Our Theoretical Controls Work Great Against Hypothetical Attacks

Cybersecurity frameworks are a great starting point for any organization. But none will survive first contact with a production environment without accounting for local context. So why do we keep missing that point?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is David Nolan, former CISO.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker makes Zero Trust practical. With Default Deny, Ringfencing, and Elevation Control, CISOs get real control that’s easy to manage and built to scale. Stop threats before they execute and reduce operational noise without adding complexity. See how simple prevention can be at ThreatLocker.com/CISO.

Full Transcript

Intro 

0:00.000 

[Voiceover] Best advice for a CISO, go!

[David Nolan] You definitely have to obsess over the business you serve. My advice is get out there, get your hands dirty, get on the front lines where revenue is actually made, and get to know what that success looks like. Talk to your executives and your business peers and help them achieve what their goals are but do it in a secure way.

The cool thing is not only does that help you to translate your risk in their business terms, but it helps you identify potential impacts and those opportunities that your strategy on security may cause. 

[Voiceover] It’s time to begin the CISO Series Podcast. 

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of said CISO Series, and joining me as my co-host, one of your favorites. It’s Andy Ellis, the principal over at Duha. Andy, say hello to the nice audience. 

[Andy Ellis] [Foreign language 00:01:06].

[David Spark] That one was in Hebrew. That one I picked up. 

[Andy Ellis] Excellent. David actually recognized the language for once. 

[David Spark] Well, I don’t speak it, my wife speaks it, and I did recognize a handful of the words there. So, there you go. We are available at CISOseries.com where you can find all of our other wonderful programming. And our sponsor for today’s episode, a spectacular sponsor for years now, and they continue to be a great sponsor of the CISO Series.

That would be ThreatLocker. Allow what you need, block everything else by default, including ransomware and rogue code. We’re going to be talking about that and a lot more a little bit later in the show. Thank you, ThreatLocker. But first, Andy, I’m bringing our guest in right now.

Okay? So I’m going to announce it, but there’s a reason I’m bringing him in, and this is to drive you crazy, just so you know. It’s to drive you crazy. 

[Andy Ellis] Like I’m already there, it’s not a short drive. 

[David Spark] He is, by the way, the former CISO over at Asurion, none other than David Nolan. David, welcome to the show. 

[David Nolan] Thank you, glad to be here. 

[David Spark] All right. Here’s something David and I discovered just very recently. 

[Andy Ellis] That you’re both named David? 

[David Nolan] Yes.

[David Spark] That is one thing we do have in common, yes. But that’s not the thing I was going to bring up that would drive you nuts. 

[Andy Ellis] And you have five-letter last names. 

[Laughter] 

[David Spark] Yes, that was the other thing that was going to come up. But we are both massive pinball nerds.

[Andy Ellis] Oh, no! No! [Laughter] 

[David Spark] I knew it, I knew it. Let me give you an idea. First of all, one of the machines, we own the same machine. Well, we both own a few machines, but we own the same machine. And he took a photo of his score because he broke a billion points on Godzilla, which is a big deal.
[Andy Ellis] Please tell me it was higher than your score. 

[David Spark] It was higher than my score. 

[Andy Ellis] Yes. 

[Laughter] 

[David Nolan] Lifetime achievement. 

[Andy Ellis] Because you’re going to obsess over beating that now. 

[David Spark] My high on that is about 870 million. He broke a billion, which is a big deal on that machine. And he knew I would appreciate it, and I did. 

[David Nolan] [Laughter] 

[David Spark] And I actually showed it to my wife and kids who also know it’s a big deal to break a billion on that machine. 

[Andy Ellis] Congratulations, David, well done. 

[David Nolan] Ah. Life goals achieved right there, right behind my kid’s birth. 

[David Spark] This is one of the things is I think I get more enjoyment out of a pinball achievement than any professional achievement. 

[Andy Ellis] That’s okay. Just to be clear, everybody has their thing. You make fun of people who like football, I’ll make fun. I only make fun of pinball because it trolls you right back.

[David Spark] Right.

[David Nolan] [Laughter] 

[Andy Ellis] I’m glad you have a thing that brings you that much joy. 

[David Spark] Well, like for example, I finally placed in a tournament. I got third in a tournament, which was huge for me. 

[Andy Ellis] Wait, I just need to check just to be sure. How many people were in the tournament? 

[David Spark] Twenty-four, I came in third.

[Andy Ellis] Okay, that’s still pretty good. 

[David Spark] Okay.

[Andy Ellis] My mother-in-law does this because she’ll come in and she’ll be like, “Oh, I took first place in my age group.” “Well, how many people were in your age group?” “One.” 

[Laughter] 

[David Spark] Well, typically, I ran a foot race, and I came in third in my age group, and there were five in my age group. 

[Andy Ellis] Yeah. I mean, that said, my mother-in-law is in her 70s and places in cross-country skiing races. So, I don’t care how few people there were in her age group, she showed up and she finished. 

[David Spark] Oh, she showed up and finished, forget it. That’s a win right there.

[Andy Ellis] That’s a win. 

[David Spark] So, here’s the thing, on that pinball competition, I made a whopping $14, but… 

[Andy Ellis] Whoo. What did it cost you to enter? 

[David Spark] There you go.

