_Saying_ “We’re 100% Secure” Is Not the Problem

It’s pretty darn easy to just utter the words “we’re 100% secure.” Pulling that off seems universally impossible, but some organizations are adamant about certain types of safety so they aim for 100%.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Yoav Regev (@yoav_regev), CEO, Sentra.

Huge thanks to our sponsor, Sentra

Sentra’s Data Security Posture Management Solution not only discovers and classifies cloud data, but ensures it always has the proper security posture. No matter where the data is moved or copied, Sentra can identify the type of data, who has access to it, and how it’s meant to be secured.

Full transcript

[Voiceover] What I love about cybersecurity. Go!

[Yoav Regev] It’s endless, unlimited, and it’s always changing. It’s the core and the basics for the digital world we live in today. It’s amazing.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the said CISO Series. And joining me as my co-host, you know him, his name is Mike Johnson. Mike, grace us with the sound of your voice.

[Mike Johnson] Hi, David. Hi, everyone. Happy to be here. A new year. Well, I guess. You’re hearing this well into the year at this point.

[David Spark] End of February is when people are going to hear this. We’re recording this…

[Mike Johnson] It’s a new year for recording for us.

[David Spark] It is actually our first recording in 2023, correct. That is Mike Johnson. We are available at CISOseries.com. If you’ve never been there, boy, are you missing out and there’s no reason you shouldn’t be there. I would say go there right now, but you’re listening to the show and I want you to focus on that. The web address for it is CISOseries.com. We have a lot more shows there, and they’re a lot of fun too, but let’s focus on this one. Our sponsor for today’s episode is Sentra, they’re at Sentra.io. Data travels, we all know that. Now, your security travels too with that data. We’re going to learn more about that later in the show. But first, Mike, I want to point something out.

[Mike Johnson] Okay.

[David Spark] We have done very well with the CISO Series with this podcast, with our other programs. You know what? I don’t think we’ve ever won an award and I’m totally fine with that.

[Mike Johnson] That’s not why we do it. None come to mind and that’s totally fine.

[David Spark] I am completely fine never winning an award.

[Mike Johnson] Yes.

[David Spark] I mean, it’s always nice to be recognized but I think we’re already getting recognized, which is great, and we greatly appreciate our community because they let us know that they’re fans of the show and that’s really what matters.

[Mike Johnson] Yes. It’s the recognition that matters. The award itself? Whatever. It’s a representation of that kind of appreciation, but we get that through our community, we get that from folks coming…

[David Spark] But again, the security awards are so insular. I’m going to toot my cousin’s horn. My cousin is the producer of the PBS NewsHour. She’s won, I think, seven Emmy Awards, and I’ve been at her house multiple times. It’s kind of impressive to see Emmys on your shelf.

[Mike Johnson] That is. That’s impressive.

[David Spark] That’s one thing I am confident saying. We will never, ever win an Emmy Award.

[Mike Johnson] Please don’t offer us an Emmy Award. We won’t accept it.

[David Spark] The last one she received, the wings on the Emmy were ever so slightly bent up, and because of that it didn’t fit on the shelf with her other Emmy Awards.

[Mike Johnson] Oh, how disappointing it must have been.

[David Spark] I know, I know. It’s a rough life.

[Mike Johnson] Yeah, yeah, somebody’s got to do it.

[David Spark] By the way, Emmy Awards are not cheap. What do you think an Emmy Award costs? You win one and you have to pay for it. You know this.

[Mike Johnson] I did not know that. That I didn’t know.

[David Spark] Oh, yeah, yeah. You’ve got to pay for it. How much does an Emmy Award cost?

[Mike Johnson] Okay. Now I’ll drop my number down to five grand.

[David Spark] Oh, it’s not that high. My God. Five grand for an Emmy?

[Mike Johnson] I don’t know. I’ve never bought an Emmy.

[David Spark] Five hundred dollars for an Emmy Award.

[Mike Johnson] Oh, okay. Well, I mean, for most of the people who are winning them, I think they can afford $500.

[David Spark] They can afford it. But no, sometimes they will shell out the money for producers who really can’t afford it.

[Mike Johnson] Well, that’s cool.

