Security thrives on context. So why does cybersecurity as an industry get so caught up with universal concepts that often can’t be applied?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining us is Rebecca Harness, CISO, Deltek.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Strike48

Security tip of the week – Qualys
Head over to qualys.com to learn more.
Full Transcript
Intro
0:00.000
[Voiceover] Best advice I ever got in security, go!
[Becca Harness] Best advice I ever got was years ago from Alan Paller. He said the most important thing is that people trust you. So, job number one, when you start a new job is just establish that trust with the board, the executive team, your peers, anyone and everyone.
That was absolutely true.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my co-host, one of your favorites, better be, it’s Andy Ellis, principal of Duha. Andy, say hello to the audience.
[Andy Ellis] Hello to the audience.
[David Spark] Ah! It’s like the walk this way gag.
[Andy Ellis] Got to try something a little bit new from time to time.
[David Spark] By the way, that gag, which is so old, either repeating what I say, “Say hello to the audience,” “Hello to the audience,” or “Say your name,” say your name. That joke is so old. Although it repeated itself, I was just thinking, say your name is from Animal House.
They’d say I…
[Andy Ellis] Yes.
[David Spark] …state your name.
[Andy Ellis] It’s because it’s just a funny joke.
[David Spark] But it’s been said a bazillion times.
[Andy Ellis] Yeah.
[David Spark] Anyways. Classics sometimes never go away. We’re available at ciso-dev.davidspark.dcgws.com where you can check out all of our wonderful programming. Our sponsor for today’s episode is Strike48. Strike48 unifies your logs and agentic AI. We’re going to be talking about that just a little bit later in the show.
In fact, they are a brand-new sponsor and a brand new company! Pretty spectacular. Now, Andy, first thing I have to do, though, on today’s episode is say happy birthday. Because I understand today, you’re celebrating your birthday by recording an episode with us, correct?
[Andy Ellis] I am because I just wasn’t fast enough to block today before you managed to schedule something.
[David Spark] [Laughter]
[Andy Ellis] So, it’s the only work I’m doing professionally. I got other work I have to do. There might be a little bit of snow I’m dealing with, I know.
[David Spark] Ah, yes.
[Andy Ellis] This is airing not on my birthday, so hopefully there’s no snow today in March.
[David Spark] Yes, let’s hope not. Now, I don’t want to know about today, but I want to know what was the most spectacular birthday you’ve ever had?
[Andy Ellis] The most spectacular birthday I’ve ever had? Hmm, that’s got to be a really hard one. I don’t think I know, I’ve got to…
[David Spark] I mean, or a surprise gift you’d never…
[Andy Ellis] Well, actually, I got a really great surprise gift today for this birthday. We’re visiting some friends, and they gave me a shirt that says, “Of course I talk to myself. Sometimes I need expert advice.”
[David Spark] There you go. [Laughter] That’s good. So, that’s the best you can think of?
[Andy Ellis] Yeah, I just enjoy living in the moment and enjoying sort of what’s happening, and what’s going on. Because here’s the important thing. Growing old is something that happens to you. Growing up is a choice.
[David Spark] That is true. I will say the thing that for my wife and I, we don’t actually buy each other gifts, we essentially plan an entire day for the other person.
[Andy Ellis] Oh, that’s awesome.
[David Spark] So, my wife’s name is Joy, I’m David. So, the idea is we create what is called Joy Day or David Day, and it’s a whole day of activities, and we do not tell the person what’s going to happen. They just come along.
[Andy Ellis] I love that.
[David Spark] And it’s always fun. The big joke in the family is that I’ve done too much in a day there where I’ve brought my wife to tears. [Laughter]
[Andy Ellis] Oh, my God. See, that was sort of the problem that we would have, which is if I was going to schedule a day around my wife, I’d just be like, “Okay, great. We’ll do like a spa day.” Because it’s easy to schedule. I don’t have to think about it.
Whereas my wife is an amazing planner and she’d have like so many activities, and I’d be like, “I just want to sit and do nothing.” Like, hop on a plane and go somewhere it’s sunny would actually be a highlight. Instead, my birthday’s in the winter and I live in New England, so my days often revolve around snow.
[David Spark] Hmm. For example, my wife who grew up in Reno and is a snowboarder, I thought she would also be into ice skating, did not realize this. Now this didn’t bring her to tears, but I took her ice skating on her birthday once.
[Andy Ellis] Oh, my goodness.
[David Spark] She was beyond miserable, beyond. [Laughter] Like, I have video of her just being miserable on ice skates.
[Andy Ellis] Yeah, ice skating, if you don’t actually know how to skate on ice, that is a brutal sport that looks nothing like any other snow sport that’s out there.
[David Spark] Yeah, she was not happy. I thought, “Ah, you’re into snowboarding. Well, you must be into all winter sports.” I was wrong.
