The security vendor/practitioner sales cycle would go a lot faster and smoother if CISOs would just take an “incentive” for a meeting. Just tell me what “incentive” you would like. I’m sure it’ll cost me a lot less than what I’m spending on marketing and sales.


This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Allison Miller (@selenakyle), CISO, reddit. Allison is available on reddit at /u/UndrgrndCartographer.


Thanks to this week’s podcast sponsor, Living Security

Why We’re Breaking Security Awareness (And You Should Too)
Attend This Free, Virtual Conference From Your Home, Office, Or Even Your Couch.
Living Security is breaking the mold of security awareness to wage war on the human risk factor with evolved strategies for the way we live, work, and play today.
Join cybersecurity industry thought leaders for fresh, modern perspectives designed to help you change behaviors and reduce your organization’s risk in a world where life happens online.
This year’s sessions will cover:
• Human Risk Management
• Social Engineering
• DEI In Cybersecurity
• Enterprise Security Awareness
• Remote Working Security
• Ransomware

Full transcript

Voiceover

Ten second security tip. Go.

Allison Miller

Every once in a while, just do a self-assessment of your own privacy and security settings in your personal social media accounts. It can be confusing, thinking about what you are trying to share, versus what you are trying to keep secret, and, I think, going in and checking every once in a while is just a good practice.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO Series. My co-host, very much as always, all through this pandemic, has been Mike Johnson. Mike, the sound of your voice. Let’s hear it.

Mike Johnson

I am here. I was listening to the earlier podcast that we released today, and I was reminded that I was supposed to bring you white fish cat treats at some point. I forgot.

David Spark

[LAUGHS]

Mike Johnson

But, maybe next time.

David Spark

Please feel free to continue to forget.

Mike Johnson

[LAUGHS]

David Spark

We’re available at CISOseries.com, and we’re on the subreddit r/CISOSeries. Our sponsor today is Living Security, and they have a human risk management platform that actually successfully gets to the cause of cyber security human risk in enterprise organizations. Stay tuned. We’ll be talking about them later in the show today. Mike, I’m going to introduce our guest right now, because we were just, before we went on, we were discussing the fact that the two of us are obsessed with a particular game on the Oculus called Supernatural, which is a workout game and I’ve gotten really into it. My wife’s gotten into it, and our guest, who is Allison Miller, the CISO of Reddit, is also really into it. I will say, Allison, I’ve been a user since day one of Supernatural, that’s how into it I’ve been.

Allison Miller

Whoa.

David Spark

Yes, and they just celebrated their first year.

Allison Miller

Yes, they did. I love it. It’s really fun. I saw a reference to it on a subreddit, actually, and some video clips, and I thought, I need to try that. I need something to keep my Peloton [LAUGHS] company.

David Spark

And, Mike, though, has not jumped into the virtual reality world for fear of motion sickness, and I told Mike, “I’m in the same boat as you, because I watch people playing first person shooters and I get sick just watching them.”

Mike Johnson

No. I can’t watch first person shooters. I’m just expecting that it’s not going to be a pretty experience if I have screens that close to my eyes.

David Spark

But, I don’t get nauseous. Do you get nauseous playing the game at all?

Allison Miller

Yes. So, there are different technologies. I would just say try before you buy. No point in committing to a technology that would make you ill. [LAUGHS]

David Spark

Seems like that’s a good tip in general: if it’s going to make you ill, just don’t do it. That’s a good tip.

Mike Johnson

The Hippocratic oath for technology. [LAUGHS]

Allison Miller

Absolutely. Primum non nocere.

Are we making the situation better or worse?

00:03:03:12

David Spark

“Relying on the end user to make an app secure is, in essence, shipping insecure software”, said Madhan Kangavel on Security Today. Since very few people change the default configuration, how do you build security in, by default, while also balancing usability? Can you give an example? I’ll start with you, Mike. Of how you saw something that was insecure, and then, how did you actually change the default setting to increase security without significantly impacting the usability?

