Cybersecurity Has Become a Cult

We think of cybersecurity as a discipline. But when do ideas like best practices and NIST frameworks change into a system of belief?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Davi Ottenheimer, principal, Flying Penguin. Joining is Joshua Copeland, director of security, Crescendo.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker delivers Zero Trust Network Access and Zero Trust Cloud Access that verifies both user and device before granting access to specific applications. No broad access, nothing exposed, and no reliance on credentials alone. It’s a smarter way to control access and reduce risk. Learn more at ThreatLocker.com/CISO.

Full Transcript

Intro

0:00.000

[David Spark] We think of cybersecurity as a discipline, but when does that turn into a system of belief? 

[Voiceover] You’re listening to Defense in Depth. 

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and joining me as my guest co-host for today’s episode, one of our favorites here on the CISO Series. It’s Davi Ottenheimer, who is essentially the founder and blogger of, I think, the longest continuous blog in tech that I know of, flyingpenguin.com.

Davi, thank you so much for joining us today. 

[Davi Ottenheimer] Thanks for having me. My pleasure.

[David Spark] We adore having you here. First, let me mention our sponsor, and that would be ThreatLocker, also one of our favorites, the zero trust company. Allow what you need. Block everything else by default, including ransomware and rogue code. We will have more about just that a little bit later in the show.

But now I want to get to the topic at hand, and Davi, this topic was so controversial that I said, “We have to have Davi on.” All right. This is right up your alley, Davi. 

The question is, is cybersecurity a cult? So, our guest, Joshua Copeland of Crescendo, I’ll introduce him in a moment, made that case on LinkedIn, arguing that we’ve dressed up “best practices” as a system of belief based on fear, complete with sacred texts from NIST and ISO, thoughtless rituals like phishing tests and compliance audits with the CISOs sitting as the high priest.

Cults don’t need a compound. Even Peloton has been described as a cult. I’m going to ask you, Davi, just set us up here. Are we falling into this trap in the cybersecurity world? Are we falling into the cult of cyber? 

[Davi Ottenheimer] Wow. Great question, and I’m glad you brought me on for this because I would say it’s worse than a cult. [Laughter] I think the framing is right. 

[David Spark] Hold on. Let me pause you there, “worse than a cult,” because some cults have done some horrible, horrible things. I think the goal of cyber is a little bit more altruistic. 

[Davi Ottenheimer] Oh, my God. No. Well, I mean, the goal could be more altruistic, but it isn’t necessarily. What’s worse than a cult is a cult would have at least true believers, but I think our industry has people who are competent professionals who are executing theater they actually know doesn’t work and they aren’t believers, so they belong without believing when they know they should leave.

So, the sacred text, the high priest, the rituals, they exist because they’re profitable and not because anyone actually believes in them. And that’s sad. 

[David Spark] All right. Did I tell you, audience, that we would get some spicy responses from Davi? And I appreciate you being here, Davi, and I know our guest does as well. Let’s introduce him. Joining us in this conversation, the person who started this conversation, it is the director of security over at Crescendo, none other than Josh Copeland.

Josh, thank you so much for joining us. 

Why is everyone so confused?

2:47.669

[David Spark] Dr. Brian McElyea said, “Frameworks aren’t dogma, they’re guardrails. They give us common language across complex environments. Without them, every team would reinvent the wheel. Rituals build muscle memory. Many CISOs are already shifting from checklist compliance to continuous validation, exposure management, and resilience metrics.” Totally agree.

We need less dogma and more proof. But throwing out the frameworks isn’t the answer. Using them as tools, not religion, is. 

And let me also add Asrar Ismail’s comment, he’s from Quality Management Australia, “Love the metaphor…” – a tip of the hat to you, Josh – “…but let’s not confuse structure with dogma. Cybersecurity frameworks like NIST and ISO aren’t sacred texts.

They’re peer-reviewed, regularly updated, and grounded in real-world incidents. NIST SP 800-53 has six major revisions. ISO 27001 is reviewed every five years. That’s not a cult. That’s continuous improvement. Phishing tests? Ah, think of them like code blue drills in hospitals.” So both Brian and Asrar here, Davi, are saying that we have guides for security through these frameworks.

