We often fall back on severity when evaluating cybersecurity incidents. Severity has its place in analyzing an incident after the fact, but does it help the situation when dealing with one?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Trina Ford, CISO, iHeartMedia. Joining us is Rob Allen, chief product officer, ThreatLocker.
This episode was recorded in front of a live audience in Orlando, Florida at Zero Trust World.

Huge thanks to our sponsor, ThreatLocker

Full Transcript
[Announcer] Have you checked out Security You Should Know yet? It’s our brand-new podcast that connects security solutions with security leaders. What does that mean? Well, each episode is focused on one cybersecurity vendor with two security leaders asking the questions you want to know about a security solution you’re interested in. And it’s only about 15 minutes. So, on your next coffee break, head on over to CISOseries.com to check it out.
[Voiceover] Biggest mistake I ever made in security. Go!
[Rob Allen] This is my fourth Zero Trust World. At one point, at one stage, in the first one, I managed to get involved in trying to help someone set up and make a pineapple, a Wi-Fi pineapple, work.
[Laughter]
[Rob Allen] There’s a few giggles out there. So, after that, I somehow managed to be promoted to the position of Chief Pineapple Officer. So, I’ve basically spent about half of all the Zero Trust Worlds locked in a room getting kicked in the nuts by a pineapple repeatedly.
[Laughter]
[Rob Allen] And can I just say the best thing about this Zero Trust World has been that I managed to offload that pineapple task to somebody else? John, I’m sorry. So, all I can say is I’m so thankful that it was somebody else this year who was getting kicked in the nuts by a pineapple and not me.
[Voiceover] It’s time to begin the CISO Series Podcast, recorded in front of a live audience in Orlando.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. We are live at Zero Trust World in Orlando. Let’s hear it!
[Applause]
[David Spark] My name is David Spark. I’m the producer and host of the CISO Series. And sitting to my immediate left is playing the part of my guest co-host. It is none other than the CISO for iHeartMedia, Trina Ford. Let’s hear it!
[Applause]
[David Spark] And by the way, ThreatLocker is our sponsor for today’s episode – Zero Trust Endpoint Protection Platform. They’re our sponsor. Let’s also introduce our sponsor guest who’s joining on the far left. You heard him at the beginning of the show. None other than the chief product officer over at ThreatLocker, Rob Allen. Let’s hear it for Rob!
[Applause]
[David Spark] All right. Here’s what I’ve noticed.
[Rob Allen] Ex-Pineapple Rob.
[David Spark] It’s Pineapple Rob. Everyone likes it. It’s a long inside joke. For those in the room, they’ll appreciate it. For those of you not in the room, just play along. All right. So, here’s what I’ve noticed, Rob and Trina. This event is called Zero Trust World, but I’m surprised at how nice people are at a show called Zero Trust World. I would assume them to be far ruder given the name of the show. Wouldn’t that make sense, Trina?
[Trina Ford] I agree. I absolutely agree. She asked me for my passport, and I was like, “Uh. I don’t share my passport.”
[David Spark] But I am appreciative of how kind and how nice everyone has been at the show. Are you responsible for any of that, Rob?
[Rob Allen] A very small piece of it.
[David Spark] Very small. What piece?
[Rob Allen] The people who I invited.
[David Spark] The people you invited. And everybody else?
[Rob Allen] You know who you are. You’re all good people. But actually, on a serious note, one thing that you will notice at this event is basically everybody is good people. There’s nobody who you can’t stop and talk to and have a conversation with, and it’s one of the big things that people appreciate.
[David Spark] I will say that I am very appreciative that the culture here at ThreatLocker, which also bleeds into the actual show of Zero Trust World, is everyone has been incredibly kind, friendly, and extraordinarily approachable.
There’s got to be a better way to handle this.
3:40.801
[David Spark] How much do we need to consider severity when it comes to incident response? When you respond to an incident, “Evidence at hand is likely to be scant, ambiguous, and divorced from context.” Now, this was noted by Dan Slimmon of Clerk.com. Now, determining the severity often requires time-consuming research to get a full picture, and effort is likely better spent responding to the incident. Severity scales are good analysis tools but not suited to action. So, instead, Dan suggests a complexity-based classification system is more meaningful. “By the time you’ve thought enough to know how complex a response you need, you already have a beginning of a plan.” Okay, so Trina, I’m going to start with you. Does this kind of approach actually sound workable in practice? And I would also ask, have you actually done it this way?
[Trina Ford] That depends.
[David Spark] Okay. All right.
[Trina Ford] I’m going to sound like a lawyer for a second.
[David Spark] Go ahead but walk us through it.
