Back in My Day, You Could Get a Cybersecurity Job at the Corner Store

The barrier to entry for using technology has almost completely disappeared compared to the 80s and 90s. But by smoothing out all the rough edges, have we lost the ability to build meaningful security instincts through accidental breaks?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is Paul Drapeau, Head of Global Information Security, New Balance.

Huge thanks to our sponsor, Doppel

This episode is brought to you by Doppel, the AI-native social engineering defense platform. Doppel strengthens human risk management by training employees to recognize deception, while our digital risk protection detects and disrupts attacks across every channel. Learn more at doppel.com.

Full Transcript

Intro 

0:00.000 

[Voiceover] What I love about security vendors, go! 

[Paul Drapeau] I spent some time in the vendor space, and what I really love about security vendors is they can give me that outside perspective. Sometimes you get a little overly locked in to your internal view of the world. 

[Voiceover] It’s time to begin the CISO Series Podcast. 

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. Joining me as my co-host for today’s episode, it’s Andy Ellis. You may also know him as the principal over at Duha. Andy, say hello to the audience.

[Andy Ellis] Good afternoon, or depending on when you are in the world, good evening, good morning, good night, or it’s really cold. 

[David Spark] Where you are, not necessarily when. Where and when you are. 

[Andy Ellis] Yeah, and you could be in summer and it’s not really cold unless you’re in Australia. 

[David Spark] Summer in San Francisco where we lived was unbelievably cold. 

[Andy Ellis] Well, yeah, that’s because nobody should live in San Francisco. 

[David Spark] No, San Francisco’s a wonderful city, I love it, but it would get cold in the summer. 

[Andy Ellis] Yes. 

[David Spark] We’re available, by the way, audience, at CISOseries.com. If you don’t spend at least half your day there, I don’t know what you’re doing, to tell you the honest truth. I expect people spending at least three to four hours a day on that site.

[Andy Ellis] I thought it was like five, but. 

[David Spark] I’m okay with people cutting back one hour. I’m okay with it. 

[Andy Ellis] Daylight Savings Time and all. 

[David Spark] Exactly. Our sponsor for today’s episode is Doppel, the AI-native social engineering defense platform. Guess what? We’ll be talking about that and exactly what that means a little bit later in the show. Andy, I’ve brought this up in the past before and I’ve heard people say it, I bet you’ve heard people say it.

It kind of signals that the person is a jackass, but the line is, “Do you know who I am?” You know.

[Andy Ellis] Yeah. 

[David Spark] My question is, is there a version of, “Do you know who I am?” that doesn’t come off that that person’s a jackass? Is there a way to get what you want that does not come off as the line of, “Do you know who I am?” 

[Andy Ellis] Well, I mean, I guess it depends on what you’re trying to do, right?

[David Spark] Mm-hmm.

[Andy Ellis] Like if you are trying to get a privilege that you are expecting. Like for instance, I go to football games and there are Patriots alumni who are there all the time. Like they have a special wristband or a badge or usually a minder who’s there.

So, they get lots of stuff, right? And so, I can see them, like they walk up to the bar, and they order a drink, and the drink always gets comped.

[David Spark] Mm-hmm.

[Andy Ellis] So, yeah, there’s like a polite way for them to sort of flash their badge, their ID to be like, “Yeah, you know who I am, right?”

[David Spark] That is a politer way. Yes.

[Andy Ellis] Right. The challenge is most of the time when people are saying it is they’re trying to get a privilege that they’re not entitled to. Like, “Oh, I want to be first in line. Do you know who I am?” Now, I’ll be honest. I have done this at RSA when I’m speaking, which I did not this year, but I’ve walked up to the line and they’re like, “Oh, get in the back of the line,” and I just point up at the sign and I’m like, “By the way, I’m the speaker.” I did this in the keynote, when I was doing the keynote hall and my picture was there.

[David Spark] There you go. There’s a perfect version of, “Do you know who I am?” which is not being obnoxious, just pointing out, “By the way, I’m speaking,” rather than, “Hey, moron working the front door.” [Laughter] 

[Andy Ellis] Yeah.

[David Spark] Because you can’t expect them to know. 

[Andy Ellis] You can’t expect everybody to know. It just becomes fun. They get this moment like, “Oh, that’s who you are,” and you treated them with respect as a human. Like, that’s the real challenge of do you know who I am? 

[David Spark] There is a way to treat people with respect and to cajole them a little bit rather than make them feel bad about who they are or them not knowing you, which my attitude is if someone doesn’t know someone, big deal. 

[Andy Ellis] Big deal. Who cares? The best part is if there’s a reason that they should know you, you get to introduce yourself to them and have them be blown away by your awesomeness. 

