Are we spending too much time listening to our users when it comes to authentication? We all know a password-only solution is weak and full of security holes. We try to remedy that with multi-factor authentication, but adoption is so low. Why don’t we just force people to adopt passwordless? Don’t even give them an option. It’s our way or the highway.
This week’s episode was recorded in front of a live audience at the Colorado Convention Center in Denver as we kicked off the Rocky Mountain Information Security Conference (RMISC). Joining me, David Spark (@dspark), producer of CISO Series, on stage was my guest co-host, Jay Wilson, CISO for Insurity. Our guest is Michelle Wilson, CISO, Movement Mortgage.

HUGE thanks to our sponsor, Trend Micro

Full transcript
[Voiceover] Best advice I ever got in security. Go!
[Michelle Wilson] Know your audience. So if you’re emailing an executive, make sure that you start with what you need. Are you asking them a question? Do you need them to make a decision? Are you just letting them know something? And then be succinct, to the point, and if you need to elaborate, do that later.
[Voiceover] You’re listening to CISO Series Podcast recorded in front of a live audience in Denver.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer and host of the CISO Series, and sitting directly to my left right here, this is Jay Wilson, he is the CISO for Insurity. Big round of applause for Jay, let’s hear it for him.
[Applause]
[David Spark] Our sponsor for today’s episode is Trend Micro. You see them on the screen behind us. Those of you listening at home – you don’t see them, but you’ll hear more about them later in the show. Jay, we are at the Rocky Mountain Information Security Conference, or RMISC the locals call it. Last year was the first year you came here.
You said you were blown away. What was it that blew you away?
[Jay Wilson] So, I think the thing that really blew me away about RMISC, as we call it, is that when I think about security conferences, I think about conferences where I gain knowledge from the content, the great speakers, the networking aspects. But when I compare RMISC to other conferences, I’m usually thinking about the bigger conferences, the national conferences.
When I think about it, I’m thinking, “Oh. Well, how does it compare to Black Hat [Phonetic 00:01:46]?” Not, “How does it compare to the local other conferences that we have?”
[David Spark] Right. This is of par of a big conference because I will say I’ve never attended a local conference of this size. And also, the sheer number of sponsors that are here. It’s astounding.
[Jay Wilson] Yeah. You really are impressed by our sponsor list.
[David Spark] It is quite an impressive sponsor list. Yes, I will mention that it is. I also saw that people that attend this conference get CPE credits…
[Jay Wilson] Yes.
[David Spark] …for coming here. I hate to break it to everybody. You’re losing them from watching this show though.
[Laughter]
[David Spark] You get a demerit from this. And also, I appreciate that they served alcohol before our podcast, which is great. I thought nickel beer night though was a bad idea. All right. Let’s introduce our guest who’s joining us as well. Thrilled to have her onboard. She’s a brand-new CISO, 90 days, am I correct, 90 days a CISO?
[Michelle Wilson] That’s right.
[David Spark] That is awesome. It is the CISO of Movement Mortgage – Michelle Wilson. Michelle, thanks for being here. Let’s hear it for her.
[Applause]
[Michelle Wilson] Thank you, David.
[David Spark] All right. Let’s begin.
Are we making the situation better or worse?
2:57.889
[David Spark] So, should companies be forcing users to go passwordless? That’s what Expensify did earlier this year by announcing they were dumping passwords for, get this, “magic links.” They actually didn’t call it passwordless, that’s what they called it. So, in Expensify’s new authentication process, links would be sent to your email or mobile, and you would use it in that way to log in.
No password necessary. But moving to passwordless has not been easy. We can look at its test case, which is multi-factor authentication, which has struggled with adoption. So, regardless, the industry wants to go in this direction. Apple, Google, Microsoft, they’re all adopting a phone-based passkey system.
So, how are we going to get there? Do we have to be like Expensify and just rip off the Band-Aid? Now I know Mailchimp offered a discount to users who adopted MFA. Won’t forcing passwordless though elicit, “We’re going to lose customers from the business”? And while there are guidelines from both Microsoft and Gartner on how to do this, according to Paul Wagenseil in an article in SC Magazine, they admit it won’t happen overnight.
There will be a period of transition. So, I’m going to start with you, Jay, on this. What’s it going to take? I mean, do people like their passwords? I mean, if they’re using their dog’s name, I’ve got to imagine they’ve got an emotional attachment to it.
[Jay Wilson] I mean, I think it depends on a lot of factors. Password policies are part of the bane of society usually.
[David Spark] Mm-hmm.
[Jay Wilson] But that’s changing right now. NIST came out with recent publications – I say “recent” like five years ago, but recent – that provided guidelines on digital ID that said, “Hey, you shouldn’t be changing passwords on a regular basis. You should be using long form pass phrases.” Do people like their passwords?
Well, if your password doesn’t change and it is your dog’s name, hopefully mixed with some other things, then yes, maybe they do like their password. [Laughter] But I think passwordless is still something that I’m looking to get towards. I do think it’s a progression. You don’t just wake up one day and say, “Okay. Everybody’s passwordless.”
