The rush to not fall behind with the latest AI tooling is creating a vicious cycle. Is there any way to enable teams to use these new tools without abandoning security best practices?
This week’s episode is hosted by me, David Spark, producer of CISO Series and Michelle Wilson, CISO, Movement Mortgage. Joining is sponsored guest Rob Allen, chief product officer, ThreatLocker.
Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
Intro
0:00.000
[Voiceover] Biggest mistake I ever made in security, go!
[Rob Allen] I may have accidentally once left an O.MG cable at a security conference that I was demonstrating with, and I forgot to put it in my bag and I left it around. So, there’s probably somebody now charging their phone with an O.MG cable. So, I’m sorry.
[Voiceover] It’s time to begin the CISO Series Podcast recorded in front of a live audience in Orlando.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. I am David Spark, I am the host and the producer of the CISO Series. And joining me to my immediate left is my guest co-host for this episode. It is the CISO of Movement Mortgage, Michelle Wilson, let’s hear it for her.
[Audience member] Woo!
[Applause]
[David Spark] We are available at CISOseries.com, and if you don’t know it, our sponsor for today’s episode is ThreatLocker – allow what you need, block everything else by default, including ransomware and rogue code. We are at Zero Trust World in Orlando right now.
Let’s hear it for everybody.
[Applause]
[David Spark] Thank you for coming on out. And I also want to introduce our sponsor guest who’s to my far left over here, and he usually goes by the title of Chief Product Officer for ThreatLocker, Rob Allen. Let’s hear it for Rob!
[Applause]
[Rob Allen] Not today, friends!
[David Spark] Not today.
[Rob Allen] Not today. Chief Podcast Officer today, and I want to give a shout out to Paola, one of our marketing rock stars who organized this for me. I also want to give a shout out to David Coovert for organizing this and convincing me to actually get on to a stage with David Spark again, and I want to give a massive shout out, I know it’s been mentioned already, but Heather and all of the events team who’ve put this entire event together bigger, better than ever, and I want a proper round of applause.
I want some whoops. I want some hollers. Come on, come on!
[Applause]
[Rob Allen] Come on! More!
[Applause]
[Rob Allen] There we go. Thank you very much. Thank you very much. So, yes, Chief Podcast Officer for the day.
[David Spark] Michelle, you haven’t spoken yet. People don’t know your voice yet.
[Michelle Wilson] It’s okay. They’ll get to hear me soon enough.
[David Spark] They’ll get to hear you plenty.
[Michelle Wilson] Right, yes.
[David Spark] All right.
Okay, what’s the risk?
2:32.737
[David Spark] The key to building a company culture that can handle risk effectively is daily practice, not annual slides, argued Maman Ibrahim and Gavriel Schneider in a CSO Online piece. An effective risk culture should be based around four questions.
Do people notice risk early? Do they name it clearly? Do they know who can decide? Do they act without fear? The key is that the conversation about risk is commonplace, even when risk signals are weak. I’m going to start with you, Michelle, on this one.
How do you have conversations about risk with your team? And more importantly, how do they bring it up with you?
[Michelle Wilson] I’m actually talking about risk almost all the time with my team. There’s very rare occasions that I have a conversation with anyone that I work with that risk doesn’t come into play. So, I’d say that they’re tired of hearing me talk about risk, but they definitely know that it’s one of the things I’m most interested in.
They do tend to bring it to me…
[David Spark] How do they bring it to you? Like, give me an example of something you would get.
[Michelle Wilson] Last week I got one, we had a developer that noticed that they didn’t follow some certain process and wanted to make sure we had it on our risk register and we’re tracking it too.
[David Spark] All right, that’s a good way of putting it. All right, Rob, you deal with risk, ThreatLocker deals with risk. How do you discuss it with your team and how do they bring it up with you?
[Rob Allen] I’d like to say we reduce risk. It’s one of the things that as a platform, as a product, as a company, we help organizations do. I mean, I just want to say, first of all, that I reject the premise of this question. The fact that, I mean, it mentions four questions.
There’s actually six questions here. I’m not entirely sure which one I should answer.
[David Spark] Well, it’s the ways they bring up risk, like noticing it, naming it, who decides about it, can you act on it, things like that.
[Rob Allen] I’m just being difficult, David. I’m just being difficult.
[David Spark] Oh, I know. That’s what you do, Rob.
[Rob Allen] Yeah, I mean, open, clear communication is extremely important.
[David Spark] But risk conversation’s different than having conversations about security. Yes, they go hand in hand, but the question is how is that conversation happening in your environment?
[Rob Allen] We’re human beings. We talk. Somebody sees something, recognizes something, realizes something, discovers something. We’re human beings, we communicate, and it’s open, clear communication is key to having.
