I Support Open Source as Long as I Don’t Have to Invest in It

Supporting open source software

Open source is a bedrock of modern organizations. But we’ve taken securing it for granted, with many vital pieces of software still largely maintained by volunteers. So, how do we keep these software packages secure when the point of failure could be a single developer?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Steve Zalewski. Joining us is our guest, Brett Perry, CISO, Dot Foods.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Tines

Build, run, and monitor your most important workflows with Tines. Tines’ smart, secure workflow platform empowers your whole team regardless of their coding abilities, environment complexities, or tech stack. From low code, no code to natural language, anyone can get up and running in minutes – not days or weeks. Learn more at Tines.com

Full Transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO, go!

[Brett Perry] So, when you move from a technical role to a CISO, your thought process has to change from what you do to why you do it. And let me tell you a little story about that. I was having just a simple conversation with a very nontechnical person, and this person asked me what I do. And my reaction was, “Well, I do cyber security.

I answer a bunch of emails, and I go to a bunch of meetings.” He could tell it was a little weird, so he asked me in a different way. He goes, “Well, why do you do what you do?” And that completely changed the conversation into probably one of the best conversations I’ve had about cyber security. We both came out of that with some really valuable insight.

He shared with me after the fact that he’s got a better understanding of cyber security, and I’ve got a completely different approach to being a CISO because I found my why. And I’d like to make a quick shoutout to Simon Sinek because I did a lot of research after this discussion about that. And so my advice is to find an aspiring CISO or a young CISO and ask them what they do and record the answer.

Then ask them why they do it and see if that tone changes. If the tone doesn’t change or become kind of a spirited discussion then that person might not be really passionate about what they do or ready for what they do.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost, you’ve heard him on the other show. Now he’s on this show, but he’s done this show plenty of times. His name is Steve Zalewski. Steve, say hello to the audience.

[Steve Zalewski] Hello, audience.

[David Spark] You’ll hear him say that… No, he won’t say that. You’ll hear the voice is what you’ll hear throughout the show. We’re available at ciso-dev.davidspark.dcgws.com, where you can find all of our programming. If you haven’t checked it all out, you should. Like why not Steve’s show, Defense in Depth? It’s awesome.

[Steve Zalewski] Yes, it is. It’s the best.

[David Spark] It’s the best. Except this one they’re listening to right now. At this very moment, this is the best. Our sponsor for today’s episode is Tines, the smart, secure workflow builder. Tines. More about just that a little bit later in the show. Steve, there is a super-hot button issue that is going on around offices, which is often not how a lot of security programs have been built lately.

I will say lately. And that is the forced return to office. There are a lot of obvious pros and cons, but, man, a lot of people have really gotten used to the work from home, haven’t they?

[Steve Zalewski] Oh, yes.

[David Spark] This is a tough one to put back in the bottle, isn’t it?

[Steve Zalewski] Yes. There is a lot of reticence to have to go back in. The commutes, the inconvenience, the issues, what I call the tissue paper issues are just coming out everywhere. It is a white storm of problems.

[David Spark] But I will say this. Two things. I think this is mainly for growing talent. And also for the youngest people in your organization, it’s a core need. This is my theory. I think about myself outside of college. If I had to do work from home, which I’m sure many of our listeners have to, that would be really depressing.

It would have been awful. And I don’t know how much I would have learned for that matter. I think this is critical for that age group and growing them within the organization to make them successful. I don’t know how much they can learn from work from home and not having that sort of training onsite.

Steve, what do you think?

[Steve Zalewski] Yes, and training isn’t just an educational exercise. It’s a social exercise.

[David Spark] Yes.

[Steve Zalewski] And that’s I think where people are going, is through COVID we kind of deprecated the whole social maturity, interaction as to how that foundationally establishes who you are from the business perspective of getting the job done. And I think people realize there’s a big gap there. A lot of business now is basically saying, “We acknowledge that gap, and we want to address it.” But many in the industry simply say, “Yeah, but it’s too inconvenient for us.” It’s like cyber security.

It’s a friction that I don’t think I need, but I don’t necessarily understand what I’m doing by not doing it.

