Cyber Advice So Generic, You’ll Assume It Came from ChatGPT

Shifting Left is so five years ago. Advice and best practices are great, but context is king. Is there a mixture of best practices AND doing what’s right for your business that’s practical?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski. Joining us for the episode is our sponsored guest Gaurav Banga, CEO, Balbix.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

Full transcript

Intro

0:00.000

[Voiceover] Best advice I ever got in security. Go!

[Gaurav Banga] Never overestimate how little of what comes out of your mouth is actually understood by your CFO, your CEO, or your board.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series. And joining me, my cohost, my guest cohost, but you’ve heard him as cohost many times before on one of our other shows, that would be Defense in Depth. It’s Steve Zalewski. Say hello to the friendly audience, Steve.

[Steve Zalewski] Hello, audience.

[David Spark] It’s Steve Zalewski. We’re available at cisoseries.com. Why not go check it out? And maybe you could listen to the other show Steve is on, Defense in Depth.

[Steve Zalewski] It’s the better show.

[David Spark] It’s the better show? Don’t say that when you’re about to record this show.

[Laughter]

[David Spark] Our sponsor for today’s episode is Balbix, automate your cyber security posture. By the way, they are a brand new sponsor. We love having them on. Thank you so much, Balbix. And by the way, I should let everybody know that Steve is actually an advisor with Balbix as well.

[Steve Zalewski] Yes, I am.

[David Spark] He will be giving a little insight as well. Now, before we jump into that and introduce our guest, who you know very well as well, I want to mention a moment of non-tech…of courtesy that I was so impressed by. And I actually just posted a photo of it. But I received… And here, I’m holding it up in the… Here.

This is a thank you note. Oh, you can’t even see this. It’s all bleached out. But it’s a thank you note that I received from one of our guests, Phil Beyer, who’s the former CISO of Etsy. A handwritten thank you note that was mailed to me. When have you received one of those, Steve? Now, I do receive those sometimes from physical gifts, but I was so impressed with the touch of it.

And I would just say can you think of just one thing that is a small gesture like that that has a huge impact that you have received?

[Steve Zalewski] I’m actually looking here… A woman by the name of Autumn who I spent some time with who was interested in getting into cyber security, and she actually sent me a handwritten note as well thanking me for the time to help her understand. So…

[David Spark] That’s huge.

[Steve Zalewski] Yeah, some of the old school courtesies that have died off really are hugely impactful.

[David Spark] Mm-hmm. ‘Cause it takes just a little bit longer to write a handwritten note than to type “thank you.” So, old gestures still work today. I think they work more so because we see so little of it. Let’s bring on our guest. Very excited. I actually just recorded some videos with him, and I was so thrilled with some of his insight which I’m hoping we’re going to hear a lot more here, which I think we will.

It is the CEO of our sponsor, Balbix. Our sponsor guest, it’s Gaurav Banga. Gaurav, thank you so much for joining us.

[Gaurav Banga] It’s great to be here.

Question for the board.

3:12.129

[David Spark] What are your most successful tactics when talking to the board room? Now, Reet Kaur, who is the CISO over at the Portland Community College, offered these five tips – make the board feel secure, focus on the business, not technology. Compare using industry benchmarks. Zoom out and look at the big picture.

And last, quantify risk. Steve, all of these are very valid, but I’m interested to know what is it that ultimately gets them to trust you and make a decision, because that’s what they want to do. They want to take action, and they want to trust you. Isn’t that the point of all communications to the board?

[Steve Zalewski] Yes, it is. Which means walking in and being authentic. Okay? It’s actually these five from Reet are really good, because any one of them can be successful. But being authentic as a CISO as to how you do your job and want to represent that to the board is the hardest thing for a CISO to confront.

Because once they know the type of CISO they are, they can also see the gaps that they have and whether there’s a mismatch between how they’re representing security and how the board wants it represented. And that’s the big ah-ha moment that I had in my years in security to be able to understand it’s not representing somebody else’s view, it’s representing your view.