[David Spark] And is there like a risk register? Are you managing it? You’re looking at things, things that need to be taken off the register? I mean, like, how’s that going back and forth?
[Rob Allen] Yeah, I mean, we do roundtables quite regularly, basically. And you would be surprised at some of the conclusions that are come to when we have these.
[David Spark] Let’s get an example.
[Rob Allen] So, one of the things that we’re extremely conscious about is insider threat, insider risk. If someone was to go rogue, what could they do? And I won’t get into specifics, but we had an enlightening risk roundtable recently where it became apparent that someone with the appropriate levels of access within the environment – and there’s not many of them, but there are some of them – but somebody with the appropriate level of access could cause a tremendous amount of damage and a tremendous amount of downtime.
Now, when that was discussed, when we thought through it, then we realized there was a fairly simple solution to it. And it was, again, to even more reduce the things that people were able to do. But it’s an example of where something was thought of, discussed, and dealt with in a relative…
[David Spark] Pretty systematically, essentially.
[Rob Allen] Yeah, absolutely, absolutely.
[David Spark] Michelle, close this out. Is there a systematic process beyond like what you described with the register?
[Michelle Wilson] So, monthly meetings to discuss any new risks in the environment, that we get risks sent to us from the teams throughout the month. We don’t wait for a meeting to discuss those and evaluate those, put them in our register, track them until they’re gone or until they’re gone enough.
Do you trust this LLM?
6:47.819
[Voiceover] Do you trust this LLM?
[David Spark] OpenClaw is a locally run AI agent that acts as a proactive personal assistant. That sounds like something I could use but wait. To get its benefit, it must be running on your primary computer, which gives OpenClaw access to your shell, email, files, calendar, and browser.
Guess what? Many people did that. Have people gone mad? questioned Cassio Goldschmidt of Reflex Security. That data is now everywhere. The story gets worse with the introduction of another tool called Moltbook, a social network for AI bots, which began prompt injecting their AI buddies to steal API keys and to rewrite identity.
So, autonomous systems with access to personal data are talking to other autonomous systems with personal data, and it’s doing it at machine speed. Rob, I’m going to start with you. Is there a way to rein this in so we get value and not have a privacy and identity nightmare, which is what it looks like?
[Rob Allen] This specifically? Probably not. Fun fact or story, a very good friend of mine, actually my best man from back home, called me about two weeks ago and he said, “Look, I want you to set up or help me with setting up OpenClaw,” and I flat out refused.
I said, “Are you absolutely insane? I am not going to be responsible for doing something that means your crypto accounts get wiped out, your bank account gets emptied, everything gets stolen.” And we have had a lot of customers of ours panicking about this.
They want to know, “Where is OpenClaw running in our environment?” And it’s actually a really simple thing because default deny takes care of it. So, it’s not running unless you explicitly allow it to run. And the same applies to other agentic AI tools.
But the bigger thing that’s approaching us and all of us, I believe, is organizations are going to want to run agentic AI, but they’re going to want to run it safely, and that’s a much bigger question.
[David Spark] Yes.
[Rob Allen] I mean, as I said, default deny takes care of OpenClaw. It’s not going to run unless you allow it to run. The bigger question is when everybody from the MD, the CEO downwards wants to run agentic AI, it is unbelievably important that they be set up in such a way that they can be run safely.
[David Spark] All right, I throw this to you, Michelle. I mean, this seems like the cat’s out of the bag. I mean, it’s gone haywire, for that matter. But let’s divorce all the privacy and security issues. It does sound darn cool, but wow, it is a nightmare, isn’t it?
[Michelle Wilson] It really is. It’s not just – again, you’ve got default deny for your corporate environment, that’s wonderful – but if you’re talking to any other human, they’re using it on their personal environment, right? And that still makes them a target and makes them susceptible to having their information taken and used outside of your environment.
[David Spark] So, this actually, this was a discussion that we brought up on another one of our shows about like how do you make agentic AI run in a safe way, and there’s an eagerness for this and there’s a fear for this all at the same time. And I know you’re probably getting plenty of pressure, yes?
[Rob Allen] It’s, by a considerable distance, the most common question that I’ve been asked. Not only from customers, big customers, small customers, prospects, massive organizations, everybody has this in their mind. We’re going to need to allow these things to run.
How do we allow them to run safely? And the phenomenal thing from our perspective is we already have the technology. We have the concept of ringfencing, which is allow this thing to run, but don’t let it access my files, don’t let it reach out to the internet.
So, there is a solution, a ready-made solution there already. Now we’re going to need to tweak it, adjust it somewhat to match the behavior of these tools, but as I said, there is a solution there right now. It’s called Ringfencing. Don’t let it access data you don’t want it to access, don’t let it call things you don’t want to let it call, and don’t let it go places you don’t want to let it go.
