Virtually every organization is making moves to embrace AI. Security teams and threat actors are no exception. But this presents a unique challenge. How do you secure these new generation of tools everyone is so keen on using, while also trying to use them yourself as a security practitioner?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Rajan Kapoor, VP of Security at Material Security.
Huge thanks to our sponsor, Material Security

Full Transcript
Intro
0:00.000
[Voiceover] Best advice I ever got in security. Go!
[Rajan Kapoor] The best advice is focus on the fundamentals, and that hasn’t changed in 30 years. Very often, people aren’t able to do that because they either inherit the security program that someone else built, and did not focus on the fundamentals. The attributes of the fundamentals change, for example, how you do MFA, or you’re coming in to fix a fire, and that’s why you got your job.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series and joining me as my co-host, this is quite exciting, Mike, for our seventh year, it is Mike Johnson, the CISO of Rivian.
[Mike Johnson] Wow, that is incredible that we’ve made it seven years, that we’re starting our seventh year, whatever the math is on it, but we’ve been at it for a long time.
[David Spark] By the way, this is your third job. I just want to also point out, this is your third job in seven years, but I’ve stayed at my same job.
[Mike Johnson] Yeah. Some things have staying power.
[David Spark] I do want to mention that we’re available at CISOseries.com, and our sponsor, phenomenal sponsor, they’ve come back again. They love us, we love them. It’s Material Security. Secure what your business is made of. If you’re trying to secure your Google Workspace and your Microsoft 365 environments, you need to listen to this, okay? More about that later in the show. But Mike, back to our seventh anniversary. Now I want to take you back to more than seven years ago when I took you out to lunch and I suggested we do a podcast. I want to hear your thoughts of this guy you didn’t know from a hole in the wall, what you thought of me at that time like, “I don’t know about this clown.”
[Mike Johnson] What it really came down to is, you were very passionate about the concept. It was something that you were excited about. You were excited about having this conversation. Back then, it was the CISO Security Vendor Relationship podcast, like so many words.
[David Spark] Yes. Yes. By the way, no one called it that. That was the name of the show. No one called it that, including myself. Go ahead.
[Mike Johnson] Pretty regularly. But that excitement that you had over having that conversation that hadn’t been happening at the time, for us to then sit down and have a conversation together, and with others in the field, I was interested in having that. It was really just how excited you were that really pulled me in.
[David Spark] So that worked. Huh.
[Mike Johnson] Absolutely. I fell for it.
[David Spark] You fell for it. Well, it was a good falling for it. I would say that much. Now, I say, by the way, those of you listening, it’s seven years and two months, because this is dropping just before Black Hat, or I think on day one of Black Hat, for that matter. But it was in June 1st, is when we first launched this show. Which, by the way, the amazing thing about this, Mike, is that we did four episodes, and by episode five, we got sponsors. Except maybe…from that episode five to now, seven years later, I think we’ve had a sponsor on every episode, except maybe two or three.
[Mike Johnson] That’s pretty incredible, given one episode a week for seven years, it’s a lot of episodes, and to have had that much interest…
[David Spark] Well over 300.
[Mike Johnson] Again, it says that we’re doing something that people are interested in hearing about, and thank you to our audience for your feedback, and for listening to us for all these years.
[David Spark] Well, this show also launched the other four shows that are on our network as well. So thank you for that. So I have to thank you, Mike, for making this all possible.
[Mike Johnson] Thank you, David.
[David Spark] Also, who makes this possible is our sponsors, and we actually have a sponsored guest on today’s episode. Thrilled. You heard him just at the very beginning of the show, but now let me introduce him, so you know this person by name, so they don’t just become a nameless voice that you got into your ears. He is the Field CISO over at our sponsor, Material Security, none other than Rajan Kapoor. Rajan, thank you so much for joining us.
[Rajan Kapoor] David, Mike, I feel very honored to be here on the seventh anniversary. I had no idea what I was joining when we signed up for this. So thanks for having me here.
What about this AI security challenge?
