21 “Dark Side”-Approved Ways to Threaten Your Prospects

For those security practitioners who leave a job to go work for a security vendor, please stop calling it “going to the dark side.”

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Jason Mar-Tang, director of sales engineering, Pentera.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

Full transcript

[Voiceover] What I love about cyber security. Go!

[Jason Mar-Tang] I love that the field is so broad. You could focus on anything you like. So, when I describe to people what I do, I say it’s almost like it’s healthcare. “So, you’re a doctor. What kind?” You could be a cardiologist, a dermatologist, podiatrist, or whatever. There’s so many. There’s something for everybody in cyber security. You can get really, really deep into the bits and bites doing forensics or really high up such as getting involved with policy, and governance, and compliance. Or something in the middle. Each part is important, and they all play together and need to be strong if the posture of the organization is going to be strong. That’s what I love – the options are just endless.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. I’m David Spark. I’m the producer of the CISO Series. We’re available on cisoseries.com, where you can find a lot of other programming besides this show. But don’t go anywhere. You’re listening to this show right now. And why don’t you give a big round of applause wherever you’re sitting right now? If you’re at the gym working out, or you’re in your car, I want you to take your hands off the wheel and start applauding for my cohost, Mike Johnson. Mike?

[Mike Johnson] You can put your hands back on the wheel. Please put your hands back on the wheel right now.

[David Spark] [Laughs]

[Mike Johnson] Hi, David.

[David Spark] Hi, Mike.

[Laughter]

[David Spark] Bad advice from your friendly podcast hosts.

[Mike Johnson] But I do love the idea of people just randomly clapping in the middle of who knows where. I love it. I love it.

[David Spark] You know what I do? And it drives my wife completely bat S crazy is… And it’s been a while since I’ve watched Jeopardy. But whenever the Daily Double comes up, we’re sitting in the room, I do applaud.

[Laughter]

[Mike Johnson] I’m sure she really does appreciate that.

[David Spark] She is completely over that joke. [Laughs]

[Mike Johnson] But what I love is that you don’t drop it. That you just keep doing it.

[David Spark] Oh, no.

[Mike Johnson] And making it worse every time.

[David Spark] And that also she doesn’t like.

[Laughter]

[David Spark] I’m really pushing my luck in marriage. All right, hey, I want to mention our sponsor today who has both hands on the wheel at ten and two. It’s Pentera – assure security readiness across your complete attack surface. Actually they have a very impressive continuous pen testing solution. We’re going to actually learn more about that today. And in fact, they brought our guest. But before I bring our guest on, I do want to mention one of our listeners. Eli Edelkind of CAVA. And, Eli, I guess I can’t remember when I said it, but I did mention…or maybe it was Andy who mentioned it, what the best animal was or sort of the best metaphor for cyber security if you will. And Eli thinks the best representative of cyber defenders is a sheep dog that protects the herd, keeps the wolves at bay, also is loyal, and is always loyal in fact. So, what do you think? Do you think the sheep dog would probably be our best representative mascot for the cyber security industry?

[Mike Johnson] The problem is when someone says sheep dog, I go back to when I was like a kid. Like less than ten.

[David Spark] When you’re thinking about the Bugs Bunny routine, the cartoon.

[Mike Johnson] Well, there’s the Bugs Bunny routine. There’s also the fact that my aunt and uncle had a sheep dog. And when I was around five, I would ride the thing like a horse.

[David Spark] You could actually get on it?

[Mike Johnson] Yes. It was that big. Or I was that small. One or the other. Unfortunately that’s my memory of sheep dogs. I think they’re amazing animals.

[David Spark] Was that dog loyal? Did the dog bite you?

[Mike Johnson] It did not. It was more than happy to let me ride around. It would be very protective. I certainly remember that as well. I think it’s a decent metaphor.

[David Spark] Metaphor. But think about this – you had a sheepdog or your grandparents had the sheepdog, right?

[Mike Johnson] It was my aunt and uncle.

[David Spark] Aunt and uncle. They had the sheepdog, and you loved riding it. And now you’re in cyber security. I think Eli prophesied this to happen.

[Mike Johnson] Yes. Well done, Eli.