[Laughter] 

[David Spark] Because I paid for myself, my wife, my two kids, all of us were totally into it, and the cost to actually play each game. So, we dropped about $50, but I won 14. 

[Andy Ellis] So, $50, and 4 of you entered out of the 24 who were in, and you placed third. This story gets better and better. Who else was in this tournament, David? 

[Laughter] 

[David Spark] Well, other very good pinball players were in it. 

[Andy Ellis] It’ll turn out I was playing in the pinball tournament. 

[David Spark] My oldest son, of the machines I own, I have four machines, he has a high score in three out of the four of them. It’s the darn Godzilla’s the only one I’m holding onto right now. 

[Andy Ellis] Ah, and the student surpasses the master. 

[David Spark] Yeah, yeah. Well, he’s really good. My oldest son’s very good. 

[Andy Ellis] This is what we should all aim for, that when we’re developing our teams, whether we have to grow them ourselves or get to hire them, that they should surpass us. 

[David Spark] I am very happy that he’s a great pinball player. It aggravates me, though, that I’m not better than him. Sometimes. Here’s the thing. First of all, I had the high score on all four machines at one time. No longer. 

[Andy Ellis] That’s what the reset button is for. 

[David Nolan] I feel like pinball’s like darts and shuffleboard. You can’t really apply it anywhere else if you’re good, so I always hesitate to get good at it. 

[David Spark] No. But you don’t ever play in tournaments, do you, David? 

[David Nolan] Ah, I generally haven’t. I mean, just maybe at the local place, but. 

[David Spark] Yeah, well, I mean, that’s the thing. This was a kind of a local tournament. We have them all the time. No, I’ve done the really big ones, too. Those are pretty rough. 

[David Nolan] Yeah, we’ve got a national champion and many state champions in our local place, so it’s tough. 

[Andy Ellis] It’s challenging, yeah. 

[David Nolan] Yeah. 

[David Spark] All right. Enough of the pinball talk. Let’s get to the show. 

How is the CISO role evolving? 

6:03.377 

[David Spark] “I’m not here to brief risk. I’m here to get a decision so we can move.” That line from Geoff Hancock, CISO over at Unacast, is part of his argument that executive presence for security leaders isn’t about polish or gravitas. It’s about controlling three things in the room – the narrative, the tempo, and the decision itself.

CISOs need to stop bringing problems and start bringing decision packages. Stay calm when everyone else panics, lead with business impact, not security context. But is this framework about executive presence, or is it really about how CISOs orchestrate decision-making when they’re accountable but often not empowered?

So, I’ll start with you, Andy. When you walk into that room, what role are you playing? The advisor, the translator, the decision architect, or something else entirely? And does the calm, clarity movement model work when you’re dealing with executives who want certainty you just can’t provide?
[Andy Ellis] So, I think you’re playing all of those roles. There’s not just like one thing that you’re doing, and it also depends on the circumstance, right? You walk in and as an advisor, the first thing that you’re doing is you’re making a decision about the direction you want this conversation to go.

And that direction might be to say, “Let’s stop worrying about this thing,” because you might have executives who are stressing about something they shouldn’t. In which case, this is actually about your executive presence that you’re controlling the narrative.

You’re not worried. You’re calm. “Here’s why we’ve got this under control.” Tone it down. Go worry about something else, right? 

And maybe the way in which you do that is by letting them vent and stress and get that out of their system and then task you with something, even if what they tell you to do doesn’t matter. You’re like, “Great, I’ll go take care of that,” get it off your plate, go away.

Other times, you’re bringing in a problem or a problem that’s already there, and you’re trying to drive towards a decision. Now, a key piece of the narrative shaping that Geoff leaves out is you want to get to a point where there are no bad decisions.

You do not want to present, “Here is a great choice and here is an awful choice,” because the awful choice might be what the company goes with. So, what you want to do is provide two measured choices that are both ways of dealing with something, maybe a big one, maybe a little one, but so that if the company says, “Look, we can’t afford to go invest $5 million in solving this problem,” that you didn’t say, “Well, invest 5 million or I’m going to go publish all of our secrets out in Times Square.” Like, this cannot be the “I’m going to hold you hostage to this great decision.”

Maybe there’s a great decision, and the next one is just tolerable, but it’s got to at least be tolerable. So, you’re sort of playing that decision architecture role, but they are trusting you, and an important thing is that they should trust that you’d never play Chicken Little.

I had an executive who would always answer the phone when I called him. It did not matter what meeting he was in. If I called, even if he was in a customer meeting, I was the only person for whom he would recuse himself from a customer meeting, and he would say, “I have to take this.” Because if I called him on his cell phone, it was always important and always urgent, and he always valued that conversation.

That’s really the most important thing is that they know that you will never waste their time and their ability to make choices with silly arguments and silly choices. 

[David Spark] All right, that’s very good. And by the way, that reminds me if anyone is a good Connect Four player, that to play that game well, you find two ways to win. 

[Andy Ellis] You have to. If you don’t have two ways to win, then if you happen to win, it’s because you were playing against somebody who doesn’t know the rules of the game. 

[David Spark] Yes. But this also sounds a little bit, David, like what a magician does, who makes you think you’re picking the card you want, but you’re forcing the card you’re doing. Are you being a little bit of a magician here? 

