We’ll Invest in Resilience as Soon as the Ransom Payment Clears

Lots of businesses pledge to never pay ransomware demands. That sounds good, but priorities quickly change when you need to get the business back to normal after an attack occurs. What good is a statement like that without the infrastructure and organizational commitment to make it possible?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is my guest, Thom Langford, CISO, Velonetic.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, CyberMaxx

CyberMaxx offers MaxxMDR, our next-generation managed detection and response (MDR) solution that helps customers assess, monitor, and manage their cyber risks. MaxxMDR fuels defensive capabilities with insights from offensive security, DFIR, and threat hunting, on top of a technology-agnostic deployment model. We think like an adversary but defend like a guardian.

Full Transcript

[Voiceover] Biggest mistake I ever made in security. Go!

[Thom Langford] So, I sent out a questionnaire to find out how many personnel records there were in our organization as a consultancy. Amazing kick-ass spreadsheet. Of 300 questionnaires I sent out, I got maybe 18 responses, and that was when I learned that actually, I could have just asked five questions and got just enough of the answer rather than the perfect answer.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host for this episode, whether you like him or not, you’re going to get him right now. His name is Andy Ellis, he’s the managing partner for YL Ventures. Say hello to the audience, Andy.

[Andy Ellis] Hello to the audience, Andy. And I wonder how many people, when they hear you say, “Whether you love him or not,” are wondering whether it’s me or Mike at that point.

[David Spark] Oh, that is a good question. [Laughter]

[Andy Ellis] Right? Maybe somebody’s going, “Oh, God, I hope it’s not Mike today,” or maybe they’re saying, “Oh, God, I hope it’s not Andy.”

[David Spark] There’s either this moment of relief and just or, “Ugh.”

[Andy Ellis] Yeah, and how many people are now hearing this because they just said, “Fine, I’ll listen next week. I’m done with Andy.”

[David Spark] We’re available at CISOseries.com, in which we have lots of wonderful, fantastic programming. And our sponsor for today’s episode, spanking new sponsor of the CISO Series, that would be CyberMaxx, managed detection and response, combined with offensive capabilities you need for stronger security, and we’re going to be talking about just that a little bit later in the show.

But first, Andy, I have a question for you that came up. I was at an event. We actually, for those of you who listen who are in the San Diego area, you should come to one of our regular meetups that we have. Just go to meetup.com and find the San Diego Cyber Group. And I met a woman who said, “I’ve been listening to your show for five years.” I was like, “That’s great.” And I was thinking, “Here’s a stranger who listens to my show all the time,” and it dawned on me, I don’t think my own family listens to my show.

So, that’s my question to you, Andy, and I’ll tell you what my family’s response was in a second. Does your family listen to you on this show?

[Andy Ellis] Not generally. My mom actually occasionally does. When I was hosting the Cloud Security Reinvented Podcast, currently on a long hiatus, I know she listened to every one of those. But my family hears enough of me all the time, so this is not what they do.

[David Spark] So interesting you say that because I got almost an identical response from my wife. I said, “A stranger listens to my show and you don’t listen?” And she says, “I listen to podcasts to escape. I don’t need your voice in my head.”

[Laughter]

[Andy Ellis] I love it.

[David Spark] Yeah. So, there you go. My wife does not listen to this show at all because she hears enough of me. I want to introduce our guest and I’m going to start with I am completely remiss that I did not invite this guest on earlier. I have known him since way before we started the CISO Series.

He is fantastic. I’ve interviewed him many times before and it’s about time I have him on this show. And I also want to point out that his opinions are his own, do not reflect that of his employer. But I’ll mention he is a CISO for Velonetic, none other than Thom Langford. Thom, thank you for joining us.

[Thom Langford] Well, thank you for having me. And also, I’m just going to say hello to my mother, who will no doubt be listening as well.

[David Spark] Ah! Because your mother loves you.

[Thom Langford] She does.

[Andy Ellis] Hi, Thom’s mom.