[David Spark] There you go. I just love the egotism that is connected to the phrase, “Do you know who I am?” Just there’s something sort of so beautiful about, wow, you’ve gotten to your point in life where you feel entitled to say that line. [Laughter] 

[Andy Ellis] And I suppose that the challenge that I’ve run into is when I’ve had people do that is I know enough people who could throw their celebrity around who don’t that I’m kind of immune to it when somebody’s like, “Well, don’t you know who I am?” and I’m like, “So? Do I care?”

[David Spark] Let me chalk this up for I don’t care. 

[Andy Ellis] Yeah.

[David Spark] All right, let’s get into the show, who everyone’s going to know in just a minute. He doesn’t need to throw his weight around. His weight is thrown around ahead of him. That’s what happens. Thrilled to have him on board. He has a connection to the CISO Series family, actually…

[Andy Ellis] Whoo.

[David Spark] …which is very nice. And we’re thrilled that he’s joined us. He is the head of global information security over at New Balance. None other than Paul Drapeau. Paul, thank you so much for joining us. 

[Paul Drapeau] Oh, thank you so much for having me, Dave and Andy, really excited to be here. Thanks. You did steal my opener, though. Do you know who I am? 

[Laughter] 

Is this really the right strategy? 

5:11.376 

[David Spark] “Is it better to have a few rusty quarters than a shiny silver dollar?” That’s how Ira Winkler of CYE framed the debate over startups chasing Fortune 500 logos right out of the gate. He built off of Jason Cenamor of Confide’s frustration with vendors after the RSA conference.

He found them obsessed over Fortune 500 meetings while ignoring mid-market CISOs who need them the most. 

There can be a lot of strings attached to a Fortune 500 deal. Months negotiating contracts, scaling before you’re ready, supporting complicated legacy environments, and burning resources you don’t have. But some startups land a Fortune 500 customer early, and it legitimizes them instantly.

I mean, I know of cases of this. Their logo becomes marketing without having to do marketing. But that Fortune 500 might not let you say they’re a customer, which kills the whole value proposition. So, Andy, I go to you. What’s the right play here in terms of who you’re targeting?

And for CISOs, if you’re at a mid-market company watching vendors chase those enterprise logos, does that change how you evaluate their commitment to your success? 

[Andy Ellis] So, actually, first, I want to take apart a couple pieces of the argument, even though I mostly agree with it. I just want to say, caveat, I’m going to end up in the same place. But first of all, I got to say the better to have a few rusty quarters than a shiny silver dollar?

Is there a worse analogy to go with? No, I’d rather have the shiny silver dollar than a few because few is three; two or three. So, yes, I want the shiny silver dollar. This one would have been better if we’d said, “Is it better to have a handful of rusty quarters than a shiny silver dollar?” I’ll take the handful of rusty quarters, thank you.

[David Spark] Is a few – hold it – is a few considered less than four? 

[Andy Ellis] Yeah, generally few is two to three. Like, that’s my expectation. So, it didn’t resonate, but I’m nitpicking here. The second thing I just want to nitpick is the reason that the startup wants the Fortune 500 is not as marketing to other customers.

It’s as marketing to get their next round. 

[David Spark] That too. 

[Andy Ellis] They land the Fortune 500, they get a bigger next round, which means they have more money to put into building product. Like, that’s what their actual ecosystem is. You’re a startup at the seed round, you can bring in a six-figure deal on a Fortune 500.

Boom, you’ve got your next round right there. Like that makes your A round happen. And so, I think a lot of people who are on the CISO side are like, “Oh, but why would you want to be tied to a Fortune 500?” [Laughter] The answer is because I would like to have a lot of money in the bank that I can use to now build the product I need.

Because at seed, you’re not building a product, you’re building a feature. 

[David Spark] Right. 

[Andy Ellis] And I think the financial services industry has really sort of distressed this piece of the market because big banks will buy a feature from a seed stage startup, and so everybody chases them. That said, if you are a startup, do not pivot everything to going after this hypothetical whale.

Land customers, find your fit. You have a feature, you have a buyer because that’s the first step to getting to product market fit. And yes, the mid-market CISOs are going to look around and be like, “Oh, you don’t know how to sell to me,” or “You don’t want me,” when that’s actually who tends to buy the most product is in the mid-market.

There’s a lot of companies there you want to have. If you have a market, it has to include them. 

[David Spark] All right. Now, I will say that I know of one case where they did get a blue chip client like right out of the gate. 

[Andy Ellis] Yep. 

[David Spark] And they were able to drop their name, and it did allow sort of a lot of other customers to fall into place because of it. 

[Andy Ellis] Right. Even if you can’t publicly use their name, everybody will just still disclose it in customer prospecting calls. 

[David Spark] Private conversations. Yeah. Okay. I throw this to you, Paul. Paul, what’s your take on this? Do you agree with the “don’t be chasing the Fortune 500s”? Or heck, if you need that next round, you got to go for it. 

