Once You Memorize the Manual, Our User Interface is Very Intuitive

The user experience for security products is a mess. Does it have to be? Security practitioners often bemoan that interfaces aren’t designed by anyone who actually has to use the product. But how can we optimize interfaces when these products often have to span disparate roles and use cases?

This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining us is our sponsored guest, Edward Wu, CEO and founder, Dropzone AI.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Dropzone AI

Dropzone AI autonomously investigates every security alert—no playbooks needed. This AI SOC analyst queries your CrowdStrike, Splunk, threat intel feeds, and 60+ other tools to build complete investigations in 5 minutes. Unlike black-box automation, it shows every query, finding, and decision. See it work yourself—explore the self-guided demo at dropzone.ai.

Full Transcript

Intro

0:00.000

[Voiceover] What I love about cybersecurity. Go! 

[Edward Wu] What I love about cybersecurity is how we are continuously competing against smart attackers who are trying all sorts of different things to get into systems and networks.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series, and joining me for this very episode, you’ve heard him before, you’re going to hear him again. It’s Andy Ellis, who is the editor of How to CISO, and the author of 1% Leadership. Andy, let people know what the sound of your voice sounds like.

[Andy Ellis] Good afternoon, folks, or depending on when you are in the world, good morning, good evening, or good night.

[David Spark] That is Andy Ellis’ Johnny Carson golf swing as he likes to introduce himself. Those are our older listeners who remember Johnny Carson.

[Andy Ellis] Yeah, for the much older listeners. I barely remember that, David.

[David Spark] Yes, you do.

[Andy Ellis] I pretend I barely remember that.

[David Spark] You’re not that young, I’ll tell you that much. We’re available at CISOseries.com. Our sponsor for today’s episode, which, by the way, phenomenal sponsor of the CISO Series, Dropzone AI, AI SOC analysts that never sleep, so you can. And most of us like to sleep. I’m a big fan of it. All right, Andy, before we jump into the show, you have started a series on, I believe, LinkedIn or, I don’t know, where it’s living. It’s on the blog. 

[Andy Ellis] It’s on howtociso.com, but I’m littering things on LinkedIn as well, so people can find it there. Yep.

[David Spark] You’re putting an effort. It’s howtociso.com, which is kind of what we do on this show as well. So trust me, many of the material that Andy has in this will appear on this show, but if you want to get a jump start, you should just go ahead and subscribe. What the heck is it, Andy, and why’d you start it?

[Andy Ellis] So I decided I was giving a lot of the same commentary in a lot of places, especially here. People would ask a question, and I would say a thing, and then I realized one of the challenges is, people have stopped producing evergreen content. The social media machine and Search Engine Optimization is people just trying to give you the next hot take, rather than just write the reference, so people can always come back to it. I’m reminded that I have some amazing content like the Vendor Rebuf that everybody knows. It’s like, “Oh, everyone goes back to this.” Like, 10 years ago, I wrote this blog post, and it’s still in circulation. So I want to do the same thing for CISOs, and this is for people who are CISOs for a while, they want to be CISOs, they’re just coming in. Folks may remember my first 91-day guide for a CISO, which was released 2 years ago and I’m basically packaging this all up in one place. It’s basically everything I think a CISO needs to know. So the commitment that I make is, everything published on howtociso.com is written by me. There’s no AI, there’s no guest contributors. This is me. I might link to other CISOs whose opinions that I value, and I think have useful things to say, but it’s designed to be the reference for everything you need to know about a CISO.

[David Spark] Andy, a lot of what we do here on the CISO Series is also highly evergreen. Hence, what we have seen from people who download this show years afterwards, and not only that, per what you said about How to CISO, I’ve heard from many CISOs that they listened to this program to learn how to be a CISO.

[Andy Ellis] Absolutely. There’s a lot of folks in our industry that are still learning, or they’re changing industries, and being a CISO in power is very different than being a CISO in hospitality.

[David Spark] The other thing we often hear is a CISO who is in one industry wants to hear what it’s like from a CISO in another industry.

[Andy Ellis] Yes.

[David Spark] We hear that all the time. All right. Let’s bring on our guest who’s going to help us with a nice conversation we’re going to have about the AI, the SOC, OSINT, a lot of other good stuff, and I’m thrilled he’s here. I met him actually in Las Vegas at Black Hat last year, and I’m expecting him to be at Black Hat again this year. They’ve been a great sponsor of ours, it’s our sponsor guest, the CEO and founder of Dropzone AI, none other than Edward Wu. Edward, thank you so much for joining us.