[David Spark] Hi, Thom’s mom.

[Thom Langford] The Duchess of Ladywell.

They didn’t think that through all the way, did they?

3:49.034

[David Spark] We hear all the time that organizations shouldn’t pay ransom demands, and lots of leaders are happy to talk the talk, “We will not pay a ransom.” But shouldn’t organizations also make it an imperative to operationalize this statement? Argued Andy Runyan in a recent LinkedIn post. For an SMB, this could be as simple as ensuring data is backed up and accessible in the event of a ransomware attack.

But for a larger organization, I would extend this approach to be ransomware resistant across your infrastructure, so your leadership can choose to stand by this talk when there’s pressure from customers and press. Does this talk – I’m going to start with you, Andy – actually help any organization or should we all be talking softly and carrying a big stick?

[Andy Ellis] So, I think I like the idea of talk soft and carry a big stick. There is pretty much no reason for you to advertise outside your business what your actual business practices are going to be unless they’re relevant. That said, I think every business should be structured to say, “No, we have no intention of paying ransoms. What do we need to do to make that happen?”

[David Spark] Let me pause you for a second. What if, in some kind of press type interview, someone asks the question because it’s a common question asked, do you pay ransomware demands? How do you handle that situation?

[Andy Ellis] I think it’s reasonable to say, “I don’t think it’s appropriate to make statements about that in advance.” Imagine if you said, “Do you pay ransoms when your executives are taken hostage?” If you said yes publicly, you are literally inviting people to take your executives hostage at this point, and there have been industries that have had that problem.

[David Spark] So, okay. No reason to give the information. It’s like telling your tactics to the enemy.

[Andy Ellis] Exactly.

[Thom Langford] Yeah. But we didn’t say how much we’d be willing to pay for our executives.

[David Spark] [Laughter] That’s true.

[Thom Langford] Maybe it’s a performance-based thing, “Sorry. You didn’t hit your figures last year.”

[Andy Ellis] “We didn’t hit our numbers. He’s only worth 50 bucks this month.”

[Thom Langford] “You’re on your own, buddy.”

[Andy Ellis] Yeah. So, the real way to back this up at this point is mostly with how do you use cloud-based services? Because the thing you most care about is your data. Data backup is hard. Let people do it for you. So, you shouldn’t be having files on local people’s drives. Those should be in M365 or Google Drive or whatever your favorite platform is.

So, they’re just automatically replicated. If you lose a laptop, go down to the Apple store, and get a Vision Pro and replace it.

[Thom Langford] Yeah. And I think that’s a great place to start. I think it’s a little bit sort of pie in the sky for many organizations, unless you’re brand new, built from the ground up, as it were. There’s so much legacy stuff out there, let’s face it, in the world, and that’s not always the case.

Show me a CISO who doesn’t have a spreadsheet on their desktop that they absolutely rely on or show me anybody who doesn’t use a spreadsheet that’s stuck on their desktop. But that’s not to say that the principles don’t apply, right? You’re absolutely right. We shouldn’t be in a position to have to ask ourselves the question, will we pay the ransom?

But let’s hope we’re not in that position, but you may find yourself actually saying it’s going to be quicker, easier, and potentially cheaper to pay the ransom.

[David Spark] But I think going back to Andy’s statement, even when you’re asked, you just don’t need to give the information out to anybody.

[Andy Ellis] Yep.

[David Spark] But you’re both in agreement.

[Thom Langford] The standard approach should be, “We don’t pay the ransom. We don’t support terrorism, human trafficking, etc. We will not pay the ransom.” Absolutely.

[David Spark] And the whole thing is, yes, have your tactics, back it up, regardless, but don’t advertise that you’re willing to pay.

[Thom Langford] Yes.

[Andy Ellis] Yep.

[David Spark] It’s like saying security is very important to us, whether you’ve got a good security program or not.

[Thom Langford] We take security seriously.

