Fix it? Let’s Just Get Rid of It.

We’ve increasingly seen vendors not releasing patches for critical vulnerabilities and instead pointing to rip and replace as the only remediation. Sometimes this is the only option. But are organizations ready for zero-days that effectively move your hardware to end-of-life?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is our sponsored guest, Danny Jenkins, CEO, ThreatLocker.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full Transcript

Intro

0:00.000

[Voiceover] Biggest mistake I ever made in security. Go!

[Danny Jenkins] I think the biggest mistake I ever made was assuming something did what it said on the tin. I pitched for a new security product. I’ve done it several times, but there was one in particular I fought like hell to get a new security product, this is back in 2002, and I said it was going to stop all of our virus problems, and it didn’t, [Laughter] and I got egg on my face.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series, and joining me as my co-host, you love him, you know him, you can’t get rid of him, we can’t get rid of him. It’s Andy Ellis, the partner over at YL Ventures. Andy, say hello to the audience.

[Andy Ellis] [Foreign language 00:00:58].

[David Spark] Was this Irish, Gaelic, what?

[Andy Ellis] That was Irish. My apologies for butchering that for anybody who speaks Gaelic fluently.

[David Spark] Did you listen to somebody else saying it or AI saying it?

[Andy Ellis] I tried, but Google Translate will not actually give you the sound for Irish. It’s such a difficult language that even Google gives up on it.

[Danny Jenkins] So, 90% of people in Ireland, I know they’ve said it there for 10 years, cannot speak Irish. They know how to say slán abhaile, and that’s about it, which is safe home.

[Andy Ellis] Yep.

[David Spark] Let me just mention that that’s our sponsor guest. That’s Danny Jenkins, CEO of ThreatLocker, who is Irish himself.

[Danny Jenkins] No.

[David Spark] No, you’re British. I’m sorry. You’re British. I’m sorry.

[Danny Jenkins] I’m British, but I spent a long time in Ireland and my wife is Irish.

[David Spark] I’m sorry, your colleague, Rob Allen, he is Irish. I’m sorry.

[Danny Jenkins] Correct.

[David Spark] My apologies. But yeah, I kind of assume that. You don’t hear a lot of people speaking that at all, do you?

[Danny Jenkins] No.

[Andy Ellis] But I figured since he lived in Ireland, I would at least give Gaelic a try.

[David Spark] There you go. Let me just say this. Our sponsor is ThreatLocker, phenomenal sponsor with the CISO Series. Danny is the CEO. They are the Zero Trust Endpoint Protection Platform. Let me ask you this, Danny, and I’m going to ask Andy as well. All of us have gone to big trade shows like Black Hat, like RSA.

I know the last Black Hat, I saw ThreatLocker had a huge presence. We’ve all had many, many, many experiences there. What is one thing that you’ve done that has hugely paid off for you at a conference that you advise others to do as well? I’ll start with you, Andy.

[Andy Ellis] Bring a stuffed animal.

[David Spark] Bring a stuffed animal. Just one or just a lot to give away?

[Andy Ellis] No, no. The trick is, like when I was with Akamai, we had George the Penguin. When I was with Orca, we had Orky Orca. It’s this higher-level piece of swag. Everyone was like, “Oh, my God. I got to find this. I got to go take a picture with it.” George the Penguin actually had his own RSA badge because I was doing keynote talks.

And so he just became my mascot. People wanted to engage with it. Everybody who shows up next year, you all have stuffed animals, then you lose the feature of it. But something that’s unique and personal and relatable for your brand.

[David Spark] And I will just say this. One of the good things of stuffed animal giveaways is often people are at trade shows looking for gifts to give to their kids.

[Andy Ellis] Exactly.

[David Spark] And that becomes very popular. All right. Danny, same question to you. One thing you’ve done at a trade show that you advise others to do because it was a huge success?

[Danny Jenkins] Okay. And it depends on the type of trade show. We did 850 trade shows last year.

[David Spark] That’s a lot.

[Danny Jenkins] And some of the ones we do are in the MSP industry, and the difference when you’re selling to MSPs and selling to enterprises is you’re selling to the business owner. So, you can get away with a lot more selling to the owner.

[David Spark] Mm-hmm.

[Danny Jenkins] You can’t do this in an enterprise trade show. Gave away a Hummer EV.

[David Spark] Whoa.

