Technical debt is an inevitability in any organization. But how do you go about “paying it down?” That requires a framework for understanding the risk the technical debt represents to your organization. So how do you decide when you need a systematic refresh and when you can kick the can down the road a little longer?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our sponsored guest, Aaron Shaha, CISO, CyberMaxx.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, CyberMaxx

Full Transcript
Intro
0:00.000
[Voiceover] What’s a great approach from a security vendor? Go!
[Aaron Shaha] I really appreciate honesty. The industry is full of a lot of what we’ll call hype, and when I have a vendor come in that gives me just the straight answers, tells me exactly what their product’s capable of and not capable of, helps me understand and make a reasoned decision, and really helps me bring forward my team members that are part of that decision-making process, the CFO, the CEO, etc.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of said CISO Series, and joining me for this episode, you’ve heard him before, whether you like it or not, you’re going to hear him again. Like, if you don’t like it, you could just stop listening, but you do like it.
Who doesn’t like Mike Johnson? He’s the CISO of Rivian. Say hello to the audience, Mike.
[Mike Johnson] Hello, audience, and thank you for listening.
[David Spark] And by the way, does anyone not like you, Mike?
[Mike Johnson] I don’t know. I don’t know that I would know, so we’ll just assume that there’s probably somebody somewhere out there, and I’m just not aware of it.
[David Spark] I’m sure I’ve got exes who don’t like me.
[Laughter]
[David Spark] We’re available at CISOseries.com, where we have other programming on our wonderful network, and in fact, the second season of Capture the CISO will be airing very soon after this episode, so people should be checking out that.
[Mike Johnson] Yes.
[David Spark] And I do want to mention our awesome sponsor, a brand-new sponsor with the CISO Series. It is CyberMaxx. Think like an adversary, defend like a guardian. They do managed detection and response combined with offensive capabilities, everything you need for stronger security, and guess what?
They’re responsible for our guest today. I’ll introduce him in a moment, but Mike.
[Mike Johnson] Yes, David.
[David Spark] I want to tell you about something that happened over this weekend that involved my son.
[Mike Johnson] Okay.
[David Spark] We go to the local indoor lacrosse games here in San Diego. The San Diego team is called the Seals. And during the games, actually we have season tickets, during the games they have these promotional things. And one of the things that my son, who’s 10, got a chance to do was the milk chug challenge.
He and another little boy drank a pint of milk as fast as they possibly could. And this was a long time coming, we were very excited to do this or he was, as was I. And the other thing is he got to be on the Jumbotron while this was all happening as well. And I can proudly say, and he was very excited, and I have video of it in person and on Jumbotron, he did win the milk chug challenge.
[Mike Johnson] So, did he train for this?
[David Spark] Yes, he did. At school, he would down his half pint of milk as quickly as he possibly could. And here’s the part that amused me. So, I met the mom of the other boy who my son was up against, and the other mom goes to me, “It’s all for fun.” And I’m thinking, “Two kids drinking milk as fast as they can.
What else is this?”
[Mike Johnson] It sounds like torture, but you know, as long as the kids are excited and they’re doing it so willfully.
[David Spark] So, here’s the thing is that it was very exciting, the whole thing was fun, and he gets a bag of prizes. Now, what we thought he was going to get in his prize was like a jersey from the team because you often see them, they give them away to the prize. No, what did they get? They got a bag of just random pointless swag from the milk, you know, the dairy farm, the milk company.
So, a 10-year-old boy got a coffee mug, a to-do list notepad, and a license plate holder for the car that he can’t drive at age 10.
[Laughter]
[Mike Johnson] Well, so he’s preparing, so one day he’ll have his coffee, he’ll be able to pour milk into his coffee, and then he’ll have a car and he can put a license plate on it. It makes perfect sense to me. I’m sure he was so excited for this prize pack.
[David Spark] Well, he already gave away the license plate holder. That’s long gone. Anyways, it was a big thrill. The whole thing.
[Mike Johnson] Congratulations, John [Phonetic 00:04:11].
[David Spark] Yes. All right. Let’s bring on our guest who we are going to find out how fast he can drink a pint of milk, by the way.
[Mike Johnson] Surprise.
[David Spark] He is the CISO over at CyberMaxx, our wonderful sponsor. It is none other than Aaron Shaha. Aaron, thank you so much for joining the show.
