Aww, Your Cybersecurity Concerns Are So Adorable (LIVE in La Jolla)

Dismissed by boards

CISOs face a tough task. They must manage risk, but surveys show they feel increasing pressure to downplay those risks to the board. So, how does a CISO do their job without getting dismissed as a buzzkill?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Gary Hayslip, CISO, SoftBank Investment Advisors. Joining us is Keith McCartney, VP, Security and IT, DNAnexus.

This episode was recorded in front of a live audience at the Planet Cyber Sec show in La Jolla, California hosted by Layer 8 Masters.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Entro

Reclaim control of your non-human identities with Entro Security! Our platform securely manages non-human identities and secrets throughout their lifecycle. Detect and prevent unusual activity before it becomes a threat. Trust Entro to safeguard your non-human identities in today’s complex digital ecosystem.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice I ever got in security. Go!

[Keith McCartney] Gosh, it had to be skipping out on empathy. We had a big project, we needed IT support to get a vulnerability management client rolled out. They had to do their own server hardening. We thought this was great, do both of them at once. They did not agree. Wish I would have put myself in their shoes.

[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience in San Diego.

[Applause]

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, and we are recording live in, as you heard, San Diego, specifically La Jolla, which for those of us out here, we know that that is part of San Diego. I’m the producer of the CISO Series. Joining me as my guest co-host is the man sitting to my left, Gary Hayslip, the CISO of SoftBank Investment Advisors.

Let’s hear it for Gary.

[Applause]

[David Spark] We are available at CISOseries.com, and our sponsor for today’s episode is Entro, non-human identity and secrets security platform. Thank you, Entro, for sponsoring. We are actually at the Planet Cyber Sec Conference. Not the first time we’ve done this, we’ve been invited back before. I’m going to actually ask you a question, not related to this, but Gary, you have been pitched by a few vendors in your past, yes?

[Gary Hayslip] Yes.

[David Spark] Okay. Are you the person that actually reviews products?

[Gary Hayslip] Yep.

[David Spark] You do? You do actually review the products yourself?

[Gary Hayslip] Yeah.

[David Spark] You don’t have like staff members doing that?

[Gary Hayslip] Well, I mean, we do it together.

[David Spark] Oh, you do it together? Okay. So, do you see something and then you hand it off to a staff member, or a staff member brings it to you, or probably both ways?

[Gary Hayslip] Honestly, both ways. Normally, I see something, I want their input because traditionally, they’ll be doing more work with it than I probably will be. And they’ll know from a practitioner point of view, from an operations point of view, some extra things that we might want to be concerned about, but we usually do it together as a team.

[David Spark] The reason I’m asking this because I ran into somebody at a vendor, not security vendor, but a vendor that we use, and they never pitched me, they actually pitched someone who works with me, and he made a really good argument for the product. By the way, it was very affordable, so it was not difficult to say yes to it.

But it just made me realize, like, if they had come to me, it would have been a useless effort, completely. So, I’m interested, what are some of sort of the arguments that your staff makes that says we really need this in our environment?

[Gary Hayslip] Typically, when my staff and I are looking at something, I just don’t buy things. Usually, there’s a problem that we’ve got that we’re trying to fix. If we’re going to be replacing something, it’s a like for like.

[David Spark] Okay.

[Gary Hayslip] So, basically going to put in a technology that’s going to improve the current security we have and maybe offer new services as well. And then another thing we look at too, is how easy is it for my staff to be able to do things with it? The reporting, the visibility, the automation piece as well.

If it’s going to be integrating with other things in the stack, is that data transfer or that data inference between the various pieces in the stack, does that do very well?

[David Spark] Okay, so actually, you have a very sort of elaborate vending process.

[Gary Hayslip] Yeah. Right.

[David Spark] I just wanted to get a little feedback. All right, let’s bring in our guest. He’s been very quiet until now, but you heard him at the very beginning of the show. To our far left, joining us for today’s episode is the VP of Security and IT over at DNAnexus, Keith McCartney. Let’s hear it for him.

[Applause]

[Keith McCartney] Thank you. Glad to be here.

I tell ya, CISOs get no respect.

3:46.883

[David Spark] How do CISOs close their credibility gap with the business? It’s not their technical acumen, but the Cassandra that’s always warning of cyber doom. Now, this is a well-documented issue, and a recent Trend Micro study found that 79% of CISO respondents felt boardroom pressure to downplay cyber risks.

Now, the reasons for this pressure were pretty easily split between being perceived as nagging, overly negative, and just being dismissed out of hand by the board. That’s definitely a rap a CISO wants to avoid. So, I’ll start with you, Gary, on here. What’s a better approach, or maybe that is a good approach, I don’t know, your take, maybe a compliment sandwich to get cyber risk concerns across?