[David Nolan] Yeah, I mean, you definitely are. I absolutely love what you said there, Andy, about basically making him have an out, if you will, the great-versus-awful idea. David, to your question, I think we’ve got to serve as a risk advisor, but it’s a trusted risk advisor, and how you’re going to establish trust is bring them realistic options, right?

Not the, “Invest $10 billion or I’m going to the street,” type of thing, or “I told you so.” So, building that trust is a big part of it, and you got to bring it to them with the proper business context, not the classic fear, uncertainty, and doubt.

Something they’re going to understand, something with mitigations, and really something that you’re going to bring an advisement, say, “Hey, here’s what I suggest, but here’s the other alternatives that we’ve considered as part of that.” The only thing that gives me pause in that is the word “control.” We can’t control the decision.

I mean, ultimately, we have a risk if we approach it with that mindset of the old “thou shalt” and “office of no,” and everything.

[David Spark] But you can control the environment like what you were saying, Andy. 

[David Nolan] I’d say influence is the word I would use.

[Andy Ellis] You can shape the narrative and shape the conversation, but you can’t control the players there. 

[David Nolan] Yeah.

[Andy Ellis] But you can manipulate them a little bit. 

[David Nolan] Yeah. [Laughter] Yeah, for sure.

[Andy Ellis] I once worked for a boss who would never accept any choices we brought to him. If we brought him two choices, he had to tamper with them. So, I would just reverse engineer his tampering and bring him a choice near what I wanted him to do, and he would say, “Well, instead of that, how about if we do this?” And I’m like, “Do we really have to?” and inside, I’m like, “Absolutely.

That’s what I wanted to do, but I couldn’t tell you that.” 

[David Nolan] Yeah, I think why I have a visceral reaction to that is some of the faux pas that some CISOs out there make is if they bring something and an executive has a higher risk tolerance and they don’t follow that exactly, there’s this like…

[Andy Ellis] Yeah.

[David Nolan] They get offended and get upset, right? But the reality is we’re a partner and we’re going to work together to find what that right decision is. 

[Andy Ellis] Yeah, if you find somebody who has a higher risk tolerance than you do, you got to learn to run with it. 

[David Nolan] That’s okay. I mean, risk is a business decision at the end of the day. Some companies are going to have a high risk tolerance, some aren’t. Your job as a CISO and as a business leader, ultimately, is to figure that out and to meet those goals within that risk tolerance.
[David Spark] Hold it, have either of you worked at a business where they accepted a ton of risk and they really rolled the dice, yes? 

[Andy Ellis] Yes.

[David Nolan] Yeah, of course. 

[Andy Ellis] If you work for a company that ends up with revenue over a billion dollars, there was a lot of dice rolling involved to get there. 

[David Spark] Really? [Laughter] 

[Andy Ellis] Yes. So, here’s one of the perceptions that I run into a lot, which is people think that the riskiest executives are the ones that end up failing. And while some of them do, all of the ones who succeed rolled the dice a lot. Because if you didn’t roll the dice, your competitors who did beat you.
[David Nolan] 100%. Yeah, and I think you’ve got to have the framework where you can fail quickly, right? Like the companies that are taking a risk are not doing transformational level risk that is going to cost a company billions of dollars. It’s A-B testing, different marketing concepts, it’s trying this new technology, etc.

So, it’s not big bang risk, it’s small risk that’s tolerable. I think the last thing, David, that you asked was about executives that want certainty. I have encountered so many board meetings and executives that say like, “Can you tell me we won’t get hacked?” And as we know, that’s super dangerous to promise things.

So, we got to be really careful there and be transparent that there’s no sure things, but immediately pivot that conversation to how we’re managing that risk to give them that comfort, right? To really enable that business goal that they’re trying to do and achieve that right balance.

But certainty, always a risk. I’m sure Andy would agree on that. 

[Andy Ellis] Oh, absolutely. 

What’s broken about cybersecurity hiring? 

13:32.680 

[David Spark] “You aren’t struggling to find entry-level candidates, you’re struggling to find the mid-level candidates that are willing to take entry-level pay.” That’s how one Redditor responded to a hiring manager’s frustration about trying to fill a SOC analyst role.

The manager claimed most candidates lacked business fundamentals, like no Active Directory knowledge, no cloud platform experience, no scripting abilities. The two hires who worked out had gone beyond their degrees. They did Capture The Flag participation, GitHub projects, self-driven learning.

But if someone graduates with a cybersecurity degree and a Sec+, what do they need to demonstrate to be, quote, ‘SOC-ready’? Is it hands-on Active Directory management, or building a home lab with detection tools, or contributing to open source security projects?

I mean, David, I’ll start with you. When you’re hiring for a junior SOC analyst, what’s the minimum viable skillset that proves someone can operate like just on day one, come in, and whose job is it to build that bridge between graduation and being ready to enter the SOC?

Because, I mean, I would just say I run the San Diego Cyber Group, and there are a ton of young people who’ve got tons of education. They’re eager, eager for that first SOC job. What’s your advice? 

[David Nolan] Yeah, so first off, we joked about it here the last time I was on, but posting an entry-level role with 10 years of AI experience.

[David Spark] Yeah.

[David Nolan] That’s the thing that happens, it’s the running joke. So, assuming that we can squash that one, specifically for junior roles, when I’m hiring, you’ve got to be a realistic hiring manager about it, right? We can’t have tons and tons of experience expectations.