And by the way, we’re just taking one slice of this discussion here, so let’s just focus on this slice. What is your take on the abundance of frameworks? 

[Davi Ottenheimer] Well, we run the risk of thinking that by working on the frameworks, we’re working on the problem. There is a language here and a vocabulary, but a vocabulary that has no enforcement doesn’t do us a lot of good if everyone stands around and says, “Yeah.

There’s a should do, and there’s a how to, and that’s a crime.” And then everyone says, “Yeah, that’s a crime. We all agree.” And no one does anything about the fact that people are committing a crime. It doesn’t get you where you need to go. You can update your frameworks all you want, but you really got to move on it.

The actual infrastructure has to be changed. Otherwise, you’re just updating the frameworks to reflect the fact that your infrastructure isn’t changing, and then what good is that? 

[David Spark] Josh, I throw this to you. When you brought up frameworks, what was your feeling towards them? Did you agree with Brian or Asrar? Or you’re like, “No, they’re pushing us to just believe that this is the solution if I just follow this guideline.” Which by the way, a lot of people argue a religion behaves that way.

[Joshua Copeland] So, my thought on it was that frameworks in and of themselves are neither good nor bad. They exist and they’re a good baseline to start with. But to kind of talk directly to the point about updates, ISO has only been updated three times, and it’s been seven years between the first and the second iteration and almost a decade between the second and third iteration.

ISO hasn’t been updated in, I think, nearly five years or so. 

This is cybersecurity. Things evolve extremely quickly. Weren’t even thinking about agentic AI five years ago. Nobody even heard the term agentic AI unless you were in one of those deep research labs. So, I think one of the problems is that we take these things that are great guardrails, they’re great structure, but we hold onto them like they are the total gospel of this is what cybersecurity is.

And when you take that perspective, you don’t look at the full context of what you have in your area. Does this even really apply to my organization? I can take NIST 800-53, but if you’re a small-to-medium organization, does that level of security really match what your threat landscape is?

Probably not. They’re great to start with, but you need to have that big smart brain and understand that they’re not to be taken at pure face value. You have to contextualize them. 

[David Spark] This is a good point. Davi, can’t frameworks just be seen as like a nice instruction how-to manual? This is a good thing to follow if you don’t know where to start? 

[Davi Ottenheimer] Well, it was already said, I think quite eloquently, that you get the framework and things change and the framework doesn’t reflect them. And so what do you do? You have a gap. So, agentic, what do you do? I think it’s more fair to say there are, and people who study religion know this, there are sort of the absolutes and then there are the relatives.

And so you have the things that change within the absolutes. CIA as a triad and AAA as a triad have been around forever and they still apply. They’re so effective. Confidentiality, integrity, availability. Fantastic. Back of the napkin in the ’70s, I think, maybe the ’80s.

We do the same thing in Unix. We have users, groups, and world. Fantastic triad. 

When we try to go more complex with 16 different permissions to set on a single file because Active Directory is trying to improve on it, it actually gets harder because it’s trying to be newer, and it violates our sense of what works. So, there’s a balance here between the things that are ultimate, simple, always apply, and the new great things that seem to not fall into the categories we thought they did.

We don’t understand how to make them fit. And we see that lately. I’ll just throw it out there. I mean, for me, OpenClaw deserves all the hate in the world because it’s like someone walked up using SSH and said, “You know what? What if we just switched to cleartext Telnet? Has anyone tried that yet?”

[Laughter] 

[Davi Ottenheimer] Let’s leave our tokens laying around and communicate in cleartext. How about that? That should throw all kinds of violations. People should throw up all over that thing and not even allow it in the discussion. But somehow by calling it new, we can say it doesn’t fall under the existing frameworks or guidelines.

So that’s the tension, is we have things that are always true, and we try to apply them to new things. And we feel like, “Well, I don’t know how it fits.” So we try to create new versions of the regulations, which are overcomplicated and make things harder for ourselves, when really, we should just figure out why the new things aren’t as shiny and interesting as we think they are, and we should do better versions of that.

I didn’t think of these options.

8:34.421

[David Spark] Brian Bronstein of Appalachia Technology said, “As far as frameworks, I agree. They are starting points, not endpoints. They are baselines proving guidance from zero. Rituals, however, have value. Hear me out. Phishing tests and tabletops do build resilience and help identify soft spots if used properly.

