When we’re looking to secure LLMs, the security considerations can be overwhelming. But often the things that make the most headlines only matter to those building their own models. For organizations that are simply using AI, where does their security focus need to be?
This week’s episode is hosted by me, David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Danny Jenkins, CEO, ThreatLocker.
Huge thanks to our sponsor, ThreatLocker
Security tip of the week – Tenable
To learn more about exposure management, go to tenable.com.
Full transcript
Intro
0:00.000
[Voiceover] 10-second security tip. Go!
[Danny Jenkins] Simply block remote desktop clients from being able to reach out to the internet because attackers are using it to connect to remote servers and exfil data.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series, and joining me, since the very first episode, it’s none other than Mike Johnson, the CISO of Rivian. Mike, say hello to the audience.
[Mike Johnson] Hello, audience. Good to be with you again.
[David Spark] You will hear that voice periodically, multiple times, all throughout this show. We’re available over at ciso-dev.davidspark.dcgws.com. You can hear all of our programming over there, watch it, read it, anything you want to do. Lots of ways to consume this programming.
But don’t go anywhere now. Stay with this show.
Our sponsor for today’s episode is ThreatLocker. Meet the world’s leading zero trust platform, and in fact, we’re going to be talking about just that. In fact, their core principle of default deny, that’s coming up later in the show, but we’re going to be talking with actually the head honcho of ThreatLocker in just a moment.
But first, Mike, we are now in December.
[Mike Johnson] Yes.
[David Spark] And here’s something I’ve run into year, over year, over year, in just business in general…
[Mike Johnson] Ready to do it again, too. Great.
[David Spark] … in December is everyone seems to think that business comes to a screeching halt.
[Mike Johnson] Wait, it doesn’t?
[David Spark] Unless you’re in retail. Retail’s a whole different story.
[Mike Johnson] Yes. Yes.
[David Spark] But it’s like the number of conversations I’ve had with people in December that says, “Oh, let’s talk about it at the end of the year,” as if nothing can happen in the month of December. I used to take it personally, and now I realize this is just the way people behave.
That’s their mode of operation. All right. I won’t take it personally. We’ll just wait till January. So one-twelfth of the year, people seem to not be able to do any work. Now, I know in cyber, you can get plenty attacks during the holidays, yes?
[Mike Johnson] I mean, it can happen immediately. What was it? Log4j occurred over Christmas.
[David Spark] Was it in December, Log4j?
[Mike Johnson] Yeah, it occurred over the Christmas break one year. So, yeah, it can be really, really bad.
[David Spark] But isn’t that kind of classic? They used… So many of the tactics by the malicious hackers is to use the holidays against us.
[Mike Johnson] Oh, quite frequently, yes. I think that, that is one of the challenges that we face in cyber is if there is an incident over the holidays, quite often the teams that we depend on might be off on vacation. So even though we’re minding the shop, the teams that we need help from might not be.
So maybe the tip for folks here, make sure you’ve got your pager rotations set up for those teams that you depend on, so you know how to get in touch with them while they’re not there.
[David Spark] That is an extremely good point. We only think about our own team, not everyone else we’re going to have to engage with.
[Mike Johnson] Yep.
[David Spark] That is a phenomenal tip. All right. Let’s get to our guest at hand. By the way, ThreatLocker has been an absolutely phenomenal supporter of the CISO Series, and we adore working with them. We’re actually fully supportive of their philosophy, and we’re going to be talking a lot more about that here on the show.
And couldn’t be happier to have the head honcho, who we’ve had on multiple times on the show, our sponsor guest, the CEO of ThreatLocker, Danny Jenkins. Danny, thank you so much for joining us.
[Danny Jenkins] David, thank you for having me here today.
What about this AI security challenge?
3:49.217
[David Spark] “Noise from lab-based AI attack research is drowning out the actual risk to enterprises,” said Calendly CISO Yassir Abousselham on LinkedIn, pouring some cold water on security leaders who were wringing their hands over real-world low-risk AI threats.
His hit list of what not to worry about includes, and this has to do with AI, data poisoning, model theft, and model inversion. Instead, he says, “Focus on prompt injection, supply chain compromise, weak access controls, and over-privileged agents.” All right.
This is some harsh talk. Mike, do you agree with the listed AI non-concerns versus concerns? Why or why not? And if so, what’s at the top of your AI concern list?
