Don’t Ask “Can” We Secure It, But “How” Can We Secure It

Do security professionals limit themselves when they ask “if” they can secure something? How would the approach, and the problem solving change if they instead asked “How?”

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Hanan Szwarcbord, VP, CSO and head of infrastructure, Micron Technology.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Query

Query is a Federated Search and Analytics platform that builds a security data mesh, giving security teams real-time context from all connected sources. Analysts move faster and make better decisions with AI agents and copilots that handle the grunt work and guide each step. Learn more at query.ai

Full transcript

Intro

0:00.000

[David Spark] Do security professionals limit themselves when they ask if they can secure something? How would the approach and the problem-solving change if they instead asked, “How”?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO series. And joining me as my co-host… He’s normally not the co-host of this show, so don’t get confused because many people would. He’d normally co-host the CISO Series podcast, but you’ll see in a moment why he’s co-hosting this episode. It’s Mike Johnson, CISO of Rivian. Mike, say hello to the audience.

[Mike Johnson] Hello, audience, and surprise, I’m back.

[David Spark] He’s back. Now, it doesn’t throw you at all, Mike, that you record this show when you normally record the other show.

[Mike Johnson] I’m a professional, David. I pick this up and I go. I mean, we’ve been doing this… I think we decided almost seven years, so yeah, I got this.

[David Spark] Almost seven years. It’s mind-blowing. Yes, I’m impressed. All right. Our sponsor for today’s episode is Query. “Security data is everywhere. Put it to work.” Query, it’s a federated search and analytics platform that essentially connects all your data sources. No more manual connections yourself. They do it for you. More about just that a little bit later in the show.

Mike, the topic is you’re responsible for it. And let me just set it up for everybody else. Tapping into a creative mindset is an underappreciated skill in cyber security. And Mike, you pointed out on LinkedIn that we often don’t allow ourselves to think creatively when we ask if we can secure something rather than, “How can we do it?”

Now, this more positive approach is similar to the “yes, and” rule of improv, and very opposite security’s poor branding of being a “department of no.” So let me just ask you, when you do this exercise, and hopefully, it actually becomes a mantra for security, what are the broader benefits to opening yourself up to creative possibility, Mike?

[Mike Johnson] You very much nailed it with the “Yes, and” approach to improv. That was in the back of my mind as I was writing this. And it really is all about just changing the way that you think. It’s very easy to just be closed off to say, “No,” but if you force yourself to say, “How” rather than, “No,” “Maybe,” “Yes,” it moves it from a binary question into that different part of your brain that gets you creative and gets you thinking about, “What can we actually do?”

It may still not be a great idea. It may still lead you down a path of, “Wow, this would be really difficult to do,” but it might also get you to a place of, “We can actually do this pretty easily.” And then you take it back to the business or you take it back to the requester and say, “Yeah, we can do this. Here’s what it would take.” Quite often, they’ll then jump in and go, “Oh, okay, great. We can do that.” And that then moves it away from yes/no to everybody gets what they need out of it.

[David Spark] And I’m looking for a yes/no answer from you. Have you pulled this off? Have you gone to the “How” mode and actually secured something that an initial response would have been, “No, we can’t,” from you initially thinking it?

[Mike Johnson] Absolutely. And it happens so often that I have a hard time coming up with an example. Because it really is a way of thinking and it’s a way of making progress.

[David Spark] The Mike Johnson philosophy of approaching security. That’s how… By the way, I’m branding it right there.

[Mike Johnson] Okay. Thanks, David. Thank you.

[David Spark] You’re welcome, Mike. All right. The person who’s going to join us in this discussion, he’s excited about being part of this discussion as well. We’re going to find out if this is his philosophy as well. He may steal the branding from you, Mike. We’re going to find out in a moment. He is the VP and CSO and Head of Infrastructure over at Micron Technology, none other than Hanan Szwarcbord. Hanan, thank you so much for joining us.

[Hanan Szwarcbord] Thank you for having me, David. It’s great to listen to you every day on my way to work. And great to have you here, Mike, as well.

