Why Bother Helping Users When We Can Complain About Them?

If you want to annoy a security professional, just point out the nearest sticky note on a monitor with a password. These common workplace practices make starting a dogpile session on users easy. But does that help the situation outside of a momentary catharsis? How do we make these conversations about errant security practices constructive to improve security awareness?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest Daniel Daraban, senior director of product management, Bitdefender.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Bitdefender

Enterprise-grade cybersecurity without complexity. Backed by extensive research from hundreds of experts in Bitdefender Labs and consistently top-rated in independent tests, the Bitdefender GravityZone platform provides multi-layered prevention, protection, detection, and response capabilities, including managed security services. Learn more at Bitdefender.com.

Full Transcript

Intro

0:00.000

[Voiceover]  What I love about cybersecurity. Go!

[Daniel Daraban]  I love the constant challenge of trying to stay ahead of attackers. If you think about cybersecurity, it’s dynamic, ever evolving, and honestly, at its core, it’s about protecting both people and businesses, trying to keep everybody safe so both people and businesses can thrive.

[Voiceover]  It’s time to begin the CISO Series Podcast.

[David Spark]  Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series, and joining me as my co-host, it’s Mike Johnson, the CISO of Rivian. Mike, say hello to the audience.

[Mike Johnson] Hello, audience, and good morning.

[David Spark] Good morning. Not everybody’s good morning. It’s just you and I when we’re recording this this early in the morning. In fact, our guest is on the other side of the country, so it’s not morning for him either.

[Mike Johnson]  Well, I like to think of folks listening to us on their morning commute.

[David Spark]  Have you heard Andy’s little opening spiel? He says, “Good morning, good afternoon, good evening, good night.”

[Mike Johnson]  Eh, that’s just a lot of words. That’s just a whole lot.

[David Spark]  I wouldn’t be surprised some people listen to our show as they’re falling asleep.

[Mike Johnson]  I hate to think that these are the last words that they hear as they’re drifting off. Imagine the dreams that people have.

[David Spark]  Yeah, that’s the thing. People could be having dreams about our show because that’s what they’re listening to.

[Mike Johnson]  I was just thinking about cybersecurity in my dreams last night. I had this nightmare.

[David Spark] You must have had cybersecurity nightmare dreams.

[Mike Johnson]  Yes, yes. I think that’s a lot of folks, they have dreams and nightmares about their job, and this is my career. So, absolutely, I’ve had those moments. I can’t think of one off the top of my head, but yes, I’ve had more than one.

[David Spark]  One of my absolute favorite improv games to see performed is the game Nightmare where they get an audience member to come up on stage, sit in a chair, and just describe what they did during the day, like what they had for breakfast and all that. And then the actors perform their nightmare for that evening, which it’s a great, great shtick.

[Mike Johnson]  [Laughter] That sounds amazing.

[David Spark] It almost always works. It’s a very funny premise and it works really well. We will not be having any nightmares during today’s recording.

[Mike Johnson] Mm-mm.

[David Spark] Let’s hope it all goes smoothly.

[Mike Johnson]  It’s all good dreams.

[David Spark]  Our sponsor for today’s episode is Bitdefender. Thrilled to have Bitdefender on board. They’re a brand-new sponsor with CISO Series. So, we’re thrilled that they’re joining us. Now, I do want to mention that this episode is dropping on December 17th. For those of you listening, we will not have another episode until 2025, so you can draw this one out for the next few weeks if you would like.

[Mike Johnson] Favor it.

[David Spark] Listen to it over and over again. But I do want to actually give just a hearty thanks to our entire audience and all our supporters and all our sponsors. 2024 was an absolutely spectacular year for the CISO Series. If you don’t listen to our other programming, please do. But yeah, it was just an absolute stellar year.

I can’t speak to it. We’ve been growing year over year over year, and 2024 was probably our biggest jump.

[Mike Johnson] Amazing year. Looking forward to next year.

[David Spark] 2025 will be even better. I know it.

[Mike Johnson] Yes, sir.

[David Spark] All right, let’s start the show with our guest. Very thrilled. Did I mention that Bitdefender is a brand-new sponsor? Guess what? They’re also responsible for bringing our guest today, our sponsor guest today. He’s the senior director of product management of Bitdefender, all the way from Spain.

