Ambulance Chasing Security Vendors

Ambulance Chasing Security Vendors - Defense in Depth

A good high profile security threat seems like a good time to alert potential customers about how your product could help or even prevent a breach. Seems like a solid sales tactic for any industry that is not cybersecurity.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Angela Williams, CISO, UL.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Automox

Are you ready to ditch manual patching? With Automox, you can automatically patch your third-party applications, Windows, macOS, and Linux devices with one easy-to-use, cloud-native platform. Try for yourself with our free 15-day trial and have all your endpoints safe and secure in just 15 minutes.

Full transcript

[David Spark] A good high profile security threat seems like a good time to alert potential customers about how your product could help or even prevent a breach. It seems like a solid sales tactic for any industry that is not cyber security.

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me, it’s the one and only Geoff Belknap, who is also the CISO of LinkedIn. Geoff, thank you for joining us today.

[Geoff Belknap] David, thank you for joining me.

[David Spark] Aw, yes, we are joining each other, aren’t we?

[Geoff Belknap] Yeah, you always thank the guest and the host, but do we ever think to thank you? No, we don’t.

[David Spark] More people need to thank me. I need more praise, as I have often said.

[Laughter]

[David Spark] Our sponsor for today’s episode is Automox. Thank you so much, Automox, for sponsoring the CISO Series again. All your end points, they get them configured and secured the way you want to do it – easily across operating systems by just a single individual. You don’t need a whole team to do this. Automox will show you how to do it. We’ll talk about that a little bit more later in the show. Our topic for today’s episode, I want to discuss this. So, back during the heyday of Log4J, we all remember that like it was yesterday.

[Geoff Belknap] Some of us have tried to block it out in their minds, but yes.

[David Spark] Jerich Beason, commercial CISO for Capital One and a former guest on this very show, posted on LinkedIn, “I can’t fight fires and build the fire station at the same time. Stop trying to sell me hoses and trucks in the middle of a firefight.” He was asking security vendors to stop selling him on their solutions to prevent such an issue because as he rightfully explained… And by the way, I think he nails it on this quote here. “Nobody can evaluate it in time, nobody can procure it in time, and nobody has the time for a demo.” So, tying your product to a high profile event is always a good sales tactic. But in this instance where you need someone’s time, it is not the way to capitalize on a high profile event. Geoff, I think Jerich’s summation of why this doesn’t work is probably the most succinct beautiful version I’ve seen. What do you think?

[Geoff Belknap] The important thing I would nitpick on this is these kind of events are great for marketing, not for tactical sales. If you want to update your website or write a blog that explains why your product would help someone like me or our guest in a situation like this or even better, how it has helped prevent something like this during that event, I would love to read that information at a later date when I’m not currently in the middle of firefighting, and digging trenches and fortifications. In the moment is not ever a time that we are going to be able to deploy something brand new in our environment and certainly not the time that we’re going to be able to read an email exhorting us to do so. So, I think especially like Log4J, we really have to be thoughtful about how security practitioners are busying themselves with their time during a crisis.

[David Spark] Excellent point. And we’re going to get into great depth on what you just said and Jerich said in just a moment. And our guest for today, thrilled to have her on. I met her in Chicago. We did a live recording of the CISO Series podcast. She is the CISO for UL Solutions, Angela Williams. Angela, thank you for joining us.

[Angela Williams] Thank you, David. Thank you for having me on today. Exciting time in cyber security. But my name is Angela Williams. I am the senior vice president for UL Solutions. A lot of people want to know, well, what does UL actually do. It really stands for Underwriter Laboratories, but we launched our new brand name a couple months ago. And we deliver testing, inspection, and certification for over 8,000 customers globally.

[David Spark] Yes, and you have all seen that little UL with the circle logo on a bazillion products, so the visibility of you is literally everywhere.

[Angela Williams] It’s everywhere. [Laughs]

[Geoff Belknap] Angela handwrites every one of those on each appliance that goes out.

[David Spark] I’m impressed with your penmanship.

