Why Architect for Human Error When We Can Make People Feel Really Bad About It?


We keep hearing that humans are the weak link in a security program. If that’s the case, why do we keep putting so much strain there? No one will claim that humans are perfect, yet we keep designing security systems as if they were.

This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining us is Richard Rushing, CISO, Motorola Mobility.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® Defense Against Configurations continuously scans endpoints to uncover misconfigurations, weak firewall rules, and risky settings that weaken defenses. With compliance mapping, daily updates, and actionable remediation in one dashboard, it streamlines hardening, reduces attack surfaces, and strengthens security. Learn more at threatlocker.com

AI-infused security operations tip of the week – Anvilogic 


To learn more about saving costs and optimizing analysts’ capacity with a hybrid SIEM and data lake, go to anvilogic.com.

Full Transcript

Intro

0:00.000

[Voiceover] Biggest mistake I ever made in security. Go!

[Richard Rushing] Thinking that malware and ransomware work the same way today as they are going to work tomorrow, and the controls that work today are going to be effective as tomorrow’s controls as well. So, the mistake I made was assuming that this system was totally compromised, shut it down, get rid of it, and that was the only infection.

In fact, we had file systems that were in the process of being ransomwared up due to their connectivity to their original machine.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series and joining me as my co-host, you love him, it’s Andy Ellis. He’s a principal over at Duha. Andy, say hello to the audience.

[Andy Ellis] Good afternoon, folks, or depending on when you are in the world, good morning, good evening, or good night.

[David Spark] You’re covering all your bases.

[Andy Ellis] Got to cover all the bases. And when somebody leaves the world and heads to Mars, I got to think a little differently about how I do that.

[David Spark] There you go.

[Andy Ellis] Good Sol or something.

[David Spark] We are available at CISOseries.com. There’s lots of other wonderful programs you can check out there as well. Our sponsor for today’s episode, a phenomenal sponsor of the CISO Series, ThreatLocker, and they have got a brand-new tool that’s pretty darn cool.

I haven’t really seen many others do this. It’s called Defense Against Configurations. You’re going to want to hear more about that a little bit later in the show. Now, Andy, we are recording this during the Jewish New Year.

[Andy Ellis] Yep.

[David Spark] And this is also the time that we go to our friends that we feel that we have wronged, try to ask for forgiveness. Now, there is something a friend of mine used to do. I’m not asking you for forgiveness, if you thought that’s where this was going.

[Andy Ellis] Oh, no. Oh, come on, David. You cannot lead with that and then not.

[David Spark] No, I’m going to tell you something funnier than that.

[Andy Ellis] Okay.

[David Spark] I had a friend every year, he would send a mass email out, said, “If I have wronged [Laughter] you, give me a call. Let’s work it out.” Or he would try to absolve himself via mass email. He would say, “Please, my apologies for anything I may have done and wronged you over the past year.” And I thought that was so wonderful.

He sort of…

[Andy Ellis] It’s funny.

[David Spark] …did a mass email to deal with his, you know, issues.

[Andy Ellis] Does it match the kavanah [Phonetic 00:02:35] of the moment? Probably not.

[Laughter]

[David Spark] No, but anyways, I’ve confronted him on that personally, I kind of, “I’m humored and annoyed by that email you send out every year.”

[Andy Ellis] Yeah, I’d say it’s a funny once.

[David Spark] Well, he says, actually, some people do respond. He goes, “Yeah, well, there was a time that you did such and such,” and it sort of opens up a conversation that they are able to resolve. So, it does have some value here.

[Andy Ellis] Yeah, I can see that.

[David Spark] Now, do people come to you to talk about the things, that they have done something wrong to you, or have you done the same, reached out?

[Andy Ellis] So, probably, I get about like one every five years.

[David Spark] One every five years. Okay.

[Andy Ellis] One every five years, somebody will give me an apology.

[David Spark] How many do you give out every…

[Andy Ellis] Very rare. I mean, I would have to make mistakes.

[David Spark] You would have to be… Yes. It’s hard when you’re perfect, right?

[Andy Ellis] But David, I would like to apologize because I think sometimes, I make a little bit too much fun of your pinball enjoyment.

[David Spark] No, but that’s fine by me. That’s nothing to apologize for.

[Andy Ellis] And to our listeners who sometimes aren’t part of how close David and I are, and so sometimes see us sniping at each other, don’t recognize that it’s in good fun.

