We’re Not Home. Please Leave Your Company’s Data After the Beep

Leave your company data after the beep

Why are so many companies unprepared for phone-based social engineering? As an industry, we’re very familiar with the attack surface presented by email. But the recent MGM Resorts breach showed that phone-based defenses are sorely lacking. Why do many organizations not give this attack surface the attention it deserves?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Arvin Bansal, former CISO for Nissan Americas.

Huge thanks to our sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO. Go!

[Arvin Bansal] Focus on organization culture. Does it align with your personal values? Does it align with your strength and opportunities? And will it help you grow?

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, it’s my cohost. He is the operating partner over at YL Ventures. His name is Andy Ellis. Andy, say hello to the nice audience.

[Andy Ellis] Hello to the nice audience, and hello to the not nice audience if you happen to join us today.

[David Spark] We will embrace the not so nice audience, too. That’s a good point. We do embrace both sides.

[Andy Ellis] We’ll help you become nicer.

[David Spark] Yes. We want to bring you over to the not dark side, if you will.

[Andy Ellis] Oh, no, no, the dark side can be nice, too. We have cookies.

[David Spark] Well, there you go.

[Laughter]

[David Spark] We’re available at ciso-dev.davidspark.dcgws.com. All our programming is there. And our sponsor for today’s episode, you know them. Everybody knows them. It’s Palo Alto Networks. We’re thrilled to have them onboard. Thank you very much, Palo Alto Networks, for joining us. Now, we are recording this episode actually late September, but this episode drops in November, just before Thanksgiving.

And Thanksgiving is the kickoff to the holiday season. And, Andy, you and I are both of the Jewish faith. We have a significant percentage of our audience that is Israeli and Jewish faith. Question – does it annoy you, upset you, irritate you, anything like that when people wish you a merry Christmas?

[Andy Ellis] Not at all.

[David Spark] Same here.

[Andy Ellis] I take it in the spirit that they’re coming from as an individual. That said, if I’m in a store, I prefer, “Happy holidays,” but if someone says, “Merry Christmas,” fine. Whatever. It doesn’t bother me.

[David Spark] It’s all meant positively. That’s my feeling. I have no problem with it whatsoever. Wish me merry Christmas.

[Andy Ellis] Now, if you’re wishing me merry Christmas before Thanksgiving, I might have some words for you then. You’ll probably get a, “Happy Hannukah,” back from me.

[David Spark] [Laughs] There you go. And also Hannukah is coming much earlier, too, than Christmas, too. So, I think it’s all right that we wish happy Hannukah before they wish a merry Christmas.

[Andy Ellis] Absolutely. And in fact I have friends that they’ll wish me a happy Hannukah, and I’ll reply, “Merry Christmas,” because I know that’s what they observe.

[David Spark] Right. But for the person at the grocery store who doesn’t know.

[Andy Ellis] Yeah, it totally doesn’t bother me.

[David Spark] Again, not even an iota, whatever. For all those people who think it bothers us, it doesn’t.

[Andy Ellis] There are some. There are some it does bother, so I’m not going to speak for everybody.

[David Spark] I won’t speak for everyone either. But, no, I couldn’t care… Not that I could care less. I just appreciate the spirit in which it’s given. It’s all meant positively.

[Andy Ellis] Yeah, here’s my thing, which is if you’re going to take out the “merry Christmas…” I’ve seen this. Companies will send out a holiday card, and they say, “happy holidays,” but it’s green and gold with stars. And it’s sent on December 24th, and it’s a Christmas card that just says, “Happy holidays.” I feel more excluded by that than if the card had just said “merry Christmas.” Because now it’s like, “Oh, we’re going to pretend we’re not sending you a card for Christmas, but we’re really sending you a card for Christmas.”

[David Spark] Just send me a card for Christmas. I got no problem with it.

[Andy Ellis] Send me a card for Christmas if you want. Or send me a holiday card. Or send me both.

[David Spark] Send me a “merry Christmas” card. Dress up in the nativity scene. I’m fine with it.

[Andy Ellis] Yeah. In fact the most beautiful Hannukah card we actually got is from cousins on my wife’s side who are very devout Christians. And they send us the most religious Hannukah card I have ever seen. It’s amazing. I look forward to getting it every year because they’re totally embracing it.

But if they send us a Christmas card, I’d be cool with that, too.

