Entry Level Position Available. 15+ Years Experience Required.

Entry Level Position Available. 15+ Years Experience Required.

That headline is not a joke. An actual job listing on LinkedIn requested just that. We’re all hoping this was an error. Regardless, the community response to it was truly overwhelming, speaking much to the frustration of green and junior cybersecurity job seekers who are truly looking for entry level jobs.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Bryan Willett, CISO, Lexmark.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor AuditBoard

CrossComply is AuditBoard’s award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization.

Full transcript

[Voiceover] Best advice I ever got in security. Go!

[Bryan Willett] There’s always a Corellian starship ready to destroy the Earth. Meaning there’s always a crisis, manage calmly through it.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of said CISO Series. My co-host for this very episode who’s always amazing on the microphone is the one and only Andy Ellis. He’s the operating partner over at YL Ventures. Andy, let people hear that voice on the microphone.

[Andy Ellis] Show me the money.

[David Spark] Show him the money. Not right now. We’re available at CISOseries.com. Our sponsor for today’s episode is AuditBoard, a brand-new sponsor of the CISO Series, we love having AuditBoard along – connect risk, connect your teams, all at AuditBoard. More about AuditBoard later in the show. But first, Andy, I wanted to ask you this. You have been to a conference, and you’ve seen a presentation by a vendor that they have paid to do that presentation.

[Andy Ellis] Yep. I’ve done that presentation too, just to be full disclosure.

[David Spark] And you’ve done that presentation yourself. I have this horrible sinking feeling when I see a vendor get up and they paid for it, and they are screwing up royally. Like, it hurts me, I want to shake them and go, “Oh, can you start again? Just start again.”

[Andy Ellis] Yeah. In fact, there used to be a conference I was at that one-third of the talks were paid-for vendor talks, 17-minute talks, so some of you may recognize the conference. And a group of us in the room would have a back channel, I think we used Facebook for a while to do it, sometimes we’d use Twitter, and we would just rip apart these vendors.

Because here’s the challenge – if you’re the vendor in that situation, you’re often told, “Don’t give a pitch.” Which is so mean to do. Like, the vendor literally paid for this slot, let them actually just give a naked pitch. Everybody knows that’s what they’re doing so let them do it. But what you have is somebody who’s not a professional at giving a very subtle pitch trying to do that, and they’re bad because they’re really trying to bring it right back to their product. Or they send up somebody who doesn’t know how to give a presentation.

And I’ve seen those as well, where I’m looking at this slide deck and I’m like, “Oh, you had some very technical… You had a senior fellow put some slide deck about their special project. And then you sent it to Creative who didn’t know what they were talking about but just threw up some graphics that didn’t mean anything, sent it back. And now they’re up giving a presentation.” I literally saw that one last month.

[David Spark] Here’s things you don’t need. If you’re talking in front of a group of security professionals, here’s what you don’t need. You don’t need to educate them about cybersecurity. Not necessary at all.

[Andy Ellis] Yeah. Here’s my advice if you’re the vendor and you have that talk, two things. First of all, slides need to be beautiful. No matter what you’re doing, nothing on your slide should be smaller than like 16 point, preferably everything 20 point and above. Simple, clean, easy to read. But realistically, take your sales deck, the one that you would give to a CISO if they said, “Hey, I’m interested in solving problem X.” And now write a talk that goes before that that’s about problem X, that sells problem X to people. Whatever you’re going to solve, that’s the pitch you give them when you’re up on stage, is you say, “Oh…”

[David Spark] I’m also a big fan of showing a demo and let the audience connect the dots themselves.

[Andy Ellis] I mean, if you’re allowed to put up a demo, that’s great. Like, your best thing is put up a demo, do your sales pitch if the conference will let you. But I actually recently spoke at a conference, it was a vendor-sponsored talk, and a week before the conference, they said, “Oh, by the way, here’s our slide deck, and you can’t even put your logo on the slides.”

[David Spark] I hate that when they make you use their slide deck, so you have to force your branding into our branding.

