“Less money, less resources, and a giant target on your back” isn’t exactly a great pitch for recruiting cyber talent. But that’s exactly the pitch municipalities have to make to their staff. So how can we set up municipal cybersecurity to succeed in what seems to be a thankless task?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is Charles Blauner, formerly of Team8 (at time of recording) and now operating partner, Crosspoint Capital.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Material Security

Full Transcript
Intro
0:00.000
[Voiceover] What I hate about cyber security? Go!
[Charles Blauner] I hate all the backseat drivers. It’s actually become institutionalized in a lot of organizations to have whole teams designed just to double check and question every decision a CISO makes.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of said CISO Series. And joining me as my cohost from episode one back in June of 2018, that would be Mike Johnson, the CISO over at Rivian. Mike, say hello to the audience.
[Mike Johnson] Hello, audience. It was episode one and a few in between. So, it wasn’t just episode one and then this one.
[David Spark] Correct.
[Mike Johnson] One or two in the middle, yes.
[David Spark] Thank you for clarifying that. [Laughs]
[Mike Johnson] [Laughs]
[David Spark] There have been a few more that you have done.
[Mike Johnson] Back from episode one.
[David Spark] There are a few. Actually, we should have… Dwayne Malosin [Phonetic 00:01:00] was our first guest. I should get him back on again.
[Mike Johnson] That would be amazing.
[David Spark] Yeah, we should get him back on. I’ll bug him.
[Mike Johnson] We should actually dust off all the exact same topics and basically just do that first episode all over again.
[David Spark] Yes. And just say, “Look, I’m not as bad as I was when I first started.”
[Laughter]
[David Spark] All right. Our sponsor for today’s episode… Thrilled to have them back on board again. It is Material Security, secure email from every angle. And actually, they have a very, very cool take on email. Looking at it as your biggest data repository. It’s pretty darn cool. So, more about that later in the show.
But, Mike, this episode is going to be dropping really on the first full day of RSA. Tuesday, the 29th of April. And here’s my take on RSA. I think everybody who goes has wide eyes and deep pockets. And everyone’s attitude is, “Yes, I want to buy that.” “Yes, we’re going to do business together.” And then when the show is over, it doesn’t really work out exactly that way, does it?
And by the way, I’m asking you, Mike, and I do also want to bring in our guest, Charles Blauner, who is the operating partner and CISO in residence over at Team8. Charles, have you seen or experienced this from either side? From being a buyer or a seller.
[Charles Blauner] So, solely as a seller, it’s been unique. But I spent most of my life there actually as a buyer.
[David Spark] Do you go in with a little bit too much excitement about all the things you would like to have?
[Charles Blauner] No.
[David Spark] You don’t?
[Charles Blauner] Not at all. I don’t. But I think I come from a very sort of spoiled place. I was always from early on a very early adopter of technology. And so I sort of lived on the cutting edge already. And so for me, RSA was really a little bit more like Davos [Phonetic 00:03:02]. It was just a place of concentration.
[David Spark] Yes.
[Charles Blauner] A place to meet everyone at one time.
[David Spark] We refer to it as the gravity that the event creates.
[Charles Blauner] Absolutely. And as a CISO, it’s a huge timesaver. But at least for me, I didn’t go in there that way. Quite honestly, I went in there the opposite. I walked around with my badge turned around just to make sure none of the vendors knew who I was.
[David Spark] Okay. All right, Mike, I cut you off earlier, my apologies, in the process of introducing Charles. Do you find this…? Because actually you’ve always been on the buyer side yourself pretty much.
[Mike Johnson] I have. Generally, yes. And I actually thought you were telling a joke about walking in with wide eyes and a fat pocketbook because I don’t think that’s reality or has been for a while.
[David Spark] No, no. It’s wide eyes… Here’s the thing. I’ll just say when vendors talk to me about sponsorship, and I love it, and we have lots of great sponsors… And this is also even before I started the CISO Series. Sort of the percentage of excitement and the desire to do something was much higher than what actually came to be after the event.