[Andy Ellis] Yep. If you want the easiest way to get your company to move all the data into the cloud rather than on local machines, give people two machines. I have to work between a desktop and two different laptops, depending on where I’m traveling to. Let me tell you, I have nothing critical on any one of those machines because I don’t know which machine I’ll be using at any given point.

[Thom Langford] That’s very true. That’s very true. Two devices – the iPad and the laptop, right? I want to be able to use both of them wherever I am, whatever I’m doing. And I think that’s a really good point of view, actually.

[David Spark] There is not a human on the planet right now that has only one device. We’re all multi-deviced.

[Thom Langford] But they might have multiple devices, but they’ll use their phone for email on the move, but not for Excel on the move, for instance.

Where does a CISO begin?

8:41.716

[David Spark] There are a lot of great conversations about how to advance your cybersecurity career with meaningful advice and great tips. But we received an email from Sandy Taggart outlining how so much of this advice doesn’t apply to the neurodiverse community, with a lot of it flying in the face of the challenges they face every day.

Things like self-promotion and eye contact can’t be taken as a given when we’re throwing out career advice. How aware, Thom, are you of the issue of neurodiverse people? And how can CISOs make space for neurodiverse candidates? And how do you educate yourself on the unique complexities of these people when they’re candidates and employees too, when they’re actually working for you?

Thom, how have you addressed this?

[Thom Langford] So, and fortunately enough, I’ve got a couple of kids. One of them is neurodiverse. And I think neurodiverse people or neuro-nontypical people, whatever the right term is, bring huge amounts to the cybersecurity industry, etc. But when we’re talking about trying to get neurodiverse people into the industry, I think what that comes down to is the people who are already in it.

We have to start being aware of not only our own limitations and what we are bringing, or perhaps more importantly, not bringing to the table within our industry, but also the fact that it’s bringing in people who have a much wider range of experiences.

[David Spark] Can you boil it down to an example of, like, dealing with a neurodiverse employee? I like the fact you say it’s best to learn with the people that you already have. Can you give me an example of what you’ve done, the space that you’ve made for that person, and how they can sort of excel as a result?

[Thom Langford] It’s about, right from the recruitment point, making it clear that you are welcoming people who might have neurodiversity, and the fact that you will make accommodations, and that will include a greater amount of working from home, or working away from face-to-face contact, not having to have your camera on all the time if you don’t wish to.

Things like that, that actually allow people to still engage, but on their terms, as well as your terms, and actually being able to embrace those differences because they will bring so much more to the table as a result.

[David Spark] Excellent point. Andy, you’ve been nodding your head. What do you have to say?

[Andy Ellis] So, I like to think that your advice is going to fall into multiple categories. So, there’s one set which sort of leads into the question you led with, says self-promotion, eye contact, things that tend to be hard if you’re on the spectrum or diverse in different ways, that it’s still really important for you to educate people about the importance of these, and help them potentially, how do you fake it?

Like, I have a problem making eye contact with people. So, I learned very early on to stare at the bridges of people’s noses. They think you’re looking at their eyes. I’m not, I don’t get uncomfortable with it. And so, that’s a coping mechanism I use that I’ve taught to many people that says, “Hey, here’s how you do this thing that will make people who are less comfortable with it feel comfortable with you.”

Then, there’s how do you change some practices so that you accommodate people wherever they are? I’m a big fan of giving feedback using a modified EEC. So, for those not familiar, EEC is evidence, experience, change. And so, when you give somebody feedback, you say, here’s the evidence, here’s the experience for the people in the room, here’s what I want you to change.

I throw out change. Actually, change is a bad thing to do in giving feedback because people then argue with that. Instead, you say, “Here’s the evidence, here’s what you did, and then here’s the experience, here’s how people in the room experienced it.” This is valuable wherever you are on the spectrum or not because if you’re neurodiverse, often you’re like, “Yeah, no, I totally did that. Wait, what? How did somebody possibly experience this?” Right? And now you’re giving them that opportunity to say, “Oh, I need to learn how somebody normal is going to react in that space, which might help me predict and build a better model for them.” And somebody who’s normal might hear a different thing and be like, “Oh, how did that happen?” So, also focus there.