[Laughter]
[David Spark] All right, enough of this nonsense. Let’s bring in our guest, who we’ve had on before. I’m thrilled to have her back on again. And in fact, we have something in common, both owners of aquariums, although technically I don’t own one yet [Laughter] because mine had a leak and I ordered a new one.
But I always appreciate people who are aquarium owners and owners of fish. Anyways. But that is not her claim to fame for this episode. Rather, she’s a CISO. The CISO for Deltek, none other than Becca Harness. Becca, thank you so much for joining us.
[Becca Harness] Thanks for having me here.
Is AI going to help us or hurt us?
5:10.818
[David Spark] “Ninety-five percent of AI pilot projects fail to make it to production.” Now that stat is from MIT, was recently highlighted by Enrico Signoretti of Cubbit to show the pressure CISOs are under when it comes to AI strategy. Executives are hearing about competitive advantages, seeing competitors announce AI initiatives, and wondering why you’re not already deploying your own chatbots and automated threat detection.
But in the rush to go “AI first,” organizations are skipping the “data first” step that makes AI work. For Enrico, without data that’s organized, secured, cataloged, and accessible, AI projects become expensive hobbies, not production systems. So, when your CEO asks what the company’s doing with AI, how are you framing that conversation, Andy?
And how do you balance exploring legitimate opportunities against managing expectation about what’s achievable? This seems like something everyone’s dealing with.
[Andy Ellis] So, it absolutely is, but I just want to start out by challenging the underlying premise here. Like 95% of your pilot programs, and we can talk about pilot in a moment, failing is a great statistic. This is not a bad statistic. I see way too many companies that basically say, “Look, once we decide to try something, of course it will make it to production.” You’ve set the bar too high for getting into pilot.
The whole point of a pilot is to figure things out in live production, not just on paper. So, I’m actually happy to see 95% are actually not making it to production and are failing because that might mean, doesn’t necessarily mean, but might mean that companies are iterating and saying, “Oh, hey, this didn’t work, let’s try something again.” And now maybe if you want to call it something that’s like a pre-pilot, but most companies just don’t have language for, “Hey, we’re playing around,” because that’s what companies are doing today.
You’re playing around with AI to see what might work. And if it works, then you’re running with it.
Now, what they’re not going to do, which we all wish they would do, is once something works, go back and clean up the deployment model because you probably cut a lot of corners, like you should when you’re playing around. And so, that’s going to be the real challenge is the AI projects that stick will not be ones that you actually did all this diligence work.
Like he wants people to organize, secure, catalog, and make accessible all of your data? That’s an impossible barrier. No project that starts that way will ever make it to pilot, let alone to production. So, the things that make it to production are all going to need that work done retrospectively, and that’s been the challenge of our career field for basically my whole life.
So, I don’t expect anything different out of AI.
[David Spark] But I see this as, okay, if 95% of AI pilot projects fail, that means the answer to your executives is, “We’re trying things out and a lot of things are failing right now.”
[Andy Ellis] We are experimenting rapidly to identify the synergies that will provide the most value to the business and to quickly spot the places where AI will not provide sufficient value to justify further investment. You don’t say we’re failing.
Because you’re succeeding.
[David Spark] That is a fantastic way of getting rid of your executives, isn’t it? [Laughter]
[Andy Ellis] You have to learn their language. Like 95% not making it to production is not 95% failed. It’s 95% we learned enough to realize that was a bad path to continue down and we went somewhere else. Learning is success.
[David Spark] All right, glass half-full. Rebecca, I throw this to you. Do you see this the same way as Andy?
[Becca Harness] Yeah, pretty much. I mean, what was it? Like in Web 2.0, all of us were championing fail fast, right? So, going to try an awful lot of things. Don’t go too far down the rabbit hole before saying, “Okay, that’s not working, let’s try something different.” But for us, the goal was get AI in the hands of all of our people.
Let’s not have a culture of have and have nots, get it in the hands of everyone and figure out who succeeds, figure out where the logical use cases are. And that’s been real successful for us over the last year.
[David Spark] And so, is everyone kind of on the same page then? Like, have you had this, you know…
[Becca Harness] Oh, absolutely not.
[David Spark] Oh, [Laughter] okay, all right.
[Andy Ellis] Lots of pages.
[Becca Harness] Yeah, there’s lots of pages.
[David Spark] But the thing is, I’m sure that the executives, those not in security, are trying to push AI initiatives everywhere just because they’re reading it and they realize it’s some kind of competitive advantage, but they don’t know exactly where.
[Becca Harness] Yeah, certainly every executive and probably every industry knows they have to have an AI story for the board. How are we leveraging it? How are we using it to reduce costs, to move faster, to be more competitive, equip our customers with AI tooling with [Inaudible 00:09:55]?
