We Can Either Build Resilience or Just Always Be Perfect

The CISO’s job is all about managing cyber risk to an organization. That’s not all. The conversation around cybersecurity has increasingly shifted to a focus on building organizational resilience. Should the CISO role change to reflect that? Should CISOs become business resilience architects?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is Ryan Bachman, executive vice president and CISO, GM Financial.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Doppel

Doppel is the first social engineering defense platform built to dismantle deception at the source. It uses AI and infrastructure correlation to detect, link, and disrupt impersonation campaigns before they spread – protecting brands, executives, and employees while turning every threat into action that strengthens defenses across a shared intelligence network.

Full Transcript

[Voiceover] Who should be listening to the CISO Series Podcast? Go!

[Ryan Bachman] Anybody who’s aspiring for a career in cyber security. Anybody who’s trying to understand more about the challenges and topics that CISOs are facing. It’s a dynamic field, so therefore I could see anybody from members of boards of directors to other C suite members, all the way to people that are venturing into this field or the technology field and want to learn more.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me, as we like to call them, friend to the show, Eddie Contreras, the CISO over at Frost Bank. Eddie, say hello to the audience.

[Edward Contreras] Hello, audience.

[David Spark] So, Eddie was supposed to join me at a live show. The whole live event got cancelled. Not just us but the whole show got cancelled. And actually our guest we’re bringing on as well. And I said, “Well, we can’t be at the live show, but let’s do a virtual show. What do you say?” So, thank you, Eddie, for joining us. We’re available, audience, at CISOseries.com. You can check out this show and all of our other shows. We have five shows in our network. We drop 11 episodes every week now. It is quite extensive what we have on the CISO Series.

Our sponsor for today’s episode is Doppel, defend what’s real. Disrupt what’s not. Doppel… We’ll talk more about exactly that a little bit later in the show. All right, Eddie, I want to bring up something, and this is going to be kind of a little bit of a PSA to our fellow cyber security professionals. You are very savvy in cyber security. Our guest is very savvy, who I’ll introduce in a moment. And the people listening. But I’m sure you have family and friends who are not. Eddie, yes?

[Edward Contreras] Absolutely. Yes.

[David Spark] All right. So, sadly someone very close to me got swindled out of a lot of money.

[Edward Contreras] Oh.

[David Spark] And it was one of these things where I was like, “If I just…” And I thought to myself, “If I just sent an email out to everyone saying, ‘Hey, here’s a heads up on some of these latest scams that are going on,’ this could have been prevented. Had I just sent that.” And I was like, “I should do this.” And so I wrote up an email listing off common scams, how they’re done, and then kind of a list of ways to protect. And I didn’t do one of these things like, “Oh, here’s an article. Go check it out,” kind of a thing because nobody does. But I just sent it to the immediate family and immediate friends, including in-laws and things like that. And I’m hoping this will stop this kind of thing from happening before. Have you done something like this before? And my advice is to everyone, please do this for your own family and immediate friends.

[Edward Contreras] Yeah, David, I could be optimistic here and say absolutely, I have done that. I’m a realist. And what I’m finding out now is that the more that I interact with my kids, trying to give them advice, the less they listen.

[David Spark] [Laughs]

[Edward Contreras] I can send them a text message, a video, an email, memes, you name it. And I’m the last message that my kids actually will look at. So, sometimes I’ll send messages through others. And my intent is…

[David Spark] That might work.

[Edward Contreras] …they’re going to finally read the message. They’re going to look and see, and they’re going to come to me and tell me, “Did you know?” And then I will just say, “Really? Where did you get that from?”

[David Spark] “Thank you for enlightening me.” [Laughs]

[Edward Contreras] But yeah, I’ve thought about that. But yeah, I think the reality is dads are the last messages you want to hear from.

[David Spark] First of all… Okay, your dad and your kids, but I’m talking about extended relatives. I’m sure you have the people who could fall for these kinds of things in your family, yes?

