Password Rules Make Us Feel More Secure

Troy Hunt’s new site, “Dumb Password Rules,” demonstrates yet another slice of security theater. Rules designed to make the creator believe they’re making the business more secure, but appear to do nothing more than create unnecessary roadblocks and confusion.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Dave Hannigan (@davidhannigan), CISO, Nubank.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Reqfast

Stop treating your various intelligence and security functions as if they are separate, unrelated activities and, instead, bring them together with Reqfast. Identify what’s needed, identify areas for improvement, and make data-driven decisions with confidence.

Full transcript

[Voiceover] 10-second security tip. Go!

[Dave Hannigan] Take a moment before you do anything. Remember that speed can be your enemy. It’s psychological for you to want instant feedback or gratification. Hackers know that. Even when you’re thinking through complex problems, just take a moment and pause and then take the action that you want.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer and one of the hosts on the wonderful CISO Series. My co-host for this very episode, which by the way, we are past five years with this episode, Mike, believe it or not. That is bizarre to me to realize it’s five years.

[Mike Johnson] Wow. Time flies.

[David Spark] Yeah, I forgot to mention, I think we’ve recorded the June 1st episode already, or I don’t know what the heck, the June 1st or around the June 1st, but that’s when we did it. June 1st of 2018 and now we are in June of 2023. In fact, we did only four episodes, so by July we had sponsors.

It was that fast. I was stunned.

[Mike Johnson] There was a lot of interest in what we were talking about, which was awesome, and I think what’s even cooler is that interest has remained. The audience is growing, and here we are five years later. That is so cool.

[David Spark] We still have cybersecurity. It’s still an industry. Here’s my feeling – when the industry collapses, we’re going to be out of a job.

[Mike Johnson] You know, at the same time, I think I could find something else to do and be perfectly happy.

[David Spark] All right. I do want to mention our sponsor, a brand-new sponsor here of the CISO Series, that’s Reqfast – the healthy start to a complete intelligence program. It sounds like a cereal but it’s not. It’s actually a security program. More about just that later in the show. But before I go on any further, I want to ask you a question about these emails that I receive, and I’m sure you receive them as well, that are guessing the level of your busyness and how much email you have in your Inbox.

They start with, “You must be very busy or your Inbox must be very full,” and I don’t know whether to be creeped out about it like, “Are you looking over my shoulder?” or “You’re wrong. My Inbox isn’t that full, actually, to tell you the honest truth.” What’s your take from that intro right there?

[Mike Johnson] I think it’s just something they’re tossing out there. It’s almost like…

[David Spark] It’s like saying good morning?

[Mike Johnson] Yeah. Good morning, how you doing, hi. It’s a pleasantry. It doesn’t really mean anything. My take on it is, well, my Inbox was empty but now you have gifted me this new email.

[David Spark] You’ve gifted me! I love that!

[Mike Johnson] And now I will delete this one too.

[David Spark] I’ve received the gift of an email from you!

[Mike Johnson] Yes, yes. It’s just somebody trying to come up with something to say.

[David Spark] Here’s what I’ve realized. I own my own business, I only have two full-time employees, I’ve got a bunch of contractors as well. But I actually don’t get a lot of email, and I think the reason for that is, compared to when I worked at much larger companies, I don’t get a slew of cover-your-butt emails.

I don’t get those. I’m not cc’d on… You know, you work for a large organization, you’re on an email thread with seven other people, and you unfortunately have to wade through all these CYA emails.

[Mike Johnson] I mean, you’re not wrong. That’s a thing. There’s plenty of email that doesn’t need to happen. There’s the whole thing of this meeting could have been an email and now it’s this email could have been a Slack message. That’s really where we’re headed. And I think, yeah, I’ll send you some more email, David.

[David Spark] Please do.

[Mike Johnson] Yeah.