[David Spark] They won it and they’re like, “Well, all right.” And there’s also an entry fee too as well. I mean, it costs money like all these awards programs.

[Mike Johnson] I did not know that either.

[David Spark] Oh, yeah.

[Mike Johnson] Interesting. I’ve learned. I’ve learned some things.

[David Spark] So, when people start slamming the security industry for all this nonsense about, “Oh, you got to pay to submit,” and “You got to pay for the award,” the Emmys does this as well.

[Mike Johnson] It’s good to know.

[David Spark] All right. I want to bring our guest on who is from the company Sentra. In fact, he’s the head honcho there. We only go to the top. Sentra said, “Oh, would you like this person who works in the mailroom?” and I said, “No.” And they said, “Oh, how about this person? They clean our floors here at Sentra.” I go, “No, I don’t want that. Can you give us the CEO?” They’re, “All right. I think we can work that out.” And so we have the CEO of Sentra. Very excited. This person spent 25 years working in Israeli intelligence cybersecurity. Unbelievably impressive. And he gave it all up for the cybersecurity private sector and I’m glad he did. He’s our sponsored guest, Yoav Regev. Yoav, thank you so much for joining us.

[Yoav Regev] It’s great to be here today. Thank you for having me.

You couldn’t have done better than that?

4:54.795

[David Spark] What does it take to have a successful security program, asked David Nolan who’s the CISO over at the Aarons Company, he said this on LinkedIn. He provided a bulleted list of items that were mostly focused on helping the business achieve their goals and on communication and building relationships. Lastly, he said when speaking with executives, focus on using their terms such as “threats to business,” “reducing risk,” and “reducing business impact.” So, these are all items we’ve mentioned on the show before. I’m going to ask you, Mike, because we’ve mentioned this a lot. Here’s my big question. Is this enough of a prescription to be successful or what else do we need?

[Mike Johnson] It’s a good list. I really do like the list. And I especially want to call out the comment about the CISO’s success is heavily dependent on relationship, and he specifically mentions the CIO and CTO. I think on the show we talk a lot about the importance of relationships, but we don’t necessarily talk about with who. It’s great for him to highlight that in the list.

But I’d also say one of the things I don’t see on the list is how you measure success, and I think that’s something within the security field it’s hard for us to do. But when you’re talking in business terms, you do need to find that way of showing the success of your organization, showing how you support the company, how you fit into the business as a whole. And so when you’re talking with the other business leaders, as David recommends, you should be able to talk about the successes, the measures, the metrics that you use. So, that’s one thing that I saw that wasn’t on the list. I think it’s a good list and you’d do pretty well if you hit all these bullet points.

[David Spark] So, I’m going to go tag on your comment, Mike, about showing. Yoav, let me ask you the same question that I was asking Mike. This is a list that we talk about a lot that’s really important. Do you think this is enough to be successful or do you need more?

[Yoav Regev] So, first of all, yeah, I totally agree. It’s a great list and I really like the correlation between the business and the security because many people take the security as a kind of a silo and at the end, security is about enabling the business. So, I really like the correlation of that.

[David Spark] Yes. We talk about that a lot on this show.

[Yoav Regev] And if I need to add one thing, I think it’s a pre-position. So, security, one of the goal of the security is to bring resilience to your organization. I really believe these days breach is way of life and if you have the resilience and you can do that by pre-position yourself about your asset, about your data, about everything that is the most important things for you, this is something that can take the breach and move it from a catastrophe to a hiccup. This is something that I really believe you should add to the list.

[David Spark] Yeah. We’ve talked a lot more. I must say that this whole subject of resilience has picked up dramatically in really the past year because of what you just said, Yoav, of a breach is a reality. Can you give me an example of how yesterday’s catastrophes can be hiccups today?

[Yoav Regev] Of course. Generally, I think it’s not about the breach. It’s about the impact, the business impact. Because you can take a breach and nothing happening because not all of the data was born equal. If as part of the breach someone can take and leak unrelevant data or not the most sensitive and critical data, nothing happens, it’s kind of a way of life, it’s okay. So, this is about the pre-position and if you really, really take care and prioritize as part of that, I think you can really take, with the right approach, you really deal with the breaches and make it kind of a hiccup day to day.

