Not all security controls are created equal. Some result from a thoughtful security program, others come from compliance requirements. But what do you do with controls from leadership that are more about optics than security outcomes?
This week’s episode is hosted by me, David Spark, producer of CISO Series and Christina Shannon, CIO, KIK Consumer Products. Joining us is Jim Bowie, CISO, Tampa General Hospital.
This episode was recorded in front of a live audience at the Convene conference in Clearwater, Florida, hosted by the National Cybersecurity Alliance (NCA), providers of the website, StaySafeOnline.org.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsors, Cofense, KnowBe4, and Proofpoint.
Discover cutting-edge security insights and industry trends from leading experts at Proofpoint Power Series—a monthly virtual event designed to empower the security community. Learn more at Proofpoint.com.
Full Transcript
Intro
0:00.000
[Rich Stroffolino] If you’ve ever wanted to cut through the fluff and get real answers about a security solution, we’ve got the podcast for you. Security You Should Know is our new 15-minute show, where two security leaders ask the questions you actually care about, straight from the vendors themselves. No sales pitches, just the insights you need to solve your problems. Listen now at CISOseries.com or wherever you get your podcasts.
[Voiceover] Biggest mistake I ever made in security. Go!
[Jim Bowie] Letting my parents convince me to help them recover files off their hard drive.
[Laughter]
[Voiceover] It’s time to begin the CISO Series Podcast, recorded in front of a live audience in Clearwater, Florida.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And yes, we are live in Florida, in Clearwater, Florida, for the Convene Conference. I don’t believe there’s actually a town named Convene. Is there one, Christina?
[Christina Shannon] No, not last time I checked.
[David Spark] No, there is not. There is not a town like that. That right there is the voice of my guest co-host for today’s episode. It is Christina Shannon, the CIO of KIK Consumer Products. Let’s hear it for Christina.
[Applause]
[Christina Shannon] Thanks for having me.
[David Spark] All right. Well, we love having you here. All right. We’re available at CISOseries.com, if you didn’t already know that. And our sponsors, let’s hear it for our sponsors. I believe the gold sponsors of this event, Proofpoint, Cofense, and KnowBe4. You’ll be learning more about all of them, those of you in the room, and those of you listening to the recording, a little bit later in the show. All right.
Here’s one quick announcement I do want to make. I want to tell you about this, Christina, because I don’t know if you know the details on this. But when this episode releases, we will have officially launched publicly our brand-new show, but we have soft launched it now. So, those of you in the room can actually see this, but it’s a brand-new show called Security You Should Know. Sound like a good topic? It is a takeoff on a very popular other podcast that has a similar name. But this came as a result of interviewing both vendors and CISOs and about what they want in terms of when they engage or a CISO talks to a vendor. So, let me ask you, when you are looking for a solution, what’s your best sort of route of finding a solution for a category? Like you don’t know anything about the category, and you’re trying to learn and look for a proper product. How do you go about doing that?
[Christina Shannon] Gartner, social media, phoning a friend. [Laughter]
[David Spark] Phoning a friend.
[Christina Shannon] Yes.
[David Spark] Now, let me ask you, of those three, which one do you lean on the most, would you say?
[Christina Shannon] Probably phoning a friend first.
[David Spark] Phoning. Now, that we hear a lot. We hear the phone-a-friend a lot. And that was kind of the idea behind this, because the problem with phoning a friend is if they’re all using the same product, you’re kind of in an echo chamber. Allan Alford, a former co-host of mine, explained that. So, the point of Security You Should Know is we have vendors on, and they’re interviewed by two CISOs, and they ask some questions. They’re CISOs interested in the category, and they ask some questions relevant to their product. So, the idea is it’s kind of like phoning a friend in that you’re hearing from other CISOs what they think about the product. So, that’s kind of in line. But you would only look at the episode and say, “Oh, this is a category,” because it would be titled whatever the category is. You would only listen if you were interested in that category.
[Christina Shannon] That sounds like a great way to find, I mean to speed up the time and efficiency and effectiveness for identifying solutions that solve real world problems.
[David Spark] And to make it even more attractive, we keep it short. They’re less than 15 minutes. All right. Let’s bring in our guest. Let’s bring in our guest right now. No more of the plugging of our brand-new show. You in the room can go check it out before really anybody else knows. It’s available on our site. You’ll have to go under the Shows menu to check it out because we kind of hid it a little bit. But let me introduce our guests. Both of the people on stage have been on our show before, so I know they’re going to deliver for you. Not too much pressure. To my far left is the CISO for Tampa General Hospital, Jim Bowie. Let’s hear it for him.
[Applause]
[Jim Bowie] Thank you. It’s good to be here.
Pay attention. It’s security awareness training time.
4:23.996
[David Spark] You’re never done with security awareness training. Everyone in this room knows that. You wouldn’t have a job if you were, for that matter. So, we all know that annual training for compliance just does not cut it. It’s a constant process. But Santosh Kamane of Rivedix argued it requires long-term planning, and he suggested picking out different themes and exercises at the start of the year to build a cumulative effect. I’m going to start with you, Christina, on this. Is this an effective strategy? And if so, what would be in a long-term plan? Like, what are the different stages we’re looking at?
