There’s no shortage of frameworks that offer ways to manage and configure your security program. While they may be providing some guidance, are they offering advice that appears beneficial but doesn’t actually improve your security posture?
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Ross Young, co-host of CISO Tradecraft. Joining us is Dan Walsh, CISO, Datavant. Be sure to check out Ross’s book Cybersecurity’s Dirty Secret: Why Most Budgets Go to Waste.
Join the conversation on LinkedIn
Huge thanks to our sponsor, Fenix24

Full transcript
Intro
0:00.000
[David Spark] There’s no shortage of frameworks that offer up ways to manage and configure your security program. While they may be providing some guidance, are they offering up advice that appears beneficial, but really isn’t improving your security posture?
What should we stop doing?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me as my guest co-host for today’s episode, and you’ll find out why in just a second, it is Ross Young, co-host of CISO Tradecraft and author of a brand new book, Cybersecurity’s Dirty Secret: Why Most Budgets Go to Waste.
Ross, thank you so much for joining us.
[Ross Young] Hey, thank you. It’s my pleasure to be here today. I’m super excited to talk with our listeners and also talk with our guest speaker today, so it’s going to be a fun time.
[David Spark] Well, I am going to bring up the topic in just a second, but first I want to mention, if you’re not aware of our website, CISOseries.com, please spend half of your day there. If your boss gets annoyed that you’re wasting time on our website, have them email me and I will let them know that they should give you a raise.
Our sponsor for today’s episode is Fenix24, redefine cyber resilience. These guys have an amazing amount of experience dealing with the worst day possible. They’ve seen it, and you’re going to want to hear what I have to say about them a little bit later in the show.
All right, Ross, I want to get to our topic at hand because you are the person who brought this topic up on LinkedIn. You recently released a MITRE ATT&CK-inspired framework based around the idea that other frameworks offer unproductive nonsense to consume your time.
You argued that “busy is the new stupid.” I love that line. So, what is the “busy” you think we’ve been doing that’s getting in the way of being effective? And again, I want you to generalize here because we’re going to get into more specifics as we go on through the show, but what is that “busy” we’re doing?
[Ross Young] Yeah, so a lot of times in corporate culture, we’re focused on activities instead of focused on outcome and results. And just think of how much our calendars are busy with meetings that aren’t really that important, how full our Gmail or Office 365 inbox is just full of spam and crap that you’re responding to, and every other thing that just steals your time.
And I thought maybe this is the MITRE ATT&CK that nobody’s talking about: how busy we are instead of how productive we are, and I really wanted to create that conversation for folks to engage and learn from.
[David Spark] And as someone who enjoys the mental satisfaction of physically crossing things off my to-do list, I can understand how people would think they’re being successful when in actuality, they’re not. Also joining us today for our conversation, who has been a frequent guest co-host on this very show and a frequent guest on multiple shows here on the CISO Series, thrilled to have him back.
It is the CISO at Datavant, Dan Walsh. Dan, thank you so much for joining us.
[Dan Walsh] It’s great to be here today, David.
Would this work?
3:12.021
[David Spark] Tarak Hamba of Onward Platform said, and referring to your framework, Ross, “What struck me of your framework is how recognizable these ‘techniques’ are day-to-day, meeting overload, which you referenced, urgency injection, inbox flooding, not as random noise, but as repeatable patterns that quietly degrade thinking.” Oh, I love that.
“The framing of busyness as an attack on effectiveness rather than a productivity problem resonated. I’ve seen technically strong teams struggle, not because of lack of skill or intent, but because attention was constantly fragmented long before meaningful decisions had to be made.
Treating countermeasures like calendar auditing or protected focus time as defensible controls is a clever shift. It makes the cost of context switching tangible instead of abstract. Which ‘technique’ tends to be the hardest to mitigate in practice once people start recognizing these patterns?”
And let me also add Marco Ermini, who’s a CISO over at EQS Group, said, “Busy is actually a very old stupid, but it’s cool that the framework doesn’t really limit itself to cyber. It can be applied elsewhere in the organization.” Very true. All right.
These two quotes very much support your theory here. My question is, how do you identify? I mean, look, we operate in email. We have meetings. How can that be a bad thing, Ross?
[Ross Young] Yeah. So, no one’s saying meetings are a bad thing, but meetings where you’re not actually driving outcomes and requiring individuals to be there for specific purposes create waste. And just think of, hey, we have a let’s just call it a review board or some type of monthly meeting that’s added to everybody’s calendar and you got 20 people going to this thing.
