Every Failed Startup Starts as a Dream for a Single Pane of Glass

Every failed startup starts as SPOG

There are some startup ideas that just never go away. There’s always another one to replace the last failed startup that tried to fix something blindingly obvious. Still, despite the apparently obvious need, no one has yet nailed the execution. Ross Haleliuk characterized these as “tarpit ideas.” What is it about these perennially appealing ideas that gets so many well-intentioned startups caught in the sludge?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Shaun Marion, vp, CSO, Xcel Energy.


Huge thanks to our sponsor, Noma Security

Full Transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO. Go!

[Shaun Marion] Get out, network, meet peers in the industry. Don’t duplicate things. You’re going to hit problems. You’re going to run into situations, good, bad, otherwise. Lean on that network you’ve built so you don’t have to duplicate. Don’t reinvent the wheel.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series, and my co-host for this episode, we love, love having him on. It’s none other than Andy Ellis, partner over at YL Ventures. Say hello, Andy.

[Andy Ellis] Good evening, or depending on when you are in the world, good morning, good afternoon, or good night.

[David Spark] You know, Andy has recently prepared different languages, but he got lazy this time and he’s leaning on English again. [Laughter]

[Andy Ellis] I did, in fact, get lazy. I meant to do Swedish this morning, but then I had a complete brain fart.

[David Spark] It’s all right, we’ll let it slide. We are available at CISOseries.com. That’s where you can find many of our programs and, God willing, by the time we are releasing this episode, our new show will have been released, but not to be said yet. Our sponsor for today’s episode is Noma Security.

Secure your entire data and AI lifecycle. A very interesting combination. More about that later in the show. But before we begin, I want to mention a site that you have launched, Andy, that I’m impressed that you launched this and you are populating it with your wisdom and knowledge of, may I say, decades of being a CISO, yes?

[Andy Ellis] Decades, in fact.

[David Spark] Decades of being a CISO. The web address is howtociso.com. What started this? What is it? Explain.

[Andy Ellis] So, I’ve always been a fan of writing evergreen content, the things that you write, not to get clicks today, but that you can always just easily go reference. And what I found is there’s a distinct lack of “here’s how to do the job” aimed at either CISOs who are transitioning from one role to another or just want to get better at it or people who want to become CISOs.

And we sometimes pretend that a lot of our knowledge is aimed at CISOs when it’s actually aimed at lower-level practitioners. And I wanted something to say, “Hey, if you’re a CISO, here’s what you should be thinking about.” So, it’s not going to have like tons and tons of content because everything’s going to be carefully curated to be what are the things you need about.

So, whether it’s the op-eds that are relevant, the how-to-CISO volumes, which are a little bit longer. So, folks may remember I wrote one a couple years ago about the first 91 days on the job, just published another one, which is The Idealized CISO Job Description, which you might find entertaining.

I’ve got one on risk measurements in the works.

[David Spark] Ah, very good. Well, we are sure to lean on some of that content because it is, well, pretty much in line with the editorial of this very show. [Laughter]

[Andy Ellis] Exactly.

[David Spark] So, if you don’t read it directly, you’re going to get it on this show, whether you like it or not.

[Andy Ellis] Yep. A lot of the things that I’ve written down there are things that I first said in response to something here, and I’m like, “Ooh, I should write that down.” And here’s where it goes.

[David Spark] Then we want full credit. All right, let’s bring our guest on. The last time we had our guest on, he was working as a CISO at a different company, but now he’s at a new company. So, I like to think of it as a fresh, new, brand-new guest because he’s a CISO somewhere else. It is the VP chief security officer, CSO, at Xcel Energy, none other than Shaun Marion.

Shaun, thank you so much for joining us.

[Shaun Marion] David, it’s great to be here.

They didn’t think that through all the way, did they?

3:47.054

[David Spark] “Do we really have a policy for this, or did we simply write one?” Alan Wilemon of KirkpatrickPrice asked that question, reminding us that policies are a good starting point, but mean nothing without implementation. He posted a picture of a bird sitting on top of a “No Birds” sign. Sure, you can put up a sign, but where’s the control to back up the policy?

For Alan, a good policy must be paired with training, monitoring, and coaching to actually be meaningful. All right, Andy, I’m going to start with you. When does a written policy become an actually implemented policy and what causes an implemented policy to fall apart?

[Andy Ellis] First, I just want to comment that he’s an optimist if he thinks a policy without implementation is, what did he write, it meant nothing? No, no, it means a negative. Just to be very clear, policies that don’t match the real world are harmful to your business because they degrade every other policy.

