I Taught DeNiro Security Theater, I Can Teach You

In principle, we can generally all agree that security theater is a waste of time for security teams. But the reality is that these are things that look good, so it can be hard to justify to non-technical leadership why you’re eliminating something they see as secure. So how can we positively identify actual security theater practices and how do we communicate that to the rest of the organization?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our guest, Davi Ottenheimer, VP of Trust and Digital Ethics, Inrupt.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Sysdig

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

Full Transcript

[Voiceover] Ten second security tip, go!

[Davi Ottenheimer] Don’t get in a Tesla, don’t drive a Tesla, don’t let your friends or family get in a Tesla. It is riddled with flaws that if it was a computer, it would have so many vulnerabilities already that you wouldn’t even touch the thing. It is a disaster of engineering.

Probably the worst car in history.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series. And joining me as my cohost, you know him very well. You’ve heard him before. He’s the operating partner over at YL Ventures. His name is Andy Ellis. Andy, say hello to the audience.

[Andy Ellis] Hello to the audience.

[David Spark] You know, we’re available at ciso-dev.davidspark.dcgws.com. I know you’re aware of that. But if you’re tuning in for the very first time, audience member, if you were to go to ciso-dev.davidspark.dcgws.com, not only would you find this program, you’d be finding many of our programs as well. And our sponsor for today’s episodes is Sysdig.

Time to rethink your Cloud security. More about exactly their approach to Cloud security a little bit later in the show. I know, by the way, Cloud security affects you because it affects everyone. But first, Andy, I want to talk about Halloween. Because the day this episode drops is on Halloween.

[Andy Ellis] Oh, spooky.

[David Spark] I live in a neighborhood in San Diego which is Halloween central. Everybody comes to our neighborhood. There’s nobody outside my door right now. But on Halloween night, it will be packed with thousands of people in this neighborhood. I’ve given out hundreds of pieces of candy on Halloween in my neighborhood, and peoples’ homes are just elaborate to no end.

It’s unbelievably impressive. We had a neighbor around the corner that had about 14 animatronic scary clowns on their lawn.

[Andy Ellis] I’m in the opposite, which is I live on top of a hill in a little community that houses are spread out.

[David Spark] Nobody wants to walk up to your house.

[Andy Ellis] Nobody wants to walk up the hills.

[David Spark] But that was my last house, I was on top of a hill.

[Andy Ellis] But the flats are around us, so it’s just a couple blocks away. We see exactly that. So, it’s nice. You can have the kids wander down over there. I got teenagers now, so I just kick them out of the house and let them go.

[David Spark] Do you at least buy candy in the hopes that a child will show up?

[Andy Ellis] So, we buy candy because we’re on a cul-de-sac, and there are teenagers and little kids on the cul-de-sac. So, basically we buy candy for the four houses that are all going to trick or treat each other.

[David Spark] What about the teenagers that show up not in costume? How do you feel about that?

[Andy Ellis] Given that I would take anybody, I don’t actually care.

[David Spark] My feeling is when you’re not in costume, it’s no longer trick or treat. You’re just begging at that point.

[Andy Ellis] Oh, come on. They’re showing up as emo teenagers. That’s a costume.

[David Spark] Which is what they are. I always have to point that out. I go, “It’s now begging. You’re no longer… We have an exchange. You show up in an adorable costume, and I give you candy.”

[Andy Ellis] No, remember, it’s always been trick or treat. It’s a threat. They’re extorting you for candy. They’re just taking the veneer off it.

[David Spark] Well, we had one house that was all done up as Harry Potter theme, and they had candy depending on which house you wanted to go to.

[Andy Ellis] Yeah, there’s a house near us on a main road that basically… They have a pull through driveway, and so they basically send out on the local social media like, “Oh, hey, come by our house. Here’s the hours in the week leading up to Halloween.” And just do a drive through. They’ll be trick or treating drive through because they’re on a major road that’s not safe for people to walk on.

But they’re like, “Hey, your kids can come by three to five in the afternoon. We’ll be here, and they can get their trick or treating in.”

[David Spark] That’s impressive. Our guest is shaking his head.

[Andy Ellis] And they have like 20 feet tall skeletons all over their place.

[Davi Ottenheimer] Well, when you said animatronic scary clowns, I was thinking, “That’s just Tesla.” People pull in a Tesla, and they’ve already got their costume on. But you remind me of how some places you can’t walk, so you kind of have to go buy a car. And then I guess if you use the latest scheduling technology you would say, “Please show up between these two or three minutes,” in your clown car.

