We’ve heard the question “How secure are we?” many times, and we know what it really means.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Kevin Morrison, CISO, Alaska Air.

Got feedback? Join the conversation on LinkedIn.

Thanks to our episode sponsor, Enso

Enso, an Application Security Posture Management platform, helps security teams scale and gain control over their AppSec programs. Enso discovers application inventory, ownership and risk to easily build and enforce security policies and transform AppSec into an automated, systematic discipline.

Full transcript

Voiceover

10 second security tip, go.

Kevin Morrison

The third-party audit of your environment, understand the legacy connections that exist and making sure that you understand what all of those are and if they’re truly required for business.

Voiceover

It’s time to begin the “CISO Security Vendor Relationship” podcast.

David Spark

Welcome to the “CISO Security Vendor Relationship” podcast. My name is David Spark, I am the producer of the CISO Series and joining me on a semi-regular basis is my co-host Andy Ellis, who’s the operating partner over at YL Ventures. Andy let’s hear the sound of your voice.

Andy Ellis

Hey, David, I’m happy to be the rotisserie co-host, since I’ve been sort of rotating around a little bit here.

David Spark

Now that you’ve mentioned rotisserie co-host, we all have this wonderful visual of you on a spit, rotating around.

Andy Ellis

I suspect there’s awful lot of people who’ve been looking forward to that for many years.

David Spark

[LAUGHS] We are available at CISOSeries.com. We have five programs, we do four weekly, one daily, our headline show is daily, and we have a live show that we do every Friday at 10 am Pacific. More and all of that is on our website at CISOSeries.com. Our sponsor for today’s episode is Enso. Eliminate AppSec chaos. Bring agility and scalability to your AppSec program. More about that later in the show. Andy, I am thrilled to hear about you put a proposal in for a talk at RSA, and it is on blockchain, which is extraordinarily hot. We don’t talk about it nearly as much on this show, but could you give us just a taste of what that proposal is and maybe we can drum up some interest from this audience to essentially leverage the RSA board to their decision making board to push for your talk. What is that talk going to be?

Andy Ellis

Well, you know there was a talk being given by somebody else about whether or not blockchain was the solution that we needed to fix TCP IP and I decided I would do a generic version of that talk applicable to any technology, titled, “Is blockchain the solution we need to whatever?” The answer is no. have a nice day. You can now spend the rest of my talk time getting drinks.

David Spark

So, if you wanna see Andy actually say that in person, I mean, you heard it now, but you can see him say that in person, definitely push for this with the RSA board. I think that’s a great idea. Andy.

Andy Ellis

Thank you.

David Spark

Alright. With that being said, let’s bring on our guest, who I’m very excited to have on the show. He is the CISO with Alaska Air, it is Kevin Morrison, Kevin. Thank you so much for joining us.

Kevin Morrison

Thank you David, good to be with you.

How scared should we be?

00:02:53:15

David Spark

On the cybersecurity subreddit, one user is astonished with how poor his multi-national bank security is. To secure an account at this bank you use a six to eight digital numeric-only password with no multi-factor authentication. There were more than a hundred responses to this redditor’s post with the most popular being “Sounds like you need a new bank.” Now, this is a really obvious red flag. Now, I’m gonna start with you, Andy. What are some obvious and not-so-obvious security red flags you’ve seen with potential business partners? And when does a red flag scream, “Run away”? And when do you say to yourself, “Let’s investigate further and maybe we can do business with them”?

Andy Ellis

You know, I saw this one, and I was dying laughing because I had the exact same story, and I think the worst ones are the ones that are employee based vendors. Think about the financial services firm that handles your employee stock options, or the benefits firm that handles disability processing. They have some of the worst security practices and there’s no leverage because the person who buys it isn’t directly impacted. I recall many, many years ago and I won’t name the very large investment bank, but similar thing, six character password and if you needed a password reset, it asks for your mother’s maiden name. And so I put that in and it didn’t work, so I had to call in, they said, well, what’s your mother’s maiden name and I told them, and it worked for them. And I’m like, “I literally typed this into your website.” He says, “Well, did you put it in all caps?” And I said, “My mother’s maiden name isn’t in all caps.” But that was just how they’d entered it into the system. And so, you know, I the, not yet the CISO but certainly the person in charge of security reached out to our finance team and said, “Hey, can you put some pressure on this vendor to improve things?” And it was one of those mutual relationships, we were also a vendor to them. So about three days later I get a phone call from a senior executive at the financial services firm that basically says, “Look, I recognize you want to improve security but we also like using your service, so which one do you wanna have more?”

