Does the Cybersecurity Industry Suck?

In the cyber industry we pat each other on the back and give each other awards, all while the statistics for breaches appear to be worsening. Are we celebrating growing failure? Does the cyber industry suck?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Fredrick Lee (AKA “Flee”) (@fredrickl), CSO, Gusto.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, Cymulate

The Ultimate Guide to Security Posture Validation: Learn how to effectively measure and reduce risk through continuous validation of your enterprise’s security posture. Download the playbook here

Full transcript

[David Spark] In the cyber industry, we pat each other on the back and give each other awards, all while the statistics for breaches appear to be worsening. Are we celebrating growing failure? Does the cyber industry suck?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. Joining me for this very episode is a gentleman you’ve heard before on this show. His name is Geoff Belknap. He’s also known as the CISO over at LinkedIn, and he sounds a lot like this.

[Geoff Belknap] Hello, and welcome.

[David Spark] You’ll hear a lot more of him later in the show. But first, let me mention our sponsor. It is Cymulate. Now, let me spell that for you. That’s how cyber companies have to be spelled, not the way you expect. Anyways, they are empowering security professionals and leaders to manage, know, and control their cyber security posture end to end. And you’ll hear more about them later in the show. But next, I want to get to our topic at hand, and this comes from Chris Roberts. For those of you listening who don’t know Chris Roberts, maybe you should follow him on LinkedIn. He writes some quite incendiary posts, and this is definitely one of them. He is from Hillbilly Hit Squad. That’s I believe his organization. And he claims that we as an industry “suck” because we’re celebrating each other’s accomplishments all while breach statistics grow dramatically worse. He even suggests that people who win awards consider returning them if they truly don’t think they made a real impact on those very stats. So, Geoff, it’s a pretty dramatic claim, but it sure got a rise out of his readers. What do you think?

[Geoff Belknap] I think Chris did exactly what he was hoping to do, which is get people all worked up and talking about it. But I think it’s a great thing to talk about – are we actually making a difference, are things getting better. Spoiler alert, I do think they’re actually getting better. Chris, sorry. But I think one of my favorite people is here with us today to talk about it.

[David Spark] Yes, and we had him on the show in person a long time ago before he decided to grow his COVID beard. And now he’s got quite a substantial one, and it’s growing in two-tone…

[Crosstalk 00:02:17]

[David Spark] …like a 1970’s Buick. That’s what his face looks like. So, I’ll give that image to everybody.

[Geoff Belknap] So, you can just imagine a Grand National hanging from his face.

[Laughter]

[David Spark] Imagine that’s who’s on the microphone right now is a Buick with a mouth. That’s pretty much what it is.

[Laughter]

[Geoff Belknap] All right. Now remember, folks, if you’ve got any Photoshop skills, we want to see what this looks like.

[David Spark] We definitely want to see this. [Laughs] Anyways, it’s Fredrick Lee, but most people just know him as Flee. He’s the CISO over at Gusto. Flee, thank you so much for joining us.

[Fredrick Lee] No, thanks for having me on. I’m looking forward to seeing some of the creativity around this Buick with a mouth. Maybe that’s too fitting.

[Geoff Belknap] It’s going to be thrilling for sure.

Where are we falling short?

3:04.521

[David Spark] Chris Roberts, the author of this post, said, “At the end of the day, we, the infosec folks, have to take some of the responsibility. We’ve got to be the ones to face up to the fact we have to collaborate better with those around us, communicate more efficiently with those inside of our spheres of influences. And Todd Byars of The Computer Dudes Inc. said, “Don’t forget most individuals, companies, and government entities hit by ransomware still do not have backups.” Two different comments here but just stressing the fact that even people when they’re told to do the right thing don’t do the right thing as well. Geoff, what do you think? Again, this fighting your belief that we are doing better.

[Geoff Belknap] Well, I think first of all, I don’t think we’ve ever started a segment with two people that came from the coolest sounding companies ever between Hillbilly Hit Squad and The Computer Dudes Incorporated.

[David Spark] Good point.