And I think this happens to a lot of people.
[Mike Johnson] Right. I think that’s reasonable though. Because in some essence, this is our tribe coming together. You’re suddenly surrounded by a whole bunch of other cyber security professionals, and you can just talk cyber security all day long. And that’s what really generates the excitement at big conferences like that.
[David Spark] I think you’re being too polite.
[Mike Johnson] Well…
[Charles Blauner] No. But I think he’s right. But I also think…
[David Spark] No, he’s right. You’re right.
[Mike Johnson] Thank you, Charles.
[David Spark] You’re right, but you’re being too polite. And this is my argument. And, Charles, I do want to hear from you. The thing is people have a hard time saying no to people to their face. [Laughs] And that’s a bad thing. Charles?
[Charles Blauner] It is harder to say no to someone in person. That is correct. But I also think it has to do with where the power is. The buyer has the power. The vendors are all getting excited because going to an event like RSA, or AWS, or any of the big ones is almost just table stakes for them.
They have to do it there, and they have to do good because otherwise people wonder, “Why aren’t they here?” All right? I don’t think most of them think of it… I mean if they think of it as a huge opportunity to generate new business, I agree, they’re not going to get a good ROI. The only companies I’ve ever seen get a good ROI at RSA are the ones that win the Sandbox.
If you win the Sandbox, that’s a big deal.
[David Spark] Not true. I know a lot of people who bought the simple 10×10 booth. Because Haroon Mir [Phonetic 00:05:53], he wrote a whole writeup about…
[Mike Johnson] He wrote a great article about that.
[David Spark] Yeah. About like why it did pay off, and he kind of showed all the pros and cons, and what he actually spent. Put out the dollars, and it was pretty impressive. Regardless, we’re not doing a whole show about RSA.
[Charles Blauner] Yes, but that’s a smart person who did the little 10×10 booth. The vast majority of people are spending huge amounts of money with big, fancy booths. And yes, the little 10×10 booths on the edge perimeter of the floor are much more interesting than the center of the floor is.
[David Spark] We hear that all the time. By the way, I do want to remind everybody, Charles is going to be speaking on Thursday. So, if you are actually hearing it on Tuesday and you’re at RSA, you’ll want to see Charles speaking on Thursday, and we’ll get to that at the very end of the show. Let’s jump into this.
Let’s talk community.
6:39.585
[David Spark] Can a model created by Benjamin Franklin help us with cyber security? Well, Craigslist founder, Craig Newmark, seems to think so. His philanthropic foundation has been funding a series of volunteer efforts like the Franklin Project to protect water infrastructure, and he recently announced Volunteer Network for Civil Cyber Defense that will act as a coordination layer between cyber security volunteers and local governments as reported by Cyberscoop.
This sounds great, but how do you make these kind of cyber volunteer efforts work? Does this amount to a see something, say something effort? If you come up with a system to give these volunteer groups any kind of access, doesn’t that become a giant target for threat actors and defeat the point? Mike?
[Mike Johnson] I really love what Craig is doing. And I can say this with some experience. I’ve been part of the Shadowserver Foundation for a long time. And we’ve been working with Craig for a few years. So, I’ve seen how he supports these organizations. And a lot of what they’re doing is really just focused on overall improvement of cyber security of the internet or of areas that are under invested in and frankly don’t even really have the opportunity to be invested in but are of critical importance.
And that’s really what Craig is focusing on. And we are seeing some of the results of that. In terms of what it looks like, it varies wildly. It’s not like he’s funding efforts where they’re going to go sit somebody down to watch the SIEM console of a government. That’s not really what’s going on. Some of this is education.
Some of this is being able to do penetration testing or vulnerability analysis to help find weaknesses in these systems before the adversary, before the attackers do. So, it really can take the shape of many different volunteer opportunities. And on the flip side, you’ve got all these folks who really just want to help.
A lot of us in cyber security, we just want to help. We don’t know how to. And quite often what we need is that matchmaker, and Craig is really helping with that.