[David Spark] Now let’s bring in our guest. I have wanted to have our guest on for quite some time. There was some difficulty, he’s got a new gig. So, thrilled to have him onboard. It is the CISO for Nubank, none other than Dave Hannigan. Dave, thank you so much for joining us.

[Dave Hannigan] Thanks for having me. It’s a pleasure to be here and I’m glad I could finally do it.

Walk a mile in this CISO’s shoes.

4:16.990

[David Spark] Alyssa Miller, the CISO for Epiq, received a chorus of “Hell ya” with this tweet, “It’s not risks that cause lack of sleep and burnout among IT and security leaders. It’s the mental fatigue of being told you’re critical to the success of the org but being forced to repeatedly defend the same technology/service spends over and over again.” And John Prokap, CISO over at Success Academy Charter Schools, added, “Time spent defending program over time spent building and leading.

That ratio is pegged to stress level.” So, the thread degenerated into a complaint fest of conflicting ways security professionals are treated. Mike, I’m going to start with you. Assuming you have seen this, how do you manage these behaviors or do you just have to deal with this endless loop?

[Mike Johnson] So, I’m going to rephrase this slightly, and the way that I read this is it’s the mental fatigue of being a cost center rather than a profit center. This isn’t unique to security. It’s not unique to IT. HR teams deal with this, legal teams, even finance teams. They actually have to justify what they spend their money on.

They all have the same challenges we do and they’re also critical to the success of any organization. I get that it’s a point of stress, I totally understand that, but it’s something that we need to recognize that we’re business leaders and we are leading cost centers.

That does lead to a level of stress. It can look in a way that other teams are able to spend however they feel like it, but that’s not the reality. They also are having to justify their spend. Should you have to justify each and every line item in your budget? Absolutely not. You should have an envelope, you talk through that envelope, “This is how much we’re going to invest in security this year,” and then you as the leader manage within that.

That’s really the normal way of doing things. So, I get that folks want to put this out there as a source of stress, but it just kind of is something that we need to get used to as business leaders.

[David Spark] Dave, are you in the same world of Mike here as this is just the result of being a cost center?

[Dave Hannigan] Yeah, I mean, I’m definitely in the same boat of it’s just something that we have to accept we have to do, and it comes with the role. I mean, that really is one of the most important jobs of a CISO is going out there and constantly selling the value that you’re bringing to an organization.

I don’t think it ever stops. I think it’s one of the overlooked parts and maybe one of the parts that people don’t like as much, which is I call it the security marketing, and you just have to do it. And I think it also highlights and brings me back to a point that to be successful… By the way, I don’t want to take away.

It is cumbersome and I recognize folks are going through it and it’s not pleasant all the time. But if you just accept it, then you can plan techniques to manage through it.

And one great way, I’ve always found this to work is, look, if you’re the only person advocating for yourself, you’ve lost the battle. If you can go out and get a few people like the CFO or the CEO or a president of a business unit who’s had tremendous success with what you’ve been doing and they’re advocating for you, all of a sudden you just offloaded a little bit of that work.

And it’s a really powerful message when it’s not just you saying, “We need to do these things,” but others are saying, “We must do it.” And I’ve even seen it where other organizations have given up some of their money to make sure that certain things got done within security. So, yes, it’s cumbersome.

You shouldn’t have to do it over and over. But it is part of what we do, and really highlight it’s one of the most important. And I would just add one other nuance to what Mike said. It’s even the same if you are a profit center. Imagine the stress when you’re not hitting revenue. That’s even more stressful, in my opinion, right?

Oh, my gosh. You can see it clearly.

[David Spark] So, cybersecurity’s a cake walk, is that what you’re saying?

[Dave Hannigan] [Laughter] No, I’m just saying it’s a different type of stress.

[David Spark] So, this one only causes you to break out in hives.

[Dave Hannigan] For some of us. Yeah, absolutely.

Why are we still struggling with cybersecurity hiring?