[Andy Ellis] Yeah. And I was like, “Okay, sounds good.” But they told me to bring my own laptop, so I was like, “Yeah, whatever.” I did send them my normal slides on my template with the vendor logo that I was representing, and they didn’t say anything. But I was like, “That’s some serious hutzpah. Like, I know what the company paid to have this speaking slot. No. You’re not having me get up there and have zero acknowledgement of the person who sponsored it.”

[David Spark] I hear you. This, by the way, this could be a whole episode in itself. Like, we could be a whole episode on just this topic. So, anyways, just really my visceral reaction of I just wanted to go, “Hey, can we do a do-over? Hold on.” And let them shake them up, go, “Just skip all that, let’s start later.” [Laughter] All right. Let’s begin our official show and bring in our guest, who I’m very excited to have. By the way, I’m going to give the kudos to Neil Saltman who introduced me to this gentleman right now. That is why he’s on this show. It’s none other than the CISO over at Lexmark, Bryan Willett. Bryan, thank you so much for joining us today.

[Bryan Willett] Hey, I’m thrilled to be here.

Are we having communication issues?

5:13.134

[David Spark] “What is the value of security operations if you’re not detecting and dealing with an incident? What do I pay you for?” This was a question Dom Goldthorpe of BAE Systems heard someone in higher management ask. So, it got me thinking about additional value we can pull out of a resource without hitting the burnout of staff, and this is actually what Dom was saying. So, I’m going to start with you, Andy. So, what’s your answer when you hear a line like this about what value can you provide if you’re not detecting or dealing with an incident?

[Andy Ellis] So, I think you need to start by understanding that within a security organization, actually within any organization, you really have three different tempos that people operate at. You have people who manage process, and they operate at this very slow cadence that is continuous work, they do the same thing every single day. They’re actually not really good at incidents, I’ll be really honest, they’re not prepared to spike up. Your compliance team is not the people you should generally have doing incidents. You might have somebody on that team who loves incident work, that might be a sign that they should be on a different team. You have transactional teams that tend to do deep dives. Architecture teams are often in this boat, that they go heavy and then they pull back.

And then you have incident teams, and incident teams are basically they work at half capacity most of the time, at least that’s the idea. Because then all of a sudden, they have to sprint and do all this extra work. Now, you can mix those, and most teams do end up mixing them, but you have to be really cognizant that every time there’s an incident, you reduce the work output across the rest of your organization. So, I just want to sort of start with that to say if you didn’t build an organization that is capable of handling incidents, doing incidents means you’re going to do other things really badly, and you’re going to really start burning out your staff because they did not get hired to do incidents.

[Bryan Willett] I 100% agree with that. And to your point, Andy, when you look at the incident response team that you staffed up, they do have 50% of their capacity there. And when you look at that capacity, you have to look at the business, and what are opportunities within the business where you can leverage them to help further your mission within the business. Whether it be the corporate culture, helping others understand why the security team is doing what they’re doing and how they can assist, right? How they can help the security team accomplish their goals.

Other things that we look at are having them work with the architecture team and the IT operations teams to, one, prevent the architecture team from throwing things over the wall that aren’t ready, right? Continuing to educate them on the faults with the things that they handed off to the operations team and improving that overall handoff process and making sure the requirements are being fed back so that we have a continuous loop there. But one of the things that I really enjoy, and this isn’t directly related to necessarily what the operations team does day to day, but it’s very valuable, and that’s becoming an asset for the sales team.

[David Spark] Could you double down and give me an example of that, of how you’re an asset for the sales team?

[Bryan Willett] Yeah, absolutely. So, when you look at Lexmark and the fact that we’re selling products into many verticals within the market, we regularly get questions about, “Hey, you’re an IoT device and how are we sure that you’re delivering authentic products that don’t have malware in them? How do we know your development environment is one that’s secure? How do we know that your manufacturing systems are ones that haven’t been tampered with to potentially tamper your product?” So when my operations team and when my organization engages with overall business areas, it’s with that mind, making sure that those products are not tampered with, and we have processes that help us detect any type of event like that.

[David Spark] By the way, can the sales team, without your help and without your team’s help, can they answer that question cogently by themselves?

[Bryan Willett] No. No.

[Andy Ellis] No.

[Bryan Willett] No, they cannot.