Like, that’s true in every organization today. And I think downstream of that, it’s looking for those pragmatic, practical implementations of AI where you get it in the hands of people that are experts in their field and let them figure out how to use it best and then tell that story upline with probably a lot of marketing [Laughter] included in there.
How is the CISO role evolving?
10:16.012
[David Spark] Andy, a little while ago, you wrote a piece for CSO Online proclaiming the “Death of the CIO,” arguing that “As most of the traditional IT-based application support activities are handled by SaaS vendors, the primary need for SaaS support is security support, and it’ll be wasteful for companies to have both a CIO and CISO providing that support separately.” So, Becca, you took that idea, the very one that Andy was saying – it’s amazing, Andy, people listen to you and they take action, I’m shocked.
Let me go on.
[Andy Ellis] Wow.
[David Spark] You took that idea, Becca, and you ran with it, floating the idea to your executive team that your organization should close the open CIO position and shift to a new operating model with most of IT reporting to you as CISO. Six months in, you now have 150 people reporting to you with IT infrastructure and support services under your leadership.
We talked about this theory on the show before, but now we have an actual in the wild example. All right. So, Becca, walk us through that Jerry Maguire moment with like how did you make the case? Because I’m envisioning this whole movie scene that played out.
[Becca Harness] Oh, yeah.
[David Spark] What’s working six months in and where are the friction points? Let’s hear the story.
[Becca Harness] So, where this really started was, this is my third run as CISO, having been CISO at St. Louis University and Quickbase and now Deltek. And one thing that’s followed me at each spot, I don’t know if I’m the death knell for CIOs, but at St. Louis University, six months in, we had a changeover in CIO. Quickbase, I think it was nine months in, we had a changeover in CIO. Here at Deltek, same thing.
We had a CIO exit, and they started looking for a new CIO. Every single time, it’s kind of been the same story where, okay, we’re going to bring someone else in, then I got to develop that relationship, develop that trust.
We got to figure out how to work together and then hopefully make some progress towards whatever we’re trying to accomplish.
And this time I was just like, “Okay, third time’s the charm here. We got to figure out a different way to go about this because it takes too long, it interrupts progress.” And we’re also at a point in the industry, like we talked about, every organization is trying to do this transition over to AI and such.
I happen to be in a position where I spent a good part of my career in IT services and support and IT engineering, so I had the right background there. I’ve been in security since around 2012, so I’ve got maybe the right foundation to take on something like this.
So, when I was at Quickbase, the CTO that I reported to had come from Amazon. He was a big believer in the Amazon six-pager and the PR FAQs that come out of the Amazon culture. So, I sat down and rather than kind of build a slide deck, I wrote a 15-page Amazon six-pager with references, including Andy’s article, which was really kind of the first one that I ran across when I started looking at doing something like this, and kind of made that point of, “Let’s think about this in a different way.
Maybe rather than bring in a CIO and say, ‘We’ll have everything report up to the CIO,’ why not move the IT engineering and IT support, which I’ve got a good background in, let me take leadership on that and focus on bringing in an executive that’s solely focused on transformation, digital transformation, the transformation towards AI, those big bucket things.”
Because inevitably what happens is you bring in a CIO or whatever you want to call them, and in our case, they’re executive positions, but not called CIO. They’re looking to make a name for themselves. They’re, of course, going to focus on innovation and transformation, that sort of thing.
And IT services and support, security, it’s kind of best effort type of thing. Bringing it into the security organization allowed me to merge the teams together. So, our IT and security teams are really tightly blended together. My SOC manager now also leads network operations.
Our security engineering team is part of the network engineering team. There’s really great synergies across the stack.
So, it worked really well. I wrote the paper, I sent it to all of our executive team, and then I kind of went one by one and met one-on-one with them. And they poked and prodded on it. And I think what it really came down to was they had seen what I’d done with security over the last year, and I’d done some really great stuff, taken a very pragmatic approach.
[David Spark] Mm-hmm.
[Becca Harness] They trusted me, and I was really telling the story from their perspective of, we know we got to do these big bucket things. Okay, give me the things that are kind of noisy, so to speak, let me take that and manage that, and then other folks can focus on the big transformation activities and such.
So, six months later, I think it’s worked really well. The teams have picked up on it. I think some of the biggest friction points was IT used to be very project-focused, which tends to slow things down, it takes longer to run large project cycles.
So, I’m a big believer in Agile methodology, Kanban plus Scrum, so we’ve been migrating to that’s how we manage work and how we implement stuff. I think that’s kind of been the biggest thing so far.
[David Spark] All right, Andy, so you hear a real-world example. Had you heard others, what’s your take on Becca’s story?