4:14.414
[David Spark] “AI was supposed to make security teams more efficient, but it’s making their jobs harder.” There is a fundamental contradiction in AI adoption. While 98% of companies are embracing AI, I would say, to different levels, security teams face a unique burden, as pointed out by Aimee Chanthadavong at CSO Online. Now, marketing gets to use AI tools, finance gets to use AI tools, but security has to govern everyone else’s AI use, and figure out how to integrate into their own workflows, often without proper training. So meanwhile, attackers are already using AI to generate more convincing phishing emails and develop evasive malware. This creates an interesting dichotomy. Everyone else in the business is expected to just use AI, but security is being asked to do both oversight and implementation on top of their core responsibilities. Mike, how exactly is this supposed to make their lives easier?
[Mike Johnson] Maybe it’s time for some tough talk.
[David Spark] Yes.
[Mike Johnson] This is the job. This is what we signed up for. We signed up to enable and empower the business to go quickly. We’ve seen this before. We saw it with cloud, we’ve seen it with smartphones, we’re seeing this again with AI, where it has the capability to make every team more productive, including our own. That means that we have to figure out how to use it just like everybody else does, but our job is to help the company move safely into new technologies. That’s really what we need to do. From a training perspective, a good AI tool actually doesn’t take a whole lot of training. Maybe to get the most out of it, sure, but you should be able to pick up an AI tool and be productive pretty quickly with just a little bit of tips, like one team member just goes and tries it, and shares a few ideas with the other team members, and the next thing you know, everybody’s just diving in. This is the job. Figure it out.
[David Spark] So Mike’s advice is suck it up.
[Mike Johnson] Absolutely. Absolutely.
[David Spark] All right. I don’t know if anyone’s embracing that advice. Rajan, do you have advice that’s maybe a little bit less tough love than Mike has?
[Rajan Kapoor] Unfortunately, no, because I think we, as a security industry, and I’ve been guilty of this too, in the past, we tend to panic when something surprises us. In this case, we had another evolution in technology. No one had “roll out AI” on their security road map because it wasn’t a thing that existed. When we get surprised, we really try and pump the brakes and just stop so we can wrap our arms around it. I understand why that’s the reaction, but the business is already running towards this thing, and they’re not going to stop, and it would just end up creating tension here. So my reflection on this, and Mike, you’re absolutely right, AI is like a productivity tool. If you start thinking about it that way, then you start to think about, “Well, how can this make my security team more productive?” The answer seems pretty clear to me, which is speed. It will allow your team to move more quickly, and get things done, that would’ve taken longer before. So leverage that speed to augment your existing workflows. Don’t think of new, novel kind of like, “Oh my God, AI is like now my helpdesk.” Just try and speed up what you already have while you’re helping the company do this responsibly.
Attention CISOs, your expert opinion is needed.
7:51.333
[David Spark] How much rope should you give your staff to figure things out? Now, no one likes a micromanager, and I know, for me, I don’t like to be one either. But too much laissez-faire attitude can also burn out staff. This came up in a cybersecurity subreddit, where someone asked if it’s normal for a boss to delegate tasks without priorities or requirements, using the phrase, “you have to own it, run with it,” but then not empowering them to make any actual decisions. So I hope this is not either of you, but I’ll start with you, Rajan. So what’s your management style to challenge staff to grow without creating a toxic environment, and how much does that depend on the individual staff member themselves?
[Rajan Kapoor] Yeah, I think that almost any staff member, any level that they’re at, whatever experience they have, if you set them up correctly, they’re going to be able to do their job and make good decisions along the way. One thing that I see managers get wrong very often, and I’m sure I get this wrong all the time too, but I like to start with an agreed view of, “What does success look like? We’re tackling this problem. What does success look like?” Because once you know where you’re trying to get to, and once everyone’s agreed on that, your team can then independently work backwards from what success looks like, and make good decisions along the way, and then I get to do my favorite thing, which is block and tackle for them when organizational challenges come up. But I see very often, that just more junior employees are told to go and do something, and they’re not really told what they’re running towards, so how can they know what decisions to make? But once you are on the same page, I think it becomes much easier to just take a step back and let your employees do their thing.
[David Spark] All right, Mike, your management style saying different, augmenting Rajan’s, what is it?