[Andy Ellis] I tried that. When I was at Akamai, we tried that. We basically took our entire knowledge base, we had a customer-facing team that said, “We want to do this. We want to be that team that everything comes to us,” and they basically tried to rewrite our knowledge base. They said, “Oh, we’ll put this up on a wiki – here’s the most common answers.” They did this work, we came back after three months, and we’re like, “Fifty percent of the things you wrote down to say to customers are lies.” Not intentional, it wasn’t that they were bad people, but these are terms of art that the way a security person reads it is not the way a normal businessperson reads it. And they would write an answer down and they’re like, “Oh, this is too complicated and there’s too many caveats, so we’ll strip out all the caveats to make this a simple answer.” But it was a question of like, “Do you do X?” and we’re like, “In this specific case we do X, but it’s not relevant in these other places, and here’s why.” And they would take out everything and say, “Oh, yeah. We do X everywhere.” Yeah, that’s the sort of thing that gets you in trouble when somebody detects that untruth.

[Bryan Willett] So, as a sales asset, getting in front of the customer and explaining to them what your program is, helping them understand what your cyber program is, the steps you take in order to protect everything I described before, and the steps you’re taking to continue to mature. I find that when I talk to our customers and we are transparent about our program, that is probably the biggest compliment we get. I have gotten more compliments from customers when they come back and say, “You know, this has been the best conversation we’ve had because you were open, you were transparent, and we really understand where you’re coming from.

Why is everyone talking about this now?

11:07.689

[David Spark] Mike Miller, CISO over at the Cyber Protection Group, has posted I think the most explosive cybersecurity post I’ve ever seen on LinkedIn. This post got over 70,000 reactions, 5800 reposts, and 3500 comments. What was it? Well, he showed a video of a job listing on LinkedIn for an entry level position for a subject matter expert – right there that should be a warning – that was asking for 15+ years of experience and experience with nuclear. I think this was an error in posting, but could this possibly be legit?

And I’m also going to throw out – also, who needs 15+ years’ experience in practically anything? So, many, including me, think this is simply an error, but the response has been explosive. People have been complaining about entry level job postings requiring 3+ years’ experience, but honestly I was hunting for them, and I couldn’t find them. But I am repeatedly told they exist. If this is real, this is the most egregious example. Even if it wasn’t entry level, it falls into the category of, “Let’s put it out and see what we get,” or “Let’s put our ideal candidate and see if anyone bites.” I’ll start with you, Andy, and you can agree or disagree with me, but why do you believe this is hurting everyone?

[Andy Ellis] So, first of all, I do want to say I saw that one, and I took it with a grain of salt. It’s quite possible that was performative and not a real post. I’m not asserting it isn’t, but we should always… Like, if you can’t go look at it yourself, just a screenshot, recognize it could just be there to troll you. That said, I have seen a lot of posts that have this absolute mismatch.

In fact, I’m aware of one recently where I talked with somebody who was part of editing a post for a principal architect, and they were the subject matter expert who was asked to write up all these requirements. They said, “Okay, here’s your principal architect.” It then got turned into a senior architect and then posted as an architect. But it still had all the requirements to be a principal architect. The person’s like, “This disconnect, it’s like what? You didn’t have the money for what you needed, so instead you just scrubbed off the title and dropped it down like six, eight years in seniority? That’s a little crazy.” So, we do see this.

There’s a lot of things that contribute to it, but this is real, it hurts. It hurts the companies that are hiring because it means a lot of people don’t apply for your jobs because they don’t think they’re qualified because they’re not. Technically, it puts you into a world of hurt because if you post a requirement for a job, and then you later hire somebody who doesn’t meet the requirement, you open yourself up to a discrimination claim. Because somebody who sent in their resume and got turned down because they didn’t meet that requirement now has cause to sue you. And obviously, people can sue you for anything, but certainly my labor lawyers had always said, “Look. If you accept somebody who doesn’t meet the written requirements of a job, that exposes us to liability, so don’t do that.” And yet I see stuff like this where you’re going to hire somebody who doesn’t meet this requirement, right? What’s going on here?

[Bryan Willett] Yeah. And I agree with you, Andy. I’ve gotten the exact same advice from HR on our side. And I’ve seen this not only in security. I’ve seen this throughout the business where we have overqualified the job description, and you don’t end up hiring anybody that’s really qualified for it.