[Paul Drapeau] I agree with the comment that it’s a balance, right? I mean, I spent some time in a startup I joined just between seed round and A round. And I’ll tell you, our first paying customer was about a 60-person textile manufacturing company.

We probably spent more at the bar that night celebrating than we got for the deal, but we learned a ton from that customer, right? I mean, they had a bunch of legacy stuff. We were building an endpoint product in the EDR space. So, we learned to solve some of those challenges at a smaller organization that might have been a little bit lower stakes for us, but we could really direct that product at different customer bases than just that Fortune 500.

Now, the other side of that is we definitely had our bigger sort of blue chip clients as well. I think from the CISO perspective, I might get a little nervous with a startup that was really directing their efforts there because as you said, I start to lose a little bit of control as to where the product’s going.

And the big advantage for someone like me investing in early-stage products to use in our environment is I get some direction on that roadmap, right? 

[David Spark] And we’ve heard that a lot. That’s usually the excitement CISOs have for startups. 

[Paul Drapeau] Right. And I don’t necessarily believe that a startup’s not going to pay attention to a customer like me or a logo like ours, but they definitely direct where the money’s going, like we said. But there are barriers to entry in larger companies.

Smaller companies can act much faster and be a lot more nimble there. 

Why is everyone talking about this now? 

10:46.530 

[David Spark] “Is the next generation not paying their cybersecurity dues? LimeWire…” for those of you who don’t know is one of these download services where you can download music and movies illegally, “LimeWire taught me to trust nothing.” That came from a cybersecurity subreddit post about why people who grew up in the ’80s and ’90s might have better cybersecurity instincts.

Back then, you built immunity through exposure to countless small threats. Click the wrong ad banner, download a wrong song, you use the wrong thumb drive, and you’d spend hours reinstalling Windows. I’ve done that. 

Now the internet is sterile. Even pirate sites look like Netflix. Young people grew up with iPads and Chromebooks that are locked down. That means no tinkering, no troubleshooting, no learning the hard way. One commenter thought, “Gen Z is as computer illiterate as boomers.” But others pointed out that age isn’t a strong indicator of cyber risk; being overwhelmed and under pressure is what increases risk.

So, is this “generational immunity” real, Paul, or is it just nostalgia for doing things the hard way? And we hear that a lot, “When I was young, we had to do this and that.” Paul, what’s your take on this? 

[Paul Drapeau] I think it’s quite real, not necessarily because of the exposure to smaller threats. My take on this would be ’80s and ’90s people, we grew up watching these things get built. We probably had a home computer that wasn’t connected to anything and then we got to dial up and then we got to wired internet.

And then we embraced a world where there was basically wireless internet delivered everywhere, so it leaves you with this conceptual understanding of how things work and how things come together and what the implications might be on certain things.

So, as technology transitions from one phase to another, you have this analogous view of how those pieces come together and really where the threats might be. I think folks that might be growing up now, I mean, I look at my teenage daughter. She grew up in a world where the internet was always in the palm of her hand, right?

So, that becomes magic to a lot of people. I think of the Arthur C. Clarke quote, “Any sufficiently advanced technology is indistinguishable from magic,” right? 

[David Spark] Yes. 

[Paul Drapeau] So, folks that weren’t exposed to how these things were really developed, more or less from the ground up, just don’t have the fundamental understanding as to how they work and how they can break.

[David Spark] Good point. All right, Andy, I throw it to you. You grew up in this era. You, I’m assuming, may have reinstalled Windows once or twice. 

[Andy Ellis] More than that. 

[David Spark] Were you a little bit more, I guess, wary, I would say, of these things as a young person? 

[Andy Ellis] So, I think there’s a couple different things going on, and one thing here is sort of a selection bias, which is, yes, there are a number of people who grew up in the ’80s and ’90s who are wizards because they understand this technology very, very deeply, but that doesn’t mean everybody from our generation did.

So, I think that’s a thing we should pay attention to. Now, it does mean that when you have deep expertise, you understand things like leaky abstractions. 

One of my favorite blog posts ever from like 23 years ago, Joel Spolsky wrote about the law of leaky abstractions, like what happened when Java got created, but memory management still leaked through as a problem, even if Java wasn’t doing it, and if you didn’t understand how memory worked, you would not understand why your Java program was breaking because you assumed memory was infinite and scalable, but it turns out it’s actually not, under the covers.

So, yeah, we have a leg up when we actually understand the technology underneath the magic, but I think what’s happened is we’ve looked at the people who became experts coming through that and are then comparing them to the mass of people who are coming later.

And that’s an unfair comparison because we’re sort of comparing the 1% to the 90%. 