And that effectively solves this problem. It means you’re not depending on decisions. You’re not trying to figure out if Claude Code is going rogue. You’re just placing guardrails around it.
[David Spark] Right.
[Rob Allen] What it can do.
[David Spark] But also there’s certain actions it’s going to need to take, so if you do allow it, you’re going to need kind of some other level… By the way, one of the things that we found from our community, two things came up is “guardrails,” which is a vague term and ringfencing is a version of that.
But another one was, how quickly and easily can I reverse the situation as well? Some things you can’t quickly and easily reverse. First of all, have you tried any agentic efforts in your environment?
[Michelle Wilson] We have some pilots going at this point.
[David Spark] And what have you discovered?
[Michelle Wilson] We had to build a kill switch to be able to turn it off if it was doing something that we didn’t want in the environment. So, that’s part of our incident response plan now.
[David Spark] And did it behave well? Did you have to hit the kill switch?
[Michelle Wilson] It actually behaved fine. We just wanted to make sure we had that ready. [Laughter]
[David Spark] Right, understandably.
Sponsor – ThreatLocker
12:26.876
[David Spark] Surprise, our sponsor is ThreatLocker. You all know them but let me tell you a little about them if you don’t know all this. CISOs don’t lose sleep over the malware they see. They lose sleep over the things they trusted that they shouldn’t have.
Because that’s how modern breaches happen. Not through zero days. Through everyday tools doing things no one realized they could do.
And that’s exactly the problem ThreatLocker eliminates. ThreatLocker enforces default deny, as was just mentioned, at the point of execution. If it’s not approved, it doesn’t run, period. Your attack surface collapses from “everything on the endpoint” to only what you say is allowed.
And the real power? ThreatLocker controls how trusted tools behave. PowerShell can’t start scraping credentials, Chrome can’t start launching scripts, and your remote monitoring and management, or RMM, can’t suddenly turn into an attacker’s remote access platform.
CISOs say the same thing, “This is the first time I’ve felt actual control instead of alert fatigue.” If you want to shut down entire categories of attacks, not react to them, ThreatLocker built a resource hub just for security leaders, like our audience tonight.
Go to ThreatLocker.com/CISO. Add that /CISO, ThreatLocker.com/CISO. If you want fewer surprises, start there.
It’s time to play “What’s Worse?”
13:59.000
[David Spark] All right, this is how this game is played. We’ve been playing it since the very beginning of the CISO Series. I’m going to give you two horrible scenarios, I’m going to make Michelle answer first. You have to determine from a risk management perspective which one is worse, all right?
I pulled an audible, I had one set up, but I said, you know what? That’s not the one I want to do. I want to do this one. So, this one comes from Jared Mendenhall, who is the CISO over at Armature Systems, and here are your two scenarios. Michelle, remember you’re up first.
Scenario number one. Your company is in the middle of a crisis where a phishing attack caused a massive breach. Due to user error, your next phishing campaign is accidentally triggered, sending similar-looking phishing messages to the community causing a company-wide panic.
Not good, no.
Scenario number two, and by the way, audience, be prepared. I’m going to look for your vote as well here. It’s open enrollment time for HR. You send a phishing campaign telling users that their benefits have been canceled. You do not notify HR beforehand, and HR is flooded with angry messages.
HR and all the departments hate you, Security. It’s questionable if they will ever regain trust. All right, Michelle. Or if you will ever regain trust in the Security Department. Which one is worse?
[Michelle Wilson] Okay, so my options are…
[David Spark] Note the first case, you were actually in a breach.
[Michelle Wilson] Right.
[David Spark] You’re in a breach.
[Michelle Wilson] In the breach, and then accidentally send out a phishing campaign. Second option is we phish too close to open enrollment and upset HR, summary.
[David Spark] Yes, and you cause a company-wide panic, too.
[Michelle Wilson] Okay.
[David Spark] Well, actually, you cause a company-wide panic in both scenarios, too, for that matter.
[Michelle Wilson] Oh, that’s fair.
[David Spark] And also, you have this lasting hatred of…
[Michelle Wilson] Of HR?
[David Spark] Well, lasting hatred of pretty much the entire company, not just HR.
[Michelle Wilson] Hmm. Okay.
[David Spark] But HR probably is the king of the mountain.
[Michelle Wilson] Well, in both scenarios, I’m hated, so we’re going to go with the breach scenario being the worst case.
[David Spark] The worst?
[Michelle Wilson] Yes.
[David Spark] Because you’re actually in a breach?
[Michelle Wilson] I’m in a breach, yes.
[David Spark] You’re in a breach.
[Michelle Wilson] Much worse than just being hated.
[David Spark] But the lasting pain of this, of the second scenario, that’s better?