[Andy Ellis] Yeah, so this is absolutely not the first I’ve heard of it. In fact, I did not write this cold and be like, “Oh, I have this great idea.” I wrote it because I was already starting to observe it. And in fact, I’ve been observing – fascinating and it may just be availability bias – I’ve noticed a gender skew here, which is I’m more likely to see a woman who is doing both jobs than I am a man who’s doing both jobs.
And certainly the early cases, I actually pitched a panel to RSA, and I went and I tried to find everybody who’d been both CIO and CISO, and the first 10 people I could come up with were all women. It wasn’t even like a little bit of a split. I could not find any men who had done this several years ago.
So, to me, that’s just fascinating, I don’t have an explanation for it. That’s just observational data.
But I think exactly what Becca sort of closed with is I think a key thing, which is there’s different cadences that organizations operate at, and IT is traditionally a very operational role. Like things have to move fast, but it evolved into this project role.
Oh, we want to do big things. Big organizations like that don’t move fast. They become sort of these engineering, change leadership, change management, and that affects the operational teams because more and more of your leadership doesn’t know how to work in an operational role.
And you also, I’ve seen some really weird dynamics, and I can’t wait to see – actually, I hope Becca doesn’t run into this – which is there’s a boom and bust cycle of headcount, right? It’s like, “Oh, let’s get more headcount. Oh, we have to take away headcount.”
And what I’ve seen in a lot of IT organizations is when they get a boom, they apply all of the boom into the big projects. It’s like, “Oh, let’s put all of this bonus headcount we’ve got into digital transformation.” And then a year later, when they’re told, “Oh, cut 10% of your heads,” they protect digital transformation.
And the 10% cut isn’t just the 10% of the ops team, it’s the 10% from digital transformation applied to ops. So, your ops team keeps getting cut even more and more, and so separating them out, I love as an idea, just to protect the budget lines as well.
It’s like, hey, here’s our operational support team. They’re not carrying this – I don’t want to say dead weight, but – this weight of these big transformation activities that you should invest in or disinvest in as a whole, not partially.
[Becca Harness] One way we mitigate some of that is through monthly metrics meetings. I’m a big metrics nerd and we’re constantly doing trending data. And every team tells a very tight story of what they’re delivering for the organization and what they’re doing in the name of continuous improvement.
That’s one way we avoid that is we make sure that we tell our story very, very well upline so that everybody understands the value that we bring to the organization.
Sponsor – Strike48
17:53.282
[David Spark] Before I go on any further, I want to tell you about our fantastic new sponsor and that is Strike48. As we know, everyone is talking about AI for security. Copilots, assistants, chatbots, the list goes on. But how much time is AI really saving you?
I mean, really. Does it have access to the data it needs or is it just isolated in silos? And can you trust it to do real reliable security work? Enter Strike48. This is the first agentic log intelligence platform that gives AI agents the visibility they need to take a load off of your team.
Now it’s no secret that AI is only as effective as the data it can access. So, if your SIEM costs force you to drop logs or put them in cold storage, any existing AI you deploy will have blind spots. Don’t worry about that anymore. You can now maximize log visibility without maximizing costs.
Plus the platform connects to your logs wherever they live, so you can keep the technology you already have. With Strike48, you can deploy prebuilt agent clusters or build your own agents and workflows covering phishing, threat intel, alert triage, SOC, and more.
You can try Strike48 for free. Yeah. Just go to strike48.com/security and start deploying log intelligence agents today. Remember, strike48.com/security. You heard about it from the CISO Series!
It’s time to play “What’s Worse?”
19:32.246
[David Spark] Becca, you remember how this game is played. Two crappy scenarios. You have to decide which one is worse from a risk management perspective. I will make Andy answer first. You can agree or disagree. This again comes from Ryan Rene Rosado of RSM.
She has put together an interesting combination on each side of the “What’s Worse?” scenario. So, there’s, again, it’s kind of apples and oranges on each side, but you will see what I mean. All right.
[Andy Ellis] But I loved this one last one we did like this, even though I thought it was somewhat easier, it really made us think, so.
[David Spark] Well, this one will make you think as well. All right.
[Andy Ellis] Okay.
[David Spark] A huge data breach that will lead to fines and SEC scrutiny with a material weakness, and – this is all on one side here.
[Andy Ellis] Yep. While that’s happening.
[David Spark] You’ve got a huge data breach that can lead to fines and SEC scrutiny with material weakness, and a wildfire is heading towards your area. Okay?
[Andy Ellis] Oh, this is a California problem.
[David Spark] Okay.
[Andy Ellis] If I got wildfires heading towards my area, we got serious issues.
[David Spark] It could be just anywhere up and down the West Coast, this could be.
[Andy Ellis] Yeah.
[David Spark] Or let me say, there’s dry areas in the Midwest too.
[Andy Ellis] Okay. So, actually, honestly, I’ve been really close to this one before, I had serious issues with a wildfire headed for the engineering team that needed to deal with the issues.