[Edward Wu] Thank you for having me today.

It’s time to measure the risk.

4:24.228

[David Spark] “While OSINT, that’d be Open-Source Intelligence, continues to be a powerful tool in intelligence and investigations, its limitations in handling digital evidence must be scrutinized, especially in legal contexts.” This is what Paul Wright said, of eCrime Intelligence. The problem isn’t just that social media and open-source material contain misinformation, but that “data collected through OSINT may reflect the biases of those who create or share it.” Now Wright argues for integration with digital forensics, with OSINT, using forensic techniques like metadata analysis and file integrity checks to validate findings. But this creates a practical dilemma. “What do you trust? Which one requires verification?” So I’ll start with you, Andy. So what’s your framework for relying on Open-Source Intelligence? How do you balance thoroughness with investigation speed, which is another consideration?

[Andy Ellis] So I think it’s really important to understand that there’s basically three different problems we’re talking about here. One is, you’re in the middle of doing something and you want to use OSINT to just figure out like what’s going on like, “Hey, is the network up or down?” There’s like a bunch of tools that are like, “Is it just down for me?” Think of that as OSINT, right? “I’m going to ask somebody else a thing, and I’m going to find out an answer, and that answer gives me a hint.” Yes, you do care about the reliability of that answer. If you’re on LinkedIn and you’re seeing somebody post about a thing, you’re just taking that as the hint of what you should do next. So you’re not so worried about the reliability of what you have because you don’t actually trust anything at that point. You’re just looking for hints. There’s a middle case which is, “Okay, now I’m doing the thing, and I’m doing an investigation, and I want to make sure that when I pull in information from outside that, that information doesn’t mislead me.” So now my credibility questions are all around, “How should I trust this data versus something that I collected myself?” Like if I did a malware reverse engineering, I trust that more than if somebody else did. Although, actually, let’s be very honest. If you’re a reverse engineer listening to this, I should trust you more than I would trust myself. But then the third category, which is mostly what this article is about, is what happens when you want to use it as evidence? You basically just have to accept that, from an evidence perspective, what you’re basically doing is you are picking up trash off the ground, and claiming that, “This is useful evidence.” It’s always important to start with, “I picked this up as trash off the ground,” because you don’t actually have a primary source. It’s possible that it’s forged. It’s possible that it’s only a part of the thing. It’s like getting a ripped-up receipt, and you have like one piece of line out of it that’s interesting, the rest of it might have been an invalidation of whatever you read. So you have to take it with like a whole carton of salt, not even just a grain of salt.

[David Spark] All right, Edward, I’ll throw this to you. I know you spent some time in the SOC yourself. First of all, just generally, did you have a lot of problems with OSINT, and how’d you deal with verifying it?

[Edward Wu] Yeah, I think one challenge with OSINT is, back then, it was part of the community of security practitioners that were contributing what they found, and sharing with each other. However, with the recent advancement in large language models, we have seen cases where attackers will plant malicious libraries, and then do a good job on gen AI optimizations, so their malicious OSS library becomes the most recommended OSS library or implementation when you ask ChatGPT about it. I do think OSINT will go through a phase kind of similar to forums or Reddit posts. Historically, you could argue 95% of the forum posts and Reddit posts are written manually by humans. You can say the relative quality is much higher than probably in the next couple of years, where there might be a lot of bots out there that are posting randomly on Reddit, posting randomly on forums to poison the well, to some extent. This is where I could definitely see attackers. It’s not that easy for a gen AI system nowadays to create free accounts on VirusTotal, and leave comments on IP addresses and saying, “Hey, this is FBI’s secret national security IP address.”

[David Spark] All right. Well, let me, let me cut to the chase. So going back to the earlier question I asked Andy, like, you know, there are problems out there. How do you balance verifying? Is this incredibly popular package tainted, or is this valid for me, versus, “What do I have to move through because you have to move quickly when you work in the SOC?” So where do you play that balance?

[Edward Wu] Yeah, I think a lot of it is provenance, right? Which is, who created the data, and really paying attention to the source of information? Because with gen AI, the assumption is 90% of the things you see on Google are going to be somewhat untrusted, and could be potentially influenced by attackers in the first place.

There’s got to be a better way to handle this.