[Mike Johnson] I really think Yassir’s meta point here is, “Don’t follow the crowd.” Like, don’t just read everything that you see on the headlines and assume that is your threat or your risk. You really need to think about what matters to you and your company.
As he said, not everybody is building or training their own models. Some are. Just because you’re not a frontier lab doesn’t mean you’re not training your own models, but you do need to think about what makes sense to you.
I’ll go even further to say, not everybody actually needs to be worried about prompt injections, even though that’s on his list. A lot of companies do, but not everybody does. So it’s a good list, and I agree with it. I mean, for me, prompt injections, hallucinations, access controls, overprivileged agents, these are all at the top of my list, but it really depends on the use case.
That doesn’t apply to everyone in particular.
[David Spark] Danny, I’ve been to many conferences. There’s a lot of fear around AI security issues, and I think what it is, is a free-floating anxiety because people don’t really know exactly what to be afraid of. What’s your thoughts on this list of concerns versus non-concerns?
[Danny Jenkins] Okay. So I actually think the biggest concern is the obsession with building AI security tools.
[David Spark] Really? Okay.
[Danny Jenkins] I can think of one particular case where a CISO came to me and said, “We have to deliver AI security immediately. This is our biggest priority. How can you help us deliver AI security not from AI attacks, but to implement AI to stop attacks.” I said, “The first thing you need to do is figure out what you want to defend, and if AI is a good tool to defend against that, then implement it.
There’s no way in the world you should go into a problem with a solution.”
It’s crazy. It’s almost like the board are so scared about falling behind, they’re putting pressure on CISOs, and C-suite, “What are we doing to drive AI forward? How are we using AI in our company?” Whereas what they should be saying is, “What problems do we have, and could AI help us solve those problems?” I think that’s the biggest risk right now, and everyone’s closing their eyes or blindly put blinkers on to say, “Let’s focus on AI,” and not focusing on the bigger issue.
Of course, we do have AI issues. We have 4 billion people that can now write malware that had no intention of doing it before, and no ability to do it before. We have phishing emails that look better than they ever did in history, but you shouldn’t be going into any problem with a solution without understanding the problem first.
[David Spark] So I like that, is that, the biggest threat is no intention around AI usage, like just AI for AI’s sake. Yes, Danny?
[Danny Jenkins] Absolutely. But to the point where people are actually not looking at the other things, they should be looking at their business. The number one priority is, “Let’s deploy AI. Let’s deploy AI to solve our security solutions. Let’s deploy AI to solve our IT problems.
Let’s deploy AI to solve our staff problems. Let’s deploy AI.” The solution is being made, and then they’re trying to find problems to match the solution, rather than saying, “These are the biggest problems we have in business right now. This is the biggest security concern we have.
How can we deal with that? And if AI happens to be the solution, great. If it doesn’t, let’s implement the real solution.”
[David Spark] Mike, I’m sure you feel consistent on that.
[Mike Johnson] No, I think it’s a very good point of, “Use the right tool to solve the problem. Don’t just fall for the shiny.” AI is shiny right now.
[David Spark] Which, by the way, this is a chronic problem security falls into. AI didn’t introduce it.
[Mike Johnson] Absolutely. AI didn’t introduce it, but I think it amplified it.
[David Spark] For sure.
[Mike Johnson] I think Danny’s point is a good one, in that, people are being pressured, “How can we use AI to solve our problems?” And so now they’ve got this hammer that they’re being told to go solve problems with. It’s not necessarily the right solution for all things, not for most things.
[David Spark] Going back to you, Danny, I can hear, like the way you described this security professional, it was not that person coming up with this idea. It was clear, there was some outside pressure telling him to do this.
[Danny Jenkins] Absolutely. I think that’s what we’re seeing consistently. This was [Inaudible 00:09:02] in Barcelona, so there was a lot of presence from the Middle East there, there was a lot of presence from Europe there, and there’s a little bit more control of the board than there is in the US.
Security seems to be given a bit more freedom in the US, whereas in the Middle East, it’s very much, “We’re scared about falling behind. Let’s do this.”
What’s the ROI?