What do you think? And do you fear this, or maybe in your past you feared this?

[Gary Hayslip] Well, I mean, in my past, yeah, but I mean, I look at myself as a business executive, and I use technology and people and process and frameworks to manage risk. So, when I go and I talk to a board, and I also serve on boards, and I advise boards, the whole doom and gloom thing, that’s one small piece.

When I’m there, it’s, “This is the funding that we have, the projects that we have ongoing. This is how we are supporting the business. This is the current efforts that we are integrated with with other departments.” I am a business executive that’s talking about how we’re supporting the business, and the doom or the risk piece is a small piece of it.

If you go before the board, and you got five minutes to talk to them, and all you talk about is the sky is falling, you’re doing it wrong because you’re not going to be invited back. Board members know…

[David Spark] Hold it. Is that the key? What do I say to get invited back?

[Gary Hayslip] Well, it’s not so much what you say to be invited back as what you say that’s pertinent to the business that makes sense.

[David Spark] So, they get kind of excited about what you’re saying, “Oh, this is really relevant to what we’re doing right now.”

[Gary Hayslip] Yeah. And so what I go ahead and do is, okay, I’m supporting compliance, and I’m supporting legal, and I’m working with certain projects. And yes, I’m reducing risk. And yes, we are concerned about attacks on our portfolio companies, and we’re concerned about… So, what I do is, I talk about how we’re doing that support, and how we’re helping the business move forward and be innovative.

And then at the same time, I also talk about the risks that we are reducing. So, I’m getting it across that we are dealing with these risks, and we are dealing with attacks, but you want to go ahead and kind of sandwich that in with what you’re doing for the business and how you are supporting the business because that’s what they want to hear.

[David Spark] All right, Keith, I throw this to you. Agree, disagree, and do you have this fear that you’re coming off as a Chicken Little/Cassandra/sky is falling issue?

[Keith McCartney] Yeah, absolutely. I think one of the important things to keep in mind is that these folks are not just there to talk about cyber risk, they’re there to talk about every risk that the business faces. And so if you know the context, if you’ve done your homework, and you know the risks that the board is going to be considering or that the company faces, then you can offer your assessment of the cyber risk in context of those other problems and challenges that your business is facing.

[David Spark] And by the way, Gary elaborated very much. Are there certain techniques that you have learned over time? Maybe I made this mistake before, but now I handle it like this? Because I can’t imagine you were out of the gate doing this right. So, maybe give an example of, “I used to do it this way. Now I do it this way.”

[Keith McCartney] Yeah, I think you’ve got to really listen to your board members, you got to listen to the questions that they’re asking and adjust your approach to fit the information that they need. It is important to talk about your program, but they’re not going to be concerned about the nitty gritty details of operations, right?

They’re looking at the big picture. What is it that you’re doing to help the business go out and sell more? What is it that you’re doing to help the business be more effective operationally? Changing the timeframe it takes to get a new acquisition integrated, changing the timeframe it takes to get new employees up and running?

All of these things are helpful when you think about the revenue targets that the business is facing.

[Gary Hayslip] One of the things that I’ve learned over my six roles as a CISO is that each time you kind of get better because you get smacked. And you learn when you talk with boards is that it helps having a mentor, someone that’s either a board member or someone that regularly reports to the board, and they look at your slides ahead of time.

They look at your presentation ahead of time, and they’ll tell you, they’ll start throwing stuff out, “You got five minutes. Why you got 35 slides here? Are you stupid?”

[David Spark] [Laughter]

[Gary Hayslip] And you start going through stuff and everything and, “Okay, we got to get it down to two slides. This is what they’re going to be interested in.” And you want that type of mentor because you want to know the personalities that you’re going to be talking to. You want to establish a relationship.

You want them to be able to trust you that you can speak about risk and talk about my program is 35 million on the budget line, and this is what we’re spending it for, and I need that 35 million, and oh, by the way, I need another 10% increase, but you need to be able to speak to that. And so you want a mentor, you want someone that’s going to be able to help you before you go in, so you can effectively tell your story.

And that’s one of the biggest things I’ve learned is it’s about storytelling, helping them relate to what you’re discussing and why it’s important to them and important to the business.

As a CISO, what do you think about this?

9:07.403

[David Spark] What do we mean when we talk about security engineering? A post on the cybersecurity subreddit argued the definition can vary between industries. Now, one respondent defined it as either an architect role where you do the technical designs and review of designs or “a programmer that implements the designs.” Others defined it as a system admin of security tools, a function of evaluating, implementing, configuring, and maintaining a security platform, or an information system security manager/officer for hire.

