But I Spent All This Money. Why Are You Still Ignoring Me?


Are RSA and other big conferences worth it? It seems that fewer CISOs are actually walking the floor at these big trade shows. The really big meetings are happening outside of the conference. Why would CISOs attend these big conferences with airfares costing over $1000 and hotel rooms costing $500 to $800 a night? Are the customers and vendors getting priced out?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jessica Ferguson, CISO, DocuSign.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, SlashNext

SlashNext protects the modern workforce from phishing and human hacking across all digital channels. SlashNext Complete™ utilizes our patented AI SEER™ technology to detect zero-hour phishing threats by performing dynamic run-time analysis on billions of URLs a day through virtual browsers and machine learning. Take advantage of SlashNext’s phishing defense services for email, browser, mobile, and API.

Full transcript

Intro

0:00.000

[Voiceover] Best advice I ever got in security. Go!

[Jessica Ferguson] You know, I had someone tell me once that mission number one of security is always to protect the company, regardless of what’s happening around you inside the broader organization, sales, the stock market, anything like that. The mission of the security team is always to protect the company and keep the company secure at all costs, and that’s something that I’ve always taken with me into all my roles inside of security organizations.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series, and joining me for this very episode is the one and only Mike Johnson. Mike, make some noise with your mouth so people know what sounds you make.

[Mike Johnson] I am here. It is a Monday afternoon that we’re recording this. I’m excited. This is awesome. Let’s do this! That’s my voice.

[David Spark] Yeah, that is your voice. I’m going with that.

[Mike Johnson] Yeah, that’s my voice, yeah.

[David Spark] We’re available at CISOSeries.com. For those of you who didn’t know that that was our web address, that’s it. We got tons of other programming. I’m sure you love this show, but we have tons, tons more. Our sponsor for today’s episode is SlashNext – all about phishing protection, multi-channel phishing protection for email, mobile, browser, and API. More about SlashNext later in the show.

Mike, I just got back from VidCon. This is one of the few non-cybersecurity things I do every year, and I work actually at the conference, but I brought my kids there and my wife and had a lot of fun. But one of the big things is TikTok was the premier sponsor there, and as you know, TikTok is short-form video. And also there’s an equivalent to that on Instagram, there’s an equivalent also on Facebook, and there’s an equivalent now on YouTube called YouTube Shorts. So, we are actually exploring this area, but I am going to make a callout to the community here and ask – are there cybersecurity personalities that are on any of these platforms that you really like? Because specifically TikTok, outside of like how to get a job in cybersecurity, I haven’t seen much of anything. Are you a consumer of any of these other platforms, by the way, Mike?

[Mike Johnson] So, I am not because I’m none of them. Because I’m old and I don’t have kids, so I don’t go anywhere near these platforms. But I have heard that there are some folks on TikTok, and I think one of our former guests, Kyle Tobener, has actually done some content on TikTok. It was a while ago, I don’t know if he’s still doing it, but there are some out there.

[David Spark] I’m open to that because I just want to connect and learn more about this because we’re exploring this area ourselves. But in general, the TikTok stuff that I saw, or the most high profile stuff I saw was very focused on just how to get a job in cybersecurity. Which is very valid, but I was looking for more expansive sort of cybersecurity personalities on TikTok.

[Mike Johnson] There’s got to be more out there.

[David Spark] I’m sure there is.

[Mike Johnson] It’s such a big platform, you can’t leave it behind.

[David Spark] I’m looking for advice from my fellow cybersecurity professionals. So, let me know! I’m welcome to hear it. All right, let’s bring our guest. Guess what? I saw our guest at the BSides in San Francisco. She was on a panel, and I had actually reached out to her before. She didn’t respond, and I had to hound her. Just good old-fashioned hounding. And then I ran into her on the floor at RSA, and that sealed the deal. We got her on!

[Mike Johnson] Persistence, persistence.

[David Spark] It works. It does work. I’m thrilled she’s on. She’s busy. By the way, I don’t blame her, and I don’t blame anyone else. Everyone gets unbelievably busy, and they want to do something and just things slip through the cracks, I know how this works. Anyways. Thrilled that you’re on. It is the CISO of DocuSign, a rather recent CISO at DocuSign. Very excited to have her on. It’s Jessica Ferguson. Jessica, thank you so much for joining us.