Mike Johnson

I like where he’s coming from with this one. If something is not secure out of the box, does it really matter why? The defaults and being in a secure state, that should be part of shipping secure software, so I totally agree with where he’s coming from here. I think the best example of insecure defaults made better is when you’re enabling SAML authentication, where you have all of these different applications that people are needing to authenticate to. If you centralize all of that into one place, with SAML authentication of some sort, then the security is better. You’ve got that gateway that’s better securing your applications, but the usability is also better for your employees. They’re only having to log in once, not log into ten different applications. So, it makes their lives easier, so that’s always my go-to, is SAML. It both improves security and improves usability all at the same time, and, from a personal perspective, MFA is one of those things that I, personally, go and enable. It’s a little bit of an impact on my user experience, but it’s not really that much, and what I get out of it is a significant increase in security.

David Spark

So, the tradeoff is huge?

Mike Johnson

The advantage is really there and, unfortunately, it’s usually off by default. You always have to go through some menus to get there, but it’s worth the effort and, once you’re there, like you said, the tradeoff is huge.

David Spark

Alright. I throw the same question to you, Allison. So, a situation where you saw something that was insecure by default, and something that you worked on, you implemented, to make it secure by default without heavily impacting usability.

Allison Miller

So, I agree with the premise, but I think I come at this from a slightly different perspective, having worked on consumer technology. So, there’s a concept that’s big in privacy circles called opinionated design, which is, you want to make sure that you allow for agency, for users to make decisions about how they use the technology, but you can also be smart about how you design the product so that you default to safer experiences. So, an example of how I saw that play out at a large scale with large, good, strong security and privacy outcomes, was how Chrome implemented some of the user interfaces related to Safe Browsing, which is a technology that’s used to identify if there’s malware hosted on a web page or a phishing site and, instead of making it the generic, are you sure, yes, no, making it a little more opinionated towards, that’s not safe, so you probably don’t want to click it. It continued to provide agency, so if folks were, for example, security researchers who actually wanted to get to the malware, or it was a false positive and the user was very confident that it was a safe thing to click on, they could proceed, but the default outcome was the one that was safer, and so, that’s a really effective way, I think, to try and get at this idea which is, you want to enable your users, but you want to reduce the chances that they’re going to be running into bad experiences, and that should be factored into the product design itself.

David Spark

So, let me know if I heard this correctly, but, as part of your product design, you’re alerting, are you sure you want to do this? Are you also in the process of educating them about being more secure, more savvy users, yes?

Allison Miller

I think to a certain extent, but that is not the primary goal. The primary goal is for the obvious, easy outcome to be the safer outcome without disabling advanced-level functionality or features.

What’s the best way to handle this?

00:07:46:16

David Spark

It’s official, mandatory password changes are no longer en vogue, according to Microsoft, who is removing periodic password changes from the security baseline settings it recommends for customers and auditors. Research shows, reported by Dan Goodin, of Ars Technica, that when you mandate password changes, people purposely choose weak passwords so they can remember them, and they usually just update the number at the end. One commenter said, “NIST now recommends that the only criteria that matters is length, and discourages requirements for special characters. They much prefer long pass phrases that vastly increase the character count, while retaining memorability.”

So, in this endless struggle between security and usability, where do you stand on password creation and updates, Mike?

Mike Johnson

When I think about password creation, I go back to this vivid memory of registering for some security related website. I don’t really remember what the site was. My password manager generated a 20 character mixed case password. No numbers. The site didn’t like it, so I was, like, alright, well, what if I do it at 40 characters? Still didn’t like it. 64 characters, still not good enough, and it wasn’t giving me any clues as to what was going on, so I created a shorter password that was eight characters and included a number and it was accepted.

David Spark

By the way, I had almost the identical experience recently. I didn’t go 20, 40, 60, 80, but I think my first one was 15. And they told me, “Too long.”

Mike Johnson

I never got a password, “Too long”, on this, and that’s really frustrating when you get the password, “Too long.” It’s just amazing that these sites, they’re creating these arbitrary rules that don’t seem to be grounded in any reality. My 64 character mixed case password is stronger than my eight character with a digit in it, and so, it’s really, for me, it’s all about the password managers, and we’re seeing those more and more, that’s more and more commonplace, and it’s really the only solution we have at the moment for just how bad the whole concept of passwords sucks, and having stupid password requirements only makes it worse. It makes people annoyed, and it’s going to drive them to these habits that Microsoft is talking about, where they’re creating a base password and just incrementing a number at the end over and over and over again, and everybody knows that that’s what people do. So, if you see the password, if you find it on a password leak site or some sort, the first thing that a hacker is going to do is just start adding a number at the end and incrementing it, and if that’s what you’ve encouraged your users to do, you’re going to have a compromise.