9:17.471
[David Spark] “This is the bane of every CISO.” Now, that’s how Steve Zalewski, our familiar Defense in Depth co-host, described demonstrating ROI for cybersecurity initiatives. This is what he talked about in our recent cybersecurity subreddit AMA, calling it a “dark art,” essentially, trying to figure out ROI in cybersecurity.
By the way, if you don’t know, every month, we do an AMA on the cybersecurity subreddit, the CISO Series does.
So after decades as a discipline, we still can’t agree on how to prove our worth, meaning cybersecurity’s worth. Some swear by financial risk modeling and FAIR methodology, others struggle to move beyond maturity models. But everyone agrees, companies are no longer satisfied with security as a “continuous improvement exercise.” It turns out the business responds to demonstrable business value.
Danny, is ROI even the right metric for something about preventing losses rather than generating revenue? Again, some argue that you can show security generating revenue.
[Danny Jenkins] So I think, in some cases, it’s very easy to say security is lowering costs where we haven’t had any breaches, especially if you’re going from a case where you had X number of malware attacks a year, X number of phishing attacks a year, it’s very easy to show ROI.
I disagree in many cases. I think in many cases, the CISO overstresses the need to show ROI, because it does get asked, but I think every CEO…I’m a CEO, so we spend lots of money every month.
Of course, if marketing come to me and say, “I want to spend a million dollars on something,” and I can say, they say, “I’m going to get this many leads. We’re going to get this many sales,” it’s really, really easy. If security comes to me and says, “This is a potential risk, this is what’s going to happen.” I’m not thinking about, “Show me ROI.” I think we shouldn’t be talking about ROI, we should be talking about risk.
We should be saying, “This is a risk, we buy insurance, we have building security, none of which provide ROI unless something happens, and then they provide lots of ROI.” I think we should be changing it to, “We’re talking about risk, and we’re talking about taking away that risk.” If we don’t take away the risk, then we’ll be having a conversation next year about, “How can we get return on investment and not get breached again?”
[David Spark] You know, Mike, this is so interesting. So ROI discussion comes up again and again, but it’s interesting, there are a lot of other things we spend money on in businesses like the receptionist, the front desk, or the cleaning crew, who the heck?
You know, just lots of random things, and we don’t ask for the ROI on those things. So why does security get this sort of special behavior?
[Mike Johnson] I don’t think we’re actually being asked ROI. I think some folks in the security industry are trying to push that.
[David Spark] Or maybe just prove our worth.
[Mike Johnson] And maybe that’s what folks are going for. But it’s like you said, there are many other functions that aren’t being asked to show their ROI. The finance org, for instance, doesn’t generate revenue for a company. They manage costs, and to Danny’s point, there’s a lot of value in that.
But they’re not a profit center. The legal team, very much the same.
So I very much agree with Danny. We need to stop talking about ROI. We’re shooting ourselves in the foot by continuing to talk about ROI where we’re never going to be able to show it. We are a cost center. That’s okay. There are plenty of cost centers in a business.
There are plenty of places that we are not generating profit, not generating revenue, but they’re absolutely needed for the company. So I love the idea of, talk more about risk, talk more about risk reduction, and that’s really where we need to get.
[David Spark] I mean, it’s just, it’s analogous risk reduction to ROI, but just to say ROI is just missing the point. Yes, Danny?
[Danny Jenkins] It is completely missing the point. And to your point, the finance department is just a pure cost center and nobody questions it. Well, probably because they write the checks, but we are missing the point that this is a risk. We have to address the risk.
Security isn’t optional in a business. If you don’t do it, you will eventually have massive financial consequences or potential business consequences where you don’t exist anymore.
I think most business owners, most board members understand that. I think CISOs sometimes want to make this an ROI play to make themselves feel more valuable. When you get into a digital transformation world, you’re getting into ERP systems and order-taking systems, you can start showing worth.
But security is a cost center, but it’s a risk reduction and potentially a business-saving cost center. We don’t ever question any other cost center in the business, and we shouldn’t be trying to compare ourselves to a marketing department.
[Mike Johnson] Yeah, I think the one thing that we’re trying to solve for is, what is the right amount of security? And we haven’t figured that out yet. So there’s absolutely…it is critical, it is required, but how much is enough? And that’s why I think people keep trying to push for ROI.