[Jessica Ferguson] Yeah, thanks for having me, David and Mike. Sorry it was a little bit of a snafu getting scheduled.

[David Spark] But you’re here!

[Jessica Ferguson] We got here, we got here.

[David Spark] We chained you to the chair. We got you for the next 40 minutes or so.

[Jessica Ferguson] This is what my admin is for.

Is this where I should put my marketing dollars?

4:28.883

[David Spark] What’s the value of the trade show floor at RSA? Lital Asher-Dotan, who’s the CMO over at Hunters, asked this question of the LinkedIn community. With roundtrip flights costing well over $1,000 and hotel rooms at $500 a night, why would a CISO pay that expense to walk a trade show floor to see new security products when they could just ping colleagues on Slack for recommendations and get a demo over Zoom and then make a purchase decision?

While that rationale is solid, we all know that RSA acts as a kind of a gravitational force that draws security professionals to one location, causing hundreds of additional satellite events to happen simultaneously. Plus, the trade show floor, seemingly bigger than ever, was packed with more than 450 vendors. So, who is that trade show floor for and is the education at the sessions worth all that expense? If RSA ceased to exist or even scaled down, then goodbye to those satellite events. Are vendors paying a necessary cost so we can all get together? What do you think, Mike?

[Mike Johnson] The math question is always an amusing one to me because it’s a $4 BART ride.

[David Spark] For you, yeah.

[Mike Johnson] And I’m already paying for my hotel.

[David Spark] So, it’s definitely not $1,000 for you to get there.

[Mike Johnson] It’s significantly less than $1,000, but it’s a fair question. It is time and expense that people are spending in order to be there. I know that I see a lot of people mocking RSA, mocking trade shows, but the reality is the presentation rooms are packed, the show floor is as busy…

[David Spark] Yeah, it was pretty busy. And it was, I think, half the audience this year, and that floor was plenty busy. And every spot for sponsors was filled on the floor, and the floor was bigger than I’ve ever seen before.

[Mike Johnson] And that right there should tell you that there’s value if there’s that many people going.

[David Spark] This was also the first one since COVID, so people were clamoring to come back.

[Mike Johnson] There’s that but if you look at the one back prior to COVID, and year after year, RSA has been growing in size.

[David Spark] Yeah. Oh, yeah, yeah. It just gets bigger and bigger.

[Mike Johnson] So, there really is – I don’t know if it’s CISOs who are walking the floor – but the reality is that center of gravity that you mentioned, I can meet with 15 of my vendors in one day, face to face.

[David Spark] Yeah, that’s pretty huge. I got a lot… I had 30 meetings at RSA. That’s unbelievable.

[Mike Johnson] That’s an opportunity that’s not available outside of it. So, that center of gravity that’s created by the vendors, there’s so much value in that. But at the same time, the material that is presented at RSA, that’s the draw. The vendors are paying to create that draw. If there was no presentations, if it was simply just a trade show floor, it would not be attended. But that combination of valuable material, the trade show, and as you also mentioned, all of what’s going on around it, everything that’s happening within a four-, five-block radius, that’s all very compelling.

[David Spark] Right. But that can’t happen unless that trade show…unless RSA is as big as it is. That’s the point I was trying to make. So, now, one of the things that people say is, “Well, CISOs aren’t on the floor.” Well, I ran into Jessica who is a CISO on the trade show floor, so I have evidence that CISOs do go to the trade show floor. Do you like to go to the trade show floor, Jessica?

[Jessica Ferguson] No.

[Laughter]

[David Spark] Was it purely an accident that I saw you there?

[Jessica Ferguson] So, it was actually purely an accident, funny enough. I had a really new employee, brand new into security, and I was like, “Okay. I’m going to take you down on the trade show floor, just so you can kind of see what it’s all about,” and walk around with the new employee, and that was serendipitously how we met up.

[David Spark] Okay.

[Jessica Ferguson] Honestly, I feel like all the CISOs I talk to, nobody’s on the trade show floor. I take pride in the fact that no vendor scanned my badge while I was there because I get enough cold calls as it is. But I do agree with what Mike said and what you said. I feel like the bigger draw to RSA is around the events that kind of get held around it, the vendor meetings. Like, it is the one place where you can go where I can run into a bunch of different CEOs from different companies that I’m working with that I need to meet with, and I can literally get 30 meetings all done in a period of a couple days and then move on. So, I think that is the value for it.

