Everyone wants to implement AI, but no one feels ready for it. This disconnect stems from both concerns about technical debt hindering the infrastructure needed to fully realize the benefits of AI, as well as the simple fact that we don’t yet know how to secure it.
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is our sponsored guest, Jadee Hanson, CISO, Vanta.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Vanta

Vanta’s Trust Management Platform automates key areas of your GRC program—including compliance, internal and third-party risk, and customer trust—and streamlines the way you gather and manage information. And the impact is real: A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get started at Vanta.com/ciso.
Full Transcript
Intro
0:00.000
[Voiceover] Best advice for a CISO, go!
[Jadee Hanson] Your security program shouldn’t scale headcount at the same rate as the overall organization. Instead, proactively invest in automation and AI-driven security solutions to streamline your operations and reduce your manual workloads. By taking these simple steps now, you’re going to future-proof your team, ensuring it can grow with the company while maintaining strong security as complexity increases.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And Andy Ellis here, he is the partner with YL Ventures. He is going to be our co-host for this episode. Say hello to the audience, Andy.
[Andy Ellis] Good morning, folks, or depending on when you are in the world, good afternoon, good evening, or good night.
[David Spark] That’s his sign on to the show. Do you have a sign off of the show that is equal to that?
[Andy Ellis] I actually don’t, and maybe I should think about that because usually we go through the whole sign-off at the very end, and you banter with the guests, and you say, “Oh, I’ll banter with Andy,” but I have nothing to say, so I need to come up with something.
[David Spark] No, no. Who cares about you by the end of the show?
[Andy Ellis] Yeah, actually, I’ll take contributions from the audience. What do you want to hear from me at the end of shows?
[David Spark] Do you think anyone’s going to respond?
[Andy Ellis] Look, you never know. Some people respond. We have some seriously devout listeners who really like to engage.
[David Spark] We do, I’m always amazed. I am always amazed at how ludicrously supportive our audience is, and I greatly appreciate it.
[Andy Ellis] Yeah, and how smart they are, too.
[David Spark] And good-looking. That’s what I’ve noticed, incredibly handsome group.
[Andy Ellis] That I would not go so far as to assert.
[David Spark] Hey, we’re available at CISOseries.com, so you can check out all our programming. If you haven’t listened to our brand-new show, Security You Should Know, go check it out. It’s pretty darn cool. Lots of interviews with lots of vendors about their cool products led by security professionals. But our sponsor for today’s episode is Vanta. They are a GRC platform. If you have not been paying attention to them, you are out of the loop. So, start paying attention. More about them, and they’re responsible for bringing our guest today. Andy, we just had a fabulous week at RSA. That was incredible. I can’t believe they made you grand marshal of the RSA parade and gave you the key to the city in San Francisco. By the way, these are our hopes for what happened.
[Andy Ellis] I mean, it’s San Francisco. The key was not worth very much.
[David Spark] These are our hopes because we’re recording this well ahead of when RSA is happening, but I’m projecting what a wonderful time we had at RSA.
[Andy Ellis] I’m just hoping that we don’t get some vendor who decides to do the guerrilla marketing of having like a street dance team pop out of nowhere wearing all-black tactical clothing.
[David Spark] You remember when, I think it was Swimlane did this?
[Andy Ellis] Oh, no. It was a much larger vendor that decided not to give money to RSA, so instead was doing other things.
[David Spark] Well, you can get away with that if you don’t sponsor RSA. That’s the thing. They’ll shut you out for the future.
[Andy Ellis] Yeah, but they basically had a dance troupe jump out and start dancing, but they were all wearing black tactical fatigues.
[David Spark] Ooh, not good.
[Andy Ellis] And right in front of me, it literally almost started an altercation.
[David Spark] Yeah, there’s inappropriate. So, I think it was Swimlane, I’m almost positive of this. They were a sponsor, but then they did a guerrilla thing outside that was a mock protest, and they got kicked out of RSA.
[Andy Ellis] Right, that was years ago. This was one of the very large vendors whose name we all know, named after a region of California.
[David Spark] Okay. Well, I don’t remember that one. But I will tell you, that event, like I’ve said before, the gravity of that thing, it brings the community together. It’s just a great way to connect with the rest of the community. It’s incredible.
[Andy Ellis] Yep.
[David Spark] So, let’s bring on our guest, who we’ve had on before. We adore her. She’s fantastic. It is the CISO over at Vanta. None other than our sponsor guest, Jadee Hanson. Jadee, so wonderful to have you back.
[Jadee Hanson] Thank you so much for having me. Great to be with you all.
What about this AI security challenge?
