It seems inevitable. Whenever there’s a high profile cyberattack, salespeople come out of the woodwork asking if the affected CISO would like to see their product which would have helped prevent the attack. We recently saw this occur while a victim was actively dealing with an attack. These sales tactics are universally derided. Is there any way for a vendor to positively reach out to victims after a cyberattack?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Kurt Sauer, CISO, Docusign.
We recorded in front of a live audience at Microsoft’s offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out all the photos from the event.

Huge thanks to our sponsors Veza, Sysdig, and SlashNext

Full Transcript
Intro
0:00.000
[Voiceover] Biggest mistake I ever made in security. Go!
[Kurt Sauer] That was when I moved from a large organization to a small one and decided to take on too much stuff. Moving from a 300-person organization to a 10-person organization requires a different set of focus.
[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience.
[Audience] In Silicon Valley!
[Applause]
[David Spark] Welcome, everybody, to the CISO Series Podcast. My name is David Spark, I’m the producer and one of the hosts of the CISO Series Podcast. The other host is sitting right next to me. His name is Mike Johnson, he’s the CISO of Rivian. Let’s hear it for him!
[Applause]
[David Spark] We have three awesome sponsors, and I do want to mention them all and we’re going to talk about them throughout the show – Veza, Sysdig, and SlashNext. Let’s hear it for our sponsors, yes? Yay!
[Applause]
[David Spark] So, that applause you hear is not canned that I downloaded from YouTube, but rather an actual live audience because we are here at the ISSA Silicon Valley San Francisco Chapter event in Microsoft’s offices in Mountain View, California, and it’s pretty darn nice here, Mike.
[Mike Johnson] This is a nice spot. Earlier, our guest referred to this as a really nice home theater space.
[David Spark] Yes. [Laughter]
[Mike Johnson] And really nice home theater space. But yeah, this is great.
[David Spark] That’s assuming you have hundreds of family members.
[Mike Johnson] I mean, for your closest 100 family members, this would be an amazing home theater space.
[David Spark] Yes, it is. And there’s no echo here. Because we just did a whole slew of live shows, I just did like Las Vegas and Miami and Los Angeles, and especially these big, huge ballrooms, huge echo in it, but this place.
[Mike Johnson] It’s like they knew what they were doing when they set it up.
[David Spark] Yes, it’s like they did. It’s quite impressive. All right, we’re going to get this show on the road because we’ve got so much show to pack in. So, we’re going to get done with the kibitzing. I want to introduce our guest who’s been on the show before, he is the CISO for DocuSign. Big warm round of applause for Kurt Sauer.
[Applause]
[David Spark] Kurt, welcome.
[Kurt Sauer] Glad to be here. It’s wonderful to be back on the show and it’s lovely to see so many people out here in Silicon Valley.
What do you think of this vendor marketing tactic?
2:27.749
[David Spark] Recently, one of our CISO friends got hit with a high-profile cyberattack. It’s a rough time for this person, and they are in the thick of it. So, of course, what better time to spam their inbox and LinkedIn account with sales pitches? And this CISO forwarded me some of the actual pitches, and I’m going to read a few of them for you, “I can only imagine how busy you must be in light of the recent incident.
I wanted to reach out and share that our solution boasts an impressive 99% success rate in preventing phishing clicks.” Another one, “I saw you guys had a recent cyberattack. Sorry about that. I thought you’d be interested in hearing our cloud-based dah-dah-dah-dah-dah.” And here’s one more, “You’re definitely busy now.
We’re launching a CISO podcast series,” not mine, let me just stress this, not mine.
[Laughter]
[David Spark] “We’re launching a CISO podcast series and would love to have an episode with you. Get some good PR for you and your company.” All right.
[Audience member] Uh-oh.
[David Spark] All right, Mike. I’m going to start with you on this one. So, these ambulance-chasing vendor emails are universally hated. And Mike, this is actually how I discovered you and why we actually launched the CISO Series. Now, you complained a lot about this. First, let’s just start with simply explain why this is wrong.
But more importantly, can you tell me a few ways vendors or just anyone did reach out to you during a really bad time that was actually positive? It was like, “That’s what I wanted to hear.”
[Mike Johnson] What’s amazing about this is this is actually worse than what spawned my original rant. When I originally was talking about it, it was somebody else got breached, I was anticipating getting a whole bunch of inbounds. I did, but I can’t imagine this. You’re in the middle of responding to an incident and your inbox or your LinkedIn messages is just blowing up with – this?
I mean, that’s not helpful. And so when I think about what makes this wrong, they’re self-serving messages, they’re not actually helpful. There’s no desire to actually be helpful here. These are all they’re trying to make a sale, and that’s not what you need in that moment. It really makes it difficult to come up for air when you’re trying to get help and you’re just being bombarded with things that aren’t helpful.
