When cybersecurity needs to cut budget, the first move is to look where you have redundancy. That way you’re not actually reducing the security effort. But after that, the CFO needs to know what are the most important areas of the business to protect. Where will they be willing to take on more risk? Because, with less security, the chances of failure increase.
This show was recorded in front of a live audience in New Orleans as part of the BSidesNOLA 2023 reboot conference. The episode features me, David Spark (@dspark), host and producer of CISO Series. My guest co-host is my former co-host, Allan Alford (@allanalfordintx), CISO for Precedent and host of The Cyber Ranch Podcast. Our guest is Mike Woods, corporate CISO for GE.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsors: Conveyor, Nightfall AI, Rapid7
[Voiceover] Best advice I ever got in security. Go!
[Mike Woods] Probably the best game plan, never blocked or tackled. It’s a Vince Lombardi quote. If you don’t know football, he’s the guy on the trophy. That means you got to execute, and you got to follow through.
[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience in New Orleans.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer and the host of the CISO Series. And joining me as my guest cohost, but you have heard him before… He used to be my regular cohost. It is none other than Allan Alford, who is now the CISO over at Precedent and host of his own podcast, The Cyber Ranch Podcast. Say hello to everyone, Allan.
[Allan Alford] Howdy. I’m the irregular cohost.
[David Spark] For those of you who are just listening to the audio version, Allan is currently wearing a giant purple top hat with a yellow brim, and he fits in perfectly here in New Orleans.
[Allan Alford] I look like a local, not a tourist.
[David Spark] Yeah, he very much looks like a local, not a tourist at all. By the way, for those of you who are listening who are not aware of us, we’re available at cisoseries.com where you can check out all of our programming and our sponsors for today’s event. I’ll be talking about all of them later, but I do want to mention them right now. Conveyor, Nightfall AI, and Rapid7. Huge thanks to all three for sponsoring this live audience recording in New Orleans.
We’re part of the BSidesNOLA event. And this is pretty awesome. This is our first time doing a live show at BSides in New Orleans. But something pretty darn dramatic happened last night. All the audio gear that was supposed to be here for this event was stolen, and we don’t exactly know when. But a huge kudos to C-PAT and also Najo who somehow late at night was able to pull everything together, get here at five in the morning.
And I think the part that kind of really shocked me, C-PAT, was at about 10 PM you said…you texted me, and he goes, “Hey, what are you doing?” And I go, “Well, I was about to crash.” And you had… I don’t know. You must have been running on adrenaline at that point. You wanted to go out for a drink, and you had to get here at five in the morning.
[Male] [Inaudible 00:01:58]
[David Spark] Yeah. Well, I was quite impressed with that as well. All right, thank you very much. Now, I want to introduce our guest, who is here sitting to my left right here. It is none other than the corporate CISO over at GE, Mike Woods. Mike, thank you so much for joining us today.
[Mike Woods] Thanks a lot, David. Great to be here. NOLA is my hometown. So, very excited to be with you all. So, 19 years in IT. Been with GE the last ten. The corporate CISO for about 18 months. Folks ask me, “What is a corporate CISO?” It’s all of the shared services in a giant conglomerate that GE is. So, think about payroll, HR, finance, all that fun stuff. But also a lot of activity right now.
GE is spinning off into three separate business grade companies. We just spun off healthcare earlier this year, and our energy business, Vernova, will be spinning off sometime early next year. So, a lot of activity to move applications, move teams, all of that fun stuff.
There’s got to be a better way to handle this.
[David Spark] How do you really trust your vendors? Even security vendors. Allan, you posed a great question on LinkedIn as to what are the specific processes of trust but verify you employ. And I’m going to kind of slam the LinkedIn security community here. I was kind of shocked that there were almost no good answers except for Rob Demain of e2eAssure who walked through a very detailed process of vetting SOC and managed detection and response teams.
Most of the responses just repeated the trust but verify mantra. So, I’m going to start with you, Allan, on this. Shouldn’t the verification process be ongoing, and wouldn’t a better mantra be constant verification builds trust? And so I’m going to ask you what are great examples of ongoing verification that allow you to build that very trust you want.
[Allan Alford] I’ve got to share a real quick, I did get a DM on that one. And the guy said, “Kidnap their children.”
[Allan Alford] So, all joking aside though, where I got to with this one is I truly thought probably the finest example of learning how to truly trust your vendor would be being able to get real transparency out of them, which will never happen. But the example I came up with as you’re considering purchasing a vendor and bringing them in, you’re looking at buying the product, ask them, “I want to talk to your angriest customer.” Wouldn’t that just be the coolest in the world, right?