The moment someone says, “Oh, look, there’s a policy, nobody follows it,” that means they don’t follow other policies as well. So, cut that out. I think of policies actually a lot like processes, which is you have to account for all the different nuances, all the different ways things can go wrong. And so instead of writing a one-size-fits-all, either a statement, “This is what we do,” or a process, “Do step A, B, and C,” without noticing that sometimes you need to do D and sometimes you skip B, you have the same problem.

I’m a big fan of implementing policy slowly. You want to change policy? Great. Go do an implementation as a process, get some buy-in from people who want to do better.

[David Spark] So, do it the opposite direction.

[Andy Ellis] Do it the opposite direction, like start with the practice. And once the practice becomes the norm, then you just write a policy to say, “Hey, here’s what we do.” And nobody’s going to object because it’s actually what you already do.

[Shaun Marion] Two points here. One is I call these whoobies. I don’t think that will translate well across lines, but it’s Linus and his blanket, right? It’s your safety blanket.

[Andy Ellis] Yep.

[Shaun Marion] It’s a false sense of security. So, you walk around, we’ve got this policy, we’re all good. But in reality, the second point is you can introduce a tremendous amount of legal liability. If you say we’re doing one thing and you don’t actually do that one thing, that’s liability.

[David Spark] Ah, good point.

[Shaun Marion] So, I agree with everything Andy said. Start small and get it right. I would rather have a policy that is less effective but implemented completely than one that’s just that whoobie that nobody follows.

[Andy Ellis] Yeah, my favorite whoobie is the policies against being on a phone while you’re in a car.

[Shaun Marion] Right.

[Andy Ellis] And you get that call and general counsel’s in the car. You’re like, “Okay, great.” Like you have moved from being negligent to being reckless. Like you know better because you wrote the policy and yet you’re still violating it. And I actually think you increase your risk rather than decreasing your risk.

[Shaun Marion] Couldn’t agree more.

[David Spark] Well, as we know, this also falls under the area of change management. People don’t usually like to change.

[Andy Ellis] Yep.

[David Spark] But at the same time, and this I know is not policy, but I’m going to quote Mark Zuckerberg, who every time he made a massive change to Facebook – and by the way, I reported on this multiple times – everyone would comment and get upset, “Oh, Facebook is making a mistake doing this. This, they shouldn’t have done this.” And what happens is that thing that they got so upset about becomes the norm and they forget completely about it.

Does that ever happen with policies, Shaun?

[Shaun Marion] Absolutely. Well, there’s two problems. One is everything you said, where they kind of get numb to it, and two is, I don’t think we do a good job of communicating those changes. The why behind it, we tell them what, but we don’t always tell them why. And they don’t always understand so it’s just not a priority.

I don’t think that people come to work and say, “I don’t want to do the right thing.” I think sometimes they just don’t fully understand how to do the right thing. And then back to the prior point, we can make these policies so complex that sometimes, “I’m not going to read that.” Back to the Apple, like, “I’m just going to click through. I’m not going to read that.”

[Andy Ellis] Yeah, I think Shaun’s also being pretty generous. I think that a vast majority of the policies implemented in the corporate world are not actually that helpful. And so if somebody comes in and says, “I want to do the right thing,” that policy isn’t it.

[David Spark] Is there an example of a policy where you know the people looking at it are rolling their eyes like, “Seriously? We’re not going to do that.”

[Shaun Marion] Oh, I’ve got a great example. So, as chief security officer, I have physical and cybersecurity. On the physical side, we ask people to badge in and to badge out. They know the policy, there’s signs. And the reason we have them badge out is if there’s an emergency, we know who left the building.

We have data on that. But they will push back, “I got to badge out. It’s such a pain.” It’s a very simple thing and they know it, but sometimes they’ll push back.

[David Spark] That’s a good point. Andy, you got a quick example?

[Andy Ellis] Oh, I was actually going to go with the same one. Like if your badge out is not tied to actually opening a door, nobody’s going to do it.

Are we having communication issues?

8:49.588

[David Spark] We’re always saying cybersecurity professionals need to “speak the language of the business.” We’ve said that more than once on this show, but what that actually means varies across roles. Evgeniy Kharam’s recent LinkedIn post and his book, Architecting Success: The Art of Soft Skills in Technical Sales, highlight how soft skills like communication, curiosity, empathy, and active listening can look different for vendors, engineers, and executives.