[David Spark] Well, this is what Expensify did. They said, “You’re going there.” For some, that’s the way to do it. By the way, Expensify also in a financial industry like both of you. I know that many organizations struggle with this. Do you struggle with this?
[Michelle Wilson] Absolutely. There are two other aspects to it. One is there are still legacy applications that aren’t going to work with passwordless, so the most pain-in-the-neck application that I have today, it’s going to be a long time before it works that way, so the value isn’t going to be perceived.
The other piece, and I’ve had customers argue with me before, when we made it too easy to log into a system and they felt like it was less secure because it was suddenly simpler, we had put all kinds of other security in the back.
[David Spark] And that’s the thing. Users think passwords are secure. Security people know it’s not secure. So that’s a weird dynamic to get around, isn’t it?
[Michelle Wilson] Absolutely.
[Jay Wilson] Yeah. And more difficult doesn’t mean more secure.
[Laughter]
[David Spark] All right. So, let’s see if we can isolate some success cases here. There’s no massive amount of convincing that’ll get everyone onboard, is there? That’s not going to work. There is going to have to be an either phased approach that’s going to ultimately come to removing a Band-Aid, yes, you believe?
How do you see it, Jay?
[Jay Wilson] Well, look. I’m actually pursuing passwordless as an initiative. I wouldn’t say I’m going to Expensify this thing.
[David Spark] Yeah.
[Jay Wilson] I’m going to take a slow roll kind of approach to it and really make sure that my organization’s ready for it. But I see a tremendous value in it, both from the user experience perspective but also from the security perspective. There’s currently a series of attacks that are occurring, especially if you’re on the Microsoft stack, that have impacted different people that target the multifactor authentication that Microsoft uses.
If you’re in the passwordless side of this, you avoid those kind of crosshairs. So, there’s a real push from just the plain old “make it more secure” perspective of using passwordless.
[David Spark] There’s an endless balance, isn’t there? There’s no right answer here.
[Michelle Wilson] No, there’s not. I think people will just become accustomed to it. When you first got your iPhone and it wanted to use your face, people were uncomfortable. They’ve gotten comfortable with that now.
[David Spark] This is a good point. Yes.
[Michelle Wilson] So, getting into the comfort area where it’s the norm.
[David Spark] This is what I like in this too. Is that moment that everyone first put their credit card online and realized it was okay.
[Michelle Wilson] Right.
[David Spark] There was a time people were scared to do this. Nobody’s scared to do it now.
[Crosstalk 00:08:07]
[Michelle Wilson] Well, my mother-in-law is.
[Laughter]
[David Spark] Not currently.
Why has this topic suddenly become the center of attention?
8:12.725
[David Spark] What do you think I’m going to talk about? ChatGPT! It’s the topic of attention. So, ChatGPT could or can provide the cybersecurity industry the following benefits. According to an article by Ashwin Krishnan on TechTarget, these are the things it could provide – cyber defense automation, adversary simulation, reporting and threat intelligence.
But are we looking too deep? This is my question.
On the cybersecurity subreddit, a redditor asked, “What does the future of cybersecurity look like with the rise of AI?” And one redditor responded this way, listen, “Our customer wanted us to prepare a tabletop incident response exercise. I basically copied their email to ChatGPT and told it to prepare the scenario and the timeline. Then I copied the answer to email, changed just two things, and then sent them. The customer was happy. Saved me a half an hour.” So, I envision the real benefit of ChatGPT, and essentially all these new AI tools, being that those creative people who know how to take advantage of the tool at the right time quickly slicing out time-intensive projects.
So, I’ll start with you, Michelle. Do you agree or am I selling the benefits way too short?
[Michelle Wilson] I agree in the near term that that’s probably the benefit of GPT. I know people that have used it to help write their policies, to make sure their policies aligned with regulations that they were required to meet. There’s benefit to it. It’s got some downside too.
[Laughter]
[David Spark] Yes, yes. We’re aware of it. Okay. Have you seen either yourself or anyone on your staff find a creative moment and opportunity to take advantage of that or any of these generative AI tools?
[Michelle Wilson] I did have an employee admit to me that they’ve been using ChatGPT to help write scripts for incident response.
[David Spark] That’s good.
[Michelle Wilson] Yes.
[Jay Wilson] I feel like that’s always the way in which it comes across to a CISO is…
[Michelle Wilson] Admit?
[Jay Wilson] …admit, right. “I had an employee admit that they used ChatGPT.”
[David Spark] Yeah, okay. But that’s good. Probably you were probably happy about that because they found a way to be more productive.
[Michelle Wilson] Right. And not put anything sensitive up there, they know better.
[David Spark] Did you applaud that employee on their work?
[Michelle Wilson] I did.
[David Spark] Excellent. That’s good. All right. What has happened in your environment?
[Jay Wilson] Well, I’ve actually gone out to my team and given them kind of a warning, like, “Hey. These tools are taking the data that you put in them and they’re trying to claim ownership over it, so you need to be aware of what you’re doing.” Now, I’m not taking a “ban it out of the company” stance.