[Aaron Shaha] Yeah, honored to be here. Really appreciate the time.
Surprising research just in!
4:31.388
[David Spark] Since generative AI has hit the consumer level, we’ve seen speculation how it will be used by threat actors. Now we have findings right from the horse’s mouth with a report from Microsoft and OpenAI. They’ve already seen threat actors attempting to hit models with prompt injections, misusing LLMs to make malware, and to assist with fraud.
Microsoft said it’s committed to disrupting malicious use and will share information with the public and other AI service providers about new approaches. That transparency is a big commitment, so how can CISOs, Mike, take advantage of this data and how can it improve your security program, if at all?
What do you think, Mike?
[Mike Johnson] So, you know I’m an optimist, David.
[David Spark] Yes, you are. You are always the glass is half full.
[Mike Johnson] I always try and find the good in everything, and I’m struggling with this one because this one feels like marketing from Microsoft. It really strikes me as Microsoft trying to convince us that we should trust them because they’re doing something. I don’t know what I can do with this.
I don’t feel like this is actionable to me as a customer of Microsoft, as a customer of OpenAI.
[David Spark] What do you think they’re driving at?
[Mike Johnson] I really think that this is trying to get ahead of all the negative press about generative AI. And this is Microsoft saying, “Hey, we are looking into it. We have witnessed the attacks that everyone is speculating. We know they’re out there.” And so that’s giving some confidence.
[David Spark] So, they’re validating. Doesn’t that have value there?
[Mike Johnson] But there’s nothing actionable for me. In some ways, this is… Again, I appreciate that they’re doing this research, but to answer your question, how can CISOs take advantage of this? I don’t see a way. I don’t see something that we can do with it. I appreciate their commitment to share with other generative AI vendors.
I think there’s something there to help make the technology safer, but I can’t do anything with this, and so I’m stuck. I don’t know what to do with this.
[David Spark] Is this like the panic lurch we used to hear about terrorist threat levels? Like, what do we do here? Aaron, I’m throwing to you, you’re nodding your head.
[Aaron Shaha] Yeah, I think so. That’s exactly it. Totally agree with Mike. And it’s probably a good yin and yang we have here where I’m a little bit more on the pessimistic side. One of the interesting things, to kind of do a little bit of a takeoff on that, there are now standalone GPTs, right? We saw NVIDIA just released one that ships with their card.
There’s another high quality one out there called GPT4All. We’re seeing kind of what we’ll call next tier down players like Gab AI come in, and they’re starting to produce their own AIs. So, I agree that there’s probably a little bit of marketing hype here, and I think the ability of the attackers to pivot and cross that digital moat that we were hoping OpenAI would give us, that ship’s already sailed.
[David Spark] So, it’s just Microsoft looking for some lame excuse to have more press around AI here, and hopefully get some goodwill from the community? You’re nodding your head, Mike.
[Mike Johnson] Yeah, I think that’s what this is, is it’s an attempt at goodwill, which is fine. Again, I don’t begrudge them that. But there’s just nothing actionable for the average cybersecurity person, for the average generative AI researcher, for the average generative AI user. We have to rely on Microsoft doing something.
And so again, they’re trying to build trust from us, but I can’t do anything with this.
Are we having communication issues?
8:22.459
[David Spark] We know that security needs to operate under the aegis of the overall business, but how do you account for that in environments where the time to follow proper security could cost lives? That came up in a recent paper by Fred Hebert, looking at cybersecurity in hospitals.
Hebert noted ways hospital staff sidestepped security controls deemed as a hindrance to life-saving work. We often talk about staff working around security as just looking to get their job done, but this paper treated the organization from the lens of ethnography or culture. So, I’m going to start with you, Aaron, here.
It sounds like we need to better understand company culture and job processes to build security controls that staff will actually work through. Doesn’t that just seem like security’s job? And if they’re not doing that, that’s totally the blame of security?
[Aaron Shaha] I think at some level, yes. This is also really well-timed. I was, within the last couple weeks, I was at a major hospital complex talking with their CISO, and we got into the CIA triad. And I asked him, “Okay, what are your crown jewels, right? Like, what are we trying to protect here?” And he said, “No, you got it backwards.