[David Spark] Let me ask you – have you ever ordered a Lyft or an Uber before, Davi, and they show up in a Tesla? Although you do know the car that’s going to show up. So, if you see it says Tesla, do you just immediately cancel the ride?

[Davi Ottenheimer] First of all, I never use Lyft or Uber.

[David Spark] Okay.

[Davi Ottenheimer] The closest was when I was riding a motorcycle, and I stopped at a red light, and it ran into me. Very close to getting inside of it.

[Andy Ellis] Maybe getting onto it.

[Laughter]

[David Spark] Yes, very close to getting into it. All right. By the way, everyone, that’s the voice of Davi Ottenheimer. He’s the VP of Trust and Digital Ethics over at Inrupt. We adore Davi, and it’s been a while since you’ve been on. So, thrilled that you’re back here again. Thank you for joining us, Davi.

[Davi Ottenheimer] Thanks for having me.

How can we secure new technology without creating new risks?

4:55.321

[David Spark] For all the digital ink that’s been spilled, spreading endless hype about generative AI, we still don’t know if it’s ready for the enterprise. Now, current consumer-focused tools can deliver “instant mediocrity,” but that needs to improve out of the box to appeal to large organizations long-term.

“The enterprise is going to test LLMs to the edge of their capabilities,” predicted Jon Reed in a piece for Diginomica. Davi, you were quoted in the article saying, “ChatGPT has had some very problematic missteps and hasn’t yet proven it won’t blindly drive an enterprise into some wasteful, entirely avoidable accidents and real harm.” I’m going to start with you, Davi.

Taking Reed’s comment and yours as well, Davi, where should enterprises begin testing so they can see the accidents they’ll want to avoid in the real world?

[Davi Ottenheimer] So, the answer is they should start testing right now. Enterprises should start testing personal data stores. That’s because they can start to see where things will go wrong if they start testing for multiuser systems. I think a way of framing this… The more I look at OpenAI, the more I realize it’s like the Microsoft DOS of AI, which is perhaps why Microsoft likes it so much.

It has a very weirdly single user centric model that doesn’t fit at all the way the world works. So, what we should test is things that are much better than DOS. Like it’s like testing multiuser Unix…Linux if you will…when people are offering you a single user system. And I mean that in all sincerity.

We have the technology already. In fact if you look at Apple…

And they’ve released this new Sonoma [Phonetic 00:06:39] feature that gives you the ability to train your own voice to the point where it impersonates you, it represents you, speaks for you as you. That’s exactly what I’m talking about. But it’s proprietary. It’s locked into the Apple model. You want to do that across your entire enterprise such that anybody who wants any kind of knowledge based large learning model capabilities should have the option of having models trained on private data.

They should have the ability to delete themselves out of data sets. They should have the ability to update and change on a regular basis, retrain. That’s what you should be testing right now.

[David Spark] All right. Good tips. Andy, what’s your advice?

[Andy Ellis] Yeah, so I love that as sort of an end state. Like, “Here is where you need to be heading for is this very customized LLM.” But where organizations need to start practicing is recognize that LLMs right now are basically savant 12th graders. They are really good at writing prose and really bad at writing content.

So, they can write sentences that look coherent and paragraphs that look coherent. It’s like that person at the cocktail party who can talk on any subject, but they’re not really true and accurate, but they’re confident. And so you listen to them. And then later you’re like, “Wait, they were just making stuff up.” That’s what LLMs have a tendency to do.

So, if you’re going to be using LLMs in your enterprise today, you should think of them as your first generator, and then you have an editor who is reading for content and making sure that this doesn’t just look like a stilted 12th grader who can perfectly write an essay but is sort of cribbing from Wikipedia without understanding what they’re reading.

[Davi Ottenheimer] We make it easy by making it so… Right. I wouldn’t say it just tends to be like that. It’s always like that.

[Andy Ellis] It’s always like that.

[Davi Ottenheimer] One of my pet peeves is when people talk about hallucinations as though it’s something that sometimes happens. They’re always hallucinating. It’s not hallucination if you’re always unable to tell the truth.

[Andy Ellis] Right. But sometimes their hallucination happens to match reality.

[David Spark] I like that analogy. It’s always hallucinating. Because even hallucinations have threads of value in them.

[Davi Ottenheimer] Yeah, exactly.

[Andy Ellis] Right, but there’s no self-awareness in an LLM. It doesn’t know what it’s saying.

[Davi Ottenheimer] Correct.

[Andy Ellis] It’s just stringing together things that are plausible English structures.

[David Spark] I know one of the features of ChatGPT is you can constantly have it refine itself. I don’t know if it can do this, but you ask ChatGPT a question, and then you can say, “Revise it this way,” or, “Make it more like this way.” Can you say, “Can you check the fact that you said this, this, and this that it’s actually accurate?”