What I’m looking for is someone who shows initiative, that they can show us examples of that continual willingness to learn. That can be formal, that can be through different organizations. It could be home labs, things like that. But ultimately, and I’m sure not all leaders are this way, but I’ve got countless examples throughout my career where we’ve grown employees that come in as maybe a project manager or a help desk or salespeople from security tools, but they show that right initiative and that willingness to learn.

And they really quickly can even come into a SOC role and be willing to kick butt. However, it’s a really big ocean right now. And there’s a lot of, especially folks coming out of college, and you got to differentiate yourself. 

So, how are you going to do that? I think that’s the core of the question here that you’re getting from your San Diego group. So, lots of options there, minor cost or no cost. We always talked about home security labs as being a thing, but those are becoming cheaper with all of the AWS and Azure free instances you can do.

We mentioned AI. You can start Open Web UI instances at home for fun to play around with. Contribute to open source projects, hack the box. I mean, overall, if you show initiative and you’re willing to tinker, play, try, and you can articulate that, I want that person in my camp and they’re going to be ready for SOC activity.
[David Spark] That’s a great tip. What would you add to that, Andy? And again, what I’m looking for, and I’m going to echo this because tomorrow we’re having our meetup in San Diego and there’s going to be a bunch of young people. In fact, many of them are my volunteers, I love it.

So, what advice can I give them as echoed by Andy Ellis? 

[Andy Ellis] Yeah. So first, I want to start, there’s a bunch of soapboxes here. I’m going to play some quick parkour. If you have a cybersecurity degree and a certification and you don’t think you have the right skills, I hate to tell you, but you kind of got ripped off on your degree.
[Laughter] 

[Andy Ellis] I just got to say this. I know a lot of cybersecurity degrees out there that are not really worth the paper they’re printed on. Fortunately, that’s not unique. That’s the truth of the case for many degrees. Second thing I’m going to tell you if you’re starting right now, there are no entry-level SOC positions in four years.

They won’t exist. There will only be mid-level SOC positions.

[David Spark] Because those are all going to be eaten up by AI. 

[Andy Ellis] Right because what entry level actually means is an alert fires and there’s a procedure I need you to go follow. That’s all going to get replaced by AI because the procedure gets followed by automation, and it’s kicking it up to somebody to make a decision.

You need context for that decision. So, there’s two soapboxes for you there. Yeah, a lot of people post entry level because they want to pay entry level even though they need somebody with a lot of skills. How do you go get those skills? The best way to get into security is to start in IT.

And I know you’re going to say there’s no IT jobs left out there. You are almost all part of some community group, whether it’s your church, your synagogue, your mosque, whether it’s some nonprofit, whether it’s a meetup group. Offer to do the IT support.

Like, our synagogue is deploying a network, we’re deploying cameras, access control, all of the things a small business has to do. And what’s fascinating to me is all of the people who are working with it are all very senior professionals, long time in their career.

We’ve got no junior people working on it. I’m trying to figure out like how do we pull in people? 

[David Spark] That’s a great way to learn from the senior people.

[Andy Ellis] To be like [Laughter] you want to learn how to do identity management, we got to do identity management for our access control system, and right now, it’s like me and a senior researcher out of Harvard who literally like, “We’re the IT guys.” That’s wrong, yet that’s what we’re doing.

So, go find those roles, get practical hands-on experience because once you’re doing IT, there’s nobody doing security so you can do it as well. Look, I’m a big fan of all the hands on, like go do CTF, build your own home lab, but it’s much easier if you’re actually doing it in support of a business and a mission, and there’s a lot of folks who need the support and cannot pay because they’re nonprofits.

So, you need the experience, you don’t need the pay right now. 

[David Spark] Good advice.

[David Nolan] So true. I think it’s so easy, too, to find a nonprofit that wants help. You just got to find something you’re passionate about and generally they don’t have the money to do it. I mean, we all say we want a job we can be passionate about.

I started internships in high school working out, and it was all about like passion and finding that right thing. And so, again, it goes back to initiative though. Like if you’re just waiting for that job to fall in your lap, you’re never going to get it.
[Andy Ellis] Yeah, or honestly, go do it for your parents. I’m also the IT for my parents and like, oh, cutting the cord and figuring out how to do TV tuning over the air, over the network. Like, that’s interesting. 

[David Spark] Yeah, but no one’s going to help you with that. The advantage of doing it at an organization where there are senior people currently doing it is you’ll learn from them. 

[Andy Ellis] Right, they’ll teach you. You can learn a lot from the internet. I will tell you the number of times I have turned to an AI and said, “This isn’t the piece of software I’m using. How do I install it?” and it’ll point me at very useful references.
[David Nolan] So, Andy, in conclusion, support your mother’s Azure instance. 

[Andy Ellis] Yes. 

[David Spark] No, support your mother-in-law’s because I’ve done this with my wife. My wife is tech support for my mom, and I’m tech support for her mom. It makes everyone a lot happier. 

Sponsor – ThreatLocker 

20:33.760 

[David Spark] Before I go on any further, let me tell you about our spectacular sponsor, ThreatLocker. And you may have heard me talk about this before, but they got some cool stuff to let you know that you may not already know about. So, first, let’s start with something you do know.

