There are so many third party vendors we want to work with, but uggh, their security and privacy is so troublesome. Is it only the security department’s job to vet these partners or should everyone have a responsibility of keeping tabs on third party security?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Phil Beyer, former head of security, Etsy.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Balbix

Full transcript
Intro
0:00.000
[Voiceover] Best advice for a CISO. Go!
[Phil Beyer] Many junior executives think there’s an executive career ladder and there isn’t. You’ve got to ditch the ladder and think differently about your career once you become an executive. The top of the career ladder ends at the clouds of the executive level where things are a whole lot less linear, less measurable, less predictable, less obvious.
If you take a purely vertical and logical approach to your career choices at the executive matrix, you’ll become frustrated and lost. Results and relationships are the only principles that apply to executive careers. The sooner each of us internalizes that reality, the better.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of said CISO Series. And my co-host for this very episode, as I have said about our other co-hosts, you’ve seen him grow up over these past five years. We’re over five years old here, Mike. Mike Johnson, everybody.
Let’s hear the sound of his voice.
[Mike Johnson] I was five years younger when we started this. I am five years older now. So, yeah, you’ve seen me grow up five years.
[David Spark] We just got some head shots done recently.
[Mike Johnson] I had more hair. I had more hair, yeah.
[David Spark] I can’t believe how much I’ve aged in five years.
[Laughter]
[David Spark] It’s depressing.
[Mike Johnson] It’s this show. This show ages you.
[David Spark] It does. Like the presidency, just like that.
[Mike Johnson] Exactly the same as the presidency.
[David Spark] Exactly. The pressure’s exactly the same.
[Mike Johnson] Totally the same. Totally.
[David Spark] Our sponsor for today’s episode is Balbix: a brand new sponsor for the CISO Series. Welcome aboard, Balbix. Automate your cybersecurity posture. More about that, exactly that, later in the show.
Mike, I am remiss about not mentioning this earlier. We are recording this in May but this episode is dropping in July. You have had a new gig for, by July, a number of months now. You are now the CISO of Rivian which is an electric car company. Give us the lowdown. What happened?
[Mike Johnson] [Laughter] Well, it’s one of those things where you can have a bunch of passions come together at once, and that’s what the opportunity at Rivian has been, and it’s this ability to be a car geek, to be a tech geek, to be a security geek, to be all kinds of different perspectives and brought all in one place. And it’s really also this opportunity to help change the world. Electric vehicles are the future.
[David Spark] Electric vehicles, definitely those are the ones that are growing. And I didn’t even know about this car company, you showed me a photo, and I finally got to see one of them in the wild.
[Mike Johnson] Once you see them, you will never be able to miss them.
[David Spark] Yes.
[Mike Johnson] They are very distinctive. The face is very recognizable.
[David Spark] All right. So, here’s my quick question – what is the biggest change of working for an electric car company? In fact, I think this is the first company you’ve worked for that’s a manufacturer of durable goods, yes?
[Mike Johnson] In a long time. I actually worked for a manufacturing company named Ingersoll Rand a very long time ago. And really the big difference is when you’re making a thing, there’s all the technology that goes into making that thing. There’s also the supply chain, the suppliers, all of the partners.
[David Spark] I can imagine that’s the toughest part.
[Mike Johnson] It’s very tough.
[David Spark] We had the Lexmark CISO on and that was like everything. I mean, the number of parts that was going into his equipment was insane.
[Mike Johnson] It’s a crazy number of parts, and that’s a printer. Imagine a car. It’s a few more parts.
[David Spark] But you only have two models, am I correct?
[Mike Johnson] We have got three, so we have two for consumer and one for electric delivery vehicles. You’ll see delivery vans from Amazon that we make, so that’s the third vehicle.
[David Spark] With the same iconic headlights?
[Mike Johnson] They’re slightly different but you can see the familiar resemblance.
[David Spark] More about this on later shows.
[Mike Johnson] I won’t stop talking about it.
[David Spark] I’m sure you won’t.