[David Spark] So, have you had a moment where someone reached you at a time of need and it was a very positive engagement?
[Mike Johnson] [Sigh] So, I’ve been fortunate to not have these kinds of types of need.
[David Spark] Okay.
[Mike Johnson] However, there were situations where there’s big vulnerabilities, like the celebrity vulnerabilities that are going on on the internet, and while it isn’t helpful in the moment to have that initial contact and they’re able to say, “Well, here’s a little bit of what we’re doing. Here’s a little bit of useful information that you can apply.” It’s not a sales pitch.
It is genuinely helpful. Whether or not it’s actually helpful in the moment, it can be, but it’s something you remember.
[David Spark] It’s the thought that counts.
[Mike Johnson] Yes, the thought actually counts.
[David Spark] All right. I’m throwing this to you, Kurt. Have you had a nasty incident for which someone hit you and just got you, just made a good positive comment, maybe not necessary, but just the right thing at the right time, they said the right thing, and what was it?
[Kurt Sauer] Yeah, so I think we have had one incident. I was working for a pretty heavily regulated company at the time, and we had a multi-company incident that happened. I was kind of involved on the periphery, but I definitely had a communications path to deal with some of those regulators. And we had vendors…
Not only vendors. We had CISOs at vendors reach out and kind of offer support and guidance. They were people who were vendors to us, but they were not talking to us in a sales pitch way. There was one in particular, one infrastructure vendor who came back and said, “We just wanted to share with you because we know you have this, a problem like this that happened to one of our other customers.” They didn’t name them, but it was actually really helpful instructional information for us.
So, it gave us a new kind of view, and it was not a sales pitch. I think the key is they weren’t selling something, they were actually trying to help, and I think that’s what makes the difference.
[David Spark] Let me throw out this other thing, because there’s a lot of salespeople that just want to be seen as positive, they don’t want to be nagging, but they may not have that knowledge, and I’m just throwing this out there. Would this be appropriate? Like, if you’re really in the thick of it, working 16-hour days, would it be appropriate for them to just send you a DoorDash coupon and say nothing else and just say, “I hope you make it through this,” or would that be inappropriate?
[Mike Johnson] I think that’d be weird.
[David Spark] Okay. I don’t know, just because I mentioned it once to somebody.
[Mike Johnson] No, what I think they can do is actually, they may not be able to themselves help, but maybe they’ve got a white paper that they can hand off, or “Here’s a link that we’ve seen that’s been helpful,” or it could just be a genuinely, “I’ve heard you’ve had a rough time. Thinking of you.” The term is “sending you HugOps.” That could actually go a long way.
[David Spark] And that’s it?
[Mike Johnson] That’s it.
Could this possibly work?
7:34.988
[David Spark] Now, I’ve brought this up before, and this has to do with something that Sounil Yu, who’s a long-time CISO himself… It’s the job of a CFO to spend money to drive value for the business. Shouldn’t the CISO be doing the same thing for IP, AKA intellectual property? This is what Sounil Yu suggested.
So, we’ve read far too many stories of the dangers of putting personal information into ChatGPT, “Don’t do it!” screams the warning. But tell your staff not to do it? Once it’s out there, it can be used by anyone. But not all IP has the same value. Some is worth five bucks and some is mission-critical that you would never want to spend/invest, and there’s plenty in between.
So, in an interview I had with Sounil Yu, he suggested that the CISO has the opportunity to extract value out of generative AI for the business if they look to spend IP just like a CFO does with money. I’m going to start with you on this one, Kurt. Do you agree with this philosophy, and if so, what could be some effective ways to invest IP with generative AI to actually create value for the organization?
[Kurt Sauer] When I read the question originally, it was puzzling to me because I had not actually thought about spending IP as a cash item before. That was kind of an interesting way to look at it. But then I got to thinking, “Okay, let’s kind of take the awe and mystique about AI and ChatGPT and any other kind of AI thing out of it and say, ‘Would I give IP to a third party for some reason?’” Right?
And it turns out that I probably would give IP to somebody for a particular reason. So, maybe I want to have help building better runbooks, maybe I want to have somebody do a better job of answering security questionnaires. Which, by the way, anybody who’s doing SaaS services has to answer those things.
And those are just really simple examples. And so would I spend IP? Would I disclose IP for that? I would certainly say that there’s a case to be made for that. I think it’s a…
[David Spark] So, that’s a perfect example of what Sounil was getting at. What about you, Mike? First of all, do you agree with the philosophy here?
[Mike Johnson] With some nuance. And I think the way that I think about it is more around being a conduit for making it easier for others to invest IP. I’m not going to go and upload my company’s intellectual property to a partner, to a vendor, to a platform. It’s actually not mine really to share, it’s another business leader.
