Could We Speak To Your CISO To Confirm He Received the Cupcakes?

It’s imperative we speak to him. We want to make sure they landed safely. And if he has some available time, maybe we can show him our slide deck.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Branden Newman, svp, CISO, MGM Resorts.

Got feedback? Join the conversation on LinkedIn.

Thanks to our podcast sponsor, Grip Security

Ask yourself – do I know what SaaS my company is using? How do users access them? What data is uploaded and downloaded? Enterprises today are using hundreds and thousands of different SaaS, and have lost control over it.

Grip Security sees and secures every SaaS application. With simple deployment, you can have immediate visibility to the entire SaaS portfolio, and automated access and data governance at scale. This is the only way you could fight the SaaS Sprawl.

Full transcript

Voiceover

Ten second security tip. Go.

Branden Newman

Prioritization is everything in security. From the security strategy to inner price services you provide, it’s critically important that the entire team understands the prioritization criteria if you want them to be the most effective.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO series. Joining me for this episode is my co-host, Andy Ellis, the operating partner at YL ventures. We are available at CISOseries.com. By the way if you did not know that we produce five shows on the network, every week. Four weekly and one daily. This is one of those weekly shows but if you are not listening to the other shows, go to CISOseries.com and check them out. Our sponsor for today’s episode is Grip, a SaaS security solution, we will be talking about them later in the show. Check them out at Grip.security. Andy, when I started recording with the other co-host, Mike Johnson, we talked at great length about how bad our banter was at the very beginning. But I feel that my banter with you, our little opening banter has gone a lot better. How would you grade it? And by the way feel free to hurt my feelings if you need to.

Andy Ellis

Well that is a tricky one because we are still early on and I think we are still sort of developing our banter. So it is sort of like when you are flirting on a first date and you are trying to figure out what is okay to say and what is not okay to say. But I think we are at a solid B+ and I think we are headed into A territory.

David Spark

I will go with a B+. Neither one of us has said something sexually inappropriate, so so far so good.

Andy Ellis

That’s right. Done, we are not meeting again.

David Spark

There you go. Alright well thank you very much Andy for keeping us at a B+ and moving upwards to the A range. I am looking forward to that. By the way you, our audience, can tell us how you feel that our banter is going at the beginning as well. I want to bring in our guest right away because we have a really packed, super fun show. And I will say the show is titled CISO Security Vendor Relationship, this entire episode pretty much doubles down on that title, because we are talking a lot about that on this episode. And thrilled to have you on board and our guest, who has been on before but not at his new location where he is at now. It is the CISO for MGM Resorts, Branden Newman. Branden, thank you so much for joining us.

Branden Newman

Thanks for having me.

Why is everyone talking about this now?

00:02:38:19

David Spark

On LinkedIn, I asked the question, “When a security vendor says their product is “military grade,” how exactly should I be impressed?” I got a lot of funny answers like whose military, which branch, and it went to the lowest bidder. But most saw the statement as one of two things. It is either a useless marketing term or they are achieving some specific standard that the military/Federal government uses. I want to address this statement of the military grade because we see it often in cyber security., But I think this gets to a larger question of how do security vendors communicate simply their uniqueness and product quality, Andy?

Andy Ellis

Well I have got to say I think it is very generous to say that somebody who is saying military grade means they are meeting a specific standard. Because anybody who is meeting a specific standard is going to tell you what their specific standard is. I think it is a legacy back, if you go back 20 or 30 years and a lot of the systems development and innovation was happening in the military. And so if you said military grade, sometimes that meant rugidized laptops. Like okay great, something that is going to be hardened and work for the military. I think today it simply means nothing. It is just like these words that are there like big data, kind of means nothing. I think military grade also just basically means nothing. And it is lazy marketing copy.

David Spark

Alright, I am going to come back to my second question but I want your take, Branden on this. What do you think when you hear a vendor mention military grade?