[Angela Williams] [Laughs]

[Geoff Belknap] Yeah, quite consistent.

[Angela Williams] That’s a part of the onboarding process.

[Laughter]

What are they doing wrong?

4:16.039

[David Spark] Danita Fleck of Gigamon said, “Vendors who are crisis oriented seem desperate to sell their solution/product and not helpful thought leaders.” Diego M. of Leonardo DRS said, “The most opportune time is not the opportune time.” And I believe this is Drs. Andor Demarteau, Shamrock Information Security, said, “If those tools were so perfect and indispensable true info sec professionals would be out of a job.” So, this just refers to what we think is a good time or what a salesperson might think is a good time really is not, and it’s kind of a theme that we hit at the very opening of this show. Yes, Geoff?

[Geoff Belknap] Yeah, I think that’s exactly right. And I think to Andor’s point here, if these tools and solutions were perfect then fantastic. Please after I’m done dealing with what we’re dealing with, show me where it has prevented this for somebody else. Show me how it would have saved me all this time. But no matter how much time your product you think would save me, it won’t save me time in the middle of dealing with that crisis. I can’t stress enough that… I think Diego put this perfectly. The most opportune time for you is not the most opportune time for a security organization that is dealing with a problem. And I think we just have to be more realistic as sales teams, as suppliers, as partners about when we can have those conversations.

[David Spark] All right, I’ll tag Angela on that. When can you have those conversations? Assuming you agree with everything that’s been said up to now, yes?

[Angela Williams] Yes, I completely agree with what’s been said. I think it’s important for our strategic partners who have a solution that may be great and wonderful. Just be really respectful of when you’re going through something that’s considered an emergency. And I liken to the extent of when you’re in the hospital in the emergency room, that’s not the time to go sell the doctor a new MRI machine. They’re really trying to deal with customers coming in that need immediate care. So, as cyber security practitioners, I think the best time is once the dust settles a little bit, and everyone has got their right mind, and their head is back on their shoulders again. Let’s then have a conversation of possibly what we need to do to expand and mature our capabilities. But it’s definitely not in the middle of the emergency.

[David Spark] By the way, I like your analogy, too, because an MRI machine is not a small item.

[Angela Williams] It’s not.

[Laughter]

[Geoff Belknap] Yes.

[David Spark] That can be quickly procured, and installed, and set up, and trained. And so that’s a really, really good analogy there. The thing is that Log4J, when we have these big high profile events, we don’t forget about it. It does raise everybody’s awareness to we can’t let this happen again. So, yes, it is of great interest. Not in the moment, but you… Let me ask both of you, did you look for solutions on how to deal with this in the future, whether you build it internally or externally?

[Geoff Belknap] Yeah, absolutely. I’ll say for me when we were done with this, we absolutely did a postmortem as I mentioned to Angela and her team did as well, where you go, “Oh, what would have made our response to this even better? What would have made it faster? What would have made it more accurate?” And that’s a great time for you as a vendor to engage or at least be available to have that conversation. I don’t know, what was your experience, Angela?

[Angela Williams] I think it’s just after the dust settled and the vendors could understand seriously how were we impacted, what we had to do to evaluate how bad the car accident was so that we can make sure whatever solution we’re looking for is definitely applicable. It’s not something that we’re just creating more complexity and overengineering our environment for the sake of buying something and saying, “I checked the box. I think I got a solution that will match it.” It’s super important to sit down and talk through the true damage and the true exposure that was there and then make sure that you have great solutions. And then a roadmap beyond that so that you can continue to build upon it. But having very pointed or targeted solutions is never a good deal.

How would you handle this situation?

8:32.599

[David Spark] Paul Hugenberg of Rea and Associates said, “The idea that this is not the time to be sold is true, but I disagree that it is not a time to be helped. It is.” Vivian Liang of Operatix said, “Your house is on fire, and you’re trying to put it out by pouring buckets of water that you have to hand carry from the stream across the road. And those buckets have holes in them. If someone has a hose, any hose, I would hope they would offer to let you borrow it so you could put out the fire and protect your home and family members. Will they try to sell you the hose afterward? Of course.” So, Angela, I like this last analogy that Vivian brought out. If I’m in a fire fight, you could just help me right now rather than sell me. And then afterwards, sell me that thing. Have you had that happen to you?