So, I’ll start with you, Keith. Is the role of security engineering really that varied? And what do we need to do to clarify it so we understand the role and its value, especially for hiring?

[Keith McCartney] Yeah, I think it is that varied. Engineering, in my mind, is solving problems, right?

[David Spark] Good way to put it.

[Keith McCartney] And the problems that we face as security practitioners are pretty varied. I think about it, there is this discussion about is it a technical role or is it not a technical role, and I think if you’re in the technology function of an organization or there’s a technology component to your business, which is pretty much every business these days, you’re going to be solving a technology problem.

And if you do that through configuration of a system, pushing a policy, or through writing code, that is solving the problem, right? It doesn’t mean that necessarily every person with a security engineer title is going to be writing code, but it should be something that they’re not scared of. It should be something that they’re familiar with.

[David Spark] Gary, what do you think about the role? Have you struggled with this? And I’m sure you’ve seen job listings for security engineers are all over the map.

[Gary Hayslip] Oh, yeah. Same thing. I do believe it varies for each company because when you really look at it from a security standpoint, from a management of risk and everything that you’re doing as a CISO and your security team, each company has unique issues – whether you’re regulated, whether you’re not, the different technologies you use in the different projects and stuff that you’re doing, you’re operating in different countries.

And so your security program is going to reflect what the business currently needs. And so engineering, I think there’s some core things that all security engineers have and know, like you know firewalls, you know IDP. These are things that you know. That’s about 60% of the job. The other 40% is things that are going to be unique for each time for each business that you’re at.

And then the more senior you get, as you build your teams, and you’re a team member, and then a team leader, and then a manager, and then you start working yourself up to CISO, then you start bringing in the soft skills as well. I mean, it changes, and it’s going to reflect the business.

[David Spark] So, what I’m hearing, I’m kind of hearing two things. The role evolves over time.

[Gary Hayslip] Yep.

[David Spark] And two, and correct me if I’m wrong here, the role would also change depending on the environment you’re in.

[Gary Hayslip] Mm-hmm.

[David Spark] And has the – well, you’re the same person, Gary – but has the role changed in different environments you’ve been in?

[Gary Hayslip] Oh, yeah.

[David Spark] Oh, it has? Okay.

[Gary Hayslip] It’s basically the needs of the business, and you’ll see the business shift. Where at SoftBank, we were on-prem, and in 2019, we made the decision to totally gut all of the infrastructure and go 100% SaaS. That’s a bunch of different skill sets that you’re going to start recruiting for now because you’re in a full cloud environment.

[Keith McCartney] One of the things I think about too, is your security engineers are advisors to other folks in your business. So, they’ve got to be able to peer with those folks, and they’ve got to understand what their roles are too, right? So, if they’re peering with somebody and helping with a marketing website development, they’ve got to know a thing or two about how websites are run.

Same thing if they’re peering with software engineers, they got to understand how software is built. That’s their job.

Sponsor – Entro

12:53.362

[Voiceover] Who’s our sponsor this week?

[David Spark] It is Entro and let me tell you about them. So, as non-human identities, such as applications, APIs, and devices continue to expand, we know that’s happening, their associated risks and related exposures expand with them. That’s kind of true with all tech. So, this is why Entro Security created a unique and powerful feature – Non-Human Identity Detection and Response, or NHIDR for short.

So, Entro’s NHIDR capabilities identify potential threats by monitoring behaviors to illuminate unusual usage patterns and unauthorized interactions. Now that means that if an NHI, non-human identity, acts outside of its normal parameters, like accessing data unexpectedly or interacting with systems it shouldn’t, NHIDR catches it in real time.

So, Non-Human Identity Detection and Response doesn’t just stop at detection. It actively mitigates these risks before they can cause damage. In a world where a single compromised NHI can bring down an entire organization, having Non-Human Identity Detection and Response in place gives your organization the edge it needs to stay secure.

So, stay ahead of the curve with Entro Security and their advanced detection and response solutions. For more, just go to their website, it’s entro.security.

It’s time to play “What’s Worse?”

14:25.736

[David Spark] All right, we all know. For those who have heard the show before, you know this game. This game has been around since the beginning we started this show. We get wonderful “What’s Worse?” scenarios from our audience, and by the way, we’re always looking for more, so please send them in.

And essentially, it’s a risk management game, something security professionals deal with. And we have a great couple of scenarios from John Hayden with Trend Micro, and here it is, Gary, you’re going to answer first, and here we go. Scenario number one, your company gets fined for $10 million by the SEC for not being transparent for a breach, or your company’s CISO goes to jail for 24 months for not being transparent in a breach.

What’s worse?