And then finally, recognize that you have people of very different styles. And a huge challenge I’ve seen in corporate America over the last several years is people have tried to come up with like, what is the perfect style that everybody wants? And I used to have somebody who worked for me who said, “Look, the right way to learn things is like becoming a Jedi. You need to go live in the swamps of Dagobah and break things and do really hard work and you come out at the end of it and you’re amazing.” And I’m like, “Yeah, that works for you.” There were other people who said, “You can never teach anybody like this.” And this person’s like, “This worked for me, and I see other people it works for.” And I’m like, “And you notice that almost everybody there is somewhere on the spectrum?” Great.

Identify those folks and say, we’re going to give you the hard challenges, we’re going to push you and we’ll give you the emotional support when you need it. But we’re not going to force it on you in the same way we might push it on somebody that we know needs it earlier.

Sponsor – CyberMaxx

13:55.744

[David Spark] Before I go on any further, I do want to tell you about our absolutely spectacular sponsor, and that is CyberMaxx. Remember I told you about them, managed detection and response? Well, they help companies assess, monitor, and manage their cyber risk. If you’re listening to this show, then you care about all of those things, and you’re trying to do that as best as you can.

Well, the CyberMaxx people can help because they believe that offense fuels defense. Their next generation managed detection and response solution, that would be MaxxMDR, it strengthens your defensive capabilities with insights from offensive security, digital forensics, and incident response, that would be DFIR, and threat hunting.

You want to learn more? You got to go to their site. Visit cybermaxx.com, two X’s at the end, cybermaxx.com. CyberMaxx – think like an adversary but defend like a guardian.

It’s time to play “What’s Worse?”

14:56.937

[David Spark] Thom, I’m sure you’re aware of how this game is played. Essentially, two horrible scenarios sent in by our fantastic listeners, the ones that are not my family, nor Andy’s family, but possibly your mother. Who knows, Thom?

[Andy Ellis] Yeah, so Thom’s mom, when you listen to this one, we would love a “What’s Worse?” from you.

[David Spark] We would love a “What’s Worse?” scenario from you.

[Andy Ellis] Maybe about like, what’s worse, raising a child who becomes a CISO or raising a child who becomes a, pick your least favorite activity.

[David Spark] Yeah, what is worse than those two? I have a “What’s Worse?” scenario from a listener who has not submitted one before. So, for his first “What’s Worse?”

[Andy Ellis] I love it.

[David Spark] It is from Tyler Rogers, who works at Plexicus. And by the way, I make Andy answer first, you’re going to answer second, so you can agree or disagree with Andy. Here we go. What’s worse? Having an employee disregard security standards, allowing third parties to access vulnerabilities through the employee’s credentials – sounds awful – or having a disgruntled ex-employee exploit vulnerabilities through their old credentials that are still active.

Which one is worse, Andy?

[Andy Ellis] Oh, this is… So, what I really like about this one is they’re the same problem exploited in a different way.

[David Spark] They are the same problem from different angles. Yes.

[Andy Ellis] Very different angles. This one is really good, Tyler. So, first of all, I love this one because you see, I get points if I… I have this internal scoreboard of whether I can make the guest agree with me, and I don’t know that I’m going to agree with myself when this one comes back out.

I might have a completely different opinion then.

[David Spark] This really could go either way. And I will tell you this, the way Mike Johnson handles this when he has one that’s really a Sophie’s choice, he goes, “I’m just going to pick one and I’m going with it.” That’s how he takes it.

[Andy Ellis] Yeah. Well, because normally I talk through both of them as part of convincing the guests, like I’m going to be right when I get done with this. But this one, either I have an employee who’s sharing their credentials with a third party.

[David Spark] Bad.

[Andy Ellis] Exploiting the vulnerabilities is sort of the uninteresting one. It’s like you’re sharing your credentials with a third party or you’re now a third party and you’re still using the credentials you had.