Sponsor – ThreatLocker
14:32.773
[David Spark] Before I go on any further, let me talk about ThreatLocker, a phenomenal sponsor of the CISO Series. So let’s be real. Most cybersecurity tools only act after the damage is done. Detection is reactive. We know this. Prevention is what actually changes the game at multiple levels, and that’s exactly where ThreatLocker comes in.
Instead of chasing threats, ThreatLocker helps organizations stop them at the source before they ever even run. Only approved applications, scripts, and executables are allowed. Everything else denied by default. That is a core philosophy of ThreatLocker.
It’s the control CISOs have been asking for, protection enforced right at the execution layer, and even trusted tools stay in their lane. Ring fencing keeps PowerShell and browsers from being misused, while storage control and elevation control tighten how data and privileges are handled across the enterprise.
It’s zero trust made practical and scalable for modern environments.
Now, if you’re tired of alert fatigue and endless detection noise, who isn’t? It’s time to shift the model from detect and respond to deny and verify. So you can learn more if you go to their website, Threatlocker.com/CISO. And do me a favor. You go to Threatlocker.com, add the /CISO.
It’s the easiest way to let them know that you heard about ThreatLocker from the CISO Series. If you go to Threatlocker.com/CISO, you’ll see how default deny can finally give you real control over your environment.
It’s time to play “What’s Worse?”
16:13.981
[David Spark] Danny, you have played this before, you know how it goes. Two crappy situations, you have to decide from a risk analysis, not an ROI viewpoint, which one is worse. All right, Mike, we’ve done variations of this one before, but I like the simplicity of this one.
This one comes from Anna Liv Christensen of Compliance Partner, and she asks the following. Scenario number one, you inherit a security team of highly skilled professionals with no interpersonal skills. So they’re very good at their job, but their ability to communicate to others is a big zero.
Now, you know where this is going. We got the flip side.
[Mike Johnson] Oh, I think I know exactly where this is going.
[David Spark] You inherit a security team that communicates very well and builds trust, but lacks deep technical experience, and you will never be able to train them. I have a feeling I know where you’re going to go on this, but I will ask you which one is worse.
[Mike Johnson] Yeah, so the first one is the brilliant jerk scenario. Like you’ve got a team of brilliant jerks.
[David Spark] Well, hold it. No. It doesn’t… I take that… That doesn’t mean… They just can’t…
[Mike Johnson] But no interpersonal skills.
[Danny Jenkins] Nerds is a nicer word.
[David Spark] But no, it doesn’t mean they’re brilliant jerks. They’d just be buffoons that don’t… You know, the incredibly shy person that just doesn’t know how to talk to the girl at the dance? That could be your security team. Not necessarily brilliant jerks.
I don’t want you to pitch and hold them as brilliant jerks.
[Mike Johnson] Well, that was how I interpreted it. So if that’s not what we’re saying, it’s really just…
[David Spark] They’re not… No. They’re definitely not brilliant jerks. I didn’t say that.
[Mike Johnson] That’s just not their skill. Their skill is not communication, their skill is security.
[David Spark] They get tongue-tied, they screw up, they just don’t know how to do it.
[Mike Johnson] Yeah. So if I reframe it, the first is people who are very good at security and not very good at interpersonal relationships.
[David Spark] Correct. Doesn’t make them bad, doesn’t make them mean or rude.
[Mike Johnson] Yeah. The second one is they’re great at interpersonal relationships and [Inaudible 00:18:18] in security.
[David Spark] Just, they struggle to configure a single tool.
[Mike Johnson] Yeah. So if that’s where we’re at, this one actually is pretty tough.
[David Spark] It is.
[Mike Johnson] Because what you’ve got is people who can actually meaningfully move security forward for the company in a silo, versus people who can’t effectively move security forward, but they’re not doing this by themselves. I think if we break it down into that, like it…again, always these both suck.
At least in the first one, you’re moving security forward. It sucks that you’re doing that alone, but at least you’re making improvements. So for these two, I think the one that you’re not making any progress on security, that actually feels like the worst scenario for me.
[David Spark] So that would be scenario number two?
[Mike Johnson] Yeah.
[David Spark] Okay. All right. I have other arguments why I think that’s interesting. Danny, I want your thoughts on this.
[Danny Jenkins] So scenario one is the nerds that are really bad at communicating. But one question I’d like to ask, are the nerds… Are you inheriting it, as in me, as in charge of the nerds, the CISO, essentially?
