Usually the buck stops with the CEO. But for a CISO, what do you do when a CEO wants to exempt themselves from your security program? Whether it’s granting privileged network access or just ignoring protocols, it can put a CISO in a tough spot. So how do you deal with a leader that thinks they’re above the controls you have in place? Is it enough to document your disagreement or is there anything else you can do in that position?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and John C. Underwood, VP, information security, Big 5 Sporting Goods. Joining me is our guest, Joshua Scott, Head of Security and IT, Postman.
We were live at the ISSA LA Annual Summit hosted by ISSA Los Angeles.

Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Veza

Full Transcript
Intro
0:00.000
[Voiceover] Best advice I ever got in security. Go!
[Joshua Scott] Best advice I ever got was have empathy for your users. Make sure you have a better understanding of what it is that they are up against and ensure that you’re actually helping them achieve their goals, not just putting a control on them and being the team that creates work for them.
[Voiceover] It’s time to begin the CISO Series Podcast. Recorded in front of a live audience in Los Angeles.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And sitting to my immediate left is my guest cohost for this episode. It is the VP of information security for Big5 Sporting Goods. Please, a warm round of applause for my guest cohost, John C Underwood.
[Applause]
[David Spark] And our sponsor for today’s episode, allowing us to actually be here in front of you, this audience… And I’ll explain that to the listening crowd in just a second. Our sponsor is Veza, secure your identity access everywhere. Veza. More from Veza later in the show. Thank you so much for sponsoring us.
We are live at the ISSA Los Angeles event in beautiful Santa Monica. We’re literally on the beach, John. Have you walked into the sand?
[John C Underwood] I have not. I’m looking at it right now.
[David Spark] Looking at the white…
[John C Underwood] I see the coast. I see the sun about to set.
[David Spark] There are people on the beach, going into the water. And we’re here inside, recording a cyber security podcast.
[John C Underwood] We’re having a better time.
[David Spark] We are definitely having a better time than them. For sure. That’s good. And our audience agrees with us, don’t you?
[Applause]
[David Spark] Of course you do. All right. Well, we’ve got a great show planned for you. I know you’re going to like this. We did this last year. We had a lot of fun. We got to thank all the people at ISSA for making this possible. This has been a great event of education. We’ve been really appreciative of everything they’ve given us during this time.
All right. Now, you have to…we have to welcome our guest as well. He is the head of security and IT over at Postman. Please, a warm round of applause for our guest, Joshua Scott.
[Applause]
[David Spark] Josh, thanks for joining us.
[Joshua Scott] Thanks. Glad to be here.
Why are CISOs leaving the profession?
2:20.125
[David Spark] So, is it worth it to be a CISO anymore? Based on our podcast name, I’m actually hoping so. But in a piece on ITSP Magazine, Sean Martin asked this question. “Is the role of a CISO with its inherent legal complexities and potential pitfalls worth the pressure? There is an increasing amount of liability tied up in the CISO role.” I’m thinking of obviously the conviction of the CISO of Uber, Joe Sullivan.
Now, does it seem that it’s kind of out of balance with the responsibilities of the rest of the C suite? I’ll start with you, John. Do you think the negatives outweigh the positives or the other way around?
[John C Underwood] Oh, it’s really hard to answer that because it’s kind of a global question. But the risk is at an individual level, so it’s really something that each security leader needs to kind of evaluate for themselves.
[David Spark] Did you do this for yourself, I hope?
[John C Underwood] I’m in the middle of doing this for myself, yeah.
[David Spark] Oh, wow. All right.
[John C Underwood] Yeah, I’m having conversations with my leadership where we’re trying to get some protections in place. And I’m sure we’ll get into that topic in a few moments here. But yeah, I think it’s worth it. It’s a very rewarding career. And I encourage anybody that is young in the industry, set your sights.
Go for it.
[David Spark] Did you question yourself about going into it for the fear of the legal implications or because it’s becoming more prevalent now, maybe it’s… Because you’re dealing with it now. It’s scaring you a little bit more now?
[John C Underwood] I think it’s a concern. I’m involved with multiple industry groups, a lot of CISO work groups, things like that. And we are having conversations. I don’t think I’ve been in a conversation for the past year that hasn’t talked about the liabilities or the concerns that a CISO has as an executive in their organization.
[David Spark] All right. I’m throwing this one to you, Josh. First of all, I’m going to assume positives outweigh the negatives because you still have a job. Or maybe you have a job that you’re miserable with, and I’m sure you wouldn’t admit that. But what’s the negatives and positive debate that you’re having?
[Joshua Scott] For me… So, I definitely think there are more positives to it, but there’s considerable risk without a doubt. So, what I’ve done is purposefully gone to certain types of companies and certain types of environments where I can kind of mitigate some of the risk by that. Just by where I work.
I couldn’t do any other job. For me, security has always been life. I’ve been doing this almost 30 years now. Mid 90’s I started doing security. So, being a CISO is what I wanted to do.
[David Spark] So, even if there’s a risk…
[Crosstalk 00:04:47]
[David Spark] …you don’t have a choice because you don’t know how to do anything else.
[Joshua Scott] I enjoy it. This is life.
[Laughter]
[Joshua Scott] It’s that, too. Yeah. I don’t know how to do anything else.
[John C Underwood] I would say it’s a calling. It takes a certain type. But don’t know how to do anything else, that works, too.
[Joshua Scott] I don’t want to do anything else.