[Christina Shannon] Yeah, I mean, if you decide to get fit, you’re not going to the gym one time, right? We all know that. So, I think any type of program that involves continuous learning, continuous training, that’s going to ensure that your organization, that your teams, that they understand how to act just in time when there is a threat. I really like the idea of using different topics, different themes. I think the way to approach that or a really good way to approach that would be to look at where are the high-risk areas in an organization, where do the crown jewels live, and what’s the risk exposure to those? And then targeting those groups to do continuous testing, maybe on a quarterly or a monthly basis, depending upon the threat.
[David Spark] That’s a good point. It’s not just about your audience you’re trying to train. It’s what you’re also trying to protect at the same time. You’ve got to kind of marry them together. All right. What would you add to that? And I’m assuming you would agree to that theory?
[Jim Bowie] I do. I do agree with it. The only thing I would add to it, and it’s the stuff I’ve seen here today, is you’ve got to make it engaging and you’ve got to make it personal to them. So, it’s the same threat – it’s going to sound silly – but it’s the same threat surface at their home with your corporation because the attackers are going for their home first. So, what we’ve done or what I’ve seen success with is if you say, “I’m going to protect you…how to be safe at home,” they’ll carry those habits over to work, and you should have a much higher success rate and more engagement in your training.
[David Spark] All right. So, let me talk about 100-level to 400-level sort of training, because we’re actually getting some pretty cool 400-level training. I’m thinking, like, the stuff we just saw from Perry Carpenter over at KnowBe4 with these deepfakes was pretty impressive, and your general populace really has not seen this or the depth of how it is handled. Give me an idea. What are you talking about when you’re training the people low level to high level? What are the things you’re looking at?
[Christina Shannon] When you’re training people low level to high level, you mean like the skill level, right?
[David Spark] Yeah. The skill level. Like barely know what security awareness is to I’ve been learning a lot, I’m very savvy, I’m maybe a security champion, but I want to know the latest greatest, like what I should be aware of. Kind of like what we’re seeing here today.
[Christina Shannon] [Laughter] Well, if it’s anyone in my family, I’m probably going to come up with something that is non-technical jargon that they can relate with. If it’s my dad, I might try to think of something that conceptually can tie to drinking beer and watching football, right? [Laughter]
[David Spark] Wait, does your dad work for KIK Consumer Products?
[Christina Shannon] No, he doesn’t. [Laughter]
[David Spark] So, we’re more concerned about your staff.
[Christina Shannon] Yeah. But from the staff standpoint, it’d be if the gentleman in Perry’s previous speaking, I think his name was Vivek, he had said, “Where’s your GitHub? Can I download it for the GitHub?” There’s some people on the team that you need to do something like that with, right? You need to let them get their hands on it, like on the product that you have, that’s doing security awareness training. And then if they’re businesspeople, I would look at who can be the champion, right? How can you tie the risk to what they care about and the business risk and then have them champion security awareness with you?
[David Spark] All right. What would you add to that, Jim?
[Jim Bowie] No, she nailed it again. Basically, keep them engaged. So, if you’re dealing with her dad who’s drinking the beer, you tailor it that way. But if you’re dealing with highly technical people who often will challenge you in your training, “Well, I don’t agree with that,” they will say, or whatever, then you show them. So, what we’ll do is we’ll spin up a lab and be like, “Fine, I’ll show you how easy it is to hack if you click on a PDF. I’ll let you hack it, and you’ll get the credentials back. We’ll phish somebody right here if you want.”
[David Spark] Yeah. I mean, letting them see it themselves, let them be the hacker, that’s got to stick, right?
[Jim Bowie] Yep.
[David Spark] That’s the best way.
Why are CISOs leaving the profession?
8:38.869
[David Spark] There is no doubt that cybersecurity can be a high-pressure job, but does that mean it’s high stress as well? A Devo SOC performance report found that over half of SOC staffers said they’ve considered walking away from a job due to stress. Also, a recent BlackFog survey found that about a quarter of CISOs want to leave roles over stress. That points to a systematic problem not found in other critical operations, said William MacMillan in a Dark Reading piece. He pointed to his own experiences as an Air Force Special Ops helicopter pilot who was under intense pressure, but it never felt like a role he wanted to walk away from. That fortitude came from having “cutting-edge equipment, unwavering support from my leadership, and a mission that made my heart race.” He argues for better support across analysts, the SOC, and leadership. That’s what he wants. So, it’s a call we’ve heard often. So, how do we start moving this high-pressure industry? And I’m talking to you, Jim, first. How do we move this industry into something that can be exhilarating and mission-driven instead of driving burnout? Which, by the way, a lot of people seem to feel is inevitable.
[Jim Bowie] It’s hard. So, I’ll take it from our perspective, from my perspective, I work at a not-for-profit healthcare. So, I can’t pay Google money. Money goes a long way, but it doesn’t solve everything. So, what I have done or what I’ve found success in is letting them go to… Training’s easy, like this. I have a couple people from my team here. The more you let them go to training, let them drive projects. If they have a problem, say, “All right, how would you solve it?” Have them come up with the solution, then support them and fund them. One of the biggest things that I saw recently was someone came to us with a problem. I said, “All right, how would you fix it?” And they came up with this whole plan. They made this great presentation, and I was like, “Okay, let’s do it.” And they were just like, “What?” And I was like, “Yeah, okay, let’s do it.” So, since then, they’ve been more engaged, their project was more successful, and it just helps them own it.
[David Spark] Yeah. The old misnomer that if you train them, they’ll leave is actually the complete reverse. If you train, they’ll stay because they’ll know if I stay here, I’ll get trained. Now, what experience have you had either on training or something else to essentially make it more mission-driven, where they get excited to work hard instead of thinking, “Oh, I’m leading to burnout”?
