Incident Response Is So Important We Might Try Getting Good At It

If incident response’s mission statement is so clear, why do so many companies struggle when delivering on it? Often the fault lies with communications. The business and its divisions are not aligned with their cybersecurity capabilities, and no one is following the playbook. Or, it’s possible it was never tested. Or worse, there is no playbook.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our sponsored guest, Amir Khayat, CEO and co-founder, Vorlon Security.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Vorlon Security

Vorlon helps organizations take back control of their data by providing continuous visibility of sensitive data shared via API across third-party applications. Know what data goes where, when, and how between third-party apps with external threat intelligence. Reduce the complexity of investigating and responding to third-party security incidents with Vorlon.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO. Go!

[Amir Khayat] When uncertainty strikes, don’t wait for clarity to appear. Hack the uncertainty.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host for this episode, which you normally hear this gentleman over on Defense in Depth, but you’re getting a lucky opportunity right now. You get to hear him on the CISO Series Podcast.

It’s the big crossover you were all hoping for. You’ve heard him before. It’s not his first time. It’s Steve Zalewski. Steve, say hello to the audience.

[Steve Zalewski] Hello, audience.

[David Spark] You’ll hear a lot more of him today, but first let me mention our sponsor, and that’s Vorlon Security, proactive third-party API security. That’s with Vorlon Security. You’re going to hear a lot more about that throughout the show. In fact, they were responsible for bringing our guest today.

Who, why don’t I just introduce him right now? It’s our sponsor guest, Amir Khayat, who’s the CEO and co-founder of Vorlon Security. Amir, thank you so much for joining us.

[Amir Khayat] Thanks for having me. Great to be here today.

[David Spark] All right. Now, the reason I’m bringing you in early is because our opening banter, we always have a little quick opening banter, is about Black Hat 2024, which is going to happen one week after everybody hears this episode. And you’re going to be there, I’m going to be there, and Steve’s going to be there.

So, I will start with you, Amir. You’ve got a booth on the show floor. How can people connect with you at Black Hat?

[Amir Khayat] We do, definitely. Black Hat is a great event that we participate in. We will be in the startup area. If you’re looking for emerging technology and you want to see Vorlon in action, please come and visit us and the team.

[David Spark] All right. So, Vorlon will be there. Steve, you’re going to be roaming around asking for handouts. Is that correct?

[Steve Zalewski] I don’t know about asking for handouts, but I’ll be asking a lot of questions. Yeah, I’ll be on the floor with you, David, wandering around. So, for anybody that wants to find us, come on down or reach out on LinkedIn and let me know because while I’m there, our audience is my number one concern.

[David Spark] I will also be there. I’m aiming, actually, because I’m coming in early on the 5th, and I’m aiming to get a little bit of pinball time over at the Pinball Hall of Fame early on, which I hope to do. Which I’ve been to. I have a love, hate of the place. It’s got a ton of machines, but about a third of them are broken and off, and many of them don’t play so well.

But most of them do play pretty well. So, that’s my love/hate with the Pinball Hall of Fame and me.

[Steve Zalewski] Oh, I may be coming this year with you. Let me know because I am like you, old school pinball. Oh!

[David Spark] They got plenty of that. If the machine’s on, that’s another question. Problem is the place, it’s a 501(3)(c). It’s a nonprofit. He doesn’t have enough people to fix these machines and they constantly break. They need someone to fix it. Anyway, that’s not the reason I’m talking. The reason is on the 7th of August, Wednesday, the show floor is open all day.

I will be there with the camera crew filming man-on-the-street-style videos all day. If you see me with my camera, man, please come up and say hello. And I may have some questions to ask you. If I am filming someone, when you see me, just wait. All my interviews only take a couple of minutes at most.

I would love to chat with you. So, please, we look forward to seeing you there. All right, Steve, anything else you need to say about Black Hat?

[Steve Zalewski] It’s going to be hot. So, drink a lot of water, folks.

