Everyone Has a Zero-Trust Plan Until They Get Punched in the Face


As a principle, zero trust can be taken for granted as a best practice. But the reality is that many aspects of IT infrastructure, from legacy systems to IoT, were architecturally never designed with zero trust in mind. So how do you manage creating a zero-trust environment where numerous endpoints don’t allow for it? 

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Danny Jenkins, CEO, ThreatLocker.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full Transcript

Intro

0:00.000

[Voiceover]  What I hate about cybersecurity. Go!

[Danny Jenkins]  I hate buzzwords, mainly because vendors overuse them, and they use them wrongly. In addition to this, CISOs often don’t understand what they need to achieve solutions because they’re so overwhelmed with buzzwords.

[Voiceover]  It’s time to begin the CISO Series Podcast.

[David Spark]  Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series, and my co-host, you know him, his name is Mike Johnson. He’s also the CISO over at Rivian. Mike, say hello to the audience.

[Mike Johnson] Hello, audience. Great to be with you today.

[David Spark] And Mike, you are also an owner of a Rivian vehicle, correct?

[Mike Johnson]  That is correct. I’ve had mine for almost a year now. Actually, by the time y’all hear this, it will be over a year.

[David Spark] Would you give it a five-star review, your car?

[Mike Johnson] Oh, sure. It’s the best vehicle I’ve ever owned, and it actually has gotten better over time.

[David Spark]  It improves over time because it does software updates?

[Mike Johnson]  It’s a software-defined vehicle, so new releases bring new features. It’s been really cool.

[David Spark] That is very cool. Our sponsor for today’s episode is ThreatLocker, a zero trust endpoint protection platform. Now, many of you may see zero trust as a buzzword, but as you heard from the opening tease, our sponsor actually offers a suite of solutions that help you with your zero trust journey, and we’re going to learn more about that later in the show. But first, Mike, this episode is going to air just two weeks from the Black Hat conference, and I will be on the floor conducting interviews. And if you see me with my camera crew on the floor, please come up and say hello because I may have a question for you. The questions that I asked last year were, and I don’t know what the questions this year will be, but last year I asked, what were the red flags that a job is not right for you, either during the interview process or while you’re at a job? I’m sure you’ve experienced that before, Mike, yes?

[Mike Johnson] Oh, absolutely.

[David Spark] Can you tell me what a red flag was?

[Mike Johnson]  Oh, now you’re putting me on the spot. I think a red flag for me would be, is performance the only thing that you measure people on? And if you think about that, that actually leads you into the brilliant jerk concept.

[David Spark] Ah.

[Mike Johnson] So, that’s one of those where if performance is king and the only thing that anybody cares about, it’s an environment that’s going to be very supportive of brilliant jerks.

[David Spark]  By the way, that’s a tease. For those of you who don’t know of Mike’s history and the brilliant jerk irritation that he has, that’s going to come up later in this show.

[Mike Johnson] Ooh.

[David Spark] You’re going to like this, Mike, because it reaffirms what you’ve always felt about the brilliant jerk.

[Mike Johnson] Excellent. I like being reaffirmed.

[David Spark] All right. Someone who is not that. This was a horrible lead-in to our guest because we’re talking about brilliant jerks. This is definitely not our guest here, at all, whatsoever. But I do want to introduce him. I’m actually thrilled that he’s on this show. It is actually the CEO of ThreatLocker, who is a brand-new sponsor of the CISO Series. They are phenomenal. They’re also going to be at Black Hat in force. So, look for him and the whole ThreatLocker team. It is our sponsor guest, none other than the CEO of the company, Danny Jenkins. Danny, thank you so much for joining us.

[Danny Jenkins]  Thank you for inviting me today. I really appreciate it. And I’m excited for Black Hat. We’re actually delivering a keynote there.

Will we really ever achieve zero trust?