David Spark

Allison, this seems like the standard response, Mike’s response. I mean, I agree wholeheartedly with all this. It doesn’t look, though, like we’re going to get away from passwords any time soon, even though we all agree they stink?

Allison Miller

Well, I don’t know. I mean, I think we should get rid of them wholesale. [LAUGHS]

David Spark

Well, no, I agree, but I don’t think, Allison, that these are going to disappear any time soon. I know you want to but isn’t there a certain level of, we’ve got to deal with it because this is the situation now? Or, you run your organization, I’m going to be the king or queen and I’m going to determine how this is going to go?

Allison Miller

I guess I feel a lot of organizations, and my preference, is that we leapfrog past stronger passwords, and into stronger methods of authentication. So, if you’re a Reddit user, please [LAUGHS] I recommend signing up for multi-factor authentication. We have an app-based authentication and I love it, and I signed up for that on any sites where that’s available. We figured out really clever ways to integrate multi-factor authentication into internal surfaces as well, you know? So, it’s the better and more secure way for enterprises and users. So, that’s where I stand. I do think we can leapfrog past it, because every website is coming up with their own version of what a good policy is, or how many characters that they’re going to accept and such, and let’s just skip it. Let’s just move past it. That’s, kind of, what I’m hoping for from the future.

Drew Rose

It’s 2021, and we can’t expect that security technology is going to solve threats like phishing.

00:12:41:17

Male Voiceover

These are the thoughts of Drew Rose, Founder, CSO and Head of Product for Living Security, a company that focuses on end users as the best asset of cyber defense. He suggests employees have been through too much, especially in the last year, and current anti-phishing, anti-malware techniques just aren’t working.

Drew Rose

Most people have more pressing things on their mind. When they go and see an email, the first thing they’re thinking about is not, “Oh, I wonder if this is a malicious email?” They have to filter it through all of the emotionally charged situations that are in their lives before they get to the rational part of their brain to make that decision. After a year like 2020, it makes a ton of sense why people are still falling for phishing scams, while ransomware is still an incredible problem.

Male Voiceover

He suggests we need to emphasize and find a better way to change behavior, and this can be done through a more experiential learning scenario.

Drew Rose

We care about the situation there, and we want to give solutions that aren’t hurting their efforts to change behavior, and so, we invest heavily in high quality content, and an engaging system for learning, to teach people about the new threats that can help protect themselves, both at home and the businesses that they work with.

Male Voiceover

To learn more, visit LivingSecurity.com.

It’s time to play What’s Worse?

00:14:14:16

David Spark

Alright, Allison, are you familiar with how this game is played?

Allison Miller

I’m so terrified. [LAUGHS]

David Spark

[LAUGHS]

Mike Johnson

[LAUGHS] Rightfully so. Rightfully so.

David Spark

You’re not the first guest to have said that. Alright, don’t worry, I make Mike answer first. This comes from Jerich Beason, who is a CISO over at Epiq, who we’ve had as a guest before. Here’s his What’s Worse? scenario. You’ve got a Cloud-first IT organization, maybe like yours, Mike, that refuses to acknowledge their role in the shared responsibility model. Probably not like your organization, Mike. [LAUGHS]

Mike Johnson

That is correct.

David Spark

Or, you’re working for an IT shop that refuses to innovate or even entertain the idea of using the Cloud, including the security tools. Which one is worse?

Mike Johnson

Wow. Vastly different options here, where you’ve got the company, on the one side, that’s potentially harming their customers by not implementing that shared security model, not really empowering their customers to secure themselves, that’s how I read the first one. And, the second one is, you’re stuck in your ways. The Cloud is terrible. I’m afraid of the Cloud, and you’re not innovating, and I think the place that I would lean towards being the worst of these two really is the, not acknowledging the shared security model of the Cloud, so the first one of these is the worst, because you’re likely doing harm on others. You’re likely harming your customers. Versus the second one of, I’ve got to hug all of my servers, everything needs to be within my four walls, at least you’re only harming yourself. You’re only harming your own company.

