Can You Please Train the AI on Your Way Out the Door?

There’s no doubt that AI will displace some portion of current knowledge workers, including in cybersecurity. But if it can displace all of them, how do businesses differentiate? Will cybersecurity become commoditized by everyone using the same LLMs?

This week’s episode is hosted by David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining is Jean-Paul Calabio, VP and CISO, Grainger.

Join the conversation on LinkedIn.

Huge thanks to our episode sponsor, ThreatLocker

ThreatLocker makes Zero Trust practical. With Default Deny, Ringfencing, and Elevation Control, CISOs get real control that’s easy to manage and built to scale. Stop threats before they execute and reduce operational noise without adding complexity. See how simple prevention can be at ThreatLocker.com/CISO.

Full Transcript

Intro 

0:00.000 

[Voiceover] Best advice I ever got in security. Go!

[JP Calabio] The best advice I ever got in security was to create a stakeholder map so before I go into a meeting, I understand what motivates each of my stakeholders. 

[Voiceover] It’s time to begin the CISO Series Podcast. 

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me is my co-host, it’s one of your favorites, the original, Mike Johnson, CISO over at Rivian. Mike, say hello to the audience.

[Mike Johnson] Hello, audience. One of your favorites, huh? Well.

[David Spark] Well, like my children, I cannot play favorites, Mike. 

[Mike Johnson] Ah, okay. Okay, well.

[David Spark] I cannot play favorites. 

[Mike Johnson] I guess I’ll accept with one of. 

[David Spark] One of. You are going to be one of our favorites. You know, we’re available at CISOseries.com, and our sponsor for today’s episode is ThreatLocker. Again, spectacular sponsor of CISO Series. If you don’t know, they are a zero trust solution.

Allow what you need, block everything else by default, including ransomware and rogue code. If you’re not clued into what they do, guess what? We’re going to be talking about that a little bit later in the show. Mike, I have a question for you.

[Mike Johnson] Okay.

[David Spark] So, I run the San Diego Cyber Group, and there’s a lot of young people who are either in school or just out of school trying to get their first job in cybersecurity.

[Mike Johnson] Mm-hmm.

[David Spark] And I would say I think I’m seeing more of that now than I’ve ever seen before, personally. It’s just anecdotally. They’re wide-eyed, very excited, very eager to get in. When someone young, of that age, is looking for their first job, they’re grasping at straws.

They don’t know what to do. It’s like, “What do I do? What’s the guide? What’s the path?” What do you say to those people? What is your sage advice that you give to them? 

[Mike Johnson] What I usually tell them is look at the skills that they have that are, frankly, non-security-related, and go and find a job, a role in that, and build up that skill, and then use that to pivot into security. 

[David Spark] Hold it. Give me an example. This is a very interesting take here.

[Mike Johnson] It could be something as simple as IT Help Desk.

[David Spark] Well, IT Help Desk, it’s interesting. The number of young people I’ve met goes, “Well, I’m kind of working the Help Desk,” and I was like…

[Mike Johnson] Great, keep doing that. 

[David Spark] Yeah, I light up. I’m like, “Oh, you have no idea. You’re in the most attractive position right now.” 

[Mike Johnson] Absolutely. Or development of some sort, like lightweight development, entry-level software development or network engineer or cloud engineer, something that is security adjacent. Because right now, there’s actually not a whole lot of a concept of entry level in cybersecurity anymore, right?

[David Spark] Yeah, it’s kind of sad. That’s a really good point.

[Mike Johnson] So, go and build your skills elsewhere, and use that on your resume as your introduction for like, “Hey, I did all this cool stuff over here that’s very security adjacent. I have all of this knowledge and training in security as well. I want to apply that to security.” And that’s really the best path into the career these days.

[David Spark] And hold it. Have you hired people at exactly that sort of combination you’re describing?

[Mike Johnson] Yes. Yeah. So, the best example, the one that I love the most is, and this was a while ago, we had an intern who had been a first responder, like a fire department or police department, and we hired them into the SOC after an internship because they had that calm-under-pressure concept.

[David Spark] Yeah.

[Mike Johnson] And so, that one’s way afield, but I’ve brought people in from IT, from Help Desk roles, from network engineering roles, very common. 