Branden Newman

I definitely lean toward the direction of it being completely useless marketing hype. I would even we are talking about armor and bullets or something that maybe it would be more relevant. But even then I am sure I could go on the commercial side and find better stuff that is being used in the military, because they have to be able to scale it and use it completely at scale. So to me it means virtually nothing. If anything is putting the military ahead it is their people. And you can see this, I am sure Andy is well aware, the Israel’s are pumping people out of the military that are creating great products. But that is their brains not the tech that is military grade in my opinion.

David Spark

Well both of you have actually served in the military correct?

Branden Newman

Yes.

Andy Ellis

I have yes.

David Spark

So you feel that they are kind of appropriating something that you did and it sort of white washes? Or you do not think much of it one way or the other?

Andy Ellis

Well given that the tech we used to do information warfare when I was in the Air Force, was all commercial technology. I deployed CISO routers, network systems border guards and wheel group net rangers. There was nothing military grade in our information warfare capabilities there. Like Branden said it was the people, and I have never heard anybody with that take on it and I love it.

David Spark

Same with you Branden?

Branden Newman

Yes I also take no offense whatsoever. I was happy actually to get to a more agile stance on the commercial side where I could buy stuff quicker.

David Spark

Yes. Perhaps military grade means it where it is going to be slow to buy this. But let us get to the second part of this question which is– and I know there is no simple answer to this, you are not going to have the oh, it is this phrase, everyone should use this phrase. But is there is there ever a quick way that a company explains their uniqueness– and we are actually going to get to a game of this at the end of the show– but have you found this ever to happen Andy? That they can do it quickly?

Andy Ellis

Well each vendor has to do it a different way. That is part of communicating your uniqueness, is there is not one way to do it. The trick to doing it is to come up with an analogy that is going to carry over. So someone can say “oh I understand.” When I was at Akamai, I would say “look we are the shopping mall of the Internet. What do you buy from a shopping mall?” It is a trick question. You do not buy anything from a shopping mall, stores buy from a shopping mall, the ability to get closer to you. And boom, everybody got that when I said that is what I do for the Internet. So it is a unique [INAUDIBLE] proposition.

David Spark

So it is like when you pitch movies, we are like this movie but in this in space, something like that? That is actually a good way to put it. Branden, have you any more ideas?

Branden Newman

Well in general I would say any of this military grade or compliance stuff is not super useful unless you are in a very niche area that has to have that specifically. So I would leave that completely out. I think to Andy’s point it is basically value proposition in as simple terms as you can possibly present. And that is usually where the struggle is. You go down the rabbit hole, I really like the analogy that Andy brought in. You use something that gets the points across very quickly of your value proposition. And if you do not know that in your company you are behind already.

Looking down the security roadmap.

00:07:23:01

David Spark

Earlier this year, CISO Series conducted an Ask Me Anything, an AMA, on the cybersecurity subreddit. We got a flood of great questions, and here’s one of them. I am going to go with you first Branden on this. “Where do you see the biggest gaps in the data security marketplace with vendors? If you were to start a data security company, what would it do/sell?”

Branden Newman

Yes this is a fairly hard question for me. I am a big proponent of data governance and it being one of the number one things that you have to do when you are in a security program. And all too often I see companies that have been running programs for 10 years that do not take data governance or data security specifically into account the way they should. So I am definitely on board with it being one of the most important things. If I were starting a company or where the gaps are, to tell you the truth I think we have a lot of the areas covered, but we have lots of novel approaches that are not being implemented at companies. And I think this is because the real problem is changing of processes and changing of company culture in way that you can actually implement the things that are out there. So I suppose if I was going to start one myself it would be more on the consulting implementation side, to show people what right looks like, to drive that thing across the finish line, instead of just having a piece of software that I expect them to spend years implementing.

David Spark

Everyone says that solutions are people, process and technology. And while we have tons of solutions for technology and we have got lots and lots of training for people, I do not see a lot of process solutions coming out. That is what I have noticed. Andy, where do you see the biggest gap?