[David Spark] Yes, very impressed. All right, let’s bring our guest onto the show. What do you say?

[Mike Johnson] Let’s do it.

[David Spark] Let’s do it. I am thrilled to have this person on. This person is somewhat a neighbor – lives in southern California like I do. Got to meet him in person. It’s great. And thrilled that he’s on this show. It’s going to be awesome. He’s the director of sales engineering over at Pentera, Jason Mar-Tang. Jason, thank you so much for joining us.

[Jason Mar-Tang] David, thank you so much for having me. And you’re right, I live in southern California. But I promise you and your audience I will try and keep my New York accent because that’s where I’m from to a minimum.

[David Spark] Staten Island as I understand, where you are physically right now.

[Jason Mar-Tang] [Laughs] I am physically in the room that I grew up in as a kid. I have this weird wallpaper, and it’s been interesting coming back.

[David Spark] What posters did you have on your wall when you were a kid?

[Jason Mar-Tang] I had a bunch of geeky things, a bunch of professional wrestling posters. I was a huge WWF back at the time…WWF fan. A lot of video games. Typical nerdy type stuff for sure. For sure.

[David Spark] All right. Well, we welcome all nerds to this show.

Why is everyone talking about this now?

5:16.384

[David Spark] For those security practitioners who leave a job to go work for a security vendor, please stop calling it going to the dark side. So, I posted this request on LinkedIn stating that we’re all in the same fight together, but I understand why security professionals say this line. Because once they go to work for a vendor, their motivation shifts from protection to sales. But if you’re not protecting, you’re really not selling. But honestly my main reason for being annoyed with this line is that it’s an old, tired joke, and it’s not funny. Honestly. It’s my history of being a comedian. So, it ranks up there with the line, “If I told you, I’d have to kill you.” I hate that one as well. Don’t tell me that one. So, Mike, this show’s initial intent and purpose was to improve relations between vendors and practitioners. I think not saying going to the dark side is just one small step. It’s a minor thing. It’s just one small step. But, Mike, over the years, what other small steps have you seen that have made improvements in the vendor-to-practitioner divide?

[Mike Johnson] First, David, I want to thank you for making that post. I saw that, and I was like, “Oh, finally, someone has come out and said it.” Because it really is…

[David Spark] It irks me every time I hear it.

[Mike Johnson] It irks me. It irks me as well. However, words do have power. And I do think that stopping referring to working for a vendor as the dark side, that does help perhaps people correct this us versus them mentality. That was one of the reasons why we started this show was it was a versus them. And that’s something that, again, we’re all in this together. And continuing to repeat that really does imply that we’re not in this together. But to your question, one of the things that I’ve always said for quite some time and I appreciate is when security vendors are sharing research, I love this. They’re investing their time, their effort, precious resources into something that they’re then making freely available. Quite often you don’t even have to sign up. It’s just there. It’s there for you.

[David Spark] By the way, quick tip to all vendors listening right now – that is something that we willingly report on on Cyber Security Headlines. If you send it to me, I send it to my reporters that consider it for a story if you send us some research you’ve done. Go ahead, Mike.

[Mike Johnson] That helps get your word out. That gets your name out. But it also spreads the research far wider where people can actually do something with it. I really find that so valuable. It’s just free to me, and it helps enrich the rest of the ecosystem. One of the other things I’m starting to notice is more and more these security vendors are hiring CISOs themselves.

[David Spark] Yes, referring to them as field CISOs, which is another story all together.

[Mike Johnson] I’ll actually correct that. These are the internal…the security of the organization. Challenging a little bit of the concept of you can’t sell and protect at the same time, but these are the internal that keep the company secure. And we’re seeing more and more that. And those people are coming from somewhere. They’re coming from other parts of industry. And you’re seeing a little bit of a shift in perceptions from fellow CISOs. Like, “Oh, I know this person. I’ve worked with them in the past. I can trust them.” It’s a personal relationship. I think as we see more and more of that, there is these security vendors are continuing to grow in size. They need internal CISOs. They need them to be experienced. They’re going to get them from elsewhere. And what are you going to do? Stop trusting that person that you’ve been working alongside for the past five or ten years? No. It’s that person. And they have seen something in this. So, I think we’ll see more of that, and I hope that people will stop saying this line.