[Trina Ford] Yeah, that depends. It’s going to depend on the environment, the situation, the lenses that you’re looking through. And not for nothing, many of us have dealt with a lot of incidents, so it’s almost like muscle memory. But in some ways, we actually do this complexity-based system without realizing it because we know that certain environments, we already have a plan, we’ve already worked it out, and we already know what we’re going to do. It’s part of our IRP and our process. But then you have those where… And we know our critical assets, some of us, anyway. Asset management is not always fun. But then you also have those environments where you’re going to need to divide and conquer. And, again, it depends on your program. If you have a smaller program and you’re reactive, then you’re going to be reactive. You’re not going to be trying to plan. You’re going to be trying to contain. And you’re going to try to understand the impact. Because your business doesn’t, at least my business doesn’t come and say, “What’s the severity?” They say, “What’s the impact, what do we need to be worried about, and has it been contained?” So, I think in some ways it can be a workable approach. It just depends on the program that you have.
[David Spark] Rob will tag that. Does it depend on anything else? And what do you think about this whole severity model of like it’s not necessary when you need to respond?
[Rob Allen] One of the challenges with incident response is understanding what the severity of an incident is because you very often don’t know the scope. You don’t know what’s actually happening and how deep are they.
[David Spark] Right. There’s very little information.
[Rob Allen] Exactly. How long have they been in the environment, etc.? It’s actually one of the really interesting…from a ThreatLocker perspective, one of my favorite things working for this company is when customers of ours come up with novel and unique ways of using our solution. And one that came up over the last year or two is it being used as part of incident responses. Because one of the first things that a lot of organizations will do when an incident takes place is they’ll basically pull everything out. They’re going to disconnect everything and they’re going to take everything out of the network because they don’t know what’s impacted. They don’t know what’s encrypting. They don’t know what’s happening.
But what some of our customers have been doing is rather than doing that, they will deploy ThreatLocker, but they will secure it immediately. So, they’ll lock everything down using our solution, and they’ll basically work backwards from there. Now, that gives them a couple of things. It allows them to continue to operate using a core set of programs that they may need to use, so Office and so on, but it also gives them time and space to actually evaluate the impact. They’ll be able to see network traffic. They’ll be able to see what’s running on people’s computers. They’ll be able to see what’s going on, basically. And as I said, that’s something that we didn’t initiate. We didn’t say to people, “You should use our solution for incident response.” It’s something that our customers went, “Hmm, we could use this for incident response,” and it’s been really successful.
[David Spark] Good point. But I want to go back to the severity issue. I mean, this seems like this is sort of the thing you ask yourself when you’ve dealt with the incident. Okay, we’ve dealt with it. How bad was it?
[Trina Ford] When you think about severity, we grew up in IT. Security was a function of a function of a function within IT. And it started with severity, P1, P2, P3, whatever. And then as security started to kind of break away, in order for us to be able to successfully communicate with our business and our IT, we had to continue that type of severity. When I said the business doesn’t ask us for severity, it’s because they’re assuming that we already know it now. We try not to communicate that too quickly, given that we are security, and our credibility is going to be at stake.
[David Spark] Yeah, and there could be panic, too.
[Trina Ford] There definitely will be panic, and then there’s more questions than you’re ready to deal with. From that perspective, absolutely agree that severity is relevant because that’s the way we’ve always done business, but there is that complexity, that planning part that’s also important as well.
Well, that didn’t work out the way we expected.
8:40.666
[David Spark] “Don’t let people do things that you know are wrong and then tell them after the fact that they were wrong for doing a thing that you let them do.” So, UX designer Noah Iliinsky recently pointed to a classic data entry example, with developers taking the time to put in a warning that a zip code entered without exactly five digits is wrong, rather than limiting the input of the field to only accept five digits. It seems like in cybersecurity we do this all the time, particularly around phishing. Don’t click on links in emails, where links in emails are designed to be clicked. So, I’ll start with you, Rob, on this one. It’s kind of an anti-pattern here. So, what are some of these other anti-patterns in cybersecurity, like things we tell people not to do, yet we make it very available for them to do it? And, I mean, is there a way we can do better?
[Rob Allen] Probably the best example, I mean, some of what computers can do are kind of unnecessary. I mean, probably the best example, I mean, PowerShell is used in a huge proportion of ransomware attacks. Very often it’s the first stage of an attack. So, somebody clicks on a link, as you said, in an email, all of a sudden PowerShell is open and things are happening. Now, realistically, there is no good reason for Outlook to be able to interact with PowerShell. But somebody in Microsoft, in their infinite knowledge and wisdom, decided it would be a really good idea to put in a system whereby Office can interact with PowerShell. Now, they still haven’t stopped that. They still haven’t done anything about that. And, again, coming back to a ThreatLocker’s perspective, ring-fencing Office from PowerShell is a fundamental part of what we do. But there’s so many different examples of things that our computers can do that can be misused, whether clicking on a phishing link or if a bad actor…
[David Spark] And the PowerShell is a good example because that sort of communications mechanism was designed by Microsoft to make more things happen. They wanted more things to happen. So, you would use their operating system and all their applications more. I don’t think they were thinking about threats coming through Outlook into your system at the time.