[David Spark] Mike, you close it out. What do you think of yesterday’s breaches, today’s hiccups? Where have we been successful in that respect?

[Mike Johnson] Where I think we’re successful is how we communicate them, how and when. When you look at past breaches, sometimes you wouldn’t even hear about it. You would find out about the breach because you now had a credit check that you totally didn’t expect. Whereas today, it’s basically mandatory when there’s a breach that you get notified. And over time, we’ve gotten better at those notifications, providing actionable, “Here’s what you can do as a consumer. Here’s what you can do as a business.” So, I really think that’s what we’re seeing that’s the change is better handling the communication. And then when you’re on the receiving side, you’re informed and you’re not going to freak out the way that you would in the past. So, I think that’s one of the biggest things that we’ve done to change the way that, frankly, make breaches a bit more routine, maybe than they should be, but that’s the world that we live in, and people recognize it today.

There’s gotta be a better way to handle this.

10:17.955

[David Spark] How do you stay innovative as a security professional and have new fresh perspectives? Now, a few years ago at an Evanta conference, I saw Rob Walker who’s the author of “The Art of Noticing” speak. Now, his book has a series of exercises that challenge you to look at things in your real world in different ways. So, for example, just go out in your world and look for security cameras or look for objects, or of a certain color or certain shapes. While not a security professional himself, his topic was perfect for security pros because it challenged them to look at their environment differently. Now, it’s hard to do this actively when you’re just trying to slog through your day to day of our activities. So, I’ll ask you, Yoav, and I know that being creative, especially when you worked in Israeli military is key. So, is there anything you do to stay fresh in your own viewpoints, change them up, or do you fear getting stale?

[Yoav Regev] So, in the cybersecurity business, you have to stay fresh. The other side, the attackers and the breaches and the vulnerabilities, the pace is amazing. Every other day, there’s a new technique, a new way to do that. So, if you are out of date, you cannot survive. So, yes, of course, I think about it a lot and I like the friction way.

[David Spark] What’s that? What is the friction way?

[Yoav Regev] To meet the people. To meet the people in the front line as much as you can. And by the way, both leaders and practitioners, different approach, different challenges, you have to listen to them. And when I say listen to them, there’s two approach. Learning however also unlearning. The learning one is the popular one, we all know about, we listen, we understand, we take an action and so on. But I really believe the hardest and maybe the most important one is the unlearning. Because to get rid of your historical [Inaudible 00:12:27] and your old paradigms, it’s very, very hard. And to use the historical paradigm [Inaudible 00:12:35] technique with new challenges, it’s very, very hard and it’s irrelevant. So, the combination between the learning of the new areas with the unlearning the old one and to change your mind and your what you believe in, this is the right way to stay fresh and to deal with that amazing pace.

[David Spark] So, unlearning and dealing with the front lines, I like that. Mike, how do you stay fresh and look at the world differently?

[Mike Johnson] Well, I get to cheat a little bit because I’m on this podcast on a regular basis, and so it’s very much what Yoav is saying. You meet people and you talk with them, and I get that opportunity to do that on a regular basis with our guests. And it’s really a good point though about how critical it is to remain fresh. Like Yoav saying if you don’t, then you can end up in the situation where you kind of move into irrelevancy. It’s almost a matter of survival when it comes right down to it because of how much we’re evolving and how our environments change and how much we need to protect.

[David Spark] We all agree that it’s a part of survival but the reason, a linear way to get there, it just requires us to think and look differently. So, one way, as both of you said, is just talk to others who are having different viewpoints, which is key. But beyond that, is there a way that you can sort of, I don’t know, daily challenge yourself and can you do it actively or is that sort of more of a struggle? I mean, be realistic here.

[Mike Johnson] It’s not something that I do intentionally on a daily basis, but one of the things that I do and have mentioned on this show often is participate in various security communities, and I’m active in those, those are debates.

[David Spark] You’re talking about Slack groups that you’re on?

[Mike Johnson] Exactly. I’m trying to solve this problem, “Well, have you looked at it this way? No, that’s a bad way of doing it. Here’s why.” And you can really challenge convention when you’re having those conversations. That’s my daily way of doing it. It’s really again back to having conversations. But within those safe spaces, you can challenge the way people have been thinking and also, they challenge you and that gives you that opportunity to, as Yoav was putting it, to unlearn things.