We care about availability.” And I had to take a step back there because my whole career I’ve been focused around we got to protect those crown jewels, protect those assets. And he said, “No, availability for us is first. If a major event comes in and takes out our blood donor network, for example, we’re not able to ship blood around, give transfusions to the hospital and things like that, that’s a catastrophic event for us.” So, I think this paper’s onto something.
I disagree that people should be trying to sidestep those. So, I think I agree with your premise that as security professionals, we’re probably not understanding our business context properly, and we need to take that into account.
[David Spark] That’s a really good point that hospitals have very, very different needs than your traditional business, and that’s a great point about availability. Throwing this to you, Mike. It’s clear that security professionals need to understand the processes and the culture. I mean, isn’t that job one?
[Mike Johnson] It is because it can lead you down this path of trying to go forward with controls that don’t make sense.
[David Spark] And Aaron made a perfect example of about availability.
[Mike Johnson] Right. I think that was precisely it. And I really liked what Aaron had to say about we talk about the CIA triad in cybersecurity, but generally folks lean heavily into the C. Sometimes talk about I. A is very rarely talked about, very rarely prioritized. It’s often not even seen as a cybersecurity problem in the first place.
And when you’re in those environments, like the hospital that Aaron mentioned, an OT network where you’ve got machinery that’s running a factory, availability is king. In our situation at Rivian, it is, can we keep making vehicles? In the hospital example, can we keep saving lives? If the system is down, that is really the catastrophe.
Sure, they don’t want to lose information, integrity. I think in those environments, it’s really the AIC triad where availability is king, integrity really matters because if you’re giving the wrong information, that’s just as bad as it not being available. Confidentiality matters, but it is the third priority.
And so I think all of this does come back to understanding the business context, which we talk about on the show so much and is especially key where lives are at stake, where human safety is at stake.
[David Spark] All right. Let me throw this to you, back to you, Aaron. You said availability was key. So, you’re running a security department, and the team has been maybe operating in a different way. Maybe they were so focused on confidentiality, like Mike was just saying. How do you shift the focus, and does it become a big shift or is it an easy shift to get, go like, “No, we’re moving to availability, guys.” Like how does that work?
[Aaron Shaha] Yeah, I think that really comes down to your initial question, right? Is there a communications problem? We need to have solid communication. We need to have everybody understand what are we in the business of, right? A lot of people just bring security principles from past lives and try and stamp them on everything.
I came from the DOD, very high security there. Those things are not going to work for manufacturing, an OT plant like Rivian, or in a hospital complex. It’s a different paradigm. So, we have to be able to adapt, be flexible, right? And then communicate with our staff to kind of bring them along that journey to help them understand what’s really important here.
And that’s not to say confidentiality isn’t important, but availability is priority one, right? So, being able to adapt to that.
Sponsor – Cybermaxx
13:21.788
[David Spark] Who’s our sponsor this week? Well, it’s the awesome company that Aaron works for. It’s CyberMaxx. Now, CyberMaxx helps companies assess, monitor, and manage their cyber risk. CyberMaxx believes that offense fuels defense. We’ve heard that before, we’re all on board. Their next generation managed detection and response solution or MaxxMDR, it strengthens your defense capabilities with insights from offensive security, hence the offense fuels defense.
They have digital forensics and incident response, DFIR, and threat hunting. Now, to learn more about it, you got to go to their website and that’s cybermaxx.com. CyberMaxx, you think like an adversary, but you defend like a guardian.
It’s time to play “What’s Worse?”
14:13.515
[David Spark] All right. Aaron, are you familiar with how the What’s Worse game is played?
[Mike Johnson] From our conversations, yes.
[David Spark] Yes. So, it’s not that difficult. Two crappy scenarios. You’re not going to like either one of them, but you have to pick one. And Mike always goes first. And we have from a new listener who has not submitted before.
[Mike Johnson] Oh, great.
[David Spark] From John Densmore, he’s with First Mutual Holding, and here are his two crappy scenarios, Mike. Scenario number one, your employees use company-issued computers and you have them completely locked down so that malware does not stand a chance. Unfortunately, this means that your employees have to work through your overburdened and understaffed service desk for all, and I want to stress “all,” computer changes including but not limited to adding printers, creating email rules, changing desktop wallpaper, and adding applications, no matter how minor.
