The first reaction to AI tools is often that they will take jobs. But for analysts, they free up time spent on repetitive tasks for the kind of hypothesis-driven threat hunting that would likely slip through the cracks of automation. The promise of time to focus on higher-level work is alluring, but what will that look like for analysts?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Alexandra Landegger, global head of cyber strategy & transformation, RTX.
Huge thanks to our sponsors, Nudge Security, SecurityScorecard, and Vanta.

Get started here: nudgesecurity.com/cisoseries
Vanta’s Trust Management Platform automates key areas of your GRC program—including compliance, internal and third-party risk, and customer trust—and streamlines the way you gather and manage information. And the impact is real: A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
Get started at Vanta.com/ciso.
Full Transcript
Intro
0:00.000
[Voiceover] Biggest mistake I ever made in security. Go!
[Alexandra Landegger] A number of years ago, I was working on a cyber incident, and at the end, we put together this beautiful AAR. And then came my mistake of not checking the system. I assumed everyone was going to get the work done, and a year later, the same incident, same way, happened all over again. The lesson I learned, accountability is everything for cyber.
[Voiceover] It’s time to begin the CISO Series Podcast, recorded in front of a live audience in San Francisco.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. We are live in San Francisco at BSides San Francisco. Let’s hear it, BSides.
[Applause]
[David Spark] A mighty, mighty crowd sounding much larger than they actually are. We appreciate that. Hey, my name’s David Spark. I’m the producer of the CISO Series. And joining me on my far left is my co-host. It is Andy Ellis, who is a partner over at YL Ventures. Let’s hear it for Andy.
[Applause]
[Andy Ellis] [Foreign language 00:01:12].
[David Spark] So, for those of you not initiated, that is Andy speaking what language?
[Andy Ellis] Slovak.
[David Spark] In Slovak, he has chosen a different language for each show to essentially do his greeting where he welcomes you to listen at pretty much any time of the day. Yes?
[Andy Ellis] Yep.
[David Spark] All right.
[Andy Ellis] At least that’s what I tell you it means.
[Alexandra Landegger] I speak Polish and it’s close enough. Close enough.
[David Spark] Really? Okay, good. This happened when we had a guest who spoke Hindi and who actually told Andy it wasn’t too far off. All right. We’re available over at CISOseries.com. And let me just mention our phenomenal sponsors, who you can see right here behind me. SecurityScorecard, Nudge Security, and Vanta. Let’s hear it for all three of them for making this episode possible. Let’s hear it for them.
[Applause]
[David Spark] You’re going to hear all about that. Now, for those of you, again, just listening to this, we are in a movie theater in San Francisco. Our logo, along with the sponsors’ logos, is literally the largest I’ve ever seen them before. Generally, when people are in this theater, they are seeing some big budget Hollywood movie.
[Andy Ellis] The Accountant 2 will be playing here tonight.
[David Spark] The Accountant will be playing here tonight. Okay. We put a lot of work into this graphic behind us of our four logos on the screen. In fact, we got Industrial Light and Magic involved in this project, and I was really impressed at how they pulled it off. So, they did a great job on it. So, kudos to them. I want to thank BSides for making this possible. And I want to introduce our guest, who’s on stage with me, sitting immediately to my left. It is the global head of cyber strategy and transformation for RTX, none other than Alexandra Landegger. Let’s hear it for her.
[Applause]
[Alexandra Landegger] Hello. Happy Sunday. Excited to be here.
Is training the solution to the lack of security talent?
2:59.179
[David Spark] The internet is flush with courses in cybersecurity. Some from educational institutions and many from industry influencers. There are the pitches that come with the attractive lure that graduates of their program will get a lucrative job offer. Too good to be true? Well, until recently, I had never heard of any person who got a job in cyber in that manner, in the sense of no experience in cyber or IT, took a course, and then got a job offer. Now, I wondered, does that really happen? So, I asked the community on LinkedIn, and it turns out it does. Actually, about 15 people said that it happened to them, although a good number of them had IT experience. But it’s clear it’s not common, and people knew of such cases or were one themselves. My question is, and I’m going to start with you, Andy, what would it take for it to be a lot more common, that you could actually get into cyber just taking one of those courses? And really, my question is, can you fast track a career into cybersecurity?
[Andy Ellis] So, I like to think of cyber as less of an entry level role and more of an insertion level role, and I have seen people successful entry level. And usually, it’s programs that a consortium of companies have all bought into. That this program will train people to come in and learn how to work a help desk or IAM operations. “Here’s your entry level role, we’ll teach you just enough to do it, and good luck with that.” These aren’t necessarily the most lucrative careers out there, let’s just be very honest, but they are opportunities for people who desperately need them.
But I think for it to be something more, I think we need to stop thinking of cyber as something special and start thinking of cyber as something adjacent. For almost every career in cyber, there is a non-cyber career field that looks very similar to it. And what we need to start doing is figuring out how we provide training courses for those professionals to move laterally, right? If you want to write a research report, you need a journalist to be part of your research report writing team. But who’s training the journalists, other than the security magazines that we keep hiring them from? But that’s kind of a short and small labor pool. So, that’s how we need to really approach this: how do we take people who have some set of skills and retrain them into cyber?
[David Spark] I like that it is an insertion job, not an entry-level job. So, how do we sell to all these different roles who want to make the switch over to cyber? Alexandra, what’s your take? How do we make this an easier thing to fast track?
