Chances Are We’ll Be Attacked the Day Before Your Vacation

Do the cybercriminals know my vacation schedule? If they’re already in our network, they probably do. Why don’t they share their vacation schedule with me? That way we can all enjoy our time off.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Patti Titus (@rusecur), chief privacy and information security officer, Markel.

Huge thanks to our sponsor, Sotero

Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself. Click to learn how.

Full transcript

Voiceover

Ten second security tip, go!

Patti Titus

Educate people why it’s important not to open an attachment from somebody they don’t know versus just telling them no.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark, I am the Producer of the CISO Series and joining me is the lovely and talented, and I’m wondering how often people refer to him as lovely and talented, Mike Johnson.

Mike Johnson

That’s literally my middle name. It’s Mike Lovely and Talented Johnson. So, all the time.

David Spark

Was it a grandparent was named Lovely and Talented?

Mike Johnson

It’s handed down generation over generation. It probably goes back a good solid ten, 15 generations at this point.

David Spark

Let me ask you, in all seriousness, has anyone in your family done a family tree?

Mike Johnson

Yes. My father was very into it and he put a lot of work into it.

David Spark

My sister is doing that with Ancestry.com. Did we talk about this? I can’t remember.

Mike Johnson

No. Are you about to tell me you’re related to someone interesting?

David Spark

Well, there were a lot of interesting things and we can leave them for another time. But I was just impressed with Ancestry.com and how far it’s come. It’s a really, really cool and impressive platform.

Mike Johnson

And it’s a great way of being able to track people, too.

David Spark

Yes. Well, the fact that also you can merge family trees if you connect to somebody else. It’s kind of wild that way.

Mike Johnson

Yes.

David Spark

All right, let’s get into this show. I do want to mention that our sponsor for today’s very episode is Sotero, who has been, and I say this often about multiple sponsors but I mean it when I say it about this sponsor, and the ones I’ve also mentioned, they’ve been a phenomenal sponsor of the CISO Series. More about Sotero later, they, by the way, play in the world of encryption. But not that boring at rest encryption you hear all about, but the encryption in use, which is quite a challenging task. More about that later in the show. I do want to mention we are releasing this episode on Tuesday November 16th, and guess what’s happening the very next day, Mike Johnson?

Mike Johnson

What is happening the very next day, David Spark?

David Spark

You’re acting as if you don’t know, but we just talked about this before we started recording.

Mike Johnson

I’ve already forgotten.

David Spark

Oh, jeez, you have a very short term memory. You should go see a doctor about that.

Mike Johnson

Listen, that’s my other middle name.

David Spark

Lovely and Talented and Short Term Memory Johnson. There you go. All right, well, really you should think about having that name changed. You should seriously work on that, Mike. Tomorrow, that will be Wednesday, November 17th, I will be live in New York City at the Key Conference. It’s going to be about credentials, actually managing credentials and it’s being hosted by Akeyless and you can be there in person or watch it virtually. Two options there. To do that, go to Akeyless.io/keyconf. But, if you can’t remember that, guess what, just go to cisoseries.com and we’ll have a link to it right there. Cisoseries.com that’s pretty easy to remember. Can you remember that, Mike?

Mike Johnson

That one I can remember. Although I do have it tattooed, so I’ll never forget that one.

David Spark

Where did you get it tattooed?

Mike Johnson

I’m not going to tell you.

David Spark

I ask people when they get these CISO Series jackets to take a photo. You have a cisoseries.com tattoo and you haven’t taken a photo of it?

Mike Johnson

You don’t have that tattoo? I thought that was a requirement.

David Spark

No. First of all, I don’t know if you know, Jews traditionally don’t get tattooed.

Mike Johnson

I did not know that.

David Spark

We traditionally don’t get tattooed. I can’t speak for all Jews but it’s not a common behavior. All right, let’s introduce our guests, I think we’ve wasted enough time on pointlessness up until now, we would like to actually get into the material. This has been a long road and we’re excited that we finally have her on this show, very excited. She is the Chief Privacy and Information Security Officer for Markel, Patti Titus. Patti, thank you so much for joining us.

Patti Titus

David, I have been a huge fan for so long, I’m so excited to be here and talking to Mike as well. I didn’t know that he tattooed anything on himself. I’d like to erase that from my memory bank.

David Spark

By the way, if you don’t photograph it, Mike, then everyone has to imagine it and that could be worse than the actual photograph.