[David Spark] No, just don’t go outside.

[Amir Khayat] Stay indoors. Yeah.

[David Spark] Stay indoors. Never go outside. I, one year, was staying at the Luxor, the event is in the Mandalay, and they have the hotels from the Luxor to the Mandalay are all connected. All right? And you don’t need to go outside. One year, I spent 72 hours indoors, never stepped outside.

[Amir Khayat] That’s smart.

[Steve Zalewski] And this year, that is going to be a really good strategy because, yeah, I’m not looking forward to 120, but that just means we’ll all be inside, and we’ll have more time with each other.

Didn’t we solve this already?

4:17.556

[David Spark] Incident response isn’t new. So, why do we see so many established companies doing a really bad job at this? Now, this could be for a lack of visibility, like when Block and Zacks Investment waited months to disclose data leaks, as highlighted by Neil Weinberg in a recent CSO Online article.

So, if bad incident response is a lack of transparency and, well, really slow remediation, is good incident response as simple as doing the opposite? Give me some transparency and just remediate quickly. If that’s the case, why do we keep seeing otherwise, Steve, competent organizations getting it so unbelievably wrong?

[Steve Zalewski] So, the first thing I’ll say is I don’t think that we’re getting it wrong. What we have to realize is just because it isn’t new doesn’t mean it isn’t hard. And when I say hard, I don’t mean that it’s a static problem that we’ve had. It also means what good looks like for a response is changing dramatically, right, compared to 10 years ago to what we want now.

And you hear this, right, which was we used to find things that were 285 days old, and now we’re being demanded to find things that are happening right now. Okay?

[David Spark] So, the bar has raised tremendously.

[Steve Zalewski] The bar is raised.

[David Spark] So, the definition of good, even though I defined it, it’s the bar of good has gone up.

[Steve Zalewski] And I think that’s the key.

[David Spark] All right. I throw this one to you, Amir. What do you think? Agree? And is there something more to the equation here?

[Amir Khayat] Yeah, I completely agree with Steve. I think that transparency is the foundation for a swift remediation, but most organizations don’t even have that. Think about your IT environment today. You have products that are on-premise, products that are hybrid, and ones that are fully in the cloud.

You need to understand who connects to whom and what data goes where. The interconnectedness often means that a breach in one system can have cascading effects, right? But let’s say you somehow have transparency and that you have the technical and personal resources to act swiftly. Sure, that’s definitely a great start, but effective IR is much more complex, as Steve said.

I think that, again, echoing what you said, Steve, the threat landscape is continuously evolving, and attackers are becoming more and more sophisticated. Staying ahead of these threats requires constant vigilance, updating security measures, and regular training. Even an organization that has robust defenses in place can still be caught off guard.

And if you add on top of that the human element and the fact that IR teams are working in different locations and shifts, that creates a high level of complexity. So, we all have the tendency to think that what worked for us in the past will work in the future, I agree, which is where I think organizations, and especially large enterprises with less agility, struggle the most.

A good IR requires a security strategy that is, one, comprehensive, addressing all the known factors, and two, adaptable, constantly learning and iterating, discovering the unknown factors. And the best way to achieve these things is to invest time in training your people, equipping them with the right tools and the processes for success.

[David Spark] All right, Steve.

[Steve Zalewski] So, I want to use the word lack of transparency, okay? And what Amir is talking about, right, is transparency on the infrastructure. So, from a technical perspective and process, do we have transparency to know what’s going on? But the other part of this is transparency with our customers, right?

Which was moving fast to be able to understand the problem and have transparency to the breadth of the problem is very different from having transparency to tell our customers we had a problem, right? Look at customers now. They have a different tolerance level to what a good incident response looks like.

So, we have two facets here, again, that we’re having to consider.

Why has this topic suddenly become the center of attention?

8:41.671

[David Spark] Automation in cybersecurity always sounds like a good idea, but in practice can be really hard to get right. And what can you automate? I mean, a redditor on the cybersecurity subreddit asked that very question with one person joking, “I automatically tune out everyone when I join a meeting,” which was pretty funny, I will grant that.