There is an interesting question of who it all is for, particularly the trade show floor, and I’ve wondered that question as well. Because I get so many cold calls, LinkedIn, I have people doing open source intelligence on my employees to go email them. The marketing around security can be a little bit obnoxious if not nauseous. And so I think that I do ask that question, on who is the trade show floor for, and it almost feels like kind of a self-perpetuating sort of situation.

[David Spark] Right. But in quick defense of the vendors, I mean, this is the number one thing I hear from vendors who want to sponsor our shows is, “We have this amazing product, nobody knows we exist.” They don’t want to be obnoxious but there’s literally 3,000 to 5,000 companies out there trying to get the attention of people like you and Mike, and it ain’t easy and I totally get that. It was the point of this whole show when we launched it was to try to pacify that relationship over time. Yes, Mike?

[Mike Johnson] That is a lot of why we’re here is to try and help that relationship. Because the reality is as CISOs, we actually need the help of these companies and vice versa. But one of the things that I’ll say just kind of on the last bit of who is the trade show floor for, I don’t think it’s for CISOs, I think it’s for our teams. And we are constantly providing the guidance to the vendors – sell to our teams, sell to our subject matter experts. They’ll then bring it to us and then we’ll have the conversation. And I think trade show floors are perfect examples of exactly that.

First 90 days of a CISO.

10:59.503

[David Spark] Jessica, you are a recent CISO at DocuSign, but not new to DocuSign, so their security posture was obviously not foreign to you when you were promoted to the role. So, I got the following question from an anonymous listener who runs a security team and wondered about this first step approach. “I do get a budget every year but right now I’m just of the mindset that before we spend anything, there are a lot of things we can do that doesn’t include ‘buy this thing.’ So, what would be the top three things you could do to improve your security posture without spending any additional money on tools?” Jessica, you first.

[Jessica Ferguson] Yeah. So, I think when you come into an environment, there are a lot of things that you can do without buying a thing. And I think that we do get a little bit into the “buy the shiny new thing” trap in security.

[David Spark] It is fun.

[Jessica Ferguson] It is fun. Right? It ties into the last segment. But asset management, do you understand where your assets are? Do you understand your cloud assets, your software assets, your infrastructure assets? How do you protect those assets? Do you have an IR process to monitor and detect on your protection systems? You can operationalize a lot of things without needing to buy things. And I think even for a new CISO, there’s this mentality that you come into a place, and you sort of need to throw out the old and bring in a new, and that’s how you show value. In my mind, you show value by operationalizing what you have. And there may be legitimate gaps in the “what you have.”

[David Spark] Dig into the tools you got already, I mean, yes?

[Jessica Ferguson] Yeah. Start with what you have. Absolutely.

[David Spark] We’ve definitely heard that. I mean, would that be one, two, and three for you?

[Jessica Ferguson] Yeah. I think that would be asset management protection, ensuring that your protection mechanisms are being monitored, and IR, ensuring that you have a good response process, yes, would be my top three. Absolutely.

[David Spark] Good three. Mike, would yours be the same, similar, different? What would you do?

[Mike Johnson] Very similar. I do think this is a “it depends heavily on the environment” kind of answer. But I really do agree that there’s so much value, as Jessica pointed out, optimize what you have today. Don’t come in and throw out what’s already there. There might actually be very good reasons for it, and you’re already paying for it. One of the things that one of the leaders on my team has taken up on is laying out all of our products, what their capabilities are, and what are those capabilities that we’re actually using. We’ve found that we might have X number of products, and we’re using maybe a third, two-thirds of their capabilities. There might be good reasons behind that, but that’s a good place to start to really understand. You might just have a whole lot of capability that you’re already paying for, so just sit down and figure out what that is.

[David Spark] I’m going to ask you both a quick question, and we’re going to get into this a little bit later in another segment. But have either of you ever reached out to your vendors who you try to “partner with more” because we hear this a lot, that, “I want a partner, not a vendor.” And have you asked them to audit your usage of their product to find where you could get more out of it? But there also may be the fear if you do that, oh, that’s an opportunity for them to upsell to you. Have either of you done so?

[Jessica Ferguson] Yes. Absolutely.

[David Spark] You have?

