After a Breach It’s Really Easy to Calculate Risk

There’s no question calculating risk is tricky. But once you understand your risk, you can assign budget appropriately to reduce it. Or you could just wait until you’re breached, and then you’ll know exactly what your risk is and how much it costs.

This week’s episode of CISO/Security Vendor Relationship Podcast is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Dan Walsh, CISO, VillageMD.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, Deepwatch

Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together.

Full transcript

Voiceover

Ten second security tip. Go!

Dan Walsh

Part of our job as security leaders is to train our business owners on how to manage risk. This means how they should act as risk owners, how they should treat risk, whether through mitigation, acceptance, or some other risk treatment. So, as a security leader make sure you’re doing that as part of your risk program.

Voiceover

It’s time to begin the CISO/Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO/Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO Series. By the way, if you haven’t been to CISOseries.com lately, go! We completely updated the site and it actually looks professional, like a real media site. It’s kinda cool. My co-host today, who was my co-host on day one, is Mike Johnson. Mike, let’s all hear the sound of your voice.

Mike Johnson

So, I’m here, David, and I do want to give so much kudos for the new website, it’s an amazing website. I find it so much easier, for me, to use it, and I’ve been using it since day one, so I highly encourage folks to look at it.

David Spark

We publish nine podcast episodes a week plus we have other things that we’re posting during the week on social media and stuff, we’re posting more than 20 things every week. And with regards to the old website: I launched it when we were just doing one show, which made sense, but now that we have so many shows, it just didn’t make sense anymore. We would post things and they’d get buried instantly.

Mike Johnson

Yeah, it worked fine for one show, did not work well for a podcast empire.

David Spark

Empire, that’s what it is.

Mike Johnson

That’s what the new site works for.

David Spark

Empire. Alright, our sponsor for the new podcast empire – or this show, which is part of the new podcast empire – is Deepwatch. They do advanced managed detection and response for a distributed enterprise. So if you are in a distributed enterprise and you need some help in detection and response, pay attention in the middle of the show, we’ll be talking more about Deepwatch. Now, this is December 7th, and this is the first time you and I, Mike, have spoken since we did our live show in San Francisco. We did a lot of live shows prior to the pandemic, and this was your first one since coming back. We had a small crowd, but they were so appreciative and so wonderful.

Mike Johnson

It was an amazing crowd. They were there, they were so excited to be there – they were so engaged, they gave great feedback, and they participated. It was an amazing crowd and it was a great way to return, for me, to return to the live shows which are just such a different feeling. You get such a different vibe, different energy being there in person.

David Spark

And by the way, if anyone listens to it, this was the episode that dropped this week, which is the 9th of November. So if you go back to the 9th of November episode, you can hear it. They sounded like a crowd of well over a hundred, even though they were not a crowd of a hundred.

Mike Johnson

Yes. They were actually a crowd of 1,200 is what they sounded like. I mean they really were out there, and being loud, and being present.

David Spark

We greatly appreciate it. And I’m going to say this, and I said it to you right afterwards, and said it again to you and Andy Ellis, the other co-host, on stage with me, the two of you brought it. I honestly think it was the best live performance we’ve ever done.

Mike Johnson

It was a lot of fun to sit down next to Andy, elbow him in the side and really–

David Spark

Did you actually elbow him in the side?

Mike Johnson

Yeah, maybe once or twice. But I think Andy gives as good as he gets.

David Spark

He does. Our guest for today’s episode is a return champion, he’s been on many episodes. A great supporter of the CISO Series, we love having him on. Thank you for coming back again, Dan. It is Dan Walsh, the CISO, VillageMD, thanks for being here.

Dan Walsh

Thanks for having me, David. And I would just echo Mike, congratulations on the new website, it’s beautiful.

David Spark

Thank you.

Let’s see what they’re talking about on Reddit.

00:04:09:16

David Spark

One of the most popular posts this year on the cybersecurity subreddit is from a security professional reflecting back on ten years in cyber. It’s a really long post and he brought up some really cogent points, and I’ll just mention a few: one, no one cares about your stats, mostly because cyber stats don’t translate to business stats, which are usually in terms of ROI; two, read the news for your boss; and three, art and marketing have a place in cybersecurity, they’ll help you convey your points. These are just a few that I’ve picked out but, the post is awash with great insight. I’m going to start with you Mike, what was your favorite and why?