None other than Daniel Daraban. Daniel, thank you so much for joining us.

[Daniel Daraban] Thank you very much for having me.

What works? What’s not working?

3:40.918

[David Spark]  We all want a positive culture at work, but how do we move past platitudes into action? That’s key. So, Geoff Hancock, the CEO at Access Point Technology, recently posted a list of things for CISOs and CEOs to consider daily – be receptive to feedback, honest communication, peer accountability, team engagement, and be result-oriented.

Any argument here on any of these? Well, is anyone recommending dishonest feedback? But for any one of these, I’m going to start with you, Mike, how specifically are you going to do any one? I mean, how do you stay consistent with it year over year?

[Mike Johnson]  It’s a solid list. I think it’s what you would expect from a CEO or an executive or a leader to really walk through their expectations and set some behaviors that they would like to see modeled. The feedback topic is the one that I’ll pick on. I don’t think anybody wants dishonest feedback.

[David Spark] No.

[Mike Johnson] But a friend of mine recently said something to me that stuck with me, and what they said was “clear is kind.” And it’s a good way of understanding that even though giving feedback is difficult, people really appreciate getting clear guidance, clear expectations, even if it’s hard.

[David Spark] Mm-hmm.

[Mike Johnson] The challenge is that giving feedback is a skill. We’re not born to be able to give feedback. We need to understand how people are going to receive it. We need to understand how to deliver it. There’s a great framework called Situation-Behavior-Impact, or SBI. We don’t really have the time to walk through it here.

I certainly cannot do it justice.

[David Spark] Look it up, everybody.

[Mike Johnson] I really recommend our listeners go look up the Situation-Behavior-Impact framework to understand how to give feedback, and I really think that’s a great way of turning this from a platitude into action.

[David Spark]  Good suggestion there. All right, I’m going to throw this one to you, Daniel. I mean, there’s nothing wrong with any of this advice here. And you know what this also reminds me of is like these classic things of how to separate your work with your personal life. Like all the advice sounds great, but pulling it off is quite the difficult thing.

So, how cognizant are you of all these sort of things you should do as a leader, and do you follow through, or do you really have to make a checklist? Like, “Hey, today I’m going to go get feedback from my staff.”

[Daniel Daraban]  It’s not going to be such a specific list like “I need to do this between 1:00 and 3:00 p.m. to get feedback,” and then go and say, “Okay, from 4:00 p.m. to 5:00 p.m., you need to be result-oriented.”

[David Spark]  Right. [Laughter]

[Daniel Daraban]  I think it’s more towards getting this to be part of your day-to-day without ever having to think about it. So, I’ll give one example when it comes to, or a parallel, when it comes to product management, right? I mean, a good product manager needs to understand what customers are asking, what the market is saying, and how that product is utilized.

It’s exactly the same thing within every other area. I mean, if you are a security team and you need to provide feedback to a vendor, or if you are a security analyst and you need to provide feedback to your team leader, to your CISO, to the board, to everybody, that feedback, just to double down on what Mike mentioned, needs to be clear, needs to make a difference.

Because if you just come and say, “Hey, these things do not work,” or “These things don’t make sense,” without actually providing the entire context and giving that clarity, that feedback is honestly, and I’m very sorry to say that, it’s kind of useless.

[David Spark] Let’s conclude this with one quick tip from both of you. For a new CISO, who wants to make this sort of a reflex muscle, how do you sort of suggest they sort of get into the training of that? And I’ll ask you quick, Daniel.

[Daniel Daraban]  It needs to be like a process that you own yourself. So, that list would help to just set in the process, to set in the steps, and once you’ve done it one time, second time, the third time, you will start feeling it. Again, it is very similar to what we are doing in product management.

And it’s very similar to how we are training our junior PMs to look at things, get feedback, and again, look at everything that is relevant and communicate that.

[David Spark] And Mike, anything to quickly add to that?

[Mike Johnson]  I would really just emphasize what Daniel said about practice. These skills, they’re not natural to us, but if you practice them and continue to think about them and be intentional, it will really help.

Why is everyone talking about this now?

8:43.876

[David Spark]  We just talked about positive work culture, but we all know it’s easy to dogpile on some negativity and cynicism in cybersecurity. Now look no further than the cybersecurity subreddit post on the worst cybersecurity practices seen in the workplace. It turns out a sticky note with a password is enough to set a lot of people off.