[Geoff Belknap] I challenge us to find a better set of quotes. Anyways, I think to Chris and Todd’s point, can we do better, oh my God, yes. We can definitely do better. Are we doing better than we were five years ago? Phenomenally better. I will go back to the venerable Verizon data breach investigation report and just point out if you look at this year’s report, which was technically the 2021 report… It just came out somewhat recently. You’ll see a couple of things that really to me scream we’re doing better. One, there is a summary of how long does it take us now to discover a breach. And it used to be months and months. And famously when we first started talking about advanced persistent threat, you would expect to see these things in your organization for six months, a year, more than that. And now it’s days or less. It really is.

We are finding these things very quickly. And I would posit that that’s even better than prevention. Then the other side of it is if you look at the kind of attack that we’re seeing these days…and I sort of hesitate to call it attack…it’s denial of service, or it’s social engineering. And the fact that it’s no longer the primary way that people find their way in is through a zero-day or magically exploiting infrastructure… If we’re calling denial of service the biggest kind of attack that happens, not to diminish the impact of that, that’s not really a hack. And if people are falling back to social engineering as their primary way to convince people to let them into the org, I feel like we’re actually doing a pretty good job.

[David Spark] All right, Flee, I’m throwing this to you. You’re nodding your head all throughout Geoff’s comment. Are you on the same page, and what would you add to it?

[Fredrick Lee] I’m definitely on the same page with Geoff, and also I totally get why somebody like Chris would actually make a quote like that. Yeah, it’s useful for getting eyeballs. It’s useful for getting attention. It’s useful for stirring emotion. It’s also useful for maybe driving business to your own mobile security company. What it is not so great for, however, is actually just recognizing reality. I think one of the things that Geoff said is just spot on. You can actually go back and just look at the data. When you look at what we were worried about in the late 90’s and early 2000’s, we don’t even see most of those attacks anymore because we have improved so much as a community that those attacks aren’t really relevant, and the attackers are having to shift. Now, it may not feel that way because we have much more attention about cyber security now, so nowadays when there’s a breach you actually hear about it in the news.

[David Spark] And you hear it in the mainstream news.

[Fredrick Lee] Yes.

[Geoff Belknap] Yeah.

[David Spark] Here’s the big shift, and I’ve mentioned this many times on the show. It used to be…used to a long time ago…these stories would hit the cyber trades and then bubble up to mainstream. Now it’s going the opposite way. It hits the mainstream first, and then they look to the trades to make sense of what just happened. That’s a very different dynamic, and I think that’s why we think things are bad. But again, these breaches are pretty catastrophic as compared to what we’ve seen in the past, haven’t they been?

[Fredrick Lee] They definitely are, and I think part of that is just the nature of the economy has shifted. So, we have a lot more businesses and much more infrastructures that are actually online, and we view the internet now as critical infrastructure in a way that we didn’t in the 90’s. So, when you think about the 90’s, the 2000’s… And clearly I’m dating myself, so people can definitely lean into that whole Buick analogy.

[Laughter]

[Fredrick Lee] But when you think about back in the 90’s, it was an experiment. And back in the 2000’s, it was a toy. Now we’re actually looking at 2020 and beyond COVID standard time or whatever. Then we have to recognize that it’s critical infrastructure. Everybody is on it, and it’s just a larger attack surface. One of the things that I immediately actually thought about when I was actually reading through this and looking at some of this stuff was life expectancy. I know that sounds like a really odd analogy to draw. But when you look at the United States, the overall life expectancy in the United States for some period up until COVID was actually increasing. Even though we were also having an increase in diabetes, an increase of heart attacks and heart disease, as well as just an increase of things like cancer. But that’s partially because the population was growing. But at the same time, there were things that we were doing that were also making the population healthier. So, in the 80’s and 90’s, there was a huge push of actually getting people to actually stop smoking. Tons of people stopped smoking. That actually increased life expectancy overall for America. But at the same time, people were also getting obese. I totally also hear this idea and even the quote from Todd with regards to, “Hey, people still aren’t doing what they need to do.” That’s just the reality of humans and more things for us to actually work on.

What’s going on?