3:28.907

[David Spark]  Zero trust is now taken as de rigueur in cybersecurity, the fundamental from which all successful cybersecurity springs. But Maria Korolov at CSO Online pointed out that there are a number of areas where zero trust alone isn’t enough. This can be something like legacy systems that architecturally were never designed with zero trust in mind, or pervasive IoT devices, or third-party services where you’re trying to rely on their internal security without much visibility. The basic argument is if the tool or service you’re working with doesn’t allow for the zero trust paradigm, you essentially have an opening where you can’t enable zero trust. So, Mike, how do you manage creating a zero trust environment where there are points that you simply can’t enable it?

[Mike Johnson]  I really liked this article because it speaks to me living in a world that is not a cloud-only, cloud-first environment. We’ve got a factory. We have systems that have to be connected to networks that have to be low latency. We’ve got very specific requirements. And I think people who think about zero trust, their way of thinking about it is the classic tech company that only works in the cloud and maybe all of their employees are remote. There’s a lot more complexity to it. In order to actually head down this path where, if you think about zero trust, if you zoom out a little bit, a lot of it is about creating micro segments or much smaller connections where everything knows what everything else is talking to it. And so I think at some point, you have to perhaps move on from the book definition of zero trust and really think about what you’re trying to accomplish.

So, the concept of micro-segmentation is one way that you can do that. And that’s where you can bring that into environments that are OT, where you can’t just add authentication to everything. That’s not even an option where you have extreme latency requirements of very low headroom devices. So, you really just have to think about, okay, zero trust is a great concept. What are the things that you’re really trying to accomplish? What are the other ways that you can bring into your models and then still get those same ends in the end?

[David Spark]  All right, Danny, I throw this to you. Do you find, and I mean, I know a lot of what you’re doing with ThreatLocker is addressing this very zero trust issue, but as is pointed out by Maria Korolov in this article, there’s just some things that can’t enable it because of their design.

[Danny Jenkins]  So, I think, first of all, the concept of zero trust is the idea of least privilege, and zero trust is the new buzzword for don’t give access where access isn’t required. And when we’re thinking about systems and we’re thinking about what does that mean, it’s not one system. So, ThreatLocker is thinking about zero trust when it comes to what is allowed to run and execute on your system and what those programs are allowed to do. But it could be about authentication. It could be about giving users permissions, who has permission to what. And some software systems don’t allow you to grant that kind of granular access because they’re older systems. That’s okay as well because what we want to do is we want to get as good as we can in reducing permissions. And what we think about in ThreatLocker is we go and look at these systems.

For example, we actually onboarded a manufacturing company recently, and they have 25,000 employees. They have computers online that have been there for 20, 30 years, that are running operating systems like Windows XP. They’ve got software on those computers that cannot be patched, and equally, they cannot remove those computers. So, in these environments, what we want to do is we go in and we say, well, how do you address this rationally? How do you say, how do I take away privilege without breaking stuff? Because the end goal is not to break the business, but make the business continue to run.

So, the way we think about it is, first of all, how do we harden the operating system? So, if it’s a Windows XP operating system, what can we do to reduce the risk? We can do things like put firewalls on them. We can do things like stop unauthorized software running on them. We can do things like take the applications that are running and limit what they can do. The word micro-segmentation gets used quite a lot. The big problem with micro-segmentation when we think about network is it often means taking an object and putting it in its own container. The challenge is with most networks is that object needs to communicate with something.

So, take the healthcare industry. So, I’ve got an MRI machine, and I’ve got a piece of software on the machine. Well, that software needs to communicate with my medical record system or upload my scans to my server. So, then you say, well, I’m going to bring the server into that micro-network. Well, I can’t because now this user needs to be able to communicate with that server. So, we like to think of a bit more nuance than that. It’s not about taking things and completely isolating them, but we call it ring fencing. The idea being to isolate them so they can see only what they need. So, if PowerShell needs to see your files, then let PowerShell see your files. If it doesn’t, which in most cases it doesn’t, don’t let it. If it needs to go out to the internet to this one site, let it go out to the internet to this one site, but don’t let it see your entire network. So, we like to think about it, it’s not about putting everything completely isolated, but only giving it permissions where it needs to. And sometimes it’s just not possible, but if you can harden the rest of the environment, it becomes less relevant because someone can’t get in to trigger that attack.