[David Spark] I agree. All right, I’m throwing this one to you, Jason. A, how do you feel about the line? B, what small movements…? And, again, I’m not saying… But it’s just improve that divide. What have you noticed?

[Jason Mar-Tang] Yeah. When I saw that, it really made my day. I was like, “Wow, someone is advocating for the vendors’ side of things.” I’ve been doing this a really long time, and before I started someone was like, “How do you…”

[David Spark] I think people are thinking I’m more altruistic than I am. Really I just hate the joke.

[Laughter]

[David Spark] That’s really where I’m coming from. [Laughs]

[Jason Mar-Tang] At the same time though, I mean everyone jokes. But to Mike’s point, words have power. And I think too often… Like I was saying, even before I started, people are like, “Oh, you’re going to get into sales? You want to be the sleazy sales guy?” And I had to even think to myself, “Do I want to be the sales guy?” But in reality, we’re here to help. And everyone I think has had bad experiences all over, but sales has this negative connotation. And of course you’re going to run into some bad eggs here and there. But it builds over time, and it builds this bias. But to Mike’s point, I think we all agree we have to be in this together. The bad guys are having at it.

[David Spark] But they’re in it together, too. That’s the thing we always kind of point out. Like they’re really good at sharing information. [Laughs]

[Jason Mar-Tang] Exactly. 100%. So, why not tag team? And more often than not, the vendors you’re talking to are in business for a reason. There is something special or something unique that you might need help with or might need some augmenting for. And to answer the question, what we’ve seen or what I like personally being on the vendor side, aside from the research which I completely agree with Mike, is also just being honest. The last thing you don’t want to do is fit a square peg in a round hole. So, any time someone asks me a question… And no product is going to have it all. Products often have a focus. And security, everyone knows is very broad. So, you could say, “Aw, I want A, B, C, D, E, F, G.” Well, look, I got A, and B, and C. And I can do this for you. But E and F, that’s not a great fit.” And I’m just honest because I want to make sure that you understand I’m not trying to sell you snake oil or something else. And with that, I think it’s important to understand that if a salesperson is saying yes, yes, yes, yes, yes, yes, that’s a red flag. Be wary. Because no product does it all.

[David Spark] In fact one of the best ways to build trust we have heard from CISOs is tell me what your product’s limitations are. They like to hear that.

[Jason Mar-Tang] That’s a great question. I don’t hear it very often. When you do, I go, “All right, I’ll shoot straight.” Part of it is I don’t like to beat around the bush.

[David Spark] I do it also with the sales of this show. I tell people…I go everything we have has got a positive and a negative.

[Jason Mar-Tang] It’s like life.

Could this possibly work?

12:43.942

[David Spark] “Would you apply to a company with a recent cyber incident?” asked a Redditor on the cybersecurity subreddit. Multiple Redditors responded, saying, “Having a security incident is a good motivator for a company to hire security professionals.” Now, how companies respond to an incident is far more telling than actually having one, given that mature companies have security incidents all the time. We’ve said this multiple times, and it was echoed on the discussion thread. Jason, I’m going to start with you. If someone is interviewing for a position and they know a company is dealing with an incident or dealt with one recently, should they ask how they dealt with it? And if you were the interviewer, to what level would you explain? What details should an interviewee expect from such a question? I guess how deep should we go with this kind of questioning?

[Jason Mar-Tang] I think they should because it can be very telling to more of the culture and how the company itself responded to the team’s needs. So, I think everybody understands security is just it’s never ending. It’s tough. And nothing changes the mindset or changes initiatives, unfortunately, like having an incident or having a breach. So, I think that the questions shouldn’t be too deep. You shouldn’t expect nor should someone, the interviewer, disclose details that they can’t disclose. But questions that are surrounding how has the culture changed, or how is security being viewed, or what processes…what’s getting better, and how has this specific role changed as well can also really give some good insight to where the company is going. And hopefully it’s for the better. That’s the mindset. We should be always improving. And I think if it’s been disclosed, it’s fair game. We need to discuss things that have happened openly and honestly because it can happen to anybody, and it has. I’ve been a part of it. It’s not fun.