David Spark

What was the end result of that?

Andy Ellis

They eventually fixed it, like a decade later. But they basically said if we kept pushing on it, they would stop giving us money, and it’s not like we were gonna stop giving them money.

David Spark

Alright. I throw this one to you, Kevin. What is the red flag situations that you’ve seen and how have you dealt with it? And when it is run away and when do you say we can work with this?

Kevin Morrison

In this day and age, we definitely look for organizations that we partner with to have a mature incident response plan. If they don’t and as a partner to us, depending on what they’re providing, if it’s a connection to us or if it’s a soft rated service, whatever it might be, there’s still going to be some dependency on that vendor providing some service or good to us. So having some way to understand the risk associated with that and making sure that they’re well prepared and have practiced their incident response in this day and age is critical.

David Spark

Have you seen anything as bad as sort of the six digit numeric only password with a finance?

Kevin Morrison

Fortunately not, I think that one takes the cake. I think that person is right with the comments they’re received to run away and look for a new bank.

David Spark

OK, so let’s say you have a partner or you’re looking at a partner that has a pretty poor incident response plan. I got to assume the quality of their service versus how poor their security is, you know, you’re weighing those, you know, this has an amazing service with crappy security. You’re like, I think we could try to work with this, I guess I’m assuming don’t want to put words in your mouth, but what do you do in a situation like that?

Kevin Morrison

We look to understand what is the criticality of what they’re providing to the business, right? So what’s the dependency there? Are there alternatives? Why have we selected this particular vendor for this particular service? And what are the timelines involved, right? Is the business hot and heavy on this and they need to get this done ASAP? Or is this something that we can come back to the drawing table and recommend alternatives for something else that would be a little less risky to the organization.

David Spark

And when it comes back ASAP, what do you do?

Kevin Morrison

Well, at that point, we can say, OK, here’s the risk associated with it. Here’s the controls that we can look to help them put in place, to mitigate, or these are the drop dead bare requirements that we need to make sure that are in place before we can accept the risk associated with that. And to that extent, it’s not our job as a security organization to accept risk. It’s our job to highlight what that risk is and if the business is OK with it, then, you know, we’ve documented and make sure that we have truly communicated what that is and what the alternatives could be.

Andy Ellis

Sometimes there’s a useful trick you can do here. Which is you say, look, they don’t have a good incident response plan or this plan or that plan, and we recommend that the business implement a process wrapper around that to help migrate the risk. And now you’re basically being very directive to the business about what they need to do to mitigate the risk. And once you phrased it that way, then it’s really hard for them to ignore the problem.

What’s a CISO to do?

00:08:08:06

David Spark

How necessary is it to know patterns of where and how criminals are going to attack? An interesting article by Vince Warrington, on ITProPortal, outlines some new attack and revenue schemes by cybercriminals in gaming, education, and home networks. I’ll start with you again, Andy, on this. Does your security program actually change when you read stuff like this, or is it more just interesting to note? And if not this, over the history of your working in cybersecurity, what were some pivotal changes in cybercrime that caused you to make a significant change in your security program?