[Laughter]
[David Spark] But do you think…? Here’s the thing, specifically… Because with the Joe Sullivan case, everyone is like, “Oh, this really changes everything.” I heard that line a lot. Do you feel because of that case and the increased scrutiny, and also the new laws that are coming about, that the risk you’re facing is higher than, I’ll say, three years ago?
[Joshua Scott] Yeah, absolutely.
[David Spark] Okay. So, let’s dig into that. What are the risks you feel you face now that you didn’t face three years ago?
[John C Underwood] Well, if you’re working for a public company and you’re the head of security there, whether it’s a functional CISO, CISO, deputy CISO, if you’re the head of your given department or your company, there’s some liability on you. You need to be having these conversations with your executive team and with your GCs about what kind of protections do I have.
Am I on the cyber insurance? Do I have…? Am I on the D&O policy? What can you do to make sure that as I’m trying to protect you and make sure that we’re stable as an organization I’m not putting my home, my family at risk?
[Joshua Scott] That’s good right there. That’s good feedback and good information. I also make sure that my teams, in everything that we’re doing, we’re very diligent in making sure that we don’t run into those scenarios, that we’re blurring the lines between what’s right and wrong and blurring the lines between whether we should have paid out a particular hacker or anything like that.
So, just ensuring that we’re doing the right thing.
[John C Underwood] Well, one of the things that’s concerning me is you can do everything right, and you can still have litigation action against you. Civil action, criminal action. So, yeah, there needs to be some level of protection there for the CISO. So, any executives, board members listening to this, you might want to have those conversations with your security leaders.
The great CISO challenge.
6:40.623
[David Spark] Everyone appears to be onboard with the Cloud security automation. But why isn’t everybody already doing it? So, over on ReadWrite, Zac Amos wrote up some steps to help implement Cloud security automation. So, there’s some typical items on it, nothing that’s going to come as a surprise to anyone here, starting with risk assessments and expanding visibility into the Cloud.
It then goes into implementing generalized and case specific automations, adding automated threat monitoring, and ending with evaluation and iteration. Now, this all sounds easy. But if it was, we’d all actually be doing it. So, I’m going to start with you, Josh, on this. What in all these steps becomes the biggest challenge for the security team who’s dealing with trying to do Cloud security automation?
[Joshua Scott] There’s so many. It’s a great article in a perfect world, but we’re not in a perfect world. You’re never going to have a full understanding of what the risks are. The business changes at such a rapid pace that being able to stay on top of that is going to be challenging. Then you’ve got to deal with multiple Cloud platforms because if you’re in a larger organization, you may have multiple Cloud platforms, which adds to the complexity.
So, it’s nice to say that these are the six steps towards Cloud security if you’re a one-product, one-service, one-Cloud environment. That might be possible. But the minute you get into multiple Clouds, that’s going to cause challenges.
[John C Underwood] Yeah, I would say I’m kind of looking at the threat landscape kind of like we’re in this moment where we’ve kind of had this big bang. And so your threat landscape has gone… It’s not only lateral, but it’s going up, and it’s going down. So, it’s multidimensional. And so when you’re looking at securing your endpoints, securing your network, securing your Cloud, securing your other Cloud, securing the other two Clouds, the idea of slowing down the speed of business so that you can kind of get your arms wrapped around what you’re trying to do, it becomes very difficult for an organization when you have multiple different initiatives and projects going on at the same time.
It’s a struggle all the way through, every one of these steps.
[David Spark] Let’s go into some specifics on Cloud security automation. Because when we say automation, there’s a very wide breadth of that. So, let’s start… What has been something easy you’ve been able to pull off that didn’t take such heavy lifting? Either of you jump in. There is no answer to that.
[Laughter]
[John C Underwood] Yeah, we both kind of leaned back in our chairs and were scratching our chins here. I think you can kind of review simple things like access controls. It sounds easy. It takes a little bit of time, but it’s one of the simpler things you can do that adds a big bang to the security program.
[David Spark] Access controls? Okay.
[Joshua Scott] I think access controls is a good one, but that’s easy when you have one account, one environment. The minute you get into… We’ve got many accounts within just a single Cloud provider, which makes it very complicated. So, it’s not easy to just do that. Now you got to talk about integrated SSO or some kind of central authentication, which makes it a little bit more complicated.
[David Spark] So, let me ask, with Cloud security automation, do you have a CISO guru friend that has kind of nailed it? I don’t know if this person even exists. But do you have a friend that you’re in awe of, like, “Aw, they’re getting this every single time,” and you kind of go to them for questions and advice?
Or does this person truly not even exist?
[John C Underwood] I think groups exist.
[David Spark] Groups?
[John C Underwood] Groups, yeah.
[David Spark] So, you can literally piece together a Frankenstein monster and get this information together?
[John C Underwood] Yeah. When you’re young in your career, networking is something that you don’t really think about. When you get older, your career network is not just for career advancement, but it’s for solidifying the security program. And so gleaning that information from peers has been something I try to do with every group.
But that one person… I don’t think anybody has it figured out completely. It’s easy to put it on paper. It looks great. But execution is difficult because we’re all dealing with a different environment.
[David Spark] What about you, Josh?
[Joshua Scott] They may have bits and pieces of it. But having the full picture of what Cloud security automation would actually look like… Yeah, I would actually go reach out to the various groups I’m a part of as well and find out which sections they’re doing well on and combine it all together.
[David Spark] But you haven’t found one friend…?
[Joshua Scott] But I haven’t found one, no.
[David Spark] That’s figured it all out. This is also what I feel about AI and the marketplace. I was just talking about this with some other people is that every session of AI is packed, and they’re just hoping they’re going to walk into the room with the person who has all the answers, and that person still doesn’t exist.