David Spark

And, you’re not innovating, so the company may be stagnating, and it may cease to exist if somebody tried to out-innovate you?

Mike Johnson

And, I think, one of the things we really forget, especially those of us who work in tech is, you don’t have to, necessarily, innovate, innovate, innovate. I was listening to a podcast recently about some person who runs a lumber farm, or a tree farm, they grow trees. There’s not a whole lot of innovation in trees, but that’s a necessary thing, their business is doing great, they don’t, necessarily, need to be innovating. So, of these two, the dysfunctional Cloud is the worst one.

David Spark

Alright. Allison, I throw this to you. What say you? Which one’s worse?

Allison Miller

Mike makes some really good points, and not everyone does need to innovate, but I wonder if, maybe, it’s an, it depends, kind of answer.

Mike Johnson

“It depends” doesn’t work in this game.

David Spark

Uh-oh. Trending into “it depends.”

Allison Miller

I don’t know if there are any rules in the What’s Worse? game.

David Spark

It’s what you hear. That’s it. There is no “it depends.”

Mike Johnson

[LAUGHS]

Allison Miller

I’m going to color outside of the lines a little bit.

Mike Johnson

Alright. [LAUGHS]

Allison Miller

I do think it depends on your threat model, and I think it also depends on, I feel a bit like some of the roles and responsibilities around the shared model of responsibility for security are blurry in a lot of places, even with the best of intentions, if that makes sense? So, I think that an innovative company, some of them may have the resources, or may have the wherewithal to figure out how to leverage the advanced technology in a way that they’re not, I don’t know, leaking risks into their product or into their customers, in which case, it would be in their best interests to go Cloud and not be stuck with lack of Cloud, because, while not everyone needs to innovate, some folks have a threat profile where you really need the best of great solutions from a security perspective, and those are getting built in Cloud, they’re getting built as Cloud-based services, so I think it’s really hard to be a successful company if you can’t figure out how to leverage Cloud, even with some of the discrepancies or lack of clarity in the shared responsibility model.

David Spark

So, you are taking the opposite of Mike on this, as being the worst option. If you don’t go to the Cloud, that’s far worse, yes, Allison?

Allison Miller

I mean, yes, just for controversy’s sake, I think.

Mike Johnson

[LAUGHS]

Allison Miller

I’m an economist, so we always start our answers with a, “It depends”, but just for the fun of it I’ll answer opposite from Mike.

Mike Johnson

[LAUGHS]

David Spark

That’s why we like you.

Hey, you’re a CISO, what’s your take on this?

00:18:59:02

David Spark

Where and how are your intrusion detection systems working overtime today? I’m going to start with you, Allison, on this. An IDS is looking for errant behavior and, to find it, you need IDSs in many forms. Network-based, host-based, anomaly-based, signature-based. As compared to three years ago, have there been any pattern changes in the IDSs you’re watching? Have machine learning efforts improved during this time, and, if so, in what way?

Allison Miller

Well, I was at a bank three years ago, so I was definitely looking in a [LAUGHS] different place than I’m looking these days. I love talking about detection technology. It’s my favorite thing to talk about, and I think the detection problems that we face at a company like Reddit are a little bit different maybe than in other places, because we have systems that we’ve built in order to detect certain patterns in content and behavior in Layer Eight, if you will, amongst our users, so that’s really where I have our detection systems working as hard as they can, because, at Reddit, we have a community-based model where we have folks who are building communities and trying to enforce their own local policies, and where I want our automation working is making sure anything that’s a site-wide safety-type issue, or a security-type issue for our users, that we automate that so that folks who are trying to manage communities and keep them safe, secure, and vibrant, vital for those users, don’t have to waste time doing things that we could be automating on their behalf.

David Spark

Good advice. Mike, where do you stand in terms of, well, you haven’t been at the same place for the past three years either, so it’s a similar situation, so you don’t, necessarily, have the before and after look?

