We Require 3-5 Years of Experience to Qualify for the Cyber Skills Shortage

Are cybersecurity influencers exploiting the cyber skills shortage as a means to sell a range of “get a cyber career quick”-type courses? While some areas in cybersecurity struggle to fill roles, the reality is that this demand isn’t for entry-level positions. How do we start filling those badly needed skills without selling cybersecurity career snake oil?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Anne Marie Zettlemoyer, former VP of security, Activision Blizzard.

A huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO. Go!

[Anne Marie Zettlemoyer] Besides rethinking your life decisions, [Laughter] I want CISOs to really welcome the role of being an executive, and that means that you have to learn how the business makes money, how it loses money, how it protects money. So, you’ve got to learn how to speak in terms of dollars and downtime, brand impact, competitive advantage. Boards don’t buy EDR. They don’t buy the tech. They invest in resilience. So, while you are expected to be technical, it’s your strategic ability that’s going to set you apart from other CISOs.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. My co-host since day one, in fact, actually, this episode is going to air one month after our seven-year [Laughter] anniversary.

[Mike Johnson] Seven years?

[David Spark] Holy moly. It’s Mike Johnson, CISO for Rivian.

[Mike Johnson] Wow.

[David Spark] Mike.

[Mike Johnson] Well, seven years plus one month. That’s really hard to believe. That’s, I mean, it’s a heck of a run.

[David Spark] Yeah, that is.

[Mike Johnson] We should at least double that.

[David Spark] The 14 years. Yeah. Let me ask you a question. When you met me, when I took you out for lunch, did you think I was some yahoo? Because I sure felt like one at one time.

[Mike Johnson] [Laughter] Honestly, I didn’t know you. Like it was literally that we met, someone had connected us on LinkedIn, and I was like, “I have no idea who the heck this guy is, but what the heck? Let’s sit down and have a conversation.”

[David Spark] Let’s give it a whirl. It was a gamble you made, and it paid off for everybody.

[Mike Johnson] Absolutely.

[David Spark] We’re available at CISOseries.com. Go check out all our programming, especially our brand-new show. That would be Security You Should Know. It’s our fastest growing show on the CISO Series. And our sponsor for today’s episode, an absolutely spectacular sponsor of the CISO Series, and that would be ThreatLocker – zero trust endpoint protection platform – and we’ve got some new cool stuff to tell you about them. So, stay tuned for that. All right, Mike, here’s my question for you. Now, you unfortunately got COVID during RSA, which stinks.

[Mike Johnson] Yes, that sucked.

[David Spark] So, you weren’t able to experience it. But one of the big themes at RSA was not just AI, which was huge last year, but agentic AI.

[Mike Johnson] Mm-hmm.

[David Spark] And here’s my question. When someone is pitching agentic AI, which I’m sure you’ve heard plenty already, how do you validate how good it’s actually working? Because to say it and to see it in practice, and you can demo it, but to see it in your environment and how it works, how do you know? Like what would the paces you send through to know that?

[Mike Johnson] One of the interesting things about agentic AI is it generally is use case specific. You have a problem that you want this agent to solve for you, and that does mean you can have measurable outcomes. It’s very different than the general purpose LLMs out there of I’m just going to ask it random questions. With agentic AI, it is I want it to solve this specific problem. And it either can or it can’t. You measure it just like you would measure any other security product. That’s actually one of the nice things about it.

[David Spark] We are for sure. We’re going to have to do more on agentic AI down the road. It’s just something I realized because there were a lot of vendors coming out with some level of agentic AI solution, which I know is highly desired.

[Mike Johnson] Sounds like a great Defense in Depth episode.

[David Spark] It could also be a great Defense in Depth. All right, let’s bring on our guest who we’ve had on before, but it’s been way, way too long since we’ve had her on again. And thrilled to have her back. She is the former VP of security over at Activision Blizzard, none other than Anne Marie Zettlemoyer. Anne Marie, thank you so much for joining us.

[Anne Marie Zettlemoyer] It’s great to be here.

Didn’t we solve this already?