[Andy Ellis] It’s a challenge. And you have to recognize that, again, it’s going to answer you as an LLM. Now, many of them do have ways of doing NLP to check, “Is this actually semantically valid?” But you can’t rely on what it tells you. You have to go do that checking yourself.

[Davi Ottenheimer] Another way of putting this is Gödel figured this out in the 1920s. And David Hume figured this out in the 1700s. The problem is not new at all. We’ve gone through this. It’s the incompleteness theorem in its most recent formulation, which is you have to have an external input. I mean in a paradox situation.

You have to have an external input to know whether something is right or wrong. You can’t just have the system tell you something is right or wrong by itself. And so the refinement can actually make it worse, can take the lie deeper. You can ask it, “Give me a court case…” This is true. I asked it to give me a court case about seatbelts, and it gave me one that never existed, but it actually gave me one that said that seatbelts have been made illegal.

The Supreme Court ruled that seatbelts are no longer allowed in America. I was like, “What? That doesn’t exist.”

It said, “I’m sorry. I’m not allowed to tell you things that don’t exist.” Then it doubled down, and it kept getting worse and worse. And at some point you just have to look at it and be like, “This thing,” as you pointed out, Andy, “does not know truth from fiction.” It’s supposed to be generative.

It generates garbage. But it predicts what people expect. And so if you want to take something that is you want it to be accepted and it is rough, you can give it to it to refine it to something that is better because people are more likely to expect it. You don’t know what people might want to expect because we aren’t good at that.

But it is good at that by looking at everything that people have seen before.

What works? What’s not working?

10:41.102

[David Spark] Why does security theater keep sticking around? Cyber security is hard enough without spending time, money, and effort on things that look good. Google Cloud’s Taylor Lehmann and CISO Series alum Seth Rosenblatt wrote up some tips for identifying security theater. These include easily proving a control actually mitigates a threat and actually imitates it at the same time that you care about or only justifying a control because it’s a compliance requirement.

So, as a CISO, how should we approach security theater that’s already in place? It’s there. Before you came there, you just walked in, and I’m like, “Oh my God, there’s security theater in place.” Since theater is usually about optics, do we need to worry about buy in when eliminating these practices?

I mean they’re going to see that it’s gone. Andy, I bet you’ve walked into a situation, seen security theater, and had to get rid of it. And just all of a sudden pushing muscle like, “We’re getting rid of this now because it’s idiotic.” Or like that doesn’t work, I’m sure.

[Andy Ellis] So, here is the bright thing about security theater, which is if it’s truly theater, it doesn’t do anything or what I think is worse, blind compliance. You do this thing, but it’s actually making you more risky for doing it. Most of the people who live under it know that. They’re smart.

Security people aren’t these fountains of wisdom that know more than our enterprise. So, I like to go in and ask people, “Hey, are there any security practices that you think aren’t adding value that we should get rid of?” Let the people who live under the theater that you want to get rid of ask you to get rid of it.

You don’t need to go get buy in when they’ve asked you for it. In fact you earn political capital by eliminating something that isn’t providing any value. Now, that said, some of the things that people call security theater do sometimes provide value against the worst adversary that most companies have, which is your outside auditor.

[David Spark] All right. Davi is laughing at that. Davi, what…? I’m sure you have seen your share of security theater. How do you start eliminating it without ruffling a lot of feathers? Or do you just ruffle the feathers and not care?

[Davi Ottenheimer] Well, there’s a lot to unpack here. Because I think first of all, eliminating theater sounds like a bad idea. Because theater is like fiction. It has a purpose. And if you use it wisely then it can really be like a placebo. It can be a way of addressing peoples’ fears, and that’s important because fears matter, and people want a sense of comfort, so you can give that to them.

Feelings are real, but you shouldn’t replace or get in the way of security. And probably the worst form of theater is the corrupt theater.

That’s the one that really gets me. And so when you look at Chertoff who as a member of government said that we need to have body scanners in airports and then was on the board of the body scanner company, and then went to work under the body scanner company to make sure that all the airports had the body scanners that didn’t really do what they’re supposed to and didn’t make us any safer… I hate that kind of theater because that’s just enrichment through corrupting the process of making people scared.

It’s the opposite. Theater should make people feel safe, not scare them into buying something they don’t need. And there’s the big rub. So, we don’t want to confuse fiction with fact. Because you’re right back to Tesla killing people again. I can’t get away from… [Laughs]

[David Spark] This is going to be the theme of the show.

[Laughter]

[David Spark] Thank God I’m not worried about Tesla being a sponsor.

