Are CISOs Struggling to Get Respect?

The Invisible CISO

Are we headed for a mass CISO exodus? Organizations may have budget for cybersecurity, but without a commitment to process, will it leave CISOs in the lurch?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Lee Parrish, CISO, Newell Brands. Joining us is David Tyburski, VP of information security and CISO, Wynn Resorts.

Huge thanks to our sponsor, Palo Alto Networks

Cortex Cloud, the next generation of Prisma Cloud, merges best-in-class CDR with industry-leading CNAPP for real-time cloud security. Harness the power of AI and automation to prioritize risks with runtime context, enable remediation at scale, and stop attacks as they occur. Bring together your cloud and SOC on the unified Cortex platform to transform end-to-end operations. Experience the future of real-time cloud security at https://www.paloaltonetworks.com/cortex/cloud.

Full Transcript

Intro

0:00.000

[David Spark] Are we headed for a mass CISO exodus? Organizations may have budget for cybersecurity, but without a commitment to process, will it leave CISOs in the lurch?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And my guest co-host, one of our favorites. In fact, this whole episode is filled with favorites. You’ll meet the other one in a second, but it’s Lee Parrish, the CISO over at Newell Brands. Lee, thank you so much for joining us.

[Lee Parrish] It’s great to be here again, David.

[David Spark] Our sponsor for today’s episode is Palo Alto Networks. They have a brand-new solution you’re going to want to hear about. It is the Cortex Cloud, defining the code-to-cloud-to-SOC future through real-time security. It’s pretty darn cool. More about that a little bit later in the show. All right, Lee, how can organizations better support CISOs beyond just budget?

And this was a question that Dan Maslin, CISO of Monash University, laid out some steps that boards can actually take to do this. This includes everything from understanding the threats an organization actually faces, to working with the CISO to engage external auditors. These steps that Dan put out, are they enough to keep a CISO doing their job?

Because we hear it again and again that CISOs struggle to get sort of the recognition, the respect and attention from the executive suite. What think you?

[Lee Parrish] Yeah, I think what Dan outlined in his article, I agree with everything – clear communications, understanding the threats, plans for addressing them. If the board or the executive leadership is looking to learn more about these things, that in and of itself shows good support. They’re curious about the topic.

They want to know more. They want to make sure that we’re providing due care. So, yeah, I think that’s really good support, and I think Dan’s points were really good.

[David Spark] And audience, I just want to point out that Lee is perfect for this discussion because he is the author of a brand-new book called The Shortest Hour: An Applied Approach to Boardroom Governance of Cyber Security. And the reason it’s called The Shortest Hour is because that’s the time CISOs have in front of the board.

Explain, Lee.

[Lee Parrish] It’s an average. I know that some CISOs have more time, some have less, some have no time, but I took an average of about 15 minutes a quarter to present to the audit committee or the technology committee or to the board. And there’s four quarters in a year, so that’s an hour, and I believe that an hour is not enough time to talk about something as critical as cybersecurity.

[David Spark] Very, very good point. Well, more on Lee’s book. It’ll be linked from the blog post from this episode. But the person to help us with this very discussion is another good friend of CISO Series. We love having him on board. And the fact that we have the two of you, this is going to be fantastic.

It is the VP of information security and CISO over at Wynn Resorts. None other than David Tyburski. David, thank you so much for joining us.

[David Tyburski] Pleasure. Glad to be here.

Who’s losing out there?

2:56.419

[David Spark] Derek A. said, “Average CISO tenure is right around two years, average CFO tenure is around five years, and average CIO tenure is right around three years. So, the last three years have been massive year-over-year increases in cyber budgets without much to show for it. Boards are going to start to question cyber costs and program effectiveness.

CEOs and CFOs are going to push CIOs and CISOs to justify the ever-increasing OpEx costs associated with security products and tools. I expect to see the purse strings tighten. CIOs and CISOs are going to start to consolidate vendors.”

And Limor Silvie Kessem of IBM said, “The talk about security budgets is all about cuts while organizations have to push growth in what they offer without additional security investment. What CISO wants to take on and invest their blood, sweat, and tears in a losing game? Organizations without a security chief already flock to get the vCISO consultants and interim CISOs just to get by.

So, for CISOs, this can be the preferred mode if things continue as they are.” So, it’s interesting. It just looks scary for CISOs and budgets in general, is what both Derek and Limor say.