[Gary Hayslip] Oh, I don’t want to go to jail.

[David Spark] I know, I know, I know. Okay, so I know that you don’t want to go to jail. Let’s just think about the overall business. What would be worse? Yeah, if you’re talking about yourself personally, I could see that that second scenario for sure would be worse.

[Gary Hayslip] Okay.

[David Spark] All right.

[Gary Hayslip] So, I’m not going to jail.

[David Spark] You, Gary, are not going to jail.

[Gary Hayslip] Okay, cool.

[David Spark] Okay. But you’re thinking about the business.

[Gary Hayslip] Okay, the business would be the $10 million fine.

[David Spark] That’s far worse?

[Gary Hayslip] Yeah because it’s basically the damage to the brand and the company and everything else, it’d be the fine.

[David Spark] So, it’s worse if it’s you, for sure. That is for sure. I mean, that’s obvious. It’s always worse. But if Gary Hayslip is out of the equation here because I don’t say Gary here, then it’s far worse than 10 million bucks.

[Gary Hayslip] Well, you’re not really telling me why the CISO is going.

[David Spark] Well, because he’s not being transparent in a breach. We’re just leaving it at that.

[Gary Hayslip] Okay. All right. So, I would say the company getting the $10 million fine would be worse if I was thinking about the company.

[David Spark] Yes. Well, we’re trying to be thinking about the company. But if you’re being selfish…?

[Gary Hayslip] If I’m being selfish, I’m not going to jail.

[David Spark] Exactly. All right.

[Laughter]

[David Spark] All right, Keith, I throw this to you.

[Keith McCartney] Yeah, I got kids, man.

[Laughter]

[Keith McCartney] No, I agree with Gary on this one.

[David Spark] A hundred percent.

[Keith McCartney] Yeah.

[David Spark] So, again, if it’s you specifically, it’s worse. So, you don’t think, because yeah, $10 million is bad, but I don’t know, does the brand damage of your CISO going to jail for 24 months, could that be worse than $10 million?

[Gary Hayslip] Depends.

[David Spark] All right, let’s hear. What’s the depends?

[Gary Hayslip] The thing about it is that the CISO is going to jail because they were not transparent about a breach. Okay?

[David Spark] Mm-hmm.

[Gary Hayslip] All of us CISOs that have been in, I’ve dealt with multiple incidents, usually the issue is, it isn’t that we’re not being transparent. It’s the fact that we’re being transparent as can be, and the company’s not listening to us. That’s typically the problem. If they’re not being transparent, that means they’re hiding things from the company.

So, I mean, it’s kind of like they’re at fault. They put themselves in this issue where they’re going to prison for two years…

[David Spark] Very good point.

[Gary Hayslip] …because they’ve been caught about the fact that they hid some facts, and they put the company in trouble…

[David Spark] To cover their own butt.

[Gary Hayslip] …to cover their own butt.

[David Spark] Okay. Which could speak to the culture at the company possibly.

[Gary Hayslip] Yeah. And it could be.

[David Spark] And that could be very brand damaging conceivably.

[Gary Hayslip] Yeah. Because, you know, cultures tend to run over CISOs quite a lot.

[David Spark] [Laughter] Okay. All right. I’m throwing this one to you, Keith, to get it back again. Do you think it could be that 24 months could be more damaging than $10 million?

[Keith McCartney] I think it’s the same conversation that Gary just highlighted, is what is the cultural problem that caused this issue, either the fine or the jail time? What didn’t work properly in breach identification and notification?

[David Spark] Very good point. All right. I throw this to the audience. By applause, how many people think it’s far worse that the company gets fined $10 million? And again, I’m taking out of the equation that anyone in here would be going to jail because I know that’s the selfish response. So, $10 million, is that the worst scenario?

By applause.

[Applause]

[David Spark] That’s a good amount. And by applause, how many people think it is the CISO going to jail is far worse?

[Applause]

[David Spark] That is pretty evenly split, I must say. I’m kind of shocked by that.

It’s time to play Fantasy CISO.

18:36.543

[David Spark] All right. We have yet to play this game on this podcast and there’s a heavy visual aspect to it. So, apologies to the listeners right here, but we’re trying to spell this out as much as possible. So, I need you guys to turn around, bring kind of the mics with you as you turn around. So, Keith is our guest.

I’m going to have Keith go first here. Essentially, these are your controls. You get to pick your team from these controls, Keith, and essentially each go one by one, and Dutch here is going to be helping us with selecting them. So, your first control, which one do you want from this list here?

[Keith McCartney] I think I’ll go with incident response management.

[David Spark] Okay. Incident response management goes to Keith. Gary, which one do you want?

