At one point a sales representative will get so desperate trying to get a reply from a prospect that they’ll resort to some tepid attempt at humor. We’ve all seen the email that is trying to understand why we’re not replying. And the salesperson tries to make it easy for the recipient to respond by just pressing a single digit. 1: You’re too busy, 2: You didn’t see my email, 3: You really wanted to respond but you’re stuck in a well.
Question: Has that ever worked for anybody at any time?
This week’s episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at the SF-ISACA conference in San Francisco. It features me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is my other co-host Andy Ellis (@csoandy), operating partner, YL Ventures.

Got feedback? Join the conversation on LinkedIn.
HUGE thanks to all our sponsors, Code42, Sotero, and Constella Intelligence.

Full transcript
Voiceover
Ten-second security tip. Go!
Andy Ellis
It’s time to get rid of remote administration. You’re all used to trying to get rid of local administration, and not letting your users do things, but if you get rid of remote administration, you can stop a whole bunch of ransomware and malware from lateral movement.
Voiceover
It’s time to begin the CISO/Security Vendor Relationship Podcast, recorded in front of a live audience in San Francisco.
David Spark
Welcome to the CISO/Security Vendor Relationship Podcast. My name is David Spark – I’m the producer of the CISO series. To my immediate right is the co-host for this episode, Mike Johnson. Mike, make some noise so people understand who you are.
Mike Johnson
I guess the audience is making some noise for me, which is pretty awesome. Yes, I’m here – I’m to the right, even though if you’re listening to this, that doesn’t matter to you.
David Spark
It doesn’t matter, but there are people here watching us, because we are live at the SF ISACA Conference in San Francisco, and we are the closing keynote; we’re wrapping up this whole show. These people are exhausted after three days of education for the CPE credits. I don’t know if you know this, but this show, that you’re watching now, actually is a demerit to your CPE credits.
Mike Johnson
Sorry.
Andy Ellis
Oh, there goes the whole audience.
Mike Johnson
Close the door! Close the door!
David Spark
Don’t let them out! The other person you just heard speaking is Andy Ellis, who is the operating partner at YL ventures. He is also my co-host, so Andy, let’s hear your voice again.
Andy Ellis
I think I’m a co-host, but today I’m officially a guest.
David Spark
You’re officially a guest.
Mike Johnson
Quote-unquote.
Andy Ellis
Quote-unquote.
David Spark
Now, I do want to mention that everything that you hear on our show, and other stuff, can be found on our website, CISOseries.com, and God-willing, by the time people actually hear this episode, we’ll have launched CISOseries.com.
Mike Johnson
Oh, the new website, finally.
David Spark
There’s a new website, and you said, “Oh, nothing ever happens with a new website launch.”
Mike Johnson
It all goes perfectly. Every time.
David Spark
I hate to burst this bubble, but we were about to launch, and we noticed a major, major problem that we had to deal with.
Mike Johnson
I’m shocked. I am utterly shocked.
Andy Ellis
And when you have a problem, it’s a DNS. It’s always DNS.
Mike Johnson
Unless it’s PGP.
David Spark
This was an upgrade for a WordPress theme that literally removed a feature that we had, and that is making things a little more difficult.
Mike Johnson
Oh. We want that feature.
David Spark
No, we do want that feature. Alright, I do want to mention our three sponsors. They are Code42, Sotero, and Constella Intelligence. We are thrilled that they are sponsoring this live show here, as well, and you’re going to hear a lot more about them later in the show. But first, I want to talk about the Verizon Data Breach Investigations Report, which Chris Novak just spoke about here on this stage – he’s one of the authors of the report. I just want to bring up a few interesting little tidbits and get your quick reactions to them. First: business email compromise has actually doubled over the past year. Is that a shock to you, or can you see more people getting suckered by social engineering?
Mike Johnson
It makes a lot of sense because there’s a built-in theme to get people’s attention, and then there’s also that folks are more remote. You used to be able to just turn around and go, “Hey, did you send me this email?” “No, I didn’t send you that email.” But the reality is, right now, you can’t just turn around and do that.
David Spark
What do you think?
Andy Ellis
No, I totally buy that, and even if it’s not checking with the person next to you that they sent the email, it’s when you get that crazy email – and you know it’s fake, and so you tell everybody around you, “Oh my God, guess what I just saw!” That was a big part of our security warnings programs. Nobody really talked about that, but just the education of the people around you defending taught you how to defend, and I think we’ve lost that.
David Spark
Here’s another little tidbit I thought was interesting. He showed the stock price of companies six months after they’d been breached. These are public companies – their stock price versus the NASDAQ – and the interesting thing is, there wasn’t a sizable difference, positive or negative, to whether you had a breach or you did not have a breach.
Andy Ellis
So I think we should start the index of breached companies, which buys stock one month after breach, and sells it five months later.
Mike Johnson
I think you’re on to something.