8:47.932

[David Spark] Peter Moskvich of Connect the World said, “This year will be the breaking year for many organizations who do not and didn’t take IT seriously in their organization. Many will realize how big of a role IT is playing in their daily life.” And Jason Popp of GEICO said, “And yet major majority percentage of organizations still lack CEO support for company wide security accountability.” Okay, so these are people doubling down on the “we suck” and mostly because not a lot of people have been taking cyber security seriously. But my feeling is given what was just said that so much of cyber is in the mainstream news, you can’t avoid this. Right, Geoff?

[Geoff Belknap] We can’t avoid it. But the reality is now we know so much more about it than we ever knew. First of all, we know that attacks happen to everybody. We know what motivates those attacks. Where maybe five years ago espionage was one of the key motivators here, and it still is, but what has rocketed past that is there’s just financial motivation for all of these things. I think if you look at ransomware, where ransomware has always kind of been around, people have innovated. There are criminal enterprise sized and organized organizations that are…they’re just using it to make money. They’re innovating, like anybody who’s building a business is doing is innovating. So, now we know you don’t have to be a defense contractor to be targeted. You just have to be able to be easily monetized. I think that drives a lot of people to make this a priority. I hope people like Jason and Peter are not running into this problem at scale that nobody cares anymore because, frankly, you don’t have that option. If you don’t care, if you’re not investing in it, the attacker has an opinion, and they will come for you. I don’t mean that to be all fuddy, but it will happen. It’s just the natural inertia of the world.

[David Spark] All right, Flee, I throw this to you. The complaint is that people haven’t been taking cyber seriously, and it’s like they’re eventually going to take it seriously now. And maybe that’ll improve situations. Where do you stand? I mean I know in your organization you take it seriously.

[Fredrick Lee] Yes, obviously. Obviously Gusto takes it seriously. I think I would say that it’s actually obvious that all companies take it seriously. Where we hear this feedback or maybe these emotions from security practitioners is that disconnect between the rest of the C-level and how they prioritize security versus how we prioritize security. And so yeah, from a security professional’s standpoint, it doesn’t feel like people are taking security seriously. But if you go into any boardroom, you go into any C-level boardroom, they all know about security. They all care about security. But they also are balancing other risks around the business, and so it may not feel like security is the priority. But I would argue to say that security probably shouldn’t be the number one priority for a lot of businesses. There are other things that are necessary to keep the business running. But from a security practitioner’s lens, it might emotionally feel like security isn’t given the amount of attention one would like.

There’s this thing I always think about when I think about security teams. Security teams kind of have a tendency to want to be parasitic in an organization as opposed to being symbiotic. And I feel like these quotes are actually indicative of that. What I mean by parasitic… A lot of times security organizations want everything inside the org to be about security, and security is the number one thing that everybody is thinking about. All the funding should be going to security, etc. And it’s all about making every single aspect of the business risk free. I want to be explicit that people are trying to pursue zero risk. Whereas when you actually have a good security team that’s actually more aligned with actually being symbiotic then [Inaudible 00:12:48] building the business along, and they actually recognize there are going to be some tradeoffs.

They know that the company takes security seriously even if security isn’t the number one budget line item. I think that’s where some of those disconnects come from. You have to realize that we as security practitioners, we’re kind of these what I’d classify as angry optimists. The reason why we see quotes like this is we, as security practitioners, we know that there can be this ideal future, and we’re frustrated that we’re not there today. But there’s that pragmatic aspect in the middle which is why companies don’t have perfect security across the board. They’re not following every single guideline, not every single best practice. But that doesn’t mean that they don’t care about security, and it doesn’t mean that they are intrinsically vulnerable in a way that other companies aren’t.

[Geoff Belknap] I feel like the underlying message here I think from you, Flee, is the balance of equity here always has to be going towards the business being successful versus the business being free of risk.

[David Spark] Oh, yeah. Exactly.

Sponsor – Cymulate

13:48.174

[Steve Prentice] The beauty of extended security posture management is it optimizes a company’s existing security controls, allowing people and incident response plans to be the best that they can be. Here is David Klein, director and cyber evangelist for Cymulate, with his thoughts on what security practitioners need to know.