I was in a session earlier today where you kind of put it into three categories. Like, hey, just let anybody do anything with AI, ban it, or try to find, call it, the term was “contained use of AI.” That’s the approach I’m going down. I think it’s a revolutionary technology. We need to embrace it like everything.
If we don’t, it’s going to bypass us and we’re going to end up holding other problems upward as a result.
[David Spark] Well, I’m completely fascinated by it and every time I sort of read about it and read about the different ways you can do the prompts, I realize, “Oh, my God. This is at a sort of level of creativity my brain’s not at,” and also realizing, “Oh, I didn’t realize you could do it this way,” kind of a thing.
That’s where I’m thinking, it really is going to be – and by the way, and this is how I see it in the future – people are going to be putting this on their resume, like, “I know how to use ChatGPT at its fullest extent.” And those people are going to be of great value. Let me ask you – would you hire someone who really knew ChatGPT well?
[Michelle Wilson] I think I would, honestly. We have a lot of push for automation. I could see someone that was very skilled with that being very successful.
[David Spark] Yeah. I mean, showing you opportunities that you don’t see. Which is often what you want to do in cybersecurity – someone giving you vision you don’t have.
[Jay Wilson] Yeah, I completely agree. I think the interesting side of ChatGPT that some people I’ve talked to internally, they don’t think about the negative use cases, right? So, here we go, let’s replace the search engine with a ChatGPT-enabled system. Have you thought about what happens when you ask it, “Hey, I really don’t like XYZ company,” or whatever the question is, and they’re like, “Oh, I guess people could put that in”?
It’s this sudden silence, and I’m like, “Yeah, we need to think through these negative use cases.”
[David Spark] Although ChatGPT has put some controls, like I know that if you say, “What do you think of this person?” it won’t actually tell you.
[Jay Wilson] Absolutely. There’s ethics generation that’s gone into the process.
[David Spark] Which I’m very impressed by.
[Jay Wilson] Absolutely. But there’s always going to be gaps in that, right?
[David Spark] Yes, yes. You can’t think of everything.
[Jay Wilson] So, I think the other aspect of this that’s interesting to all of us in cybersecurity is now we’re going to have to spend time catching the gaps in ChatGPT. There have been multiple cases in the last few months people have been able to either discover or just plainly exploit vulnerabilities, leveraging ChatGPT just by kind of tweaking it, telling it the right things, feathering its ego, whatever it might be.
That part of ChatGPT’s scary as a CISO.
[David Spark] How scared are you by it right now, Michelle?
[Michelle Wilson] Not as scared as I am sitting up here.
[Laughter]
Sponsor – Trend Micro
13:51.996
[David Spark] I want to tell you about our sponsor Trend Micro, which by the way, those of you who are fans of the CISO Series, you know they have been with us practically since day one. They have been a phenomenal sponsor of the CISO Series. Let me tell you a little bit about them. At Trend Micro, everything they do is about making the world a safer place for exchanging digital information.
They believe cyber risks are business risks, and they empower organizations with complete visibility of their digital assets to understand how well they are protected and where to prioritize their investments to lower their risk.
Trend Micro secures the world by anticipating global changes in modern infrastructures, evolutions in threats, shifts in user behaviors, and advancement in application development. They help their customers transform cybersecurity from siloed technologies – nobody likes that – to a unified security platform that accelerates digital transformation, hybrid workforce collaboration, SOC modernization, vendor consolidations, and operationalization of zero trust strategy, while integrating with their existing investments and partner ecosystems.
As a global cybersecurity leader, Trend Micro’s platform, threat intelligence, and services are deployed by over 500,000 enterprise customers across 175 countries and recognized by third-party reviewers and industry analysts. You know where to find them. You just go to trendmicro.com.
It’s time to play “What’s Worse?”
15:32.630
[David Spark] All right. For those of you who have heard the podcast, this is hands down the most popular segment on our show, the “What’s Worse?” scenario. For those of you who’ve never heard it before, let me clue you in. I have scenarios that have been sent in from our listeners. And actually, usually it’s just two scenarios, like you pick A or B and they’re both bad.
This first one – actually, we’re going to play two games of “What’s Worse?” – this first one has three different scenarios that you have to choose from, and it’s quite involved, so stay with me. It’s a risk management exercise. All of these scenarios stink. You’re not going to go, “Oh, that’s the one I want.” No.
You’re going to hate all of them. But again, it’s what’s worse. Which one of these three is the worst of the three scenarios? All right. I’m going to want everybody else’s feedback in the room as well, so stay with me.
This is from Jason Dance of StubHub and here’s the scenario. You are a small cybersecurity team of three serving many thousands of people and a number of complex systems. Let me ask you – in this room, by applause, how many are a team of three or less? By applause. By applause, don’t raise your hand.
I said by applause, they can’t hear you on the podcast by a hand. A few. Still people raising their hands. All right.
[Laughter]
It’s not easy. All right. Making pragmatic decisions, you are able to cope with the load of your security program without problems. However, out of nowhere, one of your staff quits, reducing your available manpower to two. That’s you and one other. You put the role out on job boards to get the third person, and almost all the applicants are not very skilled in how to secure the components in your business technology stack.