4:11.619

[David Spark] “We were Sisyphus, eternally pushing the boulder of alerts uphill, only to watch it roll back down, crushing our spirits with its relentless weight.” That was a quote from Anton Chuvakin of the Google Cloud Security Podcast’s AI-aided take on the current state of the SOC. He points out why the classic SOC is failing. We’re still drowning in alerts. And while we have historically found technology to make them slightly better, it doesn’t fix the underlying issues. Now he frames the problem with a quote from Ryan McGeehan, “When a human being is needed to manually receive an alert, contextualize it, investigate it, and mitigate it, it is a declaration of failure.” Wow, that’s a big take right there. What we really want is to take humans out of the loop, which is the promise of agentic AI, which we just mentioned. There are no shortages of vendors out there that are selling the promise of agentic AI. So, what should buyers be asking for testing when looking at those SOC AI solutions? Well, pretty much what I was asking before, but this was what you should be asking ahead of time.

[Mike Johnson] So, I’ll answer this again. When I think about the SOCs that Anton and Ryan described, those sound terrible. It sounds like those are fundamentally broken SOCs. They don’t have to be that way.

[David Spark] But Ryan makes an interesting comment. It’s like each alert requires all these different things to happen, and that seems like too frigging much for a human.

[Mike Johnson] He’s 100% right. And that really is one of the first places that you should look at adding at least automation into your SOC. You should have all of that information presented to the human. If you’re giving a human an alert to look at, to analyze, you should have all of the context already in there. You should have all of the enrichment done. You should have anything that might be related to that all available so that the analyst can look at that and make a decision right there. They don’t need to go and pull information from 10 different places. That, I absolutely agree with Ryan. That’s broken if that is the way that you’re working your analysts.

[David Spark] So, once you have to leave your environment, if the information isn’t coming to you, if you go out and investigate rather than the investigation coming to you, that’s where you have the problem.

[Mike Johnson] That’s where something is either it’s this is a much bigger alert than I thought it was, or you’ve messed up somewhere in your automation within your SOC.

[David Spark] All right. Anne Marie, I’m throwing this to you. By the way, many of these tools have been sponsors of our show, so what are good questions to ask about these SOC AI agentic tools?

[Anne Marie Zettlemoyer] Well, I would say first, what Anton is talking about is common. [Laughter] It’s one of the fundamental problems with running a SOC or having a SOC. What I would ask is how do you train this… We have to train every model, right? And we say that, have we solved this before? No, of course not. We haven’t solved it. We haven’t even solved vulnerability management. That thing’s been around for 25 years.

So, what are we doing to train the process for decision making on the analyst’s part? Yes, you want to bring all of the information there for them to make a decision, but once they make that decision, what feedback are we giving on the efficacy of that decision, right? And let that inform the next decision or the next alert or the next process, right? We forget that, because the adrenaline’s down, you go through the incident, and you do all of these things, and you forget to do that extra bit of tuning, which is going to be paramount to the success of any type of tool. And as Mike said, the integration of additional information, I have given up on the single-pane-of-glass thing, but if you could tell me or tell an analyst where to look on a prioritized basis and what’s going to give them the most bang for the buck, that is going to improve efficacy and efficiency for the SOC. And we just don’t do that. That’s not available.

Would this person be a good fit for the job?

8:42.788

[David Spark] When you look at specific verticals like OT forensics and malware reverse engineering, there is a meaningful skill shortage in cybersecurity, said Lesley Carhart of Dragos. These specific shortages are not entry-level positions, and that “universities, colleges, and boot camps sold the heck out of an entry-level skills shortage that does not practically exist.” The increased capabilities of AI tools means that junior SOC roles now have much better requirements than just a boot camp or a certification. You likely need a combination of IT experience, a degree, SOC certification, and community work to land the job.

This we’ve heard plenty of times. Getting in the door in cybersecurity requires that you’ll be able to do a lot on day one, and the current education model isn’t adapting to meet the changing landscape fast enough. And I also feel this very much to be true with AI supposedly going to be taking away these lower-level tasks. So, I’m going to start with you, Anne Marie. Do you agree that we now expect more from these junior roles, like starting roles? And if so, do you believe there’s a new minimum standard?

[Anne Marie Zettlemoyer] It’s an interesting question. My first instinct to say is not really. And the reason for that is because we always – and this, I’m not saying that this is correct – but we expect new folks in the SOC world, new analysts to have the judgment of a two- or three-year SOC analyst. That judgment requires practice and time, right, training yourself through these alerts, that persistence of thought, the maturity to get through a wall of data, which when your adrenaline’s pumping, it’s hard to do. It’s hard to get that focus. So, I have seen analysts come in with no background at all, and we train them, and six months later, they’re providing real value because the environment is created to give them that feedback loop and give them that attention span to do so, right?