The value is in preparedness, not precision. Think about fire drills. They’ll run endlessly and are never perfectly executed, but the muscle memory and lessons learned are invaluable. Rather than ‘cult behavior,’ I’d call it structured discipline in a high-stakes environment.”

And Garrett Galloway said, “I agree with the sentiment, but I disagree on some level that the frameworks have no value. The biggest problem isn’t that frameworks exist. The biggest problem is we’ve allowed our entire field to dumb down to think that they are all that exists.

People get mad at me when I say they’ve got to have some sysadmin, netadmin, and coding experience to be able to do security. Nobody is ready for anything security related until they know what they are trying to secure.” 

And John Skaarup, CISO for SRB Systems, said, “Cybersecurity has its rituals and frameworks. However, I disagree with calling it a cult. What some see as dogma, others recognize as discipline. What feels like conformity may actually be scaffolding of trust.

We lean on NIST, ISO, and CIS, not as sacred texts, but as battle-tested compasses. We don’t need fewer disciples. We need more architects.” All right. So, I’m going to you, Josh. They’re attacking your claim that they’re cults here. Although the first quote here, Brian, things that we’ve pooped on a lot on this show are like phishing tests, he goes, “Look, yeah, I know that there are problems with it, but just the act of making people do it is just a good exercise.” What do you think?

[Joshua Copeland] Thinking of this from like the big picture, there’s a thread through this of frameworks lead to discipline. And discipline is good, but discipline questions itself. It goes, “I see I’m doing this. Why am I doing this?” And that refines the discipline.

We’re doing it dogmatically. We’re doing it because we’re told to do it because the framework says so, and that’s kind of where the big difference between the two things lie. I’m a pure anti-phishing test guy. It doesn’t do anything. It drives trust out of your organization because you’re playing the gotcha game.

You can do phishing tests in a way that builds trust in your organization, but how many organizations and how many products are actually designed to do that in a way that builds that? Almost none of them. We’re doing it based off of what the framework says.

Same thing with tabletops. If your tabletop is something that you do and you’re following the script and it’s super easy, yes, you’re building muscle memory, but it’s muscle memory for that incident that might never occur in your type of organization.

Yeah, you’re going through the ritual of doing these things, but is it actually giving you any value on the back end? Saying that you’re building muscle memory and comparing it to things like fire drills and things like that, I understand where their comparison is, but ultimately a fire drill is a very, very specific instance in which you know the exact outcome every single time.

Cybersecurity, we don’t know what the exact threat is every single time. We don’t know how things are going to be layered across each other. So we have to have that ability to think and apply context to what we’re doing. And that’s where we run into with frameworks that we adhere to them as pure dogma as opposed to here’s a good idea, build upon that.

[David Spark] All right, Davi, your take on this. Is there any value to tabletops, phishing tests, essentially different kinds of drills to help people out to sort of, I guess, build a security muscle memory? 

[Davi Ottenheimer] Yeah, I’m happy to take this one. I don’t think we have enough time in the day to really discuss it properly, but I’ll take a stab. I’ve written a blog post recently where I pulled up Zen and the Art of Motorcycle Maintenance by Robert Pirsig.

I recommend this book to everyone who’s trying to tackle this problem about when does it matter that I think versus when does it matter that I do without thinking. All the sciences I’ve ever studied and I looked at sort of bifurcate into two parts, which is easy, routine, minimal-judgment stuff, which is sort of in their subconscious that we’ve already figured out how to do.

The other is that we identify things, we store things, we evaluate them, and we adapt to them, which is a very slow process. In areas where you’ve done that slow process and you figured out what to do, you can switch over to the other. Like once you’ve figured out how aspirin works in the brain, then you can start taking aspirin out of a bottle, and those are two very different disciplines.

In the motorcycle book, Pirsig talks about how some of us, we ride a motorcycle and we smell and we think, “Oh, I don’t think my carburetor is working quite right. I need to change my choke, and I think the temperature and the heat and the way I ride.” You do all those calculations to figure out the optimal riding experience and that is what your experience is.

But then the other type of rider gets on their BMW and there’s what’s called an idiot light, and if it’s red, you take it to the shop. If it’s not red, you just keep riding. 