[David Spark] Mike, has an interviewee asked you this question? Specifically, how’d you deal with an incident.

[Mike Johnson] Not for a specific incident. We have had questions around how do you deal with incidents in general, which I think is an interesting conversation. And to Jason’s point, I really like the what is getting better question. Where I’m having interviewees ask about our incident response is really trying to understand how mature is the program. I think you can judge a lot of the maturity of a security program by how prepared they are for something to go wrong. If they’re not ready for it then you know it’s not a mature program. So, simply trying to understand…

[Crosstalk 00:15:31]

[David Spark] May or may not be a red flag because maybe you want to go into a company that doesn’t have a mature program, and you want to be the one that matures it.

[Mike Johnson] Absolutely. It’s around gathering information to help you make a decision as to whether or not this is what you want to get yourself into. And if you really want to come in and mature incident response, awesome. Please. A lot more companies need that kind of experience and drive. At the same time, if that’s not something that you’re interested in and if you’re not interested in joining a very immature security program then it’s a hint that maybe this particular opportunity isn’t the right one for you. You gather information, and you make your decisions.

Sponsor – Pentera

16:16.316

[David Spark] Jason, you work with customers one on one, yes?

[Jason Mar-Tang] Absolutely.

[David Spark] Okay. Here is what I want to know. With Pentera… And I want to talk about Pentera for just a second here. But what has been like the most eye opening experience? What a customer has said to you about finally moving towards a world of continuous pen testing. What have they said to you? Like, “Oh, now that we’re doing this, this is now what we can do.”

[Jason Mar-Tang] I think the most rewarding thing is the fact that, “Wow, now we’re being X percentage more efficient. So, we’re actually able to get more done because we’re doing this continuously and autonomously,” which is really cool because that means, hey, we have value. And we’re actually able to help people on their day to day. Depending on, again, are they doing it day to day. And that’s really what we want to get to. We want to help organizations do this more often than not with Pentera with our product.

[David Spark] Awesome. Well, let me just mention a little bit more about your product right now. For those who are paying attention right now, this whole episode is sponsored by Pentera. And Pentera, by the way, has been a phenomenal sponsor of the CISO Series. So, I don’t know if you know this, but today, over 60% of cyber attacks involve the use of exposed credentials. And in fact, we have seen this umpteen times reported. So, now for the first time, security teams can address this critical threat head on. Pentera collects an organization’s leaked credentials and automatically tests their exploitability across the external and internal attack surface. Pentera automates the moves an attacker would make in the live IT environment and dynamically maps out complete attack kill chains, helping to prioritize remediation actions according to their context in real time. So, Pentera’s customers find that leveraging the platform as part of their exposure management strategy increases their ability to identify security gaps, improves the efficiency of remediation processes, reduces expenses, and enables them to better benchmark their cyber resilience over time. Kind of like what Jason was just talking about. And ultimately maximizes their security readiness, and that is what you’re trying to do when you pen test. If you don’t pen test efficiently and effectively, well, you’re not improving your security readiness. That’s what Pentera can do. Check them out at pentera.io.

It’s time to play, “What’s worse?”

19:00.040

[David Spark] All right, Jason, you know this game is played, right?

[Jason Mar-Tang] Oh, sure. [Laughs]

[David Spark] Two crappy situations, both stink. You’re not going to say, “Give me more of that.” Although we have had a few cases of this. But rarely. But you have to tell me which one is worse. I always make Mike answer first. So, here we go. This comes from Richard U. He has a longer, more involved name, but he usually just goes by Richard U. He is the CISO over at Standard Chartered Bank, and here are the two scenarios. You have a state of the art IAM platform, but the role based access privileges and security matrices are really outdated. The business uses the platform for quarterly access reviews for their teams and applications, but it’s largely a tick box exercise and huge unauthorized access persists across. Okay?

[Mike Johnson] Okay.

[David Spark] You’re giving me the stink eye here already. I can see it.

[Mike Johnson] Well, I’m trying to predict…I always try to predict what the other side is.

[David Spark] Well, the other one stinks, too.

[Mike Johnson] Okay.