[Michelle Wilson] I can rewin trust eventually.
[David Spark] No, no, no. It’s questionable.
[Michelle Wilson] It’s forever?
[David Spark] Yeah, this is going to be forever. You can’t rewrite the scenario.
[Michelle Wilson] I’d still rather not have the breach. [Laughter]
[David Spark] Well, I know it’s bad, but I don’t know. You’d rather be continuously hated?
[Michelle Wilson] Absolutely.
[David Spark] Than have a breach?
[Michelle Wilson] Absolutely.
[David Spark] Okay, that’s good. All right, let’s hear it. Rob, same thing here.
[Rob Allen] Can I just say, first of all, this isn’t on my piece of paper, right?
[David Spark] No, it’s not supposed to be.
[Rob Allen] My least favorite thing about this particular game is that I actually have to listen to David for a good 40 seconds. I have to concentrate, focus, listen to him explaining these scenarios.
[David Spark] All right. Rob has been a very frequent guest on our shows, and we love having Rob on the show. You love Rob, right?
[Applause]
[David Spark] But that was…
[Rob Allen] You guys.
[David Spark] That was the weakest applause I’ve ever heard from you, Rob.
[Laughter]
[Rob Allen] Excuse me, it was more than you got when you came out on the stage. How dare you?!
[David Spark] True.
[Laughter]
[David Spark] All right, Rob has a gentle, fun way of chronically abusing me when we’re off microphone, and he’s doing it now live for your enjoyment right now.
[Rob Allen] I’m not, I’m just saying I resent the fact that I have to pay attention to you…
[David Spark] Yes, there are certain things that are surprising.
[Rob Allen] …while you present me with these…
[David Spark] Like in most games, you don’t know the questions beforehand.
[Rob Allen] I mean, it’s pretty obvious. The one where you’re actually breached is worse at the risk…
[David Spark] Well, but hold up. That is bad, but like I asked Michelle, you’re okay with being universally hated, and this is going to essentially really make your security culture bad.
[Rob Allen] No, no, you weren’t universally hated. You were hated by HR, I think, if you…
[David Spark] In the second scenario, you’re going to be universally hated.
[Rob Allen] I thought you were hated by HR. Okay, I obviously wasn’t paying that much attention.
[David Spark] Oh, HR, everybody. HR and all the departments hate you.
[Rob Allen] Oh, and all the departments.
[David Spark] You and the whole Security. You may never have a security culture again.
[Rob Allen] Yeah, I’d still rather not be breached. Thank you very much.
[David Spark] Okay, you don’t want to be breached. All right.
[Rob Allen] Yeah, no.
[David Spark] I’m throwing this to the audience. Scenario number one, you’re breached. You accidentally send a phishing campaign, causes panic, but they do not hate you. But second scenario, open enrollment, a really nasty phish. Everyone hates you. By applause, how many think – again, you’re choosing the worst – how many people think the first scenario is worse, what they chose?
By applause.
[Applause]
[David Spark] Don’t raise your hand! Okay. All right, a lot for that. All right. All right, by the way, by applause, how many people do not want to be universally hated and do not want their security culture ruined forever? Which one thinks that’s worse?
[Applause]
[David Spark] All right, a smattering. A smattering, if you will.
[Rob Allen] David?
[David Spark] Yes?
[Rob Allen] I think what they’re saying is we were right and you were wrong.
[David Spark] I’m not saying wrong, it’s a game. You have to choose which side you want.
[Rob Allen] And we chose correctly.
[Laughter]
It’s time to play Fantasy CISO!
19:13.113
[David Spark] All right, let me explain how this is going to work. This is a new game we’ve been playing. In this game, each of you are going to choose your team of controls. Okay? Now once a control is chosen, like picking a player on any kind of team in a fantasy sports, it’s no longer available to the other player.
And once you each have your roster, we’re going to review, and then we’re going to give you a random attack, and it’s up to each of you to argue why your environment of controls is better situated to hit that random attack that you were hit with. All right?
Michelle, you’re up first. There are eight controls there. Pick one of the controls, that’ll be the first member of your team.
[Michelle Wilson] I’ll take access control management.
[David Spark] Access control management will be the first one for Michelle. All right, now we have seven left. Rob, what do you want to choose?
[Rob Allen] I will go with network segmentation and microsegmentation.
[David Spark] All right, that’s for Rob. You’re back up, Michelle.
[Michelle Wilson] EDR, please.
[David Spark] EDR for Michelle. Rob?
[Rob Allen] Data recovery capabilities.
[David Spark] That first one, data recovery. All right, what would you like?
[Michelle Wilson] Incident response management.
[David Spark] Incident response. Rob?
[Rob Allen] Application software security.