[David Spark] That is very key. All right, I throw this to you, Charles. This whole concept of collective defense, it’s not really new. But how does it manifest itself? Mike gave a few examples. What can you tell us?
[Charles Blauner] To me, collective defense is not…it goes back at least in the cyber space to the 1990s when we started to build the ISACs. And it is really about this realization that within an industry, the real competition in cyber is a bad guy. And so the idea of collective defense… I think when you think about the example that we were just talking about, the volunteerism, you can see it even in banks.
And I think 2012 was a great example. The government of Iran was pissed off with the US. They did a bunch of DDoS attacks against the US banks. A lot of smaller banks got targeted that didn’t have the wherewithal to understand how to defend themselves. And so a collective of the larger banks actually got together and actively helped defend the smaller banks.
And so that’s an example of it. I also think what we were just talking about… And the idea of it being broader than just active defense is really important. Because I think one of the things that the CISO community has been better at than almost any other community you’ve ever seen is this idea of mentoring.
All right? Because I also think collective defense is about how CISOs sort of help each other through the networks that they build. I’ve always felt that CISOs were each other’s best therapists and best advisors, and so this is another form of collective defense.
Why are we still struggling with cyber security hiring?
10:57.174
[David Spark] “Less money, less resources, and a giant target on your back,” isn’t exactly a great pitch to recruit cyber talent, but that’s exactly what municipalities have to do. There will always be people drawn to public service, but how do municipalities recruit beyond that pool? In a piece for CSO Online, Deb Radcliff points out that government jobs often have lengthy recruiting processes that include background checks where candidates can leave for other positions that respond faster.
And typical internship to employment pipelines aren’t as straightforward with the government. So, Charles, I’m going to start with you. What creative recruiting techniques have you seen work? And especially for municipalities that, well, don’t pay as well, and, heck, I don’t know if we’d have the same sort of cyber infrastructure as maybe a bank where you used to work.
[Charles Blauner] That’s a really interesting challenge. One of the things I’ve been privileged with since I stepped away from being operational was the two times I was on the National Academy of Sciences committees. Once we looked at the FAA’s cyber workforce. I think the point made earlier about people being motivated by the mission is really critical.
Everyone I interviewed at the FAA, it was extraordinarily mission driven. I think the biggest challenge we run into honestly is HR organizations. HR organizations, whether they’re in government or in big industries, are very fixated on very sort of set ways of doing things. They look for degrees. They look for acronyms that say you’ve gotten a certain award, or certificate, or something along those lines.
And in cyber today, we have to be a lot more creative. We have to do things like look at vets coming out of the military who may not have had college degrees but who have had years of experience. We need to look at people who may not have done great at school but have the great skills that you might need.
And so I think we need to get our HR partners to start thinking differently. Because most of the CISOs I know and talk to see all this talent and actually get frustrated by the HR rules that prevent it. And actually one of the things we recommended in this report that… It’s in the congressional record.
You can go read it on the FAA. Well, as we talked about that process and we talked about how the government needs to sort of think much more creatively about the rules of what they want as sort of the entry requirements… Because they take most candidates, and they never even get a chance to be interviewed because they don’t meet some tests.
And that’s ridiculous because we do need more workforce. Especially in those places.
[David Spark] Mike, let me throw to you. And when this subject comes up, I always give a tip of the hat to Jesse Whaley, the CISO of Amtrak, who’s created a real pipeline. And Amtrak is kind of a pseudo government institution. I think government has the capability to create a training pipeline. And when you’re talking about individual municipalities, it’s a little bit harder, I guess, for them.
But I mean I think that’s where they have maybe an edge over others. Yes or no? Am I thinking out of turn here?
[Mike Johnson] No. No. I think that’s one of the opportunities that they have is first of all to recognize that they can be a way station rather than hiring folks who are going to be lifers, to Charles’s point about being more creative. I think a lot of them expect that they’re hiring these lifers.