[Laughs]
[Joshua Scott] I will say if you’re listening to this and you do exist, call me. I’d like to talk with you.
[Laughter]
[Joshua Scott] I’d like to pick your brain.
Sponsor – Veza
11:09.013
[David Spark] Our sponsor is Veza. Veza. That’s awesome. Let me tell you a little about them. I don’t know if you know this, that 75% of breaches happen because of bad permissions. We were actually just talking about this seconds ago. That cannot be detected though by traditional identity governance and administration or IGA tools.
So, for example, traditional IGA tools fail to detect roles labeled as “read only” that in fact grant permissions to edit PII data, or users and admins created locally within a SaaS app, bypassing the IGA system altogether. This is all because traditional IGA tools cannot track granular permissions across enterprise data and applications.
So, this is where Veza comes in. Veza is the next-generation IGA platform that manages individual permissions across all cloud, on-premise, and hybrid enterprise systems and applications.
Veza supports the full lifecycle of identity management from creation to monitoring to reviews, and offers over 100 integrations… I know this is what we all like to hear. With platforms like AWS, GitHub, Salesforce, SharePoint, and Snowflake. The Veza Open Authorization API also makes it quick to connect to any cloud, on-premise, and hybrid system.
Companies like Expedia, Intuit, and Blackstone use Veza to streamline audit prep, entitlement certifications, and user access reviews, as well as to find and fix bad permissions, enforce security policies, and to continuously update every permission to maintain least privilege. Something we all like to do.
So, if you want to do this, you want to learn more about this, go check them out at veza.com.
It’s time to play, “What’s worse?”
13:11.592
[David Spark] All right, it is time to play, “What’s worse?” So, for those of you who are not familiar with this game, this is a game of risk management. A lot of times we talk about security professionals not really being security professionals but being risk management professionals, and this is really where this game plays really well.
So, we’re going to play two rounds of this game. This first round, actually the first scenario… There’s actually three scenarios, and it’s actually not a “what’s worse” submission but actually something that somebody posted publicly on LinkedIn that works perfectly as a “what’s worse” game. So, we’re going to play it.
And I have to give credit to Jay Dance of StubHub for pointing me to it. But the person who wrote it is Joe Hudson of TCM Security. So, Joe is an unwitting participant in this game right now. All right, here we go. Scenario number one…
So, this one actually has both positive and negative to it. So, there is a rose and a thorn attached to each one of these. Scenario number one, your team is awesome, your company treats you well, and your pay is competitive. But your manager sucks and makes every day a challenge. All right? Scenario number one.
Scenario number two, your team is disconnected. Your company makes you feel like a face in the crowd. Your pay is competitive, but your manager freaking rocks, is a true mentor, and always has your back. Third scenario… Are you following these? So, the first one is I’m just going to repeat, great company, treats you well, pay is competitive, but the manager stinks.
Second one, team is disconnected. You’re essentially kind of competitive, but your manager is off the charts. The last one is your job is boring. Your team and manager are all replaceable, but your pay is 30% higher than anywhere else you can find right now.
[Laughter]
[David Spark] What’s worse? John, you start here.
[John C Underwood] Obviously the worst position there is the one that pays the most. Yeah.
[David Spark] [Laughs] You make sure that Big5 hears this?
[John C Underwood] Yeah. No, I think what’s worse is the team being disconnected. There’s nothing worse than trying to defend an organization when you’re standing alone.
[David Spark] So, that’s the worst scenario?
[John C Underwood] To me.
[David Spark] Okay, good. What do you think?
[Joshua Scott] I think it’s the third one.
[David Spark] The third one – the 30% pay where everything kind of stinks except the pay.
[Joshua Scott] Yeah. Because if you’re bored, you’re not going to be engaged anyway. So, it doesn’t matter if you’re making plenty of money, you’re going to be bored of the job. You’re going to leave anyways.
[David Spark] Yeah, so you’re struggling through it. So, I’m hearing…
[Joshua Scott] I would prefer the first scenario.
[David Spark] I’m hearing a lot of “yeah” from the audience. Okay, let’s go through these again. I’m going to get audience response here. All right, scenario number one, to remind you… Applaud… Again, it’s the one that’s the worst, not the one that you like the most. All right. Because that’s the name of the game.
We always have to explain this. And the other thing I’m going to explain to the audience before you do it is that we have played this, and sometimes people raise their hand. I always have to explain that you can’t hear hands being raised on a podcast. All right. Trust me, it happens every single time.
Although this is the first time I’ve explained it beforehand. All right. The first one is great team, but your manager sucks. By applause, how many people think that’s the worst?
[Applause]
[David Spark] All right, three people think that’s the worst. All right. Four. Four people. All right. Second one is your team is disconnected, manager is great. How many people think that’s the worst?
[Applause]
[David Spark] All right, a lot of people behind you on this one, John. All right. Last one is 30% higher pay. That’s a good third almost there. But everything else stinks. How many people think that’s the worst?
[Applause]
[David Spark] Pretty…
[John C Underwood] Josh, I think you took this one.
[David Spark] I think, Josh, you took it on that one. All right. Okay. We got one more. One more scenario. This comes from Dustin Sachs of World Kinect Corporation. He, by the way, sends us tons of “what’s worse” scenarios. This one I love. All right, this one is really funny, and I’m really interested to… I really want you to work this one out in your head and how this actually would play out.
And these are both bad. What’s worse, ignoring software updates for years, leaving your system vulnerable to known exploits, or…get ready for this one…clicking on every link in your spam email folder. Which one is worse?