Andy Ellis

So, it’s really important to use this data, really to touch base on your own understanding of the industry. Like, you made bets about what was going to happen in the future and designed your program to defend against it, so as the criminals are changing, or any advisory, whether they’re a criminal or not, you wanna make sure they’re changing within the envelope you planned for. ‘Cause if they’re changing outside of that envelope, maybe you do have to maybe change your system. But hopefully you don’t. So this should really just be a thought exercise that says, “Hey, here’s what they’re doing, we’re defended against that, right?” and if we’re not, oh, now we have to do something. And I’d say my pivotal moment that was massively disruptive was Operation Aurora when we started to see nation states breaking into enterprises and doing lateral movement. And out of Operation Aurora, you know, Akamaibuilt its zero trust service Enterprise Application Access, Google went and did Beyond Corp. like, a bunch of us made that big shift. Because that was not in our model of what we really needed to worry about.

David Spark

Good example. Alright, Kevin. What’s your take on this? When you read this kind of stuff, do you adapt? Do you do a thought exercise like Andy did? And was there a pivotal moment for you that you did a major shift in your security program?

Kevin Morrison

Yeah, similar to Andy, I think it’s a combination of both for it, you adapt and have a thought exercise around that and understand, OK, where are we in the maturation of our program? Do we have the controls in place that can address X, Y and Z, whatever the new risk is or the new threat. So to that extent, yeah, we looked to make sure that we’ve got the appropriate controls. But, it’s a cat and mouse game and it will continue to be that way. If you focus on having good hygiene and doing the very basics very well, you can mitigate a lot of the risk that exists out there. I know they’re called APT but to be honest, I love the advance persistent threats that exist out there, if you’re doing what we’ve been preaching for the last decade in having a Defense in Depth approach across all the different, you know, variables within information security, then you can be successful. It’s not to say it’s fool proof, right? Because the saying goes, it only takes one person to click on it, right? So you know, they’ve gotta be right once. You gotta be right a hundred percent of the time. So, but I think focusing on those hygiene elements and really doing the basics well, can certainly help. You know, it’s your last question. I think recently the volume of ransomware attacks has us and other companies focused really heavily on, we’ve been preaching about this for a while now, but here are the controls that we believe will help detect, prevent, mitigate the risk associated with this. Are we prepared?

David Spark

And you know, we were just recording this on a completely separate episode and I asked, “Is this a question of being able to protect? Or this this about building resilient organization that can get up to speed with ransomware.” Are you shifting your focus as a result, like, it’s gonna get in, the question is, how do we stay resilient against it?

Kevin Morrison

Yeah, great question and I think it’s both. I think it’s being prepared to hopefully prevent it, where possible, and to be resilient if and when it does occur. Making sure that you’ve got appropriate segmented back ups and the strategy associated with that, etcetera.

Sponsor – Enso

00:12:20:14

Steve Prentice

The high velocity of R&D allows organizations to rapidly introduce and change applications but it also creates complexity for AppSec teams who struggle to continuously manager their application security posture. Enso is an application security posture management platform that helps teams build and enforce security policies and transform into an automated, systematic discipline without interfering with development. Here is Roy Erlich, CEO and co-founder of Enso security.

Roy Erlich

We do it by tapping into existing DevOps and R&D tools and data on the specific relevant pieces of information that we should take care of from application security perspective. After we gained the full visibility and gathering the control, we start and take the same approach by gathering to the different obstacles and controls in order to make sure that we all the data both from R&D and AppSec inspecting in a single pane of glass.

Steve Prentice

Roy tells me they differentiate themselves through the use of their automated ASPM tool. ASPM enables users to spot the most important assets and remain focused on protecting them.

Roy Erlich

Enso introduced a new category to disable security wall. While there are a decent numbers of players in the traditional AppSec domain, Enso’s focus is on collecting the right data, performing a smart analysis and enabling autonomous enforcement a one stop shop for AppSec team.

Steve Prentice

For more information, visit Enso.security.

It’s time to play, “What’s Worse?!”

00:13:59:23

David Spark

Kevin, I know you know how to play this game. It’s pretty much a risk management exercise, and Andy, you are going to have your first case of a What’s Worse, where they’ll be more than two options here.

Andy Ellis

Ooh. Do I have to rank order them? Or do I just have to pick one?

