Attract the Best Candidates with Crappy Benefits and Low Pay

If you’re up against Google, Facebook, or Apple for hiring talent, chances are pretty good that your company is not going to match their pay and benefits. If they’re the bar for salary and benefits, your business’ offerings will inevitably be subpar. How do you build your employer brand to compete in areas where you can’t match them?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our sponsored guest is Dan DeCloss (@wh33lhouse), CEO, PlexTrac.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, PlexTrac

PlexTrac is a powerful, yet simple, cybersecurity platform that centralizes all security assessments, pentest reports, audit findings, and vulnerabilities. PlexTrac transforms the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize analytics, and collaborate on remediation in real-time.

Check out PlexTrac.com/CISOSeries to learn why PlexTrac is the perfect platform for CISOs!

Full transcript

[Voiceover] Biggest mistake I ever made in security. Go.

[Dan DeCloss] The biggest mistake I ever made in cyber security was when working for the Department of Defense on a consulting engagement and hit the configure all with the DISA Gold Disk, which basically bricked the entire system. That was not fun. The fallout was many reports of what happened and a pretty sleepless weekend.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. Yes, that is your first time hearing me say that, but you’ve probably said that yourself. And I’m going to get to that in a second. I’m David Spark. I’m the producer of the CISO series. Joining me is my cohost, Mike Johnson. Mike, the sound of your voice.

[Mike Johnson] I’m here, David. I’m very excited for the impending announcement that you’ve already kind of announced.

[David Spark] Yes, I’ve already announced it. By the way, we’re available at CISOseries.com. And before I make any other announcements, I want to announce our sponsor. Our sponsor is PlexTrac, who has been a phenomenal supporter of the CISO series and all of our program… In fact, they’ve been on all of our programming. They’ve sponsored all of our programming. This is phenomenal.

[Mike Johnson] Awesome.

[David Spark] And they are the proactive security management platform. We are going to be talking about that very topic later in the show. But I do want to mention what I said at the beginning of the show. We have officially renamed the show to the CISO Series Podcast. The editorial of the show is the same. CISO-Vendor relationships is still very much part of our content. It’s just that nobody could pronounce the previous title.

[Mike Johnson] [Laughs]

[David Spark] So, after, what, three and a half years? It took us this long. We finally made the decision to finally just shorten it. And since it’s our flagship show, we realized we should just call it the CISO Series Podcast, which by the way everyone else was already calling it that.

[Mike Johnson] But, David, I finally got to the point where I could pronounce it, and now you’re changing the name. This is…

[David Spark] Oh. [Laughs]

[Mike Johnson] I just got it. I just got it.

[David Spark] So, by the way, let me ask you – whenever you told anyone about the podcast, did you actually ever say the full thing, or did you just say CISO-Vendor podcast?

[Mike Johnson] I did. I actually did pronounce it the whole way through. Because a couple times very early on in the show, you corrected me that I couldn’t even say it right on the show. So, I got it right.

[David Spark] [Laughs]

[Mike Johnson] But it was always a mouthful. It was always, “Okay, I’m going to tell you the name of the podcast. Now, just hold on. Just sit there for 30 seconds. I’ll get it all out. It’s a mouthful.” But I would always get there. Now it’s much shorter, and I think even more to the point. So, I’m really excited about the name change.

[David Spark] Yeah. And now people will be able to remember it and pronounce it. We were trying to think of other alternative names, and he goes, “But everyone is already calling it this, so why don’t we just go with what everyone is calling it?”

[Mike Johnson] Done. Good answer.

[David Spark] Yeah. All right, let’s get into the actual show because nobody wants to talk about a name change at all. Nobody does.

[Laughter]

[David Spark] I’m very thrilled to have this person on because I’ve had him on the video chat. I’ve had him on Defense in Depth. And now we get him on this show, too, as well. It is our sponsored guest, Dan DeCloss, who is the CEO of PlexTrac. Dan, thank you for joining us again.

[Dan DeCloss] Hey, thanks for having me, as always. It’s fun.

Let’s look under the hood.