Mike Johnson

What I really liked was the undertone. Something that the redditor kept bringing up over and over again, weaving into their points, was something that you hear on this show all the time from our guests, talking about how you relate cybersecurity in business terms, how you understand what your business does. The redditor walked through an exercise that they did to figure out how they could speak about security in the terms of their business. That’s something that’s a great tip, but they also walked through a good example on how to do that, which I think is a great thing to take away. Ultimately it’s meet your leaders where they are, find that common ground. You’re not trying to turn them into cybersecurity experts – that’s your job, that’s not theirs – but by finding that common ground you can really make some progress.

David Spark

Dan, did you have some favorite tips on this?

Dan Walsh

Yeah, I did. I’m going to go right back to the old SOC days but, I did like number eight, where it says you’re probably doing threat intelligence wrong. I still think this is being done wrong at a lot of large companies.

David Spark

And give a little detail, wrong in what way?

Dan Walsh

So, essentially, what the author said was that early in their career they were looking at threat intel reports and they were looking at IOCs, IPs, domains or whatever, and then looking them up manually in their security tools, like in their SIEM, to see if there’s any correlation or connection and then providing that data to their SOC team. The reality of it is today, most, if not all, data is actually enriched, if you buy the right security product. The redditor went back and asked his SOC team at some point if they were actually using what he was giving them, and the answer was no. So it never actually contributed directly to helping the SOC team prevent incidents or respond to them. As I look across companies today, knowing colleagues that are in different SOC teams, especially a lot of the bigger ones, they’re still doing a lot of this and I just think, frankly, it’s a waste of time, so that one really resonated with me. I also liked the point about reading the headlines. The reality of it is, your boss probably isn’t reading the same headlines you’re reading. The headlines your boss has probably read in the last year about this are probably the pipeline shutdown, the meat supply shutdown and SolarWinds, and maybe a couple of others. The reality of it is, we’re seeing headlines every day that, as security professionals, sit us back in our seat and our jaws drop open. They’re not reading the same.

David Spark

So I’m going to give ourselves a little toot on the horn. Brett Conlon, who has been a guest on our show before, listens to our show Cyber Security Headlines – a daily show, only six minutes long, in which we give you the eight most important cybersecurity stories of the day. He says, at least once a week, he’s bringing one of these stories to his team to discuss in terms of that issue. These stories then become issues that you need to discuss so, great point. I want to address one point that you said, Dan, and I want both of you to answer. I think there’s a lot of time one team is doing something for somebody else and nobody cares. How often is that happening? It just seems like “Look at this awesome thing we did for you!” gets met with “We don’t care!” and it just falls off a cliff.

Mike Johnson

I think that’s a great example. I don’t know if you’d call it bias but, your perspective is not the same as someone else’s. You may think this thing is really useful and really valuable and you’ve kind of built it for yourself, where the reality is you need to be building it for those who are going to use it. That’s the failing there: when someone else is not using it, you didn’t build it for them.

David Spark

Dan, have you seen this as well?

Dan Walsh

I have and usually if you see this occurring frequently it’s an indication that you have a lot of [silence] on your team and your team’s not well-integrated. So, to Mike’s point: everyone’s a customer, everyone’s a vendor and you want to make sure that you’re building things that your customers want, and that includes your internal customers.

Government CISO versus private sector CISO.

00:08:59:16

David Spark

States are at a real disadvantage trying to hire cybersecurity pros. Now an article in the AP was passed around on the cybersecurity subreddit, and there were a lot of cogent comments about how the government is unnecessarily hurting itself – specifically we’re talking about state government – by having unpaid internships, and restrictions on drug use, which I thought was an interesting point. Another redditor said, “State government jobs in cybersecurity will spend hundreds of thousands on contractors while paying the regular state government employees about half of what the contractors get.” Another redditor, quoting a survey by the International Information System Security Certification Consortium, said, “The $95,000 average salary for state government cyber employees lagged behind Federal by $25,000 in 2020.” That is essentially more than 25%. So the budget seems to be there, because of the contractor payments, but change is not going to happen any time soon with bureaucracy. I’ll start with you Dan: what are some ways to get state governments moving in the right direction?