[Gary Hayslip] So, I mean, if he gets one…

[David Spark] It’s crossed out, yeah. You see? You can’t select it. Like picking players for a team. You both can’t have the same player, Gary.

[Gary Hayslip] Dude, this sucks.

[Laughter]

[David Spark] You’re going to see how this game plays out.

[Gary Hayslip] I really don’t like this. Where is identity on here?

[David Spark] Identity? I guess we didn’t even put it on. There we go.

[Gary Hayslip] So, we have no 2FA on here.

[Keith McCartney] You got access control there.

[David Spark] There was access control.

[Gary Hayslip] I’ll do access control.

[David Spark] There you go. Access control management. There you go. We have it. All right. That goes to Gary. All right. Go ahead. Pick, Keith.

[Keith McCartney] All right. I’m between asset management and data recovery. Is there any “poll the audience” here?

[David Spark] You can. You want to poll the audience? Go ahead. Go ahead, poll the audience. By applause, how many people think he should pick asset discovery? No one. Just go for EDR, I guess.

[Keith McCartney] All right. Let’s go with data recovery.

[David Spark] Oh, data recovery. I’m sorry. You wanted data recovery?

[Keith McCartney] Data recovery. Let’s go with that one.

[David Spark] All right. Didn’t even respond. I wasn’t even going to poll them on the other one.

[Keith McCartney] [Laughter]

[David Spark] All right. Gary, pick the next one.

[Gary Hayslip] I’ll do EDR.

[David Spark] EDR? Okay. And then, Keith?

[Keith McCartney] I’ll do… Yeah, this is tough. Let’s go with application software security.

[David Spark] Okay. Application software security. He’s got application software security. Gary, we got five left.

[Gary Hayslip] Controlled use of admin.

[David Spark] All right. There you go. That’s somewhere on the identity level, sort of. All right. Keith?

[Keith McCartney] Asset management. Go back to that one.

[David Spark] All right. All right. Gary, three left.

[Gary Hayslip] I’ll do email and web browser protections.

[David Spark] All right. Two left. Keith?

[Keith McCartney] I will go for security awareness.

[David Spark] Security awareness, Keith. And Gary, you get penetration testing.

[Gary Hayslip] Pen testing and red teams.

[David Spark] All right. Now, let’s go to the summary page. That’s the second tab where it says attack. All right. So, just quickly before we reveal the attack, Keith has asset management, data recovery capabilities, implement security awareness and skills training program, application software security, and incident response management.

Gary has EDR, access control management, controlled use of admin privileges, pentesting, and email and web browser protections. All right. What’s going to happen is there’s going to be a random attack, and then Keith and Gary are going to each argue why they are better situated to handle this attack than the other, and you, the audience, will vote.

All right. Reveal the attack. What do we have? Your cloud-hosted logging platform has been compromised. All right. Gary, I will have you go first. Why are you better situated to handle this attack?

[Gary Hayslip] Well, let’s see. All right. So, we’re managing access control. We’re managing admin privileges. We got endpoint detection on there. I mean, I’m used to running my EDR solutions inside my cloud environments.

[David Spark] All right. Keith, why do you think you’re better situated?

[Keith McCartney] I’ve got incident response management.

[David Spark] All right. There you go.

[Laughter]

[David Spark] He leaves it. He just leaves it there. He just leaves it. No more needs to be said, Keith.

[Laughter]

[Keith McCartney] I was really excited about that. That was my top, top pick.

[David Spark] All right. We’re going to throw this to the audience now. Audience, by applause, how many people think Gary is going to win here with his team of controls? By applause.

[Applause]

[David Spark] There’s about four people who are applauding for you, Gary. And Keith, how many people think Keith is going to win?

[Applause]

[David Spark] All right. Keith wins. Good job, guys.

Red Alert! All CISOs on deck!

22:58.235

[David Spark] “Imagine a house where the drywall, flooring, fireplace, and light fixtures are all made by companies that need continuous access and whose failures would cause the house to collapse. You’d never set foot in such a structure, yet that’s how software systems are built.” Now, that’s how Bruce Schneier talked about the market-driven brittleness shown in the CrowdStrike outage.

He argued the push for short-term profitability leads to situations where everyone runs as leanly and quickly as possible with little redundancy. Now, we need “infrastructure to mimic nature in the way things fail.” Now, he pointed to Netflix’s Chaos Monkey tool, we all do this, actually, as an example of something whose purpose is to build resiliency.

Can this kind of deliberate breaking of infrastructure, can this be done at scale? Can we kind of build resiliency to scale? Kind of looking at the Chaos Monkey example, which is used within a very closed environment. And then what could be an area where we’re going to have a point of failure? I mean, you don’t have to call anyone out by name, but we’re happy to listen if you want to.