[Edward Contreras] I do, and I think it’s very similar across the board. Where it’s like, “Okay…” [Laughs]

[David Spark] But the thing was after it happened, I’m like, “Ugh, I bet you I could have stopped this if I had just sent an email like this.” Anyways. So, this is my big PSA for everyone listening. Please write up an email like this and just send it to all your extended family and any very close friends. It pained me what happened. And it’s been pretty rough. And so I think this would be a good way to sort of help prevent it, if we can just do our part. And just send it out once in a while when you see a new kind of scam coming up, a reminder. But, again, an email from you personally.

Again, not to your kids. I totally get that, Eddie. But to the extended family. Trust me, my kids…I don’t think they would even read something like that. All right, let’s bring on our guest, who we were all supposed to do something live in person. Again, another friend of the show. Two friends of the show on one show. Pretty darn exciting. Here is the EVP and global CISO over at GM Financial. Ryan Bachman. Ryan, thank you so much for joining us.

[Ryan Bachman] Thanks for having me, David. Glad to be a friend of the show.

Once again, we’ve got identity issues.

[David Spark] It seems like new vendors in the identity space have coalesced into three different categories. These boil down to visibility and hygiene, governance and posture, and identity threat detection and response. This is all according to Francis Odum of Software Analysis Cyber Security Research. Odum envisions consolidation across these categories and more, plus AI stepping in to do what AI does. And we just recorded an episode of Super Cyber Friday discussing the fragmentation of identity.

I’ll start with you, Eddie. Are users demanding consolidation in identity? Because it seems like there’s a lot of tools you need to get this right. What do you think?

[Edward Contreras] Consolidation is a preference, maybe a utopia. It’s simplification, probably is a more obtainable goal here.

[David Spark] That’s a good way of putting it.

[Edward Contreras] Yeah. One of the things that I look at is…

[David Spark] Let me just clarify… Vendors want consolidation. Users just want simplification.

[Edward Contreras] Exactly. Vendors absolutely want to have market cap, and they want to be able to say, “We sold you our entire SKU of offerings here.” And so the reality is simplification should be the goal. But what I often tell people is things are just not as easy as a term or a phrase. And I’ll tell you what I mean by that. If every CISO just said, “All we have to do is adopt NIST MITRE, and we’re going to be secure,” well, then that would be an easy rule to have, and it’d be an easy goal to obtain. Apply the business now. Okay, every business is different.

“Well, what do you mean you can’t have 15-character passwords because you have a mainframe? What do you mean that you can’t apply an EDR agent to an AIX operating system?” There’s so many variables there. So, the goal really should be about simplification and saying, “Okay, let me see how I can simplify the process to make the most sense for what my business needs as opposed to that single pane of glass or unification, or just all out, ‘Let’s get one vendor to run everything.’” The goal really is about simplification.

[David Spark] So, it’s interesting you mention that about simplification, because I remember talking to some other CISOs who worked at companies where they didn’t have a huge engineering staff. And they actually live in the world of looking towards consolidated environments because their attitude is, “I can’t train my staff on 20 different tools.” And to them, that’s a huge variable in simplification. Ryan, what’s your take on this? Is there a great demand for consolidation, or is it really a great demand for simplification? What do you think?

[Ryan Bachman] The easy answer is both. On the consolidation side, I agree with Eddie quite a bit. Each vendor wants to capture a bigger part of that market share. And so you’ll see that with Microsoft, for example. They’ll come to the table and say, “Now you can get rid of all these other tools because we have a tool that can do it for you.” On the user side, you certainly want simplification.

But I think what this really underscores is a bigger issue, which is there’s no one single solution or solution set that’s going to take care of the challenges that CISOs, and their teams, and organizations face. Number one. And number two, I think that it also underscores that there’s a reason that these companies are emerging with capabilities in these little niche spaces. It’s because they realize there’s opportunity where other companies aren’t doing it very well.

So, I think the problem is complex enough that it creates an opportunity for new companies to come out and say, “Hey, here’s a problem we know nobody has been able to solve yet, so here’s our best volley at trying to solve it.”

[David Spark] I want to double down on something you said there, and I want to know the reality of the phrase, where you said, “Well, Microsoft will come to us, and they’ll say, ‘Hey, we got the complete solution for this, and you can get rid of all these other solutions.’” Let’s just say that someone did come to the table and said, “We’ve got this thing that can get rid of these five, six products,” how easy or capable could you…?