[David Spark] There you go. We’re saying to our audience feel free to wish us a merry Christmas. We’ll take it. We’ll accept it in the spirit that it is given. In fact I’m going to wish a merry Christmas to our audience, too, as well.

[Andy Ellis] Yeah, Merry Christmas. Happy Thanksgiving. Happy Hannukah. Festive yule. Happy solstice.

[David Spark] Merry Festivus.

[Arvin Bansal] I feel like we need to drop in the, “Happy Diwali,” too. Right?

[David Spark] Hold on. There you go. Happy Diwali, too.

[Andy Ellis] It’s happening right now.

[Arvin Bansal] Right. We just passed it.

[David Spark] That, by the way… The voice you’re hearing right now, that is our guest. He is the former CISO for Nissan Americas. I just met him in Nashville while we were doing a recording at the Evanta Conference. So thrilled that he’s joining us. It is Arvin Bansal. Arvin, thank you so much for joining us.

[Arvin Bansal] Thank you for having me, David.

That’s something I’d like to avoid.

4:41.644

[David Spark] Why are so many companies unprepared for phone-based social engineering? As an industry we’re very familiar with the attack surface presented by email. A good spam filter eliminates a lot of potential threats. But the recent MGM Resorts breach was caused by ALPHV attackers finding an employee on LinkedIn and calling in to a help desk.

In a LinkedIn post, SocialProof Security CEO, Rachel Tobac, said, “Phone-based attacks work due to a lack of verification protocols, easy spoofing of identity and phone numbers, and help desk being incentivized to resolve calls quickly.” Andy, I will start with you. Why do so many organizations…? And I’m going to admit, we haven’t talked about this much at all.

So, I think we’re guilty as well. Why do so many organizations not give this attack surface the attention it deserves as we clearly see it needs?

[Andy Ellis] I think there’s a lot of complexities here. Rachel Tobac is so correct when she names, “Here are these basic core problems.”

[David Spark] Yes. She is awesome. I’ve met her, too, as well. She’s great.

[Andy Ellis] Love her. The core problem is that we run our businesses, our command and control infrastructure, over completely unauthenticated protocols – email and telephone. And so there’s this whole trust based model. It’s like, oh, you trust an input that comes to you, and you do something with it.

And in fact I will even challenge that a good spam filter eliminates a lot of potential threats. A good spam filter eliminates junk. It doesn’t actually eliminate real threats – people who carefully craft emails that are going to get through.

[David Spark] True.

[Andy Ellis] It deals with the spam. But the person who makes the phone call isn’t spam. I get the spam phone calls. It’s an automated recording. That’s not a threat. The threat is somebody who calls me and says, “Hey, Andy, this is David Spark.” But I’ve never actually talked to you. And now what do we do, and how few companies have built processes to do verification and validation to say, “Hey, when I get a request from someone, how do I know that’s a real request so I know whether it’s a threat or not?”

[David Spark] Very good point. Arvin? First of all, have you dealt with this before, creating security training for phone-based attacks?

[Arvin Bansal] 2014. That was the last time I worked on looking at phone-based security, and it brings back the memory from the DEF CON Hacking Village where we saw some of the greatest demos of how simple it is to break into an organization using phone phishing pieces. But let me come back to you, the original question.

What happened at MGM, and how are we doing across the industry for that.

[David Spark] I should point out to our audience, you’re going to hear this in November, and we’re recording in September, so it’s possible a lot more information may come out between the two. So, go ahead though, Arvin.

[Arvin Bansal] Yeah, so the way I look at it, David, there are three layers that we need to look at from a security perspective for phone hacking of breaches. The very first part is if you look at the business outlook of it, you will see the majority of breaches, what kind of breaches we’ve been hearing about or seeing in the newspaper, and how many of those breaches were attributed to phone phishing.

You will see the number is dramatically low. You might hear a lot about email phishing. You might hear a lot about breaking into infrastructure. But how many of those breaches really reference phone hacking? So, that’s the first part. That’s the visual of what business leaders, technology leaders, and security leaders are hearing, internalizing, and working on from the frame of reference, breach frame of reference they have.

[David Spark] So, when they hear it’s low, they think it’s not something to concern themselves with.