3:15.288

[David Spark] Ross Young of the podcast CISO Tradecraft put together a really insightful Pareto chart showing which NIST 800-53 controls stopped the greatest number of distinct MITRE ATT&CK mappings. Now, the top three…but it’s a long list, by the way…but the top three were information system monitoring, baseline configuration, least privilege. I don’t think that’s a major surprise right there. But what’s interesting is at a certain point, adding additional controls provides a small but really negligible improvement in your security program. Again, visually what you can see here. And we’ll link to this, by the way, on the show. So, how does his chart map with the CIS Controls, Mike? And second, when do you know when to stop implementing controls?

[Mike Johnson] [Chuckles] The halting problem is always a fun one. So, I started actually mapping all of this to the CIS Controls to try and really be able to answer your question, and I gave up about a third of the way through.

[David Spark] Because it looks like there’s a good 30 in there or something like that.

[Mike Johnson] It’s a long list. But I do think there is a lot of overlap. If you take just these three – monitoring is CIS Control 8. Configuration management is CIS Control . And least privilege is kind of peppered around. So, there is some correlation with CIS. But I do want to kind of point out that this is a mapping of 800-53 to the number of techniques in ATT&CK. It’s not so much of the most prevalent, most used techniques. So, it’s kind of a quantity versus quality discussion that you kind of need to think about there. But it’s not surprising to see there’s not a perfect overlap. You would expect that when you’re prioritizing based on what’s actually in the wild, it’s going to look different than what’s here. And CIS, they think about it in terms of what they’re really seeing in the wild, and that’s how they order their list.

[David Spark] All right, I throw this one to you, Dan. Dan, what did you think of this list? I think this was very interesting given it was showing the impact of the controls. And do you have a clue of when people should stop implementing controls?

[Dan DeCloss] [Laughs] Yeah. No, it doesn’t surprise me. I think obviously I would have put like system configuration as one of the top ones. That makes a lot of sense. Because a majority of the internal techniques that an attacker is going to be utilizing is taking advantage of system misconfigurations and least privilege… Those all make very logical sense. Yeah, I don’t think you ever stop… You’re always in this kind of evaluate, and assess, and improve mentality in perpetuity. Because things are always going to come out and change. So, I don’t see ourselves ever stopping. I think that this is a good breakdown of, like, “Oh, here’s the biggest bang for our buck and where we should get started.” I like that concept. And like you said, it’s not that big of a surprise.

[David Spark] But what’s interesting about this – this is the controls mapping against the MITRE ATT&CK framework. But is there another way…? And I’ll start with you, Dan. Is there another way to know whether this sort of additional control is adding any impact, or…? It seems so impossible to measure sometimes. Because we have often dozens and dozens of controls. How do you break down which ones do…? You’d essentially have to drop all of them, see how well this one is working. And then drop that one, bring up another. You know what I mean? But sometimes they work in concert with each other. What do you think, Dan?

[Dan DeCloss] Yeah, I almost like to think of it in reverse. By testing the attack techniques, you’re actually getting better coverage to assess where…how well you’re doing with those specific control configurations. I think it’s logical… Yeah, certain controls are going to have a lot more broad coverage. System configuration covers a lot of techniques. So, I almost kind of think of it in the reverse of if I’m testing these things, then it helps validate whether I’m meeting a good threshold of compliance with these controls.

[David Spark] Mike, what’s your feeling of how well each additional control is helping?

[Mike Johnson] I don’t start with a, “Here’s a list of controls. Let’s go implement them.”

[David Spark] Oh, yeah. I mean it’s over time. Sure.

[Mike Johnson] You have to think about it the other way around, as Dan was talking about. That from my perspective, it’s, “What are my risks? What are my maturity goals? And then what are the controls to accomplish those?” That’s the direction that I come from. It’s a very interesting chart, but I think someone who started with just this chart and started working their way down, they’re going to miss a lot, and it’s not going to really land them in a good place.

Why are we still struggling with cyber security hiring?