[Laughter]

[Davi Ottenheimer] I’m happy to help. So, I think that when we talk about checkbox criticisms, that’s probably where this all gets mixed up in law. Checkboxes or checkbox compliance is actually a viable way of dealing with risk. And pilots do it all the time. It keeps you safe, which is essential to staying alive in the aviation industry.

So, we don’t want to try everything like it’s the first time and have no checkboxes or checklists or minimal judgement systems that we use for security because that’s too expensive. It’s just so error prone. It’s chaotic.

So, there needs to be a balance. Some of the theater is for getting rid of fear by using placebos, granted. But it is a way of keeping people in a sense of control that need it. But then you get into the actual checklists that should be based on real tests that have been validated, not corruption that somebody got paid to put this in place.

It should really be based on science. Then we get into the other side of this, which is the checklists can’t account for all the things that we don’t expect. Checklists are good for getting the plane off the ground and making it land again. It’s not good for there’s an adversary in the air that’s going to get into a dog fight with you.

You don’t want a checklist for that. Although you can practice, it’s not the same.

Sponsor – Sysdig

15:01.260

[David Spark] Before I go on any further, I do want to mention our sponsor, Sysdig. Sysdig, they’ve been an awesome sponsor of the CISO Series, and we greatly appreciate them. They actually help companies secure and advance innovation in the Cloud. Now, these days, building applications on Cloud is a clear advantage, right?

We all think this. Enabling businesses to accelerate their time to market. But the Cloud has introduced a new world where attacks happen in the blink of an eye. It only takes ten minutes to initiate a Cloud attack. Now, as a result, security teams need better visibility to prevent threats and move faster to detect, investigate, and remediate attacks.

In real time we’re talking about here. They have to protect the business without slowing it down. But how do they cut through the noise to identify and prioritize real threats? This is exactly where Sysdig comes in. So, Sysdig strengthens cyber resilience across the Cloud Native lifecycle by reducing the attack surface, detecting threats in real time, and accelerating incident response.

They bring risk based prioritization to reduce vulnerability noise by as much as 95%. And they can actually help businesses stop Cloud attacks in real time. In the Cloud, every second counts. To secure every second, go to sysdig.com/ciso.

It’s time to play, “What’s worse?”

16:42.265

[David Spark] It is time to play, “What’s worse?” Davi, I know you know how to play this. It’s a risk management exercise. Two crappy alternatives. You get to pick which one is worse, remember. Sometimes people get confused by the title of the show. But it’s not the one that you prefer to have, the worst one.

You got that, Davi?

[Davi Ottenheimer] Got it.

[David Spark] All right. I always make Andy answer first so you can agree or disagree with him. All right, this comes from Dustin Sachs of World Connection Corporation. And we have received many “what’s worse” from Dustin, and I got a slew more from him, too.

[Andy Ellis] Excellent.

[David Spark] So, he gives us lots of good stuff. Also he credits the CISO Series for getting his job because it was through a connection through our audience he got hired. We love hearing stories like that as well. All right, here we go. Here’s the scenario or the two scenarios. You store sensitive customer data on an encrypted USB drive that you frequently misplace.

Andy, that’s just the kind of person you are.

[Andy Ellis] I love USB drives all the time.

[David Spark] You’re wandering around with a USB drive, and you’re just leaving it all over the place. “Where did I leave it this time?” Or you accidentally email that data to a very small mailing list. And let me point out it’s a BCC list that don’t…even you don’t see. So you don’t know who it goes to, but it’s a small list because I know if you do a small list you’re like, “Oh, you could contact everybody and like, ‘Oh my God, don’t look at that.

Delete that please.’” So, that option is out.

[Andy Ellis] Okay. BCC, my mailer would still tell me, but we’re presuming I can’t actually see who it went to.

[David Spark] You can’t actually see it. Yeah, I know. If it was your BCC list, you could see it. But we’re going to just say a small list that you don’t see. So, it’s either the small list, or you accidentally just leaving that USB drive around, and who the heck knows what happens with that thing.

[Andy Ellis] Let me give props to Dustin. These are two really bad scenarios. Like I don’t want to pick either one of them. Usually I can find some redeeming feature about one of these or the other one. I think I’m going to go with the email is the worse one, and the reason I’m going for that is that the propagation cost is so low that any one of these people can easily propagate that list so quickly.

Their barrier to entry is so high. And hopefully we’ve done a fantastic job of educating the world to not take random USB drives that they find and plug them into their computer.

[David Spark] Hopefully we’ve educated the world? Did you hear yourself when you said that line?