[Arvin Bansal] It gets reprioritized lower risk, much lower in the layers of priorities they have. Now, the second part is the question to ask is, “Where does phone, AV, and other systems sit in an organization?” So, if you start talking about it a decade ago, they were all part of IT. And within IT, you will have the Wires of the world, RingCentrals of the world, Alcatel-Lucents of the world providing those technologies and supports.

Then gradually those things started moving into smartphones and web based systems. So, that landscape shifted. And the third layer that immediately started coming in, business was looking for outsourcing. Business was looking for cost cuttings. So, where do these help desk phone-based support systems really sit?

Probably a lot of them are outside US.

[David Spark] Good point.

[Arvin Bansal] Parts of Asia. Whether it’s India, or Philippines, or you’re looking at call centers being opened in Europe or Latin. So, how do you secure something that’s out of the company in most organizations already? The answer is, “Oh, we have a contract, and the contract has clauses. And those companies and people are supposed to be up to a certain level.” But are they really at that level?

So, that’s the second layer. Business breach framework and looking at where do these systems and technologies sit, and who actually operates and picks up the call on the other side of the phone. Now, the third part of that is how do we secure these technologies and systems. One is, of course, you can build standards, controls, policies, frameworks.

But then to execute those standards, controls, and frameworks, you need technologies. That’s where… You mentioned today’s sponsor, Palo Alto, is doing a lot of work in that space. We have tons of other security vendors. They’re all working towards it. But in my experience, David, the landscape shifts.

Data center security was paramount, and then all of a sudden cloud security became paramount. So, everybody is trying to secure cloud. Where are the vendors for securing the phone-based attacks? Can we list five companies or solutions that we have interacted with in the last five years? No. So, it’s the entire ecosystem, David.

If we start looking at the breach preferences, if we start looking at who’s serving the [Inaudible 00:11:17] system. And then we get to how to protect it. You will see there are tons of gaps there.

What would you advise?

11:21.855

[David Spark] Are we doing enough to support whistleblowers in cyber security? Deciding to voice security concerns either internally or to a regulatory body isn’t something to be taken lightly. Andrada Fiscutean at CSO Online outlines what organizations can do better to facilitate internal whistleblowers.

Now, this needs to start with having a clear policy to allow for confidential reporting of issues by employees in the first place. This should also be tied with multiple reporting options to let the employee keep anonymity, ranging from a hotline to reporting through a specialized office. So, I’ll ask you, Andy, have you set up policies to do whistleblowing and anonymity for that matter?

And how else can companies create a culture where employees feel safe blowing the whistle?

[Andy Ellis] Certainly every public company should have this, and most companies do. You have some sort of an anonymous hotline that gets handled by the general counsel actually. It usually gets reported to the board that somebody has reported to it, and then there’s an investigation.

[David Spark] By the way, so this is… When you say general counsel, is this usually something that cyber does not deal with at all, or they do?

[Andy Ellis] Right. It doesn’t even come to cyber. This is just… That’s straight to the top. Hits the general counsel. Board sees it. Now there’s going to be an investigation driven by the general counsel’s office.

[David Spark] Right.

[Andy Ellis] Now, as the CISO, I want to make it that people can come to me and say, “Hey, I disagree with what’s going on here.” Come tell me. Lots of different ways you can do that and show them that you’ll listen. The biggest challenge… And I went and read this article. This article really wasn’t about whistleblowers.

This was really about a disagreement of prioritization. It used the Mudge example. Mudge, who did go and do a whistleblowing. But when you read Mudge’s complaint, a number of the issues in there were things that I don’t think rose to the level of being a whistle blow. This was, oh, there were a number of problems.

They were prioritized in a different order than he agreed with. And he wanted to whistle blow that they did not do the prioritization in the order he would have.

[David Spark] But we’ve seen variations of exactly that in that… I’m sure you’ve had employees that get really concerned about a vulnerability and want you to escalate it.

[Andy Ellis] Right.

[David Spark] And you don’t agree with them. And then they get really annoyed because it’s kind of their world, and they think it’s important, right?

[Andy Ellis] Exactly. Or it’s somebody else’s world, and they want somebody else to go fix it. I’ve certainly had that. We’re pushing on a program, and they’re like, “Well, why are you pushing on this? This other person’s program is much more dangerous.”

[David Spark] So, quick question to you, and then I want to throw it to Arvin. How do you acknowledge that person and make it clear that, “I’m hearing you. I understand you. I understand the importance you think… Just want you to know this is part of a larger milieu, and I appreciate you coming to me.” I’m assuming say all the things I just said, or is there more to it?