But if they just recognize that we’re going to hire some people. They’re going to work here for a few years. They’re going to get experience that they can’t get anywhere else. A scale and an impact that they can have in an organization like a municipality, you can’t really do that if you’re just getting started at a bank.
While the scale of a bank is huge, that’s the little fish in a big pond thing versus going into a municipality. It’s a small pond. You really have this opportunity to have an impact. So, I think that’s where these municipalities could think more creatively is to recognize those.
[Charles Blauner] Yeah. But can I give you an example? I think the best ways municipalities honestly can attack this is honestly through their own tax policies within the municipalities. Because you can do things like encourage large companies that may have large offices or headquarters in certain states or certain municipalities.
You can encourage them to have things like rotation programs in and out of government. And then you can encourage that through tax policies. There are certain countries in Europe… Singapore has done that really well. Working with companies through tax policies. They’ve driven internship programs and the like.
And so you’re a city in the state of Minnesota. There are a bunch of very big companies headquartered in Minnesota. You could talk about policy and how you build a relationship between governments and those companies.
[Mike Johnson] I think that incentives are a great idea. And at a former company, a former employer, we had someone who came from the Australian government who just came and worked for us for a year. No cost to us. And he was a great employee, and he actually ended up coming on full time. The government agency knew that that was likely to happen, and that was a way that they would bring people into their programs.
Because they would say, “Look, we can get you placed somewhere. We’ll be able to create a long-term career for you by doing that.” So, I think that’s a great example of where they can get creative.
Sponsor – Material Security
17:12.708
[David Spark] Before I go on any further, I want to tell you about our brand new sponsor, and that would be Material. Now, your cloud office is the heart of your business, but it’s still protected by a patchwork of point solutions and manual workarounds. Now, modern companies run on Google Workspace, and Microsoft 365 where documents, data, communications, and accounts live, yet while other critical assets have purpose built security.
You know, EDR for endpoints. IAM for identities. CSPM for cloud workloads. Your cloud office remains rather exposed. So, it’s time to protect the system your business relies on with dedicated security built for cloud workspaces. Material security is the only detection and response platform purpose built for protecting your company’s cloud workspace.
Now, siloed point solutions might stop some threats at the gate but leave massive gaps between tools. Material provides continuous protection across your cloud office environment before, during, and after an incident. Material automatically identifies vulnerabilities and suspicious activity, reduces the impact of a breach, and protects sensitive data even when credentials are compromised.
Now, sophisticated email attacks, risky misconfigurations, Shadow IT, account takeovers, Material not only monitors everything continuously, it applies fixes and steps in to make sure information only flows where it’s supposed to go. So, if you’re ready to stop trying to fill the gaps and start getting ahead of threats, you got to check out Material Security.
Super easy to find. Just go to material.security. That’s it. That’s the web address. Go there, check them out.
It’s time to play, “What’s worse?”
18:59.380
[David Spark] All right, Mike.
[Mike Johnson] All right.
[David Spark] Are you up for another, “What’s Worse?” Charles, I’m just going to warn you… Are you familiar with this game? Do you know how this is played?
[Charles Blauner] No, but I’ve been waiting for it with great anticipation.
[David Spark] That was a good answer right there.
[Mike Johnson] Good answer.
[David Spark] So, there’s two horrible scenarios that are submitted from an audience member. Sometimes past guests in fact, too, as well submit to us. And they both stink. On rare occasions you’re selecting between two good options. But they both stink, and it’s a risk management game. You have to tell me which of the two crappy scenarios stink more.
All right?
[Charles Blauner] Okay.
[David Spark] So, this comes from Jonathan Waldrop, CISO over at The Weather Company. And there are the two options. And I always ask Mike to answer first, so Mike is answering first here. And by the way, Mike usually repeats the question. He hems and haws often on these, too, as well. I’m setting you up for familiar here, Mike.
I know.
[Mike Johnson] I’m used to it, David. I appreciate it.