[David Spark] And just confirm I’m right. Someone who on paper has lots of education in cybersecurity, but no kind of real-world adjacent experience is not as attractive as someone who has some cyber training, educational training, but also with an additional adjunct position.

That’s more attractive? 

[Mike Johnson] Yes. Yes. Having experience in an enterprise, corporate company culture and having some security knowledge, some security experience is actually going to stand out more than somebody who has a lot of education and no professional experience at all.

[David Spark] Good, good advice. By the way, I’m going to echo that, Mike, and I will quote you appropriately. 

[Mike Johnson] Great. 

[David Spark] All right, let’s bring in our guest. Somebody I have been working on to get on our show for quite some time, and we just discovered that if you were to go way back to a live show that we did in Los Angeles, he made a sneak appearance playing a game we had called Security Squares.

This was an episode with you and me, Mike, and Gary Hayslip for the ISSA LA event. It was a live show, and he played the game in Security Squares. [Laughter] I think that might have been the last time we played that game, to tell you the truth.

[Mike Johnson] I think that’s right.

[David Spark] I want to bring the game back. It’s fun. It’s based on Sounil Yu’s Cyber Defense Matrix, which is pretty darn cool. All right. Excited to have him on, the VP and CISO over at Grainger, none other than JP Calabio. JP, thank you so much for joining us.

[JP Calabio] It’s a pleasure to be here. 

How is AI going to solve this problem? 

5:35.539 

[David Spark] “One thing that experience keeps teaching me: the scariest issues usually aren’t bad code. They’re broken assumptions between components.” That’s an interesting take. A recent cybersecurity subreddit post on the future of AppSec in the Age of AI found that maybe the new tech won’t solve as much as we think.

So, commenters pointed out that code scanning maps the repository. It doesn’t map the running system, the identity providers, the service-to-service auth assumptions, the legacy endpoint that quietly bypasses your permission model, and the config drift that makes your secure defaults moot.

So, if AI gets better at hardening the map, how do you actually secure the territory? Mike, I’m starting with you. Can AI help us solve the broken assumptions at the heart of this issue? And I think it’s interesting. It’s not the code, it’s the connections is the problem.

What do you think? 

[Mike Johnson] Well, I have to start with a disclaimer. I’m not an AppSec expert. I don’t claim to play one on television. 

[David Spark] But he’s going to provide some advice. Let’s hear it. [Laughter] 

[Mike Johnson] But I’m going to do my best here. And if you think about AppSec, code scanning is one of the key pieces of it, and we’re seeing a lot of value there. AppSec is already changing in the world of AI, especially when it comes to code scanning.

We can cover more, we can find more. We can also weed out false positives better. And that last part, the weeding out false positives, that is something that we used to have humans do. And humans would spend all their time like, “Before we hand this over to a dev team, let’s make sure that this is legitimate.” We’re not having to do that as much anymore.

Or frankly, getting to a place where we don’t have to do that at all. 

What maybe this person isn’t so much thinking about is AI doesn’t have to solve all of the problems. AI has to solve some of them so that we can move resources. We can take the people who are spending their time evaluating false positives, and they can go and solve the harder problems.

They can go and look at the system interfaces, the way that data moves around, the threat models at design stage. That is something that we can now do more of than we could in the past because people were spending their times on things the machines should be doing for us.

And that’s current state, like we’re seeing that today. We’re seeing that advantage. But I think one of the things that folks might not really be internalizing is what AI can do today is very different than what it can do six months from now, three months from now.

[David Spark] And I may have mentioned this on the show before. I know I mention it in conversation all the time. The best way we know that, Mike, is just look at AI image generation and AI video generation.

[Mike Johnson] Yep.

[David Spark] I was first introduced to AI a little less than three years ago, and I remember how crude it was now. And now I see it today. And I’ve seen it at every month interval, and I’ve watched it get better and better. So, if we can just visually see it changing, like with AI image generation, we know it’s improving across multiple planes.

All right, I’m throwing this to you, JP, as well. Where do you think the problem is in AppSec? Do you agree with this opening statement – it’s not the code, it’s in the connections? 

[JP Calabio] I do to a degree. The problem that I’ve run into with my AppSec organization and the developers is really around prioritization. So, I agree with Mike. Code scanning is getting a lot better. The problem is prioritization of fixing these vulnerabilities versus the actual code that they have to do for the business.