8:38.481

[David Spark] Peter Schawacker of Nearshore Cyber is proud to be a gatekeeper for those trying to get into cybersecurity. He’s not saying that he doesn’t want more people in cyber, but we need gatekeepers. Heck, that’s the hiring process. There are tons of people eager to get into cyber, and tons of unfilled positions.

And yet at the same time, you Dave, have mentioned that you’re trying to attract people who haven’t considered a job in cybersecurity. So, why aren’t all the people raising their hand saying “I want in” not enough? Because there are a lot of them, and they still can’t get in. And how do you do both, for that reason?

I mean, if you want to get both in, there are people demanding to get in that can’t get in, and the people who haven’t even thought about it but you want to attract them. So, how do you attract those not showing interest while also communicating that they’re going to have to face gatekeepers like with any job?

Dave?

[Dave Hannigan] Yeah. Look, I think it’s a great question. It’s something I’m super passionate about, so I’ll start with a couple stories that will help explain my position on it and how I’m thinking through it. First of all, my background, I don’t have a computer science degree. My degree is in political science and Asian studies, first of all.

I had no idea, my own experience when I was in college, that you could even get a job in technology, let alone did I have any clue what cybersecurity was back in the day. I am going to turn 50 this year, right, so it’s been a while.

But I got lucky. University of Pittsburgh was way ahead of the game and they required every student to take a computer science class. Didn’t matter what degree you were in. You had to take a computer science class. And that opened my eyes that actually, whoa, this is pretty interesting. You could do coding, you could learn about these machines, and that just really exposed me to something that I never even considered before because nobody I knew was doing that.

I take first that as an experience. That you can have people with a high aptitude and willingness to learn who just had no idea that something exists. That’s the first step.

The second is when I was at Capital One, I had the privilege of being the executive sponsor for their TDP program, the technical development program. And that was really when we got all the brand-new people straight out of college and they joined, they went into a two-year rotation, and they had to bid on what type of work that they actually wanted to do.

Leading security at that time, okay, no problem. We have 10 roles; we’ll easily get 10 TDPs to fill those roles. Now mind you, these were all students from some of the best universities, top notch, really smart. We didn’t get but three that applied for our roles.

So, I’m going in there at the welcome reception, I’m walking around meeting people, and the minute people found out that I was heading up security, they were like, “Oh, I wanted to do that.” And I was like, “Well, why didn’t you?” And they said two very interesting things that I’ll never forget. The first was, “Look, we wanted to make sure we got a role, and there were 100 others and only 10 of yours, so we just figured go for what we know we could get as opposed to something we couldn’t.” And the second thing they said was, “Well, but we didn’t have any experience inside of that,” and I had to chuckle a little bit and said, “You realize this is a development program.

We have no expectation for experience. We’re actually going to train you.”

So, I pause and what I found striking with that is people from the brightest universities and top notch were afraid and intimidated about our profession. Something’s wrong there. Something’s totally wrong. And what I then doubled down on was, “Okay, let’s open it up and let’s be clearer about what it means, what training programs that we’re going to offer to folks, etc.” And then the third thing that’s influenced me here that really drives me to make sure we open up and make people feel like they could see themselves in a role is Per Scholas, which I sit on the board for.

It’s an amazing nonprofit, they focus on getting adults that are often in underprivileged areas into technology.

But they had this summer event where they were helping, they were trying to figure out could they do something for high school students. And so they asked, “Hey, Dave, could you get together with some of the counselors and the STEM teachers inside of some of the schools inside of New York?” And I said, “Sure, I’d be happy to.” And they said, “All we want you to do is just find some software engineers, some security folks, and just get them in a room so that these teachers and guidance counselors can ask them questions.” I did that.

And it became apparent to me through three or four questions, I just had to stop and say, “Hey. These questions are really interesting but they seem like you have no idea what any of these jobs actually do.” And they said, “That’s exactly right. We know what a doctor does, we know what a nurse does.