[David Spark] Can I ask – and this is my theory – do people put these hyper, these lots of criteria for the hope of, “Let’s see what we get”? I mean, is that often the reason they do this or no?

[Andy Ellis] No, I think you actually are assuming people consciously make this error. I actually think that it’s a number of organizations in the team that together cause this mistake. Somebody wrote the job description; they were I think very well meaning.

[David Spark] Or maybe a Frankenstein monster job description.

[Andy Ellis] Right. And that just keeps getting edited along the way. It’s like, “Oh, yeah. You’re wanting it to be a level seven. Well, level seven is 15 years of experience.” And the person who’s adding that wasn’t part of the conversation where they said, “Oh, cyber’s a field where we have to pay extra to get somebody in, so it’s going to be a level seven pay grade,” but would normally be a level four experience.

[Bryan Willett] Well, Andy, I would also pose it depends on the maturity of the organization that’s creating the job description. When it is a younger organization, I don’t think they realize what it means. They go out and they do a Google search, they say, “Okay, what’s a job description look like?” They’re going to come up with all of these requirements, they’re probably going to throw it at the board and let’s see what I get. Maybe I get the magic candidate that is going to mature my organization tomorrow.

[Andy Ellis] Yeah. Here’s my advice. If you are a hiring manager, you need to read every one of your job postings after it goes live. Do not trust your organization to post what you asked for.

[David Spark] Why wait till after it goes live? Why not before it goes live?

[Andy Ellis] You should also probably do it all along the way. But when it goes live, you need to go read your job description to make sure that they didn’t copy and paste it into an existing one and, “Oh, that 15 years of nuclear experience was from the job we were about to open but we didn’t open, so we instead put this one in. And oh, we forgot to delete that.”

[Bryan Willett] Well, and I would challenge them to think about diversity in their organization. If they go for the ideal candidate, they’re limiting themselves so much to where they could increase the diversity of the organization, pulling people from areas outside of where they would normally come from in security. And I use that as a firsthand experience, where the CIO who hired me, I didn’t have credentials to be in IT. I had never been in IT; I was out of an R&D organization.

[David Spark] Did you have 15 years’ experience?

[Bryan Willett] I had eight, eight in security, in R&D security.

[David Spark] Hold it. This is what I want to know. Is there ever a time you need 15+ years’ experience in anything?

[Andy Ellis] Oh, I could certainly see if you wanted to hire a C-level executive in the Fortune 1000 that you might say, “I want somebody who’s got 15 years of experience either in management or in this.” But at the same time, I’m not a big fan of that because that’s what’s trying to be a neutral test, but it’s not a good one.

[Bryan Willett] And it’s building status quo. Right? In many of these organizations, you want change agents, and you want somebody who thinks differently. And if they are status quo, you’re not going to get that.

Sponsor Segment – AuditBoard

17:45.128

[Steve Prentice] Third party risk is already a vital priority, and environmental social governance, ESG, is also rapidly climbing up the charts. These are issues that need clear and comprehensive oversight, as Richard Marcus, head of information security at AuditBoard, explains.

[Richard Marcus] We’re seeing a lot more instances of supply chain breaches, right? A breach further down in your supply chain has a ripple effect into your business. And we’re seeing emerging regulation, particularly from the federal government, ensuring that you understand the integrity of your software supply chain’s advanced third party risk assessments, software bill of materials. All of these kind of themes are making it in some ways more challenging to do business if you’re in the software space and selling software, but it certainly illustrates the importance of having a really strong third party risk management program.

[Steve Prentice] And then there’s ESG.

[Richard Marcus] Having a purpose-built solution for that workflow can be really, really handy. There’s a greater appetite for accountability and transparency when it comes to ESG issues, and people want to do business with companies that are ethically responsible. They can feel good that their business relationship is benefiting society in a broad way. And a lot of companies are scratching their heads on sort of how do we do this, how do we assess ourselves, what are the right topics or benchmarks that we should be aligning to, and then how do we report this out to our stakeholders. It’s a challenge that every company kind of across a lot of industries are struggling to solve right now, but it’s something that with a workflow solution like AuditBoard’s can be really easy to make some maturity jumps in your program rather quickly.