[Alexandra Landegger] Yeah, I 100% agree with the idea of adjacent roles. When I was CISO at Collins Aerospace, about a third of my team, we hired about 70 people over a three-year period. A third of those individuals had never worked in cyber, and the adjacency was exactly how we did that. We found a pre-K teacher who could take super complicated topics and distill them down for a five-year-old and their grumpy parents, right? If you can do that, you can train anybody about cybersecurity. How do you find those adjacent skills? And then certainly, if training is a way that you learn, it can help you really come together around that topic and help accelerate once you’ve landed that job.
[David Spark] So, my question is, for an insertion job, so someone who doesn’t have any traditional cybersecurity background, what are the kinds of questions that you would want to ask them to realize, “Oh, yeah, they want to do this, they’re prepared for this,” Andy?
[Andy Ellis] So, I think a big question I often go for is, do you like to break systems? And I don’t mean computer systems. And I’ll give an example since you brought up the pre-K teacher. I’m in Massachusetts and my kids were in a pre-K program when Massachusetts decided that after every meal, the teachers were required to make sure that all children brush their teeth. And they knew that parents would want to opt out. So, they also said teachers were not allowed to tell parents that opt out was a possibility. Because they knew that all the teachers would be like, “Of course I’m going to opt out.” So, what did the teacher do in my classroom? Came and met with me and my wife beforehand to explain this policy to us, and I said…because they knew I would be like, “Well, I can opt my kid out, right?” And she’s like, “Well, yes, and we have forms for that, but we’re not allowed to offer them.” Wink, wink, nudge, nudge. And so, when they then briefed the parents on like back to school night, I asked the question and the teachers like handed it out. That’s a security professional right there. Somebody who when presented with the system said, “How do I beat the system?” That’s what I want to look for.
[David Spark] By the way, I recommend if you’ve not read Bruce Schneier’s book, The Hacker’s Way, it speaks to this at great volume. Same question to you, Alexandra. What would be those questions you’d ask to see if that person’s prepared?
[Alexandra Landegger] What is the last crisis you encountered and how’d you survive?
[David Spark] That’s a good one.
[Alexandra Landegger] Because it doesn’t matter. We all face crises on all sides of our lives, whether it’s I accidentally ran a stop sign earlier today and got pulled over and was late to a meeting. Or maybe it’s my kid is sick and all of a sudden, I’m late for the big meeting at work. Or maybe a hundred different things. If you can survive chaos all around you, that’s ultimately what makes a good cyber professional.
That might not have been the best decision.
8:08.818
[David Spark] If online courses don’t land a job, should you turn to hacking to sell your services? Now that’s what Nicholas Kloster allegedly tried to do at a health club, gaining access to the organization’s IP cameras and fiber router. He pulled this routine at a few organizations and is facing an indictment for his trouble. Now a conversation on the cybersecurity subreddit called this optimistic red teaming, but it speaks to what people can do when they get desperate for a job, even if it will likely blow up in their face. I’m going to start with you, Alexandra, on this one. Have you ever seen other examples of candidates going too far, thinking outside the box to prove their worth? And this could be good or bad. All right? It could be a combination of eagerness and/or desperation. What have you seen?
[Alexandra Landegger] So, absolutely have seen this and some companies entice it through things like a bug bounty program, vulnerability disclosure, etc.
[David Spark] Right. This was definitely not a bug bounty program in this case.
[Alexandra Landegger] And some companies don’t like that.
[David Spark] [Laughter]
[Alexandra Landegger] And so, certainly understanding the business, the industry that you’re in, I think, is a key piece here, but also state by state, laws vary. And so, you can wind up in legal trouble. And if you’re the kind of person that’s willing to wind up in legal trouble, there are very particular types of companies that look for those services, I would say it that way.
[David Spark] Have you worked for any of those types of companies?
[Alexandra Landegger] I worked for Booz Allen, and we did a lot of consulting with different government agencies who happened to do some cyber offense occasionally.
[David Spark] Oh, okay. So, you have some experience with this. All right. Andy, I take it to you. What’s your experience of people being a little too eager?
[Andy Ellis] So, I see people doing an awful lot of stalking and then admitting it.
[David Spark] Okay, in what form does the stalking take place?
[Andy Ellis] So, I get this all the time. I get vendors do most of the stalking, but I’ve had candidates do the same thing, which is they do the research on a person, and then rather than using the research to inform a conversation, they make it the point of the conversation. It would be like if you’re going to go on a date with somebody and you stalk them a little bit and find out that they have a dog. And so, you make sure you’re going to talk about dogs. Okay. Talk about their dog. Not okay. I get in my inbox all the time, people’ll be like, “I saw that so-and-so connected with you about this thing and because of that, you should interact with me.” And I’m like… And at this point now, you’re just using AI to do it. You’re not even doing the legwork yourself. But the number of people that I’ve had go into my background and read a whole bunch of things I wrote and then reference them blatantly. Like, don’t reveal that you did the stalking. I’m okay with the stalking. Just don’t reveal it.
[David Spark] Hold it. There’s a certain level. If you’re going deep into the archive, maybe, and hitting multiple, yes. But if you recently posted something, they go, “Andy, I really like what you wrote about this, this, and this.”
[Andy Ellis] Yep.
[David Spark] That’s cool.
[Andy Ellis] That can be cool. Like, I had somebody reach out to me who’s doing a job search and said, “Hey, I just heard this episode on the CISO Series. I read your first 91-day guide for a CISO. I’d like some advice about this specific thing.” That’s okay because that’s not stalking. I’ve had people pull up a post I wrote 10 years ago that is not one of my popular ones and reference it.