Andy Ellis

I would be torn. One of them very similar to where Branden went, which is I think tooling is actually an approach here, which is it has got to be easier to manage things like PII. There are way too many places where you see companies with PII scattered everywhere and there is not common tooling and libraries that they can easily adopt. So Branden went for the help people implement, I think that we also need to simplify the implementations. Ways to better manage PII across an enterprise. Or if I was going to go to the process approach to match you David, I actually think there is a GRC problem here. Which is I think we think of GRC as just like check the box and we do not think of it as process management. To say hey, here is an initiative we want to drive across a company, how do we manage that across 10 years? We are also focused on how do I just get the check list done for this next year? And I think technologies to help you say here is the standard we want to achieve, here is our asset inventory. Where are we against that initiative for that whole asset inventory? And when are we going to achieve it?

David Spark

Is there a possibility, and I do not know what the potential of this is, and this kind of speaks to the process issue. But most companies have some type of project management tool out there. My question is how well they are tailored specifically for cyber security and could a more cyber security tailored project management tool have an opportunity in this space? What do you think?

Branden Newman

I would see that the GRC piece that Andy brought in is kind of the closest you get to that? And if I was going to pick something else it would have been the GRC integration because if you use it correctly it is actually following the entire system life cycle, and the implementation of all the controls that you are doing across the security program. So it kind of is like the project management of security. I call it the engine of the overall security program.

Andy Ellis

It is the oversight across all of the projects. We have project management tools but what we did not have was tools to manage project management.

David Spark

What would that do to an environment if you could do something like that? How would your environment change?

Andy Ellis

Your environment would change because it would be hard to forget things. The challenge that somebody has, I cannot imagine Branden’s challenges but when we were warming up he started listing all of the resorts he is responsible for. And so imagine that he just had this idea, he is like okay we are going to do this security thing in all of our resorts. How easy would it be for him to forget, we did not implement it on that last resort. I am not going to name one because I do not want to get in trouble. But how many of our projects are like that? We do it in our flagship system and then it gets forgotten as we start rolling it out. The project manager leaves and that is where we really get bitten, is keeping track at the sea level of where do we stand on 17 different projects across 30 different parts of our company? So we would be able to say let us go hit that resort or that part of our system, because they have got 12 projects that they have not even started on. And let us push them to do either all of them or which one matters. Right now we drive each one in isolation and only when we remember them.

Sponsor – Grip

00:12:24:12

Steve Prentice

Organizations are undergoing rapid digital transformations, including having gone from very little or zero SaaS presence to today where they might have too many to govern manually. And that is where Grip Security comes in. Here is Idan Fast, CTO and Co-Founder.

Idan Fast

Grip Security does three things. The first is allowing companies to know and have visibility into which SaaS applications they’re using across the company, and which users are using which SaaS applications, so the visibility part. The second is providing an access management solution that works both for SSO on boarded applications, but also for password based applications. Allowing you to control access in a centralized manner that works for the entire SaaS portfolio automatically. And the third thing is governing how data flows between applications and users and devices, in allowing visibility and policies to be set on.

Steve Prentice

And this sometimes digs up some surprises. Like…

Idan Fast

We find a Devs Ops tool that the security team does not know about. And Devs use just to do their day to day work. And sometimes you have hundreds of different Devs that are signed up to the tool and it is password based and it is Shadow SaaS. Then looking back you see that you have tons of different developers that already left the company but still have access to this application. And they still have access to the entire production environment. We help companies detect it and automatically revoke and remove the access of the user from the application.

Steve Prentice

For more information go to Grip.security.

It’s time to play What is Worse?

00:14:08:10

David Spark

Alright you both know how this game is played. It is usually two bad situations. This one, one of them kind of has a little bit of good in it. But it also has a little bit of bad. You have to determine which one has the heavier risk attached to it, hence the which one is worse? I always make Andy go first. So you hang tight Branden and by the way always love it when the guest disagrees with the co-host. Get ready, this comes from Jerich Beason, who is the CISO over at Epiq and also a former guest on this very show. What is Worse? You are sending a security team member to a training that gives them some good information and skills, but also some inaccurate and antiquated information, to the point it would be dangerous if it were actually applied. Or you never get any budget to send team members for training at all. Which one is worse? Andy?