But I think part of the problem is that folks don’t know how to run SOCs effectively. They don’t know what aptitude is needed to make a successful SOC analyst. It’s not the technical skills. There’s an aptitude to it. There is a persistence that’s required. There is these soft skill sets that are needed to be successful in that role. And I think that part is what is missing in this equation. SOC work can suck. It sucks. You’re on shift work. You’re looking at the same thing all eight hours a day. How do you keep them engaged and get them through that? It’s very much like many other professions, like accounting, let’s say, or when you’re an auditor, you’re going through tax season or whatever. It’s very much like that. That brand new person coming out of college has to sit with a senior person to be trained before they are allowed to make judgments on their own. So, I think there’s a disconnect on what ramp-up time means and how we support them to learn that judgment.

[David Spark] All right. Great take on this. Mike, we’ve talked a lot about this. I also think just AI is throwing another wrench in the problem as well. Are you… By the way, think about it when you first started, you were the CSO over at Lyft. Now you’re a CSO over at Rivian. Are you hiring junior staffers differently now than you did before?

[Mike Johnson] Those are two very different environments, and that’s really what I want folks to take away from this is it depends on the company, the environment, and the needs. A company like Lyft, they weren’t hiring analysts. We weren’t hiring anybody who didn’t have software engineering experience because that was what the company needed and what the company expected. A large company with a massive SOC, like a 100-person SOC, they actually do have the capacity to hire someone fresh out of school, fresh out of a boot camp, and then spend the six months to train them. And that’s great. And that really helps feed the industry as a whole.

[David Spark] Hold it. So, let me pause you right there. Would an MSSP that has a SOC be a good place for a junior person?

[Mike Johnson] That is an excellent place for a junior person.

[David Spark] Okay.

[Anne Marie Zettlemoyer] Yeah, much better.

[Mike Johnson] Because if you go into an MSSP, they’re going to have all of their processes written down. There will be very little left up to decision making, and that gives that person a very rote list and actually teaches them the decision making that Anne Marie was discussing. And that’s what people need to come away with. And so, if you’re getting started in cybersecurity, go work for an MSSP. You will get a broad expanse of experience in doing that in an environment that can really take their time to invest in you and really provide you that training. Most enterprises need you to be providing value day one, and that’s very difficult for someone fresh to do.

[David Spark] And you were confirming, MSSP, you think a great starting point, Anne Marie?

[Anne Marie Zettlemoyer] Yeah, I do. Because I think most companies actually have no business running their own SOC. They’re just simply not big enough, they don’t have enough budget, and they don’t know how to run it. It’s something that you should be farming out and then supplementing it with your senior people to help tune that vendor.

Sponsor – ThreatLocker

14:27.866

[David Spark] Before I go any further, let me tell you about ThreatLocker and lots of cool new stuff with them. So, as we all know, in cybersecurity, seconds matter. Heck, we’re talking about the SOC. And also precision matters. That’s what we’re talking about, AI as well. So, this is where ThreatLocker is upping the game again. The company just launched a new set of solutions built for teams who need to move fast, but without compromising security. So, it’s zero trust, but without complexity.

All right, let me go through some of the options here. We have ThreatLocker Insights. You get real time intelligence from millions of endpoints worldwide to empower you to make the best swift cybersecurity decision on what applications to allow and what controls to put in place in your environment. And patch management, instead of chasing updates and manually approving patches at 2:00 a.m., ThreatLocker takes care of it for you with the rigorous research and testing you need to stay compliant and secure. Cloud control adds an essential layer of defense, further closing the gaps that phishing and token theft campaigns love to exploit. And they’re also making life easier for IT and security teams with the new User Store, a smart way to give users instant access to pre-approved software while maintaining the strong security of your environment. And for web threats, there’s web control, lets you block sites you don’t trust, or users should not access from the workplace. It blocks unapproved content by category, not URL by URL.