[Steve Prentice] For more information, visit auditboard.com

It’s time to play “What’s Worse?”

19:27.317

[Voiceover] It’s time to play “What’s Worse?”

[David Spark] All right, it’s time to play “What’s Worse?” Andy, you had something to say about “What’s Worse?”

[Andy Ellis] So, I’ve started promoting back episodes of CISO Series on social, and one of the things I do is I’ll quote the “What’s Worse?” question. And I’ve had people now start attacking me on social media because they think I’m seriously proposing these as questions. That’s how bad these scenarios get, is people like, “What do you mean? Who are you trolling? Who are you subtweeting by suggesting we could do this?” So, these are fantastic material, I love them.

[David Spark] And I’ve heard many, many times our other co-host Mike Johnson has used these “What’s Worse?” scenarios as interview questions. So, please, feel free to lift them, feel free. All right. Bryan, you’re familiar with this game, yes?

[Bryan Willett] I am.

[David Spark] All right. So, I’m going to make Andy answer first. Remember – if you agree with Andy, he wins. If you disagree, I win. So, please, consider disagreeing with Andy. This comes from Jay Dance, also known as Jason Dance, over at StubHub now. All right, here are the two scenarios. You have no MFA lockout limiting. One of your employees gets attacked with hundreds of MFA requests and eventually gives in, allowing a criminal actor to enter the environment. Sounds awful.

[Andy Ellis] Sounds familiar.

[David Spark] Hold on, I haven’t told you the second scenario. The second scenario is there are MFA lockouts and 40% of the company gets 100% of MFA requests and all get locked out as a result. Which one is worse?

[Andy Ellis] Wait, 40% of the company gets 100% of the requests? Like every time some…

[David Spark] Essentially 40% of the company gets locked out.

[Andy Ellis] Gets locked out at some regular cadence.

[David Spark] At some regular cadence. Or one just gives in and lets a criminal actor in.

[Andy Ellis] Right. And what’s key on this one, Bryan, is we can’t add a compensating control. Like my first thought is, oh, I just put a compensating control around that first scenario to be like, “Sure, I don’t lock anybody out, but I detect it and I notice it and I go call the person and I deal with it.” We’re not allowed to do that.

[David Spark] You’ve got a criminal actor in your environment, the first case, or 40% of your company can’t actually get in.

[Andy Ellis] So, it’s not specified here, and this is where I will say people who are giving us scenarios, you have to sort of say how long. Like 40% of the company gets locked out for what, 10 minutes a day? Or gets locked out and it’s a manual process…

[David Spark] That’s a good point. We don’t have a time period here.

[Andy Ellis] I’m going to assume that it’s a painful thing, they have to open a Help Desk ticket and get let back in. And so that’s what I’m using as my answer. And therefore, that is the worse scenario, that 40% of my company just every day gets booted out of the network, can’t do anything until they open up a ticket. I am pretty sure I’m out of a job right quick if I don’t fix that. Whereas the first one, I’m not out of a job, so just going by straight economic incentive.

[David Spark] But… And I think this is a good point. Well, here, I’m not going to say anything. I’m going to say, Bryan, do you agree or disagree with Andy? And feel free to disagree.

[Bryan Willett] Well, I hate to say it, I agree. I mean, locking out 40% of my users, I would be out of a job pretty quick.

[Laughter]

[Andy Ellis] Now let’s just have some fun, since we both agreed on that one. Bryan, what percentage would be okay to lock out on a daily basis?

[David Spark] Ten, 20%?

[Andy Ellis] What’s your opinion?

[Bryan Willett] I think you’re down in the 1%.

[Andy Ellis] Yeah, I think that’s where I am, I’m well under 1%. Availability is the most important part of the CIA triad.

[David Spark] Right.

[Andy Ellis] If you’re in security and you think availability is not your problem, rethink what’s going on. Availability is the most important aspect of security.

[David Spark] By the way, you make a good point here because the second scenario is known, this is a known situation, 40% locked out. In the first scenario, criminal actor’s in, they haven’t done the damage yet. Let’s say they do a breach. Breaches do not translate into lost jobs, but as you have both pointed out in the second scenario, you’re both out of a job.