9:55.787

[David Spark] Who do we blame for bad user interface/user experience design in cybersecurity tools? We’ve all seen it before. So vendors are often proud to crow about tools being created by those who used to work in the field. Edward, not saying you’re doing this, but you used to work in the field. Pretty much all of us have, for that matter. But the sentiment on the cybersecurity subreddit was much more critical, with one commenter lamenting, “They throw in features that no one asked for or needed. They organize it in a way a UX person wants it, but not how security experts would need it, and they force windows on analysts that usually contradict the defined ones in their organizations.” I’m going to start with you here, Edward. You have a tool. You had your own experience about what you wanted to do, but I’m going to guess. I don’t know that you’re not a UX expert. So hopefully, you worked with a UX expert. What has been your experience where you asked yourself, “Why is that there?” Or maybe it was your own tool, and maybe people gave you feedback of changing things. What was your experience? Let’s just start with your own tool of making it usable for the SOC, and people telling you, “No, that’s not so usable. We need it more like this.” What was that give-and-take that you had?

[Edward Wu] Yeah. I think one of the challenges we have run into a lot is not all SOCs are created equal or the same, and different types of SOCs oftentimes have different needs. For us, as an AI SOC Analyst… So first and foremost, our value proposition is providing analytics, and over time, we have actually morphed into a philosophy where we view our UI as optional because, at the end of the day, different security teams have different single panes of glass. It’s very difficult for any particular tool to always operate as if your tool is a single pane of glass because every tool wants to be the single pane of glass. At the end of the day, there’s only one tool that could be that.

[David Spark] By the way, hold on. Let me pause you. You’re winning over a lot of people with that line because the pitch that we’ve heard for years, and years, and years of, “Oh, here’s the single pane of glass,” assuming you liked ours, but the fact that you are optional with your single pane of glass, like, “Use it if you like. Don’t use it if you don’t want to.” By the way, that very much rings true with our audience. Go ahead, Edward.

[Edward Wu] Yeah, thank you. Yeah, and a lot of this, frankly, has to do with the challenge, right? Which is, it’s hard to build a UI or UX that satisfies the needs of different SOCs. This is why we landed on this approach. To answer your question more tactically, like what are some of the challenges? I think a lot of it has to do with the workflow. If you look at software developers, most of the software development teams have the same workflow, which is product managers will have conversations with developers, they will create tickets in a ticketing system, developers will pick up tickets from the ticketing system, and then write code in a code repository, and then that’s pretty much it. But for SOCs, actually, like when you look at different SOCs, the workflow actually varies greatly. So the diversity of the workflow, some SOCs are very ticket-focused, some SOCs are very Slack-focused. Then there are SOCs who, for example, might use their SIEM as their ticketing system. This is where, because of the diversity of the workflows, building an end-user experience that really meets where everybody is, is almost mission impossible.

[David Spark] That is a very good point. I like that. Andy, pick up on that.

[Andy Ellis] Well, I actually think Edward downplayed the problem there a little bit, if that’s even possible.

[David Spark] Mission impossible is downplaying it? 

[Andy Ellis] So one big piece of the challenge is that the underlying capabilities are built by one set of people, and then the user interface is built by someone else. So often, what happens is those engineers go off and build the capability, their adage is, “Well, look, I can call it by API. Like why would you bother with the user interface?” and now you have to go build a user interface. But sometimes, the developer who built the capability didn’t actually understand what problem they were trying to solve. I recall a time at Akamai when we were building how to manage the certificates on your origin server, not the certs that we had for you, but we had to validate the certificate that you had, and so we were building a front end for you to interact with. We had to rebuild it three times because we could not get the engineers for the core capability to agree with the engineers for the front-end capability, to integrate with the professional services teams who would have to go talk to the customers. And it was a disaster. So the thing that I love that Edward started with is this idea that you don’t have to be the single pane of glass. In fact, even better, if you recognize that you are competing for mindshare, and so your user interface should be something that either people aren’t going to use at all because they have something that works for them, or they’re going to love it. There’s nothing in between that’s acceptable.

[David Spark] That’s a good point.

[Andy Ellis] When people build single panes of glass, they think they have you trapped, and so they’re not building a thing you would love, and they’re going to try to figure out how to get away from you. So I’d love that strategy if you really buy into it.