So, of course, you still get ThreatLocker’s 24-7 US-based cyber hero support. No scripts, no waiting hours for answers. They deliver world-class swift support responding in about 60 seconds. Now it’s no accident that over 50,000 companies now trust ThreatLocker to help them harden their environments against modern threats. If you’re serious about tightening your defenses and getting a platform that doesn’t slow you down, check out their website, ThreatLocker.com to learn more.

It’s time to play “What’s Worse?”

16:39.029

[David Spark] I know it’s been a while, Anne Marie, but you know how to play “What’s Worse?” I’m going to make Mike answer first and then you will agree or disagree with him. This comes from Dustin Sachs, who’s given us lots of great scenarios. He is with the Cyber Risk Collaborative and here are the two scenarios, Mike, and it’s actually very relevant to what we’ve been discussing right now. An organization implements zero trust but fails to properly monitor and log authentication and access events. So, there is a zero-trust model in place, but they’re not logging anything. So, set it up and truly forget it. You seem confused.

[Mike Johnson] I am, but I need to hear the other part of the scenario because this doesn’t actually sound like properly implementing zero trust. So, okay.

[David Spark] Well, again, I know we’re being quite vague here, but it’s like, “Oh, we’ve set it up. So, it’s doing its thing, but nothing’s being monitored and logged,” which that would kind of defeat the purpose of zero trust, I understand. Or it’s kind of the opposite. An organization overcompensates with excessive logging and alerting, drowning the SOC team in a load of false positives. All right. So, both of these are a giant mess. Which one is worse?

[Mike Johnson] So, it actually went the direction that I expected it to, which was the first one is you’ve essentially leaned in your preventative controls.

[David Spark] Right.

[Mike Johnson] You’re preventing bad activity. You’re preventing people from accessing things that they shouldn’t. The second one is you don’t have the same prevention, but you have detection. You’ve leaned heavily into your detection. That feels like that’s the scenario that we’re going for here?

[David Spark] Right. But the thing is, both setups are very poorly done pretty much. [Laughter]

[Mike Johnson] As per usual, these are both terrible solutions.

[David Spark] Exactly.

[Mike Johnson] So, for me, considering these two options, which is the whole name of the game.

[David Spark] They’re both bad.

[Mike Johnson] Drowning your SOC means you’re going to miss everything. If you’re depending on all of your controls having some human in the SOC who somehow picks through this deluge of events and then finds the needle in the haystack that saves the day, you’re doomed.

[David Spark] It’s a super gamble.

[Mike Johnson] It’s a super gamble, and odds are not going to be in your favor. In the former scenario, you actually have decent preventative controls, and you’ve got a level of confidence that you’re keeping bad activity out. And so, I really do think that one between the two is the better case. So, the drowning your SOC is the worst scenario of these two.

[David Spark] All right. Good rationalization. Anne Marie, do you agree or disagree with Mike here?

[Anne Marie Zettlemoyer] I adore Mike, but I’m going to disagree on this one.

[Mike Johnson] Great.

[David Spark] That’s what I like to hear. Let’s hear your rationale. By the way, we adore Mike as well.

[Anne Marie Zettlemoyer] Of course.

[Mike Johnson] Thank you. Thank you.

[Anne Marie Zettlemoyer] I mean, who doesn’t?

[Mike Johnson] Oh, thank you.

[Anne Marie Zettlemoyer] That’s why I come back here all the time.

[Laughter]

[Anne Marie Zettlemoyer] If you implement anything or you think you’ve implemented something without verifying, you’re using hope as a strategy. If you implement zero trust – and you can’t see me doing air quotes right now, but I am – without monitoring your logging…

[David Spark] I’m verifying that she did do air quotes so our audience knows.

[Anne Marie Zettlemoyer] You are completely blind. You are going blind. You don’t have the opportunity to go back for any forensic trails, for any type of verification. If an incident happens, you are SOL. If you’re doing excessive alerts, then you’re dealing with alert fatigue and noise, true, and you’re blinding your SOC, yes, but you’re not completely blinding, right? Because you can solve that with scale. If you are in a critical incident or something has hit the fan, you can bring in more firepower. You can go back and look. You can figure it out because the log exists.

[David Spark] Right. In the first situation, there’s nothing. And like you said, SOL.

[Anne Marie Zettlemoyer] Right. So, I, my goodness, I would rather have a lot than none because at least I have a small chance, even if it’s a small chance in hell, to find something in the sea.

