… And the Business Listened to the CISO and Everyone Lived Happily Ever After

It’s not enough for cybersecurity professionals to talk among themselves. Storytelling is a vital way to connect technical security controls and policies to the rest of the business. So how do you go about turning metrics into a narrative that can get buy-in?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is Stephen Harrison, CISO, MGM Resorts International.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Vectra AI

Vectra AI is the only extended detection and response (XDR) platform with AI-driven Attack Signal Intelligence. Vectra AI’s attack signal intelligence platform uses AI to find attacks on networks, identities, clouds and GenAI tools. Learn more at vectra.ai/showme.

Full Transcript

Intro

0:00.000

[Voiceover] Biggest mistake I ever made in security. Go!

[Stephen Harrison] I was on a pentesting engagement about 15 years ago. I had been spending far too much time trying to use a Proxmark bypass on a device. My supervisor was upset. He scolded me very briefly to tell me how much of a fool I was making of myself as he continued to shimmy a manila envelope in between the low-poundage mag lock and open the door, showing that I had not just lost well over a day, but that it was such an easy solution, and I think about it all the time.

[Laughter]

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, producer of the CISO Series. Joining me is my cohost since the very beginning. It’s Mike Johnson, the CISO of Rivian. Say hello to the audience, Mike.

[Mike Johnson] Hello, audience. It is a pleasure to be here with you today.

[David Spark] We are available at CISOseries.com. If you have not gone there, I would say on an hourly basis would be an appropriate time for people to visit our site.

[Mike Johnson] Oh, yeah. Every hour, yeah.

[David Spark] Hourly?

[Mike Johnson] Yeah. Hourly.

[David Spark] Hourly would be low touch, I would say. You could do it more frequently if you would like.

[Mike Johnson] If you really want to be behind the times, just only go once an hour. But if you really want to be up to what’s going on, five minutes feels more appropriate.

[David Spark] That does feel more appropriate. Our sponsor for today’s episode is Vectra AI. Find attacks others can’t with the most advanced AI-driven Attack Signal Intelligence on the planet. We’re going to be talking about that a little bit later in the show. Now, before we jump into our show, Mike, you and I are almost exactly six years into doing this.

Actually, six years since probably recording, but almost exactly six years that we have been doing this.

[Mike Johnson] Mm-hmm.

[David Spark] And here’s the important question I want to know. How many games of pinball have you been playing in the past six years?

[Mike Johnson] [Laughter] Oh, David.

[David Spark] Because I know you played the machine at my house, but the question is have you played any others?

[Mike Johnson] I think I have a confession to make.

[David Spark] Is the answer zero?

[Mike Johnson] The answer is zero. Sorry.

[David Spark] This is an embarrassment because I said to my own team because it’s Memorial Day weekend that we’re recording this, and I said, “Hey, everybody, obviously send me photos of wherever you’re going to be playing pinball this weekend,” and I’ve yet to receive a single photo from anyone.

[Mike Johnson] I think you may have learned a valuable lesson here today, David.

[David Spark] Yeah. Some people are not as into it as I am.

[Mike Johnson] Go figure. How many machines are you up to now in your house?

[David Spark] I now have a number of them. Yes, I have a number of them.

[Mike Johnson] You have more in your house than games I have played of pinball since we started doing this.

[David Spark] Of pinball? Really? When you played mine, how many had you played prior to that?

[Mike Johnson] Oh, I mean, back in high school and middle school, I probably played plenty, but it’s been a while.

[David Spark] I got my wife, she is now addicted, and she was streamed on Twitch playing pinball. I don’t know if you’ve ever seen, they have these rigs now that go over a pinball machine, one camera on the play field, one on the scoreboard, and one on the actual individual playing.

[Mike Johnson] Oh. So, three video feeds at once.

[David Spark] Three cameras and they’re all put together onto a single screen view. But the camera rig is on a roller, so it just rolls to a different pinball machine, depending on which one’s playing.

[Mike Johnson] Wow.

[David Spark] It’s great. Yeah.

[Mike Johnson] Very cool.

[David Spark] So, anyways, I have yet to stream myself, but my wife, she was streaming.

[Mike Johnson] Oh. She beat you to that one, David.