In fact, you find it a challenge to attract candidates that make it past the initial phone screen, and it is taking time away from you securing the business. Five months go by without filling the open role and the other employee is starting to show real signs of burnout. All right. This is crappy. Now the three options are also crappy here.
Here we go. Option number one – you take a chance on the candidate market. It hasn’t been working up until now, but you carry on as you are and try to reassure the other employee who’s getting burned out that you’ll find someone soon – option one. Option two – reduce the security program coverage at the expense of security to the business and the possibility of failed compliance actions or a breach – that’s two, also stinks.
Number three – you hire in help from an MSSP. Oh, this is sounding good, but wait. They’re in your price range but you have a minimum of 48-month lock-in. And after signing the contract, you engage with the MSSP and see that they are not very good with securing your tech stack. You spend more time to manage the offboarded tasks to make sure they’re done properly, and also you spend three times the pay of the replacement hire, which requires a variance on your budget, and the CFO is now critical of your decision-making process.
All right. That’s a doozy. That’s a long one. They don’t usually go that long. I will start with you, Jay. Which one’s worse?
[Jay Wilson] Worse? I would go with number two.
[David Spark] Okay, all right. I’m going to ask you for all three. Why is that one worse? And then give me number two and number three in terms of worse.
[Jay Wilson] Well, I think the role of security is to make sure the company’s secure and compliant typically, so if you’re going to…
[David Spark] So, doing number two…
[Jay Wilson] …sacrifice that, then what are you doing?
[David Spark] Right, right. But if you stay as you are, you could lose that employee, and you could be trying to be Superman trying to secure the whole company and you’re going to be miserable.
[Jay Wilson] Of course you’ll be miserable.
[David Spark] Yes. All right.
[Jay Wilson] I think we’ll be miserable in any of these scenarios.
[David Spark] Yes. You’ll be miserable in all of them. But two is the worst. Now, if you were going to pick a second choice, the second worst is?
[Jay Wilson] My second worst in this list would be number three. And it’s mostly because I like number one because I would keep on trying to find somebody. The scenario is not that far from reality. I mean, forget the three-person team part. I’ve been hiring people for months and months and months many times before, and you just keep trucking on and you find people eventually.
[David Spark] It’s just the hope [Inaudible 00:20:01] number two is not going to give up?
[Jay Wilson] Yeah, that’s right.
[David Spark] All right. Michelle, I’m throwing this one to you. Which one’s worse?
[Michelle Wilson] All right. I’m going to be contradictory because that’s fun.
[David Spark] All right, go for it, please. Makes it more fun.
[Michelle Wilson] I’m going to say three is worse.
[David Spark] It’s pretty horrible.
[Michelle Wilson] They’re all horrible. Three, I see as worse though because of the distraction that you’ve got on top of the strain of everything falling to the one employee that you still have. So you’ve now added distraction both for you and for that employee. So you may not have intentionally reduced the size of your security program or scope, but you did because now there’s another distraction for that team.
[David Spark] And number two, the second worst is?
[Michelle Wilson] Yes, two.
[David Spark] Is number two, all right. I’m throwing this to the audience. By applause – again, don’t put up your hands, they can’t hear your hand when it just gets thrust in the air on the podcast – by applause, how many think just wait it out is the worst scenario? I saw one person raise their hand.
[Laughter]
[David Spark] All right. Nobody thinks that’s the worst scenario. All right, that’s good, you agree with it. All right, number two, you would be agreeing with Jay here. How many think two is the worst scenario? By applause.
[Applause]
[David Spark] All right, good.
[Jay Wilson] I think you’re going to win the show.
[David Spark] Who thinks number three is the worst scenario? Michelle.
[Applause]
[Michelle Wilson] I told you I loaded the audience.
[David Spark] I think three won. But here’s the problem. A lot of the people applauded for both two and three.
[Laughter]
[David Spark] And some people didn’t applaud. Some people didn’t applaud because, “I don’t want to play,” which is not a way you can play this game. You have to play with everything. All right. We have one more which is not nearly as long, and this comes from Dustin Sachs of World Fuel Services. Your smartphone is hacked and all your texts and calls are being monitored or having all your social media accounts and actually embarrassing photos that were not on social media but from your hard drive are being posted.
Which one is worse there?
[Michelle Wilson] Again, both awful. Two, I guess.
[David Spark] Having your social media and all embarrassing photos? So, you do have a collection of embarrassing photos.
[Laughter]
[Michelle Wilson] Of course. My mom does too.
[David Spark] And your mom does too as well, okay. I have posted some of them, some of my embarrassing photos, so everyone’s seen them. If you see my bar mitzvah photos, they’re pretty bad. All right. Jay, one or two, which one’s worse here? Again, let me remind you, everyone. The smartphone hack, texts and calls being monitored.
The second one is embarrassing photos all over social media.
[Jay Wilson] It’s a tough call, actually. I could go either way on this. I will be contradictory and go with number one this time, just because my social media’s relatively clean.
[David Spark] They’re doing this…
[Jay Wilson] Mostly because I just don’t do social media. [Laughter]
[David Spark] But no, but more the issue is embarrassing photos get pushed to the social media via your accounts.