[Mike Johnson] [Laughter]
[David Spark] All right. Let’s bring in our guest. I’m very excited to introduce him. I met him in New York when we did our live audience recording in New York and I said, “Why don’t you come on the show?” This guy used to be the head of security over at Etsy but no longer. Regardless, we want him as a guest. It’s Phil Beyer. Phil, thank you so much for joining us.
[Phil Beyer] Hi, guys. Pleasure to be with you.
Pay attention. It’s security awareness training time.
4:32.362
[David Spark] Mike, how aware are our users of third-party risk, and are we, and should we be, using them in frontline protection? I realize that all our conversations about third-party risk are focused on how the security department should handle it. And Robert Wood, CISO for Centers for Medicare & Medicaid Services, gave a rather good, simple explanation to his five-year-old explaining third-party risk. He used the analogy of building a fort with your friends. Each kid is going to be responsible for different materials: cardboard, sticks, string, etc. And as a third-party risk manager, you need to make sure the cardboard isn’t dirty and the sticks are strong enough to hold up the fort and not so sharp that they would hurt anybody. His son understood it but then replied, “Why don’t we just make it out of LEGO?” which I thought of as a “No one got fired for hiring IBM” line. So, Mike, is third-party risk education being taught to our employees? If so, how? What can frontline employees do to manage third-party risk?
[Mike Johnson] I think there’s an interesting question in here related to overall security philosophy of how much do we teach our employees and how much should we just take care of? How much should we hide from them?
[David Spark] Mm-hmm.
[Mike Johnson] Third party is one of those areas where we should be teaching them that third parties do pose security risks, but we shouldn’t expect them to be able to fully examine that risk on their own.
[David Spark] But it seems to me there’s something they could see.
[Mike Johnson] I think that’s where you can come up with kind of the conversation generators. These are things that you should keep an eye out for and expect that we’ll want to know more of.
[David Spark] So, give me an example what a frontline employee could do.
[Mike Johnson] A great one is if you’re evaluating a new third party, if there’s a purchase that you’re wanting to make. We’re going to make an assumption that you have some knowledge of the technology behind it and you’re going to ask the vendor, “Do you support single sign-on?” And we can go ahead and tell our employees that if you’re talking with a vendor who doesn’t support single sign-on, it’s going to be a really high bar, and that simple question then becomes a conversation opener. It can also be asking them where they store our data. And leaving it open and generic like that, there’s several different ways that you can answer it, and you can get a lot from that. But we’re not going to expect them to be able to read an executive summary of a penetration test report and to be able to make a call from that.
[Phil Beyer] Yeah, those are great examples, Mike, because it engages the employees in the role. The employees are empowered to reach out to these vendors on the company’s behalf and they become part of the risk management process.
[David Spark] So, Phil, can you give us an example? And by the way, should employees, do you agree, that they should play some part in sort of being a layer of security for third-party risk? And if so, what way?
[Phil Beyer] Yeah, absolutely. I’m glad you picked this out as an example, David, and I love the kid’s retort because LEGOs are awesome, right? But unfortunately, when I tell my kids that all they can ever play with for the rest of their lives is LEGOs, that doesn’t really go over well, right? And a lot of times that’s kind of how we approach policy. And with that policy in my household, maybe I would even say, “You can play with LEGO-branded stuff for the rest of your lives – movies and apps and all that other kind of stuff,” but I still don’t think that’s exactly what they would expect, and I think they would probably revolt. So, as absurd as that sounds, it is kind of like how we security professionals in general tend to approach this problem.
Along the lines of what Mike was just saying, we can also think about it in a way where who else is trying to solve this problem with us, and if we haven’t already in our organizations, let’s partner with those folks, those other risk management functions in our organizations who are already tackling third-party risk. Maybe they don’t call it the same thing that you do or that we do, but in addition to InfoSec – finance, legal, compliance, audit. They’re all dealing with the same fundamental problem in your organization just like they are in mine. “Supplier management” – that’s been a thing for a long time.
[David Spark] So, they’re looking at different risks, not necessarily security risks.
[Phil Beyer] Absolutely. And as risk management professionals, why not kind of glom on to that process? Because it’s a whole lot easier to be part of an existing process than to kind of try to redo it in our own way just because we call it something different.