[David Spark] Mm-hmm. She did very well. She finished 19th out of 52 in the women’s competition, so I was quite impressed.

[Mike Johnson] Pretty good.

[David Spark] All right, enough of this nonsense because people didn’t come, this is not… There are pinball podcasts out there.

[Mike Johnson] This is not one of them.

[David Spark] Not that interesting. I’ll warn you, they’re not that interesting. But our show is far more interesting than that, and let’s get to our guest at hand. We’ve had our guest on before on other shows, but not on this one, and he has recently been promoted to the title of CISO over at MGM Resorts International.

Excited to have him on, none other than Stephen Harrison. Stephen, thank you so much for joining us.

[Stephen Harrison] Happy to be here, David, Mike. I’m actually a pinball fan myself. And if you’re here in Vegas, this is home to the Pinball Museum.

[David Spark] It is the Pinball Museum. And I have a love-hate because they have a number of machines that are broken in that museum.

[Stephen Harrison] Yes, yes. You’re going to lose quarters. You’re going to…

[David Spark] Well, it’s not lose quarters. You’re going to be annoyed that the machine doesn’t play well either. But actually, the last time I went, they did actually do a massive upgrade of a lot of the machines, and they are playing better. So, I can recommend now, people go.

[Stephen Harrison] It’s fantastic for anyone in town. But I guess, again, we’re not here to talk about pinballs. [Laughter]

How can we secure new technology without creating new risks?

5:10.352

[David Spark] What does the attack surface look like for AI? Daniel Miessler put together a comprehensive look at where and how threat actors can attack AI systems right now. We’ve already seen prompt injections used to exploit AI in proofs of concept, but the list also includes training attacks, which attempt to poison AI training data to either break the model or have it give responses that benefit the attacker.

So, Mike, I’m going to start with you. What should we be concerned about now, and what do you think will be the longer-term threats here?

[Mike Johnson] So, first, I’ll say to the audience, please go read Daniel’s article. He really summarized this whole topic far better than I could. And he also has a great graphic that really walks folks through it. So, please go read that. But beyond that, I’m going to make an assumption that most of us are not building new foundational models.

There’s a few, but your average company isn’t doing that. So, I kind of view the threats that I think about as prompt injection, hallucinations, and theft of service. Those are the ones that I think about.

[David Spark] What is hallucinations? We’ve talked about that. Remind me again. What is that, hallucinations?

[Mike Johnson] A hallucination is when the AI essentially makes up an answer. It’s something that it thinks is the right answer, but it’s actually the wrong answer.

[David Spark] Okay. Which, by the way, honest AI systems trying to do a good job, I guess, are hallucinating.

[Mike Johnson] Well, I think ultimately it comes right down to they’re prediction machines. They’re trying to predict what the right answer is, and they get it wrong every once in a while. Where I view hallucinations as a cybersecurity threat is they decrease the trust in the system. If you can’t trust the AI system, and maybe you’re using it for a very specific purpose, so maybe you’re actually using it to solve cybersecurity problems.

If you can’t trust it because of those hallucinations, then I do view that as a threat to think about. The other one that I’ll mention is the theft of service. That’s where you might accidentally expose your entire AI platform. Maybe it’s just a front-end to ChatGPT. And someone recognizes that you’ve done that, and they’re like, “Well, I don’t want to pay ChatGPT any money.

I don’t want to have an OpenAI account.” But I can just go to your chat interface, and I can ask it an arbitrary question. That is all that I really want out of the AI, and you’re going to give me the general answer, not something that is specific to your service.

There was a car dealership. Many people remember the fact that somebody convinced it to sell them a car for a dollar. But the reality is other folks came and figured out, well, you’ve just exposed ChatGPT Enterprise to the internet. We’re just going to take advantage of that. So, I think the theft of service is something that folks need to keep an eye out for when it comes to AI threats.

[David Spark] Stephen, I want your take on this.

[Stephen Harrison] I agree with Mike here. What Daniel Miessler put together was a great place to start for anyone wondering on how to protect with all these new initiatives coming into their environment. I’m going to add on and say securing the infrastructure behind the LLM is also a priority. Think about model extraction.