[David Spark] What’s a classic mistake you made early on that you would tell others, “Don’t do this.”

[Steve Zalewski] Oh, treating security as a set of functional controls that you have to deploy to inflict security on your company and think that that’s what the board wants.

[David Spark] That is a good example, because that’s a super easy mistake to make. And I can see a lot of early security people doing exactly the same thing. All right, I’m throwing this to you, Gaurav. We talked about this very issue. You in fact boiled it all down to two of these things. It’s trust.

It’s making decisions. And lastly, you said money. What is the trigger that ultimately gets this to happen?

[Gaurav Banga] First off, I think Steve said it very well. You have to be authentic because you want to inspire the board’s trust. Without trust, nothing can happen. And there’s a variety of different things you can do to inspire trust. But it all starts way before the board room. You have to collaborate with stakeholders up and down the stack, way before your first board meeting.

The thing about board meetings is nothing should really be a surprise in the board room. A good board room, good board meeting is a very boring board meeting because everything has been said ahead of time to everybody else.

[David Spark] I like to liken this to going to the dentist. You don’t want any surprises. [Laughs]

[Gaurav Banga] So, what can you do in terms of being data driven, being collaborative to inspire trust? So, that’s open. The second piece is… And this is, again, Steve knows this really, really well because you and I have talked about it so much. Boards hire executives to bring solutions to them, not problems.

So, if you say, “Well, I have these controls, and I have more visibility. And we have these issues,” well, the board doesn’t really care because they hired you for actionability. So, they look for you as the expert to recommend to them, make things actionable. You have to bring in risk, and you have to make it actionable.

[David Spark] Hold on, let me pause you right there. When you talk about actionable, does it literally mean, “I’m suggesting these three options.” And you literally give them three options? Or is there more to the story than just that?

[Gaurav Banga] Yeah. Well, ultimately the goal of the CISO, the role of the CISO is not to tell the board what to do but and yet tell the board what to do. And that’s the key thing. The first conversation is about coming to an understanding, a shared understanding, of how much risk can the business tolerate, what is the risk appetite.

And that conversation has to be led by the CISO or at least initiated by the CISO and facilitated by the CFO. And once that is clear then the job is that within this… If you want to get this risk appetite, if that’s our goal, if this is a risk level or acceptable level of risk, this is our tolerance, then these are the next best steps we can take.

And maybe there’s a couple of options somewhere, and there’s a cost associated with that as well.

[Steve Zalewski] Well, let me dovetail on that. Because Gaurav and I talked about this. There’s nothing we would say going to the board. Going to the board with three slides that have 47 facts on them that I’ve deployed 97% of MFA, that I’ve done 100% of my weekly security phishing tests, okay, as a way of demonstrating to the board that you’re secure is the last thing you want to do.

One of the things I learned was to go to the board and tell a compelling story, not reiterate a set of efficiency facts. Okay? Risk is about effectiveness. It’s about protection. It’s about making hard decisions that not everything can be protected evenly. And letting the board have an understanding of how you internalize that and then represent it to them.

An example of that would be when I went to the board and I said, “Look, in protecting the company, I have three responsibilities. Protect the brand, protect the people, and protect the supply chain. And now let me tell you what I’m doing against the risks and the attacks to accomplish that. And you tell me whether you think I’ve got the right balance.” That is a compelling story for the board.

Attention CISOs, your expert opinion is needed!

9:29.082

[David Spark] Cyber insurance rates are growing, and they’re all over the map. I’ve seen reports over the past year with growth from 15 to 110% quarterly growth. Now, what’s worse with this rising premiums is the narrowing of what your insurance will actually cover. In an article on “Fortune,” Shmulik Yehezkel provided advice that to protect what cyber insurance can’t/won’t protect, companies really need to know their adversaries.