[David Spark] Okay. All right. Or you have an insider threat stealing proprietary information when your mistress is pregnant and your wife just found out.
[Becca Harness] Well, if my mistress is pregnant, that’s going to be a really difficult thing.
[David Spark] [Laughter]
[Andy Ellis] Yeah, that’s a…
[David Spark] That’d be a miracle.
[Andy Ellis] It would be a miracle, Becca.
[David Spark] Look, things can happen. Things can happen. Let me just say, things can happen. All right. But Andy’s going to answer first. What’s your take on this?
[Andy Ellis] So, first let’s go with the professional piece of it because I love that these are professional and a sort of a personal one.
[David Spark] Yes.
[Andy Ellis] Which is obviously the first one is worse. Like the breach with fines is worse than the insider threat. That to me, that would just be a no-brainer if it was just those. And so, then the question is a wildfire headed to you versus you are engaged in an extramarital affair and that partner got pregnant and your spouse is about to find out about it.
[David Spark] By the way, this happened to a neighbor of one of ours actually.
[Andy Ellis] Like, that actually is really, really fascinating. And I have to say, like, how bad is this wildfire?
[Laughter]
[Andy Ellis] Compare with that one.
[David Spark] But that second one, I mean, you want out of that scenario at all costs, I think. That’s pretty bad.
[Andy Ellis] Well, the problem is you got into that scenario because you weren’t thinking about the cost. I got to say, this is a good one, but I generally try to put the professional hat on when I’m answering these from sort of a risk perspective.
[David Spark] Yes.
[Andy Ellis] And I got to say, you did this. The second one, you did this to yourself. You have a mistress, like this is on you.
[David Spark] I know, but again…
[Andy Ellis] Versus wildfire coming to your house.
[David Spark] Yes, that’s true.
[Andy Ellis] Yeah, wow.
[David Spark] By the way, this is the longest I’ve ever seen Andy debating something. [Laughter]
[Andy Ellis] Well, because if I put on my professional hat, like how do I feel as a professional, I would have to say the first one is worse.
[David Spark] Yes.
[Andy Ellis] Especially because the wildfire impacts your ability to deal and your whole team’s ability. You can’t even delegate.
[David Spark] Oh, yeah, just the number of people this affects is the first one.
[Andy Ellis] Because the wildfire is headed towards your headquarters. Like the number of people being affected.
[David Spark] But that second one, oh man, does that get you. [Laughter]
[Andy Ellis] But that second one, from a very personal perspective, that’s just like how do I go up to my wife after recording this and say, “Well, I just said that if hypothetically I was in an affair and got her pregnant, that’s not that bad.”
[David Spark] [Laughter]
[Andy Ellis] There’s just no way to walk off with that one. I got to say, this is a really good one, but I’m going to stick to my guns and say the first one is worse.
[David Spark] Okay.
[Andy Ellis] Simply because the amount of effect on your life, your company’s life, all of your employees’ life is much more massive in every realm of it. Whereas the second one, the risk is all just concentrated on you were an idiot.
[David Spark] Mm-hmm.
[Andy Ellis] And so, I have a hard time saying that’s worse, even if personally that would be really awful.
[David Spark] Now, Becca, same story for you. You got your mistress pregnant, I don’t know how you did it, but you pulled it off. Good job.
[Laughter]
[Becca Harness] Yeah.
[Andy Ellis] You’ll make a lot of money repeating that experiment.
[David Spark] There you go. [Laughter]
[Becca Harness] I bet, right? The book deal alone would be great.
[David Spark] All right.
[Andy Ellis] The book deal is fantastic.
[David Spark] So, are you going to agree or disagree with Andy? Again, you see how sort of this is weighted.
[Becca Harness] Well, I mean, selfishly, I would say that the second one is actually worse because that’s going to follow you for the rest of your life, whereas the first example is temporary pain. Like it’s going to suck for six months…
[David Spark] Ah!
[Becca Harness] …then it’s going to go away. And in modern society, like living through that as CISO, like that’s a resume-building activity, you know.
[David Spark] Yeah.
[Andy Ellis] Although your house could have been in the Pacific Palisades and when it gets burnt down, the state won’t let you rebuild it because they want to seize your house for some other purpose, who knows?
[Becca Harness] But you get all new stuff, so, you know.
[Laughter]
[Andy Ellis] You get all new stuff.
[Becca Harness] I’m a silver lining type of person, so.
[David Spark] So, anyways, so you’re leaning on the second one being worse because, a great example…
[Becca Harness] Oh, yeah.
[David Spark] …it has a longer lifespan, the rest of your life.
[Becca Harness] Exactly.
[Andy Ellis] Yeah.
[David Spark] All right, well, I think Rebecca wins on this one, Andy.