[Danny Jenkins] And I can show you the math. We’ve done it three times. And we did the same show three times the year before without it, and they were the same shows, and we tripled our ROI on the show.

[David Spark] With one Hummer EV giveaway each time?

[Danny Jenkins] Yeah. On a million-dollar show, 150 grand car gives you three times the return. But it won’t work at a show like Black Hat because you can’t give away a Hummer to a CISO because they become conflicted.

[David Spark] Yes.

[Danny Jenkins] You can give it away to a business owner if you sell to IT security companies.

[David Spark] Right.

[Danny Jenkins] Because they can’t be conflicted because they own the business.

[David Spark] Good point.

[Danny Jenkins] But best payback we ever get. We do it three times a year and it works wonders.

What’s the starting point for a CISO?

4:37.320

[David Spark] When a zero-day hits, we usually know the drill, apply mitigation, and wait for the patch. But what happens when the only mitigation is rip and replace? That happened with Barracuda Networks last year, as highlighted by Brian Krebs. Now we’re not looking to throw anyone under the bus, but it’s hard for your initial instinct not to see this as a forced upgrade.

Organizations have processes in place for patch management and decommissioning end-of-life hardware. Andy, where do events like this fall, and is anyone ready for a zero-day that effectively makes hardware end-of-life?

[Andy Ellis] So, this is a really, really tough challenge. First of all, we do have to accept that sometimes you just have to end-of-life a device.

[David Spark] Exactly.

[Andy Ellis] That you have stuff encoded in the firmware, the firmware is not capable of being upgraded past a certain point, and so all hardware does at some point have to get ripped out. The challenge is when it has to get ripped out, not on a schedule you control, because there’s a vulnerability tied to the hardware.

And that’s, I think, what people are reacting to. But I think the challenge has become people think of hardware as a capital investment that lasts forever, and the reality is it doesn’t.

I actually have this problem right now in my house, which is we have a home automation system that was here when we bought the house, and you can no longer actually even get parts for it because they’re not making that chip set anymore. There are no fabs left that make the chips that are used in this hardware.

So, at some point, there’s a vulnerability, it’s a rip and replace. Now, fortunately for me, home automation system, I don’t want anybody else automating my home. So, I have ripped out the network for it, and I’m much less worried. Much harder to do that with your email security appliance.

[David Spark] Yeah. People aren’t ready for end-of-life hardware, but we kind of all know it eventually. And it’s just more of like, “I can’t do this anymore, Danny. So, I guess I got to get an upgrade.” We never have this feeling of it’s forced. Like if I don’t do this, like the walls come crumbling down.

Where do you stand on this?

[Danny Jenkins] The first problem is hardware. When you buy hardware, you tie yourself into a fixed life of that hardware and upgrading it becomes very problematic. We’re in a world of subscription-based security now, and that’s good because it means your security vendors won’t get paid if they don’t continue to innovate.

It also means your CFO doesn’t expect that he’s just made a capital purchase that’s going to last forever. So, I think when it happens, you’ve just got to move fast. And unfortunately, it does happen sometimes. I think the bigger solution is, stay away from hardware-based purchases, where it’s not the software and the hardware coupled together, and your only solution is to get a new piece of hardware.

To try and, where possible, use software-based services, or SaaS-based services even better, and then you know you’re paying a yearly subscription. The vendor knows, if they want to keep getting paid, they got to keep delivering updates and enhancements and better security.

[David Spark] Do you think this is also the reason because, I mean, I have seen the trend – and let me see, agree or disagree with me – for a shifting away from capital-based expenditure business in general to operational-based expenditures. Danny?

[Danny Jenkins] I think all expenditure is operational, whether you like it or not.

[Laughter]

[Danny Jenkins] You buy a car, it’s operational. You choose the lifespan of your car. Is it two years? Is it five years? Is it 10 years? But at some point, it’s going to run itself into the ground. All expenditure in a business is operational. Everything you do is essentially rented, except maybe if you invest in gold or something like that.

[David Spark] But that’s actually a good point because what then makes attractive, like you say, SaaS-based services – I’m going to throw this to you, Andy – is it’s operational expenditures without the capital expenditure, which is you’re saying everything’s operational. So, if I can do operational without capital, even better.

Yes, Andy?

[Andy Ellis] So, I think the expenditure type doesn’t really matter because you expended CapEx, like you buy a thing, you amortize it across the years. You’ve turned it into an operational expense through bookkeeping. So, while that does matter somewhat, I think what matters far more is are you stuck with the device, right?

