You Can’t Fall Behind in AI if You Never Start

No organization wants to fall behind on using AI. But securing it remains a challenge. The tools are so new that everyone seems to be starting from square one. How do you staff up AI expertise when so few currently have it?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is John Barrow, CISO, JB Poindexter & Co.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Vanta

Vanta automates key areas of your GRC program—including compliance, risk, and customer trust—and streamlines the way you manage information. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get back time to focus on strengthening security and scaling your business at vanta.com/ciso

Security tip of the week – Tenable


To learn more about exposure management, go to tenable.com. 

Full Transcript

Intro

0:00.000

[Voiceover] What’s a great approach from a security vendor? Go.

[David Spark] Security vendors, they need to play the long game. Most CISOs have a very fine-tuned filter when it comes to transactional conversations. And so, CISOs are going to buy from people that they trust and they like.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO series podcast. My name is David Spark. I’m the producer of the CISO Series. Joining me as my co-host since day one, it’s Mike Johnson, the CISO of Rivian. Mike, say hello to the audience.

[Mike Johnson] Hello, audience. Great to be with you again.

[David Spark] He enjoys being with you. I even waved. I even waved. I want you to know off the microphone, he is just vitriolic. He goes, “Oh, God, do I have to talk to these people again? No, thanks, David.” No, he doesn’t do that. He is as charming on the microphone as off the microphone.

[Mike Johnson] Oh, thank you, David.

[David Spark] We are available at CISOseries.com. Mike, you know that. I know that. I will tell you for a brief period of time, nobody knew that because there was a Cloudflare outage. But we’re back in action.

[Mike Johnson] We are well past that today, but it was a dark time.

[David Spark] We’re well past that today. Our sponsor for today’s episode is Vanta, phenomenal sponsor of the CISO Series. Automate compliance, manage risk and accelerate trust with AI. We’ll explain exactly how Vanta is doing just that a little bit later in the show.

Mike, I sent an email today that began, “You 1,000% suck.”

[Mike Johnson] Oh, wow.

[David Spark] Okay.

[Mike Johnson] Okay.

[David Spark] All right. Now, if that’s a teaser.

[Mike Johnson] Yeah, let’s see where this goes.

[David Spark] I don’t know what it is. Everybody wants to know why I sent an email that began, “You 1,000% suck.”

[Mike Johnson] I want to know.

[David Spark] I canceled a service. I got an email because it was very difficult to cancel. I know that some people have had trouble.

[Mike Johnson] Was it Sirius XM?

[David Spark] No, it was not a Sirius XM. The service we used for the business, we used to use for the business. And I got an email saying that they were going to charge my credit card for another year.

[Mike Johnson] Oh my gosh.

[David Spark] And I go, “I canceled this service.” And then they said, “Oh, we’re so sorry you feel this way. You can go to the settings and go check for yourself.” There is nothing in the settings that shows you canceled. And then when you go to select cancel, there’s nothing to show that you did cancel, nor do you receive an email that says you canceled.

And you can cancel 20 times in a row and it still won’t say it.

[Mike Johnson] Oh my gosh.

[David Spark] And so, I get a bunch of emails telling me that they’re sorry with the way I’m feeling, not, “I’m sorry that our service by default alerts you that they’re going to charge you again.” And so, of course they know they do this. They have not turned this off.

And they said, “Oh, well.” And so I get a mention, “Oh, well, this is just an automatic thing that goes down.” That automatic thing that goes out should not be going out to the people who have canceled their service.

[Mike Johnson] You’d think.

[David Spark] Hence, the, “You 1,000% suck.”

[Mike Johnson] Bringing the story…

[John Barrow] Sounds like a bad ex-girlfriend.

[David Spark] That’s John Barrow, who is the CISO of JB Poindexter, our guest. You said something about an ex-girlfriend. Here’s my question to you, John. Have you “canceled” with a girlfriend and they want to renew for another year?

[John Barrow] Yes. I won’t go into the details, but yes, it was a very interesting time.