[Rob Allen] One would hope not.
[David Spark] Yes.
[Laughter]
[David Spark] Actually, that’s a good point, Rob. All right. Trina, do you have another example of these kind of anti-patterns, things that we let people do that we tell them not to be doing?
[Trina Ford] Where do I begin? So, we want our users not to save passwords in browsers, yet we don’t give them password managers. We tell them not to download data on their personal devices, but we may not have CA policy. We could have CA policies in place. We could utilize MDM. We don’t want them using Dropbox, but yet we don’t look for an enterprise solution for them. And developers, the best. We say developers should not have access to production, but yet they have access to production. We don’t set up policies and/or technical solutions to bring awareness or block it. So, there are a lot out there. I could go on and on.
[David Spark] You know, I was just reading a quote from Ross Young, who’s the CISO-in-residence over at Team8, and he said, “It would be great if the top 10 policies of app development on OWASP for security were literally built into programming code, that you could not break those things.” That’d be a good example right there.
[Trina Ford] That’s a perfect example. Look, technology is there for a reason. We need to use it. Email security. We have cloud security technology. All of it. We want our engineers and developers to develop and produce, but at the same time, we’re limiting them with words. We need to limit them so they don’t have to think about it.
[David Spark] And going back to you, Rob, on your example of PowerShell, that’s actually a pretty good example of protecting people from making their own mistakes, if you will. Like Microsoft made this far too permissible, and with ThreatLocker, correct me if I’m wrong, you’re essentially preventing people from making the mistake or essentially opening up the hole that would allow the attacker to come in.
[Rob Allen] Absolutely. I mean, look, at the end of the day, training is really important. You should train your users. The fact of the matter is that people make mistakes. People are tired. People are tricked. I mean, it’s the whole nature of phishing is that they will make mistakes. It’s what the bad guys are depending on. But you have to work on that assumption that they will make mistakes. So, if they do, what controls can we put in place that will stop the attack from progressing?
Sponsor – ThreatLocker
13:23.586
[Voiceover] Who’s our sponsor this week?
[David Spark] Our sponsor is obviously ThreatLocker, and we’re thrilled that they’re sponsoring us here at the show, and they’ve been a great, great sponsor of the CISO Series. But hang tight. For those who are not as clued in, mostly the listening audience right now, let me explain. Now, do zero-day exploits and supply chain attacks keep you up at night? Well, no one likes to think about those, right? So, worry no more. You can actually harden your security with ThreatLocker.
Now, imagine taking a proactive, deny-by-default approach to cybersecurity – this is kind of ThreatLocker’s philosophy – blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance, while being easy to manage. ThreatLocker’s onboarding and operation are fully supported by their US-based support team. Stop the exploitation of trusted applications within your organization, just what we were talking about, to keep you running efficiently and secure, protected from ransomware. Now, worldwide companies across all industries trust ThreatLocker to keep their business secure and operational. To learn more about how ThreatLocker® can mitigate unknown threats and ensure compliance for your organization, go to their website. It’s ThreatLocker.com.
It’s time to play “What’s Worse?”
15:00.309
[David Spark] All right. I know that both of you have played this game before and you’re well aware of how this game is played, so I will explain it to the audience who is not aware of it. Essentially, I’m going to read two horrible scenarios. They both stink. You’re not going to like either one of them. But you have to decide between the two of them which one is worse. Now, remember, it’s which one is worse. Don’t tell me which one is better, but which one you think is worse.
So, this “What’s Worse?”, two scenarios, comes from Steve Wingate of CyberGuard Advisors, and here’s the first scenario. And by the way, Trina, you’ll be answering first. All right. Scenario number one. Your organization has implemented a strict zero-trust architecture, enforcing granular access controls, micro-segmentation, and continuous authentication. Sounds good. However, frequent access denials occur for legitimate users causing frustration and work delays. IT is overwhelmed with access requests and troubleshooting authentication failures. Developers and security teams clash, don’t they always, as security controls slow down code deployments and system updates, and business operations are impacted leading to missed deadlines and a drop in customer satisfaction. Okay. That’s not good.
Here’s another bad scenario. Your organization claims to follow zero-trust principles but has taken a very lax approach to implementation. So, excessive exceptions are granted, many for legacy systems to avoid disruption. Many implicit trust relationships remain in the environment, examples like overprivileged service accounts, broadened network segments. MFA is inconsistently enforced and there are many exclusions in conditional access, and security alerts are ignored or minimized. All right. Tell us, Trina, which one is worse?
