Don’t Make Me Explain This, Because I Can’t


If you know a difficult concept very well and you’re incapable of explaining it simply to others who don’t understand it, it’s known as the “curse of knowledge.” It is for this reason far too many talented cybersecurity professionals struggle to educate others.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Okey Obudulu (@okeyobudulu), CISO, Skillsoft.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Trend Micro

Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more!

Full transcript

Intro

0:00.000

[Voiceover] What I love about cybersecurity. Go!

[Okey Obudulu] What makes the cybersecurity field exciting is often the challenge of solving complex high-stakes problems. Continuous learning is therefore necessary because threats, technologies, and controls keep evolving, so stay curious and keep learning.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of that said CISO Series, and joining me for this very episode is the one and only Mike Johnson. Mike, your voice sounds something like…?

[Mike Johnson] The one and only voice of the one and only Mike Johnson.

[David Spark] It’s a pretty common name. I don’t think you’re the only Mike Johnson.

[Mike Johnson] You just said I was the one and only.

[David Spark] The one and only that is recording with me, I’ll say that.

[Mike Johnson] At this day.

[David Spark] We actually had a Mike Johnson from Facebook on a while back.

[Mike Johnson] We did. That was fun.

[David Spark] Yeah, I’m sure no confusion ever happens there, does it?

[Mike Johnson] No. No, no, no, no. It is, like you said, not exactly an uncommon name.

[David Spark] Good point. We are available at CISOseries.com. We’ve got lots of programs on our network. And our sponsor for today’s episode, you may know them, Mike, because they have been sponsors I think – I have to go back and look – but I think they’ve been sponsors since our first year. They’ve been phenomenal supporters of the CISO Series. It’s none other than Trend Micro. And Trend Micro, they have a unified cybersecurity platform, they have this pretty impressive Cloud One initiative. More about that later in the show. But first, Mike, something non-cybersecurity related. My wife, as a surprise, took me to see – get ready for this, are you sitting down? This is a blast from the past. Took me to see Kool & the Gang in concert.

[Mike Johnson] [Laughter] That sounds awesome.

[David Spark] Okay. Here’s some Dave Spark trivia for you. How many times have I seen Kool & the Gang in concert, Mike Johnson? How many do you think?

[Mike Johnson] One.

[David Spark] Four times.

[Mike Johnson] Oh!

[David Spark] That was my fourth time seeing them.

[Mike Johnson] Okay.

[David Spark] This is where how old is David Spark comes into play here.

[Mike Johnson] [Laughter] How old is David Spark?

[David Spark] The first time I saw Kool & the Gang I was a teenager, and it was 36 years prior.

[Mike Johnson] Okay.

[David Spark] I saw them also in college and I also saw them, they were working at a trade show, or they performed at a party after a trade show as well. And then I just saw them at a casino just last Friday. They’re in their late 70s, they are doing dance moves, they don’t quite have the same vibrancy they had 36 years prior. Are you a fan of the Kool & the Gang? Let me ask you this.

[Mike Johnson] How can you not be a fan? It’s one of those iconic bands, and the fact that they’re still at it, no matter how they’re doing in their 70s, I would love to be at a point where I can give concerts in my 70s.

[David Spark] Oh, I know. The number of performers that are in their 70s and 80s now. Like Paul McCartney’s 80 now and he’s performing. It’s unbelievable.

[Mike Johnson] It’s awesome.

[David Spark] I can’t get over it.

[Mike Johnson] Gives me hope.

[David Spark] So, your rock career’s going to start in its 70s, Mike?

[Mike Johnson] Maybe it starts in my 50s and then I have this awesome 20-year capability ahead of me.

[David Spark] I was thinking in the ’80s, Kool & the Gang and Earth, Wind, and Fire were probably the two biggest sort of pop R&B bands in the ’80s. Earth, Wind, and Fire maybe more in the ’70s too.

[Mike Johnson] I think that’s right.

[David Spark] But they were both huge. And I was just listening again to their music. While as much as I like their music, it’s fun dance music, boy, are the lyrics insipid.

[Mike Johnson] [Laughter] A lot of the most popular bands are.

[David Spark] They are. Still enjoy them thoroughly. All right, enough of that nonsense. Let’s get to our guest. Thrilled to have our guest here, a fan of the show and now a guest. I love when that happens, it’s great. This person is the CISO over at Skillsoft, it is Okey Obudulu. Okey, thank you so much for joining us.