My favorite is the changing desktop wallpaper. I’d like to see that ticket come in. All right. Scenario number two, your employees use their own computers and you’re not going to like this one, Mike, and have full admin rights on them.
[Mike Johnson] Okay.
[David Spark] Company applications are installed on the employee BYOD computers and there is no XCR solution in place, and VDI is not an option, virtual desktop. So, Mike, which scenario is worse?
[Mike Johnson] Wow. Two very extreme scenarios.
[David Spark] And they’re pretty crappy.
[Mike Johnson] Yeah, both suck. Both are terrible. And what’s funny though, as you were walking through the first example, what I was remembering was the early days of application allow listing. You really had to be very precise with what was allowed because the idea was if it’s not allowed, it’s blocked, and that meant that any little change for an inappropriately configured system required a help desk ticket.
So, I’ve seen this. I’ve actually witnessed this. It does suck.
[David Spark] Have you seen the desktop wallpaper change?
[Mike Johnson] We basically told people they couldn’t change their wallpaper because for a while, even changing your screensaver meant running an executable. This was a Windows thing. And so just what you would think would be the easiest change required a help desk ticket. So, I’ve lived the first one.
[David Spark] Okay.
[Mike Johnson] The second one is what I’ve colloquially referred to as YOLO security. Like just whatever, everything goes. And it also sucks. I can say I’m fortunate that I’ve never lived that one. But the way that I look at these is I still have to bring it back to empowering the business. And what I’m not hearing in the first one – so, I’m going to make an assumption again because it’s what’s worth, I’m going to make it even worse.
That even if someone needs to change a business process, that that requires a help desk ticket. That even if it’s something that supports the business, it’s going to slow the business down.
[David Spark] Anything that interfaces the computer with the business, yes, you can assume that.
[Mike Johnson] Right. So, I’m just assuming that that’s the case of the first one. And so what that really means is as a cybersecurity team in that first one, we’re not supporting the business. We’re actually against the business. We are fighting with them for everything. And that inevitably is going to lead to either the entire team getting fired, or the business going down in flames.
The second scenario sucks, it is likely to lead to a security breach. I’m not saying that this one is a good one.
[David Spark] I know. Again, the game’s called “What’s Worse?”
[Mike Johnson] Exactly. But at least the business is able to operate, like at least the business can serve its mission.
[David Spark] Yeah. But I argue that the first scenario, while crappy, at least the business does operate, and with some good security. Poorly, it operates and with a lot of [Inaudible 00:18:26]. But the second one could bring the business to its knees and not operate.
[Mike Johnson] I think maybe we’re interpreting that first one differently because I’m trying to make the first one really, really bad because if it’s what you said…
[David Spark] It is bad, but it’s just, it’s the business moves at a snail’s pace because of it. The second one, it’s possible. And we got to bring Aaron in here because he’s nodding his head like crazy. It’s possible it could be falling apart. I just want to make sure that you’re sticking with number one being the worst.
[Mike Johnson] I think again, just with the scenario that it just drags the business to a halt, I think the first one is the worst.
[David Spark] Okay. I don’t think it’s a complete halt. I think the second one could bring it to a complete halt. That’s my argument. All right, Aaron, where are you on this one?
[Aaron Shaha] If you got to pin me down, I’m going to say the second one’s worse. So, if we’re looking at something like a regulated industry or something, again, we have to bring our assumptions in here. The full lockdown makes sense in some cases – nuclear power plant or something like that. The Wild West scenario, while very effective for startups and small companies trying to be agile, if you’re bringing that into a larger business, could have some pretty catastrophic results from that.
So, if I had to choose the two, I would definitely choose the more regulated one. But I hate the decision on this.
[David Spark] We try to create a Sophie’s choice each time is what we’re trying to do.
[Mike Johnson] But I also think what you’re hearing, David, is the differences in our backgrounds and the assumptions that we make in these answers. So, very much as Aaron said, you have to take the business context into account, and that’s where the assumptions come in.
[David Spark] Yeah, and I understand the it depends there. But yes, but overall, Aaron was correct this week.
[Mike Johnson] Great.
[Aaron Shaha] Thank you.
Please. Enough. No more.
