I guess because it’s a pandemic, and we really need them, just this one time, we’ll let the CISO hang out at the cool kids’ table.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Jadee Hanson (@jadeehanson), CISO and CIO, Code42.

Thanks to this week’s podcast sponsor, Code42

Redefine data security standards for the hybrid workforce. Check out Code42.

Got feedback? Join the conversation on LinkedIn.

Full transcript

Voiceover

Ten second security tip – go!

Jadee Hanson

When starting a new security program at a company, don’t assume that your personal risk tolerance matches that of the company, the CEO, or the Board. Before you go out implementing controls, changing things, take time to understand the risk posture of the organization, to better understand the type of program that you will need to implement.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark. I am the producer of the CISO Series. And my co-host, Mike Johnson is here. Your voice, Mike.

Mike Johnson

My voice. My voice is here, I think I’m here with it.

David Spark

You know, it’s like my voice is my password.

Mike Johnson

Exactly.

David Spark

You know, those financial institutions, they are doing that now.

Mike Johnson

From Sneakers.

David Spark

Oh, did they do that in Sneakers?

Mike Johnson

Yes, yes, “my voice is my password, authenticate me,” I think is what it was. To let in the door.

David Spark

We’re available at CISOseries.com. Also on the subreddit of r/CISOSeries, every Friday we have a super-fun video chat, and to join that just go to CISOseries.com, and click the “Register for video chats” button. Our sponsor today is Code42. They have been a phenomenal sponsor, sponsoring a lot of our different programs. They are incredibly focused on the insider risk now, on the non-malicious element, and we’re going to talk a little bit about that on today’s show. In fact, they’re responsible for our guest today. Before we get to that, I do want to mention two things. One is a little bit of David Spark trivia that you may not know, Mike.

Mike Johnson

Oh, hit me with that!

David Spark

The reason I’m bringing it up is because, on the day that we’re recording this, something hit the news today. My mom went to high school with Bernie Madoff.

Mike Johnson

Oh! Okay!

David Spark

Completely irrelevant to anything, but Bernie Madoff passed away, I think yesterday. When I found out that my mom went to high school with Bernie Madoff, I found her yearbook and scanned his photo. He was a locker guard, and he was on varsity swimming.

Mike Johnson

Oh, locker guard.

David Spark

I do not know what a locker guard means, but that’s what he was.

Mike Johnson

Evidently you can go far, if you start as a locker guard.

David Spark

Far with embezzlement, obviously. I do want to mention one quick thing though. Black Hat looks like it’s going to be the first big security conference that’s going to have it in person. I’m going to ask you, are you going to go?

Mike Johnson

No.

David Spark

No. You’re not even thinking about it?

Mike Johnson

No. I’m not even thinking about it, mostly because I need to plan ahead, and it’s really hard to know, between here and there, what the world looks like and whether or not that will be safe, so I need to go ahead and plan. I went 20 years between the first Black Hat that I attended and the one that I most recently attended, so I can probably skip a year.

David Spark

Alright, well, I would like to go and I’m going to see what the world’s like, and I can make a last minute decision.

Mike Johnson

I look forward to hearing about it.

David Spark

So we’ll see, I would like to, but I’m a little nervous about the obvious health implications as well.

Mike Johnson

Yes, yes.

David Spark

Alright, let’s bring in our guest. I had her on a video chat before. You and I met her at our live shows, both in San Francisco and LA, so thrilled that she’s here – it is Jadee Hanson, the CISO, and I understand CIO as well. Yes, Jadee?

Jadee Hanson

Yes.

David Spark

CISO and CIO, over at Code42. Thank you so much for joining us.

Jadee Hanson

Thanks for having me.

Walk a mile in this CISO’s shoes

00:03:48:18

David Spark

I want to know how popular the two of you have become since the start of the pandemic. The reason I ask is, an article on CIO.com, by Esther Shein, states that CIOs have become really hot commodities within the organization, and other organizations, so being pulled away, seeking a more aggressive digital infrastructure. Now, Stan Waddell, CIO of Carnegie Mellon University, noted “that the CIO has always been seen as a strategic partner, but the pandemic has definitely accelerated its value.” So, have you seen the same with your CIOs, and other CIOs? And, did this trickle down to the CISOs as well? When you answer this, think about your engagement with the business, prior to the pandemic, and now, how are you treated differently? I’ll start with you, Mike.