[Angela Williams] Yeah, I absolutely have. I think when you have a good strategic partner where you can be super transparent about what your needs are and kind of put the BS to the side a little bit and not have to worry about stepping on eggshells, this is where you have a conversation to say, “We’ve been a partner for a while. You’ve got a great solution. I can’t do anything with it right now. But if you can just give it to me for free or give it to me under a trial period so that it’s easy to deploy, it’s not too complex… Let me use it for a second. Let me pilot this out because you’re selling me that your solution is 1,000% going to change my life. But I want to test it first. And then afterwards, if it does do the job, let’s talk about what will this cost me to keep it.”

[David Spark] So, have you ever had a vendor that actually truly helped during a firefight? Like, “Let me… Either my people will come and help you, or we’ll actually deploy our product. We’ll do some scans and research for you.” Has something happened like that?

[Angela Williams] Yes, in a previous life before joining…at other companies I’ve worked for. I’ve had a partner that I’ve had a relationship with for several, several years. They understood. They empathized, and they were willing to roll out a solution, bring their engineers, get them engaged, get it deployed. Because they really wanted to continue that business. Again, that trusted partnership is a two-way street here.

[David Spark] Yeah, and using your MRI analogy, yes, it would be very difficult to do that. But if the company said, “Well, we got those MRIs at a few other hospitals. I bet you we can get you some additional scans if you need that because it’s an urgent time.” And then later, you’re like, “Oh my God, that helped. And those MRI machines were fantastic. Like yes, that’d be wonderful.”

[Angela Williams] I’m actually [Inaudible 00:11:12] too when it comes to that type of model.

[David Spark] Aw. Geoff, have you had this experience where they truly came and helped?

[Geoff Belknap] I struggle to think of a lot of examples here. I think something Angela said is really important. I’m just going to go back to the very beginning here where she said, “I have a trusted partner.” I just can’t underscore that enough. If we’re dealing as security leaders and practitioners…if we’re dealing with a crisis, or an incident, or something like that, and you already have an existing relationship with me, and you understand what I have and sort of talked about what we’re trying to put in in the next couple of years, etc., I can engage with you. Because I’m not starting a brand new relationship. You already have some idea of whether I have buckets and I need a hose or etc. But I don’t have time to build a brand new relationship and necessarily to put a bunch of trust in someone that I haven’t built any…I haven’t established anything with.

I don’t have time to sit down and talk about what the incident is, and the kinds of things that might help. If you bring me something, and we don’t have a relationship already, it really has to be a very discrete, simple solution to a problem I’m having. Or it has to be information. I think it’s got to be like IP addresses of a bad guy, file hashes, some kind of information that’s going to accelerate what I’m already doing. But it can’t require the practitioner to stop, slow down, and explain to any of these people that want to help what’s going on so that they can help more. If you require that, it’s really got to wait until after the incident is resolved. And I think by all means, I appreciate the people who send hug ops and want to buy us coffee or whatever it is. That’s very thoughtful. I appreciate it. But really the time for building a new relationship and investing in a new solution is going to be after that thing has passed. I think the moment that thing has passed, I’m more than happy to have teams take a look at what it is that we could build together. But you really have to think about the timing and what’s involved in integrating some new solution into an environment.

[David Spark] Well, what about this just providing additional hands? I’m going to use another example that Steve Zalewski, who is the other cohost of this very show, has said. He used to be the CISO over at Levi Strauss, and his direct competitors, he would say to them, “If you are in a situation…” And he’s actually done this. “My team is your team.” He would lend his teams, manpower, and knowledge to help out. I’m thinking vendors could do that.