[Andy Ellis] Right.

[Bryan Willett] Yep.

[Andy Ellis] In fact, the next person’s also out of a job, and then we won’t have an MFA system at all, and then we’re back into the first scenario’s happening just without the MFA hurdle.

[Bryan Willett] Agreed.

[David Spark] Still good debate.

[Andy Ellis] Also actually can I just do a plug? This is why you should be using FIDO2, and you want to have phish-proof MFA even if you’re not onto FIDO2. So, just shameless plug, like, your MFA should not suffer this problem.

[Bryan Willett] You know, I wonder how many companies who implemented FIDO2 have thought about the disaster recovery around FIDO2.

[Andy Ellis] Yeah. No, it’s a hard problem. We didn’t use FIDO2 because it wasn’t that at the time, but for us it was X.509 certs on every laptop and a duo push to the phone. And my disaster recovery scenario was we will reprovision you from scratch. That’s it. If something happens to your device, go down to the Apple Store, buy another one. We’ll get you set up and stand everything back up.

Can’t we all just get along?

24:32.966

[David Spark] You know what the Internet is awash with? Endless advice on how to secure the supply chain. And let me see if I can sum it up with here’s the advice, “Hey everybody, secure your processes so you don’t screw it up for everybody else.” That’s pretty much in a nutshell, it’s everything I see. So, Bryan, you have hardware you’re selling that requires utmost security and trust in your suppliers. What part of the supply chain security effort is truly building trust in your supplier and having ongoing reassurances that that trust is being maintained? Where can a trust-based relationship work and not work? What verifications are you looking for? Like, there’s a certain point you just have to trust, and there’s a certain point you have to verify, and so where are you building that weird… Like, just give us some ideas of where that’s all happening.

[Bryan Willett] Well, so 100% agree. There is a point where you do have to trust your suppliers. What I would tell people is first and foremost, and you sort of said it in your intro there, is you have to focus on the process, and you have to focus in on the vendors and their process. Getting into the vendors, the controls they have – I hate to say it – going into those vendors and doing a full audit of what are the controls they have, what do they have from a physical security perspective, what do they have from an incoming component perspective, what do they have from a setting up the line and parts that are being queued up to go onto the components that they’re building. All of those are important to focus on because in the end, you want to see that they have a repeatable process there that shows that they know how to test for the integrity of the product they’re bringing into their manufacturing line, and that they know how to test it coming off the manufacturing line for its integrity.

But I don’t solely trust; I also verify. Right? I think the other key part of the process is random sampling of the components that come off from each of the vendors to validate that they have used the components that we designed on the product, that they have not introduced components that are tampered with on the product, that the firmware that’s been installed on the product is authentic. And that what was shipped, what’s going to be on a boat for a really long time, that what was shipped hasn’t been tampered with as well. And that’s all just on the supplier side. You also have to look internal to yourself and making sure that you’ve done the exact same thing on your own development environment, on your own development processes, to ensure that you’re not including, for instance, open source into your product that’s not maintained and that has a lot of vulnerabilities in it.

[David Spark] Let me ask this because everything you’re describing sounds like, yeah, that makes sense, but it sounds like it could bring your team to its knees in terms of constantly verifying this stuff. Where do you find the line? Like it’s good enough, or maybe good enough isn’t good enough. How do you find that line where you’re not killing the team?

[Bryan Willett] Assume 20% productivity hit, right? You go and implement a security development lifecycle on a team, it’s probably a 20% productivity hit on that team. So, just assume that right off the bat. When it gets into validating the supply chain, you have to use your – unfortunately, go back to your statistics – you have to use a little bit of statistical theory here on what is the right sampling rate in order to give you the confidence level that you want and that you’re willing to tolerate within your supply chain? So, it just depends on the volumes, and it depends on what confidence you want in the quality of that supply chain.

[David Spark] You got to make a call on it, I guess.

[Bryan Willett] You got to make a call. It’s just like a security program, right? We are making a risk acceptance call on about everything we do. And it’s the same thing with the supply chain, and it’s important to get in there and understand what that risk is, communicate the risk to the business and the leadership and communicate what you’re doing about it and what risk tolerance you’re talking about accepting and getting agreement and moving forward. But there is a cost, there’s a cost.