[Jay Wilson] That I don’t have?
[David Spark] You don’t have any social media accounts?
[Jay Wilson] No, I do have. I have a couple.
[David Spark] I’m connected to you on one of them.
[Laughter]
[Jay Wilson] No. I’d still go with number one, mostly because of the risk to the business that I’m tied with on my phone.
[David Spark] Good point. So, obviously, Jay’s more concerned about the business than you are, Michelle. You’re more concerned about yourself.
[Laughter]
[Michelle Wilson] Not true.
[David Spark] Well, we got this revealed in this “What’s Worse?” scenario right here. All right. So, you’re focused on the business. That’s a very, very good point. All right. By applause – and again, only vote for one here – scenario, from the audience, by applause. Your smartphone hacked and all your texts and calls being monitored – is that the worse scenario?
Applaud.
[Applause]
[David Spark] All right. A good amount of applause. The embarrassing photos, second scenario. How many people applaud for that?
[Applause]
[David Spark] Oh, far less on that one. Far less. So far less people have embarrassing photos. Unlike you, Michelle, all right.
[Michelle Wilson] [Laughter]
They’re young, eager, and want in on cybersecurity.
24:00.274
[David Spark] All right. Ricki Burke, founder of CyberSec People, offered some excellent myth-busting advice for those eager to get into cybersecurity, and here are some of my favorite tips that Ricki offered – it’s not who you know, but who knows you. That one’s a good one. Your industry experience outside of cybersecurity actually can be your competitive advantage; and you must demonstrate your current, not future, eagerness to learn.
And I’ll add – ask someone who’s done any hiring in any field to see what the process is like and what they’re looking for.
So, once I started hiring for my own business, I realized how poorly 95% of the people out there go about trying to get a job. Had I seen that back when I was applying for jobs, I would have done it very, very differently. So, I will start with you, Michelle. What is your favorite myth-busting advice you’d offer around hiring, and what from your process of hiring do you think most people do not realize?
[Michelle Wilson] I’m going to start with the second question. I think a lot of new people to the field think it’s good if they have a varied level of experience, which is true, as long as you didn’t job hop. So, if I see a resume that has one year, one year, less than a year, it doesn’t get any further.
It’s good to show that you can endure even if it’s not your favorite place to work.
[David Spark] What if there’s somebody in their early 20s? I mean, kind of that’s what you do in your early 20s.
[Michelle Wilson] You should at least be able to stay somewhere a year. For a new person, stick it out.
[David Spark] Right, right. But sometimes reality sets in and that’s what’s happened. You can’t not be that person. Let’s say I’m a job hopper and it’s just I’m in my early 20s and that’s just the reality of what happened.
[Michelle Wilson] Mm-hmm.
[David Spark] How do I shine a bright shiny light on, or add some sort of – not shine a light on – but make it look better than what it obviously looks like? Like how do I convince you that’s not me?
[Michelle Wilson] I don’t know if you could in an interview, to be perfectly honest.
[David Spark] Really?
[Jay Wilson] Ooh.
[David Spark] So, those people are ruined.
[Laughter]
[David Spark] For you, at least.
[Michelle Wilson] For me.
[David Spark] We’re going to come up with a better answer about this by the end of this segment.
[Michelle Wilson] [Laughter]
[David Spark] All right, Jay?
[Jay Wilson] That’s interesting.
[David Spark] We’re going to come back to the myth-busting advice later. All right.
[Jay Wilson] Yeah, yeah. That’s interesting.
[David Spark] What would you say to that, to her thing? Like how do I, if I come to you with that kind of resume, how do I say, “This is not who I am, and I can prove it by this.” What could I do?
[Jay Wilson] Well, if you’re actually having that conversation with me, you probably already got past the point.
[David Spark] Right, right. But is there something I could say in a cover letter maybe?
[Jay Wilson] Maybe. I mean, look, I think that varied experience matters a lot to me, so that advice that you read off resonates with me. And job hopping is a thing that a lot of people do, so the way I look at it is not so much if you job hopped, it’s bad. More like if that’s all you do, that’s bad.
So, if it’s job to job to job to job all within less than 12 months or less than 18 months, then you’re not taking enough time to actually build enough context to be good at something, ultimately. Like, I don’t get good at any job that I’ve been at and I’ve only been at this job for eight months, so I guess I’m not very good yet.
But the point is it takes time. You need to dig in, you need to sink your teeth in. So I agree with the essence of what Michelle’s saying. I might not be so cavalier to say I’m just not going to pay any attention to them. But coming back to the bigger point about the myth-busting side of this, it’s not just what you’ve done, it’s how you get in front of somebody.
When people just apply for jobs, they’re not necessarily getting in front of someone.
[David Spark] That’s really good. The getting in front of you. Okay, I’m going to throw this back at you. What if I found a mutual connection that said, “Hey, do me a favor”? Jay’s my mutual connection. “Jay, please talk to Michelle. I know my resume doesn’t look so good in terms of all the job hopping, but we know each other. Could you put in a good word for me?” Would that work?