[Geoff Belknap] It’s tough for vendors. There’s a bunch of…

[David Spark] I know, because there’s so many things that they can’t say, can’t do, that kind of thing. I know.

[Geoff Belknap] Exactly. There’s skillset issues. There’s legal issues. There might be NDA. There might be PII or PHI, or regulated data involved. It is so difficult. That’s why it’s really hard… Yes, if I’m using buckets with holes in them, and you have a hose, and you’re my neighbor, absolutely give me a hand. But the reality of what Angela and I deal with on a day to day basis is it’s just much more complicated than these simple analogies.

[David Spark] Yeah, I know.

[Angela Williams] Totally. I think going back to my comment about the strategic partners, through my career I have kind of anchored around a couple vendors that have been able to deliver really good solutions for me. They bring the A-team to the table, not the C-squad, when I need something deployed. Especially if it’s complex. And having those constant conversations over the years when something is on fire like a data exposure or data breach, these are the people I know I can call up. And they’re not going to try to oversell me. They’re not going to try to do something that’s going to be disruptive. They’re way more sensitive to the fact that I’m trying to handle the situation and get all our ducks in a row inside of the organization. And that’s why having those key relationships… You can’t have a relationship with everybody. It’s a little hard to do that. But there’s two or three that I use as my back pocket team, and they’ve been very supportive throughout the years.

Sponsor – Automox

15:10.402

[David Spark] Before we go on any further, I want to talk about Automox. If you are having vulnerability management issues, which I can’t imagine you’re not… Everyone struggles with this. You want to hear what I have to say here. Are you ready to ditch manual patching? If you haven’t already, this is the time to be thinking about it. So, every operating system requires critical patches to reduce your risk of attacks or breaches. The problem here is patching and end point management can be agonizing. Oh, if you’ve done it, you know. I don’t need to be telling you. So, with multiple tools creating interruptions that slow down your end users and complexity, takes up all of your IT team’s time. Remember when I tested you at the beginning that you really just need one person to handle this. Really that’s all you really need here. Modern patching should be easy. And with Automox, it is. Cloud based and globally available, Automox allows you to automate cross OS patch management, dramatically reducing the time, effort, and complexity it takes to manage multiple operating systems. Now you can sleep better at night knowing your IT environment is more secure. Isn’t that what you want? And don’t you want more sleep? So, interested in trying out the platform yourself? So, just go visit automox.com. That’s spelt automox.com to start a free trial and have all your end points more safe, more secure in just 15 minutes.

What are the best ways to take advantage of this?

16:43.382

[David Spark] Peter Špiřík, CISO of SUSE, said, “If you discover a new TTP of someone exploiting, it is highly appreciated if you share, one, if your product is not vulnerable, let your customers know proactively – two, if your product that the customer has in place has its limits, make it clear. Essentially everything that saves time during the hot phase is useful. And at the same time, everything that costs time without providing new value is direct damage.” And Kevin Egolf of Microsoft said something that you referred to earlier, Geoff. “I might take this approach – send gift cards for Starbucks and Red Bull for you and your team with a simple note, ‘Once the dust settles, and you’d like to learn how we are helping other organizations similar to yours, here is my contact info.’” So, I’ll start with you, Angela, on this. How do you feel about…? Because these are two different sort of angles, Peter’s and Kevin’s. How do you feel about the second one of let me just try to make you gifts… It kind of sounds like when someone dies, and people bring over food to stick in the freezer.

[Angela Williams] [Laughs] Yes.

[David Spark] It is a nice gesture because it’s one less thing to worry about. I think it’s a good idea to have one less thing to worry about. So, to a degree, it sounds good. I don’t know, Starbucks and Red Bull though does…

[Angela Williams] It sounds good. It’s just… Yeah. I do appreciate the offer. But when you’re in the heat of the moment, and someone sends you something like that, it does go in the freezer. And you forget that it’s in the freezer. Who takes it out to thaw it? Nobody.