David Spark

You can order them if you want bonus points. Kevin, you get to agree or disagree with Andy and, by the way, I always love it when our guests disagree with our host, so please, please if you feel inclined to do that, I support it. This comes from Jason Dance of Greenwich Associates, who notes, by the way, he thinks he read this somewhere else and he just can’t remember who he was going to give credit to, so we’re going to give credit to Jason here, but if you actually wrote this out there, or published it, feel free to pipe up, I’ll give you credit.

Andy Ellis

I’ll laugh if I wrote this.

David Spark

OK. [LAUGHS] Maybe you did. Alright, as a result of a major cyber breach, you lose one of the four. Your customers’ data, your employees’ personal data, your suppliers’ data, one year of revenue. What’s worse?

Andy Ellis

One year of revenue.

David Spark

One year of revenue?

Andy Ellis

Yeah.

David Spark

That’s really quick, out of the gate, why is that worse?

Andy Ellis

It just wiped the businsess out, you’re done. Everything else you can recover from.

David Spark

Really?

Andy Ellis

One year revenue, your’e done.

David Spark

So there are companies that have pretty big coffers of well over a year of revenue.

Andy Ellis

OK, there’s probably a handful of companies that for whom, maybe the one year of revenue isn’t that interesting. But one year of revenue is pretty nasty to almost any business. Like, especially if you still incurred the costs that normally went with it. Like, you didn’t say one year of profit, you said, one year of revenue. So I assume they’ll have the cost for the year.

David Spark

Yes, you’re eating the cost for the year, so.

Andy Ellis

Not a lot of companies have that bit coffers.

David Spark

OK, go ahead, Kevin.

Kevin Morrison

David, are you asking which is worse to lose?

David Spark

Yeah, so one of these four incident happens.

Kevin Morrison

Right.

David Spark

Which one is the most horrible of the four.

Andy Ellis

And just to get the bonus point, I would say next to that would be my employees’ data.

David Spark

Employees’ data two.

Andy Ellis

And then customer data and then supplier data. And I know I probably have a lot of people who will disagree with me on the employee versus customer, but I actually think the employee because the employee doesn’t have as much control contractually with you about what you do with your data, so I should think it’s more reprehensible to lose it.

David Spark

OK, so we have ranked in order one year of revenue, then employees’ data then customers’ data, then suppliers’ data. Alright, Kevin, where do you stand in What’s Worse? Again, the worst scenario of these four.

Kevin Morrison

Yeah, the worse scenario for us would be a little different. I don’t necessarily disagree. As a matter of fact on the first one, losing one year revenue would be significant for us. So, to that extent, I would say number two for us is losing our customer data. Because the brand damage associated with that, the trust element that goes along with that, that would be pretty significant. And then after that would be employee data and then after that would be our supplier data.

David Spark

You essentially said the same as Andy but you’re just swapping the customer and the employee data, correct?

Kevin Morrison

Correct.

Andy Ellis

And he works in a consumer brand, that’s completely the appropriate ordering.

David Spark

Alright. But that you did note that it is very possible that people would disagree with you on the customer and employee, and right there, Kevin disagreed. Alright, good question and we’re giving full credit to Jason Dance and if you came up with this yourself, pipe up, but until then, Jason gets full credit.

It’s time to measure the risk.

00:17:44:19

David Spark

On LinkedIn, Scott Barnabo of US Army Europe and Africa asked, “What are some effective methods to mitigate the risk of onboarding entry level cybersecurity personnel who do not have prior job experience?” Answers debated that these “entry level” people must have some experience to reduce the risk and they were referring to certifications, at least. But others offered a let them do the work, but have a senior person observing. But that would pull the senior person away from other duties potentially increasing risk in another area. So, I’ll start with you, Kevin on this. How do you handle a situation like this?

Kevin Morrison

Yes, as a matter of fact, we’ve got two interns with us right now as we speak, who are about to start their senior year in college and don’t have any true real world experience. So there’s definitely job shadowing, there’s mentoring. There is the opportunity for them to shadow different areas of our cyber security teams. But to that extent, you know, if somebody’s coming on as an FTE, with the organization, and they’re new to cybersecurity, I’ve had someone over from IT in the past who has worked closely with the team on responding to different incidents at different facilities that we’ve had with a different company. I understand you’re taking a chance on these individuals, but at the same time, if it’s somebody internal, that they know the systems, they know who to go to, the culture etcetera, then bringing them on and over to the team as a new cybersecurity person is a lot less risky, I would think, than bringing somebody in from the outside who’s brand new to both the organization and cybersecurity.