[David Spark] Oh, that is good. That’s quite good.
[Allan Alford] That would be the coolest. They’re never going to do it, but it occurred to me there might be a compromised position, and the compromised position could simply be, “Let me talk to your best turnaround story customer.”
[David Spark] Well, your angriest customer that became your best customer because that happens a lot.
[Allan Alford] And I think the vendors just might be willing to let me have that conversation with that customer. So, that was one thing I thought of. But we did a whole show… Paul Marino, who’s a CISO over in Europe… We did a whole show on this whole idea that you can go through the steps. You can get a referral from a friend. It always starts with a referral. Almost every CISO buys based on a referral.
Check the first box. We got a referral. You can do a POC. “Hey, they look good in the POC. Check the box. I checked them out.” You can go through all the proper steps and still get completely burned. You can find out after you’ve inked the deal and one and a half years into your three-year contract that they’re absolutely losing your information and doing all the horrible, wrong things. So, the vetting and verification process, you do have to be constant.
I’m in full agreement with that. And I think there’s measurable steps that can be taken. I think a lot of it starts with metrics. I think some of it has to be put in the contract. You have to hold them accountable and tell them, “We’re going to measure you in the following ways over time,” and just press that and hold that.
[David Spark] All good examples. All right, Mike, what are the ways you do the…? And by the way, do you agree constant…?
[Mike Woods] Yeah, exactly. One item you could think of here is are they going to agree to overwatch capabilities. Are you going to have a watcher of the watchers or not? A lot of vendors do offer that. But I totally agree, the continuous improvement process that you need to put on your vendor to make sure that they’re following through on their obligations is critical. You’ve got to have the basics, too.
Basic metrics of mean detection time, response time, number of incidents resolved. But the scope is important, too. Where are they obligated in that contract? And you mentioned the contract. That’s very important. Where are they obligated to operate? At GE, we have a very large enterprise, as you can imagine. We have a lot of OT. We have a lot of enterprise technology, and we actually have different vendors for different purposes.
In some cases, jurisdictional restrictions. So, certainly having that constant verification is going to be critical in order for us to be confident in the operations, incident response, things of that nature.
[David Spark] Let me pause you for a moment there. In both cases with you guys, is there a case where you’re doing the verification process…? And I got to imagine something falls through the crack. I can’t assume… It’s not a desire to all of a sudden dump the vendor but find out what happened and right the ship, yes?
[Allan Alford] Yeah.
[Mike Woods] Yeah.
[Allan Alford] Agree.
[Mike Woods] Agree.
[David Spark] So, what do you do in a scenario like that?
[Mike Woods] Well, it depends on the nature of what happened, what was the slip up.
[David Spark] Give me sort of a scenario. You don’t have to give me a real example but give me an idea.
[Mike Woods] I’d put it this way – the way I would look at it is if they missed something that they were obligated to monitor, got through, and we still had an incident or if we had a containment failure because the product didn’t work. We’re going to pull them in and do an after action report. After the incident is resolved, and we’re going to go through that with them. And that’s going to be something that we’re going to continue to hit them with on a continuous basis.
We’re going to build a rigor and go over this. We’re going to look at the environment to see where else are we exposed potentially to that same situation. So, it’s going to be more of you’re going to be on the short list at that point as a vendor. You’re going to have to come to the table and deal with this more. Otherwise we’re going to be looking at that contract on when we’re going to exit.
[Allan Alford] Reserve that right to audit.
[Mike Woods] Absolutely.
Is this the best use of my money?
[David Spark] So on a previous episode, I quoted a CISO who said when he was starting out in seeking a mentor, he didn’t look to another cyber professional but rather a CFO. Now, a very unusual tactic that greatly helped him when he eventually became a CISO. Not many security professionals have that kind of foresight, so they now need to learn to work with a CISO. So, Allan, you were heavily quoted in an article by Evan Schuman on Dark Reading about the importance of making the CFO understand the impact budget cuts have on cyber security.
If the CFO understands the important areas that they need protecting when it comes time for budget cuts, you can ask the CFO what areas would they like to reduce protection. Something will change. You can’t deliver the same service for less money usually. So, another tip was meeting with other security personnel to see what they could reduce, where do we have redundancies. So, Allan, how have you handled budget cuts in the past, and has there been a noticeable impact to security as a result?