[David Spark] No, but they can research and that will come up in the search.
[Andy Ellis] And reference in a way that was part of a sales call. Not that they wanted to talk about it. They just were referencing it to like drop.
[David Spark] So, I get pitches for the CISO Series all the time, which is great. It’s wonderful. I’m thrilled by the demand. But it always follows the exact same format, “I loved your last episode when so-and-so, and you had Alexandra and Andy. It was wonderful.” Next line, “I just happened to be thinking that the CEO of our company would be a great guest on your show.” Always the same exact format.
[Andy Ellis] Yes.
[David Spark] Always the same format. But let me also throw out that there is one creepy way that used to happen a lot, not so much anymore, which is that LinkedIn lets you know that somebody looked at your profile. I’ve had people say, “Oh, I saw you looked at my profile. What would you like to talk about?”
[Andy Ellis] Oh, yeah, that’s totally creepy.
[David Spark] I’m like, “Yi, yi, yi.”
[Andy Ellis] I mean, that’s like the vendor tactic of, “Somebody at your company went to my website and now you must be interested.” “Okay. And?”
[David Spark] This is why CISOs, correct me if I’m wrong, Alexandra, do you bail when you see a “book a demo” button?
[Alexandra Landegger] Don’t say it too loudly, but very often, yes. [Laughter]
[David Spark] Yes. That’s because you don’t want to be what?
[Alexandra Landegger] I mean, sales pitches aren’t always effective. Seeing something in practice, talking to a CISO peer and hearing, “Hey, I’m working with this vendor on X and here’s the problem they really solved for me.” Those are the companies that I go after and try and understand what they’re doing.
[David Spark] By the way, we hear that story all the time.
[Andy Ellis] I think I want to build a deep fake company, which is like the blind demo. You can click the “book a demo” button and a different deep fake will attend the demo for you, but they have no idea who you are.
[Alexandra Landegger] I love that.
[Andy Ellis] Somebody wants to steal that idea, let me know. I just want like two points.
[Laughter]
Sponsor – Nudge
13:04.299
[David Spark] We have a lot of great sponsors, and I want to talk to you about Nudge Security. So, let me ask you a question. How big is your SaaS attack surface? You can actually find out with Nudge Security. Their patented approach to SaaS discovery finds all SaaS accounts ever created by anyone in your organization and alerts you as new apps are introduced. The best part, you’ll have a full SaaS inventory in minutes, even apps introduced before you deployed Nudge. Now for each SaaS app discovered, you’ll see the list of all users, MFA coverage, SSO enrollment status, breach history, and more. You’ll also have a full inventory of app-to-app, OAuth connections, scopes, and risk scores with the ability to revoke risky grants with just two clicks. Now, Nudge Security also includes playbooks to automate tedious, time-consuming tasks like user access reviews, employee off-boarding, and more. You can actually take control of SaaS security and AI governance with Nudge Security. Why not just start a 14-day free trial? See for yourself. You don’t even have to do the demo. Just go jump in right away. Go to their website. It’s nudgesecurity.com/CISO Series, and please add the CISO series so they know we sent you there. So, nudgesecurity.com/CISO series. Check them out.
It’s time to play “What’s Worse?”
14:39.286
[David Spark] All right. I know that both of you are very familiar with this game, and I’m pretty sure that our audience is very familiar with this game as well. This is how it’s played. We have usually just two bad scenarios. But this actually has three. So, you’re going to rank them worst to best.
[Andy Ellis] Rank ordering, not just picking one.
[David Spark] Not just picking one. What’s the worst? What’s the second worst? What’s the least worst, if you will? And this one, you might actually have to write a note because it’s kind of, you’ll see, it’s a series of different combinations. Is this combination worse than that combination? Worse than that combination? That kind of a thing. All right. It comes from Jay Dance of StubHub. And just to remind you, Alexandra, I’ll make Andy answer first. So, you get to agree or disagree with him…
[Andy Ellis] Agree.
[David Spark] …and give your rationale. I like it when people disagree with Andy.
[Alexandra Landegger] Way less work.
[David Spark] Okay.
[Andy Ellis] That’s the best rationale yet.
[Alexandra Landegger] [Laughter]
[David Spark] All right. Here are the three. I mentioned Jay Dance of StubHub, who gives us phenomenal “What’s Worse?” scenarios. Here you go, here are the three scenarios. Scenario number one. In fact, I can just even show it to you right here. No asset management and no offboarding process.
[Andy Ellis] No asset management and no offboarding process for users or for assets?
[David Spark] I’m going to say users. I’m going to say users.
[Alexandra Landegger] Good clarifier.
[David Spark] No incident response process and no asset management. It’s pretty bad.
[Andy Ellis] Okay.
[David Spark] No offboarding process and no incident response process. So, let me review these again.
[Andy Ellis] So, there’s offboarding, asset management, incident response, and you only get one of the three.
[David Spark] Yeah, essentially, you only get one of the three.
[Andy Ellis] Okay.
[David Spark] So, there you go. No asset management and no offboarding; no incident response and no asset management; and no offboarding and no incident response. Which one is worse?
[Andy Ellis] So, I’m going to go with the best of these. The least bad is going to be that first one, where at least I have incident response.
[David Spark] I know.