Sponsor – Sentra

15:08.817

[David Spark] Hey! Before we go on any further, I do want to mention our phenomenal sponsor Sentra. Here’s something I think we all know is you probably don’t know where all the sensitive data in your cloud environment is. That is totally understandable. And you know what? It completely makes sense. Because engineers and developers are supposed to be using cloud data in creative ways to drive business growth. But security’s job is to mitigate the risk that comes – we talk about this endlessly on the show – that comes with all the data movement, and it’s happening a lot, we know that. So, when data gets moved, its security posture can change, or it can simply be abandoned, turning into shadow data, or unmanaged data too, for that matter.

So, Sentra’s data security posture management solution not only finds all of your data, but it classifies it by type, and understands where the data came from, how it’s supposed to be secured, and who can access it – that’s an important one. Their data access graph provides a detailed map of how your data moved from point A to B, and how its security posture changed along the way. Wow. That’s some pretty impressive insight. So, by following your data as it travels through your public cloud, Sentra ensures that sensitive data like PII, PCI, IP, and developer secrets is always secured properly, meeting internal and external compliance standards.

Best of all, Sentra is agentless – oh, that’s pretty nice – can be connected to your IaaS, your PaaS, your SaaS in minutes, and its smart metadata sampling technology means your data never leaves your environment. So, to learn more about how Sentra can secure your cloud data without slowing down the business – we know we don’t want to do that – go visit them, here’s the web address – it’s Sentra.io.

It’s time to play “What’s Worse?”

17:10.309

[David Spark] All right, Yoav. You know how this game is played, right?

[Yoav Regev] Of course.

[David Spark] Two miserable options, you won’t like either one, but you have to tell me which one’s worse. I don’t think this listener has submitted before. This comes from Ilia Sotnikov of Netwrix Corporation, they actually bought one of our past sponsors Remediant. Congratulations to everybody involved there. Here are the scenarios. I always have Mike answer first so that gives you more time to respond. As everyone knows, I like when you disagree with Mike. So, do your best to do that, but you don’t have to. All right. Here are the two scenarios. Scenario number one. You have no ownership or discussion of security on the executive level, and security is a part-time responsibility of IT operations. Okay? So, the most you’re getting is part time of IT Ops. All right?

[Mike Johnson] Okay.

[David Spark] Scenario two. The CISO that reports to the CEO has good connections to other executives, but you have no tools, no staff, and no budget. Which one’s worse?

[Mike Johnson] We earlier talked in this very episode about the importance of connections and the importance of relationships and that sort of thing. If I’m comparing these two, I will always take the opportunity where you have good relationships, you have people who are bought in, they’re willing to do the work, which is how I’m reading this, and they’re just looking for guidance. For these, this is actually a very easy one.

[David Spark] Really? Because I just want to stress that no tools, no staff, no budget.

[Mike Johnson] Don’t need tools. If you’ve got folks who are…

[David Spark] You don’t need staff, you don’t need budget?

[Mike Johnson] If you have people who are bought in…

[David Spark] Is your company listening to you say this?

[Mike Johnson] In these situations, the way that it’s laid out here, if you’ve got people who are bought in, willing to do the work, it doesn’t matter if they’re on your team. That’s what people really need to understand here. You can’t solve all the security problems in your company anyway no matter the size of your team.

[David Spark] Right.

[Mike Johnson] The latter is much preferred to the former in this case.

[David Spark] All right. Yoav, I’m throwing this one to you. Do you agree or disagree with Mike?

[Yoav Regev] I’m sorry but I agree because it’s all about the people and you can’t do the opposite. So, of course, you need tools, you need budgets, you need to be on…

[David Spark] I should mention on the first scenario, security is a part-time responsibility of IT Operations, so there are people that do care about it to a degree.

[Yoav Regev] Yeah, but at the end, they cannot have a success on that situation.

[David Spark] You’re not going to have that much success with the other one either.

[Mike Johnson] I disagree.

[Yoav Regev] Absolutely.

[David Spark] You disagree? You think you will?

[Mike Johnson] I think you absolutely can have plenty of success where you have a company that’s bought in on security.