[David Spark] [Laughs]

[Angela Williams] You might get freezer burn and just throw it out because you just don’t need it anymore. So, the second approach is definitely one of those net new, I just don’t know you yet, and I want to get to know you, so here’s something to offer. And hopefully you like some Red Bull.

[David Spark] But I think also the first approach, especially if you… For example, during Log4J, did you get communications from all your vendors saying, “Here’s where we’re vulnerable, and here’s where we’re not vulnerable on Log4J.”

[Angela Williams] Yes, everyone over communicated. Everyone wanted to share. But then you just don’t know who to listen to, which is… I go back to who is sending me this communication, and how do they know what my need really is.

[David Spark] Geoff, what about you? During that time, did you get decent communications from vendors saying, “All right, here’s the way we know we’re vulnerable. Here’s the way we’re not. Or here’s the patch for the vulnerability and what not.”

[Geoff Belknap] I think we did, but I think the more important thing is here, let’s zoom out for a second. These are two perfect examples… Great job, producer. Of how to handle or how to think about if you’re a vendor or a partner in a situation like this, how to think about how you can interact with a security team that’s dealing with a crisis.

[David Spark] And I should mention, example one is you already have a relationship. Example two, you don’t have a relationship.

[Geoff Belknap] Exactly. So, if you have a relationship with me already, by all means you can ping me, or text me, or whatever it is. And not just me. And say, “Hey, here’s what I got. Is that going to be helpful for you?” This is the equivalent of like I’ve got a hose, is it going to fix… I think this is already fits your truck, go. And if you don’t have a relationship with the security organization, sure, send some coffee, or pizza, or whatever. Maybe it’ll land. Maybe it won’t. But the other thing you can do is send some information. Just, “Hey, here’s a script of hash file, a domain, just some information about this incident that you’re fighting that may or may not be useful.” And if it was useful, I guarantee you that security team is going to remember it and circle back to you later. And that’s fantastic, and it’s cost you very little. But the important part here is do not try to build a new relationship during the crisis.

What aspects haven’t been considered?

20:34.931

[David Spark] Dean Darwin of Traceable AI said, “Too many vendors put very little time into seeing the world through the customer’s eyes and having empathy.” Which is a phrase you brought up, Angela. I think this is key, and this is what I wanted to double down on here. “Get down to solving customer problems or get out of the way,” which is kind of the theme here. I also want to throw out Olivia Rose, who works with Cyversity. And she looks at it the empathy on the complete opposite side. Said, “I hope on their behalf that their sales management gives them a break on this month’s quota push.” Which would be quite nice. Like it’s a problem for everybody right now. Because I think they might get a lot of pressure saying, “Oh, this is a hot time. This is a crisis. We’re doubling your quota.” Where literally the opposite should happen. I don’t know if that does happen or not. But, Angela, empathy is the big thing. Can you think of some specific empathy examples and share?

[Angela Williams] Yeah. So, one particular issue we had prior to me joining UL – a vendor realizing that this was just a horrible time to continue a project that we were working with them on because we just couldn’t keep that initiative moving forward. And they paused. They literally said, “We know you have your hands tied. You’ve got a million and one other things to do. We’ll stop right now. We’ll put a pin in it. Let’s pivot and talk about how can we help you with this particular ransomware or whatever it is that’s been exposed in your environment. Can we help? What do we need to do? If not, we’ll just pause until you reach back out to us and let us know when you’re ready.” I love that. I loved getting taken off the hotseat because I know they were really wanting to sell because we were buying something new. But the timing just didn’t happen really well because of something we needed to address.

[David Spark] Geoff, can you…? That’s a great example. Geoff, can you think of an empathy example?

[Geoff Belknap] I think the empathy really needs to come into play when you realize that you don’t always have a solution that’s timely for me in the moment. If you’re standing next to me while my house is burning down, now is not a good time to talk to me about how smoke detectors would have helped me sooner.