[David Spark] In fact, I will say one of our…

[Andy Ellis] And that’s not on you, that’s on us.

[David Spark] One of our direct competitors, Smashing Security, actually has a name for this type of bantering going back and forth. They refer to it, and I love it, and I’m totally copying them here. They call it bickertainment.

[Andy Ellis] Bickertainment. [Laughter] I love it.

[David Spark] It’s a great name. It’s a great name, bickertainment.

[Andy Ellis] Yes.

[David Spark] So, it’s our form of bickertainment, if you will.

[Andy Ellis] There we go.

[David Spark] But yes, there’s no [Laughter] ill will whatsoever at all.

[Andy Ellis] Yeah. And to everybody who I’ve butchered their mother tongue when I’m doing the greeting at the beginning, my apologies, my effort is sincere, even if it is not always good.

[David Spark] All right. No more apologizing for today’s show. We’re done.

[Andy Ellis] Come on, we still got like eight more days in the Days of Awe here.

[David Spark] Let’s go on and bring on our guest, who I just saw in Santa Monica at a conference where we were doing a live show. So thrilled that he’s back. He is the CISO for Motorola. By the way, long-time CISO at Motorola. He might be vying for your tenure when you were over at Akamai too.

It is none other than Richard Rushing. Richard, thank you so much for joining us.

[Richard Rushing] Thank you, David, for having me. It’s great to be back and it’s good to see everyone again.

What’s a CISO to do?

4:54.207

[David Spark] “We’ve found the difference for great CISOs is not about budget or technology. It’s about mindset, strategy, and ownership,” said Phil Venables, who’s the host of Google Cloud podcast. He put together a framework of good CISO/bad CISO based on this idea.

Okay, sometimes when people leave bait this juicy, we’ve got to bite. I mean, this was a perfect title for the show. There’s a lot of examples here. I’m just going to give out a few here for you, Andy. Good CISOs are business executives who manage technology risk.

Bad CISOs are IT managers who manage security tools. Good CISOs manage their behavior, software, and partner supply chains. Bad CISOs just buy more security products. Good CISOs have deep technical foundations but use them for empathy. Bad CISOs either lack technical depth or wield it like a club.

Good CISOs play long-term games with long-term people. Bad CISOs are transactional. A, agree with them. What would you add to this list, Andy?

[Andy Ellis] So, I’m going to throw Phil under a bus. I so rarely get the opportunity to do this.

[David Spark] So, this is… Oh, so what better time when you’re looking for…

[Laughter]

[David Spark] You’re trying to repent?

[Andy Ellis] So, Phil, I think I might need to apologize for what I’m about to say. So, I’ll probably send you a text message in a few minutes and you’ll be like, “What are you talking about, Andy?” and I’ll be like, “Wait till November to hear this one.” So, first preface, if you are a marketing professional, especially in the content world, I want you to go to the link and read Phil Venables’ post, the whole thing, because here’s the good CISO/bad CISO.

Good marketing CISO, bad marketing CISO. Good marketing CISOs write consumable content that they have the same level of excitement for the whole thing. Bad CISOs are trying to check a box of, “Oh, I have to have 10 pairs of good CISO/bad CISO,” but I clearly got bored around [Laughter] pair number six, and so my statements got shorter and shorter as I got to the end.

And this is a common content marketing problem. People have a really great idea, and they want to repeat this cadence, good CISO/bad CISO, and execution is really hard. The first four are like, “Oh, I’ve got it,” and then you’re like, “Oh, fine. I’ll just fill these out,” and it really sort of felt that way as I was reading Phil’s list.

[David Spark] Hold it now, but have you done one of these listicles and you’re like, “Oh, God, I really need 20, and I’m only up to 12”?

[Andy Ellis] Yes.

[David Spark] And I’m like, “Hey, can anyone help me out? I need like eight more.”

[Andy Ellis] Right, and the correct answer is no, stop at 12. If you’re only excited about 12, stop at 12 because your excitement carries through, in the same way that you’re building out your security program, you’re writing your policy. You’re like, “I need six key principles and I’m excited about my first four.” You have four principles.

[David Spark] So, the attack here isn’t on the advice of good CISO/bad CISO. The attack is on the content marketing effort that Phil did.

[Andy Ellis] Is on the execution on Phil.

[David Spark] All right.

[Andy Ellis] Like all of them are pretty decent. Like none of them are bad, but the content marketing of it made it really feel like he got bored after the first six or so.