So, I’ll ask you, Shaun, do certain soft skills play differently in different cyber roles for either yourself or others? What have you seen work the best? And if you can specify certain things work better in other roles, that’d be interesting, but I don’t know.

[Shaun Marion] Well, I’ll speak specifically for my role because I’ve not been doing it as long as Andy, but I’ve been doing this for about 12, 13 years. So, at least one decade under the belt. But I think in my role, a lot of what I do is storytelling. And I don’t mean fake storytelling. I mean it’s connecting with others through stories.

So, whether it’s the architects and trying to relay a priority, or whether it’s the board of directors or whoever it is, trying to relay what’s important. Not dumbing it down, not watering it down, but just trying to make sure I can communicate that story effectively, so they understand.

[David Spark] Can I double down on your cold open today where you say, “Look for help”? Have you ever had a situation where you’re like, “I need to explain this.” I don’t know, you go to your CISO peers and say, “What’s the best way to tell this story?” And has someone helped you?

[Shaun Marion] Yeah, absolutely. I’ve got a friend, a confidant, a coach, a mentor, Rich Mason, I think you might know him.

[David Spark] Yeah, sure.

[Shaun Marion] Rich has been a friend of mine for 25 years. And there have been many times when I’ve reached out to him to say, I had a board presentation recently, “Hey, can I give this pitch? Can I share this with you? Give me feedback. Am I relaying this appropriately?” It’s things like that that make me better and get me more prepared.

[David Spark] Ah. By the way, I can’t stress enough the value of whatever you have, like a 5-to-15-minute presentation, getting an audience for it. I did this where I had a 15-minute presentation, and it went through like four or five different audiences who were willing to listen to it. By the way, people will listen to a 15-minute, not an hour, to give you feedback.

And from the first time I said it to the last time, it drastically changed. Maybe like 70% it completely changed. Andy.

[Andy Ellis] So, first of all, I want to start by saying soft skills are actually much harder than what we call hard skills. The reason that we call hard skills hard skills is because we can measure them directly. Like we know how well you can write code or write English. How well you can communicate to somebody in their jargon is much, much harder.

So, let’s just put aside the soft skills things for a moment, we’ve all known that’s my soapbox. When we say speak the language of the business, what that actually means is, can you craft that narrative like Shaun talked about, that’s going to resonate with the party? And I like to think about it like fairy tales.

Why do we tell fairy tales? Like Little Red Riding Hood is basically saying, “Don’t talk to strangers.” That’s literally all it says. Stranger approaches you on the street, asks you a question, you shouldn’t talk to them. But you put it in the language of a child because you’re trying to teach a child.

You have to do the same thing with the business. If you want to talk about risk to a product manager, you’d better be putting it in terms of product launch delays, in terms of customer dissatisfaction. If you’ve got this weird arcane story about this vulnerability being exploited and lateral movement, and it sounds really cool to you, but their eyes are glazing over and they’re thinking, “I got a product to launch, it’s going out in a month, how does this affect me?” And if they’re like, “Oh, I’m just going to spend an hour listening to you and then I won’t do anything and that’s how I get through this,” that’s what they’re going to do.

Sponsor – Noma Security

12:38.128

[David Spark] Before I go on any further, let me tell you about our absolutely spectacular brand-new sponsor and that’s Noma Security. You know, the rush to embed AI into applications has created incredible innovation for enterprises. No question. We’ve been seeing the news, we’ve been doing it ourselves.

But with that innovation comes new risks. That’s where Noma comes in. It’s the first application security platform built to secure the entire data and AI lifecycle. And there’s a lot involved there. From securing your AI supply chain to protecting AI applications in runtime, Noma detects and prevents threats like misconfigured data pipelines, vulnerabilities in notebook environments, malicious models, and adversarial AI attacks like prompt injection.

With a single platform that integrates seamlessly across your AI tools, code, and application SDKs, Noma empowers AppSec teams to secure AI applications without disrupting data engineering and AI teams’ day-to-day workflows. Fortune 500 companies are already using Noma to bridge the gap between security and AI teams, delivering complete visibility, security, and compliance across the data and AI lifecycle.

You want to learn more? You want to know how you can get this into your environment? You got to go to Noma’s security site. And it’s simple – Noma.security.

It’s time to play “What’s Worse?”

14:01.226

[David Spark] All right, Shaun, you’ve played this game before. Do you remember this game?

[Shaun Marion] I have indeed, and I do.

[David Spark] Two crappy environments. I will make Andy answer first. I always like it when you disagree with Andy, but no pressure.