Dan Walsh

You know, I’ve talked a little bit about this in the past, but there’s been a lot of this concept of a cyber National Guard situation, where we rotate folks from the private sector, kind of like the National Guard, part-time anyway, to come in and be deployed to help out. It’s going to have to come from the private sector; we can’t expect the government to do this for us. With all due respect, because that’s just not how they work, I think there’s so much inertia in that culture that either something super bad is going to have to happen – and I’m talking of the levels of 9/11, and I hope that never happens, of course – or the private sector’s going to have to come together and basically go to the state government. Maybe start in a state, maybe start in a locality and say, “Look, this is how we’re going to help you tackle this problem.” But I don’t see it really changing too much, and those are my thoughts on the matter.

David Spark

Alright, unfortunately Dan is giving us depressing advice. Mike, can you do better?

Dan Walsh

Sorry about that.

Mike Johnson

Unfortunately I’m not really going to have a whole lot better advice.

David Spark

You were supposed to provide some inspiration for state governments here.

Mike Johnson

I think if you’re having me on board for being the bright and shiny light, that’s not going to work out well for you in general. First, I want to challenge the premise a little bit, and just remind folks that contractors and full-time salary is not the same thing.

David Spark

I do know that, but we’ve seen how severely it can change. Also, we’ve seen the classic case of you try to explain something to somebody that you need to do something and then they get an outside auditor or contractor to say do the same thing you said, and they’ve just wasted money.

Mike Johnson

Yeah, I mean that’s a different issue. I think folks also need to remember that governments get their funding from our taxes. You want to pay these folks more, raise our taxes.

David Spark

It doesn’t usually go one-to-one on that.

Mike Johnson

It certainly doesn’t but, at the same time, you can’t expect them to start spending more without taking money away from somewhere else, that’s just how it works, and that’s something that folks need to remember when they’re looking at this. That said, I think one of the things that we don’t give enough credit to the State and Federal cybersecurity employees for is, they’re very mission-driven. They’re in it for the mission. Any one of them could leave and go into the private sector and probably earn double their salary. Maybe monetary is not the way that we reward and recognize these folks, because we need to find out where that comes from. There’s other ways that we can reward them, to incentivize folks for joining. I like Dan’s idea of a cyber National Guard, maybe that’s a way that we can give these folks some help but, I think if we just keep coming back on the salary we’re not really going to get anywhere, we’re just going to keep complaining about it.

David Spark

I will mention that there is something called the Cybersecurity Talent Initiative, which is a public/private coalition connecting the best and brightest from both areas, and this I learned from our guest on our other show, Anne Marie Zettlemoyer, who is a fan and a strong supporter. Cybertalentinitiative.org for more on that. Sorry Dan, you were about to say?

Dan Walsh

I wanted to just say, there’s tremendous talent in the state and Federal Governments at cyber. I know many of them so let’s not equate low salary with poor performance or poor outcomes, right? I just want to make sure we call that out as well.

Sponsor – deepwatch

00:13:40:08

Steve Prentice

Deepwatch offers a suite of managed security solutions including managed detection and response, endpoint detection and response, managed vulnerability management and managed firewall. But Bill Bernard, Senior Director of Solutions Architecture at Deepwatch, tells me their belief is that you solve security problems with people first; people supported by fantastic technology and focused on continuous maturity. And they have some unique ways of doing this.

Bill Bernard

One of the things that absolutely makes Deepwatch unique in the marketplace is our squad model. We bring an entire group focused on supporting each and every one of our unique customers so that we can be business-aligned. We don’t believe you can get business alignment through a tool – a screwdriver doesn’t know if you’re an electrician or an auto-mechanic. The same thing with a lot of the tools that we have in InfoSec, so in order to become business aligned, and to be focused on the things that are important to each specific customer, we need a team of folks supporting them 24/7. We found that looking around our own industry there are very, very few MSSP or MDR companies who can explain to you, in some sort of objective way, the value that you’re getting out of them on a daily basis or the state of your security operations program, and so we set out and built a patented maturity model that we use exclusively with our customers to help them understand where they are on their security operations journey, where they’ve been on that journey and how they stack up against their own industry vertical.