[David Spark] I don’t know if this was the time to say that during the Days of Atonement.

[Andy Ellis] So, now I will text Phil an apology.

[Laughter]

[David Spark] All right, Richard, I am throwing this to you. What was your take on this? Because it was a lot of good stuff in it. Maybe petered out per Andy’s opinion. What’s your thoughts?

[Richard Rushing] No, I think it’s good, and I think it’s the same area. It could be affected by company culture, as parts of that is what’s good of that. Could be whether you were appointed the job through the company or organization, or you got hired in on some of that.

Sometimes there’s that. I always get in discussions about the difference between having leadership and being a manager. Vastly different on different directions. And there’s also the same thing. Yeah, you could add stuff to this of looking towards outcomes versus checking checkboxes and things around that.

And I think it’s one of the things that we go back to in a lot of these. I didn’t see AI as part of this. So, that’s a good thing from the content marketing side that we left that out. But it’s one of the things of show your work. It’s no longer black boxes.

And the security organizations for a long time were, “Hey, a black box, stuff comes out, stuff goes in. We don’t know really what happens, but there’s there.” Now, you have a way, as you elevated the position up in the org, more responsibility came with that.

And I think that’s why these sometimes hit at certain levels, but miss at other levels, depending on the organization size and reporting structure for the CISO as well.

[David Spark] And just closing this out so you can actually say something legitimate about Phil’s article here, Andy, off of what Richard just said is, a lot of this stuff really varies depending on the context of your environment, the size of your environment, things like that.

Yes?

[Andy Ellis] I mean, absolutely. But like Phil’s things are mostly just principles. Like he’s like, “Good CISOs ensure bad news travels fast, bad CISOs are the last to know.” I actually completely agree with that. Like that is fantastic. But he’s got like seven lines about travel fast and two sentences on being the last to know.

So, it’s like that was sort of the inflection point where it’s like, oh, very clearly got bored on the execution here.

[David Spark] Maybe he wasn’t bored. Maybe he was like, “There’s not much more to say.” That’s all you need to say.

[Andy Ellis] Then you go back and make them all equally crisp. I did want to say that as I was reading this, this felt like Goofus and Gallant as CISOs. And somebody should go license from Highlights.

[David Spark] That I like, Goofus and… By the way, that’s an old deep cut reference of Highlights. Yeah.

[Andy Ellis] Yeah. That’s what this felt like. Just to be clear, I don’t have any issues with what’s on the list. These are actually pretty good, but I had to make fun of execution partly because you asked me to add to a list of 20 things. Clearly, Phil ran out of things to add.

[David Spark] Phil, we’re going to get some nasty letters from Phil.

[Andy Ellis] I already emailed him an apology.

[David Spark] [Laughter]

[Andy Ellis] So, it’s like [Inaudible 00:10:59], I’m already in advance on my apology.

[David Spark] Sorry for robbing your store. Here’s an apology note. [Laughter]

[Andy Ellis] Yeah.

How would you handle this situation?

11:08.046

[David Spark] How do you define security hygiene versus finding actual vulnerabilities? Now this came up on the cybersecurity subreddit with a post that was frustrated by pentests flagging flaws as “mediums” when they didn’t impact risk. On the subreddit, they laid out this rubric, “A vulnerability means there’s a threat which goes to an exploit path, which goes to a business impact.

If you can’t show that line, it’s hygiene, not a vulnerability.” Now, not all commenters agreed with that, with some pointing out that compliance requires including things like fairly low CVSS scores, and that while issues around security protocols SSL and TLS shouldn’t be on that report, low and medium issues are often chained to exploit systems.

All right, Richard, is there a functional difference between security hygiene and vulnerabilities or does it more depend on your company culture?

[Richard Rushing] I think it depends a little bit on the company culture, but I also think it depends then what’s defined as a vulnerability. And I think there is two parts of vulnerability pieces. You have the vulnerabilities, which a lot of people patching software code, that.

There is the other part, which is configurations. This is the TLS world. This is some of the other sides of it. You’re not set up with the right cipher specs. We’ve all seen this before. And the issue is that’s a configuration and you can classify it and say, okay, it can lead to problems.

It can lead to issues and vulnerabilities and things around that. But there’s the software patching aspect and the configuration. They need to live in your vulnerability management program, period, on that. Otherwise, what are you trying to get better at?

That’s the goal is on fixing things and doing something that’s there.