[David Spark] Here we go. Scenario number one. It’s an onboarding process that grants excessive permissions in an effort to make onboarding faster. Accounts are overprovisioned, and people have more access than they really need. Or you have a terrible offboarding process where departure terms aren’t well documented, and sometimes you don’t find out that a person left until they’ve been gone a good three months.
So, you’ve got like ghost accounts with tons of permissions, and who the heck knows what’s going on. Which scenario is worse, Mike?
[Mike Johnson] I feel like just going ahead and blurting out an answer and then just stepping back.
[David Spark] Just to spite me? [Laughs]
[Mike Johnson] Just to spite you. So, what you’ve got in the first case is people being onboarded. They get too much access. But presumably they’re being offboarded well.
[David Spark] Yes.
[Mike Johnson] And that’s the trade off and the back and forth. And the second one, they’re getting offboarded poorly. But while they’re working for the company, they have exactly the right access. So, that’s kind of the tradeoffs here.
[David Spark] Right. But you could be letting someone go that has admin access, and then that thing could just be left wide open.
[Mike Johnson] And that’s… I mean you’re helping me with my answer here, David. Because I really do think the worst case scenario is a former employee having access to a company they don’t work for anymore. They have no obligation anymore. They might have an ax to grind. There was a case years ago where somebody was fired from the City of San Francisco, and they basically shut down the entire network after they had already been fired.
So, we have case after case of how that is a terrible thing. So, I do think this one is actually easy for me. That they keep access after they’re gone. That’s the bigger issue.
[David Spark] But let me just argue a little bit. In the first case, it’s perpetual too much access for a longer…for a much longer time versus just three months at most.
[Mike Johnson] And these both suck. This is our scenario here. And in the first one…
[David Spark] All right. Well, I’m just trying to fight back to see if the other scenario could be worse. You might change your mind. Because by the way, we have evidence that you’ve done this before, Mike.
[Mike Johnson] Once.
[David Spark] We had one of our guests convince them the other way. Maybe Charles wants to do that. We’re going to find out. We’re going to Charles on this one.
[Mike Johnson] Give it a shot.
[David Spark] Charles, which scenario is worse, and do you disagree with Mike? And if you do, are you going to convince him to come to your side?
[Charles Blauner] I do disagree with Mike.
[David Spark] Good.
[Charles Blauner] I don’t know whether I’ll convince him to come to my side. But honestly, especially from the background that I came from, overentitlement and toxic combinations can cause huge issues operationally everyday. Fraud losses operationally every day. And I would honestly pick to have every human being perfectly provisioned and deal with their exit risk because maybe I have a chance that I only do one thing right from a deprovisioning perspective and maybe just deprovision their remote access token.
Maybe that’s the only thing I get right. Maybe I’m lucky that way. But the truth is that overprovisioning, living with it every day is a huge operational risk. And from the most simple thing, if you’re a publicly traded company and you are wildly overprovisioned, you will never get an auditor to sign off on your books, which as a publicly traded company is the death knell.
[David Spark] You’re sure you don’t want to jump over to Charles’s side, Mike?
[Mike Johnson] No. Because if the argument rests on that, also not deprovisioning people is also not something that auditors are going to sign off on.
[David Spark] Auditors hate… Well, here’s the thing. What do you think an auditor would find worse?
[Mike Johnson] They both suck. And the fact of the matter is the auditor is going to write them both up.
[David Spark] [Laughs]
[Mike Johnson] And they’re not going to say one is worse than the other. They’re going to say, “Both of these are really terrible, and you’re going to have a bad day.”
[Charles Blauner] Yes, but, again, we’re picking between two horrible situations. So…
[Mike Johnson] Absolutely. Absolutely.
[David Spark] Yes. Do you want to burn, or do you want to drown?
[Laughter]
[Mike Johnson] Morbid way of putting it, David, but thank you for bringing it there.
What’s the future for a CISO?
24:31.172
[David Spark] We’re slowly seeing reporting structures for CISOs changing. But the size and ownership of the company plays a big part. By the way, this was a huge surprise to me. So, listen to this. A recent survey by Hitch Partners found that about 30% of all CISOs at public companies still report to the CIO, and that was down 9% on the year.