So, the redditor wanted to know though, for legitimate reasons, wanted to know what is actually being automated. Answers ranged from automating database creation, password auditing, tracking certificates, disabling old accounts, and ticket creation. All pretty darn good. So, one redditor summed it up as, “Not everything repeatable is automatable, unfortunately, but it is good to take a look at those tasks anyways to improve efficiency.” So, Amir, let’s start with you.

Where are you seeing the greatest success in automation?

[Amir Khayat] Well, I totally agree with the redditor. Working a few years in the SOAR space and for those who don’t know the acronym, that stands for security, orchestration, automation, and response, I can say that automation and security helps a lot when you have repetitive tasks, like when you get phishing email, and you want to check the email headers automatically.

However, you can only automate to a certain extent, since you can take the human element from the equation. I would say that if your expectation is to automate identifying an attack and fully remediate it, that’s quite ambitious. I’m sure it’s doable, but it’s too risky for companies. And from my experience, security teams want to automate up to a certain level, typically the collection of the information, and then they will take a manual action.

As a good colleague of mine used to say, people are the problem, but you can take people out of the solution.

[David Spark] We’ve heard of that one before. All right, Steve, I throw this to you. What do you think can be automated? And by the way, this is a very, very hot topic. And in fact, when we’re recording, we’re going to be discussing this on our Super Cyber Friday show.

[Steve Zalewski] Yes because automation is a force multiplier, right? And if you don’t have enough resources, then everybody says automation is a way to do more with less, okay? But what I will say is automation for efficiency is where everybody talks about this. But as an industry, and when I think about this as a CISO, I go, “How am I leveraging automation to be more effective at stopping the attack, not more efficient at doing more with less?” Because that’s where the easy part is, okay, to be brilliant at the basics.

So, I think some of this comes back to here’s what we know how to do with automation versus here’s where we need to learn to do new things to be effective with automation, and let’s do some innovation there. And we’re going to see the force multiplier that we’ve been hoping for for years.

[David Spark] What are some maybe variables? Like the person said, just because it’s repeatable, that’s not the solution. What are variables that say, oh, this thing’s ripe for automation, Amir?

[Amir Khayat] So, again, going back to the phishing example, which is a repetitive pattern that happens a lot for a cybersecurity team. When you investigate a potential phishing incident, you need to take specific steps. And I think that these are all repetitive things. You want to enrich the data. You want to get to a logical decision if this is a risk for you or not.

Those are the things that take a lot of your time. And again, going back to what Steve said about being efficient with your time. This is where you want to reduce the time that is spent around collecting all the information. You want to actually get to a decision. And that’s where I see automation can be the force multiplier.

[David Spark] I think that last line you just said though, it’s just how do I get to a decision faster? Right, Steve?

[Steve Zalewski] And the decision that the business will find acceptable, right? Because it’s easy if we just tell you what to do. The problem more and more is the business isn’t willing to just do as they’re told. They want to have a conversation about what’s good enough. And an example there would be, all right, Amir fell for a phishing attack.

I’m the CISO. What do I do? I just disable his account, I put him through a mandatory 40 hours of security awareness training, and then I turn on his account. How does that feel for the business?

[David Spark] It sounds like torture. [Laughter]

[Amir Khayat] Yeah.

[Steve Zalewski] Yeah. There’s automation at its worst. People will argue that’s at its finest. Okay? Now what we’re realizing, reality is, hey, look, if Amir fell for a phishing attack, what do I do? Good news is what I should do is I got to give him a call first, “Hey, Amir, looks like you fell for a phishing attack.

I’m sorry about that. Okay, I’m going to disable your account for 15 minutes. I’m going to ask you to do password reset. And since this is the third time in the last 90 days we’ve seen it, I’m going to ask you to spend another 30 minutes in doing some security awareness training just to help me help you.” Is that the right level of automation now?