Did risk truly go up when you did the budget cuts?
[Allan Alford] Yeah, so we had a really good presentation earlier this morning talking about risk and talking about storytelling. I think it’s very important to make sure that you have both perspectives in mind when you tackle this because this idea that we have a risk tolerance level that’s been measured… We are at 8.7 here at company Acme Corp. Nobody knows what their risk tolerance level is in some sort of measured magnitude.
“We are an 8.7.” That doesn’t exist. But what people do know is stories. What people do know is this thing over here, I really care about. And this thing over here, I care about a little less. And this thing over here, I care about somewhere in the middle. And it’s really a conversation about the actual stories, the actual events themselves. “What if this data got jacked? What if these customers’ information got out the door?
What if this service was shut down? What if that data was ransomed?”
If you can have specific stories upstairs then you can start to talk about specific risk addressing upstairs, and you can build a risk model, and you can budget and build your entire cyber security program around that risk model. And now you have slider bars. It’s inevitable that you go through the full exercise, build your full budget, and then guess what happens? “Oh, by the way, there’s a budget cut.” “Great, no problem.
We’ll just throttle back this one, this one, this one, this one. We already have them in priority order. We already know which risks we care about the most. We know which ones we care about the last.” Ratchety, ratchety, ratchety. You’re good. You’re home free. Everyone is on the same page. Everyone knows the whole story.
[David Spark] So, when you build a security program, are you literally thinking down the road, “This may have to go back.”
[Allan Alford] Yeah.
[David Spark] And essentially you can adjust easily for that.
[Allan Alford] Yeah, absolutely.
[David Spark] Mike, you’re nodding your head. So, you can…
[Mike Woods] We’re all Scotty from Star Trek.
[Mike Woods] It’s ten hours, and the captain gives you five. And you get it done. So, for sure. I totally agree with what Allan just mentioned. Realistically you can spend an unlimited amount of money and get hacked. I think we all know that. So, looking at your estate and deciding. One of the other things, deciding what you’re going to protect and maybe what you’re going to mitigate. Maybe what you’re going to use insurance for.
I think it’s important. You should be doing that. Not every business will have enough funds to protect everything to the top level that they would want to do from a cyber perspective. So, you’re going to have to make tough decisions, force rank potentially. So, one of the things that we’ve employed is… There’s numerous models to do this. But the simplest thing is the must and the likes from a cyber perspective.
I think the other thing you need to work with your finance and your operations teams on is how simple can we make the environment itself. The simpler the environment is, the easier it is going to be for us to secure it. And making sure that the teams understand what that really means from a financial perspective. “Hey, we’re spending eight million dollars on this system. By the way, if we got rid of three or four parts of it, now we’re spending five million on it.” Things like that.
It really is a function of the controls, and the controls are a function of what does our environment look like.
[Allan Alford] Yeah.
[David Spark] One super quick question, 30 seconds left in this segment. What is the one thing once you became a CISO that you didn’t know before you were a CISO and you started to work with the CFO…what did you learn that you didn’t know beforehand, Allan?
[Allan Alford] I’d say 90% of the toys that I inherited were irrelevant. And the conversations around those toys with the CFO were completely detrimental. That’s probably the biggest two lessons right there. That half your tech stack at least is probably unnecessary. This is back to what Mike was just saying about tech stack rationalization. Half of it is useless. I can almost guarantee it. Especially if you do this per risk model.
You’ll quickly determine that the 13 things you have, you only need 7. Then talking to the CFO in terms of those toys, forget it. You’re going to shoot yourself in the foot.
[Mike Woods] Yeah, I’ve learned a lot. SG&A. We are all SG&A. If you don’t know what that means, talk to your CFO. But that means overhead in simplest terms.
[David Spark] What do those letters stand for?
[Mike Woods] It’s administrative is basically what it is. But simplest terms is that learn and understand how the financial planning and analysis, FP&A work happens at your organization. Every organization is different. At GE, it’s quite complicated given the different businesses we’re in, the different countries we’re in, and things like that. But that was the biggest thing for me is learning that process so I can best take it to the advantage of my team and the advantage of the company to better secure it.
Sponsor – Conveyor
[David Spark] We have three wonderful sponsors, and I do want to mention one of them right now. And that is Conveyor. So, does the mountain of security questionnaires in your inbox make you feel like a two-dollar umbrella in a hurricane? Then you might want to check out Conveyor, the end to end trusted platform helping infosec teams reduce incoming questionnaires and fly through the ones they have to complete.
