Surveys show that most consumers support data minimization laws. However, the vast majority of security professionals don’t think they can convince their boards to see data minimization as a competitive advantage. Why isn’t the individual desire for data privacy translated to the corporate level?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Mandy Huth, SVP, CISO, Ultra Clean Technology.
Huge thanks to our sponsor, Vanta

Vanta automates evidence collection needed for audits with over 350 integrations, giving you continuous visibility into your compliance status. And with cross-mapped controls across over 35 frameworks, you’ll streamline compliance and never duplicate your efforts. Learn more at Vanta.com
Full Transcript
Intro
0:00.000
[Voiceover] What I love about cybersecurity, what I hate about cybersecurity. Go!
[Mandy Huth] So, what I absolutely love about cybersecurity is I have a really high altruistic need to help people, and so I get to help protect people from the bad guys and I get paid for it. And then what I hate about cybersecurity is that there are bad guys out there and that I have to deal with them.
[Laughter]
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. My co-host for this very episode, it’s Andy Ellis. He’s partner over at YL Ventures. Andy, say hello to the nice audience.
[Andy Ellis] Bonjour, [French 00:00:52].
[David Spark] Was this the good morning, good evening, all that, all in French?
[Andy Ellis] In French today.
[David Spark] Yeah.
[Andy Ellis] And my wife always complains that I am the only person who can make French sound like an ugly language. [Laughter]
[David Spark] All right. Well, anyone who speaks French in our audience, please criticize Andy’s performance, I would love to hear that. Not just his wife, but our listeners too as well. We’d appreciate that.
[Mandy Huth] Anyone.
[David Spark] By the way, that’s our guest, I’m going to introduce her in just a second. Hold on. I do want to mention that we’re available at CISOSeries.com. And our sponsor for today’s episode is Vanta – automate compliance, manage risk, improve trust continuously. That is key, by the way. We’re going to be talking more about just that.
Since she just spoke, I’m going to drag you into our opening little banter. This is Mandy Huth, who’s the SVP CISO over at Ultra Clean Technology. Brand new CISO, correct, Mandy?
[Mandy Huth] That’s right. Two months in.
[Andy Ellis] Ooh.
[Mandy Huth] It’s been a ride.
[David Spark] Awesome. Awesome. All right. I’m going to bring something up that I don’t even know if… You weren’t actually on the call yet when Andy brought this up. Andy hopefully will have closed on a house by the time this airs.
[Andy Ellis] That’s the hope.
[David Spark] That’s the hope. As I understand, Andy, you looked at one house, put a bid on one house and got one house.
[Andy Ellis] Yep.
[David Spark] Now, let me stress…
[Andy Ellis] And the house I’m currently in, same thing. Looked at one house, put a bid on one house, bought one house.
[David Spark] Same thing. Okay. Let me explain.
[Mandy Huth] I was going to say, do you usually buy two houses, David?
[David Spark] No, no, no, no.
[Andy Ellis] I’ve done that too, Mandy. So, it’s a separate problem.
[David Spark] Let me point something out. The first condo I purchased in San Francisco took me a year and a half. I overbid on six places before I got mine.
[Mandy Huth] Wow.
[David Spark] Similarly, when we moved down to San Diego, six months before we got a place.
[Mandy Huth] Wow.
[Andy Ellis] Yep.
[David Spark] Looked at plenty of places. Now, therefore, I don’t like you, Andy.
[Laughter]
[Andy Ellis] So, just to be very clear for all the people who are listening and going like, “How does Andy stumble into this luck?” My wife and I spend years refining our thesis for what our next house will look like every time.
[David Spark] And then it literally lands in your lap?
[Andy Ellis] No, it doesn’t land in our lap.
[Mandy Huth] Well, it does. It does. You put it out into the universe and the universe responds to you. I bet you that is what’s happening.
[Andy Ellis] It responds with Zillow. We then search on Zillow for a very long time. Like, “Oh, this is what this neighborhood looks like. Here’s what houses are.” And then when we’re ready, we find the house and we’re like, “Oh, that’s the one we want to go look at.” We go look at it. It’s the right house.
We make an offer. We’re done.
[Mandy Huth] I don’t like him either, David.
[David Spark] No, no, we both don’t like him. And by the way, I’m assuming most of our listeners don’t like him either.
[Andy Ellis] I’m just telling you, like, it is easier to buy a house now than it has ever been in the history of America.
[David Spark] I’m interested to know – well, because the interest rates are so high – I’m interested to know if any of our listeners have had the same kind of luck as Andy or you have the kind of luck that I have that takes forever.
[Andy Ellis] You make your own luck is all I’ve got to say, David.
[David Spark] Oh, really? I do?
[Laughter]
Pay attention! It’s security awareness training time.