Sponsor – Dropzone AI

15:25.921

[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor, and that is Dropzone AI. Now, if you’re in security, you know the struggle. Hundreds of alerts flooding in daily, and your team can only thoroughly investigate maybe 40% of them. I’m being generous here. Important threats could be hiding in that other 60%. They probably are. So Dropzone AI changes that equation. Dropzone works as a trusted teammate alongside your SOC analysts and handles those time-consuming Tier 1 investigations, the ones that typically take 40 minutes, and completes them in just 5 minutes. But here’s what sets it apart. Dropzone shows you exactly how it reaches every conclusion. You get detailed findings with all the evidence linked so your team can trust and verify the results. The platform integrates seamlessly with your existing security stack, whether you’re running CrowdStrike, Microsoft Defender, Splunk, or heck, any combination of tools. Dropzone connects with over 65 security platforms to investigate alerts comprehensively. Now, listen to this. For just $36,000 annually… Well, that sounds like a lot, but wait, hold on. For $36,000 annually, you get up to 4,000 complete investigations. Now, compare that to hiring even one analyst, and the math speaks for itself. Plus Dropzone works around the clock without fatigue or turnover, and heck, I’m adding this in, and you don’t have to pay health care. So your team deserves to focus on high-value security work, not alert fatigue. Visit their website, dropzone.ai to explore their self-guided demo. That’s right. That’s key. Self-guided. And you’ll see exactly how it works. That’s dropzone.ai. When you go, let them know you found out about them on CISO Series.

It’s time to play What’s Worse?

17:30.407

[David Spark] Edward, you know how this game is played. Two crappy scenarios, you’re not going to like either one of them, but you have to pick one, and I make Andy answer first, but then you’ll get to agree or disagree with Andy. And here we go, Andy. This comes from Matt Muller, Field CISO over at Tines, all right?

[Andy Ellis] Oh, fantastic.

[David Spark] All right. It’s actually kind of a simple two options, but we’re elaborating here as we… You’ll see. When we come to the end, you’ll realize it’s a quick A and B here. I feel I know which way you’re going to go, but let’s see how we go here. So here are the two scenarios that Matt poses. Scenario number one, you report to a leader that constantly meddles in your tech stack based on their own personal whims and relationships, things like forcing you to change a SIEM unexpectedly because they were brought to dinner by a new vendor.

[Andy Ellis] Wait, Matt didn’t work for me, did he?

[David Spark] What? But they give you full autonomy over your team and hiring decisions, so you have complete control over that, all right?

[Andy Ellis] Okay.

[David Spark] That’s good. Now, it’s pretty much the flip of that. You report to a leader that constantly meddles in your team based on their own personal whims and relationships. Things like moving your favorite people into roles they want on your team, regardless of whether or not they’re a good fit, but gives you full autonomy over your tool stack and your service providers as well. So it’s a question of, do you want to control your tools or do you want to control your team?

[Andy Ellis] So I got to say, this one sounds like it’s going to be really hard, but I put this one into the really easy, if I… 

[David Spark] No, no. I think you’re going to answer really easy here. I think I know where you’re going to go. 

[Andy Ellis] I want to control my team. 

[David Spark] Right. I assumed you want to.

[Andy Ellis] Whatever tools I have to work with. Fine. If you’re going to spec them out for me, I can work around that problem with an amazing team. If I don’t have control of my team… I don’t mean this is a controlling thing. But if you can keep changing around who’s here, they’re demotivated, like really hard to lead in that environment. So the fact that I get to pick the tools, so what? So I think this one’s a lot easier than it sounds at first, and not being able to pick your team is the worst.

[David Spark] Well, most leaders want to pick their team.

[Andy Ellis] Well, because I want to develop my people, I want to be invested, and I want them to know that I’ve got their back. If I’ve got a boss who’s coming and moving people around, my people know I don’t have their back. I can’t even protect them from the chaos, which is part of my job.

[David Spark] But then there’s the chaos of the tools constantly changing, and that’s driving them crazy.

[Andy Ellis] I can build my team around that chaos. That’s an okay… That’s manageable, as a people manager, but you can’t manage around the chaos of people just willy-nilly being moved around. You can’t let go poor performers. You have weird performance issues that you have no control over, and you would be a very ineffective manager at that point.

[David Spark] All right, Edward, do you agree or disagree with Andy here?