[Dave Klein] The security practitioner pitch is really…say it’s running production. It’s easy. It’s light touch, ready in minutes, but yet comprehensive. It covers the whole stages of the kill chain, pre and post exploit. And like real attacks [Inaudible 00:14:22] the attacks live off the land and pivot when they’re blocked to other things, yet it’s easy to manage because it’s Software as a Service. So, all threats are updated 365, 24/7. So, you’re always on top of the latest threats, but you can leverage existing staff and skillsets, no coding required. And the best part is we have a very active community, and we have a free academy, which will even get you [Inaudible 00:14:44]

[Steve Prentice] Cymulate’s services include breach and attack simulation – how well are my security controls and security processes performing, continuous automated red teaming, how can an adversary breach my defenses, and advanced purple teaming, how do I craft and automate assessments and assurance unique to my environment. For more information and a free trial, visit cymulate.com.

What are they doing wrong?

15:18.558

[David Spark] Okay, we’re going to get into the topic of awards, which Chris Roberts really got upset about, which is a very different topic than what we were just discussing earlier.

[Geoff Belknap] Who all is winning awards?

[David Spark] Well, hold on. Predrag Petrovic said, “The thing is that people like awards, and catchy vendors like to sell their products to clueless customers.” Robert Hodges of Global Learning Systems said, “It doesn’t help that there is a ridiculous amount of money being made ranking people and handing out awards.” That is very true. M. Bowman of ICT Contracts said, “Too many awards that mean jack diddly squat. Too many conferences talking about possibilities instead of actually doing. Too many excuses.” And Phil H. of Pinnacle Biotech said, “Awards never stopped an attacker, nor will they ever.” I like that last quote.

[Geoff Belknap] We’re so deep in our feelings this episode.

[David Spark] There you go. So, Flee, let’s just start. How do you…? First of all, have you ever received a cyber award of any kind?

[Fredrick Lee] I never have. And companies I’ve worked for, we probably never could because we were doing real security.

[Laughter]

[Fredrick Lee] I totally get it. There literally is an entire industry. I’m not going to name any names of vendors that might have various quadrants and things like that that you can pay your way into. I won’t name those names. But we’re all familiar with that. And oddly enough I actually do agree with these quotes – that to some extent our security industry has done ourselves a disservice, especially on the vendor side, at overemphasizing some things and not emphasizing core fundamentals of security. And unfortunately also sullying the reputation of security because yeah, there definitely are organizations that have been sold these ridiculous packages. And somebody told them, “Hey, you buy my SIEM, and you’re going to have no more security problems.” Or, “Hey, you buy my next gen whatever you want to call it…my next gen SIEM, my next gen AV, my next gen DAS, whatever…NG whatever…” And fundamentally they don’t work, and it’s really expensive. More expensive than humans. More expensive than basic things like checklists. And so it does – it gives a sour taste in the mouth of those people that are making decisions. And so the perception of security definitely goes down. The reputation of security definitely goes down. The belief that security can be effective definitely goes down. I am unapologetic about blaming vendors for this because vendors have been a large part of the problem here, of this whole idea of trying to sell silver bullets. I can’t tell you about how many emails I’ve gotten because of Log4J.

[David Spark] Oh, yeah. We’ve talked about this endlessly on the show.

[Fredrick Lee] Yes.

[David Spark] Let me also point out that we had Haroon Meer of Thinkst Canary on the show.

[Fredrick Lee] Oh, yes! He’s a real security person though. He’s not a vendor. He does security.

[David Spark] But the point that I want to make is about the awards is that he created a fictional person that came from a fictional company, paid for an award, and that fictional person from the fictional company won.

[Fredrick Lee] Oh, I totally believe it.

[David Spark] Yeah. Geoff, your feelings…? First of all, have you won an award?

[Geoff Belknap] I don’t think so. None that I know of. But I did want to say, Flee, David, David, and the staff and I got together, and we just wanted to say that we have decided that you are the best on this podcast on today’s episode.

[Laughter]

[David Spark] Look, he’s holding up… What is that?

[Crosstalk 00:18:50]

[Geoff Belknap] This is Jean-Luc Picard doing a facepalm, which I feel like is the most appropriate award for best CISO.

[David Spark] Yes.