[David Spark] Very good point. Well, enough of this discussion because we’ve got a lot of other great discussions coming up on this show, and I’m very excited to bring on our guest, who I just met at a big Evanta conference here in Del Mar. Thrilled to have him on board. It is the CISO for Dot Foods.

None other than Brett Perry. Brett, thank you so much for joining us.

[Brett Perry] Thanks, Dave and Steve. I really appreciate you guys creating such an invaluable podcast for the cyber security community, and I am truly honored to be a guest.

As a CISO, what do you think about this?

5:09.521

[David Spark] Should cyber insurance carriers offer MDR, managed detection and response, services? Now, that question got thrown out by Peter Schawacker of Nearshore Cyber on LinkedIn after seeing the provider, Beazley, getting in on the market. That being MDR. Is offering both cyber insurance and MDR services a great example of vertical integration, or could it be a conflict of interest?

So, IT consultant, Eric Silberman, surmised, “I guess what the ‘fire department’ wants most is for you never to have a fire in the first place. If they have to come to your house to do a personal inspection then so be it. Win/win, I suppose.” Not everyone was on board. Others didn’t like the idea of MDR being moved into an insurance checkbox category.

Steve, where do you stand? I think this is kind of an interesting debate here.

[Steve Zalewski] So, to me it comes down to the conflict of interest. If the MDR goes into insurance then are they cooking the books? Which is, is the cost of the insurance relative to the value of the insurance now going to change because we’ve lost that competitive edge for the MDRs to compete on price and insurance?

But ultimately, I actually agree. I think they should integrate it, because having the fire department come out and see if you’ve got fire alarms, seeing if you have a hydrant nearby, that is going to positively impact the insurance rates that you pay. Because overall, we have a better preventative perimeter to prevent the event.

Then if the event does happen, a higher likelihood that people survive. So, I look at the greater good and say definitely we should be pursuing that.

[David Spark] But isn’t that firehouse example…wouldn’t that just be like the example of an audit though? An MDR is like full blown service. It’s more than that. It’s like the fire department coming and literally putting out the fires for you, should you cause one.

[Steve Zalewski] Well, you could argue who’s going to do it better, somebody that knows your house, that’s looked at it, that knows how many rooms there are, that knows where your kids’ bedrooms are? So, when they come to the house, they already know the layout, and they know what to do…

[David Spark] Good point.

[Steve Zalewski] …to be able to help you survive through the event. As opposed to simply saying, “No, it’s not in your interest. I’m just going to shop you for price. Then when I need you…” All of a sudden, there’s potentially a lot of misrepresented expectations.

[David Spark] All right, I throw this to you, Brett. What’s your thought on this?

[Brett Perry] My first reaction to this was this is like a car insurance company asking you to plug a telematics device into your car to get discounts.

[David Spark] Oh, yeah.

[Brett Perry] To reward good driving habits. I can only tell you that… I’m a really good driver. I’ve never had a ticket or an accident. Yet if an insurance company knew my driving habits, my premiums would go through the roof.

[David Spark] Well, they may know it now that you’ve mentioned it on the podcast.

[Laughter]

[Brett Perry] Yeah. I won’t mention what insurance company that is. But it kind of harkens back to the old days of PCI compliance and some cyber security departments are being a compliance shop. They’re just checking the boxes. They’re going through the pages and going, “Oh, we need SIEM. We need this.

We need that.” And just checking a box and not really following up with fully deploying the product and utilizing the product correctly. Right now we see insurance companies going from like a two or three page questionnaire. Now they’re 20, 25, 30 pages long. It’s ridiculous. And so I see a lot of companies…I’d like to warn a lot of companies not to try to just get cyber insurance because they’re going to do what they’ve got to do to get cyber insurance.

What they need to do is build a good cyber security program, and the compliance and the insurance will follow at normal rates.

[Steve Zalewski] But here’s the challenge with that. Chicken or the egg came first. How do I build a good security program if the business isn’t interested? Whereas if the insurance companies tell the business, “You need to have a reasonably good security program for you to be able to get the rates and the coverage you want,” which one carries the larger argument?

[Brett Perry] That’s a great question. I think your business has to be dedicated to actually building good security. If they’re just wanting to be compliant and that’s what… Yeah, I would probably find another company to work for because you’re not going to be there long.