For privately held companies, more CISOs reported to the CEO directly, about 20%, than the CIO. But company size also played a big role in who you report to. For organizations with less than 250 people, a third of the CISOs reported to the CEO. But for companies over 5,000, it was just 2.5%. So, in those large companies, 42.6% of the CISOs still reported to the CIO.
So, I’m going to start with you, Mike, because I know you’ve had sort of different experiences with this. Is CISO reporting structure just the function of old corporate architecture? Is it outdated? Why do we see this trend as companies get bigger?
[Mike Johnson] When can we stop having this debate over the ideal reporting structure? The fact…
[David Spark] But no… No, no, no.
[Charles Blauner] [Claps]
[David Spark] Charles.
[Mike Johnson] [Laughs]
[David Spark] But I’m more interested in the fact that this is so tied to company size it seems.
[Mike Johnson] So, the reality is what you’re actually seeing is more and more small companies are getting CISOs. That’s really what underlies this data. This is not that we’re seeing some dramatic shift, and these companies are making these decisions. It’s that they didn’t have a CISO before, and they were just like, “I don’t know where to put it.
I’ll just make it yet another one of my responsibilities.” So, I don’t think this is some necessarily intentional design. It is just a function of that there are more CISOs than there used to be.
[David Spark] Okay. Well… But it also… Same thing is the larger companies had CISOs for long periods of times, probably. But, again, it could be just part of the old reporting structure, too, for the matter. And also throw this out. Younger managers definitely shake up their reporting structure in general.
[Mike Johnson] And in many cases, the younger companies, they don’t have CIOs. That’s not even a concept that they have.
[David Spark] That is very true. I remember… And this goes back 10, 12 years ago. I remember I had to go to an AWS re:Invent conference, and I was asking people about their IT department. And I would say at least half… And, again, I was at an AWS re:Invent. But at least half said, “What IT department?” It’s like, “We’re all cloud based.”
[Mike Johnson] Yeah, I think that’s one of the things that you see in these startups, and that works fine for them. And it works fine for a period of time. The other thing that I think folks may not really fully comprehend is in a lot of companies the CIO actually owns all of the technology. So, in one of these startup companies or a company where the CISO is reporting to the CTO that is the equivalent of reporting to a CIO in a lot of companies.
So, it’s a debate that really just doesn’t matter. And the data is so messy that it’s not really telling us anything, and people really anchor on the CIO reporting to the CEO is somehow the best reporting structure ever. And in some organizations and some companies, that works great. And in a lot of others, it doesn’t.
And so that’s why the CISO reports not to the CIO. Because that doesn’t work well for that company.
[David Spark] All right. I throw this to you, Charles.
[Charles Blauner] So, I’m going to make a controversial statement. Having been the CISO of three very large banks. Two controversial statements. One is that in a large enterprise…in a really large enterprise if the CISO is reporting to the CEO, it’s a problem. All right? The CISO should be worrying about bigger things than just cyber.
And I don’t think it actually should report there. The other thing I would say is… Because people always ask me more about CIO versus like CFO or… You can’t do it in banks, a chief risk officer. But what I’ve always said is the reporting line is irrelevant. A CISO is going to be successful if a company has got good culture and good governance.
And irrespective of a reporting line. You could report directly to the CEO and have your best buddy be the chairman of the board. But if the company doesn’t have good culture and good governance, you’re still going to fail from a CISO’s perspective. And so we should just stop talking about where it reports and just make sure that they’ve got the right support, and culture, and governance to help whoever it is be effective.
Can this be measured?
29:25.007
[David Spark] “We are still struggling to understand the efficacy of security controls, especially when looking at the aggregated industry wide level.” Many people fundamentally believe that cyber security is too complex for industry standardization, so they fall back on “oracles and soothsayers,” argued Ross Haleliuk in his blog Venture in Security.