[Mike Johnson] It’s a very similar concept. It is understanding the capabilities and the skills of the team members, and making sure that you’re supporting them to be able to take risks, to move quickly, but do so in a safe manner. Provide them with the safety net. Rajan called it blocking and tackling, but it’s very much supporting the team member so that they can go and get their work done. The way that you do that varies based on their level of experience. You can’t take someone directly out of school and say, “Hey, go own this thing.” There’s no way that they’re going to be successful in doing that. But somebody who’s been around for a while, you can very easily say, “This is what success looks like. Figure it out and let me know how to support you.” That’s really how I think about it is, “This is where we’re going. This is what success looks like, what good looks like. Let me know how I can support you, but go make it happen.”
[David Spark] Yeah. Michael, I love that. It’s almost like the more senior someone is, the more ambiguity they should be expected to operate under, right?
[Mike Johnson] Yes.
[Rajan Kapoor] So the more junior, just out of college, there’s very little ambiguity that you can give them for them to continue to be successful, but more senior employees, “Just go do this thing and figure it out,” and they should be able to do it.
Sponsor-Material Security
11:04.550
[David Spark] Before I go on any further, I do want to tell you about Material Security. So your cloud office is the heart of your business, but it’s still protected by a patchwork of point solutions and manual workarounds. We hear this all the time. Modern companies run on Google Workspace and Microsoft 365, where documents, data, communications, and accounts live. Yet, while other critical assets have purpose-built security, EDR for endpoints, IAM for identity, CSPM for cloud workloads, your cloud office remains exposed. Shouldn’t you have something special for that? So it’s time to protect the system your business relies on with dedicated security built for cloud workspaces, which you do your actual work in. So Material Security is the only detection and response platform purpose-built for protecting your company’s cloud workspace. Siloed point solutions might stop some threats at the gate, but they leave massive gaps between your tools. So Material provides a continuous protection across your cloud office environment before, during, and after an incident. Material automatically identifies vulnerabilities and suspicious activity, reduces the impact of a breach, and protects sensitive data, even when credentials are compromised. Sophisticated email attacks, risky misconfigurations, shadow IT, account takeovers, Material not only monitors everything continuously, it applies fixes and steps in to make sure information only flows where it’s supposed to go. So if you’re ready to stop trying to fill the gaps and start getting ahead of threats, check out Material Security. You can learn more if you go to the website. It’s pretty simple to find. Material.security. Material.security. Go check it out.
It’s time to play What’s Worse.
12:54.520
[David Spark] Rajan, are you familiar with how this game is played?
[Rajan Kapoor] I’m not, but I think I can figure it out.
[David Spark] I think you can figure it out. It’s not that difficult. Mike, I make him answer first, by the way.
[Mike Johnson] Oh, I guess I’m playing, too, huh?
[David Spark] You’re playing as well. No, it’s not just Rajan.
[Mike Johnson] All right, fine.
[David Spark] By the way, I was trying to think, did we do a What’s Worse on the very first episode?
[Mike Johnson] I don’t remember. Maybe.
[David Spark] We could go back and listen and find out. But I think I’ve done it. We have done it since the very first episode. I mean, we’ve done it on every episode. If we’ve done it on the first episode, we’ve done it on all of them.
[Mike Johnson] In my mind, there’s no time before What’s Worse.
[David Spark] I agree with you on that. All right, Rajan, what you need to know is I make Mike answer first, and you can agree or disagree with him. Whatever you’d like. I’d prefer it if you’d disagree. We’re going to see what happens. All right.
[Rajan Kapoor] I’ll do my best.
[David Spark] This comes from Neil Saltman of AHEAD. Neil has given a lot of great What’s Worse scenarios, and here you go. Scenario number one. Okay. You make recommendations for security controls to be put in place for the business’s critical projects, and they’re getting ignored. That’s the first one, all right? You recommend them for the business, and they just flat out get ignored. Or you implement controls, and you get blamed by your peers every time a performance issue occurs, that your controls are impacting the business. Which one is worse? By the way, this is the way Neil summed it up. You’re either the department of no, or the department of irrelevant. So irrelevant first one, department of no, the second.