Mike Johnson

Well, it’s hard to think back to prior to the pandemic.

David Spark

I know it seems like a million years ago.

Mike Johnson

I really had this moment of, wow, that’s over a year ago, at this point. I think, right now, anyone that’s helping companies remain productive during the pandemic, is certainly productive. Whatever your role is, if that is one of your main focuses, then you’re going to be very popular, because the company really needs you to excel in order for the company to remain productive. I don’t think I was any less popular then, or treated differently. Maybe that’s just my ego speaking, who knows? But the engagements certainly changed. What we were talking about early in the pandemic was certainly different than what we were talking about a month prior. A lot of it was, how do we make people fully productive from home – an entire company? We were already remote. We also had these concepts, but how do we take the 50% of our company who was used to working in an office and make them productive at home? Giving folks advice, documentation, self-help, the ability to really scale that kind of support, the ability to operate in a more asynchronous way – documentation processes around that. That’s kind of the way the engagements have gone, in order to really make those folks productive. That’s the kind of shift that I saw early on.

David Spark

Alright. Jadee, I throw this to you. Have you become far more popular since the pandemic?

Jadee Hanson

If my popularity is determined by how busy I am, maybe slightly more popular.

David Spark

But I’m also saying that the eagerness of the other C-level employees, and the Board to you – “we got to get Jadee, we got to get Jadee,” maybe more so now than ever before, yes?

Jadee Hanson

When we transitioned to work from home – I have the CIO role as well as the CISO role – and so we had to figure out ways to enable our entire workforce, through different devices, docking stations at home, think about even the right chairs to sit in, the right monitors to have at home. And so that was all on the IT side. On the security side, we focused largely on what is all the tech that our teams need to use, while working remotely, and then how do they do that securely? We had a bit of a shift where there were some applications that required a VPN and required you to come into the network, that we’re now pushing to use the native cloud application, so none of that VPN access is even needed. I think more and more companies are moving towards that approach, if they haven’t already. And even with the return back into the workforce, if companies aren’t thinking about that, it definitely feels like something they should be thinking about.

David Spark

And don’t speak for yourself here, but one of the big things in this article was just the desire for other companies to hire other CIOs. Have either of you heard from your friends that they’re getting some amazing offers during the pandemic, that they had never received before?

Jadee Hanson

Both Mike and I share some of the same Slack chat groups, and there is probably a role a day posted, of a large opportunity that is out there. I think it’s very difficult for employees to switch roles during the pandemic, where everything is very virtual. But certainly, I’ve seen a ton of movement, so we are figuring it out.

David Spark

Mike, what have you seen?

Mike Johnson

As Jadee said, we do see these roles come up. We see our friends moving from a previous opportunity to a new one.

David Spark

Are they more lucrative now?

Mike Johnson

I think it’s really hard to separate the pandemic effect, and the rise of the importance of security. It’s so combined right now that it’s difficult to say that the more lucrative offers are as a result of the pandemic. It may be, but I also think a lot of it comes down to people needing a bit more of a push to actually make a change. So there’s probably hiring bonuses going on that we don’t hear about.

There’s got to be a better way to handle this

00:09:12:23

David Spark

An article on TechBeacon by “Nanker Phelge”, that’s a pseudonym, wrote that “these compliance checkboxes to third party surveys are not actually providing any security for the supply chain. But at the same time, one popular philosophy, adopted by security professionals, is the Checklist Manifesto, by Atul Gawande, which espouses the use of checklists to manage complex issues.” Jadee, do you find the value in using checklists to manage the complexity of the supply chain? If not, what methods have you used to try to make sense of the absurdly complex issue of supply chain management?

Jadee Hanson

I certainly feel this on both sides. As a vendor, we get asked all of these questions. We have to fill out all of these checklists. And then, obviously any product that I’m buying, I’m perpetuating the issue, and I’m asking my vendors to fill out the checklist and answer all of the questions.