[Michelle Wilson] It probably would. And then to your point of what they could put in a cover letter potentially, things they’ve done independently on their own time, “I’ve learned this, I’ve set up a lab to do that, I’ve volunteered for ISSA or ISACA.”
[David Spark] Ah, ISSA, yeah.
[Michelle Wilson] There are things.
[David Spark] So, that would do it. Coming back to the myth busting, is there any sort of myth busting around hiring you’d like to throw out there?
[Michelle Wilson] I don’t know if it’s a myth, but really showing that you have initiative, showing that you spend your own time to continue to learn and that you’re proactive on what it is you do learn is really helpful in getting past some of the initial wariness. Especially if you don’t have that introduction from a known source to help you get in the door.
[David Spark] All right. Any last piece of advice, Jay?
[Jay Wilson] Yeah. I mean, I agree with the take initiative, I’ll give an example here. Recently posted a job. I had some people reach out directly to me on LinkedIn even though we weren’t connected. I thought that was taking initiative. I actually looked at their applications as a result. I’m not telling every one of you to reach out to me on LinkedIn but…
[Laughter]
[Jay Wilson] …but seriously, I took note, and those people got in front of me. And that was the real question – how do you get in front, right?
[David Spark] Yeah. I personally actually got one job in everything I did purely by just sending in a resume. I was more shocked that I got a call than anything.
[Jay Wilson] Yeah, I would be too. That’s never happened for me.
[David Spark] It rarely happens. But no, we’re bringing on somebody else on staff too, and I was just more than blown away. Like I wrote requirements like, “Please do not send in anything if you don’t fill those requirements,” and 90% of them did not fill those requirements. Astonishing.
Maybe you shouldn’t have done that.
30:17.716
[David Spark] All right, so this is a controversial topic, and that’s cybersecurity awards. Mark Curphey of Crash Override wants to put an end to the endless stream of non-credible cybersecurity awards. This effort is supported by Thinkst Canary and Resourcely. They launched a site, sillysecurityawards.com.
It exists. Check it out. And they’re offering evidence for how bogus these awards are. One case I know is Haroon Meer of Thinkst Canary created a – believe this, this is true – he created a fictitious person from a fictitious company and he paid the fee and he won the award. Curphey pointed out that the Cybersecurity Excellence Awards published on their site, that if you pay them $1,900 you will “significantly increase your odds of an award win.”
Now, I want to note though that legitimate awards like the Emmys do require an entry fee. And if you do win, you do have to pay for the physical award, and it actually costs $500 to get a physical Emmy. So, paying for an awards program is actually very common. The issue is paying to guarantee a win.
So, while passionate about this, Curphey realized “there is far more demand from practitioners to stop this practice than the vendors.” So, I’m going to throw this to you, Jay. Where do you see the value in any of these cybersecurity awards? Vendors see them as a great means of advertising and that’s why actually marketers are usually the ones offering them.
What’s your take?
[Jay Wilson] Look, it is marketing at its core.
[David Spark] Yes.
[Jay Wilson] I’ve never received or paid [Laughter] for one of these awards before. Doesn’t seem like it’s hurt my career. I didn’t even really think about this before we were talking about doing this podcast.
[David Spark] I mean, first of all, they give out awards to CISOs and that’s a whole other topic too that sort of drives me crazy because how do you determine what’s a good CISO or not. But these vendor awards, the vendors need more avenues to shine lights on them, and this is an avenue to do that.
[Jay Wilson] Sure. I guess the point I’m making is I’m not paying any attention.
[David Spark] You aren’t? So, when you see they mention all these awards, it’s wallpaper.
[Jay Wilson] It’s like noise to me. A vendor saying they won an award, they might as well just make up the award and not pay.
[David Spark] Well, which is often what the case is.
[Jay Wilson] Right? They don’t need to pay.
[David Spark] Oh, yeah.
[Jay Wilson] They can just make up their own award, like, “We just won Best Vendor of the Year.” According to who? I don’t know, I just made it up.
[David Spark] Yeah. If you’ve got a graphics department, make one.
[Jay Wilson] Yeah. Exactly.
[David Spark] All right. Michelle, what’s your take? First off, are there any awards that you do pay attention to?
[Michelle Wilson] No. I actually didn’t know about most of these up until we had our conversation. There’s some that I think maybe are a little more credible, if they’re Gartner Top 10 sort of things, but that’s not really an award.
[David Spark] Well, there’s a lot of argument about that.
[Michelle Wilson] There is some argument.
[David Spark] And I’m not saying that it is, but there have been arguments out there that the only way you get recognized by Gartner is that you have to pay to be a customer but Gartner, from a quote that I read, has flatly refused that.
[Michelle Wilson] There are foundations that spend a lot of their time, like Gartner, evaluating different solutions and products. It does give a little more weight but it certainly isn’t going to make my decision for me.
[Jay Wilson] Taking away the pay for play part of this conversation and just focusing on what are these things, one of those things is a plastic award that I just bought. The other one’s a report that tells me a little bit about the vendor that’s meaningful, right?
[David Spark] Right.
[Jay Wilson] So, regardless of whether I pay for it or not, it’s still more useful to me as a buyer to see you in a Gartner report than it is to see an award that you’ve just bought.
