For some reason, the ABCs of sales (“Always Be Closing”) in the world of cybersecurity sales have translated into “Always Be Creepy.” Eagerness to make just a connection, forget closing, has turned into extremely forward approaches that would make anyone feel uncomfortable.
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and my guests are Steve Tran, CSO, Democratic National Committee, and Matt Crouse (@mattcrouse), CISO, Taco Bell. It was recorded in front of a live audience in Santa Monica as part of the ISSA-LA Information Security Summit XII.
Thanks to our sponsor, Ostrich Cyber-Risk
[Voiceover] Biggest mistake I ever made in security. Go!
[Steve Tran] Mass deprovisioning users in Okta.
[David Spark] Hold it. What did you do? [Laughter]
[Steve Tran] Almost killed everyone’s email with one click.
[Voiceover] It’s time to begin the CISO Series Podcast, recorded in front of a live audience in Los Angeles.
[David Spark] Welcome to the CISO Series Podcast. We are live in Los Angeles; we are at the ISSA LA event. I am your producer David Spark of the CISO Series Podcast. And joining me as my guest co-host, sitting right to my immediate left, to your right in the audience here, it is none other than Matt Crouse who is the CISO of Taco Bell. Let’s hear it for Matt.
[David Spark] We are available at CISOseries.com and for those of you who don’t know about us, just check out the site. We get lots of great stuff and lots of events, live in-person events like the one we’re having right now in lovely Santa Monica, but also tons of virtual events, so no matter where you are you can participate. Hey, I do want to mention our sponsor. Our sponsor today is Ostrich Cyber-Risk – Analyze your posture. Compare your surface. Mitigate your risk. More about Ostrich Cyber-Risk later in the show. I do want to mention that the name of this event is ISSA LA Information Security Summit, and I will say physically the most beautiful conference I’ve ever seen. Matt, would you agree with me on this?
[Matt Crouse] Without question.
[David Spark] Yeah. We don’t deserve this, kind of us pasty-white security professionals don’t deserve this beautiful sun, beach, and sand, do we? Because we don’t take advantage of it enough.
[Matt Crouse] We don’t take advantage of it enough, but it helps us to remember to get out once in a while.
[David Spark] Yes! It does. We can literally look at the Pacific Ocean where we’re sitting right now, and there is a pool, and I will just say absolutely not a single member actually went into either right now. But I heard supposedly last year, someone actually did that. All right. Let’s introduce our guest today, who you heard just moments ago. By the way, both Matt and our guest have been guests on the CISO Series Podcast before and thrilled to have them here. It is the CISO for the Democratic National Committee, or the DNC as many of you know it. It is Steve Tran. Let’s hear it for Steve.
[David Spark] Thank you for being here, Steve.
[Steve Tran] Happy to be here, as always.
What’s a CISO to do?
[David Spark] So, Peiter Zatko, a.k.a. “Mudge,” the Twitter whistleblower, has people questioning Twitter’s privacy and security practices. Now, as an outside observer, we simply do not have context to what’s going on. But security leaders can’t always push through security initiatives they know should be done. And there are often many business imperatives that thwart the best of efforts, and Derek A. on LinkedIn provided some examples. Some highlights are: The bigger the organization, the bigger the cyber budget. And the bigger the cyber team, ironically, the less you’ll probably be able to do. And despite having C-level cyber leadership, cyber decisions are nearly always subject to sales and marketing vetoes. And lastly, you’re going to find a lot of stuff to fix, you’ll be told why you’re not allowed to fix it.
So, some of these may be sobering realizations, but we all know the cybersecurity professional who is bullheaded and won’t stand for any of this. In those situations, it’s very possible to get a whistleblower who will want to broadcast their concerns. I’m going to start with you, Matt, on this. Is this a real concern for CISOs, sort of like to have someone like Mudge come to the front? And again, Mudge may be completely legitimate but there are always a number of political issues that kind of stand in your way, and I know that, we don’t have to expose any. But if this does happen, how does a CISO handle their staff when best efforts get thwarted?
[Matt Crouse] You know, security leadership is not a fantasyland, we don’t live in Disneyland, we can’t just make up budgets and steer everything exactly the way we want it to do. But we are there to serve a purpose.
[David Spark] You would like to do that though?
[Matt Crouse] Of course. We all want to live in a fantasyland, right? But we are there to serve a purpose, and our purpose is to educate our C-level leadership about the risks that are present to the business. So, if I wanted to do something related to user authentication or password security or whatever the case is, my marketing team is going to complain about user experience and customer friction and all of that stuff. And so it’s my job to help them understand and weigh that risk against the risk of potentially losing a customer over too much friction in a transaction and meet that middle ground.