4:04.154
[David Spark] “Security awareness training is at best a waste of time and at worst actively harmful to security.” J.M. Porup had this opinion seemingly confirmed by a recent study published at the 2025 IEEE Symposium on Security and Privacy. Now, the study saw failure rates on phishing fall only one to four percent, and contextual interactive training doesn’t help either.
No matter the training, phishing messages around vacation policy and dress code still work, and Porup’s point is that with limited bandwidth, employees will always choose to get their job done than care about security policy.
Instead, for better security outcomes, organizations should focus on simple, top-down technical controls – I know vendors who are listening to this. He compares the effort needed to get people to opt in to 2FA, where you’d struggle to get 50% adoption versus turning it on and everyone has to enroll to get their job done.
The findings of the report are pretty damning for security awareness training effectiveness. Do we need to rethink where we’re spending our time and effort? Andy, you were kind of cheering when I said it doesn’t work, that opening quote.
[Andy Ellis] Yeah. So, I just have to say, if you know J.M. at all, this is amazingly restrained, given how awful this research points out security awareness is. Like the correct answer is security awareness training is…we have a blind compliance. We do a thing because we’re told to do it, and it actively makes it worse.
There’s a lot of cases like this. One of my favorite examples, not to do with training, I was in a hotel in Cheltenham in the UK. So, those of you who know what is in Cheltenham, you know who I was visiting.
[Mandy Huth] I’ve been there.
[Andy Ellis] You’ve been there.
[Mandy Huth] Yeah.
[Andy Ellis] So, you know who I was visiting. And in the hotel bathroom, there was a sign stuck to the tiles inside the shower, clearly written by a lawyer that says, “For your safety and comfort, please ensure that the bath curtain is inside the tub and the bathmat is securely fixed to the tub bottom.” Right?
So, you can imagine they got sued or they heard about a story where somebody slipped in a tub and they’re like, “Make sure you do the right things.” Do you know what that bathroom didn’t have? A shower curtain or a bathmat. It was one of those European half-shower walls, and I’m like, “So, you have now actively made yourself more at risk because you went from being negligent to reckless.
You’ve told me there’s a problem, but you’re not going to do anything about it.”
And that’s where we are with security awareness training. The problem is that our technologies are fundamentally bad. The fact that somebody can email you a link and you click on the link and a bad outcome happens is the fault of our email system. The browser that you’re using, whatever client it is, the web browser and the email transmission.
It is not the user’s fault. Pretending it’s the user’s fault lets us get away with leaving the system bad.
[Mandy Huth] So, Andy, I don’t disagree with that.
[Andy Ellis] But I hear a “but” coming.
[Mandy Huth] There’s not a but. There’s not a but. There’s an “and.”
[Andy Ellis] Okay.
[Mandy Huth] It is not the user’s fault, and employees are incentivized to only do their jobs.
[Andy Ellis] Right.
[Mandy Huth] Security is an add-on. It’s a bolt-on. It’s something extra they have to do. When people think that it’s a shared responsibility and they understand why it’s important, they pay more attention. So, I don’t disagree with the research, right? Phishing simulation, more than anything, is only just to keep it top of mind, but I think there’s other ways to do it.
I think you’re communicating with them. You’re educating them. You’re telling them the “why” and how it’s relevant to their work. Because ultimately, if something bad happens and your business goes out of business, everybody loses. So, why isn’t security part of every single person’s job?
[Andy Ellis] So, the reality is it is part of their job, and they know that this is not security. Security awareness training, despite the word security at the front of it, has nothing to do with security, and so, they rightfully say, “You don’t care about security. So, why should I if you’re the one who’s paid to care about security?
Why are you wasting my time?” We did annual security awareness training when I was at Akamai. We had to satisfy compliance. And you know what it was? It was a cron job that emailed people a link that said, “Come here to click the button to say you got trained, and on that page is three paragraphs I need you to read,” and that’s the entirety of the training.
It takes you 30 seconds to skim it and you’re done because I know this is a waste of your time, so I’m going to minimize the waste of time. I had links in there to all of the awareness documentation, said, “If you want to go read it, go for it.”
[Mandy Huth] No one’s clicking on your link. [Laughter] They’re clicking on the email links.
[Andy Ellis] You say no one’s clicking on those links. But I will tell you, at least five times a year, we would get comprehensive and detailed criticism of those policies by people who had clicked through to read them because we said, “Look, here’s the policies. You’re welcome to read them, but we’re not going to force you to.” But enough people would go read them because they chose to because they cared about security, and I had told them, “I’m not going to make you read a 90-page document every year just to click a link.”
[David Spark] By the way, I want to tell you a very quick story. Last night, I ran into a woman who was the head of HR for a company I worked for 19 years ago. And I hadn’t seen her. I was like, “Oh, my God.” And I said to her, “You know what? I have to divulge something and reveal something to you.