What’s it going to take to get them motivated?
9:25.739
[David Spark] Dr. Anton Chuvakin, host of the Google Cloud Security Podcast, asked in a Twitter poll, “Which of these two is a more hopeless pursuit – security awareness for users or talking security to developers?” Now, users “won” with 55% of the Twitter vote, but there were still 45% that thought it was developers, which I take as rather depressing. Wynn Fenwick said, “Taking security to devs is basically telling them they are doomed to last minute bugs that 100% delay their deliverables’ deadlines on every project, or they need to work 10% overtime pumping their own creations full of holes that would never happen.” So, I’ll start with you, Phil, on this. Do you agree with this? If not, what are the roadblocks that make talking to developers so darn difficult?
[Phil Beyer] I’ll say that reading through this thread was disheartening because more than a few of the people in that thread seemed to believe the choices were actually valid choices and that’s where, “Oh, oh.” Like, I’m glad that – like, Anton, love you, dude – I’m glad that you eventually seemed to realize after responding later how adversarial and one-sided…
[David Spark] Well, let me also point out that we put Twitter polls out to get people excited, so I appreciate Anton doing that. It makes a good segment. [Laughter]
[Phil Beyer] Sure. We got to engage people, I get that, but neither of the options were hopeless, and I want to make sure we take away here that this is not a zero-sum game. Some of the respondents and other people in the thread kind of hinted at the biggest flaws. The objective of an employee awareness program should not be unattainable. If you’re starting with that, you’re already failing, it’s already wrong, you already did it wrong. And then the second thing – engineers always want to ship quality stuff. An engineer doesn’t want to go out and build a bridge that just falls, right? Engineers want to build high-quality stuff.
[David Spark] But 45% of security people believe that. And also, let me also hearken back, and this goes back a number of years. I shot a video at Black Hat where I asked the attendees who were all security people, I think I spoke to one developer, and I asked should security and developers be in couples counseling. To which I got a lot of funny responses, but pretty much everyone said, “Yes.” But the majority of the responses were, “Well, if they just listened to me.” And if you’ve ever been in couples counseling, that line doesn’t work. [Laughter]
[Phil Beyer] You were talking to just security folks, right?
[David Spark] Just security people, yeah. They all said… By the way, you look that video up, it’s funny.
[Phil Beyer] Absolutely. So, the best retort in that Twitter thread was the proposed third poll option which was teaching empathy to security professionals who think like this.
[David Spark] [Laughter]
[Phil Beyer] That is the most hopeless of the three…
[David Spark] So, it was a slam against Anton.
[Phil Beyer] …of the three options. Yeah. Because if we were all more empathetic, if we listened to our developer spouses, then maybe we wouldn’t be in this couples’ therapy.
[David Spark] Excellent point. All right. Mike, what did you think of this poll? Now, I’m going to ask you – do you believe it’s tough to talk security to developers? My feeling is no because you’ve always had like an engineering team, haven’t you?
[Mike Johnson] Well, I think at the end of the day, maybe we shouldn’t be talking security to developers. Maybe we should be talking about, as Phil mentioned, talking quality. Security vulnerabilities are bugs. These are unexpected, unintended outcomes, consequences. These are not the way that the developer wants the thing to operate. And if we’re trying to teach them to be a security expert, they already have a job. That’s not their job to be a security expert. So, what we really need to teach them is, “Hey, there’s sharp edges to these things, but as long as you’re aware of that and as long as you’re building to the design – non-trivial – but as long as you’re building to the design and you’re building with a minimum amount of possible bugs, we’re actually going to end up with a secure system.”
So, I think the failing that we keep coming back to on security is exactly what you said, David, is, “Well, if they would just listen to us.” We’re expecting them to come to us and we need to go the other way. We need to meet them where they are and speak their language. And as we’re doing that, as we’re thinking more about resilience, as we’re thinking about reliability, quality, all of these things, this is what developers want. They want to do this. We just say, “Hey, here’s just another aspect of it,” and we can all get along quite well and we can all end up in the same situation where we’ve got high-performing, reliable, bug-free software. It’s what we all want.