So you kind of have to figure out where you are in that spectrum when you say, “Let’s tabletop.” Threat modeling is a good example of this, you can’t threat model with people who don’t understand anything about threats, don’t understand anything about the technology they’re looking at.

It’s like you’d spend your whole time just trying to introduce how the system works before you even get to what you’re supposed to be doing with the exercise. So, that’s the struggle is which side are you on? What are you trying to accomplish? 

And the blog post really got into the latest trend, which I find absolutely frightening, which is rejecting all the philosophical [Laughter] foundations to say, “I think, therefore I am,” is what we’re supposed to be doing instead of “I use AI, so I use artificial intelligence, therefore I don’t think.” It’s such a habit now of people to sort of open up someone else’s intelligence – being a robot, for example, or an agent – and saying, “Well, it’s going to think, and I don’t have to,” when in fact, it’s the opposite.

It’s an example of when, if you’re going to think of it like you’re exercising using a machine, but if you don’t think about how you’re using the machine, it can be very, very bad for you or anyone else involved. 

So yeah, figure out what you’re trying to do first, figure out what level you’re at, what level of expertise you have and how involved you are, what your background is and whether you’re qualified, and then go forward. You can do very, very effective things if you have an expert, but if you don’t believe in experts anymore because you just use idiot lights, then you’re probably not the type of motorcycle rider you think you are.

Sponsor – ThreatLocker

15:21.888

[David Spark] ThreatLocker is extending zero trust beyond endpoint control. With their recent release of Zero Trust Network Access and Zero Trust Cloud Access, organizations can now control how users connect to both internal systems and cloud applications.

Access isn’t based on credentials alone. It requires the right user, the right device, and the right conditions. Users are granted access only to specific applications, never entire networks or environments. 

Now, that matters because hackers aren’t breaking in, they’re logging in. We’ve all heard this before. As we’ve seen in recent large-scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of sensitive data. ThreatLocker’s Zero Trust Network Access ensures internal resources are never exposed and only reachable through tightly controlled policies.

Zero Trust Cloud Access extends those same protections to SaaS applications, so even if credentials are compromised, access is denied without an approved device.

It’s a modern approach to access control that reduces attack surface and stops unauthorized access before it starts. You can learn more and start your free trial today at threatlocker.com/CISO. Remember, go to threatlocker.com and do us a favor, add that /CISO at the end.

It’s just a quick and easy way to let them know that you heard about them from the CISO Series. 

What needs to be considered?

16:56.075

[David Spark] Richard Harrison, CISO over at Foodstuffs South Island said, “What are the underlying management assumptions that enable these approaches to sustain themselves? I’d argue that they have arisen out of a dominant management paradigm grounded in command-and-control thinking, reinforced by quality management approaches developed in the ’70s and ’80s.

Traditional siloed approaches to anything, TSM, GRC, cybersecurity, etc., are no longer sufficient to manage modern digital supply chain complexity.” Very good point. 

Ryan Rambo of IXN Solutions said, “Just look at the way companies respond to an incident. The answer is almost always, ‘We need more cybersecurity, more cyber tools, more useless alerting, more cyber consultants,’ etc. The response never considers anything other than cybersecurity.

I argue that corporate counterintelligence programs are the future. Counterintelligence, not cybersecurity, is a glue that binds cybersecurity, physical security, personal security, information security, operations security, compliance, and threat intelligence together.” So two very interesting takes here is that we have an outdated system that can’t keep up with the interconnectedness of our world, and Ryan here says we need counterintelligence to solve the problem of being attacked, which I would assume that it falls in the same line as threat intelligence.

Davi, your take? 

[Davi Ottenheimer] Well, I think Rambo here has a problem I don’t think he recognizes in that he’s just creating the next framework to sell people. The counterintelligence goes way back. I remember working with counterintelligence vendors 10, 15 years ago that said exactly this, and they didn’t take off as a thing to buy.

Maybe they would now, but the core problem is that there’s something simpler and harder here, which is to do the actual work to build the muscle memory, do the actual work of fixing the problems. And it’s not because they lack a counterintelligence program.

It’s because there’s a cost center here, and there’s a profit center, and the economics that I talked about in the beginning creates a sort of cult-like obsession around keeping the problems so that you can make more money, getting people addicted to the frameworks and the theater.