[Gary Hayslip] No, I don’t think you can do it by scale.

[David Spark] Okay. Simple as that, we’re wrapping up this segment? [Laughter]

[Gary Hayslip] Well, the thing with this is that you’re not breaking what’s causing it, and the fact that there’s a whole thing about infinite games and finite games.

[David Spark] Right.

[Gary Hayslip] Cybersecurity as a community, as an industry, is a finite game. We’re stone crazy if we think we’re going to be a winner because this thing never ends. The threats, the things that we’re dealing with never ends. That drives profitability. That drives getting the product out there as soon as we can.

That drives this whole market thing that’s what Bruce is talking about here. Where you, if you’re dealing with an infinite game, it’s you’re in the game to play the game, you’re not in the game to win, which means that you’re in the game to be there for long term.

[Keith McCartney] Resilience.

[David Spark] Right. And by the way, there’s a great book, The Infinite Game by Simon Sinek, that speaks of that, that the winning of the game is the continuing to be able to play the game.

[Gary Hayslip] Is to be able to continue playing. So, if we take out the point where the issue’s what Bruce is talking about, where we’re just hurrying to go ahead and get the market to go ahead and make this quarter’s numbers to make money. And instead, we’re looking at the fact that we want to produce something that’s going to be around for a long time and that’s good for the community, that’s good for our customers, and that it’s going to be resilient.

It’s going to be able to take attacks. That is honestly what we should be talking about. I mean, I get what he’s talking about, about the Chaos Monkey piece and that you’re constantly breaking, and you want to build resilience that way. I’m like, “We shouldn’t be breaking. It shouldn’t be that way.” Just looking at it from a different point of view.

[David Spark] All right. Okay. I mean, the thing is, the value of breaking is that hopefully we won’t have another incident like the CrowdStrike incident.

[Gary Hayslip] Well, you’ll know where it’s going to break ahead of time.

[David Spark] Yeah. So, you could build resiliency at that point. I mean, I think that’s kind of a basic point in cybersecurity. But I’m going to throw this to you, Keith. What say you? Can it be done at scale? Where could be a possible breaking point? How do we learn about the next breaking point so we can build resiliency?

[Keith McCartney] I think testing everything, like literally everything at scale is going to be a very challenging problem. I do think that there’s parallels though with what we do already when we build software, when we design systems and architect them. We do a threat model. We look at how can this thing go wrong, how can we have problems?

And I think resiliency or availability, if you want to use that word, is something that we look at, and I think that that’s something that we can continue to do and do more often. But I don’t know that we can do it across everything at one time. I think it’s going to remain in the component level. So, when you’re looking at pieces of a system, or you’re looking at a third party and your dependency on that third party, you’re going to do the assessment there.

It’s funny, the point on Chaos Monkey because Netflix actually has a Chaos Kong. So, rather than a component failure, it simulates a regional failure, and they also have something that they’ve called the Chaos Platform, where you can do further automation. But I think with those things, you start to run into this problem where not every component that we have needs to be multi-region, multi-cloud, fully available, fully redundant.

It’s just a cost problem at that point. So, we still have to make decisions on where we want to spend our limited investment to add the resiliency in.

What about this AI security challenge?

27:36.032

[David Spark] CISOs love a good framework. They are a critical tool to help push compliance conversations forward as organizations attempt to manage risk. But when it comes to AI, what are our framework options? Actually, we heard a little from Dutch Schwartz about this very thing today. So, Sita Lakshmi Sangameswaran posted a good roundup of the existing AI frameworks showing which ones are designed for CISOs, like the NIST AI RMF, and which are more developer focused, like MITRE ATLAS.

So, I’ll start with you, Keith, on this. What makes an AI framework so unique? Have you found an AI framework that works for your organization? Or does it feel like we’re going to have to start from scratch?

[Keith McCartney] Yeah, this is a really great question, and we have had some very good conversations on this today. I think the frameworks are tending to approach the problem at two different ends. So, they’re looking, one, at the governance side, of like how do organizations identify and control this risk?

And then some of the other frameworks, MITRE is a great example, OWASP is a great example, approach from a very technical level of what do your practitioners need to do? What do they need to consider when they’re building systems that include these AI components? So, I’m really hoping we don’t need another framework.

[Laughter]

[Keith McCartney] I think that’s a problem that we find ourselves in. We’ve got plenty of them already. I think it’s just a matter of looking at the framework for the problem that you’re trying to solve. Are you trying to solve this organization wide, or are you trying to solve this for the threats that a specific system will face?

[David Spark] Gary, your thoughts?