How important is this issue?

4:18.263

[David Spark] Pete Salama said, quote, “Your comment on ‘How can we?’ versus ‘Can we?’ is one of growth versus fixed thinking.” Love that. I mean, that nails it right there. “Throughout my career the ‘How can we?’ question was my default go-to. I considered it an opportunity to grow, to help the business grow. One of the roles of security is to provide checks and balances to enable the business to operate securely, reducing risk, not to limit its innovation and operations.” I mean, that quote is on the frigging money right there.

And Aleksandra Melnikova of SquareX said, quote, “We need more how-to approaches rather than a ‘Can I?’ attitude in cybersecurity. Especially with GenAI, many organizations choose to block these tools entirely, which may secure an enterprise but isn’t always the most efficient strategy.” So Mike, both Pete and Aleksandra are fully on board here.

[Mike Johnson] Yes. And I give a lot of credit to Pete in that if he’s done that his entire career, that’s not how I was taught. The early days of security was very much the department of no mentality, and this is something that we’ve evolved over time. So, kudos to Pete for always asking the “How” his entire career. I think it’s, again, an example of how we’ve progressed as a career.

[David Spark] I’m throwing this to you, Hanan. I didn’t even ask you because I asked… Have you adopted this philosophy yourself? Give us sort of your background. And did you start with the “Can we?” and evolve into “How”?

[Hanan Szwarcbord] We’ve been doing security for over 25 years. We absolutely didn’t start with a yes. We started with a hard no, started with blocking everything that we could. We started making life as hard as we can because we didn’t know anything else, and we were IT guys trying to do their best job.

I think over the last years, probably the last five, 10 years, there’s obviously the CISO mentality of, “We are going to enable the business,” which is a good next step in our evolution. I think now we’re starting to move into the next step of the evolution.

The AI, the LLM evolution is forcing us to make changes and to have that level of flexibility to better understand the business, to better understand the challenges, to better understand the opportunities, and to see how we can better connect them.

One of the things that I’m really excited about my position in Micron is managing both the IT infrastructure and the security team. And my job is to find ways to securely enable the business to do it right the first time, but as default, making sure that we’re saying, “Yes,” and, “Yes, but,” in some cases, but still find the ways to do it.

[David Spark] So, let me ask you about the creative exercise itself. I’m sure you’ve been posed a challenge and your first sort of knee-jerk reaction might be, “Ugh, yikes, can we do that?” How do you shift yourself into that, and what… And again, I’m sure there’s lots of examples, but just give me one example of something. And you don’t have to be specific to your business, but just an example so we can understand what this is.

[Hanan Szwarcbord] My method is using a squishy ball and breathing. I use the same breathing my wife was taught for labor. So usually it works. I think what we’re trying to do is really analyze what the risk is. We’ve done a really good job better understanding what is the risk to us? What do we consider as a high risk?

And we focus on those risks and we focus on trying to really understand what the business is trying to do. Are they trying to create a new LLM, or are they trying to use something off the shelf? Are they trying to open a port to who knows where, or are they trying to just connect to one of the vendors? I think the challenge is really understanding what the risk is and what the business is trying to do, and then finding smart ways to allow that.

How would you handle this situation?

8:13.370

[David Spark] Let’s put the “How” theory to the test. Here’s a discussion about how to secure AI. First, David Ethington of Paramount said, quote, “It helps that most new things, despite being new, tend to follow foundational tech rules. AI takes input and generates output, albeit in a complicated manner. That being said, it has already been shown that you can introduce data that can impact the system in various ways.”

And David (Wood) Messerly of Cyberhaven said, quote, “Seeing ‘how’ a lot with the questions we’re getting asked a lot, like, ‘How can we put guardrails on shadow AI apps to prevent sensitive/confidential data egress/ingress (source code, intellectual property, customer data, etc.) with public LLMs?’”