So, yeah, I think quality management frameworks are actually quite useful. And I’ve always been a fan of the Shewhart and the Deming cycles where you plan-do-check-act. I think those actually work. I think you can actually build that into a quality improvement model where you look at what you have and see if it’s improved, and if not, figure out why.

You can use the five whys. Again, you have to use it in a way that is driven by experts who understand what they’re doing, who can communicate the effects and set steps forward towards improvement. If you don’t have that kind of commitment, then it becomes theater in itself, and you’re just, again, checking boxes and selling tools.

[David Spark] I like the metaphor you had of the motorcycle, the person who understands the vehicle they’re riding, and the person who just responds to the idiot light. All right, Josh, I throw this to you. These are both very interesting takes of the fact that we have a complex environment and that solving cybersecurity with more cybersecurity is not the solution.

[Joshua Copeland] And to that point, I think they’re right to a degree, but it’s also, to Davi’s point with the CIA triad and AAA, we have things that are very, very simple that we should intrinsically understand, but we’re still not doing them right.

Talk to any major organization and ask them, “Do you know 100% of your assets, what they do, why they’re there, and why they’re configured the way they are?” And almost no one will admit to being 100% accurate on their CMDB. And that in itself is an intrinsic problem.

It doesn’t matter how much, to Mr. Rambo’s point, counterintelligence you have, if you don’t know what you’re trying to protect in the first place, how it’s configured, or why it’s configured that way. We go through the process of the third-party attestations, the checking the boxes for the frameworks, but we’re truly not understanding what’s in our environment, how it works, how it’s configured, and how does it drive the business forward?

Because that takes context. You have to get out of the checkbox, and you have to actually understand what you’re doing and how it relates to all the other pieces and parts of your organization. How does your CRM actually interact with your sales folks and your HR folks and your marketing team?

That takes context and true understanding that we’re just not developing as a skill now. We shove tools and frameworks down people’s throats and say, “Buy this thing and it’ll fix your problem,” instead of actually analyzing where your problems really are.

[David Spark] One thing that I’ve learned in business is people would rather throw money at a problem than actually do the work to fix the problem. Davi, and I think this is like what you just said, like you need to do the work. 

[Davi Ottenheimer] Yeah, that’s right. And it’s funny because you find people who are saying, “Take my money,” and you say, “Well, what if I just do it for free and I give you free tools?” And they say, “No, I got to spend the money to feel like I’m doing something.” [Laughter] Because if I spend the money, then I can say, “I tried and it didn’t work,” as opposed to you come in and say, “Everything’s free and let’s just do this,” they say, “I don’t get it.

Where’s my feedback? How do I prove that I did something?” The actual work, man, the actual work, [Laughter] we actually measure. 

Let me put it like this. One of my pet peeves is people talk about a SOC 2 or an ISO or any of these things as though it’s aspirational. I say, “Oh, you want to jump in the pool? You better get your swimming license because if you don’t know how to swim, you’ll sink and drown.

So get your SOC 2 so you don’t drown.” And they go, “Oh, man, I don’t want to be the Olympic swimmer. I don’t want to win the Olympics and get the gold medal. So, can you get…” It’s like completely backwards to the way we should think about these things.

So the hard work is just the baseline. And that’s crazy that it’s so hard for people just to get to the point where they don’t drown. That’s what we’re talking about when we talk about these goals. And it should be easy. It should be low cost. It should be easy.

And I feel like we have vendors that make it difficult because they want to sell gold medals, and very expensive participation medals become the value. And their success is measured in how much money they’ve made, these vendors, as opposed to what they’ve really done in the industry. 

Well, I guess that’s one way to solve it. 

23:10.837 

[David Spark] Suzanne Button of Intelligence Consulting BV said, “The only reason it’s become a cult and that frameworks are checkbox exercises is politics. Once you understand that, then everything else becomes much clearer. The second part is more simple.

Fix the damn holes. If companies spend half as much time fixing their own issues as they do with shiny tech and rooms filled with SOC analysts, they’d be winning.” So, it seems like Suzanne’s right up your alley here, Davi. But I want to get Josh’s take first on this.