Like in my house, I have two kids. My eldest could care less how technology works. Like, it’s just a tool. Their focus is elsewhere. My youngest, like this is the guy who taught himself how to reinstall Windows because he’s the only one with a Windows box in the house because he wants to do gaming.

So, he’s a great systems administrator. He understands how Windows works. Both of them, I tried to teach them good cyber awareness and good risk awareness. I think they’ve got their heads on straight, and that’s mostly because we tried to put them in situations where they would learn.

And I don’t think that’s about the technology. I think that’s sometimes about removing the safety net. For those of you who are not from the ’80s, you should go watch Stranger Things if you haven’t watched it already and recognize that, demons aside, that was the life we grew up in.

There was no safety net. We had no phones. It wasn’t that we didn’t have, like, the magic of the internet. No. We had no way to call our parents. 

[David Spark] Right. 

[Andy Ellis] We got kicked out of the house in the morning and we were not expected to come back until the evening. We got into trouble. We had lots of life-learnt lessons there. 

[David Spark] I can’t imagine you got into trouble, Andy. 

[Andy Ellis] Oh, you have no idea. 

[David Spark] What? Hold it. Tell us one quick story. Go. 

[Andy Ellis] So, my favorite story is when, at our previous house, I was giving a friend a tour in it, and we had three upstairs bedrooms. Two of them were for the kids, one was for my gym. The one that was the gym was the nicest of them, but it had an external patio, and I said I wasn’t putting my kids who were about to be teenagers into a room with an outside door because I know how much trouble I got into as a teenager with an outside door, and my mom said, “You never got into trouble,” and I said, “No, I just never got caught.” 

[David Spark] So, everyone creates a picture of what Andy did going in and out of that outside door from his bedroom. 

[Andy Ellis] You can decide anything you would like based on that. But anyway, the point is, it’s not that kids don’t have access to the technology and they aren’t tinkering. I think there’s just as many tinkerers now as there used to be. I think the challenge is we have protected them from a lot of risk that has nothing to do with technology risk and everything to do with life risk.

[David Spark] But Andy, when you and I were growing up with technology, it was the people who were into the technology who used it. Truly, everyone uses technology. Everyone’s got a mobile phone. It was only a percentage back then. 

[Andy Ellis] Right. It was tiny fractions. How many of us had personal computers in our bedrooms when we were kids? I did. When I was in sixth grade, I got a Commodore 64. It was the coolest thing ever. I was like the cool kid among the geeks. 

[David Spark] It’s still pretty cool. Do you have, by the way, any of these old computers still or no? 

[Andy Ellis] No, no. I donated them a long time ago.

[Paul Drapeau] I’ve got an office full of them. I still have my Commodore 64. 

[David Spark] Strongly recommend a visit to the Computer History Museum in Mountain View. 

[Andy Ellis] Yeah. I wish I had a good way to get rid of things now. I now have a bin that is labeled necromagnetic hygiene for like every laptop or tablet we’ve had in the last 15 years that I just have not gotten around to purging.

[Paul Drapeau] Shredder. 

Sponsor – Doppel 

17:38.572

[David Spark] Maybe that’s an urgent message from your CEO, or maybe it’s a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers turn to AI to power increasingly sophisticated strikes, Doppel uses it to fight back.

Their digital risk management dismantles attacker infrastructure while human risk management builds team resilience through simulation and training. With automated takedowns, multi-channel coverage, and AI defenses that build intelligence with every fight, Doppel works relentlessly to protect people, brands, and trust.

Doppel, outpacing what’s next in social engineering. Learn more by going to their site. It’s doppel.com, and when you go, let them know that you heard about them from the CISO Series. 

It’s time to play “What’s Worse?” 

18:38.408 

[David Spark] All right, Paul, do you know how this game is played? 

[Paul Drapeau] I don’t. 

[David Spark] Well, it’s simple. It’s just two crappy scenarios. I make Andy go first. You have to tell me from a risk management perspective which one is worse. All right? 

[Andy Ellis] And the rule is you can’t really modify this scenario. So, you can’t say, oh, like I inherited not having a team and the first thing I do is go hire a team. No, no, you don’t actually [Inaudible 00:19:11] in that scenario. 

[David Spark] Right, right. You can’t all of a sudden change it. These are the parameters. This is what you’re going to work with. But this is a very different sort of take on our traditional “What’s Worse?” 

[Andy Ellis] Okay. 

[David Spark] Okay. This comes from Ryan Rene Rosado of RSM. Here you go. And again, there’s kind of two parts in each half of this. Scenario number one. Andy, your company is suffering from a major DDoS attack right before an IPO, and all the time this is happening, you also have to watch a three-hour elementary school musical in which your children are not in the show, and you don’t know anyone else’s children in the show.

You have to sit through this. 