[Trina Ford] The first one.
[David Spark] Okay. Why is that one worse?
[Trina Ford] From a practical perspective, the second one is not good either, but at the end of the day, we’re trying to run a business. And if you’re not put in a position to run that business, you’re not going to make money. The bottom line is we’re not going to meet our imperatives and our goals. And at the end of the day, the business actually dictates how IT and security operate and the approach to our environment. Many of us live with the second scenario today.
[David Spark] Yes. It’s actually pretty common, actually, the second scenario.
[Trina Ford] It’s actually very common.
[David Spark] I would say second scenario has been the default until people have been starting to really deploy zero trust.
[Trina Ford] Exactly. In phases. They need to understand it, absolutely agree with ThreatLocker. But yeah, it would have to be the first one for me.
[David Spark] All right. I throw this one to you. Do you agree or disagree here with Trina?
[Rob Allen] I thought this was a trick question.
[David Spark] Okay.
[Rob Allen] I very much disagree with Trina.
[Laughter]
[David Spark] Okay. That’s what I thought. Now, understand you are very much a zero-trust organization. By the way, I love disagreement. Your argument, why?
[Rob Allen] There is a reason why people have begun implementing the kind of controls that we’ve been speaking about, the kind of scenario that you spoke about. Now, what I will say is it doesn’t need to be painful. It doesn’t need to cause significant friction. If it is, it’s not set up properly and it’s not configured properly. But the reason that…
[David Spark] Now, by the way, just so you know, the “What’s Worse?” game, you can’t start changing the variables in the game.
[Rob Allen] Well, I was going to suggest some sort of a happy medium in between the two would be your ideal scenario.
[David Spark] Yes, of course. That would be a good scenario.
[Trina Ford] He doesn’t follow directions.
[David Spark] The game’s called “What’s Worse?”, Rob.
[Trina Ford] Men. Women, we follow directions.
[Rob Allen] The second one is the worst because the second one is what is going to have you have your asses handed to you by ransomware.
[David Spark] Right. Okay. Both of you make good points. You’re arguing, Trina, that first scenario prevents us from really running business. You’re arguing, by the way…
[Rob Allen] A ransomware attack.
[David Spark] The second one, you’ll be out of this.
[Rob Allen] It will pretty effectively stop you being able to run your business and potentially permanently.
[Trina Ford] But we can’t ad lib. Since we’re going to, you also have other mitigating compensating controls that you can put in place, and that’s what you have to be able to utilize. It depends on the type of program that you have. Everyone is not in a position to implement zero trust. So, we have to look at our environment, understand the culture and mindset, and take phased approaches to zero trust. I absolutely agree with it. But the question that he asked was like putting us out of business.
[David Spark] Well, no, but the first one might not put you out of business. It would just make people really angry and upset. The second scenario…
[Rob Allen] It will also make me angry and upset when they have no jobs to go to.
[David Spark] Right. But it may potentially put you out of business.
[Rob Allen] Yes.
[David Spark] Yes.
[Rob Allen] Yes.
[David Spark] So, there’s both. Both are impacting the business.
[Rob Allen] Both are impacting the business.
[Trina Ford] Both are impacting the business.
[Rob Allen] If there was a choice between, broadly speaking, the question is, do we go more security or do we go less security, I’m always going to lean on the side of more security.
[Crosstalk 00:20:22]
[Trina Ford] I’m going to lean on that side too, but that’s not fair.
[Laughter]
[Trina Ford] You’re letting him…
[Crosstalk 00:20:26]
[Rob Allen] If we want to talk about not…
[Trina Ford] He’s changing the rules.
[Rob Allen] Hang on. Let’s talk about not fair for a moment. Okay?
[Laughter]
[Rob Allen] Essays of notes written in preparation for the question. Single words.
[David Spark] Okay. Okay.
[Trina Ford] That’s mine and that’s his.
[David Spark] First of all…
[Rob Allen] My strategy going forward is going to be reading her notes.
[David Spark] By the way, do not attack her. Rob looked at the script literally minutes before we came on stage, all right?
[Rob Allen] So did Trina.
[David Spark] Don’t give her crap.
[Trina Ford] I don’t. I’m anal. Okay?
[Rob Allen] Excuse me.
[David Spark] She’s prepared.
[Rob Allen] Can I just say…
[David Spark] On the other hand…
[Trina Ford] Did he just make me say that?
[Rob Allen] Can I just say, not only are there the essays of notes on the pages. She has more notes.
[Trina Ford] Oh. Oh.
[Rob Allen] Then she had them down there!
[David Spark] Do not blame her for being prepared when you’re not, Rob!