Andy Ellis
Yeah, we could see how this works.
Mike Johnson
Yeah. Put your money where your stats are.
David Spark
Wasn’t there an AI bot that would buy stock depending on what Donald Trump said?
Andy Ellis
Oh, I could totally buy that.
David Spark
But it didn’t actually work. I think that was the bottom line. Here’s the other interesting tidbit, and the last one I want to throw out. You know that little colored warning that you get at the top of your email that says “This is an external email”? He said it becomes more effective if you change that color over time. So this month it’s red, next month it’s yellow, the month after that it’s green.
Mike Johnson
Interesting.
Andy Ellis
I totally buy that. So humans are hardwired, like all animals, to ignore our environment. Because there’s too much in it, we’re always filtering it out, and so things that don’t change, we stop noticing – it’s literally inattention-blindness. So by changing it, it causes us to look at it again.
Walk a mile in this CISO’s shoes.
00:05:13:04
David Spark
How do you go about making a business case for further investment in cyber security initiatives? Now this is a question posed in the CISO Survival Guide by Scott May, and was recently posted by Greg Anderson. For this question, the article offered advice such as getting supporters, trying to sell it to the customer, and understanding how it would get funded. I’ll start with you, Mike: what have been your strategies, and how widely do those strategies vary?
Mike Johnson
I thought this was an interesting survey, and one of the things I really wanted to highlight was understanding how it will get funded. I think a lot of folks, especially earlier in your careers, don’t realize that there’s a finite amount of money that a company has to spend, and so you just assume, “Hey, if I’m going to go get another dollar, it’s just coming from somewhere, and I don’t really care about that.” But understanding where it comes from helps you understand the business, which kind of leads into the next part, of understanding how your business makes money. If you don’t understand how your business makes money, it’s that much more difficult to say, “Well, here is where I need my funding. Here’s what I need.” Say you’re a B-to-B company, it really helps to talk with your customers, understand what their needs are from a security perspective, and that then helps you make a valid business case internally for, “Hey, we should actually spend some money. This will help us either get new customers and retain existing ones.” But if you don’t understand that, you really have a hard time making a business case for it.
Andy Ellis
And I think involving the business stakeholders is key to the success of that. If you can say, “This will bring in more customers,” then the head of sales needs to agree with you.
David Spark
That’s a good point. Very good point.
Andy Ellis
Because you’ve just signed them up for bringing more revenue.
David Spark
And they’ve got to believe.
Andy Ellis
And then they’ve got to believe that. You also shouldn’t walk in with a hard and fast proposal. If you say, “Here’s a risk area, and this is the one true way to solve it,” everybody’s going to say no. If you walked in and said, “Here’s a cheap way we can tackle it. It’s not great; it’ll reduce our risk maybe 20%. Here are some outliers we’ll still have, here’s the medium way, and here’s the platinum way.” Nobody will ever spend on the platinum way; it’s just there so you can get the medium way. But give people an option, so they can buy in and be part of the decision-making, because then they will champion the choice that they drove towards.
David Spark
It’s the classic sales technique of, “Your budget is X dollars. Let me just show you the top-of-the-line stereo that we have here. I know you’re not going to buy it, but I just want to show it to you.” And so the idea is, when they get the medium-level item, they know what they’re missing out on.
Andy Ellis
Right, but they know they got a deal. And they’re like, “I could have spent an arm and a leg, but this works.”
David Spark
Let me ask, also: do you get the sense that there are some cybersecurity people that have this sense of entitlement – “You need to spend it, because that’s the way it should be” – and they don’t think about the business at all in this respect?
Mike Johnson
Yes. I think there’s a lot of that going on.
David Spark
Would you say more than should be the other way? Do you think that’s the predominant way that they’re demanding budget?
Mike Johnson
No. I don’t know that it’s necessarily the predominant way, but it’s certainly more than it should be.
Andy Ellis
I think the further you are away from the budgeting process, the more likely that is going to be predominant. An architect who is not part of budgeting will probably come at it with a, “Well, you should just do this,” whereas a CISO, who’s closer to the budgeting process, probably is a little more nuanced in that conversation. We hope.
David Spark
You hope? Last thing: just give me one quick tip from your history of getting budget. What was one effective technique that worked for you?
Mike Johnson
For me, it was going to some of the other leaders, and having conversations in advance, and kind of convincing them that they need this, that it’s actually something that will help them. Then, when the decisions are happening with the rest of leadership, they’re in there helping defend your ideas, and maybe even defending them when you’re not even there.
David Spark
Do they in some cases actually propose it, rather than you proposing it?
Mike Johnson
I think it should still be my responsibility to propose it, because it is something that I’m requesting, but it could be something that they’re talking about in other conversations with other people, when you’re not in that particular conversation.
David Spark
The reason I bring that up is that I have a friend who is a comedy writer for Ellen, and he said the only way he could get his jokes on the show is if he made the producer believe he wrote them, and then he could get them on.