CISOs don’t lose sleep over the malware they see, and they can handle that if they know where it is, right? They lose sleep over the things they trusted that they really shouldn’t have because that’s how modern breaches happen. Not through zero days.

Through everyday tools doing things no one realized they could do. And that’s exactly the problem ThreatLocker eliminates. 

ThreatLocker enforces default deny at the point of execution. So, if it’s not approved, it doesn’t run, period. Your attack surface collapses from everything on the endpoint to only what you say is allowed. And the real power? ThreatLocker controls how trusted tools behave.

PowerShell can’t start scraping credentials, Chrome can’t start launching scripts. Your remote monitoring and management, RMM, can’t suddenly turn into an attacker’s remote access platform. CISOs, they say the same thing, “This is the first time I felt actual control instead of alert fatigue.” So, if you want to shut down entire categories of attacks, not just react to them, ThreatLocker built a resource hub just for security leaders.

Start there. This is easy. This is really easy for you. Go to threatlocker.com/CISO. Remember, it’s threatlocker.com/CISO. If you want fewer surprises, start there, and it’s the easiest way to let them know that you heard about them through the CISO Series.
It’s time to play “What’s Worse?” 

22:23.091 

[David Spark] All right. Before we went on the air, David Nolan made it very clear that he wants to disagree with Andy. 

[Andy Ellis] So, I’m really hoping this is a lopsided “What’s Worse?” with one easy one and one stupid one so I can back David into a corner. 

[David Nolan] I’m so afraid. 

[Laughter] 

[David Spark] Look, I think you could take the ball and run it with either one of these, okay? 

[Andy Ellis] That’s good. That means we have disagreement just for the sake of it. 

[David Spark] And they’re very short, by the way. These two, this is very short. 

[Andy Ellis] Ooh, two short ones. 

[David Spark] Okay, from Joseph Carson of Segura. Here we go. Here are your two scenarios. 

[Andy Ellis] Okay. 

[David Spark] You got thousands of stale accounts. That’s one scenario. Or one very active account nobody recognizes. 

[Andy Ellis] So, I’m trying to figure out what “nobody recognizes” means because that could be one…

[David Nolan] I think a service account that nobody knows.

[Andy Ellis] Right, it could be a service account that actually is a service account being used correctly as a service account, but we all forgot it existed. Or it could be it has been taken over by an adversary. 

[David Spark] Right, but also, these thousands of stale accounts could just be stale accounts that nobody’s touching. 

[Andy Ellis] Right. Well, they’re stale, so nobody’s touching them. 

[David Spark] But this could be two benign things, and it could be two horrible things. [Laughter] 

[Andy Ellis] It could be two horrible things. Oh, this is a fascinating one because this is not clearly… 

[David Spark] All right, David just literally rubbed his hands. He’s excited to jump on it. 

[David Nolan] [Laughter] 

[Andy Ellis] I know. He’s so excited because he’s like, “Which way is Andy going to go?” 

[David Spark] Whatever one it is here. 

[David Nolan] I don’t know, I don’t know. 

[Laughter] 

[Andy Ellis] Right, so I think there’s three different ways I could look at this one. I’m going to spend a little bit walking through it just to annoy the heck out of both Davids. 

[David Spark] [Laughter] 

[Andy Ellis] So, there’s the “this is all benign” one. Like, stale accounts, yeah, we should probably…

[David Spark] There literally could be zero. This, by the way, I think a first time where one of the options is this could be nothing across the board. 

[Andy Ellis] Right. And the same thing for the service account. Well, I’m going to call it the service account, the unrecognized account. Could just be a service account that is doing a whole bunch of stuff, really active because all of our automation is on a service account rather than on user accounts.

Like, this is actually a good thing. So, this is one possible set of scenarios. There’s another one which is we’ve got some weird things going on, not necessarily malice, but we need to do investigating. Don’t want to be investigating on a thousand stale accounts that who the heck knows, or on this one hyperactive account that’s doing a million things, all but one of which might be legitimate, but I got to go figure it out.

Or this could be I’ve got to go find an adversary. Where am I looking? Oh, look, the account nobody knows what it is that seems to be doing everything, or these thousand accounts that we can’t go through. 

[David Nolan] So, did you make a choice? 

[Andy Ellis] No, I haven’t even made a choice. 

[Laughter] 

[Andy Ellis] Because I haven’t convinced myself. This is a good one. 

[David Spark] By the way, this is exactly what Mike Johnson does. He like reiterates it. Although, you are going through all the variances this could be. 

[Andy Ellis] I’m going through the variants because I’m trying to decide like in each variant, I have a different one I would pick, which makes this much harder because I’m trying to decide, would I rather be able to focus all my efforts on one hard problem, or do I want this, “Oh, I’ve got a long tail.” And I think I just answered that, which is I actually don’t want to deal with the long tail.

I would rather have that one service account or unknown account because now I can focus my effort in one place. If I’ve got these thousands of stale accounts, I know I’m never going to be able to clean them all up because we’re going to get distracted by something else, and that’s not a problem I can wrap my brain around.

So, I’m going to go with the one active account that we have no idea is what I want. I don’t want thousands of stale accounts. 

[David Spark] All right. 

[Andy Ellis] David, to you.

[David Nolan] Andy, I’m going to disagree with you here. 

[David Spark] Good!

[Andy Ellis] Geez, what a surprise! 

[David Nolan] Yeah.