We can’t use AI today to go through and identify the dependencies and fix the dependencies, but that’s our hope that we can eventually get there. 

And quite honestly, to use the terminology that was used in the quotes, right, if artificial intelligence is helping to secure the map, I don’t see why there isn’t a reason why AI couldn’t help us secure the territory. You don’t need a single product to do everything.

And in this case, you can probably start to use agents or create agents to tackle different pieces of the puzzle. You just have to figure out how to make these agents work together, and I know that’s not as easy as it sounds. Can I do it today? Maybe not completely, but I do believe there’s a quote out there that kind of encapsulates what we’re talking about here.

Today’s AI will be the worst AI you ever use. 

Where can we cut costs? 

10:31.306 

[David Spark] “CFOs don’t fund faith, they fund math.” That from Adrian Salasa, CISO over at ShiftKey. He laid out a framework that got him a 40% budget increase. Quantify asset value, exposure factor, annualized loss expectancy, and suddenly, security.

The math is clean and that appeals to the CFO, but is it necessary? We don’t calculate ROI on the receptionist, the office furniture, or the CFO’s own salary. Plenty of business expenses get funded because leadership accepts them as the cost of operating.

So, why does security uniquely have to justify itself in financial models while other functions get a pass? Is it because security still hasn’t earned a seat at the table as a business fundamental? Or does forcing the ROI conversation actually sharpen security leaders’ thinking…” I’m asking you, JP, “…making them prioritize controls to move the needle over ones to just check a box.” And I think that last line is key right there.

What do you think? Why is the proof so important for security leaders, or proof of value, if you will? 

[JP Calabio] I actually saw this post the other day and I thought it was great for that CISO, and I do appreciate the case for quantifying risk. I consider risk quantification the gold standard. But is it necessary at this point? I don’t think so. There’s a lot of security leaders out there that have successfully used qualitative risk or, I guess, the other gold standard, fear, uncertainty, and doubt, to get what they needed from a budget standpoint.

Does it make it easier to get funding? If you have risk quantification, maybe. But at the end of the day, the CFO or whoever is still making a funding decision based on all the information that’s presented to them, along with all the other requests that are in the queue for budget.

Getting to this level, though, will definitely help sharpen a security leader’s thinking, especially if we’re talking from a financial standpoint. But it’s also helpful to understand different perspectives. There’s a limited pool of funds. The CEO may be comparing security risks against the repair of a roof or the returns of an acquisition.

So, always getting that perspective or understanding that perspective is key. There’s never any harm in improving your financial and business acumen. 

[David Spark] All right, Mike, I’m going to throw this to you. You’ve had multiple CISO roles. I’m interested to know, in each of your CISO roles, have you required different levels of proof of the value of your security program, depending on the job you’ve been at?

[Mike Johnson] I think you always have to be able to talk, like, what is the value that we’re bringing here? Being able to prove through risk quantification, I’ve never been challenged with that.

[David Spark] So, you haven’t had to put numbers behind these? 

[Mike Johnson] No, because I agree with JP that risk quantification feels like the gold standard, but it’s also one of those that it’s very difficult to actually prove when you start peeling back the layers of it. 

[David Spark] Let me pause you for a second. Let’s say you do go towards a quantification, not a qualitative model, but a quantified model. Don’t you feel that someone could just shoot bullet holes in the darn thing? 

[Mike Johnson] That’s the risk, right? That you show up, and you say, “Okay, well, if we spend a dollar, we will avoid $10 of an incident,” or something like that. 

[David Spark] And then someone could challenge you and you’re like, “Well, yeah, I guess it breaks down when you look at it that way.” [Laughter] 

[Mike Johnson] That’s one of the problems that I have with it, and I will put out there that I am quantification curious, but…

[David Spark] [Laughter] 

[Mike Johnson] …it’s also something that I’ve really struggled with myself. 

[David Spark] All right. So, if I’m reading you correctly, it is the gold standard. You would love to be at that level, but you feel it’s such a tough level to achieve, yes? 

[Mike Johnson] I think so. And I think what I would wonder, this doesn’t feel like an A/B test, right? If this CISO walked into the same CFO with a list of here’s all of our risks in order and here’s red, yellow, green of each of them, they might have walked out with the same amount of money.