I think you can classify cyber hygiene as a much larger surface area to look at rather than the nuances that are around that, and saying, hey, there’s a different cyber hygiene score than your vulnerability side of it that’s there. At the end of the day, these pose risks that are defined, and if you’re willing to accept the risk, well, you’re willing to accept the risk.

Can’t do anything about that. But in most cases, accepting the risk usually leads to bad results at the end of the day.

[David Spark] All right. Andy, your feelings on whether it’s hygiene or a vulnerability, your thoughts.

[Andy Ellis] So, I dislike the language. They’re onto something, but they’re conflating language about risk with projects around solving risk. First of all, vulnerability is kind of a term of art that they’re misusing here, right? A vulnerability is a hazard in a system generally tied to a software defect.

[David Spark] Mm-hmm.

[Andy Ellis] That’s it. It’s a class of hazards. When they say threat to exploit path to business impact, the exploit path is that collection of hazards. What they’re calling a vulnerability here is a scenario, a way in which a set of hazards are exploitable by an adversary to cause a problem.

That’s just me. I got to put my soapbox here. Got to be very careful about language because if you start redefining vulnerability to mean something different, you’re going to confuse everybody.

The really interesting point here is that when we think about these hazards and these scenarios, we really have four different problem areas depending on how bad they are in terms of impact and how bad they are or likely they are in terms of probability or how surprised we’d be if they happen.

And what they talk about as hygiene here is what I call litter cleanup. The low probability, low impact things, the things that are very low CVSS, it’s not worth the energy to go figure out a scenario. Think of it like litter on the street. If you come out of a nightclub at 3:00 in the morning or out of your hotel at 6 a.m.

when it’s over a nightclub, anybody who visits Tel Aviv is probably familiar with this scenario, the street is covered in litter. It’s all really annoying. It’s all really dirty. And you would be foolish to try to do the work to figure out how bad each piece of litter is in the same way that a configuration mistake that we just found that seems minor, like that’s not worth going and figuring out how bad it could be or how likely it could be.

You should just have a hygiene project to clean it up. Right?

If you don’t have street sweepers cleaning the litter off of your streets in your nightclub district, that’s the actual problem is the lack of street sweepers, not the fact that there are either 1,000 or 5,000 pieces of trash on the street. It doesn’t really matter how many you’ve got.

And so I think that is a very key component is we should stop using the language of high severity or high frequency events to talk about hygiene problems, and we should say this is hygiene. The problem is not any given one of them. It’s the fact that there are so many that there might be some needles sitting there, and people are going to step on druggies’ needles and that creates a health problem for the city.

We don’t have to count to find the one needle. We should just clean everything.

Sponsor – ThreatLocker

16:24.862

[David Spark] Who’s our sponsor this week? Well, it’s our fantastic sponsor ThreatLocker, and you’re going to want to listen to this brand new tool that they’ve got. ThreatLocker Defense Against Configurations delivers clear visibility into system risk by continuously scanning endpoints.

Built directly into the ThreatLocker agent, it identifies misconfigurations, weak firewall rules, risky USB permissions, and default Windows settings that weaken your defenses so you can address them before they’re exploited. Findings are also mapped against compliance frameworks including NIST, CIS, HIPAA, and ISO 27001, with actionable remediation guidance to simplify security hardening and audit preparation.

The platform updates daily and provides administrators with the most current view of their environment without added performance impact, additional agents, or complex integrations.

By consolidating configuration risks into a single dashboard, ThreatLocker Defense Against Configurations streamlines compliance, reduces attack surfaces, and strengthens overall security posture. See how ThreatLocker makes it easier to secure and maintain a compliant environment.

Just go to threatlocker.com, and if you want to let them know that we sent you there, go to threatlocker.com/CISO. Easiest way to let them know that you heard about them from the CISO Series.

It’s time to play “What’s Worse?”

17:51.297

[David Spark] Richard, I know you’re familiar with this game. This is how it’s going to work. I’m going to read the two crappy scenarios to Andy. He is going to pick one that he believes is worse, and you are going to agree or disagree. If you want to be my favorite, you will disagree with Andy.

If you want to be Andy’s favorite, you will agree with Andy. Got it?

[Richard Rushing] Got it.

[Andy Ellis] I think you should do what feels appropriate, Richard, which is always agree with Andy.

[Richard Rushing] Yeah, there we go.