[Andy Ellis] I don’t.

[Shaun Marion] Oh, raise the bar here.

[David Spark] All right, this comes from Jay Dance over at StubHub. He’s given us lots and lots of good “What’s Worse?” scenarios. Here you go. Scenario number one, you have a breach, and your security vendor tells you that they had a problem, and they’re missing some of your logs sporadically and randomly throughout an eight-hour window during the breach, okay?

So, your ability to investigate is going to be a little messed up, to say the least.

[Andy Ellis] Yep.

[David Spark] Or your security vendor tells you they failed to log two to three weeks’ worth of security logs. Now, no mention of a breach here. Nobody has reported anything concrete that leads you to believe that there was a breach during that time, but you’re receiving anecdotal evidence from IT of weird behavior in the environment that makes you very suspicious.

Andy, which one’s worse?

[Andy Ellis] Ooh, so what we’re really doing here, let’s ignore the security vendor. I actually think that’s a red herring, but I really like you bringing that one in, Jay, because that’s fascinating. So, the question is, I have a breach that I can’t fully investigate, which means I have a breach. You can never fully investigate a breach.

I don’t think anybody has an environment where they have every log they want post-breach. Or maybe I’ve got a potential breach, and again, I can’t really easily, historically look for the evidence of one coming in.

[David Spark] And by the way, there’s far more that’s lost in the second scenario.

[Andy Ellis] Right, and there’s a bunch of stuff that’s lost, but let’s just be honest, how many people have security logs that they never go look at unless there’s a breach? The breach is what matters here. Like, the logs are important, but the breach is what matters. So, given my choices, I’ve got a breach that I know about, or I’ve got a potential breach I don’t know about.

Like, this is now very challenging because I might be spending a lot of time chasing down this possible breach, or I might walk away and not bother chasing it down, but I’ve got a breach. Ooh, this is a hard one, Jay. So, I actually want to give Jay credit because I could argue both directions.

[David Spark] Yes.

[Andy Ellis] So, I have to figure out which way I want to argue it to try to convince Shaun not to disagree with me.

[Shaun Marion] [Laughter]

[David Spark] And by the way, I want to get a little credit on this. I went back and forth with Jay a few times to make this a little more even.

[Andy Ellis] Yeah, no, this is a really good one. I think I’m actually going to go with the known breach is worse because it’s very clear that you have a breach, and you don’t have all of the logs related to the breach. I’m not saying the other one is like a better, there’s not a category thing of one is way better than the other, but…

[David Spark] No, but it’s the what’s worse. So, you’re saying the first scenario is worse because it’s a known breach.

[Andy Ellis] Yeah, I don’t want to have the breach. Like the other one, I’m going to go investigate. I’m going to go send my people to go look real time. Maybe it gives you an opportunity to clean stuff up, but I’m not allowed to take the serendipity of, “Well, this can force some cleanup,” because that’s not part of “What’s Worse?” I’m just going to go with the breach is worse.

[David Spark] All right. Shaun, I throw it to you. These are two very difficult choices. Which one do you choose? Again, which one’s the worst one?

[Shaun Marion] Yeah, yeah. Well, so I’ll go door number two. Andy’s right though. You could argue both sides of this fairly easily. Is ignorance bliss? Sometimes. I think if I go with door number two though, I can at least try to understand a little bit more because I have a little bit… This is the scenario I’ve got.

I’m missing two weeks of data, right? But I’ve got real time recent data.

[David Spark] Yes.

[Shaun Marion] I can at least see what’s going on right now. I have no historical data to go back, but I can at least see what’s going on, do a little real-time analysis. So, I still think in both scenarios it sucks, but in my perspective, I can at least see what’s going on live, get a little bit more updated with option two.

[David Spark] Okay, you’re agreeing with Andy on this one?

[Andy Ellis] So, you’re saying option two is worse?

[David Spark] No, no, you said option two is better because you can look at the recent data.

[Shaun Marion] Yeah, this is like a punch in the face or a kick in the butt.

[Laughter]

[Shaun Marion] Is it worse? They both suck.

[David Spark] No, no, but you’re saying the first one’s worse because the second one, at least you can look at the current data.

[Andy Ellis] Right, so I think he agreed with me though then.

[Shaun Marion] Yeah, so may… Oh, Andy and I are agreeing.

[Andy Ellis] Yes. He agreed, we’re done.