What’s the starting point for a CISO?

9:51.627

[David Spark] Are cyber security teams the pot calling the kettle black when it comes to technical debt? CISOs will be the first to tell you that legacy IT introduces risk as it ages. But as Ericka Chickowski pointed out in CSO Online, there is less awareness about technical debt on the security stack itself.

Just like other parts of IT, cyber security teams are so busy using their current tooling to face evolving threats that the time and money to upgrade can seem daunting. So, I’ll ask you, Brett, what are some strategies you’ve seen work in tackling technical debt within the security stack?

[Brett Perry] So, this being my third build from the ground up…

[David Spark] Oh, wow.

[Brett Perry] …fortunately I don’t have to deal with a lot of security technical debt. Now, a lot of these companies are really, really old, so they’ve got a lot of other technical debt. But I don’t really inherit much of that. But here’s some of my strategies. Never buy another tool or technology until the previous purchase is fully deployed.

[David Spark] That’s a good point. Oh my God, that is such an obvious good point that I’m sure nobody pays attention to. [Laughs]

[Brett Perry] No, I mean if you’re given the budget, you’re just going out and buying whatever you can, but I don’t allow that next tool to even be talked about until the last tool is fully deployed because the tech debt will actually pile up pretty quickly if it just becomes shelfware, right?

[David Spark] Right.

[Brett Perry] So, the other approach is once the security program is fully established, my approach becomes one in, one out. So, security architect, you want another tool to do this, but what’s going to go? Because security changes year to year, and so…

[David Spark] Do you keep a balance of tools? Like I’m making up a number. Like say you have 15, 20 tools in your environment. This whole philosophy is if you want a new tool, what are we getting rid of.

[Brett Perry] Yeah, I mean consolidating is good, too. Obviously I don’t want to have all of my eggs in one basket, but I am willing to consolidate a few things that my team thinks that they could.

[David Spark] But that’s a really interesting philosophy because it forces you to look back as you want to look forward at the same time. I do like that take. All right, I’m going to go to you, Steve, on this one. How have you dealt with technical debt? And, by the way, have you walked into a situation where you…that whole stack was there when you walked in?

[Steve Zalewski] Yes, a couple of times, but I’m going to differentiate technical debt from technical obsolescence. Because I think for cyber security tools, it’s not that we’re building tech debt. It’s that our security perimeter is adapting. Our threats are adapting. And often times some of the technology we bought, even 12 or 18 months later, is the wrong tool based on the threats that we’re trying to address.

And so therefore it’s the obsolescence of that control compared to the new ones I have to put in. And so often times then I’ve only deployed 25% of the tool, but it’s run its course. I now have to move somewhere else. Let’s get rid of it. And the ability to flush tools out of an infrastructure turns out to be the harder thing.

And so therefore the tech debt builds because we simply don’t have the maturity to push them out because the finance guys have said, “Wait, that was a 36-point contract, and you’re only 18 months in. And I don’t want to throw away the money.” Whereas I’m like, “Yeah, but it doesn’t do me any good anymore.

Just write it off because my job is to protect my company, not to just efficiently manage the costs.”

[David Spark] Yeah, this loss fallacy that often happens.

[Steve Zalewski] There you go. There’s the fallacy. So, I go, “That’s actually I think closer to the truth.”

[David Spark] Right.

[Brett Perry] That’s why I think three-year deals are great, because… It’s probably not so good for the technology, because if you’re willing to rip them out. But if you start looking at technology two, two and a half years down the road, and say, “Well, we should probably go to something else,” it makes you look at that technology, make sure that they’re not falling behind.

They’re actually developing the product. You don’t get into re-signing a three-year deal, re-signing a three-year deal. You always have to constantly take a look at that technology and possibly get rid of it. So, my last point is to never get to a point where one product or vendor is too hard to rip and replace.

[David Spark] Okay. Well, get into the details. Because I personally had an experience with that, and I did the painful band-aid rip.

[Brett Perry] It’s difficult. I mean identity, for one thing. It becomes so ingrained in the business, and you’ve got HR involved. You’ve got all these parts of the business that are involved. And identity has become one of those technologies that gets you kind of stuck. And how would you even figure out how to rip and replace or even move towards another one without buying that product a year or two in advance?