Like I don’t know that we have an A/B test to say that quantification really was the cause of the funding that they had. And so, I haven’t needed to get to that level of precision. Again, though, I agree with JP that you need to understand the business.

You need to understand the trade-offs. I’ve sat in finance reviews where somebody is showing up saying, “I need to spend $17 million on this one piece of equipment.” And when my whole budget is less than that piece of equipment, but that is the thing that lets us make cars, it is a very different perspective, and you really need to have that holistic perspective of how you fit and how the security program fits within the business.

And then you can make good arguments from that direction. Storytelling is perhaps more valuable than quantification. 

Sponsor – ThreatLocker 

16:04.735 

[David Spark] Phishing isn’t going away. Credential theft isn’t slowing down. And identity alone is no longer a reliable control, even with MFA in place. We’ve seen it recently. Attackers gaining access to cloud environments using stolen credentials and session tokens without ever triggering traditional defenses.

Because once they’re authenticated, they look like a legitimate user. So, security teams are being forced to rethink what actually determines trust. It’s no longer just who you are. It’s what device you’re on, the context of the request, and how access is being established.

That’s why ThreatLocker is expanding its platform and security coverage. Now already known and trusted for endpoint and application control, ThreatLocker is now extending its zero trust approach into network access and cloud access. The goal is to ensure access is only granted when identity, device, and policy all align across both internal systems and SaaS applications.

So, even if credentials are compromised, access isn’t. If you’re rethinking how access should work in your environment, visit threatlocker.com/CISO to learn more and book your demo today. And do me a favor. Go to threatlocker.com and add the /CISO.

Easiest way to let ThreatLocker know you heard about them from the CISO Series. 

It’s time to play “What’s Worse?” 

17:33.011 

[David Spark] JP, I know you know this because you saw us do it live on stage. The way it works, two horrible scenarios. You’re not going to like either one of them, but you have to pick out which one’s worse. Mike, I’m going to make you answer first, and this comes from one of our favorites, Jonathan Waldrop, who’s the CISO over at Acoustic, and here’s the setup.

I’m going to give you the options in a second, this is the setup. You’re at an enterprise company, more or less kind of an old-fashioned company. Security reports to IT, and IT manages the identity platform and MFA policies. Now, security has requested that IT implement phish-resistant MFA.

How they define that, I don’t know. 

[Mike Johnson] Okay.

[David Spark] So, the idea is that someone can’t fool you into giving up your second authentication. 

[Mike Johnson] Yep. Passkeys.

[David Spark] It was promised for delivery six months ago, yet security is still waiting. So, here are your two options.

[Mike Johnson] Okay. 

[David Spark] Number one, and I never heard of something like this happening, so you tell me if this actually does happen. 

[Mike Johnson] [Laughter] 

[David Spark] You execute a hostile takeover of identity management. Does that happen? 

[Mike Johnson] Hostile might be a questionable way of putting it. 

[David Spark] Anyways, that’s the way he wrote it, that’s what I would say. 

[Mike Johnson] Okay. 

[David Spark] But we’re going to go with it. All right? 

[Mike Johnson] Okay. 

[David Spark] You execute a hostile takeover of identity management without adding any additional staff to your already stretched security team, but you complete the rollout in three weeks. 

[Mike Johnson] Mm-hmm.

[David Spark] You now own identity going forward, yet your team is stretched, and you expect the other programs are going to suffer. Look, you took on more that you currently can’t handle.

[Mike Johnson] You took over the responsibility without additional resources. 

[David Spark] Exactly. So, now you’ve got more that you’re dealing with. 

[Mike Johnson] Mm-hmm.

[David Spark] Or you just sit back, you wait for IT to roll it out, but it takes them another year to deliver the capability, and this doesn’t tax your team at all. Which one’s worse? 

[Mike Johnson] So, realistically, you have to zoom out and look at the big picture. Like what is the long-term impact to either of these directions? And one of these, it took you a little bit longer to get to phishing-resistant MFA. You probably haven’t had phishing-resistant MFA your entire time, otherwise you wouldn’t be asking for it, and that state has been fine.

Is waiting a year and a half to get that implemented that big of a deal in the grand scheme of things? Versus taking on a new responsibility that has been negatively impacting the security of the organization because your team is going to start dropping other programs?