When I left the company, I quit. When I left the company, you said to me I cannot take any files out the door with me, and I said, ‘Yes, of course.’ And yes, of course, I did leave the company with files.”
[Andy Ellis] Everybody does.
[David Spark] [Laughter] Everybody does. And she smiled, she goes, “Yeah, whatever.”
[Andy Ellis] Right. What you’re trying to do is make sure they don’t take specific types of files.
[Mandy Huth] That’s right.
[Andy Ellis] Right.
[Mandy Huth] And so, I think that’s where, Andy, I absolutely agree that what the research does say, one, I think we do need to communicate the “why” and help people understand how it’s relevant to their job. And I think that technical controls that make it easy to do the secure thing are really what our responsibility is, 100%.
What’s broken about cybersecurity hiring?
10:38.872
[David Spark] How are we creating the next generation of cybersecurity professionals? Caroline Wong, Director of Cybersecurity at Teradata, recently published a Forbes piece about developing cybersecurity talent. One option she highlighted was apprenticeships. Now, these allow for recruiting individuals from a variety of backgrounds and giving them a clear path into the industry.
One of the benefits of cyber is you can come from practically any background, but at the same time, everyone who wants to participate struggles to find a path to entry, and those who want to hire struggle to offer coaching advice. We have heard this a lot. So, I’ll start with you, Mandy. How can businesses do this without having to create another branch of the business to accommodate the apprenticeship program?
What do you think?
[Mandy Huth] I love that you asked me this question because what I see in my life, in my professional life, is that we spend six to nine months finding someone that can step into a role, right? They need to be able to hit the ground running and it just takes forever to find that person. Why don’t we have a pipeline and spend that six to nine months training someone the way that we need them to work, right?
Side by side. Now, what that does take, one, it takes intentionality, right? You’ve got to create a pipeline from internship to co-op to rotational to actual job offer. And if you have people in that pipeline, you are going to build good talent, but it also takes intentionality that you have to have good teachers.
And that is the one thing that I think we’re missing, right? We all have the best of intention, and we don’t put the foundation in place to actually get them to the end of that road, right? Because they don’t have people taking the time to educate them, and I think that’s where we really have to focus.
And I think we can do it. We have to do it if we’re going to have enough people to fill the jobs we need.
[David Spark] Andy, your take on the whole apprenticeship element, because should we formalize something like this? I mean, it just seems like more work for a business to be doing that.
[Andy Ellis] Yeah, I’m not a big fan of the apprenticeship, but I see where Caroline is headed and it’s in the right direction. I think Mandy landed on the key point, which is we have to commit to training. And that’s not just the people coming in. It’s our own people. The first thing you should do is commit to developing every member of your staff and saying, “How do I train you to get to the next job?” Which is cybersecurity experience, it’s management experience, it’s leadership, it’s interfacing with the rest of the company.
There’s a whole host of skills. And once you’ve committed to doing that, now it’s easier for you to take people in and say, “Well, this person needs more communication training and less cybersecurity training because I’m bringing in a technician,” or “This person needs more cybersecurity training, but less communications training because I just hired a reporter.” If you have a research team whose job is to publish research, and one of your people is not a former journalist, you’re doing it wrong because that is actually the person who brings in all of the skills that you need.
And yes, they aren’t a cybersecurity expert the day they walk in the door, maybe you got somebody off the security beat, but you can develop that better than you can teach somebody how to write English.
[Mandy Huth] Absolutely. No, I think you hit it spot on. And Caroline is always thinking of really interesting ways to do that. And as you said, apprenticeship maybe, but it’s really about it’s not a one-and-done, and are we training our own people to help them train the next generation?
[David Spark] Which, by the way, I want to double down on what you just said there. This is the number one problem, I think, around remote work is one of the advantages when you’re in your 20s and 30s, really your early 20s and you go to work, yes, you get the socialization of the office, you get the ability to work together, but you need to be around the people who are older and more experienced and learn from them.
When you aren’t there learning from them directly, you can’t really train up to be like them because you’re going to be replacing them, and I think that’s a major, major problem with remote work.
[Mandy Huth] 100%.
[Andy Ellis] I think there’s two different problems there and we should separate them. One is most places don’t know how to teach people other than through adjacency osmosis. Like, fix that if you want to be a remote work establishment, that is possible. But the other one is there’s a lot of opportunities that we never write down, and that’s what you miss if you’re not in person.
There’s a conversation happening two cubes away that has nothing to do with your day job, but it’s interesting and you listen, and you expand, and you grow. Those are the real opportunities you lose. You become so much more of a specialist when you’re a remote worker because you’re not even hearing about the things that aren’t necessary for your job.