That’s the key thing of capital is do I have a thing I’m stuck with that I can’t afford to pivot? So, when we think about operational expenses, don’t worry as much about the bookkeeping and more of the do I have a sunk cost that I can’t do something with?

What works? What’s not working?

9:14.410

[David Spark] What’s a process for setting up a pentest? Someone on the cybersecurity subreddit shared an experience of reporting a pentester to building security, who eventually was detained by the police. Now the employee did what they were supposed to do, report someone suspicious on site, but shouldn’t the pentest account for something like that?

How can we make sure these tests are effective without getting the police involved? Or do pentesters need to make sure they have their stories straight just to be safe? And have you ever run into this, by the way, Danny?

[Danny Jenkins] Actually, [Laughter] very, very recently, we ran into this. And I’m not sure pentest is the correct word, but we decided to drop a Wi-Fi pineapple onto the roof and take over the ThreatLocker Wi-Fi. Traditionally, we’ve done this before, we did it last year with a drone and we accidentally crashed the drone into the window.

[Laughter]

[Danny Jenkins] So, I was explicitly told by the powers that be no drones this year. So, we used a chopper instead.

[David Spark] Oh, really?

[Laughter]

[Danny Jenkins] And apparently, when you drop a Wi-Fi pineapple onto the roof from a chopper, it causes chaos with the police force because someone thought it was a bomb. So, a little bit more extreme.

[David Spark] Oh, my God.

[Danny Jenkins] We recently had a visit from the police into our office because they thought someone dropped a bomb on our roof from a helicopter, and we didn’t have a story prepared because we didn’t expect someone to call the police. I’ve never even thought about it until recently and…

[David Spark] And by the way, hold it, was that person who called not an employee of ThreatLocker? Someone else?

[Danny Jenkins] Not an employee. We are directly across from a sports center. So, apparently, the police were not happy because multiple calls came into 911 about a suspicious package, potentially a bomb being dropped on our roof, and there were videos from the gym across the road where people obviously saw this chopper coming around.

Now, that wasn’t really a very subtle pentest anyway, but it was really about making the point that I can do it without a drone.

[David Spark] [Laughter] Something much larger. But okay, if you were to do that, let’s just say if you were to do that again, I’m assuming you would call the police and say, “How can we do this ahead of time, so things don’t happen like this?” Yes?

[Danny Jenkins] Yes, we have the police number. They asked us to make sure that if we’re doing this again, that we notify them ahead of time, so they don’t get completely freaked out by a helicopter circling a building with something hanging out of it. But I’ve never thought about it, and I’ve done a lot of pentesting, and I’ve walked into places and dropped rubber duckies and OMG cables into the back of computers, and I’ve never been caught.

With their permission, of course, but I’ve never been caught. But I never thought once, “Oh, I could get caught and get arrested.”

[David Spark] Yeah. Well, [Laughter] that’s…

[Danny Jenkins] They should probably have the engagement contract in their hand.

[David Spark] Right. This is a good thing. Alert the police before you do a pentest that this could happen.

[Andy Ellis] I would just stop there. Alert the police before you do a pentest, like you’re doing any physical pentest and you have not engaged with the police. Like the police love you. You call them, you say, “Hey, by the way, we’ve been engaged to do this pentest,” or “We’re engaged…” What you really want is the owner of the building to have contacted the police, like the person that they know is going to be making the call, or that they’re going to be calling to say, “Hey, by the way, we’re coming to your building.” Like, you should have this.

I guess I’m lucky because the first pentest I did involved M16s. So, yes, we made very, very sure that the security forces on the base knew who was doing the pentest, what was going on, and that there were like seven letters covering the person because we were afraid they were going to get shot.

[Danny Jenkins] Yeah, you don’t want to do that. That’s worse than calling the police.

[Andy Ellis] Yeah.

[David Spark] [Laughter] First of all, I know in general, the police, they love that you do security testing as well. So, is there more involvement with the police beyond like you’re alerting them, letting them know that should someone contact you, you’re aware that this was a test?

[Andy Ellis] Yeah. I work on security with our synagogue, and we talk to the police all the time. Like when there’s an event where it’s like, “Hey, by the way, we’ve got an event. Here’s what’s going on. You should expect unusual activity.” When we’ve had a security consultant come in, we tell the police.