[David Spark] All right. Go back to you, Yoav.

[Yoav Regev] With that, I disagree. Because at the end, it’s a combination between people and technology, between approach and technology. So, as you said before about the crappy situations, both of them, I really believe cannot work. You asked about what is much harder or less better or whatever it is. So, people are more important than technology but only with the combination of both of them you can win.

[David Spark] All right. So, we have agreement that neither of you want tools, staff, or budget. Correct?

[Laughter]

[Mike Johnson] You can go with that, David. Yes.

[Yoav Regev] Silence. No comments.

Please. Enough. No more.

20:57.336

[David Spark] Our topic today on “Please. Enough. No more.” is data security in the cloud. So, Mike, I’m going to ask you first, what have you heard enough about with cloud data security and what would you like to hear a lot more?

[Mike Johnson] I love talking cloud security.

[David Spark] This is your bailiwick.

[Mike Johnson] This is my jam. But what I really have heard enough of is the whole concept of relying on vendor risk questionnaires that you can send someone a questionnaire and you can get happy with their cloud, like, “Okay, great. I’ll sign off.”

[David Spark] Does anyone, by the way, read one of those questionnaires and like, “Wow. I feel a lot better now.”

[Mike Johnson] Quite often they feel like checkbox exercises. It’s like you send it, you get an answer. I think people don’t even read them some portion of the time. The point is they can pass with flying colors your questionnaire. They answer everything great, maybe they’ve got a great history of security, and then you start using that cloud and you can very easily make a mistake. You can very easily put all of your data out there and it doesn’t matter how secure that company is, how secure that particular cloud is. And that’s what I’d like to hear more of is how do you make sure that your usage of that cloud is secure. That’s what we don’t talk enough about.

[David Spark] All right. Good point. I throw this to you, Yoav. Yoav, what have you heard enough about with cloud data security and what would you like to hear a lot more?

[Yoav Regev] I hear a lot about trenches [Phonetic 00:22:42] and infrastructure and I think this is kind of the old paradigm. Of course it’s very important to reduce attack vectors and to be in the right position from configurations and many more. It’s very important but this is only the basics. I really want to hear more and to learn more and hopefully to bring more solutions about the data itself. I really believe we need to shift the paradigm. We live in data-centrical world.

[David Spark] I am fully onboard, and we have discussed this many times on the show that the one thing that is a constant is the data. Everything else has been changing. It’s like a whirlwind that circles around this one thing that’s always constant and that’s the data and dealing with the data, and we find these other sort of bizarre ways to manage it. So, let’s get into exactly how Sentra’s handling this. Explain.

[Yoav Regev] So, we took a data-centric approach and we started with the data itself. So, Sentra is a data security platform and what we do, we discover, we classify, we assess, and we secure your data in the cloud. Every piece of data you have in your cloud. And as Mike said before, manual processes are not the best way to do that. So, with Sentra, you can do it fully automated. You just need to connect your environment to Sentra and from that on, I really believe that everything should be fully automated. Because this is the only way to do it with great coverage, to do it on time, and to do it before it become an incident.

[David Spark] Can you drill down just for a second because I want to truly try to understand what’s going on. Give me a scenario of what I’m either looking for and I’m trying to attach security to the data and then the data starts moving and now I’m getting reports of like, “Hey, it’s moved from A and B.” And like what was said earlier in the show, describing your product, like, “Hey, now I know who has access to it. Oh, my God. Wait. Some new permissions just opened up.” Walk me through this a little.

[Yoav Regev] Great. And I’ll give you two examples. The first example is about what you don’t know because you can’t protect what you don’t know about, right? So, let’s take the shadow data, the data that the organization and specifically the security teams are not familiar with.

[David Spark] Someone else is making it and putting it out there.

[Yoav Regev] Exactly. Because it’s not a bug, it’s a feature to move, to share, to create data. This is the amazing part of the cloud and it enable your organization and very good for the business, but sometimes it’s not very good for the security. But I believe the security can take the technology and use it to understand, to control, and to find it in real-time and bring the organization the resilience for that as we spoke about before. So, the first example is the shadow data. Sentra will find every part of your data and will bring you the shadow data. Data that no one touch, maybe. Sensitive data, by the way. It’s not the regular, it’s sensitive data that no one touch in the last few months, as an example. And this is the first time that the security can understand it. And with that, as part of our vision is to find the owner of the data and he can fix it by himself. So, this is the first example, what you didn’t or you don’t know.