We saw this early in the months following ChatGPT’s launch, and then when Bard – I guess Gemini, the LLM formerly known as Bard – that there was a rush from competitors in this space, that they were just throwing out this technology, and the result of this was insecure infrastructure calls that exposed the models, and attackers and competitors in the space were able to hijack and spin off clone services.

So, you saw all these clone services coming out right after GPT and Gemini, back a little over a year ago now. So, I think it’s very important to do dynamic security testing on your infrastructure, similar to your development pipelines. Input validation is just as important here as it is for any application working with free-form or variable text input.

Think of malicious inputs crafted to cause the model to make the wrong decisions. This is what Mike was talking about. Imagine a self-driving car mistaking a stop sign for a yield sign due to some cleverly placed sticker out there. This is what we’re talking about when we’re…

[David Spark] This sounds like RoboCop is what this sounds like. It’s like getting the RoboCop, he all of a sudden doesn’t see the right stuff and can’t behave correctly.

[Stephen Harrison] Exactly, exactly.

[Mike Johnson] So, we have to worry about RoboCop. That’s what everyone should take away from this is RoboCop is the threat.

[Stephen Harrison] I think it’s [Laughter] real. Definitely RoboCop is a threat today, tomorrow, and yesterday. No, that’s Terminator. But when we look at AI technologies emerging, a lot of it is the more expanded attack surface from your traditional development and DevOps practices. We’ve taken those and we’ve added language, [Laughter] which is incredibly complex as a variable to securing this technology.

Are we creating more problems?

10:44.411

[David Spark] What policies need to be in place for increasingly popular low-code and no-code development tools? This has become quite a little hot topic, hasn’t it? These tools were already widely used before GenAI gave them a further shot in the arm. But the flexibility these tools offer comes with a significant security cost, argued Ericka Chickowski at CSO Online.

Now, in many ways, these tools are their own form of shadow IT. I mean, as I see it. So, assuming these tools are already in some kind of use, Stephen, how do organizations get a handle on policy for them? Is it similar to how we try to deal with shadow IT? Is it a different story? What’s going on here?

[Stephen Harrison] It’s probably very similar to the adoption of generative AI in the workplace.

[David Spark] So, generative AI adoption and low-code, no-code, similar policies around them. So, walk me through it.

[Stephen Harrison] Yeah. So, when you think about low-code, no-code, you need to have some sort of approval process for projects before development begins, or at least an agreed-upon set of standards and tools that you give your enterprise, think about finance, commercial sales. Everyone needs some sort of guidance on what to do, or they’re going to go rogue and you’re going to have shadow IT in the space.

And it’s not necessarily a slight against your program. This is the nature of emerging and innovative technologies is that they’re going to be adopted and used widespread. And so your best chance is to get ahead of it, figure out an approval process, what technology involvement with IT, digital data, have some sort of standardized set of approved platforms that meet security requirements, just so you can simplify the management of this and reduce the risk.

[David Spark] It sounds like this just comes down to culture because if the culture of the company knows to listen to security or work with security, then there will be sort of a healthier exchange, I would assume. Yes, Stephen?

[Stephen Harrison] I think that’s for everything. Obviously, there’s secure coding and data security practices that need to be considered here, but overall, it’s a management of the cultural adoption of this new technology, similar to generative AI.

[David Spark] All right. A, do you agree with this, Mike? And what would you have to add if you do?

[Mike Johnson] Stephen made several points in there that really are akin to provide people the platforms, provide them the standards, the anointed or approved platforms, and that then, in a way, solves a lot of these problems. People are going rogue when they don’t have the tools to do their job. So, if you can get ahead of that, or at least catch up to it and say, “These are the platforms that behave and generate code in the way that we would like them to.

Use these.” And maybe you even go one step further and find all of the teams in the company that are trying to use platforms like this, get that consensus, and then you’re able to make a bulk purchase. These platforms are not cheap. So, if you’ve got 10 different people off doing their own thing, you add that together, that’s a lot more expensive than a group license for 10.

So, I really think the provide a platform, provide the expectations and the standards, and folks are going to do the right thing. Make it easy to develop securely.

[Stephen Harrison] I completely agree. I think if you don’t do it this way, you’re creating Frankensteins in your environment too, or you’re allowing them to be created, and I like this analogy a lot. So, if you think about Mary Shelley’s Frankenstein, he goes into the barn at the end every time and he never comes out, so they don’t survive.