8:10.645

[David Spark] What are you doing to build your employer brand to actually attract cyber security talent? Everybody looks to the big companies like Google, Facebook, and Apple. They have amazing employer brands and can offer amazing benefits. What are you doing to build your employer brand and attract cyber talent to your business? Have you had someone just approach you to say that they really want to work for your company, and they proved it, and you just found something for them and hired them because of that?

[Dan DeCloss] That’s a good question. At PlexTrac, we’re a young startup. So, definitely early on, you’re doing a lot of the recruiting. You’re selling the company and the idea. Now that we’ve grown, we definitely get people coming, “Hey, I’d love to work for you.” It’s indistinct roles. And it’s like, “Yeah, we’re not really hiring for that.” And if we find somebody that we’re like, “Oh, we got to get this person on the bus. We’ll do it.” So, I think that you’re going to have a mix of that. In previous jobs, I’ve definitely hired people, especially in security roles, where it’s like I knew we needed to have them. We almost just called it like a generalist or a utility player, so to speak, because they were that skilled. So, it probably just depends on the culture in the company and really what your budget is, too.

[David Spark] Mike, what are you doing to build your employer brand so people say, “Hey, I want to come here.” Again, specifically for… There’s the general employer brand that it’s no matter what position you’re in you want to kind of work for the company, and then there’s the cyber security employer brand.

[Mike Johnson] So, for us, it’s we try and get out there. We try and participate in the community, speak at conferences, blog posts, security research. All those help build your brand within that community of talent that you want to hire from. That’s kind of the key thing is targeting them participating. And people are going to go, “Oh, hey, I know who you are.” Especially given that there’s a lot of people who don’t want to work for Google. They don’t want to work for Facebook. They don’t want to work for Apple. Those are huge companies with huge security teams, and people recognize that it’s easy to get lost in those environments. So, for us, it’s a matter of, “We’re here. These are the areas that we’re looking for in security. These are the kinds of skills that we have. What we’re looking for is people to come and join who like to do these types of things. And oh, by the way, you can still have huge impact with us as an individual. You can come in and impact the entire company.” Versus if you go into Google, your impact is small relative to the company. It might actually still be big globally, but it’s small relative to the company.

[David Spark] Dan, I’d like you to close on this. Being a startup, this is I think one of the big attractors of the startup is that not only your impact can be big, but the amount of red tape you got to go through is little to none.

[Laughter]

[Dan DeCloss] Yeah, it’s nice to be nimble. We definitely use the phrase that actually was used when I was being recruited to startups. Like, “Hey, you have an opportunity to have your fingerprints all over this thing.” That will motivate certain people. That’s the kind of person that you want to attract – someone that’s going to be intrinsically motivated and excited about the mission and those kinds of things. Then as you grow, you’re going to attract different people, and you have the flexibility to be able to do that. But yes, it’s fun to be in a place where you can make a difference, and you’re not having to deal with a lot of bureaucracy for sure.

[David Spark] I will say this – years ago I used to do some work for Dice.com, the recruiting platform. I remember going to a tech fair, hiring fair. I was shooting some videos and interviewing people and asked, “What would attract you to go to a company?” And I was surprised that money only came up like twice out of like the 40 interviews I did. But what you just said of having impact, working on something that’s interesting was predominantly the most popular answer.

[Dan DeCloss] Yeah, it makes perfect sense. And I think that’s… I had an old boss, too… I’ve been mentored by people like, “Hey, money is only going to take you so far.” People have intrinsic worth and want to make sure that they’re making a difference and challenged. Those are the kinds of people you want to hire.

It’s time to play, “What’s worse?!”

12:35.164

[David Spark] All right, you know how this game is played, Dan, right?

[Dan DeCloss] Yep. Yep.

[David Spark] As always, I make Mike answer first. This “what’s worse” scenario, which is a real story, he says, Aaron Weinnberg.

[Dan DeCloss] Oh.

[David Spark] From InstallNET International. What is worse? A security team that is understaffed and under budget or a well-financed but underperforming managed security provider?

[Mike Johnson] Okay, so I think what you’ve got on the one hand on the first one, it is your own team.