Or at least getting hopefully 12 to 24 months of free product, right? Until you’re able to replace that. It’s hard. My only advice is if you find yourself in that situation, you got to actively work on an exit plan and figure out… Because you don’t want to be stuck.

[David Spark] Now, this is the thing that I have done. It’s a simple thing as I just… If I’m using any tool that makes me put data in, I just want to know that I can export it fully out. Which I’ve had tools that don’t do that. What is the question asked up front to know that you have an exit plan?

[Brett Perry] “Who owns this data,” is one question, and that should all come out in the contract language.

[David Spark] Right.

[Brett Perry] Because if I’m giving you a bunch of data or this is a cloud app, I want to make sure that I can recover all that data and move it into a new technology if I need it. That’s a conundrum, for sure.

Sponsor – Tines

15:48.049

[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor, and that would be Tines. Security teams are facing a constant uphill battle, between alert fatigue, repetitive manual tasks, endless false positives, inflexible technology, and the looming risk of burnout.

It all adds up, making it tough for teams to stay ahead of threats. Every day, valuable hours are spent sifting through noisy alerts and managing rigid workflows instead of tackling the real security issues that matter. It’s draining. And over time, it can start to impact even the most dedicated teams.

That is where Tines comes in.

Built by security practitioners for security practitioners, Tines is an orchestration and automation platform designed to meet the demands of security teams. Tines empowers analysts and engineers to automate their most repetitive, time-consuming tasks regardless of complexity. No coding experience required, just the flexibility to tailor workflows to your team’s exact needs.

The result, companies like McKesson, Canva, and Mars are saving hundreds, even thousands of hours on manual tasks, allowing them to focus on impactful work and real time decision making. So, if your team is ready to trade burnout for breakthroughs and tackle threats without unnecessary noise, visit tines.com/cisoseries.

Yes, go to that site. Tines.com/cisoseries. Tines, because security work should empower, not exhaust.

It’s time to play “What’s Worse?”

17:33.902

[David Spark] It’s time to play “What’s Worse?”

[Steve Zalewski] [Groans]

[David Spark] There he goes. Listen to the noise of Steve Zalewski not looking forward to playing a game.

[Steve Zalewski] [Laughs]

[David Spark] When you play games with your family, is that the noise you make, Steve? “[Groans] Monopoly…”

[Steve Zalewski] I don’t want to lose. This is hard. You know? I’m like…

[David Spark] There’s no losing in this game. It’s just me criticizing you.

[Steve Zalewski] [Laughs]

[Brett Perry] Steve, has anybody ever agreed with you on your answer?

[Steve Zalewski] On “What’s Worse?”

[David Spark] We’re going to find out.

[Laughter]

[David Spark] I don’t remember what your odds are on this game, but here we go. Just so you know, Brett, I always make the cohost, in this case, Steve, answer first, so you get a little bit more time to decide and decide if you want to agree or disagree with Steve. All right?

[Brett Perry] All right.

[David Spark] This comes from Nadav Lotan with Cisco, and here are the two scenarios. Okay, so you have a situation of a costly expert or limited automation. Here we go. The costly expert. Your organization opts for a high-quality manual penetration testing and validation program conducted by renowned experts.

These experts provide in-depth assessments that mimic real world attacker behavior, thoroughly probing your modern application stacks. However, this level of expertise comes with a hefty price tag, consuming a significant portion of your security budget. Additionally, you must place immense trust in the pen tester’s skills and integrity as their findings directly influence your security posture.

Due to cost and resource constraints, these tests are infrequent, potentially leaving vulnerabilities unaddressed between assessments. Okay.

So, some parts good, some parts very good. Now the limited automation. Alternatively, you rely solely on automated penetration testing tools. These tools offer quick results and are cost effective, but they are highly scoped and lack the sophistication to emulate real world attackers. They struggle with modern application stacks, especially those involving microservices, cloud native applications, and complex integrations.

Might as well just describe everybody’s environment right there. [Laughs] The tools miss nuanced vulnerabilities and multi-step exploits, providing a superficial assessment that could lead to a false sense of security. So, essentially what you’ve got is some really good pen testing with very little that you can do with it with the money you’ve got left, or crappy pen testing with a lot of money left over.