Mike Johnson

It’s better for me, worse for them. It’s all good.

Why is everyone talking about this now?

00:04:57:03

David Spark

On LinkedIn, Ashish Rajan of the Cloud Security Podcast asked “What role is the quickest to a CISO role?”. He created a poll with the options of Red Team, Blue Team or GRC, which was far and away the most popular option with 71% of the votes. But, Christopher Zell, CISO at Wendy’s, had the most popular response. He argued that it’s none of the above, and he sees no advantage to one discipline nor anyone would want to be a CISO quickly.

Mike, what about the very first job you had in cybersecurity? Had you become a CISO immediately after that first job in security, how badly would you have screwed up and what didn’t you know that would have caused a disaster? By the way, I’m saying that you would have screwed up, would you have?

Mike Johnson

Yes. Yes, absolutely.

David Spark

How badly? What are we talking about?

Mike Johnson

I think anyone who would have hired me at that point as a CISO, they would have just been in for a rough time. I’m sure I would have found a way to mess everything up. Not just a little bit but a lot.

David Spark

It’s hard to isolate one thing.

Mike Johnson

Yes. It’s really hard to say which one it would be. The reality was my technical skills at the time were pretty good. I wouldn’t have understood the importance of relationships, getting buy-in, writing things down, training. My lack of experience and knowledge on the people side of security is what would have really been the problem. That’s what would have blown up in my face. That’s where I think I would have failed spectacularly on the people side. Coming back to the question on LinkedIn, I really agree with Christopher that there is no single path.

David Spark

And we’ve seen that. We’ve had such a variety of CISOs on to prove that.

Mike Johnson

I think if you went back and looked at all of the CISOs that we’ve had, different paths for everyone. There might be some similarities but there’s not a singular path that I think anyone could say “well, that’s the right path.”

David Spark

Also, no singular background. We’ve had people with non-technical backgrounds as CISOs on the show.

Mike Johnson

Absolutely. I think that’s what we need in the field. I think it would actually be really bad if there was one path to CISO, because of how strange our job is and how varied the needs of our companies and our teams are. If you didn’t have folks coming from all those different walks of life, I don’t think we would actually be very effective as a field in terms of helping to defend our companies and our networks.

David Spark

All right, Patti, I throw this to you. Think about your very first job in cybersecurity, your next job you’re a CISO, how badly would you have screwed up?

Patti Titus

Boy, I have to tell you, my first job I was in the Federal Government, and the benefit is you get a lot of people telling you what to do. I had a great team starting out. I feel like I’m going back in time 100,000 years but it was when the profession was brand new. CISOs was a new title, so how could you screw up something that had no definition?

David Spark

Ah, you had that advantage.

Patti Titus

I like to say I’m a pioneer, David. I do have to say that I think it really depends on what kind of company you’re working in, so I agree with Christopher. If you’re in a tech company, like a high-tech company out in Silicon Valley, they want somebody that’s a whippersnapper and incident response or red team. You’re in a Fortune 500 and you almost have to know more about risk management, translating that cyber risk into dollars and value proposition. It really kind of depends what the company would be, but I’m telling you if somebody said to me my first CISO job, “I’m going to make you the head of some major Fortune 500”, I probably would have said that I was going to go work for another Federal agency.

What’s the ROI?

00:09:14:13

David Spark

On CSO Online, Mary Pratt has an article about the new ways to calculate cybersecurity value. In the article she referenced the most valuable metrics of mean time to discover and mean time to contain and we’ve talked about this many times on the show. But there are pressures to show ROI. Most of the time that’s not possible and what’s happening is they’re imposing a financial metric on security. Regardless, there is a need to somehow correlate security behavior to business actions. How can a certain metric show that the business was made safer from more harm or risks? They referred to security metrics being either leading, lagging or coinciding indicators of certain business behavior. For example, employee churn and retention rate are a leading indicator of threat risk. The article went on to say the metric should allow the board to make decisions whether or not they want a security program tightened or relaxed, depending on what their risk appetite is. Patti, are you getting more pressure to prove cyber’s value, and have you had success trying to tie metrics to certain business behavior?