Cyber Security is not the only complicated field. Medicine is also highly complicated, and they’ve figured out medical classifications with the use of diagnostic, procedural, pharmaceutical, and topographical codes to provide a statistical basis for a host of research and services.
An equivalent for cyber security would be “codes” for adversarial tactics and techniques, defender counter measures, security capabilities from different tools, and ways for describing where attacks were observed. Now, I know all of you are going to say, “Well, the first two are actually covered by the MITRE ATT&CK and D3FEND frameworks,” but the bigger problem is creating incentives for companies to share relevant data needed to make the system work.
Now, Ross points to the cyber insurance industry as a possible solution. If we can’t have a full standardized system like medical coding, can we move beyond relying on oracles and soothsayers for security solutions and techniques? Mike, I’d be interested to know if you believe this whole take from Ross?
And a lot of people sort of just say, “Oh, these wise sort of soothsayers of cyber, they are the ones to guide us.”
[Mike Johnson] Right. I do think we need to recognize that it’s not just a matter of people saying, “Hey, I’ve been doing this forever. You should listen to me.” “Because I said so,” is a terrible reason to do anything. And so I do think the mention of oracles and soothsayers or ivory tower pronouncements that are unassailable, that’s not… I actually don’t even think that’s the world we live in anymore.
We have people who are challenging what security is saying and advising and then actually having a meaningful debate to say, “Well, we should do this instead.” I was literally having a conversation earlier today about maybe our password complexity requirements are done, and we should do them in a different way.
And that’s using our own concepts against us. Like what is our risk based model that says that’s what they should be? So, I do think we need to make sure that we’re challenging ourselves.
And I think other teams should challenge us, and we should have the conversations that are somewhat based on experience. At the same time, I’m not going to be the best developer ever. And I should rely on folks who have done that, have them do that job. But we do need to have a better way of coding our knowledge and being able to share expectations and reusable concepts.
This is where the paved path concept comes into play where we should be providing tools. We should be providing implementations that teams should use. Not just saying, “Thou shalt not do that.” That’s not really a productive way of moving forward.
[David Spark] All right, I throw this one to you, Charles. I mean I get the sense that… There are a certain percentage of people that just sort of hang on the words of what fellow colleagues say or people who are far ahead of them in cyber security. And like, “Well, this person obviously knows more than me.
I should just listen to them. There’s no rating system that tells me something is working or not, so I’ll just take that person’s advice.” What do you think?
[Charles Blauner] I think there are a couple of different things sort of intermingled there. I actually do this whole talk about the evolution of the CISO over the now 30 years. And I have these different dimensions of evolution. One of the things I added more recently was actually this dimension called professionalism where I talked about the fact that from a scale of evolution perspective, people evolve from amateurs, to artists, to professionals.
The problem is there’s no good definition of what a professional CISO is or what good is. And so that gets complicated. But I want to get back to the insurance thing and the data thing. Because I think part of where I have problems with some of those attempts is that they’re very technology focused. Looking at what tools and looking at what configurations you have and all those sorts of things.
And I come from maybe a different perspective where I want to measure process. I don’t really care about the tooling and the technique. I want to be able to measure processes and outcomes. I think that gets complicated to do in a way that’s standardized across lots of companies. Because while everyone maybe uses these three or four products at a certain space, everyone’s policies and processes are different.
And you’re never going to standardize everyone’s process. That’s where I have the sole measurements question.
[David Spark] But I think Ross makes a good point. Medicine figured it out, but we can’t figure it out in cyber. Is it just because medicine has been around longer? And the body is a physically limited human structure? Is that kind of the reason we can’t kind of make a one to one comparison?
[Mike Johnson] I do think a lot of our frustration does come from the fact of, “Hey, we should have already solved this already.” But we don’t stop to recognize how long this career has been around. And it’s not that long.
[David Spark] Right.
[Mike Johnson] And that’s not a long time when you compare it to medicine. But the early years of medicine were probably filled with frustration, and, “Why can’t we solve this?”
[David Spark] Well, what are we talking about? They used to cure people with leeches.