[David Spark] That is an excellent point because these marketing teams are not research outlets. They’re just offering shiny awards, for that matter altogether. For those of you interested in knowing, this website sillysecurityawards.com, you can actually go to it and there’s an option to pledge to stop them.
Now, I don’t know what the heck this pledge is going to do for any matter whatsoever, but that is the effort that they’re going for all around here.
It’s time for the audience question speed round.
34:46.948
[David Spark] So, this is our last segment, and I have in my hand a bunch of index cards that have questions on them from many of you that are in the audience right now. I think I have seven of these we’ll get through, maybe more? Seven, I think. We’ll try to get through as many of these as possible. I want your quick hot-take answers on these so we can get through these in the time we have allotted, but we actually have a good amount of time here.
All right.
This one comes from Anthony Getto of Cofense. Actually, a lot of people were asking this question about budget cuts. So, you’re getting the classic situation of you’re getting budget cuts but security’s not getting easier, attacks are on the rise, everything’s increasing. What is the sort of quick response answer of how do you handle the opposite of what you want?
Budgets going down, problems going up. Jay.
[Jay Wilson] You got to fight for what’s right.
[David Spark] Well, the bottom line is when budgets get cut, they get cut across the board. They don’t just cut from security.
[Jay Wilson] Sometimes they get cut across the board and sometimes you fight to keep the budget that is required to keep going.
[David Spark] Let’s just say your budget does get cut. You get it like 10%.
[Jay Wilson] So, you’re not giving me a back-door option here?
[David Spark] No, no, no.
[Jay Wilson] Okay.
[David Spark] So, what gives at this point?
[Jay Wilson] What gives in the security program? That’s a tough question. That’s not an easy question. You’re going to pick the thing that impacts risk probably the least.
[David Spark] Good point.
[Jay Wilson] Or your customers, right? So, if you’re at that point where you’re cutting a security program, how do you not impact the revenue stream at the same time, right?
[David Spark] Good point. Yeah. That’s a good point. Michelle?
[Michelle Wilson] Look for any redundancy you may have in tooling.
[David Spark] Yes.
[Michelle Wilson] If there’s a tool you can drop and keep most of the functionality you need and replace it with a little bit of extra hard work, then that’s usually the best option.
[David Spark] Yeah. But you make a good point about the revenue, that I’m like, “Yeah, I could cut this,” but the revenue’s going to go down too at the same time. So that’s how you fight for it. Good answer. All right. Next question. This comes from Michael Lines of Open Technology Solutions. How is the increased scrutiny with regulations in the financial industry affecting your security program?
By the way, one of the points he made is it’s constantly twisting every year, it’s getting tighter and tighter and tighter. I’ll start with you, Michelle, on this.
[Michelle Wilson] It’s getting tighter. [Laughter] It’s getting tighter. They’re also getting more interest in how we are accomplishing things. Which honestly, just makes us do a better job. I’m okay with that part.
[David Spark] All right. But it’s just making you better at what you’re doing, I mean, are you now focusing on different things because of the regulations, or are you like, “Well, now we just have to choose this, but we’re going to keep the security program as we’re doing it”?
[Michelle Wilson] For the most part. We try and keep the security program ahead of the regulations, so it’s more of making sure we have all of the little pieces that they’re looking for and the little things that they’re asking for that are different.
[Jay Wilson] Yeah. I mean, my opinion is the regulations typically are behind what a good program should be at. And so that doesn’t mean they don’t impact me, sometimes they do, but I try to stay ahead of it, like Michelle said. And ultimately, it doesn’t impact me if I keep an incremental kind of, “Okay, I’m going to see how it changes this six months, this year,” and always be aligning the program up to that.
[David Spark] All right. Next question. This comes from North Rittner of Antero Resources. What was the key driver to make you want to become a CISO? So, was there one turning point to say, “All right. This is what I want to do”? Jay?
[Jay Wilson] Yeah. I really like the role of a CISO because you’re an interface point between your clients and the business, that you’re working deep technical problems.
[David Spark] But was there something that happened to you, you saw a conversation, event, that said, “Oh, this is what I want to do”?
[Jay Wilson] Actually I got asked to be an interim CISO. That’s how it all started for me.
[David Spark] And you liked it?
[Jay Wilson] And I liked it, yeah.
[David Spark] And you said, “All right.” That was your moment. Michelle?
[Michelle Wilson] Mine was the first security program that I built and seeing a successful team and a successful program and seeing what all of us could do together. It was very motivating.
[David Spark] Oh, okay. Awesome. I like those answers. All right. This one comes from Den Jones of Banyan Security. Which are you more concerned about with generative AI programs, is it, A, more targeted attacks from these programs or employees uploading sensitive data? Which one concerns you more?
[Jay Wilson] Right now it’s probably sensitive data. I think over time, the first one, more targeted attacks will become the real risk.
[David Spark] All right. What do you think?
[Michelle Wilson] No. I have the same answer, unfortunately. I like arguing with Jay but I can’t on this one.