[David Spark] That’s a much softer touch. And that can be acceptable. You had to crank things up because of… By the way, sorry, we had to use you as an example, Amir, of screwing up phishing tests.

[Laughter]

[Amir Khayat] It actually reminds me of a funny story, and again, I don’t know if we’ll have time to put it in, but Steve, you basically gave a bad example for automation. I remember working with a company, whose name I won’t mention, working with their IR team around receiving a phishing attempt.

And they told me when we implemented an automation tool there, they told me, “Is there a way for you to put it to sleep for five hours and then respond to the user just so people won’t know that it’s an automated process?” Yeah, so definitely agree with you about the bad stuff.

Sponsor – Vorlon Security

14:54.395

[David Spark] Before I go on any further, I do want to tell you about our absolutely awesome sponsor, and that’s Vorlon Security. Now, have you ever bought a waterproof rain jacket? Well, we assume all rain jackets are waterproof, right? Now you think it would be nice and it would keep you dry, but when you step out in the rain, you find out that it’s about as waterproof as a paper towel.

Maybe you weren’t wearing it right, or maybe it doesn’t cover you all up, and you end up sitting around in soggy clothes all day. So, nobody wants to be that person. Trust me, nobody wants to sit next to that person in the office either.

Putting your company’s data into a third-party vendor’s hand is about as waterproof as the jacket we just described. When you integrate with third-party APIs, you lose 100% control of your company’s data. You send it, you connect it, it’s gone. And surprise, surprise, if something goes wrong, you’re still on the hook for data security.

All is not lost here. Meet Vorlon. Vorlon helps you take back control of your data. With Vorlon, you get continuous visibility of sensitive data shared via API across third-party applications. So, you always know who, what, when, and where your data is accessed. Waterproof your data today with Vorlon.

Visit vorlonsecurity.com to learn more and take advantage of a free risk observation report. That’d be cool. All one word, vorlonsecurity.com. Go there because your data deserves better than a soggy raincoat.

It’s time to play “What’s Worse?”

16:32.870

[David Spark] All right, Amir, I’m assuming you know about the “What’s Worse?” game. All right?

[Amir Khayat] I do.

[David Spark] He’s nodding his head. The way this works is I’m going to make Steve answer first. But being that you are in the third-party risk space, I have chosen something that is appropriate for you. Okay?

[Amir Khayat] Let’s do it.

[David Spark] Does not mean it’s going to be easy, but it just has to do with third-party risk. All right, Steve, are you ready? Two crappy scenarios.

[Steve Zalewski] No, never ready for these, but you never let me out of it. Go for it.

[David Spark] It’s part of the game. It’s fun. Aaron Kinder of Livingston International, he supplies the following two scenarios. Having a third-party vendor suffer a data breach that exposes your company’s sensitive data. Sounds like a solution for Vorlon here. Well, sadly, they didn’t have it. All right?

Scenario number two, learning that an internal employee has been intentionally leaking sensitive information to competitors. Which one is worse here? These are both pretty awful.

[Steve Zalewski] And here’s why. The first one is, well, I’m going to lose customers. The second one is I can put the company out of business. I am going to go with the second one, which was it’s worse to have an insider leaking confidential business data out to a competitor. Okay? Because I have a much harder time managing the financial consequences of that than quite honestly I do with a PII breach.

[David Spark] Well, it says company sensitive data. I don’t know if it’s specifically PII. It could be any and all, to tell you the truth.

[Steve Zalewski] That’s why both of these, like when he set them up, neither are good. Right? So, I’m just like I’m dead man walking in either case. But I’m going to go with the insider threat, the second one, which is I’ve got an insider moving data out.

[David Spark] It’s conceivable, but yeah, and essentially, you’re playing a risk game here too, and it is a risk management… All right. Amir, we throw this to you. Steve gives his argument for the second one being worse. I would assume you’d want to take the first one, being that it speaks to your company’s business.