Steve Prentice

For more information go to deepwatch.com.

It’s time to play “What’s Worse?”

00:15:20:00

David Spark

Alright, both of you have played “What’s Worse?” many, many times.

Mike Johnson

This is new to me David, can you explain it?

David Spark

I’m not going to explain it to you. I am going to, though, say to anyone who’s listening for the first time, this is a game: it’s a risk management exercise and you just have to pick the worst of the two scenarios. This comes from Vince Fitzpatrick of ChristianaCare, a new submitter to “What’s Worse?”. Here are the two scenarios: your SOC analysts understand your SIEM and its query language but they don’t have an investigation mindset at all. None. They can understand how this thing works but after that, nothing’s happening. Or, you have SOC analysts that do have an investigation mindset but, they really don’t understand the SIEM and its query language. Which one’s worse?

Mike Johnson

This is interesting. So, this is a case where you’ve got on the one hand, a tool that people understand really well but they can’t get the most out of it because of the way that they’re thinking; they’re not necessarily a creative-minded person.

David Spark

They know how to operate the machine and that’s it.

Mike Johnson

Right. And on the other one you’ve got terribly creative people with bad tools.

David Spark

And by the way, we’ve seen this before, maybe not this extreme – highly creative people that are not mechanically inclined, if you will.

Mike Johnson

This is a very feasible “What’s Worse?”. Some of them are a little bit out-there. I can see these situations.

David Spark

Many of them are pretty out-there actually.

Mike Johnson

I was being kind. This is actually legitimate. I can see this being a situation. The reality is I’d rather have the second situation, I’d rather have the creative folks with the bad tool because they’ll find a way. If it’s a great tool–

David Spark

Well, the tool is fine, they just don’t know how to use the darn thing.

Mike Johnson

But they’ll figure it out.

David Spark

No. This is the whole thing with “What’s Worse?”, it’s not all of a sudden one day they’re going to figure it out, that’s always going to stay the case.

Mike Johnson

They will figure out how to get the most out of it. The tool doesn’t change. They will figure out how to get the most out of it, versus the first one. This is almost like tools versus humans here where your tool is perfect and the humans are just not going to get the most out of it. Or the humans are perfect and the tools are going to let them down. And I’ll bet on the humans every time. So I think the first one is the worst of these two.

David Spark

Oh, right. Dan, how do you feel?

Dan Walsh

I know you like disagreement but I agree with Mike. It’s always people, process and technology in that order; people always come first. And to Mike’s point, you would be amazed at what they’ll be able to do even if they don’t understand the tool.

David Spark

Can either of you give me an example of someone who didn’t understand a tool but was able to creatively figure something out?

Mike Johnson

I’ll use myself as an example. I arrived at a company, they were using ArcSight. I had never used ArcSight before.

David Spark

Is that a backup tool?

Mike Johnson

No, it’s a SIEM. And so, dear listener, if I’m giving you flashbacks, I’m sorry, I apologize, but, it’s a very difficult tool to use. And eventually I figured it out. The tool didn’t change.

David Spark

In the example of the creative, they never figure it out – ever.

Mike Johnson

Even if you look at it from that aspect you maybe extract the data and you go and find needles in it.

David Spark

That’s how you feel? Have you had a similar experience, Dan?

Dan Walsh

Yes. There was a point in my career where I had to learn Splunk and it was hard to learn that language. As I was coming up to speed I would just extract it out to a CSV file, because I was very comfortable manipulating the CSV and then taking portions of the CSV and putting it into Excel and then creating correlation from it. I mean it sounds horrible; I’m almost embarrassed to admit that. Maybe you’ll cut this out of the recording! But then I learned Splunk and it was no big deal.

Mike Johnson

Something you said there, Dan, I think folks probably don’t understand just how much of the security world, how much of the insights come from Excel. We’re so used to thinking in that way, and it’s actually quite a powerful tool.

Dan Walsh

It is. Absolutely. 100%.

What’s your security advice?

00:19:50:16

David Spark

I had a really nice conversation with Jeff Fair who is of the San Antonio Chamber of Commerce, and he is charged with looking for ways to attract cybersecurity professionals to San Antonio. So, I didn’t have any answers for him, so I’m going to ask the question to the two of you. Outside of the obvious personal stuff like, family, kids and living in and out of the city, what do you think would attract a cybersecurity professional to a specific locale and would that change depending on different stages in your career? Dan, what do you think?

