Who’s in Charge of Stopping Stupid Ideas? (LIVE in Tel Aviv)

Um… Maybe You Shouldn’t Have Done That. Sometimes, someone high up comes up with such a bad idea that we need someone to be the official voice of reason and stand up and announce very loudly, “Maybe we should not do that.” This was the security community’s response to Forbes and SecurityScorecard’s list of the top 200 most secure companies. Adrian Sanabria of Valence Security summed up everyone’s collective frustration when he said, “You don’t have to be around in this industry as long as I have to know you NEVER boast about how good your security is.”

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Jesse Whaley, CISO, Amtrak. Our guest was Paul Branley, deputy CISO and director of strategy, innovation and testing, Lloyds Banking Group.

We recorded this episode in front of a live audience in Tel Aviv as part of Team8’s CISO Summit 2023. CISO Series is honored to have been invited to record our show at the event.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Team8

Team8 is a global venture group that builds and invests in early stage companies focused on digital transformation: cybersecurity, data, fintech and digital health. Its strong expertise in cyber is the backbone of Team8’s CISO Village – a community of hundreds of CISOs who enjoy access to thought leadership, networking events, and partner with Team8 to support its company building process.

Full transcript

[Voiceover] Best advice I ever got in security. Go!

[Paul Branley] The best advice I ever got in security was when someone said, “Paul, no matter how busy you are internally, and you will be very busy, find time to collaborate outside because you’ll get more back than you put in.”

That has been so true so many times throughout the past few years, whether it’s been operational when we’ve been under attacks like DDoS attacks from the Mirai botnet or working with other banks in Asia, the US and the UK on SWIFT payment attacks, or whether it’s on an innovation where we’ve been working with other banks to share information but without sharing sensitive customer data, using homomorphic encryption.

So, the best advice — find time to collaborate outside, you’ll get a lot more back than you put in.

[Voiceover] You’re listening to CISO Series Podcast recorded in front of a live audience in Tel Aviv.

[David Spark] All right, welcome to the CISO Series Podcast. My name is David Spark. I am the host and producer of the CISO Series. We’re available at CISOseries.com. We are live in Tel Aviv at the Team8 CISO Summit. Sitting directly to my right is my guest co-host right here, it is Jesse Whaley, who is the CISO of Amtrak.

Let’s hear it for Jesse.

[Jesse Whaley] Thanks for having me as your co-host, David.

[David Spark] Yes, I am thrilled to have you as well. I should also mention that Team8 is our sponsor for today’s episode. For those who don’t know, Team8 provides entrepreneurs with an unfair advantage to accelerate success and help enterprises digitally transform. More about Team8 later in this show.

I’m going to just say that you started at Amtrak 4½ years ago, correct?

[Jesse Whaley] That’s correct.

[David Spark] As I understand, you had a staff of three people.

[Jesse Whaley] It was very small.

[David Spark] Quite small. Kind of scares me that critical infrastructure had three people but that’s okay. But what I’m thrilled to know is that you learned how to be a CISO listening to this show, right?

[Jesse Whaley] That is correct. Lots of advice.

[David Spark] What was the advice that you found that stuck the most?

[Jesse Whaley] Well, I think it started with, one, finding the community and the people to talk to like Paul just mentioned. The other was I was being bombarded with vendors as soon as I switched that toggle on LinkedIn that said I was a CISO.

[David Spark] Oh, yeah. That’ll do it. All right, yeah. In fact, every time someone becomes a CISO, my first question is — how many? How many emails have you gotten? How many pings on LinkedIn asking you to set up a meeting? But as pretty much every CISO in this room knows, what you know to buy when you join is literally zero, yes?

[Jesse Whaley] Yes, absolutely.

[David Spark] It’s nothing. All right, I want to bring in our guest who you heard at the very beginning of the show. He just started literally weeks ago at TSB Bank as a CISO. It is Paul Branley. Let’s hear it for Paul.

[Paul Branley] Hi, everyone. It’s great to be here with such a knowledgeable group. It’s quite humbling actually, with such a knowledgeable group of CISOs from all over the world.

Why has this topic suddenly become the center of attention?

3:11.066

[David Spark] Forbes’s list of America’s 200 most cyber secure companies has caused an uproar in the cyber security community. Most of the response is why the heck did they do this? Now, I’m going to say that literally moments before getting up here, I was speaking to the author, Alan Schwarz of Forbes, defending the article.

I’m going to try to echo his sentiments on this as well.