[Rob Allen] This is like somebody in an exam with notes written on the back of their hands.
[Trina Ford] I’m so embarrassed right now.
[David Spark] No, you should not be.
[Rob Allen] You’re not the one who has one-word answers written on this piece of paper.
[David Spark] Trina, you did fine. We adore you. Right, everybody?
[Audience] Yes!
[Applause]
[David Spark] Rob, stop being mean to Trina.
[Rob Allen] I’m not being mean. I’m jealous!
[Laughter]
Where does a CISO begin?
21:34.536
[David Spark] The US Air Force recently released its zero-trust strategy but acknowledged this will be a more challenging IT transition because, “It is an architectural imperative that touches every device, user, and piece of data in the department.” Now, the strategy document knows that there are a lot of potential problems that could derail its efforts, citing, listen to this, institutional resistance, lagging development of automated data management tools, near non-existent endpoint security systems for IoT, and a lack of open standards. Oh, and the reality that it can’t afford to refit its data centers until 2028. All of those sound like some pretty big issues to overcome. I’m going to start with you, Rob, on this because, I mean, dealing with this stuff is right up your alley. Oh, by the way, he’s looking at Trina’s notes. He’s going to steal her notes.
[Rob Allen] I’m going to use all of your answers.
[David Spark] Here’s my question. Where do you start to tackle any of these issues, and what do you think are the biggest challenges?
[Laughter]
[Rob Allen] Oh, she’s going with the political answer here. So, she’s saying the biggest challenge is it depends.
[Trina Ford] It depends.
[Rob Allen] Once again.
[David Spark] Again, I asked you. I didn’t ask her. She’s coming up next. Let her answer.
[Rob Allen] Okay, short answer to your question. Start somewhere.
[David Spark] Okay, good answer.
[Rob Allen] Somewhere, anywhere.
[David Spark] Start somewhere.
[Rob Allen] Just because something is complex, just because something is daunting, just because – yes, thank you, gentlemen – just because something is going to be a lot of work doesn’t mean that it shouldn’t be done, and it’s not an excuse not to do anything. So, the short answer to the question is to start somewhere.
[Trina Ford] I agree.
[David Spark] You agree. Okay.
[Laughter]
[David Spark] All right.
[Trina Ford] She’s playing me at my own game here.
[David Spark] By the way, I know you have more to say than just that. All right. The institutional resistance, lagging development of auto data management tools, non-existent endpoint security for IoT, lack of open standards, and not being able to refit data centers. You say start. Which would be the easiest of these to tackle?
[Rob Allen] What we find is step one is visibility. So, having visibility, having a knowledge of what is present, what these environments consist of.
[David Spark] And I know this is something ThreatLocker does, like, do an audit of what’s in the environment.
[Rob Allen] Absolutely. Absolutely. It’s really, really important because there’s always surprises. There’s always something you don’t know. There’s always something you don’t consider.
[David Spark] By the way, I just want to point out. In all the times, every single audit you’ve done, no one has said, “Oh, yeah, I knew all of that”?
[Rob Allen] Yeah. No, absolutely zero times.
[David Spark] It never happens?
[Rob Allen] Zero times. And it’s really interesting. And it’s actually quite fun sometimes when you point out to people the things that are running or sitting on computers in their environment. But, I mean, obviously this is on a bigger scale because we’re talking about an entire organization. But the challenge is the same. The place to start is the same. Which is to evaluate. It’s to, you know, okay, these are the things that we have to deal with. And then going from there. But, again, it comes back to start somewhere. It’s not, “Oh, this is going to be really hard. We better not do this until 2028 because we can’t refit our data centers.”
[David Spark] All right. I throw this to you, Trina.
[Trina Ford] I still agree.
[David Spark] You still agree with him?
[Trina Ford] I still agree. I actually wrote down that it really does depend. There’s three areas that I think we should look at. I believe, again, that it’s about the mindset and culture. It’s about visibility and it’s about understanding your environment. So, all the things that my partner over here said. And it goes back to if the business is not on board with that strategy, they will eat it for lunch. You may implement it, but it may be doomed to fail, or it won’t work as designed. So, I agree that the US Air Force needs to really understand what visibility they have in their environment and then kind of go from there. With the basics, it didn’t sound like they had basics or anything. So, it’s like ThreatLocker’s a shiny toy. I know, I’m looking at it. I want it, too. But it’s a shiny toy. If you don’t have some of the basics in place, ThreatLocker can only do so much or other technology or solutions can only do so much to get us to that zero trust, whatever it is for our strategy.
Can’t we all just get along?