[Christina Shannon] Something that I think is extremely important and helpful is you have to teach the team about risk, and you’ve got to get them focused on risk quantification early, right? Like, I think that when they can tie an asset that the business cares about, whether it’s a product or a service, and then they can tie that to, here’s the risk, right? And here’s what happens if we don’t protect, detect, respond, put controls around it. Then I think that it works in both ways, managing up and managing down. It really ties everything together, and you can gain a shared purpose, and you can understand this is why we’re doing this, and it makes your work more meaningful at that point.
[David Spark] No, that makes a good point. And one of the other things, and this was actually a question that I had for the end of the show, but I’m going to kind of bring it up now. And that is, so many businesses talk about work/life balance, but isn’t so much of the work we do that we need to actually get into their personal life, because their personal digital life affects their work life, yes? So, do you communicate that to them? Because there’s that fear of, “Oh, the stress, I’m bringing it home,” or more of, “No, I’m just learning,” and this, I’m talking about all staff, not just your security staff, “I’m just learning to be better at home and at work.” How do you sort of communicate this, balance it, say, “This is all good, not stressful”?
[Jim Bowie] Oof!
[Christina Shannon] Ooh, yeah.
[Laughter]
[Christina Shannon] That’s a hard one.
[David Spark] I stumped you. All right, Jim, you want to save Christina here?
[Christina Shannon] Yeah.
[Jim Bowie] So, I have the same challenge. I’ve actually had to threaten to cut their accounts off so they won’t work. Like, I don’t know if anyone has figured this out. Once you get people engaged, like you’re talking about with this Air Force pilot, the problem I’m having, and let me know if you figured this out, I can’t get them to stop. I’m looking at you back there.
[Christina Shannon] Yeah.
[Jim Bowie] Like I can’t get them to log off at the end of the day. They’re so invested.
[David Spark] I know that. Do you have problems with people not taking vacations?
[Jim Bowie] Yeah!
[Christina Shannon] Yes. And that’s what leads to burnout, right? [Laughter]
[Jim Bowie] Yeah.
[David Spark] Yeah, yeah.
[Christina Shannon] Which is the whole question. Yeah.
[David Spark] It’s good that they’re eager and passionate about the job, and here’s the other thing. Maybe it’s just like a forced, like, “We’ll take you all out,” but then we’ve all been on these sort of forced group outings with the staff, and it always is unbelievably uncomfortable. So, maybe that doesn’t work either.
[Jim Bowie] So, one thing that I have done, and this may reach into uncomfortable region, is I’ve actually called their partners and spouses.
[David Spark] Oh, really?
[Jim Bowie] I’ve been like, “How is Bob doing?” I have no Bobs. “How is Bob doing?”
[David Spark] Yeah, yeah.
[Jim Bowie] Or, “How is Jane doing? I want to make sure you’re okay. How are you doing with what they’re doing?”
[David Spark] They don’t get upset that you…
[Crosstalk 00:13:54]
[Jim Bowie] I make sure it’s okay with them first. I’m like, “Look, you’re working really hard, and I’m trying to help you unplug. Do you mind if I talk to your partner? And you can say no. There’s no demerits here.”
[David Spark] Oh. So, you get the clearance.
[Jim Bowie] Yes. And then I’ll talk to them, and it helps the spouse understand that the pressure’s not coming from me. They’re not mad at me at the next cookout or forced outing.
[David Spark] [Laughter]
[Christina Shannon] But that’s so true though because they do get mad at you.
[Jim Bowie] Oh, yeah.
[Christina Shannon] And that’s the whole thing, that’s why I was stumbling because I was like, “I can tell people to go offline.” We can lock their account out if we wanted to go extreme. But at the end of the day, I’ve had more people that get frustrated with those actions than appreciate them or… And maybe it’s just that you need a couple days to decompress and then you’ll enjoy it but really purpose-driven people have a hard time relaxing. [Laughter]
[Jim Bowie] I do want to add one thing, and this is something that someone hit me hard with on my team, and they’re like, “Jim, you’re sending emails at 3:00 a.m., so why can’t I?”
[Christina Shannon] Oh.
[David Spark] You know what? There is an answer to that.
[Christina Shannon] That’s a good… Yeah.
[David Spark] Schedule the email.
[Jim Bowie] And I didn’t even know that was a thing. I’ll be honest. My fault being a tech guy, right?
[David Spark] [Laughter]
[Jim Bowie] My wife was all over me. She’s like, “You didn’t know about that?” And I was like, “I’m sorry.”
[Christina Shannon] And I’ve found that they tell you, or at least in my experience, I would send out a note anytime I’ve been new to an organization like, “Hey, it’s just me working on the weekend. You don’t have to respond.” And that doesn’t work. They still respond, right?
[Jim Bowie] Yep.
[David Spark] Yeah, yeah.
[Jim Bowie] Fired up the whole team once with one of those, “I don’t need this answer right now.” Next thing I know, I look on Teams and the whole team’s green.
[David Spark] Ugh! You’re both at fault.
[Jim Bowie] Yeah.
[Christina Shannon] [Laughter]
Sponsor – Proofpoint
15:24.953
[David Spark] We have got a lot of great sponsors, and we’ll go through all of them, and here’s the first one, and it is Proofpoint. Proofpoint is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world target threats, safeguard their data, and make their users more resilient against cyber attacks.