[Lee Parrish] I agree. I think hopefully as CISOs, we’ve already been doing security budgeting in a way that provides an optimal service for the most value. And value doesn’t necessarily mean the cheapest. I mean, it’s the highest value. And so, for those who have lined budgeting, doing it this way, any kind of increased scrutinization in the future won’t be a large shift to what they’ve already been doing.

So, one of the things I say often is, I say it in the book is, I don’t really worry about getting the budget that I need. I think in the end, I’m going to get the budget. There’s no question about it. It’s how I get the budget. Am I going to get it in a thoughtful process year over year with small incremental investments?

Or am I going to get it all at once in the wake of a massive breach when customers and clients are asking, what are we doing for security? In the end, I’m going to get the budget. It’s just I want to make sure that I’m doing it in the right way. And so doing that, the role of the CISO should be to explain the risks, explain the value proposition, and request budget that way.

[David Spark] David, everything Lee just said sounds really logical, but sounds easier than it actually sounds, doesn’t it? And that’s why he wrote a book on the subject too, I should mention. [Laughter]

[David Tyburski] Yeah, that’s why he wrote a book on the subject. I think that CISOs have to understand that they have to be business enablers as well though. So, if you’re asking for budget just to build a security program, but that security program is viewed as a hindrance to business development, then you’re going to get that scrutiny.

They’re going to pull budget away. They’re going to cut costs because the business is trying to move forward. The business is trying to generate revenue. The business is trying to do the things the business is going to do. So, I think as a CISO, you have to be able to turn that around and say, “Here’s how I’m supporting those business objectives.

Here’s how my program is not only protecting the company, but accelerating or supporting those things that the business wants to accomplish.” And I think that’s the biggest difference in the way the newer approach is…

I mean, the old joke is that it’s a CISNO, right? The guy who always says no to everything is the CISO. And we can’t be that. We’ve got to be the ones who are saying, “Yes, I understand the business wants to travel at a thousand miles an hour, and I’m going to be supportive of that, but I’m going to be there to help protect the business as well.” And so, I think it’s a different conversation in some ways as well.

What are the elements that make a great solution?

6:38.056

[David Spark] Andrew Morgan said, “I have been running around my workplace telling everyone and anyone that our security program will be driven by culture, informed by risk, and delivered through people, process, and technology. If you don’t win the culture part, it doesn’t matter how good your understanding of your risk is or whether you have the best people, processes, and technology; the program has to fail (because nobody will care enough to help it succeed.)” Albert Kolbach of Springbok Agency said, “If employees leave, then that also means knowledge disappears and costs even more than investing in retaining good staff and a healthy corporate culture.” I think this is true for everyone, not just CISOs, but this really speaks to how culture isn’t just keeping everybody happy.

It’s like a house of cards. If you don’t do this, it all falls apart. David?

[David Tyburski] I would absolutely agree. I mean, I think that not only goes for the cybersecurity staff and the people who run a security program for an organization, but everybody’s a part. I mean, the old adage, a chain is only as strong as its weakest link, right? But you go that from a technology perspective, and we call that shadow IT.

There’s also this inherent nature that people want to do their job, and if security’s in the way, they will find a way around it. So, security has to be a path of least resistance as well. So, they have to be able to do the safe thing easy so that they want to do it naturally. And if you can’t produce that, then you’re basically fighting the business and you’re fighting the people and you’re fighting the problem.

And all of a sudden, you’re going to lose because you’re outnumbered, probably hundreds to one.

[David Spark] Right. You will always be outnumbered for that matter. But Lee, your book talks about communicating to the board, but it seems that culture doesn’t happen by itself. It does take an investment, maybe not in tools and technology, or maybe some simplistic things, but how do you sort of invest improving the culture?

And is that something you’re communicating to the board? Like we really need to either A, pay these people better, create better working environments, because that is going to improve our security environment. Not like I need to buy this new tool to essentially scan these endpoints.

[Lee Parrish] The thing that came to mind when I heard about this culture aspect of the cybersecurity program, it reminded me of Lou Gerstner. He was the CEO of IBM many years ago, and he said that management doesn’t change culture. Management invites the workforce itself to change the culture, and I agree with that.

I think that as a CISO, it’s our job to create the demand for a security culture, and how I do that is by creating programs that get employees and leaders excited about security. So, we do open houses where we open up our doors of our security operations and show the employees what we do. We show them the tools that we use.

We show them why it’s important, and it gets them excited about it.

[David Spark] Can I pause you? Because that’s really interesting you do that. I mean, we talk about sort of cross-pollination, but one example we’ve seen is showing an executive how a hack actually unfolds so they can see for themselves. But when you bring just any staffers in and you’re showing the tools and what you’re doing, like, give me an idea, get into the weeds here.