[Andy Ellis] Because I’m screwed no matter what. This is one of my soapboxes, is if I have a choice, give me incident response first because I’m going to have lots of problems I need to deal with. And just getting rid of one problem, incident response lets me take care of the rest of them. So, that’s going to be my least bad of these. So, now I’m deciding whether I’d rather have asset management or offboarding. And I think that the challenge here is offboarding is more binary than asset management is. Like either you have offboarding or you don’t. The question is, if I have offboarding but not asset management, clearly, I don’t have comprehensive offboarding. Like, offboarding in my core systems is easy. It’s my things I don’t know about that’s hard. So, I think I’m going to go with not having, let’s see, that having…
[David Spark] No incident response and no asset management.
[Andy Ellis] No incident response and…
[David Spark] No asset management.
[Andy Ellis] No asset management is going to be my worst. My next worst will be the no offboarding and no incident response. And then my least is the no asset management and no offboarding. Which says, in order, I’m going to get I need incident response, then I need asset management, then I need to worry about offboarding.
[David Spark] All right. I throw this to you, Alexandra. Same thing, which you can look right here to your right.
[Alexandra Landegger] Yep. I mean, to me, asset management is the ERP of your environment for digital. It is the backbone of absolutely everything. You can’t do incident response. You can’t do offboarding. You can’t do anything cyber without asset management. That said, first up, I agree with you, always IR first. Asset management, though, if it’s good asset management, I would say that’s actually the most important of all three, but if it’s mediocre asset management, then it’s IR, yeah.
[David Spark] Let’s assume it’s good asset management.
[Alexandra Landegger] Okay. If we’re assuming that it’s good asset management…
[David Spark] Well, now you have either good or nothing.
[Alexandra Landegger] Yeah. Good or nothing, I’ll take good any day of the week. [Laughter]
[David Spark] All right. So, what’s your order here?
[Alexandra Landegger] I would say…
[David Spark] This was his order right here.
[Alexandra Landegger] Yep. So, then I agree that the least bad is no…
[David Spark] Is no incident response and no asset management.
[Alexandra Landegger] So, that’s one.
[David Spark] This was his two, the no offboarding and no incident response.
[Alexandra Landegger] I think no asset…
[David Spark] You think that’s the second least, second worst?
[Alexandra Landegger] I’m annoyed. I now actually agree with you, I think.
[David Spark] Oh, no. Geez.
[Andy Ellis] That’s the best one, I’m going to guess, wants to not agree with me.
[Alexandra Landegger] Dang. I really wanted to disagree.
[David Spark] Oh, yeah. Just…
[Crosstalk 00:18:58]
[David Spark] …here.
[Andy Ellis] I didn’t even do anything.
[David Spark] I’m going to throw this to the audience. I’m going to read them in the order that I read them. So, you’ll determine, by applause, how many think of the three, the worst is no asset management and no offboarding? By applause, how many people?
[Applause]
[David Spark] All right. We’ve got a few, a handful, yeah. Second, no incident response and no asset management, by applause?
[Applause]
[David Spark] We got a few more. We got a few more. All right. The last one, no offboarding process and no incident response. How many people think it’s that?
[Clap]
[David Spark] One.
[Andy Ellis] Sounds like we had agreement.
[David Spark] I appreciate that. So, the audience is a little off of you.
[Alexandra Landegger] A little different.
[Andy Ellis] No.
[David Spark] They chose… And I think where you want to go. No, they’re off you. They chose worst is no incident response process and no asset management. So, agreed with you. But their second worst was no asset management and no offboarding.
[Andy Ellis] No, no, no, no, no. You’re messing up the statistics. The group that picked it as the worst being larger does not mean that that’s the consensus as the second worst pick.
[David Spark] Yes, it does.
[Laughter]
[Andy Ellis] No, it does not.
[David Spark] Yes, it does.
[Andy Ellis] No. You’re making us do rank choice. I need rank choice out of the audience as well.
[David Spark] [Laughter] I’m going with that. So…
[Alexandra Landegger] Yeah.
[David Spark] …you’ve got agreement with Alexandra, slight disagreement from the audience.
What is Dave’s mom talking about?
20:15.436
[David Spark] All right. We played this game last year. It was a hit. So, we’re playing it again, and I just recently interviewed my mother again. So, here we go. I asked my mother to explain some cybersecurity terms. Surprise, my mother is not a cybersecurity professional at all. All right? I said the term and she made her best effort to try to describe it, and there was no other prompting. Now, all of her answers are varying degrees of wrong, with some having an element of being correct. So, this is kind of a reverse logic game here. You all know what these terms mean. Everyone in this room knows what these terms mean. Okay? But my mother does not. So, you have to think, if I’ve never heard this term before, and you were my mother, how would you describe it? Some of you may have mothers who are very savvy. My mother, on the other hand, is not. All right.
[Andy Ellis] I think David’s mother is more savvy than David gives her credit for.
[David Spark] She is savvy, just not in cybersecurity. Okay. So, I’m going to play one clip at a time, and I can repeat them if you need to hear them again. And we’ll start with the two of you. And if you can’t get it, we throw it to the audience. Okay. Here’s the first one. What the heck is my mother describing?
[Dave’s mom] No way are we going to give you internet service.
[Alexandra Landegger] Denial of service?
[David Spark] Bingo. Yes.
[Crosstalk 00:21:32]
[David Spark] Denial of service.
[Alexandra Landegger] Yes.
[David Spark] Very good.
[Alexandra Landegger] Oh, thank goodness. Last time I didn’t get any.