We have no idea how to explain what a computer programmer does or what a cybersecurity analyst does at all. So, how can we ever then get our students interested in that?”

And so from all three of those stories, what I took away is that there are people that have qualifications, that they have a lot of gumption, and they have a lot of ability to learn and execute, who just have no idea about the possibilities of cybersecurity. And then they feel that it’s a club that’s very selective and hard to get into.

And I think we have a marketing problem here too where we have to shape that.

[David Spark] So, there’s a marketing brand and you make a very good point and I don’t disagree. Certain conferences, I’ll be honest, I think like BSides is very intimidating especially. And I know among security people, they love it, but it can be really intimidating. Mike, Dave kind of knocked it out of the park with three very colorful stories.

You going to be able to match that?

[Mike Johnson] No, I am not, I am not. But I think he really brings up some good points in that we can look like a very intimidating profession from the outside. And the story that I’ll mention on that is we’re intimidating to our own folks in our own profession. How many CISOs will actually say, will tell people, “Oh, you don’t want to be a CISO, a CISO is a terrible job”?

How many posts do we see publicly of people complaining about the responsibilities and the difficulty of being a CISO? It’s a turnoff to folks. So, not only do we have this problem where we’re not explaining our industry to folks who don’t understand our industry. Even within our own industry, it feels like we’re actively trying to turn people away from it.

To some extent it’s that we’re almost a profession of pessimists, people who are always looking for the worst, and that really sinks over into everything. And if that’s the face that we’re wearing, again, both internally and externally, we are going to appear intimidating and we’re never going to get past the problem that we have of negative unemployment where we’ve got too many jobs, we’re creating new jobs every day, and we’re not minting new professionals as often as we should.

So, I’m really glad to hear the work that Dave’s done and is doing with this particular nonprofit. Maybe we’ve got a chance if we keep working on it.

Sponsor – Reqfast

16:00.356

[David Spark] Before I go on any further, I do want to mention our great, brand-new sponsor Reqfast. All right. Let’s just start with a little exercise here. Raise your hand if you have heard of or understand the need for intelligence requirements. Now, raise your hand if your intelligence team is actively using your requirements to guide their operations.

Now, who here is in public and embarrassed to have their hand raised and they’re just listening to a podcast? And by the way, don’t raise both hands if you’re driving, please. No worries, folks, but if your intelligence team is not tracking its work against identified stakeholder requirements like yours, now that is embarrassing, my friends.

Why? Because if intelligence is all about decision support and it is a customer service, how can they possibly provide value if they don’t know what their stakeholders are making decisions about?

Our sponsor today – Reqfast. Reqfast ties a stakeholder’s requirements to their intelligence team’s day-to-day operations and provides them with the metrics that demonstrate their value to the stakeholder. If you, the CISO, are the primary decision-maker, then your intel team needs to make sure you are getting the most accurate information, in the format you need it in, in the most timely manner possible.

Reqfast ensures that happens. Reqfast – they build confidence, clarity, and trust in your intelligence team. Please, join them at their website reqfast.com.

It’s time to play “What’s Worse?”

17:41.946

[David Spark] Dave, you’re familiar with how this game is played, yes?

[Dave Hannigan] Yep, I am.

[David Spark] All right, good. We have two bad situations. You’re not going to like either. And this comes from Jason Dance who I got to meet just last week in person in New York. Yes. He is a frequent, frequent supplier of “What’s Worse?” scenarios and this is yet another good one. He now is at StubHub; I’d like to mention that.

So, Mike, you will answer first on this, here we go. Scenario number one – a threat actor uses ChatGPT to create a set of exploits crafted to get around your enterprise’s security controls or their specific controls. Or two, your own employees have now inputted information into ChatGPT, a significant amount, like, essentially, your intellectual property, customer PII, PHI, etc., some very sensitive data.