You were like fully on board with whatever the heck vendor X, Y, Z said. How easy and possible would it be to just eliminate five, six products from your environment like that? Is that even possible like that?

[Ryan Bachman] I mean that’s one of the main things that we look into. So, we look at risk reduction. We look at overall costs. And we look at ease of implementation or integration.

[David Spark] Sure.

[Ryan Bachman] And so if you look at some of these companies that have been out there in acquisition mode… And I don’t want to pick on anyone in particular, but you’ve got Google that’s just acquired Wiz. You’ve got Palo Alto that’s regularly acquiring other companies. CrowdStrike acquiring other companies. But the challenge comes in integration. The challenge comes with being able to integrate that entire technology stack even when it’s under one umbrella, like one of those large tech companies. So…

[David Spark] All true, but could you all of a sudden dump five, six products like that? How tough a lift would that be?

[Ryan Bachman] Yeah. No, you’d have to make sure that it obviously operates and works the way that you want it to, and that’s going to go beyond the confines of a POV or a POC. And then once it’s proven out, then you can potentially walk away from it. Right? But that takes time.

[David Spark] Eddie, how realistic is that claim? Like in your environment… Again, you agree 100%. I think it is an amazing product. I think it can do all this. But in my environment, can I get rid of these five, six products?

[Edward Contreras] It’s complex. And I think Ryan said it absolutely perfectly. There are good aspirations here to be able to do something like that, and I think the challenge is realizing, once you’re in the product itself, what was the original intent of your business case. Can you actually solve for those business cases with the unification tool? And I don’t know. In Microsoft, like I said, I love the example of Microsoft because I think that’s something that everybody is accustomed to. If you were to have the money in your budget and you were to buy the E5 license, so much comes with that E5 license.

It opens up the possibility of what you just said, David. All of that is now to be discussed. You have to evaluate it. But then you realize the cost of a SIEM, the Microsoft version of it versus maybe your on-prem Splunk, varies differently in how you’re using it. So, yes, the opportunity is there, but the reality is you do have to do a case by case analysis as to what’s up for evaluation and retirement, and does it really make sense to do that.

[David Spark] I’m going to throw one quick question, and I just want a quick answer. Because realize, from the vendor’s viewpoint, we simply bought these five, six identity products, so it should be able to replace them. Wouldn’t it be better if they asked the question, “What would it take for us to shut down these six products in your environment?” Am I right on that?

[Edward Contreras] Yeah, absolutely. But it’s rarely something that’s discussed at the beginning. And maybe it’s, “What can I shut down,” versus, “What are the use cases that you simply do not want anymore that we can help address?”

[Ryan Bachman] I agree with what Eddie said. The reality is, a lot of times in security, we’re racing to the next problem. We’re racing to the next thing that we’ve got to address, and sometimes we have…we’re guilty of not reflecting on the solutions that we’ve put in place in the past and whether or not they’re still providing the value that they should. So, a lot of times I think CISOs have to stop and reflect on the technologies they have in place, see if they’re still as effective as they were when you first put them in place, see if they’re still delivering on that value proposition, and then also see if there’s other technologies that have been brought into the fold that could potentially do some of those things for you.

I know a lot of people felt that way around user behavior and analytics. They felt like they could get other competency out of other solution sets versus a true UBA player. So, a lot of them have walked away from that UBA stack or UBA space because they can get value from the other tools and technologies they have, and that allows them to divest and put those resources some place else.

Would this person be a good fit for the job?

[David Spark] Part of the conversation about entry level jobs in cyber security has been the claim that it is the…that the whole role has been poisoned by online influencers. Now, there are the people telling you online that you can get a few certs and start working for six figures.

But as Ira Winkler, CISO over at CYE, pointed out on LinkedIn, entry level doesn’t mean no experience required. He names real entry level cyber security roles involving programming, networking, help desk, project management, and compliance. Ira maintained that he doesn’t know a senior cyber security practitioner that began their career in cyber security. Agree? And if so… And I’m going to start with you, Ryan, on this. Where are the real entry level fields before you start in cyber? What do you think?

[Ryan Bachman] Well, I think it’s somewhat self evident that the cyber security field probably hasn’t been around as long as some other fields in technology.