[David Spark] Well, hopefully they didn’t charge your credit card.

[John Barrow] Yeah, yeah.

[David Spark] Let me reiterate. That is our guest for today. He is the CISO for JB Poindexter & Company, none other than John Barrow. John, thank you so much for joining us.

[John Barrow] Thank you. Glad to be here.

Should you hire this person?

4:09.200

[David Spark] “Security people struggle because AI doesn’t behave like systems they know. You can’t firewall a prompt injection. You can’t patch a model that leaks training data through its outputs.” Now, this is from Chris Matthews of Prezzee. “The AI talent shortage,” he says, “requires people who are both a security professional and an engineer.

Security folks can’t threat model what they don’t understand architecturally.

AI engineers treat security as something to bolt on after deployment. And the unicorn who’s actually red-teamed an AI product in production? Who knows? Three other companies are trying to hire that person right now. If that person doesn’t really exist yet, how do you find and train the person who can learn to do the thing that nobody fully understands right now?”

So, Mike, I throw this to you. What does that hiring process even look like? You need someone to do all these sort of AI security things, but no one’s coming out of the box having that skill.

[Mike Johnson] The reality is you don’t hire unicorns. You build them. This is the thing that we do time and time again. Whenever there’s a technology shift, there’s always this period of time where security is working to catch up. And we’re in that cycle again.

So this is a matter of finding your skilled security engineers who are already using AI. They’re already there, and train them.

[David Spark] I feel in a situation like this, this is a hire-within situation because you’ve got to have the people who are not a hire from outside.

[Mike Johnson] Absolutely. That is a bonus where if you train somebody up within your team, they have context. They have business awareness, business acumen, they know what’s where and it then gives a message to the rest of your team that you’re willing to invest in your team.

So there’s so many opportunities by doing this. Going and hiring somebody that you’re probably paying a premium for and it’s still going to actually take months to come up to speed, by the way, because they’re going to need to learn the context, they’ll bring potentially the AI security aspect, but you have to train them on the context.

So you’re really just picking your battle here of I would rather train somebody who has the context rather than try and teach somebody who has the knowledge, the context.

[David Spark] That’s a really good point.

[John Barrow] I agree and disagree.

[David Spark] Okay.

[John Barrow] I agree that you do need to build your internal champions for AI with engineers and whatnot, but also it depends on the size of the company and your team as well. Like with us, we have a pretty lean team and there’s no way our current engineers would have time to do this as well.

And my thought is unless you have a team that’s solely dedicated to AI, you’re really going to be challenged to be successful because my engineers, I mean, their plate’s overfull. They don’t have any additional cycles. But I think it depends on the organization.

I mean, if you have a larger team, that may make sense. And I think you do need over time to build, like I said, internal resources that are those experts. But I think you need to have outside help as well for guidance.

[David Spark] But wouldn’t your team… let me throw this back at you, John. Wouldn’t your team relish the opportunity to move to that area and have someone else from the outside take over their responsibilities? I mean, I got to assume there would be people like that.

[John Barrow] No, I think they would love that, but then the work they’re doing now doesn’t get accomplished. The run and maintain and a lot of that gets missed.

[David Spark] Well, I’m just saying that where are you hiring from? It’s like one of those situations we got to fill this position. I either can move a person up that already works here, move them up into that position and then fill that position that person left or the other way around, hire from outside.

Which do you think is easier to do?

[John Barrow] I mean, I think it depends on the and how quick you want to move. I think if you want to move quickly and you want to really start embracing AI as fast as possible, I think you need to hire from outside. I think if you’re being more methodical and you have more time, then yeah, I think you can build out that team internal, but it’s going to take time.

I mean, I think it depends on the speed, how fast you want to move.

Um, is this a good idea?