Sponsor – Balbix
14:26.153
[David Spark] Before I go on any further, I do want to tell you about our sponsor Balbix. Remember? Automate your cybersecurity posture. So, CISOs at large multinational organizations face many challenges in measuring and reporting their cybersecurity risk. Oh, we talk about that a lot on this show. So, articulating security risk is complex and involves an understanding of the threat landscape, application and infrastructure vulnerabilities, current security controls, and its impact on the organization. If CISOs can’t articulate the value of the risk to their board, and I will also say their C-suite for that matter, they struggle to get additional budgets for tools and resources which stall security programs. You got to communicate the risk to know how you’re going to apply your effort towards the risk.
So, this is where Balbix enters – a cyber risk quantification program. Balbix discovers all managed and unmanaged assets such as servers, VMs, Kubernetes clusters, and even those pesky IoT devices that you may have forgotten about. It identifies, prioritizes, and manages vulnerabilities associated with those assets. All of this data is used to deliver cyber risk in monetary terms that enable you to get the support and budgets to improve your security posture. It’s kind of like, “Whatever,” but a want on all sides here. So, check out what they’re doing at Balbix at balbix.com and go ahead and follow them on LinkedIn.
It’s time to play “What’s Worse?”
15:58.573
[David Spark] Phil, I know you know how to play this game because you were at the live show where we did two “What’s Worse?” scenarios, but now we just have one. And this one is quite unique as in the two options are not, like, sometimes they’re mirror images of each other, they’re very different. So, how you weigh this will be very intriguing. Comes from Mike Toole of Blumira, and he says you are the CISO of a highly targeted organization. After a very evenly divided annual security project planning offsite, you have determined that the company’s security posture is exactly average compared to others in your industry, and for your upcoming plan, you can only implement one of the two following projects, everything else will stay the same. One – you are able to move the entire leadership and C-suite, just the leadership and C-suite, to Chromebooks. I know that’s attractive to you, Mike.
[Mike Johnson] Yes, it is. Already talking my language.
[David Spark] All right. They will hate it – and by the way, Mike strongly believes that this happens, this is why he put it in it – they will hate it for the first year and complain about very cosmetic issues. They will be 95% functional from day one, and after that first year the complaints will stop, and they will be 100% functional. By the way, I should also preface this. These are not bad scenarios, the two I’m going to give you, so this is a pretty good scenario. All right. Second one…
[Phil Beyer] Yeah. This first one is fantastic. I love this already.
[David Spark] All right. Well, the second one’s pretty attractive too. Hold on. Through a government-sponsored program, you are able to apply for and get – get ready for this – free cyber insurance. The policy includes up to 50% of your company’s lost actual revenue, not potential revenue, plus an external government response team for remediation only. The insurance comes with no strings or control requirements other than you are not allowed to buy any other supplemental cyber insurance. Mike, now, they’re both attractive, so which one’s worse?
[Mike Johnson] So, essentially we’re now asking which one’s better.
[David Spark] Which one’s better is not… So, it’s the one that’s least better.
[Mike Johnson] Least better. [Laughter]
[David Spark] So, it’s going to be worse, it’s going to be worse…
[Crosstalk 00:18:18]
[Mike Johnson] We’re just going to have to name this whole new category to it’s time to play “Which is Least Better?”
[David Spark] These are two very different scenarios so I think you very much have to be thinking about the business here and funding, I think is the way it works.
[Mike Johnson] Well, I almost fell into the “it depends” trap.
[David Spark] Can’t do that. [Laughter]
[Mike Johnson] Can’t do that. When it comes to insurance, one person’s insurance is going to look very different from another.
[David Spark] Mm-hmm. But you get it free.
[Mike Johnson] Well, but that’s kind of the thing of there’s a whole lot behind the scenes of what that actually looks like.
[David Spark] They said no strings attached, 50% of your company’s lost actual revenue.
[Mike Johnson] But the key part is “actual.”
[David Spark] Yes, I know. Not potential. Potential, that could spin into a lot of things.