By applause, how many people actually saw this article of the 200? Yeah, but you got to applaud. They can’t hear the hands going in the air on the podcast. [Applause] All right, now, I’m going to say that Alan believes that what he saw, because I shared a post that Jason Chan, formerly of Netflix, had posted and a lot of people commented, he believes it appears to be a minority of the cybersecurity community, his feeling.

Most argue that what I saw on this post is that it was self-serving and really unethical especially publishing the names and titles of the companies’ security leaders who may have had nothing to do with what they were being measured by.

By the way, the methodology explanation seemed meager to me.

But this list was published in conjunction with SecurityScorecard. It was on Forbes. And ostensibly, to raise the profile and hopefully give kudos to the security professionals mentioned but it delivered the exact opposite. Now, what Alan said, this was actually more to communicate to the customers out there that these are companies that are secure.

We kind of did a little bit of a roleplay over the phone of like well, if you were a CISO and someone asked you about your security, what would you say?

I said, “Well, we are trying to do our best to protect your data as best as possible.” He said, “Well, by this list, we were doing the same thing, what you would do.” Again, this is Alan’s argument as well.

All right, I’m going to just also read a quote from Adrian Sanabria of Valence Security who, I believe, summed up everyone’s frustration around this.

He said, quote, “You don’t have to be around in this industry for as long as I have to know you never boast about how good your security is.” All right, now, I want to take this to you, Jesse and also Paul.

What levels of wrong do you feel was with this article?

[Jesse Whaley] Actually, on a break, I walked around and I talked to my peers and I kind of asked some questions. I wanted to get a couple one-liners here which we can get into. But it’s almost like Fight Club. I mean, you don’t talk about it in that way. In security, no news is usually good news, right?

You don’t want to boast about having like an overly secure program and you certainly don’t want negative publicity either.

It’s just not very responsible in every sense of the word.

[David Spark] But okay, and again, I’m playing Devil’s Advocate and playing essentially also what Alan said. He goes but if someone asked you about your security, you would be honest and upfront in saying we try to do our best possible.

[Jesse Whaley] We’re on a journey just like everyone else. We are prioritizing the things that we need to do to protect our company, to protect our employees, protect our customers. We know that we can’t get to everything but we get to what matters most. At the end of the day, we do the best that we can do.

[David Spark] All right, Paul, your take on this?

[Paul Branley] Firstly, I think I would like to say the vast majority of articles that I’ve read from Forbes on cybersecurity have been pretty good, okay, but I do think that this one was misguided. I do think that benchmarking and rankings have a place but I think the worst thing about this is it paints a target on some of the people on the list.

[David Spark] All right, let me… Alan’s response to that, the paint the target response. He says, well… First of all, he has empathy for security professionals. He kept repeating this over and over again and the fact that you are already a target whether this article exists or not. He feels will this article change how you’re attacked or not?

I do also know that the dark web was talking about this article.

What do you feel? Do you think this will change a security program or the number attacks for any of the companies listed?

[Paul Branley] I think it will. I think it will give a bit of kudos to some of the attackers if they were able to achieve one of the people who are higher ranked on the list.

[Jesse Whaley] Well, I can say I shared this with my team and I said I’m so glad I’m not under this, in brackets, (dark web hitlist).

[David Spark] All right. Are there any other things that sort of upset you? I mean, one of the things that came up was the fact the individuals were mentioned. By the way, I should mention Alan said that Intel, who I believe was ranked number one here, was thrilled to be on the list. Was there something else, like I mean, the individuals being mentioned, one of the arguments I heard is like they may or may not have anything to do with the rankings and by the way, it was hard to figure out how they were measured.

[Paul Branley] Yeah, I agree. I think this needs to be participative. There are other ranking mechanisms we’ve been involved with each year, the Which Magazine. They rank all of the internet banking sites within the UK for their level of security and so on. It has its shortcomings but at least it’s participative and you get the opportunity to comment and give feedback.

I think one of the big problems here is it’s judging companies from the outside only.

It’s not looking at the totality of the security and the multi-layered defenses that some organizations have.

[Jesse Whaley] I’m just thinking here, we’ve got what, close to 100 CISOs in this room. Were any of your companies on this list? Okay, got one hand.

[David Spark] Anyone else, two, three.

[Jesse Whaley] Got a couple hands.

[David Spark] By the way, was anyone actually named on this list? Was anyone actually in this room named?

[Jesse Whaley] Was your name called out?

[David Spark] Nobody was named on this list, okay.

[Jesse Whaley] Wrong names.

[David Spark] Wrong names were listed. All right. Well, that’s more of a fact-checker issue for Forbes.

[Jesse Whaley] I’m just curious, did anyone in this room, and I know that there’s a few that raised your hands, did you agree to the criteria in which this ranking was being made on whether or not that’s the criteria that you agreed to of your company being ranked as being cyber secure? Anyone?