4:24.105
[David Spark] Ninety-seven percent of CEOs plan to adopt or further integrate AI into their business, but less than 2% feel ready for AI, according to a recent Cisco study. Now, a third of CEOs say security concerns are delaying their plan to roll out AI in the business, with 49% saying increased investment in cybersecurity is part of their roadmap for AI development. This is part of an even larger area of concern about technical debt in infrastructure, making them feel unable to fully realize the potential gains from AI. So, everybody wants it. They don’t exactly know what to do with it, but not many feel ready. So, Andy, to me, doesn’t this sound like a perfect recipe to get an integration partner? Yes, no?
[Andy Ellis] Maybe.
[David Spark] Oh! [Laughter]
[Andy Ellis] Sorry, integration partner is a scary phrase to me. Whenever I hear that, I’m like, “Oh, we’re going to spend a lot of money on somebody who doesn’t actually know better than us but will at least use a lot of big words to tell us that they do.” I think as companies are embracing AI, which they absolutely should be doing, you need to think about how you’re using it and where you’re using it because you have different problems with that. One is you’ll have a lot of your vendors who are just going to sort of slap AI on top of something, whether it’s just a straight naked LLM you can interact with a la Grok or ChatGPT or Gemini. In those you’ve got to say, do I trust the data that I’m handing to it? Isn’t sensitive data, through a commercial thing. Like maybe I need a partner there to secure my use of SaaS AI.
But then there’s a separate, which is I have vendors who are going to embed AI inside their application. I don’t interact directly with it, but their application is like how do I think about what’s going on there and do I trust that they’re doing the right thing with my data? And then there’s where am I actually going to be using AI or LLMs embedded in my own product? That’s maybe where you want an integration partner if you’re not AI savvy. And finally, you also just have to think about as agentic becomes the thing, right? Where are you using AI agents to solve specific problems for you? How are you embedding that into your ecosystem? You probably do want a partner there, but I suspect your partner looks more like a vendor in the agentic AI space.
[David Spark] All right, Jadee, you were nodding your head too much at what Andy was saying because I don’t like to see our guests agreeing with Andy that much, but were you agreeing with him that much?
[Jadee Hanson] I know. I desperately want to disagree with Andy, but I do agree, it’s a maybe. So, if the article says that 97% of CEOs want AI solutions, but we only have 2% of folks that really feel ready, I do think that there’s a clear need for deeper AI strategy that partners or experts can help provide. The AI adoption for most companies, I don’t think is a simple problem to solve. Obviously, we have security risks, we have lots of training gaps, we have legacy systems in some companies that aren’t AI enabled. And so, all of these pose issues, but I think the biggest issue in many companies is just this lack of understanding of capabilities. So, different than other technologies. It’s not about just like implementing a technology, it’s about re-imagining the art of what’s possible with AI. And this is a challenge for most organizations who just don’t really know where to start or how to apply AI effectively to meet kind of their unique needs.
[David Spark] By the way, I think you hit the nail on the head with the realizing the art of AI. Like people don’t have that creative vision of what it can do for you. I mean, I’ll just give you one analogy to this. When I was first learning about video production and video editing, I would sit down with a really talented video editor and watch them work. And I realized my mind doesn’t go like that. It doesn’t operate in that space. And in those cases, I’m thinking you do need a partner to provide that vision that you wouldn’t have.
[Jadee Hanson] Yeah, I think it’s a partner or even just like other innovative players that have leveraged AI and done different things and learning from them. People who are on the forefront of experimenting and sort of pushing the boundaries in ways that others won’t really consider. And so, in some companies, I think this comes from within, but in other companies, they really need those partners and those experts to sort of paint the picture of what’s possible for them.
[Andy Ellis] Yeah, a key lesson I think everybody has to learn from the SaaS sort of explosion is you have to get out ahead of this, and that doesn’t mean get out and stop it. That means you have to figure out how you’re going to accommodate and support your employees who are going to go embrace AI, whether you want them to or not, and how are you helping them do that quickly, sanely, securely, and in a way you can learn from rather than just having every employee is using a different AI agent in a different way and there’s no lessons being learned from it.
[Jadee Hanson] Yeah, I think that’s a good point. I read a couple days ago where they were talking about true AI adoption requires just like a very thoughtful approach to take a company from, “I want to do more with AI,” to a spot where they’re saying, “We leverage AI securely, ethically, and effectively.”
Didn’t we solve this already?
10:08.266
[David Spark] Are we mistaking the symptom for the disease when it comes to burnout? Now this topic comes up again and again, and it’s usually centered on individuals like how can you identify the signs of burnout or deal with it in your career? But this buries the fact that burnout isn’t primarily an individual mental health issue, it’s an organizational problem, noted Chad Loder of CyberSN. Part of the confusion stems from equating burnout with fatigue, that simply giving someone more rest will make it go away. Instead, Loder quotes Professor Christina Maslach from UC Berkeley, who defined it as prolonged response to chronic interpersonal stressors on the job, resulting in “an overwhelming exhaustion, feelings of cynicism and detachment from the job, and a sense of ineffectiveness and lack of accomplishment.” Not good. So, Jadee, when we think about it as an organizational problem, how can we stop burnout from feeling like an inevitability in cybersecurity?