[David Spark] Your own team. They could be very talented. We don’t know. But you don’t have enough of them, and you don’t have enough money. The other one is you’ve got a well-paid managed security provider, but they’re not performing.

[Mike Johnson] And the second one is the idea that you’ve outsourced to this?

[David Spark] Yes, that’s the idea.

[Mike Johnson] Okay. Okay. So, you’re paying a lot of money to an outsourced provider, and they’re not doing what you want them to.

[David Spark] Exactly.

[Mike Johnson] I really think that’s the worst one of this one. This one doesn’t feel difficult to me. We’re always understaffed. I’ve yet to meet anyone in security going, “I have everything I need.” So, we’re always understaffed. We’re always under budget.

[David Spark] No, but we’re talking extremely understaffed, extremely under budget. You could do the things you want to do, but you really can’t. [Laughs]

[Mike Johnson] Again, I think we’ve all been there, done that at some point in our careers. Really the one that I’m spending a lot of money on and not getting results, that feels like the worst one.

[David Spark] All right. That was easy for you. Dan, you were nodding your head. I’m feeling that you’re going to agree with Mike on this one.

[Dan DeCloss] My gut initially was like yeah, that seems obvious. The one question I would have is like so this is a well-funded MSSP. We have a little leverage there to say like, “Hey, you’d better. You’d better start performing. Here’s the metrics…” So, I’d almost say if you can’t stretch your understaffed and under budgeted team any further you’re going to just burn them out. So, that might feel like a little bit of a worse scenario because you…

[David Spark] That’s a very good point there, Dan.

[Mike Johnson] It is.

[Dan DeCloss] So, I’m going to go with the understaffed, under budget because you’re just not going to get any security where you could at least eke out some with the underachieving but well-funded team.

[David Spark] I like that answer, because… Mike, you were saying we’ve all been there before, but Dan puts up the good point of this ain’t going to last too long – the underfunded, under…

[Mike Johnson] It’s a very valid point, and I think that team will burn out.

[David Spark] And by the way, have you both…? And I’ve been at… Have you both been at companies where you are an underpaid staffer and yet you see the company overpaying contractors who are doing work that you know you could have done?

[Mike Johnson] I work in government contracting.

[Laughter]

[Mike Johnson] The answer is yes.

[Crosstalk 00:15:24]

[Mike Johnson] …federal government.

[David Spark] Yeah, there you go. It’s aggravating beyond belief. Yes, it is.

Please. Enough. No. More.

15:31.157

[David Spark] So, today’s topic is proactive security. We’re talking about sort of essentially getting ahead of what could happen to you I think is what we mean by proactive security. So, Mike, what have you heard enough about with this sort of idea of proactive security, getting ahead of what might happen to you? And what would you like to hear a lot more?

[Mike Johnson] I think most people, when they hear proactive security as a concept, where they go is prevention. Like, “How do I just stop the thing from happening?” That’s immediately where the mind goes.

[David Spark] Prevention versus detection.

[Mike Johnson] Right. Right. Or like in the CSF world, it’s the P. It’s protect. Again, that’s where everyone goes. But I think the flipside, there’s more opportunity to think about it as you described it – how are we thinking ahead, how are we trying to get ahead of ourselves. But most people when they talk about it when I’m hearing about it, it’s really all-around prevention. So, I’d really like to hear more of, “All right, that’s great. Prevention is awesome. But what else is out there? How else can we think about security with a proactive mindset?” I’m here to hear more. I’d like to learn more.

[David Spark] Well, it’s like the common philosophy a lot of security professionals think is if you can think like an attacker then you can be sort of proactive. Do you guys have those “think like attacker” discussions, Mike?

[Mike Johnson] We do. I could go off on an entirely different rant about the “think like an attacker” mindset. But that’s certainly something that comes up. That is a way of thinking. It’s something that you should keep in mind. I don’t know that that’s necessarily proactive security, but it’s certainly a way of trying to get ahead of what might come your way.

[David Spark] It’s a way of thinking about it. All right, Dan, I’m throwing this to you, and I know that this is your mantra now for PlexTrac. Let’s just start with what have you heard enough about with when people think about proactive security?