[David Spark] No. Again, I’m going to speak… Oh, this gentleman, he’s going to yell it. I’m going to have to repeat in the microphone. What? Through Intel, they manage the SecurityScorecard procurement budget. So, if you manage your SecurityScorecard posture, you weren’t happy with it. All right, okay.

[Paul Branley] I think that’s one of the dangers as well though that it could distract CISOs to be focusing on the wrong thing rather than defending the organization and doing the right things, it can possibly, because of the publicity, distract people.

Surprising research, just in.

9:46.217

[David Spark] All right, the Verizon Data Breach Incident Report or DBIR is out now. This is the most awaited annual research for security professionals. Many CISOs point to it to amend their security programs and similarly, vendors use it to validate their security tool. Now, some of the new trends from the report are 74% of all breaches include the human element with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.

50% of all social engineering attacks are actually pretexting incidents.

Nearly double last year’s total. That’s a huge shift right there. 83% of breaches involved external actors and 19% internal actors. So, there’s obviously some overlap there. But what that means is one in five incidents, you have to point at your team or your contractors.

I’m going to start with you, Paul.

Is this report valuable to your security department and how are these findings in this report used in your business?

[Paul Branley] We do find these reports are valuable even if all the information we don’t necessarily agree with but we compile this and many other reports whether it’s CrowdStrike or whatever in order to help build our intelligence about what’s out there. We maintain internally, the top 10 threats that we see and we refresh them every three months based on open-source intelligence, closed source intelligence, our own experience.

We also maintain a list of the top actors, there was some information there, and also the top ransomware groups.

And then sometimes we pick a particular topic, for example, phishing’s been high up for several years on this and we try to see what we can do to change our defenses in order to rely, let’s say in this phishing example, rely less on the human and put in some technology to help because the attacks are getting more sophisticated.

So, yes, we do use this.

[David Spark] All right. What’s the value to you, this report?

[Jesse Whaley] Well, the value is similar. We do break apart the report. Our threat analysts dig in quite deep actually. But where I see this report is actually validating some of the things that we already know because we are seeing the attempted attacks, at least in our environment, we’re getting threat intelligence about other companies being attacked.

We know that the human factor continues to be one of the top threat factors.

[David Spark] But when you’re showing stuff to the board, would you be showing the Verizon DBIR or just your own data? I mean, I would assume you just show your own data, yes?

[Paul Branley] Yeah, we would show the data that we’ve come up with on this and a lot of other things as well, yeah.

[David Spark] By the way, does your own data go in line with what you see with the Verizon DBIR?

[Paul Branley] Not always.

[David Spark] Can you give us an example of something that your data showed something different?

[Jesse Whaley] Well, I’d say I heard Chris English quote something earlier. I don’t know where he got this data exactly but he said that 84% of the attacks are criminal in nature versus 14% are nation state in nature. While the nation-state attacks have a much greater impact, that is kind of what we’re seeing too and plus what we’re hearing through our networks with our peers.

That is about the right ratio, I think.

We’re seeing a lot more criminal attacks, more financially motivated attacks. That is probably one thing that I’d probably call out here that I don’t think the report dived deep enough into.

[David Spark] But also, does it also say to yourself when you start to see that your data is matching out and you’re like, “I think we’re measuring this correctly.” There’s always the fear of — maybe we’re not measuring things right and we’re not seeing everything.

[Paul Branley] Yeah, that’s true. I mean, it’s not a precise art in that respect. I think you’re right. One of the things that we definitely are seeing and we’ve seen an uptick and it was mentioned earlier by some of the CISOs here is the attacks on the supply chain. I think that does come through some of that within some of the statistics in the report.

Sponsor – Team8

13:43.112

[David Spark] It’s Team8. They are doing an awesome job at this event here in Tel Aviv. I am thrilled that they brought us out here to record this podcast. Let me tell you something about them, for those of you listening, by the way, everyone in the room knows but those of you listening probably don’t know, so Team8 group is a global company building and venture capital group that creates and invests in companies focused on cybersecurity, data, AI, fintech and digital health.

Team8’s signature foundry model is designed to identify meaningful problems, create theses on potential solutions and build innovative companies that tackle these challenges.

Team8’s foundry model leverages an in-house multi-disciplinary team of more than 80 company builders located in Tel Aviv and New York together with dedicated communities of global C-level executives and thought leaders grouped as Team8 domain-focused villages.

Team8 partners with world-class founders and works with them to increase the probability of success via a disciplined, repeatable process from inception through product-market fit, growth and beyond.