Now, in today’s digital landscape, security awareness training alone is not enough. So, with Proofpoint’s ZenGuide, organizations are going beyond mere compliance-based awareness programs to identify and focus on high-risk individuals, actively engage and motivate them, and cultivate a security-conscious culture by building resilience against human-activated threats and the latest attack tactics. Leading organizations of all sizes, including 85% of the Fortune 100 – that would make 85 of them – rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. You want to learn more? You’ve got to go to their site. It’s Proofpoint.com.
It’s time to play “What’s Worse?”
16:49.338
[David Spark] All right. Now, for those of you who have heard this show before, you’re familiar with this game. It is two horrible scenarios sent in by one of our audience members, and neither one is good. You won’t like either one, but you have to tell us, and we’ll go to the audience, and you’ll get to vote as well, which one of these two is worse. So, I’m going to start with you, Christina. You will answer first, and then, Jim, you can agree or disagree. This comes from Adam Ferdman with Common Sense Security Solution, and here are the two scenarios that Adam poses. What’s worse: the employee who reuses the same weak password across all accounts, or the employee who falls for every phishing email?
[Christina Shannon] I’d say the employee who falls for every phishing email.
[David Spark] Now, why is that? I need an argument why that’s worse than…
[Christina Shannon] Maybe the weak password is 16 to 18 characters. It’s harder to hack.
[David Spark] No, no, no. Reuses the same. It wouldn’t be 16. You just said it’s a weak password, 16 to 18 characters.
[Christina Shannon] Oh, you said weak password.
[Christina Shannon] Okay.
[David Spark] Yes, weak password.
[Christina Shannon] I’m still going to go with the phishing because the phishing comes with malware, and then the phishing can come with a lot more damage.
[David Spark] That is a good point, but that weak password, it’s like the phishing email is one at a time, but the weak password, it’s like you’re opening it up to a free-for-all for everybody.
[Christina Shannon] Oh, it’s equally as bad, right? With bad passwords, usually 60-80% of attacks start with a password theft.
[David Spark] So, wouldn’t you say that the first one’s worse?
[Christina Shannon] Yeah, I would now that I understand that it’s a weak password, and I can’t just say it’s 16 to 18 characters.
[David Spark] So, where are you landing? You still think the one who falls for every phishing email is worse?
[Christina Shannon] I’ll stick with it.
[David Spark] Okay, you’re sticking with it. All right.
[Christina Shannon] Yeah.
[David Spark] We’re going to Jim on this one. Which one do you think is worse? The weak password across all accounts, and it’s the same one, I should point out, or the phishing email they fall for every single one?
[Jim Bowie] Phishing email, hands down.
[David Spark] Okay, now why?
[Jim Bowie] Because I can control and predict the user with the weak password. I can limit their access. First of all, I can find the weak password on my own, right? And then just make them change it, right? And then keep making them change it.
[David Spark] No, no, hold it, wait, wait, wait, hold it. You don’t understand this game.
[Jim Bowie] Okay, all right.
[Laughter]
[David Spark] The game works is…
[Christina Shannon] I was trying to do that too. [Laughter]
[David Spark] …you cannot change anything, okay?
[Jim Bowie] Can I monitor for it?
[David Spark] You can monitor. Yes, you can monitor.
[Jim Bowie] All right.
[David Spark] So, you can monitor the accounts.
[Jim Bowie] All right. I’m still going phishing.
[David Spark] But couldn’t you also… Wait. You could do something similar for phishing. You could create like a quarantine area for that same employee, so every one of their emails gets quarantined.
[Jim Bowie] But how’s that different than changing their password on the other one?
[David Spark] No, no, it’s just you’re creating a protection area. But changing the password is changing the thing. You’re trying to create some kind of protection around their bad behavior, which you can do.
[Jim Bowie] Okay.
[David Spark] But you can’t change the aspect. They’re all still going to click for every phishing email. They’re still going to use a weak password across all their accounts. Same one.
[Jim Bowie] Nope, still phishing. Because humans, no matter how good your password is, humans are going to fail. Like you or I will fail phishing at some point, right?
[David Spark] Yes.
[Jim Bowie] Like, we’re going to fail. And so, someone who keeps clicking on it, the chance that…
[David Spark] Yeah, but that doesn’t matter in this scenario because they fall for it every time.
[Jim Bowie] I know, so it’s even worse.
[David Spark] [Laughter]
[Jim Bowie] But like statistically…
[Christina Shannon] The attacks escalate. Yeah.
[Jim Bowie] Yeah, they’re going to hit something that you offer protection for very quickly, as opposed to if I know this employee has a weak password, I can monitor the heck out of them.
[David Spark] But again, I’m going to throw out my argument that the weak password is you’re open to, like, everybody. It’s like you’re a free-for-all at that point.
[Jim Bowie] I get it. But so, with phishing, phishing is going to be like two minutes with that person. You’re going to be compromised.
[David Spark] All right, I’m taking this to the audience. All right.
[Christina Shannon] [Laughter]
[David Spark] By applause, how many people, by applause, think the weak password on all accounts is far worse? By applause.
[Applause]
[David Spark] All right, all right. Lisa Plaggemier is on board with that one.
[Christina Shannon] [Laughter]
[David Spark] All right, by applause, how many people think falling for every phishing email is far worse?