All 20 people probably don’t need to be there. You need the team who’s presenting their thing that needs to be reviewed and maybe four or five, let’s call it decision makers and experts, that provide the guidance, to say, “Can we pass or fail this review?” And so, by scoping things to say, “Who’s the right person who’s going to be there?” That’s a key thing.
Another thing I’ve really found that’s important are meeting agendas. How often have you been invited to this blank calendar entry? You have no idea. You show up and it’s just like a waste of your time. If we just go back and challenge to say, “Tell me what the outcomes you want to achieve in this meeting are,” then we can figure out if it’s even worth attending in the first place versus just showing up and wasting time.
So, little tips and tricks like that, I think, are key things we really have to focus on.
[David Spark] So, Dan, a lot of what Ross is talking about is really just general organizational efficiency, which sometimes can hurt people like, “Hey, I wanted to be invited to that meeting,” or “How am I going to progress in the company if I don’t know what’s going on?” You have to kind of play that balance of being efficient but also allowing people to know what’s going on and being able to be seen and grow within the company, yes?
[Dan Walsh] Oh, a hundred percent. And I think especially in fast-paced environments, it’s very difficult because you bring someone into the company, they need to develop relationships. They need to get contacts. The way they do that is attend meetings, sometimes as a non-active participant.
And so, that is very difficult. But I think, and I agree with Ross, it goes back to, like, what is the outcome? What is the goal? What is the thing we’re trying to achieve? And really, it’s more of like a systems mindset, right? Our businesses exist to produce an outcome.
So, in that same way, our meeting and our other corporate rituals should exist to do the same.
Who’s losing out here?
7:03.941
[David Spark] Michael Rebultan said, “If ‘busy’ has become the default operating mode that masks urgency with activity and distracts strategic thinking, how do we know whether our SOCs and leadership are truly advancing security or just perfecting the art of looking important without moving the needle?” That is a good point, and I want to drill into that.
Jeremy French, CISO over at Stetson University, said, “Everyone sending in their requests as high importance and immediate resolve requests is what eats my time. They do this through back channeling. I’ve already taken the approach that if it isn’t a ticket, then don’t focus on it. Cut off the back channeling.”
So, let’s start with Michael’s quote here, Dan. How do you identify that just being busy isn’t actually moving the business forward? Because people might get really defensive, like, “Hey, we got to stop doing this,” or “I can’t stop doing this because I need this.” I’m being super vague here, but maybe you can give some examples of how you’ve isolated an ineffective task that was always being done, but it was just busy work.
[Dan Walsh] So, I think what needs to be accounted for that’s not necessarily accounted for in Michael’s quote is what is the maturity of the organization or the team that you’re trying to evaluate on whether busy is a distraction or is actually valuable?
Right? So, if we take a SOC as an example, right, let’s say you come into a security operations center as a new security leader. They’ve got a ton of alerts, but they can’t understand their mean time to detect. They can’t understand their mean time to contain.
They don’t have a baseline. How are you measuring them and really focusing on what’s important and what you need to measure is important?
And then if they do have established metrics, as the function matures, those metrics and those outcomes should continue to mature, and so they should change. And so, one of the things that I’ll look at and I’ll say, “How old are these metrics?” “Well, we’ve been measuring this thing for three years.” Well, unless you are like a world-class SOC in this example, that’s probably time to change the measurement because now you’re running the risk of just doing busy work.
[David Spark] All right, Ross, you wrote this framework. Do you have any sort of telltale questions to ask to sort of indicate this has to be reduced or eliminated?
[Ross Young] Yeah. So, take the example of SOC-based metrics. I think the focus here should really be on driving outcomes, not driving activities. So, we can always have a SOC that has more alerts than they’re able to process, and we can even have tickets that say, hey, we processed 2,000 tickets this week.
Well, what if all those tickets were false positives that you just wasted a lot of people’s time on? That really doesn’t mean anything. It means your guys were busy, but they weren’t actually effective. So, what I’d like to do is maybe step back to say on every one of these things where we’re doing tickets, which of these were meaningful tickets that were actually true positives that we went and fixed?
And now we start to tune things because what we’re trying to do is eliminate waste.