This feels pretty clear to me. That taking this thing, this responsibility over, great, you’ve solved this one problem, you’ve created 3 new ones, 5 new ones, 100 new ones that are now negatively going to impact the company. Versus taking a little bit longer to get phishing-resistant MFA.

Again, one control to get that done. It’s pretty clear to me that the first one is the worst scenario. 

[David Spark] Now, it couldn’t be a situation that you have a crappy MFA, and people are abusing your identity, and for that year you could have a host of problems. 

[Mike Johnson] The reality, though, is if you’re having a bunch of incidents related to that, then you will get the IT organization to solve the problem. That’s just reality.

[David Spark] Well, I know, but you can’t change the model of a “What’s Worse?” scenario. 

[Mike Johnson] But you introduced that as well. 

[David Spark] [Laughter] 

[Mike Johnson] You added that in as well, so I got to add in my own. 

[David Spark] Well, I don’t know. It’s still going to take them a year to get it done. All right, JP, I’m throwing this to you. Do you agree or disagree with Mike here? 

[JP Calabio] Okay, I’ll give a counter to that.

[Mike Johnson] Great.

[JP Calabio] Sitting back and waiting can be just as bad, as we know, but it may be worse because you may run into a situation where you actually get breached. 

[David Spark] This is what I’m thinking, yeah. 

[JP Calabio] Because you’re sitting back and waiting. 

[Mike Johnson] Mm-hmm.

[JP Calabio] Maybe they don’t have MFA in place. Context obviously matters. But if you have a breach or if you have continuous attacks where maybe your team members are, not your team members, but your employees are getting tricked into giving out their passwords, now your team is actually working just as hard or maybe even harder because they’re having to deal with each one of these situations and then still having to come back anyway and take it over.

So, there’s my thought. 

[David Spark] That is a good point right there. 

[Mike Johnson] Very valid point. 

[David Spark] Let me also ask you this question, Mike. If you knew there was a security problem and you were watching it and you could fix it, could you literally sit on your hands for a year and not fix it? 

[Mike Johnson] No, that’s a very different scenario. If that was literally happening, no, I would not wait. But at the same time, I would also be going over the CIO’s head to say, “Look, we are on fire. I don’t care what else they’re doing. They need to drop it and fix this.” Because it’s not like they’re sitting around on their hands.

They’re taking time because they’ve got other priorities, and if you are literally getting compromised, that is where you exercise all of the political capital that you’ve built to say, “We need to adjust the priorities and whatever else they’re working on needs to drop.” But that’s something that would need to [Inaudible 00:23:20] up.

[David Spark] Yeah, but that’s not this scenario, too.

[Mike Johnson] I’m answering the question you asked me, David. 

[David Spark] [Laughter] 

[Mike Johnson] I’m not answering the scenario. 

[David Spark] No, it’s just I would just think just as both of you as security professionals, if you see something needs to be fixed, and even though there was this political nonsense that was going on, “Well, no, no, we can’t do it,” it would drive you crazy, wouldn’t it?

[Mike Johnson] It would, but again, there’s a difference between this is a new thing that we need to add because we think it is a good control and nothing is going wrong, but we want to improve this control. That’s different than the house is on fire.

We need to do something about it. And if the house is on fire, absolutely not am I sitting on my hands. I’m going to do whatever I need to do to solve that problem and then deal with tomorrow’s problems tomorrow, but if I’m, all things else being equal, I’m going to look at the long game and say, “If we go and do this today, are we really going to harm ourselves in the future?” 

Is AI going to help us, or hurt us? 

24:23.135 

[David Spark] “When a CEO announces that AI can replace their workforce, they’re not making a bold bet on the future. They’re telling you their business has no core.” Dave Edwards of Artificiality makes the case that companies racing to replace knowledge workers with AI aren’t optimizing.

They’re confessing that their value creation was never that differentiated to begin with. When every competitor runs the same models, you’ve got a commodity business with a margin problem. But humans have always been displaced by the next age – I mean, look, classical, medieval, modern, information – and the workforce adapted each time.

So, is this moment genuinely different or is Edwards mistaking disruption for collapse? I’m going to start with you, JP. On the security side, if the analysts, engineers, and responders who hold your institutional knowledge walk out the door, what exactly does your AI inherit?