Sponsor – Vectra

14:48.140

[David Spark] Before I go on any further, I do want to tell you about our brand-new sponsor, and that is Vectra AI. So, SOC teams can’t possibly have eyes on everything, can they? What if I told you they can? I know you’re not going to believe me, but listen, this is what Vectra AI does. Around every entry point and every clever attacker, Vectra AI sees the attacks others can’t.

How do they do it? They have AI on it. Vectra AI’s Attack Signal Intelligence XDR platform tells SOC teams where to focus, what matters. It wades through thousands of individual threat events, so you don’t have to. So, are attackers infiltrating your network? They have AI on it. The “they”? That’s Vectra AI.

So, attackers compromising your identities? They have AI on it. Attackers moving to your cloud? They have AI on it. Attackers exploiting your GenAI tools? They, that’s Vectra AI, has AI on it. So, to learn more about how Vectra AI’s Attack Signal Intelligence XDR platform works, you got to visit their site.

Go to Vectra.ai/showme. Go there to learn more.

It’s time to play “What’s Worse?”

16:16.575

[David Spark] Stephen, you’re familiar with this game, correct?

[Stephen Harrison] Correct.

[David Spark] All right. Two crappy scenarios, and you have to tell me which one is the worst of the two. I always ask Mike to answer first. Mike, this comes from our good friend of the show, Jonathan Waldrop, who is now the CISO over at The Weather Company. And I will have to say that, Jonathan, I adapted this one a little bit because I thought one side was a little too lopsided, and I think I’ve evened this out a little bit more.

[Mike Johnson] So, you tried to make it more difficult.

[David Spark] Make it more difficult. So, hopefully you agree with me, and this is a challenge, but I’ll find out when I read it and you go, “Ah, this one’s easy.”

[Mike Johnson] Fun for everyone.

[David Spark] We’ll see how this goes. All right. Scenario number one, Mike, your hiring processes take way too long to hire talent. About 75% of the time you lose candidates because of the length of the interview processes and the rounds of interviewers. So, really good candidates, they just miss the boat just because your whole process stinks.

Now, the second scenario, your hiring process and the timelines are totally reasonable, but by direction of your executive team, you’re only allowed to hire entry-level candidates, and here’s the worst part. You have no budget for training. So, you bring in entry-level people. They’re going to kind of have to learn it all on their own, but you can get the best entry-level people, for that matter.

Which scenario is worse?

[Mike Johnson] So, in the first one, what you’re dealing with is you’re losing candidates.

[David Spark] Losing good ones.

[Mike Johnson] Seventy-five percent is a very high dropout.

[David Spark] Some squeak through, but a huge majority, you’re getting subpar candidates.

[Mike Johnson] Twenty-five percent of them make it through. Isn’t that great?

[David Spark] There you go.

[Mike Johnson] We’ll be glass half full.

[David Spark] The glass is a quarter full.

[Mike Johnson] Glass is a quarter full. And then the other one, what you’re running into is you can only hire entry-level. So, it’s essentially a budgetary constraint [Distortion 00:18:23]. Because you said you can only hire entry level, and you have no budget for training.

[David Spark] But you create a good experience, and you can hire good entry-level people too, for that matter.

[Mike Johnson] Yeah. So, this is one that I’m not sure how you adjusted this one, David, but I do think these are pretty equal.

[David Spark] Good. I changed the second one. I made that one a little bit… That’s the one I made.

[Mike Johnson] So, I think I’m just going to pick one and go for it and make my argument. And I think realistically, the first one is the worst. It’s not great that you can only hire entry-level folks, but as you said yourself, David, you can hire the best entry-level folks. And because you’ve got a decent hiring process, a decent interviewing process, those folks are that much more engaged.

They’re excited to be there. They’re not dreading their first day. In the first scenario, you’ve got folks who, that 25% who decided to stick it out, they’re already dreading their first day. They’ve lost their excitement. Yes, they accepted the offer, but they’re like, “Oh, I’m not sure what I’ve got myself into.”

[David Spark] Well, I should mention that the entry-level people also have to face the fact that they’re getting no budget for training.