[Jessica Ferguson] Absolutely. And I’ve requested that vendors that we partner with, like, “Tell us where we’re not using your platform right. If there is an area where we’re just not adopting properly or we’re not integrating in the right way, show us that way.” Because Mike brought up a great point – you’re probably only using two-thirds of your products’ capabilities. I’m a big believer in the fact that we should be using 80% of the capability of a product in order to justify the continued relationship with that vendor and the continued procurement of that product. And if we can’t use the full up to 80%, then we really need to understand why and maybe it’s not a product that’s right for our environment. So, I think that it really is – and this is where kind of the leaders need to step up and really kind of be able to kind of hold that line. Because I think our technologists can get tied up in being tied to a product.

Sponsor – SlashNext

[Steve Prentice] Phishing has long been the scourge of workplace security. A single mistaken click can invite all kinds of trouble into an organization. These cost companies and individuals millions of dollars by taking advantage of people’s trust in the legitimacy of messages and their senders. Jeff Baker, director of solution engineering at SlashNext has a better idea.

[Jeff Baker] So SlashNext is going to protect the mobile device really in a two-phased approach. One is on link-based detection, meaning that when a user makes a tap, whether it’s in a browser on their mobile device, if it’s inside of an app, we’re going to intercept that outbound DNS traffic. And if we recognize that URL as being a malicious link, we’re gonna block the page from loading.

We’re not gonna let the user make a mistake and be compromised. We will, at the same time, educate the users, show them the attack page and explain to them the type of attack that was attempting to be carried out. Phase two is that SMS text. We call it business-text compromise, similar to business-email compromise.

We’re using natural language processing on that device to look for strong words like “immediate” and “urgent”, capitalization, known lists of phone numbers. There’s just many, many permutations, but we’ll use natural language processing to filter those out and get them out of the view of the user so they don’t make the mistake of making that phone call.

[Steve Prentice] For more information, visit SlashNext.com.

It’s time to play “What’s Worse?”

16:55.060

[David Spark] All right, Jessica. Have you heard the show before and know what this game is?

[Jessica Ferguson] I do know what this game is. I’ve been anticipating this.

[David Spark] Good. You’re going to like this. So, for those people who are just tuning in for the first time now – welcome. This is a risk management exercise. We get great submissions from our community. By the way, send me more. I could use a lot more bad scenarios. Again, it has to be two. And I always like, usually people do the flip side, which this one is one of those flip side ones, but two completely unique bad scenarios always throw Mike and our guest as well. So, Mike will always answer first. You can agree or disagree with Mike. Just so you know – I always like when our guests disagree with Mike because I just like it when my guests disagree with Mike, in general.

[Mike Johnson] It’s true. Yeah.

[David Spark] There you go. All right, Mike. This comes from Duane Gran, a regular listener, also very much has participated heavily in Super Cyber Friday. He’s with Converge Technology Solutions, and he has these two “What’s Worse?” scenarios. Number one – you have a dodgy vulnerability tooling that you don’t really trust, but you have a great relationship with system administrators and trust that they will remediate issues. Or the flip side which is you’ve got a top-notch vulnerability tooling that gives great insight and priorities, but you have a strained working relationship with the system administrators and can’t trust that they will actually act on the information. Which situation is worse?

[Mike Johnson] So, this is one of those that everyone in the audience right now is screaming that they know the answer.

[David Spark] It seems simple, but it isn’t here, I think.

[Mike Johnson] And I’m going to pick a side and just double down on it.

[David Spark] All right. And Jessica will hopefully go for the other side. We’ll see.

[Mike Johnson] Perfect. The thing that I always think about with a vulnerability management program is garbage in, garbage out. If I’m handing over crappy findings to another team, at best that’s all that ever gets fixed. At worst, that relationship goes into the toilet. If I’m just sending over, “Hey, this is a thing that you need to fix,” and they go and look at it and are like, “It looks fine,” and that happens over and over again, then it’s going to end up in a situation where that great relationship goes away, and nothing gets fixed. The other side is I’m giving them perfect information, and they’re taking it in the way that they feel like taking it in, I actually prefer that. My part of the job is making sure that I’m supplying them perfect information.

[David Spark] So, you feel you’re doing your role, and you’re hoping the best happens on the other end.

[Mike Johnson] And again, “What’s Worse?” scenario.

[David Spark] It is a “What’s Worse?” scenario.

[Mike Johnson] Both of these stink. And I think over time, what is likely to happen is that they will begin to trust the data more and more.

[David Spark] No, but we told you, you know how this game works. You can’t change the scenario.