What do you do?

[Lee Parrish] Yeah. We usually book a conference room. We work with our vendors to give us free koozies and stress balls and things like that. We set them out on the table. Sometimes we’ll bring food in. And we set up these stations and they have these very large screens, and we have our cybersecurity team manning each one of those stations.

And so, one of the stations will be vulnerability management, and we’ll show the vulnerability management solution that we have. And we’ll answer questions about what is a vulnerability and what is patching and things like that. Then they can move on to our endpoint protection. Then we show them that solution.

We even have components of our cyber risk partner program, which is like a BISO kind of role and what they do. And then we talk about compliance and PCI compliance, although the lines for the PCI compliance isn’t as long as some of the other lines [Laughter] in the open house.

[David Spark] Nobody gets too excited about compliance. [Laughter]

[Lee Parrish] No. No. But that’s typically what we do, and it’s been great.

[David Spark] Can you give me an idea of some of the things you’ve heard from employees not in cybersecurity after experiencing something like this?

[Lee Parrish] Well, the big thing is they ask more questions, so they’ll reach out to you more.

[David Spark] We hear that that is a good indicator of success. David, you’re nodding your head as well. Have you done something similar or maybe just some way you’ve seen your non-cyber staff get excited about cybersecurity or show interest?

[David Tyburski] Well, I mean, we do a lot of the same thing. I mean, I don’t know if I do it in a conference room with big screens, but we go through some similar open-house technology where we expose how we do what we do. We try to get the frontline workers, the non-cyber professionals, to understand how they’re a part of that ecosystem to protect the organization.

Because that’s the truth. They can be compromised. They can provide pathways for the attackers. So, we try to make sure that we not only show them how that impacts the organization, but how we can help them in their home life. How can we help their families? How can we put it in a perspective of this just not only here at your work, but it’s what goes on at home, too, and how you can use these techniques and different things that make it a sense for them.

And then that’s true. They become more involved, and you measure that by how much they begin to feed back to you.

[David Spark] Yeah. Correct me if I’m wrong. Is there any other barometers? Feedback to you, so it could be like reporting, phishing, or just asking more questions. Is there any other sort of metric you use to sort of see how well that’s working than those two?

[David Tyburski] I use the metrics that when they come to me and say, “Thank you.” It’s the thank you metric that, “Hey, I appreciate you going over that. It really helped my mom, my dad, my sister, my brother, my kids, whatever.” And so, I use that as a methodology, too, which is a more positive side of the equation, as opposed to just more phishing reports and things like that.

[Lee Parrish] That’s a good point, David, because if you can align your security goals to help the employee, not only at work, but at home, I think that goes a long, long way. Also, one of the things that it did for us was it seeded other programs. Like I have what’s called a cybersecurity champions program where we take employees who are not in cybersecurity, and we train them up a little bit more on cybersecurity and they help spread the word across the enterprise.

We expected about 50 volunteers maybe; we had 50 slots. Over 200 people applied for it. I mean, so that shows you that there’s a lot of interest in this topic.

[David Spark] Now, let me just quickly, in terms of your success for that, was it 200 after you had run those programs you described earlier, or you hadn’t and then 200 showed up?

[Lee Parrish] No, it was after.

[David Spark] Yeah. So, you kind of seeded it a little bit.

[Lee Parrish] I did. Yes. Yeah. Well, my team did. Yeah.

Sponsor – Palo Alto Networks

13:44.117

[David Spark] Before I go any further, I do want to tell you about Palo Alto Networks and more importantly, their brand-new announcement, and that is Cortex Cloud. Let me set you up here. To play your best cyber defense, you need enterprise and cloud data within a single unified platform. Now, without AI-powered detections, rapid investigations, and the ability to respond to remediated speed, security teams are left reacting to threats rather than outmaneuvering them.

Cortex Cloud by Palo Alto Networks rewrites the rules of engagement. As the world’s only code-to-cloud-to-SOC platform, it prevents cloud threats in real time with industry-leading runtime protection. This is what it’s all about here.

So, the rise of AI has accelerated cloud adoption, creating complexity that bogs down security teams. Cortex Cloud cuts through the noise by unifying the data, automating workflows, and delivering AI-driven insights that let you see, stop, and shut down attacks before they become headlines. Security shouldn’t be a patchwork of disconnected tools but built as an open platform.