[JP Calabio] You don’t want your security engineers or responders with institutional knowledge walking out the door.

[David Spark] No.

[JP Calabio] AI’s a great tool, and its advantage is speed and scalability, but it doesn’t have a human intuition or collaboration capabilities, which really is the human aspect of security. Like who’s going to call someone that needs help or do a little bit more of an investigation where you need to talk to someone versus checking logs and following a playbook?

So, today, we use AI to reduce the noise for our security operations center, and this past year, we really significantly increased the amount of ingestion into our SIEM, simply because we want to have visibility to our entire environment. 

We also knew that we wouldn’t be able to scale up with resources quickly enough to handle all the alerts that would be coming in with all this new data. So, we use AI and an MDR that uses AI, and this solved it for us. It’s processing all of our alerts.

It’s triaging based on our playbooks, and it leaves the high alerts to us to handle. It also documents everything for my analysts, which is great. So, that’s very helpful. I think the real question here, though, is going back to the beginning of this podcast.

What skill sets will the next generation of security professionals really need to have with this introduction of AI? 

[David Spark] This also becomes a question for the young people because the traditional entry-level positions are not going to be the traditional entry-level positions anymore. What do you think, Mike? 

[Mike Johnson] I think that what folks should be really spending their time on today is how they can use AI to augment themselves. Developing skills and using AI to scale yourself to either add on more knowledge or, as JP mentioned, to have AI take care of the noise and allow you to focus on what really matters.

Having that skill set and that mentality of augmenting yourself, that’s really what people need to be thinking about these days, and I think that’s where we’re going to see more and more. And yeah, the entry-level SOC jobs are going away, but we’ve seen that as technology has advanced time and time again, how many people have skills in writing assembly language anymore?

That’s not a thing.

[David Spark] By the way, I studied Fortran when I was in college. 

[Mike Johnson] Yeah.

[David Spark] [Laughter] 

[Mike Johnson] I mean, Fortran, I’m sure there are still some people who are great at Fortran, and maybe people need to call you, David… 

[David Spark] Does anyone need it?

[Mike Johnson] I don’t know. I don’t know. But the reality is we’re shifting skills, and that’s going to happen again and again and again as we figure out what are the limits of these systems. And I think this is a good thing. This idea of letting humans focus on what really matters, on what humans are really good at, and machines may never be good at, that’s really the value here.

And JP had the great example of we can now ingest more data, we can look at more events because the AI is filtering out the noise, and we wouldn’t have been able to do that otherwise. That’s really the world that we live in today, and that’s part of the enabler that we need to be thinking about.

There’s got to be a better way to handle this.

29:12.044 

[David Spark] A cooling tower fails to drain before a freeze, a chiller plant shuts down, and 90% of global derivatives trading goes offline. Ed Walters uses this “no malware, no adversary” incident to diagnose the real OT security problem. Nobody owns the gap between cyber and physical infrastructure.

The org chart never caught up to the network. Cyber says they don’t touch OT. Facility says it’s a security problem. The CISO reports risk, the VP of operations reports uptime, and the exposure lives exactly where those two conversations never meet.

Ah, kind of like our discussion about AppSec earlier. Legacy hardware runs for decades because replacement means downtime that nobody will authorize. The catch-22 is that systems most critical to protect are the ones least tolerant of the security controls designed to protect them.

So, Mike, when it comes to resilience, who owns this issue? Because it seems a lot of people are involved. 

[Mike Johnson] So, I’m really confused at the premise. There’s this idea that cybersecurity doesn’t touch OT. Okay, we also don’t touch the routers. We’re not going and touching everything that’s out there. That doesn’t mean that we eschew our responsibility.

We are working very closely with the OT teams on what are the appropriate architectures? What are the ways that we can engineer security controls around those ancient systems? We have systems in our factory that are older than our company, and we’ve worked very closely with the OT teams on appropriate security architectures for that.

And we monitor the heck out of things, and we build the appropriate walls around them. We have regular conversations with our OT teams. And that’s really what we need to do. Whether or not we own OT resiliency, that’s not really a question that I have.

My question is really what is the security of that environment and how are we building in the appropriate controls to deal with the reality of the environment, rather than wishing it were something different? 