[Andy Ellis] Wait. Why do I have to sit… Wait, Ryan, I need to, Ryan Rene, I need to understand, why am I actually here if it’s not my kids? You can’t tell me I have to without a story. I need a story. 

[David Spark] This is just the scenario! By the way, I’m the one who adapted this, I’m the one who actually edited that part. She had something else that was a little more depressing, [Laughter] and I took it out. That’s it.

[Andy Ellis] Okay.

[David Spark] So, you could ask me, I’ll tell you a perfect situation. We were at a friend’s house who was actually helping produce an elementary school musical that our child did go to at one time. 

[Andy Ellis] Okay. 

[David Spark] We helped her. 

[Andy Ellis] I mean, this one I’ve got a good answer for. So, this is not going to be the worst. 

[David Spark] We helped her out with the design and stuff, and at the end of helping her out, she was so thankful, she said to us, “I’ll get you free tickets to the show,” and all I can think is… Because we didn’t have any children in the show.

[Andy Ellis] Oh, God.

[David Spark] What, are you nuts? [Laughter] I’m not going to that. I’m not out of my mind. 

[Andy Ellis] But I will say we’ll say you’re on the board of the school that does it. 

[David Spark] Okay. Well, no. That’s only scenario number one. I have to give you scenario number two. 

[Andy Ellis] I know, but I like to understand the scenario before we go to the next one. 

[David Spark] Okay, scenario number two. 

[Paul Drapeau] Those are concurrent scenarios. I don’t get to choose which of those? 

[Andy Ellis] You get both of those. 

[David Spark] You’re dealing with both of these things at the same time.

[Paul Drapeau] Okay.

[David Spark] Your company’s suffering from a major DDoS attack right before IPO. 

[Andy Ellis] Right. Right. So, assume the DDoS attack starts as you walk into the performance. 

[Paul Drapeau] Okay.

[David Spark] Yes. 

[Andy Ellis] And you get the notification. 

[David Spark] Yes. Right before the IPO, you have to. Now, granted, you have a team that works for you. Like, you don’t have to deal with it. 

[Andy Ellis] Yep. Okay.

[David Spark] Or your organization is the root cause of a supply chain attack that hits your customers, and you have to chaperone a sixth-grade field trip to New York City. Again, you don’t know any of the children. None of them are yours. Which scenario’s worse?

[Andy Ellis] Wait. You don’t know them or they’re just not yours? 

[David Spark] They’re not yours. They’re not yours. And your kids are not friends with them. You just have to deal with somebody else’s sixth-grade kids. 

[Andy Ellis] [Laughter] So, this one’s kind of funny. 

[David Spark] Yeah, it’s plenty funny. I think this is hysterical. 

[Andy Ellis] I’m entertained.

[David Spark] They’re both awful from all angles here.

[Andy Ellis] No, no, the first one is actually not at all awful because what I’m literally going to do is I’m going to tell my team, “Go pick Akamai or Cloudflare and turn it on.” Boom. My DDoS attack is dealt with. Like, we literally have vendors who’ve solved this problem.

I am the wrong host to get this. 

[David Spark] I know, I know. 

[Andy Ellis] As the guy whose patent is on solving this problem. But this is a 15-year-old solved problem.

[David Spark] Let’s assume you’re not turning this on. You just… You’re getting hit. 

[Andy Ellis] I’m getting hit, so. But I can deal with it. This is not like getting hit with the thing that there’s no dealing with. 

[David Spark] I’m going to assume you can’t all of a sudden, because yes, that would be a simple solution to this problem. 

[Andy Ellis] No, no, it’s an incident to manage. Like DDoS attacks are easy to manage. Like if you want to give me an incident that sucks, DDoS is not in the suck. I’m the root cause of a supply chain failure that I assume is…

[David Spark] That’s awful. 

[Andy Ellis] …across a large environment. That’s a much worse problem. These are just not even comparable to me. Like, that’s happening, and I’m chaperoning sixth graders where I have to pay attention to them. This is not about whether I know them or not.

This is I actually have sort of a duty and responsibility as a chaperone. 

[David Spark] Yeah, during the three-hour elementary school musical, you could use that as a nap. 

[Andy Ellis] Right, elementary school musical. I’m like, great, I’m on my phone solving the incident. That totally works. I’ll have some parents nearby glaring at me, so I’ll pretend I need to go to the bathroom, step out, deal with the incident. But if I’m responsible for sixth graders, I can’t do that.

So, it’s difficult for me to manage this painful incident while chaperoning. 

[David Spark] You make a very good point. 

[Andy Ellis] So number two is worse. 

[David Spark] Paul, do you agree or disagree here? 