What’s the best way to handle this?

9:25.240

[David Spark]  When you’re outsourcing your pentesting, how do you find the right provider? Specifically for small- and medium-sized businesses that don’t have an internal pentesting team, noted Vicente Aceituno Canal on Medium. Outside of using the pentest to become another compliance checkbox or not fixing any of the vulnerabilities the pentest reveals, what are, and we’re going to start with you, Danny, some of the classic mistakes to avoid in pentesting or setting up a pentest?

[Danny Jenkins]  Now there’s two parts to this. So, we’re a large organization, we’re a security company, so we have extra steps. I like to think of pentesting in multiple ways. One is we have regular companies we use to do pentests on a regular basis. And the two objectives of a pentest are first to find ways to exploit your software or exploit your environment. The other objective is to make sure you haven’t messed up because I see people mess up as well. Make sure you haven’t accidentally opened a port that you shouldn’t have opened. You haven’t put a password in a configuration file or something along those lines.

The way we do it is first of all find good companies, reputable companies, companies that you can rely on to do regular pentests for you. And I feel like outside of putting the right controls in place, pentest is the most important thing you can do because it validates those controls are actually working. We have our primary pentesters which we don’t change, but then we have secondary pentesters which we change regularly. So, we engage on a three- or a six-month engagement, and then we go to a different company.

And the reason we do this is because when you use the same company over and over and over again, they’re typically going to look for the same threats over and over and over again. And whenever we bring in a new company, they always bring new insights to the environment. They always come up with new ideas to get around your software or new ways to run untrusted software or new ways to inject memory. So, it’s always good to bring those fresh minds in. So, like I said, to recap the way we like, get a good company you’ve used for a long time and then get other companies to come in regularly.

[David Spark]  Good tactic. All right, Mike, again outside of the classic issues of not fixing vulnerabilities and just not looking at it as just a compliance checkbox, what are classic things to avoid when setting up a pentest?

[Mike Johnson] I think this is one of those areas where it really helps to lean on your own network, especially if you don’t have a relationship with a pentesting company already. Danny’s philosophy and strategy make a whole lot of sense: establish a relationship, bring them in, have a secondary that you’re rotating through. That makes a lot of sense. But if you’ve never engaged with someone in the first place, you can’t just go off of websites to determine who to pick. So, it’s really a good opportunity to lean in on your network, go ask some of your fellow CISOs who they use. And also, perhaps even more importantly, who they used and no longer use. Because sometimes you’ll run into lack of communication, or they don’t really go as deep as you would like them to, or they go out of scope. One of the worst things that can happen is if they go out of scope and maybe they bring down your environment, they bring down something that you…

[David Spark] Not good.

[Mike Johnson] …that was out of, like, “I didn’t want you to test this. I knew it was fragile, and you broke it, and now you’ve shut down my factory.” And now not only are you not going to work with us anymore, I’m not sure I’m going to have a job come Monday morning. So, it’s important to find someone…

[David Spark] Have there been those kind of pentest catastrophes?

[Mike Johnson] I have certainly, in the past, I have seen pentesters take down entire networks by testing things that they shouldn’t have tested. I’ve actually been on one of those networks when it happened. So, yes, it can happen. Reputation matters a lot, as well as being very clear on what is in scope and what is out of scope.

Sponsor – ThreatLocker

13:26.866

[David Spark]  Before we go on any further, I want to tell you about our absolutely awesome sponsor, and that is ThreatLocker. So, do zero day exploits and supply chain attacks keep you up at night? Of course they do. Nobody likes them. And that’s all we think about, and we talk about this endlessly in our shows. So, worry no more. You can actually harden your security with ThreatLocker. So, imagine taking a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user, unless specifically authorized by your team.

ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely, protected from ransomware. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. Now, to learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, go to their website. Just visit threatlocker.com.

It’s time to play “What’s Worse?”