But if I can give them the opportunity to do so safely. A great example I think about this is providing the paved path using one of the generative AI platforms that has actually been made safe. And I can now say this environment is available, it’s ready for you to use, here’s the easy path, and that then is the conduit for others to invest the intellectual property of the company.
So, that’s how I thought about it and how I took it.
[Kurt Sauer] But David, I think one of the things here is just like spending money, you’ve got to see there’s a return on the investment. So, I think the question is how can you measure the return and how can you coordinate with the owner of the property – because you don’t want to give away gold bars that aren’t yours – in order to make sure that the return you’re getting is worth it.
And I’m not sure how to do that, but I think that there’s a way to look at the outcome.
[David Spark] I’m going to jump to an audience question that I usually save for the end, but this is relevant to what we’re talking about. And this comes from Jason Quiles of SlashNext who asks – what’s one thing you’ve heard or seen in AI that’s actually getting you excited? So, I mean there’s endless buzz, but let me boil it down, let’s close this segment out.
What’s one thing in AI that’s actually getting you excited, Mike?
[Mike Johnson] So, we’ve actually been looking into our own internal use of generative AI for my own team. We developed an in-house tool where we were looking at our own APIs trying to understand exactly what they do and build a series of regexes and simple string matches, but then when it falls through, we actually make a callout to generative AI to say, “Hey, what does this thing do?” And it’s been right every time we’ve asked that, so it’s really helped us understand the purpose of a particular API, and once we understand the purpose, we can better secure it.
[David Spark] Kurt?
[Kurt Sauer] And I think for us, I’m really excited about trying to use generative AI to help us understand the sprawling mass of security addendums that we have with vendors, right? I mean, every contract has to be redlined. And you can get control of it when your company gets bigger, but we have a legacy, and I think a lot of companies do.
This helps us understand what’s our exposure or where are we having gaps that we didn’t see.
Sponsor – Veza
12:29.033
[David Spark] So, we have three phenomenal sponsors and let me start off with one – Veza. So, 75% of breaches happen because of bad permissions. Traditional IGA tools don’t really help because they only analyze users and groups. If a group labeled as “read-only” in fact grants permissions to edit PII data, traditional IGA tools wouldn’t catch that.
So, Veza is actually the next-generation IGA platform that lets customers visualize and control who can do what with their data. Veza manages individual permissions across all cloud, on-premise, and hybrid systems and apps. The platform supports the full lifecycle of identity management from creation to monitoring to reviews, integrates with any system via API, and offers hundreds of out-the-box integrations with platforms like AWS, GitHub, Salesforce, SharePoint, and Snowflake.
So, Expedia, Intuit, and Blackstone, they all use Veza to find and fix bad permissions and streamline audit prep, entitlement certifications, and user access reviews. You want to learn more about it? You got to go to their site. That’s veza.com.
It’s time to play “What’s Worse?”
13:51.638
[David Spark] All right, “What’s Worse?” I’ve been actually pretty excited about this “What’s Worse?” scenario, Mike, because this comes from Osmon Young, who is actually a pseudonym.
[Mike Johnson] Okay.
[David Spark] It’s not his real name. He worked for Setec Astronomy, so for those of you familiar with the movie Sneakers, you would know that reference.
[Kurt Sauer] Oh, so not real.
[David Spark] I’m going to just say this, for those of who are not familiar with “What’s Worse?” There are usually two scenarios. They’re both bad, you have to decide between the two which one is worse. And give me some time, this is a long explanation. I’m just going to say this – you are familiar with these two scenarios, and in fact, you know the outcomes of both of these scenarios.
In fact, I’m going to go so far as to – everyone in this room knows these two scenarios and the outcomes.
[Mike Johnson] Okay.
[David Spark] Hang tight.
[Mike Johnson] Okay.
[David Spark] Here we go. You’ll see where we’re going on this. You are the administrator of a large space station equipped with a superweapon that could completely shift the balance of power in the galaxy to your favor. What’s worse? Here’s the first scenario. This is the first iteration of the space station.
It was discovered shortly after go live that a malicious insider embedded a vulnerability in the station’s design. If exploited, it could cause the entire station to explode. However, the vulnerability is not publicly known. It would only be discovered by an in-depth analysis of the station’s architectural plans.
These are stored in a secure vault with a highly secured military facility with multiple layered physical and technical controls. Furthermore, even if the vulnerability became known, the station is protected by numerous layered compensating controls that would make exploitation extremely complicated.
Senior management chooses to accept the risk. See where we’re going with this, Mike?
[Mike Johnson] Okay.
[David Spark] Scenario two – this is the second iteration of the space station, rolling in lessons learned from the first station. It has been rearchitected to eliminate the original vulnerability. The station is currently under construction, and it’s not ready for go live. However, the organization’s senior management has carefully crafted a plan, that if successful, could shift the balance of power in the galaxy to their favor.