You just build this relationship with your local police force, partly so they know who you are, and they care a little bit more about your building because you’re a great upstanding citizen who likes to tell them things.

[David Spark] So, the guy who’s essentially the manager of our synagogue, actually, he did it as a more ongoing process.

[Andy Ellis] Yeah.

[David Spark] Where he had regular meetings with the police about, “Here’s what we’re doing, here’s what we’re setting up,” engaging with them. So, everyone was in sync all the time. Let me go back to you, Danny. Have you done anything sort of either for yourselves, for clients, like where you’re sort of constantly in sync with authorities of any sort?

[Danny Jenkins] So, we work very closely, not so much the police, actually, I mean we work with the police, but the FBI more so. So, we work very closely with the FBI, where the FBI will actually come to us and say, “Hey, there’s a new malware. We’re trying to understand it better. Can we give it to you?

Can you run it in your environment?” And we’ll constantly have meetings like that. The police tend to have, especially in Orlando, Florida, they’re not the most tech-savvy cybersecurity unit. So, we don’t do too much with the local police, more so FBI. The police stuff is more just normal community stuff that we put an offer out, when the whole world got blue screen, to any law enforcement or schools and things like that, that we will send our staff on site to help recover computers if they’re affected by that incident.

Sponsor – ThreatLocker

14:48.184

[David Spark] Before I go on any further, I do want to tell you about our absolutely spectacular sponsor, and that is ThreatLocker. So, cybersecurity really isn’t just about fighting fires. Sure, it’s an important part of it, but it’s really about making sure they never start in the first place. That’s a really good security program, and that’s where ThreatLocker comes in.

With ThreatLocker’s deny-by-default approach, nothing runs on your network unless you say so. It’s like having a digital bouncer guarding your organization, keeping out ransomware, zero-day exploits, and sneaky supply chain attacks. Plus, you get a full audit trail of every action because visibility is power.

ThreatLocker’s US-based support team makes setup seamless, so you can stop worrying about vulnerabilities and start focusing on what matters most. That’s why thousands of companies trust ThreatLocker to keep their business running and secure. Take control of your business’s cybersecurity today. Visit ThreatLocker.com to learn more.

It’s time to play “What’s Worse?”

16:02.360

[David Spark] All right. It is time to play “What’s Worse?” Danny, I know you know how to play this game because you played it before. We’re going to play it again. Andy answers first. I love it when you disagree with Andy. Not required, but I love it when you do. Now, I’m going to say this one comes from ChatGPT.

We’ve been actually leaning on ChatGPT to help generate some “What’s Worse?” scenarios, and this is a pretty good one, I think. We just can’t tag ChatGPT on LinkedIn because I always like to acknowledge the person. All right. ChatGPT gives us two scenarios. Scenario number one. Discovering a data breach three months after the fact affecting sensitive customer information.

You’re going to have to do…

[Andy Ellis] So, normal for discovering data breaches. Three months? That’s fast.

[David Spark] Normal. Now, you’re going to have to do an audit. You’re going to have to do an audit to see what’s been taken. You have no idea, all right? So, it’s still normal.

[Andy Ellis] But wait. How do I know that there was a data breach if I have no idea what was taken? ChatGPT, you got to work on these a little bit better.

[David Spark] But let’s play along here in that you know something happened, but you don’t know to the degree what’s happened. It could be a little, it could be a lot, and you do know that it does affect sensitive customer data. All right. Scenario B.

[Andy Ellis] Okay.

[David Spark] You’re detecting a live ongoing breach where the attacker is actively exfiltrating intellectual property, all right? So it’s coming out right now. It’s going on right now.

[Andy Ellis] But it’s IP, not customer data?

[David Spark] Correct.

[Andy Ellis] Okay.

[David Spark] Which situation is worse?

[Andy Ellis] The first.

[David Spark] Okay.

[Andy Ellis] Oh, this one’s easy. I like when I get easy ones. Danny may disagree with me. First of all, I got a shot of shutting down the thing that’s going on right now.

[David Spark] Mm-hmm.

[Andy Ellis] I certainly, from a PR and messaging perspective, like, “Yes, we got breached, but we caught it as it was happening,” a lot better than, “We discovered it three months later.”

[David Spark] Mm-hmm.

[Andy Ellis] I would always rather lose my IP than lose my customer data.