14:50.284

[David Spark] All right, Danny, I know you’ve heard this before. This is the game where we give you two crappy options, and one of them actually has to do with zero trust. It didn’t even dawn on me that I had picked this one, but it does. All right, but I always ask Mike to answer first. You’re going to agree or disagree with whatever Mike says, and I love it when my guests disagree…

[Mike Johnson] That’s true.

[David Spark] …but please choose what you would like. All right, this comes from Conner Biolsi, who is with Lewis County, does security for them, I believe director of information security there. Here are the two scenarios, Mike. Scenario number one, telling the CEO that he or she cannot log in/work remotely while doing work-related research in foreign countries. Just can’t do it. I’ve told you you can’t do it, and you can’t do it.

[Mike Johnson] Okay.

[David Spark] Sounds pretty crappy. You’re also not being a good security professional when you do that.

[Mike Johnson] Mm-hmm.

[David Spark] Or, get ready for this. This one’s also going to be crappy. Enabling remote logins by whitelisting every country for all employees because the CEO requested more remote access.

[Mike Johnson]  Okay, so the way that I think about this is the first one, you have no controls, and you’re basically telling everyone including the CEO that you can’t log in from foreign countries. That’s what I’m reading into this is the first one is, it’s just you wag your finger, say you can’t do that, and that includes telling your CEO.

[David Spark]  Yes, maybe you’re acting like a brilliant jerk.

[Mike Johnson] Perhaps.

[David Spark]  Possibly.

[Mike Johnson] Perhaps. The second one is you’re basically allowing login from everywhere for everyone because the CEO wants it.

[David Spark]  Right. In both cases, you’re being a bad security professional. I think we can clearly state that.

[Mike Johnson]  Sure. There’s a little bit of caveat for the second one that I’m just going to go ahead because people in the audience are screaming this right now. There are certain countries that you simply cannot allow login from.

[David Spark] Like North Korea are we talking about?

[Mike Johnson] Dear, dear listener, we understand that you can’t allow that, and so we’re just going to put an asterisk on that. So, really, I think what you have here is in one situation, you’re blocking the business and the other, you’re enabling the business. You may not be enabling the business in the way that you desire the most, but your entire workforce, including your CEO, is productive when they’re away from the office, when they’re traveling, and you’re going to cut all of that out in that first case. In the second case…

[David Spark]  Now, I just want to say this. The first case is just telling the CEO, maybe the CEO is a more high-profile target, and that’s why the security leader tells the CEO that he or she cannot work. But you’re qualifying saying everybody.

[Mike Johnson]  There’s the underlying aspect of it, right? It’s unlikely you’re going to say, “You know what? This entire company of however many people, you can all log in from wherever you want, but oh, CEO, you are the one person who can’t.”

[David Spark]  Well, again, I throw it out that it’s possible the CEO is a ludicrously high-profile target, and you’ve got threat data that says X number of people are going after this CEO. Who knows? I’m just throwing that out. It could just be that case.

[Mike Johnson]  I’ve got the question before me. I’m making my assumptions and I’m sharing.

[David Spark]  Pull the trigger. Tell me which one you like less.

[Mike Johnson] I do think the first one is the worst because I am reading that as a company-wide policy, and I am reading that as you’re shutting down productivity for everyone when they’re traveling. If it truly is the CEO, maybe that’s a different thing. But my assumption is…

[David Spark]  Would you change your mind if it was just the CEO?

[Mike Johnson] Well, that’s not the question that you gave me, David. So…

[David Spark]  Well, I say just the CEO. You’re the one who extrapolated, said the whole business.

[Mike Johnson] But at the same time, it seems I cannot imagine a world where…

[David Spark]  I just gave you the world to imagine!

[Mike Johnson] Wow.

[David Spark] The CEO is the target. Your threat data is showing it.

[Mike Johnson] I reject your world, David, and I substitute my own. I’m sticking. I’ve given my answer.

[David Spark] Okay, you say the first one’s worse.

[Mike Johnson] Potentially a bad answer. The audience is screaming at me and I’m fine with it.

[David Spark]  All right. Now, Danny, the second scenario makes your skin crawl, given your business. So, I’m feeling that you may disagree with Mike here. How do you feel? Agree or disagree?