[Jadee Hanson] Yeah, first of all, kudos to Chad for the article, and really all the folks at CyberSN, including their amazing founder, Deidre Diamond, who she’s contributed a ton for the security community and continues to do. So, kudos to them for publishing this article. Many parts of the article resonate with me, but most of all, that real point of burnout is not fatigue. I 100% agree, it’s a lot more. Attributing burnout to just fatigue just really oversimplifies the problem. And I think, David, to your point, like it leads to these ineffective solutions like, “Hey, here’s a couple more weeks of time off,” instead of treating this like more pervasive issue. And really to identify like the other issues, you need to go deeper. So, what are those other issues? Is it lack of autonomy? Is it strong community, inadequate rewards, or just misaligned values? And so, if you give folks just a couple weeks off to address their burnout, they come back to the same environment where you have all of those same issues, and you haven’t really fixed anything.
[David Spark] Yeah, and you come back to the impending doom, if you will. So, maybe they don’t enjoy their two weeks because they’re fearing coming back.
[Jadee Hanson] Absolutely. So, if we don’t change the environment as well, we don’t really fix anything.
[David Spark] All right, Andy, I throw this to you.
[Andy Ellis] So, I take a slightly contrarian thing here. I do agree that it is an organizational issue, but it is also an individual issue. At the core, burnout is a mismatch between your expectation of the world and what the world is doing to you, right? And that sustained for a period of time is a problem. And we often approach this and say, well, it’s the organization’s fault for doing things to you you don’t expect. Well, sometimes you have to expect that, right? This is one of my favorite chapters of my book. It’s been a while since I’ve done a book quote for you, David, and the readers.
[David Spark] Let’s hear it.
[Andy Ellis] Serenity is knowing that the crap you’re wading through is crap you chose to deal with, right? Burnout is the exact opposite of this. Like you’ve chosen to be in cybersecurity, which means that you’re going to deal with the fact that nothing is perfectly secure. If you expect to get to perfect security, you are going to suffer burnout because you’re continuously going to be disappointed.
[David Spark] Yeah, like there’s always something more you can do, always.
[Andy Ellis] There’s always more, and the more is not just the stuff that doesn’t matter. There’s always more that matters. And here’s the exercise I would give to individuals, which is imagine that you had one FTE to place in the company, anywhere.
[David Spark] Full-time employee.
[Andy Ellis] Full-time employee. You could put one full-time employee somewhere in the company. Where is it going to do the most good for the company? Do you actually think the answer is in the security team? It’s probably not best used there. It’s best used somewhere else. Except that you could use that employee for amazing things in the cybersecurity team, but in the go-to-market team, you’d bring in more revenue, which means you might get more employees in the future. In the customer success team, you lose less revenue. So, you get to have more employees in the future. Like I could go through every organization. Great justification. If your expectation is, “Well, of course that should always go to cybersecurity,” you’re going to suffer burnout.
[Jadee Hanson] Mm-hmm. Yeah, I think that when you think about like all of those people listening to this that feel burnt out, making sure that they’re clear with their employer, their leaders about what really is going on because it’s more than just like fatigue for the number of things that you have to do. And so, raising your hand and speaking clearly about needing better roles and responsibilities or stronger development plan or consistent employee feedback, thinking about it broader than just like the amount of work that’s on a person’s plate because it typically is much more than just that.
[David Spark] And this is where I’m a huge, huge proponent of playing the five whys. This is a Japanese philosophy that comes from the creator of Toyota, where you get into the core reason something is happening or why they’re upset. Have you ever played this, where you ask them why they’re upset? “Well, I’m doing too much.” And you’re like, “Why is it?” Like you dig down and find out, oh, there’s a problem at home kind of a thing or something like that. Have you done this before, Jadee or Andy?
[Andy Ellis] So, I have, and I often find that it comes down to a very badly misset expectation when you’re digging in on this one. And I’ll use as an example, if everybody remembers Mudge’s complaint against Twitter, did the whistleblower complaint. And there were a lot of people who were like, “Oh, my God. Twitter at the board meeting, the CISO said one thing, but Mudge had pointed out there was something else and that never got mentioned.” And I’m like, “If you believe that every single risk should always be told to the board, you are going to be sadly disappointed.”
The CISO talking to the board is there to basically talk about the marginal risk. Like what is the one thing that is going to bite us hardest that we could do something about? And I’m not going to tell you about 17 other things that could bite us hard that we can’t do anything about, except maybe in a summary that says, “Hey, by the way, we’ve got a bunch of these hazards we can’t do anything about.” And I’m not going to tell you about the next 20 things because I get to tell you about one thing that we’re about to go engage on and that’s it. Like that’s part of the deal of talking to a board, but I’ve known lots of people who aren’t in the room who’ve come to me afterwards and they look at my slides and they’re like, “Why didn’t you mention X, Y, and Z? Like, this is crazy. You don’t care about security.” I’m like, “You don’t understand how to run a business.”