Dan Walsh

I’ll answer it backwards. It would absolutely change at different phases of your career. Think about moving, you said San Antonio was the market, so think about a kid who grew up in Seattle or Portland where it’s the northwest, it’s a much different climate, or Boston. You’re 20 something years old, here’s an opportunity to come to Texas where it’s hot, it’s a completely different state and everything. That could be very attractive. But I would say, I think you actually sell them on the mission and the company more, and if they’re adventurous and they buy into that, then the locale is almost like a second sell. You think about some of these southern towns – Austin and Nashville, and even Miami’s been super hot with some of the tech scene. Those companies that were started there made those locales, made those cities, the hubs, not because people are attracted to the city. Yes, it’s a nice place to live but, you attract them on the mission and the team first and then the locale second.

David Spark

So he has to work with probably the biggest players in San Antonio to help them promote their specific missions, they’re going to be the drivers, if you will?

Dan Walsh

Yes, absolutely. That’s my thought, yes.

David Spark

I like that idea. Mike, what are your thoughts?

Mike Johnson

So the first thing I would suggest back to Jeff is just a reminder that we’ve all moved to remote hiring, that’s a big thing right now, and figuring out how to weave that into a strategy. I recognize what he’s after here, it’s building the local tax base; at the end of the day, that’s what he’s after. I think it’s going to be an uphill battle to try and convince folks to move to any place, just because of the remote work. Convincing people to move to the Bay Area right now, just doesn’t happen, and so that’s something that Jeff’s going to have to ponder.

David Spark

So, I want to get your advice on how you would handle this situation. I just had a conversation with a security professional who just put a job opening up. The exact job that he wants, his direct competitor had the same job listing open for about five, six months, and the direct competitor is down the street from them. So, they live close by, they’re now back in the office and have been since the summer, and their boss is against remote hiring – this is the CEO of the company altogether. My argument was well, what is going to be better from a risk perspective? Is it going to be hiring a human being that can be in the office, because they’re very much about the culture of the company or, just hiring someone remotely so they can actually reduce their risk? So, is that the way to approach the CEO or is it something else, Mike?

Mike Johnson

That company culture’s going to be an uphill battle. If it is no remote hiring, I don’t know that you want to buck that. Maybe you do hire someone remote, they’re not going to be successful. They’re going to come in and they’re going to flounder.

David Spark

They’re going to be the only one who’s remote and they’ll be seen as the red-headed step-child kind of thing.

Mike Johnson

Right, they’re not going to get the resources and frankly, people are going to have meetings and not include Zoom links. I mean it will be a bad experience. So frankly, if your company culture is against it, you’re going to have a hard time dealing with that and I wouldn’t tackle that.

David Spark

So, you wouldn’t tackle? Dan, do you feel the same way?

Dan Walsh

I would tackle it because I have.

David Spark

In the way I said it or something else?

Dan Walsh

What I would do is I would say, would you be comfortable if you hired somebody and they came to the office one week a month or something like that? Ultimately if you want to be the most competitive in terms of attracting talent, especially cyber talent. I’m not making fun of the city when I say this but, how many cyber professionals are in San Antonio? Maybe a couple of hundred. How many cyber openings or job postings or roles that are currently filled? Probably a lot more than that. So what’s going to happen–

David Spark

By the way, I wasn’t specifically referring to San Antonio.

Dan Walsh

Any city. Then you’re going to get into a bidding war with all the other local companies or they’re just going to beat you in terms of having a good team because they’re going to go remote.

David Spark

So who’s going to decide to go remote first?

Dan Walsh

And then guess what, you go to the local BSides and they’re talking to their friends and all their friends are like, “I just got this remote job, and my company’s based in the Bay Area and I work for Mike Johnson and it’s really great.” Then they’re all going to be like, “Why am I going to the office? This is just stupid.” So they’re going to go and work for Mike, right?

David Spark

Hold on, but there are people that enjoy the office experience. My wife very much, for example, enjoys it.

Dan Walsh

Oh, absolutely.

David Spark

And she misses out on it.