Mike Johnson

Well, on the other hand, the two environments were very similar in that we’ve really embraced the zero trust concept, and I really think that changed the world of intrusion detection. Back in the day, the intrusion detection systems that we used to build were all network-based. You would instrument the heck out of your network, you would funnel all of your network traffic through these choke points, you would have your sniffers and your Snorts and your whatever sitting there and monitoring those points, and that’s just not possible anymore. We don’t have those choke points. So, from my perspective, all of my intrusion detection has really moved to be host-centric. It’s instrument the heck out of the hosts, monitor what’s going on on those hosts, and the network is just the network. It’s just dumb transit. I’m not worried about it, as long as I understand what my hosts are doing. That’s really where I’m watching and monitoring these days.

Allison Miller

If I could just weigh in on that, I think that’s an interesting distinction, because I’ve joked a lot over the years about living my life at Layer Eight, but one of the interesting things about life at Layer Eight is that it really is about detecting patterns of behavior that we would understand as being good or bad versus, for example, detecting a packet is good or bad, and so, zero trust is really exciting for me to look at, figure out how we’re going to approach that, because it marries up the horrible underlying IAM systems of the world with the risk detection type systems, which is a really exciting place for us to put investment and thought, because, theoretically, it can enable a lot of activity that, maybe, we would have just restricted because we have these, sort of, dull, blunt access mechanisms and policies.

What’s it going to take to get them motivated?

00:22:54:14

David Spark

On LinkedIn, Chris Roberts, of Cynet Security, asked, “What incentive would get you to take a meeting?” The question which he repeated because someone asked it of him. I don’t believe it’s a question to ask. Security sales are rarely linear. It’s said, it’s an effective combination of the following. Knowing your product, the sector, and where you fit in the roadmap. Conducting open source intelligence on your targets. Building your personal industry brand, and networking with those who know and like your product to get you to the next connection, who may or may not, necessarily, be a target. So, if you do all these right, why do you need an incentive? Salespeople ask the incentive question, I believe, because giving a gift is far cheaper and faster than having to do all of the above. So, Mike, I’m starting with you here. Do you agree? Did I miss anything on my list, and which one should a salesperson focus on above all else?

Mike Johnson

I really agree with your theory that I’m not going to respond to incentives to take meetings. I’m either going to take it or not. The incentive isn’t going to change my mind, and I do think it is a shortcut that people are trying to take, that they’re not willing to put in this work. It’s so much easier to offer an incentive than it is to build up a brand, personal or company-wide.

David Spark

But, the thing I always think about, when they offer an incentive, is what an uncomfortable position it puts you in.

Mike Johnson

Yes.

David Spark

It puts you in a crazy uncomfortable position. Yes, of course, I would like the lavish thing you’re handing me, but how would my employers think of it? How would I look in the industry? This is not good. [LAUGHS]

Mike Johnson

Usually, your employer is not going to be happy with that iPad that this vendor would like to send you for talking with him for half an hour, and it really does put the recipient in an awkward position, and I don’t think that people stop to think about that. I do like the rise of donations to charity. I think that’s a better incentive, but it’s still an incentive, and it really is better to build that brand that pays off, that’s going to get to a point where I’m going to actually seek you out, or there’s going to be people on my team who are going to seek you out. You’re then changing the model around, rather than trying to make a connection, the connections are coming to you. I think it works. It just takes a lot of effort. It takes time. But, once you’re there, it really pays off.

David Spark

I agree wholeheartedly. Alright, Allison, first of all, I’m assuming you get incentive requests all the time, yes?