[Andy Ellis] For people keeping score, this does not count as disagreement because I flipped my answer at the last second. So, now he agrees. 

[David Spark] Yes, it does. It totally counts as disagreement. 

[David Nolan] Yeah, a thousand stale, you said stale, right? So, I’m going to do the old school approach, and we’re going to take them in batches and just start turning them off. 

[Andy Ellis] Turn them all off. Unplug the network one at a time. 

[David Nolan] Unplug the network. I think that very active account… 

[Andy Ellis] Yeah, all your backups will die in 91 days.

[David Spark] [Laughter] 

[David Nolan] But they’re stale. They’re stale. I mean, this sounds like a hygiene thing to me. 

[Andy Ellis] But we did not define what stale meant, and I know a lot of things that use “hasn’t been active in 14 days” as stale, so. 

[David Nolan] Yeah, that’s fair. That’s fair. 

[Andy Ellis] Any automation might just be broken. 

[David Nolan] This very active, unknown, crazy account just worries me because that screams malicious.

[Andy Ellis] Oh, it totally does! But at least I only have to pay attention to one account. 

[David Spark] [Laughter] 

[Andy Ellis] But it might be that it’s an account shared by like 75 services and I got to clean them up one at a time and I’m in the same boat, so. 

[David Nolan] Yeah, I just say I’ve done a million hygiene initiatives. Preview – we’ll talk about it in a minute, I’m sure.

[Andy Ellis] Yeah, they’re like neither one of these. So, Joseph, I hate you, by the way. 

[Laughter] 

[Andy Ellis] But you came up with this one. This is the best “What’s Worse?” in my I don’t know how many years I’ve been doing this. 

[David Spark] Really?! This is the best “What’s Worse?”

[David Nolan] Really? 

[Andy Ellis] This is the best one because it totally sucks. 

[David Spark] That is high praise for Joseph Carson.

[Andy Ellis] Yes, because I cannot disagree with David disagreeing with me. Like he came in wanting to disagree, but I’m 50/50 on this one. I’m flipping a coin on which one I pick because they both suck. They’re not awful. This isn’t like career ending.

[David Spark] It’s a weird environment because they could both be a big nothing. 

[Andy Ellis] Right. They could both be a big nothing. They could both be disasters. Either one could get hit by this hygiene problem of trying to clean up. Like I can see how it hits both of them. Like this one, actually it’s almost, it’s just two different ways of looking at the same problem and both of them suck.

[David Nolan] Yeah. 

[Andy Ellis] So, Joseph, you’re fired. I don’t want any more “What’s Worse?” from you. 

[David Spark] So, the winner here is Joseph. 

[David Nolan] Who knows? [Laughter] 

[David Spark] He wins. 

[Andy Ellis] You know something? I don’t think I’ve ever said this, David. So, I’m going to exercise co-host privilege and say, Joseph, you just won a fleece. 

[David Spark] Whoa! 

[Andy Ellis] So, reach out to David. David will send you a fleece. 

[David Spark] You know what? I’ll send him a code. I will do that. I will send Joseph Carson a code. 

[Andy Ellis] You absolutely deserve one for this. This is the best “What’s Worse?” yet. 

[David Spark] All right. Although I sent a fleece to, he hasn’t sent me in a while, the guy who used to send me – he uses a pseudonym – who sent me all those creative ones a while ago. 

[Andy Ellis] Right, yeah. We had that wave for a while. I’m glad he got one. But like Joseph, I think this is the first time Joseph has submitted one potentially. Yeah, he’s, by the way…

[Andy Ellis] I don’t know, I didn’t recognize his name. 

[David Spark] Just so you know, he submitted like seven or eight of these.

[Andy Ellis] Oh.

[David Spark] We got more from Joseph coming up. 

[David Nolan] Oh, geez. 

[Andy Ellis] Go delete the rest of them! 

[David Spark] [Laughter] 

[David Nolan] Do not envy you, Andy. 

[Andy Ellis] Man. Now on that, David’s going to save them all for me. Like he’s not even giving them to Mike. 

[David Spark] They’re all loaded up.

[Laughter] 

Could this possibly work? 

29:15.104 

[David Spark] “Best practices assume a level of maturity most organizations simply don’t have and most likely will never get to.” Ross Haleliuk of Venture in Security argues the security industry is too obsessed with idealized frameworks built for greenfield environments, but it’s not reality for 99.9% of organizations.

Instead, he says we should obsess over “basic practices,” the baseline everyone should implement and master before anything else. MFA is the perfect example. It’s unsexy, won’t land you a keynote at a security conference, but it’s what makes the difference.

What are, and I’m going to start with you, David Nolan, what are the biggest “best practice” offenders? The ones that everyone talks about, but no one actually achieves? 

By the way, this is the classic, I’m just going to throw this out as a red herring for a second. My wife and I used to work together, and the number of articles I read about spouses working together, and one of the big pieces of advice is never bring the work home with you.

That’s impossible, [Laughter] impossible, impossible. So, I want to know, these are the kinds of things I want. People say you can do it, but you don’t. So, as a CISO, is it hard to defend focusing on basics without looking like you’re settling for mediocrity, David Nolan?

[David Nolan] Yeah, thanks, Ross. I mean this, I definitely agree with this and I love this. I like using the term “best approaches” because it is impossible to hit perfection with a lot of these frameworks, right? And especially for companies with lower budgets and maybe smaller companies, I think trying to achieve perfection without focusing on the basics is a recipe for disaster.