[Mike Johnson] So, again, the first one is basically you have no security, the second one is you have security but…
[David Spark] You’re screwing up the business.
[Mike Johnson] …people blame you when things go wrong.
[David Spark] Yeah.
[Mike Johnson] That’s the way that I read it. This one’s actually very easy. We’re going to get blamed all the time anyway. I would rather actually have some security implemented, and the first one…
[David Spark] First one, I don’t think you’re doing anything.
[Mike Johnson] I’m not doing my job. Why is that an environment I would want to work in? At least in the second one, I’m making forward progress and…
[David Spark] But, okay, again, I’m just playing devil’s advocate here.
[Mike Johnson] Sure.
[David Spark] You’re impacting the business, the business doesn’t like it, the business has a hard time to operate. The business operates… I’m going to add an amendment. The business operates better in the first scenario.
[Mike Johnson] Sure, until something really horrible goes wrong, and we all know that’s what will happen in that first scenario. It’s just, it’s simply a matter of time. In the second one, there’s opportunities to improve the relationships and make things better. But, again, even in the situation where you’re getting blamed for things, you’re still in a better environment where you’ve got some controls in place.
[David Spark] So the way I see it is, you’re kind of Larry David on the second one in that, everything else is going fine, but you’re just getting blamed for everything.
[Mike Johnson] Larry David or Rodney Dangerfield, or any number of very famous comedians.
[David Spark] I was using a more current reference than Rodney Dangerfield. I don’t know if all our audience knows who Rodney Dangerfield is.
[Mike Johnson] We’ve been at this for seven years, David. Clearly, we know who Rodney Dangerfield is. We’ve been around.
[David Spark] You know who Rodney Dangerfield is, Rajan, yes?
[Rajan Kapoor] I do know who Rodney… Yes.
[David Spark] The Mr. I Don’t Get No Respect.
[Rajan Kapoor] Very fond memories of Rodney Dangerfield.
[David Spark] All right. Are you agreeing or disagreeing with Mike?
[Rajan Kapoor] It’s interesting because I want to disagree here. The reason I’m going to disagree is I always tell my team, “Look, every minute that we take away from an employee who’s trying to get their work done because of the security control is one less minute they have to have dinner with their family.” In the second scenario, you’ve already lost the confidence, it sounds like, of the organization. You’ve damaged a lot of relationships, and I guarantee you, your employees are finding like workarounds and taking your data and putting it somewhere else that you will never see the light of day for your security team. In the first scenario, there’s an opportunity there to introduce usable controls. You haven’t damaged your reputation yet, you haven’t damaged the relationship yet, and your employees are having a great time. They’re just doing whatever they want right now. As you tighten the screws a little bit to protect them, you have an opportunity to do it in a way that works for the business and doesn’t slow it down.
[David Spark] All right, so he’s taking my theory, by the way.
[Mike Johnson] Well, and what… He’s putting words in your mouth, Rajan, but it’s really, it’s kind of predicting what’s next. In one of these, security actually gets better, and in one of these, security actually gets worse. The one where it gets better is the first scenario, where you have no good security. The one where you have security that’s slowing everything down, security is going to get worse over time. That’s a worse place to be. But at that state in time, at that point in time, I’m sticking with my answer. But I think, again, good scenarios and really good conversations come out of it.
[David Spark] This is not an easy decision, because honestly, both of these are terrible. So it works towards the name of the game, What’s Worse? All right. Now I wanted to go back to our audience, knowing who the heck older comedians are. Let me ask you a question. Do you know who the comedian Victor Borge is, Mike?
[Mike Johnson] I do not.
[David Spark] And Rajan, you don’t know who he is?