[Dan DeCloss] I think I’ve heard enough talk and would like to see more action. Hear more about the wins that you’re getting and actually implementing it. I think people love to talk about the pentest that they did last year as opposed to how are you doing this in a periodic and continuous basis. So, I’d like to hear more about how you’re implementing it into your overall strategy.

[David Spark] I guess maybe how are you looping this entire process, I guess if you will? As in you’re testing, you’re evaluating, you’re refining, you’re testing again, and essentially the circle of cyber security life, if you will.

[Dan DeCloss] I like to think of it as this is how you can actually show progress and improvement. So, like, “Hey, if you wanted to see how well you could be doing against the MITRE ATT&CK framework or the CIS Controls, how are you measuring your ability to make a difference on those controls?” So, the only way you can do that is by assessing it and implementing different components of a proactive strategy. Like tabletop exercises, Purple Team collaborative engagements, penetration testing, proactive risk assessments. Really what we’re trying to get is that, “Hey, we spend a lot of time, and a lot of effort, and a lot of money on the reactive and the responsive side,” which is very knee jerkish. And it’s very tactical. Like, “Okay, we just got…our VPN was popped because we didn’t have MFAs. We better go do that.” As opposed to being in a proactive mindset of like, “Hey, where would our biggest gaps be, and how do we assess how we’re doing there? Which controls are working the best? Which ones aren’t?” So, I really view it as a paradigm shift in how we approach getting a return on investment from our security investments already.

[David Spark] Let me go to you, Mike, just for a second on this. Do you believe that if we are only reactive…? And again, this is sort of like a shoot from the hip answer I’m looking here.

[Mike Johnson] Hot take.

[David Spark] Hot take if you will. What grinds your gears? Do you think that a reactive security mindset is what is contributing to burn out?

[Mike Johnson] I think what we’ve found ourselves is we quite often feel like that’s the only thing we have. Like the only thing we can do is react. It’s hard to go out and convince someone, “Hey, you need to go and fix this thing.” It’s much easier to go out and convince them after that thing has already been broken. So, I think there’s some amount of you can call it learned helplessness, of backed in a corner where we are thinking reactively and not spending as much time on the proactive side of things.

[David Spark] All right, so this is one I want to come back to. That one of the complaints that is often heard in cyber security is how do you show a win. Well, if you are doing as you just describe, a proactive development where you’re iterating and showing actual improvement, that’s something you can show. My feeling is that would not contribute to burnout because people would see it as a sort of show some sense of success there. And actually, by the way, this is where I want to sort of open up a platform for you. Please explain how you’re doing this with PlexTrac in terms of sort of building this sort of proactive loop if you will.

[Dan DeCloss] Yeah, yeah. Absolutely. No, thank you. So, yeah, we really empower our security teams to manage the workflows around those proactive elements of their security program. Being able to manage their tabletop exercises, their Purple Team engagements, being able to consolidate all of their pentests into one spot and even write their pentest reports more effectively and efficiently, and aggregating all that together. And then being able to show, “Hey, here’s who’s remediating them. Here’s the progress we’ve made. Here’s… We have analytics for year over year comparisons and comparisons against different business units,” and things like that. So, it really helps to go like, “Here’s where we started.” And we continue to get into this mindset of we’re going to do assessments periodically, continuously while we loop in those annual audits and those requirements for any regulations. But being able to aggregate all those proactive assessments together, show the progress we’ve made on fixing the issues that were identified. But also, “Hey, as we keep going, we’re having less and less issues in this area, but now we’re showing more gaps in these areas,” because that just really shows maturity. So, it really is this feeling of control and actually having more control in terms of like we know we have a gap in lateral movement let’s say. Being able to detect lateral movement, so we’re going to start testing that on a continuous basis and be able to show progress over time.

[David Spark] Let me ask you a question about… Think of your most successful customer. Like the one customer that really got your application, embraced it, and really worked it hard. What is it that they did that made them so successful with your tool?