So I think this example, just around LLMs in the “How,” I’m sure this has come up. It’s come up with absolutely everybody right now. How have you approached this “How” discussion around AI and LLMs, Hanan?

[Hanan Szwarcbord] That’s actually a really good question, one that I’m sure every CISO and every CIO are facing right now. I think the challenge is really understanding what are we trying to do and what the business is trying to access, and then creating the guardrails around that.

I think the challenges are that some of the tools that we’ve been working to fix, and tools that we’ve been trying to work with, DLP for example, Identity for example, we haven’t fixed them. We don’t really understand our data. We still don’t really understand who’s trying to do what.

And the challenge is that LLM engines, the AI requirements that the business has for us at this point are just magnifying those gaps. I think what we were trying to focus on and the way that we’re looking at these problems is really focusing on understanding what those LLMs are going to access and analyzing the risk from the business perspective, and then putting the right guardrails to reduce that risk, still enabling it where it makes sense.

[David Spark] Give me the idea of the kinds of guardrails you would put in for an LLM concerned about certain data sharing access, entry, you know, whatever it would be.

[Hanan Szwarcbord] I think the first step that we did is really go back and understand our data. Focus on our mostly classified data and put the right controls around that. Controls like role-based access, IP protection, segmentation of our network, segmentation of our environment.

Making sure that the just-in-time concept is in play, the zero trust concepts are in play. Making sure that when we start walking into the LLM era, into the AI era, we have the same controls put in place to provide the same level of protection to the company, but still allowing them to access the data that they need.

[David Spark] All right. I’m throwing this to you, Mike. I am sure you’ve had this conversation about AI, LLMs constantly. What I’m buoyed by with AI is very few organizations truly blocked it when it… Because we’ve had a history of that with new technologies initially gets blocked. But most realized the benefit here.

Were you more saying like, “Let people play with AI here. Let’s create guardrails,” like what Hanan mentioned? Or did you say, “Let’s have very business case-specific situations and only build it for just that”? How did you look at the problem?

[Mike Johnson] The early days of AI, people were still trying to figure out what the heck to do with these things. A business case or a use-case specific model didn’t work then. What we had to do was, and this is the concept of guardrails, is give them the playground that’s safe, that they can go and do whatever the heck they want in.

We know that we can trust that environment. We know that the data that goes in stays in there. We know where it’s going to go, what it’s going to be used for, and that allowed us to then identify the business cases by those teams actually getting in there, playing around, experimenting.

And that then allowed us to say, “Okay. Well, for these use cases, we’re going to use this LLM, and this is how we’re going to engage with it. And for these use cases, we’re going to use this one, and this is how we engage with that.”

So we reached a point where the guardrails truly are what they mean. If you’re staying between them, have at. Here’s all the ways that you can use it. Here’s how you can use it. If you want to go outside of that, it actually will be blocked, and we need to have a discussion about that.

[David Spark] And let me ask the two of you, and again, if it’s sensitive, you don’t have to say it, but were there any mistake… Because I can’t imagine you got this right on the first try. Things like this need tweaking. What did you find yourself tweaking, I guess?

[Hanan Szwarcbord] I think when we started the process, we went a little bit too far with our controls. We were too restrictive. We were too concerned about the level of access. At the same time, we blocked… We found ourselves blocking some of the tools because we weren’t sure on how they work and what exposure will occur there. And I think the combination, and over time, we felt more comfortable about what we’re sharing and how we’re sharing that.

Sponsor – Query

13:29.904

[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor, and that would be Query. Now, for decades, security teams have been chasing context, trying to piece together the right data at the right time to make the right calls. It’s kind of what it’s all about, right?

Now, what’s the problem? Well, data lives everywhere, in different tools, in different formats, and in silos. More often than not, it’s the analysts who are left stitching it all together manually. This is exactly where Query comes in. Query is a federated search and analytics platform that connects directly to your distributed data. So no ETL pipelines, no centralization required, just API connections to the tools and systems you already use.