[David Spark] All right. Here we go. From Erik Bloch of Illumio, he asks what’s worse, Andy, your AI-powered automation platform auto-remediates issues based on detection confidence, but once a week, it kills a critical business process. Hmm.

[Andy Ellis] Awesome.

[David Spark] Just randomly kills one.

[Andy Ellis] Well, that’s already a shortlist contender for worst possible, but let’s see what could be worse than that.

[David Spark] Here we go. You don’t use AI auto-remediation at all, and even a minor issue becomes a ticket that sits in a queue for a week before anyone looks at it. So, all issues sit and nothing gets done for at least a week. Which one’s worse?

[Andy Ellis] Okay. So, the way this one is phrased gives me an easy out. The first one is clearly the worst one. And the reason for that, and this is for everybody who’s going to submit what’s worse in the future, and I hate to pick on a specific one.

The second one, the only impact being demonstrated is an impact to my security organization, not to my employer.

[David Spark] Ah.

[Andy Ellis] The first one, we’re killing critical business processes once a week. The company is having bad days. The second one, there’s no assertion that the company has anything bad happen to it.

[David Spark] Well, but it’s like a reverse, Andy. Hold on, wait. Hold it. It’s a reverse. Bad things are happening to it and security’s doing little to nothing about it.

[Andy Ellis] But you have to lay out what the outcome is.

[David Spark] Yeah.

[Andy Ellis] Right? So, since I don’t have an outcome there, it’s easy for me to say, well, [Laughter] shooting the business in the foot once a week is worse than not shooting the business in the foot once a week. So, I’m going to go with the first one is worse.

[David Spark] Yes. But I could also say…

[Andy Ellis] But we’re not allowed to modify. That’s the Nir rule.

[David Spark] The business may be shooting itself in the foot more than once a week and you’re not doing squat about it.

[Andy Ellis] But we don’t know, and the Nir Rothenberg rule is we don’t get to modify the scenario.

[David Spark] Correct. We’re not modifying. Yes. There is a lot of unknown here.

[Andy Ellis] Right. But we have to run with the unknown as it is.

[David Spark] Yes.

[Richard Rushing] Wow.

[David Spark] See, the thing is, once a week kills a critical business process, worse could be happening. I mean, we don’t know.

[Andy Ellis] It could be, but we didn’t say it is.

[David Spark] All right. Richard, agree or disagree with Andy here?

[Richard Rushing] I’m going to have to go with the disagree.

[David Spark] Now, now we’re talking, Richard.

[Laughter]

[David Spark] All right, go ahead.

[Andy Ellis] You’re killing a critical business process once a week.

[Richard Rushing] Killing the critical business process, I hate to see your metrics on that side of it that’s there, or your partners are going to be after you. Especially if it’s not the same business-critical process. And they can track it back to the AI system.

So, the evidence is pretty much you’re the one that’s responsible because a lot of times systems critically die. [Laughter] Oops, trying to do root cause analysis, never really get all the answers that are there. But I think from this one, having an unknown idea of not knowing what’s going on in the world of queues today, given the current cyber crime exploitation, zero day fiestas that are going on in this…

[David Spark] Mm-hmm.

[Richard Rushing] …it’s going to be waiting a week’s worth of time. It will destroy the entire business, not just one system that’s there that’s critical.

[Andy Ellis] I think we’re reading a lot into this. But no, the argument Richard’s making…

[David Spark] No, I think Richard’s got something going here.

[Andy Ellis] Is it the absence of AI-powered cybersecurity prioritization and auto remediation is destroying every business there is. We have lots of evidence that’s not true. So, I think he’s really rewritten the scenario just to be disagreeable.

[Richard Rushing] [Laughter]

[Andy Ellis] So, I’m going to challenge on this one. Plus, if we get to rewrite the scenario that little bit…

[David Spark] No, but he makes a really good point. Like, first of all, issues come up all the time, right?

[Andy Ellis] Yep.

[David Spark] Every now and then, an issue comes up that is maybe decimating the company, and if you don’t deal with it, that hour, that day, that week, there might not be a company.

[Andy Ellis] But we’re in the world of mights. If we’re in that world of mights, here’s my counter proposal. How long do you get to run your AI-powered cyber auto remediation system?

[David Spark] Killing a business. [Laughter]

[Andy Ellis] If you’re killing a critical business process every week, I give you eight days.