Cortex Cloud is designed to integrate data from third-party tools to provide centralized visibility, full-context intelligence, and end-to-end remediation across the entire cloud ecosystem. You want to learn more about Cortex Cloud and how Palo Alto Networks is defining the code-to-cloud-to-SOC future through real-time security?

You got to visit this site – paloaltonetworks.com/cortex/cloud. Go check them out.

Does anyone have a better solution?

15:26.691

[David Spark] Brett Randall of Fractl said, “It’s a stressful time for technology leaders who are aware of the potentially catastrophic business impacts of failing ‘to do cyber well,’ but at the same time, either failing to get support or seeing budgets and headcounts slashed. There’s a role for CISOs/CIOs to play in educating the board and executive management of risks and keeping them updated.

I only see the relationship between boards and CISO becoming more critical in the years ahead.” Lee, I’m sure you very much agree with that quote.

To the next one, though, Adam McCaig of Byte Software Services said, “I’d add, make your CISO a board member themselves,” I know many would argue for this, “Information security is much more than a technology conversation, and the reach into other functions is extensive. It’s time the CISO had a seat at the table to deliver effective change with real accountability.” Lee, I would just say is, have you seen with your research for the book, and I’m assuming you talk to other CISOs that do and don’t have representation, what changes when a CISO’s on the board and not?

[Lee Parrish] When they’re presenting to the board?

[David Spark] Or, I mean, just they exist on the board. I mean, there’s argument here for them being… Or what we’re also hearing is former CISOs with very deep cybersecurity experience being on boards, too. So, like either way here, you know.

[Lee Parrish] Yeah. So, the latter, it would be very good if we had more cybersecurity experts. Some of the folks against that would say, “Well, we’re mortgaging a board seat to a specific domain and expertise where that person may not have expertise in finance and operations and other things, and we can’t do that for every single business domain that’s out there.” Which I understand, but it doesn’t mean that you can’t find a security executive, a CISO who does have that really good understanding.

Not just a glancing understanding, but a really good experience with finance and economics and budgets and all of those things and cybersecurity expert. It’s not mutually exclusive.

And I think there’s some comments in the industry about, “Well, we have somebody who is on the board who is a cybersecurity expert.” I would challenge not all of them, but the majority of them. I think there’s a distinction between expertise and experience. I think that there are probably some people who have led cybersecurity teams, maybe as a CIO or something like that.

That doesn’t mean that that person has deep-seated expertise in that area, where they’ve solely devoted their career to one particular domain, which is cybersecurity. And instead, it’s just a glancing understanding of it. That’s not expertise, in my opinion.

[David Spark] David, let me go to you on this on that, and we’ve talked about this before, is if you’re the only one communicating cybersecurity to the board or to the executive suite, you’re this one voice communicating. Conversely, you think of other departments, like just finance. Well, you have the CFO, but the CEO can talk finance, and probably someone in sales can talk about that as well.

So, you kind of have three people with a basic understanding. So, with just one voice, is it kind of a lone wolf situation where you’re just fighting for your team here, or is there something that can sort of help and support you in your effort, or really get feedback so you can make better decisions, too?

What do you think?

[David Tyburski] You said the same thing, is that when you’re talking about finance or audit, there’s more than one voice communicating. So, I think that’s the objective you’re looking for.

[David Spark] But you can’t all of a sudden dump and say, “All right, you’re now also a cybersecurity expert, and you care about it every day.” To a degree, they do, but it’s not kind of core to their function.

[David Tyburski] No, but I think to Lee’s point, you have some expertise there, maybe not experience, but you can use that within a board scenario and drive some common goal and common conversation.

[David Spark] So, can you give me an example? Like where do you see that, where you can have a common conversation? Like it’s not me as Moses from the Mount talking down to everybody about cybersecurity, but rather we’re having sort of an equaler-footing conversation.

[David Tyburski] I can work from my personal experience on the board, and we have some very technical board members who have great industry experience, both in technology and other areas. And we have outside conversations from the board so that I can gain their knowledge, their understanding, and build that relationship as much as anything.

But during that board presentation, that comes in handy as well because they can help guide the conversation to the other board members, even though I don’t hold the seat.

And the same thing where we talk about, should a CISO have a seat on the board? And I agree, Lee, that you’d be mortgaging a seat. This way, you’ve got board members who, in a sense, are your advocates and allies who can help guide those conversations to the more non-technical members, but they also are there for your support outside of your 15 minutes of fame.