So, they pressure construction teams to make the station operational as soon as possible. Since the station is not complete, there are numerous known and unknown vulnerabilities that could present severe risk to the station. But the station has the compensating controls of an impenetrable shield and fleet of ships that would respond to any such attack.
Senior leadership feels the risks are acceptable and moves forward with the plan. Mike, what’s worse?
[Mike Johnson] I got nothing.
[David Spark] You got nothing?
[David Spark] Don’t stall. No, no. All right, all right.
[Mike Johnson] Yes, I recognize…
[David Spark] Do you know the story? Are you familiar with the story?
[Mike Johnson] Yes. I get the Star Wars reference.
[David Spark] You know which ones these two are?
[Mike Johnson] Yes. Yes.
[David Spark] Does our audience know which one these two are? Scenario one being…
[Audience member] Star Wars.
[David Spark] Star Wars I, and scenario two being?
[Audience member] Death Star II.
[David Spark] Death Star II? In which movie?
[Audience member] Return of the Jedi.
[David Spark] Very good. Return of the Jedi as one audience member yelled out.
[Mike Johnson] Yes.
[David Spark] All right.
[Mike Johnson] Whooph. So, essentially, you’ve got, in the first case, you’ve got a vulnerability that you know about that can’t be fixed but is also thought to be impossible to discover.
[David Spark] That is it. By the way, we know the outcomes of both of these.
[Mike Johnson] Sure.
[David Spark] Yes.
[Mike Johnson] I mean, the good guys win in both scenarios.
[David Spark] Well, in both cases, the answer is it’s the same fate.
[Mike Johnson] Yes.
[David Spark] For both space stations.
[Mike Johnson] It blows up twice. Oh, spoiler. Sorry.
[Laughter]
[Mike Johnson] If you haven’t seen the movies. And so the second one is there’s likely vulnerabilities. We don’t know what they all are, and we’re trying to push to launch anyway before we’ve really got a good feeling for them.
[Kurt Sauer] Is that really kind of distilling them down?
[David Spark] You got it.
[Kurt Sauer] Okay.
[Mike Johnson] So, I generally always prefer to deal with my knowns versus my unknowns, and in the first case, I at least know the vulnerability. We’ve discovered it. We’re not going to fix it.
[David Spark] And it’s one well-known vulnerability.
[Mike Johnson] Right. But we know it exists. And the other one, we have no idea how many there are.
[David Spark] Mm-hmm.
[Mike Johnson] They could be even worse. It could be somebody sneezes, and the thing blows up. It would have been a very short movie, but I think the second one is the worst just because of all of the unknowns and not having the time to go and properly threat model it to decide should we actually do something about it or what is the long-term implications of it.
So, I think the second one is the worse one.
[David Spark] I don’t know why Darth Vader didn’t hire you.
[Mike Johnson] I would have been excellent.
[David Spark] He should have. All right. Kurt, do you agree or disagree?
[Mike Johnson] You and your pitiful friends.
[David Spark] [Laughter]
[Kurt Sauer] I tend to agree with that. My first thought was that, but there was a different compensating control in the second time and that was that you had different protectors.
[David Spark] You had a shield, yes.
[Kurt Sauer] Right, you had a shield. So, I mean, I think that there was a sense, but I would say pushing development past the bounds of your SSDLC usually leads to massive failure in uncontrolled ways. So, I would go back to, I’d rather know the design and just build in some additional compensating controls later than to push the developers and have I’m not sure what delivered.
[David Spark] All right. We’re going to the audience here. All right, Death Star number one. How many people think that’s, again, what’s worse? Death Star number one, by applause, how many people think that’s worse? Nothing.
[Mike Johnson] Wow. Crickets. Yes!
[Audience member] [Inaudible 00:19:48].
[David Spark] There you go. [Laughter]
[Mike Johnson] Or just put a cork in it. Like, just solvable.
[David Spark] All right. By applause, how many people think it’s the second one?
[Applause]
[David Spark] All right. So, there’s mass agreement. That’s what’s interesting. The sequel, it was a worse setup. They should have learned from previous, and that’s rare that the version two is more susceptible.
[Mike Johnson] It was a movie.
[Laughter]
[David Spark] I am aware it’s a movie. Hopefully, George Lucas is not going to sue us for any infringement of his IP. All right, we have another scenario here. This comes from Dustin Sachs of World Kinect Corporation; this is far shorter. All right, this one’s good. What’s worse, an employee using the same password for multiple accounts, or employees casually sharing passwords with their colleagues?
Mike?
[Mike Johnson] Ooh. How are they sharing? How are they casually sharing? Just passing notes in the hallway?
[David Spark] This is all I have. It could be any way, electronically passing notes.
[Mike Johnson] Well, so that’s where it depends.
[David Spark] All right. Well, it could be any way.