[David Spark] But hold it, wait, wait a second. There’s nothing that says you can’t do that in the scenario number one because it says…

[Andy Ellis] No, but scenario number one we know we were breached.

[David Spark] Right.

[Shaun Marion] Yeah, and we’re missing some data, so it’s like what’s…

[Andy Ellis] Like that’s why the sporadic logs don’t really matter in scenario one. It matters in two more than in one.

[Shaun Marion] And what’s worse? Like having partial information or no information? Partial information can be a red herring too, it can lead you down the wrong path. So, that’s why, I mean, either one is rough.

[Andy Ellis] Right. We’re really judging the probability of the breach.

[David Spark] Okay, again, but just confirming you’re saying number one is the worst because you’re agreeing with Andy here.

[Shaun Marion] Unfortunately, and…

[Andy Ellis] So, scorekeepers, mark that one at home as a win for Andy and a loss for David.

[Shaun Marion] [Laughter]

[Andy Ellis] But really, actually, honestly, much as David says these are losses, it’s actually, I think it’s a win for David that we argued this one.

[David Spark] I think, no, I think it’s a win for Jay Dance because this was a good…

[Shaun Marion] Yeah.

[Andy Ellis] Jay, amazing. I would like buy you tickets for something, but you’re the source, so.

[David Spark] Yeah, he’s the StubHub.

[Shaun Marion] And it’s not that far-fetched, what he described.

[Andy Ellis] No, no, these are actually real scenarios. I think the reality of scenario one is that’s every scenario, like you never have all the logs you want to have.

[Shaun Marion] Yeah.

[David Spark] All right, great job, Jay Dance.

Would this person be a good fit for the job?

19:32.913

[David Spark] “For the practical question of hiring around cyber crisis experience, the answer is counterintuitive, but ultimately simple. Hire for crisis experience but beware the onlookers.” Recent research has shown that for cybersecurity incidents in particular, decision makers that don’t hold a stake in the crisis are the most at risk to latch onto real-world parallels to learn potentially misleading lessons from, according to a piece by Christopher White on CSO Online.

Those in direct response are most likely to see the event as full of unique variables and that’s pretty idiosyncratic. Now with that in mind, we’re going to play another quick round of “What’s Worse?” So, what’s worse, you’re hiring a CISO who’s been through five major crisis incidents. Three turned out very well and two that were very, very bad.

Or you hire a CISO with the same number of years of experience but has never had to face a critical incident. I throw this one to you, Andy. Which one’s worse?

[Andy Ellis] So, I want to say only five?

[David Spark] [Laughter] I’m just throwing that out. And I’m saying critical like monstrous incidents.

[Andy Ellis] Yeah, I’ve lost track of the number I’ve had to deal with that were monstrous incidents. So, a lot’s going to come down to I’m hiring somebody who has never managed a crisis. So, I need to understand what’s the likelihood I’m dealing with crises. Like if I’m a technical planetary-scale business, crises are a way of life.

And so I’m probably going to go with the person with the crisis experience. If I’m not, I’m kind of less concerned about it because yeah, crisis will happen maybe at some point, and we’re all going to learn through it. What’s really going to matter for me is I want the narrative of those five incidents.

Like I got somebody who can come in and do they have a credible narrative about how they run crises, how they learn from crises, how they deal with what I call instant authority syndrome?

A lot of people think of this as the Dunning-Kruger effect. By the way, other soapbox, Dunning-Kruger effect is bogus research. Dunning and Kruger are the only example of the Dunning-Kruger effect. I can do that later if anybody wants to catch me on Twitter or LinkedIn, make me explain. But what you do see is people who have bad models but they’re experts.

They’re really good at one thing, but they’ve got models in that one thing. They come to something nearby and their model doesn’t really apply, but they don’t know enough about it. And that’s what people often look at of, “Oh, these people aren’t good, but they don’t know how not good they are.” No, they know how good they are.

They just don’t realize they’re in the wrong world. That’s what I want to try to detect. Like were the category failures on those two incidents the CISO’s fault or was it an organizational problem? Because sometimes it is the organization and not the CISO.

[David Spark] All right, Shaun, you’re nodding your head and let me just set you up again. I think Andy brought up something that was very interesting. For the first CISO, the one that’s had five bad incidents, three that went well, two that were disastrous, finding out the process. The thing is, in the second scenario where you haven’t faced a bad incident, do you ever have a process?

Can you even tell one? Or maybe you create a scenario and say, “Well, how would you handle this?” Like, I don’t know, what do you do with that second person?