[Andy Ellis] Exactly. Right. You say, “I hear you.” Look, there’s a lot of good work to be done. The biggest challenge that a security leader has is to be able to communicate that we are doing a fraction of everything we could do. Sometimes there will be valid disagreements. Look, if you want to go do some work that I don’t currently prioritize, I’m not going to criticize you for that.

I think there’s great work to be done.

[David Spark] All right. Arvin, throw it to you. What is sort of the whistleblower environment that you have created? Excuse me, maybe I didn’t set that up right. What is the environment that allows for whistleblowers to exist?

[Arvin Bansal] Right. So, there’s a lot that we need to think about from an environment perspective for a thriving whistleblower perspective in security. I was just thinking about from a business perspective, the very first part is being a whistleblower, what does that mean. And what’s the analogy in the industry?

So, I spent about a decade at Citigroup. We had a very robust program in financial industry, and it wasn’t a program that a leader of a security department created, the leader of the company created. It actually drives, if you look beyond those layers…it’s driven by the law. And there is an agency that actually seeks out, and supports, and pursues those kinds of things.

So, you have SEC out there, publicly listed companies. Somebody who wants to be a whistleblower can have those channels and means to go through and actually execute on those things and have the protection from the legal side of it. That’s because the companies are breaking laws.

Now, we take the same analogy into cyber space. What laws are being broken? And how educated is the industry about those laws? And what are the implications of companies not following those laws? So, I think in my perspective, we are not there yet. If we are expecting that people will walk in and give you the whistleblower piece for the cyber security part of a company, which is publicly listed, I think we have a lot of work to do, and it starts with the laws becoming more stringent, the leaders becoming more educated and accountable for meeting those laws.

And then having some protections outside of the corporate environment. So, that, to me, is paramount and the starting point of doing a really solid job in the whistleblower space.

Then of course I agree with Andy. It goes to the general counsel. The discussion needs to happen. And of course you’re part of a corporate organization, so you have to follow this structure. Then from the industry and law, we get into the business side of it, in the corporate. The third part is the technical and execution pieces.

How many times the CEOs and the business leaders really talk in their town halls about bringing out security defects, about, “Hey, we are there to fully support you. Here’s the channel, and here’s how you can do it.” How many times does that happen in the technology CIO world? If I put myself into the CIO shoes, dude, what are you going to find?

[Laughs] Tons of things that we are not doing well in technology.

So, how do we align those incentives for CIOs and CTOs to be part of this and maybe have them drive these things, have them build those dashboards. It’s no different than Marc Benioff and Salesforce when [Inaudible 00:18:06] became crucial for the world about half a decade ago. He had his dashboard of every lead accountable to show him what are the numbers and progress happening.

So, my take on this is, David, unless we have, to Andy’s point, the leadership buying into it coupled with the industry infrastructure, regulation, laws, governing bodies supporting those pieces and then have the actual technology owners realize it’s happening them, not finding faults in them, this area is not going to grow.

Sponsor – Palo Alto Networks

18:40.933

[David Spark] Before I go on any further, I do want to mention our sponsor, Palo Alto Networks. Now, I know you are all aware of them. You know them as the global cyber security leader and a big supporter of our work. They protect more than 80,000 customers globally. Help them safely embrace cloud native architectures and ship secure applications by default.

Now, Prisma Cloud by Palo Alto Networks is the world’s only cloud native application protection platform or CNAPP to deliver security coverage from code to cloud. They help customers break down the operational silos between engineering and security teams to accelerate secure application development and build scalable, predictable cloud workflows.

With numerous native integrations into developer tooling and powered by the industry leading open source policy as code engine Checkov, Prisma Cloud unites code builders and defenders across a common framework. Industry leading threat intelligence provided by Unit 42 and integrated web application and API security capabilities help protect against emerging and zero day cloud threats.

As the global cyber security partner of choice, Palo Alto Networks is a recognized leader across more than a dozen industry analysts and third party reports and surveys. You know where to find them. Just go to paloaltonetworks.com to learn more.

It’s time to play “What’s Worse?”

20:13.947

[David Spark] It’s time to play “What’s Worse?” All right, Arvin, I know you know how this is played because you came to our live show, and you saw us play this live. So, what we have is two scenarios. Both are not ideal, but you have to pick which is the worst of the two. I make Andy always answer first.