[Jadee Hanson] Extend the board meeting by 14 days and then maybe we’ll cover everything.
[Andy Ellis] Right.
Sponsor – Vanta
17:01.670
[David Spark] Who’s our sponsor this week? Well, our sponsor is the wonderful Vanta, and if you’re not aware of them, stay tuned. Just listen just for a second. Let me ask you a question. Do you know the status of your compliance controls right now? And when I say right now, I mean like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we usually just rely on point-in-time checks. Look at this. More than 9,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here’s the gist. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now, that is a new way to GRC. You can learn a lot more about this if you go to Vanta’s website, but specifically, I’m going to tell you a specific website, so they know we sent you there. Vanta.com/CISO. Go to that one. Go there, check them out. You will be happily surprised.
It’s time to play “What’s Worse?”
18:25.931
[David Spark] All right, it is time to play “What’s Worse?”, Andy. Are you ready?
[Andy Ellis] I am. I’m so excited.
[David Spark] Okay. This just came in from Jay Dance of StubHub. He’s given us a flurry of phenomenal “What’s Worse?” scenarios.
[Andy Ellis] So, this is like the last-minute ticket for us.
[David Spark] This one came in literally last minute. He more wrote this as, have you done this one before? And I don’t know if he was officially submitting it, but I’m taking it as an official submission. So, here we go.
[Andy Ellis] Sounds good.
[David Spark] What’s worse, lack of an asset list. You just don’t really have one. I mean, you have some general idea, but you have no asset list.
[Andy Ellis] Pretty much everybody’s got that problem, okay.
[David Spark] Or complete lack of an incident response plan.
[Andy Ellis] Ooh. I’ll be honest, I kind of like the ones where I’m like, how would you even compare these two? This is like comparing apples to orange juice. These are not the same beast in any fashion.
[David Spark] It is not the same beast. It’s not the flip side of the same thing. It’s two very different problems.
[Andy Ellis] I’m going to cheat and Nir can yell at me later for this one. I’m going to say that lack of an incident response plan, I’m going to define as being like you don’t have an incident response program at all. Like you don’t even know who to call. You’ve got zero.
[David Spark] Right, right. There’s nothing. It’s like when what hits the fan, you’re like, “Oh, okay, what do we do?” Like you just start scrambling.
[Andy Ellis] Yeah. And the asset list is not like, oh, we have like all of our assets are out there, and nobody knows where they are. It’s like we just don’t have a centralized list. Like we can’t say what are all of our assets.
[David Spark] Yeah, you definitely don’t have a full inventory.
[Andy Ellis] I don’t have a full comprehensive inventory. It’s like not even 90%.
[David Spark] Which is, by the way, you’re right. That’s where most companies are in that situation.
[Andy Ellis] Right, most companies are. I will take not having an incident response plan as being the far worse one of these because you absolutely must have it. Like if you walk into a security team or into any company and they do not have an incident response plan, security or otherwise, honestly, very first thing you’re going to do is define who is the incident response leader, whether you’re client incident commander or incident manager or whatever. What’s the call list for them? How do you find them? And boom, you have an incident response program already, even if that’s all it’s got. And then you’ll describe like what are my tiers or severities of incidents? And you’ll flesh this out because you’re going to be running a lot of incidents because you don’t have an asset list. Although I guess in this case, you would at least have the asset list. So, you know what’s been compromised.
[David Spark] But here’s the other thing is, the lack of the asset list, you’re just counting the seconds before you’re going to get popped, right?
[Andy Ellis] So, yes and no. I don’t think an asset list directly gives you that level of protection.
[David Spark] No, but if you have a lack of an asset list, you are definitely not covering your bases.
[Andy Ellis] Oh, yeah, you absolutely don’t have good security if you don’t even know what you’re supposed to be securing.
[David Spark] Right, exactly.
[Andy Ellis] You’re going to rely on the ad hoc. Neither one of these is good, but the reality is you probably don’t have the asset list you think you do today, but you’d better have an incident response program.
[David Spark] But when I say also lack of it, I mean like there is no list at all of the assets. It does not exist at all. Some people have a poor asset list, but you have a no asset list.
[Andy Ellis] Oh, yeah, no, I can totally see security teams without one. Like I once went to an IT team and said, “Hey, I would just like to know what laptops do we have out there? Can you give me the list of laptops?” And it took like six weeks.
[David Spark] [Laughter]
[Andy Ellis] And I was like, really? You don’t like just have an inventory button to print out and be like…
[David Spark] Doesn’t everyone have a sticker with a code number on it?