[Mike Johnson] I’ll take the potential one. So, I’m going to just pick one and run with it and we’ll see what you do here, Phil, on the other side, but I mean, you lay out Chromebooks and that really is candy to me. And so all you had to say was Chromebooks and something else and…
[David Spark] By the way, if you go back in the history of our episodes, you will see that Mike has highly promoted…
[Mike Johnson] Yes.
[David Spark] …if people can operate on Chromebooks, it’ll make your life a lot easier.
[Mike Johnson] Yeah. And I think frankly the reality is Mike, our question submitter, is right in that there will be cosmetic complaints. There always are. They’re not really… They’re fine, they’ll work out just fine. But once you’re there and once you’ve got that example set of the Chromebooks, everyone else is going to be interested in adopting them. And then you end up with this really solid security situation where you don’t have to worry about entire classes of attacks.
[David Spark] Mm-hmm. We were told ransomware becomes a non-issue. How do you feel about that?
[Mike Johnson] So, ransomware becomes a different issue, especially we are seeing different ransomware attacks that are going against infrastructure as a service. So holding someone’s AWS account ransom, for instance, can be a thing, but it really does minimize the potential impact. The insurance side, that is really a situation where the insurance isn’t going to always be something you use. You can end up spending a whole lot of time cleaning up from a mess that you can’t use insurance to help you with. So, it’s really, on the one side, you’ve got prevent issues. The other is help you recover from some issues. And that’s how I weigh these two. So, that’s why I go with the least better is the insurance one.
[David Spark] Okay. So, the least better is insurance, all right. Phil, are you agreeing or disagreeing?
[Phil Beyer] I’m ready to play “What’s Least Better?”
[David Spark] “What’s Least Better?” [Laughter]
[Phil Beyer] I’m going to choose the better of the options – because you’re already confusing me – the better of the options is the cyber insurance deal and here’s why.
[David Spark] So, the least better would be the Chromebooks, okay. So, you’re disagreeing with Mike here. Let’s hear it.
[Phil Beyer] Correct. And here’s why. Because the insurance cost, the cyber insurance premium cost, has been going up at least double-digit percentages over the past few years in premiums, and certain years it’s been triple-digit percentage increases, so it’s doubling every year, and I don’t think that’s going away. So I’m going to save money in the long run if my cyber insurance is free. I think there was something in there about that, maybe I misheard the options.
[David Spark] Yes. It’s cyber insurance is free, yes.
[Phil Beyer] And here’s the other one, which actually I realized I was thinking about when Mike was talking, I had the benefit of having a few extra minutes to think about my answer.
[David Spark] I know. This is the advantage of not being Mike.
[Phil Beyer] Here’s the option that I love. The option I love is I don’t have to answer those fricking questionnaires anymore.
[David Spark] Oh, yeah, you didn’t even think about that, Mike.
[Phil Beyer] Mike with all of his Chromebook wonderfulness will still have to answer those questionnaires every year and I get to swear them off.
[David Spark] That’s like bloodletting, Mike. That’s awful.
[Phil Beyer] Mike may be in heaven but so am I, so we’re both good.
[David Spark] That is a really good point. Mike, you are not giving up the questionnaires. You’re going to still have to deal with the questionnaires.
[Mike Johnson] It’s one questionnaire a year.
[David Spark] Really?
[Mike Johnson] So, to be clear, it’s…
[Phil Beyer] That’s getting really, really long. Really, really, really long. [Laughter]
[David Spark] By the way, there are companies that’ll fill these things out for you.
[Mike Johnson] Well, no, no, no. So, the questionnaire he’s talking about is the cyber insurance questionnaire and you don’t get to sub those out.
[David Spark] No, [Inaudible 00:22:47] be third-party ones.
[Crosstalk 00:22:50]
[Mike Johnson] Yeah. This is not third-party risk. It’s a whole different level of fun that Phil’s talking about.
[Phil Beyer] Right, [Laughter] right.
[David Spark] By the way, Mike just defined filling out insurance questionnaires as a level of fun. It’s on some level for Mike.
[Mike Johnson] It’s on some level of fun. This is me being an optimist, David.
[David Spark] You’re being very kind to fun is what you’re doing.
As a CISO, what do you think about this?