David Spark

Have you graduated up interns to full time employees?

Kevin Morrison

Sure have. Yeah. On a few occasions. And they’ve been fantastic employees.

David Spark

Do you feel that bringing them on as an intern and having them sort of get familiar with your network environment, that when you bring them on full time, that that is a significant reduction in risk, just that little step right there?

Kevin Morrison

I do. I think it provides them an opportunity to get familiar with the environment and make less mistakes. Or fewer mistakes.

Andy Ellis

You just saved me from correcting you there, Kevin.

Kevin Morrison

I know.

Andy Ellis

[LAUGHS]

Kevin Morrison

You know, as they make fewer mistakes because they’ve gotten to know the environment, they know who to go to, who to ask the questions to, know when to ask for a helping hand on X, Y or Z, and it provides us with the ability and the knowledge and insight into their work behaviors within the work environment to understand, is this somebody that we’re gonna need to have a little bit more hand holding? And a longer runway for getting comfortable within the environment? Or is it somebody that’s, they’re quite comfortable with the tools that they’re gonna be responsible for, or in the processes and relationships? There’s a number of different questions about, but I do think it reduces the risk.

David Spark

Alright, I’m throwing this one to you, Andy. You have brought on, I’m sure, a few interns and a few entry level people in your many years. What are the techniques you do to reduce the risk? And do you believe the intern step is a significant risk reducer?

Andy Ellis

First I want to say that if you’re asking this question, this is a great opportunity for you to pause and recognize that you probably do not have a great learning culture. That you aren’t set up to support people developing in their careers. And that’s OK to, ’cause you’ve asked the question, and so now you know that that’s a place to go invest in. Because if you’ve invested in that, you’ve built a system like this isn’t an issue. Like, yes, you’re bringing in an intern. The goal of bringing in an intern is so they can figure out if they want to work for you, not the other way around. We did the intern projects and you know there are so many people who do the intern program, it’s like, “How do I make sure this intern is successful at doing the work?” And I’m like, “How do you make sure the intern decided they’d like to come back to work next year when you give them a job offer?” if they happened to get anything useful done, that’s just gravy. And we wouldn’t hold that to the interns when they walked in the door. And their minds would be blown. They’re like, “I thought this was unpaid labor.” “No, we’re paying you and we’re paying you to learn if this is the place you want to work.” And then when they show up. You have this first year person. But guess what? They just took a bunch off work off of the person you hired the year before and they’re starting out by running process. Yeah, we don’t expect you to understand how to do a design review, but first we’re gonna expect you to keep track of which design reviews have been done and which ones haven’t been done and who’s doing them and then you’ll shadow somebody doing one, or whatever you job is. And so that’s just how you build the pipeline. Because the reality is, the world is not junior people and senior people. Like, that’s not binary here. You get from very junior people to less junior people, to moderate people, to occasionally senior people, and if you don’t have a path for hiring that junior person and developing them all the way up to become a senior person, you know what you’re not going to have? Anybody.

How would you handle this situation?

00:22:49:16

David Spark

Andy. Years ago at a party at RSA I remember asking you how you respond to the question “Are we secure?” It is a trick question, which you pointed out during the interview, but it still gets asked. Daniel Hooper, who is the CISO at Varo Bank, asked for how others handle it. Responses ranged from offering cat-mouse-cheese metaphors to explaining we’re doing the best we can with what we’ve got. How do you answer the question? And, I’ll go so far to ask if your senior leadership is asking the question, are you as a security leader failing? Shouldn’t they know better than to ask that question? And what question about the status of your security program would you prefer to hear from senior management?