Steve, what’s worse?

[Steve Zalewski] I would go with it’s much worse to pay a very expensive expert to give me a one-time view that’s good for 365 days but is obsolete on day one. That’s way worse than me having a limited automated view of an enforceable perimeter.

[David Spark] All right. Brett?

[Brett Perry] Well, I hate to break the cycle, and I think you actually convinced me to go the other direction, Steve. But yeah, I was originally going to say the automated testing.

[David Spark] Is worse?

[Brett Perry] Well, yes. But I’d have to go the other way because you’re absolutely right. That data is only as good as the day that they print the report out. And the remediation steps that you got to take… The only other thing I would do is probably have to increase pen tests from once a year to twice a year, but…

[David Spark] You probably won’t have the budget to do that. [Laughs]

[Brett Perry] Yeah. I mean, nothing can replace a good human doing pen testing though. It just doesn’t… I would almost be willing to pay it every year if the business would give that to me.

[David Spark] So, you’re both agreeing that the first scenario is worse because it’s just a one-time situation.

[Steve Zalewski] Is worse. And what I would say is remember the two key principles for security, which was be brilliant at the basics and automate, automate, automate. And so I’m just applying that to say I’d rather have a limited perimeter that I can consistently monitor and report on than having a one-time brilliant report that means nothing to me the next day.

[David Spark] But hold on. But I argue that comment right there. One-time brilliant report that has true insight into your environment doesn’t vanish the next day. It’s not as accurate the next day, but it still has a lot of validity and gives you a lot of wisdom into your space. Where the second scenario is like, eh, who knows.

[Steve Zalewski] Except that the second case is giving me automation capability in a limited sense to continuously monitor and report.

[David Spark] Right, but it also… My other fear is even with all this money you’ve got left over, you’re not going to be spending it correctly at all at that point. What do you think?

[Steve Zalewski] So, here’s the key. Do I want to have no money and bet all of my company on one egg, one basket, or do I want to have money to be able to have that debate and give myself the opportunity to do better or worse. And I’d rather take the extra money and have the chance to see what I can do the other 364 days.

[David Spark] Sounds good. Brett, where do you stand?

[Brett Perry] Best case scenario, you pay a ton of money the first year, and then you just follow it up year after year with automated testing.

[Steve Zalewski] There you go.

[Brett Perry] And don’t change anything.

[David Spark] There you go. The best of both worlds.

[Steve Zalewski] Yeah, as long as the bad guys agree with me, and as long as the lines of business do what I tell them to do, this is a phenomenal strategy.

[David Spark] Just as long as everyone listens to Steve. The new name of the podcast.

[Steve Zalewski] [Laughs]

What works? What’s not working?

23:28.253

[David Spark] If it’s such a struggle to hire good staff, why don’t we talk more about employee retention? It seems to be an industry-wide problem. So, a recent ISACA survey found that 55% of respondents had trouble retaining qualified cyber security staff. Why are they not holding onto staff? So, recruitment from other companies was a big reason.

But respondents also said poor financial incentives, limited career development, and high stress levels. As a CISO, there’s not much you can do about recruitment, but I feel like improving the other three factors makes recruitment a lot harder. Brett, you told me that you haven’t had any staff turnover in years.

What’s been your secret to holding onto talent?

[Brett Perry] So, I would like to say that I am the secret. I am the special sauce here. But I will give it up to Dot Foods who truly has a great culture. I did poll some of my longest-standing direct reports, and that was the first thing that they came back to me with is, “I’m here because of Dot’s culture.”

[David Spark] And before you go on any further, can you just give me a couple little insights. What is integral to Dot’s culture?

[Brett Perry] Well, so one thing is in 64 years, they’ve never had a layoff or a reduction in force.

[David Spark] That’s insane. Seriously?

[Brett Perry] Huge. And so, yeah, just one quick story. During COVID… 80% of our business is food service. So, restaurants, food away from home. And overnight, 60% of our business was shut off. Overnight. And the business basically said…or the leadership basically said the last thing on the table is layoffs, knowing that once the COVID fog lifted we would be back to business as normal.