[Mike Johnson] I am not trying to change the scenario; I’m telling you what is likely to happen.

[David Spark] They’ll still be buffoons.

[Mike Johnson] I don’t think so. I think we need to assume that humans are rational folks.

[David Spark] But not in this scenario.

[Mike Johnson] But I’m allowing for the other scenario that over time, the relationship will deteriorate. So, for both of these I’m bringing in outside facts. Even setting those aside, if I’m giving crappy information to a perfect team, I don’t like that. I would rather be giving perfect information to a team that just needs a little bit of help.

[David Spark] Oh! It doesn’t work like that! They’re still crappy! All right, Jessica, do you agree or disagree with Mike here?

[Jessica Ferguson] So, I have to agree with Mike on this one.

[David Spark] On the same principles or for other reasons?

[Jessica Ferguson] Yeah. Here’s my thought. I will agree that I have seen more teams bicker over the data, and so if you are giving them crappy data, they are going to use that as a sticking point on, “Well, I don’t need to patch it because your data’s all bad.” I think that I would rather have the perfect data because if I have the perfect data, I can manage the risk with the executives and with the board as a risk management exercise. The benefit of having perfect data and having a bad team is I have perfect data to say, “I perfectly understand what our vulnerability profile is and my team over here just is not mitigating it in time.” Right?

[David Spark] A great understanding of risk puts you in a good position?

[Jessica Ferguson] Absolutely. Absolutely. And as a CISO, my main job is to present risk to my stakeholders and to my board. That is the peak of my job. So, I need to have the perfect data to be able to present that risk well. So, I would rather have the perfect data and manage the team than have bad data and present bad data to my stakeholders.

How a security vendor helped me this week.

22:10.345

[David Spark] In a marketplace, information asymmetry is defined when the seller knows more about the quality of a product than the buyer. And because of this asymmetry, the vendor is not incentivized to bring high-quality products to market, and so we get lemons. Now, this theory was posed by economist George Akerlof in 1970. Information asymmetry couldn’t be higher in cybersecurity where buyers don’t even know how to properly implement products in their complex environments, let alone evaluate them.

So, this paucity of awareness has resulted in about 90% of security buyers not getting the efficacy from their products that vendors claim they could deliver, according to a panel at the RSA Conference. Now, remember this is an economist’s viewpoint, and I’m sure almost all vendors listening would disagree. So, in an article on eSecurityPlanet, Paul Shread points out the incentives around selling and purchasing are not aligned. This is why we constantly hear CISOs say they want a partner and not a vendor. And while vendors may say that, how do they really show that early on, Mike?

[Mike Johnson] For me, this is actually short and simple. Help me solve a problem that your products can’t solve. I was actually talking with a vendor friend of mine this weekend, and I don’t use their products – for reasons, doesn’t matter – but they’re always asking me how can they help. And so I took them up on that. I asked them a question, I said, “I’ve got this particular problem to solve that you might have some knowledge on,” and they gave me an answer, they shared, they helped. And that’s the kind of thing that is partnership gold because I remember that. I’m going to remember that going forward. I’m going to recognize that they’re in it for a relationship, not just a dollar.

[David Spark] That’s a good point. Now, a couple of things. One, I heard this a lot from the Israelis who go out of their way to do exactly what you said when I was in Israel about that. And also I was on a call with a bunch of CISOs and asked this very question. I’m going to add this to both of you, and I’ll have you answer, Mike, and then we’re going to go to Jessica to answer both questions. And that is are there security vendors out there that you really, really like but you’re not a customer? And the group I was with, they lit up, they’re like, “Oh, my God. Yes. Tons.” And mostly, the case is there was just no mechanism that they could bring them into the company for a variety of random reasons, but they had a lot of love for security vendors they don’t yet work with. Would you agree yourself, Mike?

[Mike Johnson] Oh, absolutely. And I think a lot of those scenarios are very similar to what you said. I don’t necessarily have that problem to solve in my company right now, or it could be that problem just never exists in my environment. If someone’s bringing me an amazing Windows desktop security solution, that’s not going to help, but I could still have a lot of respect for the company. There’s various reasons, but there’s absolutely companies that I have a lot of respect for that I’m not a customer of.

[David Spark] All right. Jessica, both questions. One is how can a vendor early on show that they’re going to be a partner, and two, are there vendors that you adore that you do not work with?