[David Spark] Okay, two left.
[Michelle Wilson] Hmm. Well, we’ll go with controlled use of admin privilege.
[David Spark] Controlled use of admin. And Rob gets pentesting here. All right, don’t hit the reveal attack yet. Let’s review what we have here. Michelle, on your team, you’ve got access control management, EDR, incident response management, and controlled use of privileges.
And Rob, you’ve got network segmentation, data recovery capabilities, and application software security, and you’ve got pentesting as well. All right, you’re going to go first, Michelle. We’re going to reveal the attack, and you’re going to explain why your team is better situated to handle the attack than Rob.
Go ahead, reveal the attack. Ah, a nation-state attacker physically infiltrates an air gap secured network. Geez, I don’t know if any of this is going to work.
[Laughter]
[David Spark] What do you think?
[Michelle Wilson] In this one, I think my best savior there is my incident response management. So, if you have a good plan, you can address most things.
[David Spark] Yeah, your EDR is not helping here, I don’t think.
[Michelle Wilson] No.
[David Spark] I don’t think your admin privilege is. Possibly your access control, possibly. But no, probably not.
[Michelle Wilson] Yeah.
[David Spark] I think your incident response. Now, you can also argue why Rob is not situated at all.
[Michelle Wilson] Hmm. I could see how he might be okay. But…
[David Spark] But again, you want to win, Michelle.
[Rob Allen] I appreciate that, Michelle. Thank you.
[Michelle Wilson] But I want to win. [Laughter]
[David Spark] So, all right, you got an incident response plan.
[Michelle Wilson] I do, and he’s sitting there trying to figure out how to recover something.
[David Spark] All right. Rob, why are you better situated?
[Rob Allen] Oh, I thought I got a different attack. It’s the same attack.
[David Spark] No, it’s the same attack.
[Rob Allen] Oh.
[David Spark] Yeah.
[Rob Allen] I was going to say, if it’s those guys and that’s all we have available to us, then we’re both screwed.
[David Spark] Yeah, it’s a pretty bad selection.
[Rob Allen] It’s not a great selection of controls and tools. So, yeah, I think we’re both in trouble.
[David Spark] Although, I mean, maybe data recovery capabilities?
[Rob Allen] No. No. Because nation-states are not interested in causing damage. They’re interested in…
[David Spark] So, you’re pretty much saying you’re hosed and you got no defense here.
[Rob Allen] Not a lot of great options you’ve given us here. Now, if you’d said application control, if you said allow listing, if you said ringfencing, if you said all of those things, I would have said you’ve nothing to worry about. Well, you’ve not as much to worry about.
But with that set of options available?
[David Spark] Yeah, you’re hosed, unfortunately.
[Rob Allen] You’re hosed.
[David Spark] Well, this was, again, it was a random attack.
[Rob Allen] On that particular attack. Now, if you’d given us a different attack, then I’d…
[David Spark] All right, let’s do it. Click new attack. Let’s see what we got. All right. Cyber criminals convincing deepfake audio and video of the CEO demanding secret financial transactions within the company. I think you’re equally hosed possibly here.
What do you think?
[Rob Allen] I think she wins.
[Michelle Wilson] Yeah, I’m doing okay.
[David Spark] Yeah. All right, by applause, how many people here think Michelle wins? By applause.
[Applause]
[David Spark] In both cases?
[Applause]
[David Spark] Anyone think Rob’s going to win here by applause?
[Silence]
[David Spark] Rob, you’re hosed. [Laughter]
[Rob Allen] Okay, can we just have one that involves ransomware, please?
[David Spark] All right, click a new attack again. Let’s see if we get a ransomware one, I have no idea. A disgruntled [Laughter] employee…
[Rob Allen] Oh, for God’s sake!
[David Spark] …steals sensitive data.
[Laughter]
[David Spark] You’re hosed.
[Rob Allen] I reject the premise of this game.
That might not have been the best decision.
23:51.137
[David Spark] All right, a door with a combination lock whose code is printed on it is no longer locked. David Travis, City of Auburn, posted a photo of the offending door lock to mock it and show how the blast radius expands when someone bypasses the control.
And it was just a photo of a lock and literally had the four-digit code printed right above the lock. Now that’s the knee-jerk reaction, though, what David Travis said, of a security professional and understandable. At one time, that door did need to be locked, but it’s possible systems have changed.
That door doesn’t need to be locked anymore. If that’s the case, honestly, it’s far easier and cheaper to just post a code on top of the lock than finding a locksmith to remove the no-longer-needed lock.
So, system design requires security professionals to walk in users’ footsteps. When do you ask, and I’ll start with you, Rob, here, why is this control here? And what risk is mitigated by having this control? I mean, is this the regular process you go through to audit your security controls, or do you do something else?