Sponsor – Code42
00:09:58:01
David Spark
It’s Code42. Security teams rose to the challenge during an unprecedented crisis, helping their organizations to suddenly support an entire remote staff while keeping data safe – effectively overnight. Now, as organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, security teams have the opportunity to re-imagine data security. Code42, the Insider Risk Management leader, is here to help. With Code42, security professionals can protect corporate data and reduce insider threats while fostering an open and collaborative culture for employees. The Code42 Incydr product allows security teams to effectively mitigate data exposure and exfiltration risks without disrupting legitimate collaboration. The Code42 Instructor microlearning solution is an Insider Risk education offering that improves Insider Risk awareness by focusing on the creation of holistic, security-oriented cultures. To learn more visit Code42.com/showme.
Pay attention – it’s security awareness training time.
00:11:17:12
David Spark
Andy, I want to know this: how do people actually change their behaviors? How do people change their behaviors? In a commentary on Dark Reading, Javvad Malik of KnowBe4 noted that doctors tell him to watch what he eats and work out regularly, and when he hears this he nods in agreement, but that’s where it ends. He likens this to the same challenge of security awareness programs. Making someone aware of an issue is not enough to stimulate a behavioral change. Would it make sense to start with a deep understanding of how people can make behavioral changes, and then build education around that? How have you seen people change and how have you fit security programming within that?
Andy Ellis
So I think you need to tie it to the outcomes, and show that you’re a coach along that path. I sat down with my doctor, before Covid, and he looked at me and my numbers, and he said, “You’re a little overweight. My job is to be your coach, to help put you in the right position. Do you want to be there when your kids get married?”
David Spark
That’s a doozy.
Andy Ellis
Right? And now that starts the right conversation. This isn’t about “I should just be healthy,” this is now about longevity, and working around that.
David Spark
That’s a good trigger.
Andy Ellis
I actually did a great job – I brought my weight down, I brought my cholesterol down, and then Covid happened, and I’m now working to get back to where I was. But in the same way that often when we talk to people in the enterprise, and we tell them what to do, it’s disconnected from the “why,” and in fact, sometimes, it doesn’t even help. Like, we tell people not to click stuff. How many people have changed jobs at some point, and the first thing you have to do is click on a bunch of links, or you don’t get paid. So telling people not to click things disconnects from their reality, and they don’t see how that would tie to defending the enterprise. What’s the real problem here? But if you say, “We don’t want to have you authorize something without your permission, so make sure you’re not on a website and logging in without knowing why you’re there.” Change the conversation to connect to the outcome, rather than just being a lecture.
David Spark
That’s a great example. Mike?
Mike Johnson
So I think it’s an interesting question about the fact that we’ve constantly been approaching this from a security mindset and mentality – of course you don’t click on things, of course you don’t open emails. Everybody knows this, but the reality is, as Andy is saying, that’s actually how people operate. They have to open emails, and there are certain people in your company that have to click on basically every link that’s sent to them, because that’s their job. You have to make sure you’re thinking about the outcomes, but what I would really like to see more of is the behavioral psychology approach to security – actually talking to people who understand how people think, getting their feedback and advice, and approaching people from a human personality perspective, rather than being 100% security. We’re seeing some of that with the gamification concepts with leaderboards, and trying to encourage people to do the behavior that’s beneficial, and here’s the advantage of that – here’s why that actually really matters. So I really do think it’s maybe a little bit less, even on the security outcomes, but more about thinking how people think, and approaching them from those perspectives.
Andy Ellis
And a key piece of that, in relation to how humans think, is that the example I gave is actually a dangerous one. If you’re a security person and you say, “the company will be out of business if you don’t do this,” people will want to argue with you. So my biggest recommendation to apply human psychology is always downplay the risk. If you’re the security professional, educate someone on the facts, and if you think the risk is somewhere between a five and a nine on whatever your magic scale is, sell the five. If you try to sell the nine, they can easily argue that it’s anywhere below that, but if you sell the five, they can argue with you, but now they’re going to argue up, and say, “Why are you downplaying this? This is much, much worse! Oh my God, I have to fix it right now!”
David Spark
So it’s making you more aware of security?
Andy Ellis
It’s making them more aware of security, because they walk through the process of talking themselves into believing that the security is a problem.
David Spark
This goes back into “make them think that they wrote the joke.”
Andy Ellis
Exactly.
Sponsor – Sotero
00:16:13:03
David Spark
We also have Sotero as a sponsor. Now, I want to start off with one question: does your company protect its data with security solutions designed to provide network security? Probably. Or security for applications and databases? If your answer is yes, why not use a security solution designed to protect the actual data itself? Well, the good news is that you can – you can protect the actual data itself, and you can do it easily with data security solutions from Sotero. Sotero has a single-pane data security platform that protects structured and unstructured data wherever it resides – and even if the data is being used. This is something you definitely want to look into if securing sensitive data is at the top of your list – and if it’s not at the top of your list, why isn’t it? Visit their website at soterosoft.com.
