your prompts. You don't have to just restrict it to, you know, the question that I said. In fact, you can even provide context. For example, I am a business.

[00:29:39] Let's say I am a nonprofit business and I have people on the field carrying tablets. They are going from place to place, you know, collecting donations, and they have these tablets that will allow them to register the donor information and collect payments.

[00:29:57] Let's come up with this hypothetical example. So if I were to add this context to the prompt in chat GPT, I will get a, you know, really tailor-made response. Now, I can't expect that kind of a response with Google search. So there is a fundamental, you know, difference in the way GPT works vis-a-vis Google search.

[00:30:20] And in the context of informational searches, like the example that I gave you, GPT will win hands down in terms of the quality of content, right? Or the response. But then there are other types. For example, if you go to the next slide, you also have navigational searches and transactional searches. Now, there is a difference between the two. What are navigational searches?

[00:30:45] So these are, for example, when you know where you want to go, for example, log into this particular application, log in for ABC app, right? So you already know where you want to go. And in this case, it's kind of, you know, pointless to expect, you know, 10 paragraph response. You just need the URL that will allow you to, you know, get there. Similarly, transactional intent, right? These are, you know, e-commerce purchase related intent, right?

[00:31:14] Where you are really looking at buying something of value. And so these are two types of searches where, you know, GPT hasn't really solved it very well because of the nature or the interface that they have built. But I am guessing given a few more quarters, they will start going after these types of, you know, interactions as well.

[00:31:40] So it's just a question of figuring it out in terms of how do you really bake it into the conversation model that they have built. That's number one. And at the end of the day, I also think market forces will force them to make money eventually. Right now they have pulled in billions and billions and dollars of investments. So the money lies in the transactional search terms, which results in a sale, right?

[00:32:09] Closer to the bottom of the funnel. So that is where the difference is right now. This conversation came up several times in news articles I've covered on the regular news show and thus why I wanted to highlight this as well as part of what we're seeing going forward. Now, my patrons get access to my interviews early.

[00:32:30] They can sign up at patreon.com slash MSB radio to sign up to get early access to all my videos, interviews drop on the YouTube channel and podcast feed on the weekend. Now, I want to thank Sales Builder, our Patreon sponsor whose support makes this show possible. Focus on your IT sales workflow with the power of automation and visit them at salesbuilder.com. That's B-U-I-L-D-R.com. And vendors, you too can get your name mentioned on the live show. It's a simple monthly subscription.

[00:32:59] Visit patreon.com slash MSB radio for more information. And listeners, you can support the show, like, share and follow on your favorite platforms or support directly on Patreon with our give what you want model. You set what you think the content is worth and you get access to videos early. If you have a question and are listening to the recording, send it in at question. Thanks for joining me for the Business of Tech Lounge and I will see you next time.