[Applause]
[Christina Shannon] [Laughter]
[David Spark] All right. You guys win.
Oh, no! That totally SOCs!
21:06.447
[David Spark] All right, let’s put up the next slide and our next game here. What you see before you are 12 hidden experiences that could happen in your corporate environment. Now, 11 of them are varying degrees of bad. One is actually quite good. And one at a time, you’re going to each pick three, and then the audience will determine which one of you has the worst environment, but you’ll get to argue your case why yours isn’t as bad as the other person. Okay. So, just for everyone’s awareness, Christina is going to be blue, and Jim will be red. And you’ll see what I mean by that in just a second. So, Christina, pick one of the numbers, 1 through 12, right now.
[Christina Shannon] Seven.
[David Spark] Seven. Let’s reveal seven. All right, your security training is skipped by 80% of the employees.
[Christina Shannon] [Laughter]
[David Spark] We’re going to leave her blue. Now, you see there’s an icon in the corner, we’re leaving that alone. So, that is not good, 80% of your employees have no security training.
[Jim Bowie] So, it’s real life.
[David Spark] Yes, exactly.
[Laughter]
[Christina Shannon] Yeah, exactly. [Laughter]
[David Spark] All right, pick one of the other numbers, Jim.
[Jim Bowie] Twelve.
[David Spark] Number 12. Let’s see what we got. CEO’s login credentials posted on the break room whiteboard. Not good.
[Laughter]
[David Spark] All right. I don’t know how the heck that happened. You definitely have to have a better environment than that. All right, pick another one, Christina.
[Christina Shannon] Two.
[David Spark] Number two. The receptionist gives daily tours of the server room.
[Christina Shannon] [Laughter] That’s good.
[David Spark] That’s sweet of her. Or him. I’m sorry, I don’t want to say what it is. So, it could be him or her who gives a daily tour of the server room. What could be wrong with that? All right, Jim, pick one.
[Jim Bowie] Five.
[David Spark] Marketing sends customer data to the wrong email. Ooh, that is not good. All right, last one for you, Christina.
[Christina Shannon] Ten.
[David Spark] Number 10. A helpful employee resets a hacker’s password.
[Christina Shannon] [Laughter]
[David Spark] That’s very nice. All right.
[Christina Shannon] Oh, boy.
[David Spark] Now, I just want to point out you have not hit. There is one good one behind there and you have not hit it yet. So, one of those available numbers has the good one. Go ahead, pick.
[Jim Bowie] Eight.
[David Spark] Number eight. Training video plays while everyone scrolls on their phones. So, it sounds like you have a similar problem to what Christina has. All right. Now, Christina is the three blue ones here. The receptionist gives daily tours of the server room, security training is skipped by 80% of employees, and a helpful employee resets a hacker’s password. Not good, Christina. But Jim has marketing sends customer data to the wrong email, training video plays while everyone scrolls on their phones so they’re ignoring the training video, and the CEO’s login credentials posted on the break room whiteboard. All right. You, Christina, I want you to argue why your situation is not nearly as bad as Jim’s.
[Christina Shannon] Well, Jim already has data leakage, right? So, [Laughter] mine’s not that bad. The receptionist gives a daily tour of the server room, but we have everything locked down. All our servers and equipment and cages, those are locked. You have to get a key. Security training’s skipped by 80% of employees. Well, the 20% get access and the other 80% don’t get access to anything that’s not…
[Laughter]
[David Spark] And your helpful employee resets a hacker’s password.
[Christina Shannon] I’m going to really have to rely on my detection and response controls there, looks like.
[David Spark] All right. Okay, Jim, why is your situation better than Christina’s and hers is far worse.
[Jim Bowie] Well, what Christina didn’t tell you is her company does centrifuging for Iran.
[Christina Shannon] [Laughter]
[Jim Bowie] So, the tour obviously just ended her day. The training video’s playing while everyone scrolls their phone, I mean, even while doing this, some people are scrolling your phone, but you’re still learning something, right?
[David Spark] Yeah.
[Jim Bowie] It’s the osmosis. It’s something sinking in, right?
[David Spark] [Laughter]
[Jim Bowie] Sending wrong customer data to the wrong email. Look, guys, your stuff’s out there already. What else did they learn that they don’t already know?
[Laughter]
[Jim Bowie] Let’s be clear. It wasn’t that bad. I’m on 18. I don’t even have all these passwords and I’m on these sites. I have 18 different things on the hits every time I check my identity protection stuff, right? So, we’re all out there. It’s over. The game’s over on that front.
[David Spark] Now the login credentials of the CEO.
[Jim Bowie] Now the login, well, we don’t let him access anything anyway.
[Laughter]
[David Spark] How well you modified this game! Very good. All right. We’re taking this to the audience right now. Remember, the loser, that is the one who gets the greatest applause because we want to know whose environment SOCs more. So, by applause, how many people think Christina’s environment is far worse by applause?
[Applause]
[David Spark] All right. How many people think Jim’s environment is far worse?
[Applause]
[David Spark] I think Jim, you have actually lost on that one.
Sponsor – Cofense
25:49.687
[David Spark] All right. Let me tell you about Cofense. Did you know that in 2025, up to 94% of phishing and ransomware attacks are predicted to bypass so-called secure email gateways? Shocking, right? Well, that’s where Cofense comes in. Cofense has cracked the code on blending advanced technology with the power of humans to thwart cyber breaches. Instead of solely relying on technology, they make your employees an essential part of email security defense.