It creates what is known as a security data mesh, bringing the power of your existing stack together to deliver real-time context without the heavy lift. Even better, being more efficient with your data leads to lower SIEM costs.

So mission-specific AI agents and co-pilots, they handle the tedious parts, triaging alerts, pulling in contextual data, enriching results, and surfacing next steps so teams make better decisions faster. Security data is everywhere. Put yours to work. Go to their website, check out what it is all about. It’s query.ai. And when you go there, let them know that the CISO series sent you there.

How do we determine what’s most important?

15:12.577

[David Spark] Robert R. said, quote, “Also consider the ‘Why,’ especially if it is in the early acquisition stages. Might be other alternatives to include process improvements, impact, additional costs not realized.”

And Tom Kanan of Mobb said, quote, “I like the mindset shift. I usually break things down with ‘Why + How.’ ‘Why this? Why now? Why this specific thing?’ Understanding the ‘Why’ in this example, you get the business context and big picture lens helps me craft at least some of the strategy for ‘How,’ securing it effectively while balancing and productivity, etc. I guess ‘Why’ is probably baked in here, but still personally it helps me break it down that way.” All right. So I think this is good, combining the “How” with “Why.” Do you ask that question, Mike?

[Mike Johnson] When I think about Tom’s response, for me, the “Why” is inherent.

[David Spark] Yeah. And he says it could be baked in here, but he likes to break it out so he’s sort of understanding his two tracks.

[Mike Johnson] Oh, absolutely. And I think it’s a very good add to then break that out because you do need to understand the “Why.” That helps you understand the path that you’re on if it’s going to make sense.

A great example is if you’re heading down a path of, “Hey, we’re going to secure this thing with MFA and CAPTCHAs, and we’re not going to have an API,” if you then find out that the system needs to be used by other systems, by other services, you’ve now backed yourself into a corner, and you’ve got to go re-engineer. So the “Why” is very critical. I think it’s a good add to just say, “Hey, rather than yes or no, we’re going to say why and how,” and that then is a great way of thinking about things.

[David Spark] The other thing of “Why,” I’m throwing this to you, Hanan, is you can understand the intent of the business here. The business says, “We want to do this.” And you said, “Well, why do you want to do it?” And then if you understand the intent, that can kind of drive your security. Have you asked the “Why” and has that changed how you approach the issue?

[Hanan Szwarcbord] Absolutely. We have to ask the “Why.” It helps us really better understand what you’re trying to do and why you’re trying to do it. And it helps us better understand how do we provide them access? Access to data, access to the LLM, or the AI, or whatever they’re trying to do.

I think if we try to do something without really understanding the “Why,” we might impose too many controls or not enough controls, and we might expose things that we don’t want to, or just provide a tool that’s not efficient and they don’t get the productivity that they’re trying to get out of it.

So I absolutely agree with the comment, and I agree with everything that Mike said. I think that’s something that we as CISOs and practitioners are starting to understand more and more, that it’s not enough for us to try to imagine what they’re trying to do. And I know I’m taking it a little bit too much, but I think it’s important for us to really understand why they’re trying to do something, not just the “What” they’re trying to do.

[David Spark] And let me just throw this out. Because one of the exercises we’ve talked about on the show is the Japanese philosophy of the five whys. Or the six whys? Five whys, I believe.

[Mike Johnson] It’s five whys, and it comes from Toyota actually.

[David Spark] But this is even a deeper philosophy of “Why” in the sense that you keep asking “Why” to get to the root reason for doing the thing. And I know we’ve talked about the five whys as a way to look at when you have an incident. “Why did this happen? Why? Why? Why?” Would it work as well in this case, Mike?

[Mike Johnson] I think it might be a bit overkill and it might be a bit annoying to just keep asking, “Why, why, why, why, why?”

[David Spark] Like you’re a little child?

[Mike Johnson] Exactly. Yeah. I don’t think you need to take it that far in order to get the context. And that’s really what you’re after. And I really like what Hanan was saying is it helps you rationalize your controls and prevent you from either going too far or not far enough.