Team8’s strong expertise and proven experience in cyber are at the core of the success of Team8’s CISO village.

Now, that’s a community of hundreds of CISOs, many of which are in this room who enjoy access to thought leadership content and valuable networking events and who partner with Team8 in return to support the company building process.

It’s time to play “What’s Worse?”

15:22.759

[David Spark] All right. Now, for those of you who don’t know and have not heard our show before, this game, What’s Worse, is a risk management exercise. I am going to have both Paul and Jesse playing along but you will play along as well. Again, you cannot change the scenarios. They both stink. The whole thing, it’s a risk management exercise.

You have to determine which one is actually truly worse.

All right, here we go. This comes from Rob Odin of Roblox. By the way, I’ll have you answer first on this one, Jesse. What’s worse, you have an overly generic pen test that provides details you already know but have the resources to fix. So, that’s good but you already know this is like a waste of money.

By the way, you’re paying for this pen test without any regulatory requirement.

So, it’s really just burning money to find out what you already know. Now, the flip side, you have a targeted pen test with an actual list but you’ve got no resources to resolve them. Now, I know it’s always better to know but you could be opening yourself up to liability knowing about vulnerabilities without doing anything to fix it.

As a cyber lawyer once said, you can easily find yourself going from ignorance to negligence overnight.

Which one’s worse?

[Jesse Whaley] I think this is a pretty crappy situation in both of these. I do think I have a preference here. I’ll just kind of work my way through it a little bit.

[David Spark] Again, you got to pick the one that’s worse.

[Jesse Whaley] Yes. I will pick the one that’s worse. The one that I think is worse is the generic test because well, let’s see, maybe that one is worse. That’s the way I want to go. The generic test is worse. I think that’s worse because you just wasted a bunch of money on things that you already know and you could have fixed it, everything that was on your list, without having to spend money on a pen test.

I think the targeted pen test is actually a better result for the company here even if we don’t have the resources to fix, I can advise our management team, the executives…

[Crosstalk 00:17:40]

[David Spark] Now, won’t this though, upset your legal team because, “Oh, you just set us up for a whole mess of liability.”

[Jesse Whaley] No, I don’t think so. I mean, at the end of the day, I think it’s about being aware of what’s in your environment and what your risks are.

[David Spark] Or put you out of compliance too.

[Jesse Whaley] It could.

[David Spark] That also could do that.

[Jesse Whaley] But then it’s on the company. My job is to advise them on what the risks are. It’s the company’s job to prioritize and invest in what they want to fix.

[David Spark] All right. I throw this to you, Paul.

[Paul Branley] I’m going to disagree with you, Jesse, I’m afraid.

[David Spark] Oh, good, good. Why?

[Paul Branley] I actually think that if you’ve got no resources to fix it, the whole thing is pointless then. The fact whether you know or you don’t know, if you’re not going to change the risk profile, then I think that’s the worst. But I do agree with you, they’re both pretty bad.

[David Spark] Yeah, that’s the idea. All right, I want to go for the audience, get the audience vote. Remember, applaud. Don’t raise your hand because they can’t hear you at all when you raise your hand. All right, by applause, again, which one’s worse? Not one you like better. The overly generic pen test that you already knew.

By applause, how many people think that’s worse?

[Applause] All right, that’s a good amount. All right, by applause, how many people think the targeted pen test you can do nothing about is worse? By applause. Again, you can’t applaud for both. How many people applaud for that? Nope. Wait, no one thinks it.

Paul, isn’t too… Wait.

[Jesse Whaley] We got one.

[Crosstalk 00:19:00]

[David Spark] Ally applauded. Ally applauded for that. Ally’s on your side. All right, okay, good job. All right. This next one, I think, is even tougher. Here we go. We’re going to play two rounds here. This comes from Neil Saltman of Armis. All right, what’s worse? You’re not going to like either one, again, I’m going to stress this.

What’s worse, give everyone admin rights.

I know some people are breaking out in hives as I say that, give everyone admin rights and freedom to download anything on their workstations or allowing users to use any third-party hosted application and uploading anything to them without a vetting process for all business needs?

Let’s hear it. Which one’s worse?

[Jesse Whaley] Oh, this is a tough one.

[David Spark] Yeah.

[Jesse Whaley] I think if anyone has been around cyber security for, I’d say more than 10 years, you’ve probably dealt with the first one before where everyone was running at admin at some point in your career. Because of that and because I know we’ve gotten through it, even though it’s still quite scary to hear, to show up somewhere and you find out that there’s a half a dozen more employees that were running as admin that shouldn’t be, I do think the second scenario is the worst where employees can upload anything they want to a third party because now, what you’ve done is exposed your data where the first one doesn’t actually directly expose anyone.