[Shaun Marion] So, agree, Andy started talking about like five crises. That’s actually a fair question because no CISO like graduates college or whatever the case is and the next day they’re a CISO. They’ve been working their way through various ranks. After 10, 15, 20 years, if you haven’t had a single incident, I’m more curious of where you’re looking.

[David Spark] Again, single massive incident.

[Shaun Marion] Yeah, okay, even single massive, but even then. So, I take a different perspective here, sort of, it depends on the role. So, people like Andy, me, some others, we’re not as common in the industry. We’ve been CISOs for many, many years, but the industry’s exploded. And so you have a lot of deputies, number twos, that maybe haven’t been in the role that I think are ready for that big job, that may not have had the experience to manage through that crisis.

But I think it depends on the company too, like to Andy’s point. Like if I pick on a, I don’t know, Google, like something massive, I’m probably not going to put a CISO there who’s not had some experience managing through a crisis.

I really want to understand the failures, like what did they learn from that? You can learn a ton from a failure. If I’m running, I make all this up, like some local credit union, right, much smaller, that’s some pretty extreme examples, but… And I’ve got a deputy who’s never lived through that but is maybe up for the opportunity.

Well, that’s how they’re going to cut their teeth. That’s how they’re going to get strong. So, I think it really kind of depends. I mean, yeah, I’ve had my fair share of major incidents. I wouldn’t wish that on anybody, I think most of us have, but I did learn a ton from it. So, there is value there, but I think it depends on the company and the role.

[David Spark] Okay, hold it. Can you respect a CISO that’s been in the job for a while that hasn’t faced a major incident?

[Shaun Marion] Oh, yeah, yeah.

[Andy Ellis] Oh, absolutely. What are they doing to keep the incidents at bay? Like they might be an amazing preventative builder who creates a program that keeps incidents at bay.

[David Spark] Shouldn’t they be more applauded if you describe it like that?

[Andy Ellis] Yeah, no, like I want the people who build things that keep us safe rather than the people who get us back to safe, but we need both of them.

[Shaun Marion] And I think you could argue too, you’ve got – I’m taking all the extremes here, right? Maybe they’ve had their, back to the example earlier, maybe they’ve had their head in the sand. They’re just not paying attention, so that’s why they don’t see a breach. It could go either way and it’s hard to judge that.

I’m looking at the experience they’ve got, where they worked. To Andy’s point, like what have you built? You’ve built a really good vulnerability management program? Like that’s not the sexiest thing. That’s pretty boring, but it has a huge impact. Talk me through that. Maybe that’s why you haven’t had a big breach.

So, I don’t know that for me having one, two, three, five major breaches or zero would be a limiting factor. It would be a talking point, but it wouldn’t be a limiting factor.

[David Spark] I more want to lean on the one who’s had none. And let me ask you, is this even realistic what I’m describing? That does there exist a CISO who’s never faced a major incident?

[Andy Ellis] I don’t think there’s anybody with CISO experience in the multiple years category who’s never faced an incident. Like they might not have been on the front page of the Wall Street Journal. I’m never happy when my incident hits that level, but it has. But there’s a lot of incidents that are major for the company they’re in that are not major for society.

Like not every company, like when they have a failure, is going to break the world. You should be thankful for that. It’s a lot less stress there. The real question I want to ask, and it comes to something Shaun did. So, it’s really asking for our listeners, which is if you’re a CISO, are you putting your team in the roles of being able to run, maybe not your worst cyber incidents, but the ones that are one step down?

Because that’s where they’re going to learn the skills to be able to handle themselves when it becomes a major incident in their next job.

That might not have been the best decision.

26:33.596

[David Spark] A tarpit idea occurs when someone sees something that hasn’t been done and remains unsolved and tries to take it on. The problem is the reason there is an opportunity there is because everyone who has tried it before has failed. Invading Russia is the ultimate tarpit idea, with a single pane of glass coming in as a close second.

Ross Haleliuk on Venture in Security put together some classic tarpit ideas that cybersecurity startups seem to keep falling for, in a recent blog post of his. Now he listed the classic “only tool CISOs will need to do their job” dashboards – that would fall under the single pane of glass too – the better detection and response tools, perfect DLP, and the self-serve security marketplace as a few examples.

All right. Andy, this, I’m sure you see this being as a VC, so I want you to jump on this one first. What are some of the seemingly good ideas that always seem to become cybersecurity tarpits? They just like… And I’m sure you’ve seen plenty, yes?