[David Spark] They’re still open for some reason.

[Andy Ellis] And you’re disgruntled. So, I think the disgruntled thing is what tips it for me. I would say that is marginally worse.

[David Spark] But they’re an ex-employee. That’s the thing. You got rid of them.

[Andy Ellis] I got rid of them and they’re disgruntled, and they still have access and they’re doing stuff. I think that is worse because I could argue, Tyler, you left me just enough space to say that the current employee who’s sharing it with a third party, maybe that third party actually needs access, and this was easier than giving them credentials in some way.

And it’s still awful, like, I’m not very happy about it, but I’m going to convince myself that this is why the disgruntled employee is worse.

[David Spark] All right. I like that you picked one and you went with it. Thom, are you going to agree or disagree with Andy here?

[Thom Langford] I’m going to agree. It’s an easy choice and I’ll tell you why because…

[David Spark] Hold on. Why?

[Thom Langford] Easy choice because I can influence the behavior of one more than the other.

[David Spark] Hold on. Let me reel you in on that answer. The way “What’s Worse?” works is you can’t change the scenario.

[Thom Langford] No, I’m not changing the scenario.

[Andy Ellis] Influencing the behavior is changing the scenario.

[Thom Langford] No, no. I’m not changing the scenario. It’s worse to have a disgruntled former employee because they’re doing it for bad reasons, bad stuff’s going to happen.

[Andy Ellis] Right.

[Thom Langford] The ignorant employee who’s handing out credentials, I’d much rather have that because in the future, I will be able to influence that behavior.

[David Spark] I do also want to point out, it’s one disgruntled ex-employee having access versus one employee giving third parties plural access.

[Thom Langford] Mm-hmm.

[Andy Ellis] Yep.

[David Spark] All right.

[Andy Ellis] Right. But I’m just going to say, maybe I needed to give these third parties access and this employee is just making it easier for me.

[Thom Langford] Exactly.

[Andy Ellis] Now I don’t have to have an IAM Help Desk for third parties.

[Thom Langford] Because one is malicious, and the other one isn’t.

[David Spark] Right. Just plain old stupid.

[Thom Langford] Yeah. And the other one is…

[Andy Ellis] I don’t know that it’s stupid. Let’s not assert that it’s stupid just because we have a hard time comprehending it because I have had employees do that before, and in every case, you could see the reason why they did it. Like there was a business need for this third party to have access and Help Desk had made it so impossible that they just said, “Fine, let me just do this. It’s fastest and easiest.”

[Thom Langford] It was still a terrible reason, but it was a reason.

[Andy Ellis] Still a terrible reason, but it was a terrible reason for a company, not a terrible reason for an individual.

[David Spark] Ah, good arguments here.

Is this the best solution?

19:39.170

[David Spark] What are the impacts of a talent shortage in cybersecurity? (ISC)² estimates at 3.4 million positions globally. By the way, I just want you to know that we’ve been reporting on this for years, started a million and then went to a million-two, two million, three. So, we’re now at 3.4 million.

Soon it’s going to be the entire U.S. population. Then we’ll merge into other countries as well. So, Jamal Elmellas at Dark Reading found a World Economic Forum report that this shortage is leading to big companies increasingly competing for the limited talent pool. Well, this is something we’ve known for a while.

This is leading employees to switch jobs more while also pricing smaller organizations out of security talent. So, this is the key part right there, that last thing, the smaller organizations getting priced out. So, as a sign of this, a recent U.K. government report found 44% of companies find cybersecurity job applicants lack required technical skills.

It would seem internal training is the path forward, but why does it seem so hard for organizations to invest in this? Thom, you’re nodding your head. You’re like, it drives you crazy too. Yes?

[Thom Langford] Oh, my God, this annoys me, annoys me so much. So many things wrong here. So, 44% of companies find cybersecurity job applicants lack required technical skills. These would be the people that require five years’ experience for entry-level positions, right?