[Danny Jenkins]  Okay, so these are the assumptions I’m going to make. One is the CEO travels regularly and isn’t just going to Mexico for the weekend because otherwise, every security environment you have to go off and make a business decision based on what is the impact of the business one way versus the other way. We always say in ThreatLocker, you shouldn’t allow coupon clippers in your browser that can see your passwords because the value to the business is very low, but the risk is higher. The same applies in this case. We’re going to assume the CEO travels like I do, and they need to access the environment, first of all.

There’s another factor that I’m going to bring into my decision-making process. One is I spent multiple years as an ethical hacker, and I know that only the dumbest hackers in the world don’t access the network from US servers or at least servers in the location. So, I’m actually going to agree with Mike, and I’m going to say leave it open to the world. But I’m also going to say that, of course, no one’s going to do that without having proper controls. And just because it’s coming from a US IP address doesn’t mean it’s good. 70% of hacks come from US IP addresses. We’re not talking about increased risk on the basis that it’s an international IP address. We’re talking about increased risk on the basis that we are scared of our other security systems failing. And if they’re going to fail abroad, they’re going to fail in the US as well. So, I’m sorry. I know you wanted a nice big debate here, but I’m going to agree with Mike. We’re going to keep the business running and we’re going to make sure our security is safe, not just from foreign IP addresses, but from US IP addresses.

[David Spark]  No, we did actually have a debate. You don’t realize that you had a much better answer than Mike had.

[Mike Johnson] Yes. Much better answer, Danny. Thank you.

Please, enough! No, more!

21:05.338

[David Spark]  Today’s topic is endpoint protection. Actually, I can’t believe we haven’t done this topic in the “Please, enough! No, more!” segment at all, I don’t think. So, this is our first time. So, Mike, I’m going to ask you, what have you heard enough about regarding endpoint protection or even EDR, endpoint detection and response, and what would you like to hear a lot more?

[Mike Johnson]  I think what you really just said there about calling it EDR is really the thing that I’ve heard enough of. That was the evolution beyond antivirus, was we then got endpoint detection and response. And I think we’ve had enough. It’s time to move into protection, prevention. Detection response is important, but I would really like to hear more about actually just preventing things. That thing that you detected that shouldn’t be there, how about you just prevent it? Just make it not run. So, I’d really like to see us talk more about moving beyond just detection and into actual protection.

[David Spark]  We talked about this on the show earlier. There was a discussion on Reddit that said, why is it companies that have EDR are still getting ransomwared? Why is that still happening? And I think it’s to the, like, let’s talk about just protection.

[Mike Johnson] I think so.

[David Spark] All right, Danny, I throw this to you, and you could take my reference to that Reddit discussion about why the heck is this still happening with companies with EDR? Let’s start with what have you heard enough about with endpoint protection and what would you like to hear a lot more?

[Danny Jenkins]  I think I’m going to agree with Mike, detection. I’ve heard enough of detection. And by the way, we sell detection tools, and we have a number one rule with our salespeople. Do not bring up our detection tools until everything else has been discussed. Because the reality is, I don’t care how good your detection is and how fast your SOC is. I mean, we have an MDR that responds in 30 seconds. I don’t care how fast they are. When you take an executable encrypting files or uploading data to the internet on a new solid-state disk, you lose that battle. You absolutely lose that battle. You have to stop talking about detection, and you have to start talking about real things that are actually going to stop this to begin with. And the only reason we should ever implement detection into our security is to tell us when everything else failed. And so we should be saying, “Let’s just block unauthorized software to begin with. Let’s take the applications that we have in our environment and limit what they can do.”

Because I saw an attack where… Well, actually, we did a demo of an attack in Dublin last year, where we offered 15 people to come up and get a free trip to Florida, to Zero Trust World, if we couldn’t bypass their security detection by using PowerShell to exfil, a Rubber Ducky in PowerShell to exfil their files. And 15 people in a row came up, had EDRs, had blocked USB drives, and we were able to exfil files on I think every single one of them bar one, and then we had to make a change to do that, without triggering any detection alarms. The best way to secure your environment when we’re talking about endpoint is hardening your endpoint, stopping untrusted software, stopping applications stepping out of their lane, taking away administrative permissions, which will not stop ransomware by itself. But these are the things we need to be doing and not talking about detection.