[Laughter]
[David Spark] This one is a tough one.
[Joshua Scott] I think the first one is worse. Leaving all your software unpatched.
[David Spark] Unpatched.
[John C Underwood] I agree.
[David Spark] Okay.
[John C Underwood] Because I think you can put in controls and other ways to minimize the risk of the second one.
[John C Underwood] Yeah, I don’t see many RCEs coming through email.
[Joshua Scott] That, too. That, too. Yeah.
[David Spark] Okay, so do you think…? Could you actually survive either scenario? Could the first scenario…you don’t think you could survive it?
[John C Underwood] I think there’s lots of companies that are surviving that right now.
[Laughter]
[John C Underwood] I’ve been to companies where it’s been like that, yeah. So, we survived.
[David Spark] All right. So, you think you could put enough controls in place that you could survive the spam email one?
[John C Underwood] Yeah. I think so.
[David Spark] Okay, so walk me through. What are the controls you would put in place to survive the spam email one?
[John C Underwood] The one that comes to mind for me offhand right now is containerization. So, if an email comes into your…
[David Spark] Oh, so you create a sandbox type thing.
[John C Underwood] Yeah. So, the user doesn’t even have to think about it. If it’s an email from outside my domain, it opens up in an AWS instance. Boom. It’s captured there. If there’s anything malicious, it explodes. It doesn’t ever hit my environment.
[David Spark] Good point. That’s actually the simple… Same for you?
[Joshua Scott] Mail gateways, solutions like what John mentioned.
[David Spark] Have either of you had to do anything like this? Like it got so bad, you had to create a way station, if you will.
[Joshua Scott] No, nothing. I never experienced anything like that. Not to that extent.
[John C Underwood] Not a way station, but we’ve implemented a tool like I just mentioned, yeah.
[David Spark] Let me bring this up. So, we talked about this on a previous episode. I have a friend who works in human resources for a big company, and they actually had to fire a mechanic who kept failing phishing tests. Now, this guy was not a knowledge worker. He did not spend a lot of time on computers.
But they let him go because he just couldn’t stand clicking. I guess it was an addiction. Who the heck knows what it was. But he could not stop clicking. I’ve talked about this with all my guests. Everyone thought that was horrible. I thought it was horrible, too. Could you shield someone like that?
A mechanic, good person. They’re not going to be spending much time on computers. Although they probably have to check their own payroll and things like that. Could you protect an individual that’s a happy clicker?
[John C Underwood] Yeah, I think there’s a couple ways to approach that. First, are you training this guy? Are you having conversations with him?
[David Spark] Well, obviously… He failed it multiple times, and he had to take a lot of retraining over and over again.
[John C Underwood] Yeah, I kind of think that if you’re depending on your users to keep your company safe then… We all do it to some degree. But if you’re relying solely on your users to keep your company safe, you’re kind of failing at your job as a security leader. So, you need to have those controls that are invisible and underlying so that if they do fall, it’s not going to hurt too bad.
[David Spark] So, what would you do to the mechanic who’s the happy clicker?
[John C Underwood] So, in that case, what we did…we just put containerization in for all email. And so anything…
[David Spark] And you can do it for one person? Containerization for one person?
[John C Underwood] No, we’re doing it for everybody across the board. So, if he clicks on something, it doesn’t matter. It doesn’t explode in our environment. However, for that situation, at some point I kind of agree with HR. I don’t like it. I don’t ever want to be involved in firing somebody. But if this person is just continuing to do that, they’re a risk, and we need to take care of that.
[David Spark] Josh, last word on this.
[Joshua Scott] I would never fire anybody for anything like that.
[Laughter]
[Joshua Scott] That’s the last word.
What would you do if you were the CISO?
20:59.609
[David Spark] Is your CEO above security concerns? Like if the CEO asks you to let them make a serious security mistake, what can a CISO do? Now, there was a lively discussion over on the cyber security subreddit about, get ready for this, a CEO wanting admin rights to the network. I know. It’s not settling well with anybody.
All right. So, it’s not something I know anyone in this room would ever voluntarily do. But as one redditor wrote, “It’s the CEO. And at the end of the day, they do what they want.” And I’m sure you’ve had those “they’re going to do what they want” kind of moments. So, everyone offered this advice, like write up an email outlining why you strongly advise against this.
With that cover-your-butt email, another redditor commented, “The CEO ordered me to implement it against my advice.” So, having a paper trail just definitely seems obvious. But you don’t want to see the house of cards crumble. We’re going to get back into kind of the same discussion of containerization.
I’m going to start with you, Josh, on this one. If you had a CEO that said, “Give me admin rights. You have to do it,” what protections do you put in place when your CEO gets those admin rights?
[Joshua Scott] What protections do I put in place? So, if there’s a CISO at an organization, you should be pushing back on that CEO.
[David Spark] Of course.
[Joshua Scott] Without a doubt.
[David Spark] But the CEO is like, “I’m sorry, it’s your job…”
[Joshua Scott] I would find a way to give him what he thinks he needs and not give him what he actually really is asking for.
[David Spark] Oh, so like a Fisher-Price version of admin rights.
[Laughter]
[Joshua Scott] Exactly. But in reality though, I would actually have a conversation with him and find out what is it that you’re trying to accomplish, and let’s find a way.
[David Spark] You could have it like read only and just edit it to say “admin” on it. [Laughs]
[Joshua Scott] I’d create a new domain admins group or whatever it is he’s asking for, and that’s what he’s got.
[David Spark] Yeah, just give him his own little play space, if you will.