8:39.609

[David Spark] “The CIA triad, confidentiality, integrity, and availability, is both too broad and too narrow. It lacks the vocabulary and context to handle today’s realities.” This is Loris Gutic of CSO Online, poking the bear when he called the CIA triad a “Cold War relic that’s masochistically forcing security teams to retrofit modern concepts into a rigid 1970s structure.” He argues the triad doesn’t speak to authenticity or accountability and has no room for resilience or engineering-for-failure mindsets.

Most people in cybersecurity are fans of CIA. It’s foundational. It’s taught everywhere. But just because something is a standard doesn’t mean it can’t crack over time. I will ask you, John, is the CIA triad still getting the conceptual job done?

[John Barrow] I think everything rolls up to the CIA triad, but it’s not in the forefront of my mind as I’m implementing things or as I’m building out the program. I’m not thinking, “Okay, where does this fall under CIA?”

[David Spark] And it’s not something you hammer home with your team then?

[John Barrow] No, I mean, honestly, the last time I actually mentioned CIA was probably when I was studying for the CISSP, but yeah. I mean, but everything does roll up to it. I think it’s still relevant, but I don’t think cyber leaders and teams are stopping and it’s like, “Wait a minute, where does this fit under the triad?” You’re not thinking that way, but I think you have to make sure everything is done the right way.

And I mentioned earlier, I know that this is kind of a pivot, but the human element. I mean, the only way you’re going to be successful in any program is to make sure that you’re building those relationships internally with all the business leaders, with your executive leadership team, your C-suite, the board.

And also that you understand the business and that you understand that in order for you to be successful and best protect the company, you have to have those relationships. You have to have that trust built. You have to communicate transparently and honestly.

That’s really how we’ve been able to move the needle in my program is with any major change or whatever, we over-communicate. We explain the why. We allow people to raise concerns and ask questions and we test the heck out of it. I mean, we have a huge test group that we test with for several weeks and make sure that it doesn’t break anything because we really want to minimize that operational impact because the business exists to make money.

And so, as a cybersecurity leader, yes, you want to best protect the company, but there’s a lot of times where you’ve got to kind of balance that where it’s like, “Okay, with my cyber hat on, I know this is what I should be doing, but the business won’t accept that.” So you got to kind of balance that.

And I know that’s kind of a left turn or a pivot from CIA triad, but I think that aligns with that. I mean, I’ve been at programs where they come with an iron fist like, “You will do this. You will not do this,” and it doesn’t work. They don’t build those relationships.

They don’t communicate. They don’t really explain the why. They just come in and say, “We’re security and you have to do this.” It’s usually not successful.

[David Spark] That’s a really good point. And I think you’re the one who said this, Mike, on a previous show. We did a post a while ago and I said, “Is there anything in cybersecurity that is set it and forget it?” And you said, “At one point, I believed it was ethics, but I don’t even think that’s set it and forget it.” And kind of like what you just said, John, there is no iron hand.

As much as you would like CIA to stay rigid, it would be nice, it doesn’t apply to the business world, again, is what John was saying. Agree? Disagree?

[Mike Johnson] What I like about what John was saying is the flexibility of the CIA concept allows you to have those conversations with the business and be consistent with them. If you keep changing how you’re talking with the business, that’s going to be a problem.

Everything in security is about those relationships that you’ve built. And I do think the value of CIA is that it is extremely high level. And basically, you can find a home for everything if you really need to. And that’s really where the value comes, is it is flexible.

Too broad, I don’t think so. I really genuinely think that its broadness is its advantage. And that allows you to be able to, when you need to break down into a conversation and you’re having a meeting with a fellow business leader and like, “Well, why is this a security thing?” Well, think about the confidentiality of this data.

It just almost rolls off of your tongue because it is so baked into how we think. And it allows you to have that framework that when you then talk with that business leader again like, “Hey, remember we were talking about the confidentiality of this data?” And it resonates with them because you’re continuing to use the same terminology as part of those relationships because of the flexibility of the CIA concept.