[David Spark] Yeah, yeah, yeah, yeah.

[Thom Langford] That sort of thing. So, there’s that for a start. I think the whole sort of talent shortage means they’re looking internally. Why were they not looking there in the first place? We should be growing our own people upwards and therefore allowing entry-level people who don’t have experience or the skills to come in at the lower-level positions.

[David Spark] Hold it. Let me pause you. I’m going to quote Jesse Whaley, who I’ve quoted many times on this, who’s the CISO of Amtrak, and his attitude is grow your own unicorn rather than trying to find one.

[Thom Langford] Absolutely. The army doesn’t go out and hire snipers and tank drivers. They hire a bunch of squaddies, throw them around in the dirt and shout at them and work out which ones can still aim properly after that, and which ones can drive after that. And they’re testing for aptitude and things like that.

So, this whole thing annoys me, and then it ties back to that neurodiversity question of, we should be broadening our searches here. I hired somebody, a chap, I think you probably both know him, I won’t mention him though, but he was a shelf stacker overnight in a High Street store who happened to run a cybersecurity website and was a very good writer.

He’s now working at the ISF, for goodness sake. I mean, there are people out there who are showing passion and aptitude. You can teach skills; you can’t teach passion and aptitude.

[David Spark] It should be what percentage of companies find cybersecurity job applicants lack passion and aptitude rather than technical skills.

[Thom Langford] Yes.

[David Spark] That’s a good point. That number, we don’t know. Andy, what’s your take on this? Of essentially, the smaller organizations that are getting priced out, how are they dealing with this? I mean, we assume training, yes, or something else here?

[Andy Ellis] So, the challenge is the small organizations are the ones who can’t actually afford to build the right training programs because the reality is, like, I had 95 people that worked for me. It’s easy for me to do training programs. We basically brought in four or five interns a year, made job offers to two to four of them, brought them in, and they would spend the next several years being trained and moving through a set of jobs.

And when someone said, “Oh, we need a senior architect,” I had a pipeline of people ready to be a senior architect, like that we were just bringing them in. We didn’t go hire mid-grade talent. And that’s the problem is so many organizations are trying to hire the mid-grade talent, like not the top CISOs, not the entry-level positions.

I’m going to come back to that in a moment. They want mid-grade talent, but nobody wants to develop it. They’d rather go get somebody who can do the job today. So, that’s your first problem is you do not want to hire somebody who can do the job today.

In fact, when I hear that, like, 44% of companies found that job applicants lacked required technical skills, my first question is, were you requiring them to have all the skills they needed to do the job day one? Because if so, you’re looking for the wrong person. If I’m capable of being a senior architect, I’ve been a senior architect for seven years, I don’t want a senior architect job.

I want a principal architect job. Hopefully, my last job prepped me for it. But if not, you should expect that you’re going to hire me and need to provide me some more skills. And the other thing is cybersecurity jobs are not entry-level. I think we need to accept this fact. I know too many people who say, “I want to move into cybersecurity. I want to get an entry-level job in cybersecurity.” And I say, “That’s called Help Desk.” That’s one place to go start. You don’t start in a SOC.

[David Spark] Let me ask you that question right now, because I, at my meetup, I was mentioning the San Diego meetup, I met a young man who was working at a Help Desk, and I said, “You’re in the right spot,” because he wants to break into cybersecurity. But then he was asking about certifications, and I was like, “Well, I don’t know how much weight that does, it does and doesn’t to a certain level. But the fact that you’re on Help Desk, that’s very attractive.” I mean, A, did I say the right thing? What would you say to this young man?

[Andy Ellis] So, what I like to say is I say, “Look, certifications suck.” They actually don’t provide meaningful signals, except some people rely on them. So, I’m not going to tell you not to get a certification. But what I am going to tell you to do is that when you go through the common body of knowledge for that certification, you should then be looking for ways to actually go apply those and figure out if they’re really useful.