[David Spark]  Let me challenge you with one item because this is something that comes up a lot in our shows and our discussions, and that is this idea of denied by default. There is this fear that if you have that philosophy, you may prevent the business from operating. You seem to be very much on board with that given your response in the “What’s Worse?” scenario because stopping the CEO from operating is not a good business practice. So, how do you balance that very issue that is very top of mind with our audience, if you’re having this sort of denied-by-default approach?

[Danny Jenkins]  So, first of all, the idea is least privilege, and in most businesses, for example… So, ransomware is software, malware is software, and EDR is looking for malware or attacks in your environment. It’ll look for things like IP scanners and password extraction tools as well. If you ask most businesspeople, 99% of businesspeople, or at least 95% of people who use a computer for work, “What software do you need to run to do your job?” The list is pretty limited. It’s Office, it’s Chrome, it’s Zoom, Teams, a bunch of programs, maybe some production software. So, if you stop anything else running but that, that doesn’t stop the business from functioning. Stopping the CEO from logging in abroad may stop the business from functioning.

There are exceptions. And the goal is least privilege. Developers, for example, may need to compile code all the time. So, in those cases, we’re not talking about not having detection, but we’re also saying limit what they can do, limit that they…maybe they can run all code from Visual Studio, and any untrusted code can’t see our network, so we’re limiting damage. But controls are still the way to go. It may not be block everything, but it may be limit what new programs can do. There are lots of things you can do to stop malware and stop cyber attacks on the endpoint without upsetting and stopping the user.

The reality is most people don’t change the software they run day to day, and as long as you’re tracking updates and doing everything else, which we do for you, in most cases, in ThreatLocker, you don’t need to worry about upsetting the user and stopping the business function. And anyone who’s saying that that’s a problem hasn’t really tried a modern allow listing solution because if they have, they’ll see that it’s effective and easy, and there can be exceptions where exceptions are required.

[David Spark]  You bring up a really, really good point because that is the reality. We do use very few programs. But one of the things we’ve also discovered, and I’m sure you’ve discovered in your detection efforts, is that a lot is running that we’re not aware is running and doesn’t need to run, for that matter. So, you have this extreme imbalance, and I see the value of having this sort of deny-by-default attitude because by default, way too much is running. Yes, Danny?

[Danny Jenkins]  Way too much is running, and way too much of what is running has access to way too much data.

[David Spark] Good point.

[Danny Jenkins] Because every program that’s running, including vulnerable programs… So, if you look in your tray in Windows, you’ll see your QuickCam support app and your SAM support app. All of these apps aren’t written by security professionals. They have access to all of your data. Now, that’s not to say they will steal them, but they could have vulnerabilities, they could have supply chain issues, and any of that could turn into a big cyber attack. So, too much is running, and it has too much access when it’s running.

Are we having communication issues?

28:01.351

[David Spark]  What makes a cybersecurity professional stand out from the rest? A recent post on the cybersecurity subreddit asked what separates the best people in the field, regardless of role, and Mike, get ready for this. You’ll be pleased to hear that the most popular response overwhelmingly was, “Don’t be a jerk.”

[Mike Johnson]  Yes!

[David Spark] Soft skills were also popular with redditors saying the real standouts were those with creative and critical thinking skills, and the ability to communicate outside of cybersecurity. I’m going to start with you though first, Danny, on this. In your experience, what separates the best from the rest in cybersecurity?

[Danny Jenkins]  Now, I think that if I put on a hat as if I was sitting in a CISO’s chair, I would almost say exclusively is that ability to explain to the business the problem in a way that they understand, explain the risk in a way that they understand, but also be willing to tell them, “This is a really bad idea,” and not scared of saying no, or at least recommending no. If I say in general, that’s a non-true statement because we’re a security company, so we’ve got 400-plus security professionals that work for us, and different personalities fit into different roles very well. [Laughter] So, we’re not putting the introvert who has no people skills talking to customers, but we might have them trying to figure out how to create a bypass for a product in the background.