Sponsor – Vanta

14:03.271

[David Spark] Our sponsor this week is the phenomenal Vanta. And let me ask you a question. What’s your two in the morning security worry? Is it, “Do I have the right controls in place?” Or, “Are my vendors secure?” Or the really scary one, “How do I get out from under these old tools and manual processes?” That is where Vanta enters.

Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale.

Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. Not at just a point in time, but just continuously, so check it anytime. With Vanta, you get everything you need to move faster, scale confidently and get back to sleep.

You can get started. If you go to their website, go to vanta.com/CISO. Do me a favor. Just add that /CISO in. Easiest way to let Vanta know you heard about them from the CISO Series. Remember, vanta.com/CISO.

It’s time to play “What’s Worse?”

15:27.001

[David Spark] John, you’re familiar with this game, yes?

[John Barrow] Yes, yes, I am.

[David Spark] All right, good. This comes from Dustin Sachs of CyberRisk Collaborative. Your two scenarios. Scenario number one, your zero trust model blocks access to the company website on every third visit because you can’t trust anyone, not even yourself, or your zero trust model requires, get ready for this, 13-factor authentication, including voice recognition, retina scans, and a dance challenge before you log in.

So everyone does a 13-factor log-in or one out of three fail. Which one’s worse, Mike?

[Mike Johnson] Well, these are both highly farcical. Yeah, so I’m going to go, but my preference is the one that requires the dance challenge. I’m here for it.

[David Spark] So 13 factors.

[Mike Johnson] So here’s the thing. The first one doesn’t have a dance challenge. That’s the worst one. This is easy.

[David Spark] But hold on. 13 factors. Given the time it will take you to go through 13 factors, including the dance challenge.

[Mike Johnson] It’s secure because people will give up. You’ve got the most secure environment.

[David Spark] But then you’ll get zero access.

[Mike Johnson] Great. Security is solved. I don’t see why this is a bad thing.

[David Spark] Oh, I’m taking this to you, John. Which one’s worse here?

[John Barrow] Yeah, I think the dance is worse. I mean…

[David Spark] Wait, wait, wait. Are you saying the dance is better or worse, Mike? Let me go back to you, Mike.

[Mike Johnson] Oh, no, I like the dance. That’s great.

[David Spark] He thinks the first one’s one out of three fails, but you think the dance challenge of 13 factors is worse, yes?

[John Barrow] Yeah.

[David Spark] Why is that, John?

[John Barrow] Because no one’s going to do that. You’re going to break the business.

[Mike Johnson] Because he doesn’t like fun. This is very clear because John doesn’t like fun.

[David Spark] This will get boring real fast. It’s like being in kindergarten and you’re doing some game and you have to repeat the same thing 13 times over.

[Mike Johnson] Oh, can we have Simon says as one of the 13?

[David Spark] People will get really bored really fast.

[Mike Johnson] Red light, green light. Pete and repeat sitting on a wall. Pete falls off. He’s remaining.

[David Spark] So you, you will just crush your employees if you make them do 13 factors to log in, yes?

[Mike Johnson] Oh, yes. Oh, yeah.

[David Spark] What number do you think the breaking point would be? We’re currently a two. What would be the breaking point people say, “I’ve had enough?” Would it just be three or could it be… how high do you think you could go?

[Mike Johnson] I feel like any time we had any additional step, even if it’s just one additional step, people freak out.

[David Spark] I mean, and to be fair, what we have today, two-factor authentication, it’s one of three factors. Any of these 13, there’s probably not 13 unique factors. It’s probably doing something you know 12 times or something you are five times. Like there’s…

[John Barrow] Ten security questions.

[Mike Johnson] Yeah. The reality is we don’t have that many factors available to us.

[David Spark] You never thought of the dance challenge until now.

[Mike Johnson] Well, I’m here for it. I am literally going to send an email after this and ask my team to investigate adding a dance challenge to our workforce authentication platform.

[David Spark] Can I tell you something? It wasn’t exactly, but I was playing one of these Dance Dance Revolution type games with my son. Nothing makes you feel more uncoordinated than playing that game.