[Joshua Scott] Yeah, he doesn’t know. He doesn’t need to know. And that’s what I’ve found. They’re not going to be that technical, so why not just appease them. If it’s that bad of a scenario. If it’s really that kind of, “You need to do this, and that’s it.” Now, typically I would actually have the conversation with him and try to find out what he’s trying to solve, and what he actually needs, and then put in measures.
Whether it’s being able to check out an admin credential or some kind of just in time access to get admin credentials for a period of time that’s logged, and monitored, and then it expires after an hour or whatever.
[David Spark] What about you? What would you do in a scenario like this?
[John C Underwood] Well, I think the scenario we’re talking about is a little bit different than what was described in that thread. So, when I read through that thread, what they were talking about was the CEO wanted to download whatever they wanted to download. So, I read that as local admin rights, even though that wasn’t explicitly called out there in the…
[David Spark] Good point. I was just sort of playing this up. But yeah, it was just local… Yeah, good point. Having conversations like, “What is it you really want?” Because having admin is a lot here. Well, giving them the rights to download what they want, yes? You can do that?
[John C Underwood] Oh, you could. I wouldn’t recommend it.
[David Spark] [Laughs]
[John C Underwood] There’s a couple protections you can put. You can give them a thin client. So, if something happens on that machine, you know you just zap it, spin it back up, and he’s back up and running. If he doesn’t want network administrative rights, that’s a much smaller deal that you have to deal with if it’s just local admin rights.
You can put protections on that machine. There’s a bunch of different things you can do. But at the end of the day, I’m probably not writing an email to him saying, “Here’s all the reasons why you’re wrong, and I highly advise against it.” Because that’s antagonistic. So, I would have that conversation with him face to face.
[David Spark] And then if he still pushes it… But the whole thing is some paper trail… Would you create one eventually?
[John C Underwood] Oh, I’d create a memo and put it in OneDrive in my little memos box. Because then it’s discoverable, and it’s not I’m emailing you… I don’t want to be confrontational.
[David Spark] Okay. Well, good point, which is contrary to the advice from the redditors. That’s a really good point. Now, let me ask you… Obviously this never happened at your current jobs, but have you had…? It doesn’t have to be a CEO but someone who essentially doesn’t need additional rights asking for additional rights.
Maybe because they say, “Oh, well, so and so got this. Can I have it?” Have you had this, Josh?
[Joshua Scott] Oh, yeah. Absolutely. It happens quite a bit. Every day.
[David Spark] So, what are the kinds of things they’re asking for?
[Joshua Scott] Maybe they want admin rights because they want to be able to look at something or make some change. There’s so many different cases. But ultimately it’s just asking them, “What is it that you’re trying to accomplish? What is it that you need?” And then finding…
[David Spark] You’ll often do it for them or…?
[Joshua Scott] Yeah. I mean given that I also own IT. So, yeah, I’ll get the IT staff to actually take care of that change for them or do whatever it is that’s necessary.
[John C Underwood] A lot of times I find it’s people trying to do their job in an application where they can’t even see some of the configurations maybe or some of the modules that they need to get into if they don’t have a particular role. So, they’re trying to do their job, but they’re bumping up against this wall.
So, then it just becomes a game of, “Okay, well, what do you need?” Getting them in front of the right people that have those roles so they can kind of figure it out. Because a lot of times, people don’t know what they don’t know. What I mean by that is they don’t know what they need in that particular application.
Then also they don’t actually know what they’re trying to accomplish. So, there is a little bit of a game there that you need to play, a conversation you need to have. And it’s never as straightforward as, “No.”
[David Spark] Right. Because you’re really discovering… But they just asked for it, thinking, “Oh, if I have this, I can do that.” But they don’t understand the implications of asking for admin rights.
[John C Underwood] Yeah. Yeah, they want this control here to do this job, but they don’t realize it comes with access to all of that over there, and that’s additional risk that I don’t want to provide.
[David Spark] Well, do you also tell them? Say, “Okay, I could do that for you, but you’re going to be open to this, this, and this. And that’s going to open to you a lot of risk. Are you sure you want that?” Do you ever play that game with them?
[John C Underwood] Sometimes. It depends. If they’re in a role where they actually need that, and there’s a legitimate business need for that then, yeah, we have that discussion. But sometimes you just pull the complaints card. Like, “Yeah, sorry…”
[David Spark] Oh, and so that’s a variation of department of no right there.
[John C Underwood] Sometimes.
[David Spark] [Laughs] “I would love to give you admin rights. But unfortunately, our regulators wouldn’t like it.”
[John C Underwood] No. No, I don’t play that card very often.
[Joshua Scott] Yeah, I try not to play that card at all actually. But yeah. But you do sometimes. There are scenarios where you need to. But I think ultimately it’s about having that conversation, trying to find out what is it that they’re to solve. And then figuring out how you can actually… So, it’s saying, “Yes, but this is what we need to do.” “Yes, you can get that permission, but we need to figure out a different way to actually give it to you without exposing a lot of extra risk.”
[John C Underwood] And if there’s a legitimate business need, let’s do it. Let’s figure out a way to get this done.
If you haven’t made this mistake, you’re not in security.
27:20.805
[David Spark] So, over on our show, Cyber Security Headlines, we reported on an incident where Microsoft leaked 38 terabytes of data on GitHub all due to a misconfigured token. Now, for all the breaches caused by malicious actors out there, we also see plenty of self-inflicted security wounds. One redditor on the cyber security subreddit said, “The two worst incidents I ever worked on were triggered by, one, an out of hours pentester, and, two, a batch job scheduled to run at the quietest time of night.” So, we don’t actually talk about this much on the show.