[Rajan Kapoor] I know the name. I’m not familiar with his work, but I’ve…
[David Spark] Yeah. So I used to work as a stand-up comic, Rajan, and also very much a student of comedy in general. Years ago, I went on a date or two with his granddaughter, Victor…and it was through a date I found out that her grandfather was Victor Borge, who is incredible in my mind. Unbelievable. He had like the most masterful timing. You know, if you saw him… Most of his act was performing in front of symphonies, doing the shtick in front of a piano, where you follow a piano, but it was all this sort of very funny comedic timing. The point I want to make is that she was surprised I knew who her grandfather was, and it made me feel quite old. She said, “None of my friends know who my grandfather is. My friends’ parents, they know who the heck he is.” I don’t know. So I don’t want to make myself sound old, but I think everyone knows who Rodney Dangerfield is or should.
[Mike Johnson] Write into the show. Let David know if you do or do not know who Rodney Dangerfield is.
[David Spark] Or Victor Borge, for that matter. Or Larry David. List all the comedians you know, and just send it to me.
[Mike Johnson] Yeah, just a long list.
Please, enough. No more.
19:39.134
[David Spark] Today’s topic is, well, a topic that’s near and dear to our sponsor’s heart, and that is securing Google Workspace, but I’m going to start with you, Mike. It’s our Please, Enough. No More segment. I’m going to ask you, what have you heard enough about, with regards to Google Workspace Security, and what would you like to hear a lot more?
[Mike Johnson] This is a big one. Really, what my biggest frustration with Google Workspace Security is, all of their documentation is click-ops, like, “Here’s all the things you click on to do this thing,” and I’m really tired of that guidance. “You should click on this to make this happen.” What I would really like to hear more of is, an as-code way of managing workspace security. Like, how can I have Terraform manage Google Workspace Security? I really fundamentally want to manage the security of my Google Workspace environment the same way that I do as AWS as code. So that’s really what I would like to hear more of.
[David Spark] All right. You heard what he said. Now this is your space, and maybe you can sort of explain what you were frustrated by Google Workspace Security, and what attracted you to Material Security. Rajan, start with what you heard enough of.
[Rajan Kapoor] If you really want to secure Google Workspace today, Mike is totally right, you’re just clicking a bunch of stuff, and unfortunately, the stuff you really need to click isn’t even in the UI. Google does an amazing job of shipping secure infrastructure, they do not put enough controls in the UI for Google Workspace admins.
[David Spark] Give me just one example of what you mean by that. Like, they’re providing the control for the admins.
[Rajan Kapoor] Yeah, for sure. A great example is automation. If Google will ship you an alert, literally, that says, “Hey, this account is being accessed in a suspicious way, and there’s been a novel log-in to it,” they give you no choice to say, “When this alert pops up, let’s rotate the password automatically, and let’s suspend the account automatically if it’s that severe.” These are things that should just be, set it and forget it, in the interface. So to really do that stuff, you get closer to what Mike’s talking about, where you have to ship some code that will do it for you. That’s basically where we got interested in this problem, which is Google admins should not spend their days trying to wrangle Google Workspace through their APIs, building their own detections, building their own remediations. That should have just been out of the box from Google, but it’s not, so why don’t we do that for them? I talked to a detection engineer who goes from job to job, and every job he spends the first six months writing the exact same detections for Google Workspace. Well, that should be a product. Something should just do that for you if Google’s not going to do it for you. So yeah, I’m really just, like, no more of having to sit there and click boxes, and wish you had more control of Google Workspace. No more having to hire a team of threat detection engineers just to go consume Google’s APIs. Just let’s turn something on that does it for you, that lets you detect stuff and remediate it automatically.
[David Spark] Correct me if I’m wrong, but the way you see it at Material Security, this was a prime target that needed help for security, the fact that there just wasn’t really much of anything for administrators to manage the environment. Heck, I mean, you’re right. Many, many businesses, I mean, an enormous percentage are on Google Workspace or on Microsoft 365, that’s where they operate. It’s where they exist, and if those go down, the business probably goes down too with it.
[Rajan Kapoor] That’s right. Yeah, I mean, look, you think about everything that’s in there. It’s your identity. Even if you have Okta or something like that in place, you’re probably leveraging Google Workspace as your source of truth. It’s your business data. It’s the first application you give to an employee. It’s the last one you take away from them. Every single employee has it. It’s where your business communication happens, it’s where you talk to your customers. There is a lot in Google Workspace. There’s a lot in Microsoft 365, and we, as an industry, we started to patch together fixes to help us manage it. But just like you had with endpoint detection response, you went from a whole bunch of different tools to one tool that does it all for you, and it’s about that time for our cloud office services to go through the same evolution. Just one thing to help you wrap your arms all the way around it.