I think what could have helped here, what could have helped prevent the whistleblower from coming forward, is if the business had some kind of visibility process and acceptance process. I would be willing to bet that all of the allegations that came through in that testimony aren’t documented. They didn’t go through a risk acceptance process. Nobody formally reviewed and signed off and said, “Yep. Okay. We’re all right with having Chinese spies on our staff.” Nobody’s going to do that.
[David Spark] So, let me throw this to Steve now. You know that often there are people who get frustrated, they’re like, “Well, why can’t we do this? Oh, it’s driving me crazy!” It always happens. More I’m concerned about how do you manage your team when they’re frustrated they can’t do the thing they know that’s right to do?
[Steve Tran] It’s tough because security’s a thankless job already, so you’re already starting at a disadvantage in most cases. So, I’m constantly reminding my team that even though it is a thankless job, we got into this business to do the right thing.
[David Spark] And when you can’t do the right thing, you get frustrated.
[Steve Tran] We get frustrated, right? Early in my career, I’ve had this mindset of just that, right? It’s like we need to do the right thing, sometimes I would get frustrated and just look at it in a very black-and-white manner, like it’s all-or-nothing type of thing. If it’s not my way, then I’m just going to be even more disgruntled, right? But then what I’ve discovered over the years, and especially when I progress in my career, is actually finding ways to be more commercially aware, business aware, people aware, emotionally intelligent aware to figure out how to frame and engage where we want the organization to go.
[David Spark] So, Matt, have you ever had a situation where an employer like, “Uh-oh. This might be a loose cannon,” because they’re really getting frustrated? How do you sort of talk them down from the ledge? I’m guessing this behavior happens where someone’s like, “Oh! I’m driving myself crazy! I know this is the right thing to do, and they’re not doing it.”
[Matt Crouse] Yeah, absolutely it does happen. And there’s two ways really to do that, and the first will happen with, it doesn’t matter what the situation is, you have to stay close to your team and not just your direct reports. You have to do skip levels; you have to stay close to your entire team and understand who’s going to be potentially the loose cannon. What’s frustrating people? If you’re not meeting with people that are on your team on a regular basis…
I had a CISO friend of mine once say, “If you have a staff of less than 200 people and you don’t know everybody’s name, you suck at your job as a leader.” You have to be getting to know people, you have to understand what’s frustrating them, what are they going on, and then talk through that with them. We’re called CISOs, security officers, but really it’s a sliding scale of risk, and that’s the way that we need to frame that. Especially when we’re told, “You can’t implement that control because it’s too much.” Well, we need to talk about the risk of that, and are we okay with meeting that risk, are we okay with allowing that risk to go forward.
[David Spark] Steve, is it just a situation of just make sure you’re talking to them, and they don’t hit sort of that apex frustration level?
[Steve Tran] Oh, yeah. A lot of it is communication and I guess psychology, right? In a way, I’ve essentially learned to social engineer people within my organization.
What annoys a security professional?
[David Spark] “One thing no one prepares you for in taking on the CISO role: the exponential increase in creepy unsolicited sales emails from security vendors, and their persistence. Literally, it’s 70% of my mailbox, and it started day one on the job,” said Alyssa Miller who is the CISO over at Epiq, she said this on Twitter. So, whenever I talk to someone who takes on a new CISO role, my first question is always, “How many emails?” and they know what I’m referring to. It has to do with the sales emails, when they first walked in. And then they light up, giving me numbers in the hundreds, and it’s very common for new CISOs to get these requests as they start their job. And Alyssa stressed the creepiness of the emails as in they’re always pushing to “set up a meeting.”
Now, we’ve talked about this “new CISO pounce” before, and this reminds me of the veteran college students who would pounce on the incoming freshmen. So, I’ll start with you, Steve, on this. What’s your advice for new CISOs? Because they really need to be aware of this. Because I remember talking to Jesse Whaley, who’s the CISO over at Amtrak, and he didn’t realize this when he took on his first CISO job. They want to be professional; they don’t want to be rude, but they also don’t want to encourage the behavior. Do you just ignore it all, should they filter it out, or educate them? What do you think? And by the way, you’ve had this happen to you.
[Steve Tran] Oh, yeah. I cleared out my spam folder last week and I’m already back at 500, right? And my LinkedIn. I feel bad because there are people that are trying to reach out to me because I’ve encouraged them to reach out to me, but I can’t seem to find those messages most of the time because it’s just mixed in with a lot of the sales solicitations and things like that. And the way I look at it is I do have respect for the sales rep and the business development units because they have a job to do too, right? And I actually have gotten really good contracts and deals out of cold calls. It doesn’t happen that often, but it does happen, and I’ve even learned from them, right?