[Edward Wu] Yeah, I definitely agree. So the way I think of it is, the tool works for the people. An analogy of your question is, can you make good developers still productive even given some of the most challenging programming languages on the planet? I think the answer is yes. But even if you give challenging developers the best programming languages on the planet, they might or might not be able to deliver. So at the end of the day, the tool works for the people, and the best team can always work around regardless of what kind of challenges and problems they have with the tools.

[David Spark] I mean, correct me if I’m wrong, both of you. When you’re a CISO walking in, you’re walking into a suite of tools and a suite of people as well. You just accept what you get, don’t you, in both cases? Edward.

[Edward Wu] Yes. I think traditional management consulting always talks about, you have the strategy, you have the process, and then you have the people. I think the tool is probably like the fourth one on that list, and a lot of it is, with people, people are infinitely moldable as a tool. Again, I think really good people can adapt with whatever tool they have, but if your team is not where you want it to be, having the best tool on the planet is not going to help.

[David Spark] That is a very good point. Now, I’m going back, Mr. How To CISO. That would be you, Andy Ellis.

[Andy Ellis] Oh, hey, look, that’s me.

[David Spark] Going back to the comment I just made to Edward, aren’t most CISO situations ones where you’re walking into both of these, in that you’re walking into a team that you didn’t build, and you’re walking into an environment that you didn’t construct?

[Andy Ellis] Exactly. Right. So you’re going to walk in, and that’s your first thing. So look, you’re going to actually deal with both of these problems, but I will tell you the change management of people is easier than the change management of embedded tooling. There’s tooling that’s easy to get rid of or replace because nobody actually cares about it. You’re like, “Oh look, like we have this thing, nobody’s actually using it today.” I can end the contract, buy something cheaper that I like, and roll with it, and everybody’s happy. So find the easy wins on the tooling side while you just deal with the hard problems, which are like, “How do I deal with the brilliant jerk that’s on this team? How do I deal with the people that nobody has invested in developing? How do I deal with the people that were hired because they were buddies with the last CISO, but they’re really not qualified for this job?” Those are actually really hard problems you’ve got to go deal with.

Please, enough. No more.

23:05.210

[David Spark] So, Andy, we have heard a lot about AI in the SOC. In fact, it’s become like your place to put AI, if you will.

[Andy Ellis] Yup. 

[David Spark] So I’m going to ask you the question of this segment. What have you heard enough about with AI in the SOC, and what would you like to hear a lot more?

[Andy Ellis] So I think everybody’s talking about, like, “How do you replace Tier 1 analysts with AI?” 

[David Spark] Yes. 

[Andy Ellis] That’s the thing everybody just keeps repeating over, and over, and over again. The reality is that the reason you have Tier 1 analysts for 90% of their work is because you don’t trust automation. This is not actually an AI problem. It’s a little piece of that. It’s that nobody actually trusts you to let automated systems make changes. AI is not going to solve that organizationally. What I really want to hear is, how are we going to put AI in the SOC in a way that takes every human you have, because you do not have enough humans, and makes them more effective and more efficient, and provides them with career development? How do you take a Tier 1 analyst who, today, is doing one unit of work, and by giving them the correct agents that are helpful, that accelerate what they’re doing, and give them this access to the knowledge base, develop them into being a Tier 4 analyst over the course of a few years, who’s doing 100 times as much effective work as they alone were doing when today you started with your AI journey? 

[David Spark] All right, very good. Now, I take this to you, Edward. I know that this is one of the things that Dropzone AI does, is help reduce the need for so many Tier 1 analysts. But what have you heard enough about with AI in the SOC, and what would you like to hear a lot more?

[Edward Wu] What we have heard a lot about is, frankly, autonomous SOC. I think there are too many startups or pitches about autonomous SOC or lights-out SOC. From my personal perspective, I don’t think it’s going to happen anytime soon, but the over-promise of the AI agents within SOC leading to autonomous SOC, I do think at the end of the day, hurts all parties involved. What we would like to hear more about is actually some of the nuances of operationalizing AI agents within SOCs, such as, “Can you actually coach an AI agent so that it knows about specific policies or practices within your environment?” That’s actually very similar to, like, we were talking about, team versus tool, right? One of the beauties of the team is you can coach your team, right? You can hire somebody who might not have all the correct ideas and understanding, but over time, adjust his or her understandings, and processes, and techniques to align with the organizational leads. So are there ways to do the same with AI SOC analysts or AI SOC agents?