[David Spark] Okay. Excellent.

[Yoav Regev] The second example is what you think you know but you know only part of that. So, let’s talk about data movement. Again, it’s a feature, it’s great. All of us are very familiar with data flows and ETLs and manual process and clones and backups and many, many types of processes that move data. It’s great. However, are we familiar with the process that move the security with the data? Because of course, if you have a sensitive data in one place and with a great security control, you want that, when you move sensitive data, you really want to move the security with that, but no one did it for you. Because you know the data engineers and so on, they just move the data because they need it, they use it. Great. So, with Sentra, we can find those anomalies that you have the same data in different places but with different security controls and we can help you to secure it, and again, before it become an incident.

[David Spark] This is a common thing, repeated data, people copying the data, it living in other places and now other people have access to it. Phenomenal. This is great. Close us out here, Yoav. Give me an idea, with your customers, what is it they’re now able to do? I think it’s just more awareness that they didn’t have before and more control, yes?

[Yoav Regev] Absolutely. With Sentra you can regain control your data, and again, you can use it to enable your organization to move faster. Not to be a blocker and slow your processes. You need to move faster and enable your business, so I like the term fast and secure.

How have you actually pulled this off?

28:01.061

[David Spark] On Quora, someone asked, “Why do security professionals say it is impossible to make a system 100% secure and still be usable?” Now, we saw many of the standard answers of, “Well, disconnect it from the internet and maybe it’ll be secure.” Consultant Ian Heggie said, “Well, no system is perfectly secure because to be useful, it needs to be programmed and used by fallible humans, usually connected to a network and possibly the internet.” Now, we start with this belief that we can’t achieve 100% security, but I’m going to throw this idea out there. The airline industry is adamant about secure flights, and they seem to be the closest to achieving this I’m going to call it a milestone. What would it take to move any element of any company’s security in the direction of what I think the airline industry does? Because they’re so adamant about this one aspect of their security. I throw it to you, Mike.

[Mike Johnson] I don’t think it’s a fair comparison. The reality is when airlines are talking about secure flights, they mean the control systems within a plane, and those are by definition disconnected, contained systems. They’re not talking about their reservation systems. They’re not talking about these mainframes that they’ve had sitting around since they started as an industry. I would not want to compare my security to the reservation systems of your average airline. I think that those are not the ones that are held as the standard…

[David Spark] I agree.

[Mike Johnson] …for security.

[David Spark] So, good point.

[Mike Johnson] But that said, I don’t even know what 100% security means. It’s a very strange concept. What I think about and have started thinking about a little bit is verifiable security. That this system should have a certain set of security properties. If it ever deviates from those properties, then it’s not secure. But you have to be able to measure those properties, and so you really have to establish what does secure mean, and it’s different things for different folks. It could be that “Hey, this thing is connected to the internet. Just that makes it an insecure system. It is no longer meeting the expectations that I have for that system.” And it could be that “Hey, it’s actually perfectly secure, that people can get in, play around, do whatever the heck they want within the system.” So, you have to really think about, system by system, what 100% secure means. I don’t think it’s a good measure. I think there’s other ways that we should be thinking about what secure really means.

[David Spark] All right. I’m going to throw it to you, Yoav. Do you agree with Mike’s assumption and is 100% security a pointless target?

[Yoav Regev] So, I agree about what he talked about. It’s not all the aviation process, it’s there are different systems with different secure levels. But I like the metaphor. At the end it’s a metaphor, but I like it a lot because in the early days of aviation, planes were so fragile, and they fell down. And we couldn’t take the aviation area to what it is now, the basic and building block in our economy and our day to day. Because at the end, there were a few people, very smart people, many days ago, that they understood that we should take the safe area, the safety, as a major part of the aviation. And I’m not sure that this is what’s happening these days with cyber. But this is our responsibility and I really believe we can do that. And I’m not sure this is the right time, right place, to talk about 100%, but we should take it to the next level because I really believe that none of us will fly tonight with an airplane that there is a 1% that it’s going to fall down, right? One percent, it’s too much.