[Mike Johnson] Well, sure. But again, they also have a fabulous security team that they can learn from and they’re getting on-the-job training. They just can’t put any money into it. And there’s plenty of free training.

[David Spark] Yeah, there you go.

[Mike Johnson] So, I’ll toss that in there as well. So, I do think the first one is the worst because those folks, they just know they’re not going to have a great experience. They’re not going to be excited. They’re not going to be engaged. And my guess is you lose those people pretty quickly, even after they start.

[David Spark] All right. Stephen, you’re nodding your head that you agree with him. Do you agree here or disagree? What’s going on?

[Stephen Harrison] I agree. I would love to argue with you, Mike. I agree. For me, a drawn-out interview process is like a special kind of hell.

[Laughter]

[Stephen Harrison] When you go through all of this rigor to vet out candidates again and again in multiple rounds and the process is so complicated and convoluted that I’m losing 75% of my candidates before I can even get them to selection. That is a lot of rework, and I hate rework because you’re essentially saying all the time and effort you gave into picking the right candidate didn’t matter.

You’re going to lose them anyways 75% of the time. I agree that you can train and foster and grow new talent. And again, if I can get the best entry level, I’m getting some post-grad work students in here. Yeah.

[Mike Johnson] And one of the things that I think you highlighted there, Stephen, that I think is interesting is you also reflected on how bad the experience is for the interviewer. Just that you’re beating your head against the wall, you’re trying to find these people, you’re putting in all of this work, and you’re having to do it over and over and over again.

I hadn’t really thought about it from that direction as well.

[Stephen Harrison] Yeah, I’m personally in PTSD mode right now, trying to think about going in interview after interview and it not mattering. And that’s no way, not for me.

What’s it going to take to get them motivated?

21:45.053

[David Spark] How important is storytelling in cybersecurity? We bring this up all the time. So, this conversation came up in a cybersecurity subreddit post asking how to convince a boss to stop a bad security practice. Now some commenters pointed to technical security controls as an answer or to look for a new job.

This is a common line on the cybersecurity subreddit. But the comment that resonated the most involved telling that boss a story about how the bad practice could lead to direct business risk going forward. Ah, no wonder we’re so popular. So, I’m eager to hear from both of you. I’ll start with you, Mike.

What are some of the stories you’ve told as a CISO to get by, to make that convincing argument? Like you realize if I showed speeds and feeds and explained technically, it would just fall on deaf ears. What was one of your most convincing moments, if you will?

[Mike Johnson] First of all, I like that you highlighted that it seems every one of these threads includes a “quit your job” response.

[Laughter]

[David Spark] Yeah.

[Mike Johnson] It feels that way.

[David Spark] It’s the pull of the rip cord. It’s just like, “I’m out of this.”

[Mike Johnson] Yeah, just quit. But I think what it comes right down to – storytelling is situation. Sometimes you need to bring data to a conversation. Some folks, that’s what they’re driven on. And sometimes you need to build a relationship. And that’s kind of the difference between the two. Storytelling is helping you build that relationship.

And generally my stories, it’s past experiences. They’re not made-up scenarios. These are real situations, and I think that allows them to speak louder.

A lot of folks, it’s very easy to just try and scare people, “You need to do this because this bad thing is going to happen.” But if instead you can say, “Hey, I worked for a prior employer. We had a significant malware incident that years later, we had to deal with concerns from prospective customers.” We had to keep telling that story, and all we had to do was just do it right the first time.

We needed to build the appropriate detection mechanisms. We needed to be more serious about preventing people running whatever they wanted to run. And we would have not had to keep coming back every time and time again. Because there was a headline that people would go and Google company name, cybersecurity, they would find those incidents.

So, that’s one example that I use is I started a job at a company, and I was immediately having to tell customers, “Hey, here’s what happened,” and try and come up with new solutions going forward. But being able to say to managers since then, other leaders since then, “I’ve been there, I’ve done that.

I’ve seen it. Here’s the situation. Here’s how we could have avoided it.” It does tend to bring it home to folks more.

[David Spark] In sales, storytelling kills, I remember a mentor had communicated to me. I was frustrated that I wasn’t getting certain levels of business, and he said, “Oh, don’t worry about that at the beginning. Just get the stories. Once you have the stories, everything else falls in line.” He couldn’t have been more right.