[David Spark]  Mike, I used to do a television show up in the Bay Area called This Week in Northern California, and I was like the tech expert that would come and talk about whatever big tech story was coming that week. And my audience were general consumers. And one of the problems, and I refer to this as the curse of knowledge of when you have too much in your head and you want to say so much, but you really only have three to five minutes to explain it, that you really have to practice, flex those muscles. And I remember my wife, we used to do this on the drive to the recording, is that she would start quizzing me, and I’d try to give quick, sort of snap answers to questions so that would be clearly explained. Let me ask you, have you ever done this yourself where you’ve practiced your response on a colleague or practiced your response to a topic on someone who isn’t a cybersecurity expert to see if they grok it?

[Mike Johnson]  I don’t recall if I’ve tried that, but what I have done is pre-recorded something that I was going to try and explain. Maybe it’s a big presentation coming up. To actually pre-record that, get the camera up, mic, everything, record that, and then listen back to it. And try and listen with that ear for if I’m not an expert, does this actually mean anything to me? Do I understand what’s going on? So, I like the idea of practicing, be it with another person or just change the way that you’re listening to yourself, and that might help you be more concise with your point, but also be more, as Danny said, meeting people where they are.

[David Spark]  Danny, let me ask you this. You’re going to be speaking actually at Black Hat. So, here’s my question. A, will you be rehearsing the keynote? And B, will you be rehearsing in front of an audience and asking for feedback?

[Danny Jenkins]  No and no. And that might surprise you.

[David Spark] Really?

[Danny Jenkins] So, what I’ve learned about talking at events, and I probably did 100-plus keynotes last year, we do 800 events a year in ThreatLocker, is when you’re talking to people, first of all, you need to go in and you need to understand your audience before you go in. When you rehearse something, you come across unauthentic and not true. When you go in and you tell the truth and you speak as you believe it, and you pay attention to what you’re saying – and I try really hard to pay attention, I watch the audience, I watch the feedback – you get a more authentic and accurate story at the end of it.

[David Spark]  Hold it. I’m going to qualify. I totally agree with you if you’re not a performer, if you will, in the sense that someone who’s a performer, who knows how to, I mean – and I’m saying performing in the very literal sense of this, just not a security professional that just knows how to speak in front of an audience, which you definitely know how to do – but a performer like, “Oh, I’m going to do this each time in the same way.” It’s convincing, like an actor would do if they’re on doing theater. I can totally see that that works very well for you, and that if you are too rehearsed, you’re not able to come out authentic. And I guess you know that about yourself. Yes, Danny?

[Danny Jenkins]  Yes. At the very beginning in ThreatLocker, I rehearsed a pitch, and it went very wrong and very unauthentic. And after that I stopped, I refused to do any rehearsals. I make all of the event organizers very stressed. And I show up with a different set of slides to what I sent two days before because I want to talk about something different today, but that’s what I always do. And yeah, where there’s an award for presentation, I normally win best presentation, so I’m not doing too badly, but I also know some people can’t do that. If they don’t have it exactly rehearsed, they cannot deliver a good keynote.

[David Spark]  No, and I totally get that. And I guess really the answer to this, and I’m going to throw back to you, Mike, on this is it’s about knowing just yourself. I mean, I was kind of throwing like, oh, we all need to rehearse, but Danny, you make a really good point. If you know yourself and you know how the audience responds if you do come off too rehearsed, then it’s not you, it’s not right for you, and not all solutions fit. I can do both personally, but when I have to kind of nail it on a presentation, I want to practice it in front of a bunch of audiences just to know how it lands on others. Have you done this, Mike, before?

[Mike Johnson]  I do agree with Danny that one of the worst things that you can do is sound like you’re reading from a script.

[David Spark] Yeah, yeah.