[Jessica Ferguson] Yeah. So, I think this question definitely ties up a lot of threads that we’ve been talking about, but I think that one thing that I see in the CISO community is kind of this search for silver bullets. And I feel like there’s this concept of, “I’m a CISO. I have an 18-month window. I need the first 9 months to be getting the things in and making all the changes and buying all the products, I need the silver bullet, and then trying to make the biggest impact as quickly as possible.” And I think that this really ties back into the question that we talked about earlier around how are we sure that we’re actually getting the value out of the product and regardless of what it is but ensuring that we’re actually making use of it. And if we can’t make full use of it, then maybe that’s the point where we do a change.

And I see a lot of security practitioners do this very rapid change on things. That frankly burns out teams. Like, this has happened on my team where teams have gotten burned out where, “We’re changing product, changing product, changing product,” and we’re changing products in the middle of deploying products, right? And that just leads to kind of a culture of burnout, and I think we need to be really careful about that. But to answer the question, I do think that there are ways that vendors can partner. I think that from my perspective, the vendors that have partnered the best have been the ones that have been able to go deep on the technical side. I worked for a cloud company…

[David Spark] So, they bring like a sales engineer in early on?

[Jessica Ferguson] Or actually not even that. They bring the product managers, like the really, really technical people who are probably in Israel, who come into the calls and can really go really, really deep in the conversation and answer the questions. That is really helpful from my perspective. It really shows the maturity and the thought process behind the product that they’re selling.

I think to the second question – are there security vendors I like but I’m not a customer? Maybe a couple years down the road, I might be a customer, but right now, I’m set with where I’m at. Because anytime we make a change, there’s a cost to that. There’s a cost in people hours, there’s a cost in man-hours, there’s a cost in professional services. And I think that’s something that sometimes we have a hard time wrapping our heads around is you can go make a change, and you may save some money up front, but you may spend more money down the road in kind of more hidden costs, right?

Why are we still struggling with cybersecurity hiring?

27:56.738

[David Spark] So, Mike, you actually inspired this segment because I was thinking about this.

[Mike Johnson] Okay.

[David Spark] And that is what are your real risks around hiring? Because you’ve mentioned many times that just because of your environment, you can’t take on really green people. But I’m thinking all employees are a risk, a new employee’s a risk. No matter what the level, for that matter. So, here’s my question. If prospective employees could understand your risks well, is there something they could do to address them in the hiring process to make them a more attractive candidate, especially if they’re really green? But how would they do that, and have you ever had a candidate address your risk about hiring them?

[Mike Johnson] So, clarifying question. Do you mean addressing the risks that my company has or my…

[David Spark] Well, the fact that if I brought you in, you would create a risk in this way, that way. Like, if you’re agreeing you don’t know this stuff, and I’m giving you access to these kinds of equipment, service, information. Or you don’t know this yet, or maybe just bringing a new person takes risk, period, because I don’t know the person. There’s lots of different levels of not knowing.

[Mike Johnson] Yeah. So, I think in terms of addressing those concerns of hiring that particular individual, a lot of it comes down to how can they illustrate to me that they’re going to be able to hit the ground running and learn quickly. If I’m bringing someone in who’s green, the trade-off that I’m making is I’m going to have to teach them. I’m going to have to show them my environment or teach them security paradigms that we’re learning. If in the interview process, they’re able to say, “You know what? I know I don’t know your environment. I know I don’t know your technology stack.” So, there’s some self-awareness, which is a great thing to show in an interview process, “But I can learn.”

And here’s some examples, “Here’s maybe some documents that I’ve written up on my journeys into cloud security,” or “Here’s some presentations that I’ve given at security conferences.” A lot of these are the same things that we say candidates can use to highlight why they’re a great candidate in general. But they also illustrate that capacity to learn, which is one of the biggest risks of hiring someone who’s more on the junior end of the scale. The other risk being that they’re a brilliant jerk – different issue. But if they can show an ability to learn, then I’ve got a better chance of being able to bring them along, more confidence that they’re going to be able to quickly be a contributing member of the team.

[David Spark] What about showing how they solve problems and that in the process of solving a problem, they create their own safety nets? Like, “All right, well, if I solve this, I’m going to make sure that I have this backup A, B, and C in place, so should something happen, I’ve got…” They have the mind to understand that they are capable of making mistakes, and that they create their own safety net. Do you ever have that kind of conversation with a candidate?