[David Spark] All right. So, let me see if I can summarize. By the way, good arguments on both sides. Mike argues you’ve got something set up to work. And the latter situation is you’re guaranteed failure because you’re drowning your SOC. Anne Marie says you have a solvable problem in the second scenario, even though it’s awful. And the first scenario, there’s nothing to solve because there’s nothing to do. You got nothing. Correct? Did I summarize this well?

[Anne Marie Zettlemoyer] Right. I mean, I also don’t trust that the zero trust is implemented.

[Laughter]

[Anne Marie Zettlemoyer] I’ve been doing this too long, right? You know? [Laughter]

[David Spark] Yeah.

[Mike Johnson] Yeah, I think you summed those up well, David. I think this is actually a good example of a very balanced “What’s Worse?” scenario.

[David Spark] Kudos to Dustin Sachs.

[Mike Johnson] Yeah, this is a really good one, Dustin, because I do think there are sound arguments for either decision here.

If you haven’t made this mistake, you’re not in security.

22:10.121

[David Spark] “I cannot stop beating myself over the fact that I hold a piece of blame as a cybersecurity engineer.” We talk a lot about the stresses of cybersecurity, but a recent conversation on the cybersecurity subreddit got into how to deal with the guilt you can feel after a breach. By the way, we’ve never talked about the guilt of a breach, I like that. So, some commentators essentially said, “It happens,” using more colorful language, and your job is to minimize you is to… You can’t prevent everything. Now, others put a more positive spin focusing on learning from failure to make the experience worth it. And others pointed out that if leadership isn’t buying into cybersecurity, they are accepting the risk that a breach can happen. So, Mike, I’m sure you’ve had incidents in the past. How did you handle your first cyber incident, and how have you learned to help others cope? And did you learn from that experience?

[Mike Johnson] So, I don’t even remember my first event.

[David Spark] Mm-hmm.

[Mike Johnson] But what I do remember, one that I do remember was I essentially unplugged a firewall that was sitting in a data center several hundred miles away, and I had to then get in the car and go fix it. And my takeaway from that was really understanding resilience and that you need to have backups. You need to have alternative systems that you can feel confident in, in order to enable you to move faster, because that’s what I was doing. But one of the things that this person is somewhat leaning into, and several of the responders leaned into, is within security, we quite often look for somebody to blame. We want to say this human caused the problem, and that’s not really the issue in most cases.

[David Spark] Did you feel it ever?

[Mike Johnson] Again, I felt that I’ve now ruined several people’s weekends by that action.

[David Spark] And do you feel guilt about it? I mean, this was the whole point of the question. Did you feel any guilt yourself personally?

[Mike Johnson] I did. But again, I think that’s something that as an industry, we’ve been trying to move people away from. If you think about incidents outside of security, an outage that’s caused, the first thing that doesn’t come up is, “Who caused it?” That’s not where things go for availability incidents. It is how do we get the environment back online, and what do we learn from this? And that’s really where we need to have folks within cybersecurity move towards is, “Okay, there’s a breach. Let’s fix it. Let’s get things back online. Let’s prevent it from happening again and then let’s learn from it.” And that’s what we need to do rather than going around trying to find someone to blame because that’s how you get this overwhelming feeling of guilt because you’re taking the blame, and the reality is it’s probably not your fault when it comes right down to it, and it’s probably not even a single human’s fault.

[David Spark] By the way, and I’ve had this happen for much smaller problems, way, way smaller, but being in a meeting with like a dozen people, and it was a small problem, not a big one. Breach is a different story. And the discussion was who to blame.

[Mike Johnson] Exactly.

[David Spark] And all I could think was I was looking around the room and counting up the dollars of everybody’s hour for this, that we’re having this meeting. And I’m like, “This was not [Laughter] a good use of our time.”

[Mike Johnson] And you’re bang on. Any time that you’re spent trying to assign blame is time that you’re not spending solving the problem or making the environment better.

[David Spark] Yeah.

[Mike Johnson] I mean, that’s a great example of time wasted.

[David Spark] All right. Anne Marie, I come to you. First of all, your first ever experience, and did you learn something from it, or did you feel blamed?

[Anne Marie Zettlemoyer] Well, like Mike, I’m struggling to try to remember what my very first one was because there’s been many. I mean, I lost track of how many that I’ve handled or been called in.