[Andy Ellis] Hey, look, I’m grasping for straws here because I’ve got two bad situations. Isn’t that the whole goal of security awareness month? Which we just exited.

[David Spark] We are. This is our last day of security awareness… We’re squishing it all in on this last day.

[Andy Ellis] If you find a USB drive, do not plug it in, especially if it has my sensitive data on it.

[David Spark] By the way, we did an episode a long, long time ago about how would you…if you just literally found a drive on the ground, how would you look at it?

[Andy Ellis] I wouldn’t.

[David Spark] I know.

[Andy Ellis] I’d call somebody and have them look at it.

[David Spark] Mike Johnson’s response was set it on fire. But no, we can address that in a second. But, Davi, do you agree or disagree? So, he says the small mailing list where you don’t know the people, and they don’t know each other. That is worse than just randomly leaving a USB drive around.

[Davi Ottenheimer] I disagree. I think… And I don’t want to reveal too much around how my brain works, but there are two things at least, probably more… One, you have an opportunity for logs here. I know even if you don’t have visibility in the BCC and even if you don’t have visibility in the mail server at all, you could still jump in a network.

You could still get into NetFlow. You could still find ways of figuring out where it went. Whereas in the physical space, you would have to have cameras set up. You would have to have some way of knowing where you were. And even with all the latest cameras, it’s harder to assemble that data than it is to break into systems to find the NetFlow.

[Andy Ellis] I think that we have to accept that we can’t figure out where it goes to. That’s part of the scenario.

[Davi Ottenheimer] But that’s immediately where my brain goes. Because the second part of this is I could actually break in and stop it.

[Andy Ellis] You’ve already mailed it off. Then you discover that you sent it off to MailChimp and then deleted the MailChimp account. And MailChimp is like, “Oh, we can’t tell you who it went to.”

[David Spark] And when I say small, I’m saying under a dozen, too. It’s very small.

[Davi Ottenheimer] But I could engineer an incident response scenario that I could actually eliminate that it existed in the email sent, so it’d be very difficult…

[Andy Ellis] He’s going to go eliminate the dozen people.

[Davi Ottenheimer] Exactly.

[David Spark] [Laughs]

[Davi Ottenheimer] That’s much harder to do with the USB drive that’s being picked up by random people because you don’t know the implications of that. Whereas in the email, I feel like you would. Much more discreet and easy scenario, less messy cleanup in my mind. But I will admit that if you want to just go with the assumption that both are super messy and you have no control over it then I still end up on the side of USB is worse to me because it’s just so much more can go wrong in the USB world that you just can’t anticipate.

Whereas I feel like in the email it’s much more discreet. The ways it can be shared, the ways people can read it, the things that they do, USB is very scary.

[Andy Ellis] USB is certainly more embarrassing, too. Everybody has done the accidentally BCC the wrong person. Every corporation has this problem, so it’s not like you’re like, “Oh my God, we’re still living in the 90’s.” Whereas, “Oh, we have our data on USB drives.” I want to question all of your business practices at that point.

[Laughter]

[Davi Ottenheimer] That’s right.

There has got to be a better way to handle this.

22:12.291

[David Spark] Are half of your cyber coworkers stressed out? That’s what more than half of respondents said in a recent survey by Tines as reported by Cyberscoop’s Tonya Riley. Respondents had “significant levels of stress at work.” And that stress impacted their performance. Now, Gartner predicts that work related stress would result in half of cyber security leaders changing jobs by 2025 with a quarter of those employees leaving the field entirely.

What are the specific contributors to stress, Andy, and what are the healthy ways you’ve dealt with it? I think these are some pretty extreme numbers by Gartner.

[Andy Ellis] I actually don’t think those numbers are very extreme actually at all.

[David Spark] Okay.

[Andy Ellis] Because that basically says 50% of cyber security leaders will change jobs in the next two years. And given that the median tenure in a cyber security leadership job is two years, this is not actually that outlandish.

[David Spark] That’s not the stat. It’s the quarter that will leave…

[Andy Ellis] The quarter of those, so one-eighth, will leave. Some, that is retirement. I do know a lot of CISOs who are like, “It’s kind of a dead end job, and I’m going to go look for something else.” I think one of the single biggest contributors is this belief that CISOs have that they own risk.

That when their company is doing something that has risk in it and they’re not mitigating it that you own the stress from that failure to mitigate when the answer is your job is to advise the company on what it’s supposed to do. And if your executives choose not to mitigate a risk, that is not your stressor.