Which is always good advice, but not every company has the resources to figure that out. On the cyber security subreddit, there appears to be a lot of stress over the costs of cyber insurance prices going up, and there’s more rigorous examination of the companies they’re insuring. There’s got to be a breaking point.

At some point, either the insurers are going to stop offering insurance. This has happened in other insurance categories, by the way. Or only the companies who can afford it will get it. So my question is… And I’m going to start with you, Gaurav. What’s working, and what’s not working in insurance? I understand why prices are going up and more scrutiny.

It’s such a new field, changing radically. And I’m sure the actuarial tables look like an EKG chart. So, that’s why these rates go up so much. What works, and what doesn’t do you think, Gaurav?

[Gaurav Banga] This is a fantastic question around what’s working. Well, you can still get cyber insurance if you can convince the right insurer. So the question really becomes it is now a game, can you…how do you convince some insurer to underwrite you. And that’s still possible. What is not working is if you don’t know anything about your cyber security, if you are just looking at cyber insurance as a substitute for your poor cyber security posture, well, that’s not going to work anymore.

[David Spark] Yeah, yeah. I don’t know if it ever worked, but a lot of people definitely had the theory, “We’ll just buy more cyber insurance.” You can’t buy more cyber insurance if your security stinks because they just won’t give it to you. All right, Steve, let me throw it to you. What do you think works and doesn’t work in cyber insurance?

[Steve Zalewski] Here’s what doesn’t work – the insurers do risk pools. And historically cyber insurance has been very profitable because there have been almost no claims. So, everybody wanted a piece of the pie. In the last three years, everybody has realized that it’s no longer profitable. And everybody is pulling back.

And they’re being incredibly conservative in giving you insurance because they haven’t yet figured out how to price it to have that built in profitability that the actuarial tables have given for the other types of insurance.

[David Spark] Yeah, because those seem… They don’t really move that much. Like auto insurance, home insurance… I mean home insurance I think with great tragedies, that’s where you can see huge jumps. When you have floods, fires, and hurricanes, and things like that. But cyber insurance… I mean who the heck knows with these things?

But I want to get to the thing about needing to have some type of understanding of your adversaries. How will that help get cyber insurance? Does it at all? I don’t even know. Just saying, “Hey, I know who’s going to attack us.” It’s like saying, “I know where I’m going to get into an accident.” Like, I don’t think they want to know that at all.

And maybe they won’t give you insurance if you know you’re going to get into an accident. Gaurav?

[Gaurav Banga] Yeah, I don’t think it’s the most important point. I think the most important point is trying to be able to distinguish between… Just like car insurance. Do you live in a neighborhood where you’re more likely to have a fender bender?

[David Spark] Or get a break in, yeah. Yeah.

[Gaurav Banga] So, New York, which is a busy city, it’s more expensive to insure people in because there’s lots of fender benders than let’s say suburban Texas. So, I think we definitely want to know that. But we also want to know the other side of it – are you a good driver or not. Because that’s the number one thing.

Like it’s more important than whether you’re going to get in a fender bender or not.

[David Spark] Well, that’s a thing you can control, too.

[Gaurav Banga] It’s the dominating factor as well. Kind of think about it – if you don’t have MFA, are you more likely to cause an insurance claim than not? The question is how can I get that information in a systematic fashion and not become like another auditor or regulating cyber security, which you don’t want insurance companies to become.

They’re not going to be. So, one of the things that we are seeing is that there is a new almost like a trend in insurance companies – can I get through large pools of cyber security posture data. Inside out data. And can I then correlate it to the losses that I have seen from similar organizations. And that’s the new fad.

It’s like as Steve was saying earlier, they loved it. Then they hate it. And now they’re coming back and saying, “If I’m smart about it, maybe I can make money again in this market.”

[David Spark] Steve, you got some maverick thinking on this subject. Give it to me quick.