This one comes from a listener who wishes to be anonymous. There’s nothing greatly revealing, but I guess he doesn’t want to be associated with the show is what I’m thinking.

[Andy Ellis] Or with this scenario.

[David Spark] With this scenario. Who knows? So, this comes from anonymous, although I do know who it is. But I have to say anonymous because that’s what the person requested. So, other people… I’ll accept anonymous. If you want to send in a scenario that actually happened to you and you want it to be anonymous, please send it in.

Please do. All right, here we go. And we’ve done variations of this one before, so this is not going to be a big shock to you, Andy. So, promoting… This is a key thing. Promoting an extremely technical person able to resolve any problem but with really poor communication skills and not understanding how senior leadership functions.

Or you hire someone with the complete opposite skillsets – amazing communication skills, really is a master of dealing with senior leadership, but technical skills, eh, pretty pathetic. What’s Worse?

[Andy Ellis] I think a lot is going to depend… I hate when I start with the depends.

[David Spark] I hate the depends, yeah.

[Andy Ellis] On what level you’re promoting them. But that said, I’m going to go with let’s assume that we’re maybe director or VP level. I’m going to say probably the first one is what’s worse. Because I’m not allowed to teach them. That’s generally our rule is I can’t say, “Well, I’ll promote the technical one, and I’ll teach them the personal skills.”

[David Spark] Right, because then it negates the whole thing.

[Andy Ellis] It negates the whole scenario. But given that I have the technical person on staff then what I’m missing is the people and process skills. So, if I can bring in that person, now I have a scenario where maybe I do have some tension because this person wanted the promotion, but at least I have the full set of skills on my team.

So, I’m going to go with promoting that person…

[David Spark] The technical person.

[Andy Ellis] …who is incapable of learning the people skills at all because that, for the scenario, is the worst situation. But I don’t like either one of them.

[David Spark] No. Well, that’s the idea. Neither one is good. All right, Arvin, I throw this to you. Which one is worse of these two scenarios?

[Arvin Bansal] So, for me, I would just say there are two sides of the coin, David. If I’m working for a smaller size of company and if I’m working in a sector, let’s say manufacturing versus financial and technical, I’m leaning more towards it’s good to have a technical guy on the team because the team size is smaller, and you really need someone to be jack of all trades.

We can work on the communication part of it. You really want to fix the problem.

[David Spark] But you have to promote one of these two people. Are you promoting the technical person or the savvy business person?

[Andy Ellis] And you can’t fix their gaps. That’s part of the rules is you cannot mitigate the scenario.

[David Spark] The gaps are there. They’re going to stay there. They’re not going to improve.

[Andy Ellis] David, it wasn’t promote one or the other. It was promote the technical or hire in.

[David Spark] Oh, yes, excuse me. Hire out someone with the opposite skillset.

[Andy Ellis] Right. That was why I went with the better to hire out because now I get both sets of skills on the team. Whereas if I promoted, I would not have that set of skills.

[David Spark] That’s a good point.

[Arvin Bansal] Yeah. So, look, I would take communication any day over technology.

[David Spark] Really?

[Arvin Bansal] And the reason I say is I think a lot of us feel security is complex, but it is not. At the end of the day, the simple analogy I would give is it’s a police and thief situation. You are really trying to make sure bad people are out of the door, and you’re trying to make sure that the same reasons that other people are getting breached from doesn’t happen to us.

So, there’s a lot of known processes, technologies, tools, and function that can be utilized. But if you’re not able to communicate the risk to the senior management then it’s a problem.

That’s where my caveat is. I would promote communication if I’m in a larger organization and if I’m working in financial, technology, healthcare, high moving sector where it’s crucial to get the buy in. But let’s say if I’m working in a smaller firm, the number of people, startups, mid-size company, there’s only so many people you can hire.

And the budgets are restrained, so you have to look at where do I get the biggest bang for my buck. That’s where you start making those assumptions of, “Hey, I really need someone who understands technology and who can do three, four, five different jobs instead of being fixed into a bucket.” That’s why I would go for the technology guy.

[David Spark] I realized that this… I think we changed it a little bit. I should have altered this “What’s Worse” scenario to not hire out. Because it’s actually… It’s the best of both worlds. It’s like I still get to have the technical guy, and I hire out. It should be the alternate, like promote one or promote the other.