[Andy Ellis] Yeah, I didn’t want the data for anything other than prove to me this exists. Nope, couldn’t even prove it. That was a weird situation.
[David Spark] All right, Jadee, I saw you nod your head at the beginning. I fear that you’re going to be agreeing with Andy again here.
[Jadee Hanson] I am. I really want to disagree, but I think incident response programs are one of the most important things to have in place. It’s one of the first things that I dug into when I took this job at Vanta. And I think that for all the reasons that Andy called out, but above anything, without it, it’s just completely brand damaging. Something happens and that’s kind of like a given in security that bad things will happen. And so, knowing exactly how you’re going to respond to them, who’s going to respond to them, how you’re going to resolve them is like priority number one.
[Andy Ellis] And advice for anybody who realizes they need one and goes and does one, at some point you’ll realize your comms team also has an incident response plan. These need to be merged together. You do not throw over the wall, “Oh, we had an incident. Let’s tell the comms team and they will handle comms.” Whoever is your incident executive, the executive overseeing the incidents, is going to be the public face presumptively. You may change that in the incident, but if they’re not part of the comms team during the incident, you’ve done something wrong.
Please, enough! No, more!
23:31.999
[David Spark] Today’s topic is employee cybersecurity training. It’s everyone’s favorite. We’ve all been through the endless security awareness programs, the required training modules, and of course, the infamous phishing simulations. But are we actually making employees more security conscious or just turning cybersecurity into an annoying box-checking exercise? So, Andy, I think you have at least one, I checked, maybe two opinions on this subject. What have you heard enough when it comes to cybersecurity training and what would you like to hear a lot more about?
[Andy Ellis] When it comes to cybersecurity training, I’m like the Pokémon of opinions. I’ve got them all, mostly negative. So, let’s pick on phishing training because I don’t think we’ve picked on that one for quite a while. Obviously, I could sit here and talk about the formulaic computer-based training that forces you to have window focus. That’s awful. Phishing training, universally horrible. First of all, if I want somebody to click on a phish, you can do that. You will always get somebody in your company to click on a phish and everybody who says, “Oh, our phishing click rate is down under 2%,” my answer is usually, “Yeah. And how hard are those phishes to really detect?” Like your vendors could crank them up.
[David Spark] Right, and I will say the CEO of a phishing company said, “I could create a phish that I would click on.” Yes. And they do have degrees of severity on them.
[Andy Ellis] Right, and so what happens is people don’t want to turn up the degree of severity because they report to their board the phishing click rate, and if you make it a better training, then you’d get more people to click and now you look bad, like perverse incentives.
[David Spark] Well, in defense, I’m going to – by the way, I know you’re against it, and I also know the other co-host, Mike Johnson, he’s against them too, he doesn’t do it – but in defense, I do believe most of these phishing training platforms have a degree of difficulty for their dive so we know how tough it is.
[Andy Ellis] Yes, no, no, absolutely. They do. And I would love them to publish what percentage of companies use each difficulty. That would be a fascinating report. But anyway, here’s what I’m tired of hearing about, which is that this provides any value to your company. Zero value. In fact, negative value because you create an adversarial situation where your employees do not like your security team. Here’s the real problem. I have to click links to do my job, end of story. That’s my job, involves clicking links, whether it’s from payroll to get paid, from HR to do training, from InfoSec to do training, or from a partner who’s sending me a PDF I’ve got to go look at, I am going to click links and open documents on my corporate laptop. If you can’t make that safe, that’s your fault, not mine, the employee, because I couldn’t figure out which one happened to be safe when the browser or the email client you gave me hides from me any information that might make it safe.
[David Spark] So, are you saying that metaphorically you should put all employees into a padded room so they can’t hurt themselves?
[Andy Ellis] You should make sure that when they do their job, that that job is safe. So, if you have an agent on that endpoint, if you have controls on email coming in, whatever those controls are to make it safe for me to click on a link, how do you know those controls work? How do you know those controls do their job? That’s what I want to hear about. It is not my job, the employee, to be the first or last line of defense for security. If I happen to notice a thing, great, that’s helpful, but stop pretending that the average random employee is actually part of the security team. They’re not, they’re part of the business team. Make them secure, and it’s your job to figure out if they are secure.
[David Spark] Wow. So, by the way, you are flying straight in the face of security is everybody’s concern.
[Andy Ellis] It’s not.
[David Spark] Wow, wow, wow, Andy, that is a bold one. All right, Jadee is laughing. Jadee, do you agree with Andy on that? This is a big one to bite off here, Jadee.
[Jadee Hanson] I get to disagree with Andy, and I’m so excited.
[David Spark] Awesome. [Laughter]
[Andy Ellis] Yay.