David Spark

And by the way, just for my definitions, you’re asking them to fill out checkboxes for compliance reasons? Checklist is more like task oriented.

Jadee Hanson

Yes, absolutely. A colleague of mine, we joke that this problem of really understanding vendor or supply chain security, is kind of a billion dollar problem because we just have not figured out how to solve it in a really effective way yet. I have an example that came up earlier this week, where I was talking to a colleague and I was talking about a product that we are using. He mentioned that they evaluated it a year before, and the security was terrible, and they didn’t have any investment in security whatsoever. Even that really intangible, qualitative information about this particular vendor would be really great to have. But there’s really no way of surfacing that type of information, so that the rest of the security community can absorb it, and can make the right decisions, based on purchasing their product or not.

David Spark

Mike, checkboxes for compliance and checklists to simplify steps of a complex issue – what’s your take on using checklists to simplify, and do you use it, or do you use some other method?

Mike Johnson

I don’t think I understand the differentiation between these two that you’re trying to make.

David Spark

Checkboxes are, do you do this? Check, yes I do this. Checklist is, I’ve got this complex task in front of me, of trying to make sense of dealing with the supply chain. Here are the tasks that I need to do, to go through to deal with it. Checklists are usually more involved than checkboxes, I would say. There are probably more checks on a checklist, than there are checkboxes for compliance reasons. Are you following me on all that?

Mike Johnson

I think I get it. So, a checklist is a way of turning a process, that maybe you have in your head, and writing it down and making it repeatable. A checkbox, as you said, is yes, no, questions along the way.

David Spark

Yes. Are you doing this? Yes I am. But if you were to look at the checklist, it could have 25 check items on it.

Mike Johnson

I vividly remember, when the SolarWinds breach came out, that there were jokes about the checkbox approach to security. That, surely, if people would have just sent out the right questions that this would have been solved. I think, at the same time, that’s really minimizing the amount of work that we need to do, when it comes down to vendor security. It’s a lot more than just, do you do this? Yes or no. A checklist approach, of how do you do this? And having that be a question that you’re asking every time, might give you some insight into the vendor, and how they think about security.

David Spark

Have you done that, Mike? And, Jadee, I’d like to know your answer to that.

Mike Johnson

We try and get into that when the initial answers come back a little bit weird. What we’re sending out is a list of questions that range from yes, no, to describe the process. We might have a deeper discussion based on those answers. A list of answers to checkbox type questions might actually be enough for us to go, “Oh, that’s weird. Let’s have a conversation about it.” Then we have the deeper dive, then we’re getting into the, here’s the questions that we need to ask. Here’s the list of information that we need to gather.

David Spark

Jadee, have you had the chance to ask the “how are you doing this?” rather than “do you do this?”

Jadee Hanson

Yes, we do something similar, and I would say that it’s still point in time, and it’s not great. This is a really tough problem to solve in security. Unless you’re part of the security team at that company, you’re not going to know where the skeletons are buried with a checklist, checkboxes, interviews, you won’t know.

It’s time to play, “What’s Worse?”

00:14:53:12

David Spark

Jadee, I know you know how to play this. For our listeners, listening for the first time, this is a risk management exercise. Two horrible situations – you’re not going to like either one of them, but you’ve got to pick one, because one of them is always worse than the other. I always make Mike answer first. You get to respond, either agree or disagree with Mike. I always like it when people disagree with Mike.

Mike Johnson

True.

David Spark

Mike, this comes from Neil Saltman of Anomali. He’s given us a lot of good What’s Worse scenarios. What’s worse? Patching critical systems on – get ready for this – an annual basis, or letting your users keep their passwords as long as they want to? And there’s no MFA, by the way.

Mike Johnson

I think Neil broke me. Those are just two such vastly different scenarios.

David Spark

And they both stink! Would you say they both stink?

Mike Johnson

I don’t like either of them.

David Spark

No, I didn’t think you would.

Mike Johnson

These are both terrible.

David Spark

You know there’s a lot of companies that are operating on these environments.