[David Spark] Correct.

[Ryan Bachman] So, it’s sort of a foregone conclusion that if you started in cyber security, maybe with a cyber security degree or something along those lines, which have only been around in and of themselves for 10 years or so, maybe 15 at most, it stands to reason you might not have reached senior cyber security leadership positions just yet. But I’m of the belief that there’s not necessarily one particular discipline that leads to good cyber security introduction level positions. I think that obviously there’s the computer science background or things like that. But really I’ve seen people springboard very effectively from help desk and other areas in IT support.

[David Spark] Help desk… By the way, we keep hearing again and again it’s like one of the best places to start, yes?

[Ryan Bachman] Sure. It’s troubleshooting, right? At the end of the day, if somebody starts from help desk and then maybe ends up in a SOC or a CSIRT type position, really what they’re doing is they’re troubleshooting alerts. Chasing down alerts to find out what’s going on in the environment, not unlike they would do that from a troubleshooting or problem solving perspective. So, I think there’s a whole lot of different avenues into cyber.

I mean we’ve taken people from other areas of traditional IT. We’ve taken people from engineering backgrounds. You name it. It’s really… I feel that a lot of the people who are successful coming into introductory roles within cyber are typically people who have done a fair amount of self study and then can augment that with some level of prior experience. I mean we’ve had tremendous success hiring people in from what I would call big box retail stores that self studied and became very interested in cyber, and they were very successful.

[David Spark] All right. I ask the same question to you, Eddie. Where do you think the real entry level fields are before you started in cyber?

[Edward Contreras] Yeah, I think it may not be a popular answer, but I disagree.

[David Spark] Let’s hear it. By the way, you’re not the first person to disagree with Ira Winkler. Go ahead. [Laughs]

[Edward Contreras] I like the concept, but I think it’s a dated concept. But I think Ryan really said it perfectly, which is context. Right? Context matters. Before the industry was here, you had to come from somewhere. And so of course the statement makes sense in context. You entered the field because before this field was there, you were in another field. But there are entry level positions. We hire them. That’s what intern programs are for. We have an amazing graduate program where we hire people that are in their undergraduate or their graduate program, and we’re the first job they’ve ever had. And if you know and you’re studying the information in college, you can absolutely get a role in the industry at an entry level.

So, think of application security. You’re learning how to code. You’re learning how to scan. You’re looking for quality assurance and quality checking. Those are things that you can be taught conceptually, and you can apply it within a junior role so long as you have peer reviews, so long as you have somebody overlooking and giving you guidance. So, I can look across all the departments in my area, and we have interns that have come through each one of them and are being successful, and it’s their first job ever. So, I think Ryan said it accurately. That view of you came from somewhere was applicable, but you can absolutely start in an entry level position.

[Ryan Bachman] Just one more thing, David. We’ve actually…to Eddie’s point, with college internships, we’ve actually had success with high school internships in certain cases. So, younger – 16, 17, 18 year olds, juniors, seniors in high school that intern for us, and then we see going to college, and then come back and intern for us during college, and then come on board after they graduate. So, that’s actually been something that we’ve had a lot of success with.

Sponsor – Doppel

[David Spark] Before I go on any further, I do want to tell you about our spectacular brand new sponsor, and that is Doppel. So, Doppel is the first social engineering defense platform purpose built to dismantle impersonation threats before they cause harm. And I was talking about the importance of educating your family about this. Well, this is a sort of critical issue as well. I was talking to family about this very issue about the fact that the AI’s ability to impersonate voice and video is incredible now. Now, while legacy tools focus on detection and alerting, Doppel goes further, using AI and infrastructure correlation to link phishing emails, fake domains, and deep fakes, and impersonation campaigns across channels.

From executive protection to brand impersonation takedowns, Doppel doesn’t just flag threats, it disrupts them from the source. Every attack fuels their shared threat grid, giving every customer the benefit of collective intelligence. The result: faster disruption, stronger resilience, and fewer opportunities for adversaries to profit. Doppel makes digital deception unprofitable, protecting your people, your reputation, and your revenue in a world where social engineering is now the biggest threat to enterprise security. For more, go check out their site. It’s doppel.com.

It’s time to play, “What’s worse?”