20:17.418
[David Spark] Today’s topic is managed detection and response or MDR. We’ve heard this before. All right. It is actually what our fine sponsors, CyberMaxx, they do. And so we’re going to definitely get the lowdown from Aaron here. But I’ll start with you, Mike. What have you heard enough about with MDR, and what would you like to hear a lot more?
[Mike Johnson] I think there’s still a lot of first and I don’t know if you’d call it second generation MDRs around. And a lot of them rely heavily on install this agent, just go install this agent, and everything is solved. And there’s a lot of downsides to that, and so I’d really like to hear less of the just go install this agent, it’s so simple to deploy.
What I’d like to hear more of is how MDRs show value to a company and how they can act, augment, how can they act as an extension to the cybersecurity team? So, it’s less tool centric, less of the tools, and I’d like to hear more of the business outcomes.
[David Spark] That is a really interesting point, Mike, because we have heard that a lot because we’ve heard the line of, “Oh, if you can’t hire, you get an MDR,” or we’ve also heard the line of, “No, I just got to make my current organization more powerful with your capabilities.” And some people argue that it is not the first case.
You can’t completely replace your security team with an MDR, but some argue yes. So, I’m interested to know what your take is on this, Aaron, and how CyberMaxx operates in such an environment. So, let’s start with what have you heard enough about with MDR and what would you like to hear a lot more?
[Aaron Shaha] Yeah, first, Mike needs to get out of my head because that was actually both of my answers. So, what I’ve heard enough about is companies, that we’ll say mid-market, possibly to small, large Fortune companies that think that they can create their own SOC, their own MDR practice overnight.
This is a really challenging area to get into, both from the velocity, the volume of data, the technology required, the capital expenditure, not to mention bringing in your people operations to staff something 24/7. I think a lot of people really underestimate that.
What I’d like to hear more about is people really understanding what it means to be an attacker and why attackers are successful. A lot of people in the industry come down to think that this is a tools problem. And to kind of summarize this, I hear about, “Oh, we were just attacked by LockBit ransomware, and it took out our servers.” “No, you weren’t.
You were attacked by an actor who used the tool LockBit to attack your servers at your company that’s had a human impact upon you.” It’s humans attacking humans, right? Means, motive, and opportunity. We need to decompose and get out of the nerd realm, right? We always want to look at this from our technology perspective, but this is really a human problem.
If this was a technology problem alone, we would have solved this 30 or 40 years ago after The Cuckoo’s Egg, and we would have locked things down, right? Now it’s very much a human problem, just leveraging new and unique ways to employ tools. And you can see this from tradecraft, like living off the land.
It doesn’t matter how much we take away. The adversary still has capabilities on our networks.
[David Spark] That is a really interesting take. So, excuse my ignorance, and please explain how CyberMaxx works here, but how do you take the human element into account for your own SOC, for working with a client, for educating them? I mean, explain the process here.
[Aaron Shaha] We have an excellent security research staff that’s constantly evaluating new threats, looking at things they just pulled up. The reason LockBit came to mind is he grabbed the posting from LockBit after the FBI took down, in air quotes, LockBit over the last couple days. And he got the posting of the LockBit author laughing at them and saying, “Yeah, you got a few keys, it really didn’t impact anything.
And by the way, I was enjoying yacht life, you know, on a cyber yacht, and now you guys have energized me and I’m back in the game.” So, one of those ways is going out and using good intelligence, good cyber research, understanding the lay of the land and kind of the motivations of the actors. The other way that I really like doing this is with purple team events.
I think purple teams are very valuable. If you don’t understand how an attacker works on your network and kind of some of the fundamental asymmetries between attack and defense, you’re going to really have a hard time implementing defense only. Attack and defense are two sides of the same coin, and you really have to understand both to really secure your network.
[David Spark] Can you give me an idea of, and maybe you went through purple team exercises when you did this, but a client that didn’t understand the human element, you worked with them, and you got them to understand it. And where were they and where did they move to and how was operating your SOC better, easier, done differently?
Explain sort of like a before and after case with a client.
[Aaron Shaha] Yeah, this was actually with a previous company, that’s my experience. I joined in November, so I haven’t had this experience currently. But we were looking at building a ML AI tool in the elastic stack for a customer, and we were trying to understand password sprays. And the customer was looking at this and saying, “Okay, this is very simple, right?