So, how often are incidents due to this kind of friendly fire? John?
[John C Underwood] Well, one of those rings pretty close to home for me or hits pretty close to home. We had a pen tester a few years ago… I’m not going to say which company I was with. But yeah, they did an after hours pen test, and they did a brute force for all of our users. So, we came in the next day, and about 90% of our users were locked out.
That was a fun day.
[David Spark] Wow. A lot of phone calls.
[John C Underwood] That was a fun day.
[David Spark] And let me ask… So, how often have you…? And can you tell a tale of a self-inflicted wound?
[Joshua Scott] Yeah, I think the majority of the issues that occur are actually self-inflicted and are accidental. They’re mistakes that happen. It’s only the ones that are actually malicious that end up making the news. But I think there’s so many more that don’t make the news that are all just simple mistakes – an oversight, an accident.
We had a vendor of sorts that was actually doing some consulting on a particular assignment, and then they took GitHub items and then decided to publish it somewhere else where they shouldn’t have. Within there, we made the mistake of actually putting a key in there. This is many years back. And then all of a sudden this key is now public, right?
Which is an AWS admin key. So, you can kind of figure out what happens…
[David Spark] Well, that’s how the CEO can get the admin key, right?
[Joshua Scott] Yeah, exactly. Yeah. Yeah. But it was friendly fire. It was us making the mistake or a vendor making a mistake. And I think there was nothing malicious behind it. But it led to malicious access into the environment.
[David Spark] But I’m sure with every case like this where it is a friendly fire case where you make your own mistake like this, it’s always a learning experience, I got to assume.
[John C Underwood] I would hope.
[David Spark] You would hope so. So, two things. One is hopefully those kinds of incidents reduce. And second, the person who causes that, what’s the fallout? Are they scolded? Do they beat themselves up? What happens after that happens?
[John C Underwood] I think this kind of goes back to what Josh was saying at the beginning of the show where you need to have empathy as a leader. You need to understand that your people take their jobs serious. They really want to be there. When they do something that negatively affects your organization, they take it hard.
So, sometimes it just takes a kind word. “Hey, I understand this happened. Let it roll off.”
[Joshua Scott] Mistakes happen. Mistakes do happen.
[David Spark] Can I…? My ask of this is that it could be an opportunity for the two of you right now… Have you made stupid mistakes yourselves?
[Joshua Scott] Oh, man. I cut out the VoIP system for the whole company one time when they were on live sales calls.
[Laughter]
[David Spark] How did you do that?
[Joshua Scott] It was 15, 16 years ago, early in my career, a small company. And we had this system where whenever you created a change for somebody’s phone number, you hit commit, or you hit send, or something. And it basically had to take the whole system down while it did that and then brought it back up.
And so ideally we should be doing that after hours. I didn’t know. Nobody told me.
[Laughter]
[Joshua Scott] Or maybe they did. I’m not saying. But anyways, I hit send, and it went…
[David Spark] You took everybody down.
[Joshua Scott] It wasn’t just but 30 seconds until the CEO and everybody down the line to my peers were standing next to my desk, and I’m looking up like, “What the heck just happened?”
[David Spark] Any colossal stupid mistakes?
[John C Underwood] Yeah, I bricked a core VPN router when I was network security guy between our data centers. So, we basically lost all connectivity for like 12 hours.
[David Spark] Oof.
[John C Underwood] That was rough. And we had to get RMA equipment sent out to us, which got there the next morning by like 10 AM. So, we were making a change at like 10 PM the night before.
[David Spark] So, did you beat yourself, or did somebody do the beating up for you?
[John C Underwood] No, I beat myself up. My boss was very understanding. He’s like, “Hey, things happen.” But I made sure that moving forward, I’m never making that change again. I’m giving it to somebody else.
[Laughter]
[Joshua Scott] Empathy.
[John C Underwood] Yeah, exactly.
[Laughter]
It’s time for the audience questions speed round.
31:44.854
[David Spark] All right, I have in my hand a whole slew of questions from you, the audience. So, thank you very much for that. I think we’ll be able to get through these all because we got a little bit of time to finish this. So, this is how we’re going to wrap up the show. Here we go. This is from Steven Weil of Point B.
By the way, either one of you can answer this. “Do you have a plan, or when do you think you’ll have a plan for quantum computing?”
[John C Underwood] No idea. [Laughs]
[David Spark] No plan and no clue when you’re going to have a plan.
[John C Underwood] No plan, no idea. Yeah.
[David Spark] All right, so there you go. Honest answer there. Has this ever come up? I’m actually going to be going to an event in Las Vegas where this is going to be a hot topic actually.
[Joshua Scott] Not for me.
[David Spark] You? Anything?
[Joshua Scott] I’m keeping my mouth shut. I got nothing here.
[David Spark] No? You got nothing to say? All right. Sorry, Steven, you got nothing from that one. All right. Now this comes from Lori Pelletier. “Now that litigation is possible with California’s new privacy law, CPRA, what, if anything, has changed in your organization?” So, they can litigate for privacy violations.
Has anything changed in your program? When I say change, I think maybe more conversations with the legal staff. Who knows. What’s changed?
[John C Underwood] Yeah, so nothing has really changed for us. We look at privacy as a legal issue, so legal owns it. Then I will help on the security/IT side of the house to implement whatever they need. But that’s about it. Nothing has really changed. We’re having these conversations. We’re trying to keep a pulse on what’s going out there with new privacy law.
But I wouldn’t say we’re doing anything different at this point.
[David Spark] Josh?