[Okey Obudulu] Super excited to be here, long time listener. Yeah, thanks for having me.

Are we making this situation better or worse?

4:35.150

[David Spark] How important is knowing the crown jewels in your security program? Jesse Lyon of Fuel Cells Works asks, “Are the things that an organization decides to consider its crown jewels always one and the same where hackers are concerned? For example, the SolarWinds and NotPetya attacks caused a lot of damage without going after the crown jewels.” We talk endlessly about knowing and protecting the crown jewels, but as Jesse points out, that many high profile attacks don’t really go after that. Realizing that, wouldn’t a crown jewel-focused security program actually be myopic? What do you think, Mike?

[Mike Johnson] I wouldn’t put those two in the same bucket. NotPetya was indiscriminate. The attackers just released some code, and it went out and caused huge damage to everything.

[David Spark] But SolarWinds was kind of like that too.

[Mike Johnson] But SolarWinds is actually very different. They were after stealing data. That was the whole point behind it. Whereas NotPetya was just destruction, that’s what its whole purpose was.

[David Spark] Yeah, it wasn’t destruction. Yes, excuse me, good point.

[Mike Johnson] And when you look at these two though, you also can see the value of the crown jewels approach. Because for the NotPetya example, you need to know what your crown jewels are so that you have built a BCP program around it. You could have parts of your environment melt down and that’s fine. But there’s parts that are really critical, and if you don’t know what those are, then you can’t be prepared for an indiscriminate attack like NotPetya. From a different perspective with SolarWinds, knowing your crown jewels, that lets you know where you need to prioritize your defenses. I think even in that situation, the argument is going that a crown jewels approach is myopic, I think it really isn’t because it allows you to prioritize. That’s not the only things that you go after, that’s not all that you protect, but that’s where you need to start. And so this is a way of prioritizing where your limited resources should go.

[David Spark] Well, I think I was more saying that to only have a crown jewels philosophy would be myopic of a greater security program. Which, in a sense, I’m thinking you’re also agreeing because you say it’s not the only way to go.

[Mike Johnson] Yes, I agree with that, and I don’t think anyone is saying only protect your crown jewels.

[David Spark] Right. Well, the thing is that attacks come in different ways, as pointed out. All right, let me throw this to Okey as well. What’s your take on this? Are you sort of of the same philosophy that Mike is, and do you think a crown jewels-specific security program is myopic?

[Okey Obudulu] Yeah, I’m with Mike on prioritization. Obviously, crown jewels needs to be prioritized, the protection of them, but while greater focus might be paid to protecting the crown jewels, the overall environment cannot be ignored either. Without a doubt, it’s important that organizations know what those mission-critical information assets are and take all the necessary steps to protect them. But obviously, every malicious actor has different motivations, right? So, for some it might be financial gains, and for others it might just be looking to damage a company’s reputation or prove a point. So, recognizing that, it is important that we protect the critical assets while at the same time not ignoring the other assets we have.

Are we having communication issues?

8:21.442

[David Spark] “Experts in a given domain often have a hard time communicating with nonexperts. They dive into the weeds; they ignore context; they talk over heads and beyond interest,” said Dylan Walsh in an article on MIT Management Sloan School. This is known to many as “a curse of knowledge,” and these are people who fail to have the ability to digest what you know succinctly for the audience who needs to hear it. And tip of the hat to Dutch Schwartz of AWS for bringing this article to my attention.

So, I have actually made fun of the curse of knowledge in videos, most notably one I filmed at VMworld years ago where I asked attendees, “How do you explain virtualization to your mom?” Now, what was amazing is everyone at VMworld knows what virtualization is, there’s no question there. But you’d be amazed – and you have to watch this video to see it and just search and you’ll find it, and I’ll link to it in the article – you’ll be amazed how many of them struggled to explain it simply to someone who is not a tech head. So, I’ll start with you, Okey. Have you been guilty of curse of knowledge when you tried to explain something and what did you do to improve your ability to overcome it?

[Okey Obudulu] Definitely I’ve been guilty, especially early in career. Communication in general has to be tailored to the audience for it to be effective. How we communicate, what words we pick, the level of granularity should all depend on the audience. I would add as well, this one is one our security community is somewhat guilty of, the throwing around of security-specific acronyms.

[David Spark] Yes.

[Okey Obudulu] Which while it might sound impressive, for most other folks that cannot keep up with it, it might actually cause you to lose your audience. Another thing I’ve been guilty of earlier in career.