25:54.599
[David Spark] All right. This is going to be a fun one. Cybersecurity workers of the world, unite! Now, that’s the premise of a really fun cybersecurity subreddit post, asking if the entire cybersecurity industry went on strike, what would be the list of demands? So, some ideas included a cold shower for anyone mentioning generative AI, forbidding meetings longer than 30 minutes, preventing the C-suite from buying a solution they just saw on LinkedIn, and stopping the marginalization of workers seeking opportunities in new roles. Two of my favorites were turning off all computers and everyone just getting naps. I’ll throw with you, Trina, on this one. What are on your list of demands when the cybersecurity strike hits? What’s on your demands?
[Trina Ford] A spa day.
[David Spark] Spa day. That’s good.
[Trina Ford] Once a month for all security practitioners and leaders. Mo’ money because we’re working all the time.
[Laughter]
[David Spark] Okay.
[Trina Ford] Mo’ money, mo’ money, mo’ money.
[David Spark] By the way, that got a nice response right there. First of all, all strikes want more money, which is good to bring that up. What would be on your list of demands?
[Rob Allen] Golf days on any day that ends with a Y.
[Laughter]
[Rob Allen] But actually, my favorite is naps.
[David Spark] Naps?
[Laughter]
[Rob Allen] I’m the world champion in naps.
[Crosstalk 00:27:21]
[David Spark] By the way, I’ve worked with people. One woman I worked with literally took a nap under her desk. Have you seen anyone do that before? Take a nap under their desk?
[Rob Allen] I have not. But I now have thoughts about naps under my desk.
[Laughter]
[David Spark] Oh, by the way, I took a photo of it, and it became blackmail.
[Rob Allen] I mean, some of you guys have been to our office. I could probably get away with it.
[David Spark] Can you fit under your desk? [Laughter]
[Rob Allen] Yes.
[David Spark] Oh, you’re a big guy. [Laughter]
[Rob Allen] It’s a big desk. It’s a big desk. But we actually have a “Quiet – Recording in Progress” sign on my door, specifically because of you.
[David Spark] Oh.
[Rob Allen] It’s one of the many things that have happened in my office because of you…
[David Spark] Oh, that’s how you can get away with naps.
[Rob Allen] …from microphones to earphones to all the other things. But I could close my door. There’s a sign saying “Recording in Progress” and I could have a nap under my desk.
[David Spark] That is the answer. Get the recording, the red light outside your office door.
[Rob Allen] Even better.
[David Spark] You should do that too, Trina. What do you think of that?
[Trina Ford] I think it’s great. But I also have two more.
[David Spark] Okay.
[Trina Ford] You know, back when we were in school and we had field day or what is it, recess? I think they should bring back like mandatory one-and-a-half-hour recreation for any IT and security practitioners. Because we have a lot of stress going on. So, we need that. And then two three-day weekends a month. I think that’s good.
[David Spark] Two three-day weekends a month?
[Trina Ford] Two three-day weekends a month.
[Applause]
[Trina Ford] And car allowances.
[David Spark] By the way, hold it.
[Trina Ford] Because our cars just sit there, and they do need maintenance. We don’t get to drive them. So, we at least need to get paid for it, right? Because we’re paying for it. So, car allowance.
[David Spark] By the way, I’m going to lean into that three-day weekends, two three-day because, and by applause from this audience, the attackers know when vacations come up, like holidays. We’ve all had really bad Fridays on a three-day weekend or before a holiday. Yes, by applause?
[Applause]
[David Spark] Yes. That’s happened. So, if you had three-day weekends not on holidays, those wouldn’t be popular times to attack.
[Trina Ford] Very true. And we might get out of the office every now and then or stop working because not for nothing, we work around the clock. So, I’m really serious about the we need some stress relievers, spa days, three day, two three-day weekends, recreation times during the day. That works. And mo’ money.
[David Spark] And mo’ money.
[Laughter]
It’s time for the audience question speed round.
29:38.359
[David Spark] All right. We have a little bit of time left, and I got it right here in my hand, I got a bunch of questions from you audience members right here. And I want you, Rob and Trina, answer these questions as quickly as you can so we can get through as many as we can in the time that we have left right here. All right. This first question comes from Howard Holton of GigaOm. He’s been a frequent guest on the CISO Series. All right. It’s kind of a big question, but I’m looking for kind of hot takes on this, and jump in either one of you first on this one, how much friction is acceptable in security to reduce risk? And so, really, the question is how do you address that discussion and the culture around it? Because security does introduce friction. The question is how do you sort of approach the “too much, too little” discussion? Rob, you want to take this?
[Rob Allen] I suppose a degree of friction is inevitable. If you’re taking away people’s abilities to do whatever the hell they want, there is going to be a degree of friction. I mean, from our perspective, some of the new products we announced this week, they are designed to take away some of that friction. So, the likes of the user store, we just added letting people go download the software they want to download. In fact, knowing what software they can download is about reducing that friction. So, it is something we’re conscious of, but it’s also something we’re working towards fixing.