23:17.144
[David Spark] Back in November 2022, Apurva Venkat wrote for CSO Online about AWS’s announcement of their security data lake that aggregates and normalizes online and on-prem security data, like from your SIEM, all into one giant repository. In general, it kind of sounded like they invented the folder. Is this just making organization a little bit easier? That’s what it sounds like to me, Phil. Is it really a great boon? Have you or do you know of anyone who has taken advantage of the security data lake and what has been the response? What has been the net result? Phil.
[Phil Beyer] Yeah. This has been a particular interest of mine lately, and I do think it’s infinitely more complex than just another folder or a version of a folder or a tag. The way I see it, data management, data engineering, they already are separate disciplines with their own kind of evolutions and histories that are now kind of running in parallel and distinct from information security where we’re living. It’s time for us to bring other experts in to help here. More of that partnership, relationship building stuff. That can be challenging for us as security pros but we need to prioritize it.
The underlying concept of this is not new. Maybe you remember. We used to have Hadoop clusters, it used to be a thing. Every security team was like, “Ah, I need ELK Stack, I need Splunk, maybe I need both of those.” Well, maybe some of us, instead of troubleshooting some aging config or trying to optimize the Hadoop file system, maybe while we were doing that, data engineering as a discipline, it evolved kind of while we weren’t looking. If you’re part of a team that’s mastered all this, you probably may not need to pay attention to data lake stuff.
But most of us, like the mere mortals of us here, that is something that we really need to pay attention to. Solution providers all over the place, cloud providers as well as others like Snowflake and Databricks, they’re commoditizing this. They’re commoditizing data management on our behalf and providing us more time to focus on the work we want to do – threat hunting, risk analysis, incident response, data protection. Let’s let the data geeks do their thing so we can focus on being security geeks.
[David Spark] All right. You are very bullish. Mike, are you as bullish on the security data lake?
[Mike Johnson] Can I be more bullish? Is that an option?
[David Spark] How do you get more bullish? And is it more than just a folder, Mike?
[Mike Johnson] So, it’s a series of folders, David. What we’re really talking about here is it’s not just the repository that’s solved. One of the things that data lake does is normalization, and I am extremely excited about data lake. I’ve had multiple conversations with AWS about it. I think it really is a game changer. And it’s hard to understand why it’s such a game changer unless you’ve actually built one of these systems in the past. Something as simple as a time zone, where you’ve got systems that are distributed all over the world, if you’re not parsing your time zones correctly in all of the security events, you can’t compare them.
[David Spark] Oh. Good point.
[Mike Johnson] If you look at IP addresses, you would be amazed at how many different ways someone can write an IP address into a log. It can just be a bare IP address, it can be SRC, it can be IP, it can be source, it can be source IP. There’s somehow an infinite number of ways that you can say what is an IP address. We actually built a system like this while I was at Salesforce, Phil called it out. We had ELK, we had Hadoop, like, we built all this stuff, and the hardest part was the data normalization piece.
And that really, when you’re able to remove that entire challenge, you’re able to focus on figuring out which needles in your needle stack you need to care about. That’s what you can focus on. That’s what Phil was really mentioning is focus on the things that really matter to us in security and we don’t actually have to write regexes for every single new event log that comes out. So, I’m really, really excited about data lake. I think this really is the future, things like this, that is taking the heavy lifting off of the responsibility of the security team, making it kind of go away, and letting us really focus on getting the security value out of these things.
How scared should we be?
28:10.136
[David Spark] It is May 2023, and we’re going to talk about ChatGPT. This platform seems to be making large leaps weekly, so what we say may possibly be out of date by the time you hear this, which will be late July. The Cloud Security Alliance has released a report of security implications of ChatGPT and isolated five new trends, as reported by Michael Hill of CSO Online. They are ChatGPT-enhanced enumeration to find vulnerabilities. And then kind of related, the rest are all kind of related to that, but foothold assistance to gain unauthorized access, reconnaissance to assess attack targets, more effective phishing lures, and develop self-altering or polymorphic code.