With millions of employees globally trained to spot sophisticated phishing attempts, Cofense delivers actionable intelligence straight from the front lines. Their integrated intelligence solutions don’t just stop there. Cofense automatically analyzes threats, removes malicious emails from inboxes, and quarantines them before a breach occurs, all in real time. Imagine combining global community insights with cutting edge automation. That’s how you outsmart bad actors. Now, Cofense proves that humans aren’t cybersecurity weaknesses. They’re the most vital component of your email security. Want to transform your email defense and stay a step ahead of today’s threats? You got to go to their website, and it’s Cofense.com. Check them out.
What about this AI security challenge?
27:23.148
[David Spark] We are seeing the tidal wave coming of deep fakes. Those of us here in the room just got a phenomenal presentation from Perry Carpenter of KnowBe4. We all need to be prepared, and that’s what we’re doing right now. Now, last year on this very stage, we recommended having a verbal password to avoid falling for deep fakes. I actually now have one for my family, and we have one for our business. And a recent paper with researchers at Google DeepMind, Stanford, and Northwestern found that with a series of interviews, they could create “simulation agents” that could match the responses of an individual 85% of the time across a range of personality tests, social surveys, and logic gates. Now, this did require two rounds of interviews. It took about two hours, and yes, 85% will show a lot of mistakes, but we’re all seeing this technology moving very rapidly. Verbal passwords is one type of defense. I’ll start with you, Christina. What other kinds of defenses can we create against deep fakes?
[Christina Shannon] Well, something we’re doing is if someone calls in and it’s on the phone and they want a password reset, we make them actually, if it’s a C-suite, and we train the C-suite to do the same, like, they’ll actually call them up on a video call just to make sure that it’s really them. That’s a new thing that we’ve recently started doing, but I mean, I think it goes to what’s your multifactor strategy, right? And then it’s also security awareness, teaching them if it’s too good to be true, it probably is, like the meme coins and things like that.
[David Spark] Mm-hmm.
[Jim Bowie] So, we get hit with this all the time in healthcare. They’re trying to reset doctor’s passwords, patient’s passwords, and finally had enough of it. The help desk, unfortunately, kept failing at it, and it’s not their fault because they want to help 99.9% of the time, and you’re asking them that 0.1% to be a jack wagon and not do anything, right?
[David Spark] [Laughter]
[Jim Bowie] So, what we did is we went with a vendor that can automate, and then we automated some custom integrations, thanks to my identity team. We took away the ability for the help desk to reset passwords, and it gets kicked off to a website that we made, goes to this vendor, they verify with facial recognition and an ID that the person is who they say they are, gets a confirmation back to the DTS, it automatically resets their password, sends them an FA challenge. We’ve done it. We started it last month, we’ve had 1,200 things go through, and every one of them’s been correct. So, that’s helped with that part of it. We’re going to roll it out to the rest of the business where you can challenge. If you’re on a phone call with somebody and you want to know who they are, it doesn’t matter if they belong to the organization or not, you can send them this link, and it will verify them digitally who they are, and then it comes back and says, “Yes, this is David,” or “No, this is not David.”
[David Spark] Have either of you had to use a verbal password for anything?
[Jim Bowie] Yes.
[David Spark] Yes, you have?
[Jim Bowie] Yes. Mm-hmm.
[David Spark] Let me ask, how do you weave that verbal password into whatever it is, or is it one of these kind of call and responses, like the boat will sail at midnight and they have to get the response to that?
[Jim Bowie] It’s a ridiculous phrase. I would say, “What’s the word I need? What do I need to hear?” and the ridiculous phrase is then said.
[David Spark] Right. Now, here’s the other thing, is that being that Perry showed us how easy it is to do deep fakes of audio, someone could just send an audio or do a fake phone call like what we saw, and would you stop the call in the middle of it and say, “What’s the keyword?”
[Jim Bowie] Yeah, absolutely.
[David Spark] And you just do it like that?
[Jim Bowie] Yeah, you don’t have to be natural about it because you’ll stop them.
[David Spark] And what about you received a voicemail that said it, and they said, “I need you to do this right now,” would they put that code in there or not, or how would that work?
[Jim Bowie] They better not because I told them never to write it down or put it in a recording.
[David Spark] Okay, that’s actually a good point. All right, very good point. What about you? Have you ever had to lean on the actual verbal password?
[Christina Shannon] Yeah. More personal, right? But we’ve used it a couple of times so far. Yeah, I think the verbal password, I mean, even still a year later, you said you guys talked about it last year, it’s still probably one of the very best ways. I mean, listening to Jim, though, I want to go by his solution. [Laughter]
How have you actually pulled this off?
31:38.814
[David Spark] All right, this is kind of a fun one. What are the most absurd security controls you’ve ever seen enforced by leadership? Did you implement them? Or did you find ways to work around them? Now, this question came on the cybersecurity subreddit, and it yielded some surprising security requests, such as the CFO forbidding the use of number pads to enter numerical passwords, demanding data center access be done via paper, and all business documents on personal machines with no backups. All right. So, I’ll start with you, Jim. Can you top any of these ridiculous things? Have you heard them? And when you get one of these ridiculous requests, do you agree to any or do you subvert them?
[Jim Bowie] So, it’s actually an interesting problem to be in to try to want to be less secure. It’s not less secure, but…
[David Spark] Well, none of these really, yeah.