[David Spark] One out of 100 planes falling out of the sky would not be good.

[Yoav Regev] Exactly. So, why we share our most private data, finance, and reputation and many more and put it in a place that it can go down with more than 1%. And we need to change it. We need to take the approach that they took in the aviation area and start to believe in that area and that approach or that way and to take the security to the next level. And again, we spoke before about the resilience, and this is part of that. Like defense in depth, it’s kind of a solution. Because also in the aviation area, I’m pretty sure that there are many, many technical issues during many flights but airplanes don’t fall down. Today’s on almost every breach, every breach, the end is with a poor, poor security. A lot, a lot of sensitive data is out there. It shouldn’t be like that. We can adopt the approach, we can start to work on that, from training to technology to make our world much, much safer. At the end, we live in a digital world.

[David Spark] A hundred percent agree. We do live in a digital world and all, like has been said, I think it was Marc Andreessen who said the line of every company is a software company now. So you can’t avoid it.

[Yoav Regev] And I would like to add Marc Andreessen said software is eating the world. I really believe these days data is eating the world and this is the new approach, the new way to think about it.

[David Spark] By the way, I don’t even know if Marc Andreessen said every company’s a software company. He did say that software is eating the world though. But someone’s going to tell me who said that line, but I know many people have said that line. I know our audience is going to jump down my throat for getting it incorrect, if I did get it incorrect.

Closing

34:12.672

[David Spark] Hey, I want to thank our guest Yoav Regev who is the CEO of our sponsor Sentra. Remember, Sentra.io for all your data discovery and security needs, whether you know about it and you don’t really know where it’s going, or you don’t even know where it is. It’s the shadow data. Check them out at Sentra.io. By the way, Yoav, I’ll let you have a last word and I always ask our guests are you hiring, so be able to answer that, and if you have any special offer for our audience, please let us know. Mike, last thoughts from you.

[Mike Johnson] Yoav, thank you so much for joining us. I really enjoyed the conversation, especially how you kept bringing it back to resilience. That was great to just close on that particular point. But I also want to highlight two specific things that I learned. One was your concept of unlearning, and I think that was a really great way of putting when you’re challenging yourself, challenging your own assumptions. Sometimes you just need to unlearn some things. I like the way that you put that. I also think you’re the first person I’ve heard use the term shadow data. Shadow IT is something that comes up a lot. I’ve never heard the term shadow data before but as soon as you said it, it resonated. So, thank you for those two little tips, those two little tidbits that…

[Crosstalk 00:35:27]

[David Spark] Yeah, I didn’t even think about that. I kind of glossed over that but isn’t shadow data coming from the shadow IT world?

[Yoav Regev] For sure, yeah.

[Mike Johnson] Yes and no, right? That it can come from your known systems, and it’s being used in a way that you’re not expecting. It’s moving to a place that you don’t expect it. But absolutely, almost by definition, data generated by shadow IT systems I assume would be shadow data.

[David Spark] Yoav, are you hiring?

[Yoav Regev] Always.

[David Spark] Always. That’s what most of our guests say. They always say they’re hiring. So, if you want to work for an awesome company like Sentra, contact Yoav, and we’ll have a link to his LinkedIn profile on the blog post for this very episode. Any special offer? Anything last you’d like to say to our audience?

[Yoav Regev] Yeah. First of all, Mike and David, thank you so much for the opportunity to speak with you both today. I would like to end with a note of optimism. All right? Security’s a game changer that can enable the business, the economy, and in almost every aspect in our life. And we can do it. With the right approach, we can ensure we can be very secured and live in a data-centric world. So, thank you again, it was a pleasure.

[David Spark] Opening and closing with optimism. I love it, Yoav. What I love about security and an optimistic close. How excellent. Thank you very much. And thank you to our audience. We greatly appreciate your contributions. By the way, I need a lot more “What’s Worse?” scenarios and get really creative with them, all right? I want super-duper creative and ones that are really a challenge. I don’t like hearing Mike go, “Oh, this one’s easy.” Geez. He’s so annoying.

[Laughter]

[David Spark] “Come on, really challenge me, I can handle this.” Thank you, audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.