[David Spark] So, you got no IAM platform, but business painstakingly and manually has to review accesses on a biannual basis, which leads to extreme business frustration because the time expended on it is seen as unproductive to other prioritized business outcomes. Security is seen as a headache, etc. But it actually gets the job done. Which one is worse?

[Mike Johnson] So, as I understand it, the first one…

[David Spark] You actually have an IAM platform.

[Mike Johnson] Right, so you have an IAM platform. So, I’m thinking about the outcomes here. So, the first one, the outcome is you have a lot of access that is unmanaged. Probably you have access creep. But it’s very easy to manage.

[David Spark] There’s a lot of unauthorized access happening in the first one.

[Mike Johnson] So, there is access that shouldn’t be happening.

[David Spark] Yeah, and it’s quarterly.

[Mike Johnson] Yeah, so quarterly reviews is when you drew up but don’t actually make any improvements?

[David Spark] I don’t know. It’s not clear.

[Mike Johnson] Okay, yeah.

[David Spark] [Laughs]

[Mike Johnson] So, the second one is you actually have right sized access, but it’s a toll and a tax on the business. That’s kind of what it sounds like we’re talking about here.

[David Spark] All right, they both stink.

[Mike Johnson] They both stink. And as with, I don’t know, half of these I just kind of have to pick one and argue for it because they both stink.

[David Spark] And by the way, Jason, I always like it when you disagree with Mike, so be prepared to take the other side if you want to. Don’t have to.

[Mike Johnson] It is true. He does like that.

[David Spark] By the way, kudos to Richard, by the way. Usually I hate it when I read the two and you go, “Oh, this one is easy.” Obviously not easy for you.

[Mike Johnson] Yeah. No, this one is not easy, and I think it also hits close to home for a lot of people in their security careers with manual access reviews. The one that’s worse is the one where you have a lot of unauthorized access. The first one is the worst. It sucks that you have that overhead of the manual reviews, and everyone hates the second one. But at the end of the day, you can actually sleep a little bit better. You can have conversations. You can talk with customers, the board, and so forth saying, “We’ve got the right amount of access.” And you’ve got less friends in that situation, but at least you’re protecting the business, and you’re protecting the customers.

[David Spark] All right. That’s what Mike went with. Jason, do you agree or disagree with him?

[Jason Mar-Tang] I actually agree. So, sorry, David, but I think he’s got a point. But I think, you said something really important around the second one. It’s super painful. It takes forever, but it works. Where in the first option, you have a solution, but there’s still unauthorized access. And from my perspective, from the vendor security, it’s like oof, that’s my biggest fear. I don’t want to engineer a solution, sell you something, and then find out later on even if it’s years down the line that it’s not working. That just kills me outside. So, for me even if you’re doing something really manual and painstaking…

[David Spark] And by the way, when Mike said, “You’re not going to make any friends.” Nobody on the security team is going to get invited to the prom with option two.

[Jason Mar-Tang] But do you ever?

[Laughter]

[Jason Mar-Tang] Do we ever get invited to the prom? But at least if you’re going through the process, you could say, “Man, this is rough. Here is why it’s rough.” But you can start to gather requirements and say, “This is rough because of A, B, and C. Let’s maybe try and find a solution that helps us with A, B, and C.” Because you’ll know exactly why it’s so painful.

Please. Enough. No more.

23:50.834

[David Spark] Today’s topic is pen testing, and I’m going to start off with a few what I’ve heard enough about because we talk about this enough on this show. And I’ve heard enough that you should actually do it, meaning do pen testing, and do it more than just for compliance reasons. And actually try to fix what you see on the report. Honestly it’s just good preventative medicine and hygiene like brushing your teeth. It’s just something you should do to stay cyber healthy. Okay, now that I got that out of the way I’ll start with you, Mike. Without repeating what I just said, what have you heard enough about with pen testing, and what would you like to hear a lot more?

[Mike Johnson] First of all, I’m laughing over here at cyber healthy. That’s a good one. I like that one. So, the thing I’ve heard enough of is frankly it’s one of my pet peeves…is when penetration testers are making unreasonable recommendations. Like, “Oh, just shut down that entire product line or completely disconnect this from the internet.” And it gets really frustrating when you’re getting those kind of recommendations in a report. The flipside of that, what I would like to hear more of is how penetration tests help find solutions, how the testers are able to help solve the problems that they’re discovering and not just making recommendations that just cannot be followed.