[Hanan Szwarcbord] I would add to that one of the reasons that we have to stay close to the business is exactly following what Mike said. If we continuously ask, we’ll just be annoying. But if we’re part of them, if we immerse ourselves in the business and become part of the business, it’s not the group that says “the business” all the time, which I hate when we say. I think that would make a significant difference.

How do I start?

19:39.945

[David Spark] James Porter said, quote, “‘How’ is an awesome word. Two words I have changed are ‘can’ and ‘issues’ to ‘how’ and ‘challenges.’ I am even teaching this to my kids. It forces us to think out of the box.” So ‘how’ and ‘challenges,’ rather than… So ‘issues’ to ‘challenges,’ is what he looks at.

And lastly, Julia Flick of Hook Security said, “‘Yes, and’ all day,” making a reference to the improv line. “This is why you want theater kids on your team.” Let me ask you, Mike, do you have any theater or improv performers on your security team?

[Mike Johnson] I don’t know on my current one, but I did on my last one for sure.

[David Spark] Did you? Well, I don’t know if you know this, I used to write for Second City out of Chicago, and I was forced to take improv classes because I had to write in the Second City way.

[Mike Johnson] That makes you perfect for cybersecurity, David.

[David Spark] Perfect. Yeah. Well, perfect… Well writing, hopefully, jokes for Second City…

[Crosstalk 00:20:40]

[David Spark] So here’s the next thing I want to do, and I want to get into this with both of you. A lot of this where you say, “Instead of ‘can,’ then ‘how,'” but what are the sort of exercise questions you ask to sort of delve and look into other avenues?

You may only be thinking, “Well, we obviously have to slap some kind of MFA on this.” And you think, “Well, maybe if we don’t do that, we could just read the signals on the computer, and we don’t need to ask an MFA. We could use the information on the computer to be our second signal.” I’m giving some random example, but how do you get them to not only be thinking in one avenue? Or what are the questions you ask?

[Mike Johnson] Well, it’s a combination of returning to your philosophies, returning to your principles to say a principle might be, “We try and avoid agents at all costs.” That’s a principle. And then that then sends you down a path when you’re asking these “How” questions of, “We’re trying to avoid it. We can do it if we need to,” and that again is back to right-sizing your controls and rationalizing for the situation. So it’s really, you should have a set of principles that you fall back on that you factor in when you’re asking these “How” questions.

[David Spark] And do you ever do this thing because… Say, “What if we couldn’t use MFA at all here?” or, “What if we couldn’t do this at all in here? How would we handle it?” Hanan, I’m going to you. Do you play that game? What if we just couldn’t use these classic security controls we normally use?

[Hanan Szwarcbord] Unfortunately, it happens. It happens all the time. We don’t always end up using the Cadillac of companies because they don’t always have the solutions that we need. And we end up working with startups, and they don’t always invest in security first. They’re focused on their MVP, and you have to find a way to work around that.

So we have a really rigorous process where we validate the security, we validate the risk, we discuss the risk, we present the risk, and unfortunately in some cases, you have to go through a process of risk acceptance once we have enough control and mitigate the controls around that.

But I think as practitioners, it’s something that all of us have to feel comfortable assessing the risk, understanding the business case and the business benefit, and measuring the two against each other, and making a decision at the end of the day.

[David Spark] I’m going to ask you the same question of, have you limited… In terms of trying to get them to think in a different way, say, “Okay, this thing is off the table. We can’t do this, this and this. How would you solve this problem?” Have you tried that, Mike?

[Mike Johnson] For sure. Again, it comes back to we may be making a decision of we will not support a certain type of MFA, or we will only support a certain type of MFA.

[David Spark] And also, it’s almost impossible to get 100% on board on an MFA too, right?

[Mike Johnson] Different situation, but that is something that you do have to factor in. And I think Hanan’s example of working with vendors or suppliers is a really good one where you’re frankly backed into a corner in a way of, “All right. Okay. We have to get creative.”