I started getting a few stories, and I remember once I had those and from very big players and I would reference them, everything else fell in line after that. So, I throw this to you, Stephen. What has been your most compelling storytelling technique? And if you have a specific example too.

[Stephen Harrison] On my side, it’s really about building the emotional connection. So, security threats are often seen as a technology problem, not a business risk. So, a story can help bridge that gap, show how a cyber attack can damage your company’s reputation, disrupt operations, lead to financial losses.

Emotion is a big connection. It’s the key to getting buy-in. You hear this in business lectures and talks again and again, that it’s not really what you said or how you said it. It’s how you made the audience feel at the end of this presentation or conversation or lecture. And so I really focus on that and being relatable, similar to what Mike’s talking about here.

It depends on what you’re talking about. Contextually, if you’re talking about addressing tech debt, I really like the idea of tying that back to remodeling a home or adding a pool when your foundation is cracked and your furnace is broken. You have other priorities here that you need to deal with before you can do this fun, great, exciting thing.

And that’s really what it comes down to as technology leaders, is helping prioritize your strategy in a way that your business leaders have buy-in and understand that in the very common term. You’re not trying to get them to understand what you’re talking about. I remember [Laughter] from a friend of mine talking to me about local admin removal with his C-suite, and he was interrupted by his CEO and his CEO said, “Listen, if you tried to get me to explain what local admin is to someone, I can’t.

I don’t know what you’re talking about. If you put a gun to my head, I’m dead all day.” So, you cannot bring the technology language to the C-suite, to the boardroom in most cases. They’re going to understand AI right now because it’s a hot topic. But in general, the problems that you’re dealing with in your program are complex, and the quicker you can simplify that message into something they can understand and follow along, the better it is for you.

You want brief, concise interactions with your board, with your C-suite. You don’t want to be burying them in long tirades or lectures about the technology you’re dealing with. That’s your job; it’s not theirs.

[David Spark] Let me ask briefly for both of you, are you able to see the connections down the road with the business? Like taking the example of sort of antiquated technology, can you see, well, if we keep this technology, this happens, this happens, this happens. You bring it all the way to the front of the house, if you will, kind of a thing.

You can see how it plays in the front of the house. But if we upgraded to this, this is how the front of the house would play. Are you able to make that time? Do you know the business well enough to be able to do that? Because I know that’s a core part of a CISO’s job. Stephen?

[Stephen Harrison] Yeah, I think about that, and I do see the downstream effects of the technology stack and strategy deployed. When you think about downstream effects, you think about it as friction and experiences. When your technology or security stack isn’t performing the way it needs to be, you’re creating friction for your accounting, your front-end sales, your maintenance or facilities, whatever your business line is in the departments you have.

If your technology isn’t where it needs to be, it creates visible friction that you should be able to follow upstream to some sort of root cause that’s probably in your strategy roadmap for the next few years that you’re working on.

[Mike Johnson] I do absolutely think you need to be looking around the corners for these types of situations. You need to think about how an impact in one business area might have an impact in another. That’s part of being a business executive. And I think quite often CISOs are also thought of as technology leaders.

That means you have to be able to see how these particular tools are all fitting together, and a change of a platform, what is the downstream impacts of that and advise based on where that’s going. So, yeah, you have to be able to see around the corners.

Could this possibly work?

30:01.259

[David Spark] Are public-private partnerships the solution to managing increased attacks by sophisticated actors? Now we’ve seen success from these types of initiatives. Recently, Jonathan Greig at The Record profiled the success of CISA’s Ransomware Vulnerability Warning Pilot that launched last year.

Mike, I’ll start with you. When have you seen personal success with public-private partnerships?

[Mike Johnson] CISA’s a great example of the public-private partnerships. They’ve really been engaging closely with the industry. They keep putting out really useful tools. One of the ones that I really appreciate is their list of commonly exploitable vulnerabilities. This is a list of vulnerabilities that are actively being exploited in the wild.

If you have a particular technology in your environment that shows up on CISA’s KEV list, that immediately goes to the top. You might have a CVE 9.8 or CVSS 9.8 somewhere else, but there’s something that’s on the KEV list that is a 9.0, that should absolutely trump your own internal rating systems. So, that’s one of the most significant tools.