[Dan DeCloss] We have lots of wins. Our most successful customer would have been like, “Hey…” For one example, “We’re going to start doing Purple Team exercises every Thursday, and we’re going to use PlexTrac to do that. And be able to track and monitor the progress.” And so now they have all this data to show, “Here’s the things that we’ve done, things that have worked, things that haven’t, and improvement over time.” So, it really does… It brings that data and analytical component to the workflow, and it eliminates that feeling of like, “I don’t know what I should be working on, but I feel overwhelmed.” [Laughs]

[David Spark] So, it is bringing an element of metrics, of which we talk about endlessly on this show. And if you’re doing it in more continuous, weekly rather than yearly… Because God knows if you do it 52 times, it’s got to be better than once a year.

[Dan DeCloss] Right. Yep, exactly.

What works? What’s not working?

23:17.301

[David Spark] Continuing from our last conversation, how should you review your pentest results? So, a really nice writeup on SoftwareSecured offers some tips such as replicate all known issues. So, after you do the pentest like just do it again. Whatever the known issue is, do it again to see if there are any false positives and to better understand internally what the issue is. Also rate your risk. And lastly, determine a resolution for each risk. So, are you going to eliminate it? Are you going to reduce it, manage it, or just flat out accept it? And then you should obviously implement the fixes, review the process. Now, all these are great steps. I’ll start with you, Mike. Do you have any experiential advice for any of these steps that has greatly benefited you?

[Mike Johnson] The one that really stood out to me, frankly, was the first one that you highlighted here was about the reproduction of issues. The reproduction of findings. But I came at it slightly different for different reasons than what the author was talking about. My way of looking at it is that if you can’t reproduce the particular finding, if you can’t do it yourself, then how can you validate if it’s fixed. At some point it’s going to take… Even if you hand it over to an engineering team, maybe it’s a complex issue, it might take them weeks to actually solve the particular issue. You’re not going to call back this third-party tester to do it again. But if you’re able to replicate it yourself, you can now validate that it’s been fixed. So, that one I think is really important for different reasons than they highlighted. I also think about rating the risks. I agree with it, but I’d tweak it a little bit. I expect my tester to say, “Hey, here’s the particular set of risks. Here’s the order.” But what I want to do is look at that ourselves so we can talk about where we disagree and understand why that disagreement is there. Maybe there is a compensating control that they’re not aware of, and we can have that discussion. Or maybe it’s the other way where they’re making an assumption that, “Oh, well, we found this little thing.” And then we go and look at it and go, “You actually only scratched the surface. This is huge. This is actually our highest risk in this particular test.” So, that ranking and rating is really important, and it’s really important to be a dialogue with your tester.

[David Spark] All right, Dan, I throw this to you. I think this is more of a question for your customers in terms of what experience they’ve had with this stuff and how they’ve greatly benefited. So, what have you seen?

[Dan DeCloss] Yeah, I know this was actually unintentional, but this is like teeing up a perfect use case for PlexTrac. I was a former pentester. I started at PlexTrac exactly for this reason – is once we get the results, what are we supposed to do with them. [Laughs]

[David Spark] And by the way, let me just pause here for a second. This story we’ve heard a billion times before is the pentest was made for compliance. It’s shelved, and then you do it again next year and report and create the same damn report. And you did that many times yourself, yes?

[Dan DeCloss] I hated rewriting the same report. Like yeah, they were paying me. But I’m like, “This is not working. This is a problem.” And so that’s exactly what PlexTrac was initially created for was you have these results, now you can actually start to prioritize them. You get the initial rating from the pentester, and now you can assign it out to people. And you can have this collaborative experience in terms of commenting on them. So, really this is what our customers are using PlexTrac for in one use case in terms of being able to manage these pentest results. And then you have those analytics of like how many results got closed out, how many results got risk accepted, those kinds of things. And you have a system of record at that point, too. If one of these issues gets reopened or is identified the next year, you can start to learn, “Okay, well, we tried to fix it last year. Here was what we tried last year. And clearly that didn’t work, so now we need to find a different way to fix it.” As well as validation and all those things.

[Mike Johnson] Dan, I have a question for you, and I’ve been sitting on this ever since you were talking about PlexTrac. One very specific question – do y’all integrate with Jira?