It’s time to play, “What’s worse?”
00:17:29:18
David Spark
Now for those of you who have never heard this show before, this is the most popular segment. This is “What’s Worse?” and the game pretty much sounds like what the title is. I’m going to present two horrible, horrible scenarios – two that you would not like at all whatsoever. But it’s a risk management exercise, and Mike and Andy will have to decide which one of these two horrible scenarios do they actually think is worse? I also want to get your feedback as well, after they determine whether it’s Situation A, or Situation B. We’re going to play two rounds of this – and by the way, they’re always submitted from listeners, so if you have “What’s Worse?” scenarios send them to me. They are always a surprise, so everyone is hearing it at the same time. This comes from Eric Block, who is with Sprinkler, and he asks, “What is worse: having bad end-point protection agents installed that provide great telemetry and log data, or having the best end-point protection agent that doesn’t generate any telemetry or log data?”
Mike Johnson
This is easy. I would much rather have the telemetry forwarded back to the central systems, where I can actually treat all the end points as sensors, and gather that information all in one place, and take advantage of that. If the end points aren’t blocking things themselves, I can still do something about it. If a bunch of my end points are blocking the same thing, and I don’t know about that, there’s something systemic going on that I’m just completely unaware of.
David Spark
You’re more interested in information than action.
Mike Johnson
So there’s prevention versus detection is what we’re talking about here. I’m always going to lean a little bit more on the detection side than on the prevention side.
David Spark
Andy – your take? Do you agree or disagree with Mike?
Mike Johnson
Tell me why I’m wrong, Andy.
Andy Ellis
David and I have a little game when I’m the only co-host, which is if I, as a co-host, can make the guest agree with me, I win, and if I can’t, then David wins.
David Spark
Because I always want disagreements.
Andy Ellis
So in this case, David, you win, because I think if I had an autonomous agent that was really good and effective, and didn’t have my sec-ops team have to wade through tons of telemetry about stuff that it should have dealt with already, I would totally take that. Agents suck, by the way. If I have to have an agent, it’s impacting the user, and all it’s doing is extracting knowledge that then I have to do more work for, but it didn’t actually do anything for me? Yeah, that’s an easy call on this one. But clearly it wasn’t an easy call for Mike, so I think the “What’s Worse” questioner wins.
David Spark
Thank you. And Mike, I’m going to say that Andy is correct. Oh, I haven’t actually asked the audience. Between the two: bad end-point agents installed to provide great telemetry and log data, or best end-point protection that doesn’t generate any log data at all? Which is the worst scenario? Bad end-points with great data: applaud.
Andy Ellis
That means you agree with me, so applaud a lot.
David Spark
Boo? Who’s booing? Now, who thinks the second situation’s worse? That means you’d be agreeing with Mike. Applause?
Mike Johnson
Silence!
David Spark
Someone’s politely applauding. It’s your co-worker!
Andy Ellis
Golf clap from the co-worker of Mike, who wants to still be employed tomorrow.
David Spark
Smart move, by the way. Here comes our second scenario. This is from Jonathan Waldrip of Inside Global. You’re constantly spending money on new tools, but leaving the default configuration in place, so it’s just an endless stream of new tools purchased, that you just plug in, turn on, and do nothing else.
Andy Ellis
Before you do the next one, that one has to be better, because I can’t imagine anything worse than that!
David Spark
Hold on. Having a team that is set in their ways, and they are staunchly resisting any new tech or tools. Andy, you go first.
Andy Ellis
You have a team set in their ways and resistant to any new tech? I will actually take that the first one is worse. Well, if I have a team that refuses to do work, I can replace them. If I have tools that all I do is deploy them and leave them the way they were configured, I have shelfware. I’m spending lots of money that makes me think I’m getting better, but I’m not. I like this one because it’s two very different problems. Usually it’s the same problem with slightly different access. I think I would rather have the team that’s set in their ways, because I feel like I could potentially alter that one.
David Spark
The way this game works is that that’s the situation: you have no capability to change it. As good a manager as you are, you can’t change it.
Andy Ellis
I think I’d still take the tools that we never bother configuring, because most tools don’t work out of the box.
David Spark
So that’s the worst scenario?
Andy Ellis
That’s the worst scenario.
David Spark
Mike, which one’s worse?
Mike Johnson
I generally err on the side of people when preferring to have to deal with tools. On the one side you’ve got a group of folks who are problematic, and on the other side it’s the tools that are problematic. I’m going to prefer to have…
Andy Ellis
This is a good one! I’ve never seen Mike stumped!
David Spark
I think you’re stumped!
Mike Johnson
I am stumped, and trying to buy time.
David Spark
You had time, because Andy answered first.