Patti Titus

First of all, I think it’s a bit of a slippery slope. What you’re trying to explain on one hand is the cyber value at risk. You’re trying to explain to your executive leadership that the company’s making an investment in your cybersecurity program. The threat actors are not equally attacking people, so think about it this way. I put up a set of front door-type security parameter products, and my CFO says, “tell me what the value proposition is or the return on investment of us putting that up.” It’s very difficult to say “these are all the number of bad guys we kept out”. Although, you can pull in statistics to say “we’re seeing multiple millions of port scans and penetration attempts at the front door.” The difficult part is to say, “and we kept everybody out.” I think the problem that you run into is, first of all, I think it’s interesting that there was the conversation around the Board saying to tighten or relax. I would say the Board would never say relax. But I do think the Board might say, “let’s take a pause on that investment because we have a competing priority.”

David Spark

That’s the way they define relax.

Patti Titus

It’s a competing priority. They want you to pause doing something, but the other portion of that is bringing in the risk that’s being introduced by not doing something. This has been a challenge for a lot of CISOs. When we look at it and we say “well, I know we need it and you should trust me. You hired me because you trust that I know my trade craft.” I’ve got to tell you that that doesn’t cut it. You’ve got to be able to show a business case on the cost benefit analysis, plain and simple.

David Spark

This goes to your opening tip. You don’t just tell people “don’t do that”, you give an explanation, so it’s through your explanation they build your trust with you.

Patti Titus

Security’s really about story telling. You’ve got to take a bad thing that happened to another company and turn it into a story about what you’re doing to ensure that your company doesn’t suffer the same sort of fate. It’s a challenge. I’ve gone to many, many conferences looking for the silver bullet of “show me a dashboard that I can show to an executive and a Board of Directors that’s going to work in any company.” I would tell you that, depending on the vertical market that you happen to be in, every organization is looking for something different. There is no silver bullet.

David Spark

That’s a good point, it changes industry to industry. Mike, are you getting pressure to show cybersecurity’s value? I’m going to guess no. You have a pretty advanced organization but did it become a need to show something else? Do you want to impose a new program to prove this program’s helping kind of thing?

Mike Johnson

As you guessed, I’m not getting the pressure to say, “what is every dollar giving us back?” but you have to justify your spend; there’s no such thing as a blank check. Companies have to know what’s going to go on with the money that they’re spending, because they’re accountable to somebody else, and they have to be able to show what they’re doing. I do have to and am expecting that I would have to, this is not a bad thing, I need to write those justifications. That’s a normal thing.

David Spark

It’s part of the job of being a CISO.

Mike Johnson

It is part of the job, frankly, of being an executive period.

David Spark

No executive in any department could get away with this.

Mike Johnson

Exactly. You have a budget that you’re responsible for and security or not it’s a little bit more difficult to show ROI for security. ROI in security isn’t really a thing, but you do still have to show and explain what you’re doing and why you’re doing it.

David Spark

That goes back to the story telling that Patti was just saying.

Mike Johnson

Yes. What I try and show is this is how this expenditure, whatever it is, be it on people, technology or services, is going to help us improve our security, how that’s going to help our customers. That’s part of the story telling. Again, you’re not going to say X amount of dollars, but that it is improving and how it’s improving, that’s part of the story telling and that really goes a long way towards explaining why you need to spend that money.

Sponsor – Sotero

00:15:29:23

Steve Prentice

Advances in technology come with additional threats, as we all know. Although there are thousands of tools available to be applied to individual sectors, Purandar Das, who is Co-Founder and President of Sotero, believes that to use, share and monetize data securely and with confidence there needs to be a better and more encompassing solution. That’s where Sotero comes in.

Purandar Das

What we bring to the table is a single platform that enables organizations to protect all of their data assets, regardless of where they are, all the time, but also add the ability to use the data in its protected state. We’re doing a couple of things. We’re simplifying data protection. It’s high time that happened. When you think about the technology advances that have happened over the last three years, the one area that’s never caught up has been security. It just keeps getting more complex and more painful to manage and deploy. It’s time that there is a single fabric in a simplified approach to enabling the best data protection.

Steve Prentice

He points to the never-ending increase in criminal activity that comes from the complex nature of today’s ecosystems.

Purandar Das

Criminals have millions of entry points or access points socially engineered, as well as physically engineered. What we’re enabling our organizations to do, or empowering them to do, is to adopt the technology in all of its complexities to drive the business forward, but also stay in charge of their data.

Steve Prentice

Learn more at soterosoft.com.

It’s time to play What’s Worse?