[David Spark] But if it’s security people talking to security people, most acronyms you can spit out. And I’d actually say this, and this also happened, Mike, early on this show because I didn’t know a lot of the acronyms – feel free to stop somebody and go, “What? What is that acronym?” Feel free. Go ahead, Okey.

[Okey Obudulu] Yeah, no, absolutely. As CISOs though, most of what we do has to do with communicating, right? And we’re communicating beyond our security teams. And for one tip I would say, if there was a tip I had to put out there, it would be to be conscious about the use of acronyms. That’s one of the things I am very careful of.

[David Spark] Take them out or at least define them as you’re saying them.

[Okey Obudulu] Yeah. So, important to define them as you’re saying them and as we throw around new concepts that might not be concepts teams outside of security are used to. Also giving some context around those concepts we’re sharing. However, it is also the case that in some situations, you might be sharing context with an audience with a baseline of knowledge, does not require you to share that context. In which case, you might be oversharing then.

[David Spark] All right. Mike, I’m throwing this to you. Have you been guilty of curse of knowledge and what did you do to overcome it?

[Mike Johnson] Absolutely. And I liked the way that Okey was talking about it as an early career thing. I think we all do that when we’re just getting started, and it’s something that we learn over time. I guess that kind of brings me to my tip which is pay attention to the people who are listening to you. They will give you cues. They will give you an expression or a look or a pause or something to let you know that maybe you didn’t quite land that right, and that gives you the opportunity to adjust in the moment. I think being generally aware that we do have that requirement to communicate, that really is our job. That’s what we do is we take all of this knowledge that we’ve learned over time, and we’re needing to impart it on others so that they know what to do, know what’s expected of them. That’s our job is to really communicate in a way that they can listen to, as a way that they can hear.

So, it’s more of a pay attention situation. It’s almost like active talking. We talk about active listening, it’s active talking, and that gives you that opportunity to adjust and for other people to follow along. I also liked Okey’s point about acronyms because MFA is one that we throw around all the time, and we just assume the entire world knows what we’re talking about.

[David Spark] I didn’t know it the very first time we came on.

[Mike Johnson] Great example.

[David Spark] Yeah. Here’s my tip for everybody. So, I used to do a television show up in the Bay Area called This Week in Northern California, which was like a reporters’ round table show, kind of like a local version of Washington Week in Review. And I would be brought on whenever they’d have like a big tech story. In fact, I remember I was on the show when the first iPhone was released to come and talk about that. And I would write a ton of notes down on whatever the topic was, and then I would have my wife just look at the notes and just ask me questions. And the whole trick was how quickly and succinctly can I give an answer, that was the big thing, can I give a quick, succinct answer. And here’s the other thing and what helped me was the pressure of being on television. If you can’t give quick, good, succinct, simple answers on television, you’re never going to be asked back again. I can’t stress that enough. As someone who’s produced video before, if someone can’t do that, I don’t want them on the show because I can’t have a person like that on the show. So, if you’re fortunate enough to get an opportunity to do television, train yourself to answer quickly and succinctly. Have either of you done TV?

[Okey Obudulu] Not me.

[Mike Johnson] I haven’t but I’ve done podcasts, which is very similar, but it also gives you…

[David Spark] Oh, it’s much quicker, and we have a savvy audience. I was talking to a lay audience.

[Mike Johnson] Sure. One of the other things that I get out of doing this podcast is I can listen to myself. If you ever get the opportunity of listening to yourself, take it, whatever it is – TV, presentations – listen to yourself, and it’ll go a really long way.

[David Spark] It’s tough but it’s worth it.

Sponsor – Trend Micro

14:51.461

[Steve Prentice] We live and work in an era where risks to a company are changing. Bad actors have learned to leverage data in very different ways which continues to change the way that we must look at cybersecurity. Mike Milner is head of product management for Cloud One at Trend Micro.

[Mike Milner] It used to be the big risk was targeted attack, and that’s definitely still an issue. We have APT, advanced persistent threats. But I think increasingly, the real threat is that it doesn’t matter who you are. Attackers have ways now through cryptocurrency mining of exploiting your resources to generate money for them. They don’t care what your data is, but they know they can use your resources. Or ransomware – again, the data doesn’t need to be useful for them, but they know it’s useful for you. So, if they can encrypt it and make you pay a ransom to get it back, again this is a way that they can monetize your environment to help them at your expense. It doesn’t matter who you are, everybody’s at risk.