[Mike Johnson] And a lot of people would die. Right.
[David Spark] [Laughs]
[Mike Johnson] Right.
[David Spark] Let me ask you. Okay, let me throw this to you. What is the equivalent in cyber from our history of curing networks with leeches? What do you think that is? Like at the time we all believed it, we look back and go, “My God, how stupid were we?” I can’t think of what that is, but is there an equivalent to that?
And I throw this out to the audience as well.
[Mike Johnson] Passwords. Just the concept of passwords in general is just…
[David Spark] Right. What am I saying? It was insecure to begin with.
[Mike Johnson] It never had a chance.
[David Spark] I mean you could literally print out the passwords in the 1960s when they were first introduced.
[Mike Johnson] Yep.
[David Spark] What do you think, Charles?
[Charles Blauner] Passwords are up there. I’d actually say… But there is one other difference. When I think about trying to compare this to medicine, there are a lot of really good equivalencies. But I do think it’s a little bit like trying to practice medicine inside of a biohazard lab that’s exploded.
[Laughter]
[Charles Blauner] Because one of the things that’s really different is this active adversary. Evolution of microbes evolving to attack a human body takes time. Criminals evolve really fast. So, I think that active attack environment is to me different between cyber and medicine.
Closing
37:15.041
[David Spark] And that is a good place to stop. On this very episode, I want to thank our guest, and that would be none other than Charles Blauner, the operating partner and CISO in residence over at Team8. Charles, you are speaking this Thursday at RSA. What are you speaking about?
[Charles Blauner] So, the truth is we don’t really know.
[David Spark] So, hold on. Set us up. What is this that you’re doing?
[Mike Johnson] Great.
[Charles Blauner] This is the second year in a row. It’s the last session at RSA on the keynote stage. It’s called “CISOs Unchained.” And the premise is that while you are in your operational seat as a CISO… Sorry, Mike. You have corporate bounds that prevent you from actually speaking your mind in public.
Because lawyers and communications folks get really upset. I once had my CEO call and say, “Charles, what the heck did you say?” Because the “New York Times” quoted me. And so when you retire or semi-retire and stay active…
[David Spark] You’re unchained.
[Charles Blauner] You’re unbound. You’re unchained.
[David Spark] You and other retired CISOs are going to just talk smack about the industry. Is that the idea?
[Charles Blauner] Exactly.
[David Spark] Aw. This sounds like fun. [Laughs]
[Charles Blauner] Yeah. So, joining me this year is going to be Ed Amoroso [Phonetic 00:38:27], Jim Ralth [Phonetic 00:38:26], and Kristin Davies [Phonetic 00:38:27].
[David Spark] Okay. Well, awesome. Well, actually all these people you’ve mentioned we’ve had as guests on the show. All of them.
[Charles Blauner] I’ve got a different group of CISOs joining me this year. And my hope is in the future it’ll be going on forever and ever with four different retired CISOs every year forever and ever.
[David Spark] All right. Saying all the things they wanted to say when they couldn’t say them.
[Charles Blauner] Just like the cryptographers panel.
[Mike Johnson] That sounds amazing.
[David Spark] So, that’s going to be Thursday sometime? What time? Do you know?
[Charles Blauner] Thursday afternoon. Like I said, it’s the last session on the keynote stage before…
[David Spark] Oh, okay. Cool. Very good.
[Charles Blauner] Whatever their special event is this year.
[David Spark] They always have some celebrity there closing it out. All right, well, I want to thank you. What I also want to thank is our sponsor, and that would be Material Security. Go check them out at material.security. That’s it. Just material.security. For their very, very unique email security solution, which is not just stopping phishing.
It’s actually your database of knowledge and essentially protecting that as well. I want to thank you, Mike Johnson, as always.
[Mike Johnson] Thank you, David.
[David Spark] For supporting our phenomenal work and being there since day one when we started this whole thing. And to our audience, we greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week In Review. This show thrives on your input.
Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to the CISO Series Podcast.