This is what should make it more challenging. But it’s still… I think your answers would stay the same, correct?

[Andy Ellis] Probably.

[Arvin Bansal] Absolutely. To me, in my experience, it’s not about what specific skills, one skill that you have. If I have less money and I have to deal with multiple drills, I’ll go for technical, because that’s the hardest thing to find, and I will become that communication guy.

Okay, what’s the risk?

26:12.861

[David Spark] How useful are CVE numbers? I’m not questioning the utility of a single number to track known software issues across the industry, but a recent piece by Jake Edge on LWN.net questioned the usefulness of the Common Vulnerability Scoring System used to contextualize these vulnerabilities.

Now, we have constantly mentioned on the show how that number should not be used to determine the importance in your environment. Jake Edge documented several instances of popular open source projects receiving critical scored CVEs, which were later disputed to not being vulnerable at all or downgraded to much lower scores.

Now, this not only causes extra work for open source projects but also has implications for service level contracts and government regulations that require quick patching of critical scored vulnerabilities. The CVE system isn’t going anywhere anytime soon. But, Andy, how should we factor them into the scoring of your overall risk profile?

[Andy Ellis] So, I think there were two separate points in Jake’s article. One was around when somebody reports a vulnerability in software that they don’t have the right details. Maybe they mis-scored it, or they don’t actually understand what’s going on. And so they’re misreporting. I think that’s certainly a problem, but we shouldn’t throw out the baby with that bathwater.

The second problem that CVSS has… I get to actually say I was the first consumer of CVSS back when it was being standardized, so I probably have more experience with it than most people, including having my own bespoke scoring system in the early days when I didn’t like what was happening there. We should recognize that CVSS is about scoring a hazard, not an entire risk.

This is the hazard presented on one system or set of systems by a vulnerability. Without the context of what that gives access to, what is the attack path an adversary could have. You can’t prioritize solely based on CVSS. That’s its biggest problem. I think people don’t want to go back to the world before CVSS, and you could look at EPSS as a potential replacement for it.

But you should remember that before we had CVSS we used to have to go in and argue that we should patch something because it was a high vulnerability or a medium vulnerability, and people love to argue with qualitative assessments like that.

Because something that’s right on the boundary of medium/high, I say it’s medium, you say it’s high, or vice versa. We would spend so much time arguing about these relative priorities on a nine-box of risk versus likelihood. When you walked in and said, “This is like a 6.78,” everybody just shuts up because the math is just so convoluted.

They don’t want to understand it. Even though there’s only like 42 CVSS scores that ever come out, it feels like there’s a lot more.

[David Spark] So, it is a form of standardization even though there are debates over it, how it’s relevant [Inaudible 00:29:24] But it is one score that has been accepted.

[Andy Ellis] Absolutely. And so it’s easy to get past the arguments for 99% of the vulnerabilities. And on the one percent that matter, you should absolutely do your own negotiation, and rescoring, and figure out what you want to do with it.

[David Spark] All right, Arvin, how have the CVSS scores helped, hurt, or do not have a major impact in your environment?

[Arvin Bansal] Early on, David, if we talk about a decade ago… And Andy raised a good point there about CVSS and CVE. They were tremendously helpful. Because, remember, security was just starting off, and a majority of security work at that point in time was scanning our systems and finding those security defects, and then how do we know which one to fix.

CVSS score became the sort of founding foundation of starting that discussion. It is only after a few more years that we started talking a lot about identities. Then we started talking about a lot on firewall pieces. Then we started conversations on the data protection and all. And all of a sudden the technology was taking off big time.

So, it was challenging to see tons and tons of security vulnerabilities, defects, and how do we prioritize them.

That’s where some of the security smart guys, they came out with solutions, like Kenna Security, acquired by Cisco now. How do we prioritize that? How do we add more layers to which one to work on first? Which one has the biggest impact? Then a few years later, that sort of reduced the value but did not eliminate the value of CVE.

Then it became attack surface, which attack paths attackers can get into, “Let me just fix those.” And now we are talking about, “Hey, the IT has moved to cloud.” And there are tons of codes, and PaaS and SaaS services in use. How do we think about securing everything? And part of those we don’t even own.