The worst scenario is the exposure of data to third parties.

[David Spark] Okay, third parties, all right. I throw this to you, Paul, agree or disagree.

[Paul Branley] Well, I think after the last vote, I’m going to have to agree.

[David Spark] Oh. Now you’re holding out. You can be independent here, Paul.

[Paul Branley] Yeah.

[David Spark] But I liked your argument on the last one. I thought it was very good.

[Paul Branley] Yeah. I agree with Jesse from the point of view that the admin accounts, I think that we all have a number of people who have excessive admin rights and we have, through education and other things, learned to try to deal with that. So, yes, I’m…

[David Spark] But now, I’m going to throw this out, but if you’ve got excessive admin rights and they’re downloading anything they want, then you are just like a beehive of hack problems about to happen, aren’t you?

[Paul Branley] That’s true.

[Jesse Whaley] Well, neither scenario is good.

[David Spark] Right, neither one is good.

[Jesse Whaley] I went with the scenario where you’re depositing your data directly into exposure land.

[David Spark] Yeah, but again, it doesn’t necessarily mean it’s in an insecure environment. It’s just in a lot of different places.

[Paul Branley] But you don’t know.

[David Spark] Right.

[Paul Branley] I think at least you know the situation and you know which systems it’s all, you know.

[Crosstalk 00:21:26]

[David Spark] All right, okay. So, both of you are agreeing that the scenario where they are both essentially third-party hosted. All right, so let’s get the audience applause on this to see, find out. By applause, how many people think it is worse? Again, remember, I’m throwing the fact that you give everyone admin rights.

It’s like you just could be a field day of ransomware problems and things like that.

[Jesse Whaley] That was so 2010. We’ve been through this already.

[David Spark] All right. By applause, how many people think the admin rights is far worse? By applause. [Applause] All right. A lot of people disagree. You could have gone that way, Paul. You could have gone that way. All right, by applause, how many people think the third-party hosted is worse? [Applause] I think that’s a split decision.

I think we got a 50-50.

[Paul Branley] 50-50.

[Jesse Whaley] I think Neil won this one actually.

[David Spark] Yeah. Neil did win. By the way, that is how you win, when there’s a pretty even split.

[Crosstalk 00:22:15]

[David Spark] Good job, Neil.

Would this person be a good fit for the job?

22:16.128

[David Spark] Solve the cybersecurity shortage by growing the team you want. Now, in an article on Dark Reading, Rob Lemos speaks of the trend of cyber leaders upskilling their staff instead of struggling to hire new talent. Now, but upskilling has its own challenges. How do you identify the knowledge that must be learned, who will learn it, who will provide it?

Can they just take a class or do you have to take someone else away from their senior duties to train them?

What does this do to your current security if people are spending time teaching and learning? I’m going to start with you, Jesse, on this because for those who don’t know, and I’m going to toot your horn here a little bit, Jesse’s got one of the most impressive pipelines I’ve ever heard of.

It’s kind of amazing.

Again, he took it from 3 to 100 people in about 4 years. He’s got about a third of that is interns and you’ve got people assigned to mentors. You have them going what, two-month stations at a time learning as much of cybersecurity as possible. Let me ask, what did it take to actually build the program and how much are you refining it?

Add to this story.

[Jesse Whaley] Really, where it started was just an idea is like we need to grow the team and I can’t afford to bring on the best and top talent at the higher salaries. I’m hearing about this cybersecurity talent shortage across the community, across my peer group. I’m like, what do I need to do to help solve this cyber talent shortage?

The answer was quite clear to me, is you create an internship program, you create a pipeline through multiple different universities and you start bringing them on.

We have pivoted a little bit to… We’ve gone through a complete rotation now of 36 interns. They rotate through every job function within cybersecurity so they have the opportunity to do different types of GRC work, different types of cyber defense, penetration testing, engineering work, architecture work, managing projects and programs.

They’ve got this well-rounded exposure to what’s in cybersecurity.

Now, we’re at the stage where we’ve identified, at least within this cohort, where they have an aptitude for and what they have an interest in. So, now, they are settling in for a longer period of time within their internship within a specific job role.

[David Spark] Let’s skip to you, Paul. Well, you’re starting at a brand-new company now and I mean, this whole thing of upskilling, it’s easy to say it but there are so many issues you have to deal with to do it and it’s like who’s going to learn this, at what time, how they’re going to learn it. How are you managing that?