00:17:15:16

David Spark

Patti, I know you know how to play this game. Do you in general agree or disagree with Mike?

Patti Titus

Only because you want me to, I disagree with him, but I have to say about 95% of the time I agree with him.

David Spark

Okay. Well, let’s see how you do this time. Mike, I think this is a tough one but I may get the “no, it’s not a tough one”, and I think it has to do with the lop-sided nature of this. It comes from [UNSURE OF NAME], the CISO of Epic. He asks, “What’s worse, having one malicious insider on your security team”. I know already you’re thinking that’s worse. “Or ten malicious insiders in any other part of the organization?”. The key is they have to be knowledge workers. It’s one in your team, essentially acting as a mole, making things miserable, or it’s ten in other departments of the company and they do know what they’re doing.

Mike Johnson

I’ll tell you, David, this is not an easy one.

David Spark

Really?

Mike Johnson

There’s different orders of magnitude here and I’m not taking the it depends route on this. If you’ve got someone on the security team who’s actively working against you, so imagine there’s an incident going on, and they are poisoning the well of evidence. They are making it really difficult for you to respond, that’s the worst case scenario of that kind of an insider. Versus ten other insiders, who knows where they are? They could actually have more privilege, more access, more knowledge than the security team. They could have that admin level of access that literally gives them access to anything. I actively work for my security team to not have significant levels of access in the organization. We get only what we need to do our job.

David Spark

Right, but it is a malicious insider so could be a security person with admin access. It could be ten admins versus one admin.

Mike Johnson

Exactly. It could be folks on the finance team. I mean, it really could be anywhere in the organization. These really both suck, so I’m going to pick one and they’re both bad. The one I’m going to go with is the worst, simply on quantity, is the ten insiders.

David Spark

All right, ten insiders. I thought you were going to go with the one in the security team of the insider jerk. I should point out that this malicious insider is not a jerk at all, quite a nice, friendly person.

Mike Johnson

Well, that would have changed the whole thing. If you’d told me it was a malicious insider, brilliant jerk, then it would have been a much more difficult decision.

David Spark

You think?

Mike Johnson

No.

David Spark

All right, Patti, do you agree or disagree with Mike?

Patti Titus

I’m sorry, David, but the quantity is worse than the one insider that I can probably contain and I probably got that guy on a watch list anyway. It’s the ten people who could take the company into a whole 10k spiral, your financial misstatement. You said finance so you set me off on the wrong direction, David. You led the witness.

David Spark

By the way, you don’t have to speak for yourself but maybe a colleague has mentioned what’s the highest number of malicious insiders at any one time do you know that anyone’s seen? Do you know?

Mike Johnson

I’ve no answer. I literally don’t know. The most that I’ve ever heard is someone say one. But I’m sure that there is more.

David Spark

Simultaneous, that seems like it would be crazy tough.

Mike Johnson

The flipside, if it’s a big enough company, if you’ve got 200,000 employees, the numbers just say that you’re going to have more than one.

Patti Titus

I think it depends on what’s going on in the organization as well. If you are going through a multiple outsourcing arrangement, you could have multiple people with elevated privilege that have got their finger on the button saying, “I’m not going to get what’s due me when my job gets outsourced, so I’m going to leave a little present behind when I leave.” That’s the scary part when IT people leave a company you are always worried about what kind of present is left behind that you don’t know about.

Walk a mile in this CISO’s shoes.

00:22:10:12

David Spark

On past episodes we’ve discussed the trend of increased attacks late on Fridays, just before a long weekend or a vacation. As a security leader, who has a staff who actually wants to go on vacation, how do you manage what is probably going to be increased attacks on or before holidays and your staff actually wanting to take a vacation at that time? And at the same time you need to manage 24/7 operations. What if many people want that same Christmas vacation? Mike, a Redditor actually asked this very question, specifically about going on long holiday leaves. This is especially true if you have staff in Europe where long vacations are the norm. How do you manage that coverage?

Mike Johnson

I’ve seen a few ways of dealing with it. One is simply making trades, folks can pick which holidays are most important to them, and you likely end up with some people willing to trade off the end of year holidays for something else, or maybe work part of them. I’ve had plenty of folks on my teams in the past, they don’t celebrate Christmas. For someone like that, it’s a down week, most likely and that’s the first thing to go looking for; look for those trades, look for those opportunities. It actually works out doubly as long as you have a concept of on-call and escalations.