So, I believe in the past, it was tremendously useful, and people were developing frameworks and using things like STRIDE threat modeling. But in today’s world, technology wise, CVEs are a good starting point, but they are not the go-to point for that, number one. Number two, if we look at the business of it, what are we trying to accomplish by using these scores?

It’s not just about a technology guy getting a security defect, and let’s fix it. But it’s more about what systems are impacted, what business function those systems are serving, are those revenue focused, regulatory focused, have a potential economic service impact.

Then you bring in all of those factors together to say, “Yes, this is the first one I want to attack,” or, “This is at the top of my list.” So, while CVEs… In summary, I would say technology wise they are not serving the function which they were built for. The article pointed out some good examples of how the systems can be less than perfect.

I think in today’s world it’s changed drastically and dramatically. CVEs do play a role, but it’s so minor looking at the business focus, looking at the risk focus. We need to do a better job in that space. But that’s where I would love you.

What’s broken about cyber security hiring?

32:58.443

[David Spark] A report from the analyst firm Cyber Security Ventures recently predicted there will be 3.5 million unfilled cyber security jobs in 2025 with 750,000 in the US alone. Okay. Just so everyone knows, we’ve reported on this number from Cyber Security Ventures who actually gets it from others as well.

The number just keeps going up. I think over a number of years, we are going to say the entire human population is what it is because it just keeps going up and up. So, if you’re looking to break into the field, it’s a good time to enroll in a bootcamp and get some certifications. Right? Not so fast, cautioned Ben Rothke in a recent Medium post.

He points to a couple of reasons why unfilled cyber security positions grew in recent years. “Employers don’t pay market rates for employees with significant experience. Hiring managers not giving HR meaningful job requirements to create accurate job posts and outdated recruitment practices…” I know that’s a big one for you, Andy.

“…all play a role. The roles available are specialized, making them more suited for internally filling from existing IT staff rather than hiring new staff with generalist certifications.” I’m going to start with you, Arvin, on this. We address this issue again and again. What of any of these factors that Rothke brought up would be the easiest actually to tackle and solve?

Because the problem just keeps compounding. We got to figure one of these things we can deal with. Which one do you think we can deal with?

[Arvin Bansal] I think we need to deal with the experience part first. To me, that’s the foundational. We can talk about money, and job descriptions, and all. But it’s all about what exactly are we looking for in a cyber security candidate. So, I’ll just take you through the history very quickly. In the past, it was all about, “Hey, do you know security technologies?

Are you that security guru that I want to hire who’s going to come in and fix all my problems?” That’s where the problems of getting the best talent, and paying the best talent market rate, and all of those stem from. But if you take a step back, how is cyber security any different than how we build talent in IT? Right?

So, how do we build talent on the business side? We all need to start somewhere. And we need to start tracking at the basics level. So, to me, I think, David, we need to focus a lot more on building a bench of cyber security talent at all levels versus hiring these rockstars and paying them an arm and a leg to get them into the boat.

The reason I say this is… To give you an example, in September I was part of the Grace Hopper Conference. The focus of the conference was to bring in the future generation of women and nonbinary technologists through connection, inspiration, and advancement. Where is cyber security in that conference? Why are we not there?

Why are we not looking at the nonconventional way of bringing in the right people?

[David Spark] Well, that goes to historical hiring practices. That’s the answer to that. That we have to break away from. And we address it again and again. Andy?

[Andy Ellis] I’m trying to decide if there’s anything new to add to this one. Like at the end of the day…

[David Spark] But my question here is what’s the easiest to tackle first? Because, yeah, we’ve talked about this a lot. But I’m just interested in what do you think is like, “We could actually solve this pretty easily.”

[Andy Ellis] So, employers have to solve this. It cannot be solved outside of the employment cycle. And the way to solve this is the next time you have an open position in your team, promote someone into it. That’s it. Until there’s no one left to promote, and only then go hire. Because that’s how you’re going to bring new people into the career field is by saying, “Oh, I need a principal architect.

Well, I’ve got an architect. I’ll promote them to senior with a plan to make them principal next year, and I’ll promote one of my engineers to architect. And then I can go hire an engineer, or I can go hire an analyst.” But as long as you keep saying, “Look, I’ve got a problem right now, and I need somebody with 85 skills to solve it,” A, you’re not going to find the person.

But, B, you’re not going to create opportunities for people to get into the career field and develop the talents you need.