[Joshua Scott] Yeah, it’s always been important to us, so nothing has really changed. We just continue with what we’re doing.
[David Spark] But I would just assume you’ve cranked up conversations with legal?
[Joshua Scott] We were already having quite a few conversations anyways because we’re really concerned about just making sure we do everything that’s right with data security and data privacy.
[John C Underwood] And one of the things we’re doing, just to add to that, that’s not really changed, but… And not because it’s a legal requirement, but we want to treat privacy as a chief concern for us. So, what we’ve done is we’ve kind of… And this is a little bit of a practicality as well. But we’re operating in multiple states, so what we’ve done is we’ve tried to bring privacy to the lowest common denominator.
So, we’re basically treating all of the municipalities and the states that we’re in with the same preference. So, if somebody from another state calls us and says, “Hey, what information do you guys have about me?” We’ll treat them like they’re a California resident.
[David Spark] Always, yeah, lowest or highest common denominator.
[John C Underwood] Yeah. I don’t know how you want to say it.
[Crosstalk 00:34:19]
[David Spark] It’s the highest common denominator in this case.
[John C Underwood] Yeah. Yeah.
[David Spark] All right, this one comes from Michael Vinding, CISO over at AP Technology. We’re going to get into some questions about vendors. So, “What’s one new way you’re discovering vendor solutions that you did not do before?” I’m assuming you look out for new solutions when you need them. Do you have any new techniques or ways that you are discovering them that you didn’t do before?
[Joshua Scott] Peer groups. That’s probably the place I find the most about new vendors is…
[David Spark] My guess though is that you’ve been doing that for a while.
[Joshua Scott] Yeah, true.
[David Spark] Are you going to new peer groups?
[Joshua Scott] Yeah. I mean I am going to new peer groups, anywhere I have an opportunity to network and talk with other security professionals and other CISOs and all that. And other vendors, too. Tell me about your competition, tell me about who you’re running across. And then also getting connected with some of the VCs, and the YCs, and the YLs, and all that.
That helps actually to see what they’ve got going.
[David Spark] We have found that that’s actually a popular place for CISOs. What about you?
[John C Underwood] I would say the same. I’m not really doing anything different. Most of my discover comes through… Well, my discovery comes through reading logs, reading industry articles, podcasts, peer groups, Slack channels. I’m really plugged into the community and my peers. And not so much reaching out to a vendor unless they’re on my hitlist or they’re on my project list.
[David Spark] Similar to that question… This comes from Nancy Long from Gurucul. “What’s one way a vendor has gotten your attention?” And I’m going to say this in a positive way. I’m sure plenty have gotten your attention in a negative way. But in a positive way, what’s one way a vendor has gotten your attention?
[John C Underwood] It sounds a little bit like a platitude, but I would say be where we are. Today we’re here at the ISSA in Los Angeles, and we have a bunch of vendors that are out here. I’m happy to sit and talk with them, and figure out what they’re doing, how they compare to my current vendors, and what are the gaps that they’re filling that I may be looking to fill in the future.
But that’s… Just be where we are.
[David Spark] A great plug to sponsor ISSA LA next year, yes, Richard? That’s for you. [Laughs]
[Applause]
[David Spark] All right, what do you…?
[Joshua Scott] I think what John said is great. I think be where we are. I could add a lot more there, but that’s another time.
[David Spark] All right. This next one also comes from somebody at Gurucul, from Pierre Jamet. And we actually had a similar question like this on a previous show. I think this is a good one. “If you were starting from scratch right now, how would you even begin looking for a SIEM solution?”
[Joshua Scott] I wouldn’t use SIEM. I wouldn’t look for anything SIEM.
[Laughter]
[Joshua Scott] That’s the first thing I would do is actually get rid of that notion that I need a SIEM, and I would try to figure out what I’m trying to solve and then go look for that type of solution.
[David Spark] Okay. So, I want to dig a little deeper on that. Why do you think you don’t need a SIEM?
[Joshua Scott] I think what SIEM is now is not what we were promised 20 years ago. I think it’s something that… It’s probably one of the biggest budget items we have, and it’s something that still really hasn’t delivered the value we want. So, there’s a number of things. There’s transforming the data.
There’s collecting the data. Each of those are separate problem spaces, too. And long-term retention, data lakes. There’s always different conversations happening around what you need. And sometimes maybe you just need to search data, like what Splunk provides or something along those lines. So, understanding what it is that you’re trying to solve and then go finding that tool that may solve it.
Maybe eventually you get into a SIEM, but maybe you really don’t need one. Because I think where SIEMs are today… We don’t have one, and we’re not looking to buy one. We’re looking to buy point solutions that solve other problems.
[David Spark] I don’t want to turn down all SIEM vendors out there because there are a lot of people who still like SIEMs. What’s your take? How would you begin looking for a SIEM solution, John?
[John C Underwood] Well, I was going to take the escape and say, “Hey, there’s nothing left to say after that.” But realistically…
[Laughter]
[John C Underwood] Realistically if it was me, I’m looking for a couple things. I’m looking for does it fit my environment. Actually more to the point, does it scale with the environment? So, cloud has become a very big deal to me. I would rather not have something on prem if I can avoid that.
[David Spark] All right. Last few questions here… All right, this comes from Sammy Basu of Careful Security. “What’s one way you know you’re being a good CISO versus a bad CISO?”
[John C Underwood] Honestly I think if people are kind of complaining that you’re…
[David Spark] If there’s no complaining, you’re being a good CISO? Is that the idea? If everyone is quiet?