We talk about this, by the way, endlessly on the show of do the basics, do the fundamentals, which by the way, we actually point to the CIS controls on seeing the first steps of the fundamentals. Your take. 

[Joshua Copeland] Yeah, Suzanne’s absolutely right. There is a lot of politics around this. You do a SOC 2 or an ISO 27001 or a HIPAA attestation or a PCI DSS, not because most companies care about actually doing security. They care about checking the box so that they can have it for customer engagement, so they can pass the first step of trying to get a customer.

So, it becomes a scenario in which you don’t care about actually doing security and fixing problems. You care about passing your audit, your attestation. Which means you don’t really care about fixing the holes. You care about meeting the minimum requirements.

And that’s where a lot of these frameworks tend to go off the rails is that they’re really, really good at telling you where to start. 

To Davi’s point, it’s your swimming license. But unfortunately, so many organizations see it as the end goal versus the starting point. And when you change that mentality, where this thing that should be a starting point is your end goal, you’re always going to have holes.

You’re always going to have all these issues. And it is completely political, whether that’s geopolitical or whether that’s your internal company politics. It comes down to am I doing security for the ability to be more secure, or am I doing security for theater so I can get new clients, new revenue streams?

And when you kind of look at those things, that’s why you see chasing the new shiny thing I’ve seen at RSA, the big new startup that came out with the new tech and the new shiniest thing that isn’t really fixing a problem that my org has, it’s just the new shiny thing that I can say, “Look, we’re on the cutting edge of this technology,” but it doesn’t matter that I’m still using SMB version 2 and version 1 to do half my stuff because I’m using some legacy software.

[David Spark] Davi, again, Suzanne seems to be right up your alley here. We hear this all the time on the show – fix your basic problems. 

[Davi Ottenheimer] Yeah, I agree. She’s the one who said the thing that’s easy to say, I think, is right. However, it’s also too easy to say that just, “There’s a hole in the bucket, so fix the bucket.” Well, how do I fix the hole? [Laughter] It gets a little more complicated.

And to Josh’s point, we are selling fire trucks all the time but not measuring whether we’re putting out fires because if we put out the fires, we wouldn’t have to sell the fire trucks. And so if we’re obsessing around this, like vendor obsessing around who has the shiniest fire truck, it might be because people are setting fires to sell fire trucks at the end of the day.

That’s very cynical, but also unfortunately, a realist approach to what we’re seeing. 

From an economic standpoint, let me just point out. When there’s money coming in, people won’t spend on security, when there’s tons and tons of money because anything you spend on security gets in the way. You’re already making so much money, just eat the risk is typically what I see in large organizations.

But as soon as that money goes away and things flatten out, then they look for risk avoidance, and then they spend money on security because they got to get rid of the loss. So the way that they look at risk is relative to upside a lot of times, and that’s the economic reality that sort of corrupts our ability to say, “There’s a fire, fires are bad, let’s put out the fire.” It’s all sort of fit into an economic perspective of what’s the business doing in a way that can actually be ignoring the harms and long term setting you up for disasters that you can’t possibly prevent.

Fire drills, I think, are backwards in that sense because we should be building buildings that don’t catch fire, or we build buildings that can respond to fire in ways that are predictable to put it out before people are hurt, we should have doors that open out so people can get out.

All these sorts of things that come back to, if you look at history, ethics exists in most forms of engineering and certainly most professions except for technology. There’s no ethical requirement that I’ve seen. And when I used to teach computer science and security, I would ask students, “Where do you think the rules come from?

Do you inherit the rules and ethical framework that you have to abide by? Or can you just make the rules up that you want?” And there was always one person in every place I’ve ever taught who said, “I think we should just make up the rules as we go along.” And I would ask, which to me is crazy that they would even think that, that they could create…

That’s like being God. They would assign, in front of everybody with God and themselves as a witness, they would say, “I am God, nobody else is, and I decide everything myself.” And I thought, “Well, that’s shocking. Okay. Well, how do you decide whether you’re doing good or bad?” And they go “Money.

If I’m making money, it must be right.” 

And that is a person who does not understand how the world really should work because if they make up all the rules, and all they care about is money, that person should not be working in security for sure, and probably shouldn’t be working as an engineer at all.