So, when those conversations come up later, the other board members turn to them, those technological experts, to say, “What do you think?” And they give impression, but you’ve had, as the CISO, input to those. So, you can use that. It’s a much more political world, and I’m not saying it’s not, but I think that you have to utilize that based on who the members are, and you have to gauge that and build those relationships as well.

The other side of that equation where your comment of, should a CISO have a board seat? I think we have a model when you think about you have an audit committee, you have a finance committee, you have all these other committees which aren’t composed of 100% board members, but they’re spun from the board to then draw in additional expertise.

I think the next logical step is a cybersecurity committee for the organization, something that takes those people, steps from board memberships with board input, but then puts more expertise around it so that there’s a focus and focused presentation and conversation, and then that feeds back to the full board as well.

There is a definite intermediate step here that can be made.

[Lee Parrish] Yeah, I think one of the things that we need to watch out for as we build the next generation of board of directors is we don’t want just one expert on a board. We want every board member to have some level of cyber fluency. We don’t want to proxy it all to one expert because then, you lose that interaction between the board members on the best approach to provide oversight to that company.

Just real quick, one of the things the listeners should check out is the Digital Directors Network. They do a lot of great things in the area of cybersecurity and board of directors and things like that. I’m a member of that. They do great things.

How do we convince the board?

22:13.365

[David Spark] Jason Popp of Microsoft said, “It continues to astound me that boards/CEOs haven’t figured out that they have the power to completely shift their organization’s cyber posture, mostly for free. Setting a cyber program structure with a few select risk-informed hygiene initiatives based on a mix of internal and external maturity assessments is well understood.

This can be done with minimal financial investment on existing layers if accountability is defined, communicated by the CEO, and measured by each business unit, etc. It’s time for everyone to eat more veggies and exercise more,” I like that line, “Expensive pills aren’t the answer to being healthier.” I really like the metaphor that Jason put.

It alludes to this discussion that we had a couple of segments ago about building corporate culture, that you just kind of need the right leadership and connection and communication, and you could solve a lot. And that could also bubble up to the C-suite and to the board. There’s so much that can be done with just culture.

Yes, David?

[David Tyburski] I agree. I mean, culturally, if you’ve got the support. Like I said, if security is a path of least resistance, it becomes natural for people to take the secure approach, and it becomes culturally a part of their day-by-day. You don’t get the pushback and resistance, and the more people working toward that same objective leads to better results and better hygiene, better reporting.

Cybersecurity can then look at more and be a part of the organization. So, I mean, yeah, culture plays an absolute part of that, getting involvement from everybody plays a part of that, and that’s going to feed up to the board. I love the fact that you have these companies that I read all the time, and people say, “We have a security-first approach,” and yet the industry comes back all the time and says, “Well, we forgot about security.

It was an afterthought. It was too expensive.” Well, how do you have security first and it be an afterthought?

[David Spark] Well, no one’s going to say, “We have security second.”

[Laughter]

[Lee Parrish] Right.

[David Tyburski] So if you really put security first, that’s the point, then it becomes cultural. It becomes everybody. Everybody gets involved. And I think that’s what the security leaders and the CISOs have to do, is build that culture of involvement, educate, show how it involves not just in the business world, but their personal world.

And then, you’ve got a team of the entire company working toward that directive instead of just a few people fighting to roll that rock uphill. It’s everybody pushing together. So, yeah, I think that’s the first step, and that is going to filter up to the board. It’s going to make a difference. And the CEOs are going to say, “Hey, we see that,” and make those changes because that’s the direction they need to go to be supportive, profitable.

It’s where they need to be.

[David Spark] I remember interviewing a woman many years ago who literally, her job was essentially building and maintaining culture at the company. She said, “It doesn’t happen on its own. You have to actually work at it.” Both of you gave great examples of how you work at it for security. I got to assume like anything else, things fall apart because people get busy with other things and just security’s yet another thing that can get pushed away.

Lee, let’s close with you on this. How do you not fall into that rut?

[Lee Parrish] Well, first, before I get into that, I would say that the foundational elements of security are incredibly important, and those are the ones that tend not to be too expensive. You know, when you talk about patching and things like that, you can do wonders in that area. I look at our adversaries, I think I mentioned it before on another Defense in Depth, is our adversaries don’t start with custom malware.

They start with the open doors and the open windows, the foundational stuff. So, that’s what CISOs should do. They should start with the foundational stuff and then move into the super sexy security stuff.