[Mike Johnson] Yeah, actually, that’s better. One of the factors is how far can you get in DDR? If you can’t make it past level five, then you can’t authenticate.

[David Spark] That’d be fun to watch.

Could this possibly work?

19:11.426

[David Spark] If you look at the cyber security news, it’s easy for CISOs to become reactive. There’s always new risks and threats to account for. So how do CISOs move into being more strategic? Jimmy Arbelaez of Methodist Le Bonheur Healthcare argued on LinkedIn that this requires bringing GRC to the boardroom, positioning it as an investment to protect revenue and enable growth, not just another compliance overhead cost.

So sounds good, but what’s the actual first step, John, you can take to make that transition to bring GRC to the boardroom and have you?

[John Barrow] Yeah, I mean, GRC is kind of like CIA like we talked about before. It’s concrete, it’s easy to understand. And so, I think leadership understands the importance of compliance, but there’s an extra step to that, obviously, making sure that they understand that being compliant doesn’t mean you’re secure.

Compliance is kind of the baseline, the first step. So, yeah, bringing that, I make sure they understand the top threats to our organization based on our industry, based on what we’re seeing in the wild. And make sure that they understand some of the investments they’re making are going to help us protect against those and to minimize the risk for the business.

And they’re hardcore businessmen. I mean, the bottom line is what the cost, so I have to get really creative. And I know the reason I mentioned that is my next year’s budget, for instance, a lot of companies with the economic uncertainty, there’s been a lot of reduction in force, there’s a lot of budget cuts.

And so, my budget amount for next year is way less than what it was for this year, but I’ve been able to invest in a lot of great technology to continue to enhance my program because I’m really diving in and leveraging AI startups. And with the startups and the founders, the ones that get it, they understand having my name and the company’s name as an early adopter is more valuable than making a dollar day one.

They need exposure. That’s what really, really hit a chord with my CFO is he’s like, “Wait a minute. So you’re telling me we can enhance the program and you’re saving the company money?” He’s like, “So tastes great and less filling, John?” I’m like, “Yes, sir.” And he’s like, “You’re a wizard.”

But I think people need to do that. I know we’ve talked about AI a little bit, but I think not just the business embracing AI to innovate and have a competitive advantage, but from a security side, it’s the only way you can keep up with the volume and speed of the threats and the alerts.

In fact, I had to reduce two SOC analysts, which I only had two SOC analysts. I did transition a help desk analyst over as a SOC analyst, but the only way… so we were going to be essentially dead in the water. And so, I made sure that my leadership clearly understood.

I said, “We have to invest in an AI SOC. That’s the only way we’re going to be able to continue to protect the company.” So we’ve done that and I’m excited about it. I know a lot of CSOs and a lot of cyber leaders are real hesitant and really concerned about having your level one, level two triaging done by agentic AI, but it’s been a game changer for me and my program.

[David Spark] All right. I love John’s take on creative negotiations that support the business and your security program. And we’ve talked about this before with regards to working with startups. And I didn’t think that that could all sort of play into a GRC program on top of it all.

Have you had kind of the same experience with your board doing sort of creative, sort of growth in security programs, working with vendors that support business efforts?

[Mike Johnson] For sure. And I really do think, John points out that there’s a lot of opportunity there where you have a startup who’s doing something new, innovative that can really help you out. And what you’re putting back into it isn’t dollars. You’re putting experience.

Those startups, they’re getting something for the discounts that they’re giving. And what they’re getting back is that experience of working with a John who has this experience, who has a real environment and real challenges that they can’t really get elsewhere.

They can probably go and find some other startups to support, but they’re not going to get the same value that they will out of working with John. And we see the same thing where we’ve had some startups. We were actually a very early customer for a company who recently had a very large acquisition and they got a lot of value out of that partnership with us.

We see it time and time again and I totally agree with John. Look for those opportunities. It is mutually beneficial for everybody involved. Just recognize that you’re putting some of your time back into that in order to make it work.