[David Spark] Right, right. It’s like you just joined a company. This is your team. You get team A, or you get team B.
[Danny Jenkins] I will always take the nerds.
[David Spark] The nerds that can’t talk.
[Danny Jenkins] I’ll tell you why, because…
[David Spark] Because you could talk.
[Danny Jenkins] As a CISO, your job is to go to the board, and one of the things that we do very well in ThreatLocker is very technical interviews where we make sure people have good understanding and good ability in their role. What we found is, people who can talk, who can’t do, often make people feel falsely confident.
[David Spark] Good point.
[Mike Johnson] And that is much, much worse. I would rather people who make me feel scared than people make me feel really, really confident and go home every night thinking, “We’re great, we’re going to do really fine.” So I think I’m always going to choose the nerds, and as a CISO in this role, that’s my job to communicate with the business, and my job to communicate with the nerds, and figure out how we build a team.
[David Spark] Right, and I’ve heard that a lot, that a really good CISO essentially speaks the language of Nerdville, of the cybersecurity professionals who fall into that camp. Not saying all of them. But also, and we’ve said multiple times, that they can speak the language of all the other departments.
Another point I’d like to throw out, in scenario number two where they lack the technical expertise. That means you’ve spent all this money on tools that nobody seems to be able to operate or configure. So you’re just wasting money in that second scenario.
[Mike Johnson] Got a lot of shelfware.
[David Spark] Yeah. It would be like having a great tool like ThreatLocker and nobody configuring anything.
[Danny Jenkins] That’s a big problem in any security tool, actually, where people buy the tools and do not configure them because they don’t have the technical skillsets. I use the saying quite often, and I’ve heard it quite a few times, that IT people have friends, security people don’t necessarily.
[David Spark] Let me ask you this. I’m sure you’ve heard this complaint, if you will. And I know, by the way, just supporting ThreatLocker, you guys have an amazing support staff, and you are hyper, hyper responsive, but I’m sure you’ve heard the complaint of…from somebody who did not configure the tool correctly, and blamed it on ThreatLocker, yes?
[Danny Jenkins] Oh, of course. All the time. Actually, we released an entire feature that just deals with that, and sends email reports over and over again saying…
[David Spark] All right, this is the DAC tool.
[Danny Jenkins] Yes.
[David Spark] Yes. Defense Against Configurations. It’s very [Inaudible 00:21:48].
[Danny Jenkins] Otherwise known as dumbass configurations.
Please, enough. No, more.
21:53.082
[David Spark] Today’s topic is cybersecurity complexity versus simplicity. Okay, because we’ve heard that, “It’s too complex,” and, “Oh, no, we can make it simple.” But I’m going to start with you, Mike. What have we heard enough about? What would we like to hear a lot more on this topic?
Or in essence, what are we making unnecessarily complicated in cybersecurity? Where can we simplify here?
[Mike Johnson] Right. You know what? Now that I mentioned that, I’ve actually heard complexity is the enemy of security too much.
[David Spark] Yes.
[Mike Johnson] It is a throwaway phrase that has no meaning. The reality is we live in a world of complex systems. We need to embrace that. We need to understand that. I really think the opportunity here is to make security simple. Golden paths, paved roads, whatever you want to call it, it’s really complicated to make something simple.
That’s really our opportunity here, is we should make security simple for others. We ourselves should embrace the complexity, recognize it’s there, but put the work into hiding the complexity from others.
[David Spark] Very good philosophy. Right, I’m throwing this to you, Danny. I know one of your core philosophies is default deny, which, that single philosophy in action that you do greatly reduces the complexity of cybersecurity. So what’s your thoughts on what you’ve heard enough about, and what would you like to hear a lot more?
[Danny Jenkins] I’ve heard enough of AI, maybe not that I’m [Inaudible 00:23:30] right now. I think one of the things I’ve heard enough about is the sophisticated attack. Everyone is going to have some cyber incident in their life, whether someone’s email account gets compromised or someone’s phone gets stolen.
But when you hear about these massive companies that have just been hit by a major cyber-attack, and there’s 30,000, 40,000 endpoints down or 5,000 endpoints down, and they hear words like, “It was a sophisticated attack,” most of the time, it is not.