You just need to accept that you have done your job. And if you can’t tolerate being in a business that won’t fix the things you want to fix, you should go elsewhere. But you should not let it be burning you out. You are not the conscience of the business. People who believe that they’re the conscience of the business need to have a level set and a recorrection to recognize that they’re the informant to the business to help them make wiser risk choices.

[David Spark] We talk about this all the time. That it is the business that owns the risk and not the CISO.

[Andy Ellis] Yep.

[David Spark] So, Davi, where do you see the stress yourself? I’m assuming you’ve received some of it as well. And what are the healthy ways you’ve dealt with it yourself and others?

[Davi Ottenheimer] I like that you assume there are healthy ways to deal with this. But seriously, I think… I’ll get myself kicked off the show now. Maybe you don’t deserve the C if you aren’t assuming at least some modicum of that risk yourself. The business is hiring you to take some sort of risk. We used to call it a long time ago like in the 90s when we were doing pen tests and utilities… I remember they used to tell us that they had designated felons.

They would give somebody a VP or higher level position so that when they really got in trouble and somebody had to go to jail, they’re like, “Oh, there you go. See you later.”

[David Spark] We in fact quoted you on that in a past episode. The designated felon. We love that line.

[Davi Ottenheimer] So, the CISO in some sense actually could be or should be that person. But I got into some of these numbers… I really love numbers. And I got into the data, and I realized that the US and EU respondents had very, very different numbers. And right there you could just say, “Hey, why did the EU workers have five points boosted over the US workers?” And just do whatever the EU is doing because it’s working, apparently, versus the US.

And maybe you could push it to ten.

[David Spark] Well, but now you’re in the EU yourself, and correct me if I’m wrong, people don’t work nearly the number of hours they do in the US. Yes?

[Davi Ottenheimer] They work smarter, not harder I think is a better way of putting it.

[David Spark] Okay.

[Andy Ellis] Folks from the EU like to tell us that.

[Davi Ottenheimer] Well, I can tell you in the Silicon Valley area… One of the core value propositions of being in the Silicon Valley for me was that it had a culture that probably came out of PARC, and AT&T, and some of the old military stuff, but it was like you would work for a bit, and then you would go for a walk.

And you’d go on these long hikes, and you’d go surfing and sailing. You’d have this mix of life and breaks. Which is not uncommon in a lot of academic environments where if you’re going to have a breakthrough, you got to have some time to think. You can’t be just interrupted constantly by alarms bleeping in your face.

You’ll never get a coherent thought together. And that stressor of the operator fatigue of watching the dashboards and security vendors trying to push things at you all the time, that really does burn you out. So, I think the EU pushes back on a lot of that stuff because it has a much older sense of civility.

It’s not this, “Well, maybe if I just quickly burn myself out and get rich,” it doesn’t matter. I think they push back on that.

For me it actually goes back to when you think about Bismarck in 1881. He was like, “You can call this whatever you want, but I want credit for inventing welfare.” He really keyed in on the idea that welfare was going to be good for workers. And that meant that they got weekends off, that meant that they got insurance they paid into.

So, if they got hurt, they weren’t just thrown by the wayside. They actually got some recovery period. And there’s mental pain as well as physical pain. If you’re stressed out because you’ve had too much, take a break. Take a holiday. Be forced to take three weeks off. And it’s true in the EU, they say, “Hey, everything shuts down for a month.”

But when you think about it, shouldn’t that be required? In some financial institutions it is. You can’t have people working every day of the year because they uncover fraud if they go away for a while. So, they force them out for the safety of the business. Why not safety of the individual? So, let me get to the point in the US though that really interests me.

That I’ve seen… This gets into one of the fixes again. I’ve seen a system that really rewards fools and punishes experts. And so who is more stressed out, the good cop or the bad cop, in a system where a CISO who enables bad decisions spackles them over, gets a bonus, a big house, a hill, notoriety.

They get all these things for just sort of saying whatever the CEO wants to say. I’ve seen that multiple times. It’s like a one-off. And sending a CISO to jail hasn’t been taken seriously enough, honestly. Because I think that would clear the air for other people who are really good at the job if we tried to get more folks that are bad at the job out of the way.

[David Spark] Hold on. Now, should we do this for most people who are bad at their job? Send them to jail?

[Davi Ottenheimer] Then the stakes are high enough. You look at the Facebook CISO getting charged with essentially crime in court. It’s amazing to me that only one of the two worst CISOs in history has been tried in court, both at Facebook. When you’re talking about enabling or facilitating humanity crime… Crimes against humanity is no joke.

So, if you’re facilitating crimes against humanity, it’s a crime. And if you let people get away with that and get a three million dollar bonus and then go live on a hill as a reward, that to me is like tin pot dictator level stuff where if you help a coup and put a dictator in place you get to live a nice posh retirement in Paris.