[David Spark] That is really good to know. All right, Stephen, I throw this to you.

[Stephen Harrison] I’m a huge proponent of this. From InfraGard to CISA, there’s so much opportunity in sharing, and it’s weird that there’s this resistance in some programs to share. CISA’s fantastic. They also do zero-day exploitation briefing calls. You can join or have your team, your vulnerability management team join.

They do just a ton for the space. And when you think about what Homeland Security was doing eight years ago in this space, it’s night and day for the sharing and collaboration. I think on top of that, your ISAC groups are invaluable for more industry relevant. We’re part of retail hospitality, and so we interact with a lot of retail and hospitality organizations in threat intelligence sharing or just trends in the industry.

So, these partnerships are invaluable, I think, to a successful program. You really need to be engaging with them. And not only that, when you think about law enforcement, you don’t want your first engagement to law enforcement to be in a crisis. You really want to be establishing these public-private sector relationships ahead of time.

So, when things happen, you know who the special agent in your field office is. You know who you can reach out to at CISA. You know your local, state, federal points of contact. And if you’re not fostering these relationships, you’re not going to know who to call in a crisis.

[David Spark] That’s a very good point to bring up. We actually had someone from the FBI on the show that spoke to specifically that, saying you can call, and they will come and do tabletop exercises with you as well.

[Stephen Harrison] Yeah. We have a great field office here near our headquarters in Las Vegas. I know several of the special agents there, and that’s through intentional fostering of that relationship.

[David Spark] Excellent.

Closing

33:17.615

[David Spark] That’s a good point to close on for this episode. Thank you very much, Stephen Harrison, who is the CISO over at MGM Resorts International. Thank you also, Mr. Mike Johnson. I’ll let the two of you have the very last words here. And I want to say a huge thanks to our sponsor. That’s Vectra AI.

Remember, go to Vectra.ai/showme to see how their Attack Signal Intelligence XDR platform actually works and how it can have eyes on the stuff that your SOC can’t see. All right, Mike, any last words for today’s episode?

[Mike Johnson] Yeah, Stephen, thank you so much for joining. It was great to catch up with you again after all of these years. Glad to get to sit down and have the conversation with you this time. A couple things I really want to call folks’ attention to. One was your advice on building the relationships with law enforcement before you need them.

I think that’s really good guidance for folks to take home.

[David Spark] If people get anything out of this episode, that’s the one thing they should get.

[Mike Johnson] Yes.

[David Spark] Yes. Take advantage of it. Your tax dollars are already paying for it.

[Mike Johnson] Yeah, you’re already paying for it. You’re already soaking in it. But the other thing I’ll say is your point about meeting people where they are when it comes to storytelling. I think that’s also really good advice for folks to not show up in an ELT meeting trying to explain local admin.

[David Spark] I like that – local admin, gun to my face, I’m dead.

[Mike Johnson] I was cringing visibly as you were telling that story. So, thank you for that reminder to folks. And just in general, thank you for joining us and great catching up with you again.

[David Spark] All right, Stephen, before you say anything, we always like to ask, are you hiring?

[Stephen Harrison] Yes, we are hiring. Our InfoSec program is growing. We have some recent employees that moved on to bigger and better roles. A couple are now CISOs, so we’re happy to see them move on in their career. But we have a lot of opportunities, so hit me up on LinkedIn.

[David Spark] Great place to start. And also, I’m assuming there’s a careers page, yes, as well?

[Stephen Harrison] Yes, yes. MGM Resorts Careers page.

[David Spark] It’s always good to find the thing you want first and then ping Stephen about it. Yes?

[Stephen Harrison] Definitely, definitely.

[David Spark] He is not going to go search for the job for you.

[Stephen Harrison] I’ll quickly send you the link if you bug me, now that I think about it.

[David Spark] All right. Actually, just send me the link. We’ll put it in the post. Do that. That’ll make things even easier. Thank you very much, Stephen. Thank you very much, Mike. And thank you very much, our audience. We love your contributions. Keep sending them in. Send in challenging “What’s Worse?” scenarios.

And also, just great segments. If you have a great discussion online, those make great, great segments on this show. Thank you for doing that. And thank you for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.