It’s a fundamental flaw in basic configurations. A VPN was poorly secured. An RDP server was left open. Remote, untrusted software was run. These guys aren’t getting in John Travolta style from Swordfish, where they’re pounding on the keyboard, and everyone thinks it’s some kind of magic code.
They’re literally just doing basic things to get into systems and fundamental basic security measures could have stopped them. So I think that’s what I’ve heard too much of is the word sophisticated attack. It’s very, very seldom a sophisticated attack.
We need to stop talking about that and start talking about basic.
[David Spark] Not only that, Danny. I can’t remember the last time I truly saw a sophisticated attack.
[Danny Jenkins] I would say the closest thing I’ve seen to one, and, again, not a sophisticated attack at its root, but a sophisticated attack by the time it got there was SolarWinds Orion, in that, they got into SolarWinds’ source code. Again, not sophisticated, but the long-term plan of getting to a vendor, getting into a source code, and then getting down.
[David Spark] I would put quotes around sophisticated for the ones that have the long game, essentially, for the attack. That is, in a way, “sophisticated”.
[Danny Jenkins] Yes, but many times that long game gets stopped by a simple control day one.
[David Spark] Yes, exactly. So what would you like to hear a lot more of, and explain your philosophy at ThreatLocker?
[Danny Jenkins] Look, my philosophy is very, very simple. There’s very few ways that somebody gets into a system. It’s really open ports, untrusted software being run, bad credentials, or bad dual factor turned on. So I think we should be focusing on this idea of controls.
Let’s think about what controls we can put in place, tangible things we can do. And that means we have to accept that a user is going to click on an email link and download something they shouldn’t do. We have to accept that. We can’t train it out of them.
It’s impossible.
So if we put basic controls in place, it doesn’t have to be hard. People think it’s incredibly complex, where we say, “This user…500 users in my company are salespeople, they run Zoom, they run Office, they run Chrome, only allow that to run.” I would like to see more controls like that, more dual factor controls, more closing network ports where they’re not necessary to be open.
Most companies will go and install a server, the whole network, the whole LAN can see this server. Why is it not configured to only allow the group of users that need to see it? If we think about controls, that’s what I’d like to see more of.
I think even when we think about detection, we should be thinking about it in response of control. So, for example, quite often right now we rely on a detection, an indicator of compromise, going to a SOC who is expected to make a decision, “Somebody’s run an IP scan on our network, should we shut down this server and take us offline in minutes today?” Because I’ve seen cyber-attacks go from initial access to impact within minutes.
We can be thinking about controls in response to detection. So one of the things I like to do is, if an indicator of compromise is triggered, it might be an IT guy running an IP scan, but what I’d like to do instead is send an alert to the SOC, but also disable all admin tools automatically until the SOC has responded to slow down an attack.
These are real tangible things you can do to stop attackers to begin with by blocking untrusted software, closing ports, but even when they gain access, making their life miserable.
[David Spark] Mike, I know this has been a philosophy of yours in that, the goal is, just make the process of attacking us as difficult as possible. I’m going to assume, and maybe this is something you can visually show and describe how you show it or you can see it numerically through any metrics, but when you create essentially walls of, “Well, you shouldn’t have access to that.
You shouldn’t have access to that.” It should be super clear that you should see these vectors dramatically decrease.
[Mike Johnson] Yeah. A lot of what we focus on these days is we always call it reducing the attack surface, or reducing the blast radius, or what have you.
[David Spark] Right.
[Mike Johnson] That is where you see that manifest, is there are limited ways that somebody can get in, and then there is limited damage that they can do when they do get in, and I think… When I was listening to Danny, what I really liked was, there’s a lot of focus on prevention, but he’s also describing rapid response to detections.
I think that’s something that we also need to think more about is, there might be things that we can’t just block, we can’t just prevent because it will slow down the business or block a normal process. But if we see a detection like something triggers, maybe we actually do then take the automated action to slow the business down until we’re sure.
I think that’s an interesting thing. I just wanted to highlight what Danny had said there, because I do think it’s another way of thinking about controls. They don’t have to be just preventative.
[Danny Jenkins] I think that is really good, and I want to give another example of this. In the world of zero trust, you gain, give access where access is required. It’s not about no. It’s about where access is required. So my marketing team need access to USB drives because they copy PowerPoints onto USBs, video files onto USBs to go to booths at trade shows, and things like that.