I think we really need to clear some of this out, and I think that would destress people if we could get rid of liars and charlatans the way Theodore Roosevelt talked about in 1910 in his big speech on privilege.

Let’s talk community.

29:06.586

[David Spark] Even among competing companies, cyber security infosec folks are known for collaboration. In the past this was done at conferences, but increasingly this information sharing takes place online. So, when one of those sources starts declining, it can be a big deal. The Cyentia Institute began tracking conversations about CVEs on Twitter back in July 2021.

These conversations remained remarkably consistent until June of 21, 2023. Now, since then, these conversations have slowed down to a trickle, down 87%. The social network now called X, formerly Twitter, has since cut off its API access. So, we won’t know if this community returns. Communities don’t last forever, Andy.

Not all of them. Some do last for a good, long time. But how does the loss of a once vibrant space for information sharing impact the overall community? I know you are an active user on X. Again, I say it with such derision, by the way, now with the new name. Things often just get replaced. Is this just the natural order of community sharing?

Like one community dies, another one takes off. What’s going on here?

[Andy Ellis] I don’t know that you want a community to die and then wait for something to take off. It’s often more disruptive that something new comes along that moves people to it. I don’t think we’ve really seen that. There’s a lot of wannabe Twitter replacements out there that aren’t really filling in.

I do wonder about the use of CVE as a way to measure community. I do agree that I’ve seen the infosec community split, and some have headed off to Mastodon, and some to Blue Sky, and some are still on Twitter, and some are on LinkedIn. But we should also recognize that the number of CVEs that are out there has exploded, and I also wonder if there was a burnout factor of just, “We can’t just keep talking about every single CVE.” Four years ago, that was possible.

Right now it’s like every day is dozens of CVEs being released.

[David Spark] What do you think? I know, Davi, you have in the past been a very, very active Twitter contributor yourself. Has your activity dropped dramatically? Especially since it’s now X and owned by the manufacturer of your least favorite car?

[Davi Ottenheimer] I deleted all my accounts. There’s no question. I would no sooner have an account on X Twitter than I would have a house in South Africa apartheid.

[David Spark] Not sugar coating it at all.

[Davi Ottenheimer] No. Fundamentally the EU just warned X Twitter that it’s officially the worst platform on the internet. And it’s very clear to me. I don’t think there’s any question here that when you really dig into who this person is that’s taken it over and the inconsistencies, and the, “I believe in free speech, but I’m going to constantly censor people if they disagree with me…” That’s just classic fascism.

To get to the core of your question, are people going to leave…

[David Spark] Well, people have already left, but it’s just the fact that this platform… Which correct me if I’m wrong… Let me just back up a little bit. You were active on Twitter. It was very popular for cyber security professionals. It still to a smaller degree is, but it’s not like what it used to be by any stretch.

[Davi Ottenheimer] No. I had hundreds of thousands of tweets. I was extremely active. Microblogging was a huge thing for me, and it actually led to many, many big career moves for me. People discovered me on Twitter, and I got a lot of traction and all kinds of really interesting work out of it. And yeah, I deleted all of it without question.

Without any hesitation.

[David Spark] So, where do you find your community? Is it on Slack channels?

[Davi Ottenheimer] I actually have my own community, which is going back to the origins of the web, which is what I really like. I built my blog up over a long time, since 1995. Yeah.

[David Spark] Your blog, flyingpenguin.com, which I highly recommend people check out. Flyingpenguin.com.

[Davi Ottenheimer] I use the web the way it was designed to work in that sense. But I also do a lot of…as strange as it seems, I do a lot of Signal communication now as an encrypted end to end. It’s almost sort of counterintuitive. I do a lot of group chats and a lot of communication through Signal that’s all encrypted.

[David Spark] Do you do WhatsApp as well? Since it’s also on the Signal backbone, or no?

[Davi Ottenheimer] Absolutely not. Because WhatsApp to me is a backdoored version of Signal. Why would you use WhatsApp? I do not understand that at all. I do not. WhatsApp to me should never have been born or existed. They just made a worse version of Signal that everybody can see into your community and still somehow got to call it end to end when it’s not.

I don’t like it.

[David Spark] I wish you weren’t so much of a wallflower, Davi.

[Davi Ottenheimer] Yeah. No, I know.

[Laughter]

[David Spark] Let’s go to the discussion at hand with regards to is the dropping of one community the growth of another. Because we’re essentially seeing this now.