I think that relationship building is the primary factor in advancing a cybersecurity program. And I think that if CISOs are having customized conversations with whoever they’re talking to – the CFO, the chief marketing officer, whoever – they’re customizing that conversation, and they’re tracking their relationships.

They’re understanding, “Okay, I haven’t talked to this person in two quarters. I need to reach out to them again.” Customization of the message. You can’t do a blanket security message to all members of the executive team, the board, the directors, the middle management. It just doesn’t work. You have to tailor it to the person who’s listening to it.

I think that’s the key is the building the relationships and a very close working professional relationship.

[David Tyburski] I want to add one thing to that, and I agree with what you’re saying, the question that they always need to ask in those personal conversations is, “How can I help?” That has got to be the words of the CISO. So, if you’re sitting in front of the CFO, the CMO, somebody else in those organizations, “How can I help?” Not, “How do you help my security program?” How does my security program help you?

How can I help?

[Lee Parrish] Yeah, the best question, it was brought up by Dan in his LinkedIn post, and that is my favorite question comes from the board is when they say, “Lee, are you aware of any material weaknesses in the cybersecurity program? Do you have all the resources you need to address those?” And on one side of me is my boss, and the other side is my boss’s boss.

That’s a really unique time to answer that question. That’s a great way to draw out what a CISO needs.

Closing

27:50.108

[David Spark] That is great. If you could always be fed that question right when those people are in the room, you’d be a very, very happy CISO.

[Lee Parrish] Yeah. It goes in the minutes, too.

[David Spark] Oh, awesome. All right. Well, we’ve come to the portion of our show, you actually mentioned somebody, but I don’t know if that’s your favorite quote. David Tyburski, I’m going to ask you, take a look at the quotes. Tell me which quote was your favorite and just tell me why’d you like it so much?

[David Tyburski] Well, I think the Brett Randall quote, which is, “It’s a stressful time for CISOs and for the industry.” I agree with that, but I think it goes to what we’re saying, is that it’s stressful because you haven’t built the culture. You don’t have the good relationships. You’re struggling to try to build an environment that isn’t supportive of the business.

And so, to the point, you’re pushing a rock uphill, and you have to decide be supportive, build those relationships. And that stress level reduces because you realize you have allies in your quest to protect an organization, quest to protect the business. And so, building that structure out and being there helps reduce that stress and builds a longevity into the organization, which will lead to instead of 24 months, maybe 36 or 48 months.

Because now you’re being part of the business. We talk about it goes to, you want a seat at the table? Well, you have to earn your seat at the table. And to earn your seat, you’ve got to be a part of the business and be a part of the solutions and be a part of developing the forward momentum. And so, it goes to all of that.

And I think that stress is caused because you’re not in that spot.

[David Spark] That’s a very good point. Lee, your favorite quote and why?

[Lee Parrish] Yeah, so Brett Randall gets a twofer. That was my favorite as well. So, there’s a role for CISOs, CIOs, to play in educating the board and executive management of the risks and keeping them updated. I only see this relationship between boards and CISOs/CIO becoming more critical in the years ahead.

I can’t stress enough how important the relationship building is, and I think Brett nailed it.

[David Spark] And that is kind of the theme that I’ve been hearing from both of you throughout this episode is relationship building, not at the actual meeting point of presentation, but beforehand.

[Lee Parrish] Some very self-promotion.

[David Spark] Yes, please. Yes.

[Lee Parrish] I have another book coming out in the spring, and it’s called Security Relationship Management, Leveraging Marketing Concepts to Advance Cybersecurity Program. So, that will be out in April.

[David Spark] We will get you back on again.

[David Tyburski] I feel bad. I now feel like I need to write a book.

[Laughter]

[David Spark] You can still connect with David Tyburski on LinkedIn. He’s always entertaining, if you didn’t already know that from this episode alone. By the way, we will link to Lee’s current book on the blog post for this very episode. And that book being The Shortest Hour, referring to that just one hour at a time you get with the board the entire year, Applied Approach to Boardroom Governance of Cyber Security.

Thank you both very much. Thank you so much for stepping in, Lee. And thank you so much, David, as well. And I want a huge thanks to our sponsor, Palo Alto Networks, and their brand-new Cortex Cloud, defining the code-to-cloud-to-SOC future through real-time security. It’s pretty awesome. Go check them out at paloaltonetworks.com/cortex/cloud.

As always to our audience, we greatly appreciate your contributions. Please, if you see a really good conversation on LinkedIn that you think could be an entire episode of Defense in Depth, send it to me. We find that is our greatest resource to turn into full episodes. So, thank you again for your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.