[Jadee Hanson] Okay, first of all, let me call out that I 100% agree that phishing training needs to go away, but, this is a big but, it actually used to be effective. So, I’ve been in security for a very, very, very long time. And when we used to get phishing emails that had everything misspelt and were completely off the wall, it actually was effective at that point to educate you on what to look for and how to address it. Today, we know that all of the bad actors are using AI to create this perfect phishing email to attack a specific person and a specific company. And so, phishing simulations are no longer effective, and they have to go away. I do agree with Andy that relying on technology on the endpoint is what we need to do. And so, like, let’s think after the click, and so after the click malware’s downloaded, what do we have running to catch it, to identify it, to resolve that particular issue?
So, things that we do at Vanta, we very much think that we need strong agent health across our entire fleet of endpoints. And so, we’ve actually used the Vanta solution to create this like continuous monitoring to ensure we have healthy agents everywhere. So, we’ve like created a custom test. It’s a really important test for us to say, “Hey, we have our Jamf agent running.” We have our EDR agent running on the endpoint to make sure that if this does happen, because users will click the link, that we will know about it. And malware, if it’s detected, we will know about it, and we’ll be able to resolve it. And then we also do the right training related to reaching out to the security team. We’ve created a strong culture of being approachable so that the person, once they do click the link, feel safe and feel like they have the ability to reach out and describe what happened. And so, all of that, I agree with. Here’s the point that I don’t agree with…
[David Spark] Okay.
[Jadee Hanson] …is I do think that there’s elements of security that are everyone’s responsibility. I don’t think the security team can be everywhere. I don’t think that the security team can be responsible for every single individual action. And so, just like you have an ethical responsibility as part of an employee of your organization, I think you have a security responsibility as part of an employee of your organization.
[Andy Ellis] So, I’ll concede with Jadee, there’s “a” responsibility.
[David Spark] Hold on, I’ll concede.
[Jadee Hanson] Yes.
[David Spark] We’re going to pull that sound bite out. [Laughter]
[Andy Ellis] Go for it. I’ll concede a piece of this, but it’s a piece. But when people say security is everyone’s job, that’s not usually what they’re referring to. So, Jadee just pulled a motte-and-bailey trick on me, which was, “Oh, well, of course, everybody has this little piece of security responsibility. We’re not disagreeing over that.” My contention is that if we are expecting the security of our corporation to survive, because every single employee is capable of doing the right thing, which I’m going to put giant quotes around because I don’t think that’s actually what it is, then we have failed as a business. That’s not their job.
[Jadee Hanson] Okay, so we sort of agree.
[Andy Ellis] We sort of agree. I mean, I don’t know how long we’ve been having this conversation, Jadee. So, of course we’re going to agree on a lot of stuff.
[Jadee Hanson] I know.
[David Spark] Hold it. I have a question though about, like you were saying, you’re sort of protecting the people from clicking the link. So, say I get some kind of email that’s a phish of some sort, like one I’ve been seeing a lot of is this PayPal thing. “Oh, you owe this amount of money here.” And I’m like, “What the… Huh?” And I click on it. What happens on your end when I click? Walk me through the steps. If I click this PayPal email, what goes on?
[Jadee Hanson] So, depending on your setup, malware’s downloaded. And then the EDR’s flagged it because most likely it’s a commodity malware. And then we address it. It’s contained. We can follow up. Sometimes the user is going to notice something that they expected to happen didn’t happen and they’re going to reach out, and we kind of get like dual notified, one of our security technology and then two of the user itself, so that we can kind of take a look, understand what’s going on, make sure that there’s nothing nefarious happening on the endpoint.
[David Spark] So, my guess is the malware is probably the bigger payload payoff for them. Because let’s say like I’ll get something that says I owe $599 on PayPal. They could conceivably send me to some page where I’m paying $599. Now that would stink, but it wouldn’t cripple the business.
[Andy Ellis] Actually, what they’re trying to do is get you to log in somewhere so they can capture your credentials. I get this… This is amazing. Like we just sold the company, and I was on the board of it. So, I had to do like a bazillion Docusigns in the weeks leading up to it. And I will tell you almost every single time I had a legitimate one, I had five or six fake Docusign notices and one of them got me. Like I clicked it, it took me to a Google login. And I’m like, “I don’t do Google login before Docusign.” I’m like, “Oh, I clicked on a bad link.” That’s what they wanted. They wanted my Google login.
[David Spark] Somebody got Andy.
[Andy Ellis] Somebody got me to click the link.
[David Spark] Mm-hmm.
[Andy Ellis] If you can get me to click the link, trust me, you’re going to get other people to click the link. You might not get everybody. We certainly probably have a listener who’s more paranoid than me.
[David Spark] [Laughter]
[Andy Ellis] But you’re going to get the vast majority of your employees because at some point, they’re just trying to get their job done. I was expecting a Docusign at that moment and the phish hit before the lawyer’s Docusign hit.