Mike Johnson

Hopefully they’re not dealing with both of them. My heart goes out to any security professional that is having to face both of these simultaneously, much less one or the other.

David Spark

So which one’s worse here?

Mike Johnson

On the one hand, you’ve got your critical systems probably exposed to the Internet, probably have their services constantly being battered and attacked, and there’s likely a vulnerability in there. If you’re only patching them once a year, in those 365 days, one of those systems is going to get compromised – guaranteed, it will happen. It’s just a matter of how deep it is, how far it goes. On the other hand, where you’ve got users who can have a terrible password.

David Spark

For sure they’ve got passwords that have been exposed.

Mike Johnson

Yes. But, that’s only giving you user level access. You now have to pivot. You now have to go from there to something else, to something else, to get to the data that you’re after, presumably.

David Spark

It could be your admins, too. It’s everybody.

Mike Johnson

Again, probably still have to go somewhere else. The admins probably don’t have something local. So, for me, the one that’s definitely compromised, within five minutes of you turning it on, the first scenario, that’s the worse one for me.

David Spark

The patching once a year? Alright. Jadee is nodding her head, but she nodded her head at everything, so I don’t know where she’s leaning. Are you leaning to agree with Mike or disagree with him?

Jadee Hanson

I have to agree with Mike right away. Patching critical systems only once a year has to be absolutely worse. David, you said, no MFA, but the scenario was no MFA, and the passwords stay forever. So I’m going to assume that there could be strong complexity in order, and if that’s the case then they’re actually following the latest NIST guidance.

David Spark

Yes, they could have a very complex password, that’s possible.

Jadee Hanson

Your scenario was no MFA, and it was that the passwords never get changed. So a complex password that is in place forever is not necessarily a bad thing, because we’re not changing our password, we’re not introducing risk that someone’s writing it down. They’re not taking the risk that they’re writing it on a sticky note, and putting it on their desk.

David Spark

I’d be more concerned about the fact that they’ve probably duplicated the password somewhere else, but you don’t know, it could be anything. Who knows?

Jadee Hanson

It could be anything. I agree with Mike, the fact that it’s a user account definitely is a little bit less of an impact, versus one critical system that is absolutely going to have critical vulnerabilities over the course of the year.

Please! Enough! No more!

00:19:16:04

David Spark

Today’s topic is insider risk. I’m going to start with you, Mike. What have you heard enough about, with regards to insider risk, and what would you like to hear a lot more?

Mike Johnson

This one is easy for me, and Jadee and I have actually had past conversations about this, so she already knows what I’m going to say. It really is this past approach that every employee is suspicious. That’s the way that everyone has talked about insider risk. It used to be insider threat, was what everyone called it. So, I’ve heard enough of, all of your employees are out to get you. Just stop. Let’s not start there. Let’s start somewhere else.

David Spark

If that’s the case, maybe you shouldn’t have hired him.

Mike Johnson

Exactly! Just have no employees, you don’t have a problem there. But, what I’d like to hear more of is, a lot of the breaches that we hear about, in the Verizon Data Breach Investigations Report, just on the news, a lot of those are due to mistakes. Humans are humans, they make mistakes. So I’d really like to hear more about how these solutions help with employees who just make a mistake. How can we make environments safer for our employees with these types of solutions?

David Spark

Alright Jadee, and I know, by the way, that is your charge. But tell me what have you heard enough about, if it’s the same as Mike or something else? And what would you like to hear a lot more? And please, tell us what you’re doing over at Code42.

Jadee Hanson

We’re trying really hard to help security teams solve this problem. I agree with Mike, we used to approach this problem thinking of our employees as malicious and that they’re threats to our organization. We’re trying to flip that on its head, and we want to think about employees as really just trying to do their job. In a lot of cases, just like you and me, we make mistakes, and we know that our employees will make mistakes. My team runs our insider risk program, and 98% of the stuff that they dig into is non-malicious. The tools that we allow employees to use today make it really easy to make mistakes, and data sharing makes it easy to send stuff to the wrong place, makes it easy to accidentally upload stuff to your personal Google drive, versus your corporate Google drive. These mistakes happen. So, for us, we think that it’s really important that security teams have visibility to all the corporate data, and where it’s going. But we also think it’s equally as important that security teams follow up, in a very presumed positive intent manner, reaching out to the individual, assuming that it is non-malicious, until they know it absolutely is malicious.