Andy Ellis

I love this question because the response answer to the question reveals a lot about the mindset that you’re going to experience. Sometimes people are just asking for, from curiosity, they don’t have the language that we would be most comfortable with. But they say, “Are we secure? And you say, look, we’re taking reasonable precautions given the size of the investment that were making. And of course, I’m the person who’s going to ask for more money if you tell me I can ask for more money but that’s not a good indicator. All of my peers could also ask for more money and do more with the money. So, there’s a lot of great ways to sort of dance around this. But if you have somebody that’s really aiming for a yes/no answer here, that should be a really big red flag. If you have a CEO who needs you to say, “We are secure,” period, I think you have a significant problem in the business. You should not say that it’s your fault but this doesn’t mean you have failed at communication. It could be that they’re just in a really rough spot. And so if you can understand what are the specific things that they’re worried about, so that you can give them as much confidence as possible.

David Spark

Before you jump to the second part. I like the fact that to figuring out what they’re saying. My classic feeling is, if they’re asking that question, they literally just read about the most recent ransomware attack and they say, are you concerned about ransomware, it’s that your specific concern?

Andy Ellis

It might be that. If they’re surprised by something, like, “Oh, there’s an incident that should never have happened,” and now they want to know that an incident like that will never happen again. And you’re sitting here, going “By definition, I didn’t know about that incident the day before it happened. I thought we were covered there, clearly we weren’t. And so now you’re asking me are we covered against all other possible incidents I haven’t predicted, the answer of course is no, because I don’t know. I think we are.” But it’s a rough spot to be in because you have people that want to pay you to stay up at night and they won’t really want to hear that the world’s a little bit uncertain.

David Spark

Alright, pause on what you do want to hear because I want to hear Kevin’s answer on this first part. So I’ll ask you, Kevin. How do you respond to the “Are we secure?” question?

Kevin Morrison

You know, David, fortunately in my time in presenting to a few different boards, I’ve never been asked that question.

David Spark

Oh, you’re lucky.

Kevin Morrison

Yeah. And I’ve often wondered what I would say.

David Spark

Andy’s quite impressed. Pause for a second. You have heard this question, yes?

Andy Ellis

I have heard this question, actually not from the board. No, I haven’t had it from one board director but I’ve heard it from CEOs.

David Spark

CEOs, OK. Kevin, you have lead a charmed life as a security leader never to have heard the “Are we secure?” question.

Kevin Morrison

Well, I’ve heard a variation of that, “How secure are we?”

David Spark

Yes, that’s the same thing, yes.

Andy Ellis

Well, it’s not the same he hasn’t have to answer binary.

David Spark

That’s true, OK. So how do you answer? I’ll say you can answer either one. How do you answer the “How secure are we?” or “Are we secure?” questions?

Kevin Morrison

You know, if executives did ask “Are we secure?” You’d have to say no, because unless you’re unplugged from the internet or turned off all the computers, you can never say.

Andy Ellis

Yeah, but then you don’t have a business.

Kevin Morrison

Exactly. You know, there’s a risk of doing business online and that includes cybersecurity incidents. In this day and age, I think that’s just part of doing business, so, as far as answering the question, “How secure are we?” If you’re measuring yourself against framework, whether it’s ISO 27001, this cybersercurity framework, CIS 20, whatever that might be. And you’re saying, based on our risk profile, and based on where we are as a team with how long it’s been in place, the maturity of what we’ve got, etcetera, at that point you can gage and start to measure and trend your program over time and say, “This is where we are.” And then have a third party come in and do their own assessment and compare and contrast. This is where we think we are, maturity wise, that kind of provides a view for whoever’s asking the question. But that’s our assessment. Let’s bring in somebody else to either say, “Yeah, we agree” or we disagree. And if we disagree then where are the shortcomings and what do we need to focus on priority wise?

David Spark

Let me throw this back to you Andy, my second part. What would be the perfect question you would like to hear? And it can’t be, “I think you’re phenomenal, I want to give you a raise.”

Andy Ellis

You rephrase the question, how much of a raise.

David Spark

How much of a raise would you like?