Dan Walsh

Oh, 100%. I just think that the focus should be on what the employee wants to do not on what the CEO wants to do.

David Spark

That’s a good point. But, again – I throw to Mike – it’s kind of hard to buck company culture, they might be fighting an uphill battle.

Dan Walsh

Oh, I’m not saying it’s going to be easy.

David Spark

Okay. Alright, good points both of you.

Okay, what’s the risk?

00:25:41:05

David Spark

Why are we so bad at assessing risk? On CSO Online, writer Andrada Fiscutean quotes many experts on the subject and a lot of it has to do with most of us being optimistic about the potential dangers, especially those who don’t actually see the dangers. Also, the sense of being in charge, like how a C-level executive feels, makes us downplay risk. Or we feel safer driving our car than flying on a plane piloted by someone else, while the reverse is actually true: driving is far riskier than flying. Also, when something is far away, it doesn’t feel as risky as something that’s right in front of you, hence the increased security precautions companies add after they’ve been breached. But, actually some never learn and they get attacked again and again, and this could be from alert fatigue. So there’s a lot going on here and there’s so many issues. I’m going to start with you Mike, what are ways to bring a clearer understanding of risk to the business without being alarmist?

Mike Johnson

I want to start by reading a quote, and I can’t remember where this comes from, so I apologize for not giving credit but, the quote is: “Humans often overestimate the odds of unlikely or rare events, while simultaneously underestimating how dangerous or risky commonplace events are.” And this is the driving versus flying example that you give. Car accidents happen far more frequently but at the same time we’re used to driving, that’s a commonplace thing for us to do, so we’re not used to thinking about that in terms of the risk. For businesses it’s kind of similar, you have to bring data to the discussion so that you can try and move that bias, you can try and have folks really understand. This is something that happens all of the time and it actually is kind of problematic for us. This other thing that you’re focusing on, Dan had mentioned several of the big ransomware attacks of the year, these other things, they’re not that big of a deal for us, it’s unlikely that it’s going to happen. In order to shift people’s perspectives you have to bring data and bring that to the discussion so that it’s not just subjective anymore. You have to remove that subjectivity and the best way to do that is with data. Once you’ve got people off of that, you can have a more reasoned and rational discussion about what the real risks are.

David Spark

Alright. Dan, I’m throwing this one to you. You actually opened with your tip on, essentially, teaching risk to business leaders, for that matter. This has got to be part of the discussion because, as you can see, we have a very confusing, and skewed, view of risk.

Dan Walsh

We do. As humans, we believe that if I’m doing my best, or I’m doing what’s right, I shouldn’t be punished, right? But the reality of it is you can do all the right things, you can do the best you possibly can and you can still have a breach or you can still have an incident. The other thing I would say too is, I agree with Mike 100% – we need to do the best job that we can at quantifying risk. It’s been my observation and maybe there’s studies behind this, maybe there’s not, I just see a lot of times where the security team struggles to quantify a risk because it’s very hard to do that, and so businesses ask, “If you can’t even quantify it, how much of a risk are we talking about here?” So what I like to do is, I like to take a look at peer companies, or the industry, and show what happens at companies of our size, with our infrastructure maybe or with our security [posture] or the environment that we’re operating in. Here’s some of the news headlines; go back to the news thing and read the headlines to your boss, and here’s what’s going on. I think the other thing, too, is explaining what happens if we do nothing about a risk, and just talking through that, because I also think that a lot of times the business doesn’t really understand the full implications. I mean, if you ask, we’re secure, right?

David Spark

I’ve heard of a couple of cases when someone says they actually showed someone how to do certain simple hacking techniques so they could see how easy certain things are. Do either of you do that? Or actually show them the SOC so they can have visibility into what we see because don’t things change when we actually can see it to some level? I mean, do you ever do this, either of you to essentially business leaders? Dan, you say, yes?

Dan Walsh

Yes. So, we have tools that show blocked phishing attempts by individual. So you take that to a leader and say, “In the last two weeks we blocked 12 phishing attempts; they are really after you.” We also show the number of events that come into the SIEM and threats that were automatically mitigated or blocked. And this is how many got through, and this is how many we had to investigate, and then this is how many security incidents that we need to track down. And I do think that that’s compelling, so we do show them that.