[Jim Bowie] Less absurd than people already think cybersecurity is.
[David Spark] It’s a form of security theater here.
[Jim Bowie] Yeah, it’s theater, 100%. I actually ran into this, it’s not topping that, but I ran into this last week. We had a user click something they weren’t supposed to, and they didn’t mean to, and it’s not their fault. It was good. It showed up on Google for something they were searching for, and the solution from the C-suite, they asked me, like, “Why can’t we block every website?”
[Laughter]
[Jim Bowie] It’s like, “Okay.” The amount of capacity that I would need, I explained it to them, I said, “I need 50 FTEs, and you have to sign this form saying you won’t get mad at me when you can’t go to fluffykittens.com for your daily dose of kittens,” right?
[David Spark] [Laughter]
[Jim Bowie] I’ve recently walked them through, like, “That’s a good idea. It comes from the heart, and I appreciate that, but here’s why that’s not going to work, and here’s what you’re actually creating. And if I was a hacker, here’s how I’d bypass that.” And they were like, “Oh.” So, again, it’s about talking to people.
[David Spark] I like that. Can we block every single website? That’s a doozy. All right. What about you, Christina? How have you been faced with these kinds of things?
[Christina Shannon] Yeah, absolutely. Probably one of the bigger ones was earlier in my career as a manager at a real big company, and we had a business interruption related to not having a backup available or not taking a backup of the data, and the CFO at the time said, “That’s it. We’re going to take backups of everything. People’s My Documents, you name it, everything in the environment. We’re taking backups and we’re keeping them forever.” Well, I happened to be the manager of the storage and backup team at that time. [Laughter] I wasn’t in security yet, but enough to know that that’s not going to do a whole lot from an improved business continuity. It may help you restore the item that we had lost, but really, what we were doing was we were increasing our liability risk for a potential data breach that could happen without having any data hygiene. We were also increasing costs exponentially. And at the time, like I said, I ran the storage team, but it was like, “Okay, well, how many more million-dollar arrays are we going to buy [Laughter] for backup data?” So, what we did was we started doing data classification, right? And then we drove that through the company. And that’s how we got back to doing 30-day backups for most of the world and a little bit longer retention periods for the more critical stuff.
Sponsor – KnowBe4
35:03.131
[David Spark] Last sponsor I want to mention is KnowBe4. So, your employees are your greatest asset, we’ve been hearing this a lot through the show, but they’re also your biggest attack surface. Why? Because any suspecting employee can click first and ask questions later. Every click, email, and login is a potential risk. That’s where KnowBe4 comes in. Trusted by over 70,000 organizations worldwide, KnowBe4’s HRM+ platform empowers employees to make smarter security decisions every day. From cloud email security to real-time security coaching, awareness training, and even AI defense agents, they create an adaptive defense layer that strengthens your security culture. Cyber threats aren’t slowing down. The question is, is your workforce ready? You can learn more by going to their website, KnowBe4.com.
It’s time for the audience question speed round.
36:12.640
[David Spark] All right. I have a number of great questions that came from our audience here, and we’re going to get through them with the little time that we have left in this show, okay? Are you two ready?
[Jim Bowie] Let’s do it.
[David Spark] Ready to do this? Okay. This one comes from Laurie Streeter of Liberty Mutual. How do you deal with repeat offenders without being punitive – and when I say repeat offenders, I mean repeat offenders like the person who clicks on every darn phishing email – without being punitive and without repeat training that does not work? Laurie Streeter has seen this happen and does not know what to do. So, she would really like some advice. Christina, got any good advice for her?
[Christina Shannon] I mean, if the training’s not working, eventually it has to probably go to a little bit of corrective actions. That may not be that pleasant, but at some point…
[David Spark] What would a corrective action look like?
[Christina Shannon] It’d probably be escalating, right, to the supervisor, to the next level, and then looking at…
[David Spark] So, passing off your problem to somebody else?
[Christina Shannon] Well…
[David Spark] Jim’s nodding his head.
[Christina Shannon] Yeah. I mean, yeah, you got to tie it to their performance, right, at that point. That’s what I would do.
[David Spark] And I’ve mentioned this actually multiple times, I had a friend who worked in HR. They had a mechanic who literally failed every darn test. And he was not a knowledge worker, but I mean, it happened again and again and again, and they actually fired him because he couldn’t do it. By applause, has anyone had to fire an employee just because they couldn’t get it down? Anyone? Nope, nobody. All right. By the way, all my co-hosts were appalled by that story. All right. Jim, what do you do in this situation that Laurie is dealing with?
[Jim Bowie] Unfortunately, if you don’t have a lot of time, then the easy answer is not punitive, but what Christina said, right? Push your problem off to someone else in HR and be like, “Look, I got to take away your access. We take away your access, you can’t do your job. Do you belong here?” kind of a thing. But if you really want to solve this problem and you have the time and capacity to do it, you need to look at why the training’s not working. Sit down with them and be like, “Hey, man. What’s going on? Like, why? Why can’t we get through this thing?”
[David Spark] Just so excited when I see a link.
[Jim Bowie] Yeah.
[Christina Shannon] [Laughter]
[Jim Bowie] Like, “Can you see?” and then maybe show them like, “Look, when you click this link, this is what happens. This is why it’s bad.” And after you’ve personally tried it and he’s still not getting it, at some point you got to cut your losses. You are representing a company at the end of the day.