[Steve Prentice] This, he says, represents an evolution in the needs of every business.

[Mike Milner] It used to be that security was sort of just a function of IT, but really now we’re seeing many cases where the security of a company is a board-level discussion and CISOs need visibility and understanding of their overall organization’s posture, to have that situational awareness in light of all the emerging threats that are affecting the world.

[Steve Prentice] For more information, visit trendmicro.com.

It’s time to play “What’s Worse?”

16:27.646

[David Spark] Okey, I know you know how to play this game. I’m assuming you play along as you listen, correct?

[Okey Obudulu] I do, I do.

[David Spark] All right. I feel pretty confident I know which way this one’s going to go, but I’m interested to see if you could argue the other way, both of you. All right? Stay with me on this one. I think it’s a good argument, I think there’s an obvious way to go that I think you’re both going to say, but I’d be interested to know if you could argue the other way as well. This comes from Mike Toole of Blumira who poses this scenario. During consulting with an internal product team, you can drive your company product in one of two directions. One, weak SMS-based two-factor authentication – we were just talking about MFA – for all customer end users. So, you got weak SMS. Or you go with a very strong security key authentication like WebAuthn and audit logging for only your highest tier customers, but only single factor for all your other customers. Which one is worse, Mike?

[Mike Johnson] So, I think you know which way I’m going to go, but you want me to argue against myself…

[Crosstalk 00:17:48]

[David Spark] Well, just give me the answer the way you’re going to go here.

[Mike Johnson] Sure. So, I will always take some improvement over no improvement, and to be able to get that across the board.

[David Spark] So, number one, weak SMS everywhere.

[Mike Johnson] That is the one that I would prefer.

[David Spark] While SMS gets a lot of crap, it’s not that bad.

[Mike Johnson] It’s better than just password-based authentication.

[David Spark] Way better. That’s the thing, it’s a huge leap from it.

[Mike Johnson] Yes. And as an industry, we tend to let best get in the way of better and that’s one of those prime examples.

[David Spark] So, how would you argue – I knew you would go that direction – could you possibly argue the other direction?

[Mike Johnson] You surely can. And trying to not use the “it depends” part of this, but the reality is the application might be such that you can actually tolerate a compromise due to stolen credentials. A reused password, that is what you’re going to absolutely have happen when you’re not using multi-factor authentication. You’re going to have that situation. And so it might be that your privileged users, the ones that you’re protecting with a strong key-based authentication, a hard token of some sort, that it’s just that important that they’re the ones who are going to be attacked on a regular basis all the time, that they’re going to be SIM jacked left and right, and it just is intolerable for those accounts to be compromised.

[David Spark] That’s a really good example. And also you could have great disparity between your high tier and low tier too. Could, like financially, that high tier, if you lost one, that could be business crippling.

[Mike Johnson] Exactly.

[David Spark] So, that would be a good argument. I like that. All right. Okey, pretend you didn’t hear anything we just said, which one’s worse?

[Okey Obudulu] I would say the second scenario’s worse.

[David Spark] For the same reason Mike said or another reason?

[Okey Obudulu] For close to the same reasons Mike said. Idea of not allowing perfect be the enemy of good enough, and the fact that SMS protection, while not completely ideal, does add a bit of obstacle in the way of attackers and does increase the sort of levels of difficulty of someone getting their accounts compromised.

First 90 days of a CISO

20:18.393

[David Spark] An anonymous listener asks, “I was wondering how can a security professional make security/business decisions when there is no continuity program in place.” Now, we talk about the first 90 days of a CISO a lot on this show, hence why I named this segment that. And while the leadership role is the most important, it could apply to more security roles. The anonymous listener points out that a new person can walk in to see a security package that is either missing or out of date by three years. This is the way they kind of envisioned it. So, I’ll start with you, Okey, on this. How often does a security leader come into a program and have the sense they’re starting out at square one? I mean, there is some security in place, but without a program to follow it feels there’s constant starting over each time a new person comes in. The program should be more resilient than that, yes? What do you think, Okey?

[Okey Obudulu] Yeah, I’ll absolutely agree. Definitely not ideal.

[David Spark] But let me ask you, have you seen this where each person comes in, it’s like, “Oh, crap. They’re starting out again. They’re starting out again.” And it’s like there’s no continuity here.