[Geoff Belknap] You know what, guys? I guess I say guys because most of the quotes here are from guys. You don’t have to talk to a vendor just because they won an award. I actually feel for vendors. One of my first startups that I did was a security vendor. I learned a lot doing that. And what I did learn is, boy, it’s hard to get your name out there. And marketing and product folks are looking for any way to sort of differentiate themselves from their competitors. There’s an entire cottage industry that, yeah, is… There are trade magazines that will put your product on the front page for a certain amount of money. Forget the fact that no one reads that magazine. There are definitely awards and rankings of CISOs, and I’m sure I’ve landed on some of those, that I’ve never heard of before, and I’m very flattered to be considered a top whatever CISO.

[David Spark] You know why you make these lists? Because someone put you on one list. Because I’ve done this myself. I’ll be totally honest. When you make a list, you go to find who made a list beforehand. You take from that list, and then you go to your friends. “Hey, do you know a good CISO?” “Oh, I know Flee. He works over at Gusto.” “Okay, let me add him. Who else do you know?” “Oh, I know Geoff Belknap. He’s over at LinkedIn.” “Oh, okay. Anybody else? Okay, I think… I only have 43. I need seven more. Anyone can think of seven more?” And that’s how you make a list of 50 of the best CISOs.

[Geoff Belknap] And how you make money is you say, “Hey, we’re going to feature you. Would you like to pay $10,000 to be featured as one of these award winners?” But the bottom line is none of us… I’ll speak just for myself, but I suspect Flee is also operating this way. None of us are making decisions on what we buy based on who’s an award winner. Also none of us are deciding what we buy anymore based on what an analyst firm specifically has said about them. Those times are gone. That was the 90’s, maybe the early 2000’s. This day and age, most people are starting the process of looking at what they might buy by seeing who’s out and what noise they’ve heard. But really everybody who cares about security, and that’s anybody who’s doing security, is buying what they think will work best for them. So, I wouldn’t worry too, too much about awards.

No one said it was going to be easy.

21:01.795

[David Spark] Michael Figueroa of MassCyberCenter at the Mass Tech Collaborative said, “If we’ve been saying the same things for decades then our approach has failed, and we need to hack it to move the needle forward. I think that starts with changing our perspective and stop blaming.” So, Flee, let’s focus on what would you like to change in the public’s perspective of the security industry?

[Fredrick Lee] Oh, man, I love this quote. It’s actually really complicated, but I’ll say what I would like to change, I guess, is making security more human and more approachable so it actually is easier to understand. And people actually really do understand that direct impact to them, and what are some of the things that I can do about it. One of the things that I somewhat actually disagree with on this quote though is perspective. I totally hear it. It feels frustrating to say, “Hey, we’ve been repeating ourselves for years. We’ve been repeating ourselves for decades.” The name of the game in security when you get right down to it is cultural change. Cultural change is one of the slowest things, and it requires lots and lots of repetition. So, to some extent, security has to work like Coca-Cola ads. You still see Coca-Cola ads today. It’s because it’s that constant reminder and embedding that into our culture.

I think that’s one of the other things that we really have to lean into more as security is actually embracing repetition, embracing constantly saying the same thing, and leaning into what some might consider annoying, but others hopefully find opportunities in this notion of constantly drilling this in and changing culture. We talk all the time in security that we’re supposed to be these awesome hackers and social engineers. Let’s actually social engineer. Let’s actually change culture. Let’s actually hack the culture so that people are getting aligned with security and embedding that.

[David Spark] I love that. If we are the great social engineers, let’s social engineer our own culture. That I love. Geoff?

[Geoff Belknap] 100%, yeah. First of all, I think I am definitely stealing the Coca-Cola analogy because I feel like culture change is the most important thing, most important part of what we do outside of making sure that we’re protecting our organizations. I’m often talking about the fact that being a great security leader, one of the tools you have to have is being a great storyteller. You have to be able to draft a narrative that lands with people. We’re not manipulating people. We’re just trying to have people understand what we’re trying to do. I find that repetition is required to the point ad nauseam. And then when you’re sick of saying something, you’ve almost gotten to the point where you’ve said it enough, and you need to keep going. So, in this case, we have been saying the same thing for decades. Lots of people are making progress, but we’re saying it because it’s important, and we can’t forget it. And there are new companies starting all the time, and there are new initiatives being built all the time. And we need to make sure they’re secure, that we’re using 2FA, that we’re doing backups, that we’re patching. It just should never be far from our minds. Like we all know we should eat less and exercise more, but it has never stopped being something we need to tell ourselves.