[Mike Johnson] What you’ve got is there’s two different scenarios. The employee is using that same password in multiple places. If they use it in one of those places that gets compromised, that then is available for outside attackers to then go and attack all of their accounts. In the second one, I’m making an assumption that they’re casually sharing in an environment where there’s not outsiders, where you don’t have people all the way around the globe able to get access to those passwords.
And so I really think the first one is the worst scenario because it’s actually more likely to result in a compromise.
[David Spark] All right. Kurt, agree or disagree?
[Kurt Sauer] Alas, I have to agree.
[David Spark] Oh!
[Kurt Sauer] And the main reason for that is because the scale of the problem is worse in the first, and the speed of transmission is more than likely slower in the second. So, I think that’s where we have to land.
Sponsor – Sysdig
21:53.228
[David Spark] Let me tell you about one of our other great sponsors. That would be Sysdig! Now, Sysdig helps companies secure and advance innovation in the cloud. These days, building applications in the cloud is a clear advantage, as we know, enabling businesses to accelerate their time to market. But the cloud has introduced a new world where attacks happen in the blink of an eye.
It only takes 10 minutes to initiate a cloud attack. As a result, security teams need better visibility to prevent threats and move faster to detect, investigate, and remediate attacks. They have to protect the business without slowing it down. But how do they cut through the noise to identify and prioritize real risk?
That’s where Sysdig comes in. So, Sysdig actually strengthens cyber resilience across the cloud-native lifecycle by reducing the attack surface, detecting threats in real time, and accelerating incident response – three key items. They bring a risk-based prioritization to reduce vulnerability noise by as much as 95% and can help businesses stop cloud attacks in real time.
In the cloud, every second counts. So, to secure every second, go check them out. Go to sysdig.com/CISO.
Are we having communication issues?
23:21.000
[David Spark] Can company leadership become a cyber risk? So, we talk a lot about the importance of creating a cybersecurity culture within an organization, but even if the structural elements of that culture are in place, humans still need to act on it. Tyler Farrar and Gianna Driver of Dark Reading wrote up some examples where there can be good intentions that fail because of a culture of fear.
So, for example, a direct report feels uncomfortable talking to a manager about risky behavior, or management is damaging relationships with employees to the point they become insider threats. So, Mike, how do you see these behaviors and how do you account for these risks that are actually introduced by leadership, and do you agree?
[Mike Johnson] Well, just the other day I was actually discussing the example of phishing your own employees.
[David Spark] I know you’re not a fan.
[Mike Johnson] I’m not a fan.
[David Spark] He’s mentioned this many times.
[Mike Johnson] That’s actually an example of leadership becoming a risk. You’re disincentivizing people from reporting. They’re embarrassed to report, they’re embarrassed to bring up something because they are worried that they’re being tested, and so that actually is an example.
[David Spark] You know what? You make a good point. I mean, think about just in our own schooling. Nobody shouts – they take a test and the two items they get wrong – they don’t shout, “Hey, these are the two I got wrong!” They don’t get excited about that.
[Mike Johnson] Yeah. And ultimately, you want to encourage people to “see something, say something” across the board. And that goes along with the idea of anti-retaliation policies that most companies have. If you step outside of security for a moment, you encourage people to report, “Hey, there’s a loose wire over there,” or “There’s some spilled water that someone could slip on,” and you encourage that reporting.
But if you report a thing, and then the first thing that happens is your own management gives you a hard time for that and tells you, “Don’t report that thing,” then it’s actually going to make it less likely for you to do that, and it’s normalizing the behavior of not reporting.
[David Spark] And by the way, can I throw out – because traditionally, the way the phishing programs work is if I were to fail a certain number of things, I essentially get penalized with more training.
[Mike Johnson] That makes it even worse.
[David Spark] Yeah.
[Mike Johnson] Yes.
[David Spark] And they don’t see it as “penalized,” but to the recipient, it feels like that. Kurt, you’re nodding your head.
[Kurt Sauer] Yeah. I mean, I would just say that also, you need to think about what the incentive structure is. So, yes, management. I was nodding heavily up and down at the beginning because yes, I think management can induce a communication breakdown. But I also think that when you see problems, it’s a quality control problem.
You were using a different example, but I think it’s the same idea. When you are building a thing or you’re operating something, you want to make sure you’re doing it in a quality way, and when people aren’t doing it in a quality way, you need to find a way to make sure that they understand how to do it properly without it becoming a penalty.
And the biggest complaint that I get is security training tends to be large blocks of blobs that get laid down, and nobody remembers them afterward. And I think the people who are moving towards a micro-training and small incident of connection are really, they’re the vanguard, I think that’s where we need to go.
[David Spark] Now, the phishing thing is probably the most obvious example of this. Is there another example where leadership actually gets in the way?