It’s all on ChatGPT. Which one’s worse here?

[Mike Johnson] This one’s easy.

[David Spark] Why do you believe that?

[Mike Johnson] Because I really feel that the threat of ChatGPT right now is one about intellectual property. It’s not about creating novel attacks. The reality is any attacks that it’s going to come up with tailored for my environment are the same thing that somebody else has already done. It doesn’t have creativity; it doesn’t have the ability to come up with something novel.

So that first category of something specifically tailored for my environment, the reality is it’s going to be something that some other actor has already figured out and has put out into the world, so I don’t feel like that one’s an issue.

The second one, sharing our intellectual property with some third party who, if I remember right, the acceptable use policy says that anything that they receive through their input form kind of becomes theirs. In a way, our employees are fundamentally transferring intellectual property to another company without our own permission.

That’s a problem. That’s going to impact our own company’s value as a result. So in this world, the intellectual property threat, angle, vector, whatever you want to call it, is far and away the bigger concern for me.

[David Spark] All right. Now, I’m throwing this to you, Dave. Remember, the first one is they are exploits designed to go after you. So, it could conceivably take more than what your own employees have dumped. What’s worse?

[Dave Hannigan] Yeah, I’m going to add on to what Mike said and why I think the second one is worse. Because if we look at just attack vectors, we know that it comes down to five ways that most breaches happen, right? And if we’re focused on those fundamentals, which by the way, most people don’t want to be doing because they’re boring and they take a lot of work, but they make the most difference.

I’m more worried about novel algorithms that we use or my company would use for risk management or for making decisions on the business that actually generate revenue for us or give away our IP. That’s more worrisome to me than the first one, for me, at this moment, right?

[David Spark] Okay. We have agreement. Congrats. Mike wins.

[Mike Johnson] Yay!

[Dave Hannigan] Yay! Congrats.

[David Spark] I lose.

How would you handle this situation?

21:24.514

[David Spark] So, on both Twitter and LinkedIn, Dr. Anton Chuvakin of Google Cloud – also does the Google Cloud Podcast – he asked this question, “Would you call your SIEM vendor and complain if their out-of-the-box detection rule/content is producing false positives?” So, the two polls on both Twitter and LinkedIn actually provided somewhat different results, and I think it was about 300 or 400 on each.

On Twitter, two thirds said, “I’d tune it,” so it’s like I’d do it myself, I’d fix it myself. But only 44% on LinkedIn said they’d do it. Now a quarter of the respondents on Twitter said, “Yes, they better fix it, the vendor,” while a third, a little more, on LinkedIn demanded the SIEM vendor fix it.

And then there was the other remaining where people said, “Well, we’d ask them to fix it but only in special cases.”

So, I argue the discrepancy why there’s more sort of DIY attitude on Twitter is there’s more hands-on practitioners there. This is just my theory. But I’m going to start with you, Mike. This also goes to a bigger argument of what do you demand of the vendor, and aren’t CISOs always arguing about wanting a partnership?

Should this question actually be moot? I mean, shouldn’t the vendor jump to the opportunity to help if they want to be seen as a partner?

[Mike Johnson] So since this isn’t “What’s Worse?” I will answer with it depends.

[David Spark] Ah! You’re getting at it through a loophole here.

[Mike Johnson] I’ve been doing this for five years now, David. I’ve worked out the loopholes by now. But it really depends on what the product is promised to do. What is the agreement that is either in writing or in principle with the vendor? They can’t possibly know every combination of false positive that might happen.

[David Spark] Well, I think he wrote this in a way that he said it’s the out-of-the-box detection rule/content producing, I mean, I would say significant false positives. You’re always going to get false positives, right?

[Mike Johnson] You’re always going to have false positives but some environments are very different than others. My current one, I have factory machinery. My previous role, I had none of that. And they’re already two very different environments, so even the out-of-box rules are going to behave differently.