[Jessica Ferguson] Yeah, absolutely. And I’ve often said I can teach anybody security. I love bringing in green people. What you need to have in security is you need to have kind of an insatiable question that you need answered, and it really is the “what’s next” question, right? I have lots of people on my team who are involved in threat models and design reviews. And the reason they’re really good at that is because they never take the answer at face value. Not that they don’t necessarily distrust, but they always are going to ask the “Yes, but what’s next? And what’s next? And what’s next?” Right? And that’s something that’s really hard to teach, but if somebody has that, I can teach them the questions to ask, I can teach them how to do security. It’s the curiosity, I guess, if you want to call it that, that you struggle with teaching.

[David Spark] And do you believe the curiosity can reduce the risk? Like there’s a correlation there?

[Jessica Ferguson] I do. I do. I think it’s really around exposing the problem set. In security, we’re really trying to understand, and in particular – I’m just going to pick on design reviews – we’re always trying to figure out what is the full scope of the risk. And a lot of times, the development teams that we’re working with may not understand the full scope of the risk. They understand their little piece of the world, but they don’t understand the bigger scope of the risk.

And I think it really takes that person who can go, “How does this little piece fit into the bigger thing and impact the bigger security problem inside of the organization?” that is really key. That really separates the really great engineers because a lot of times what will happen is people come in, they’ll do a design review of the little piece that the development team wants to talk about, and they don’t really think about the bigger picture. They’re not looking at the bigger picture. And that kind of looking at the bigger picture and trying to figure out what are the downstream effects of this really is the harder part, I find, in making innate in somebody, right, is that question of the “what next” question.

[David Spark] Excellent point.

Closing

33:30.832

[David Spark] And I love that, and we’re wrapping up on that. Thank you so much, Jessica Ferguson, who is the CISO over at DocuSign. By the way, we didn’t have to sign any contracts for her to come on this show.

[Laughter]

[Jessica Ferguson] Well, thank you for having me. But if we did have to do that, it would be super simple.

[David Spark] It would be super simple.

[Jessica Ferguson] I’ll plug that. How about that?

[David Spark] Okay. By the way, the question I always ask my guests is are you hiring, and I’m sure you are, but hold your answer, I’ll let you have the very last word. And a huge thanks to our sponsor SlashNext. Thank you so much for sponsoring the CISO Series. We appreciate it. More about them at slashnext.com. If you need phishing protection, and who the heck doesn’t, guess what? They deal with it more than just email. Pretty much everywhere. So, check them out at slashnext.com. Mike Johnson, any last words?

[Mike Johnson] Jessica, thank you for joining us today. A pleasure sitting down. What I really enjoyed was your perspectives as someone who’s recently a CISO. Again, tons of experience, but recently taking that role forward, and it’s always great to hear the perspectives that someone has to share from that viewpoint. There are two things that you said that I really think people should take away. One was your point about you expect a product to be used at least 80% of its features come renewal time. If it’s not being used 80%, it’s out. So, I think that’s a really great benchmark metric for people to think about. And the other thing that you said that I don’t think anyone has said on the show before is that frequent tool changes lead to burnout of the teams, and I do think people need to pay more attention to that. So, thank you for sharing those two very specific points.

[David Spark] Yeah. No one’s made that relationship, that’s a good one to highlight, I agree. All right, Jessica. Any last words and are you hiring?

[Jessica Ferguson] Well, thank you so much for having me on, Mike and David, really appreciate it. It was great chatting with you. We are hiring. I have several open roles, both in compliance, governance, and in security engineering. So, any folks that are interested in working for an awesome cloud SaaS company, we’d love to have you, careers.docusign.com.

[David Spark] Careers.docusign.com, and would it help if they mentioned that they heard you on the CISO Series?

[Jessica Ferguson] Absolutely.

[David Spark] That’s what I want to hear.

[Jessica Ferguson] Plug if you put in that you heard me on the CISO Series.

[David Spark] Please do that. All right. Well, thank you very much, Jessica. Thank you very much, Mike. And thank you, audience. We greatly appreciate your contributions. Keep them coming in, we love them, in “What’s Worse?” scenarios. Thank you so much for contributing and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series, where he produces and co-hosts many of the shows. Spark is a veteran tech journalist, having appeared in dozens of media outlets for almost three decades.