Andy Ellis

This one is kind of a challenging one because… I think I might go with the bad training. So I am going to call that bad training. If I had to spend the energy to re-train them then I might as well spend the energy without the budget to build the training myself. Because I am assuming that either I can deal with the person who got badly trained, in which case I can deal with the people who do not get trained at all. But if I cannot do either one I would rather not send anybody off to be trained, rather than send somebody who is going to be trained and who is going to bring back dangerous approaches.

David Spark

And you will not know what the thing they learned was bad?

Andy Ellis

If there is no way to mitigate those dangerous approaches, I would rather not have that training.

David Spark

Alright so good mixed with bad is far worse than none at all, you are saying?

Andy Ellis

Yes.

David Spark

Brandon where do you sit with that?

Branden Newman

Well I was already to disagree with Andy, and listening to your original statement on the risks, I was thinking that a lot of the training I send my people to has some has a ton of legacy things in there. But when you got to the point where you said it is going to be dangerous to implement when they come back and I would not know where the needle in the haystack was for that. I would rather start up an internal mentoring training program, than have that situation where they could damage our environment.

David Spark

Lets slow down, I should have qualified. You cannot all of a sudden start your own training program, it is either they get the training or they do not get the training. Whether it is from you or anybody else.

Andy Ellis

This is the challenge. It is always these thought experiments that are like the trolley problem. Where the correct solution to the trolley problem is to shoot the person who set it up.

David Spark

Excuse my ignorance, I do not even know what the trolley game is. What is it?

Branden Newman

One person or hit three people.

Andy Ellis

You have control of a trolley and the track that its on has five people on it. Or you can flip a switch, which will get it off that track and instead of killing five people, it will now kill one person. But you have made the decision to kill the one. What do you do?

David Spark

Well I also made the decision to kill the five if I don’t hit the switch.

Andy Ellis

No, no, no.

Branden Newman

That is a non decision.

Andy Ellis

You are not the person who owns the switch. There is nobody in front of the trolley car, you are just a passenger. You could just be the passenger. Or you could step up and choose to kill the one person. It is one of these philosophy games that are set up that it is kind of sketchy. And the correct answer is always kill whoever set up the trolley cart problem. If you do not they are going to keep killing people.

David Spark

Yes okay, now I understand. I definitely have heard the variation of this game before. So going back, I am sorry, I should have qualified. You cannot just all of a sudden set up your own training, because of course that would be a better solution. So it is either no training at all– I should point out no training at all they are going to make mistakes that are going to be dangerous.

Andy Ellis

Sure, if they are not trained they will make mistakes that are going to be dangerous so maybe I will change my answer then.

David Spark

So where do you stand? Andy do you stay on the same side?

Andy Ellis

I am going to stick with mine because I think that if you want to take it to the absurd extreme and say look my people are just going to show up and they are never ever going to get training, and there is no on the job…

David Spark

No they will learn over time. But they will learn by making mistakes.

Andy Ellis

…right but I would like them to have, make those mistakes where we can see them and we can grow as a team, as an organization. Than go off, come back thinking they are an expert and then the people they are going to teach are going to be learning some dangerous stuff. If the answer is I do not have controls to provide good training then that has got to be on both sides. In which case I do not want the dangerous person. If I have got the controls to provide training well in that case I might as well just do the whole training myself.

David Spark

Right but that [INAUDIBLE] let me also point out if you send them to training where they learn good stuff and bad stuff, at least they have learned some good stuff. As opposed to when they are not trained at all and they are just flying by the seat of their pants, making mistakes, and they are making it not in some comfortable sandbox over at the training center, but on your network. Do you still feel good about that?

Andy Ellis

If we are basically saying that the expected distribution of choices that they are going to make is neutral. That the same amount of good is tempered by the same amount of bad…

David Spark

Well I do not know that yet. You do not know that, hence this is the risk management. If I knew that answer at the beginning of every What is Worse game there would be no point in playing the What is Worse game.

Andy Ellis

Exactly so I get put on the constraints when I give an answer.

Branden Newman

Within reason, which we did.

Andy Ellis

Within reason.

David Spark

Branden do you change you answer at all? Where are you standing on this?

Branden Newman

No, I think they are the same scenario, if I cannot put any kind of Dev environment in place or internal– so lets say we take training off this table. I would at least put some kind of controls in place where that guy untrained before he has ever touched a system cannot work in Prod for example.