We all need to vent sometimes, and it’s good to have spaces with peers to do that. I know Mike likes to use Slack for that.

[Mike Johnson] Mm-hmm.

[David Spark] But I’m going to argue that participating in this, “Look what this moron did,” even if it’s done almost among industry friends, just promotes an “us versus them” culture, and that’s definitely not helping. So, is there anything constructive that can come out of these kinds of threads like this one on Reddit?

Is this the way to do it, or is there another way of addressing bad security practices that can actually improve corporate security culture? Daniel, I ask you.

[Daniel Daraban]  So, you’re absolutely right. It’s super easy to vent about bad practices. The “us versus them” mindset in reality doesn’t improve security. It just divides teams and creates unnecessary tension. I mean, instead we should focus on using those moments as teachable ones. When we see poor security practice, it’s an opportunity to educate, not to shame.

So, we have seen bad practices often as symptoms of a larger issue, I mean lack of awareness or training, and calling them out constructively can actually strengthen the overall security culture. I mean, the key here is to foster a culture where people feel comfortable asking questions and learning from mistakes without the fear of being ridiculed, right?

[David Spark]  That’s key, the fear of being ridiculed. I think a lot of people don’t talk up because of just that right there. Go on, I’m sorry.

[Daniel Daraban]  I just wanted to add that the fact in reality, this is how we improve security together, by collaborating, by not being afraid to say, “Hey, I do not understand this,” or “Hey, I messed up.” It’s fine, people learn from mistakes.

[David Spark]  All right. Mike, I throw this to you. Again, I will just stress this. It is kind of fun to poke fun at people who are stupid, but it’s not fostering a good security culture.

[Mike Johnson]  I want to echo what Daniel said and give you a little bit of a hard time about what you just said there, David. It’s not people being stupid. It’s people not understanding. It’s people making a mistake. And I really liked what Daniel said about making those teachable moments. If you see someone with an insecure behavior, have a conversation with them.

And if you do so constructively, they’re actually more likely to engage. They’re more likely to do the behavior that you want them to do.

[David Spark]  All right, let’s do a little role play. I just left my password on a sticky note on a computer. How are you approaching me?

[Mike Johnson]  So, I think that’s a very interesting one because I don’t think that’s as insecure as everyone thinks it is, but it is a great teachable moment opportunity.

[David Spark] Well, give me a better, more horrific situation than that.

[Mike Johnson] Let’s run with it because I think it’s an opportunity to say, “Hey, I saw you write your password down on a sticky note. While we’re not really worried about somebody coming in here and stealing your password, your account has multi-factor authentication on it, and here’s why that’s valuable.

This isn’t going to be as bad as you think it is, but here’s an opportunity to store that password in our password manager, and if you store it in your password manager, you can then generate new passwords for every site that you use, and that then gives you protection from any of those sites being compromised.” So, even though that practice – like now I’m switching out – even though that practice isn’t fatal…

[David Spark]  You didn’t double down on the benefit for them, which is less sticky notes.

[Mike Johnson]  Exactly. I could go there as well like, “Think of all the trees that you can save.”

[David Spark]  There you go. [Laughter]

[Mike Johnson]  I missed the opportunity to speak to the environment there. You’re right.

[David Spark] Why not decorate your office with things you like and not sticky notes?

[Mike Johnson] Give them a Christmas ornament and say, “I’ll give you this Christmas ornament and I’ll take your sticky note.”

[David Spark]  There’s a good trade right there.

[Mike Johnson] Exactly.

Sponsor – Bitdefender

13:30.142

[David Spark] Who’s our sponsor this week? It’s Bitdefender. Didn’t I tell you earlier? Now let me tell you how awesome Bitdefender is. So, let’s just point out what sets Bitdefender apart. It starts with their solutions, which are natively built from the ground up and run on a single platform. This is key.

We talk a lot about platform plays here. They offer comprehensive security that covers endpoints, networks, and cloud environments, with capabilities for prevention, protection, detection, and response. It’s kind of the whole gestalt right there.