[Paul Drapeau] I agree entirely. Number two is far worse. A supply chain attack like that that’s impacting my customers is hurting other people, it’s hurting other organizations. So, from a pure cyber risk standpoint, that one is far worse to me. The DDoS is hurting us, but it’s recoverable, like Andy said.

In general, the pain point for me in both of these scenarios is the dealing with other people’s children side of it. 

[Laughter] 

[Paul Drapeau] My daughter, 16-year-old daughter, again, she does competitive dance. I love to watch her dance. It is so amazing. Watching other people’s children dance for extended periods of time at competitions and recitals, that’s the painful part.

[David Spark] That’s torture. That’s complete torture. 

[Paul Drapeau] That is a more painful part. On the cyber end though, 100%. Supply chain that I’m responsible for, that’s the worst scenario. 

[David Spark] But hold it, I’m throwing this out. Say you don’t have Akamai or Cloudflare to help you out with the DDoS attack – which you are correct, it’s very manageable. Let’s just say, hold on. 

[Andy Ellis] Okay, so I will invent a solution. I already did. 

[David Spark] It’s just before an IPO. How much is this damaging your IPO, do you think? 

[Andy Ellis] Not very much at all. No, I don’t think so. And look, the kid thing doesn’t actually bother me. I don’t think either of those are negatives other than I’m probably bored at this elementary musical, but I actually think educating and entertaining other people’s kids can be fun.

That’s why I’m on the board of trustees of a high school because I actually think that’s like the greatest privilege you have is to create this environment for them. So, I don’t find it a problem that I’m in New York City as a chaperone other than I can’t also do my day job of being a security professional because I have this responsibility that I take seriously.

[Paul Drapeau] Yeah. That one takes you out of the game for much longer as well, too. Three hours. Look. Our teams have dealt with incidents, all of us here, I’m sure. 

[David Spark] Mm-hmm.

[Andy Ellis] Yep.

[Paul Drapeau] Three hours is sort of a blink in most larger incidents. 

[David Spark] Yeah, so it would be magical if it ended in three hours.

[Andy Ellis] Yeah, yeah. Try being the chaperone for a high school trip to another country, which I’ve done part of, and that’s a very different time constraint. 

What about this AI security challenge? 

25:36.623 

[David Spark] “We don’t need faster answers. We need better questions.” Stuart Winter-Tear argues that in the Age of AI, knowledge isn’t the edge anymore. Synthesis is. LLMs can recall anything quickly, but they can’t weigh tradeoffs – like we did in our last game – [Inaudible 00:26:02] contradictions or ask, “What are we not seeing?” The value now belongs to what he calls the “specialist generalist,” someone deep enough to master something wide enough to connect it meaningfully to something else.

Someone who can sit in the intersection of disciplines. He frames synthesis as the hardest skill, knowing what matters, not just knowing more. So, is this synthesis capability, Paul, what separates effective security leaders from technical experts?

And if synthesis is the hallmark of the CISO role, which I kind of get the sense is from his description, how do you demonstrate it before you get hired and when you’re on the job, Paul? 

[Paul Drapeau] I think it is, obviously. The specialist generalist is a really great way to put that. Security’s a broad problem set, and yes, with its deep dives at any given time, you might need to deep dive into different topics. I think having the ability to do that is probably one of the most important capabilities of a security leader, right?

And it’s something that people in this field should definitely look to grow very, very early on in their career. 

I saw this when I was in threat research roles, right? Being able to, again, look across a broad set of problems, but really dig deep where we need to is super important. Someone asked me one time, “How do I get to be a great threat researcher?” and this person at the time was in a sales engineering role, customer-facing role.

And I said, “Get good at using Google.” You’re going to have to dig into a lot of things that nobody is an expert on in this organization, and you’re going to have to become one overnight. That’s the synthesis aspect of that. You don’t have to have all the answers in your head.

I do sort of wonder about these AI tools and how we’re using them. One interesting point from last year that I was thinking about was the situation that Anthropic was dealing with, the exploitation or the misuse of their Claude tooling. One of the aspects that they mentioned in that write-up on that was that the tool hallucinated to the threat actors and gave them false data about valid credentials or data or whatnot.

It really takes an expert to understand the output of these tools and understand what to trust and how to use it. It’s super important. 

[Andy Ellis] So, I want to pivot on that concept of the expert, and there’s a term that’s often called deep expertise, which is when you understand a system well enough to understand its constraints, right? And we’ve always known that person, right? There’s the running joke about the mechanic who knows how to fix the boiler, like exactly where to bang on it and why that works.

And one of the challenges that we have is there are very few people who have deep expertise, but even rarer is the ability to synthetically have deep expertise, to walk into a system you don’t understand, but engage with it as if you had deep expertise, right?

To say, “This system has to have constraints I don’t yet know, let me go figure out what they are.” And I like to think of that not as the specialist generalist, but the generalizing specialist, that you can walk in and become a specialist in almost any field.