[Mike Johnson] That’s not going to go over well. I do think that one of the things that I found from my own rehearsals, and you kind of addressed this, Danny, is I’ve got the wrong slides. What I want to say is what’s coming out of my mouth right now, and it’s very different than what this slide is. So, I think there is value for me in doing those rehearsals because it does end up in a better place for the overall presentation. Definitely agree, you don’t want to sound like you’re just reading from a teleprompter verbatim flat because people will go to sleep. People will get up and leave, for sure.

[David Spark]  So, I think that what we learned here is know yourself, know how you excel the most, and if you need to rehearse, do it. And if it does not come off as authentic, don’t do it.

[Danny Jenkins]  And know your listener.

[David Spark]  And know your listener. Ah, yes, yes. For example, look, two big security conferences, the RSA crowd, very different from the Black Hat crowd. And I’m assuming you’re aware of that too, Danny. Yes?

[Danny Jenkins]  Yes. And the Gartner crowd again, very different.

[David Spark]  Good point.

Closing

35:32.023

[David Spark] All right. Well, that brings us to the end of the show. I want to thank you, Danny, and I’m going to let you have the very last word. If you have not gone to threatlocker.com, go there. I’m not going to say now because some of you are out walking or you’re driving. Definitely don’t check out their website while you’re driving. You don’t want to be doing that. So, wait till you’re pulled over and go find a rest stop. Before you use the restroom, maybe go to threatlocker.com, then use the restroom. We always recommend checking out our sponsor’s site before they use the bathroom. Do you think this is good advice, Mike?

[Mike Johnson] I mean, if you’re in a hurry, I mean.

[David Spark] Yeah, maybe. Okay. If you’re in a hurry. Okay, yeah, yeah.

[Mike Johnson]  Prioritize.

[David Spark]  Okay. Okay. But go check out their website, threatlocker.com. We greatly appreciate your support. Remember, zero trust endpoint protection platform. The key word there is platform. It’s a suite of solutions that help you in your zero trust effort. Mike, any last words?

[Mike Johnson]  Yeah, Danny, thank you for joining. What I really liked is you continuously related zero trust to least privilege and really bringing back to that, and really reminding us, to your point about buzzwords, what it really means and what it’s really about. And I specifically liked your concept of ring fencing, of isolating applications, programs, whatever, so that they can only see the things that they need, and I think that’s a really good thing for people to think about. So, thank you for joining us. Thank you for reminding us what really matters at zero trust, and I really appreciate you joining us today, Danny.

[Danny Jenkins]  Thank you, Mike. I appreciate that.

[David Spark]  All right, Danny, you get the last word. I always ask our guests are you hiring, are you hiring over at ThreatLocker?

[Danny Jenkins]  Yes, I think we’ve got about 40 people a month that start at the moment.

[Mike Johnson] Wow.

[David Spark] Oh, my God, you’re growing like mad. More than just hiring. You’re exploding.

[Danny Jenkins] I think we’ve grown five times in the last two years, and we’ve got about 45,000 companies that use our platform now.

[David Spark] Holy moly.

[Danny Jenkins] Which range from small businesses through managed service providers, right up to companies like JetBlue, parts of the U.S. Navy, other large airlines, banks, hospitals.

[David Spark]  Excellent. Well, obviously, go to threatlocker.com. Do you want to say anything else about the company or any special offer you want to make to our audience?

[Danny Jenkins]  Yeah, I think the main thing is come and check out what we do. We will show you what the applications are in your environment. We’ll show you the potential vulnerabilities of those applications, what they have access to. And we’ll even show you research on every single application you’re running, which will include previous vulnerabilities, what the application has…data it has access to, what countries the applications were developed in. There’s a big shakeup at the moment of software developed in Russia. Again, just because it was developed in Russia doesn’t necessarily mean it’s worse than if it was developed in the U.S., but it gives you information that you can then use to one, harden your environment, or two, go to your board and make justifications for changes.

[David Spark]  Awesome. Thank you very much, Danny. Thank you very much to ThreatLocker. And thank you to our audience. We greatly appreciate your contributions – even your “What’s Worse?” scenarios, send more in – and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.