What we were able to do, and what…again, it’s implementing controls as needed, rather than blocking USB all the time, we’ve put a policy that says they can copy X number of files per hour to a USB drive, and if it exceeds that, we now revoke the policy.
So, again, the computer still works, they’re still able to operate, but they can no longer copy those files. The SOC will then respond, decide, “Was it a false positive or were they data exfiling? Did they decide to copy all of our files to a USB drive?” These are the type of automated controls that aren’t necessarily black or white, allowed or not allowed: allowed under normal circumstances, but if the circumstance changes, we’re going to revoke that access.
[David Spark] Today’s security tip has to do with patch fatigue. Yes, this is not just vulnerability management, but the humans that are dealing with it. That’s coming up right now.
Security tip of the week – Tenable
30:01.518
[David Spark] Even the most advanced exposure management platform can’t protect you if your teams are overwhelmed. Patch fatigue is real, and when remediation velocity slows down, your exposure widens, no matter how good your visibility is. Pay attention not only to vulnerability counts, but to process capacity.
How many patches can your team realistically apply in a week? How many configuration changes can they implement without burning out? If the workload consistently exceeds that capacity, you’re not dealing with a tooling issue, you’re dealing with a human exposure problem.
Automated patching can clear out routine, repetitive remediation tasks, those low complexity updates that eat up most of your team’s time. That frees your experts to focus on the high-risk items, the actively exploited vulnerabilities, the misconfigurations that form attack paths, and the issues that require context and judgment.
So by managing workload as deliberately as you manage vulnerabilities, you create a sustainable exposure management rhythm, hedging yourself against the risk of tired teams missing things.
Will we really ever achieve zero trust?
31:49.729
[David Spark] “Zero trust is like dating in high school. Everyone’s talking about it. Not many are doing it, and almost no one is doing it correctly.” I love that quote. That gem dropped in a recent cybersecurity subreddit thread, with one commenter noting they had “zero trust in zero trust marketing.” While vendors slap zero trust on everything, actual practitioners are struggling with the realities of implementation from microsegmentation resistance to legacy system nightmares.
One commenter pointed out, the cultural change is harder than the tech, while another argued, it’s just repackaged Defense in Depth for the identity era. Okay. Now, this is in no way attacking you, Danny, but I know that this is a part of your philosophy and part of your marketing.
So if zero trust is really a mindset shift rather than a product, why are we still letting vendors define what it means? But you’re a vendor. You’re not, I don’t think, defining what it means. I think you’re kind of leaning into it, aren’t you?
[Danny Jenkins] Absolutely. And actually, if you look back on Wayback Machine, our messaging on our website, when everybody else was saying zero trust, we didn’t actually even say it because it became white noise. We had EDRs saying, “We’re a zero trust endpoint.” Every booth at RSA and Blackhat said zero trust just like every booth says AI on it right now.
We didn’t put the wording on our website because I would rather transition to the wording of block untrusted software, limit what applications can do, stop access, take away admin privileges, because an IT practitioner or a security practitioner can understand that messaging, whereas if you just put generic terms, they can’t.
Then if we want to use zero trust and where I personally focus on using zero trust is I’m going to tie everything back to it. Blocking untrusted software is a zero trust approach. So I think the messaging… I’m not really big on any security messaging, and I think it comes down to marketing people creating messaging and not practitioners and not security people.
However, do we…can we achieve it? I don’t think we achieve it, yes or no. I think we achieve a zero trust mindset in certain areas.
And right down to, if we go back 20 years ago, companies would say, “Nobody can access the payroll folder except the payroll staff.” That’s zero trust when it comes to payroll. I think we expand from just payroll to a much larger part of the business, and we start talking about untrusted software, and who can access what files, and who can upload data, and who can use USB drives.
I just think we get more secure by implementing more controls that follow that philosophy than we did 20 years ago, when it was just a payroll folder.
[David Spark] Yeah, Mike, honestly, it’s impossible to truly have zero trust. I think what we’re really talking about is chronically minimizing trust, or minimizing access, which achieves…sort of, we’re getting to a point of ever closer to zero trust, while never actually achieving it.
Yes, am I correct in this way of describing it?