[David Spark] Yeah. The company says, “We have to work with this vendor. You got to figure it out.”

[Mike Johnson] Correct. And a great example, and we’ll always come back to this, is single sign-on. And today, people are still writing new applications that do not support single sign-on, and that’s an area where you’ve got to make some pretty difficult decisions.

[David Spark] Have you considered shaking your fist? Does that work at all?

[Mike Johnson] I try it, and it still hasn’t worked. Every day, I’m shaking my fist at someone who doesn’t support SSO and…

[David Spark] But you got to do it to the sky.

[Mike Johnson] Oh, I’ve been doing it wrong. I’ll try. I’ll try that.

[David Spark] You’re shaking it to the ground. That’s your problem.

[Mike Johnson] I’ve been shaking in the wrong direction, David. I will take that and adjust.

[David Spark] Jesus, I have to explain really basic security philosophy to you, don’t I?

Closing

24:31.871

[David Spark] All right. Well, that brings us to the portion of the show—thank you, Mike; thank you, Hanan—where I’m going to ask both of you which quote was your favorite and why. And I’m going to ask you first, Hanan. Looking at all the quotes that I mentioned here, which quote was your favorite and why?

[Hanan Szwarcbord] I really enjoyed the discussion on “Why,” and [Inaudible 00:24:47] in this case. I think having ourselves ask ourselves, “Why are we doing the things that we’re doing?”

[David Spark] So are you mentioning Tom Kanan’s? Because he’s the one who brought up “Why” there, too. As did Robert.

[Hanan Szwarcbord] Yes, that’s true. I think when we talk about better understanding what our partners are trying to do and why are you trying to do it, find maybe in some cases better ways to do it, and understanding the limits of our ability to impose on our businesses, what’s the right thing to do, and remembering that at the end of the day it’s about the productivity and the bottom line, not just our fancy security policies. It helps us to focus on what’s really important.

[David Spark] Okay. Mike, your favorite quote and why?

[Mike Johnson] I completely agree with Hanan. I think Robert R. and Tom Kanan’s point about specifically thinking about the why, great add to the concept and great add to our toolboxes to make sure that we’re incorporating that into our decision-making.

[David Spark] So that’s your favorite quote as well?

[Mike Johnson] Yes, absolutely.

[David Spark] You didn’t go… Pete Salama literally agreed with you 1,000%. You didn’t go with him?

[Mike Johnson] I’m going with the one that I think added to the conversation.

[David Spark] Pete was excellent as well.

[Mike Johnson] Yes, I’m glad that Pete was very excited about what I had to say, but I do think that adding to the conversation, adding to it brings even more value. They were all great quotes. These were all great quotes.

[David Spark] Huge thanks to our sponsor. And that would be Query. Remember query.ai. Let them know that the CISO Series sent you there and learn about how… Heck, you can get all the data from all your sources in one place so you can make more intelligent decisions. In fact, let some of the AI do the work for you too, query.ai.

I want to thank you, Hanan. Thank you so much. That was Hanan Szwarcbord, who is a VP and CSO and Head of Infrastructure at Micron Technology, who joined us today. Thank you again. Hope you had a good time, yes?

[Hanan Szwarcbord] It was great. Thank you for having me, David. It was great talking with you, Mike, as well.

[David Spark] Awesome. And thank you, Mike, as always for making the crossover all the way to Defense in Depth. I know it’s a huge leap for you. It’s a mental struggle to make it to this show.

[Mike Johnson] It’s like walking down the street and opening up a whole new house, a different door that I was just not expecting, and it worked out just well.

[David Spark] You made it. And I want to thank our audience as always. We greatly appreciate your contributions. And by the way, if you ever see a cool discussion online on LinkedIn that’s got a lot of comments, you’re like, “Oh, this would be a great episode of Defense in Depth,” send it to me, David@CISOseries.com. As simple as that. I would love to see it. Thank you very much, everybody. Again, we appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please, write a review, leave a comment on LinkedIn, or on our site, CISOseries.com where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.