And if someone didn’t have a solution like yours, then they would suffer the first and that would be the worst. But it’s very conceivable you may think like Steve does here, that the second is far worse. Where do you stand on this one, Amir?

[Amir Khayat] So, I haven’t ever been in the CISO’s shoes, but I will say that, hearing it a lot from different CISOs, I will actually go with the first one. And not only because we can help with the first one, we can actually help with the second one, I just think that the risk itself is a little bit more clear when you know who your insider threat is from an operational perspective.

I would say that…

[David Spark] Oh, that’s a good point. He makes a good point, Steve.

[Steve Zalewski] He does.

[David Spark] Go ahead, Amir.

[Amir Khayat] Yeah, you just need to connect the dots. It will take you time, but if you have the right solution – Vorlon – that can help you. But I will go with the first one, Steve, which I actually think that the impact is harder to assess and will require more time, which will cause larger distraction for the business.

[David Spark] That’s a good argument. It’s taking a different angle here, Steve, in that you immediately assume the second one’s worse just because you think the company may fold. But he does make a good point. The second one, you can actually kind of track who did what and where it went. Versus the first one, that’s anybody’s guess.

[Steve Zalewski] Right. And the first one is third-party risk management and more and more fourth-party risk management. It’s bringing visibility into something I have no control over, right? Because by definition, I’ve given it to somebody else and I’m trusting them. And so I can tell them what I want, but I can’t make them do what I want, right?

And so a lot of what we’re talking about is how do I get visibility? And then when something bad does happen, right, what limited capability do I have, right, to be able to manage it? That’s the ongoing problem we have and why we’re talking about this. The second case, I can do a little bit more about it.

Maybe it just feels like I have a better answer for the executive team than I do for the first one with our current level of third-party and fourth-party risk.

Please, enough! No, more!

21:05.270

[David Spark] Today’s topic is, in honor of our guest, third-party API security. So, Steve, I’m going to start with you on this one. What have you heard enough about with regard to third-party API security, and what would you like to hear a lot more?

[Steve Zalewski] I would like to hear less about the problem and more about answers to the problem because mostly for the last two years, all we’ve talked about is the fact that it is a problem, and we don’t have the people, process, and technology in place for me to do something about it, and more and more, it’s becoming my number one issue is being able to characterize that risk first and then be able to do something about it.

[David Spark] That is a good point. By the way, I think I’m pretty darn clear on the problem, and I’m pretty darn clear that the problem is pretty massive. All right. And by the way, we did, a long time ago, we did a whole piece on dealing with API security, and this list of problems with API security I think only is growing.

I think it’s one of the more complicated spaces, if not the most complicated space in security. It’s ludicrously confusing. Amir, who’s nodding his head, who has dealt with this for a while, I’m going to ask you the same question. What have you heard enough about with regard to API security? What would you like to hear a lot more?

And we’re going to get into Vorlon here. Go ahead.

[Amir Khayat] So, I will say that I heard enough about the challenge with APIs that you publish as a company and that you own. And I would say that I didn’t hear enough about what you consume as a company, which again, this is a larger attack vector. You just mentioned it. Think about the number of applications that organizations consume.

From an API perspective, it’s way larger than what you publish. So, although you secure that aspect, I would say you need to pay high attention to what you don’t secure today.

[David Spark] All right. So, explain to me, obviously, what do you want to hear more, how is Vorlon dealing with this issue?

[Amir Khayat] So, I will start by saying that most of the internet communication today is driven by APIs, right? And what we’ve heard for a while is that companies can’t predict the future, but they can control their destiny. And today when you connect third-party applications relying on APIs, your vendor owns your destiny.

And Steve mentioned that before. You don’t know what data they have access to and where they are accessing it from, and our vision at Vorlon is to change that. We want to help companies in three things. One, see what third-party applications have access to their data. Two, understand who’s accessing those APIs at every given moment so they can control their own destiny.

And three, proactively detect, assess, and respond to third-party threats immediately.