[Andy Ellis] I have so many of them and it’s the question of which ones do I want to go with today? So, I’m going to use two. So, one is real-time TPRM, third-party risk management. The number of times I see people who come in and they’re like, “Well, I’m going to build a startup that’ll give you a real-time view of your vendor cybersecurity.” And I’m like, “Have you ever been a vendor?

Have you ever talked to one? There’s not a single one that wants to expose a real-time view to their customers or literally anybody else.” Like there’s a tarpit. Technically, you could go solve this. Practically, you can’t. That is certainly going to be one. And then I think the second one that I’m running into a lot lately is the AI SOC.

People are like, “Oh, we’ll just replace our SOC with AI agents.” And I have a really hot take here, which is nobody actually knows what value the SOC provides. So, providing it gooder and harder is not necessarily the solution.

[David Spark] Well, hold it. The AI SOCs that I’ve heard of, many of which are actually our sponsors, are not a replacement of the SOC, but a reduction of the level one activities in the SOC.

[Andy Ellis] Yeah, that’s the replacement of the SOC, when you’re looking at it from what the company wants. They’re all messaging it softly because you don’t sell somebody on, “We’re going to fire your whole team.” Who’s going to help with that one? But the real challenge is that in most places, right, SOCs are really triaging into three categories.

One category is, “Oh, my God, we have a breach.” Like get humans involved and solve it. Like we have a really big problem. Category three at the bottom is, “Oh, we have a procedure for this. We should have just automation go solve this,” and the human bridges it. And that is a place for AI and really for automation.

What people really want is like ChatGPT on top of something like Torque or Tines. But then the middle category is the stuff that the business isn’t going to fix anyway, and so it’s going to get stuck in the logjam of organizational dynamics and AI is never going to solve that problem.

[David Spark] All right, Shaun.

[Shaun Marion] I think of, and I hope AI can solve this problem, by the way, because we’ve been looking at it for years, but my favorite acronym in the security world is DLP.

[David Spark] Mm-hmm.

[Shaun Marion] Primarily because we get the executive, the CIO, the CEO, somebody goes and meets with Microsoft or some big provider, and they walk you through what DLP could be. And not what it is, but what it could be, but they pitch it as what it is.

[Andy Ellis] Mm-hmm.

[Shaun Marion] And they come back and like, “This is going to solve everything. This is going to keep all… It’s data loss prevention. It’s in the name.”

[David Spark] The name sounds great. It does sound good.

[Shaun Marion] It does, but it’s data loss notification. It’s like, “Oh, there it went, there it went.” If I think of AI and some of the possible, maybe, I don’t think it’s going to get it right, right? But I think it can get a lot better. So, maybe that’s an example of a tarpit. It’s been a tarpit for what, 20, 30 years?

[Andy Ellis] Yeah.

[Shaun Marion] That maybe there’s an opportunity there, but I’m also I got scars, man. I’m still trying to like I’m… I don’t know. I’m cautiously optimistic, but that seems like a tarpit.

[Andy Ellis] Yeah. The one place in the DLP space that I’ve got some optimism – and full disclosure, I’ve got a company in that space – is the use of AI to do categorization because categorization has been the thing that has killed every DLP project for the last 30 years. You say, “Oh, this is an amazing project.

We’ll make sure that your categorized data doesn’t go anywhere.” And you’re like, “Well, who’s going to categorize it?” You’re like, “Well, you’re going to.” And I’m like, “People are creating content faster than I can do anything to categorize it. Like, I’m going to fail.”

[Shaun Marion] Yep, I think you and I might be talking about the same company, Andy because I met with them.

[Andy Ellis] Oh, yeah, awesome.

[Shaun Marion] Yeah, yeah. That’s exactly what they’re talking about, right, is how do we categorize at scale?

[Andy Ellis] Yes.

[Shaun Marion] Okay, that’s why I say I’m cautiously optimistic.

[David Spark] Well, and actually, by the way, I’ve used AI for categorization and for identification as well. And it actually does a pretty good job, I’ve seen. So, I mean, like I’ll tell you just one super simple example. I took a bunch of photos of the sponsors for an event, and I fed that into ChatGPT, and I go, “Just type these all out for me, all the logos that are on it.” And it did it perfectly.

[Andy Ellis] Yeah.

[David Spark] It was great.

[Andy Ellis] Oh, no. I love a whole bunch of the use cases for AI, but you have to understand what the output is of the thing you’re handing to AI before you hand it to AI. And like, oh, I want to use AI to replace low-skilled labor. I think there’s a huge opportunity for that in a lot of the workforce.