Every time our SOC analyst does something, it should have actually stopped a real-world attack, not stopped vaporware or just responded to a benign alert. That tells me I have to actually go back to tune the rules, tune the alerts, to actually get better outcomes from every ticket and every alert.
And so, these are the types of things we really have to focus on, shifting from hours online to results delivered in order to combat some of this security theater that we might be exercising.
Sponsor – Fenix24
10:50.932
[David Spark] When a ransomware attack hits, the key question becomes clear. How fast can you get back up? The moment your systems go down, revenue, operations, reputation, and trust begin to slip away. In that moment, you need more than a plan. You need a team that knows how to restore your business while the pressure is highest.
That is what Fenix24 delivers. Fenix24 is recognized as the leading breach recovery company in the world and the first civilian cybersecurity force built for modern cyber warfare. Their team has completed hundreds of ransomware recoveries, including support for major global enterprises, and they bring operations back online far faster than industry norms.
They do not rely on theories or generic checklists. They embed with you and your team, work with your forensics partner and breach counsel, and handle the work required to rebuild infrastructure quickly and safely.
Now, the advantage of Fenix24 begins before an attack occurs. Their cyber resilience program provides clarity, hardening and protection to withstand threats. They deliver asset visibility, realistic assessments, and continuous protection of backups and infrastructure and a recovery force.
Even identity systems and backups are secured and ready for rapid restoration. Will your backup survive a breach? Find out and go with the ones who’ve done this many, many times before. Those are the people you want in your pocket. Visit Fenix24.com, and when you go, let them know you heard about them from the CISO Series.
What are the elements that make a great solution?
12:42.159
[David Spark] Athanassios Tony Michailidis said, “I particularly like the boundary erosion, gradual elimination of work/life boundaries. Having seen this happen around me with devastating effects on families and people’s physical and mental health, I’d say this is by far the most important in the list.”
And Chris Mixter of Gartner said, “Love this. I helped a client install a technique called regret-based calendar management…” I like that “…a few years ago. So, every quarter he goes through his calendar from the prior three months to identify which meetings he didn’t actually need to be at.
Then having his PA go through the next quarter, seeking and destroying on similar meetings. It improves his sense of useful time, and the task, frankly, delights his assistant.” Well, this is interesting. The boundary erosion of gradual elimination of work life.
So, when people’s personal lives are getting abused, that is a good place to stop. Yes, Ross?
[Ross Young] Absolutely. And I’ll just give you two examples. For the longest time, I didn’t actually have time planned on my calendar to go through emails or to go through lunch, and so people would just book over 11:00 to 1:00 because that’s when I was free for my lunchtime, and then I would be hangry in the meetings and not really pleasant to be around.
[David Spark] I could not imagine that, Ross. Go on.
[Ross Young] [Laughter] Or maybe because I didn’t actually book time to do emails for myself, I would stay two hours late after work going through emails so I’d make sure things were responded to in a timely manner. So, what I found I needed to do is start booking time for myself and then also saying what’s acceptable and what’s not acceptable.
So, maybe I would tell my coworkers and my employees, “Hey, I end my work at 5 p.m. during the day. I go home, I have dinner with my family, I do things with my kids, and I really think that’s important to me in my life. And so, what I want to do here is say at 5 p.m., don’t expect me to respond to anything until the next day.
Now, if for some reason something is truly an emergency and it’s urgent, don’t email me, don’t text me. Call me on my phone and say, ‘Ross, this is exactly what’s happening. I need you to help.'” And I know if I get a phone call, that is an emergency situation, quickly respond to that.
But if it’s anything else, I can pretty much ignore it till the next day. And that kind of boundary between my work/life balance really helped make sure I wasn’t losing time from things that are more important with my family after hours.
[David Spark] Dan, have you done any kind of reflective management of your own time? And it seems, by the way, all this conversation, as a manager, you do have to watch out for your employees, but you do have to, like the whole idea of put your mask on before you help others, maybe you should be doing this for yourself first.
So, have you done this reflective, like looking back at past meetings and go, “Well, a bunch of these were a waste,” yes? And do you feel that you have had wasteful meetings, Dan?
[Dan Walsh] Yeah, 100%, and I think it is a lot of time forest-for-the-trees situations, right? How do we take a step back and evaluate what we’ve been doing over the past quarter or whatever, in terms of meetings, in terms of work/life balance? I try to set the expectation with my team that unless there’s a really bad incident, do not disturb me between 5 p.m. and 8 p.m. because that’s family time. There are studies out there, to Ross’s point, on the physical side of it, that I think if you stay up like 24 hours, it’s actually the equivalent of being over the legal limit for being drunk because there’s an equivalent cognitive comparison there.