David Spark

What are you, specifically at Code42, doing to deal with this problem, that maybe others are not doing right now?

Jadee Hanson

In terms of program builds, we’ve done a ton of research, and partnering with Forrester, Gartner, you name it, to help security teams develop these programs. Insider risk is different than rolling out an EDR solution and addressing alerts that come up. Insider risk is a holistic program in a company, and so you need ways to work with HR, you need ways to work with legal. You need acceptable user policies. You need holistic programs. And so we’re trying to equip security teams with all that. In addition to that, we’re obviously equipping security teams with the right technology to support the visibility aspect that I mentioned. So, with our product, with the product that my team uses, our code phrase, insider product, we’re not asking the security teams to write specific policies, cross their fingers, and hope that something hits a policy. We’re trying to give the security team complete visibility, to all the exfiltration vectors that employees may accidentally bump into, when pulling information out, or sending information in a certain way. Things like accidental upload to a personal sharing storage location, we’re absolutely going to give you visibility to that. Moving files to a VM, or a USB, or an external drive of some sort, we’re going to give you access to that. In addition, emailing documents out, anything like that, where we know that there’s very easy ways for files to leave an organization, we’re going to try to cover all those exfiltration vectors, making sure that the security team has that complete visibility on all those different places.

David Spark

And that’s a key thing that you keep saying – visibility, not blocking. You want them to do their job, it’s just you want the security team to know what the heck they’re doing. Right?

Jadee Hanson

Absolutely. I’m a recovering DLP user myself, and it was really hard because you would block very legitimate business processes, with the technology that we implemented, and we don’t want to do that. We understand it’s our job, as security professionals, to enable the organization, and so we want to make sure that we’re enabling the organization, but we have to do it in a way that the security team still has the tools and the visibility that they need, to make sure that they’re keeping the company safe.

David Spark

Last question. I want to know, and this could be an anecdotal thing that you got from a customer. What is something they’ve implemented, they’re like, “Oh, now that I can see this behavior, we’re now able to do this?” And was it something you didn’t expect? What has been the biggest impact that you’ve seen with your customers?

Jadee Hanson

I feel like I have stories that I could tell all night. The one kind of more common one that we hear a lot is, security teams will say, it’s our corporate policy that we don’t use personal Dropbox, or a personal Box. Then they’ll implement our technology and they’ll see over half of their company moving files to personal Dropbox, or a personal Box, and certainly they’ll have to address that with larger education and larger awareness. That’s probably the most common thing that we see.

David Spark

People don’t always do what you tell them to do.

Mike Johnson

So strange.

David Spark

It’s a shocker.

Jadee Hanson

Exactly. Policy doesn’t always work, if it’s just written down.

Is this where I should put my marketing dollars?

00:25:55:02

David Spark

Fernando Montenegro of S&P Global Marketing Intelligence asks, “To a CISO, what’s the value of white papers?”

Mike Johnson

I love white papers. I am going to assume we’re talking about vendor white papers? What is really of value to me is, a white paper is generally a deep dive. It’s really going beyond just the surface. It’s beyond what you’re seeing on a marketing website. It really talks about features and functionalities of the product. It’s giving me examples. It’s really showing me how the thing works, rather than telling me how it works. It’s kind of the checkbox versus checklist, that we were talking about earlier. It’s one thing to tell me that it works, it’s another to show me, and I think the white papers really go a long way, in some ways more so than even a video does, because it really does give that deeper dive. It’s walking through the interface, it’s walking through the configuration, showing me how the use cases manifest. Those are the values that I get out of white papers, that I’m just not going to get out of, essentially, the glossies that you get on a marketing website.

David Spark

Good point. Jadee, what’s the value of white papers to you?