And the last thing that they wanted to do was to have to go out, rehire, retrain everybody. And sure enough, it lifted, and it was pretty turbulent. But when we came out of it, we came out stronger than we came in because…

[David Spark] That’s huge.

[Brett Perry] …people weren’t afraid of losing their jobs. Everybody just felt confident in the business. And the other thing is the transparency that… This is a family-owned business, and they provide a lot of transparency into how the business is doing. Every period, every quarter we get an exact picture of how that business is doing, good or bad.

So, we can expect our bonus is going to be good this year, or how are…possible increases in pay, or whatever. We know that that’s coming, and we don’t just wait for it once a year.

[David Spark] All right. Steve, retention. This is a hot, hot button issue because especially in like the Bay Area where people are constantly fighting for talent, it can get very, very expensive, especially if you hire someone young, train them for five years, and then they leave. And now they’re very much a hot commodity on the market.

[Steve Zalewski] So, this is what I say to a CISO when I talk with them or mentor. I go, “Are you a good manager, or are you a good leader? Are you managing your organization for short-term efficiency, or are you leading your organization to show the business how you can effectively grow?” And it’s kind of what we talked about here with the private company, which is to the degree that you can create an environment and principles that want to work there as opposed to they get frustrated, and so therefore it becomes a financial compensation exercise, you lose the battle.

It only goes so far. You can only lead for so long because eventually if there is no career path for individuals or you’ve asked a lot of them and they just get tired of being a level one analyst because it just burns them out then that’s why I say, good leadership then becomes good management on career guidance.

Career development, mentoring so that you’re blending the two. But ultimately I say if you’re a good, strong leader and set a vision, and people feel like they are part of the solution that you have the best likelihood of longer term retention.

[David Spark] That’s actually a really good point. And we hear this a lot. It’s that people want to be trained within their company. They want the company to invest in their own growth professionally. I’m assuming you see this with your own staff, Brett, yes?

[Brett Perry] Absolutely. One of the other items that was brought up is that I don’t force the people to train. At least once a year get some outside training. Go to a conference, network. Because that becomes invaluable. When I got to Dot, they were kind of in a bubble. They’re in the middle of Illinois, and it’s a very small town.

So, people really didn’t want to travel to those big conferences or travel for training. And now that I’ve got those people getting out every year, it’s paying dividends for Dot Foods, and it’s also paying dividends for their professional growth.

[Steve Zalewski] The other thing I’ll say to that is like when we were at Levi’s, I was gently warned more than once poaching out of other parts of the company is not appreciated. And I would simply say, “Look, good cyber security people don’t necessarily come from a cyber security background.” And so I would put my cyber security folks into the business as business information security officers to let them mingle with the business and grow.

But I also found good PMs and good others in the business that liked cyber security, and the skills were cross trainable. And I would encourage them to be my advocates. And then all of a sudden when positions opened, they’re coming across. Again, as a leader, look at the message you’re sending, which was not only am I willing to train you but training you about how to run the business.

And from the business perspective, bringing you into cyber security is hugely powerful as people want to work through their career growth path.

[Brett Perry] I’ve got a couple of other points, Dave, on this. How I’m training to retain people. One is absolutely provide a work-life balance. People in cyber security need to know that this is not a nine to five job. You don’t have to be at your desk eight hours a day. But one rule I have is when the bell rings and the stuff hits the fan, it’s all hands on deck for as long as we need you.

So, kiss the spouse goodbye. Kiss the kids goodbye until this thing is resolved. And everybody understands that. That’s my first rule when you come onto my team is you go to take the kids to the doctor’s appointments, and pick them up from school, and do the things that you can’t do over the weekend.

Get that stuff done. But understand when it goes down, everybody is on deck.

Why is everyone talking about this now?

30:21.030

[David Spark] “What Gartner giveth, Gartner can take away.” Now, this was Gartner that coined the acronym SOAR back in 2017, but now its latest hype cycle for Information Technology Service Management, or ITSM, put it at the very bottom of the “Trough of Disillusionment.” But as Rob Lemos, who said the opening quote here of Gartner giving and taking away, pointed out in Dark Reading, most organizations want a single hub for all their security information, but that hub doesn’t have to be SOAR.