Sponsor – Vanta
15:35.148
[David Spark] Who’s our sponsor this week? It is Vanta. They are our sponsor this week and they’ve been an absolute spectacular sponsor of the CISO Series. Let me clue you in on something about Vanta that you may or may not know. Let me ask you a question, though. Do you know the status of your compliance controls right now?
And when I say right now, I mean like right now, this very moment. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we usually rely on point-in-time checks. But get this, more than 9,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here’s the gist. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. And Vanta helps you get security questionnaires done five times faster, well, using AI, obviously. Now, that’s a new way to GRC.
You can learn more about doing just this if you go to Vanta’s site. And go to Vanta.com but go Vanta.com/CISO. You want them to know that we sent you there. So, Vanta.com/CISO, go check it out. Get continuous reporting in your environment.
It’s time to play “What’s Worse?”
17:00.889
[David Spark] Mandy, you’re familiar with this game, right?
[Mandy Huth] I saw this game, I listened to this game, I don’t know how to prepare for this game.
[David Spark] This one is tough.
[Andy Ellis] You don’t get to prepare for this game at all. You say, “I agree with Andy,” and you’re fine.
[David Spark] No, no, do not listen to him at all.
[Mandy Huth] [Laughter]
[David Spark] All right. I think this one is tough, and I hate when I set it up and I go, “I think this one is tough,” and then, Andy, you go, “Oh, this is easy.”
[Laughter]
[David Spark] Truly, I think, this one is tough. All right.
[Andy Ellis] Okay, let’s see how you did.
[David Spark] All right. Well, it’s not how I did, but I did choose, I think, a good one.
[Andy Ellis] Well, it’s how you did in choosing it and in prepping it.
[David Spark] Dustin Sachs of CyberRisk Collaborative, he’s the one who wrote this, okay?
[Andy Ellis] Dustin usually does some good ones.
[David Spark] He does some good ones. He also does some very silly ones too. But this one is a true “What’s Worse?” two scenarios.
[Mandy Huth] I’m really getting scared. Okay, I’m ready.
[David Spark] Get ready. The good news is Andy answers first. So, you just hang tight. You agree or disagree with Andy. And then you have to give your reasoning too. Sometimes people agree, but for different reasons. That also can happen too. All right. What’s worse? You’re discovering an advanced persistent threat, an APT group has had access to your network for a year.
Pretty bad.
[Andy Ellis] Only a year. We’re looking good.
[David Spark] [Laughter] You’re looking good. Or realizing your incident response plan has significant gaps during a real-time attack. Which one’s worse?
[Andy Ellis] Oh, the first one.
[David Spark] The first one’s worse.
[Andy Ellis] I know, I’m making you upset here.
[David Spark] Why is this so easy for you?
[Andy Ellis] Because I ran incident response. Like I was responsible for…
[David Spark] But no, but there’s significant gaps in it.
[Andy Ellis] That’s okay.
[David Spark] There are always significant gaps?
[Andy Ellis] There’s always significant gaps. If you’re not discovering significant gaps when you’re doing a significant incident, then you’re probably not looking close enough.
[David Spark] So, hold it. The only reason that the first scenario is worse is because the second scenario, which is bad, happens all the time.
[Mandy Huth] No, but the second one, Andy, you’re right. We should be practicing it anyway.
[Andy Ellis] Right.
[Mandy Huth] So, even if there are significant gaps, we know most of it.
[Andy Ellis] We know most of it.
[Mandy Huth] Right. But I’m really worried because if you’ve been in there a year, my logs probably only go back nine months.
[Laughter]
[Andy Ellis] One is I have been owned for a year, and the second is I need to improve my processes. I’m going to take improve my processes over being owned for a year.
[Mandy Huth] Yeah.
[Andy Ellis] So, here’s the reality, which is at the core of incident response, you can either say you have no gaps or you have all the gaps and you’re always in both of those states because the correct answer is you have empowered somebody to run the incident who has the authority to spend the company’s resources commensurate with the level of incident they have.
If that is true, you ultimately have no gaps because that person is capable of closing them in real time. If you don’t have that, then you have the only gap that matters, which is you don’t actually have an incident response program at all.
[Mandy Huth] Right. 100%. Incident commander is in charge, and if they’ve practiced and even if there are things missing.
[Andy Ellis] Right.
[Mandy Huth] Sorry, David. I agree with Andy on this one. It’s 100% the first one’s worse. Yeah.
[Andy Ellis] We define it as a credit card. Like you have an incident commander, and they have to be senior enough to have the right credit card, which is if you have a tier one incident, you have severity one incident, they have a credit card to create as many non-severity one incidents as they need to solve the severity one incident.
If they have that clout and authority, then you’re fine.