[David Spark] For something that’s so complicated, you kind of spell it out as simple as possible. Like what every cyber person wants to hear is, “I don’t want to know what the heck I have. I want to know what’s happening right now, and I want to be able to deal with it right now.” Why has this been so difficult in API security in the past?

[Amir Khayat] I think coming from my background at SOAR and our team at Vorlon in general, we’ve seen hundreds and hundreds of APIs, third-party APIs, and we understand how they’re structured and their limitations. That helped us to actually build the product, which is basically patented around reconstructing all this information and handing it over to the practitioner in a very easy way so they can actually take a decision.

Going back to the automation discussion, you want to be able to take an immediate action after gathering all the information.

[Steve Zalewski] I’m also going to expand on that for a minute, right? Which is third-party API security historically, right, has been I’ve got my own data centers, right? And I’ve got maybe some cloud data centers. And I’m trying to move data between a user and a business application, right? How do I manage that to a store?

But what we’ve done in the last five years is we went to a data-centric model of infrastructure. And so those third-party APIs that used to have hundreds, I’ve now got thousands, and it’s right to the data itself that’s being exposed, not to a business application that then has the data. That transition in the last five years at light speed is really why third-party and fourth-party risk has become such a big problem for us is because we’re putting all the data directly out there.

So, we’re exposing a soft underbelly we’ve never had to before and we’re just not very good at it yet.

[Amir Khayat] Totally agree, and I’ll just add one more thing on that to clarify without getting too much into the weeds. The challenge, David, is that this communication does not go through your traditional controls. It does not go through your API gateway. It does not go through your WAF, as Steve mentioned.

And this is the challenge of having a solution like that.

Could this possibly work?

26:31.702

[David Spark] Every security pro thinks they are building a secure program. I mean, that’s their job, why wouldn’t they? But I just saw yet again another study claiming there is a serious misalignment on how well security pros think they’re doing and how their security programs actually perform. Now, by the way, I just want to say to everybody who creates one of these reports, I get it.

Your point of creating the report is to show that the problem is bigger than you think it is, so you need to spend money on our product. I got it. I got it. We all got it. All right? So, I don’t need to see another one that says exactly the same thing. But here, we go on with this report and others we see.

Just look at the breaches we see in the news every day.

If our security assumptions aren’t up to snuff, why aren’t we testing them, wondered Maurice Uenuma in a recent piece on Dark Reading. He pointed to the SolarWinds attack as a moment that showed the assumption that you can trust verified updates to a trusted network management platform. This kind of testing would require understanding what assumptions we’re already making in security, developing a plan for when that assumption is no longer valid, and then coming up with a systematic way to test against that.

So, this is kind of aligning with sort of these concerns around API security, or just anything third-party related, Steve. I get a sense of knowing what we should do and what actually gets done, that’s where the misalignment is. And a lot of it goes back to this classic trust but verify line. Who does that?

They say it, but they don’t do it. Steve?

[Steve Zalewski] Well, I also go back to a favorite line that says show me the money, okay? Because we’re trying to build a secure program, but we can’t secure the entire perimeter, right, without sufficient resources. And so time and time again, we have to “prioritize” the order with which we secure the perimeter, which means there’s always gaps.

And when the bad guys take advantage of a gap, people then look to us and say, “Wait, you said you had a secure program.” And the answer is, “Here’s what I’m securing, but here’s what I haven’t secured yet.” And that part gets lost when people want to place blame.

So, I would argue that’s kind of the yin and the yang of the argument when you talk to security practitioners is that this is that risk conversation that keeps wanting to enter the picture of security practitioners having to move from secure my company to protect my business. But that is a very different conversation, right?

When you do that, and now how do you manage that risk? So, for all these reports that say, “You security people, right, are lying or are not doing your job.” What I’d say is kind of sit in our shoes for a day, right? And see that this is how we are trying to manage the new perimeter and the new way that the executive teams are measuring us.