[David Spark] Andy, what say you in this situation?

[Andy Ellis] I just want to point out that 99% of our institutional knowledge where it comes to supply chain is about the physical supply chain. It’s about how do you make sure that the components are correct, as Bryan was talking about, the food supply chain, we’ve got a lot of experience in that. Ninety-nine percent of the talk we’re having is about the software supply chain, and it’s not actually about the integrity of the software as it’s coming through, although that is a piece of it. The big challenge that we’re really talking about is, oh, it turns out that this thing that you thought was perfectly okay yesterday is now not. Like, I’m going to put Bryan on the spot here, and I’m not going to make him answer the question because we all know the answer, no reason to make him actually say it. But if you’re a manufacturer of a device like, say, a printer, then you don’t know that that software is good the day it ships or the day it shows up to its end user. Right? You just don’t know.

[Bryan Willett] I agree. Bit rot is a real thing.

[Andy Ellis] Yeah. That’s supply chain but nothing we know about the physical supply chain will help you solve that problem. This is an entirely new problem of how do you deal with fleet management. Because the printer in my house which, Bryan, I’m sad to say is not Lexmark, and I say sad to say because I can’t get it to print right now, so maybe that’s a telling comment. But that’s part of the fleet of the manufacturer as well. That is your brand every day that you have to maintain in somebody else’s house, where they’ve paid for it and they think it’s theirs, but it is a brand interaction if you don’t maintain that device well.

[Bryan Willett] I 100% agree with that, and that is why it is important. And this has actually become a huge problem in the IoT industry, which is why there’s so much of a focus on supply chain security because companies are putting products out there, they are giving minimal support of that product over time, and so then to your point, Andy, vulnerabilities are found in that product and they’re going to be persistent there for years.

Pay attention. It’s security awareness training time.

31:09.352

[David Spark] “What do you think Cybersecurity Awareness Month can or should accomplish?” asked Bryson Bort, CEO of Scythe on Twitter. We’re recording this episode in the middle of October, which is Security Awareness Training Month. So, these were some of the suggestions to Bryson’s question. One is getting security just to be aware of the business, so the opposite way; a push for more empathy, I’m guessing for everybody here; to influence organizations to prioritize security the same way they prioritize productivity; and this I thought was interesting, I’ve heard this one before – we need a Woodsy the Owl or Smokey the Bear level of outreach to hit those outside of cybersecurity. I’m going to start with you, Andy. What do you think of these suggestions and what do you think Cybersecurity Awareness Month should accomplish? And don’t just say “awareness.”

[Andy Ellis] But I love saying “awareness.”

[David Spark] No.

[Andy Ellis] Well, no. So, actually, I used to have this really nice slide in which I talked about the difference between what you perceive your risk is and what your actual risk is. And the job of security awareness is what I consider to be the awareness, which is the increasing of your perceived risk because there’s an existing actual risk you’re not aware of – and here’s what’s fascinating about humans – humans love to have the exact same amount of risk always. They refuse to take risk away. But if you can make them aware of a risk that’s out there that’s real and present and actionable, they will take some action to get back to where they thought they were. So, you actually can drive down the risk, make them feel like their risk actually stayed the same. And that to me is the real purpose of Cybersecurity Awareness Month – is identifying the places where people are at risk, letting them know with something actionable so they can immediately turn around and solve a problem. And they feel good, you feel good, the whole world gets better. And if you can just do this continuously, then over time you build this muscle memory of, “Wow. My security awareness team are the people who helped me get better by pointing out easy things to go solve.” I think that’s the goal of Cybersecurity Awareness Month.

[David Spark] Manage your own risk – yes?

[Andy Ellis] That’s the only way to do it.

[David Spark] What do you think, Bryan? What’s the purpose of Cybersecurity Awareness Month?

[Bryan Willett] I love your answer, Andy. That is an excellent perspective. We use Cybersecurity Month for building our brand. I mean, ultimately. And I agree with much of what he said on Twitter around building empathy, building influence in the organization, all of that, it all is related. But for us, it’s our opportunity because we have some focus from the business because we market the hell out of ourselves to open our books, so to speak. Right? Be transparent. Let them see what is the SOC seeing. We call it tales from the SOC, right? What is the SOC seeing to help them understand what we’re dealing with day in and day out.