[David Spark] But let me again, playing the devil’s advocate here.
[Andy Ellis] I love when David does this. He’s like, “I thought this was hard. I have to make it hard.”
[Mandy Huth] He really thinks it’s the incident response answer. [Laughter]
[David Spark] I just thought it was more equal than the way the two of you are approaching it. But no, you make a very good argument. I’ve got nine months of logs and they’ve been in there for a year. So, that is a good point. But nothing’s happened yet in the first one, but it could just be the walls could come crumbling down.
[Andy Ellis] They have owned my systems for a year. You did not specify nothing had happened yet. Like, what if this was Operation Aurora?
[David Spark] No, nothing’s happened yet. Nothing’s happened yet in the first.
[Mandy Huth] They’ve gained persistence, and you have no idea where they are.
[David Spark] The second one is there’s an incident happening and you got a giant gap.
[Andy Ellis] Yeah, but you didn’t say what the type of incident was.
[David Spark] We don’t know yet, I know, but there’s a lot of ifs on all of these scenarios.
[Andy Ellis] Lot of ifs.
[David Spark] Lot of ifs.
[Mandy Huth] And incident response, honestly, we always say it’s not about… You know, you have to plan that you’ve been owned. Fine. So, you have to know how to recover. Everybody should be practicing that, I feel like.
[Andy Ellis] Right.
[Mandy Huth] Please don’t let anybody into my network. [Laughter]
[Andy Ellis] Yeah. And you should be editing your incident response program and documents every time you have an incident. If you walk out of an incident and you have no edits to make, you did something wrong. Or you’re amazing, come talk to me.
[Mandy Huth] I might have recency bias, David. I just ran my annual. So, we do it twice a year, right? One is a table read-through and then we do a tabletop exercise, right? So, I definitely have some recency bias. [Laughter] We just updated that bad boy.
[David Spark] Well, this is what happens when you’re only a journalist and producer and you’re not actually a security expert.
[Andy Ellis] Right. Haven’t actually lived the pain.
[David Spark] You have a very clouded view of what’s good and bad. I just thought, given that it’s happening right now, and the other one is a big if, a big, very likely if, an extremely likely if, but the first one’s like…
[Andy Ellis] No, the first one…
[David Spark] Oh, I mean the second one, I’m sorry.
[Andy Ellis] Right. You’re seeing it that way. But the first one is that. It’s happening now and has been happening for a year.
[David Spark] Yeah.
[Mandy Huth] Yeah.
[Andy Ellis] So, we just detected that we had been compromised for a year versus we have some incident, we didn’t even specify what the incident was, and our response program has gaps. You didn’t actually say, “And they did all these things.” No, our response plan has gaps. Of course it does. Like, “Oh, we didn’t think about the fact that we have to do end user notification in this region…is a gap that I’ve got to solve in real time.” And so, I’d better have a robust and dynamic program that can solve gaps in real time.
[Mandy Huth] But we have a chance to respond. I mean, detection and really containing somebody that’s been in my network a year? Oh, that sounds awful. It sounds like a really long, long, long opportunity to practice your incident response plan.
[Laughter]
[Andy Ellis] Yeah, like I’ve had to real time build defenses for the incident of a government wanting to be able to log into one of our systems in real time with fingers on keyboard, and we need to surveil and monitor everything they do remotely. They have physical access, and I don’t. Like, I didn’t have that in my response plan the day before it happened, that’s a gap.
[Mandy Huth] Right.
[Andy Ellis] Okay, but we had the ability to solve that problem, identify what we were going to do. It’s a fascinating story. Someday, somebody find me with a glass of wine, and you can have it.
[Mandy Huth] Sounds like I’m coming to visit soon.
As a CISO, what do you think of this?
24:04.079
[David Spark] We all like to boil down complex topics into easily understood statements. So, let’s try this one out from Ross Haleliuk, who is the author of Venture in Security. He says, “There are only two sources,” two, you can boil them all down, “Only two sources of security issues – software bugs and configuration mistakes.” So, he points out that the former exists due to an industry-wide lack of incentives around software quality.
There’s never a “right time” to focus on security for a vendor, and security engineers aren’t compensated for writing secure code. Because we lack these incentives, shifting left isn’t going to be our salvation for secure code. Instead, we should have security engineers build secure defaults and make them easy to adopt.
Now for configuration issues, he points to CISA’s recent Secure-By-Default initiative, which calls for shipping extremely hardened default configurations with a set of loosening guides to change defaults as needed. All right, Andy, I’ll start with you on this. Can we simplify all security issues down to software bugs and configuration mistakes, or have we left something out?
[Andy Ellis] So, we have left a lot out, but I can simplify it even further, which I can say that the only source of security issues comes from a gap between expectation and implementation. The customer expects something, and you have implemented something different. Like they decide to use your open-source embedded web server to run diagnostics on an implanted dialysis machine.