How do you handle it?
[Rob Allen] That was a really long-winded way of getting around to a question about reviewing controls.
[David Spark] I’m trying to set it up with a colorful picture here.
[Rob Allen] I was going to say, you were painting a picture there, David.
[David Spark] I could have started this segment how do you review controls, Rob?
[Rob Allen] Yeah, yeah, I mean…
[David Spark] I wouldn’t have painted a picture.
[Rob Allen] We didn’t need a Mona Lisa to get to the how do you review controls or do you review controls. Yeah. Quick, short answer, yes, you should review controls. You should review controls regularly. I mean…
[David Spark] Like, what are the questions you… Like, here’s a control. What are we doing? Like, why is this there? Are we even noticing that the control is there? Like what is the conversation you’re having?
[Rob Allen] Well, one might argue that you would be better having a control even if it is no longer necessary or perceived as no longer necessary than not having a control.
[David Spark] You think it’s better to have one even if it’s no longer necessary?
[Rob Allen] Maybe it’s going to be necessary again tomorrow. Maybe it’s necessary, but we don’t know it’s necessary. Maybe it’s necessary, but we think it’s not necessary. More controls are better than no controls or less controls.
[David Spark] But hold it. Now we have the business that we’re dealing with right now.
[Rob Allen] Screw those guys. Oh, sorry.
[Laughter]
[David Spark] But hold on, Rob.
[Rob Allen] We didn’t say that the control was stopping business. I mean, a door having a lock is not stopping business. Again, your metaphors are killing me, David.
[David Spark] So, for example, people need to get into this room to this session. If we had a lock on the door, then it would be quite difficult for people to get in here.
[Rob Allen] Yeah, but they’ve got a code posted on the top of the lock.
[David Spark] No, not in this case, they didn’t have a code posted. But what I’m saying is when do we need to make things slow down for a control, and when do we need to remove it? Or when do we need to keep it strong? Is everyone confused?
[Rob Allen] Yes.
[David Spark] Michelle, I’m going to let Michelle take over. Michelle, take over.
[Rob Allen] Yeah, Michelle’s going to tear this entire thing up.
[Michelle Wilson] I’m going to argue with you about having more controls is better.
[David Spark] All right, good. Thank you for being on my side.
[Michelle Wilson] I’m not on your side, but I’m going to argue with him. [Laughter]
[Rob Allen] Okay. Bring it on.
[Michelle Wilson] Well, so I’ve always had to operate with a very lean team. So, if I have a lean team and I have a lot of controls that they’re having to manage, update, keep working, keep functioning, I find that either reducing or collapsing controls into something that’s more uniform so that they can work with one tool that maybe does multiple things rather than having lots of controls that maybe aren’t doing something very successfully.
It’s an efficiency thing that I’m talking about.
[Rob Allen] So, I’m a gentleman, so I’m not going to disagree with you, I’m not going to tell you you’re wrong, but you’re wrong.
[Michelle Wilson] [Laughter]
[Rob Allen] Controls can help and facilitate teams being lean. Controls are not necessarily something that require constant management upkeep. Yes, they should be reviewed from time to time, but equally, I mean, a very simple example is the difference between proactive, what we do, basically application control, allow listing, etc., and detection and response.
Detection and response involves alerts. Alert fatigue is a real problem. It’s a massive issue in cybersecurity. That entire whack-a-mole or boy who cried wolf where you better hope to hell that your security teams check everything out, hope they don’t miss the one thing that’s really important versus proactive, basically blocking everything by default, and working backwards from there.
One’s a control, one’s a response, and I would argue that the control requires far less management and far less work for a lean team like you have.
[Michelle Wilson] I would agree when you’re defining it in that way, but only when you define it that way. [Laughter]
[Rob Allen] I did define it in that way.
[Michelle Wilson] There you go.
[Rob Allen] Yay!
[Michelle Wilson] All right.
[Rob Allen] Look at me go.
[Michelle Wilson] I concede. No, I don’t. [Laughter]
What we’ve got here is failure to communicate.
29:25.037
[David Spark] “The words we choose build the reality we operate in.” Now, Phil Venables, who’s the host of the Google Cloud Security podcast, recently explored how cybersecurity metaphors shape our decisions. He started with a Stanford study that gave people identical crime reports with one key difference, whether the crime was described as a “wild beast preying on the city” or “a virus infecting the city.” Now, those who read about the beast suggested enforcement, capture, punishment, and caging.
Those who read about the virus were more likely to suggest systemic root cause solutions.
Venables then dissected our field’s, security’s, most common metaphors. Cyber war pushes us into reactive, tool-obsessed mindsets and diverts focus from foundational work like managing vulnerabilities and governing access. Castle and moat fosters false security and over-investment in perimeters while leaving the interior vulnerable.