So, I’m actually going to start with you, Mike, on this because I know you said ChatGPT is operating off of what we know, so I want to know are you truly concerned about any of this, or is this just another tool in an attacker’s toolset? It may make their life easier, but if I’m doing my job as a security professional, this shouldn’t matter. Do you agree with that statement? What do you think?
[Mike Johnson] Is this one of those things where the option of not to play is…
[Crosstalk 00:29:30]
[David Spark] Oh, you don’t want to play. No, you play. [Laughter]
[Mike Johnson] The only way to win is not to play.
[Phil Beyer] Only if you have a whopper.
[David Spark] By the way, I heard so much ChatGPT conversation at RSA.
[Mike Johnson] Huh!
[David Spark] By the way, on both the pro and the cons, or like how it’s going to help us and how it’s making our life miserable on both sides.
[Mike Johnson] It’s one of those things where I do think it is changing the world, honestly, but these are, these five particular threats/concerns, these aren’t the problems. Everything that’s listed in here is something that a human does better, and I don’t really see how ChatGPT is doing anything novel with any of these particular examples.
[David Spark] But I would just argue that, yes, humans can do this but, like, we use computers. It’s just doing that faster, so there just might be more of it.
[Mike Johnson] I don’t think any of these, it’s not going to find vulnerabilities faster than when you’ve got 1,000, 10,000 security researchers in a bug bounty. It’s not going to gain footholds any faster than all of the initial access brokers who are out there who are spamming everyone. It’s not going to understand targets. Humans need to do that. I mean, today if you look at spycraft, you have intelligence agents who are analyzing all of the data that’s coming out, and ChatGPT isn’t really helping out with that.
But what I am worried about and I think we need to pay more attention to is the potential disclosure of intellectual property or of customer secrets or customer/company secrets. And that’s what bothers me is it’s really easy to go and paste a whole bunch of text into a public ChatGPT interface, which may or may not actually be ChatGPT, it’s a different issue, but at the end of the day, that thing goes into somebody else’s repository. Imagine that then gets spit out into somebody else’s answer…
[David Spark] Ouch!
[Mike Johnson] …who’s now going to claim ownership of that, and you might have lost a patent or a trademark or a trade secret in all of that.
[Phil Beyer] So, Mike, at the time of recording, there was just announced some options like pay 10 times as much and have your private instance, right, of OpenAI LLM stuff, GPT-4 stuff. Is that sufficient to address that, or do you see like long-term there are more nuances to that issue?
[Mike Johnson] I think there’s nuance to it. What you also have to worry about is what are the guardrails for your company. You can’t necessarily expect your average employee to be able to tell those apart. You have to figure out some way to give them a safe environment. And to be clear – I think this is a very transformative technology that companies need to figure out how to embrace. I’m not in the “this is a threat that we should just put back in a bottle.” We have to get creative on how we provide our team members, our company, the ability to use this tool safely, and I’m not sure if the commercial pay 10X, keep your data separate, is the right answer. I don’t know, maybe it is. But those are the things that we should be looking at, and that’s where we should be spending our time, not worried that it’s going to be able to write a better phish.
[Phil Beyer] Yeah. I think you’re right about that. I do think I’m aligned with you on as much as these five, it seems to be what people are talking about today, I don’t know that that’s really the threat, I think this is just scratching the surface. I agree with you completely that the genie’s out of the bottle, we can’t put it back in. Toothpaste is out of the tube, whatever your preferred analogy. I think we have to figure out how to work with it. It’s another inflection point just like we’ve seen a whole bunch over the course of technology.
So, we’re so early on we can’t really predict the security vulnerabilities with it yet, but what we do know is that there will be security vulnerabilities, right? With cloud, definitely security vulnerabilities. Mobile? Definitely security vul… I mean, go back to internet – definitely security vulnerabilities, right? So, each time we see these massive acceleration inflection points, we always see the vulnerability issues crop up or emerge over time, and those iterate and evolve as well. Just like we’re seeing different things today with cloud than we were seeing when it first came on, whenever that was, 10 or 15 or more years ago. But it’s the same thing that happened with AI, same thing.