The important part is what is baked into the product to help me with that. If it’s very easy for me to do the tuning myself for my environment, the vendor has built that particular capability, then yeah, I’m just going to take care of it myself, and I’ll just deal with it and move on. But there are other products that they can’t expose – can’t or don’t – expose the logic or give you the ability to tune it yourself.

The other example here is vulnerability scanners. They’re not going to divulge the meat of what a particular vulnerability test does. That’s going to be opaque. So, in that situation because I can’t make the change and the interface isn’t there for me to do that, I absolutely have to lean on the vendor for that.

Now in either case, if I’m getting a lot of false positives, I am going to give that feedback to the vendor. Like, “Hey, 50% of your out-of-the-box rules I had to go tune, you really need to fix this,” and we’ll work together on that. But if it’s just one here or there, then that’s fine and it’s not a big deal.

[David Spark] Yeah, one here or there, yeah.

[Mike Johnson] Yeah.

[David Spark] Yeah. I would assume so. All right, Dave. Where do you stand on this? And again, I’m going to assume it’s an unacceptable number of false positives is what’s coming up. Where do you stand, how do you answer, and then secondly, do you believe the question is moot? Like the vendor should just jump at the chance to be a partner.

[Dave Hannigan] I agree with a lot of what Mike said, first. Specifically, around out of the box: it assumes that there’s good data quality, right? It assumes that you have all of the data points that are needed for these things to work, and we all know that’s one of the toughest parts about making sure you have the data in order to take advantage of this.

But I’ll start to answer your question with the latter part of it on the partnership side because I think that’s really important. I do believe that we as business leaders, CISOs, whatever role you’re in, you should strive for partnerships and really take that to heart. It should be really hard to become a partner.

That should be one of the hardest things for anybody to do is become a partner.

And when I was over there at Zappos, I saw the power of it, and I kind of live by this still today. Very few partners. And Zappos kind of flipped the playing field when it comes to partners. And they did something, I don’t know if you know this, but they had one of the best parties in Las Vegas every year, and it was their vendor appreciation party.

And they threw a gigantic party where we invited every vendor who is a critical business partner of ours. We took them out. We paid for everything. We flipped everything that there is about it. And really showed them. Not only were we saying this, not only living it, but then we’re just going to do something very special for you.

It became one of the hottest things for people to come to, right?

But what it afforded us was amazing things. I will tell you, I wasn’t the biggest spender, I didn’t buy premium support, but I got quicker resolutions to issues than anybody else out there. Right? People spending way more than we were. And there’s a funny story too at Zappos. Rumor is we had better rates at FedEx than Amazon did at the time that they bought us because of the vendor relationships.

Right? And so that one, I don’t know how true that is, by the way, I’ll put that caveat out there.

But that’s the philosophy I do have, that it is a partnership. We all know that no matter what we do, even in our businesses as CISOs, mistakes are going to be made, issues are going to happen. It’s not about that. It’s about what do you do and how do you work through those things to make sure you either keep critical business functions going, keep things secure, or resolve to make sure you are working towards something.

So, I want to answer it that way, on the back side. I believe we should have really strong partnerships and those should be limited. You can’t do that with everybody, it’s not practical. But for the ones that you do choose, I think you can do extraordinary things with a good partner.

If you haven’t made this mistake, you’re not in security.

27:52.571

[David Spark] Troy Hunt, creator of “Have I Been Pwned” has a new site now, Dumb Password Rules. Actually, it’s been out for a while, for those of you listening. And it does what it sounds like, it lists dumb password rules and the sites/companies responsible for them. Here’s a few of the popular ones.

This first one is hands down the most popular – must be, I’m saying 8 to 16 characters, that number varies a little bit both ways but there is a limit on the far end, and it’s not an 8 to 50 characters, it’s usually sub-20 for that matter; PIN must be 4 digits, only 4; there are limits on the kinds of special characters you can use, and some that just have very, very long lists of requirements on making a password.