David Spark

Okay there you go.

Branden Newman

I would still take the no training then and let them learn by the seat of their pants in Dev, and just not them until I have seen some good quality changes put into Dev environments before they ever get released on Prod. So I will keep my answer.

David Spark

Good job.

What annoys a security professional?

00:20:20:15

David Spark

On two different threads, Kevin Beaumont of Arcadia Group and Mike Higgins of Amazon, asked, “What is the pushiest sales tactic you have seen in InfoSec?” Some techniques mentioned were “hey did you get that email I sent you or did you get the gift I sent? And here is a gem of a one. “I would like to talk to your CISO to verify the cupcakes we sent were delivered” I like that one. Here is another one. Social engineering the reception to initiate meetings or to get phone numbers of executives. Another one. Vendor conducted a demo to a team member and after the demo vendor contacted the CISO saying that their team member endorsed the product and they needed to begin purchasing. I am going to start with you Branden. What is the most pushy tactic you have seen? And do you believe this behavior is the result of desperation, just trying to make sales quota or do you think it is something else?

Branden Newman

First off I guess I have seen all of these. Like most CISO’s I am super end of burn out with hundreds of messages a day in all of the avenues. I guess the most pushy is one you mentioned which is this name dropping type of deal. The worst has been when they name dropped somebody that is either on the board or the CEO or something and make some kind of claim that they already have something worked out with them. And that makes me then in turn reach out to that person and cold call them basically, and say so and so said that you are working with them or have a business deal with their company or something. And then you look like an idiot when they go I never heard of those people before. So I just stop doing it.

David Spark

But not only that you know that technique will literally always fail because they will always be called out. And their lack of sort of truthfulness and validity will fall apart. Yes or no?

Branden Newman

It definitely fails when it’s in my team. Sometimes they even name drop people in my own team and I am like of course I am going to check with them, and that turns out not to be true.

David Spark

The thing is they know you are going to check with them and they are going to find out they were lying.

Andy Ellis

It clearly works with somebody if people are doing it.

Branden Newman

That is what I am thinking. I saw them start pivoting and going with people that were two or three layers either horizontally away from you in the company or something. That it would be awkward for you to keep approaching them, so I guess it must work somewhere. But I would say that out of desperation or not, I guess that depends on the company. I have heard of many companies that just keep upping their quotas, where they are really driving sales people on the ground. And I see other companies that are leaving it all on the bonus structure of the sales people. So I think it can be driven either way. Maybe you are just promoting it if you have one of these companies that is just constantly raising quotas.

David Spark

Good point. So Andy, the pushiest sales tactic you have seen?

Andy Ellis

I have got two that are tied for me. One was a security vendor who literally showed up every week. The account rep physically came to our offices, walked up to the main receptionist and would drop off packages for me. Not even just mail me random gifts. And I am getting these things and it is like here are energy bars, here is a set of air pods. And I am like what is going on? After a month then they reach out and say did you get our gifts? And I am yes and due to ethics rules I have already passed them off to other people. Please stop. That was a fascinating one, was the physically dropping them off. The other one was actually an academic who had reached out to us and said I know you have a lot of data and you understand a lot of risk, I would like to explore something with you. One of the people in my team was interested, took a conversation with them and talked about risk. And then we were sent a bill. They said well you have made a deal with us. I was literally like do you have a contract? They said well no but I just presumed. I said you do not get to charge us for your time where you are doing research and you wanted access to our data. So those were my sort of my two most pushy. I actually think the behavior in general, not at the most extreme ones, but in general is driven by a consequence free environment. If you are a sales representative, these do not blow up in your face. They might blow up in your company’s face.

David Spark

That is a good point. A consequent free environment because if you have an environment like that, you would not do these kinds of things.

Andy Ellis

A lack of understanding of the CISO. I think most CISO’s ignore sales tactics. I have a vendor rebuff email where literally I am getting emails…

David Spark

I have seen it. It is actually a blog post as well.