[David Spark] By the way, write in if you’re more paranoid than Andy.
That might not have been the best decision.
33:32.035
[David Spark] So, what’s a red flag when it comes to compliance? If a vendor won’t show a full SOC 2 report and instead points to a public-facing Vanta portal, is that acceptable to you? So, this came up recently and specifically called out Vanta on a cybersecurity subreddit, and some commenters said this all depends on the organization’s risk tolerance. Others suggested asking the vendor to at least screen share the SOC 2 report on a call for applicable domains or sign an NDA to get access. Obviously, vendors shouldn’t be hiding things, but is there any reason to be cagey with a SOC 2 report for the vendor? And I’m asking you, Jadee, how does Vanta manage that? Because I know you have trust centers and honestly, I mean, correct me if I’m wrong, people can manage their trust center any way they want, right? It’s not Vanta deciding whether you should or should not share your SOC 2 report. It’s up to that individual company, right? So, how do you manage something like this?
[Jadee Hanson] Yeah, we at Vanta, obviously, we support trust centers. We have the largest amount of trust centers among all the vendors that support this, and users can configure it however way they want. And so, they can allow transparency to certain documents or not. I do love that we’re talking about this because I feel like in general, we have a lack of transparency between buyers and sellers, and this is kind of a big issue within the cybersecurity industry. Calling out this one specifically, the purpose of SOC 2 is to provide assurance to customers. So, it’s technically meant to be shared. That said, I don’t know the situation here. And so, there may be something larger going on with this particular company where the scope wasn’t right or maybe it doesn’t clearly cover what the prospect is buying. We’ve certainly seen that come up. So, I don’t want to just assume that something terrible is going on, but I do think the buyer should ask more questions and get more details as to why the report can’t be shared.
[David Spark] But isn’t that kind of the whole problem with the trust center is that you can kind of layer in sort of the reveal, if you will, like here’s the front-facing one that everyone can see, and if you want to dig down deeper, you start asking for access, yes?
[Jadee Hanson] Yeah, so for us at Vanta, we use trust center and again, completely configurable, but we share our SOC 2 report on our trust center portal. So, as long as the individual has signed an NDA and is approved to download the trust center, it’s available for them and they can dig into it.
[David Spark] So, there is a “barrier” to entry. I’m using that term…
[Jadee Hanson] There is.
[David Spark] …but there is something you have to do to get that information, if you will.
[Jadee Hanson] And customers can provide it without an NDA. It’s really up to the customer. So, we have public documents and then we have documents that we require an approval for access as well as an NDA. But even having it up there, one, I think it promotes this aspect of transparency that I think is so critical between buyers and sellers and it saves us so much time. So, as long as the individual has signed the NDA, is approved to download it, they self-serve and it saves my team just a ton of time.
[David Spark] I was just saying it’s like a choose your own adventure for GRC.
[Jadee Hanson] Yeah, it absolutely is. And I think it’s important to remember that, with all the documents that we share externally, no one security program is perfect. And to me, I think it’s better to provide a bit of transparency of what you have going on, what you’re working on fixing, versus have your prospect find those things out after the fact. I think in general, our industry needs a bit more of this transparency between buyers and sellers.
[David Spark] Of course. All right, Andy, I’m throwing this to you. You see a rather cagey trust center and there’s no SOC 2 report. It’s annoying you. What’s your take?
[Andy Ellis] So, I’ve been on the cagey side, I’ll be very honest. When I was at Akamai, we had…
[David Spark] Oh, you’ve hidden SOC 2 reports?
[Andy Ellis] Well, actually it wasn’t even SOC 2. We had people demanding our ISO 27001 or 27002. They wanted the details. I have had so many customers who’ve shown up where it’s a security team who’s really just going to spend way too much time digging in and then arguing about, “Oh, we don’t like that you do 120-day password rotation instead of a 90-day password rotation.” I literally had that. And I’m like, “The only thing we use passwords for is for people to connect into email,” because Exchange OWA required you to have a password. Passwords were in use nowhere else in our environment. And so, that had 120-day rotation. You basically every 120 days rotated it, typed it into your mail client and forgot it. You put it into your password manager and 120 days later pulled it out to rotate it again. And I had people arguing with me that I should make that more frequent.
[David Spark] Mm-hmm.
[Andy Ellis] So, I can understand the people who do not want to get into this fight with the very prickly security teams, primarily banks, governments, and healthcare. There are people who, if you show them under the covers, they’re going to nitpick and waste your time and energy. So, that said, that was a different time and era. First of all, SOC 2 lets you be a little bit less specific about the details of your controls, nicely enough. And if you’ve got a SOC 2 Tier 2, you should be pretty golden on that. Share it with people, let them see what’s going on. I recommend in addition to an NDA doing something like we will charge you professional services hours to explain this. Like, “Here is our SOC 2 Tier 2. If you need somebody to explain what’s in here, we reserve the right to charge you professional services hours.” You probably will never actually do so, but it’s a nice way to sort of intimidate the other side security team into not wasting your time and energy.