Quite irritating actually I would say.

So, I’ve worked with companies that do these things and I’ve actually tried to point out to them the error, and they simply just don’t want to hear it. There’s no sense of, “You’re right, I’ll make that request.” Rather it’s just, “Shut up, we’re not going to discuss this. This is the way we’re doing it, and that’s that.” So, how do you get companies to change what is really a bad password requirement behavior?

It is really security theater. And this site, which is designed to shame companies, is great, but I don’t think any company is going to change as a result of it. Mike, what do you think?

[Mike Johnson] Some of these rules are from underlying technology that is just ancient. There are websites that still are interfaces to mainframes. They can’t fix that. Their only way forward is to replace their mainframe, and they’ll eventually get there but they’re not excited about the idea. But I mean, ultimately that said, I kind of feel like this website is screaming into the void.

It’s not going to move the needle. Some companies might listen and maybe it’s just a matter of bringing it up to them, especially if done in a respectful way. Like, again, I don’t think putting them up on a shame site is going to have them suddenly change their ways.

[David Spark] I mean, is there a better way to handle this, or no?

[Mike Johnson] I think it’s a matter of, as Dave was alluding to in the last thing, about leveraging partnerships. If you actually know someone there, if you know someone who knows someone there, you can then have a conversation about fixing this, improving it. But what I’ll argue is you shouldn’t have them try to change their settings or increase their limit.

Have them leapfrog. Go to passwordless, go to FIDO2, go to a whole new way of authenticating your users that actually makes it easier for the user and also improves security. I have a whole lot of respect for Troy, he’s done some great things, but I don’t think this is the way.

[David Spark] All right. I think it’s just sort of opening people’s eyes to maybe do the result you just said, but it’s not going to have this your shame changes, like the SSO tax site as well. Dave, what’s your take on this? Let me ask you – what value do you see in this site?

[Dave Hannigan] In the site, quite honestly, I’m not sure because the people who have those rules know that they have those rules. And so is the intent that there’s a mass uprising and there’s a million people that say, “Goddamnit, we’re not going to…” Oh, can I say that? “That we’re not going to use this site anymore because it has these ridiculous password requirements.” I don’t know if that’s going to happen or change anything.

But if it’s just to bring awareness for new sites to come up, I don’t think it’s a problem for newer ones. I bet you if you went through, it’s a bunch of older sites and the likes.

And one thing we can’t forget is another, and I’ll tie something to the beginning, is that not everybody’s running on the most modern technology, to Mike’s point, right? And then if you go back up to the very first part of what we talked about today, and it’s the exhausting things that you have to deal with as a CISO, this is not like…

You don’t need somebody else pointing out that you have these rules out there this way, right, I would argue. I think a better approach, to answer the question that you asked Mike, is that, hey, look, if you took a step back and put a lens on it from a customer perspective, and you simply said and made the outcome that you want is you want the most user-friendly logon that’s also the most secure.

Start from there, and I just think that’s a better way. To challenge people, to Mike’s point, to think about what’s possible as opposed to potentially shaming them that what they have is terrible and we have no context as to why it is the way it is.

[David Spark] But it’s possible that shows the complication of all these password rules and really the ridiculousness of it says we just got to stop passwords period.

[Dave Hannigan] Yeah. I think it’s a strong argument for that, absolutely. Yeah.

Closing

[David Spark] Well, that brings us to the end of the show and speaking of powered, our site is actually powered by a hamster running on a wheel. A lot of the people don’t know that.

[Mike Johnson] Feed the hamster. Feed the hamster, David.

[David Spark] Yes. In fact, actually, you come to our Super Cyber Friday, there’s a long running inside joke about hamsters too. I will not go any further than that because honestly, I didn’t start it. It just happened in the chat room and I don’t know why but it did. That brings us to the very end, and I greatly appreciate finally having you on, Dave.