And so now tell me what’s good enough security to stay above the poverty line, knowing that they’re not showing me the money.

[David Spark] All right. I’m going to let you close this one out, Amir. What are your thoughts on this, what we should do and what actually gets done?

[Amir Khayat] So, after hearing Steve, it’s harder actually for me to answer this question because he took me to think about the real challenge. But if you did not have the budget limitation, I see it as a…organization’s cybersecurity program as a basketball team. Like during practice, the team runs drills, practices plays, and simulates game scenarios to prepare for the real competition, right?

And in cybersecurity, you call it the red team, basically. So, if you do have the budget, I believe you should invest in it because, the same as the basketball team practicing and preparing for game time, having a security program without constantly testing it is pointless because you will be destroyed in game time.

[Steve Zalewski] And yes, I kind of took it from a different perspective, right? Kind of strategically is there are two things we talked about earlier, right? Be brilliant at the basics in your security program and automate, automate, automate, okay? And I think we still want to come back to those two about how it can possibly work.

But we have to look in this day and age, what really is brilliant at the basics now? It’s not having a full-blown security program, right? It’s what does brilliant at the basics mean. And leverage that automation at every stage for efficiency and effectiveness. And I think we are making a lot of progress there, but it’s causing us to now have to go back to actually ask those questions all over again.

[David Spark] Good point.

Closing

31:47.249

[David Spark] Well, that brings us to the very end of this show. I want to thank our guest and his company Vorlon for sponsoring. Remember proactive third-party API security. If you forgot about that, just go back a little bit. We talked a lot about it on this show. In fact, go to their website, vorlonsecurity.com, and they’ll give you a free assessment of your situation.

Which by the way, not enough companies take advantage of this, mostly because they know something will be discovered and they’re going to be scared about what they see. You know what? Just do it. It’s better to know than to stick your head in the dirt like an ostrich. Which I have seen ostriches before, but I’ve never actually seen them do that, Steve.

[Steve Zalewski] The other thing is, we’ve talked about this with Vorlon today. What we will say to that is we will stick our head in the sand unless you show us the solution to the problem. And an assessment here is not just seeing more problems. It’s actually an appreciation for when we’re ready to do something about it, and so we have an opportunity to take our head out of the sand in this case.

[David Spark] All right. And by the way, you answered my question. You’ve never actually seen an ostrich do it.

[Steve Zalewski] No, I have not.

[David Spark] Amir, I’m throwing it to you. I’ll let you have the final word. Do you have any special offer beyond what I’ve just said on the show? Anything else to add about Vorlon, let’s hear it.

[Amir Khayat] Just if I have to leave our audience with one thing to remember, it’s that you have to control your own destiny. When your vendor is breached, a couple of legal clauses in your agreement are not going to protect you, or more importantly, your customers. Your security is a shared responsibility at best and more often a sole responsibility.

And I think that you would all agree that you can’t find an organization out there that does not leverage third-party APIs. They’re amazing. Definitely, they help us to improve productivity and scale our business, but they’re also very largely unmonitored. This is why we created Vorlon. Would love to meet you at Black Hat.

Visit our website. And thank you so much, David and Steve, for a great conversation today.

[David Spark] This was an awesome episode. I appreciate it. Yes, I’m going to echo what Amir just said. Come find us at Black Hat. Remember, I’ll be on the show floor all day on Wednesday, August 7th, with the camera crew. Just come up. I got random questions I’m asking people on the floor I’d love to get your input on.

[Steve Zalewski] Come say hi. We love our audience.

[David Spark] And to remind you, Vorlon will be in the startup area. They don’t have one of those regular booths. I guess they give you like a little table or a little space. But just go to the startup area. You’ll find Vorlon. Say hello to Amir. Let him know you heard him on this show.

[Steve Zalewski] That’s right. It’s where all the cool kids are going to hang out.

[David Spark] There you go.

[Amir Khayat] [Laughter] We’d love that.

[David Spark] Awesome. Thank you, everybody. And we greatly appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.