Cyber hygiene can place the burden solely on users, leading to a blame culture instead of building robust architecture. He argues the wrong metaphor leads to the wrong investments and false security, while the right one aligns the organization on a shared understanding.
I’m going to start with you, Michelle. What metaphors resonate with you to build the right solutions?
[Michelle Wilson] One of my favorite metaphors is talking about how the business likes to go fast. So, they…
[David Spark] The race car metaphor?
[Michelle Wilson] They want to use a Lamborghini. I need to make sure the road is not full of potholes. So, we need to make sure that we’ve got our foundations set and effective so that that nice Lamborghini doesn’t end up in a pothole and lose a tire in the first five minutes.
[David Spark] Yeah, and I think, actually, the race car metaphor’s been used many, many times and it is very apropos. What about you, Rob? Do you have a favorite metaphor?
[Rob Allen] I have lots of favorite metaphors. I think metaphors are really useful.
[David Spark] Okay.
[Rob Allen] I think an important part of what we do is explaining complex things in a simple way that anybody can understand.
[David Spark] Yes!
[Rob Allen] Probably my, well, my go-to for what we do, if a normal person was to say, “What’s ThreatLocker all about?” you use the analogy of your house and a lock on the door and how a lock on the door is a control or a lock on your windows is a control.
They’re all controls. You could talk about how detection and response is like an alarm. It’s a motion sensor. It’s something that is reactive. The control is stopping people from getting in, but the reactive is in case somebody does manage to get in.
You can take that to the nth degree because we have people who will go so far as to say ringfencing is about allowing people into your house through the lock but then saying they can’t go to particular rooms within the house, so they’re allowed to come so far and no more.
[David Spark] That actually, it’s a better version of the candy bar metaphor through just classic firewalls, hard on the outside, chewy on the inside. You address that with the ringfencing.
[Rob Allen] Yeah, and you can take it to the nth degree. You can go really far with that, but just in very simple terms, it is. Actually, I don’t know if you caught Danny’s intro on Wednesday, he described it as ThreatLocker being a bank vault and the EDR portion of it being a motion sensor with laser beams, which I thought was an interesting way of describing it, but it’s fundamentally the same idea.
Which is we build locks, we build controls around environments. In some cases with like ringfencing, you let things in and you let them do certain things, but no more. But I think that is a useful metaphor for describing to people who don’t understand what proactive security looks like.
[David Spark] Okay. Do you have any more metaphors? You just gave us the race car one. Any others that you sort of lean into? And is this what you describe to others within the organization?
[Michelle Wilson] I don’t actually use metaphors that often, sorry.
[David Spark] So, you don’t?
[Michelle Wilson] Yeah, I just try and explain in English what it is we’re trying to do.
[David Spark] Sounds good.
[Michelle Wilson] [Laughter]
It’s time for the audience question speed round.
33:54.570
[David Spark] All right. With the time that we have left, we have a little bit of time left, I’ve got questions in my hand from our audience. All right? You have not seen these, like you didn’t see the games. You haven’t seen these. I’m just looking for your answers to these.
This comes from Amar Amar, first name and last name are exactly the same, from the University of Tennessee Health Science Center. And Amar asks, what security defenses are going to fail from AI attacks at scale? So, we’re concerned about how attackers are using AI, doing the attacks they’re doing now, but at scale.
So, what security defenses do we have now are just simply going to fail at that? Anything, you think?
[Michelle Wilson] Security awareness training is not going to be able to help us as much as we’ve always come to rely on it.
[David Spark] Security awareness training, what do you think, Rob?
[Rob Allen] Anything that involves detection and response. When you’re trying to detect and respond to 560,000 new pieces of malware every single day, when you’re trying to recognize them when 40% of them are AI generated or AI enhanced or AI iterated, you’re guaranteed to fail at some stage.
You won’t fail all the time, but trying to detect, recognize every one of them is doomed to failure. I’m sorry to tell everyone.
[David Spark] All right, let’s go to the next question. From Stephan Yelle of Silicon Valley Services. MSPs, he’s an MSP, wants to say yes to every client. You say, “Yes, you want to do this?” “Yes, yes, yes, yes.” They don’t operate as the Department of No.
But what should we as security professionals, even though we do not want to be known as the Department of No, what should we be saying no to?
[Michelle Wilson] I don’t say, “No.” I say, “Yes, and.”
[David Spark] Okay.
[Michelle Wilson] So, the answer is yes, we can do that, and we need to do these 82 other things to do that.
[David Spark] Okay. But maybe would they also balk like, “All right, but I don’t think I want to do those 82 things”? So, they say no to themselves?
[Michelle Wilson] Yes.