[David Spark] All right. We got a few more. Now, this has to do with, obviously, security awareness. It comes from Aaron Gallagher of Fastly. What do you care about for security awareness metrics? Like what is a metric in security awareness that means something to you, Jim? Oh, my God. He’s stumped already.
[Jim Bowie] So, a lot of security metrics are for operational to see if your program’s effective. If you’re talking about security metrics that I personally care about that I need to know, like if you said you only get one for the rest of your life, it would probably be my team’s engagement.
[David Spark] And how do you measure your team’s engagement?
[Jim Bowie] We do press scanning surveys every year, but if your team is starting to slip or they’re not engaged or they’re not happy or however you want to measure their morale, it’s not a matter of if but when, and that when gets real close real quick.
[David Spark] That’s a good one. All right. What about you, Christina? What’s the metric that means the most to you for security awareness? Did he take the best one?
[Christina Shannon] I think he probably took the best one because I would say I would probably chase after, from an operational perspective, who has the repeat click rates, right? And then figure out what we’re doing there.
[David Spark] Okay. All right. Similar to that comes from Brian Roberts of Campbell’s Company and says what are the invisible risks that don’t show up on a dashboard? Like there’s no way for you to see through any kind of metric that it’s there.
[Christina Shannon] I think man-in-the-middle attacks fit that bill. Those are one where clicking on a simple link can then lead into a big disaster that bypasses your EDR and detection tools.
[Jim Bowie] It’s a good one. Poor asset management. You can’t protect what you’re not seeing. So, if it’s not on the dashboard and you now have a whole segment of the network you didn’t know about that just got exposed. Don’t ask me how I know.
[David Spark] That’s a classic.
[Laughter]
[Christina Shannon] Dang. He beat me again. [Laughter]
[David Spark] All right. I got two more. Let’s get through these two really quickly. Roger Renteria of Discover Financial Services asks, and I like this one, what’s the most outrageous thing you’ve experienced from someone going into a facility? Now, this could be someone you hired to do a pentest or just something that actually happened.
[Jim Bowie] They unplugged the core router.
[David Spark] Someone came in and just pulled it?
[Jim Bowie] Yeah. They thought it was not the right one. They thought it was the test one or something, and they just went “beep.”
[David Spark] [Laughter]
[Jim Bowie] Yeah.
[David Spark] Well, it was that easy for someone to walk in and do that, I guess.
[Jim Bowie] Yeah. Because they were giving tours of the data center, which is why y’all should have applauded.
[Laughter]
[Jim Bowie] Right?
[David Spark] All right. What about you?
[Christina Shannon] I’ve seen, in my day, a pentest take down an entire ERP database because the pentester didn’t understand AIX and how Unix works.
[David Spark] All right. Well, that’s not walking into the facility. That was just doing a pentest.
[Christina Shannon] Yeah. Yeah. Yeah, that’s just a regular…
[David Spark] Anything about physically walking in?
[Christina Shannon] Physically walking in? I mean, I’ve worked at companies where if you don’t walk in with a badge, they’ll send you home. So, [Laughter] that’s one where we had a few times where a vendor at that company kept coming back without his badge. And then eventually it became one where we talked about it was a company policy, like do they get to be a vendor?
[David Spark] Okay. Well, they never actually made it in. Okay.
[Christina Shannon] Yeah. [Laughter]
[David Spark] All right. Last question, again from Brian Roberts of Campbell’s Company, and I like this one too. What have you learned about your security – I’ll start with you, Jim, on this one – by just walking around the office, or in your case, the hospital? What have you learned just by physically walking around?
[Jim Bowie] That the amount of stress and friction that we intentionally create in the environment has a real lasting effect on the stress of the caregivers and the patients. So, the more I have to carefully balance making their life harder to get into with letting them do their job and how much stress that gives them.
[David Spark] That is a good one. All right. Did he, again, steal the best one, Christina?
[Christina Shannon] Well, no, that was actually a really good one. I would say probably a couple things. So, I would say that when you run into the C-suite, I still think that sometimes they see the CISO and the security team as the tax man, right? And so, it’s like I think that having social conversations with the C-suite is extremely important because it’s really easy for people to hole away. The other thing I would say is that when you’re walking around the office, you notice that people are really siloed. Like the help desk doesn’t talk to the other part of your team because I run all of IT, right? And so, then that tells me, okay, well, if the help desk isn’t really engaging with the security team, then I got to go work on that. So, that way the help desk uses secure practices and doesn’t just reset the hacker’s password. [Laughter]
[David Spark] Very good.
Closing
43:24.254
[David Spark] Well, that brings us to the very end of this episode. Let’s hear it for my guests.
[Applause]
[David Spark] Christina Shannon, CIO over at KIK Consumer Products, and also Jim Bowie, who is the CISO over at Tampa General Hospital. I want to thank our sponsors. That would be Proofpoint, Cofense, and KnowBe4. Please go check them out. Please check out their work. We greatly appreciate their sponsorship. And I also want a huge thanks to the National Cybersecurity Alliance, the NCA, Lisa Plaggemier, who’s right here, who’s invited us. This is our fifth time doing a show at NCA, at the Convene Conference, so we greatly appreciate it. Any last words for my guests on stage?
[Jim Bowie] Thank you.
[Christina Shannon] Yeah, definitely. Thank you for having this. This has been a blast. Thank you.
[David Spark] Well, and thank you to our audience. We greatly appreciate being here. Thank you again.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.