Because I feel like if you’re going to solve a lot of complex security problems, it takes a community effort, including the cybersecurity vendor market in a lot of cases. Because I’m often faced with buy versus build, just like many organizations. So, sometimes if I don’t know something exists, it’s great for me to be able to learn from a warm intro or at a security event like this or a conference or sometimes, like on LinkedIn, if it’s really compelling. But also too from the CISO perspective, and especially being new in the role, is also be mindful that you run your program, your strategy, your team. It’s your show, right? Because sometimes I’ve actually had some of these vendors make it sound like if I don’t go with them, then I’m not doing my job right, or there’s…
[David Spark] Oh, yeah. The classic of, “Do you care about cybersecurity?” as an opening line, like, “I think this is my job.” [Laughter]
[Steve Tran] Yeah. It’s like that high-pressure tactic, right? Some people already are experiencing the imposter syndrome, and that does not help at all.
[David Spark] Well, Alyssa mentioned another comment on Twitter. Some woman out of the blue just said, “Hey, I know it’s tough to be a woman in cybersecurity, so I’m here if there’s someone you need to lean on.” I’m like, “That’s pretty creepy.” But I understand there’s this level of desperation by salespeople, like, “What is the hook that’s going to get them to respond?” What’s your advice? Again, I’m assuming this has happened to you as you’ve taken new CISO jobs, Matt.
[Matt Crouse] Yeah. Like Steve said, we have to respect the job that they’re doing. There’s a lot of products out there that are competing against each other, and so many of them are so new that honestly, I wouldn’t know about them unless it was for that person apologizing for their professional persistence and sending me the fifth email of the week. And so I appreciate the position that they’re in, but clearly email is not the way to get ahold of us because it’s not working, and that’s why you have to send me five emails and I still haven’t responded. Some of the times, they have gotten very creepy. Could we talk about the one time that – apologies if you’re listening, whoever you were a few years ago.
[David Spark] But again, you’re not naming the person, so they’re going to learn from this.
[Matt Crouse] I’m not going to name the person; they’re going to learn from it. I did have a package show up at my office one day from a vendor completely unsolicited with golf balls and golf tees and everything inside of it, and an invitation to go play a round at the country club that was right down the street from my house.
[David Spark] Yikes! That is creepy. I’ve heard it similarly someone had sent a single AirPod and had said, “If you want the second one, contact me back,” and they ended up just throwing it away.
[Matt Crouse] Yep. I’ve had that too, yeah.
[David Spark] So, one of the things I constantly hear from new CISOs is, “I don’t know anything when I’m going in day 1, day 30 of the job.” What would be a better way to show the appreciation that you’ve taken the new job without being creepy? Quick response, Steve, what do you think?
[Steve Tran] That’s a tough one.
[David Spark] Just, “Congratulations”?
[Steve Tran] Flowers?
[David Spark] Just, “Congratulations,” would that work?
[Steve Tran] Yeah, some kind of like welcome card or something, I guess.
[David Spark] Yeah. What do you think?
[Matt Crouse] Yeah, I think it’s a very stressful time when you take on a new CISO role, and so something that doesn’t necessarily relate to a pitch that you want to give me. But maybe a bottle of wine or something like that to just say, “Relax. It’s going to be okay. We’ll touch base in six months,” and you’ll remember that.
Sponsor – Ostrich Cyber-Risk
[Voiceover] Who’s our sponsor this week?
[David Spark] Are you tired of filling out spreadsheets and paying consultants to keep track of your cyber risk assessments? I would assume so. So, this can obviously cause many problems, more than just wasting time and money, for instance. How can you keep track of your risk continuously, not just once a quarter while using just a static solution? So, meet Ostrich Cyber-Risk “Birdseye.” Now, this is a unified qualitative and quantitative cyber risk management application that allows security and risk managers to easily assess, prioritize, and quantify your organization’s financial and operational risks in one application in just hours versus days or weeks. Jeeze, yikes. Birdseye offers an intuitive assessment workload to track your organization’s risk on demand and over time.
That’s a key thing, the “over time” part. And it provides easy to understand shareable reports – that’s nice – to communicate with stakeholders and third parties. Now, I think many of you might think it’s odd that a security company named themselves “Ostrich,” but let me point something out to you. Fun fact – ostriches can actually see two miles ahead of them and don’t just bury their heads in the sand. So, stay ahead of the cyber game and check out Ostrich today. Now, follow this web address here – it’s ostrichcyber-risk.com.
It’s time to play “What’s Worse?”
[David Spark] All right. For those of you who are fans of the CISO Series, you’re familiar with this game, it’s a risk management exercise. We get all these great scenarios from our audience, they send them in, here’s one from a fan, and they’re both bad situations. I have to stress that. You don’t want either one. But as a risk management professional, you have to tell me which of these two crappy situations is worse. All right? And this is kind of a long one, so stay with me. And it comes, by the way, from an anonymous listener who does not want any of this pointed back to them. And they keep stressing to me over and over when they sent it in, “This is fictional. It’s not real.” All right.