Andy Ellis
I don’t stall for time. I’m sorry, Mike. Should I stall for more time? I have to rethink my answer.
Mike Johnson
What’s worse would be the team of people who are stuck in their ways. If I’ve got tools where I’m not changing the default configurations, that sucks, but I would rather have that than have a team that is working against every idea that I might be coming up with.
David Spark
Alright. So you split again on this one? Asking the audience on this one – which is the worst scenario? How many people think leaving the default configuration in place is worse?
Andy Ellis
Again, booing.
David Spark
I don’t understand the booing during the applause.
Andy Ellis
Because it’s a worse thing. They’re saying “boo” because it’s worse. They don’t want to applaud it.
Mike Johnson
Now you’re trying to get folks on your side.
Andy Ellis
I’m totally trying to work the crowd here! Let’s see if you can beat your one golf clap from last time.
David Spark
So, the other one is having a team that’s set in their ways and staunchly resists new tech and tools. By applause, who believes that’s worse?
Andy Ellis
Oh that’s like an even split.
Mike Johnson
I didn’t get a boo. I got applause.
Andy Ellis
Which included a boo. Imagine if I said I’m at a football game, and “which team do you hate worse?” and two teams come out. Like, the people booing are saying that team is worse. I’ll go with that, but I think Mike had the same number of respondents in the applause; mine were just a little more energetic.
What do you think of this vendor marketing tactic?
00:26:36:15
David Spark
Gentlemen: using humor in cold sales. How many salespeople do we have in the audience? By applause – they can’t hear you when you raise your hands, just so you know! Does humor in cold sales ever work? Now you’ve seen the funny emails from people you don’t know, and the gag gifts that just appear in the mail. Liran Sheinbox, CISO at Playtika, posted a photo of a spatula, the one you would use for spackling, in a cover letter he received from a salesperson asking if he’d like some help fixing the holes in his infrastructure. Ha-ha. Now, I want to mention that Terry Gilliam, who’s one of the founding members of Monty Python, noticed an interesting phenomenon. When people don’t like a joke, they actually get angry, which is literally the opposite effect the salesperson wants. First, have either of you ever received a cold outreach that you found funny and you did respond, and second, have you actually gotten angry because you didn’t like a joke, and why doesn’t humor work in cold sales outreach? Mike.
Mike Johnson
I can’t think of a time where I’ve ever responded positively to one of those. The one that comes to mind is the “respond 1 if you would like to set up a meeting, respond 2 if you’d like me to come back later, respond 3 if you’re trapped in a well and need me to send help.” It’s always some variation – that number three always changes.
Unknown Male
I think I said that.
David Spark
The first time you got that, it was a little funny. Like, it was funny once?
Mike Johnson
No.
David Spark
The first time I saw it, I was like, “Oh, that’s kind of cute.” I still didn’t respond.
Mike Johnson
No, none of these make me angry.
David Spark
Have you ever gotten angry?
Andy Ellis
First of all, if you’re listening to this and you do sales development, recognize that you have the hardest job in the industry, and even if we are not responding to you, we still recognize that your job sucks, ’cause your job involves reaching out to people who don’t want to talk to you. That said, the joke cannot be on the person that you’re trying to reach out to. When you’re making fun of them, like the whole thing with the spatula, you are talking down to the person, saying “You don’t care about security.” Trust me, the CISO cares about security.
David Spark
By the way, in general, do you care about this? Do you care about that?
Mike Johnson
Nope. Don’t do that.
Andy Ellis
I have my stock template response that tells people “the answer is no,” so I can at least get you to a quick “no”. Here’s the FAQ. Every so often, I would get somebody who would respond like, “Well, clearly you don’t care about security.” My first response is – and I never send it, so maybe I’m verbally sending it: “Clearly you don’t care about sales.” You just basically went from “I was going to forget about you,” to “Now, I will remember your company’s name, and do not want to do business with them.”
Mike Johnson
Yes. In a bad way.
Andy Ellis
So I think there can be humor. It’s hard if it’s cold, because you don’t have shared context with somebody, but the humor needs to be about a third party, not about the person you’re talking to, and it needs to be original. If you find an approach that works, don’t tell anyone, because if you share it among your sales colleagues, and say, “I did this and it worked!” we’re all going to get it, and now that moment of levity that you got is instead replaced with “Oh my God.” That first time someone said “Press three if you’re trapped under your desk and you need me to call 911,” I thought it was funny. I laughed – it was cute, it was better than everything else I was getting.
David Spark
You’re an easy audience, Andy.
Andy Ellis
But now, like, I probably get one of those a week.
Mike Johnson
Yes. That one is clearly a template that gets passed around. We get these quite frequently, and if it becomes a template, we’re going to recognize it very quickly, and recognize the lack of originality. You’re not really interested in my time or my feedback if you’re just sending the exact same thing to everyone.