[David Spark] All right. You know what? This is very interesting you brought this up, because we talked about the very topic in an earlier episode, and it was about, treat your AI like someone green coming into your company. You can’t assume that they’re going to know everything, you need to train them, and then the discussion became, how do you train a human differently than you train an LLM. So what have you discovered?

[Edward Wu] One thing we have discovered is there are a lot of similarities between how you train a human versus how you train an AI agent. For example, in a lot of these SOCs, one of the best ways to train a human Tier 1 security analyst is by asking that person to read through all the historical case notes. Generally, it takes a long time for a person to read that, but for AI agents, that can happen within minutes. So essentially, feeding your historical documentation and historical case notes has turned out to be tremendously valuable, at least in our experience. But beyond that, most humans, we take instructions. We take instructions from our team leads, when we are like a Tier 1 analyst, we take instructions from the managers, and this is where, what we have seen is developers or vendors who are working on AI SOC agents really need to optimize their product so it’s easy for the human operators to give AI agents instructions. Like, imagine there’s a way for you to tell your AI minion or AI SOC agent, “Hey, next time you see this alert or run into situations like this, you should look at these three additional data points or metadata, and then if X and Y conditions occurred, this alert should be treated as benign,” for example. So actually allowing human operators to give natural language directives to AI agents is another way we have seen to be tremendously effective in tuning the behavior of AI agents and AI SOC analysts to that particular deployment and environment.

How have you actually pulled this off?

28:27.189

[David Spark] “If your job is to respond to crisis situations, you need to build an organization that views it as their job, not as a crisis. If your job is to put out fires, build a fire department.” That’s advice from former Uber CSO, Joe Sullivan, and he gave that to Cynthia Brumfield on CSO Online. Fire departments, military units, and police forces constantly drill to normalize crisis response. But cybersecurity teams rarely have that luxury. So I’m going to start with you, Andy, on this. What does the cybersecurity team look like that can handle major incidents, “as if it’s another day on the job”? I mean, have you seen or yourself built a team with that level of psychological resilience, and what did it take to get there?

[Andy Ellis] So I have, but I want to just say that Joe’s made a very facile comparison here. We should note that 90% of what fire departments, military, and police forces do is not deal with crises, right? There are incidents, they’re interesting, but it’s not like every day the police force is out dealing with rioting in Los Angeles, for instance. Like that’s a crisis that is very different than what they’re used to. So we should recognize that in the same way that they have to deal with this escalating layer, so do we, and good teams do. It’s important to recognize that you have three different cadences that organizations tend to work at, and the security team has all three, which makes them unusual. So one cadence is the project cadence. Think of the governance team, the compliance team, that basically, you work on a project timeline, and your architects are often doing this as well, like nothing actually matters today. There’s a deadline you have to hit it, but you’re not in any form of operational cadence. There’s then the normal operational cadence of, a ticket comes in, we have to go solve the problem right now, but if it comes in during lunch and we don’t have the same responsibilities, it doesn’t really matter, and 90% of operations isn’t that. Then there’s the incident cadence. Something has just broken, and then now we have to operate at incident tempo. The thing that really matters here, to make it work… and I built a team that did this, my organization at Akamai, actually oversaw all technical incidents for the entire company, whether they were security-related or not. What’s really important is to recognize, how do you get into incident tempo, how do you come out from it? How do you clearly communicate that we are in incident tempo, and how do you protect people? Like we had rules that said, “Within the first hour of an incident, you have to evaluate how long it’s going to take to solve this incident. Because if it’s going to take more than eight hours, you have to figure out who’s going to take over the incident in eight hours, and send them home. Because if it’s 4:00 PM and everybody’s working until midnight, you don’t have a second shift to come on at midnight if you had everybody working instead of sending people home.” So it’s really important to have rigor, and that the people who oversee your incidents themselves, to them, this is now an operational cadence. You have a person who’s running the processes, making sure the meetings are happening, and to them, this is just their operational day work. They might have subject matter experts who’ve popped in, and to them, it’s an incident. They’ve dropped all their other work. But you need to have people for whom incident tempo is actually operations tempo, so that you can pull your people who work at architect and project tempo and say, “Guess what? All your deadlines are now pushed out because you’re solving this problem right now, and we’re going to make it work.”

[David Spark] Love it. All right. I throw this to you as someone who worked in a SOC, Edward. When was it incident tempo, when was it crisis tempo, when was it project tempo? Could you manage all of that?