[David Spark] All right, it is time to play, “What’s worse?” You’ve both been on the show. You know how this game is played. But since you are playing the part of our guest cohost, Mr. Eddie Contreras, I would like you to answer this first. All right? So, I’m going to set you up. This comes from Oscar Morales from Calian IT and Cyber Solutions. And the set up is it’s a nation state cyber attack versus a disinformation campaign. Here are the two scenarios.

Remember, you’re picking the one that is the worst of the two. So, scenario number one, you’re working for an organization who does business with a country who is being attacked by a nation state actor, thus making you a victim caught in the crossfire. And because of it, your systems and environment are being targeted and disrupted. Pretty awful. Would you agree with that, Eddie?

[Edward Contreras] I would completely agree with that. It sounds bad.

[David Spark] Okay. This next one also stinks. Or you’re dealing with false information and narratives being circulated and communicated about your company. So, this is specifically targeted to you. And it is impacting your stock price and losing user confidence in your business. Now, I can’t tell you the variance of how bad or worse each of those scenarios, but in general, being associated with someone who’s getting attacked by nation state actors, so it’s affecting you, or a direct disinformation campaign that’s really affecting the financials and your customer confidence. Which of these two is worse?

[Edward Contreras] So, David, I’m going to channel my inner Andy, and I’m going to do a thesis on each one for 25 minutes before I get to my…

[Crosstalk 00:20:40]

[Edward Contreras] I will not do that to you. And hopefully, Andy understands the jest there. So, I think the latter is worse. And here’s why – disinformation, whether coming from a credible source, or it’s coming from a nation state, or whether it’s coming from a…what are they, script kiddies…if you don’t know, you don’t know what to believe. And that’s really challenging. At least with the nation state, there are tactics that you can understand, who your adversary is. There is kind of a profile. You’re probably going to get a lot of information, so at least you know what you’re up against.

When it comes to disinformation, you have to kind of discount certain things, or you have to essentially account for everything. And that is so disruptive. And the fact that you know there’s pressure, your stock price is being impacted, your executive team is kind of looking at you. And you have to assume all is correct or assume all is incorrect. It could be a really challenging scenario there, so I do think that’s worse.

[David Spark] So, the second one puts you more in balance, would I say? Like you’re so out of balance, out of whack, and you don’t know where to go next.

[Edward Contreras] Yeah. Yeah.

[David Spark] All right. By the way, I have an argument against it. I’ll throw it at you, but I want to hear from Ryan first. Which one is worse of these two? Do you agree or disagree with Eddie?

[Ryan Bachman] I agree. Disinformation. Disinformation has no symmetrical response.

[David Spark] Yes, good.

[Ryan Bachman] In other words, there is really no playbook there. You’re going to have to bring to bear all kinds of different resources within your company to try to battle it.

[David Spark] Well, you bring crisis management teams in, don’t you? Yeah?

[Ryan Bachman] Yeah, no, for sure. But it’s very much a cross disciplinary approach. Whereas as a CISO, I kind of know how to handle more symmetrical cyber attacks and things like that. There’s better information sharing about the adversaries and better ways to potentially foil those tactics. Plus you’re not necessarily dealing with out in the public sphere as much.

[David Spark] All right. Now, here’s my argument against it, saying it’s not as bad. People have short memories. I’ve seen many a disinformation campaign or just many bad news campaigns go away over time. Would you rather wait it out rather than having the associated nation state attack? I’m going for that. Because I have the theory of most of this stuff, people have short memories, and it moves on. So, the dip in stock price could be just temporary. What do you think?

[Edward Contreras] I think that’s the reality. If you look at Target when they got breached.

[David Spark] Yeah.

[Edward Contreras] Their stock recovered. And we get that. And I think that…

[David Spark] By the way, not just Target. In fact, the Verizon data breach investigation report showed this just happens time and time again.

[Edward Contreras] It does. And I think the assumption here is you can outlive that as a CISO. So, yes, the company will recover, but will the CISO get through that process?

[Laughter]

[David Spark] So, this is more self preservation at this point.