Gartner makes a case for SOAR being on the way out, saying that its components have been subsumed into other services, and automation is now just an expected product feature, like AI is in everything now. So, to paraphrase [Inaudible 00:31:19], have we come to bury SOAR, not to praise it? Is Gartner right to put it out to pasture?

And I’ll ask you, Steve, and why do we keep letting Gartner define our industry like this? What’s the situation here with SOAR?

[Steve Zalewski] So, the one thing is we have to give Gartner credit where credit is due, which is being able to run an entire industry on acronyms was a stroke of genius. That they got us all to be idiots savants to what acronym do you fit into, and I, as a security practitioner, are now decided whether to buy you.

Okay? But be that as it may…

[David Spark] Yeah, because everyone has a spreadsheet with a series of acronyms on the line items. [Laughs]

[Steve Zalewski] You got it. Right. And we can thank Gartner for that. Now, here’s the key. Things like SOAR, which was service automation, to be able to let the machines run at machine speed was a good idea. And they thought that if I look at people, process, and technology it was primarily a technical issue.

And so therefore they created a category, and a bunch of companies went off and built some technology. But what we all came to realize was it was a people and business process problem, it was not a technology issue that ultimately was what prevented it from succeeding. And so the “Trough of Disillusionment” was the technology in and of itself was incapable of meeting the expectations.

And now we’ve moved forward to security mesh and an appreciation that it isn’t just if I can take a look at a runbook and what a level one analyst does that I can automate 90% of that task. Eyes on glass and what’s going on between the ears is an AI, gen AI conversation that just requires more innovation and engagement with the business process to get where we need to be.

And so I would simply say yes, SOAR has passed. But we never really understood why. They just simply said it didn’t meet the need. And there’s where the accountability in my mind needs to be laid firmly at the feet of Gartner.

[David Spark] All right, Brett, your take on SOAR. Is it…? By the way, do you have a SOAR line item on your spreadsheet?

[Brett Perry] I do not. And the reason is because our MDR takes care of all that stuff for us.

[David Spark] There you go.

[Brett Perry] So, one of the things that I did… The first thing, I was like, “I do not want to buy a SIEM because I don’t have a bunch of full-time employees to be able to run this thing.” And in the past, it’s never really been effective anyway. But the point with Gartner that I want to make is I’m okay with them helping define our industry more than I’d like the industry to define the industry.

So, the technology industry can come up with this real cool new idea, and they define the direction based on how cool this new, shiny product is. But the thing with CISO… And full disclosure, I do hold a CISO license with Gartner. So, they take a lot of input from CISOs by going through… We take surveys and go into conferences.

And they also provide valuable tools to us for use and benchmarking against our peers. So, I would rather see Gartner define that than the cyber security technology people.

Closing

34:47.757

[David Spark] Very good. Well, that brings us to the very end of the show. Thank you so much, Brett. That was fantastic. Loved having you on. So glad you could make it onto the show. And, Steve, thank you for stepping up as cohost for this episode. Huge thanks to our sponsor, and that is Tines. Go to tines.com/cisoseries to learn how you can trade burnout for breakthroughs.

Save hours, hundreds, even thousands of hours with your security team. Any last thoughts about today’s conversation, Steve? You first.

[Steve Zalewski] Really appreciate the thoughtfulness, Brett. You brought up some really good points that I think really expanded on the conversation. But I want to thank Tines, because this whole conversation today, these components I think continue to gnaw at the industry at large. And so the more that we periodically review this is really our opportunity to not just continue to do what we’ve done but to realize what we need to do differently.

[David Spark] Excellent. Any last thoughts from you, Brett?

[Brett Perry] Yeah, just one last thought. If you’re a young CISO or an aspiring CISO, I would advise you to find a mentor that’s been around for a while and take the advice that they have. Most of them will drop what they’re doing to give you any advice or answer any questions that you guys have. You guys are not alone.

I know it seems like when you take that new job as a CISO, you seem like you’re out there all alone, but there are lots of people out there ready to help. So, please reach out and take that advice.

[David Spark] Very good tip to close that out. And I love your opening tip. Ask yourself the why, not the what about your job. All right. Thank you. As always, we greatly appreciate your contributions. And, by the way, send me in more “What’s Worse” scenarios. And for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week In Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.