[David Spark] Okay. Now, the thing is, it’s going on; also, you don’t know the degree of scenario A. Actually, what am I saying? You don’t know the degree of either of them.

[Andy Ellis] I don’t know the degree on either one of them, realistically. Like, who knows?

[David Spark] Right.

[Andy Ellis] But I have to treat scenario A like it’s all my customer data got breached until I can prove otherwise. We’re no longer in the world where you get to put your head in the sand and say, “We don’t know what data was breached; therefore, we get to pretend nothing was breached.” Like, now you’re in a world where if you think customer data was accessed and was stolen, you have to treat it as if it was, unless you kind of have proof on the other side of it.

Like if you’re a responsible CISO, that first one’s pretty bad.

[David Spark] Let me ask you, if the situation was different, like say you were a Lockheed Martin.

[Andy Ellis] Yep.

[David Spark] And it was the intellectual property of Lockheed Martin that went out the door versus the customer. Would you still feel the same way?

[Andy Ellis] I mean, it might, but the question is like which intellectual property? Because the design schematics of all of their planes, certainly all the commercial planes, they’re shipping out anyway. Because you have to ensure that when a plane lands, somewhere, if it needs repair, that the schematics for that plane are being delivered to that airport because every plane is different.

Now, obviously, if it’s a jet – I don’t remember which one, Lockheed Martin, I think they’re the F-16, but somebody will correct me – that might matter a little bit more, but that’s different than just being intellectual property. So, I’m going to go with, from almost every circumstance, I think A is worse of just a data breach in the past that I’ve only discovered, but I don’t know how bad it is.

I’d always rather catch the bad guy in the act.

[David Spark] All right. I throw this one to you, Danny. Same thing. Do you agree or disagree? And if you agree, do you agree for the same reasons or different reasons?

[Danny Jenkins] Pretty much this is pretty boring, I’m afraid. I agree for the same reasons. The only time I could think it would be worse is, like I said, if we were actively at war with someone and they got all our weapons stuff and that could change the trajectory of the war, then maybe that would be a different scenario.

But in 99% of scenarios, losing the data is always worse.

[David Spark] Customer data.

[Danny Jenkins] Customer data is always worse. And not to mention, we’re a security company. What we do isn’t super secretive. Everyone knows what we do. [Laughter] Everyone knows how it works, and you have to be pretty transparent on how it works anyway. So, I think losing customer data is the worst scenario all the time.

[David Spark] All right. That’s good answers, both of you. I will talk to ChatGPT to do a better job next time.

[Andy Ellis] Yeah, yeah. Really train that thing. Try Grok next time. Let’s see how it does. We could try every week a different AI.

[David Spark] AI tool? [Laughter] Okay. But I’d rather have submissions from our audience, and that’s a call out for you, audience. Send in some more submissions.

Please, enough! No, more!

20:49.579

[David Spark] So, if you ask cybersecurity professionals about user training, you’ll either hear that it’s the linchpin of a successful cybersecurity strategy or that humans are the weakest link and a lost cause in cyber. So, there are a lot of strong feelings on both sides. Andy, though, I’m going to start with you.

What have you heard enough about with regards to user training, and what would you like to hear a lot more?

[Andy Ellis] Well, I’ve almost heard everything I would like to learn about user training. I’m tired of almost every argument I’ve seen in this space because they come down to refusing to admit that your security system is weak and you’re going to blame the user and say, “Ah, they need to be better at spotting a phishing attempt,” not, “Oh, we need to make sure phishing attempts just don’t work because clicking a link doesn’t matter.” What I’d love to hear more about is user training that is actually focused on giving them skills to do their job normally, not that’s focused on awareness.

Like that should be a side benefit, but how are we getting better at helping humans to do their jobs safely but effectively?

[David Spark] That’s a very interesting take. I like that. All right, Danny, I throw this to you. Both questions I ask is, what have you heard enough about with user training and what would you like to hear a lot more?

[Danny Jenkins] So, I’ve heard enough about user training, period.

[David Spark] Like Andy.

[Danny Jenkins] And I would like to see, in terms of user training, I would like to see a lot less training. And I will tell you why this is so important.

[David Spark] This is interesting.

[Danny Jenkins] We’re a security company. So, under X number of compliance requirements, our users go through more training than you can possibly imagine. And by the way, it does no good. If your user is going to click on that link, you can reduce the risk a little bit by training them, but not a significant amount.