[Edward Contreras] There’s time to live, and you have to have some type of longevity. But even with that complexity there, I think that’s less of a concern just because, you’re right, most companies are going to…especially larger companies are going to be able to survive the attack. But disinformation… If you think about that within a security program, can you trust your own logs? Can you trust the information coming to you where you’re supposed to focus your investigation on? And so if they’re providing this information to the public and about your company, you should assume there is disinformation already within your environment. And so where does it end? You’re kind of in that “Inception” movie where how deep do you go. I’d love to hear Ryan on this.

[David Spark] All right. Okay, Ryan, so my take is that disinformation will go away over time.

[Ryan Bachman] Yeah, there are others that might disagree. I think there’s companies that have struggled with massive PR related issues due to some of the decisions they’ve made and somebody out in the media sphere not liking it and then running with it, and then they just become a constant sort of recycled topic in the headlines, and it does a lot of damage to the company. So, again, I’m still going to go with disinformation being a much more difficult one.

[David Spark] All right. Regardless, I think it was a good topic.

[Ryan Bachman] Yeah.

[Edward Contreras] You’ve got to do a poll on that one next time.

[David Spark] All right. Before we leave this, we do want to hear from the audience. Tell us which is worse – being essentially associated with someone getting attacked by a nation state attack or a disinformation campaign against you. Which one is worse? We want to hear from you. Let us know.

How is the CISO role evolving?

[David Spark] It’s never an easy time to be a CISO. Would you agree, gentlemen? Yes?

[Edward Contreras] Absolutely.

[Ryan Bachman] Correct.

[David Spark] You never go, “Well, today was a breeze.” Has that ever happened?

[Laughter]

[David Spark] No.

[Edward Contreras] There’s a lot of wine back here for those days.

[David Spark] It’s never an easy time to be a CISO, but the last few years have been a doozy. There are increasing regulatory requirements being heaped on the role at the same time as we’re seeing an ever expanding roster of threat vectors and attack surfaces. Rather than splitting the role up between two functions, the role could evolve into something like an architecture for business resilience. This is what was suggested by Randolf Barr in a Dark Reading piece. He likens this to an enterprise architect that sits between IT and senior management while overseeing technical architecture and roadmaps.

The CISO role has always been about managing risk. But could reframing it around building business resilience help make the job more manageable? I’ll start with you, Ryan. It’s like this idea of you’re just focusing on that, and then you have other team members to deal with the other aspects of your business. What do you think if the job changed into that?

[Ryan Bachman] Well, I think it already has a little bit.

[David Spark] Yeah, I do envision that it’s like that. But the idea is you could push a lot of stuff off, and you just focused on that. Like the whole security program is not under your auspices, I guess, would be the idea.

[Ryan Bachman] Yeah. No, I don’t think that’s the right answer. I think what it honestly comes down to is there’s an operations and engineering side to cyber that I think it makes sense, just from a conflict of interest perspective and a lot of other reasons, would be under a CISO’s domain and continue to be. But I think what we’re talking about is growth. It doesn’t have to be broken into pieces and spread out. I think what you’re talking about is the ascension of a role and the more critical importance of a role. And I think this question around operational sustainability and enterprise resilience is at the forefront of everything. Because it’s not just about protecting data, it’s about protecting the enterprise.

So, it’s natural that we’re having those types of discussions and that we’re being pulled into those directions. But I don’t think that calls for a, I guess, bifurcating of a typical CISO organization and breaking it off into pieces. I’m not sure that really makes a whole lot of sense.

[David Spark] Let me ask you, Eddie – whether it makes sense or not, do you think this could be pulled off? Say some greenfield organization says, “We’re not going to have a CISO. We’re going to have an architecture for business resilience, and the other functions are going to be handled by other people.” Could that be done, or would that be seen as a giant mistake?

[Edward Contreras] I think it can be done. It’s an intriguing concept. And Gartner tried this I think about two years ago where they tried to introduce the next level of CISO, which was going to be the chief resilience officer.

[David Spark] Yes.

[Edward Contreras] Where their role would be exactly what you said – the continuity of business. And believe it or not, I actually know Randy Barr. He and I are actually childhood friends.

[David Spark] Really?