[David Spark] Oh, there you go. Good old intimidation. Way to start off the relationship.
[Andy Ellis] They’re trying to intimidate you. So, play the game right back.
[David Spark] Well, there you go.
[Andy Ellis] Or let them be nitpicky but never get on a call with the security team without the buyer in the room. That was one of my biggest lessons. When the buyer security team wants to come yell at you about what you’re doing, make sure that whoever’s buying, whoever holds the contract, is also in the room so they can see how obnoxious their own team is being.
[David Spark] [Laughter]
[Jadee Hanson] Yeah.
[Andy Ellis] It’s really, really helpful when you finally say no because they’ve asked for like 18 unreasonable things and you gave them 17, and then they go to the business and say, “You should stop using this vendor.” The business will tell them exactly what they can do with their spare time.
[Jadee Hanson] Yeah, I agree with Andy on making sure that the business is in the room as well, but I actually like talking to the security teams of our customers, and we’ve gotten into really interesting conversations about like they’re requesting us to do a certain thing. And we actually have been in the seat where we’re educating them on why that thing is kind of ridiculous. And so, I actually really prefer working with our customers on that. You must’ve had not so great customers, but the customers that we’re working with are very reasonable. And I think, again, I’ll go back to that. Being really transparent about we do have these things in place, and we don’t have these things in place, and this is the why, has been educational for I think both teams.
[Andy Ellis] Yeah, and I think the customers do the whole range. Like I have a bunch of customers who had my cell phone number. Their security team could just call me and say, “Hey, what’s going on here?” And often they would come and say, “Your business is doing something that pisses me off. Can you explain or figure out what’s going on here?” It’s the 1% on the other side that I want to make sure that… and usually they’ll sort of self-declare who they are. And it’s pretty easy to then say, okay, let’s give them the white glove treatment of we want to make sure they’re well taken care of. So, “Hey, account team, can you make sure the business team’s in the room so that anything we promise gets written down?” When the reality is I’m not promising anything. I just need them to be observing what’s going on.
Closing
41:47.851
[David Spark] And that brings us to the very end of this show. I want to thank both of you. And by the way, Andy, Jay Dance, who sent in our what’s worse scenario, this is what he says, “Both are bad, but…” And I don’t think he is agreeing. He’s not really flat-out saying one’s worse than the other, but I’m getting the sense he’s disagreeing with you. He says, “I feel you need an asset list to put together a good incident response plan.” So, he claims it’s kind of a chicken-and-egg thing that he feels that the chicken comes first here.
[Andy Ellis] Hey, Jay, give me a call. I am happy to, on this one, disagree with you and explain. I think you’re correct in that you need to have an asset list so you sometimes know when you have an incident, but sometimes incidents will just show up, and whether you have the asset list or not doesn’t matter. Having an incident response plan does.
[David Spark] Yeah, I think also once you have the incident, it’s like, well, the incident’s here, now let’s deal with it.
[Andy Ellis] Yeah.
[Jadee Hanson] You might be building your asset list as the incident is carrying on.
[Laughter]
[Andy Ellis] Been there, done that.
[David Spark] All right. Well, that brings us to the tail end of the show. A huge thanks to your company, Jadee, Vanta. Remember, go to vanta.com/CISO, specifically go to that address and check out what they’re doing there. We appreciate it. And Jadee, I’m assuming you guys are always hiring at Vanta. Yes, you’re hiring?
[Jadee Hanson] We are hiring a ton of people. I think I have five roles open on my team, and so if you’re looking for a role in a really awesome, great culture, moving quickly, scaling quickly type of environment, we are hiring. You can find the Careers page and you can find the roles listed right underneath there and filter on Security and you’ll find the ones that are part of my team.
[David Spark] And anything else you’d like to mention that’s something new and cool that Vanta’s doing or make an offer to our audience either? Any of those.
[Jadee Hanson] Ooh, we’re always doing new and cool things. I think one of the things I guess maybe I’ll call out, a lot of people think of Vanta as like a continuous monitoring solution, so continuous control solution that helps you monitor SOC 2 controls. And I would just encourage people to check out the product because it literally has modules that cover off on every aspect of what the GRC team has to deal with. And so, a risk management, vendor management, asset management, policy management. We even have a solid training and awareness program as part of the product that has very cute llamas in the videos. And so, everything that you need to make sure that you have covered as part of a GRC program is part of the Vanta solution. So, definitely check that out.
[David Spark] Well, thank you again, Jadee. Thank you very much, Andy. And I want to thank our audience as always. Thank you for your contributions. Thank you for your “What’s Worse?” scenarios. Please disagree with Andy, that’s your responsibility, and continue listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.