Now for those who prefer a more hands-off approach, they also actually offer managed services. So, second on Bitdefender’s list is their strength in its research. With hundreds of experts from their Labs team and strong ties to academia, they continually discover new malware, vulnerabilities, and cyber-criminal techniques, helping businesses stay ahead in an evolving threat landscape.

And if you have not seen their research before, you should. In fact, it’s reported about constantly. They’re always releasing something new.

Now their extensive technology licensing program provides access to vast amounts of telemetry data, enabling faster threat detection, licensed by more than 180 of the world’s most recognized technology brands. The chances are you encounter their technology every day, whether you know it or not. So, finally, Bitdefender is deeply committed to fighting cyber-crime and building trust.

I love this. They collaborate closely with global law enforcement on joint investigations to dismantle cyber-criminal operations and release free ransomware decryptors to help victims recover their data. This commitment to security and trust underscores their dedication to protecting customers and society as a whole.

For more about this, you should just be checking out their site and that’s bitdefender.com.

It’s time to play “What’s Worse?”

15:26.793

[David Spark]  Daniel, are you familiar with this game?

[Daniel Daraban] I’ve heard a couple of episodes where you’ve played this before. I’m a bit scared to play it, but…

[Laughter]

[David Spark] You’re a bit scared. You’re not the first person to be a bit scared.

[Mike Johnson] It’s a healthy fear.

[David Spark] So, this is thrilling, Mike. This is someone who is clearly a fan of the show.

[Mike Johnson] Great.

[David Spark] They listen. So, he has customized the scenario to both of us. All right?

[Mike Johnson] Okay.

[David Spark] So, I’ll get involved in this as well.

[Mike Johnson]  Great.

[David Spark] And obviously Daniel as well. And Daniel, just so you know, Mike answers first and then you can agree or disagree with him, okay? This comes from the CISO over at Sendbird, Yashvier Kosaraju, and here are the two scenarios. Get ready, Mike.

[Mike Johnson] All right.

[David Spark] And imagine your environment includes all of this too. You have pinball machines in your office, okay?

[Mike Johnson]  [Laughter] Okay, yeah.

[David Spark] They listen to the show.

[Mike Johnson]  Oh yeah, good listener.

[David Spark]  If you don’t know, Daniel, I’m a pinball addict and I have pinball machines. All right. You find internet-connected pinball machines – by the way, all my machines are internet connected – running a vulnerable OS on your corporate network, which is not segmented, and they open up a port to the internet for anyone who wants to connect.

So, the pinball machines have become just a giant open port. Could be anything, could be your thermometer, whatever. We’ve heard that story too.

[Mike Johnson]  Yep.

[David Spark]  That’s scenario number one. Number two, you are casually told your CEO has jailbroken his Rivian R1S’s infotainment software and is installing never-reviewed aftermarket packages. Which is worse, the CEO essentially installing whatever on his Rivian or these internet-connected pinball machines with a big old open port?

[Mike Johnson]  Wow. First of all, these are hypotheticals.

[David Spark]  [Laughter] This would not happen.

[Mike Johnson] I know for sure RJ would not do this, and I also know the security of the vehicles, so we’ll set aside all of that.

[David Spark]  Most of these are very hypothetical. We come up with rather fantastical stories.

[Mike Johnson]  Yes. But just to all listeners, this is extremely hypothetical, does not happen, cannot happen. So, disclaimers abound.

[David Spark]  Okay. And you’re speaking for the pinball industry as well, I’m assuming?

[Mike Johnson]  For all of my expertise in the pinball industry.

[David Spark]  There you go.

[Mike Johnson]  But I guess I then have to say, I should add, that I’m speaking only for myself, my opinions are all of my own.

[David Spark]  Exactly, go ahead.

[Mike Johnson] But that said, I think the reality is the pinball machines on the network, that is the worst scenario. What you have there is a gateway to your entire network. All of your data, all of your customers’ data, everything becomes at risk when you don’t have that segmentation. Our audience is screaming that there’s ways to secure this, I totally get it, but based on the scenario…

[David Spark]  It’s based on the scenario, you have to go with the scenario. Now I also want to throw out that in scenario two, it is your CEO that is essentially driving an insecure Rivian. I know that’s not the case. It’s all hypothetical. So, are you saying in scenario two that your CEO is expendable?