Boom, we have security issues because what you implemented was not designed for healthcare. Right? You expected to implement bug-free software, you implemented software with bugs. Boom, that captures his software bugs. Right? Configuration is you expect it to be used in one way, it gets configured a different way.
Like every nested down through it, it’s like how do you operate it versus what was expected? That’s the only source, but the reality is you’re never getting rid of that gap between expectations and implementations.
[David Spark] All right, I throw this to you, Mandy, do you think it’s all simplified?
[Mandy Huth] I love where he’s going and I have to do a shout out, right? Because we always talk about hardening all of our systems. I love that CISA has talked about secure-by-default and you actually have to loosen your tie. I love that, right? Because I do think that it captures most of it. But if you think about what the Verizon DBIR says, right?
There’s system intrusion, there’s miscellaneous errors and there’s social engineering. So, okay, yeah, what he talks about is definitely vulns, credentials, malware. All of those can be boiled down. But how do you stop the misdelivery of information from like a data exposure? Oops, I accidentally sent this to 50 people and this Excel sheet had a whole bunch of numbers.
You can’t code for that. I mean, you can try to put technical controls and DLP in, say, “Hey, wait, wait, wait, there’s a lot of data and you’re sending this to a lot of people.” So, we can do that. But I think they’re missing the human piece of it.
[David Spark] And also, I think everything that comes as a result of social engineering would probably fall into that category as well.
[Mandy Huth] Absolutely. And so, yeah, we can get to stricter configuration so that we can minimize the ability of social engineering. We can make our filters heavier, right? Our email filters. But at what cost to the business and at what cost to the user, right? Because when you lock it down so much, how do they do business?
Or they miss that really key email, right? So, there’s an inflection point that pops over. So, I don’t think it can be just those two things. I think it hits a lot of things. And I’m 100% really thinking about how do we start strong and loosen? And that shows us being an enabler versus us being the police adding friction.
How about we start with the friction, and we become the good guys that are loosening it for the business? Just something to think about.
[Andy Ellis] Yep. I actually did a talk on this very topic at RSA last year, was the talk on you can’t measure risk. But I really just talked about like the hazards that we think of as security issues, like it’s customer needs, product goals, product design, engineering, implementation, operation. Those are sort of the six spots that the gaps between them is where you get a problem, right?
And Mandy’s just talking to you, “Hey, look, you should configure it correctly, but you should also operate it correctly.” How many people have flaws in how they just operate their software that has nothing to do with the software misconfiguration?
Is this really the right strategy?
28:50.687
[David Spark] Are companies missing an opportunity with privacy? A recent Consumer Reports survey found that 75% of Americans across partisan lines support laws requiring data minimization. That would seem to indicate privacy could be an important differentiator in a crowded market. Yet the ISACA State of Privacy report found that just 6% of privacy professionals think their board of directors view their privacy program as a competitive advantage, as opposed to 42% seeing it as compliance driven.
The idea of privacy seems to still carry a lot of weight with individuals. By the way, after speaking to some university professionals – college students, heavily, heavily concerned, actually more with privacy than security, believe it or not. So, my question to you, Mandy, is why aren’t we seeing that translated on a corporate level?
Or is it? I mean, this is from one report, but it seems globally that privacy still isn’t heavily adopted. My main argument, just by the way, is often the business wants the data and that kind of wins out often.
[Mandy Huth] Yeah, David, you hit spot on, but I’m going to play the devil’s advocate here. The company definitely wants the data, and I’m going to tell you my personal preference. This is speaking from my own mind. In my house, I am an Apple ecosystem and the reason I’m an Apple ecosystem is one, ease of use, right?
So, I don’t lose anything, but two, I have always felt that Apple will go to bat to protect my privacy. That doesn’t mean they don’t use my data. I know they do, but they’re protecting it in a way that I feel is a differentiator for them, right? You ask me if I’m going to choose an Apple product or an Android product, right?
And every time I’m going to choose Apple because I think that their privacy is a differentiator for them. So, what companies in my mind need to really work towards, they say things, and everybody has a privacy policy, but they don’t say, “We’re going to go above and beyond,” right? And they don’t, and they don’t communicate and act that way and that’s the difference because you can say all the words, but until you actually do those things and people know about the things that you’ve done to protect them, I think it’s going to continue to be a problem.
[David Spark] Apple has kind of led the way of publicly acknowledging that they’re trying to use privacy as a differentiator. They have billboards about it in fact as well. Andy, where do you think companies are shifting on privacy?