[David Spark] All right. What do you think? How do you address this issue?
[Trina Ford] I absolutely agree. It’s about not just the what, telling people what to do, but helping them to understand the how and the why, and then showing some empathy as well. And that way, if they’re aware of and they feel like they’re a part of it, it’s easier to introduce.
[David Spark] And I have also noticed, just throwing this out, the more they understand the reason and can see the reason for the friction, the better, rather than, I mean, it never really works saying, “Just do this because I told you so.”
[Rob Allen] Absolutely. And again, it’s something that we introduced. Danny decided about a year and a half ago that we should have a product research department, and the product research department’s task was to basically research every piece of software in the world. Now, it’s a pretty unenviable task because there’s a lot of software out there, but they found just general information about various things. So, this coupon clipper is made in China. So, when we actually block a user from running a coupon clipper, we actually say, “Well, look, this is a coupon clipper. It’s made in China. Do you want to request access?” So, the idea behind that is a user will go, “Hmm, maybe I shouldn’t actually try and run that coupon clipper, and maybe I shouldn’t send a request through to the IT department to allow me to do so.” So, it’s about, as I said, informing people to reduce that friction.
[Trina Ford] And one last thing, taking it from a holistic perspective, the partnership works too. It helps when you have a true partner in ThreatLocker or whomever because sometimes when you speak as the CISO or the security leader, it goes in one ear and out the other. But when you have a true partner, you bring them in, they have a different way of speaking. And that kind of eliminates some of the friction as well.
[David Spark] Good point. All right. From John Caballero of TerraCyber, and I really like this question. And actually, there’s two different angles for both of you to answer. You from the product side, and you, Trina, from the protect side. Do you look at huge public attacks, your Target attacks, any other big attack that happens, do you look at these as teachable moments for your product and company? So, for example, like, oh, if this happened to us, would we be able to handle it? And then similarly, if this happened to one of our customers, would ThreatLocker be able to handle this? Or do we need to adjust the product to handle these kinds of attacks? Trina, you want to start?
[Trina Ford] Yes. I use them as teachable moments, and I take advantage of them as well. It’s an opportunity for me to share with our leadership, our actual defenses that we have in place, and how we would have fared in that same situation. Usually it’s not the same, or it’s not as good. And then I take the opportunity to say what technology I know that’s out there that would help us in that situation. So, the simple answer’s yes.
[David Spark] And Rob, have you done this? I mean, like have you looked at it and go, “Oh, the product should be adjusted to better handle this”?
[Rob Allen] Absolutely. I mean, there’s always new tools and techniques or techniques that are being used by threat actors. But the teachable moments thing, I mean, basically every event is a teachable moment. One of the problems we have is that it’s only the really big ones that get people’s attention. It’s only the really big ones that end up on the news. So, you’re talking about your Colonial Pipelines, for example. I had a really interesting one with a customer. It was very early in when I started with ThreatLocker, and I was trying to convince them about why they needed what we do. They weren’t really having it. So, I said, “Look, what I’m going to do is I’m going to send you a different example every day of another organization that’s been hit by ransomware.” So, I did it for four days of the week, and the fifth day of the week was a Friday. That Friday, the Irish Health Service, the HSE, got wiped out in a ransomware attack. It was everywhere, news-wise. That customer said yes on the spot because that was a teachable moment for them.
[David Spark] All right. This comes from Dan Powers of Full Sail University, and he actually helps students find their first jobs in cybersecurity. And so, this question is related to that. Knowing what you know now, both of you are cybersecurity leaders yourself, but at one time you were not, and you were not even in cybersecurity at one time. So, knowing what you know now, how would you approach getting a job right out of college? A job in cybersecurity, specifically. Oh, my God. Speechless on this one.
[Laughter]
[David Spark] Trina?
[Trina Ford] I would network more. Knowing what I know now, if I wanted to get a job right out of the gate into cyber, I would actually network more. I’d use my parents more, or anyone that I know is already in the business. I would do that, but I don’t know if I would go this route knowing what I know today. I’m not sure I would.
[David Spark] The route that you did to get in.
[Trina Ford] Oh, the route that I did to get in. Yeah, that was about money. My dad told me I needed to be independent and take care of myself, so I went down that route. But now I would probably, if I’m going to end up here anyway, then yes, I wouldn’t go the route I did. It took too long. I’d just cheat and find people who like me and kind of get promoted that way.
[Laughter]
[Trina Ford] I’m serious.
[David Spark] I like that technique. Rob, what would you do differently?
[Rob Allen] Can I just say that was a tremendous answer?
[Laughter]
[David Spark] Yeah.
[Rob Allen] I don’t think I would be able to do that because I think, again, any of you who know me know I’m fundamentally a very unsociable person.