[Edward Wu] Yeah, one thing I’ve seen around this is, ultimately, a lot of it has to do, at least in my experience, with the level of automation. For any organization that’s constantly responding to a variety of different inputs, whether it’s SecOps, whether it’s DevOps, a lot of it is, you need to create capacity for yourself for interruptions. One way you do that is by having a strong layer of automation. It’s similar to how we, as humans, when we are walking around and thinking about what to eat tonight, are not using our conscious brain to control the different muscles of the whole leg, or to navigate across the mall and through a group of people. Very similarly, I think, in my experience, just with operations overall, having a basic level of automation, so 90% of the work can be automatically taken care of, is tremendously important, because when you get to that phase where the team is not burning itself out just by keeping the lights on, that really gives you the capacity to tackle and address a lot of these interruptions. At the end of the day, anybody who has worked in ops knows that interruptions are bound to happen one way or the other. So it’s very important that when you don’t have interruptions, you invest in automation, so that the day-to-day can be offloaded or essentially be taken care of subconsciously.

Closing

34:07.550

[David Spark] Very, very good point. Well, that brings us to the very end of this show. Edward, I want to thank you. That was fantastic. We loved having you on this episode, and we greatly appreciate Dropzone AI for sponsoring this episode. Remember, an AI SOC analyst that never sleeps, so you can. More at dropzone.ai. Andy, any last thoughts from you on today’s discussion?

[Andy Ellis] So I think that people are going to listen in and they’re going to be like, “Oh, I just need more automation.” I think that the nuance they’ve got to capture is, you have to think about your whole organization top to bottom, from your most junior AI to your most senior people, and how do you create surplus at every level where you can take work that is not valuable from the person who’s doing it, and extract that value at lower cost?

[David Spark] Good point. Yes. It’s not just a Tier 1 thing, it’s something for everybody. We all can get value out of it.

[Andy Ellis] Right. What are you, as a CISO, wasting your time on that could be done by somebody else or by automation?

[David Spark] Oh, wait, the question’s just for you. Let me just shoot it right back at you, Andy. Top thing that CISOs waste their time on, that automation could help.

[Andy Ellis] Meeting scheduling. Even if it’s just a human who is your automation.

[David Spark] All right. I don’t know good solutions for that with automation, though.

[Andy Ellis] Yeah, they’re not so great. But look, honestly, like Calendly or Google Calendar links absolutely can help if you’re willing to take the time in advance to set up the rules to make them effective for you.

[David Spark] Very good. All right, Edward, thank you so much for coming today. Do you have any special offer you would like to give to our audience?

[Edward Wu] Yeah, absolutely. So we have a self-guided test drive of our product on our website, where you can instantaneously get access to a real live instance of Dropzone, click around, and see how our technology can actually automate the investigation of different types of security alerts. You don’t need to put in your credit card, you don’t need to put in your phone number to talk to a salesperson. You can get access to it immediately.

[David Spark] But if you want to put in Andy’s credit card and phone number, can you do that?

[Edward Wu] That assumes you already know Andy’s credit card and phone number.

[Andy Ellis] I will come hunt you down if you do that.

[David Spark] I know one of those. Thank you very much, Edward. Thank you very much, Andy. Remember, go to dropzone.ai and get access to that self-guided demo right now. To our audience, we greatly appreciate your contributions. Keep ’em coming, keep sending What’s Worse scenarios. We have to stump Andy. I knew where you were going to go with this, but I liked the working it out.

[Andy Ellis] I did like this one. It was a good one, even if it was an easy one for me to pick, but yeah, I know. Think about how you would answer this one, and maybe ask one of your friends too.

[David Spark] There you go. Good point. By the way, we’ve heard from many, many people that they like to use the What’s Worse scenarios for their interview questions.

[Andy Ellis] Oh, I love that. 

[David Spark] And also sometimes in team meetings, challenge the team. How would you handle this?

[Andy Ellis] Hey, if your team comes to the conclusion, I was completely wrong, come tell me. I want to hear it. 

[David Spark] Yes.

[Andy Ellis] And why? What was I missing that they came to a different opinion?

[David Spark] Good point. There is also the theory of… Here, I’m going to throw this out to maybe our audience members. Theory of, there are tools that are so loved by teams, that anyone would jump to get the chance to use them, and tools that are so reviled by teams that they would run away from them.

[Andy Ellis] I think there’s far more of those than in the other direction.

[David Spark] All right. Audience, we greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.