Your organization sets out to achieve an information security certification – think ISO 27001. By the way, you’re going to be answering first, Matt. So, Steve, you get more time to decide. Now, if you get the certification, it’ll greatly enhance the brand image as an organization that takes security seriously. To accomplish this, they spin up a net new audit and compliance program. Okay, here are the two scenarios. Scenario number one – after a short period, the organization’s IT infrastructure is brought into 97% compliance with hastily written, vague policies based on generic industry standards, and up to 15% of the compliance was achieved by gaming the metrics. The rushed implementation resulted in numerous system outages, lots of extra operational friction, and lots of damaged relationships; however, the organization achieved its certification and is bringing in measurable extra revenue because of it. All right? There’s a positive there. Stay with me.
Scenario number two – it’s kind of the flip of that. The organization took the time necessary to perform a deep dive analysis of its business processes, a thorough business impact analysis, and countless meetings with stakeholders. It then carefully crafted organization-specific policy that addressed its unique risk profile. The policies are being implemented in a careful fashion that minimizes the impact on affected systems. However, to date, the organization is only 57% compliant with the new policies and has yet to achieve the industry certification which would have brought in all the new revenue. All right. Which one is worse, Matt?
[Matt Crouse] The former.
[David Spark] The first?
[Matt Crouse] The first one is worse. It’s a question of how much integrity do you put into your job.
[David Spark] But I do want to stress the part – it brought in a lot of revenue for the business.
[Matt Crouse] It brought in a lot of revenue.
[David Spark] And it’s about the business, right?
[Matt Crouse] It is, but I believe those chickens will come home to roost eventually.
[David Spark] Okay.
[Matt Crouse] We opened the show talking about that, right?
[David Spark] Right, exactly. So, the bottom line is you’re saying this first situation is worse because you’re just blowing your integrity out the water.
[Matt Crouse] You’re kicking the can down the road is what you’re doing.
[David Spark] Okay, all right, that’s what you say. Steve, what do you think? You agree or disagree here?
[Steve Tran] Yeah, I’m going to take a spicy take on this. Favorite movie quote, “Show me the money.”
[David Spark] Okay. So, you do think scenario one is not the worst?
[Steve Tran] No.
[David Spark] You think number two is the worst?
[Steve Tran] I’ll take that money, and I’m going to go on a nice vacation on an island somewhere when the rest of the organization blows up because I’m going to be having mai tais.
[David Spark] No. Oh, no. You can’t skedaddle. But you’re actually making a good point. What if that money was brought back in to deal with the issues so you revolved it back in again? What do you think? Because you would have money in scenario one. What do you think?
[Steve Tran] It’s going to be the same issue. If they’re not solving that culture problem, the root cause of the issue that got them there to begin with, right? So, I feel like it’s just the same thing over and over again.
[David Spark] So, you’re agreeing with Matt here, scenario one is far worse?
[Steve Tran] I think so. Long term wise, it’s all about solving the root cause.
[David Spark] All right. Let’s get the audience vote on this. By applause, how many think scenario one is a worse scenario, by applause?
[David Spark] All right. Now scenario two – no money’s coming in and only halfway there. How many people think that’s worse?
[David Spark] One person does. All right. I appreciate your thoughts on that. All right. Let’s go to another scenario here. All right. This one comes from Jonathan Waldrop who gives us lots of great scenarios here. All right, here we go. He’s from Insight Global. Your long-trusted tech partner has been acquired by a company who has a history and reputation of destroying good tech, and you’re beginning to see the downward effects of the new company. You’ve had the tech in your environment for a while, it’s well tuned, and your team knows how to use it very well. What’s worse? And by the way, I’ll start with you, Steve, so you’ll answer first.
One – to avoid a sudden overhaul, you decide to use the platform as long as you can, even though there are no planned improvements/feature upgrades. So, the fear is they’re going to take this and just destroy it, but you’re going to hold onto it as long as you possibly can. All right? That’s scenario one. Two – you remove the old tech because they’re getting bought out by this company and even though you love it, you think it’s going to go downhill, and you onboard three new platforms to cover the various areas as quickly as you can. It takes three because there’s not a single tech that’s as well suited to your environment, organizational requirements. So, which one is worse?
[Steve Tran] Why do you do this to me?
[David Spark] All right. So, this is a tougher decision here. Okay.
[Steve Tran] I would say the former.
[David Spark] The first one is worse? So, you just hold onto it knowing there’s going to be no upgrades even though you love it, and it works really well today, but down the road who knows? That’s worse than overhauling everything? And why is that?