[Gary Hayslip] Yeah, I do recommend his article that he posted up on Medium for anybody that wants to read it. It’s actually really good. I was amazed at the list of stuff that’s out there dealing with this right now, and it’s very fast moving and changing. I’m used to using frameworks. We’re heavily into GenAI where I work as well.

Thank God I don’t have a developer team that’s doing this, so I don’t have to deal with that side of the house. What I find interesting though, is that many of the security startups that are starting to pop up now that are doing things around AI security are now offering the operation side and the dev side, depending on which side you want to use.

And that’s the question I’ve been asking them now as they’re developing this is, which framework are you using as you develop this tool or you develop this platform and you’re bringing it to market? And many of them will talk about NIST or they’ll talk about MITRE, but as you were just stating, Keith, they tend to be for specific things.

They’re not really for everything, and I don’t think there’s really anything for everything yet. It just depends on the use case of what you’re doing.

If you are an organization, a company that’s selling a product, and the product happens to have some type of AI capabilities or you’re using LLMs, then you’ll use a specific framework that they’re developing now that tends to be more towards dev. If you’re a CISO, you may want to be familiar with that because if you are tasked with AppSec and product security, you want to be able to look at it, but really you’re going to be more concerned about operations and the governance piece.

Where’s all the little GenAI tools that are popping up? Where’s the data leakage that’s happening? Are we doing this correctly? Are we training our staff correctly for prompt engineering and making sure they’re using the correct tools? And that’s a totally different framework that’s being developed.

Again, it’s going to be up to the business.

[David Spark] Let me ask a question. Is there anything that’s unique with AI that frameworks are not covering? Or is it just, hey, this is just another new technology, it’s not the first time we’ve had to deal with a new technology?

[Gary Hayslip] I was actually, I was asked that at another conference a couple of weeks ago, and to me, cyber is cyber. We still have issues that we still got to manage. People are still going to be stupid with technology. AI is something new. It accelerates extremely fast. I mean, the rate of change has just been amazing.

But when you really look at it, it’s the use of data with new technologies and you’ve got to be able to understand the controls that you typically have around data and then look at it at scale and look at how fast it’s moving with these new technologies. And so in many ways, the controls and the stuff that you’re trying to do are still the same, but it’s just it’s a new technology.

It’s a new approach. So, you’ve got to learn that to understand the risk that you’re still trying to manage. And so I try to tell people cyber’s still cyber. The risks are still there that we still got to manage, but this is a new technology that you’re dealing with and you can’t be scared of it. You’ve got to get involved and actually use it, work with it, break it, and then help your team be comfortable with it as well.

So, then you can then understand the risk.

[David Spark] Keith, anything to add?

[Keith McCartney] Yeah, I think there’s one thing about AI that might be a little bit unique, and that’s the over-reliance issue, and that is not necessarily an obvious issue for the people that are developing and using and designing these systems. So, that’s one that we got to think about.

[Gary Hayslip] Yep.

It’s time for the audience question speed round.

32:39.155

[David Spark] I have in my hand here a handful of questions from our audience, these people out here. And we got a good amount of time, I think we can get through all of them, just a few right here. So, I want to get your feedback on these. From Emily O’Carroll at GuidePoint Security, want your thoughts.

I’ll start with you, Gary. For those entering the field now, so those green or switching careers, what are the top three, and I want you to say top three growing roles you believe in cyber that would be a good entry point.

[Gary Hayslip] Actually, we did this whole thing about people that are entering, and if they’re green and they’re starting. I don’t tell them to come into cyber. I tell them to go into networks. I say learn cloud, learn Python, get familiar with AI tools, learn networks, basically come in on the IT side and then pivot.

[David Spark] All right. What’s your…

[Keith McCartney] One hundred percent agree with that. I think find an organization and an industry that you’re passionate about, find a role where you can do support for technology, support for networks, development, and then help your security team.

[David Spark] All right. Good advice. All right. Hope someone green is listening and adhering to that. All right. From Haral Tsitsivas from Arlo, now we’re going to compare this to a year ago. What do you think the stress level of a CISO is today as compared to a year ago? Higher, lower? What’s unique?

Keith, you first.

[Keith McCartney] I think the individual stressors have changed, particularly with LLMs and AI, but I think overall the stress level is probably about the same. Probably about the same.

[David Spark] Hold it. That was one thing going up and another thing going down, so that’s why it’s equal?

[Keith McCartney] Yeah. [Laughter]

[David Spark] Okay. What? What do you think’s going up? What’s coming down?

[Keith McCartney] Like the focus on AI is…

[David Spark] Bringing it up.

[Keith McCartney] …bringing it up. And I think the geopolitical situation for a lot of reasons is continuing to be a hot topic, depending on your industry.