[Andy Ellis] Well, I think that Ryan Rene wins on this one for getting Becca and I to disagree because it’s been a while since a guest has disagreed with me.
[David Spark] That is true. Thank you very much, Becca. Thank you, Ryan. Thank you, Andy.
What works? What’s not working?
25:23.163
[David Spark] “We’ve all implemented controls that looked solid in design reviews then cause unexpected friction once real users and workflows got involved.” Now this comes from a recent cybersecurity subreddit discussion that looked at what security controls look good on paper but create too much friction.
The responses ran the gamut. USB drive lockdowns triggered massive pushback because people felt untrusted rather than protected. And removing local admin privileges exposed how many shadow tools employees were using, DLP policies that blocked accounting teams from establishing customer relationships, HTTPS inspection broke Microsoft 365 traffic when misconfigured.
So, when you implement a control that causes unexpected operational friction – it happens – how do you diagnose whether the problem is the control itself, poor change management, or something deeper about trust and culture? Becca, what can be adapted and what needs to be ended with controls?
[Becca Harness] Yeah, I do want to say like removing local admin permissions, I’ve done that at several organizations so far and I’ve never really run into a lot of challenges there, but I’ve always had an EPM tool to assist with that. And so, that’s one that I haven’t actually had a lot of friction there.
You would expect it to be in every single organization. They’re like, “The developers are going to hate this. They can’t stomach this.” And we always seem to make our way through that. So, I’ve never had a problem there. The one that’s always, always, always a problem is that migration to zero trust network access.
Anytime you’re changing out networking tools, firewalls, routers, that type of thing, it just seems like we’re unwinding decades of stratified goo when it comes to network rules and trying to translate that into modern stacks, modern tooling, always going to run into challenges.
And I think that’s the difference. You’re going to find out really quick, do I have a good networking team, or do I have a great team? Because if I have a great networking team, I think there’s always going to be impact, but it’s going to be relatively minor.
You’re going to get through it, a day or two of pain, be okay. If you have a good networking team, that pain is going to last a while and things are just going to bubble up again and again for months. But that’s the one tool that I think is extremely necessary, but I’ve never seen it go super smoothly.
[David Spark] All right, Andy, I throw this to you.
[Andy Ellis] I’m just laughing because if you asked me to pick what thing I’ve deployed that went smoothly and what thing I tried to deploy that failed, I’d say what went smoothly was ZTNA and what failed was removing local admin access.
[David Spark] [Laughter] You see? You’re disagreeing on everything with Becca. Although Becca’s the one who followed your advice, too, about the whole CISO model.
[Andy Ellis] But we’re not disagreeing about why. The why is in which place did you truly understand what your users were doing in advance and be prepared to support them? And almost every time that I see something like this, where it’s like, oh, this looks solid in a design review.
Did anybody ever ask how people use the system? Did you think about change management as part of design, or did you just assume that nobody would do something like that? By the way, most dangerous phrase in security, “Nobody would ever do that.”
[David Spark] [Laughter]
[Andy Ellis] Believe me, you have employees and customers doing exactly the thing you think nobody would ever do. That’s not on them. That’s on your failure of imagination. So, if you don’t start your rollout by saying, “How will it fail?” Do premortems, what could go wrong?
Let people tell you and listen. Yes, it took us nine years to build and roll out ZTNA, but we were the first people to do it. There was no roadmap.
So, we built, we went very slowly. And by the end of it, we had people begging us to go faster. They were like, “Why are you doing this so slowly? Like, just give everybody this right now, it works.” And often we would do. We’d be like, “Oh, look, here’s the system, here’s the VPN.
We’re not turning off the VPN yet. But if you just use this, you don’t have to ever use the VPN again.” And that was amazing because we didn’t take away what they trusted. We just gave them what was a better option, and they started using it and we’re like, “Oh, hey, this works.” Or they would like let the person next to them, like, “Mikey likes it, let him try it.” They would let somebody next to them try it, and when it worked, and the biggest fight that I had was with the IT department that they wanted to control the rollout.
They wanted to say, “You can’t use this new system until we approve you for it.” And I’m like, “No, approve everybody for it, but let them opt in as to when they want to do it,” and just be prepared for that. And once you do that, if your system works, people will jump.
And if it doesn’t work, they’ll tell you early, but they’re not disrupting your roadmap because you let them self-select back out.
[David Spark] I would assume these kinds of changes really boil down to the culture that you create and like kind of what you described, do you have a good or a great team, Becca?
[Becca Harness] Mm-hmm.
[David Spark] Like you got to make changes. It’s how your team and also all the users respond to it and what they know or to expect from them. So, I guess maybe my question is for both of you, and let’s get quick answers here is, what do you communicate about your culture to everybody about, “Hey, changes are coming, this is going to happen, we might have some friction.” How does that roll itself out?