[Paul Branley] Yeah. I think it is a challenge but I think it’s the right thing to do because I think it is a very competitive market externally. I do think you should still try to recruit diverse talent but I think growing the talent inside is a good thing. Now, what we want to do is to try to provide an environment for learning for all the different types of diverse learning styles that people have.

I think a lot of people we found in cybersecurity, particularly in the technical roles, they learn by doing.

They want to learn on their own. They don’t want to be in a classroom. We’ve set up certain labs like Immersive Labs or Snap Labs or something where they can get hands-on that can go at their own pace.

Potentially, we even use gamified approaches where they can compete against each other in order to encourage them to learn as much as possible.

[David Spark] Going back, how did, though, your security program change, because one of the things that you have to do is you assign people mentors. How much of their time is being dedicated to actually doing training and education?

[Jesse Whaley] I mean, I think there’s really like four channels, if you will, of how our interns and then entry-level employees gain the knowledge to do the job. The very first, I think the most important one is on the job training. It’s real-world experience working in our security operations center, working alongside more seasoned practitioners.

The advisors, so each intern is assigned to an advisor who is a more senior cyber security employee, they spend maybe an hour or so a week with the intern that’s assigned to them.

There’s online training available through multiple different resources, some free, some paid. Then as they graduate and move into entry-level roles, we create development plans for them and get them into more formalized training and education programs and help them get certifications so they can up their skills.

[David Spark] What is the hardest part of creating a training program, Paul?

[Paul Branley] I actually think you need to create the environment for people to learn rather than be precise and try to think you can define everything that people need to learn. So, if you can create the right environment, then…

[Crosstalk 00:27:08]

[David Spark] That goes back to the labs you were referring to.

[Paul Branley] Yeah, that’s right. It’s also not being prescriptive saying this team needs to know this, this and this. I think there’s a baseline that people need to understand. But what we’ve done is we’ve tried to create the concept of me-time where we give people permission to go and learn whatever they want to learn.

What we found is that the people who are best in cyber security are people, you know, they’re going to learn anyhow.

They’ve got a real appetite, they work a weekend sometimes.

[David Spark] So, you found that the need to be prescriptive doesn’t really come to play because I’m thinking if you’re taking on some cloud services that like, well, you need to learn this.

[Paul Branley] Well, I think we certainly give guidance and say we’re going to use automation more. We’re moving to cloud. We’ve got multi-cloud. You can do Amazon. We provide certain different facilities and learning opportunities for people but we do let the individual also follow the path that they wish to follow.

Sometimes that can be even way off beam, something completely different.

[David Spark] What have you learned from your interns about security?

[Jesse Whaley] Well, one, what I want to share with everybody here is never underestimate the power of interns. I think of this similar to what we heard some other folks from the Israeli Defense Force talk about earlier and being positive and showing optimism about what they can accomplish. What I’ve learned the most is, tell them they can do something and, “I know it’s going to be great.

I don’t know how you’re going to do it but I know you’re going to figure it out.” And then check in with them later and they’re going to do something absolutely amazing that is so far better than what you could have thought of on your own.

[David Spark] And you’ve experienced that?

[Jesse Whaley] Absolutely.

[David Spark] Paul, what have you learned from interns?

[Paul Branley] I think if you get the right interns and you create the right culture and atmosphere, I think they will grow really quickly and I think a lot faster. They can acquire the skills a lot faster than everyone appreciates, which keeps the more experienced people on their toes as well because they’ve got to continue to learn themselves.

[David Spark] I do want to close out this one thing because one of the things that comes up with the fear of training is that you train them and they leave. What’s been your experience, Jesse?

[Jesse Whaley] My experience is that when we bring someone in at the entry level, there’s a career progression ladder. As long as they’re doing a good job and they’re progressing in their career, they’re accomplishing their individual development plans, they’re accomplishing their goals, they’re going to get promoted automatically after a year, 18 months, you know, after another year.

So, all the way up to probably the three promotions are going to be automatic for them.

So, they have something to look forward to and are not looking somewhere else, at least in the short term.

[Voiceover] I tell you, CISOs get no respect.

29:47.885

[David Spark] What’s the best way to trigger a CISO? asked Misha Sobolev of Aphinia, who offered some triggers of his own, and I’m sure many in this room have heard these. “Can I have 15 minutes of your time?” A classic. And this one, when a board member says to you, “My nephew is in cybersecurity and he said we should…” Also, the community offered a few others.

Laura Whitt-Winyard of Hummingbird said when a recruiter messages a CISO and says, quote, “Are you interested in this security analyst position we’ve got available?” Don Bolan, CISO of Hound Labs said, quote, “If you use our tool, you won’t need any other security tools.” These triggers or annoyances are the result of others just not understanding the difficulty of security or the specific pressures of a CISO.