[Laughter]

[Geoff Belknap] But after I’m dealing with that… And to be clear, just because the incident is over doesn’t mean I’m done dealing with that. There’s a long tail of talking to my members, and customers, and board members, or if there’s a lawsuit involved. We can be very engaged in that. But we will want to circle back around to that. So, I think it’s very important that you have empathy about what a team might be going through at a time. I think Olivia has got a great example here of like, boy, when something as big as Log4J…when the entire internet is basically affected by this thing, you have to give BDR reps a break here for a second and be like, “Listen, no one is going to pick up the phone. No qualified lead is going to pick up the phone right now. Maybe just give it a break for a little bit and think about how you can engage better when everything is done.”

But I think the most important thing is, again, just going back to put yourself in somebody’s shoes that is dealing with a crisis and really ask yourself, “What does that person need while they’re dealing with the crisis? Is it space? Is it a little bit of information that’s going to help them? Is it pizza and treats? Or is it really the time to have the conversation about your solution?” I think the most important thing that we could take away from this is depending on what kind of solution that you’re marketing and selling, it might be a kind of thing that is very easy to integrate in a crisis. And by all means, then you should find a way to at least let everybody know that you exist so that you can contact them during a crisis. But let’s be realistic – if your thing is something where it takes a month to integrate, and it might take a quarter before you see some value from it, just give us some space, and we will have that conversation afterwards, I assure you.

[David Spark] I want to also stress that when an incident like Log4J comes up, not everybody’s product can help for that matter. That’s why it’s a good idea just to be a good community member. This is why I kind of like the providing food example or anything equivalent. Anything that alleviates pressure. Because not only do you have to deal with the incident, you just have to deal with your daily life of where am I getting my next meal. Not that you’re running out of money but more of, “I’m so stressed out, I don’t have the time to go get a meal or make a meal,” kind of a thing. Those kinds of things do sort of help in those situations. So, are you pro…? Just shifting to the, “I can’t help solve your problem in any way before, during, or after because my product isn’t in this space. But I want to be a good community member.” A, have you examples of that, Angela?

[Angela Williams] No. Mostly everyone wants to sell something.

[Laughter]

[David Spark] But you would welcome someone just saying, “I want to be a good community member.”

[Angela Williams] I absolutely would. I absolutely would. That would be really refreshing to be honest with you. If someone were to just raise their hand or extend an offer and say, “I know we can’t solve your problem, but how can we help? Please use us as a reference, or a sounding board, or a brainstorming session.” That would be great. But I’ve not had that experience unfortunately.

[David Spark] That’s actually a good point. To actually just… Especially with a very small team. Like, “Hey, I just need some more minds on this problem.” Just even… Because we were talking about they can’t really see stuff, but you could have a conference call and go, “This is what we’re seeing. What do you suggest?” What do you think of that, Geoff?

[Geoff Belknap] Yeah, look, like I said, if you have any resources to offer whatsoever, there is no harm in offering them. I think that is part of being a good member of the security community. It’s a little different if you’re going to follow that up with like, “Hey, you haven’t responded to my email. Please check a box here.” Just don’t make it about sales. But I think the thing to underscore is you can absolutely be a great member of the security community by being a member of ISSA and coming to meetings or otherwise. Just being involved in a way that is not directly sales. Look, when I meet with you, and you’re at an event like ISSA or something like that, I understand your job and my job. We can still build a relationship. It doesn’t have to be direct pushy sales.

That’s okay. But investing in building that relationship and contributing things to the community. And saying, “Hey, I’ve got some resources if you need them.” Those are always welcome. It’s just not welcome to be like, “Hey, can we schedule a call so we can talk about what your problem is?” Just be thoughtful about what’s helpful in that moment. But by all means, I encourage everyone who takes security seriously to invest in being part of their community. It’s okay if you’re a BDR or a sales rep. Go out and meet people that do security for a living and put yourself in their shoes – understand what they deal with on a regular basis. It will not only be appreciated by people like myself and Angela. You will be better at sales by learning what your target accounts are thinking about. It’s good for everybody.

[Angela Williams] Absolutely.