Andy Ellis

Right and I will send it back which says hey by the way I am just going to get you to a no very quickly. The answer is no. And by the way do not send me a gift, do not offer to take me to a thing. Here is all the reasons why you should not do that. And what is really great is that gets such positive feedback from the sales development community. Because nobody ever tells them not to do this. These are often people, first jobs. They are in a sales culture that is high pressure like Branden just talked about, who are completely insulated from their targets. They are not even the representative who is going to meet with you. Their job is to get you to respond so somebody else can show up. Nobody has told them what our industry expects.

David Spark

My favorite thing about that email that you send out, you have the line of well then how am I going to get to you? And you say you want to get to me? Be awesome at what you do. I will hear about you. And I think that is the key line right there. If you are awesome at what you do, it will come back to me, eventually. Would you agree with that statement Branden?

Branden Newman

Yes sure, I am just waiting on the time that we get off of this bell curve in cyber security and hopefully get to some normalcy in this vendor pitch and aggression.

David Spark

That is a good question. Where are we on this bell curve? What part of the curve are we?

Branden Newman

I hope it is the top.

David Spark

Potentially coming down? Anyone think we are coming down?

Branden Newman

I have not seen it come down at all.

David Spark

Is this the fattest bell curve that we have been at the top for so long?

Andy Ellis

I think we are now starting to see a big wave of hey, I will give you some high end technology item just for taking a meeting. And that that is now being a norm in the start up community. I have worked with a lot of our companies to say hey we have got to tone that down, you have got to stop that. Because an enterprise CISO you will never get back in the door.

David Spark

You do not want to burn a bridge by doing something like that. And we have talked about that. It is essentially they are looking for the easy paths. Because trust me, it is far cheaper just to give CISO’s gifts than to do everything else that is necessary.

Andy Ellis

The value of a first call with a CISO is somewhere between one and $5,000. To a start up that is what that meeting is worth. And so to them they are like well if I have to pay a $1,000 to get the meeting that is worthwhile. But they are not recognizing that there is no way you can pay a $1,000 to a CISO to take a meeting that is going to actually be useful and that is the disconnect there.

It is time to play What is It and Why Do I Care?

00:27:05:24

David Spark

Alright this is a new game for the two of you but our listeners have heard this game before. Today’s topic is email security or human layer security. These companies have categorized themselves as one or both of these things. I have three pitches from three different vendors in this space. The first round the contestants answer what is email/human layer security in 25 words or less. That is the “What is it?” And then for the second round they will explain what is unique about their email/human security solution. That is the “Why do I care?” The company names and individual identities are hidden and only the winners will be revealed at the end. You guys follow? You ready to play?

Andy Ellis

Absolutely I love this topic.

David Spark

Remember it is all in the same category, I am just going to read what is it. I will mention I am going to read three of these. And when I do it for the two categories they are not going to be in the same order. So identify them as one, two or three in each one. Here is the first one. We provide CDR, content disarm and reconstruct, based file protection for enterprise, NS and B clients. We prevent malware before it enters via the email gateway. Number one. Number two. We use technology to empower employees to make the right decision. By understanding normal communication patterns we can detect when something deviates and prevent the spare phishing, misdirected emails or data act filtration. Now number three, and this is actually a list that they provide. Prevent people from making mistakes. Prevent these auto complete error, forget BCC etc. Number two, and this is still number three, I mean they are listing as one, two, three, excuse me. Prevent people from breaking the rules. Prevent these malicious ex-filtration. Three, prevent people from getting hacked, prevent spare phishing. So that is one, two and three of our three different vendors. I will start with you Andy and I will reveal at the very end which of these three you think explained email securities/human layer security the best.

Andy Ellis

I will be honest, I did not like any of the three. But I will tell you what I did not like and I will tell you which one I did not like the least. So number two I just really did not like the opening. I sort of tuned out after like we use technology to do… I am like that is like very company, come on. Number one, great. Okay you explode stuff. Maybe they should have just started with we explode email on the way in if it is bad. That would have been cleaner and simpler. Number three actually I thought would have been the best except that everything was we prevent people from. I really do not like this blame the user approach. The problem is the email infrastructure we use is a complete and utter disaster. I would prefer something that was positively oriented for humans. For example giving humans the tools to protect themselves. I will go with number three but I want to hang that caveat of I really do not like…

David Spark

You feel that that pitch could be improved, if it was written in the way that you should just said? So number three you liked the best. Branden what was your favorite?