The CISO Series was launched actually in reaction to many of these annoyances so I’m sure you’ve heard them all.

I’m actually… Jesse, you showed me one yesterday that was a doozy. I want you to retell this story. I’m telling everyone, strap in when you hear this, okay. Go.

[Jesse Whaley] All right, here we go. You guys ready? First, I’ll make a disclaimer that the company that I’m going to mention here is not a Team8 company and it’s not represented by anybody in the room. So, you have no fear, right. We’re not under Chatham House Rules because we are actually recording this.

I received notification from the CEO’s office that they had received an email from a third party that had been trying to do business with us.

I had met with them actually once before and politely kind of declined and we kind of went about our separate ways. In the email to the CEO, this company expressed their concerns about the vulnerabilities that they’re aware of in our company, my company, and wanted to make sure, at least at the CEO level, that security was taken seriously.

In fact, I did…

Well, I felt like I was being extorted a little bit, that’s for sure. In fact, I did take a follow-up meeting. I brought my general counsel and we had some nice discussions about their approach and they haven’t contacted me again.

[David Spark] Paul?

[Paul Branley] I can’t beat that one. That’s a really good one. Very late engagement, I think, is one thing that is a challenge. When someone turns up and says, “We’ve been running this project for the last nine months and we’re going live this weekend and there’s a big launch event. We just want to check that you’re okay with the security.” I think that’s quite a challenge.

[David Spark] Vendors are so desperate to engage with you and they essentially have a bag of tricks, if you will, in the hopes to engage. It’s driving everyone nuts. You guys know what they’re trying to do. What have been some actually positive engagements that you’ve had that you’re like, “Yes, this is the way to engage with us.”

[Jesse Whaley] I’ll take the first crack at this. For the most part, the best way to engage with the CISO is through the community, through other CISOs, through groups like what we have here with Team8, through other CISO groups. If you’re a new cyber security company and you want to capture the attention of the CISO, you start talking to CISOs and you have CISOs introduce you to other CISOs.

That’s how you start a conversation.

I’ve purchased more cybersecurity products based off of a referral from a fellow CISO on how this product helped them achieve their cyber security goals. That’s typically what I find helps me the most rather than cold calls.

[David Spark] All right, what has been your positive engagement and the best way to engage with you too for that matter?

[Paul Branley] Yes, I agree with that. I think recommendations from the community are valuable. I thought Nia was correct last night when he was saying that there’s a lot of products out there that don’t really live up to expectations. I think recommendations are good. Particularly, we’ve gone for certain products in the past when they’ve been evaluated by one of the intelligence agencies.

If something’s been validated by GCHQ, then it’s pretty damn good enough for me kind of thing.

I think recommendations are probably the number one and then secondly, the best thing if it’s not through that is directly with me rather than through my boss or my boss’ boss.

[David Spark] There’s never a time you like that, is there?

[Paul Branley] Yeah, no.

[David Spark] No, it’s not. Never good.

It’s time for the audience question speed round.

34:31.656

[David Spark] All right, with the little time that we have left here, I have in my hand questions from you, the audience, [Inaudible 00:34:45] gentlemen, and we’ve got a lot of them. So, just, I want quick answers from both of you on all these questions. Here, this is a good one, totally appropriate for our event here with Team8.

It comes from Jason Cenamor with Merlin Ventures.

What are you hoping to achieve by coming to an event like this? I’ll start with you, Paul.

[Paul Branley] I’ve shared with a few of you, I’m really hoping to understand what to do, definitely to do in the first 90 days in my new role and what definitely not to do. So, to learn from your mistakes, really.

[David Spark] Learn from the mistakes. By the way, have you found people are very eager to tell you their mistakes?

[Paul Branley] They are. In fact, it’s putting me off actually. But, no, no. It’s been very helpful.

[David Spark] Awesome. All right, what do you hope to achieve?

[Jesse Whaley] I’m here to really expand out my network. It kind of takes a village to be a CISO and I think that’s kind of what Team8 is all about, is growing that village so that we can all excel together.

[David Spark] All right. From Allison Miller, what’s your favorite threat? I like this one.

[Paul Branley] My favorite threat.

[Jesse Whaley] Is that like a what’s worst, or?

[David Spark] No, you got to have a favorite threat.

[Paul Branley] I think often, organizations are better when they have suffered from something. They learn the hard way. We learned the hard way a few years ago with the Mirai Botnet targeting us. So, the DDOS threat for us is probably my favorite.

[David Spark] Your “favorite” in quotes.

[Paul Branley] Because today, we’re in a better shape. Yeah.