[David Spark] [Laughter]
[Dan Walsh] It’s been studied quite in depth. And so, you do have to do that. I tell my folks on my team, like, I expect you to take three to four weeks of vacation every year, and the reason for that is because once a month on a Friday night at 11 p.m., something goes bump in the night, we’ve got to jump on it, and people are burning the midnight oil.
Generally, I’ve seen that happen quite a bit in security, especially when you get these zero-day releases that you want to rush to patch. So, yeah, you definitely need to do that. You definitely need to let your team know that self-care is the top priority because if it’s not, they’re not going to be at their best, and I don’t want sleep-deprived people working, making decisions with privileged access in critical situations, and ultimately causing harm to themselves and to the company.
[David Spark] I was at an event where a CISO honestly said this on stage, “Don’t,” referring to taking vacation, like what you were referencing, because he would go on vacation and work. And the team knew it because they were getting messages from him as he’s at a resort in Mexico.
And he honestly said, and I, by the way, called out BS on this at the event. He says, “Don’t do as I do. Do as I say,” and he was telling them, “You take a vacation, but I’m not,” but if they’re watching you and they want to be a CISO, they realize this is what it takes to be a CISO.
[Dan Walsh] 100%.
[David Spark] And I say, “No, you can’t do that. At all.” So, let me ask you, Dan, do you take time off?
[Dan Walsh] I do take time off.
[David Spark] And are you frequently sending messages to your team during your vacation? Now, I understand sending a few.
[Dan Walsh] I genuinely try not to do that. If I absolutely can’t help myself, I will schedule the Send, like in Slack or in Outlook, to go Monday at 9 a.m. when I’m back because if there’s something that’s bothering me, I don’t want to forget it.
[David Spark] Yes. And I’ve done that too.
[Dan Walsh] But no, you have to take time off because again, like to your point, you’re the leader. People are going to generally emulate. Especially if you’re a good leader and people like working for you, they’re going to try to emulate and sometimes emulate the bad things, which is never taking time off, always being connected to your phone and to your laptop, and you do need to set a good example.
[David Spark] I’ll literally close on this, Ross. The whole don’t do as I do, do as I say. What are your thoughts, especially when you’re trying to be a leader? I mean, you got to do the things that you’re telling your own staff to do.
[Ross Young] I think that’s exactly right. Look, there’s work time and then there’s play time, and we’re all going to have times when we have to work after hours.
[David Spark] Yeah, it happens.
[Ross Young] The first incident I had was there was a bombing in Nashville on Christmas. Like what a worse time to like go and respond to things that work because everything on the internet is down for your corporate company. But then what I would also say is find ways to find balance.
Right? If somebody just worked a lot of hours because of Log4j or some other big thing that’s happened, say, “Hey, I want you to take a week off here, so you can kind of get that lost family time.” I think it’s important for us to really be happy both at home and in work, and the way that comes from is having a healthy work/life balance.
Crushing it, I just think, is the wrong mentality. And when people see that, you’re like, “Look, you don’t have to tell me every time you take a day off and all these little things. Just go have fun.” They respect that, and then they’re like, “Wow, he really cares about me.” And I think that’s the type of leaders that inspire us and people really want to work for.
Where does this effort fall flat?
19:36.017
[David Spark] Mauricio Ortiz of Merck said, “Love the irony of creating a new framework to tell us the other frameworks are full of unproductive or ineffective stuff or steps. However, I would highlight my respect and admiration to the huge efforts many smart people in the industry put in the ideation and refinement of those frameworks.
Critical thinking, all frameworks are valuable and full of good intent, but as often, not perfect or sometimes misused.” So first of all, I can’t imagine one framework can be good for all people. I mean, you’ve got to pick and choose, don’t you? They’re just really good guidelines.
Ross?
[Ross Young] Yeah. So, nothing on this framework was designed to attack another framework or say this framework is bad. Obviously, there’s frameworks that help in any different organization, but the point here is to say how do we really think about what we’re doing?
If you think about it, the higher up you move in an organization, usually the more management functions that you have, which mean you’re in more meetings than let’s call it the junior level employees. And so, now you need to be much more mindful of your time because you’re overloaded by having to manage 20 or 50 different folks.