Andy Ellis
Yeah. If you’re going to try humor, try self-deprecating humor. I have gotten the one that says, “I know that you’re getting a hundred of these messages a day, and you probably–”
David Spark
That doesn’t work, either.
Andy Ellis
It does if it’s then followed with, “Here’s the two-sentence description of your company,” so I might read that. And remember, I’m not going to respond to you, but you at least have that moment where I’m like, “Great, I recognize that you know you’ve got a bad job to do. You made a joke at your own expense and I’m willing to at least read one more sentence.”
Mike Johnson
I think, ultimately, what Terry Gilliam was on to is that everyone has a different sense of humor, slightly.
Andy Ellis
So in fact what you just heard is the things that I thought were funny, Mike didn’t.
Mike Johnson
Yes.
David Spark
Yes. And if you send the same mass email to both of them, one of them would get angry, and the other one would go, “Huh.” But you wouldn’t get a response from either, that’s the key thing.
Andy Ellis
Yeah. You’re better off having people forget you sent the message than having an angry response, but you will never know which one it was, because they’re not going to give you a signal.
Sponsor – Constella Intelligence
00:31:56:01
David Spark
Constella Intelligence. Let me tell you about them. Ransomware, phishing, insider threats and other digital attacks cost US businesses trillions per year. The Colonial Pipeline hack that brought down the entire East Coast was the result of a key employee’s compromised credentials. Constella Intelligence allows you to protect all of your key employees from digital risk – everyone from executives, to IT personnel, HR and others – by continuously monitoring their digital footprint, detecting threats that others miss with real-time alerts and automated takedown to protect you and your company from a targeted attack. Try them for free at constellatrial.com. Go there and see if your data has been exposed. Take charge of your cyber defense strategy with Constella Intelligence. Visit them at www.constellaintelligence.com.
What’s the best way to handle this?
00:33:14:02
David Spark
From our recent “Ask a CISO Anything” on the cybersecurity subreddit, where we do AMAs often, and had lots of great responses. A redditor asked, “I work for a medium-size company of 2000 employees where I am the only security person. The problem I am facing is new regulations are hitting us left and right that we need to become compliant with, while also keeping the organization secure. How do you identify and prioritize what needs to be done first?” I’m going to start with you, Mike. Is this a no-win situation? It seems daunting.
Mike Johnson
I remember reading this question on the AMA and just thinking, “Yikes.” What a hairy situation to be in. I don’t think it’s no-win, but what I read between the lines of this one is the redditor has kind of taken all of this on their shoulders to go solve, that all of these regulations are their problem alone. I think what they really should think about is how they can make sure that the business understands it’s the business’ problem, and get leadership buy-in from there: taking a look at the regulations, figuring out what they are, writing them down in terms of the business needs, the business concerns, but also what the security mechanisms are that you can use to help. That then becomes the package that you’re presenting to leadership, getting their buy-in, getting their help, by saying, “These are our problems. These are your menu of solutions. Let’s work together on these.” You are then actually moving into a place where the business recognizes that this is a business problem, not a security person thinking it’s their problem.
David Spark
What do you think? Is this beyond daunting?
Andy Ellis
So, it’s daunting because we’re missing some information. Obviously the jokey thing to put at the top of the list is go update your resume, and talk to a recruiter. But what I was missing here is, who’s actually responsible for security? They’re the security person, but they work for somebody – that somebody is probably who the executives think is responsible for security. What are the tools that you actually have at hand? Is hiring an option? I assume not, from the way the question was worded, but maybe it is. Are outside partners an option? This is the place where you reach out to [a var] and say, “Hey, I need some help here, do you have a VCISO, an audit firm, a [pentest] firm, and somebody to solve these eight problems for me?” and you can come in to integrate them, because it’s just you. Maybe you have partners inside the organization who build tools that you can use. So it is a daunting task – I’ve been there, although slightly smaller; I was the only one with 500. I turned that into a path to being a CISO by just tackling one problem at a time. Here’s the secret when you have too much work: if you know how to juggle, and somebody hands you three balls and says “Juggle,” you can juggle pretty successfully.
David Spark
By the way, a little tidbit – I can juggle.
Andy Ellis
Oh good, then I can use you for this one, because I don’t think I’ve ever done this one with you, David. If I hand you four balls, and I tell you to juggle, how successful will you be?
David Spark
So I used to be able to juggle four; I can’t any more.
Andy Ellis
So what would happen?
David Spark
You juggle two in each hand, and I’d drop all four.
Andy Ellis
Okay. If I handed you 17 balls and told you to juggle…?
David Spark
I would throw all 17 in the air and they’d all hit the floor.
Andy Ellis
Okay. But the right thing to do is set 14 of them down, and juggle three.
David Spark
That I can do.
Andy Ellis
And that’s what most people forget. They get all of this work, and they try to do it all at once. Instead, pick the things that will provide sustainable value once they’re done. Is there something you can do that will automate, that will scale, and then as soon as that’s done, move to the next thing, but don’t try to push 17 projects forward at once, because none of them will ever succeed.