Give customers access to a self-serve trust portal where they can download documents and find answers to their questions. For any remaining questionnaires that sneak in, use their GPT questionnaire response tool or white glove questionnaire completion service to knock them completely off your to-do list. Want to hear the latest?
Conveyor’s GPT browser extension helps you take their GPT questionnaire response technology to wherever your questionnaires live. In portals, Word docs, and more so you can get precise answers exactly where you need them. Got a complex questionnaire in the world’s scariest portal? Pop open the browser extension and get AI generated accurate answers in seconds. Best of all, the extension cites your knowledge base sources so you can easily add a new fact or edit your knowledge base and regenerate the answer you need all without disrupting your workflow.
So, Conveyor is on a mission to end questionnaires and ready to be your end to end platform for building customer trust and automating your security reviews. Now, you’re going to want to learn more, so what do you do? You go to conveyor.com. Go there now.
It’s time to play, “What’s worse?”
[David Spark] All right, all right, all right, all right. So, for those of you who are not familiar with our show, we have a game, and we’re going to play it right now. In fact, we’ll play two rounds of it. Called “what’s worse.” And here’s how “what’s worse” works – our listeners send in two horrible…usually two horrible, horrible scenarios. And you’re not going to like either one of them, but it’s your job as a security professional, really as a risk professional, to tell me which of these horrible scenarios is worse.
So, I’m going to start with you, Allan. You’re going to answer. And then, Mike, you either agree or disagree with what this is. Neither of them have seen this, and also I’m going to want the audience’s response as well. All right. The first scenario, this comes from Chris Shull, who is the CISO over at Washington University in Saint Louis, my alma mater. Was very excited to get this. So, here it is – “What’s worse?” We’re starting with you, Allan.
Leading infosec in an organization with, one, you have really good, maybe even great technical defenses but lousy security awareness, behavior, and culture. The leaders and users who just don’t seem to care. Or… And this is what’s interesting. Usually when we get this, we get the flip, but it’s not exactly the flip. You have mediocre technical defenses, so not horrible but just mediocre, and kind of aware users who don’t always do the wrong thing, but also they don’t always do the right thing.
So, which one is worse, Allan?
[Allan Alford] The first one is worse. Because with the second one, I can actually work with both. I can…
[David Spark] No, no, no. Whoa, whoa. Slow down with… Here’s how “what’s worse” works – this is the situation. It never gets better than what it is. So, it’s always going to be mediocre on both sides.
[Allan Alford] First one is still worse. I’ll take mediocrity over broken people and culture.
[Mike Woods] Agreed.
[David Spark] Listen to that. About a handful of people are applauding mediocrity.
[Allan Alford] They are. Because at the end of the day, broken people and culture is far more detrimental to everything on planet earth, not just your organization.
[David Spark] All right.
[Allan Alford] Jack Daniel agrees.
[David Spark] All right, so that was a pretty quick answer on that one. All right, Mike, what do you think? Do you agree or disagree?
[Mike Woods] No, I’d have to wholeheartedly agree. The mediocrity, you can work with and you can apply hopefully technology…
[David Spark] Again, I can’t stress…
[David Spark] You’re going to stay mediocre.
[Mike Woods] You can apply maybe some technology. But what you can’t fix is, I think you said it for the first examples, is the leadership play. If the leaders are just bad and not interested and that’s never going to change, that’s going to be worse than mediocre.
[David Spark] All right, very, very good. All right, that was a quick one. So, we’re going to go the second scenario. This one I think you’re going to have fun with. All right, Dustin Sachs from World Fuel Services, who by the way got hired by listening and being a member of the CISO Series community… So, we’re like yentas. We make matches. All right, here we go, which is worse… Allan, again, you’re going to go first.
Which is worse, having your online shopping account hacked or having your mother on Facebook posting embarrassing photos and stories about you?
[Allan Alford] Oh, by far the mom on Facebook.
[David Spark] Are there that many embarrassing stories about you? And photos?
[Allan Alford] Well…
[David Spark] [Laughs] You can handle your account being hacked.
[Allan Alford] I can neither confirm nor deny the existence or presence of any such materials, artifacts, photographs, evidence, or audio recordings. I can just say that my stuff online has been hacked before, and it wasn’t that big of deal.
[David Spark] Yeah, you dealt with it. But your mom telling any story about your childhood…
[Allan Alford] Oh, dear Lord. Yeah, no. Yeah, no. Just no. Mom, just stay off the internet, mom.