[Edward Contreras] And so the fact that we both ended up in this industry is amazing. But I get what he’s getting at. It’s really about understanding what is a priority. Is it availability, continued revenue generation, or is it security and ensuring that the company can withstand whatever it needs to withstand? So, I’m agreeing with Ryan here that it’s not probably the best practice to do something like that. I’m assuming there will be companies that try this. What I really like about the financial sector… So, we go by regulatory guidance and expectations.

There was an update to our regulatory guidance a few years ago where it says the CISO cannot report into operations because of the conflict of interest that it proposes there. So, there is actually a mandate now that says there has to be a separation between information security and the executive or the leader over information security versus those making decisions around availability and revenue. And I think that’s a good thing. So, I know in the financial sector, it’ll be a little more complex and maybe not as easy and straightforward, but I’m sure companies will try it, and we’ll see what the results are. But it’ll be interesting to see how that turns out.

Managing security changes for business optimization.

[David Spark] We just talked about the CISO role being complicated, but a lot of that comes down from the reality that cyber security is extremely complicated. Is there any way to simplify things? We talked about this at the very beginning of the show. So, maybe we can turn to Occam’s Razor, the idea that, “entities should not be multiplied beyond necessity,” as suggested by Jay Jay Davey of Planet. Now, a sound principle, but where can that be effective in cyber security, and where are the areas that we can’t simplify no matter how hard we apply Occam’s Razor? So, really it’s just a simple question of what can be simplified in cyber, Eddie, and what we just can’t. It’s going to always be that complicated. What do you think?

[Edward Contreras] I’d love to give you a use case, and I’ll tell you the use case here in a second. But when you look at the cost of a control, the cost of the control cannot outweigh the risk that you’re trying to protect. And so you’re talking about simplification, and you’re saying, “I’m about to spend a million dollars on this control,” but the problem you’re solving is only a hundred thousand dollar problem. Well, then is it really worth the investment to simplify that control? I love what NIST did around the password and around what authentication requirements are still needed for the password.

If every company is trying to eliminate the password eventually and NIST is now saying, “Well, now it’s a variation of letters and numbers from 8 to 15,” it’s no longer mandating the longer control. You can actually simplify that control with the delivery of invisible controls or transparent controls. So, you can essentially minimize the impact on the users by simplifying the control, but it has to be cost effective to do that. So, if you’re bringing in some very costly controls to be able to just get rid of passwords, is it really worth it at the end of the day? But I do think you have to understand the cost. You have to understand the user impact before you actually apply the simplification process.

[David Spark] Ryan, before you jump in, Andy Ellis, who’s one of the cohosts of this show…one of the things he does when he comes into a new role and what he suggests to others is ask the staff, “What is the one thing we’re doing here that’s insane that we’re still doing it that way?” Which to me seems like a really great way to begin the simplification process. My feeling is that knowledge of simplification sits in the minds of your entire staff. Yes?

[Ryan Bachman] The knowledge of simplification, absolutely. They’re the ones who are closest to having to do the actual work every single day, so they’re going to live the pain that we later hear about. And so trusting them and giving them the opportunity to say, “These are opportunities where we can make things a lot more efficient, improve processes, improve technologies, whatever it may be,” is… Andy is not wrong. That should be one of the first places you start. One thing I want to say really quick though is, David, you’re sitting here asking CISOs in our profession, “What can we do to simplify our profession?” Well, look at a CFO and think about all the things that a CFO has to deal with relative to tax, relative to financial reporting, all the different countries they work in, all these different aspects of a CFO’s role. I think that certain things are just going to maintain complexity and are going to have to have that level of leadership and have that level of priority within a company. And I think security is very similar.

It is complex, and it’s going to be driven by your regulatory components that Eddie was speaking to. It’s going to be driven by your operating footprint of where you operate, by your technology footprint, by what your company wants to do. And as long as companies are wanting to do different things to differentiate their products and services, security is going to be, I think, a challenging and increasingly complex thing to have to be able to apply to those companies.

[David Spark] Hold on. If I’m getting this right, you’re blaming the business on having aspirations? Yes? [Laughs]

[Ryan Bachman] No, what I’m doing is I am aligning to the business and what their aspirations are and trying to figure out how to help them succeed in operating and be protected.

[David Spark] Right, but that makes a really, really good point. Look, if your business is just providing one product…

[Ryan Bachman] Exactly.