And let’s take LLMs as one of those. If you understand how an LLM basically works, what you recognize is that LLMs are non-deterministic. The hallucination is a specific form of non-determinism, but it’s the fact that this is a constraint that they have is they’re trying to synthesize human behavior, and humans don’t repeat things.

Which means anytime you want to ask an LLM to run a process over and over and over again, it is not going to work because it’s non-deterministic, it’s going to do a different thing every time it runs the process. Now, having an LLM create a process and create an automation that will then just run the process over and over again would be what you would do.

Right? And so, that’s an example of how somebody who can think about constraints of a system might walk in and say, “Here’s what I need to do. What are people not seeing?” 

And that’s one of the biggest challenges you see. You see it at every level of an organization where somebody who believes they have expertise walks into an adjacent system and never says, “How are the constraints here different? How might this system behave differently?

And how will that change the decisions I make about how to use it?” People make fun of executives that just walk into the room and say, “Well, why don’t you just…?” And I like to say that “just” is the most dangerous word in the business ecosystem because it means the person didn’t understand how the system worked.


[Paul Drapeau] The other most dangerous word is probably “only.” It only does this. 

[Andy Ellis] Yeah, I always love, yeah, customers would never use our system this way.

[Paul Drapeau] [Laughter] I’m thinking about this from the perspective of a threat actor, too. I mean, what makes a good threat actor? Exactly what you were saying, Andy.

[Andy Ellis] Right.

[Paul Drapeau] Someone who looks at the constraints in a system that can be exploited to do something that wasn’t intended, make it do something that’s not repetitive, absolutely work outside that loop. 

[Andy Ellis] Right. And in a sense, that goes back to our ’80s and ’90s kids conversation, which is I think a lot of us did grow up where we had to interact with systems and figure out how to make them do things that they were never intended to do, whether that system is a technology system or a human-based system.

Look, I’m the guy who sits and walks in and watches TSA every time I fly to figure out all the process vulnerabilities, which I’m not going to list on the air, but they exist. I’ve seen process vulnerabilities in TSA that I understand why they do them.

And that’s like, oh, if I needed it, I could use that, but I’m not going to because I don’t want to make TSA any worse than it is. 

[David Spark] This reminds me of the book by Bruce Schneier, The Hacker’s Mind, which speaks to very much what you are all talking about. 

[Andy Ellis] Yep. 

[David Spark] I recommend it. 

What’s the starting point for a CISO? 

31:39.146 

[David Spark] “When leaders hold everything tightly at the top, it’s often not about ego. It’s about experience being burned before.” That’s Rinki Sethi, who’s the CISO over at Upwind Security, who reflected on what separates leaders who scale from those who bottleneck, the ability to trust people enough to let go.

She argues that control rooted in fear has predictable consequences. Decisions slow down. People stop taking ownership. Strong talent leaves. Innovation narrows. But when people feel frustrated and empowered, they step up, think bigger, move faster.

Leaders gain leverage instead of control. But how does a CISO know when they cross from healthy oversight into fear-based control? Interested in your take on this, Andy. What are the signals that reveal you’re holding too tight? 

[Andy Ellis] So, I don’t like the framing of that as fear-based control because sometimes it’s just they’ve never been exposed to how to do it. They don’t know how to create systems of delegation. I had a friend who liked to say, look, the CMM model, the Capability Maturity Model, the Level One to Level Five for organizations.

The challenge is there are people who don’t know how to operate at different levels. And so, if you grew up in a Level One organization – heroes, I do it all myself – and nobody taught you how to build a Level Two or a Level Three org, it’s not that you’re afraid.

You just don’t know how. Like, you don’t know how to delegate, what delegation even looks like because you’ve never been well delegated to. 

I had this challenge, like early on in my career, my boss had no idea what I did. Occasionally, I’d get vague direction, but that’s not delegation. That was like this such laissez-faire, like I’m not being micromanaged [Laughter] at least, but it didn’t teach me how to delegate.

I had to learn how to do delegation. Thank goodness I’d gotten that in prior parts of my career, so I was able to use it. So, I think the lesson really needs to be do you have people who are capable of making the decision you made, but refuse to make it?

That’s your signal. If you’ve got somebody who should have been able to say, “Oh, yeah, I’ll go do X,” but came to you and said, “What should we do?” and you said, “Go do X,” and they give you the look of, “Yeah, I knew you were going to say that,” and they go execute, you’ve got a problem there because you’re not delegating.


[David Spark] Mm-hmm.

[Andy Ellis] Micromanagement is simply the mismatch between how much supervision somebody needs and how much they’re getting, i.e., they’re getting more than they need. And so, you need to learn how to delegate, which is to let go and say, “It will not be done exactly the way you did it, but more will happen,” and you just need to say, “Here’s the success criteria.