Branden Newman

I think they went in order from worst to best, one, two, three.

David Spark

Okay so kind of the same way?

Branden Newman

Yes, the first one, too technical. I mean they already jumped in there a little bit too crazy in the beginning, so I also kind of tuned out a bit on a technicality. The second one was refreshing from the first one, so at least it got really straight to the point. It was fairly vague but got to the point and I thought it was reasonable. And then number three, I thought was the best out of the three, it is always good to have these kind of bulleted lists, or three discreet topics. So I like how they broke it down into three discreet topics. It needs a little bit of polishing from all that stuff in parenthesis because it is hard to understand from the few words what the three discreet topics really mean. But then when Andy said that I am like of course, that makes perfect sense. We should not be saying it in a negative tone, against the people. We should be protecting the people by this or protect your employees by this. I agree with him totally on that statement but number three wins it for me.

David Spark

Okay I will reveal who it is at the very end of the game. I am going to read you one, two and three in completely different orders this time. And this is the Why Do I Care? This is what they are doing to differentiate themselves from the other players in the market. Number one, we take a new approach that does not rely on training, policies or rules based systems. Employees should not have to be security experts to do their job. Our company is here to automatically help them. This next one which has a numbered list. One, machine learning to learn user behavior and spot anomalies in parenthesis in ways DOP cannot. Two, zero trust methodology and machine learning treats each inbound email “guilty until proven innocent to catch sophisticated attacks like supply chain compromise for example.” So that was number two there. Andy is trying to count words I think in his head.

Andy Ellis

25 words really fit that one for number two?

David Spark

I do not know. Well here we go, number three. We differ from the competition because we offer both enterprise and SMB solutions as well as offering the only native CDR security add on for the Microsoft 365 ecosystem. I will start with you Branden on this one. One, two or three, which one did you like the best?

Branden Newman

I think that you did not even need to mix them up because I think we can tell the order that they are in.

David Spark

Yes I did not need to mix these up at all.

Branden Newman

They are so similar in their themes. The middle one, this list again, completely broke down for me I think. I was expecting greatness from number three that won in the beginning and I assume number three is now number two in this one. The first one was fairly vague to me. And I think that is probably the second one in the beginning. I would go probably with the third one, which I believe connects with the number one in the first turn.

David Spark

By the way you got that completely right. I will say that.

Branden Newman

Even though I did not particularly like any of them but I would probably go with the third one if I had to pick one.

David Spark

What is it you liked about the third one?

Branden Newman

It kind of hit on a couple of points that were I guess when you start talking about if you hit a company that has Office 365 and has trouble there, whatever, maybe that will hit home with them a little bit. Although it could alienate the other guys, the G-Suite guys and everything. But the other two, I mean the second one was really, really bad in my opinion the way that they just laid out all of the list of technical things that they do. And the first one was too vague. So I think that they were all fairly bad but number three wins it for me.

David Spark

Andy, I get the sense because of the way you reacted to the second one that you are kind of in the same boat with Branden?

Andy Ellis

The second one they were stuck on their list format and they went really like unlike DLP. No I do not need that in the Why Do I Care? I actually agree with Branden a little bit on the new number three that they did a really good job of getting you to a no quickly, which is really important. If you do not use Microsoft 365, you are not interested in this product. That is actually fantastic.

David Spark

But if you do we are speaking specifically to you?

Andy Ellis

I actually liked the tone in number one. I do agree that it was a bit vague, I really would like them to crisp them up. But I loved how it was positive and focused on the business impact. We are going to implement this, it is not going to affect your users directly. It is not going to require them to do big training. I thought that they have a great value proposition there, they should crisp that one up. And since you are only going to announce the winners I figure I am going to go with number one there for being positive.

David Spark

Okay so we are going to pretty much find out everybody right now.

Andy Ellis

We are not going to find out?