Because they couldn’t possibly build a bridge that fell down because they got paid for it. They couldn’t make a chemical that would be poisonous instead of helping people, you know, a pharmacy and get paid for that. It’s simple in the other disciplines, but not in technology.

[David Spark] Josh, were these the kinds of opinions you were looking for? 

[Joshua Copeland] Yeah. My whole thing is I say things that a lot of folks might not say out loud, but I know, at least through private conversations, others are thinking. But it’s really to drive conversation so we can have this kind of exchange and understand where everyone’s viewpoint is.

I agree with Davi. Ethics is largely missing in cybersecurity because it’s purely a money-driven entity. Cybersecurity is not doing cybersecurity because it’s cybersecurity and it’s good, and we’re protecting people and we’re protecting life, limb, eyesight, other people’s money.

It’s all about how do I generate revenue from this thing? And is cybersecurity protecting the revenue that I’m generating? And when you really get down to it, those ethics are what determines who’s really good at cybersecurity and who’s out there just making money in cybersecurity.

[David Spark] All right. This has been a great discussion. 

Closing 

29:49.102 

[David Spark] We’ve come to the point where I’m going to ask you which quote was your favorite and why, and each one has its value. There’s all good ones in here, but this is going to tease what part of this argument you liked the most. So I’m going to start with you, Josh.

Which quote here did you like the most and why? 

[Joshua Copeland] I like John Skaarup’s quote the best because he at least framed it in the way that frameworks are and should not be gospel, but he at least acknowledges that they are. And his quote where it’s we need fewer disciples and more architects?

That means we need more thinkers, and that’s truly what we need in cybersecurity, is more people who think. 

[David Spark] All right. Good point. Davi, your favorite quote and why? 

[Davi Ottenheimer] Well, you kept fingering the button by saying she said, “Fix the holes.” I think she was the closest and the most practical about it. 

[David Spark] And we’re talking about Suzanne here, by the way. Suzanne Button, yes. Go ahead. 

[Davi Ottenheimer] I agree with her because I do think it’s a matter of measuring what’s broken and measuring how close you are to a resolution. And I say that in full awareness of the quantum problem. Quantum computing is here and everyone’s talking about it like it’s magic or it’s an apocalypse or it’s a Q day.

I disagree with all those people. I say it’s easy. Super easy. We’ve done this before many, many times. We’re rotating algorithms. We’re moving to a different crypto library. Let’s just find it, fix it, and not try to get too caught up in the cult or the mysticism of the economics, which is mostly about somebody gets rich, but we don’t know if we fix it or not.

[David Spark] Well, that brings us to the tail end of this show. I want to thank our sponsor, and that would be ThreatLocker. Remember, allow what you need, block everything else by default, including ransomware and rogue code. ThreatLocker actually has a very savvy look at cybersecurity, and it is not cult-like at all, whatever.

We like the guys over there at ThreatLocker. Go to their website, threatlocker.com/CISO. Add that /CISO. Easiest way to let them know that you heard about us through the CISO Series. Thank you, Davi, as always, for joining us. Remember, go check out his website, flyingpenguin.com.

Thirty years he’s been blogging there. And by the way, provide that link to that reference post you had about the art of motorcycle maintenance, Zen and the Art of Motorcycle Maintenance, Davi, and we will have that on the blog post for this episode.

And Josh, I’ll let you have the very last word on this. My first question is are you hiring over there at Crescendo? 

[Joshua Copeland] At Crescendo, we’re always hiring. We’re a rapidly growing startup. So, go out onto our crescendo.ai careers and look for your new gig. 

[David Spark] All right. Well, look for the new gig there. And I’m assuming people can reach out to you directly. We’ll have a link to Josh’s post. I’ll let you have the last word on this topic because this is the conversation you started, Josh. 

[Joshua Copeland] Yeah. Ultimately, cybersecurity is one of those places where there’s lots and lots to learn. And I think Davi would agree – the more you learn, the more you know that you don’t know. And that’s where we can truly get in and dive into these topics and learn from each other, where we see the different perspectives.

I’m a big proponent of unpopular opinions, so I always like to see other people’s unpopular opinions on things in cybersecurity. 

[David Spark] Well, thank you again, Josh. Thank you again, Davi. And thank you to our audience. As I always say, we greatly appreciate your contributions and for listening to Defense in Depth. 

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.