You just add these two rules in.” And as we started to run the purple team through, we could see the attackers… They would give us just the generic fire hose, right? And blast things through and very simple to pick up. But as the attackers evolved their tradecraft to what I would call more realistic scenarios, it became much more difficult to detect, right?
And those nuances kind of came through. So, by working with the purple team, we could have the attacker try something, we could have defenders look through their logs, and then we could generate the rules in ML and AI to help speed the defenders to understand what was happening on their network, right?
And it was a very give and take type of development process.
[David Spark] So, essentially a just-in-time education, if you will.
[Aaron Shaha] That’s a great way to describe it.
What is the best time to do this?
26:15.482
[David Spark] How do you reprioritize paying down your technical debt? Every organization has to deal with this question. It often comes to light when needing to update end-of-life hardware, deciding when to do a systematic refresh versus a simple update to kick the can down the road. So, on LinkedIn, Zach Zoulius ran through how a classic Five Whys approach, and I’m a huge fan of the Five Whys approach.
He says the Five Whys approach can help you fully understand the depth of your technical debt across various stakeholders to better inform your process. Mike, so when do you really create an end-of-life plan for technology, and what are the key elements of that plan?
[Mike Johnson] So, this was an interesting topic that, frankly, I’ve never thought about before. I’ve never really thought about planning ahead for an end-of-life. I guess usually I’m on the receiving end of, “Hey, this thing is going away all of a sudden,” and now I have to panic. But I wonder if you think of this from a maturity perspective, I think the most mature organizations would create this end-of-life plan as part of implementation.
Just as you would for a critical process or system, create a disaster recovery business continuity plan, you create an end-of-life plan. And it might be thinking about what’s next. What does a future migration look like? If we need to move away from this thing, what would that look like? That would then mean you need to understand how to get your data and processes out of there.
When I was at Salesforce, one of the things that we did was you could take your data out of Salesforce at any time, but the problem was companies built up processes that relied on that, and so the data was only part of it. So, I think if you’re thinking about an end-of-life plan, you need to think about both the data and the processes, how you would get that out.
[David Spark] That’s a really good point.
[Mike Johnson] That’s how you build that plan.
[David Spark] I remember having to get out of a CRM system and actually I had a problem getting data out. I actually had to hire someone manually to copy and paste stuff out. That’s how bad it was.
[Mike Johnson] Oh, fun.
[David Spark] But it wasn’t too painful, for that matter. Aaron, have you had this experience of dealing with end-of-life and maybe some good and bad stories of how you’ve dealt with it?
[Aaron Shaha] Yeah, so this is really challenging. A lot of the businesses I’ve dealt with in previous lives when I was doing DFIR work with Deloitte, you would see lots, and I mean lots, of very large companies go through M&A activities, things like that, where they’re bringing in lots of technology from people that might not be as mature, even though they had a mature process at the acquiring company.
And the plan, Mike’s spot on, right? I mean, having that maturity plan would be great to get us through there, but sometimes that’s not going to happen, and that technical debt does seem to have compound interest on it and bring it through. And that’s really difficult to do, as well as some of those business processes that are kind of ingrained.
We’ve seen legacy COBOL and AIX around there, right? And you’re not dropping an EDR solution on those, right? So, it kind of evolves down to what I call looking for black holes, right? The way we look for black holes in science is we look for the activity around the black hole, the light bending past it or whatever.
We have to do similar things with our network defensive tuning, right? And tooling. And look for things around that, put them in a hardened enclave. But really migrating some of that technology off of those old systems is much harder than many people appreciate, and they can be around for quite some time.
[David Spark] I will just say personally – and again, my personal stories doesn’t have nearly the hooks nor the hardware that like a hospital has to deal with, with technical debt – but when you’re on the other side of it, oh, it feels a lot better. It’s just getting to that other side. Mike, you’re smiling.
[Mike Johnson] Oh, yes. Because I mean, it’s like so many challenges, right? It’s the feeling of accomplishment that comes out of it.
[David Spark] But the long road you feel afterwards, not just that moment.
[Mike Johnson] Exactly. You might have had a vendor who was not doing what you need or an application that was not doing what you needed, and then now you’re in this bright new world where everything just works, and you’ve got both the moment and the ongoing feeling of satisfaction from it.