Jadee Hanson

I’m with Mike. I love white papers. This might be my own perception, but I believe white papers are written by technical writers, and technical writers focus on how things work. I learn in pictures, and I need to see the architecture, and I need to see the deep dive technical aspect of what’s going on. I think it’s really important to have that, when you’re trying to even understand a technology. I was on a call earlier this week and I was confused because the word cyber was in front of everything, and it was very marketing. I stopped for a minute, and I said, can you define cyber in all of this content that you’re showing me, because it’s confusing and it’s out of place? I think, for security teams, their jobs are hard enough, with all the extra buzzwords, and the extra language, I think technical writers have this ability to just focus on how things work, and that is really appreciated in the security world.

Close

00:28:33:18

David Spark

That brings us to the end of the show! Thank you so much, Jadee. I love that. Do you remember the name of the white paper you last read?

Jadee Hanson

I read a white paper from JupiterOne, last week, on how their product works.

David Spark

Thank you very much. Have you got any special ask or offer from Code42, or anything else you want to tell us? And, the question we always ask CISOs who come on the show – “are you hiring?” So be ready to answer that question. But I want to thank your company for sponsoring this episode of the podcast, and also a heck of a lot of other stuff too. So, thank you very much, Code42, for that. Mike, any last words for our guest?

Mike Johnson

Yes. Thank you for joining us, Jadee. It’s been great knowing you the past few years. We’ve had these conversations, that I’ve always thought were really intelligent, and I wanted to share with our audience, so I’m glad you were able to come on and share your insights. I like your exposure of your CIO hat, and sharing some of that with our audience. I don’t think they hear that very often.

David Spark

That was news to me as well.

Mike Johnson

That was great to share. Also, I really appreciate your die-hard approach to it’s insider risk that we’re talking about. It is mistakes that we’re trying to deal with. It’s not an assumption that people are malicious. And I like your point of presuming positive intent. Thank you, specifically, for sharing those insights, in general for coming on our show, and having a great conversation.

David Spark

I’m going to throw this in – presuming positive intent, yet half of your company is ignoring your policy, and I think the attitude is, it’s positive intent, but their attitude is, how bad could this be? And then, that’s where the education comes in. Right, Jadee?

Jadee Hanson

Absolutely.

David Spark

So, Jadee, are you hiring?

Jadee Hanson

I am hiring, yes. I have two open roles. They are product application roles, so they are security roles that work directly with our Scrum teams. I would love to hear from you.

David Spark

Awesome. Is LinkedIn the best way to contact you?

Jadee Hanson

Yes, reach out to me on LinkedIn if that type of role sounds like something you’re interested in, I would love to hear from you.

David Spark

By the way, for those people listening, Jadee spells her first name J-A-D-E-E, Hanson H-A-N-S-O-N. Alright, any last words you want to say about Code42, to let our listeners know?

Jadee Hanson

Just a reminder, at Code42 we are really trying to change the industry, as it relates to insider risk. We want to help you figure out how to build the right takeover program, and ultimately help you in solving this problem through the right technology as well. If this is something that your company is looking to address, I would love to share our perspective on this. We also have a very easy way to look at our technology, on our website, code42.com. We have scraped the repos and created an interactive way to play with our technology, without ever having to talk to anyone. So, you can flip over to explore Insider demo, and that is an easy way to interact with the technology and check it out for yourself.

David Spark

That’s very cool. Let me also mention, Jadee, you are the author of a book called Inside Jobs, which you co-authored with a couple of other people, one of them being your co-worker, Mark Wojtasiak. You can pick up Inside Jobs at Amazon.com. Thank you so much, Jadee. Thank you, Mike. Thank you, Code42, as well. And thank you, audience, for all your amazing contributions. We greatly appreciate it. Keep sending them in. Send us questions. Send us great discussions. Send us more What’s Worse? Scenarios. We’re still trying to stump Mike on the, “what is worse than the brilliant jerk?” Nobody has stumped him, or found anything worse than brilliant jerk. So that is the goal. Thank you everybody for participating and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to CISOseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly, at David at CISOseries.com. Thank you for listening to the CISO Security Vendor Relationship podcast.