[Steve Zalewski] Yes. Which is for CISOs, I would argue don’t try to get cyber insurance anymore. Can your program be built to withstand the protection of the key assets without counting on cyber insurance? Because if you can do that then you have a conversation around is the board comfortable with the level of risks that they have to accept given the size of your program and then introduce cyber insurance.

So, change the game.

Sponsor – Balbix

15:15.884

[David Spark] Before I go on any further, I do want to talk about our sponsor, Balbix. That’s Gaurav’s company. And let me tell you a little bit about them. CISOs at large multinational organizations face many challenges in measuring and reporting their cyber security risk. We are talking about this very issue on today’s episode.

So, articulating security risk is complex and involves an understanding of the threat landscape, application and infrastructure vulnerabilities, current security controls, and its impact on the organization. If CISOs can’t articulate the value of the risk to their board, they struggle to get additional budgets for tools and resources which stalls security programs.

We just talked about this, so we all know this.

Okay. So, this is where Balbix comes in. It’s a cyber risk quantification platform. Balbix discovers all managed and unmanaged assets such as servers, VMs, Kubernetes clusters, and even those pesky IoT devices that you may have forgotten about. It identifies, prioritizes, and manages vulnerabilities associated with these assets.

All of this data is used to deliver cyber risk in monetary terms that your CFO and board can understand that enable you to get the support and budget to improve your security posture. So, why not check out what they’re doing? This is definitely speaking to our audience. Go to Balbix, the site. It’s just balbix.com.

And why not follow them on LinkedIn while you’re at it?

It’s time to play “What’s Worse?”

16:59.251

[David Spark] Steve, you know how to play, “What’s worse,” right?

[Steve Zalewski] I lived it for years.

[David Spark] You lived, “What’s worse.” All right, Gaurav, you know how this is. It’s essentially a risk management exercise. I give you two crappy scenarios. You have to tell me which one is worse. But I always make our cohost answer first, so you can either agree or disagree with him. All right? Now, this scenario is kind of a classic, “What’s worse.” And I looked at this, and I’m like, “I’m surprised we’ve gone this many years and not asked this one.” It’s a pretty good one.

It comes from Dustin Sachs of World Fuel Services, who’s given us lots of great, “What’s worse,” scenarios. And here we go, Steve. What’s worse? A data breach that exposes sensitive customer information or a ransomware attack that locks down critical systems and brings business operations to a halt.

Now, eventually business comes back but after a lengthy process of both restoring backups and having to pay the ransom, too. So, which one is worse of those two scenarios?

[Steve Zalewski] In my mind? Brand always comes first because that’s an extinction level event if your customers no longer trust you. Therefore consumer data far and away is way more important than business data. Because I can recover the business data. I can’t recover the consumer trust.

[David Spark] But the second I think is a trust issue, too. Because you stop operations for a period of time.

[Steve Zalewski] Agreed. I’ll use Levis for a minute. Okay? If I lose my distribution centers and I can’t send jeans to the stores anymore, once my stores are out of jeans, I’m not making money. But to your point, I have some time. If I compromise all of my customer data on my ecommerce site and all my customer data is out there, I’m going to get fined.

I can recover from that. But the damage to my brand of customers no longer wanting to buy my jeans, that’s extinction level.

[David Spark] I wouldn’t say that because Target got breached, and they’re still very much in business.

[Steve Zalewski] Ten years ago. Look at now. Even in the last four or five years, the data protection expectations in the US are, what, 100 times worse. And in Europe, they’ve always been bad. People have less forgiveness now in the consumer data because we’ve been really good at telling them how important it is they protect it.

[David Spark] I think people get breached all the time, and they don’t care. I think actually quite the opposite. But let’s see what Gaurav thinks. Gaurav, do you agree or disagree with Steve?

[Gaurav Banga] I think it depends.

[Laughter]

[David Spark] Oh, no. Oh, you don’t know how this game is played.

[Steve Zalewski] You can’t change the rules of the game.

[David Spark] “It depends,” does not work. You’re not allowed to play “it depends.” You have to pick one.