[David Spark] Your customers, I’m assuming, when they come to you, they are the first layered solution on top of Google Workspace, that whatever platform they’re on, that they’ve ever used before, what is their before and after reaction, after having used Material Security?
[Rajan Kapoor] Yeah, one of my favorite things is showing what we do to someone for the first time, and just, you know, watching their reaction. I’d say the easiest way to describe it is, it just clicks. It’s a problem that they knew they had, but it was a problem that they weren’t sure exactly how to tackle it. They were looking at different solutions for Google Drive, or for posture, or for email, inbound email, threat detection, and all of a sudden, you show them, “Well, do this all-in-one spot, and you can actually follow an attack all the way through your environment, if you need to, without having to context switch between different tools or wire up your own detections into your SIEM or your SOAR.” And it’s just this aha moment of like, “Oh, I don’t have to hire someone to go do all this now. I can just put this thing in place.”
What works? What’s not working?
25:34.235
[David Spark] Is business logic a blind spot for cybersecurity? The most effective route for threat actors is not to be sophisticated, it’s to be trusted, pointed out by Anthony Fu of Dvuln. Now, you don’t need custom code when you can exploit the psychology of trust with a legitimate-looking DocuSign request. So how can cybersecurity help account for the business pressures and logic that fuel most employee behavior? I mean, this is core to phishing philosophy. We see this again and again, make the email look like it just came from PayPal or from DocuSign or whatever. I’m assuming people are going to think this looks legit. I’ve heard it again and again, Mike.
[Mike Johnson] Yeah, and we have to assume that they’re going to assume it looks legit, and they’re going to click on it. That’s part of our job, is to make sure that our environment is resilient to them clicking on that thing. I’m going to give credit to Kelly Shortridge here. We have built thing-clicking machines, and we expect people to somehow know when they should and shouldn’t click on that thing. They’re going to get it wrong some of the time. So it’s up to us to build our defenses in such a way, with the presumption that they will click on the wrong thing, that there will always be a business process that looks a little bit weird. I got an email today from one of our security vendors with a report about our usage that came from a domain that’s not theirs. That’s from a security vendor. They’re sending out suspicious-looking emails.
[David Spark] Could that easily be flagged?
[Mike Johnson] I mean, it could easily be flagged, and frankly, in that case, my system should just automatically delete it. It’s a bad design decision from my security vendor, it’s a bad business process that we’re having to work around. So we just have to assume that there are going to be bad business processes that lead to behaviors that we’re not excited about.
[David Spark] All right. I throw this to you, Rajan. This is so core to, well, a lot of security failures, is that people falling for something that looks legitimate, it’s core to phishing. It seems like a lot of this could be thwarted through some basic technology filters, yes?
[Rajan Kapoor] Yeah. Mike totally hit the nail on the head here, which is, what are you doing to prepare for that incident? Just assume it’s going to happen, right?
[David Spark] Yeah. Of course, someone’s going to click on something that looks like a PayPal email.
[Rajan Kapoor] Exactly. It’s interesting. I have these conversations with other CISOs, and I’ll ask them, “Well, what are you doing to prepare for post-breach?” Some of them just can’t even make that mental leap of, “Oh, I should stop investing in pre-breach and maybe think about post-breach a little bit more.” We almost have this thing in security where we can’t admit a breach might happen. We’re just like, “No, we’re going to prevent it. We’re going to prevent it.” So really starting to think about phishing protection as one component of protecting your cloud office and protecting your employees, but not a siloed component. You really need to start seeing the entire picture of what’s happening in your environment from, “Employee clicked this email” to “Employee’s own mailbox is now sending out suspicious emails.” Then I think that what companies are missing is really just that fully holistic view of what’s happening with any single account at any single moment.