And ultimately, the approach is different for every company. We talked about risk tolerance. Everything like that is going to be different for every company. So, it’s a different approach. It doesn’t have to be the exact same framework for everything.

You have to obsess over the table stakes. We actually talked about this in a CISO roundtable a few weeks ago that I led. And it’s not sexy. I mean, you talk about it, David, it’s not the cool new tool and it’s not the new logo and things like that, but the number of companies that have been burned for not patching a legacy or an end-of-life server is most, right?

[David Spark] Yeah.

[David Nolan] And so, you talk about some of the things that companies get wrong. You have to be continual on your patching. You have to be wholesome. You can’t have these scotomas and these dark areas that you just say, “Oh, those are the systems we don’t patch,” right?

Or “Those are the production systems we’re scared of touching.” So, Ross mentioned IAM hygiene, but it goes more than just the MFA and all the controls. We talked about cleanup. So, the “What’s Worse?” You’ve got potentially tens of thousands of stale accounts.

You’ve got service accounts you don’t know what they are. You’ve got overprivileged accounts that you should be running BloodHound on. Like these are all to me, all the hygiene basics and things, especially as a CISO coming new into a company, you need to be finding all these skeletons, all these end-of-life.

Where’s the end-of-life? 

And my favorite thing to do on that example, and I’m wondering if Andy has done this, find all of your end-of-life and your legacy and don’t steal that budget. Get the budget for IT for them to go replace those and upgrade those. The best security budget you can spend is reducing risk when it’s not part of your budget.

[Andy Ellis] Oh, absolutely. Yeah, I’ve gotten budget for IT and engineering teams before to go do work I needed them to do that they hadn’t been able to budget. Best thing to go do. I just want to disagree with Ross slightly. I mostly agree with him.

[David Spark] Sure.

[Andy Ellis] But I will point out that he says, what was it? MFA is unsexy and won’t land you a keynote at a security conference. Seven years ago, I keynoted [Laughter] RSA…

[David Nolan] [Laughter] 

[Andy Ellis] …talking about how I’d used MFA to put all of our intranet applications publicly on the internet, not behind firewalls, no VPN. That was an RSA keynote only seven years ago, and a key piece of it was the MFA that we had put onto every device so that we had certificates and push off to get access to all of our stuff.

So, the answer is it can be sexy. 

[David Nolan] Andy, are you the godfather of MFA and Zero Trust? 

[Andy Ellis] No, I’m the godfather of ZTNA. 

[David Nolan] ZTNA? 

[Andy Ellis] Zero trust, like you’ve got some analyst whose name I don’t need to mention running around claiming to be the father of zero trust. I will point out that, yeah, zero trust was innovated at Google is who you can actually point out, for like who really was the core for it.

But we were the first people to market with zero trust. So, yeah, and I built that internally for us. So, here’s actually the reality. When people talk about these frameworks, they’re trying to create this perfect model of thinking about a problem rather than tackling parts of the problem.

And until you have tackled enough of the problem that you can’t just glance around and go, “Oh, I should fix that.” Like as long as there’s good work to be done that you can just glance at and say, “We should go do that now,” you shouldn’t be bothering with some perfect framework of how to categorize all the work you’re doing.

Go do the good work that’s in front of you. 

Do you trust this LLM? 

34:25.456 

[David Spark] Development has been “the” use case that’s paying dividends for LLMs, but Keith Townsend, the CTO Advisor, is skeptical that we’re about to replace developers, saying, “AI does not own outcomes. It does not bear responsibility when an assumption turns out to be wrong.

It does not understand the difference between confidence and correctness, only how to simulate both convincingly. AI can argue its case fluently, citing plausible metrics and familiar frameworks, but the moment you ask it basic questions, the confidence outpaced the evidence, not because it was lying, but because it was presenting claims with no accountable owner.

For him, until AI closes that gap, it’s an accelerator, not a replacement.” So, Andy, how should security leaders manage AI-generated code? How do you build a governance model for code that arrives with confidence, but no owner? 

[Andy Ellis] Okay, before I even answer that question, I would just like to posit that this was set up to say AI does these things that developers don’t do. And the things that AI does that apparently developers don’t do is not own outcomes, not bear responsibility for assumptions being wrong, not understanding the difference between confidence and correctness, but can simulate them convincingly.

That sounds like [Laughter] a developer to me. No offense. I’ve known a lot of developers that that describes very, very accurately. 

I actually do agree that AI is not about to replace developers. What AI is doing is turning everybody into, or giving everybody the capability to be, a very basic developer. Let’s go vibe code an app to solve a problem that a developer would never try to solve for you, so you can get something done more quickly.

It’s really democratizing, doing systems integration. I actually think of it not necessarily as development, but more, I used to think of it as shell coding. Those of us who would sit down and we didn’t really write software, but we could take a shell, and we could write a bunch of calls out to different pieces of software and different applications and it would get something done.

That was a hard skill, but now that’s what vibe coding is. Like somebody walks down and says, “Oh, hey, make a call to here, a call to there, put these two pieces of data together.” Like, AI’s absolutely knocking that out of the park. That is not replacing Salesforce, right?