[David Spark] Very proud of you on that. Good job. All right. Here we go. You got it very quick. Jump in as soon as you know it. Here you go, Andy. Here’s the second one.
[Dave’s mom] Making your CV look awfully good.
[Andy Ellis] Making your CD look…
[David Spark] CV.
[Alexandra Landegger] CV, like your resume.
[Andy Ellis] CZ look awfully good.
[David Spark] Come on, you can get this one.
[Andy Ellis] Resume watch? No.
[David Spark] Come on. Think.
[Alexandra Landegger] Lying on your resume?
[David Spark] Okay. Let me just start off. She’s 100% wrong on this one.
[Andy Ellis] Social engineering?
[Alexandra Landegger] Fantastic. Okay.
[David Spark] But listen to what she’s saying.
[Alexandra Landegger] Yeah.
[David Spark] I’m going to play it one more time.
[Dave’s mom] Making your CV look awfully good.
[Andy Ellis] Look awfully good.
[David Spark] Okay. I know you can get this one.
[Andy Ellis] I always feel stupid when they’re revealed. I don’t think I’ve ever gotten one right, just to be very clear.
[Alexandra Landegger] Phishing.
[Andy Ellis] No. I’m going to throw this to the audience.
[Alexandra Landegger] We might have to phone a friend.
[David Spark] Hold on.
[Andy Ellis] AI washing.
[Audience member] CVE?
[David Spark] Not CVE. No. Nobody? Yes?
[Audience member] [Inaudible 00:22:31].
[David Spark] No.
[Andy Ellis] Oh, I like that one though. That’s a good one.
[David Spark] No? Come on. I knew it’s a…
[Audience member] [Inaudible 00:22:37].
[David Spark] No. All right. I have to reveal it. I’m sorry, everyone. It’s credential stuffing.
[Alexandra Landegger] Oh.
[Andy Ellis] Oh, I love that.
[Alexandra Landegger] That’s brilliant.
[Andy Ellis] That’s a brilliant one.
[David Spark] That one…
[Alexandra Landegger] Wow.
[Andy Ellis] This is where I give her credit for being very savvy.
[Alexandra Landegger] Yeah.
[David Spark] Yeah. You should have gotten that one. All right. Here we go. This one, I feel you’re going to get this one. I’m going to let Andy try to get this one first.
[Andy Ellis] Yeah, Andy, who looks bad. So, David, you look bad, I guess.
[David Spark] Here we go.
[Alexandra Landegger] Ding, ding, ding. [Laughter]
[David Spark] Hold on.
[Dave’s mom] The wind comes through a crack.
[Andy Ellis] The wind comes through a crack.
[David Spark] Come on. I know you can do this. Don’t say anything.
[Andy Ellis] Air gap?
[David Spark] There you go! Very good, Andy.
[Andy Ellis] I think that’s my first one ever!
[Applause]
[Alexandra Landegger] [Inaudible 00:23:18].
[Andy Ellis] JJ over there is like, “You should have known this one. Come on.”
[David Spark] All right. I’m very proud of you. All right. This last one is difficult. It is difficult. Here we go. By the way, you can now say you got one right. Congratulations.
[Andy Ellis] I got one right.
[David Spark] All right. There you go. Here we go. Here’s the last one.
[Dave’s mom] Your boss wants something, your co-workers say something else, and you’re stuck.
[David Spark] I will stress this is 100% wrong.
[Alexandra Landegger] Your boss wants something, your co-workers want something else. Cyber security? I don’t know.
[Laughter]
[David Spark] Okay. You’re thinking correct. Can’t stress this enough. It’s 100% wrong.
[Andy Ellis] Your boss wants something, your co-workers want something else. It’s a mismatch. It’s a… I want to say it’s like something with Active Directory, but probably absolutely not.
[David Spark] Hold on. I’m going to go to the audience.
[Andy Ellis] Audience?
[Audience member] Man in the middle.
[David Spark] Man in the middle attack. That is correct.
[Alexandra Landegger] Ah.
[Applause]
[Andy Ellis] Oh, because you’re the man in the middle.
[Alexandra Landegger] Well done, team.
[David Spark] Very proud of our audience here.
[Andy Ellis] I got one, which…
[Alexandra Landegger] We all got one.
[Andy Ellis] …means I’m no longer a zero.
[David Spark] Yeah, so one wrong, and the audience got one, and each guest got one. I’m very proud of everybody here. Good job, everyone.
[Alexandra Landegger] Perfect.
Sponsor – SecurityScorecard
24:28.810
[David Spark] As I told you, I’m going to tell you a lot about our great sponsors here, and SecurityScorecard is also one of our wonderful sponsors. All right. Today, resilience means more than protecting your own environment. It means securing your entire supply chain. Now, SecurityScorecard is leading the way with a supply chain detection and response approach that does more than monitor vendor risk. Their team helps organizations detect, prioritize, and actually remediate threats across their third-party ecosystem. Now, think about it. Seventy percent of breaches start with a supplier. SecurityScorecard gives you the visibility to know where the risks are, and the expert resources to take action before those issues impact your business. Now, it’s not just more data. It’s a managed service that closes the loop with vendors, reduces risk, and helps organizations build a more resilient, breach-resistant supply chain. Now, you can learn more over at securityscorecard.com and start seeing results, not just scores.
Why has this topic suddenly become the center of attention?