[David Spark] Is there anything bringing it down? Gary’s trying to think.

[Gary Hayslip] No.

[Laughter]

[David Spark] I’m interested, I’m going to go to the audience here. Does anyone think there’s anything that’s bringing stress level down? Anything? Complete silence. [Laughter]

[Keith McCartney] So, maybe the answer is then that it’s going up.

[Laughter]

[David Spark] That it’s going up.

[Gary Hayslip] We got CISOs going before the SEC. We’ve got companies being fined huge amounts of money for different things that have security components. We’re going before boards and leadership teams more often. There’s nothing that I can see that’s reducing.

[David Spark] Oh. So, this is why CISOs are getting burnt out because it’s just adding non-stop stress. Am I right?

[Gary Hayslip] I’ve known several that have walked away in the last six months.

[David Spark] Yeah. Well, whole other episode. We’ll come back to that. All right. From Matt Stamper of the Executive Advisors Group, and I love this question, and I hope you have an answer, by the way, for it. What’s a metric you used to report that you stopped reporting?

[Gary Hayslip] Oh, it figures Matt would run up with this one. We used to go ahead and report on like how many things were patched and how many things were unpatched, and we quit reporting on that just because to me, it doesn’t really reflect the proper risk of the organization. Because you’re going to go ahead and patch specific things that are unique to the business, unique to the applications and stuff that you’re using.

And there may be other things that you don’t patch right away that you may patch later. And so having this whole thing of, well, you’ve got this many that are unpatched or this many that aren’t patched and you got this many days in between, it doesn’t really properly reflect the risk. And we just quit doing it.

And actually the boards would just glaze over. They didn’t really care.

[Keith McCartney] Yeah, same thing. We focus on vulnerability remediation, SLA, like how well you’re doing versus the raw number of issues.

[David Spark] So, you stopped doing that. Anything else you stopped doing or just that, the patching numbers?

[Keith McCartney] We had other metrics that we were looking at around identity and access management, but it just wasn’t driving the right decisions. It wasn’t driving the right insights. So, we’ve really focused on, again, as Gary mentioned, where our risks are versus where our operations are taking action.

[David Spark] All right. Last question comes from Richard Greenberg, who is with Layer 8 Masters and the man who’s responsible for all of us here. Let’s hear it for Richard.

[Applause]

[David Spark] Oh, you can clap louder than that.

[Applause]

[David Spark] There you go. [Laughter] All right. I like this question, and we are making sure that none of your CFOs are going to hear this episode. So, we want to know your secrets. What’s your favorite technique to get your budget? Come on, reveal, Keith.

[Keith McCartney] Yeah. [Laughter] Have a good business case. Have a good business case. Why are we doing this? Why do we need to do it now? And are there other options that are cheaper?

[David Spark] You’re just saying yes to that, Gary?

[Gary Hayslip] No. Well, the thing about this is that when I’m doing my budget, I’m never doing it by myself. Typically when I am briefing my budget, I report to the CTO, and so it’s myself and the CTO briefing all of our projects in technology across the organization. And then when I brief the specific things that I am doing, I tie it into other departments and how we’re supporting the deals teams and how we’re supporting legal and compliance.

I never do it where it’s security standalone. Instead, it’s security. I’ve got these specific things. This is what I’m supporting. You’re telling a story. And so it’s that. So, that way they understand the impact. If you take that away, you’re going to hurt these other departments as well in their projects.

Closing

38:32.095

[David Spark] Awesome. Well, that brings us to the very end of this episode. Let’s hear it for our guests, Gary Hayslip of SoftBank Investment Advisors, and also Keith McCartney with DNAnexus. A huge thanks to our sponsor. That’s Entro Security non-human identity and secret security platform. Remember, go to their website, entro.security for non-human identity detection and response, or NHIDR.

All right. In closing, I always like to ask, are you hiring? So, maybe your portfolio companies, also within SoftBank Advisors, also with DNAnexus. Are you hiring? Yes, Gary?

[Gary Hayslip] Yes, I am.

[David Spark] All right. He’s a quick answer. Yes, I am. Keith, are you hiring?

[Keith McCartney] Absolutely. Reach out.

[David Spark] Reach out. All right. You can reach out. We’ll have links to their LinkedIn profiles. Our audience may contact you directly if interested in a role, yes? But go to the site first. Don’t go say, “Hey, what do you got for me?” Go to the site, do your own research, and then come to them with a specific request.

I want to thank Richard Greenberg, Planet Cyber Sec, Layer 8 Masters, and this entire audience for putting on a great show and inviting us to record this episode. And also, thank you to our audience for supporting and listening to the CISO Series Podcast.

[Applause]

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.