[Laughter]

[Gaurav Banga] Let me explain. If I am in a business where confidentiality is more important than availability then Steve is right. If I am a business in which availability is more important than confidentiality then Steve is wrong. And I’m not saying wrong as in like… Steve, don’t look at me like that.

[Laughter]

[Gaurav Banga] I know you agree with me. So, that’s why I said…

[David Spark] Right, that’s an excellent “it depends.” But you do have to pick one or the other. So, you have to say in more cases, which one is worse, which one is better.

[Gaurav Banga] In my business case, I would vote with Steve. Loss of confidentiality is much worse than temporary loss of availability. But that’s just my perspective from my business.

[David Spark] Others would have different perspectives. And I did like your “it depends” even though I gave you crap for it.

[Laughter]

Please. Enough. No more.

20:47.860

[David Spark] So, today’s topic is automation. This is a super broad topic, but, Steve, I want you to set this up. What have you heard enough about in the subject of automation, and what would you like to hear a lot more?

[Steve Zalewski] If I hear one more vendor tell me how automation is going to save me money…

[David Spark] And replace your staff, too.

[Steve Zalewski] And replace my staff… I’m ready to just walk off the plank.

[David Spark] By the way, let me ask you, did that literally ever happen once? Because that story was told many times. Do you know if that’s ever happened?

[Steve Zalewski] To me?

[David Spark] To anyone. To any human on the planet that they bought a security product and they actually could reduce their staff.

[Steve Zalewski] Yes.

[David Spark] An automation product. I should also mention that.

[Steve Zalewski] Yes. Because robotic automation for SAP and stuff, there are use cases where you can drive efficiency into the organization. Where like under the CIO…

[David Spark] Right. Yeah, but they don’t do the manual testing. You didn’t reduce your staff. You just pushed them off to something else.

[Steve Zalewski] Well, or you got rid of expensive staff, and you’ve used automation. And in doing that, you’ve had some cost savings because… Like Help Desks. If I can have somebody only spend three minutes with you instead of six minutes with you, that’s monetizable by using robotic automation. That’s why I’ve had enough.

What I say is if you can’t demonstrate, “I’m going to be more effective at protecting my company,” not efficient at measuring some arbitrary metric, let’s get in the game, guys.

[David Spark] So, what would you like to hear a lot more of then?

[Steve Zalewski] I want to hear how what you’re doing is going to make me more effective at protecting my company, stopping the attacks, thwarting the attacks.

[David Spark] How automation actually does that.

[Steve Zalewski] Automation does that. You tell me how you’re taking that problem off of my plate and accepting it. And that’s why I say, show me the effectiveness that my responsibility for security to enable to the company to sell more jeans, now you have my attention. And that’s the new minimum bar.

[David Spark] All right, Gaurav, I throw this to you. This is really where Balbix is playing in the wonderful world of automation. I got to assume there was a part of automation that you wanted to steer away from. That might be the what you’ve heard enough about. So, let me know. What is this?

[Gaurav Banga] So, the best way to think about what Steve just said, which is what can automation do for me today, how does it help me protect my business… So, if you take that apart, you really come down to what are we automating. Are we automating orchestration? Or are we automating some thinking that we can’t do?

So, if you cannot look at the problem of protecting the business, we can’t protect everything. It’s impossible. We have to decide acceptable levels of risk, so we need to analyze massive amounts of data, constantly changing data, data from dozens if not hundreds of cyber security tools that we might have deployed, and then based on that analysis we have to prioritize what needs to get done.

And then based on that priority, we’ve got to do certain things and not do other things. Now, this process unfortunately needs to be done day in and day out, 24/7, 365 days a year. And it’s a math problem. It’s a massive math problem. So, Balbix, for example, in our company for some of our large customers in order to do this, we automatically analyze over a terabyte of data every few hours to solve this problem.