You’re overloaded from everybody wanting one-on-ones and weeklies and all these other meetings with you, and there isn’t enough of you to go around. So, it’s saying how do I become really strategic? Not to trash any other frameworks, but if a framework doesn’t actually give you value where you’re producing more results, chances are it’s the wrong framework for you and your company.
[David Spark] What value do you see in frameworks, Dan?
[Dan Walsh] So, frameworks are a means to an end. They’re not the end itself. And so, people get in trouble with frameworks when they think that it’s the end-all be-all, right? If frameworks equal outcomes, you have a problem. Because in reality, what happens is it’s frameworks plus incentives plus human behavior equals outcomes.
If those incentives and that human behavior aren’t systematized, in my opinion, or good, they will have unintended outcomes. So, I think that frameworks are super valuable. I mean, our entire industry is built on it. You can build a very defensible security program.
Even outside of security, within technology, you can build very strong enterprise technology organizations that power massive companies. You can’t angle always on the frameworks. If you do that, you can find the good, the bad, and you can criticize all you want.
[David Spark] Very, very good point.
Closing
22:14.601
[David Spark] Well, that brings us to the portion of the show where I ask each of you, and I’m going to start with you, Dan, which of these quotes was your favorite and why? And Dan, I will start with you.
[Dan Walsh] I kind of like Chris’s regret-based calendar management. I think it’s a good exercise to just orient yourself and kind of rebase on yourself to go through calendar and say like what do I really need? What’s really valuable? And I think it’s bonus points for Chris that it makes his assistant happy.
So, we like to make people happy with making our lives more efficient.
[David Spark] I don’t like to turn people down when people want to meet with me, I like to, but sometimes I just, I’m sorry, I can’t keep saying yes to get-to-know-you meetings, to literally everyone. I just can’t do it. So, what I try to do is I’ll have, because I run these general meetups or we’ll do our virtual events on Friday, I sort of try to invite them to that rather than one-on-ones.
All right, Ross, your favorite quote and why?
[Ross Young] Yeah, I like the quote by Tarak Hamba of, “What struck me…is how recognizable these ‘techniques’ are day-to-day, meeting overload, urgency injection, inbox flooding, not as random noise, but as repeatable patterns that quietly degrade thinking.” And I think that’s exactly it.
Hey, we can all do a little bit of reflection to say how do we work smarter, not harder? At the end of the day, nobody cares if you crushed an 80-hour week. They care about what results you accomplished. So, if you accomplished the results in 10 hours and it took somebody else 80, that’s exactly what we’re trying to get that mind shift to focus on.
So, think about that, and then drive more of those time activities that deliver outcomes and less of the things that keep you busy.
[David Spark] Total agreement on that. I sort of get a sense of satisfaction when I cross out my to-do list, but then if I didn’t see anything happen, I’m like, well, it’s just sort of a dopamine effect for the moment, but it doesn’t last long, for that matter.
All right. This brings us to the very end of the show. I want to thank our sponsor, and that would be Fenix24. Remember, go to Fenix24.com to find out whether your backups will survive a breach. You want to be with a team who has really seen the worst and, well, these guys have seen the worst.
When you go check them out at Fenix24.com, let them know you heard about them through the CISO Series.
Ross, I want to thank you again for joining us and bringing up this conversation, which was actually quite popular on LinkedIn. We’ll have a link to that. And more importantly, everybody, we will also have a link to where you can buy Ross’s book, Cybersecurity’s Dirty Secret: Why Most Budgets Go to Waste.
I don’t think anyone’s written about this and you wrote a full book, going through great detail on this topic, which is fantastic. Thank you very much for writing it. Please go pick up Ross’s book. You can get it on Amazon. And Dan, let me ask you a question.
Are you hiring over there at Datavant?
[Dan Walsh] We are always hiring at Datavant. So, please go to the Datavant Careers page. Yeah, check it out.
[David Spark] That is a good thing to hear. Always hiring at Datavant. They need talent. So, I’m assuming they can drop that they heard you on the show?
[Dan Walsh] Yep, absolutely. Love to hear that.
[David Spark] We will have a link to Dan’s LinkedIn profile on the blog post for this episode. Thank you very much, Ross. Thank you very much, Dan. And to our audience, as I say, and I truly mean it, we greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.