It’s smarter to put dual-factor authentication in and stop untrusted software running and do sensible things like that. I think every employee that starts at ThreatLocker, or 30% of employees that start at ThreatLocker, receive a text message on their personal number from someone pretending to be me, asking them to buy Best Buy gift cards.

They get emails from a Gmail account with my name, asking them to do something. They’re very, very common attacks.

[David Spark] Mm-hmm.

[Danny Jenkins] I think we should focus on one page of data that are most likely to happen to that employee and train them on that because then they’ll remember it. When you give someone five things to do, they’ll do them. When you give them 500 things to do or 500 things to learn, they won’t learn any of them, or they’ll learn five that you don’t have control over.

So pick five things, train them on those, and accept the rest have to be dealt with by good IT systems and processes.

[David Spark] All right. I love this challenge you have right here, and I want to go back and forth on this. All right, Andy, we’re going to do this. The five things you want, and I know this can be different for different people in different roles, what was the very first thing you would train someone on?

[Andy Ellis] What I love is I love this idea of five things, and the training should not come from the security team. It should come from the CEO.

[David Spark] Mm-hmm.

[Andy Ellis] Because the five things are, I, the CEO, will never email you and ask you to do something unusual.

[David Spark] That’s good.

[Andy Ellis] You shouldn’t expect to hear an instruction from me unless you’re my admin or one of my direct reports. So, if you get something, go ask your boss. Boom, there’s number one. Number two, I am never going to ask you for a gift card. If you get a text message that claims to be from me, I want you to send it to me in email because I’m going to make fun of it and use it as a reminder for everybody else, and you’ll get a kudos for bringing it up.

Those are my top two right there. If I’m the CEO and I’m reaching out to you, it isn’t me. I don’t even know what my next three would be because I would just like those two.

[David Spark] But hold it. I just wanted one. I want to go ahead. Then hold it.

[Andy Ellis] Okay.

[David Spark] I’m coming back to you. Danny, what would be on this top five list? I love this idea of a top five list.

[Danny Jenkins] So, you want me to, obviously, two of them have already been answered.

[David Spark] But do you agree? Those are good ones. Those are good ones.

[Andy Ellis] Yep. So, take number three.

[Danny Jenkins] They’re good ones. The only thing I would say is I’m never that polite in emails.

[Laughter]

[Danny Jenkins] I’m the CEO. [Laughter] So, if I send you a polite email… So I agree with those two. I think if I had one thing to say, I would say, “Do not wire somebody money over X amount unless you have called the public number of record and spoken to the department to confirm the bank details.” I don’t care if you got an email from them.

I don’t care anything about it. That’s probably one of the top things I would do to anyone in finance who wires money. Only people who wire money.

[David Spark] Yeah, yeah.

[Andy Ellis] Yeah. In fact, I would just be like, “And you can’t change banking details,” just to tweak that one. Like any change to how we will send someone money, including starting one, needs to have that very clear authentication of who that human was.

[Danny Jenkins] We were getting investments once. It was about $20 million. So, they emailed me and said, “Can you send me your number so I can call you to confirm your bank details?” So, I sent them my number and they called me, and they said, “Can you confirm your bank details?” So I did. And I said, “Do you know this was a completely pointless exercise?” Said, “What do you mean?” I said, “Well, if either mine or your email had been compromised, you don’t know my voice.

You don’t know my phone number.”

[David Spark] Yeah.

[Danny Jenkins] The number could have been switched out.

[Andy Ellis] Yep.

[Danny Jenkins] She said, “Well, what am I supposed to do?” I said, “Ask the person I’ve been working with for my phone number, or find it on Google.”

[David Spark] Yeah. Yeah. [Laughter]

[Andy Ellis] Yeah. I recently had that. I decided not to tell them because I just wanted to get the money.

[Danny Jenkins] But she already had the details. She was just confirming them.

[Andy Ellis] Right.

[Danny Jenkins] And then she wired me the $20 million.

[David Spark] That’s a great case of procedure gone wrong. It’s like they just don’t know the procedure. All right, hold it. We’ve sort of wrapped up this sort of element of how the CEO communicates and the transfer of money. What else would be on this top five list?

[Andy Ellis] So, I’m going to add in. Now, I could do this because of where I worked at the time, but you will never type your password into anything. I want you to go passwordless with phish-proof multifactor and certs on devices, and you’re never going to type in a password.