And that is what we kind of say…

It’s like if you take the analogy of the human body, what we’re talking about is automation which is akin to thinking. So, the thinking of the infosec program just like how the human brain thinks and decides what needs to happen and what’s not worth happening. So, how does an info sec program, the brain of the info sec program, crunch all the data that is presented to it?

Threat data, vulnerability data, security controls data, risk data from business appetite perspective, continuously evolving and evolving as the business is evolving and then prescribe, or describe, or orchestrate what needs to be done. So, that is the automation problem in our view, and that is the problem that we’re trying to solve.

[Steve Zalewski] Let me dovetail on that. Because obviously you said earlier, I’m an advisor for Gaurav. So, I believe what he’s building is interesting, but here’s what caught my attention – what he’s really saying is when we grind all this data and we’re looking for interesting events, what we’re actually doing is looking for important events that are helping me with my business impact analysis.

That the risks that he is bringing forward and characterizing are aligned to my business impact analysis to know whether those threats are exploitable. And if exploitable, what is the impact on my ability to protect my brand and protect my company? And that’s what’s so interesting is grinding all that data isn’t to just find interesting tidbits, but it’s the mapping to a risk posture for business impact analysis.

[David Spark] And if I’m sort of reading this correctly, this is allowing you to tell… The reason we’ve also been talking about the board, allowing you to tell a more cogent story to the C-level and the board. Yes, Gaurav?

[Gaurav Banga] Absolutely. And this is the only way you can do it. Because otherwise, are you going to say, “Well, my analyst…I need more analysts to analyze the terabyte of data every two hours.”

[David Spark] No, they don’t want to hear that.

[Gaurav Banga] Yeah. Well, it’s impossible. Even a few hundred people would take several lifetimes to look at one terabyte of data, let alone a couple of hours. Every hour.

[David Spark] So, give me an idea because I want to boil it down. Maybe we can tell the story right here. Just give me a 30-second thing, something you’ve seen. Like a behavior you saw and it’s like, “Oh, this wasn’t seen before, and this is the story a customer…we could tell.” Give me an example.

[Gaurav Banga] Oh, it’s very simple. A few Decembers ago…a half year ago in the middle of December, there was this beast called Log4J. You all heard about it, right? And we keep hearing about it because we hear that some people are still struggling with Log4J. It’s like, “Come on, man.” Well, the afternoon Log4J was broke out as a thing…when it got a name, it was… The question is, “Well, let’s find Log4J.” And it was particularly hard to find because two things – one, it’s an embedded [Inaudible 00:27:56] which means it’s not in your registry.

It’s not in your install path. We don’t know how to find it. Because if you can’t find it, we can’t fix it. As simple as that. The second thing was it was constantly changing.

The first day itself, first 48 hours itself, multiple CVEs were released about Log4J. So, this is a perfect example where all the data analysis everywhere in the world that was happening simultaneously needed to be distilled down into actionable insights within seconds. So, if you use automation the way Balbix does it… And this is exactly what happened.

Our customers were able to resolve Log4J in hours and days. There are prospects and non-prospects at that time. Non-Balbix users took three, four, five months to do the same thing. And they were struggling with, “Where is Log4J? What instances do we need to prioritize? Which instances are okay? How do we mitigate it?” Because we can’t remediate it.

Not in December. There was a complete lockdown in most of the US data centers of most companies. So, how do we mitigate it? And how do we verify that we’ve done it? Oh, there’s another CVE. Let’s do it all over again. There’s another one. Let’s do it all over again. So, that stuff cannot be done by hand.

Well, it could be in two or three months.

It comes down to the fundamentals.

29:19.699

[David Spark] Shifting left is so five years ago. If you want to improve the security of your development process, you need to shift smart. That’s what Jeff Williams of Contrast Security coined, which is the process of needing context in application development if you want to drive down risk. Now, context is the story, said Chris Hughes of Aquia.