It’s time for the audience question speed round.
00:37:26:24
David Spark
So I have in my hand here questions from you, audience, for our CISOs, and we’ve got six of them here. In the last few minutes we have of the show, let’s get through as many of these as we possibly can. So, what’s the youngest age you can teach cyber, and what should you be teaching at that age? That comes from Rick [UNSURE OF WORD] of Dynatrace?
Andy Ellis
So I was teaching it to my kids basically as soon as they were born.
David Spark
Really? Had they been on a computer at that time?
Andy Ellis
You don’t have to have them on a computer to start teaching them cyber.
David Spark
What are you explaining this time?
Andy Ellis
We were teaching them things like privacy – when people take a picture of you that’s going to be posted on social media, it doesn’t involve your face. So they might not have recognized that lesson until they were five, six, or seven, but it got to the point that if somebody pulled out a camera to take a picture, my kids would turn away.
David Spark
Really? At what age were they doing that?
Andy Ellis
They were probably doing that around six or seven. But if you were with us, and you took out your phone to take a picture, my kids would turn away from you, because you never let somebody take a picture of your face without your permission. It’s never too early to start teaching lessons that are applicable.
David Spark
I thought you were going to say you were teaching them to remember complex passwords, and rotate them frequently.
Andy Ellis
That was around eight or nine. Unique passwords for every website, have an algorithm to generate them.
Mike Johnson
Memorize them, and then rotate them every 90 days.
David Spark
Rotate the kids? Oh, I would love that!
Andy Ellis
That would be great.
Mike Johnson
Hot swappable. Redundant kids.
David Spark
My wife and I do that with our kids. If we’re getting fed up, we’re like, “I’m handing him off to you right now.”
Mike Johnson
That’s hot swappable adults.
Andy Ellis
We jokingly described our second as “the advanced RMA” for the first.
David Spark
Mike? I don’t know – five or six sounds pretty good to me. I don’t have kids. What could you teach a child at that age, that would be appropriate at age five or six?
Mike Johnson
I really think at those young ages, it’s really just teaching them some common sense practices online, and understanding some of the things that can go wrong. Like, the “don’t talk to strangers” rule, applied to online, seems like a very good one to teach them at a very young age.
Andy Ellis
Yeah. The first time they encounter a griefer in Minecraft, just tell them that griefers are all over the internet.
Mike Johnson
Yes. They exist everywhere.
David Spark
My son is a huge Minecraft fan. Let’s get through the next one. What’s one aspect of data security that’s holding companies back? I know there’s a lot, but just isolate it to one. This comes from CJ Radford of Sotero.
Mike Johnson
As Andy was talking about with trying to juggle 17 balls, it’s trying to treat all risks as equal. Not everything is critical, not everything is low. You actually have to have some nuance to it, and if you’re trying to treat everything with the same level of criticality or concern, you’re not going to make any progress on any of them.
David Spark
Andy?
Andy Ellis
I think it’s that data isn’t centralized. People think about data lakes, and data oceans – it’s like data swamps. It is all over your organization, it’s spread out, and every time you turn your back, it moves, and goes into somewhere else. So keeping track of all the data, and applying policy everywhere, that’s probably the single biggest challenge.
David Spark
How would an IT auditor become a CISO, and do you know of any who have actually done this? This comes from Tim [UNSURE OF WORD] who works at Kaiser Permanente. What’s your tip, specifically for an IT auditor?
Andy Ellis
So I think moving from audit into direct practice is part of that. Having the background of being an auditor is valuable and fantastic, but the challenge is, you have a reputation of always being on the outside looking in, and getting your hands dirty, and actually implementing security in any of the domains, so that you have that credibility of having solved the problems, and not just having found the problems.
Mike Johnson
I definitely agree that becoming the practitioner – maybe even changing teams, however that works in your organization – and bringing that audit perspective, bringing that forward, and you can twist that to talking about risk as well. That’s all we talk about as CISOs, is the trade-offs of risks. And that then moves you on that path to whatever’s next, whatever’s next, until eventually you’re a CISO at that point.
David Spark
What’s one tip to improve collaboration with the audit team? Also from Rick [UNSURE OF WORD] of Dynatrace.
Mike Johnson
I think a lot of it is planning ahead, and working with the audit team on what frameworks are important, and the past evidence that’s been shared. One of the things that we’re actively working on is how we make it easier to gather evidence for not only ourselves, but for other teams. That’s making the auditors’ lives easier, and it makes everyone’s lives easier at that point.
David Spark
Andy?