[Steve Tran] Residual risk.
[David Spark] Residual risk?
[Steve Tran] That sneaks up on you.
[David Spark] Dig into that for me a little bit.
[Steve Tran] Yeah. It’s that comfortability, that resting on your laurels that eventually bites people in the butt, right? When you feel comfortable, that’s bad in security. You shouldn’t feel too comfortable.
[David Spark] Oh, okay. Good point. All right, Matt, do you agree or disagree?
[Matt Crouse] No, I disagree.
[David Spark] All right, good. We got a split decision here. Why is that?
[Matt Crouse] The second one’s worse because we’re talking about a threefold increase in complexity in your environment.
[David Spark] Good point.
[Matt Crouse] I don’t want to take that on just because some vendor wanted to change their product. I’m going to hold on, and I’m going to ride that product out for as long as it serves its need in my environment, for as long as I possibly can. And if there’s risk that comes up, I’m going to build against that, but I’m not going to replace it just because.
[David Spark] Excellent point. All right. We take this to the audience right now. Which one do you think is worse? Is it scenario one, by applause? Nobody agrees with scenario one. Scenario two, by applause?
[David Spark] All right. So, by the audience decision, Matt wins.
Where does a CISO begin?
[David Spark] Steve, you started an initiative at the DNC that includes FIDO and passkey, which is what Apple announced in June, in an effort to completely dump the password. So, what does it actually take to dump passwords? Users seem to be really comfortable using an authentication tool that is so vulnerable. And interesting point, Scott Galloway – who is not a security professional but a smart guy, he’s a podcaster, educator, and a frequent guest on CNN and HBO – and he posted positively about Apple’s move to dump passwords. And in general his audience, who are not security professionals, couldn’t see the difference between Apple’s announcement and a password manager, and there is a huge difference here. So, what was the pushback you got and what advice would you give to other security leaders on a rollout of a passwordless solution?
[Steve Tran] For some reason, anytime I try – and this is just like any organization that’s been here – when you’re trying to simplify something, people don’t believe it. They’re like, “That’s just too easy. I don’t buy it.” They’re used to complex work; they’re used to clicking 10 times to do something. So, when I introduce something where it only requires maybe one or two clicks, it’s too mind-blowing for them, it’s too exotic. I went through this journey when Okta became a thing, and single sign-on was all the rage, and people were like, “I need my passwords, I need my spreadsheet of all my passwords.”
[David Spark] There’s this weird comfort to it. So, what did it take? Give us sort of like the hurdles and how you achieved going over the hurdles to get people to enjoy that comfort. Of passwordless, that is.
[Steve Tran] It’s a lot of seeing is believing. So, this is where it takes a true partnership with all of your resources within your organization, especially IT. IT is your biggest supporter and advocate when it comes to user experience, workplace experience, however you want to call it, being able to create lunch-and-learns or office hours and those event sessions within the office. Like, “Hey, come by to your room whatever and learn more about these initiatives,” and being able to have a person walk them through it, do the demo. When I used to work for Deloitte, one of the coolest things they did was they called it a greenhouse. It’s almost like Disneyland’s an invention, and Tomorrowland. When you talk about it, people may not buy into it until you kind of show them and do it. So, we took that same approach where we literally grabbed their hands and like, “Touch this key and touch ID. It’s not going to hurt you.” And then when they realized, “Oh. It just takes one tap to get into everything?” Well, not everything all at once, so centralized authentication’s like another topic.
[David Spark] So the answer really is seeing is believing?
[Steve Tran] Seeing is believing is the key.
[David Spark] All right. You’re starting down this road yourself, Matt. What are the hurdles you’re dealing with?
[Matt Crouse] We’re starting down this road, we went on a slightly different perspective from Steve. Where he’s doing enterprise work, we’re starting down this road on a customer path for our customer journey. And I think while they encounter a lot of the same problems that you’re encountering with people not understanding, people not trusting, people not knowing how to work with that. But I do kind of rely on people that have come before us and that have actually done this really, really well. Everybody in this room has gone through a passwordless experience and probably not even known it, and it was just so frictionless. Your Apple TV or your setup for this or for that. And you just don’t even think about it, and that’s really where we want to get people to. But it is going to be a question of how do we train the user base who is used to going to tacobell.com and you’ll log in with your username or your password or your social credentials, and now all of a sudden you have this completely new experience. And how do we have to train users that we can’t see, talk to, feel, or touch about how to go through this experience now?
[David Spark] You have a very unique problem because it isn’t just business leaders within the company that could convince people. But going back to you, Steve, for just a second. I want to come back, Matt, to your unique problem. I was thinking – and tell me true or not – is there any value to having non-security business leaders telling the story? Like, “I did this and it’s easy.” Have you done that before?