[Fredrick Lee] Think about this, Geoff. We all know that you should eat more, exercise…

[Laughter]

[Fredrick Lee] Eat less, exercise more.

[Crosstalk 00:24:30]

[Fredrick Lee] Yeah, the Mississippi in me came out. It’s like yeah, I’m definitely going to be eating more. But actually what you said is part of our culture now. So, think about this – we still see anti-smoking campaigns. That was something that the US culture was trying to stop all the way in the 60’s. We’re still seeing that. We’re still seeing notifications to buckle up, etc.

[David Spark] You don’t see them to the volume… I think they ramped up in like the 80’s or maybe in the 70’s. But that was a… And something I actually talked about with Thom Langford, another cyber security leader, is seatbelts and anti-smoking didn’t happen overnight, but they did happen. It was a long term campaign. I think the industry has to look at it as a long term campaign.

[Geoff Belknap] And we’re still telling people to buckle up. We haven’t stopped. The problem is not solved.

[Fredrick Lee] Yeah.

[David Spark] But not to… I think it’s second nature with everyone now. And same thing. How often do you see people smoking today? You used to see it all the time.

[Fredrick Lee] We actually won this part of this campaign though. Think about this. At least Geoff and I are old enough to remember when TLS was a debate.

[Geoff Belknap] Oh, yeah. Yeah, or when we decided, “Eh, we only need to encrypt some stuff.”

[Fredrick Lee] Yeah. When access control was a debate, when 2FA was a debate. Those things are no longer debates now, so we actually are winning. It’s just easy for us to actually forget about it because we’re thinking about the overall end journey of somebody as opposed to all those wins that we actually have had in between that fundamentally are improving security.

[Geoff Belknap] I think the other thing that you brought up earlier, Flee, is really important. The threat has evolved. The threat is also rapidly increasing just like all the protective measures we have. So, we can’t stop. This is never going to be a thing like where you beat polio, and you just don’t have to do those vaccinations anymore or whatever it is. We can’t beat security. We’re never going to get to a point where we’re like, “Welp, all done.” It’s a process, and repeating ourselves is going to be a forever part of that process.

[David Spark] I will recommend the book, “The Infinite Game,” by… Oh, I’m going to forget. It’s Simon… Starts with an S. I’ll look it up, and I’ll have that answer for you in a second.

Closing

26:41.369

[David Spark] But we’ve come to the end of our show. I will ask the two of you to tell me what your favorite quote is and why. I will start with you, Flee. What was your favorite quote?

[Fredrick Lee] My favorite has to be Predrag Petrovic, “The thing is that people like awards, and catchy vendors like to sell their products to clueless customers.” Part of the reason why I like that quote is that it’s actually spot on and is one of my biggest annoyances in the industry. It’s part of the reason why so many salespeople hate me. I think Geoff unfortunately had to witness that on LinkedIn himself. It’s like yeah, people would prefer to have a flashy product, flashy sales event, and try to take advantage of customers that don’t have the acumen to actually decipher that what they’re selling is BS.

[David Spark] That’s good, and I like that quote as well. Geoff, your favorite quote and why.

[Geoff Belknap] I’m going to say M. Bowman’s quote here from ICT Contracts. “Too many awards that mean jack diddly squat. Too many conferences talking about possibilities instead of actually doing. Too many excuses.” And I didn’t know anybody else said jack diddly squat, so I’m glad to not be the only one.

[David Spark] I love… I haven’t had the chance to say jack diddly squat on this show.

[Geoff Belknap] Yeah, jack diddly squat. I feel like I need to teach my eight-year-old about that right now, get him out here in trouble with his mom. But listen, I think you have a great point. I also really, really like Michael Figueroa’s point here of saying the same thing for decades. If you have to say the same thing for decades, has the approach failed? I think in our case no, but we have to realize why we’re saying it. We’re not saying it because people have stopped listening, or nobody is doing the work but because it’s an important part of the process.