[Davi Ottenheimer] Again, it’s you go to Berlin, and you look at the film museum, and they have a room dedicated to the sucking sound of the Nazis destroying the film industry, and Hollywood being born. And it’s fascinating because you think, “Wow, Berlin was the center of film? It was Hollywood?” And then Hollywood was born because somebody came to power that made it totally impractical to do the things, to have the community necessary.

That’s basically what I see is people are in an environment that’s toxic and counter… You can’t be an expert and you can’t be good at your job and say things that are really interesting and informative around people who are so fragile like the head of X Twitter. And so you get essentially a community moving some place where it is legitimately safe to discuss.

We knew this about Twitter in the past though. Women couldn’t say what they wanted to on Twitter, but Nazis could. That was always the case.

And I don’t want to get too caught up in that though because I think the greater theme here is true that the CVEs became less interesting. So, there’s that going on. But the community that was going to talk about CVEs, because they were interesting, can talk about other things that are interesting, and they’ve left.

So, what else is interesting? The way that CVEs were measured was inconsistent. We know that. So, the metrics discussion is fascinating now about how should you really figure out what a vulnerability is in terms of severity. The severity metric is fascinating. And then how to do a software bill of materials, a fascinating discussion, SBOM.

And then how to represent the vulnerabilities in the SBOM.

So, essentially [Inaudible 00:35:12] All that is replacing CVEs because we’re talking now about the level of severity, the likelihood of exploit, and how many there are in this thing that just landed on your loading dock essentially. In every software development, everyone talks about the open source issues and all this… You’re grabbing all this stuff because it’s so convenient, and then it comes with all these flaws that you then have to start cleaning up.

It’s like bringing in really bad ingredients to your kitchen. So, that conversation is very, very reactive, and very, very interesting. And it is not happening on X Twitter because, are you kidding me. You think that guy cares about vulnerabilities? Look at his car.

[Laughter]

[Andy Ellis] Maybe this is the point where I just say the views of our guest are not necessarily those of the hosts.

[David Spark] We’ve actually done that in past episodes when we’ve had Davi on. Davi works with Tim Berners-Lee and Bruce Schneier as well. Have you ever said something publicly where either Tim or Bruce said to you, “Hey, Davi, could you cool it?”

[Davi Ottenheimer] No, never.

[David Spark] I didn’t think so.

[Davi Ottenheimer] They would. They would, too. They would definitely say, “We don’t agree with that,” or, “We disagree with that.” But it’s actually the opposite. Bruce and I used to disagree. 2005 was when we really started to disagree a lot.

[David Spark] Well, this is how you got hired, right?

[Davi Ottenheimer] Exactly. And he said, “You know what? You’ve got some ideas that I need to hear.” He loves people who say he might have made a mistake, “Let’s talk about it.” And we do that all the time. And so he’s not going to say, “Stop saying things.” He’s going to say, “Say things you have conviction or believe, and then I may agree or disagree.” And it helps him have a sharper tip to the spear if he can use some folks around to help him hone it.

That’s how it works.

[David Spark] Well, we love having you on the show because we love this kind of thinking to jostle our own thinking as well. Just like Bruce needed. So, you’re hired, Davi.

Closing

36:56.194

[David Spark] Thank you very much to our audience. I want to thank also Sysdig, our sponsor. They are a phenomenal sponsor of the CISO Series, and we greatly appreciate their support. Thank you very much. Remember go to sysdig.com/ciso for more from Sysdig. Andy, as always, we greatly appreciate it.

Davi, I believe you are hiring at Inrupt, correct?

[Davi Ottenheimer] Correct.

[David Spark] All right. And if people want a job at Inrupt and work with someone like you, where would they go?

[Davi Ottenheimer] They can go to inrupt.com, of course. And even better, they can check out the Solid Project because Tim’s vision of the web and moving from version 1, to 2, to 3 is fascinating. Look at how he’s thinking about AI and look at how Solid Project really changes safety of AI and brings integrity back to the web.

[David Spark] I will also say that Davi, what I’ve been very impressed by is your very aggressive view of privacy and essentially what Inrupt’s charter is. And so if any of you listening want some sort of aggressive understanding and look at privacy, you should be looking at what Inrupt is doing and talk to Davi as well.

Probably the best way to engage with people is through flyingpenguin.com, yes, Davi?

[Davi Ottenheimer] Yeah. Leave a comment.

[Andy Ellis] But certainly not through Twitter.

[Davi Ottenheimer] Well, not through any centralized platform. Let’s think about how we can do decentralized or distributed platforms. Distributed is so much better than central.

[David Spark] I agree. Again, Inrupt’s charter. Thank you very much to our audience. We greatly appreciate your contributions. Send in more “what’s worse” scenarios. And we appreciate you listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week In Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.