[David Spark] All right, okay, good. All right. This is from Brad Rager of Crux, and he asks what are the criteria you screen for that are nontechnical? I’m sorry, Crux is recruiting for him so he’s asking a question, when you’re recruiting people. And so when you’re recruiting for these and you’re screening for these nontechnical skills that really you can’t put on a resume, how do you do that?
[Michelle Wilson] I used to give a quiz and it was less about whether they could give me the right answer. It was more about if I could see how they processed the question and evaluated. So assessing their ability to troubleshoot and how they think as opposed to can you tell me what port something is.
[David Spark] Is there any way you can screen for this beforehand, like in the resume or the cover letter?
[Michelle Wilson] These were things I did during the interview process.
[David Spark] So there’s no way you can figure out this.
[Michelle Wilson] I don’t know if I can’t, I just haven’t. [Laughter]
[Jay Wilson] This isn’t something that I typically am able to screen for at the resume level.
[David Spark] It’s tough. It’s very tough.
[Jay Wilson] For me, it’s more like I think of security as it’s a business where we interface with people, so you need to be a people-first security person, almost no matter what your role is. It’s really hard to tell if you’re a people-first person when you look at a resume.
[David Spark] Yeah. It’s impossible to tell. All right. This one comes from Alex Wood who’s the CISO over at Uplight. Is that him? Right in the back, there he is. Look. He’s throwing up his hands. All right. So, Alex has this philosophy and I have this philosophy of not waiting for people to be unhappy.
So, what does your staff need to communicate to you and do you tell them this, so that you can help them? Like, “Don’t wait till you’re unhappy to tell me about situation X.” So, what is it you say, “Tell me about this so I can help you”? Michelle?
[Michelle Wilson] During all one-on-ones with all of my employees, we always talk about what can I be doing for you, what do you not have that you need, and what other things can we be doing to make your career goals more achievable.
[Jay Wilson] Yeah. I think all of that plus I also think helping people really with a tactical growth plan because sometimes people don’t know how to grow their own career, depends where they’re at in the process, right? But really getting them on some sort of track, right? It doesn’t mean that that’s the track that they’ll land on, but if they are on the track, they’re not busy thinking about how unhappy they are, they’re on the track.
[David Spark] That’s a good point. And so what I’m also interested in is how do they tell you like, “Oh, right now there’s this issue,” before we have the one-on-one, like my next one-on-one’s not scheduled for a week or two weeks. How do I communicate to you like, “I need you to deal with this because this is something that either I’m going to burn out or something like that”?
What’s the best way for them to come to you?
[Jay Wilson] I mean, my team can come to me any time, any day, literally, and I will pick up the phone. I’m there for them in that regard. If there’s a way I can buffer them from issues in the business, I will do that. It depends on the circumstances though, right?
[David Spark] Okay. And Michelle?
[Michelle Wilson] I’ve found it actually helps a lot to ask. A lot of them are introverts, they’re not going to volunteer.
[David Spark] So, you proactively, yes.
[Michelle Wilson] Yes. They’re not going to volunteer that information. If you ask enough probing questions, you usually get to what’s bothering them.
[David Spark] Very, very good point. All right, last question, here we go, and I like this one. This comes from Spencer Eppstein of Darktrace. Are there behaviors other CISOs employ when talking about risk that you won’t do? Is there?
[Michelle Wilson] Oh, I’m sure.
[Laughter]
[David Spark] Can you think of them?
[Michelle Wilson] So, I don’t like scaring my audience. I like having a rational conversation with them. When I’m talking to my executive team, we talk about how the risks apply specifically to our organization rather than, “Oh, my gosh, this happened to this guy over here,” and put your tinfoil hat on and get scared.
[David Spark] Avoid.
[Michelle Wilson] No FUD.
[David Spark] Essentially, the FUD, the fear, uncertainty, and doubt. Okay. Good. Good point. What about you, Jay?
[Jay Wilson] Yeah. I definitely agree with that, but I would add on. I think that when we’re trying to solve these problems, again, I’m a people-first kind of person. When I compare myself to other CISOs, and there’s no right or wrong here, some folks take a tool-first approach to solving security problems.
I always am thinking about how the people are going to solve the problem because in my experience, the tools just sit on the shelf if the people don’t use them. So that’s what I would say to that. That’s what I focus on more than other CISOs. In the context of risk, it’s the same thing.
[David Spark] Well, awesome.
Closing
44:41.815
[David Spark] Well, that brings us to the end of the show. Thank you, Michelle and Jay.
[Applause]
[David Spark] That was great. I greatly appreciate it. I greatly appreciate the organizers here at RMISC, the ISSA, ISACA as well here in Denver. I appreciate the audience coming out for this as well, and I want to thank our awesome sponsor Trend Micro. Are there any last plugs you want to make, either of you hiring, anything else?
Michelle?
[Michelle Wilson] Always hiring. Definitely looking for staff.
[Jay Wilson] Always hiring. We’ve got open roles too.
[David Spark] Open roles. So if you’re interested, they’re here. Thank you very much and we greatly appreciate your contributions and for listening to the CISO Series podcast.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday and Cybersecurity Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “What’s Worse?” scenarios.
If you’re interested in sponsoring the podcast, check out the explainer videos we have under the Sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.