Here’s how I will measure your success. Go do it.”

[David Spark] I love that. 

[Andy Ellis] Several things from my book, 1% Leadership, available anywhere you buy books. 

[David Spark] Read his book too. Actually read Andy’s book on 1% Leadership before you read The Hacker’s Mind by Bruce Schneier. All right, Paul, I’m taking it to you. That was a great explanation right there. What would you add to that, Paul? Assuming you agree.


[Paul Drapeau] No, no, I definitely agree. I think one of the ways that I detect that in my world is if people are coming to you to be the easy button, right? Like Andy said, sort of offloading that decision to you. You have to figure out why that’s happening.

Is that some condition you’re creating? Is it a lack of confidence there? I often observe maybe people on my team or in other teams deferring decisions until certain people are in the room rather than, as Andy said, making a decision that a reasonable person would make in that scenario, knowing what they know.

And that’s an area that you certainly should dig into, right? I mean, if we’re doing this job right as we’re hiring the people and building the teams that we’re going to delegate to, we’re hiring people that are smarter than us in these areas, as we just talked about.

These generalist specialists, specialist generalists that can really understand these problems in ways that probably we as leaders cannot. 

So, I think oftentimes what I’m really looking for my team to do is act independently, make those decisions when I’m not in the room because frankly, they have more information about the problem than I do. And we just have to understand that, as Andy said, it’s not always going to necessarily be done exactly the way that I would do it, but maybe the way that I would do it is wrong, frankly.

And I would rather have competent, great people in those seats to make those decisions and make those calls. 

As we were talking about before, if I’m at the three-hour dance recital and someone needs to make a call in an incident, I need to have the faith that that person, A, will be able to execute and make that call or push that button. I think having simple rules across the team really helps, too.

I mean, one of the things that our team talks about is when we’re evaluating a condition or the severity of something and whether we need to take an action that, hey, might have some business impact, is this stopping the shoes, right? Is this impacting our key business efforts?

That’s what that boils down to for us, right? Is the situation creating a condition where either we can’t serve our customers, or our customer data or something like that is at risk? Hey, in those cases, people have to understand that they need to make those calls, make those decisions, and leaders, frankly, have to back them.


[Andy Ellis] And now here’s the advanced skill. So, once you master Paul’s skill, which is right on, like, that’s where you need to get to, watch out for escalations. Every time somebody outside your organization escalates because they didn’t like a decision that somebody on your team made and you overrule the person on your team, that’s a failure on your part, not on the person’s part.


[Paul Drapeau] One hundred percent. 

[Andy Ellis] Right. And if you make it cheap for people to escalate to you, they’re going to keep doing it. So, this was taught to me by somebody who worked for me was he said, look, people escalate to you because you can flex on the policy and I can’t.

So, what we would do is he would say, “Look, we need to flex.” He would give them the flex, and then when they escalated because they still didn’t like it, I would take the hard line on policy, “Here’s what you need to do.” And so, they learned that it was painful to escalate to me because now I was watching and they couldn’t get the good deal that they had.

And so, they would go back to him and say, “Hey, can you help us get back to this deal you offered?” And now they wanted to work with him, they wanted to stay with the person who was in charge of this. And now delegation works because I wasn’t overruling them.


Closing 

38:01.996

[David Spark] Excellent. Well, that brings us to the end of the show. I want to thank our sponsor, Doppel, the AI-native social engineering defense platform. Remember, just go to their website, doppel.com. Learn how to protect yourself from deepfakes at all levels to all people and let them know you heard about them from the CISO Series.

Paul, thank you so much for coming. I loved, your line was, does this stop the shoe? Was that the line? 

[Paul Drapeau] Does this stop the shoes? That’s the question we ask. 

[David Spark] I’m going to say this is analogous to a line that one of our other co-hosts, Steve Zalewski, who’s a former CISO over at Levi Strauss, would always say, “How does this help me sell jeans?” 

[Paul Drapeau] Mmm, yeah. Think about the why. Think about why we’re doing this, right? 

[David Spark] Yeah, I mean, it all comes down to the shoes, the jeans, whatever the heck it is. 

[Andy Ellis] What’s the why? 

[David Spark] Does this stop the shoes? It’s great. Thank you very much for joining us. I’m assuming people can reach out to you on LinkedIn. We’ll have a link to your profile on the blog post for this episode. Anything else you’d like to say in closing, Paul?

[Paul Drapeau] It was great to be here. Super fun. I look forward to maybe doing it again sometimes. Thanks for having me. 

[David Spark] We would love to have you again. And again, to our audience, as we always say, and I truly mean it, we greatly appreciate your contributions and for listening to the CISO Series Podcast. 

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO Series Podcast.