David Spark

I used to work for a television network and if it was a situation like “can you work” I’d be like, “Oh, I’d be happy to work”. This was my big realization about the holiday week. You don’t see this much anymore, but if you turned on any of the news, it was always Jews and Asians on camera.

Mike Johnson

Again, not everyone celebrates the same holiday. Right there, now that I’m thinking it through, that’s another advantage of bringing diversity into the field. That’s absolute opportunity right there.

David Spark

All right, Patti, how do you handle this issue?

Patti Titus

This is my big pet peeve, I have to admit. It’s called resource planning and when Covid hit, there was everybody didn’t take any vacation and you get to the end of the year and everybody says, “oh my gosh, I have a whole month of vacation I need to burn.” All year long I was saying, “take time, take time off”.

David Spark

They do that use it or lose it thing, like “oh my God, I better use it.”

Patti Titus

Yes. We do allow some carry over, but it’s a small amount, so it’s hardly worth it for some folks. This is looking at specific jobs and when people are in those jobs you have to be realistic and say “look, you’re an incident response person, you’re seven by twenty-four by three sixty five, on call”. Yes, we rotate them so who’s going to pull the short straw? It’s also an opportunity and I’ve done this in several companies that I’ve been a CISO, let’s look at an outsourcing arrangement so that we’ve got a hybrid model of FTEs, full-time equivalents. And then we’ve also got contingent workforce where they’re willing to work through because they’re getting the benefit of continuing to have pay where they’re a contractor and they may not have the benefit over the holidays, where some companies look at furloughing their contractors at the end of the year. That can be quite painful for people, so when you’re in a specific career field you might as well know that there is no real vacation, unless you’re going to some island where there is no communications like Fiji, which I’ve been known to do. I have worked through the holidays and I find it’s the best time for me to work because I’m here, it’s usually a skeleton crew, and we can get a lot done. But we also have maybe some additional parties and I might bring in a cooler of beer or something.

David Spark

Again, you might get attacked which doesn’t make things easier. From my history of working holidays, because no-one else is working you’re not doing any sort of transactional business during that time. You’re not setting up meetings at all with anybody.

Patti Titus

Yes, it’s a huge benefit. I do have to tell you, though, the team that’s usually working here are kind of my steady Eddies. They’re people who have been with me since the beginning, and that’s our time to go, grab lunch, grab breakfast, have a conversation about what’s just been going on. I think some of the people take advantage of the time to say, “gosh, it’s time I can spend with the boss, because she’s going to be here.” If anybody was clever they noticed all during Covid, I was in the office while everybody else was working from home. Largely because my internet didn’t work but that’s a different story.

What’s a CISO to do?

00:27:35:18

David Spark

On Dark Reading, Jai Vijayan has a piece on lessons from major data breaches. Issues such as third party risks, opportunistic attacks versus targeted attacks, to software assurance practices. All of these issues are on a CISO’s radar, but everything ebbs and flows in terms of where you can focus your attention. Mike, were there any breaches that happened this past year to cause a shift in focus of your security program?

Mike Johnson

It was technically late last year, but I would be shocked if anyone said that the SolarWinds and breaches like that didn’t get their attention and force you to take another look at your program. For me, it was this very vibrant and stark reminder of the importance of asset management; knowing what I had, knowing who used it, to be able to go around and say with confidence “no, we don’t use any of the SolarWinds technologies, we’re not impacted by this.” I really think that got everyone’s attention, I would be surprised if it didn’t. Then you had a reminder later in the year with the Kaseya breach, where, again, it was “am I using Kaseya somewhere that I wasn’t aware of?”. The shift in focus for me was to really concentrate on asset management. Both of those breaches and all the ones around them was really what brought it front and center for me.

David Spark

Good point there. Patti, I don’t ever want to say you weren’t thinking about this but just caused your focus to shift as a result of the news.

Patti Titus

Yes, I agree with Mike. It was a little bit stark to wake up and realize that those things we’ve been thinking about for a really long time with the supply chain, it finally had hit home where a content management system delivering an upgrade could be compromised. That was pretty big news. I think the other one is just the total increase of the ransomware attacks. That has really reprioritized our disaster recovery and getting our immutable storage in place.