[Okey Obudulu] Not one I’ve experienced myself but definitely I’m aware that those situations do happen. Ideally, a departing CISO has a handoff with the incoming CISO, that’s the more ideal situation.

[David Spark] And have you had those situations? Let me ask you that.

[Okey Obudulu] I have had those situations.

[David Spark] I’m sure that makes your life a lot easier.

[Okey Obudulu] It does make your life a lot easier. The next situation would be there’s not a handoff, but there is some kind of a transition document put together for the incoming CISO, and it gives you something to work with coming in. But definitely not ideal if security programs are not building on the successes of previous programs because there are cost implications of having to start over or rip out what’s already investments made in controls and tools, and so not exactly ideal.

[David Spark] I want to though ask the question also not just at the CISO level but essentially anything below that because I feel that might get a little neglected. Have you run into that problem where people essentially who work for you come in, and they’re kind of a little bit floundering, and you need to spend more time with them to get them up to speed? Or how is that best handled?

[Okey Obudulu] Yeah, it is the job of the CISO, like with any leader, to be aware of what all of the domains within that sphere of control are and to ensure that as team members transition in and out, there’s appropriate knowledge being transferred. And where that’s not the case, it is then again on that leader to just ensure that that’s being addressed.

[David Spark] And do you require – because I think this is an important part of the job – that your staff is documenting their procedures?

[Okey Obudulu] Documentation, documentation, documentation, that’s where the magic happens. It all has to be documented. That’s what leads to success. I think it’s always been the case that in most cases, documentation is considered painful, but the value you get from documentation, especially as folks come in and out of an organization, that value cannot be overestimated.

[David Spark] I see, all right. Mike, I send this to you. Because we’ve talked more about the CISO level, I’m more interested in the levels below the CISO in terms of their continuity. Where do you think it flies and where do you think it fails?

[Mike Johnson] I think if you don’t have both offboarding and onboarding plans, if someone is leaving, you need to think about what knowledge needs to be transferred. Maybe they’re spending their last two weeks, as Okey mentioned, documenting. Like that’s all they do is just write things down. Or they’re cross-training. There needs to be this recommendation that this person is leaving, everything that’s in their head is gone. You’re not going to be able to tap into that anymore after they left. So, if they don’t write it down, if they don’t cross-train, that’s gone. That’s what you capture when someone’s on the way out.

And then when someone’s coming in, give them all the documentation to read. Have them sit down with their peers, brain dump as much as possible, and try and take advantage of what the previous person had already done. Sometimes you’re going to have someone coming into a completely new position and it’s greenfield, and that’s then on the manager to write down the expectations, to write down an onboarding plan. One of the things that we do is anyone who joins our team, they have an onboarding plan. “This is where all the documentation lives, these are the things that I want you to read, these are the people who I want you to go meet,” and that helps them come up to speed more quickly even though we recognize that it takes time for them to come up to speed.

Oh, they did something stupid on social media again.

25:37.871

[David Spark] Fallible AKA @snewbill on Twitter said, “I am willing to bet that Rick Astley has done more to prevent folks clicking on unknown links than all cybersecurity training combined.” This was actually a tweet from 2020 that got a new resurgence in 2022. It’s a very funny comment that has an immense amount of truth, I think, attached to it. And there have been variations of this gag of clicking something and getting something unexpected and unwanted, and bait and switch is the essence of what a phish is. And I’m guessing for most of us, we were introduced to the concept of phishing via Rickrolling, and thankfully this gag doesn’t have quite a damage vector of a true phish.

But Mike, as you’ve pointed out many times, it falls into the category of making something personal so people understand. So, can you point to some other techniques that may be funny, non-damaging, or something that can just be done by a non-security person, like Rickrolling, that can help increase a person’s security awareness with just a touchpoint of education, even if funny and silly?

[Mike Johnson] So, as I was listening to you ask the question, I had this flashback. I’ve been on the internet awhile, I’m old, I’ve been around. There were some very specific images that would float around the internet way back in the day that I’m not even going to describe, but you very quickly learned that you had to be very careful about what you clicked on.

[David Spark] Oh, yes, yes. Yes. And I have accidentally seen them myself, and it’s one of those I’ve been spending years trying to unsee them.

[Mike Johnson] Yes. And suddenly, they just came rushing back in. So, thank you, David, for it.

[David Spark] One of the just hit me recently.

[Mike Johnson] Thank you for walking me down that path. I think the Rick Astley video, that’s one that you don’t need the brain bleach for. That one’s okay.