[David Spark] Not true.
[Rob Allen] So, I don’t know if I could do that. But I suppose the route that I took, which was basically starting at the very bottom, starting as a humble engineer in an IT company, and basically working my way up through that organization doing different things. When I got bored with just ordinary IT, moved into sales. That gave me skills in dealing with people. Then when I moved to ThreatLocker, probably a little bit later than was ideal because I was 18 years in that company, but it gave me a good grounding. It gave me a good place to start, I suppose. But then I think what’s really important is being outside of your comfort zone. So, if you’d have told me four or five years ago that I’d be sitting in front of a room of people on a live podcast, I would have laughed at you because the very idea would have terrified me. Now it’s second nature. Now, again, it’s just a day of the week that ends in Y. But that comes from being outside of your comfort zone. And, I mean, the point is, or the fact is, at this stage, I don’t even know where my comfort zone is. It’s that far out of sight. But doing that, I think, helps you grow. And anything you can do that will help you grow will help you succeed.
[David Spark] All right. Very last question. You ready? Here we go. Comes from Zachary Kinder of Net-Tech Consulting.
[Rob Allen] Oh, God.
[Laughter]
[Trina Ford] Who is that?
[David Spark] Well…
[Rob Allen] You don’t want to know.
[Laughter]
[David Spark] He’s a perfect…
[Rob Allen] Hi, Zach. Love you, buddy.
[David Spark] He’s a perfectly nice guy. Great supporter of ThreatLocker. And here’s his question, and I like this one. What is the toughest part of your job?
[Rob Allen] Don’t look at me.
[Laughter]
[Rob Allen] He’s gone first to you in everything. I need to think about this.
[Trina Ford] Me too. Your turn.
[Rob Allen] Oh, God. What is the toughest part of my job? It’s changed somewhat. So, for the first three or four years, the first three years I was with ThreatLocker, I used to travel a phenomenal amount. We used to do events all over Europe, and I’d pretty much spend the entire week out of home, away from home, and that was tough. Genuinely, that was really hard. It also had a very serious impact on my golf game.
[Laughter]
[Rob Allen] Because when I actually got back, I felt guilty about going out to play golf at the weekend. So, once upon a time, I’d play golf during the week, I’d play golf at the weekend. That just all went out the window, so my handicap skyrocketed, which makes me very sad. But travel in general, and a lot of travel, does take it out of you. And being away from home, being away from family, it is hard.
[David Spark] Trina, your toughest part of your job?
[Trina Ford] Let’s see, how do I say this? The limitations that come with being a Chief Information Security Officer, we have a lot of accountability and responsibility, and we have some authority, but we’re not positioned to make the changes that we need to make. And that’s really tough sometimes, just kind of being in this role and not being able to make the changes that you know are necessary, and oh, my goodness, always having to explain.
[David Spark] Well, you’re the Chief Communicator as well.
[Trina Ford] Well, that’s true too.
Closing
39:43.362
[David Spark] Well, that brings us to the very end of the show. Let’s hear it for my guest, Trina Ford, CISO over at iHeartMedia.
[Applause]
[David Spark] And Rob Allen, who’s the Chief Product Officer of ThreatLocker.
[Applause]
[David Spark] ThreatLocker has been our sponsor for today’s episode. We greatly appreciate ThreatLocker’s sponsorship and support of the CISO Series. Let me just close and ask Trina, and also Rob, are you hiring?
[Trina Ford] Absolutely.
[David Spark] You’re hiring. So, actually, if you see her, for those of you here in the room looking for positions, talk to Trina. And I know, as I understand it, ThreatLocker, you’re always hiring. Is that true, Rob?
[Rob Allen] We are never not hiring.
[David Spark] Never not hiring.
[Rob Allen] Hit us up.
[David Spark] That’s good. All right, well, if you’re looking for jobs, both Trina and Rob are looking as well. We greatly appreciate both of you being on stage, ThreatLocker, and honestly, everyone here at Zero Trust World could not have been nicer. We greatly appreciate it. Oh, wait. Before we go, I do want you to reiterate, you made a big announcement yesterday. Please tell us.
[Rob Allen] We made many big announcements yesterday.
[David Spark] Give us just the highlights. Burn through them.
[Rob Allen] We’ve added web filtering to our product portfolio. We’ve added patching to our product portfolio. We’ve improved many parts of our product enhancements. Again, things like the store, which are going to reduce friction for users. So, a bunch of new stuff. Everybody should check it out.
[David Spark] Check out the new stuff from ThreatLocker. I know everyone I’ve spoken to here is very excited about it. Again, thank you to ThreatLocker. Thank you to my guests and thank you to the audience here at Zero Trust World. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.