I remember when I got my CISSP way long ago, I have let it lapse, I’m a formally certified security professional. You had to learn about the Biba and star integrity models and all of these access control models that nobody uses in real life. And yet there’s this whole thing that you get that knowledge that this exists.

Now you go looking for it and you’re like, “Wait, nobody uses this.” Okay, this is book learning that might help me somewhere down the road. But don’t walk in and say, “Oh, I can go do access control because I understand Biba.” Like, no, you don’t actually understand access control if that’s your world.

And now start to think about how do I apply this? Because that’s what… The passion and aptitude is actually how do you apply critical thinking? My biggest thing, you want to go talk about crypto, I don’t care about crypto algorithms. It’s like cryptography versus Bitcoin. What I care about is do you understand what happens when a cert expires or a key needs to be upgraded and rotated and how hard that is?

How do you write software that allows for keys to be changed over time? That’s what you should focus on as you’re trying to get in is learn these practices and then how do they operationally affect the world. So, get an ops job.

[David Spark] All right. I’m going to let you have the last word, specifically, Thom, adding to the advice that Andy just gave for the young man who I just met, who only had experience working the Help Desk. He was thinking down into it. I was trying to pump up his ego, “Good, no, you’re in the right spot.” What would he have to do for you to say, “I want to hire you”?

[Thom Langford] Form opinions and demonstrate them and be able to articulate them. And one of those ways is in a blog or writing an article or whatever. It doesn’t have to be published anywhere fancy, just somewhere that you can show people and say, “Look, I have opinions. I have looked into this, and I think XYZ is the case,” when it comes to, to your point, expired certificates or whatever.

And I think that’s really important.

Let’s see what they’re talking about on Reddit.

27:24.284

[David Spark] So, if you could wave your magic wand, both of you, and conjure some dream tools out of thin air, what would you want? So, this question came up on a recent cybersecurity subreddit post. The community had some great suggestions, like a tool to find out actual vendor pricing without having a sales call, I know a lot of CISOs would like that one, a “monitor” mode for firewalls that can learn normal traffic and automatically create access control lists, and a techie-to-normal speech translator.

So, all these are kind of interesting. Wondered if any of these interests you, you have some of your own, and have any of your past wishes come true. I will start with you, Andy.

[Andy Ellis] So, I work as a VC. So, many of my past wishes have come true, mostly by the application of large amounts of capital to create companies.

[David Spark] Okay, good.

[Andy Ellis] I really wished that I had an inventory system that would tell me where all the assets were, despite them being registered in 85 different things, and we funded Axonius, and it exists and they’re out there. I can give you a whole bunch of companies like that, but rather than just pimp the companies that have done well in our portfolio, I will give you my current dream, I have not yet found a startup that wants to do this.

And if somebody like CrowdStrike just wants to beat me to it, please feel free. I call it the Zero Trust Endpoint Defense and Keying Administrative Software. It’s ZTEDKA for those of you who speak…get a little Hebrew. I want an endpoint administration system that does EDR, patch management, everything, and does not trust a remote administrator at all.

The biggest way that companies are getting beat today is remote administration of various machines. I want an endpoint system that requires zero remote administration, auto-updates itself, manages keying materials so we know that this machine is mine, it’s got all my keys on it. That’s what I want. That’s my holy grail because all of a sudden it solves a whole bunch of our security problems by having really fantastic administration.

[David Spark] That sounds like a perfect solution there. All right, Thom, have you had any sort of dream tools that have come to pass, or do you have a current dream tool that you’re calling out to the community to create for you?

[Thom Langford] Do you know what? I wish, I wish I’d put as much thought into this as Andy has. [Laughter] I mean, but then again, why would anybody want anything other than Excel and/or PowerPoint? I mean, surely that does everything you need.

[Andy Ellis] Does an awful lot of it.

[David Spark] It’s funny, I just got back from the Comic-Con Museum, and I wish I could remember all the things that were there, but there was one sort of wall where they had all these quotes from really smart people like Bill Gates and like the CEO of IBM making claims of the future technology that were as far off as far off could be.