Closing

27:34.760

[David Spark] Awesome. Well, that brings us to the close of today. There were so many great quotes. I really loved this conversation. I love the angle that it went. I’m going to start with you, Angela. Which quote was your favorite, and why?

[Angela Williams] I had a couple of them, but I’m going to go with Vivian’s quote around the house is on fire.

[Geoff Belknap] That was a good one. That was a good one.

[Angela Williams] Yes. I love that one because she hit it spot on. While my house is on fire, lend me a hand. Lend me a hose, and then let’s talk about how that hose can be sold to me afterwards. But I love the, “Let me borrow it first because you’re helping me get my house in order and put this fire out. Then let’s talk about what that solution actually did.” That’s a really great beginning of a new relationship if we didn’t have a relationship before.

[David Spark] Geoff, your favorite quote.

[Geoff Belknap] I’m going to break a convention here and just say I really appreciate the quotes from Peter and Kevin, who talked about the two really important things you can do. If you’ve got a TTP or something like that…

[David Spark] From two different angles – I am a partner, and I don’t have a relationship.

[Geoff Belknap] Exactly. Share something you can share or just provide some support that doesn’t have to be about your product so that we can have a conversation later. Fantastic. Those are the best ways to think about this. Just know your product and know whether it’s really going to be something we can talk about or just offer some help.

[David Spark] Excellent. I have said this before – anything you do to create a true relationship with anybody on a given day versus spamming them will take you so much further. I used to say if you can make one or two true relationships a day, think about where you’d be in just a month. It’s amazing. All right, that brings us to the very end of the show. I want to thank our guest, Angela Williams, who is the senior vice president and CISO over at UL Solutions. Angela is hiring, like most of our guests, and she’ll mention that in a second. Angela, I’ll let you have the very last word of the show, so hang tight for that. Huge thanks to our sponsor, Automox.

We greatly appreciate your support. You can find more about them at automox.com. If you are struggling with vulnerability management and you want a simpler solution that works across operating systems, patch issues, get things secured the way you want them done and configured the way you want them done, check them out at automox.com. Geoff is always hiring. And if for some reason you don’t want to work with Geoff, of which today we’re still confused why someone would not want to work with Geoff… But LinkedIn is a great place to go find a job as well. Geoff, any other last thoughts on today’s conversation?

[Geoff Belknap] No, I think I’m just going to underscore always opt to build relationships for the long term. That’s always going to work out well. Because even if I don’t need what you own or what you sell, I probably have friends that do. And if you build a great relationship, we all know the number one thing you’d like to have is a referral from somebody else.

[David Spark] And you have done that. You have referred somebody to a company that you don’t use?

[Geoff Belknap] Every week, all the time. I refer people to people that I trust that have solutions that sound like they could use them. I would absolutely reach out to Angela even if I wasn’t using something but had built a trust and relationship with somebody that I thought could help her.

[David Spark] Excellent point.

[Geoff Belknap] And I would expect and hope she would do the same for me.

[Angela Williams] Absolutely.

[David Spark] All right, Angela, any last words? If somebody wanted to work with you, which it sounds like a great idea, how would they go about doing it, and should they mention that they heard you on this show?

[Angela Williams] Yes, absolutely. So, UL Solutions, go to our website. Click on careers. We are hiring. We’re going through a wonderful transformational phase right now, so I’m looking for thought leaders, strategic leaders in all the different domains within the cyber security space. I will just echo Geoff’s comment about partnership and relationships. These are relationships not only just with vendors, of course, and having that relationship but just other security leaders in the cyber security community – people you can call and say, “Hey, I got a solution. Tell me what your experience has been about it.” And if you’ve found something that didn’t work out, hopefully you have enough people in your community that will not lie to you and tell you the truth about did it work really well, or did the solution not work well. Because vendors are always going to tell you that it’s always going to work really well.

[David Spark] Always, of course.

[Angela Williams] So, you sometimes just need to balance that out a little bit.

[David Spark] Excellent. Thank you so much, Angela. And thank you to our audience as well. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.