[David Spark] But I think that’s an interesting thing. But I think there’s a situation where there’s like this culmination point, like enough of these things happening that you don’t sit on for a while, enough business processes being killed.

[Andy Ellis] Yeah.

[David Spark] There’s going to be a point where they meet in terms of they destroy the business.

[Andy Ellis] Oh, no, right. Absolutely. These are both bad situations. But the problem I have with this one is one of them, the second one, describes the status quo for most companies.

[Richard Rushing] Yeah.

[Andy Ellis] Like this is the world that most companies operate in. You aren’t doing AI-powered auto remediation.

[David Spark] They don’t get around to squat. [Laughter]

[Andy Ellis] Like you’re weird if you do that. So, that’s normal. That’s not a bad scenario. That’s just every day. The other one, kill a critical business process once a week? Like, you’re not surviving that as a CISO if you let that run for three weeks.

[Richard Rushing] Yeah. Take your SAP system or take your ERP system, the business is dead.

[Andy Ellis] Right.

[Richard Rushing] I agree with Andy that, hey, if you’re looking at the badness of this, but I also, I’ve gone through zero day Fridays for the last couple of sides of it that everybody’s got to go, “Hey, we got a Cisco one running around.”

[Andy Ellis] Mm-hmm.

[Richard Rushing] If that was in the queue, “Oh, it’s come in. It talked to our router.” [Laughter] It’s like I don’t think you’re going to be here next Thursday in a structured manner that’s part of that.

[David Spark] I think there’s a situation where these two sides are going to hit a meeting point and it’s literally a race, who’s going to crush the business first?

[Andy Ellis] Whoever’s going [Laughter] to crush the business first.

[David Spark] [Laughter]

[Richard Rushing] Who’s going to crush the business the first? Is it going to be outside or is it going to be your…? You’re either going to prevent it or you’re going to be responsible for it, I think that’s the issue that you get into.

[David Spark] No, and I understand that you might think it’s worse. It’s worse that I’m responsible for ending the business. [Laughter]

[Andy Ellis] Right.

[David Spark] Directly responsible.

[Andy Ellis] So, I want to appeal to the audience. So, we’re going to do something new, we’ve never done this before. Which is I want to appeal to the audience because I think these two are really off base in disagreeing with me, but I might be really off base.

[David Spark] All right. Yeah. Okay. That’s good.

[Andy Ellis] So, audience – specific question. Is Andy really off base here? I don’t need you to judge the other two. Like, maybe it’s a legitimate disagreement. But am I just really wrong here and I’m not thinking correctly about it? That’s what I’m asking for.

So, give us an answer in LinkedIn, email me, wherever.

[David Spark] In fact, we have an email feedback@CISOseries.com. Just email us at feedback@CISOseries.com.

[Andy Ellis] The problem is that I might not ever see it, but I need to see the answers.

[David Spark] I will forward that to you. Don’t worry, you’ll see it.

[Andy Ellis] Okay. Forward them all to me.

[Richard Rushing] There’s a poll. [Laughter]

[David Spark] Andy will see it.

[Andy Ellis] There’s the poll right here.

[David Spark] Andy will. And in fact, let us know if we can publish it and we’ll clip this and we’ll put the best responses to it online.

[Andy Ellis] Yeah.

[David Spark] All right. Sounds good.

[Andy Ellis] Because I feel really strongly that this one’s easy and I got two people disagreeing with me. So, somebody’s worldview is broken. I want to make sure it’s not mine.

[David Spark] [Laughter] Okay.

How have you actually pulled this off?

25:51.790

[David Spark] “If a single impulsive click can cascade into the compromise of your entire identity, then the real issue isn’t the human, it’s the bad system design,” said Joshua Copeland of Crescendo. And by the way, Joshua, you can’t see this, but Andy’s literally dancing to your quote.

He argues, Joshua, that, “Human error isn’t a vulnerability to be patched. It’s the default operating mode of being human.” I think we can all agree with that.

[Andy Ellis] I don’t like that phrasing, but yes.

[David Spark] Unlike tools or apps you can tune and configure, humans operate on motivations and threats. They’re tired, stressed, trusting, and fallible. We keep designing security that assumes perfect behavior, then blame users when they inevitably remain true to their nature.

But if one click brings down the house of cards, maybe it’s time to stop trying to configure humans and start building systems that work with how people actually behave. All right, since Andy, you were doing the dancing, Richard was not, but I’m sure mentally he was dancing, I’m going to go to you first.