David Spark

No, no you are going to find out everybody. You are going to find out everyone. Alright, so lets start with the winner of the What Is It round? That goes to Autumn Warnock with Egress. They are an email and human layer security firm. You liked the fact that she broke this down but do not be so negative, spin to the positive. I like that. The one that you chose in the second round Branden, that goes to Yehudah Sunshine of Odix. And also they are more of a email security play straight up. They did not claim that they were in the human layer security area. Then the one that you liked Andy in the second round goes to Ben Keller of Tessian. This is the first time we have had all three contestants revealed.

Andy Ellis

Well and you know something? I will offer something as a reward for them, or maybe it is not a reward, it could be a punishment. Those three individuals, I will give you 15 minutes of my time crisping those up, maybe even 30 minutes I will go to. But talk me through the technology and I will see if I can help you crisp up those messages.

David Spark

Now that is a darn good offer. And then do not have to spend one to $5,000 to talk with you?

Andy Ellis

No.

Branden Newman

That is a $15,000 offer there Andy.

Closing

00:36:29:21

David Spark

You heard it right here. Andy is offering it. I want to thank you very much Andy Ellis and Branden Newman for being a part of this show. Branden I will let you have the very last word. I always ask my guests are you hiring? And hopefully you are, so please have an answer for that question. I want to thank our sponsor, Grip, thank you so much Grip for sponsoring. You can check them out at Grip.Security for your SaaS security needs specifically getting comprehensively visibility, governance and data security. Get control of your chaotic SaaS eco system. Again Grip.Security. Andy any last words or any last pieces of advice, any thoughts for Branden?

Andy Ellis

I think Branden is getting ready to be invaded by the security community very shortly. I think I am going to give him a thought for some serenity and some non-excitement during security summer camp.

David Spark

Good point. Actually, just so you know this is going to release well after security summer camp.

Andy Ellis

Okay I will rephrase that then. Branden just got invaded by security summer camp. And since I have to predict what happened to Branden, since we are recording this before summer camp happens, I am going to hope that Branden had an awesome time. That it was very peaceful and he did not have any troublesome folks from our industry pestering any of his resorts.

David Spark

Well hopefully they were paying to be in his resorts.

Andy Ellis

They were paying him to be in his resorts, but they were not pestering his resorts.

David Spark

Lets hope not. Branden, any last thoughts and are you hiring?

Branden Newman

We are hiring. I actually grew the security team by I think 13 FTE this year. We still have at least five or six open positions, you can see them on the MGM career site. Generally speaking I can just say that all of our properties are open. The Vegas strip is absolutely booming, I was down there just the other day, so just in case you are in doubt. The party is back happening out here. We have the Bet MGM app which is online sports betting, getting improved a new state, it feels like every single month, so check that out if you are in to that. And hiring, hiring, hiring remote also in a lot of states. So if you are interested to come and work for a cool team then check it out.

Andy Ellis

And anybody who gets hired by Brandon will have one up on me because I was turned down by MGM Resorts when I applied to work there.

David Spark

Hold it, who turned you down Andy? And how old were you at this time?

Andy Ellis

I was 23 and I was applying to be a bartender.

David Spark

Really? It was not in the cyber security business?

Branden Newman

I think we worked that out for you Andy. If we can talk after this I maybe can still get you in there.

Andy Ellis

A bartender position?

Branden Newman

A bartender job.

David Spark

It is a possible new career switch for you Andy.

Andy Ellis

Going back to the career I started in.

David Spark

You started in bartending? Did you bartend in California?

Andy Ellis

No in Vermont. The listeners cannot see it but I have an award of excellence from the Wine Spectator for the wine cellar that I managed in 1992.

David Spark

Wow, alright, so did you ever pour any hard liquor or just wine?

Andy Ellis

Yes I also poured hard liquor. But it was a small inn and it was nothing of the scale of any of the bars in the MGM’s. It was not surprising that I got the note that said thank you for your application and have a nice day.

David Spark

We will definitely be sure to send a nasty note telling them what a big mistake they made. I want to thank the both of you. I want to thank our sponsor and I want to thank all our listeners for all your awesome contributions and for listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.