[Laughter]

[Mike Johnson]  Well, so again, this is one of those where I know the internals of vehicles and I know that infotainment is not the control of the vehicle that people think it is.

[David Spark] Supposedly on airlines, it is.

[Mike Johnson]  I can’t speak for airlines. I just know what goes on in the auto industry and how we think about safety and the separation of the systems. So, I know that there are no humans at risk in the second scenario.

[David Spark]  All right, Daniel, I am throwing this to you. Mike thinks the first scenario is far worse, having the open-port internet-connected pinball machines. What do you say? Agree or disagree?

[Daniel Daraban]  I fully agree with that view. We have seen it in the wild. Not once. I don’t have enough fingers on my hands to actually count the number of times that people got breached just because of things like this. And there is another aspect to this particular scenario. Nobody’s going to update the firmware on those smart things, regardless of whether it’s a pinball machine, a coffee machine, or whatever.

[David Spark]  I will say that updates do get pushed to my pinball machines. Now, I don’t know about secure firmware, but it does get pushed.

[Daniel Daraban]  Yeah, but at the same time, again, having a hole in your network and not making sure that it’s quite airtight, it means that you are more exposed than in the second scenario. And again, I fully agree with Mike on the second scenario. There is a clear limitation between what the infotainment system can do and what is used and everything else and the way that those are controlled.

I mean, worst-case scenario, maybe you get hit with a rave song and you just like classical music.

[Laughter]

[David Spark]  The worst-case scenario is just music you don’t like.

[Mike Johnson] Yeah, music you don’t like.

[David Spark] So, Mike, would you change your mind at all if in the second scenario, it was a Tesla and not a Rivian? Would you be open to throwing Tesla under the bus in the second?

[Mike Johnson]  No, again, I really recognize that folks don’t understand and it’s difficult to understand.

[David Spark] Teachable moment, Mike.

[Mike Johnson] Yes. The reality is vehicles go a long way to separating the systems and making sure that especially the internet-connected pieces do not have the ability to impact safety. This is something the industry learned a long time ago.

[David Spark]  Should the entire industry be looking at how Rivian does its micro-segmentation?

[Mike Johnson]  I think the reality is it’s a modern architecture, it’s a modern vehicle architecture. So, I do think that it is a very solid architecture to model for others to take a look at. Whether or not it works for them is a different scenario, but we invest.

[David Spark] You had a greenfield opportunity, I guess.

[Mike Johnson]  Exactly. We built all of this from scratch. We own the platform from bottom to top. It’s all our software. It’s all our systems. And that has given us opportunities that most automakers don’t even have.

Please, enough! No, more!

22:19.262

[David Spark]  Today’s topic is detection and response, which pretty much is the overall definition of cybersecurity, the way I see it. But the industry has constantly evolved. It’s kind of like the stages of grief and loss or how we feel every year with cybersecurity. We’re constantly going to “get back into shape.” So, cybersecurity’s purpose started with prevention, then risk management, and then acceptance that we’re going to get breached.

And how do we manage the blast radius? Or rather, we started talking resilience. But is history repeating itself and are we talking about prevention again? I feel as years pass, the cybersecurity goalposts keep shifting. So, Mike, I’m starting with you. What have you heard enough about in detection response, and what would you like to hear a lot more?

[Mike Johnson]  So, this is an interesting question, especially as someone who came up through detection and response. That was my chosen career path. But I think rather than looking at it as goalposts shifting, I think it’s just a swing of the pendulum. We as an industry invested very heavily in detection response for a very long time, and that was catch up.

That was the recognition of controls are going to fail. We need to be honest about that and build the appropriate detection response capabilities. So, we’ve invested very heavily in those. But we’re now seeing it swinging the other way, and I think that’s healthy. We’ve started thinking more about prevention, and that’s really what I would like to hear more about, is how do we ride this swing of the pendulum, and how can detection and response better inform prevention?

[David Spark]  That is a good thing. And you say it as if it was complicated, but it’s so simple. That’s what it should be, shouldn’t it? And Daniel, I throw this to you. Isn’t this the way it should have always been? Why has this become so confusing?

[Daniel Daraban]  I think both of you are hitting on something crucial here. I like the pendulum analogy a lot because the pendulum swings between detection, response, and prevention in cybersecurity. It’s also true that for a long time, the focus has been on detection and response, largely because of the rise in various sophisticated threats, and of course, the acceptance that breaches are inevitable.