[Dan DeCloss] We do, yes. Exactly.

[Mike Johnson] Excellent.

[Dan DeCloss] Yeah, it’s been one of the earliest integrations we’ve ever had. Because yeah, you don’t want to interrupt the workflow of the teams that are actually responsible for fixing them. But as a security team, you want the metrics on how long have these been open, where are they, can I make comments and get feedback.

[David Spark] So, anecdotally tell me this – your customers come to you. What is the situation they’re in? Like, “Oh my God, I need PlexTrac because…” Either like you described, “We’re doing one report a year. It’s the same darn thing every year.” Is that the most common, or is there…? What is the reason they come to you?

[Dan DeCloss] Yeah, I think it’s a mix. It’s like, “Yeah, okay. We want to get more proactive. We want to start doing this on a routine and regular basis. But we also are getting audited periodically, and we want to make sure that we have a good handle on those activities as well.” So, being able to normalize and aggregate all that data, do more proactive assessments, bring in data from other sources like vuln scanners to compare and correlate as well. So, it’s a variety of things, but it’s definitely… We’ve got way too much data that we need to get a better handle on and have more visibility in how we’re fixing these things.

Closing

28:56.940

[David Spark] Excellent. Thank you very much, Dan. Thank you very much, Mike. And I want to thank your company, PlexTrac, for sponsoring this very episode and for being a great sponsor of the CISO Series as well. And being, by the way, on the very first newly labeled name, CISO Series Podcast. Notice how much easier I can say it now.

[Dan DeCloss] Yeah.

[Mike Johnson] I’m waiting for the closure of the show, David, to see if you get it right.

[David Spark] I will get it right. Don’t worry about it.

[Laughter]

[David Spark] By the way, Dan, I’m going to let you have the last word. And by the way, make any offer you’d like to our audience. And I asked all our guests if you’re hiring, so make sure you have an answer to that. Mike, any last thoughts?

[Mike Johnson] Dan, thank you for joining us. What I really appreciated was you bringing your perspective as a former penetration tester. That’s not something that we hear enough people discussing or coming from that background on the show. So, that way that you think about things, to be able to talk about your history, your experience in that world, I really appreciated listening to that and having the opportunity to talk with you about it. The one thing that really kind of stuck with me was your comment about how you hated to write the same results twice. Like to do two different tests, but you’re writing the same results. I think that’s really something that should stick in people’s minds that if your penetration tester is writing the same results twice, there’s a failure somewhere else. So, thank you for that specific tip. But also bringing your perspective as a penetration tester to our show and to our audience. Thank you, Dan.

[Dan DeCloss] Yeah, absolutely. No, thank you. Yeah, thanks for having me. It’s great to be on the new branded show – the first guest. Thank you for being a great partner with PlexTrac. We are definitely on a mission to make people’s lives better and keep them focused on the right things.

[David Spark] Kind of the same mission of this show, for that matter.

[Dan DeCloss] Yeah, exactly. So, yeah, we’re hiring. We’re definitely hiring. So, go to our website and definitely hit us up.

[David Spark] Huge advantages for working for a startup like PlexTrac.

[Dan DeCloss] Exactly, yep. You’ve got flexibility. You’ve got fun.

[David Spark] And you hire virtually, right?

[Dan DeCloss] We do, yep. We’ve got people all over the US, and so we’re on a mission to make the security world better. And so we’d love to have you help us, come solve those problems.

[David Spark] By the way, for those people who don’t know, PlexTrac is spelled PlexTrac.com. Any offer, or anything special, or any way to connect with you you want to suggest for our audience?

[Dan DeCloss] Yeah, definitely hit us up for a demo and mention that you are on the CISO Series, and we will give you a free month of PlexTrac software.

[Mike Johnson] Awesome.

[David Spark] Sounds good. All right. Well, thank you very much, Dan. Thank you very much, Mike. Thank you very much to PlexTrac as well. And thank you to the audience. We greatly appreciate… Listen to this, we’re going to have the new close. I’m going to say this right, Mike. We greatly appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.