[David Spark] So, yeah, Aaron, you’re nodding your head all the way through this. Add your two cents here.
[Aaron Shaha] Yeah. I mean, when the plan comes together, it’s amazing, right? Being able to age off those systems, get them off your network. I’ve seen so many companies, unfortunately, the majority of them, that just struggle with the planning. And part of that’s people moving on, people not being at their jobs for as long as they have been in the past.
So, those plans tend to disappear, evaporate, get lost, right? And before you know it, you’ve got a whole closet full of aging equipment that nobody knows is there. I spoke about it earlier. That’s one of those advantages that the attacker can leverage because they have ground truth on your network, they know what’s there, where you might have lost it, your IT staff might not know about it, etc.
Closing
31:45.103
[David Spark] Excellent point. Well, that brings us to the very end of the show, which we have fully upgraded. We have dumped all our technical debt here at the CISO Series. Look, we have old processes that have gone, but again, we are not stuck to any major physical hardware too, for that matter. We haven’t had that kind of problem.
I think it’s the giant physical hardware is the thing that really, really ties you down. That’s the tough one. If you don’t have huge physical hardware, you really don’t have much to complain about.
[Mike Johnson] I do think that makes a difference, but sometimes people have physical lights that keep the show on track.
[David Spark] That too. But also, you also brought up a very good point too, Mike, was the fact that like you’re on Salesforce and you want to migrate off Salesforce, but you’ve got hooks into 12 other applications. Well, good luck getting off. That ain’t easy. All right. We come to the end of our show, and I want to thank our sponsor.
That would be Aaron’s company. That’d be CyberMaxx. Think like an adversary, defend like a guardian. They do managed detection and response. And if you heard what he was saying, they have a great approach to it as well. So, they combine the offensive capabilities you need for stronger security. And Aaron, I’ll let you have the very last word.
Mike, any last thoughts on today’s conversation?
[Mike Johnson] Absolutely. Aaron, it was a pleasure meeting you and having the conversation. I always love when I get to geek out on response. Like my background is incident response, intrusion detection, so I love being able to geek out on that. So, thank you for that opportunity. I also wanted to highlight a couple of comments that you made.
One is your example of the hospital and reminding folks that sometimes availability is king, and people need to factor that in, that that is actually part of the CIA triad. So, thank you for that story.
[David Spark] By the way, for those who don’t know, confidentiality, integrity, and availability. That’s your CIA triad. Go on, Mike.
[Mike Johnson] Thank you, David. The other quote that I really liked was when you had mentioned that companies were saying they were attacked by the LockBit malware. And you were reminding that, “No, you were attacked by an adversary. You were attacked by a set of humans.” That was a very good way of reminding folks.
So, thank you for those anecdotes, those stories, those comments. And most importantly, thank you for coming on this show. It was great talking with you, Aaron.
[David Spark] Aaron, I want to ask you, please give a plug for CyberMaxx, anything that I have not mentioned that our audience should know. Also, I understand you are hiring as well. And by the way, let me thank you for being an awesome guest on the show. Any other thoughts?
[Aaron Shaha] Awesome. Thank you, gentlemen. No, it was great. So, yeah, at CyberMaxx, this is kind of the takeaway, right? We believe it’s our duty to defend against those who commit wide-scale societal disruption through cyber attacks, right? Some days it’s we get in the grind, I’m sure Mike’s seen it, and we wonder why we’re here.
We’re essentially keeping the lights on and keeping civilization going. It’s sometimes a thankless job and tough, but you know, all of us in the security industry and [Inaudible 00:34:36], keep fighting the good fight. Visit us at cybermaxx.com.
[David Spark] And you are hiring, correct?
[Aaron Shaha] We are hiring. Yes, thank you. Yes, sales engineers right now.
[David Spark] And they can reach out to you. Yes, Aaron?
[Aaron Shaha] Yes. Yes. Or the website, either way.
[David Spark] Or on LinkedIn, you’re available, yes?
[Aaron Shaha] Correct. Yes.
[David Spark] Awesome. So, thanks to Mike Johnson. Thanks to Aaron Shaha, who is the CISO over at CyberMaxx. And thank you to our audience as well. We greatly appreciate your contributions. That was a really good “What’s Worse?” scenario. Get more “What’s Worse?” scenarios to me as well. And we appreciate you listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.