You’re not going to vibe code Salesforce tomorrow, but you can totally vibe code almost every shell script that I have written in my career in a weekend if you wanted to. Like, I’m totally not that great of a developer. I’m not replaced by AI, but AI means all of the people who aren’t developers at all get access to that.

So, I just want to start with that, that we’re going to get a lot more integration code than we’ve ever had before, and it will mostly be written by AI. 

So, I think as a security leader, that’s what you have to recognize is that the person behind the AI has never had to manage code before. And now they’re a software development manager who’s got an AI that wrote the code, but they themselves do not know what software development management looks like, and this is basically going to be the exact same problem we had when we went to cloud.

And you’re all going to be like, “In what way?” or “Is it just connecting two dots?” And when we went to cloud, what happened was all of the application owners who had never been IT managers for their own applications, they just got to throw them into a data center and they inherited all of this IT infrastructure to support them – security, networking, backups, you name it – now they were able to write their application, throw it into the cloud, and there was nobody doing IT support for them.

And they had to learn how to do it despite never having done it before. That’s the exact same challenge we’re going to have with AI-written code is the people who are writing the code are not professional software development managers. It’s not that they’re not professional software developers.

[David Spark] All right, David, your take. 

[David Nolan] Well said, Andy. You got a decent amount of experience in this space. I think what you said about everybody is now a basic developer. Absolutely love that because I’ve definitely seen that being the case where it increases the speed to MVP.

[Andy Ellis] Yep.

[David Nolan] It has the classic back in the day, we wanted IT or the development or product teams to build this new thing for me, and I didn’t have enough time, or it wasn’t prioritized. This at least allows non-development teams to prototype and prove a concept before they then have to scale it, etc.

And then my vote is you have to put a point, where to your point, they prove something out and then it gets prioritized and traditionally scaled, developed, etc. 

[Andy Ellis] Right. And somebody else takes it over, we hope. 

[David Nolan] Somebody else takes it over. 

[Andy Ellis] But the history of engineering organizations is that engineers never want to take over what somebody else wrote. 

[David Nolan] Exactly. I don’t think it’s going to replace the developers right away. I’ve seen some cases where companies tried to do that, but it’s definitely an accelerator, right, of the… I did 10-plus years of development back in the day and I use it right now and it definitely accelerates the basic work I do as well.

I think the interesting thing is like people hear AI and they automatically think it’s special, but when you ask how are security leaders supposed to think about AI-generated code, there’s a lot of basic controls that should be applied whether it’s AI or human generated, right?

[David Spark] Mm-hmm.

[David Nolan] So, like AI-generated code could have the same weaknesses as human code, so the middle ground may be the same CI/CD pipeline as human-generated code. It should have code scanning, secret detection, software composition analysis, like all this stuff that we should have anyhow.

But we do, and I love your point, Andy, need to consider where it’s different. So, if you’re considering fully agentic development, we should consider human-in-the-loop if it makes sense when those risks necessitate it. AI-generated meta tagging may be a thing.

So, if someone’s going back and looking at code later, they know who has the accountability for it or AI had the accountability for it or tie it back to the product.

[Andy Ellis] Yeah.

[David Nolan] If a product owner is going to be using AI, make them be accountable for that code regardless of whether it’s AI or not. The thing that I find interesting though in the AppSec or the ProductSec world is SBOM analysis and SCA and all that stuff becomes very important because we don’t know where this code is being taken from or where it’s being motivated and inspired from.

So, that can be very important. But at the end of the day, the company’s got to decide what their risk tolerance is. Some companies may choose to ban AI code from specific databases and specific intellectual property.

[Andy Ellis] Mm-hmm.

[David Nolan] Or some companies may open it wide open because they see the business value in it. But I think probably the last thing to think about, and Mike Johnson and I talked about this last time on the show, is if it’s code, the cool thing about it is you can also do security as code.

So, we can do quality, risk, compliance, all that. You can use AI against AI. So, why not have a trained AI security bot that’s going to check all the AI work and use it against itself, right? There’s a lot of potential value here. 

[David Spark] Excellent. 

Closing 

41:26.133 

[David Spark] Well, great advice both of you. Excellent job during the “What’s Worse?” and kudos to all these sort of unwitting contributions for our show. 

[Andy Ellis] And the one witting contribution that was also very good. 

[David Spark] Yes, and one witting contribution. Huge thanks to our sponsor, that’d be ThreatLocker. Remember, allow what you need, block everything else by default, including ransomware and rogue code. Go check them out at threatlocker.com/CISO. Do me a favor, add the /CISO.

Simplest, easiest way to let them know you heard about them from the CISO Series. You don’t have to do anything more. You go threatlocker.com/CISO. They know you heard about them from us and they’re awesome. And so, go check them out. David Nolan, any last thoughts?

Great job on today’s show. 

[David Nolan] This is always fun. Andy, I appreciate the banter and let’s do more of these fun “What’s Worse?”

[Andy Ellis] Absolutely. And everybody, don’t forget to file your taxes tomorrow. 

[Andy Ellis] File your taxes tomorrow if you haven’t already done it. 

[Andy Ellis] If you’re an American. If you’re outside, I don’t know what your date is. Good luck with that. 

[David Spark] Do whatever. Thank you everybody. We greatly appreciate your contributions and for listening to the CISO Series Podcast. 

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO Series Podcast.