Andy Ellis
I think it’s understanding the different filters of what is a finding, because a finding isn’t “Here’s a control you could have, but don’t have.” It’s actually “Here’s an indefensible absence of a control.” So if they come to you and say, “What are your problems?” and you give them 50 problems, they might publish them all to the board, but they’re now indefensible, so you have to fix all 50. Whereas you might have just said, “47 of these are fine that we don’t have the control. These three we need to fix.” But you didn’t know, as a CISO, that giving them all 50 meant you were going to have to fix all 50 right now and disrupt everything. You’re speaking different languages sometimes, even though you’re in such adjacent career fields, so understanding what it means to be a finding, what risk means, because these are the same words, with different meanings depending on the context of who’s talking about them.
David Spark
Another one from CJ Radford of Sotero, asking, “Where are you investing to most significantly reduce your risk cost? I’m sure lots of places, but give me one significant place.”
Andy Ellis
Well, I just changed jobs, so for me, that’s a big one. But I think if I was looking at it from the CISO, as in, “What are you investing in right now?” it’s really understanding how you’re making the migration to Cloud, because what I think a lot of people started doing is saying, “Well, we’ll take everything we did in the legacy enterprise, and just copy it in the Cloud,” and that’s a really expensive way to not get security. What you really want to do is stop and rethink, and say, “How do I design for that new architecture?” because Cloud doesn’t actually look anything like enterprise, and so Cloud security obviously isn’t going to look like enterprise security.
Mike Johnson
I would actually say Cloud as well, so I’ll come up with another one so it’s actually an interesting answer. For me, it’s instrumentation, and data collection and data analysis – really understanding all of the signals that all of our systems can send, and, be they security signals or not, instrumenting just your regular observability systems gives you a lot of value. Taking a look at all of that data, and doing something with that, finding the needles in those particular stacks of needles, that’s really where we’re paying a lot of attention after looking at all the Cloud concerns.
David Spark
Very last question, and this comes from Josephine [UNSURE OF WORD], who is at UCSF, and her husband wants to be a CISO, so she’s concerned, and she wants to know why. What is the secret to managing stress as a CISO?
Mike Johnson
Not being one.
Andy Ellis
I’ll jump in with this one first, having just transitioned out of being a CISO. The most important thing is understanding that the job of the CISO is not to be up at night worrying about things that nobody else is worrying about. It’s understanding that your job is to advise the rest of the business, and if the business says they’re going to tolerate that risk, then you have to move on from it. You don’t get to carry that, and say, “Oh my God, what am I going to do? What am I going to do?” Stress is your body telling you that your belief in the world, and the actual world, are not the same thing, and so you need to bring those together as a CISO and say, “My job is to help the company make better risk choices. That doesn’t mean they don’t take any risks. They’re going to take risks. I’m not always going to agree with it, but at the end of the day, that’s the choice.”
David Spark
Mike?
Mike Johnson
I think it’s a really good point to recognize that you shouldn’t be taking it all on your shoulders. For me, from my perspective, it’s really finding outlets, finding other things to do, that you can kind of move your stress with you, to go have that outlet somewhere else, so you’re not taking it out on other people.
David Spark
Like hosting a podcast.
Mike Johnson
Like hosting a podcast.
David Spark
Is this a stress-reducer for you, Mike?
Mike Johnson
It’s more of like a stress-increaser.
David Spark
Oh, it’s a stress-reducer for me.
Mike Johnson
Yes, well.
David Spark
Well. I am glad that I’m helping one of you and not the other.
Mike Johnson
Story of my life, David.
00:47:04:08
David Spark
Thank you so, so much. Well, that becomes the end of our show. I want to thank my co-hosts here, both of them: Andy Ellis, who is operating partner over at YL Ventures, and Mike Johnson, as well, and also a huge thanks to all three of our sponsors here: Code 42, Sotero, and Constella Intelligence. If you haven’t had a chance to talk with them, do so, they’ve all been just great sponsors of the CISO series – we greatly appreciate everything that they’ve been doing for us, and they do actually have some pretty impressive solutions, so please check them out. If you’re listening to this, go to CISOseries.com and check our posts, and you can find more information about them there as well. Additionally, I want to say thanks to SF ISACA for inviting us to be here at the event. We greatly appreciate that. I’ll let Mike and Andy have any closing comments. Mike?
Mike Johnson
I actually just want to echo David’s “thank you for having us.” Great audience here today, I love having the participation. Usually I’m looking at David on a Zoom.
David Spark
This is the first time we’ve got together since the pandemic. It just dawned on me.
Mike Johnson
So thank you for having the event, thank you for being here, and thank you for having us.
Andy Ellis
And I want to say thank you for all the work you do every single day, even though I have no idea what most of you are specifically doing, but that’s okay. It’s understanding that our organizations operate and function because of the work of lots of people who often are not celebrated and heralded. For instance, I’m going to thank the people who are going to have to clean up all of our audio, especially the one who cleans up the moment I slipped and used a small expletive there.
David Spark
I put a note. Well, thank you again, and we greatly appreciate all your contributions, and listening, too, to CISO/Security Vendor Relationship Podcast.
Voiceover
That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”