[David Spark] Well, do you ever feel personal guilt is the thing. Does it weigh on you ever?

[Anne Marie Zettlemoyer] Of causing the breach?

[David Spark] Causing the breach or dealing with the breach or anything like, “Oh my God, this is my problem,” or anything like that?

[Anne Marie Zettlemoyer] I’ll tell you, I don’t feel guilt. I feel an intense sense of responsibility to stand in that gap because that’s what I’m trusted to do. And like many of us, we might be our own worst critics, and so I’m always thinking, should I have pulled this team faster? Should I have pushed for this resolution faster? Should I have brought this person in faster? Should I have spent less time? And so, I’m always doing that. And I think one of the things that early on, I wish I would have known sooner or realized sooner was just, especially for my junior team members, and I do this now, but previously, I wish I would have known quicker to coach them how to handle the adrenaline of an incident because you will have team members that jump in, and they just want to help. And they’ll stay there for hours, 12 hours, 15 hours, 16 hours because they’re running on that and then they collapse.

[David Spark] Mm-hmm.

[Anne Marie Zettlemoyer] And so, had I known very early on to watch for that and coach them so that they didn’t burn out in the middle and have them rest and know when to bring them in, which sometimes is only taught through experience. That, as the leader, I think is something we need to say more to each other, to remind each other that our teams are going to want to jump in, but that doesn’t mean they should at that time, and it’s our role to know when to bring them in at the right time.

[David Spark] Yaron Levi had a really good comment about dealing with a serious incident where you got to go 24 hours. That immediately puts people on eight-hour shifts, like not letting the 12 to 16 thing happen. Where it’s like, “You’re this eight hours, you’re this eight hours, you’re this eight hours.” Have you had to do that, both of you?

[Anne Marie Zettlemoyer] That works if you have a team for that size, you know?

[David Spark] Yeah.

[Anne Marie Zettlemoyer] But sometimes you don’t.

[David Spark] Yeah, you don’t have the manpower to do it. I mean, it’s [Inaudible 00:28:43].

[Anne Marie Zettlemoyer] Right.

[David Spark] Have you had a situation like that, Mike, yourself?

[Mike Johnson] Oh, for sure. And what I’d like to add a little bit, something to what Anne Marie was saying, one of the problems that we have in security is these big incidents are relatively rare, fortunately, but also relatively rare so you don’t have that opportunity to practice. And the first incident that you run into, like, “I’m going to be the hero and solve everything, and I’m going to be highly involved,” and you crash, and then you’re useless to everyone at that point.

One of the things that I was fortunate enough at Fastly to be involved in was all incident management. So, anything, even availability related, performance degradations involved in all of that. And we did build the team so that you could split into shifts so that we would pull people in and we would tell them to go away so that they would be frosty to actually do the work. If they’re there and just taking up space, they’re actually probably bringing negative value by asking irrelevant questions, by going and getting the wrong answers, and that’s actually a detriment. So, it really does come down to, even if you don’t have a big team, figure out how you can bring in others outside of your team on volunteer work, on shift work, what have you, to get through the incident so that people are really at their best. If you’re working for 12 hours straight, it’s not going to work out.

Can this be measured?

30:20.279

[David Spark] “What should security leaders prioritize when evaluating vendor viability?” That question was posed by Christopher O’Malley, who’s the CEO at Exabeam. And as an industry, we’ve seen viability be a problem. Whether it’s startups not living up to the hype, tech giants suddenly abandoning products, or legacy vendors finally riding off into the sunset. Christopher suggests focusing on a vendor’s long-term commitment and current maniacal focus on cybersecurity and security operations and looking for a proven history delivering on innovation promises. You want to work with a startup, I’m going to ask you, Anne Marie, but what are the green or red flags to look out for? This looks good. This looks like a warning. What do you think?

[Anne Marie Zettlemoyer] Well, in my previous profession of accounting and finance and being the head of those orgs, we had approved vendors lists, right? And those approved vendors would go through a due diligence process in order to be able to work with the company. And so, you talk about viability and trying to understand that, and if they’re going to have longevity, I’m going to obviously put in items in the contract where they’re going to hit milestones. And are they meeting them? Are they open to feedback? Are they defensive? Are they answering the questions I’m actually asking, or are they sidestepping? Because you can smell blood in the water real easy when they start pivoting into a different genre of whatever I’m trying to ask, right?