You were awesome. Thank you so, so much for coming on the show. I’m going to let you have the very last word but first I do want to mention our sponsor Reqfast – the healthy start to a complete intelligence program. I think what they’re offering is pretty darn cool, so please check them out – reqfast.com.

Check them out and we love the fact that they have joined in the wonderful world of being a CISO Series sponsor. Now, Mike, do you have any last words and anything to say to our guest? And please, don’t swear.

[Mike Johnson] [Laughter] This time. Dave, thank you for joining us. It was really great having you kind of explain your background, your history, and I think it’s always interesting to hear the path that CISOs have taken. One of the things that really came through over and over again was your storytelling, and I think that’s something that not enough CISOs pay attention to as a skill.

And you called it out in the very first part where you were mentioning security marketing as critical for the CISO. So, thank you for explaining to folks the power of it and really illustrating the power of storytelling. So, thank you so much for joining us, Dave.

[Dave Hannigan] Thanks for having me.

[David Spark] Dave, I will throw it to you. I ask all my guests, “Are you hiring?” So, are you hiring?

[Dave Hannigan] We are hiring. We are definitely hiring, check it out at nubank.com. Mostly in Latin America, Brazil, Mexico, and Colombia. But hey, we also will entertain great people anywhere, definitely.

[David Spark] Mm-hmm. Well, we have only great people that listen to the show. In fact, we have asked the not-great people to stop listening.

[Dave Hannigan] [Laughter] I love that filter. It’s a very powerful filter.

[David Spark] It is. So, that’s why just any listener of this show will be a fabulous employee. I know.

[Mike Johnson] It’s just natural.

[David Spark] It’s just natural. People sort of self-select. When they realize they’re not great, they tap out, and they go, “All right. Well, I got to stop listening.”

[Dave Hannigan] I just want to say thanks for having me on. It’s been an absolute pleasure. I’m glad I finally got to do it. For lots of reasons we don’t have to discuss, but it’s a little bit more freedom now and it’s nice to be able to talk about whatever I’d like to. [Laughter]

[David Spark] Well, I appreciate that the shackles have been removed.

[Dave Hannigan] And if you don’t mind, I would like to just highlight Per Scholas because I think it’s so important. If you’re looking to hire great people, contact Per Scholas. But more importantly, I just want to highlight what they do.

[David Spark] How do you spell that? I’m sorry.

[Dave Hannigan] Yeah, it’s Per Scholas, and let me just give you some facts. It’s free tuition for all the students, they don’t pay a dime, right? Zero. 85+% get a job in tech within the first year. The starting salary a person makes before they join is 10,000. After they join, it’s 42,000. I don’t know of another company that has stats like this that makes a significant difference in people’s lives, both in tech and we help drive through cybersecurity training for them, and 85% of the people coming out of school are people of color.

If you want to make a material difference, I can’t think of a better program. And I’d appreciate anybody going on the site, donating, reach out to me, dave.hannigan@gmail.com.

[David Spark] We will link to this on our blog post for this very episode. Thank you so much for mentioning it. Well, I also want to give a huge thanks to our audience. Please, please keep sending those contributions, more “What’s Worse?” scenarios, ones to which Mike doesn’t respond, “This is easy.” It’s like my least favorite thing to hear from you.

Here’s the thing. I don’t want to blame the people who send in the scenarios, that when Mike says, “This is easy,” then it was a bad “What’s Worse?” scenario. It was a good “What’s Worse?” scenario. The problem is Mike. I always blame Mike.

[Mike Johnson] No, it’s actually, David, it’s your reading of it.

[David Spark] Oh! Okay. Let’s both take the blame.

[Mike Johnson] There we go! [Laughter]

[David Spark] Thank you, everybody, for your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday and Cybersecurity Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “What’s Worse?” scenarios.

If you’re interested in sponsoring the podcast, check out the explainer videos we have under the Sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.