[Kurt Sauer] Well, for me, I would say yes. I think clearly there are fears of revenue loss and reputation damage and all the other bad things that can happen. And so I think that there are, in some quarters, there’s some instinctual desire to suppress any bad news, and so people don’t want to share for that reason.
And I think our job as security leaders is really to up-level that conversation, talk about the value that transparency gives to all of us and also gives to the business and our customers and our suppliers.
How can we improve this pitch?
27:30.583
[David Spark] Mike, if we had a MythBusters series for security solutions, which would be the first thing you’d like to see busted? And I know you’ve got a long list yourself but let me mention some of the ones that I saw on the cybersecurity subreddit because this was a hot discussion. A sales rep tells me, “Our leading-edge SIEM has AI built in for advanced threat detection.” Another one said anything pitched is seamless integration.
So, Mike, are these myths just marketing bluster or do these vendors actually drink the Kool-Aid with some of these? Like they truly believe it?
[Mike Johnson] I think to some extent you have to believe your own Kool-Aid. That’s part of your job. But at the end of the day, when I think about these, I zoom out a little bit. The myths that I think about are soft cost savings and return on investment for security products. There was a rash several years ago of automated SOC solutions of, “We’ll do all of your tier one SOC for you with this piece of software, and you can…” What, fire your SOC team? It was never very clear what they were trying to sell, but the reality is that never worked out.
But then there was also the idea of, “Well, if we save every employee one minute per week, how much money are you going to save as a company?” Also doesn’t work, and yet it still is a method that people are trying to sell on at a higher level.
And then return on investment, I mean, security products, security solutions, you’re generally not making money off of them. They do not have a positive return on investment. These are risk reduction, they are not helping the company make money, so this idea of you’ll get this massive return on investment…
[David Spark] I’m going to argue on that one. That’s kind of a glass half-empty attitude because a lot of security people will say, “Well, I’m allowing you to generate revenue by keeping essentially the income stream flowing.”
[Mike Johnson] That’s revenue protection…
[David Spark] Yes.
[Mike Johnson] …which is different than creating revenue.
[David Spark] That’s true.
[Mike Johnson] So, that’s the difference.
[David Spark] All right, okay.
[Kurt Sauer] I’ve certainly bought a lot of single panes of glass over the year, that’s for sure.
[Laughter]
[David Spark] Hold it. Is there one that you liked or one that you’re like, “I tried to like it and I just couldn’t”?
[Mike Johnson] Oh, careful.
[David Spark] Again, don’t mention any names.
[Kurt Sauer] No, I would just say, I think when vendors come or even when they’re really trusted vendors and you’re working with them for a long time, I value when people will come and say, “This isn’t actually going to solve everything, but it’s a good tuck-in to other things that you have,” as opposed to saying, “We can replace all the other stuff,” because the uplift cost of that is really high, and you have to recognize that.
[David Spark] All right, there’s got to be other ones. Because Mike, in fact, you used to post about these all the time, about things that would drive you crazy, it was “what grinds my gears” with you.
[Mike Johnson] [Laughter] Well, a lot of those were just ad hoc in the moment.
[David Spark] Oh, I know.
[Mike Johnson] Yeah, it was just…
[Crosstalk 00:30:44]
[David Spark] Essentially, an inbound email would come in, would set you off, right?
[Mike Johnson] That was pretty much how it would go. But the single pane of glass is a great example. I think one of the other things that we’ve seen a lot is this concept of shift left for security. And conceptually, it makes sense. The actual practice of it is one of those that I think might be a little bit mythbusty to think about.
[Kurt Sauer] “We’ll reduce the false alerts a little bit,” right?
[Mike Johnson] Oh, yeah. Thank you. “No false positives.”
[David Spark] No, okay, but that’s an interesting thing because I see the internet awash, this isn’t just isolated to security, but the internet awash of advice, you know, 10 tips to do this, the kind of listicle-type things. But it’s like nobody operates that way in a sort of a perfect way. Like, I remember because my wife and I used to work together and there was this thing, it’s all these articles about how couples can work together and stuff.
I was like, “This is BS. Nobody operates like this at all. It’s not realistic.” And one of the classic lines is, “Leave the work at home.” Everyone’s personal and business life is always intertwined constantly.
[Mike Johnson] Yeah, I mean, the whole idea of work/life balance in security is maybe a myth that could be busted. That’s not really a thing.
[David Spark] All right.
[Kurt Sauer] Yeah, I would just come back to my trope, which is OODA loops, so looking at how do you orient yourself to look at problems, and everybody’s tooling needs and everybody’s environmental needs are going to be different. So, unfortunately, we’re living in a world where people who are selling services and vendors selling equipment are trying to sell to mass markets, and so there’s this fundamental misalignment.
And so people all want to have the single pane of glass as if they’re selling to somebody who has no services or solutions installed today, and it’s just not the reality.