[David Spark] That’s a huge leap. That’s a much bigger leap than the other two.

[Andy Ellis] Right? Because if you’re asked to type in your password, you should tell me the CISO so I can go hunt down that system owner and get them into our passwordless environment.

[David Spark] Danny?

[Danny Jenkins] I think that’s difficult.

[David Spark] I would love that to be the case, but that’s a tough leap.

[Andy Ellis] Let me then make it more generic so Danny can agree with this: for any control that you think you have implemented across the enterprise, you tell the employees that if they ever see a deviation, they should come tattle on the system owner and tell you, so you can hunt down the system owner to do the right thing.

[Danny Jenkins] We do it for limited systems, I think, and I think about how many accounts we have. Bear in mind, we have accounts with nearly every other software vendor in the world because that’s what we do, and we run on their systems. But we have systems. We have our CRM system, which is proprietary.

We have our invoicing system. We have our Active Directory. There are certain things that we have very strict procedures. And I think if you… Focus on the ones that are going to end your business when they go wrong, rather than trying to focus on the 500. Because, again, if you tell the user “never,” then they’ll say, “But I have to enter my password into Netflix, which we play in the conference room.”

[Andy Ellis] No, no. But your company password doesn’t get entered anywhere. So, what you type to log into your laptop and then you never type it anywhere else over the network.

[Danny Jenkins] Okay. But it’s all the different systems. So, the company password, yes, you type in, but your Active Directory or your Intune, or not Intune, whatever it’s called now, it keeps renaming, is [Inaudible 00:28:20], the newer version of it.

[Andy Ellis] Oh. Whatever, yeah.

[Danny Jenkins] The password, yes, that is, we should never type in. But in general, I think the problem is I spoke to a user recently and I said to them, “Why did you click ‘enable macros’?” And they said, “Well, why wouldn’t I?” And I said, “Well, it’s giving you a warning.” And then they pointed out to me, “Look, when I download this from the internet, it gives me a warning, and I’m supposed to click on that.

And when I download this, it gives me a warning, I’m supposed to click on that. How do I know which warnings I’m supposed to click on?”

[David Spark] Right.

[Danny Jenkins] And I think when you talk to someone who isn’t IT savvy and you say, “This is your company password,” they actually don’t know the difference between their Active Directory password and the iCloud password.

[David Spark] That’s a very good point right there.

[Andy Ellis] Right.

[David Spark] Hold it.

[Andy Ellis] So, that should be your North Star as an IT system is how do you get to a point where your employees are not doing over-the-network passwords for authentication.

[Danny Jenkins] They need second factor anyway.

[David Spark] All right. I want to call back one thing you said, Danny, though, which I kind of liked. And I think it’s actually, correct me if I’m wrong, I think this is a strong philosophy of ThreatLocker in that… Maybe hold it, I’m sorry, I take that back. I think Andy, you said this was, “Don’t do anything that will cripple the business.” Were you the one who said that or…?

[Andy Ellis] Yep.

[David Spark] Okay. But I’m taking this to Danny because I think this is very much your thing, in that this whole concept, the way you look at zero trust, the idea of deny-by-default in that let’s do this in reverse. What are we going to train them? Well, let’s first think about what will cripple the business and then let’s train from that aspect.

Is that, I mean, that’s got to be your philosophy here. Yes, Danny?

[Danny Jenkins] Yeah. I mean, that’s our philosophy in general. But it’s that for security, we always start with what will cripple the business. And you’ll notice I said over a certain amount with the wires, too, because sometimes it’s not worth the validation.

[David Spark] Right.

[Danny Jenkins] We’ll lose $5,000. We’re not going out of business from it. It’s not worth someone spending two hours trying to validate bank details. But I think start with what’s crippling the business, and that’s what we do because we’re about blocking untrusted software because we know that the users can’t identify what’s good and bad.

Leave it to the IT professionals.

What’s the future for a CISO?

30:24.538

[David Spark] Let’s gaze into our crystal ball and think about the future! So, Ross Haleliuk was thinking about what new cybersecurity roles will take off in the next decade. One that stood out was a role focused on behavioral psychology with a cybersecurity-specific focus. The idea being if we can better understand how people make decisions, we can use that to guide better security outcomes.

This is kind of a tip of the hat to what we were just talking about. So, the other standout was a cybersecurity economist using a blend of game theory, statistics, and value evaluation to give us a new lens to look at this industry. Ah. Again, something we were talking about. So, I’m going to start with you, Andy.