[David Spark] So, there’s parts of this answer I love, and there’s parts of this answer I go, “Oh my God, there’s a ton of issues here.”

[Andy Ellis] Yep.

[David Spark] The parts that I love is I’ve gone to… I’ve worked at so many companies that in the process of me being hired said, “Oh, we very much promote promoting within.” Then when you work there, you realize they don’t do that at all. At all. They just hire someone to… Or it’s one of those things like, “Oh, geez, let’s just promote this person because I really don’t want to look for somebody.” But at the same time if you’re always promoting from within that if you leave a job and you’re looking for another senior position, it’s going to be very hard because they’re constantly promoting from within.

[Andy Ellis] I think this is not a binary problem, but we are so far over the, “Let’s always hire from outside.”

[David Spark] Right, I get it. Yeah, I don’t think it’s going to come to that extreme, what I described.

[Andy Ellis] Right. If you have somebody who’s a marginally credible candidate internally, take them. Because everybody from outside, you’re going to have to lower your standards, and they won’t know your company.

[David Spark] And you’ll probably have to pay them a hell of a lot more than you would pay to promote the person, too.

[Andy Ellis] Yep.

[David Spark] Yeah, I agree.

[Arvin Bansal] I totally agree with that. Andy, great point. We have to promote from internally. I would just put another layer of that, and probably that’s where Andy was leading towards. How do we build internal bench of talent? How do we stop thinking about, “Hey, we have positions to fill,” to, “We have to build the team.”

[David Spark] Oh, “1% Leadership,” as Andy points to it. That’s his book.

[Laughter]

[David Spark] He’s going to pull up the chapter.

[Andy Ellis] Performance development should be applied to every person on your team. That’s how you do it.

[Arvin Bansal] Absolutely, yeah.

[David Spark] I will also point everyone to the episode of Defense in Depth we did with Jesse Whaley, who’s the CISO of Amtrak. He is the poster child on how to do exactly this, man. He has got a pipeline to be hugely envious of. Go ahead, Arvin.

[Arvin Bansal] Absolutely. And the final point I would make is we have to have that five-year, ten-year view as a security leader to build that bench. So, instead of focusing on creating job descriptions or promoting people, filling positions, what is my big picture view of the next five years? Who’s going to start my initial pipeline of talent from SOC, vulnerability management, IAM, and how am I getting, in the next two or three years, internal managers and bringing that management feel to a senior management feel so that we have people coming in without getting impacted by everyday rockstar hiring or paying higher prices for those people?

So, one example is, hey, just cast a wide net of getting lots of interns to start with. Bring them into the company. Let them learn the culture and work on it. Then start building those benches of future managers in individual departments and go from there. You’ll have a stable pipeline. You’ll have lots of diversity coming in right from the bottom.

People will be learning the culture and executing on what needs to be done.

[Andy Ellis] And if for some reason you like the term rockstar hiring… And I hate it. But if you like it and you want to learn from rockstars, I was at three concerts this year – Taylor Swift, Blackpink, and Billy Joel. I’ll tell you at any time there was one rockstar on stage, and there were thousands of people around them who nobody would call a rockstar but were critical to the success of those performances.

And that’s what you need in your team. You don’t need more rockstars. You need more people who show up and do the work and advance your mission as an organization.

[Arvin Bansal] Well said, Andy.

[David Spark] Make your security team like the band Blackpink. Or Billy Joel or Taylor Swift.

[Andy Ellis] And their entire support team. Like the techie who walks out with the microphone or fixes a microphone.

[David Spark] All part of it. Part of the team.

[Andy Ellis] All part of it.

Closing

41:53.743

[David Spark] With that said, we’re bringing the show to a conclusion. We did a super-sized show, everybody. So, my apologies for the extra calories you had to consume while listening to this episode. I want to thank our sponsor. That’s Palo Alto Networks and the Prisma Cloud. Please check them out at paloaltonetworks.com.

We greatly appreciate their support of this very said CISO Series. Andy, thank you so much for coming and joining us as well. And, Arvin Bansal, who is the former CISO of Nissan Americas. Thank you so much. That was truly excellent. As always, I greatly appreciate the contributions from our audience.

Please give me some more “What’s Worse” scenarios. You can give them to me anonymously, or I can quote you. Either is perfectly fine by me. I like it. We just love wonderful scenarios. So, thank you, as always, for contributing and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.