I mean, I’m just making something up, Becca. What do you say? What do you do?
[Becca Harness] Yeah. Well, I mean, in my first example, we were trying to convert a university at the beginning of COVID to enable everybody, including students, to work remotely. So, there’s a ton of challenges there, but everybody got it, right? I mean, it was just going to be difficult.
I’d say the more relevant recent examples, we have a global workforce working 24-7. So, for us, that culture aspect was really, look, let’s get rid of tooling, let’s get rid of that decision point – do I connect to the VPN, do I not connect to the VPN?
Like, hey, it just works. It’s always on, it’s there in the background, and we’re slimming down the number of tools on your laptops. Being a product company, developers, like one less security tool, great, I’m in. So, I think that really helps buy some patience as you work through all the rules and such.
[David Spark] All right, Andy.
[Andy Ellis] I think the most important thing is to communicate to IT and security that we work for the user. If the user needs a thing, the answer is not, let’s run that through the process. The answer is yes. In real time, you need to get to a yes as fast as you possibly can, even if you think that might be the wrong decision because we can come back and revisit it.
But if at 3 a.m., a user’s like, “I need to install this thing on my platform,” unless there’s a really good reason you’re saying, “No, we know that that’s malware, let’s not do that.” But if you just want to say, “Well, we haven’t approved it, no,” you approve it, you let it go.
And then in the morning, let’s sit down and figure out was that the choice we want to make going forward. But don’t get in the user’s way, and that’s the biggest challenge I see in so many security teams is they think they get to say no to a user. You don’t.
The person who’s going to say no to that user is their boss. If you don’t like the tool that a user thinks they want, then you go to their boss and say, “Hey, they can’t have the tool.” Let the boss deliver that message. Your job is just to enforce the rules of the organization and to make it seamless and fast.
[Becca Harness] Championing employee enablement will build a lot of trust quickly.
[Andy Ellis] Exactly.
Security tip of the week – Qualys
32:39.324
[David Spark] Coming up next, don’t weigh down security with all vulnerability management. Exposure ownership belongs with the control owners.
[Voiceover] Today’s exposure management tip is sponsored by Qualys.
[David Spark] In some past multiple identity-related breaches, excessive privileges were known issues, but remediation stalled because security lacked the authority to change access models. Application teams shouldered the responsibility of making the changes, but accountability sat with business executives to approve those changes.
Security was then left holding the bag. This resulted in months of delay, and it ended with eventual exploitation. The lesson wasn’t to deploy better tooling, but simply to align exposure ownership with control ownership.
Exposure management breaks down when everything is owned by security. The most effective programs push ownership to the teams that can actually control the risk, such as identity teams that own privilege sprawl, cloud teams that own misconfigurations, and network teams that own segmentation gaps.
Security then becomes the orchestrator, not the bottleneck. This model also shortens remediation cycles dramatically because fixes happen where decisions are made. More importantly, it embeds exposure awareness into daily operations, instead of treating it as an external audit function.
That’s where exposure management becomes sustainable at scale.
[Voiceover] Want to go beyond exposure visibility and actually reduce risk? Find out how by visiting qualys.com/ROC.
Here’s a brand-new vendor marketing tactic.
34:32.955
[David Spark] “Your company is vulnerable. We found 23 security issues.” That was the subject line of something CISO Nick Ryan of Ryan Leadership found in his inbox from a pentesting company demanding $15,000 to reveal what they supposedly found. Nick’s response was direct, “Send me the list and I’ll pay you.
Otherwise stop scanning our infrastructure without permission.” He never heard back because they didn’t find anything. They likely sent the same email to hundreds of companies hoping someone would panic and pay. As Nick puts it, “This is what desperation looks like in security sales.” So, how do you quickly distinguish between legitimate security vendors and companies running scans with an LLC?
What are the red flags you watch for in vendor outreach? Besides obviously this one. And is this the shadiest sales tactic you’ve ever come across or are there worse, Andy?
[Andy Ellis] Okay, so I see this from legitimate vendors. So, this is not just a signal of a shady vendor. My least favorite was actually all of the various file sharing and instant communications platforms that would send a CISO the, “You have 75 employees in your organization using our platform, but you’re not an enterprise customer.
Talk to us and let us know.” And I’ve always been like, “Look, if you actually think that I care,” which I actually did. And I’m like, “Look, if one of my customers wants to use Dropbox for us to share with, fine. An employee’s going to set up a Dropbox account to share there.
That’s not the end of the world.” But if you think I would care, what I don’t care is the list of 75 is what you’re trying to tell me. What you want to sell to me is like your enterprise tool where I can manage the 75. So, send me the list. Send me the list and say, “Hey, here’s what I’ve found.
I’ve already got it. I’m giving it to you as good faith and I can sell you value on top of it.”