David Spark

What about the evolution of ransomware attacks? How they’re milking that initial attack to essentially make it even more painful, not just “hey, we’re encrypting your data, pay us to get it back” but there’s all the other things that are attached to it and how they copy it will expose you, that even a backup alone isn’t going to prevent you from recovering it. How has your focus shifted as a result of that? There’s more things you need to concern yourself about like getting legal involved as well.

Patti Titus

Yes, I have a really great relationship with my legal department, that’s usually my first step when I join a company, that and procurement. I have to say the evolution of the ransomware attacks, I was pretty excited when I heard on your daily series that [UNSURE OF WORD] Corp had closed shop. I’m like “phew, that’s good, where are they going to pop up next?”. It didn’t take them too long, it took a couple of weeks. All in all I think it’s really strengthened the relationship. You mentioned my title, David, I’m the Chief Privacy and the Information Security Officer, the refocus of not just security but back to that data protection, data privacy. Being both hats has helped me think about how are we encrypting and handling data in its entirety through its life cycle from the time it comes into the company until the time that we delete the data. It’s a challenge every company has, we’ve become a globe of data hoarders. I mean, there’s exabytes and petabytes of data where a gigabyte was a big thing back then. You’ve got so much more data and it’s in so many more places; it’s in the cloud, it’s in a SaaS app, it’s on Prem. There’s so many more places that you have to look and apply the right type of risk treatment and risk management. I do think that the ransomware completely changed the direction of my security program where it added a whole other swim lane, which goes back to the conversation about ROI and budget. Here’s your budget, work within the confines of that. Well that’s great but we have this emerging threat that we need to deal with. Taking those into consideration and looking at how you build your defenses, it’s been a fascinating year and a half as we’ve watched this grow.

David Spark

Mike, I know you also work with your legal department as well. How did these big breaches and your conversations with them change or shift? They knew it was on their radar but all of a sudden you’re now honing in on these.

Mike Johnson

For us, I can’t say that it changed. When we look at the legal responsibilities that we have to our customers, those haven’t changed and our relationships haven’t changed. What has changed is the customer’s actual legal concern; what they put into the contracts. I would say customers are paying a lot more attention to the security requirements that go into their contracts, and that’s raised the perspective and changed the way that the legal team thinks about those contracts. We have more conversations about the exact language; “can we agree with this” and “is this already common practice”. I would say that’s been an evolving situation over time, and the third party supply chain breaches is what really pushed that and has pressured that.

Closing

00:33:52:19

David Spark

And that brings us to the very end of this show. Thank you very much, Mike. Thank you very much, Patti. I want to thank our sponsor for today’s episode and that is Sotero. If you’ve got issues with encryption, or maybe lack thereof, or maybe you have your run of the mill at rest encryption. If you’re looking for in-use encryption, which why wouldn’t you, then you would want to take a look at sotero.com. Patti, as you know, since you are a regular listener, I’m going to ask you are you hiring? I know you have a spectacular staff that’s been with you since practically day one, but are you trying to grow that? I want you to answer that in a second. But, first, Mike.

Mike Johnson

Patti, thank you for joining us. It’s always great to have someone on the show who’s listened to the show a lot and to sit down and have a conversation with that person and hear from them is always a wonderful thing. Thank you for joining, specifically I wanted to thank you for reminding everyone that security is about story telling. That’s a strong reminder for all of our audience, not just the CISOs, not just the vendors. Everyone think about the stories that you’re telling with regards to security, and that will go a long way for you. That’s a great point for our audience to remember, security being about story telling. Thank you for that nugget and that reminder and in general thank you for joining us.

David Spark

Awesome. Patti, any last words and, again, are you hiring?

Patti Titus

Any CISO that says they’re not hiring I can’t imagine that, so yes, we’re always looking for great talent.

David Spark

Almost everyone said it before but during the heart of the pandemic that actually decreased. I would say it was 50/50, but now it’s almost everyone saying, yes, but go ahead.

Patti Titus

We’re hiring globally, too. Don’t just think U.S. Mike, you’re so very welcome. It’s always nice to make a connection with another CISO. Our grass roots efforts are what keep us going and without those connections we don’t have a trusted source to go to to ask all the hard questions, even harder than playing What’s Worse.

David Spark

Thank you very, very much, Patti. Thank you very much, Mike. And thank you to our sponsor, Sotero. Again, if you are listening to this on Tuesday, or maybe even very early Wednesday morning, I’m over at the Key Conference. Come join us, either virtually or in person. We hope to see you there. Thank you for listening, and contributing to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.