Like, who’s ever going to need this kind of a thing? And you know, we’re light years ahead of it. So, I’m always amused by that.

[Thom Langford] Yeah.

[Andy Ellis] Who’s ever going to need more than five computers on the planet?

[David Spark] Oh, that was, yeah, that was one of the quotes like, “Yeah, there’s no more than a market for five computers,” and I believe that was IBM, wasn’t it?

[Andy Ellis] It was IBM.

[Thom Langford] And wasn’t there another one, in the future, computers could weigh as little as 1.5 tons?

[Andy Ellis] Yeah.

[Thom Langford] Which if you had an old laptop back in the 1990s was pretty close to it.

[Andy Ellis] It was.

[David Spark] By the way, hold it, I’m going to throw this question out to both of you. My absolute least favorite question to hear at a panel session at a conference is, and by the way, if you’re a moderator and you’ve ever done this, slap yourself and never do it again, is the crystal ball question.

Andy, Thom, tell me five years into the future, where do you see…? I am going to just say it flat right now, nobody has said anything of any value to the answer to that question ever.

[Andy Ellis] If you’re the panelist and you get that question, here’s the answer you give, which is 95% of what we do today, we will still be doing five years from now. And the other 5%, we will look backwards and go, “How did we ever do it that way?” And looking forward, we have no way of understanding what we would actually be doing.

[Thom Langford] Yeah. We will still be looking at the basics. Let’s get the basics right.

[David Spark] Mm-hmm. Well, and I also quote, and I wish I could remember who said this, but my favorite line similar to that was, “You know the thing you were worried about before you went to the Black Hat conference? That’s the same thing you’re going to be worrying about after the Black Hat conference.”

[Andy Ellis] Yeah. And in five years, you’ll be worried about a variant of that same thing.

[David Spark] Yeah.

[Andy Ellis] Maybe in a new environment, like, oh, you’re in cloud now, but we’re still worried about all the same things in cloud that we were worried about before.

[David Spark] Awesome.

Closing

32:17.842

[David Spark] All right, gentlemen, let’s wrap this sucker up. This was a fantastic episode and apologies to Mr. Thom Langford for not getting you on sooner, and I’m thrilled you’re with us again. I’m going to let you have the last word, but I do want to mention our absolutely awesome sponsor for this episode.

That would be CyberMaxx. CyberMaxx – managed detection and response combined with the offensive capabilities you need for stronger security. Go check them out. Thank you so much, CyberMaxx. Now, Mr. Thom Langford, I know that you have a podcast that you would like to plug. Please do that.

[Thom Langford] I do, even though I’m sure it’s the height of ill manners to plug your own podcast on someone else’s podcast.

[David Spark] No, no. This is how we sort of build relations with the other podcasters, the whole community.

[Thom Langford] And even though it is a cybersecurity podcast, it is hardly going to be impinging upon your listenership by any stretch of the imagination. But as many of you know, I’m part of a trio of loosely affiliated people known as Host Unknown. We have our own weekly podcast. It releases normally on a Friday, and you can find it at podcast.hostunknown.tv or just type Host Unknown into your favorite and bestest podcast app.

[David Spark] And you know what? We will make this link and let people know about the podcast available on the blog post for this very episode. So, you will see it there too. Should everyone forget that, just go to the blog post for the episode if you want to hear more of Thom as well. By the way, does your mom listen to that show?

[Thom Langford] Yes, she does. In fact, she is one of the only sponsors of that podcast.

[David Spark] [Laughter] All right, awesome. That is spectacular.

[Thom Langford] So, we look forward to both our new listeners after this show goes out.

[David Spark] By the way, we’re going to recommend CyberMaxx also sponsor your mom’s sponsorship of your podcast.

[Thom Langford] I think they should. They’d be great. They’d be great.

[David Spark] This episode brought to you by CyberMaxx and Thom’s mom. That’d be awesome. That’s the episode I want to hear. Hey, everybody. Thank you so much for your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.