25:41.187
[David Spark] So, some of you mistakenly thought one of my mom’s explanations was CVE, but that’s what we’re going to talk about right here. So, it’s easy to dunk on the CVE program, that’s the Common Vulnerabilities and Exposures, but does it fall under Winston Churchill’s wisdom of being the worst system except for all the others we’ve tried? Now, nothing makes you appreciate a partnership like the idea that it could end suddenly, and we experienced that with the CVE program this spring when funding was set to lapse. Now, for a quarter of a century, it’s been one of the most impactful, ongoing public/private partnerships, noted MITRE’s Alec Summers on CyberScoop. Now, we know CVEs aren’t perfect. They lack context for individual organizations. That’s pretty much why, whenever it’s mentioned, and we’ve mentioned them a lot on our show, our guests have consistently dumped on it. But I’m going to challenge you, my guests, to show the CVE program some love. All right, so I’ll start with you, Andy. What is something nice we can say about it, and does it go underappreciated in our industry?
[Andy Ellis] I love the fact that we can just have a very neutral name for a vulnerability, which is the CVE number, and we no longer have to deal quite as much with the crazy, wacky names when trying to distinguish between last week’s Active Directory vulnerability and this week’s Active Directory vulnerability. We can just have numbers that are unique and specific, and that is an amazing amount of value. And if you’re like, “Oh, but Andy, that’s not much.” No, that’s huge. That’s what we need it for.
[David Spark] Just numbering it.
[Andy Ellis] Just the numbering system.
[David Spark] Yeah, we’re getting, I wouldn’t even say a smattering of applause. One person appreciated that.
[Laughter]
[David Spark] All right, Alexandra, I will throw it back to you. What love can you give to the CVE?
[Alexandra Landegger] So, I’ll focus on two things. One, similar to what you just shared, Andy, I think having a common taxonomy to be able to speak about vulnerabilities. So much of what we do as cyber professionals is working with our suppliers, with our customers, making sure that we’re passing on information through things like the ISACs. Having a common taxonomy to talk about these things, a common place to direct people across the organization. Because cyber is a team sport. We do not fix everything ourselves. Being able to direct people to something that’s always there and available for us, until the news the other day. But having that, I think, is huge. The other thing, public/private partnerships are tough to pull off. The fact that this has been around as long as it has, I think, deserves some credit. And there’s a number of players that really have gone above and beyond to make sure that this has continued for such a long time.
[David Spark] If you could fix, I’ll just say, one thing in the CVE program, would you? Andy?
[Andy Ellis] So, I would fix a disconnect I have seen happen, and it’s going to happen more and more frequently, when coordinated disclosure happens and a researcher tells a vendor, and the vendor fixes it before it becomes public. And the vendor says, “Well, I’m not going to report it to MITRE and get a CVE number.” And so, it never gets a CVE number because it was never a publicly known vulnerability that was exploitable. It means that we’re missing a piece out of our taxonomy.
[David Spark] Ah, so it just needs that added, if you will. Good point. Alexandra, what would you like to fix?
[Alexandra Landegger] Everything.
[David Spark] Everything.
[Andy Ellis] Everything.
[Alexandra Landegger] No. Just kidding.
[David Spark] Now, let me just say generally, the dumping that we get on this show is just like when you’re determining your risk, it goes, “Well, don’t just go by the CVSS score.” They dump on that constantly.
[Andy Ellis] Well, we should recognize that CVSS and CVE are different things, even though they share two letters in common.
[David Spark] Yeah.
[Alexandra Landegger] Yeah. Well, and I think organizations need to embrace the fact that we’re going to have to put in a little bit of work to understand the context. It’s just the reality of the way our systems are. And that actually brings me to the point that I would want to fix, which is as the world has become more and more connected, how do we make sure that we understand what these vulnerabilities mean in a product environment versus an IT environment or an OT environment even? So, to me, I think that that sort of ecosystem context is a critical part that I would look at as well.
[Andy Ellis] And if we’re going to talk about CVSS for just a moment, we should recognize that what CVSS gives us is not an accurate scoring system, and that was never really one of its goals. I have the benefit of being the first consumer of CVSS, and its single biggest goal is that we no longer say low, medium, high. Because everybody wants to argue with low, medium, high. When you can say 6.8, everybody’s like, “Well, I’m not smart enough to argue if it’s 6.8 or 6.7.” And you can just move on and get on with actual prioritization.
[David Spark] Well, but the problem is a lot of vendor tools are green, yellow, red.
[Andy Ellis] Well…
[David Spark] So, they already…
[Crosstalk 00:30:29]
[Andy Ellis] …then we end up back in that world.
[Alexandra Landegger] All of our board decks are green, yellow, red.
[Andy Ellis] Green, yellow, red.
[Laughter]
[Andy Ellis] But get out of the vulnerability being green, yellow, red and get to project status there.
Sponsor – Vanta
30:37.644
[David Spark] The third sponsor I want to tell you about is Vanta. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? Now, if you’re thinking there must be something more efficient than spreadsheets, screenshots, and all manual processes, guess what? You’re right. GRC can be so much easier while strengthening your security posture and actually driving revenue for your business. Vanta’s Trust Management Platform automates key areas of your GRC program, including compliance, internal and third-party risk, and customer trust, and streamlines the way you gather and manage information. And the impact is real. Listen to this. A recent IDC analysis found that compliance teams, the ones that are using Vanta, are 129% more productive. So, you get more time and energy to focus on strengthening your security posture and scaling your business. Vanta, GRC – how much easier trust can be. So, you want to see for yourself? You got to go to their website. Go to vanta.com/CISO and learn more. Please add that /CISO so you know that we send you there.