[David Spark] All right. I am now throwing over to you, Jason. You’ve been in the pen testing game for quite some time, so I bet you you’ve heard plenty of what you’d like not to hear, again. And what would you like to hear a lot more?

[Jason Mar-Tang] Yeah, I think it’s really tough because we hear, “Oh, we want to do it all. Oh, we just try and pen test on as much as we can.” It’s like we need to have a little more focus, and I’d like to see more of that. And I think more of us need to generally switch into the mindset and start thinking more like the attacker with a little bit of focus. It almost goes back to what we were saying before around identities and things like that. It’s like, “Well, what if we run specific types of scenarios? We know that this is a challenge. Let’s run a specific risk assessment on our AD environment. Or we just implemented a new third party or we’re trying to. Let’s specifically test that.” Those SLAs and the effectiveness of that instead of trying to boil the ocean because that never works. So, we need to do more of this and do it continuously. So, yes, we don’t want to do it just for compliance reasons, but we want to have a pulse and say, “Are we good?” You asked a very powerful question earlier – are you ready. How many of us can say, “Yes, we’re ready,” confidently. Or say, “No, we’re not.” But to Mike’s point, maybe we actually have some really good things that we can focus on and improve.

[David Spark] But that brings up a really good point. Is think about… I know you’re really into martial arts, and that is part of the whole thing with martial arts is being constantly at the ready. And when you’re not at the ready and can’t handle things, it’s an uncomfortable sort of status to be at. Let alone when the thing actually happens.

[Jason Mar-Tang] 100%. I love that you brought it there. Have you seen me in person? I’m not a big guy. So, walking around, I’m always on the alert. Someone comes up and tries to… You got to be ready. The same thing. I could walk around with a little bit more ease knowing I know how to handle certain situations. It’s the same thing. If we’re ready and we’ve done these drills, drills, drills, drills, drills, and we’ve tested, tested, tested, we’ll know we’re in a good spot to the best of our ability, and we can even answer and say yes when someone is asking questions. And God forbid it happens.

[David Spark] I know you have sort of a continuous pen testing solution and that you offer sort of solutions specifically for ransomware attacks and the kill chain pattern for that. Is that your most popular scenario, or is there something else? Explain.

[Jason Mar-Tang] It’s definitely a popular one. Once we started to implement that, it was like whoa. Because everybody… It’s the everyone is scared of that. Rightfully so. It’s one of the worst things that could happen to you, and then you’re going to go scramble for some Bitcoin. But I would say that along with that, looking now especially on what lives on the outside from the identity perspective and seeing what are attackers obtaining on the dark web and then being able to cross that information and say, “Oh, was this account still active? What would happen if this account was actually compromised and they do have it, and it’s out there?” All those what if scenarios that play out is a great way to see, “In this case we’re good. In this case, no, we’re not.” And just how many mindsets of how many different scenarios can we run. It’s limitless. You can do it as often as you want.

[David Spark] Actually, have you had customers that actually played out a what if scenario, and that what if scenario did actually happen, and they were ready?

[Jason Mar-Tang] We were talking about if someone was to have an identity…yeah. When you know, you can at least have the guardrails up to make sure that what we’re expecting to actually happen did occur. So, I obviously can’t disclose anything, but yeah.

[David Spark] I just need companies and what happened.

[Laughter]

[David Spark] Thank you very much, Jason.

Pay attention. It’s security awareness training time.

29:38.076

[David Spark] Should we abandon phishing tests? And if so, what should we replace it with? Mike, on LinkedIn you posted about the fruitlessness of phish testing employees and that the open rate numbers are meaningless because you don’t know the quality of the actual phish that was used to test employees. As we’ve all seen, you can always design a better phish that will get employees to click. You argued we should focus on the “so what now” aspect of a phish test. So, if someone does click on a phish, what do you do now? While that’s all good, doesn’t the “so what now” portion kind of lean on the cyber employees mostly? And have you abandoned phishing tests yourself, or are they a necessary evil? And if you were to abandon them, what do you replace them with, and what’s your “so what now” strategy?