What are some good security design elements that demonstrate that you are building a program for humans to be fallible?

[Andy Ellis] So, let me start by disagreeing with the framing of humans are fallible here.

[David Spark] Okay.

[Andy Ellis] Right? Humans are doing what the human is supposed to do. Like click a link is actually a thing humans are supposed to do. We’re supposed to click stuff when we’re interacting with our email, with our messaging. That’s what the messaging exists for.

So, let’s even move further past – and Joshua, I completely agree with where you’re headed, I just want to move it further – human error is a symptom of a system in need of redesign. If you blame human error, it’s because your system’s at fault. So, I think we agree on that.

I just don’t think that’s human error. I think that’s why did you expect the human to do differently? Like I get DocuSigns in my email all the time, especially when I was on five boards. Let me tell you the number of times I was doing DocuSigns. The fact that DocuSign spam is showing up in my inbox, like people trying to phish me, like that’s a failure of my mail server.

Why are you delivering things that are so obviously trying to screw me over? That’s not acceptable. So, let’s start from that.

When you think about the systems you need, you need to – and I hate to use the phrase zero trust, except I love zero trust. Like, this is the whole model of zero trust was to say everything needs to be validated. I need to validate that you’re still the user.

That’s why I want MFA. And I want phish-proof MFA. But the problem we have right now is we expect people to use passwords that get passed around over the internet. No, like if anything can emulate my computer, that’s a problem, ever. So, the fact that like I have to prove my identity to some server, and now the server gets to be me instead of it’s…

No. Me and my computer and my phone, they are me. You can’t phish me if I click a link on here, there’s nothing to get. That’s where we need to be is this model that it always requires me and my phone to do a thing and stop worrying about making it so easy to bootstrap losing your phone.

That should be the hard moment. It should not be that reading every piece of email is a hard thing.

[David Spark] All right. Richard, I throw it to you. Do you agree with Andy’s setup of the reference that Joshua Copeland said here that humans are fallible, that’s the standard operating procedure, or not?

[Richard Rushing] I agree on the side definitely with Andy that if something is bad and is presented to the user, or the user’s in the middle of the transaction, it’s a problem. Your tools are not configured. You don’t have the right tools. You’re getting stuck.

One of the big issues around a lot of that is those are not metrics we go track and show in a lot of places. So, the executives and everything else, they’ll complain about why I have to reenter passwords, why I have to do this, why? But at the end of the day, this passwordless, other functionalities, you’ve got to make sure that, to Andy’s point, it’s not phishable.

It makes sense. It works in environments. It works for the user on the network, off the network, somewhere else. And I think those are the ideas that we… We constrained ourselves in a lot of our designs for our security principles are still in the world of this was before remote work.

This was VPN access with hard clients that were there, that we had… Until this world where things are outside the world, things are all parts of that.

And I think from that perspective, you have to think as the user in their ability to use things, we’ve unified the messaging to browsers and functionality instead of fat clients. We use the unified client, which just goes to the other side. We simplified single sign-on.

And all those implementations probably need a very, very good relook, going back to the idea that if your authentication is providing sessions, how long are the sessions? Hey, you can get kicked off of most organizations. You know what? Your Outlook still works if they didn’t boot you off the server that’s there, and it will work for like 72 hours if they haven’t changed the configuration.

So three days. So, I think that’s one of the things to think about and look at from a human perspective of those sites and maybe go to something different. We went with sessions, cookies for the simple fact that it was browser initiatives that’s there.

Maybe we need some level of additional kinds of authentication, compliance, moving back and forth, identification of not only the user, the machine that’s actually connecting as well.

Security tip of the week – Anvilogic

31:56.880

[Voiceover] It’s time for this week’s security tip. This week’s AI-infused security operations tip is sponsored by Anvilogic.

[David Spark] How would your SOC respond to a convincing deepfake of your CEO, or an AI-crafted social engineering attack that perfectly mimics an employee’s tone? These aren’t futuristic hypotheticals anymore. As we all know, generative AI has made it easy for attackers to clone voices, reproduce writing styles, and fabricate entire identities with frightening precision. 

The result is a new definition of trust – one in which your team must learn to question what looks and sounds real. AI-infused security operations offer the countermeasure. Advanced models can analyze subtle digital signatures such as timing patterns, metadata, and linguistic cues to detect when content has been synthetically generated.