Sponsor – SlashNext
32:46.089
[David Spark] We have another phenomenal sponsor, and that would be SlashNext. For those of you who are not in the know on SlashNext, let me tell you. SlashNext protects the modern workforce from malicious messages across all digital channels. So, SlashNext Complete integrated cloud messaging security platform utilizes patented generative AI technology with 99.9% accuracy to detect threats in real time to stop zero-hour threats in email, mobile, and web messaging apps across Microsoft 365, Gmail, LinkedIn, WhatsApp, Telegram, Slack, Teams, and pretty much any messaging channel you can think of.
So, take advantage of SlashNext’s integrated cloud messaging security for email, browser, and mobile to protect your organization from data theft and financial fraud breaches today. What do you need to do? You need to go check out their website, it’s slashnext.com.
It’s time for the audience question speed round.
33:55.635
[David Spark] All right, we have a little bit of time left in our show, so I have a bunch of questions. I was hammering our audience before this show to try to get some really good questions for the two of you, so you have not seen any of these.
[Mike Johnson] Not a one.
[David Spark] They’re all going to be a shock to you. So, this first one comes from Siva Vadakandra of Neptune Retail, and Siva asks how much in terms of metrics does a board need to see to feel comfortable with understanding cyber risk? What is it you have to show them, they’re like, “I get it”?
[Kurt Sauer] I would say my general adage is “less is more.” I would say also that I’ve looked at books of pitch decks of people, CISOs who have contributed information in sort of board examples, and almost universally there’s just too much data. When I talk to board members, they say there’s too much data, it’s not actionable for them.
The problem is that it’s really difficult to take that data, distill it down to some numeric value that they’re going to go like, “Yeah, we believe this.” So, you really have to find some approach that creates compounded metrics of some kind, and while we may not like that, it is something that is going to help drive an actual discussion, which is really what you want to be having with the audit committee, risk committee, board, wherever you’re reporting.
[Mike Johnson] The only quick thing that I’ll add to that is every board is different. There’s no right answer to this question, it definitely depends on your board, and you should talk with them and ask what they’re interested in.
[David Spark] Good answer from both of you and you both get a point. The metric has to drive that conversation, I thought that was a good line, and everyone is different, like a snowflake. All right. This one comes from Hemam Muthyala who’s CISO over at SPAN.io. What is one thing you ask when users ask, “Can I use this technology, this thing, in product development?” So, they ask you that – can I use this?
[Mike Johnson] Why?
[Crosstalk 00:36:07]
[Mike Johnson] That’s the answer.
[David Spark] …allow me to do this.
[Mike Johnson] I need to understand the reason. What is the business purpose for the thing that they’re needing to use? And if I don’t understand that, I can’t give them any advice whatsoever. Just because it’s a shiny bauble is not a good answer, and you can actually learn a lot when they give you the answer to your why question.
[David Spark] And what kind of good valuable answers do you hear to, “Why?”
[Mike Johnson] Well, some, “It saves us money,” or “It gives us more sales.” I mean, those are really excellent answers to the why I need to use this tool.
[David Spark] That is a good answer. Anything to add to that, Kurt?
[Kurt Sauer] Nothing to add, except I think it’s important to look at what other tools are already out there and see if there’s duplication so you can help guide them in the right direction.
[David Spark] All right, from Siwei Dodge of Check Point, asks the question about the platform and best of breed question. What type of environment would a CISO have where platform makes a good decision to go in that direction, or best of breed makes sense to go in that direction? Either one of you jump in on this.
[Mike Johnson] I think a lot of it is going to depend on the size and complexity of your environment. The more complex your environment is, actually I think the platform is the better answer because then, you’re spending all of your time trying to integrate the complexity of your environment into the simplicity of a platform versus the complexity of your environment combined with the complexity of a series of best of breed products, and you’re probably going to end up with not a great outcome as a result.
So, if it’s a small environment, simple environment, then best of breed makes more sense in that space.
[Kurt Sauer] Yeah, generally, I’ve been working on more complex environments, so it makes it more difficult because there’s oftentimes monitoring environments you have to consider as well. So, I think it’s better not to go for best of breed because then it’s just a bunch of boxes that are, I mean, logical boxes, that are installed in an environment, it doesn’t really make as scalable a solution for me.
[David Spark] All right, here’s another question. These two questions are related, they have to do about vendors. First from Brian Roth from SlashNext – what’s a new way you’re discovering new solutions? So, the old way of asking your friends, “What are you using?” for whatever product or whatever category, and what’s something, a new way you’re discovering solutions that you didn’t do before?