[David Spark] No, not at all. Mike, can you give me an example how simple things that really anybody can do can teach us more about cybersecurity? And it doesn’t have to be like the Rickrolling, don’t click on the thing. It could be literally anything. What are simple things we can do?

[Mike Johnson] Humor really factors in; I think it really helps a lot. One of the ones that we did back prior to COVID, and people still work in offices so this one works, is we would hand out sticky notes to our security champions to then put on the monitor of someone who didn’t lock their screen. And that was really just a way of reminding folks in an office environment, that matters. And it was very easy, we’d just have little funny sticky notes that were pre-printed, we’d hand out these stacks of them, and people would run around and then just put them on people’s monitors. Put the sticky note there, lock the screen, walk away. And the person would come back, and they would learn.

[David Spark] That is a good one, I like that one. All right. Okey, I’m going to ask you the same question. Simple task that people can do to teach one element of security.

[Okey Obudulu] Yeah, I have an example close to Mike’s of folks not locking their screens and colleagues messing with their logged in session. Not necessarily behavior indoors [Phonetic 00:29:04] but if there’s one thing that was for sure, those colleagues whose logged in sessions were messed with I think got the message and got a little more vigilant. As far as Rickrolling is concerned though, it definitely brings lots of memories back to 2007 and 2008, sometime around that time frame, and a colleague of mine from back then that was just absolutely obsessed with Rickrolling everyone, so some good memories.

[David Spark] My kids are obsessed with it.

[Mike Johnson] It stands the test of time.

[David Spark] It is bizarre. In fact, my oldest son dressed up as Rick Astley for Halloween last year.

[Mike Johnson] Nice.

[David Spark] Yeah. That’s the level of obsession we’re talking about here.

Closing

29:53.910

[David Spark] Well, with that being said, let’s wrap up today’s conversation. Thank you very much, and by the way, great tips last here, specifically around getting people to lock their screen, which by the way, is a very good tip. That is a simple, simple way to find your stuff abused, and just the quick hotkey lock is really the best way to do it. Okay, I always let our guest have the last word and as you know, I always ask our guest are you hiring, so make sure you have an answer to that. I do want to thank our sponsor Trend Micro. Especially if you are in the cloud, going hybrid cloud, trying to secure the cloud, please check out what they’re doing over at Trend Micro. Mike, any last thoughts about today’s recording?

[Mike Johnson] Okey, thank you for sitting down with us today. It was wonderful to just learn and listen. What I really appreciated was how you stressed communication issues and how important that is. And I truly agree, that’s our job. And so thank you so much for walking folks through the importance of communication and how much that matters. And related to that, I also like your documentation, documentation, documentation tip when looking at the first 90 days. Again, so key. So, thank you for sharing your knowledge, your experience, those tips that you shared with our audience. Thank you so much for joining us.

[David Spark] By the way, I think his ongoing documentation is better than the last two weeks of documentation. That sounds like a recipe for disaster if you wait till the last two weeks when they’re walking out the door when they really don’t care and like, “I don’t know, whatever, just do this, bleh. I’m out the door.” I definitely would not want the last two weeks of tips from anybody. Sounds scary. All right. Okey, are you hiring and if someone mentions they heard you on this show, will that help them at all whatsoever?

[Okey Obudulu] We are definitely hiring. Whether it helps them or not, I guess I would say it depends. For one thing, if they’re listening to this show, it means that they’re keeping up with their learning and their security knowledge. So yeah, maybe it does help them.

[David Spark] You know what? I’d love to have a guest say, when I say, “Will it help them in the hiring process?” and I’d like to have a guest say, “Yes. If they say that they heard me on this show, I will hire them immediately.” That’s what I want to hear a guest say. What do you think, Mike?

[Mike Johnson] Oh, I thought you were going to go with the exact opposite, I want to hear someone say, “Nope. If you say that you were on this, I will definitely not hire you.”

[David Spark] No, no. I support our audience. It’s just I want to show how we’re so good at getting hired. People, by the way, have gotten connected and hired through the CISO Series.

[Mike Johnson] Absolutely. But I like the way that Okey put it, which is if you’re listening to this show, you’re paying attention, you’re staying abreast of what’s important out there, and I think that’s exactly the right answer.

[David Spark] That is the correct answer. All right. Well, great. Thank you very much, Okey. Thank you very much, Mike. Thank you to our audience as well. We greatly appreciate your listening and contributing to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.