And I will hold them, “This is the question that I’m asking and here’s why I’m asking it.” And if they’re not saying, “Listen, I don’t know yet,” or “Let’s co-develop that together,” I’m going to give them small things to test out to see how we work together first. If I can trust what they’re saying, if they can prove to me that they’re going to deliver on those things. And then as a CISO in general, I’m going to have contingency plans like I would for any tech that I’m putting in. You’ve got to plan for a tech to fail, something to go out of business, or what have you. That’s not limited to a startup, that’s for everything. So, hopefully you have those mechanisms in place, but if I’m meeting somebody new, I’m going to trust them with small things before I can trust them with big things.

[David Spark] Very good take, and I like the watching them sidestep because that’s easy to see right away. Mike, so what are the red or green flags for you? Because we’ve talked in the past about liking to work with startups. And also, I mean, the fear of there are big companies that do abandon products. It happens.

[Mike Johnson] And you can also have a great company that you’ve been working with who is acquired.

[David Spark] And then you don’t know what’s going to happen at that point. [Laughter]

[Mike Johnson] You don’t. And that’s certainly something that all of your planning goes out the window.

[David Spark] And most startups are looking for that kind of exit too.

[Mike Johnson] Most startups are looking for an exit of some sort. That exit could be going public, but they are looking for whatever is next. They should be. I mean, you don’t start a company to stay small and like, “Oh, we’re just going to do this one thing and we’re going to serve five customers.” There’s no reason to do that.

What I think about is, first of all, you have a set of founders. There’s people who are involved in that company. And what experience do you have with them in the past? What is their past experience? Is this something that they’re a serial startup, like this is now their third company that they’ve started? You’ve got a history that you can look at there. Is this somebody who had a problem at a company, at an enterprise, and they realized other companies have this problem, and so they went and started their own thing. And you now know that there’s at least a market for them and they’re likely to get customers. So, they’re going to remain some level of viable as a result. But a lot of it comes back to what Anne Marie was saying, which is ultimately this is risk management. If you’ve got a core capability that your entire company depends on, that’s probably not a great place to go and try a startup.

[David Spark] Let me get this final question to both of you because we’ve been talking about this with many vendors. Do you ask the worst-case scenario? Like say you get hacked and all your data gets compromised, or you collapse, whatever worst-case scenario you want to throw out, you want to hear that they have been thinking about this and have an answer to it. I’ll start with you, Anne Marie. Have you?

[Anne Marie Zettlemoyer] I always ask that question. Listen, I’ve been in nine industries in these past bajillion years, startups included, and if you want me to trust your tech to secure my environment, you better be securing your own environment.

[David Spark] Right.

[Anne Marie Zettlemoyer] [Laughter] And a lot of them don’t.

[David Spark] But the thing is, things happen. But do you ask the worst-case scenario? Like, “If the worst happens to you, what happens to us?” Like what happens in this situation?

[Anne Marie Zettlemoyer] I mean, of course, we have conversations like that. Maybe not in the specific terms all the time, but I’m going to want to know what their plans are in that situation as part of my conversations with them. Of course, I do that with every vendor, not just startups.

[David Spark] Mike?

[Mike Johnson] I don’t think I always ask that question directly because they don’t always know my business. So, I do need to understand that, though. Like, if I am entertaining a vendor, I need to understand what’s going to happen if they fail. How is that going to impact my business? Some of that is getting information from the vendor, some of that is implementation specific, and I need to figure that part out. But ultimately, I do need to understand what is the worst-case scenario and what we’re going to do about it, and if we don’t know what we’re going to do about it, probably not going to be a good decision to go with that solution.

[David Spark] Excellent.

Closing

36:34.367

[David Spark] Well, that brings us to the very end of this show. I want to thank our guest, Anne Marie Zettlemoyer, who is formerly the VP of security of Activision Blizzard, and my co-host, as always, Mike Johnson. Thank you very much. By the way, huge thanks also to our sponsor, and that’d be ThreatLocker. Remember, ThreatLocker, zero trust endpoint protection platform. Just go to their website. We’ve listed off all the wonderful things they’re doing, ThreatLocker.com. Check them out. So, thank you, everybody. We appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.