[Steve Tran] Oh, yeah. That’s like with any security initiative, it’s a community effort. And I really loved Amazon’s approach where their culture is like security is job zero for everyone. It doesn’t matter what role you’re in, security’s everyone’s responsibility.
[David Spark] Mm-hmm. Good point. Okay. Your situation’s different, so how do you think you’re going to be able to disseminate to the consumer who is not an employee to understand the value of this? Like are there incentives? What do you think can work? And what have you seen work?
[Matt Crouse] Well, what I’ve seen work, and I don’t know what we will end up doing, we’re not there yet, we’re still super-early in that journey, but we’re very, very respectful of our relationship with our customer and wanting to understand that they want a consistent experience. What I’ve seen work, honestly, is a hard-cut approach. I don’t think that we’ll follow that approach.
[David Spark] That’s pretty tough.
[Matt Crouse] It’s pretty tough, right, and you risk alienating a lot of your customers. And you risk if one little thing goes poorly in that experience, you do risk losing that person as a customer because now what used to be an easy experience is now a confusing painful experience. And when it comes to my industry, people want two things. They want easy or they want awesome, and we try to deliver both. But if you fail on one or the other, you run a risk with that customer.
What’s your security advice?
[David Spark] “So, as a security professional, what security advice do you give to a common person?” Now, this was asked by a redditor on the cybersecurity subreddit. And some of the great advice that I pulled from the thread that I saw here was: Keep your operating system and software up to date – that’s good. Avoid using admin accounts, create a personal account and use that. Multi-factor authentication, which we’ve heard many times at this event. Password managers, which we’ve also heard. And read the darn pop-up before clicking on it! So, many of these we’ve mentioned before on the CISO Series Podcast. I’m sure the two of you go to cocktail parties where you talk to people who are not security professionals, they ask you for security advice. What are some common things you say to non-security people? And I’m sure many of the things I said here, yes?
[Matt Crouse] Watch what you post online. That’s the biggest one. You don’t realize that each one of us in this room, our personal lives are a threat to our organizations because of what we put online. It is so, so easy to craft a really targeted phishing email against somebody because you saw online that they donate to this certain cause, and they attended a charity gala, and you can masquerade as somebody that they were with, or whatever the case is. I’ve actually run scenarios like that inside my company, and it’s stunning how easy it is to do. So, number one – watch what you post online.
[David Spark] It’s not hard to build a pretty easy story like that. That’s a really good tip. By the way, we’re going to go back and forth on this. Steve, what is a tip you give to the common person?
[Steve Tran] Hacking is not like in the movies – that’s the biggest thing. It’s not reading command lines, there’s no ghost in the machine, it’s simple too. What Matt mentioned, right? We constantly have to de-mystify cybersecurity.
[David Spark] And by the way, when has the last hack happened? And again, we’ve seen one major big hack after another. Every single one of them are the “non-sophisticated attack.” Although some media might want to say the… But when’s the last time we truly had a “sophisticated attack”? I can’t remember.
[Steve Tran] Yeah, I would say this year has been the year of the dupes, right? The Uber breach that happened recently, right? And what Lapsus$ is doing. It’s like they’re just duping people into giving up the MFA approvals or credentials, right? To your point, how many times has a bad actor brute forced a password, cracked a password, versus capturing them, buying them in the marketplace, right?
[David Spark] Super common. All right, going back. What’s another tip you give to the non-security person?
[Matt Crouse] Stop using the same password everywhere.
[David Spark] Yeah. Because most people don’t understand what credential stuffing is. And I’m assuming you explain what happens.
[Matt Crouse] Explain what credential stuffing is, explain why it’s a problem, and that always leads into a conversation about password managers and then why password managers aren’t scary.
[David Spark] Well, the thing that was the big eye-opener for me, and I had someone sit down and they just typed in my email address and showed me in flat files some old passwords I used, and he goes, “I didn’t hack. That’s just publicly on the internet.” I’m like, “Oh.” Once I think someone sees that, that’s the big eye-opener for that.
[Matt Crouse] Yeah, yeah. Have I Been Pwned is such a great service for that reason. I’ve done talks internally to the company where I have people pull up that page on their phone, enter their personal email address, and then hold up their phone and show me if it’s red or green, and then look around. And they see that everybody’s also been compromised, and all of a sudden they don’t feel so bad.
[David Spark] Right.
[Matt Crouse] And they’re a lot more open to having a conversation.
[David Spark] Yeah, that’s the big thing is I don’t think anyone’s got a clean Have I Been Pwned page. Nobody does. So, what’s another piece of advice you offer, Steve?