[Mike Johnson] It’s one of those things where… You remember the thing years ago of like, “What color is this dress?” I think zero trust is exactly that. It means so many different things to different people. I agree with Danny, it’s noise, and I think we’ve reached a point with it that, I would like to see the term go away because it’s absolutely meaningless at this point.
[David Spark] I don’t know if it’s meaningless.
[Mike Johnson] It is.
[David Spark] I mean, meaningless means zero. But I think everyone… Look, the government is embracing it. The government embraced the term zero trust, and people generally understand the philosophy of…
[Danny Jenkins] Least privilege.
[David Spark] …don’t give persistent access. Yes, Danny?
[Mike Johnson] I think Danny just nailed it. It’s least privilege, and it’s a term that we’ve had forever.
[David Spark] Right.
[Danny Jenkins] We also used to call it cloud hosting.
[David Spark] Also fair.
[Danny Jenkins] Marketeers come up with new buzzwords to reinvent hosting to make it sound sexier and call it cloud. I think it was SaaS somewhere in the middle, too, and maybe it’s SaaS sometimes now. But I think zero trust is the new word for least privilege.
[David Spark] Yes.
[Danny Jenkins] I think, as a CEO, I’m incredibly careful to make sure all of our banners, all of our messaging, includes the tangible things we’re actually doing…
[David Spark] Good point.
[Danny Jenkins] …as opposed to just zero trust. We can use that zero trust as the bottom tagline, but everything in between has to be stop untrusted software, ring fence applications, stop PowerShell meeting your lunch. These are more meaningful to a practitioner than the word zero trust.
[David Spark] By the way, we have this game that we started playing with our audience called Slogan’s Run, where we essentially put up a slogan from a company, and you have to guess which company’s slogan. And like what we’ve been talking about since, like the overuse of zero trust, the overuse of a lot of these terms, it’s quite difficult, and companies keep changing their slogans for that matter, because it’s quite difficult to describe something that is not tangible.
It’s tough.
[Danny Jenkins] Our mission statement in 2017 is exactly as it was today, which is to change the paradigm of security from default allow to default deny. I think we’ll lean into budgets, especially when companies get budgets for things like zero trust.
But ultimately, that’s what it means to us, change security from that default allow to default deny.
[David Spark] Which is now people are describing as zero trust, but you’re ahead of the game just with different terminology.
[Danny Jenkins] Correct.
Closing
37:30.073
[David Spark] Excellent, Danny. Let’s wrap it up right there. I want to thank you, Danny Jenkins, who’s the CEO over at ThreatLocker, and ThreatLocker being a phenomenal sponsor of the CISO Series. Remember, go to threatlocker.com/CISO. Just throw the /CISO in there.
It’s an easy way to let them know you heard about them from the CISO Series. Their tagline currently is the world’s leading zero trust platform. Throw default deny in there, or deny by default. Just throw it in there. Mike, thank you so much as always.
Any last words?
[Mike Johnson] Danny, thank you for joining us. David made a comment along the way about, “This is a good episode,” and that’s really because your thoughts, your perspectives, your philosophies, and really being able to go all over the place, down into the details, but also give our audience some perspective of what a CEO thinks about.
So really appreciate you being able to share all across the spectrum. So thank you.
[Danny Jenkins] No, well, thank you for inviting me today.
[David Spark] Then, Danny, I’m going to just say it. You’re always hiring, correct?
[Danny Jenkins] We’re always hiring. I think we had 40 people last month.
[David Spark] Wow, that’s unbelievable.
[Danny Jenkins] We’re just, we’re expanding to other offices, and we’re probably going to add 50 people.
[David Spark] Oh, so you’re not just Orlando, right?
[Danny Jenkins] So we have offices in Orlando. We have a second building now in Orlando coming up.
[David Spark] Congrats.
[Danny Jenkins] And we have offices in Dublin, Dubai, Brisbane, and then we’ve got staff in, I think, 10 or 15 different countries at this point. I can’t even keep track of it.
[David Spark] Well, congratulations. If you’re looking for positions, please go to Threatlocker.com. They’ve got positions open there as well. Huge thanks to you, Danny. Thank you again for ThreatLocker for supporting CISO Series. Thank you, Mike, and our audience.
I don’t say this lightly. We truly appreciate your contributions. Send me more what’s worse scenarios, please, and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review.
This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com.
Thank you for listening to the CISO Series Podcast.