But I think we’ve reached a point where organizations have mature detection and response capabilities, whether it’s through EDR, XDR, many services like MDR, etc., and most companies that need those capabilities already have them in place. Now, what’s exciting from my perspective is that in the last few years, the conversation is shifting back to prevention, and this isn’t about returning to the old way of thinking.

It’s about using what we’ve learned in detection and response to build more effective and intelligent prevention strategies.

And this is where we at Bitdefender, I like to say, are leading the charge. We’ve always had this aggressive prevention-first approach. We recently developed a technology that we call PHASR, which stands for Proactive Hardening and Attack Surface Reduction. And PHASR is all about understanding that using a one-size-fits-all approach doesn’t work in real life.

I mean, for the last two to three years, we have been hard at work to create unique machine learning profiles for every user, application, and machine in an organization. I mean, this means that we are not just responding to threats as they come, but what we are doing, we are anticipating them by understanding the behavior of each user and application.

If you think about it, the old way of looking at prevention was, I block everything, and when someone complains, I add an exception. In reality, I end up with multiple exceptions that are never maintained due to various reasons – lack of time, skills, the people left the company, etc. – and nobody’s looking.

So, what we’ve done with this, we took a different approach. And this approach allows organizations to shift left in cybersecurity without impacting day-to-day operations, and to focus more on prevention without losing sight of the need for robust detection and response capabilities. At the same time, this technology is leveraging the intelligence that is gained from detection systems, and it’s feeding it back into proactive, even preemptive measures.

It’s, I like to call it, a much more dynamic way of managing risk – preventing attacks before they can even start. And of course, this automatically and dynamically reduces the attack surface, and the major benefit is that you are allowing your users to run applications safely. You are not impacting their productivity like in the old prevention way.

[David Spark]  Let me ask you one more question because it just popped in my mind. Is there something that you have done that you’re most proud of with regards to prevention, you’re like, “This has had a huge, huge impact. This one move.” Could kind of be like a tip for our audience, like, “If you do this one thing, you’ll be surprised how much it builds your prevention program.”

[Daniel Daraban]  I would say the best thing for any organization is to clearly understand their attack surface, their exposures. Once that is clearly understood, then you can start mitigating it. But don’t do it in the, “Oh, I have a thousand risks. Let me mitigate everything,” because you won’t be able to do anything that actually has a clear impact on the business.

Do it in a smart way, in a prioritized way, understand clearly what makes sense to be fixed, what doesn’t make sense to be fixed, what can be ignored, and what can actually impact your organization. Because if you decide to, I don’t know, let’s say patch something that will impact half of your organization or will get 20% of your servers down, that’s not a good decision.

And this is one of the key things that we are doing here. We are providing this prioritized list of risks and those 20% that solve 80% of the issues.

What we’ve got here is a failure to communicate.

29:19.348

[David Spark]  What are good C-suite alliance strategies with cybersecurity? So, recent regulatory changes in the US have made this more imperative than ever. Yet, as Raja Mukerji pointed out in Dark Reading, this kind of alliance is often seen as lip service, with cybersecurity teams quick to point to budget as a misalignment with the business.

But that argument feels reductive, so let’s look at this from both sides. How can you show that cybersecurity is a core company value beyond throwing money at it, and as a cybersecurity leader, how can you shift the business alignment discussion beyond the budget sheet? That’s a good point. Like if everyone says, “Well, they’re not giving us enough money, they don’t take cybersecurity seriously, how can we take them seriously?” Yada, yada.

I’m sure that discussion has been heard in your history, Mike. So, I ask you, how do you get beyond the, “It comes down to money whether they take us seriously,” discussion?

[Mike Johnson]  I like the way that you’re putting that in trying to get people to think beyond the budget as a sign of interest or priority. Budget doesn’t equal alignment, doesn’t equal priority. Go ask your legal team, ask them what their budget is, ask them how much they spend on tools. It’s not going to be a whole lot.

[David Spark]  And sadly, and I don’t know if you’ve ever done it, is there any correlation between dollars and improved security?