It sounds great, but geez, context doesn’t just land in your lap. You have to hunt for it and then make a plan. If we’re always striving for context, should security professionals ignore “best practices” because those never take context into account. You know, people just say, “Best way to do this is set up MFA.” I’m throwing something out.

So, we talk about fundamentals all the time, Steve, on this show. Isn’t there a mixture of best practices and doing what’s right for your business? When does/did shifting left become a bad idea? I mean I’m just throwing that out as an example of a best practice. What think you?

[Steve Zalewski] When shift left translates into least privilege at all costs and implementing that by locking down the company, you have not done the company any service. You’ve done it a disservice. Where shift left means I’m having a negotiation with being brilliant at the basics for the key security controls like identity and access management but understanding where the line is for how much friction I can introduce into the business in implementing this.

Like multifactor authentication everywhere, every 15 minutes after log off is just too much. So, this shift left to being shift smart is an appreciation that the controls are the mechanism that you use but understanding how you tune that and where the business friction becomes too much and the risk is going to be accepted by the business is where we’re going.

[David Spark] So, there is a need for best practices, but you can’t just apply them without understanding context if I’m understanding you correctly. Gaurav, how would you add to that?

[Gaurav Banga] The issue over here is risk is a parallel circuit. What that means is that the bad guys have multiple routes in. If you proceed too deeply by defending one of the routes, what have you achieved? Nothing. Because the bad guys can still take the other path. So, the trick here in shift left, shift smart, be more proactive… You have to kind of do that in the broad front which is another way of saying you’re only as good as your weakest control, or weakest link, or weakest door, or weakest window.

And then the other aspect is what Steve was alluding to, which is if you start going so far where you stop the business then most times you get thrown out of the business. Because business doesn’t like to be stopped. When you shift smart, you have to follow risk…decreasing risk and the cost of decreasing that risk to the business.

When you start encountering that, “Hey, I’m increasing costs to the business, and my risk is no longer reducing,” that’s a fine point. You need to back off, and you need to find another avenue to reduce risk because risk is a parallel circuit.

Closing

33:02.371

[David Spark] Excellent. Excellent point. And let’s wrap it up right there. Thank you very much, Gaurav. Thank you very much, Steve. I’m going to thank your company, Balbix, for sponsoring this very episode of the CISO Series. I’m going to let you have the very final word. And if you got any special offer for our audience, if you’re hiring, or anything like that, please let us know.

And [Inaudible 00:33:23] you want to talk about Balbix, please let us know more. Steve, any last thoughts on today’s topic? And you can speak to Balbix as well since you’re an advisor.

[Steve Zalewski] Yes, I can. I’m going to reiterate on the fundamentals about shift smart, shift left, and shift right. Okay? Shift left is vulnerability management. Shift smart is friction and risk. Shift right is exploitability. And so shift smart is understanding what we do to prevent the problem and what do we do when an exploit occurs and we manage the problem.

And something like Balbix is not revolutionary, but it’s evolutionary to bring the vulnerability to the table and the exploitability to the table so that we don’t focus on shift left, we focus on shift smart.

[David Spark] I like that. I like that. All right, Gaurav, what would you like to tell our audience about Balbix? And are you hiring, by the way?

[Gaurav Banga] Well, first of all, thank you both for having me on the show. I would just say one thing. It’s just close your eyes. And if you imagine what three or four years is going to look like and then ask yourself, “How am I going to do this [Inaudible 00:34:30] some of the content that we covered?

How are you going to go to board meetings and survive? How are you going to not quantify risk and survive? How are you not going to automate in a smart way, shift smart, shift left, shift right, whatever is appropriate and survive? [Inaudible 00:34:48]. So, if it’s about getting started on the journey of the new way of doing cyber security, well, then come talk to us.

We’ll be delighted to understand and help.

[David Spark] Awesome. So, anyways, links to all of this on our blog post for this episode and also Gaurav’s LinkedIn profile as well. And you can also find Balbix at balbix.com. Huge thanks to both of you, and thanks to our audience. As always, we greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week In Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.