[Steve Tran] Yeah, just be careful what you post out there, right? It’s so easy to not be aware of the digital artifacts you leave behind on a daily basis.
[David Spark] Well, what Matt said earlier, yeah. That’s it. Well, this goes also back to the thing that – I’m sure you’ve heard this line before – when people are told about, “Aren’t you concerned about privacy?” and they go, “Well, I’ve got nothing to hide,” and the point is that’s not the point. The point is your information, the basic information like, “I donated to this company, and I was at the gala,” that’s going to be used against you. It might get to someone you care about. That’s the reason for the privacy. I’m assuming you kind of explain that to them.
[Steve Tran] Oh, yeah. And I think another one too I just thought of is simple, it’s like patching your devices, right? How hard is it to just hit an update on your phone or your computer? Exploits work better when you actually have a vulnerability, but if you patch those vulnerabilities, what is there to exploit?
It’s time for the listener question speed round.
[David Spark] I have in my hand right here a bunch of questions that I got from a bunch of you that are in the audience right now. And they have not seen these questions at all, so it’s all going to be a surprise to you. I’m looking for quick answers to these. We’ve actually got a good amount of time here that we can wrap this up, so I think we can get through all of these. So, this comes from Eric Barricklow with ManTech, and Eric asks what type… And you can’t say “both” here. I’m going to say we’re looking for a preference here. What types of CISOs do you prefer to engage with – the technical CISO or the managerial CISO?
[Steve Tran] Both.
[David Spark] You can’t answer that!
[Steve Tran] Why not?!
[David Spark] I just said that! You have to have a preference.
[Steve Tran] That’s why we’re here, right?
[David Spark] No. You got to lean… You’re at a cocktail party, you can talk to a managerial CISO or a technical CISO, who are you going to lean a little bit more to?
[Steve Tran] All right. I’ll lean more towards the managerial because I came from a technical background.
[David Spark] All right. Good answer. The idea to learn more, is that the theory?
[Steve Tran] Yes. Learn something I don’t already know.
[David Spark] All right. And…?
[Matt Crouse] Yeah, same here. And there’s no right or wrong answer on this, I don’t believe, but I tend to gravitate in the same direction as Steve for the same reason. I came up as a software guy, and I have a lot more to learn down the managerial path.
[David Spark] All right. This one comes from Gary Landau of Unisys, and Gary asks – what are some new telltale signs your email has been compromised? What are you seeing that’s new that’s like, “Oh. We got a problem here,” that maybe we didn’t see in the past?
[Matt Crouse] Messages in your Sent folder that you didn’t send.
[David Spark] Oh. That’s a good one, yes.
[Matt Crouse] Message “Undeliverables” coming back from invalid addresses that you didn’t send to.
[David Spark] That’s a good one as well. Steve, what else have you seen?
[Steve Tran] New dates people didn’t expect.
[David Spark] New dates?
[David Spark] What do you mean by “new dates”?
[Steve Tran] To Matt’s point, weird messages in your Inbox that you never expected to get.
[David Spark] Okay.
[Steve Tran] Pictures.
[David Spark] Oh. Well, that’ll do it as well.
[Steve Tran] There we go.
[David Spark] All right. Now, this is something that I know I’ve been concerned about because when I saw this a number of years ago, it was like, “Oh, we’re in for real trouble.” How concerned are you with deep fakes? Obviously, there’s definitely an election issue. This, by the way, comes from Richard Greenberg who is the ISSA LA President. So, how concerned are you both with deep fakes and how is it affecting you today and obviously, potentially in the future?
[Steve Tran] What I like to talk about is mental malware, right? It’s we’re all susceptible to it, and anyone that says they’re not susceptible to it, they’re the biggest risk, they’re the biggest target, right?
[David Spark] Yes. Because I guess their barrier is down.
[Steve Tran] How many of us go to a magic show and enjoy the performance, right? And we’re always walking away figuring out, wondering, “How the hell did they do that? That’s like impossible,” right? My concern with deep fakes is them exploiting that mental malware in us, and that’s where disinformation comes from, and it’s social engineering the masses, weaponizing.
[David Spark] And here’s the thing, like with the election situation I was thinking, what I’ve seen. Even if it is revealed to be a deep fake, there’s a period of time a certain number of people are convinced by it and now, all it does is create doubt, and that’s all you need.
[Steve Tran] Somebody may remember, I think it was back in the ’80s, there was this guy, I think his name was like Peter Popov or something like that, where he convinced people that he could heal their cancer, heal them through his powers. And when he was caught and when his methods were revealed, there was a lot of people that didn’t want to believe it. So, that’s my fear with our adversaries weaponizing communication, using deep fakes, things like that. Because even if people do end up learning that it was a fake, they may not want to believe it.