Will the social sciences be the hottest field for new cybersecurity roles, and are you already seeing people effectively filling these roles right now? Or have you seen another new trend? What do you think on this?

[Andy Ellis] So, I think of this as a skill rather than a role. And just to be very clear, I’ve been on this war for over a decade. So, I think Ross is late.

[David Spark] I think at this point, I would agree with that, but it’d be interesting if it evolved into that further down.

[Andy Ellis] I actually don’t want it to be a separate role, except maybe as an educator within the team and here’s why. I did a keynote on this at RSA like 12 years ago at this point, managing risk with psychology instead of brute force. And what you want to have is that the people who are engaged in talking to other humans, which is your whole security team, should understand behavioral psychology.

They should understand, oh, the reason that we tell you about a risk is actually not so that you will fix this risk. This is an amazing thing that most people don’t realize. Why do we tell you about a risk? Because we want you to believe that you have a higher risk profile than you currently do. Because risk homeostasis will cause you to take some action to reduce risk.

It might be this one. It might be something else. But you have to believe about the risk. If I tell you about a risk and you don’t believe it, then you say, “Ah, Andy’s always over the top. I can ignore everything he tells me,” because my risk is listening to Andy, not paying attention to Andy. And so like everybody needs to understand how human psychology works, how people react, how they’re making decisions.

It can’t just be one person on your team.

[David Spark] All right. I throw this to you, Danny, same thoughts about these sort of two takes on the roles. Is it going to be a role or just a new skill that you’re going to see attached to roles? And if so, what roles?

[Danny Jenkins] I don’t think it’s a role. I think it’s a skill, full stop. And I don’t think just about that. I think all positions in business should be focused on I’m trying to solve a problem. How do I solve that problem? Is there a person that can solve it? Do I need to get someone in to help? And that’s just general business, not just security.

I think we’re kind of trying to use magic and intangibles to solve tangible issues. [Laughter] And it’s complete bull.

[David Spark] By the way, those not watching, Andy is loving what Danny’s saying right now. Go on, Danny.

[Andy Ellis] Yes! [Laughter] I’m like, “Danny, keep going.”

[Danny Jenkins] Yeah. There is no magic to this. There’s things we don’t know about security, and we should always assume we don’t know stuff. The reality is we just got to put proper security controls in place. We’ve got to put proper processes, proper checkpoints, proper speed bumps, and without stopping the business from running, and stop trying to use magic, and deliver tangible security and secure systems.

[David Spark] Yeah.

[Andy Ellis] And I think the key point on that is the magic is important in understanding how to put in those controls. The magic doesn’t replace those controls. You should understand human psychology so that when you put in place a control that doesn’t work and gets in the way, you’re not surprised when people go around the control and do something else because they’re trying to get their job done.

What you don’t say is, “Well, we don’t have a control, but let’s try to manipulate people into believing we have one.”

[Danny Jenkins] Yeah, you can’t manipulate people. They’re always going to get around something that stops them doing their job.

Closing

34:39.032

[David Spark] All right. Well, that brings us to the tail end of this show, and this was a great show. By the way, unintended, but there was an interesting thread that kind of went through all of our segments today. And essentially, I like the idea of boiling it down to simplicity, looking at what would cripple the business, and understanding the logic of how we would get to the point of crippling the business, and how we can come back and stop that from happening earlier on.

And again, also, I think this feeds into the philosophy of ThreatLocker, too, which is a sort of deny by default, which prevents sort of the bad crap from happening further on, if you sort of deal with it at earlier stages. Huge thanks to Danny for sponsoring this episode. ThreatLocker, remember Zero Trust Endpoint Protection Platform.

You can find them at ThreatLocker.com. Danny, I’m going to let you have the very last word here. Any thoughts? I’m almost positive you’re still hiring at ThreatLocker, correct?

[Danny Jenkins] We had 40-something people start last week.

[David Spark] Oh, my God.

[Danny Jenkins] It’s a lot.

[David Spark] Yes. Any last word for our audience about ThreatLocker or anything else?

[Danny Jenkins] I would just say ThreatLocker offers a lot of security in our platform, the most important of which is block untrusted software. Allow what you need, nothing else. Period.

[David Spark] I love it. Thank you so much for supporting the CISO Series. Thank you very much, Andy. And thank you to our audience as well. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.