[Kurt Sauer] So, this isn’t the way I’m doing it now. I will tell about a way that another CISO that I worked for did, and I thought it was pretty ingenious. He found somebody on the team who was very ingenious, more senior, very engineering-bent, and kind of aimed that as the choke point for all new products and vendors, and said, “Come and test with me.” And they carved out time and actually led a lot of vendors down the garden path, but I mean that in a good way, and were able to get some great new ideas about like DeepDwell, how can we actually use this in our environment?
As opposed to saying just the knee-jerk reaction of, “I don’t think it’s interesting,” “I think it’s interesting,” because that’s all you have time to do if all you’re doing is screening mail.
[Mike Johnson] ChatGPT.
[David Spark] Seriously? You’ve been using it to find solutions?
[Mike Johnson] No. [Laughter]
[David Spark] Well, that was my question!
[Mike Johnson] But it was a funny answer, and it mashed.
[David Spark] You didn’t get much of a laugh.
[Mike Johnson] There were some sympathy chuckles out there. They might not have come through in the recording, but there was a sympathy chuckle or two out there.
[David Spark] Well, we’ll sweep it later in post.
[Mike Johnson] What I’ve found is the old ways still work.
[David Spark] Asking your colleagues.
[Mike Johnson] Asking the colleagues, paying attention in the Slack communities that we’re a part of, listening to people working through solving their own problems. So, sometimes it’s not necessarily me asking, “Hey, I need to solve this.” It is more watching other people work through a problem. I then combine some, a month later or six months later, I actually have the same problem, I remember that, I go back to it, I dig into it, “Hey, this was done before.” But this is a way that I’ve been doing it for quite a while.
[Kurt Sauer] And I’d have to just plus one on the community thing, I really forgot about that. The great thing about that is while you may not get a totally representative sample, sometimes you don’t need a totally representative sample to get some really good ideas. So, listening to your peers is a really great way.
[David Spark] All right, this comes from Alice Schaff over at Kiteworks. I like this. You’re interviewing candidates. All right? Both of you. Just give me one. What is the absolute toughest question you ask during an interview?
[Mike Johnson] So, what I’ve actually found, I’ve been interviewing recently, and what I’ve actually found is the “why this company?” actually turns out to be a difficult question for folks. And as I’m asking it, it feels like it should be an easy question. But what I’ve been getting back in terms of answers are very thoughtful responses, and it turns out to actually be a very helpful question.
But there’s always this moment of like the deer in headlights of, “Okay, now I’ve got an answer.” And so it turns out that that actually is a difficult question.
[David Spark] All right, what’s the toughest one you ask, Kurt?
[Kurt Sauer] It’s a slightly different twist on this. I like to ask what people think they can add to our company. What is it that you can do? Not just a specific skill, but what’s the outcome that you expect that you would have for us? And it usually leads to some pretty long discussions that helps me understand whether they understand what kind of company that they want to join.
Because if they don’t know that, they’re probably not going to be successful.
[Mike Johnson] I want to channel Steve Zalewski for a moment of, “How are you going to help me sell jeans?” That should be the question.
[Kurt Sauer] Yeah.
[David Spark] That is the question! Excellent. We’ve quoted Steve on that many, many times.
Closing
41:57.863
[David Spark] Well, that brings us to the end of the CISO Series Podcast. I want to thank our awesome audience here.
[Applause]
[David Spark] I have to thank the ISSA Silicon Valley and our phenomenal sponsors that you can see on our logos here. That’d be SlashNext, Sysdig, and Veza. Thank you all for sponsoring. Afterwards, they have tables set up. We’re going to be having food and drink afterwards. Please visit. Please chat with our sponsors.
And also, I want to thank Microsoft for hosting us in this absolutely beautiful theater. We absolutely adore it. Any last words from both of you about a topic of discussion, the crowd, the environment we’re in, anything you’d like to say?
[Mike Johnson] I do want to say this has been an amazing crowd. I mean, this is easy pandering, but the reality is y’all have been active, involved. It’s been great getting the energy from y’all. So, thank you all for being here. For the folks listening at home, you should come to a live taping. These are awesome.
[David Spark] Yes. We do have live shows. In fact, well, there’s a small event happening in La Jolla, California. I just did a string of live shows. We don’t have much more, but we got one coming up in January in Clearwater, Florida, as well.
[Mike Johnson] They’ll come around. They’ll be around next year.
[David Spark] We’ll be doing more.
[Mike Johnson] So, keep an eye out for them.
[David Spark] We did a ton this year. We did a ton. Any last thoughts, Kurt?
[Kurt Sauer] Yeah, I’ve just been doing a lot of research recently on the Incident Command System and how that can have some applicability to the cybersecurity space. There’s some graduate research out there, it’s pretty interesting stuff. So, if you’re interested in seeing how that might apply in a larger cyber case, look it up – Incident Command System.
[David Spark] Well, thank you very much, Kurt. Thank you very much, Mike. And thank you to the ISSA. And thank you, audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.