[David Spark] Jesse, your favorite threat.

[Jesse Whaley] Well, I’d hate to like actually pick a threat as something being my favorite, but if I…

[David Spark] Like you don’t want to put a target on your back.

[Crosstalk 00:36:18]

[Jesse Whaley] I’m not going to put a target on my back but I’d have to say there are threats, I think, to businesses that go beyond just the normal cyber threat actor, which I think was probably what the person asking the question meant. I think there are other threats and I think the more serious threat facing cybersecurity programs is the financial situation and how their budget is going to play out over the next one to two years.

I’m going to call an audible here and throw out a financial threat as a threat to cybersecurity programs.

[David Spark] All right, all right. From Tomasz Chowanski, what aspect of security will be the first to be replaced by AI? Either one of you jump in.

[Jesse Whaley] I don’t know about what aspect of cybersecurity. I think what’s probably closer if we think in terms of generative AI is more of the human plus AI and helping our SOC analysts. While we’re training up entry-level practitioners, if they can simply ask questions against the data and ask questions about the alert that they’re analyzing and get answers back that normally might take a more senior person to help walk them through that, I think that’s probably a pretty quick win for the security community.

[David Spark] All right.

[Paul Branley] Yes. I think queries and advice is probably going to be replaced because there’s a big corpus of knowledge that can be ingested and the AI can probably remember the quantity of it better than a human.

[David Spark] Kind of an amped up FAQ, if you will.

[Paul Branley] Yeah, that’s right.

[Jesse Whaley] All right. This one comes from Cooper Wilson of Darling Ingredients. In an incident response, what’s your greatest fear? When it’s happening, what’s your greatest fear?

[Paul Branley] Some of our really clever people help us on the incident response, and my fear is them being locked out and not having access to help defend the organization. I think that’s my biggest fear. As long as they’ve got access, they are really smart people and they can help us.

[Jesse Whaley] I’d say my biggest fear is that I forget to call general counsel.

[David Spark] All right then, let’s go to the very last question I have right here. Are you looking forward, and by the way, I’m going to just say this comes from Angel Urunel, who is a CISO over at Fluida, and I’m just going to say you have to answer this question. No hard pass allowed on this one, all right.

Are you looking forward to your next CISO role or retiring?

[Paul Branley] I’m really looking forward to my next CISO role.

[David Spark] By the way, timing for you is great because he is in his next CISO role. All right, go ahead, Jesse.

[Jesse Whaley] Well, I think I have to be a little bit careful about what I say here and who might be listening.

[David Spark] Yes. That’s the idea.

[Jesse Whaley] I mean, I’ve got 4½ years at Amtrak. I’m much too young to retire. I am looking forward to what’s next. I don’t know if it’s CISO or if it’s something else.

[David Spark] Very politically correct.

Closing

39:12.178

[David Spark] Well, thank you very, very much, both Jesse Whaley and Paul Branley. Let’s hear it for them. I want to thank also Team8. You can find them, by the way, at team8.vc. They have been running this CISO Summit. It’s been an absolutely spectacular community. They’ve brought some great presenters on this stage.

We’re totally thrilled they brought us here.

Paul and Jesse, I’ll start with you, Paul, any last words on today’s conversation? I’m going to guess your new job, are they giving you a head count to hire?

[Paul Branley] Hopefully, yeah.

[David Spark] Hopefully. So, if someone wants a job, they should contact you?

[Paul Branley] Yeah, but I do think the big thing is the power of this community, that we can use this community to help our organization as well as we can hopefully contribute something back as well.

[David Spark] All right. Jesse, any last thoughts?

[Jesse Whaley] I’ll just say, yeah, we’re hiring. We’re always hiring. We’re always filling our pipeline. Our talent pipeline consists of our internship program, transitioning military veterans and management trainees for those transitioning from blue collar workforce to cyber. If you want to learn more, go to amtrak.com/careers or hit us up on LinkedIn.

Our jobs are posted there as well.

[David Spark] Are you going to make a call out to any of these CISOs if they want an analyst position?

[Jesse Whaley] No. However, if you have any up and comers, you know some college students, you can send them our way and we’ll consider them for our internship program.

[David Spark] Awesome. All right, well, thank you very much to Jesse Whaley of Amtrak and Paul Branley, who’s now the brand-new CISO over at TSB Bank. Thank you to Team8 and thank you to our audience. Thank you to Tel Aviv as well.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website CISOseries.com. Please join us on Fridays for our live shows: Super Cyber Friday and Cyber Security Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions and “What’s Worse” scenarios.

If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO series podcast. Thank you.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.