[David Spark] My favorite quote – Phil H. of Pinnacle Biotech, “Awards never stopped an attacker, nor will they ever.” Because no attacker is going, “Well, wait a second. Didn’t he just win an award from Gartner? We can’t attack them.”

[Geoff Belknap] “We gotta get out of here.”

[David Spark] “Oh my God.”

[Geoff Belknap] Maybe they should.

[David Spark] “What were we thinking?”

[Geoff Belknap] Flee, we should talk about this afterwards.

[Fredrick Lee] It made me think about Oracle’s Unbreakable Linux.

[Laughter]

[Fredrick Lee] Yeah, that definitely didn’t stop anybody.

[David Spark] By the way, thank you very much, Aaron, my producer, just looked up the author of “The Infinite Game.” Simon Sinek. I heard it. It was my first audio book. Essentially a listener just sent me a nice copy of the book via Audible, and I listened to it. It’s also gotten me hooked on Audible, but I highly recommend it. It’s very much the philosophy of the concept of the infinite game, which means you never will come to an end of solving security, like you said with polio. It will not be like that. How do you play an infinite game, which is what security is. It’s an infinite game for that matter. All right, we are at the end of the show. I want to mention our sponsor again, Cymulate. So, if you’re searching them use those letters in that order. I don’t recommend another order.

[Geoff Belknap] For all your simulation needs.

[David Spark] Right. Thank you very much, Cymulate, for sponsoring this very episode of the show. Flee, I will let you have the very last word. And the question I always ask all our guests – are you hiring? So, make sure you have an answer for that. Geoff, I know you’re hiring. Go to LinkedIn jobs. But you can also go to LinkedIn and look for jobs in other companies. Why you wouldn’t want to work for Geoff, I don’t know why. Anything else you want to add to that, Geoff?

[Geoff Belknap] No. No, I think I would love to work with you. If you have an award to send me, please find me on LinkedIn.

[David Spark] Well, yeah. Please send Geoff an awards list, and he would like an award. Flee, are you hiring?

[Fredrick Lee] I am definitely hiring. We’re hiring for every position you can even imagine in security, as well as every single position that you can even imagine in IT, which is also within my remit here. And yeah, thanks so much for actually having me on. And also feel free to send any awards for Flee also to Geoff.

[Laughter]

[Fredrick Lee] Because fun fact, I do real security, so I don’t need an award. [Laughs]

[Geoff Belknap] I’m still pretending. Send me something. Let me be an award-winning CISO.

[David Spark] Let’s not knock the people who get the awards as if they don’t do real security.

[Fredrick Lee] No, that is very true. That is very true.

[Crosstalk 00:30:48]

[Fredrick Lee] And there actually are some real security awards. They’re just generally not awards you have to pay for, and there isn’t a vendor army behind those. But I will say this… maybe actually in closing from my standpoint, security is getting better. But we as security practitioners should always be dissatisfied because we can always do more. We can make things better. We can make security more approachable and usable for end users. And fundamentally we can make security part of everybody’s lives and have them love security in the same way that we do. And if there’s anybody out there listening that is interested in building lovable security, as I mentioned, Gusto is hiring. We’re hiring both for security and IT.

[David Spark] They also have cool offices. I’ve been there.

[Fredrick Lee] Yes, and the offices are great. Overall it’s a phenomenal company. But I think one of the key things and where it ties in with security is that Gusto focuses on the people and focuses on the human. When you do that, you improve lives, and you improve security. Yeah, if anybody out there is actually interested in that philosophy and interested in actually doing progressive modern security, hit me up. I’m easy to find.

[David Spark] He is. And we will also link to his LinkedIn profile on our site. And I believe you have a Twitter handle, too, right? Here on Twitter?

[Fredrick Lee] Yes, I am one of the Twitter kids, I guess.

[David Spark] Yes, we’re all Twitter kids. We’re also, by the way, here at the CISO Series huge fans of the product Gusto.com. Thank you very much, Flee. Thank you very much, Geoff. Thank you to our audience for all your amazing contributions. Also a shoutout to Chris Roberts as well for inciting the cyber community on LinkedIn to yell and scream. We appreciate it. Thank you for contributing and listening to Defense in Depth.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.