[David Spark] …very simply, security is going to be pretty easy.

[Ryan Bachman] Relatively, sure.

[David Spark] But once things…you start offering a hundred products to lots of different customers, it starts to get a little complicated.

[Ryan Bachman] Sure. And I mean, every company looks for a way to differentiate itself against its competitors. To differentiate itself within its industry. And with that comes the complexity that follows and with that comes the security to secure that complex web of systems, and data, and everything else. So, I think we’re not driving complexity into the business. We’re responding to that complexity, and companies have to increasingly…in a more competitive environment…have to figure out ways to differentiate. Have to figure out ways to create new revenue streams. And it’s our job to come up with ways to protect it.

[David Spark] Now, while you gave the glass half full response, I’ll give the glass half empty response in saying we’re blaming the business for making security complicated.

[Laughter]

[Ryan Bachman] Okay.

[David Spark] But I support your response.

[Ryan Bachman] As long as it’s clear that I didn’t say that, because I do value my job and my employment. Thank you.

[Laughter]

[David Spark] I’m just giving you a hard time, Ryan. No, but that’s a really good answer to this. Eddie, what were you going to say?

[Edward Contreras] I was going to say there’s a good use case here, if you think about a publicly traded company versus a non-publicly traded company. There are times where user attestation you have to do because it’s a regulatory requirement. SOX. In a non-publicly traded company, you may not have to do it in the way that the SOX program does. Sometimes you have to inform the business this control is present to be compliant with our regulatory environment. And there’s other times where you can say, “You know what? I agree. Let me take that feedback.”

Just like Andy said, “Let me take the feedback. Let me understand.” And because we’re not publicly traded, maybe we can retire a control like that and use automation or technology to help ease the burden on management. But when you look at that, it’s like, “Okay, there is reason and rationale why controls are present.” And sometimes it is… Maybe to Ryan’s point, it’s educating the business on why it’s here so that way there is not so much pushback when they’re executing that control.

Closing

[David Spark] Thank you very much, Eddie Contreras. Thank you very much, Ryan Bachman. And thank you to our audience. We greatly appreciate you listening to the show. Hold it. Let me ask both of you a quick question. We like to let our audience know. Eddie, Ryan, are you hiring at your respective companies?

[Edward Contreras] The answer is yes.

[David Spark] Ryan?

[Ryan Bachman] Absolutely yes.

[David Spark] And I’m assuming there’s job boards on Frost Bank and GM Financial, correct?

[Edward Contreras] Yes, please visit the website.

[David Spark] And can people contact you directly if they’re interested once they find the job? Yes?

[Edward Contreras] Absolutely. If they come and say, “We heard about this on David’s show…”

[David Spark] On the CISO Series Podcast.

[Edward Contreras] CISO Series Podcast.

[David Spark] That will give you a gold star, yes?

[Ryan Bachman] Absolutely. Put you right at the top of the applicant pool as far as I’m concerned, David.

[David Spark] This is what we love to hear. Awesome. That’s great. Awesome. All right. Well, thank you very much. Go check them out. GM Financial and also Frost Bank. Work with two great security leaders. Man, anyone would be thrilled to work with both of you guys. We loved having you on the show. Friends of the show, both of them. All right, I want to thank our sponsor. That’s Doppel. Remember, defend what’s real, disrupt what’s not. Go check out what they’re doing over at doppel.com. Any other last plugs you gentlemen would like to make about what we talked about? Anything for your companies, security, working with you guys? Let me know. Eddie? Ryan?

[Edward Contreras] Happy to be here. I’m glad I’m a friend of the show. And absolutely, if you’re looking for a job in Texas, you can look at our website.

[David Spark] Yes. Ryan, any last words?

[Ryan Bachman] GMfinancial.com/careers. We’re hiring in cyber security at a number of different levels.

[David Spark] That’s awesome.

[Ryan Bachman] We’d love to have you come be a part of our team and learn about what we’re doing.

[David Spark] And you both hire entry level. I love hearing that. Because this is the major aggravation is that nobody is hiring entry level. That’s great that you’re doing that. Awesome. Thank you very much. Thank you, everyone. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, Our Virtual Meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.