Andy Ellis

The right question is, “What is the most worrisome risk that we are accepting?” because every security program has to draw a line. Every risk mitigation program draws a line, and if you assume that everything above the line is correctly prioritized, then the right question is, “What’s the thing that’s just under the line?” So that you can understand, as a business, that you have drawn the line in a reasonable place. Because you should be worried about whatever that thing is, but you should recognize that here’s the 20 things above it and there is 20 things in the non-security space above it and 50 things over in finance and yes, you’re comfortable at that risk, that makes you all a little bit worried, is an appropriate decision for us to make, that we shouldn’t be shifting funding around.

David Spark

And has anyone ever asked you that question?

Andy Ellis

I’ve made them ask me the question, they didn’t really want to hear the question or the answer, but I think that’s the question that we should be talking about is, “What’s the thing that worries us most that there’s nothing we can do about it right now?”

David Spark

Which is the more targeted variation of the classic, “What keeps you up at night?”

Andy Ellis

Right. But the important piece about this is for the board and the CEO to understand that this is not the security team making a bad choice, that it’s under the line, it’s the line couldn’t go any lower. And everything above the line is more important than that one.

David Spark

OK. Kevin. I throw it to you, do you have a question you prefer to hear?

Kevin Morrison

I don’t know necessarily that I I’d prefer to hear one. I think Andy highlighted that pretty well. As the different questions get asked through board conversations, in my current board, it’s really a discussion. There’s no PowerPoint. We provide a memo, but it’s really a discussion, so the questions vary. And to Andy’s point, it’s “What’s keeping you awake at night? What’s the biggest risk to the organization? And what are we doing about it?” So sometimes that will stay the same for a few quarters and sometimes it’s front and center. Case in point in Q1 when everybody was talking about solar winds and third party supplier breaches. Right? Because you’re putting that trust in those third parties that are coming into your environment. And there’s not a lot that we can do at this stage to prevent that type of activity occurring within your environment, if you’ve got those trusted relationships. And it’s a software update that you’re downloading. Right? So those are the types of questions that vary from conversation to conversation.

Closing

00:31:03:13

David Spark

And we will end our conversation right here as well. Thank you Kevin Morrison. Thank you Andy Ellis. Kevin, stay put for a second because I’m going to let you have the very last word and the question I always ask our guests, especially CISOs is, are you hiring? So please have an answer to that. Andy, any last words for our guest or on any of the topics today?

Andy Ellis

I want to highlight something Kevin started with when he talked about legacy connections into your environment and challenge our listeners to think about how many of the big breaches came through companies that none of you had heard of? How many people knew who Solar Winds was? Or Kaseya, or who the Ukranian Tax software company, whose name I can’t remember is? Right? Tons of these breaches are coming in through connections that security teams have been dismissing and ignoring because they’re not in our bailiwick, they’re run by somebody in IT. And I think that’s a place we need to pay more attention to as a discipline. 

David Spark

Good point. Kevin, any last words and are you hiring?

Kevin Morrison

As I mentioned at the beginning of this show, I really think hygiene is the biggest focus.

David Spark

We talk about that a lot on this show.

Kevin Morrison

Yeah, I believe it. It’s something that we’ve tried to move the needle on for quite some time, unfortunately I think organizations are now understanding the risk that exists out there and what we need to do to reduce the risk and mitigate it. So I’m encouraged by the conversation that is occurring at a hiring level now. Are we hiring? Fortunately we’re in a position where we just back filled our last few positions and some natural attrition that’s occurred over the year. So at this point we do not have any open positions.

David Spark

Oh, one of the few. But do you still take on interns?

Kevin Morrison

We don’t have any intern positions open, and the two that we’ve already filled on the team, so we will do interns again next summer, we do them every year.

David Spark

OK. Excellent. Thank you very much, Kevin, thank you very much, Andy. And a huge thanks to our sponsor Enso. Eliminate AppSec chaos. Just check them out at Enso dot security. And I want to thank our audience as well, we always greatly appreciate your contributions and for listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”