[David Spark] By the way, I will quote a mentor who told me when I was personally starting out a business, I was frustrated with getting my price negotiated down. And when I was talking with… he was in the process of launching his third business. And when I said that to him, he goes, “Oh, geez, you’re starting out?

Don’t worry about the money. Just get the stories.”

[Mike Johnson] Yep.

[David Spark] And I go, “What?” And he goes, “Yeah, yeah. You need the stories to be able to sell the business.” And I was looking at his and it dawned on me. I didn’t even look at what he was doing. He had this portfolio of clients that were either completely pro bono or paying him half what he normally would get.

And he was collecting stories and he could not have been more right. In fact, because I remember we did something early on with Microsoft and that story was so phenomenal and having such a blue chip early partner and being able to tell that story, which was one of these things that would look like it was going to become a failure, but turned into a success.

Those are, by the way, the best ones to tell. Business started landing left and right after that. And I’m assuming that’s what all these startups want.

[John Barrow] Yeah. They need exposure. They need early adopters.

[David Spark] They need that story.

Security tip of the week – Tenable

25:27.478

[David Spark] Hey, coming up on this week’s security tip, we’ve got a warning that moving over to passkeys will actually make you less secure, but it’s not what you think. Stay tuned.

[Voiceover] This week’s security tip is brought to you by Tenable, the exposure management company.

[David Spark] Don’t let old passwords become new exposure paths. When organizations move to passkeys, it’s a major win for security. Yay! Passkeys eliminate phishing risks, remove password fatigue and close off entire categories of credential-based attacks, but there’s a hidden danger that often gets overlooked.

The old passwords don’t go away. They linger, active, valid, and forgotten. Unless it’s explicitly revoked, the password just sits there as a legitimate login method and forgotten credentials are some of the most dangerous. They’re more likely to be reused across personal accounts, more likely to appear in breach dumps and more likely to be exploited without anyone noticing.

In the rush to modernize authentication, it’s shockingly easy for old passwords to “take a ride” in a breach and still work inside your environment. This is a critical exposure management issue. Make sure that enabling passkeys automatically disables legacy authentication for every user across every identity store.

Audit for accounts, including service accounts, that are still configured to accept passwords, and integrate credential hygiene into your EM program so outdated login paths don’t become invisible attack routes. When you create the passkey, then replace the existing password with a random password of exceptional length, give the customer the ability to reset it via email as a standard recovery procedure and then start the process over again.

New password, new passkey. That way, if the database is stolen and/or hacked or the username is compromised elsewhere, a simple password or reused one is never a problem.

[Voiceover] This has been your weekly security tip. To learn more about exposure management, go to tenable.com.

As a CISO, what do you think about this?

27:43.756

[David Spark] “When you say people are the weakest link, what you really mean is we built a broken system, trained no one properly, ignored usability and now we’re blaming the humans who had to navigate the mess.” Love that quote. That’s Joshua Copeland of Crescendo and that’s his unpopular opinion.

And he’s calling out what he sees as lazy leadership. If your users keep clicking bad links, ignoring MFA or finding workarounds, that’s not malice. They’re showing you where the friction lives. Good point. Most policies are written for auditors, not people.

He bluntly said, “Humans are the most honest mirror of how bad our design really is.” Can you actually use that mindset? Every failure is a design problem, not a people problem as a means to bolster your security program. This seems right on the money here, Mike, or does that thinking let people off the hook when they generally don’t follow basic security hygiene?

Also a good point. What’s your take?

[Mike Johnson] This is one of my favorite topics. And it’s the basis of my rant against phish testing employees. If you have set up your system such that if somebody clicks on a link, it’s not them who’s failed. It’s your security program. And that’s really how we need to think about things.

Is Joshua Copeland’s opinion here unpopular? It shouldn’t be. We really should be recognizing that we have humans. They work for our company. We have to recognize that they are going to be humans. We can’t ask them to be any different. So we have to design such that they are going to make mistakes and our system remains resilient.