[David Spark] All right. I throw this one to you, JP. You have a little experience in OT. Have you seen this sort of disconnecting communications before? 

[JP Calabio] Yeah, absolutely. Whenever you have multiple teams involved, there’s always a bit of confusion, but the question is who owns resilience? And it’s a good question. If we’re talking about accountability, I think it should sit with a senior leader.

If we’re looking at that one person, maybe it’s the COO or the equivalent. Or if you’re a forward-looking organization, maybe there’s a chief resilience officer. I think those are new titles that I’m hearing these days. I like to use my tried and true method, which is when things go wrong, who’s the CEO calling?

That’s usually the person who’s going to be accountable. But ultimately, it’s a shared responsibility, and it depends on the situation, right? So, if it’s a safety issue, you’re going to have an environmental health and safety group that’s managing the aspects of that.

But since we’re talking about cyber, to me, it’s a collaboration, just like Mike said, right, between cyber and OT engineering. My team, my GRC team, works with engineers to do, like, business impact analysis. We help with business continuity plans, etc.

The architecture team ensures that we’ve got secure standards in place for OT connectivity, and my SOC monitors network traffic. So, like IT, we rely on OT engineering to maintain their environment, and they assist us if we find anything related to cyber.

[David Spark] All right. Well, someone’s going to take ownership of this someday, let’s hope. 

Closing 

33:20.417 

[David Spark] We have brought ourselves to the very end of the show. I want to thank our sponsor, and that would be ThreatLocker. Remember, ThreatLocker, allow what you need, block everything else by default, including ransomware and rogue code. ThreatLocker, zero trust leader, phenomenal sponsor of the CISO Series.

Remember, go to ThreatLocker.com/CISO. ThreatLocker.com/CISO, easiest way to let them know that you heard about them through the CISO Series. Do that for us. It makes our lives a lot easier and lets them know that, oh, people are actually listening to them.

It’s fantastic. Mike, as always, I greatly appreciate your contributions here. Any last words you’d like to say to JP?

[Mike Johnson] Just, JP, it was great being able to catch up with you again after all this time. 

[David Spark] But let me ask you, do you think he did better playing the game Security Squares or on today’s episode? 

[Mike Johnson] Well, he had a lot more airtime this time. 

[David Spark] That is true.

[Mike Johnson] And so, we really got to hear more of his insight versus the on-the-spot ad hoc listing of whatever he was listing at the time. And so, I really liked the example that you gave, JP, of how using AI in the SOC allowed you to ingest more events.

I thought that was a really visceral example that people can relate to of the value of AI in this current space. And so, thank you for sharing that example and also reminding us from the very beginning that relationships matter. Know your stakeholders.

[David Spark] Yes. 

[Mike Johnson] Something that we always have to keep front and center. So, thank you for joining us today. 

[David Spark] Everyone has different motivations. That is so, so key. You play into that, you’ll make a lot more people happy. All right, JP, I’ll let you have the last word. And one of the questions I have for you, are you hiring over there at Grainger?

[JP Calabio] Yes, we are. 

[David Spark] All right. So, I’m assuming you’ve got a jobs board there? 

[JP Calabio] We do have a jobs board. You can go to our career portion of our website at www.grainger.com. 

[David Spark] And also, if they see something, they heard you on the show, they can contact you directly via LinkedIn. We will have a link to his profile on the post for this very episode. Any last words about today’s show? 

[JP Calabio] Pleasure being here. Great questions. Always enjoy the game that we play, “What’s Worse?” 

[David Spark] Yeah. I thought you both played well.

[Laughter] 

[David Spark] You both handled it well. There was a desire to change it. I can’t stress enough. The way the game works is you can’t change it. 

[Mike Johnson] [Laughter] 

[David Spark] That’s the way it is. 

[JP Calabio] Right. 

[David Spark] Because if you could change it, then it wouldn’t be as bad as it is. It is what it is. [Laughter] You got to deal with that. All right. Thank you very much, JP. Thank you very much, Mike. And to our audience, as I always say, and I always mean, and I’m not going to get earnest about it at all.

Just going to say it. I’m going to just put it out there and just be done with it. We greatly appreciate your contributions and for listening to the CISO Series Podcast. 

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO Series Podcast.