[Andy Ellis] So, I actually honestly don’t think they’re shifting that much. I think we’ve seen some of the really big players – Apple and Google are probably near the top of this – that have basically said, “Look, we’re here to protect,” and they focus on it in different places. Like, I am going to use a Google web browser before I’m going to use an Apple web browser because Google has focused differently in that area, and I think they’re much better than Apple’s going to be.
But then we are using Facebook, and let’s be honest, Facebook doesn’t care about our privacy at all. And fundamentally that’s our challenge, which is people say they care about privacy, but then they make choices that make it very obvious that they will trade away their privacy for just about everything.
[Mandy Huth] 100%.
[Andy Ellis] How many people went to use the Little Red Book app, XiaoHongShu, when TikTok was being shut down, but literally they went to an app that is the “little red book” run by the Communist Party of China. Like, come on, you voluntarily chose to hand your data over to a foreign government, not even a company.
People are demonstrating that this is not actually as important as they say, and that’s the disconnect.
[Mandy Huth] Do you think it’s not important, Andy, or are they missing the point when they click on the terms and conditions of, one, what they’re accepting, and two, it’s not that they don’t value their privacy, they value convenience more.
[Andy Ellis] Right. They value convenience more, but that function, it lets us say they’re not valuing privacy, at least at the level of convenience.
[David Spark] But also take a look at the Cambridge Analytica case, which the privacy was so obliterated in that. But the thing is, if you looked at the web and how your data was shared, it was beyond anyone’s human imagination. Like, what the heck? It’s like, “What the heck just happened here?” It was like a privacy explosion.
And I think the problem is it’s so damn confusing that no one can really understand how their privacy is being abused.
[Andy Ellis] So, you can’t understand how it’s being abused, but at this point, like, I’m not going to give you the benefit of the doubt if you believe it’s not being abused. Like, first of all, we should acknowledge that everybody should say, “Yep, I know my privacy is being abused, and I know who some of the big abusers are.”
[David Spark] Mm-hmm.
[Andy Ellis] When you demonstrate that you will figure out how to deal with your privacy away from the big abusers. Now, like the fact that there’s this big explosion and those big abusers are still abusing your privacy, even when you don’t use them, completely different problem. Here, you want my big pet peeve about privacy?
The number of people who call my cell phone to sell me stuff. Let’s just be clear. If you’re listening to this podcast and you work for a vendor, your company should never call my cell phone ever…
[David Spark] Hold it.
[Andy Ellis] …unless I have a contractual relationship where I gave it to you.
[David Spark] Girl Scout cookies.
[Andy Ellis] I don’t want the Girl Scouts calling my cell phone.
[David Spark] A little girl that’s a neighbor of yours calls you to sell you Girl Scout cookies. You hanging up on her?
[Andy Ellis] There’s a good chance that I might.
[Mandy Huth] I won’t answer the phone because I don’t have her in my contacts.
[Andy Ellis] I don’t have her, right. But if it’s a friend across the street…
[David Spark] You probably have the parents, she used the parents’ phone. You know what?
[Andy Ellis] Right.
[David Spark] I don’t think you want to be a neighbor of Andy.
[Mandy Huth] [Laughter]
[Andy Ellis] But a friend across the street that I have a relationship with. Right? That’s different. I’ve given you my phone number. No, what I get is I get people who are making phone calls or reach out that…
[David Spark] I know. I know. It’s a big no-no.
[Andy Ellis] They’ve just harvested me somewhere and said, “Oh, look, we think you’re a perfect fit.” I get this all the time, “We think you’re a perfect fit to invest in our late-stage company in the non-security world.” Like, really? You didn’t even bother to leverage the privacy breaches you should have.
We publicly tell you what we invest in and yet you harvest my data and don’t look at the public information. Sorry, my pet peeve.
[David Spark] I understand. I recognize it.
[Mandy Huth] Hey, Andy, I promise never to call you unsolicited.
[David Spark] Awesome. Thanks, Mandy.
[Mandy Huth] [Laughter] You’re welcome.
[David Spark] I promise Andy that if I want to solicit you, I’m going to call Mandy first and have her call you.
[Mandy Huth] [Laughter]
[Andy Ellis] You’re just going to Slack me. We know how this works, David.
[Laughter]
Closing
35:57.192
[David Spark] All right. That brings us to the end of this show. Mandy, you were fantastic. Thank you so, so much.
[Mandy Huth] Thank you for having me.
[David Spark] Greatly appreciate it. Two months into the job.
[Mandy Huth] Love it. It’s going to be a ride.
[David Spark] How’s it going?
[Mandy Huth] It’s going so great. I love when I have the opportunity to make change that really helps a company, and it’s the semiconductor industry. So, our customers are some of the most important players in that industry today. So, I’m super excited to make sure that our customers know that we do protect their data.