Is AI going to help us or hurt us?
32:11.000
[David Spark] Yes, says Andy. All right. We actually have some questions that are going to hit this a little later in the show but let me ask you this. “An analyst’s work today looks incredibly different than an analyst’s job 10 or 20 years ago.” Agree with this? Yes?
[Andy Ellis] Yeah.
[Alexandra Landegger] Yep.
[David Spark] So, that’s Lesley Carhart of Dragos who argued on their blog that modern analysts should be doing “hypothesis-driven threat hunting for threats that their automation will have challenges in detecting.” Now, when we talk about automation, there’s always the argument that it won’t necessarily eliminate cybersecurity jobs, rather, it will “free up” professionals from mundane tasks and allow them to do more impactful high-level work. So, I’ll start with you, Alexandra. What are those higher-level tasks that are now possible thanks to the fact some are actually deploying automation? And maybe you’ve seen it already.
[Alexandra Landegger] Yes, I absolutely have. I think there’s a lot of potential here to allow people to take on those higher-level tasks. But again, that question is, what are they? So, really, I think a few different points. One, when you’re looking at a SOC analyst specifically, I think computers have gotten very good at detecting a lot of types of threat behavior, but one that has not really been very well solved in a consistent way is when people use legitimate access credentials to be able to then traverse across and get to where they’re going. So, really, having a solid understanding of the system, of the people, where they reside, etc., I think is something that the human brings in that regard. The other big area that I’ve seen a lot of automation really help in is around GRC as well.
[David Spark] Oh, yeah.
[Alexandra Landegger] There’s a lot of compliance things that it just takes time, and the more that we can free people up to come up with more sophisticated programs around risk management or accountability. Like I started at the beginning of the session today, building an issues management platform where we really drive the culture change and that accountability throughout the entire organization. That’s really where I see a lot of potential.
[David Spark] All right. Excellent answers there, Alexandra. Andy, what’s your answer on this?
[Andy Ellis] So, I love Lesley’s framing of the hypothesis-driven threat hunting because one of the things I see people who are using AI sort of sometimes over-rely on is have AI be the source of truth. Say, go collect the data and tell me what happened. And instead, we have this opportunity to send multiple agents and prep them differently and say, “Your job, agent one, is to assume that this is adversarial activity. Explain it to me.” And a second one to say, “Your job is to assume this is normal activity and go look at it and explain it to me.” And then the human can now look at these and sort of hold both truths in their head. It’s really hard for humans to do that and basically impossible for the AI. But like, get the human to now think with the business context and to understand that sometimes the exact same action could be malicious, could also be legitimate, and you have to be able to entertain both of those. Let your AIs get stuck in a rut.
[David Spark] All right, let your AIs get stuck in a rut. Was there anything in AI, because this whole automation thing has been sold for quite some time, and actually, it’s only within the last few years that we’re really seeing it come to fruition. It was initially sold as you’re going to be able to decrease your staff. We all realized that was bunk. But one of the questions that came up – oh God, and I’ll try to find it, I’ll try to quote the person in a second – is that if AI is doing all these low-level tasks, what entry-level positions are left?
[Alexandra Landegger] And building off of that, I think how do you then train people to get to those more advanced levels because they will never have gone through the 101 of cyber that we all built our careers in. And maybe that’s a great thing because that will actually drive different ways of thinking, the same way that kids that grew up with a TI-83 Plus versus kids that had an abacus, very different outcomes. So, it’s really about understanding how different generations learn and what we can do to drive the conversations where we value everyone’s perspective for the fact that it is different, for the fact that it comes from different educational and experiential backgrounds.
[David Spark] Yeah, that was from actually Chris Pedigo of Axonius who asked that very question. What’s your take on this, Andy?
[Andy Ellis] So, I think if we take an incrementalist approach, we just start plugging AI in and giving it the boring work or the automatable work, whatever, that’s the world we’re going to end up in. That we will have nowhere to put in humans. But the reality is we didn’t know how to bring in humans and train them anyway. Let’s not delude ourselves into thinking that the corporate world is good at bringing in entry-level staff and providing them on-the-job training to develop them to be senior staff.
[David Spark] Which, hold it… Wait.
[Alexandra Landegger] Insertion points.
[David Spark] Hold it. I want to do a survey of the audience. That’s a good thing. By applause, how many people, let’s just say any job, have come in a job and they so poorly prepared you on day one? By applause, how many people?
[Applause]
[David Spark] We’ve got a good amount. Yeah, very bad.
[Andy Ellis] So, I think what we need to do is redesign how we build organizations and treat humans as AI herds, right? Your job is you have a bunch of AIs that do work for you. What is the human going to do in that world rather than saying we’re replacing humans with AIs, but you don’t need like one manager for every seven AIs. Like that math doesn’t work out anywhere. So, all the mental models we have for how to do organizational design around humans do not work in a blended organization that contains both AIs and humans.
It’s time for the audience question speed round.
37:48.508
[David Spark] I have here in my hand a bunch of questions from you, the audience, and with the little time that we have left in the show, I’m going to ask as many as I can and get your answers as quickly as possible. All right, here we go. This is from Arkadiy Goykhberg of Branch Financial. And Arkadiy asks, and I love this one, when did you have security theater in your environment and what did you do to get rid of it? Alexandra or Andy?