Recently, actually last week, we did a share session with our cyber insurance broker. And the intent was to help them understand what’s going into cyber insurance and why are we seeing such huge increases in cyber insurance and what led into Lexmark having the rate that we have. I find that all of those help the population understand why and helping them understanding why then leads to them agreeing, I should say, to the controls that we’re going to put into place. They may not like it, but they’ll get some understanding of why we’re doing it, which helps them agree to accepting it more.

[David Spark] I want to close with this. I like the Woodsy the Owl, Smokey the Bear. What is going to be cybersecurity’s mascot, Andy?

[Andy Ellis] Well, for us, for a long time, it was George the Penguin. So, I’ll leave George out there, the Penguin of Awesome, currently unemployed but he’s got a LinkedIn profile.

[David Spark] All right. Bryan, what do you think? What animal would you like to represent cybersecurity? Or it could be a thing, or it could be a fictional [Inaudible 00:35:27].

[Bryan Willett] Why does a wolf come to mind? I don’t know.

RA wolf? A friendly wolf maybe?

[Bryan Willett] Maybe a friendly wolf. Maybe, maybe. It’s probably…

[Andy Ellis] We do have people who would propose a honey badger.

[Bryan Willett] Ooh, I like the honey badger. I do like that.

[David Spark] All right. Send in your suggestions of what the animal mascot should be for Cybersecurity Awareness so we can essentially have our Woodsy the Owl or Smokey the Bear for our community, if you will. Something adorable, we want something adorable. I don’t think Smokey the Bear was that adorable. Woodsy the Owl is cuter, not Smokey the Bear.

Closing

36:02.256

[David Spark] that brings us to the end of the show, everybody, and I want to thank our guest Brian Willett, who’s the CISO over at Lexmark. Thank you very much, Bryan. I let you have the very last word so hold tight. I also want to thank our sponsor AuditBoard. AuditBoard, remember – connect risk, connect your teams, it’s auditboard.com. Please check them out. And thank you, AuditBoard, for sponsoring the CISO Series. Now, Andy, any last thoughts about today’s episode.

[Andy Ellis] Well, I just want to point out that today is Giving Tuesday, so for those of you who want to give us, give us some advice or give to your local charity, whichever you’d like, and it’s also Chadwick Boseman Day.

[David Spark] He gets a day, Chadwick Boseman?

[Andy Ellis] Apparently he gets a day and if there is any actor who has deserved a day, it would be Chadwick Boseman, and I just wish he were here to know he has a day.

[David Spark] I enjoyed what little I got to see him on the big screen. Bryan – the question we always ask our guests, are you hiring – so let me ask you that, are you hiring?

[Bryan Willett] In today’s economy, it’s very limited.

[David Spark] Oh, so limited hiring these days, but you do have hiring. All right. Well, if you would like to get a job with Bryan, limited opportunities to work on this amazing supply chain issue, how would they go about doing that?

[Bryan Willett] Well, certainly you can go to lexmark.com/careers is a great way to do it. But as always, I’m on LinkedIn, feel free to reach out.

[David Spark] Feel free to reach out. Mention you heard him on the show too. Any other last thoughts about today’s episode?

[Bryan Willett] Thank your teams regularly and often. They don’t hear it enough.

[David Spark] I couldn’t agree more. You can’t compliment people enough. In fact, let’s compliment our producers right now. Aaron Diaz, who’s listening along, and also Andrew Freels, and aw, we have such an amazing team behind us too. Phenomenal, phenomenal people. In fact, if you go back and watch the fourth anniversary show, you can see the entire team that makes this show happen. Thank you very much, Bryan. Thank you, Andy. And you know what? I’m going to throw out a completely irrelevant plug here just because he’s a good friend of mine, and he’s got a comedy special currently on Amazon, stand-up comedian by the name of Robert Mac, the name of the special is called Mac to School. He’s very funny and he’s completely clean, so you can watch it with your entire family as well. Check out Robert Mac’s special on Amazon right now. He’s very, very funny. I approve. Thank you, our audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.