[John C Underwood] [Laughs]
[David Spark] Or they’re talking behind your back, and you don’t know.
[John C Underwood] Well, I was going to go down one path, and I realized, “Well, no, if they’re complaining then you might be saying no,” and so maybe that didn’t work. I don’t know. Josh, you go ahead. I’ll rethink….
[Crosstalk 00:38:37]
[Joshua Scott] …board and your executive team feel that you’re doing a good job, that’s part of it. That you retain your team over multiple years.
[David Spark] Retaining team is a good sign. And do you ever get sort of feedback from the C suite or the board?
[Joshua Scott] Mm-hmm. Yeah, definitely.
[John C Underwood] Yeah.
[David Spark] And I’m assuming that helps.
[Joshua Scott] Yeah, it’s definitely a contributor to it. But I think it’s just one piece of the puzzle. I think team health, and the team dynamics, and not just your team but your cross functional teams as well.
[David Spark] All right. All right, here we go. From Sarah Fornaldes of Champlain College… A recent graduate over there. I like this question. “What was your first thought when you became a CISO or a security leader?” “I now have this job.” What are you thinking? What’s going through your head?
[Joshua Scott] I was already… I was the lone security engineer who was sort of like the manager, sort of like the director, sort of like the CISO.
[David Spark] You were a security team of one?
[Joshua Scott] So, I was already a team of one, so it didn’t feel… When I got a team formed around me, it didn’t feel any different. It’s like, “All right, I’m already doing all this stuff. Now I just have a manager title or a director title.”
[David Spark] So, you kind of sort of slowly fell into it? It wasn’t a big coronation day or anything?
[Joshua Scott] Yeah. Yeah. No. No.
[John C Underwood] Yeah, so for me, I don’t know when I became a CISO. I actually don’t have the title right now. I’m a VP of information security. I’m a functional CISO for my organization. But I’ve been the security leader at every organization I’ve been at. I was much, much less experienced early on.
A little more experienced now. But I don’t think I ever woke up one day and was like, “Oh, yeah, I’m a CISO now.” I think it just kind of grew.
[David Spark] So, a lot of people just sort of slowly roll into it. Or because this industry is so [Inaudible 00:40:11]… I hear a lot of these, “I was a team of one, so it wasn’t anything.” Were you ever a team of one, a security team of one, John?
[John C Underwood] Oh, yeah. I started off as a security team of one. And then we kind of built out an IT and a security group. Then I left that organization and became a director. I guess the titles came along, but I’ve always been kind of sometimes not knowing what I’m doing but the only one doing what I’m doing in my organization.
[David Spark] All right, last one, from Haral Tsitsivas of Arlo Technologies. “Do CISOs have an expiration date?”
[Laughter]
[David Spark] Are you going to expire anytime, Josh?
[Joshua Scott] I don’t know. That’s a good question. I don’t think it’s 18 to 24 months like many say. I think it really depends on the industry you’re in, and it depends on the CISO. But I spent 13 years at my last company, so I’m not expiring any time soon. Not from work related stuff at least.
[David Spark] Do you think you’re going to expire anytime soon? Oh, just like as a career CISO. That’s also… We’re not talking specific companies but as a career CISO.
[John C Underwood] I don’t think the role is going anywhere any time soon. I think it’ll morph and change over time. But I talk with plenty of CISOs now who are in this position where the role is changing. I mean obviously there’s new regulations. The board is paying more attention to us now. Sometimes a company isn’t paying as much attention to the CISO as the practitioner would like.
But we’re in this growth phase where it’s developing into a real executive, if you want to term it that way. But then I also have CISOs that I’m talking to, and they’re looking for what happens life after CISO. So, are you going to go the VCISO route, or are you going to be a consultant? Or are you going to be a board member?
[David Spark] Well, that’d be a CISO expiration date.
[John C Underwood] So, there’s an evolution. I don’t know if it’s…
[David Spark] It’s a CISO evolution.
[John C Underwood] It’s an evolution.
Closing
41:54.651
[David Spark] All right. Well, that brings us to the very end of the show. Let’s hear it from our audience.
[Applause]
[David Spark] I want a huge thank you to our sponsor, Veza. Remember, Veza, secure your identity access everywhere. And remember, go to their site, veza.com, to deal with all your identity issues. Very interesting stuff. I also want to thank my cohost here, John C. Underwood, who is the VP of information security over at Big5 Sporting Goods, and also Joshua Scott, who is the head of security and IT over at Postman.
I’ll let the two of you have the last word on anything we said today. Also if you’re hiring, please let us know if you’re hiring.
[Joshua Scott] Yeah, it was great to be here. Thanks for having me on. We will be hiring very soon, so stay tuned to the postman.com/careers site.
[David Spark] All right. And?
[John C Underwood] David, I just want to say, it’s my second time on your podcast. I’m already a cohost, so I think there’s a good future here. I’m just saying.
[Laughter]
[David Spark] You’re doing very well, yes.
[John C Underwood] Yeah. No, but thank you for having us. I really appreciate it. This was fun. ISSA, Richard, guys, thank you very much. And ladies. This was a wonderful day. Really appreciate it.
[David Spark] Yes.
[John C Underwood] Big5, unfortunately we are not hiring right now, but I always have feelers out there looking for the next role or the next individual.
[David Spark] All right. And a huge thank you to ISSA LA, Richard Greenburg as well for welcoming us back again for a second time. I greatly, greatly appreciate it. Thank you very much. And thank you to the audience. We greatly appreciate you having us and listening and contributing to the CISO Series Podcast.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our site, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines Week in Review. This show thrives on your input.
Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.