David Spark

It forces it to be top of mind for them, yes?

Dan Walsh

Correct. And then think about it from an authentication or identity point of view. There are these crazy statistics that if you know someone’s year of birth and zip code and gender, you can narrow down with an 88.7%, or something crazy like that, exactly who they are, just having those few components of that person’s identity. And so if you can understand the person’s identity, now all of a sudden, you know, that’s also a security risk. And just letting them know that I just need these three components of your identity and I know, with a very high certainty, who you are, I think that’s also eye-opening for folks.

David Spark

Mike, how much do you pull apart the kimono, the sheets, whatever it is, the curtain, to show business leaders what’s going on?

Mike Johnson

One of the ways that organizations leverage the output of red teams is exactly that, where essentially you’re taking a theoretical attack – this is a thing that could happen – and showing them that it actually can. Translating something from could to can really has things hit home. And I’ve seen organizations take a red team test result and have a serious pivot as a result because it was something that was theoretical before, this is something that an attacker could do, but we’ve proved it beyond a shadow of a doubt without any insider information and that really gets folks’ attention. I’m not saying you scare people but, it’s again, just a fact of taking something that was previously theoretical and making it practical, and that gets people’s attention.

David Spark

Very good. Well that brings us to the very end of this episode. Thank you very much Dan Walsh and my co-host, Mike Johnson. I want to thank our sponsor, Deepwatch, and I want to remind you again, advanced managed detection and response to secure the distributed enterprise, more about them at deepwatch.com. Thank you so much deepwatch for sponsoring this very episode. Dan, I am going to have you speak last but as you know, I always ask: are you hiring? Make sure you have an answer for that. Mike, any last thoughts?

Mike Johnson

Dan, thanks for joining us. It’s always great having you here, having this conversation. What I liked about this one was your thoughts on risk and how you weaved that in. You opened it up with a great tip. You talked about it in this last discussion about explaining what to do, or what can happen if you’re not treating a risk at all, and walking folks through that. So I really liked the discussion, and how you kept coming back and talking about risk. But the one thing I really want to give you the most credit for was during the “What’s Worse?”, you said people, process, technology, in that order, with people being the most important. I think that’s something that people need to remember, that it’s actually the people that are the most important part of our security program. Again, thank you for coming back, having the conversation. Always enjoy it and I look forward to the next time.

Dan Walsh

Thank you, Mike, I really appreciate it.

David Spark

I wasn’t going to say anything that nice about you. Dan, any last thoughts and are you hiring?

Dan Walsh

Yes, we are hiring. We’re actually hiring a lot of people next year. Right now we’re hiring for a security analyst. But because we’re going to be hiring a ton of people next year–

David Spark

You want to talk to them now?

Dan Walsh

Yes. Reach out to me. Next year is what, six weeks from this recording, right?

David Spark

And you are in Philadelphia yourself. Is VillageMD in Philadelphia?

Dan Walsh

No. I’m in Philadelphia; VillageMD’s in Chicago. We have a big presence in Texas. But we are a remote-first team and so we have people all over the country and we’re going to continue that. We want the best people for the job. So, final thoughts: I just enjoy discussions about risks. I think sometimes as security leaders we get so caught up in maybe like our technical roots. It’s fun to tinker around and dabble around with the cool new tools that are out there, but, Mike, especially as you mentioned with bringing it back to the business, I think that was a theme that kind of resonated throughout. I really appreciated that. And I also really liked Mike’s point about the state and Federal cybersecurity challenges that we have. I think there is a cost there but I also think there are ways we can solve that. So thank you for that as well, Mike.

David Spark

Excellent. Well, thank you very much, Dan Walsh. He is the CISO over at VillageMD. Best way to get in contact with you, Dan, is?

Dan Walsh

DanwalshCSO on Twitter or just hit me up on LinkedIn.

David Spark

Dan Walsh, VillageMD or @DanwalshCSO on Twitter. I want to thank our audience very much for all their amazing support. I need a lot more “What’s Worse?” scenarios. Make them super-duper tough. They don’t have to be the mirror of each other, they can be two completely random things but equally painful, that’s the whole goal here. So please, send me in “What’s Worse?” scenarios. We appreciate all your contributions. And listening to the CISO/Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.