[Andy Ellis] My favorite security theater is security awareness training where you make people come sit in a room when I first started it or computer-based training. How did I get rid of it? A cron job with a webpage that you click the link that says, “Yep, I came here, I read the three paragraphs, I got trained.”
[David Spark] [Laughter]
[Andy Ellis] Kid you not, 96% compliance with no humans in the loop other than the person showing up and clicking the one page.
[David Spark] All right. Well, there you go. Did you get improved security awareness?
[Andy Ellis] Yes, because I had people who understood that the security team cared about their time and so when we did reach out to them, they gave us their time.
[David Spark] Ah, there you go, I like that. Okay, Alexandra, what’s your security theater story and were you able to eliminate it? That’s a big question.
[Alexandra Landegger] So, acceptable use. I don’t know what your policy looks like, but most companies I’ve seen, it’s a 50-page document and nobody reads it.
[David Spark] Right.
[Alexandra Landegger] So, we have a 50-page policy just like every other company, but the thing that we’ve done in the last couple of years is create a 1-page and a 10-page version that people actually do read regularly because it’s fun, it’s entertaining. It’s not a 50-page policy. So, to me, having a transition there was a big one.
[David Spark] All right. Let’s get a quick answer out of this one because I know you could go on forever, Andy. This comes from Bar Hofesh of Bright Security who asks what would a point product have to present to make you rip and replace? So, you have the product already, a competitive product, it’s working. The competitor would have to show something for you to go, “All right, taking that one out and putting this one in.”
[Andy Ellis] Be able to integrate within one day and provide better results.
[Alexandra Landegger] And work with me to figure out total cost of ownership, not just the licensing, but the people, the support, the long-term full cost to build that business case.
[David Spark] All right, someone who appreciates that. All right, from Supro Ghose, a Fractional CISO, said, “If you’re doing CISO succession planning and you do not have a deputy CISO, what are your options here?”
[Alexandra Landegger] I was CISO and did not have a deputy, so I got permission to go hire one.
[David Spark] That’s one option, I know.
[Alexandra Landegger] That’s the cheating option. But the other thing was becoming close with our head of infrastructure, head of applications, head of AI, and making sure that they had elements of security. So, that way, there were a few other peers that could potentially step in as well. Before then, again, I got to hire the deputy, who now is the CISO.
[David Spark] All right.
[Andy Ellis] You should look at every person on your staff who could potentially become CISO and ask yourself what development they need to become in that position, which might involve lateral movement or organizational realignment. Like move sub teams from one of your VPs to a different one so that they get experience, “Oh, now I’m managing a compliance team when all I’ve ever had was architecture before.”
[Applause]
[David Spark] All right. All right. What is one action CISOs can take in reducing risk that you think most are not doing? This comes from Mohan Kumar of Box. Either one of you. You could be reducing risk if you did this, but you don’t think a lot are doing it.
[Alexandra Landegger] Turn off your cell phone and computer and restart them on a regular basis.
[Applause]
[David Spark] Ah, that is a good one. That is a good one. Andy?
[Andy Ellis] Write your passwords down.
[David Spark] Write them down?
[Andy Ellis] Write your passwords down. How many of you have a legacy plan that if something happens to you, your loved ones are able to get into your accounts and do what needs to be done?
[David Spark] I have that plan. Not everybody does.
[Andy Ellis] I saw a couple of hands go up.
[Alexandra Landegger] A fair number though.
[Crosstalk 00:42:02]
[Andy Ellis] But if you don’t have that plan, that is massive personal risk on your family.
[Audience member] Or us if we’re still alive.
[Andy Ellis] Or you if you’re still alive.
[David Spark] All right. Last question I have for you. Given what you know now, and by the way, there’s a politically correct answer and the not politically correct, I’m assuming. This comes from Ty Sabano of Ursel. Given what you know now, Andy, would you be a CISO again?
[Andy Ellis] Absolutely.
[David Spark] Why?
[Andy Ellis] I made a lot of money doing it.
[Laughter]
[Applause]
[Andy Ellis] I’ll be very honest. And not only did I make a lot of money doing it, I changed the world for the better. How many of you use TLS on a regular basis to secure your interactions with vendors like your banks? I did that for you. You’re welcome.
[David Spark] [Laughter] All right. So, would you do it again?
[Alexandra Landegger] Yes, I would.
[David Spark] For the same answer as Andy?
[Alexandra Landegger] Yeah. Changing the world is a big part.
[David Spark] He also made money.
[Alexandra Landegger] Yeah. Well, money, money, hey, if my boss is listening, a little more always helps.
[Laughter]
[David Spark] But changing the world?
[Alexandra Landegger] Changing the world and rallying a team around an ever-changing mission is just exciting. You’re dealing with threat actors changing. You’re dealing with regulators evolving. You’re dealing with customers, suppliers. You get to integrate as much with the mission of your business as you’d like to, and it’s a lot of fun. A lot of fun.
Closing
43:22.819
[David Spark] Well, that brings us to the very end of the show. Let’s hear it for my guests on stage.
[Applause]
[David Spark] Alexandra Landegger of RTX; Andy Ellis, my co-host with YL Ventures. And let’s hear it for our three sponsors. We had Vanta, SecurityScorecard and Nudge Security. Let’s hear it for all three of them.
[Applause]
[David Spark] I want to thank you, our audience. I want to thank BSides as well. We greatly appreciate. I mean, you coming here in the crowd, and also everyone listening to this as well, we greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.