We have to design our system so that we’re not having them jump through 13 hoops in order to get something done. We really need to recognize that the value of the company, in almost every company, the vast majority of the spend is for employees, is for salaries.

The company needs to get the value out of that and we need to support the employees both in making it easier for them to get their jobs done and recognizing that they are going to make mistakes.

[David Spark] So you are the proponent that yes, people make mistakes, but this is sort of a two sided issue. I mean, you have to have some level of human security hygiene and at the same time you need to build that to a security program and also human behavior does signal where there could be flaws.

John, agree, disagree?

[John Barrow] No, I agree. I agree. I mean, that’s something I’ve really drilled into my team for the last three years with our program is we have to minimize operational impact. We have to minimize operational impact. Everything we do, if we make the controls too stringent or too uncomfortable and there’s too much impact to the business…

[David Spark] Like 13 factors?

[John Barrow] Like 13 factors, they’re just going to bypass our process anyway. They’re going to find a workaround. So it’s on us to make sure that we thoroughly test everything, we minimize operational impact, make it as easy as possible and easy for them to adopt, and then they’ll follow it.

And that’s why I’ve always kind of been anti the whole zero trust thing. I mean, I know it’s a buzzword and I have always hated it because if you fully implement zero trust, the company can’t exist. The company can’t operate. I mean, sure, there’s areas where you can implement it and there’s the flavors of it, but I think you have to create an environment where you are minimizing the risk, but it’s risk management.

It’s not risk avoidance, right?

[David Spark] Yeah, well, zero trust is also asking you to bring risk down to zero too, which is not possible.

[John Barrow] Yeah, it’s impossible. And you have to partner with them. You have to talk to them. Like I said, you have to explain the why. You got to communicate. You got to make sure that people are given the chance to ask questions and raise concerns.

Because if your employees, your team members understand the why they feel like they’re partnering with you and that you’re not just shoving it down their throats, they’re more likely to follow your process and your policies.

[David Spark] But let me close out, though, with one quick question for both of you, super quick. Mike, have you seen a human behavior and you’re like, “Oh, we have to fix the security program because people are doing this regularly?” Anything?

[Mike Johnson] Well, again, I think the phish testing is one of those where people don’t trust the security team because we keep phish testing them. That’s something that we have to fix because people are having a behavioral reaction to something that we’re doing.

[David Spark] A negative reaction.

[Mike Johnson] Exactly. That’s something that we need to fix.

[David Spark] And I’ll ask you the same question, John. Anything that you notice of human behavior and said, “Oh, security program needs to change because of this behavior?”

[John Barrow] Yeah, our AI adoption. Our general counsel sent out a mandate, said no one can use AI until we have guardrails and a policy. So my team blocked all AI platforms as far as we knew. I’m sure there were ones that slipped through, but as soon as we blocked them, people started screaming, “Hey, why’d you do this?” Well, you saw the mandate.

People are going to do it anyway. So we had to kind of adjust and stand up our AI steering committee and rather than saying, “No, you can’t,” like, “Yes, you can, but let’s partner. Let’s help you do this the right way.”

[David Spark] All right.

Closing

33:31.753

[David Spark] Well, that brings us to the very end of the show. John, thank you so much for joining us. I want to thank our sponsor, and that would be Vanta. Remember, vanta.com/CISO. Go there to automate compliance, manage risk and accelerate trust with AI.

No more manual nonsense. Have it done continuously, no single point in time. Go to vanta.com/CISO. Remember, add that /CISO. Let them know that you heard about them through the CISO Series. A huge thanks to you, Mike and another huge thanks to you, John, for joining us today.

And thanks to our audience. As we always say, we greatly appreciate your contributions. I’m not just blowing smoke here. And by the way, if you cancel with us, I will not send you a note that I’m going to charge your credit card for another year. But we don’t want you to cancel with us.

Please stay with us. It’s free to listen to us. Thank you for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com.

Thank you for listening to the CISO Series Podcast.