Allison Miller

I have to open the emails to understand that there’s an incentive [LAUGHS] being offered, which is step one. But, this angle, this conversation, reminds me of an interaction I had recently which I’ve been thinking about a lot, which is, I’m new in my job, I’m trying to get situational awareness and pull together a road map and a strategy and such, and someone said something to the effect of, “Oh, yes, you need to know what’s going on in your organization so that you know what to buy next”, and that really sat with me because that is not how I think about my job. I do not think about my job as picking things to buy. [LAUGHS] I think of my job as, what problems do I need to solve? And, what am I going to build to solve it? So, while I may build systems out of stock parts, commercially available solutions, I don’t think of myself as someone who goes and buys things. So, I think an incentive, for me, for any folks who are trying to figure out how to get me to read your emails [LAUGHS] are, I’m looking for ways to solve problems, and what the biggest incentive for me is, if I do have to buy something, then have it be something that helps me solve more than one problem at a time, right? Point solutions are yesterday. Like, point solutions worked when we only had to string together a couple of points, and that our defense was a line, but we, very quickly, became required to defend surfaces, and then, if you have internal and external obligations, you’re, essentially, defending solids. [LAUGHS] So, point solutions aren’t quite what I’m in the market for.

Close

00:27:20:09

David Spark

Well, that brings us to the very end of our show, and, Allison, thank you so much. I want you to know, you’re not the first CISO from Reddit we’ve had on this show. You’re, actually, the second CISO from Reddit we’ve had.

Allison Miller

I heard that. [LAUGHS] Well, we are a social bunch, right?

David Spark

Yes.

Mike Johnson

[LAUGHS]

Allison Miller

Transparency is a really big value at Reddit, so it makes sense to me that we want to talk about this stuff.

David Spark

Well, we appreciate you coming on, and I’ve known you for quite some time, and I appreciate how vocal you are and, really, about how eager you are to participate and help the community. I’ve always seen that about you, so I’ve always been impressed. So, thank you so, so much for joining us on this show, and sharing your wisdom with our audience.

Allison Miller

Thank you.

David Spark

Now, I’m going to let you have the very last word. But first, I want to thank our sponsor, Living Security, with their human risk management platform successfully getting to the cause of cyber security human risk in enterprise organizations. Check them out at LivingSecurity.com. And then, next, Mike, any last words for Allison?

Mike Johnson

Allison, thank you for joining us. It was really a pleasure to sit down, listen to you, learn from you. I really like your focus on usability. That was something that really came through in all of our discussions, was your focus on usability and how security should be usable, and, specifically, I want to point people to the, I’ve never heard of opinionated design before. I think that’s a great concept, and that’s one that folks should take away and pay a little bit more attention to. I think it’s a great concept. So, thank you for, specifically, that tip, but for joining us and really focusing with our audience and reminding them how important usability is to security. Thank you for joining us.

Allison Miller

Thank you.

David Spark

Before your last words, Allison, we ask all our guests, “Are you hiring?” So, I’ll ask you. “Are you hiring?”

Allison Miller

Oh, we’re hiring. [LAUGHS]

David Spark

[LAUGHS]

Allison Miller

I’m hiring in security, privacy, anti-evil, safety. We’ve got a number of teams, and then, I have many colleagues at Reddit who are hiring. We’re growing really fast, so there’s some fun things going on. Come check us out on Reddit.com. We have our jobs posted. They’re also on LinkedIn.

David Spark

Very good. So, any other last word, beside mentioning that you’re hiring right now for our audience?

Allison Miller

I guess, what I would say is, I actually don’t think of myself as being someone who focuses on usability so much as just really believing, very strongly, that security, privacy, safety, when those things are factored into a product design, it makes for a stronger product, and then, if I get to leave with a word about effervescent joy. Let’s bring joy back to cyber security.

David Spark

I’m all for that. I must say, we miss the networking and the big conferences, I just love seeing all the cyber security people. It’s a fun group to hang out with, I must say.

Allison Miller

Yes.

David Spark

You are. Well, the next best thing is joining our Friday video chats which are a lot of fun, which is an opportunity to do just that. For those people who don’t know, every Friday at 10 AM Pacific, we host a video chat where you get to engage with your fellow community members, and then, we do this fun cyber security speed dating at the tail end. Allison Miller, CISO of Reddit, thank you so much for joining us today. By the way, you are within your first 90 days of being a CISO, yes?

Allison Miller

I’m in my first 90 days of being a CISO at Reddit.

David Spark

At Reddit, specifically?

Allison Miller

Yes.

David Spark

Alright. Thank you, Mike. Thank you, Allison. Thank you, audience. As always, we greatly appreciate your contributions, and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”