[David Spark] That’s a smart way of doing it. Throw it in their hands. What should we be saying no to, Rob?
[Rob Allen] Anybody who will not take your advice on security. I mean, fundamentally, anybody who doesn’t recognize, understand, believe you telling them they need better security or more security. I’ve been that soldier, I’ve spent 18 years as an MSP, and I know from painful experience that the customers who say no to wanting something else or better or different from a security perspective are the very same ones who will blame you when they get hit, when they get breached.
So, be mindful of and wary of customers like that who don’t take your best advice because fundamentally you are the expert. Have confidence in your own advice. Have confidence that you are giving this advice honestly and to the best of your ability.
And if they choose not to take it, be aware that they are probably the ones that are going to get hit, and they are probably the ones that are going to blame you when they do.
[David Spark] All right. Dan Powers over at Full Sail University asked this question, and I’ll start with you, Rob. Someone right out of school with some cybersecurity training or certificates, what could they also do? They have that, but what could they do?
Because there are so many young people who have that experience, what could they also do to really impress you?
[Rob Allen] I met a young man last night who I hope I will see again today. If he’s in the room, by the way, do come and talk to me at some stage. This young man, fresh out of college, paid for his own ticket to come here to Zero Trust World. Not an insubstantial or unsubstantial amount of money for a young person not in the workplace yet, but he paid for himself to come here.
That’s incredibly impressive. He wants to learn. He wants to meet people. He wants to understand the industry. And that’s the kind of thing that, I mean, I’m not going to say he’s definitely the only just fresh out of college student that’s here, but I wouldn’t be surprised if he’s the only fresh out of college student that’s here.
But somebody like that who will go the extra mile, who will try to learn, to improve themselves, to meet people, to network, from my perspective’s incredibly impressive.
[David Spark] That’s very good. All right, what about you? What can impress you, Michelle?
[Michelle Wilson] It’s actually a pretty similar answer. Getting involved in the local community, getting to know people in the industry. Most cities have some sort of group that a new person could join for a reasonable amount of money to meet people, and then in their free time, learn more.
Demonstrate that you’ve got curiosity and demonstrate that you’re willing to learn. You never stop learning in this field.
[David Spark] What do you want to add, Rob?
[Rob Allen] I just wanted to add one other thing. When I had this conversation with this young man, I was dressed as Barf, the mog.
[David Spark] From Spaceballs?
[Rob Allen] From Spaceballs. So, it was quite difficult to have a serious conversation with him, much as I might have wanted to. So, yeah, it was a little bit tricky. But as I said, if that young man is in the room, come talk to me at some stage. We will organize a refund for you for your ticket for the event.
[Applause]
[David Spark] Oh, that’s very kind. Very kind. All right, last question, let’s wrap this up, from TJ Williams of MMI Technologies. How do you convince people whose knee-jerk reaction is to want to hide that they made a mistake? Like a phish, a real phish or a phishing test: their knee-jerk reaction is to hide it. They made a mistake, they got phished, and they need to report it, but they want to hide it.
It’s a positive thing to do. How do you convince them that’s what they should be doing, Michelle?
[Michelle Wilson] You do try and build a culture that does not reflect punishment for letting you know, especially if they let you know, and celebrate when they do let you know. We actually give out awards when people [Laughter] let us know that they did something or that they saw something.
We prefer to give them awards for noticing something and not clicking on it. But building that culture’s important to get people to work with your teams.
[Rob Allen] Everything that Michelle just said. You need a culture where somebody can be honest, somebody can admit to making a mistake or even thinking they made a mistake. If you have a culture where somebody’s terrified to admit such a thing, they’re not going to come forward, they’re not going to ‘fess up, they’re going to try and hide it.
So, it is all about the culture, it’s all about making, as leaders, making ourselves available and listening, and people knowing you’re not going to chew them out of it just because they made a mistake.
Closing
41:01.901
[David Spark] We are now at the end of the show. Thank you very much, everybody. Thank you.
[Applause]
[David Spark] I want to thank ThreatLocker for bringing us out here, ThreatLocker.com/CISO, allow what you need, block everything else by default, including ransomware and rogue code. And I want to thank my guest right here to my left, Michelle Wilson, the CISO of Movement Mortgage.
[Applause]
[David Spark] Rob, you are always hiring at ThreatLocker, is that correct?
[Rob Allen] Yes, very much so. We now have room for people. So, yes, we are ramping up hiring.
[David Spark] All right.
[Rob Allen] Yeah, come live in Orlando. It’s really nice. It’s warm.
[David Spark] All right. Well, thank you very, very much, Rob. Thank you very much, Michelle. And thank you to ThreatLocker and to our audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Applause]
[David Spark] Thank you, guys.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.
This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.
Thank you for listening to the CISO Series Podcast.