[David Spark] You make a good point, and that’s a really interesting take, and I want to follow up on that, is that, we talk about, when you talk about securing the business, “Well, look at what the business process is. How does someone go to an ecommerce site and buy a product? What are all the steps there that could be?” But it could be done also internally like, “How does your own team work, and how could they fail at their own job? Where are the points of failure?” I mean, do you guys create charts of that? Like, “Here are all the points of failures. Let’s start plugging them up.” Yes? I mean, how does that work, Rajan?
[Rajan Kapoor] If you start to think about testing your business process like you would your defenses, and what I mean is a pen test. You have a pen tester come in, who then tries to see where your defenses will fail, do the same thing with business process. Sit with the teams, understand how they’re handling data, understand how they’re interacting with the external world, and then try to test and see, “Well, how would I take advantage of this?” I was at Dropbox before this, and I was a director of security there, and one of the things we did was pen test our customer support team. We would call them up and try and get them to do the wrong things with accounts, and we treated it like a bug if we were able to get them to do something. So I think just, yeah, you do have to sit with the business, but we’re good at testing, so just keep testing.
[David Spark] Mike, anything to add?
[Mike Johnson] I really like the idea of doing those adversarial tests of business processes where there’s significant data at risk. You’re not going to look at every process, but you can take a step back and say, “Something or someone that has access to customer data is a very high-risk concern. Let’s test it, let’s learn from that, and let’s implement improvements based on that test.”
Closing
30:56.450
[David Spark] Excellent. Well, that brings us to the very end of this show. I want to thank our sponsor, that would be Material Security. That’s Rajan’s company. Remember, secure what your business is made of if you are working in some type of business productivity environment, which you probably are if you’re listening to this, go check out what they’re doing over at Material Security, material.security. Couldn’t be easier. If you can remember the company name, you can remember the website. Just material.security. Simple as that. Mike, any last thoughts for today’s discussion?
[Mike Johnson] Just really enjoyed the conversation, Rajan. The thing that you said about asking folks how are they preparing for post-breach, I really do think we need people to think more and more about that. So I think that’s a great question for folks to be asking themselves. So thank you for that tip, and thank you for joining us on our seventh anniversary.
[Rajan Kapoor] Yeah, thank you. Thank you, Mike. I appreciate that. I’m definitely walking away with some knowledge here. So thanks for bringing some knowledge today, and David, thanks for having me.
[David Spark] Of course.
[Rajan Kapoor] Happy anniversary to both of you.
[David Spark] Thank you very much. By the way, I’m assuming if someone wants to reach out to you, to connect with you…because as I understand, you’re hiring over at Material Security. Yes?
[Rajan Kapoor] That’s right. Yup.
[David Spark] I’m assuming you got a job board. Yes, on your site?
[Rajan Kapoor] We do. Yup.
[David Spark] Go check out the job board. Always check out the job board first before you contact the person at the company to ask about a job. Specify what you’re looking at rather than the classic very green person say, “Can you get me a job in security?” Which, by the way, that’s never worked in the history of time. Just saying that. Ever. Quick question for you, Rajan. How’d you get your very first job in cyber?
[Rajan Kapoor] Oh, well, I was in IT, and then IT became cyber. I was at a company that did a lot of work with government agencies and sorts.
[David Spark] So you literally had no choice, you just became cyber.
[Rajan Kapoor] I had no choice. It became a thing. Yeah.
[David Spark] Mike, I don’t know if I ever got that answer from you. How’d you get your first job?
[Mike Johnson] It’s somewhat similar. I was working helpdesk that transferred on to a new project, and we were building interesting things for the army that involved cybersecurity, very long time ago.
[David Spark] So Mike and Rajan’s advice to those of you trying to get your first job is, accidentally fall into it. Was that…
[Rajan Kapoor] What I will say, and we’ve talked about it before is, start in IT.
[David Spark] Helpdesk, I hear, all the time, is one of the best places to start.
[Mike Johnson] Yup. Start there. Start there.
[David Spark] All right. It’s exactly right. Reach out to Rajan if you’re interested in Material Security or about the careers there as well. Thank you very much, Rajan. Thank you very much to our audience as well. We greatly appreciate your contributions, and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.