SOCs must integrate these AI systems into their workflows for heightened vigilance and accuracy, but most importantly, teach analysts to treat authenticity as a new dimension of risk.

[Voiceover] To learn more about saving costs and optimizing analyst capacity with a hybrid SIEM and data lake, go to anvilogic.com.

What’s the ROI?

33:46.680

[David Spark] “People don’t change under pressure from a PowerPoint. They change through conversations, pressure from peers, and accountability from someone they respect. That’s mentoring,” said Maman Ibrahim of EugeneZonda. Mentoring can be the force that drives positive metrics, not the negative metrics, which are often the definition of the metrics reported by security.

Implementing mentoring isn’t the real challenge. It’s knowing how to report it and tell the story in ways that connect with executives. How have you, I’ll start with you, Richard, proved that mentoring moves the security program and therefore, can move budgets?

[Richard Rushing] I think it’s coming back to use this training perspective is a good example when mentoring is that. We can buy content and show what content is, but it’s a whole accumulation. We went with the death by PowerPoint training once a year.

We’re moving into at-risk training and things around that. All those elements that you file in, it’s like to the point of we’re not psychologists, we’re not behavioral science, we are not HR, but I think it’s one of those areas where you need that response.

You need to get those feedbacks to understand motivation and people or how they’re doing. And training is one of the key areas, what’s effective and what sucks. And you can use people that do training on a regular basis. You can have your folks of go and look at what generates this.

And I think it’s from the mentoring side of it is how do I find those in the organization?

A digital supply chain is another side of it in your supply chain organization. I don’t know that world. I should in those areas in a lot of cases. And the only way to do that is to ask for help and let me understand what this is all about. All the interconnects and a factory operation and things around those sides of it.

We’ve shied away from that a lot of times, but in most cases, that was something that was definitely necessary to say, hey, reach out to those folks in those business roles and ask what you want to show as how we move something there. These projects don’t have to be security projects.

That’s why they’re projects. You scale them up to include other people and organizations to come back to you, to help you. And that’s the whole thing is I have not that many hands in my organization. No one does. So, how do I get that to come back even further on that side of it that’s there?

[David Spark] Excellent. Andy, your thoughts on the mentoring being the leader of essentially pushing the security program forward.

[Andy Ellis] So, I think we’ve built so many compliance-driven activities that we’ve taken away the energy left for mentoring. Just think about like security awareness training and how much it costs so many companies to do these very bulk programs, like everybody’s got to sit through a one hour video, when you can probably replace the compliance aspect of that with a like, “Click this link,” coming back to our don’t click this link conversation earlier, to just like read the security awareness program, click, move on, five minutes.

And now let’s save mentoring for actually having conversations and say, “Hey, we’re seeing a problem in your organization. Let me go mentor a VP,” rather than trying to get them to tell people to take training that’s worthless. What the real mentoring value is.

Everything he writes in the article’s great, by the way, but the real value is building the relationship that people will then let you talk to them.

[David Spark] Very good.

Closing

37:35.351

[David Spark] Well, that brings us to the very tail end of this episode. Huge thanks to you, Andy. Thank you so much. And to you, Richard, as well. I want to also thank our sponsor, and that would be ThreatLocker. Remember their new tool, Defense Against Configurations.

We have configuration drift. It happens. Tools change over time. Find out the status of yours, where they are, how are they treating your environment? Go check them out at threatlocker.com/CISO. Add the /CISO, easiest way to let them know that you heard about them from the CISO Series.

Richard, thank you so much for being on the show. Are you hiring over at Motorola Mobility?

[Richard Rushing] We’re always looking for good people. You can find us at Motorola/careers.

[David Spark] Excellent. And can they, if they find an interesting job, can they contact you directly through LinkedIn, yes?

[Richard Rushing] Yes.

[David Spark] And we will have a link to your profile on the blog post for this very episode. Thank you very much, Richard. Thank you very much, Andy. And to our audience, as I always say and truly mean it, we greatly appreciate your contributions. Send more “What’s Worse?” scenarios.

Send us an email, feedback@CISOseries.com, if you think Andy is off base in his rationalizing the “What’s Worse?” scenario.

[Andy Ellis] Or if you think I’m off base about anything in general, I’ll happily take feedback.

[David Spark] About anything at all. Or you wanted him to apologize to you during the Days of Atonement.

[Andy Ellis] Yeah.

[David Spark] Thank you for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.

Thank you for listening to the CISO Series Podcast. 

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.