[David Spark] What about you? Deep fakes?
[Matt Crouse] Yeah, that’s a really good point that you made there at the very end, Steve. That even when something is proven to be a deep fake, there’s always going to be a residual undercurrent of belief.
[David Spark] Right. Because you created doubt.
[Matt Crouse] Because you created doubt, and then that is going to create division and discord amongst whatever community and whatever the topic is. It doesn’t matter if it’s an election or something else, and it’s just going to pit people against one another. So, on a personal level, as just a human interacting with reality, I’m pretty concerned about deep fakes.
[David Spark] All right. This comes from Raffi Erganian of Vulnera, and Raffi asks – where do you think you’re wasting time that you’d like to do something better? I’m sure you have something. Anything? Or you’re spending your time perfectly? I mean, meetings is usually the answer.
[Steve Tran] Vendor risk reviews.
[David Spark] Vendor what?
[Steve Tran] Vendor risk reviews.
[David Spark] Vendor… Oh, yeah. That’s a lot of no fun. Right?
[Matt Crouse] Combing through vendor cold calls and emails.
[David Spark] Yes. But you have to work with some vendors, yes?
[Matt Crouse] We do. We do. And I appreciate that they’re there, and we started off the show talking about that. But trying to find the needle in the haystack, I guess, is a better way of phrasing that.
[David Spark] All right. Here’s another question I have here from Andrew Seid of IANS Research. What are you most uncomfortable asking the board about? Do you have something that you’re uncomfortable asking the board about?
[Steve Tran] Budget.
[David Spark] Budget, yeah.
[Steve Tran] Money.
[David Spark] Yeah.
[Matt Crouse] Not really even that. I’m pretty comfortable asking the board about most things, to be frank.
[David Spark] So, nothing concerns you?
[Matt Crouse] Nothing.
[David Spark] All right. Let me throw this one from Mark Keelan of ISSA. Do you have a program for AI ethics? This is kind of a unique thing, I don’t know, it’s kind of a hard thing to ask. Do you have a program for AI ethics?
[Matt Crouse] We do not have a program for AI ethics. We have a program for chalupas though, that’s awesome.
[David Spark] Okay, good. Do you have a program for AI ethics? It’s an odd thing, but I understand the need for it.
[Steve Tran] Man, I’m still trying to get people to do the basics – MFA and like don’t click on bad links.
[David Spark] Right. You got to deal with human ethics first.
[Steve Tran] Yeah.
[David Spark] All right. Let me throw this last one out. This is the flip of what I asked earlier from the other person from Vulnera. This is from Terri Brunner of Vulnera. What has been your most effective technique communicating to the board?
[Matt Crouse] Big animal pictures.
[David Spark] Seriously, getting to that.
[Matt Crouse] That’s what I keep in mind, big animal pictures. I want slides with pictures and as few words as possible. If I can have a slide with no words, that’s the perfect slide to me.
[David Spark] So, what is a big… You show a picture of an elephant or whatever?
[Matt Crouse] No, no, no.
[David Spark] What does that tell you?
[Matt Crouse] No. It’s just keep it as simple as possible.
[David Spark] Keep it as simple…
[Matt Crouse] That’s what that comes down to. Tell the story at the simplest level possible that you need to to communicate your message.
[David Spark] Good point, all right. What is your communication technique?
[Steve Tran] Same thing. I think at Avento, we did some together on translating complex topics into simple business context, so it’s really, it’s context, it’s storytelling.
[David Spark] I knew that would come up.
[David Spark] And that brings us to the end of the show, of the CISO Series Podcast. I want to thank our audience for coming on out here.
[David Spark] And a huge thanks to our sponsor, Ostrich Cyber-Risk – Analyze your posture. Compare your surface. Mitigate your risk. More of them at ostrichcyber-risk.com. Check them out.
[David Spark] And to the ISSA – we greatly appreciate it! Big round of applause for my co-host Matt Crouse, CISO of Taco Bell, and Steve Tran, CSO over at the DNC. Let’s hear it for them.
[David Spark] All right. Now, the question – I’m going to let both of you have some closing comments here – the question that I ask both of you is are you hiring, so make sure you answer that. But any closing thoughts you have on today’s show, and please let us know if you’re hiring. Matt?
[Matt Crouse] We’re always hiring for the right people. All the jobs are posted on our website for our parent company – jobs.yum.com. I’m hiring, the rest of the group is hiring, so if you’re a talented person looking for an exciting place to work, come on out.
[David Spark] All right. And Steve, you’re hiring, yes?
[Steve Tran] Yes, but I’ll also say – go vote.
[David Spark] Yes. Go vote. That’s a good point too. All right. Thank you very much, audience. Thank you, ISSA. And thank you, everybody. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.