[Mike Johnson] I don’t phish test our employees. I don’t see value in doing it. I haven’t seen the value in testing phishing of employees in a very long time.

[David Spark] So, it’s not a necessary evil in your world?

[Mike Johnson] I don’t see it as one. There are other ways of showing that you’re educating your employees. A lot of folks use the phish test numbers as proof come audit time that they trained their employees. I think there’s other ways of providing that proof. So, no value in doing it. For me, I focus on what are the possible ways an employee can make a mistake. And building protections around those. Maybe they actually do fall for a phish. Maybe they do enter their password on some remote website. If I’ve got decent multifactor authentication in place then that’s not going to result in a compromise of my environment. I now have signals that I can use that say, “Hey, I now have a successful password authentication from this user and a failed multifactor authentication challenge. I now know that at some point this employee fell for a phish. And now I can go back and address that particular education issue.” But the important part is the compromise didn’t happen, and that’s really what I was trying to get folks to focus on when I made that post is try and recognize that humans are going to be humans. They’re going to make mistakes. And if you’ve built the entirety of your security program such that someone clicking on a link can actually compromise your entire environment then that’s really the problem that you should deal with, and that’s something that your security organization should be handling, not just getting mad that someone clicked on a phishing link.

[David Spark] All right. Jason, what’s your feeling about phishing tests?

[Jason Mar-Tang] Yeah, Mike has an excellent point, and it flashes me back to when I was still working and living in New York. I was with an organization. I was there for a presentation, and the CIO walked in. And he was so heated, and he was like, “Oh, we spent all this money on this training. And still they clicked.” And it just goes to show you that, forget about it. Someone… It’s going to happen. You just have to be in that mindset. So, I think to Mike’s point and what… I completely agree, have the controls in place. I’ll take that one step further and say you have the controls. Let’s make sure they work, so let’s run those “what if” scenarios on multiple levels from you have people in finance, people in HR. You have developers. You have your IT folks. Run all these types of scenarios to see exactly what the blast radius…like we like to call…what’s the blast radius if this were to happen. And to Mike… Great, put them in place. Let’s test it out and make sure that we’re good.

Closing

33:42.540

[David Spark] Excellent point, Jason. And that brings us to the very tail end of this show. I want to thank your company, Jason. That’s pentera.io. If you’re not there right now you must be driving or working out because I assume everyone is going to rush this very second to get there. Do you have a special offering or anything you’d like to say to our audience about Pentera, Jason?

[Jason Mar-Tang] I’d love to. Come check us out, pentera.io. We would love to have a conversation and understand what you’re doing today, how we can help augment and make it a little bit better, and bring us in. We’d love to come in for a day and show you exactly how automation can make your lives a little bit easier when you think like the attacker.

[David Spark] Let me ask you – if they just want to talk about martial arts and weightlifting, will you have a conversation with them about that?

[Jason Mar-Tang] Oh, please. I could go on forever about that. Yeah, let’s do it. [Laughs]

[David Spark] All right.

[Jason Mar-Tang] In fact I’ll take you for a workout after the day is done.

[Laughter]

[David Spark] Mike, any last thoughts?

[Mike Johnson] Jason, thank you for joining us. I appreciate your perspective all the way from when you opened the show with your love of the field and how broad it is. I’d never thought of the correlation with the medical field, and I think it’s a good one. But I also wanted to call out what you were saying about penetration testing and the value that it provides to build confidence in your security program and gives you more ease of how you’re going to react in the face of an attack. So, I thought that was a good way for folks to think about penetration testing. So, thank you for sharing your insights. Thank you for joining us. And I really appreciate you being here today, Jason.

[Jason Mar-Tang] Gents, thank you. This was a ton of fun. Awesome.

[David Spark] All right. Thank you very much, Jason. Thank you very much, Mike. Thank you very much to Pentera as well. And to our audience, I always say this, we greatly appreciate your contributions. But I’m going to throw this out. I need some more “what’s worse” scenarios. We have one “what’s worse” person who’s sent in a couple that have been extraordinarily great, so I’m really pushing you. Get creative with your “what’s worse” scenarios. I want to see how creative you can be. Please send them in. I need more. Bye. Thanks for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.