[David Spark] That’s awesome to hear. I want to thank our sponsor, by the way, that would be Vanta – automate compliance, manage risk, improve trust. Here’s the key word, continuously. You want to do that yourself, don’t you? Go to their website. That’d be Vanta.com/CISO. Make sure you add that /CISO, so you know they came from us because then they continue to support us.
And if you’re going to support them, support us. All it takes is a /CISO at the end of Vanta.com. Mandy, are you hiring over at Ultra Clean Technology?
[Mandy Huth] Absolutely.
[David Spark] I’m assuming you have a jobs board over there, yes?
[Mandy Huth] Yes. Yes. Look at our careers.
[David Spark] And could they contact you maybe through a LinkedIn, not pick up their phone and call you, but contact through LinkedIn and say, “I heard you on the show. I heard you have a job position. I’m very interested in this position. I would like to apply”?
[Mandy Huth] If you’re looking to work for a moving company, absolutely. Do not call me.
[David Spark] Don’t.
[Mandy Huth] I won’t answer because you’re not in my contacts.
[David Spark] Call Andy if you’re interested in a job at Ultra Clean Technology.
[Laughter]
[David Spark] Because he will not be able to help one iota at all.
[Andy Ellis] Not at all.
[David Spark] That’ll be a wasted call.
[Andy Ellis] But I probably have an automated response to send you.
[David Spark] By the way, Andy, I am doing an SKO very soon, and my opening slide is to talk about your letter.
[Andy Ellis] Do you know I now have three versions of it? Because I have one that says you’ve asked me for money as an investor. So, here’s the like, “Please go away.”
[David Spark] No, but I am referencing your letter.
[Andy Ellis] Yeah. Right. The vendor rebuff message.
[David Spark] At an SKO that I’m doing next week. I’ll be in an SKO.
[Andy Ellis] Yeah. I have a security vendor rebuff, I have a business vendor rebuff, and now I have a funding rebuff.
[Mandy Huth] Yeah. Andy’s definitely going to have to share that with me, I love it, that way…
[David Spark] Well, you can just look it up. It’s public.
[Andy Ellis] Yeah. If you Google vendor rebuff, it’s the first hit.
[Mandy Huth] Vendor rebuff, I got it.
[David Spark] Yeah. Speaking of things that are first hits, I don’t know if it’s still there, and I wrote this article, I’m going to say 25 years ago, if you type in “improv sucks,” I don’t know if it’s still there.
[Mandy Huth] [Laughter] Are you doing this real time, David? [Laughter]
[David Spark] Yes, it is. It is at the top…
[Andy Ellis] Improv sucks, you’re the second hit for me.
[David Spark] It’s the second hit. It’s also actually I’m the first hit as well because in that Reddit discussion, they’re talking about my article.
[Andy Ellis] Yeah.
[David Spark] But I wrote, because I used to write for Second City out of Chicago, and I’ve worked as a standup comic, and I wrote this whole article about the Montague-Capulet rivalry between improv and standups, and it got a lot of attention way back when. Let me just say also, I don’t believe a lot of the things I wrote, today, back then.
So, this may be even 30 years ago, I wrote it a long, long time ago.
[Andy Ellis] Second City’s great. We took our kids there a couple years ago when we were doing college tours.
[David Spark] So, they had a whole corporate entertainment division, and we would have companies who wanted the Second City people performance to come, and I’d write some of the silly sketches that they would perform. I was not a performer myself. In fact, that’s another thing. Type in, “David Spark and improv,” and you’ll see me doing a bit on stage about how much I suck at improv.
That’s because I’m not good at improv.
[Andy Ellis] Oh, and Mandy, since you’re within your first quarter of being a CISO there, you should check out my CISO 91-day guide.
[David Spark] Oh yes.
[Mandy Huth] Oh, it’s 91 days? It’s 90 plus one? [Laughter]
[Andy Ellis] Ninety-one to make it easier to Google. Well, because one quarter is 91 days.
[David Spark] Oh, I didn’t know that.
[Mandy Huth] [Laughter]
[Andy Ellis] So if you Google, “CISO 91 day,” it’s going to be the first tip.
[David Spark] All right.
[Mandy Huth] That’s very nice.
[David Spark] While everyone’s Googling something, I’m going to sign off and thank our entire audience because can I tell you, you know what is hot death for a podcast? Listening to people Google stuff!
[Mandy Huth] [Laughter]
[David Spark] Thank you, everybody. We greatly appreciate you contributing to the CISO Series Podcast. Send me some more “What’s Worse?” scenarios, ones that are equal that I don’t look like a fool when I say, “This is tough,” and Andy says, “That was easy.” I look like a buffoon.
[Mandy Huth] [Laughter]
[Andy Ellis] Au revoir.
[David Spark] Goodbye, everybody. Thank you for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.