The, “I’m going to use AI to solve my organizational problem that I don’t even realize I have an organizational problem,” that’s where, to me, that becomes a tarpit.

[David Spark] You’re calling these all tarpits. Let me ask, are you still, though, optimistic? I’ll take the one of the real-time third-party risk management. Are you optimistic it could ever change? But like the way you described it, it’s like, no, that’s kind of a human saying, “No, it’s never going to change.”

[Andy Ellis] No. Yeah, no, TPRM is a huge problem, and there’s going to be lots of niche solutions in a bunch of places around it. But fundamentally solving it by some magic real-time, I know all the risks of every vendor in my ecosystem, the moment the risk happens? No, like never going to happen. Like the worst thing for a vendor is having a customer who spends more time looking at your data in real time than you do because they’re going to ask you things that you haven’t even seen.

Like, why would you have somebody calling you up saying, “Why haven’t you patched this system yet?” And you’re like, “What are you talking about?” Like, “Vulnerability came out three days ago, but you haven’t patched.” That’s a real conversation you would have with somebody with real-time visibility into your patch status.

[David Spark] All right. So then let’s close on this question. It could be… Well, it’s not going to be the real-time third-party risk management, but it could be DLP. Which of these tarpit ideas are you most optimistic are going to get out of tarpit? Shaun.

[Shaun Marion] DLP, yeah. I know this is an anomaly given the role that we have, but I’m an optimistic person by trade. I don’t know that it’ll be perfect, but I do think we will get much closer to what we thought we’d have 20, 25 years ago with like Vontu and those things. I think we will get much, much closer.

Perfect? We’re not going to get perfect. Anytime you introduce the human element, you introduce a tremendous amount of complexity. But if we can get closer, I’m pretty good with that.

[David Spark] Andy, what do you think? What’s going to come out of tarpit?

[Andy Ellis] Well, definitely I’m optimistic on DLP. I made an investment there. I’m optimistic on non-human identity management. That has been a massive tarpit for a long time that most people don’t even realize existed as one because we were so careful about trying to talk about that. I’m also actually really optimistic, the self-service security marketplace, depending on what people think of that as, but I look at trying to do security hygiene in complex environments, like AWS is such a disaster.

So, the ability to self-serve and say, “Hey, I just want this set up sanely.” I think there’s some things coming down the road that might make that better.

[David Spark] Awesome.

Closing

34:41.185

[David Spark] Well, that brings us to the very, very end of this show. I want to thank Shaun Marion, who is the VP and chief security officer. He’s dealing with both physical and digital over at Xcel Energy. Shaun, I’ll let you have the very last word here, but I want to thank our sponsor, and that’d be Noma Security.

Secure your entire data and AI lifecycle. Learn more about how they can do that because there’s a lot involved in it. Go to their website, noma.security, and you’ll end up there. Shaun, any last words for today’s discussion? Maybe a call back to your open? And are you hiring over at Xcel Energy?

[Shaun Marion] Yeah, so I can’t stress enough the importance of networking. In fact, I’ve shared this with him, but I have a picture of Andy and I about 20 years ago at an event in Florida.

[David Spark] Oh, wow.

[Shaun Marion] I think we both had a little bit more hair, but Amelia Island, if you remember, I’ll send it to you, Andy. Amelia Island, CSO 50, I think it was.

[Andy Ellis] Oh, yeah, I remember that one.

[Shaun Marion] You were at Akamai, I believe.

[Andy Ellis] Yeah.

[Shaun Marion] It just shows how these times go around, so lean on your friends. Make friends more than just colleagues.

[Andy Ellis] Yeah, was that the one that I brought beer to Bob on stage?

[Shaun Marion] You did, yeah.

[Andy Ellis] That was the fun one.

[Shaun Marion] It was, yeah, yeah. So, it’s been a while, so I appreciate the friendship and the partnership over the years. You know, on the plug side, we’re going to start ramping up pretty heavily at Xcel, so look for my profile on LinkedIn, you’ll see we’ve got jobs posted. Always looking to find, I’d say, excited individuals.

I always hire aptitude and attitude over anything, so would love to see it. And if I can make a personal plug, today is 28 years. I celebrate my anniversary today, so super happy about that.

[David Spark] Ah, congratulations.

[Andy Ellis] Congratulations.

[Shaun Marion] Thank you.

[David Spark] Well, I want to thank our audience. We greatly appreciate your contributions to the CISO Series Podcast, and for you listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.