Because the answer is outside very small niches, discovery is not something that CISOs want to pay for long term. That’s a one-time activity. So, if what you have is “I discovered some things,” give the things you have discovered, turn this from shady to, “Now I’m doing good work.
I found these things. I’m going to tell you about these things. By the way, I have a related tool so you can manage,” because that’s what you’re probably selling. So, this is shady. What is actually shadier is anything that involves going over my head.
The number of vendors I’ve had who have reached out to another C-level executive to try to get a call doing something like this, “Your CISO is ignoring this.” That’s honestly even worse because even if you’re right, I do not want to do business with you.
[David Spark] No, and hopefully you have a good enough relationship with your CEO that they know that that’s shady sales.
[Andy Ellis] Oh, yeah. They just forward it to you. They just say, “Hey, this is a vendor,” and you just reply and say, “Yeah, it’s one of the scummy sales tactics.” And they never follow up to say what were the 23.
[David Spark] All right, Becca, do you get these kinds of weaselly sales techniques and have you seen worse than this?
[Becca Harness] Yeah, I get them all the time. That is kind of the worst of the worst is “I’ve got this thing” and demanding payment upfront. So one, I think it’s important to have a responsible disclosure program. So, when we get things like that, depending on the source, if it looks like quasi-legitimate, I’ll respond back and just say, “Hey, here’s a link to our responsible disclosure program.
We really appreciate your partnership and cooperation.” I don’t mention payment or anything like that. They want to submit it, great. If they don’t, they don’t. I will say, one thing I had at a prior organization is I think it was just a lot of misapplied, youthful enthusiasm, young pentesters trying to make a name for themselves.
They don’t think about like, “I should ask for permission, I should try and work with you.” They just go do a bunch of stuff and they’re trying to get you to say that, oh, you found this thing. They want to make a headline, they want to be in an article or something like that.
Kind of to Andy’s point that the big issue with us that I see all the time is just vendors being overaggressive on sales or they created a problem, basically allowing all these free signups with corporate accounts. And then, “Oh, now we want you to buy an enterprise license for it.” Just don’t engage with that.
And I do want to reinforce like, again, if you’ve got good trust amongst your executive team because vendors will absolutely climb up that ladder, but they’ll also go downstream too. They’ll reach out to your security engineers, your security analysts and say, “Oh, I found these things,” and then they get them all spun up and distracted from what they’re supposed to be working on.
So, a lot of challenges in that space, I think.
[Andy Ellis] Yeah, I’ve actually, I have two shadier ones that I’ve thought of, David. So, I got to share these. So, one was a researcher who wanted to collaborate with us and work with somebody on my team was like, “Hey, I want to do some data analytics.
You have access to some cool data.” So, our person went through legal and got to like, “Oh, we’ll share this with an academic researcher.” Academic researcher did the analytics and then sent us a bill. There was no contract. Like they just sent us a bill for analytics.
We thought we were doing nice. Like, “Oh, we’ll let you have access to cool data to do research.” And another one, and a company I can’t name because they have been a sponsor of ours in the past, said, “Oh, here’s what we’re telling our customers about you.
You should pay us money for us to stop saying that and say different things.” And I said, “Well, I will just go tell all of my customers not to do business with you.”
[David Spark] That is pretty bad. Well, I’ll find out off mic what the heck sponsor that was. By the way, all good companies have rogue employees. It does happen.
[Andy Ellis] Yep.
[Becca Harness] Mm-hmm.
[Andy Ellis] It does happen.
Closing
39:50.987
[David Spark] With that, we’re going to close this show. To our listeners who are not rogue listeners or employees, I know that, those people wouldn’t be listening to this show. The ones that are rogue. Thank you very much for listening to this very episode.
Let me thank our sponsor for today’s episode. That was Strike48. They unify your logs and agentic AI. Remember, you can go check them out at strike48.com. When you go, let them know that you heard about them from the CISO Series. All right, Becca, any last words you’d like to say on today’s episode or about your company or anything?
[Becca Harness] Always a delight being here. So, thank you very much for having me. And secondly, I’d just like to say this is a delightful industry to be in. I fell backwards into it back in like 2010, 2012, and I really hope that anybody listening to this, if you’re a young person, maybe early career, these type of stories are the things you’ll think about for your whole career and really can help develop your career.
So, I highly advise paying attention to the voices that come before you.
[David Spark] And would you support an outreach from someone debating whether they’re going to get into cyber and you’ll give them a convincing argument, Becca?
[Becca Harness] Yeah, absolutely.
[David Spark] So, reach out.
[Becca Harness] Yeah.
[David Spark] We’ll have a link to her LinkedIn profile on the post for this very episode. Andy, thank you as always. Becca, thank you as well. And audience, we greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.
This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.
Thank you for listening to the CISO Series Podcast.