Closing
34:18.680
[David Spark] That brings us to the very end of this episode. Thank you very much, Phil Beyer, former head of security over at Etsy. That was awesome, Phil. Thank you so much. I’m going to let you have the very last word here, but first I want to mention our sponsor – Balbix. Huge thanks to Balbix for sponsoring this very episode of the podcast. Please check them out at balbix.com if you want to get a better understanding of your risk posture so you can communicate it to those who need to know so they can make the decision so you can get the funding to improve your security program to better manage risk. A great solution. Check them out at balbix.com. Mike, any last thoughts on our conversation today?
[Mike Johnson] Phil, thank you for joining us. I’m glad you were able to. I’m glad we were able to sit down and have this conversation. I hope you’re able to turn your AC back on soon.
[David Spark] Yeah. We told him to turn it off because it was making background noise and we didn’t want you to have to listen to that.
[Mike Johnson] That’s how much, dear listener, we’re looking out for you.
[David Spark] His children are frying right now.
[Mike Johnson] [Laughter] But genuinely had a great conversation. One of the things that really kind of stuck with me and you started at the beginning was talking about results, and I really think that’s something that we need to focus more on in security. And you’d mentioned in the discussion around security lake allowing us to focus on the work we want to do. I think there’s so much opportunity for that in security, so thank you for really helping to drive that point home and thank you for joining us today.
[Phil Beyer] My pleasure. It’s been great and super fun, David and Mike. Thank you for having me. That reference to results, it comes from Manager Tools they have in Executive Tools Podcast, and that advice I gave at the beginning of the episode is directly from them, so hat tip to Manager Tools and credit to them.
[David Spark] They’ve been around for a long time, that podcast, hasn’t it?
[Phil Beyer] Quite a while, quite a while as a business pod, yes, yeah. I think they’re getting close to 20 years, certainly over 15.
[David Spark] So, just so you know, I wrote an article umpteen years ago for Mashable when Mashable was a thing. And I remember interviewing them about how they’re making money in podcasts because I’d written this whole article about making money in podcasting, again umpteen years ago when people actually do that. Now, I notice you wanted to plug this, which I just received in the mail, Phil.
[Phil Beyer] Absolutely, yeah. My plug and I should insert here before this, I know you guys are five years old and all, but I tell you, you still sound young to me because every time I listen to both of you, it’s in triple time, and everybody sounds young in triple time.
[David Spark] There you go.
[Phil Beyer] Keep it up. Keep it up, guys. Keep up the energy.
[David Spark] Are our voices getting higher too?
[Phil Beyer] Absolutely, absolutely, it’s wonderful.
[David Spark] Like the chipmunks? I should mention that I held up Andy Ellis’s book, which by the way, if you listen to this show, Andy’s the other co-host to this show, he plugs his book incessantly. But now for Andy’s pleasure, Phil is going to now plug Andy’s book. [Laughter]
[Phil Beyer] Yes. That’s my recommendation, that’s my plug. I recommend everybody should read 1% Leadership by Andy Ellis, wonderful co-host of CISO Series. His guidance will help us all be better leaders, better coworkers, better family members – even though I’m letting my family members cook right now without the air conditioning – and better human beings. My own take on Andy’s wisdom kind of is interspersed and embedded through everything I’ve said today, as I learn more from all of his experience, as all of us learn from his experience. We’ll be better in the future, so thanks so much, Andy.
[David Spark] Awesome. Well, I know he will appreciate that as well. Thank you very much, Phil. Thank you very much, Mike. And I’m assuming people can find you on the LinkedIn, Mr. Phil Beyer?
[Phil Beyer] Absolutely, pjbeyer on LinkedIn. Come find me, let’s connect.
[David Spark] We will connect to your LinkedIn profile on the actual blog post, so that’s probably the fastest way to get to it. Thank you very much, audience. We greatly, greatly appreciate your contributions, your “What’s Worse?” scenarios, keep sending them in. Today’s was quite an intriguing one, I thought. A very different take. So, we like those clever new takes, so thank you very much, Mike Toole of Blumira. Mike Johnson, you did okay as well.
[Mike Johnson] I did fine.
[David Spark] All right. Thank you very much, everybody, for your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet-up, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.