[Mike Johnson]  Also true. The fact of the matter is you could go and spend 10% of your company’s revenue. It doesn’t necessarily mean that you’ve even improved security at all. Could be the wrong expenditures. So, budget isn’t a sign of alignment. I think if you look more towards how much do people care?

If they care, then that’s alignment. If there are…

[David Spark] And so how do you measure caring?

[Mike Johnson] So, are they engaging with you? Are they engaging with your team? Are they asking their peers, are they asking their teams, “What does security think of this solution? What do they think of this direction?”

[David Spark]  So, you need a lot of anecdotal evidence for this to work.

[Mike Johnson]  I don’t believe there’s a single measure that you can say, “Well, this means that they care.” It’s mostly anecdotal. The reality is cybersecurity supports the business. We’re not generally the profit center of the business. So, it is going to be a lot of anecdotal information.

[David Spark]  You make a really good point here about anecdotal. I’m going to throw this to you, Daniel. And I’ve heard it from my side when people talk about us as well: people often only need one person to say one thing to convince them that, “Oh, that person speaks for a much larger group.” You know what I mean?

They say something positive about security or a concern around security, and then that speaks for more. Or it’s something that we feel often. I’m going to throw this to you, Daniel. Does anecdotal evidence work as a proxy for interest and concern rather than money, or is there something else?

[Daniel Daraban]  I have seen it work, actually, with several of the companies that I’m talking with, but everybody has a different approach to it. So, again, there is no, “Oh, this approach is universal and works with every C-suite,” etc. That’s not the case. But one of the best ways to do this is speak the language, translating technical risk into business risk.

I mean, when leaders understand how a security issue could impact revenue, operations, or even brand reputation, I mean, it becomes less about the technology and more about business continuity. Instead of waiting for breaches or audits to bring security into the conversation, I mean, cybersecurity teams should be part of the strategic decision-making process from the start.

And here, I fully agree with Mike, and I like the fact that just like with legal or finance, cybersecurity needs to be seen as a business enabler, not a cost center.

[David Spark]  You are totally speaking the language of our audience as well because this comes up again and again and again.

Closing

33:57.739

[David Spark] Well, that brings us to the very tail end of the show. I want to thank you, Daniel. That was fantastic, especially our second-to-last segment went into great detail about detection and response. I love that. That was fantastic. I’m going to let you have the very last word here. I do want to thank your company, Bitdefender, for sponsoring this very episode and being a phenomenal sponsor of the CISO Series.

Mike, any last words yourself?

[Mike Johnson] Daniel, thank you for joining us. I always appreciate it when product managers are joining the program because y’all have such a unique perspective that comes from talking with just so many different customers. You see way more than any of us who are CISOs see, and so that perspective is really great, and I really enjoyed listening to some of the things that you had to say along those lines.

I liked your comment about translating security risk into business risk. I think that’s a good mechanism for folks to think about. I also liked your point about if you’re prioritizing things, quite often you can find that 20% of projects that can solve 80% of your risks. So, I think those are some really good points.

So, thank you for joining us, Daniel. It was great sitting down with you. I know our audience learned a lot, so thank you.

[David Spark]  Any last words, Daniel, yourself? And a question we always like to ask our guests, are you hiring right now?

[Daniel Daraban]  We are always hiring, and you can find a lot of jobs on LinkedIn and various other platforms. One thing before we wrap up, I wanted to also thank you very much for having me here. It was a pleasure discussing with you guys.

[David Spark] Thrilled to have you.

[Daniel Daraban] And just as a wrap-up thought, I want to leave the audience with this. I mean, cybersecurity is no longer just about defense. It’s about resilience. And our goal here at Bitdefender is to not just respond to threats but prevent them. And of course, we constantly invite everybody to explore how our technologies, which, as David mentioned, are trusted by hundreds of other cybersecurity vendors as well, can actually enhance an organization’s security posture and provide that protection that you need against even the most advanced threats.

[David Spark]  I echo again, go check out what Bitdefender is doing. Their research is top notch, and they pretty much have a full suite platform for lots and lots of security needs. Remember – bitdefender.com. Thank you very much, Daniel. Thank you very much, Michael. Thank you, audience. We greatly appreciate your contributions.

Give us more “What’s Worse?” scenarios. And thank you so much for listening to the CISO Series Podcast.

[Voiceover]  That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.