[David Spark] Mike? Do you agree or disagree?
[Mike Woods] I’ll be the contrarian here. I’ll disagree. I’ll go with…
[David Spark] So, you were a perfect child growing up?
[Mike Woods] No. No, certainly not.
[Mike Woods] But I am very aware of what is on the…whatever you put on the internet is public. That’s always been my mantra. So, I’ve been very clear with my family on what they should and should not do, so I’m okay with it.
[David Spark] You’re okay with it. So your mom…welcome her to Facebook, go to town, say whatever you want?
[Mike Woods] Yeah, it’s all in good fun.
[David Spark] All right. By the way, I did not ask the audience for their opinion on the first one. So, let’s do this. Let’s go to the first one. Do you agree or disagree? So, it’s the two scenarios. Really good, maybe even great technical defenses but lousy security awareness. That’s scenario one. Or scenario two, mediocre on both cases. By applause, who thinks scenario number one is worse? By applause.
[David Spark] Worse. All right. And by applause, how many people think mediocre on both ends is actually worse? Anyone?
[Male] I think it sucks.
[David Spark] All right, the sole one going out on that one. All right. The second one of which is worse, having your online shopping account hacked or your mom posting embarrassing stories and photos of you on Facebook. Okay, which is worse? Is it the online shopping account hacked? By applause.
[David Spark] I would say a little more than half. That’s a little more than half.
[Allan Alford] Yeah.
[David Spark] And by applause, how many think mom posting the embarrassing stories?
[Allan Alford] Oh.
[David Spark] Oh. Some of you are applauding both of them.
[Allan Alford] [Laughs]
[David Spark] Because I think John and Rachel, you applauded both of them. No, John definitely applauded both.
[Allan Alford] You’ve been caught.
[Male] I don’t care as long as they don’t see my private wish list on Amazon.
[David Spark] We will have to find out what Jack’s private wish list is on Amazon.
Sponsor – Nightfall AI
[David Spark] We have tons of wonderful sponsors. Hey, let me tell you about Nightfall AI. All right, did you know that employees share five times more active AWS keys in Jira than GitHub? I didn’t know that. That’s what today’s sponsor, Nightfall AI, used by leading organizations such as Splunk, Exabeam, and Oscar Health…it’s what they found in a study they conducted in 2023, this year, across thousands of enterprises.
This highlights the growing problem of secrets and keys leakage in the Cloud, not just in code hosting software but across other applications like Jira, Slack, and Microsoft Teams. Nightfall helps you protect these secrets by integrating next generation Cloud native data leak prevention directly with these applications. Nightfall is agentless and leverages the most recent advances in AI, enabling you to focus on the risks that matter most.
With Nightfall’s data security and compliance platform, you can find and protect your business’ most sensitive data such as PII, PHI, financial and proprietary data. Data security not only builds customer trust, it helps you stand out as a security leader and stay continuously compliant with leading frameworks including HIPAA, SOC2, ISO27001 and many more. What you need to do is you need to visit Nightfall.ai/cisoseries to learn more and get 25% off your first year’s subscription cost.
Let me spell it for you. It’s nightfall.ai/cisoseries. Why not head there right now?
What do you think of this vendor marketing tactic?
[David Spark] So, Allan, you posted about the dangers of vendor waffling even a little on their capabilities as it quickly ventures into snake oil. And then you mentioned a lack of alignment between marketing and engineering. That right there may be the problem. Poor communications between those creating and delivering the service and those communicating about those capabilities. How do we get better alignment so as to not slowly slide into snake oil?
What should engineering be telling marketing, and what should marketing be asking for if they’re not getting what they need? So, does engineering ever speak up and say, “Hey, that’s not right,” when they see marketing’s efforts.
[Allan Alford] Many, many long times ago, in the dark before times, I was at a startup. And the marketing department had gotten ahold of the latest wave of what the product was supposed to be and had generated all their usual stuff, outward facing and all that. But marketing also markets internally. That’s one of the big things that happens in technology companies is marketing tells the company, “Here’s what we’re doing, and who we are, and where we stand,” and all this.
And they had this brilliant… I’m doing air quotes for those who are listening. Ad campaign. And they began speaking to the whole company including all of the engineering folks who were sitting in the front of the room. And started telling everybody what was what, and who was who, and how was how. And at one point, one of the engineers laughed out loud. The room got quiet, and he said, “Marketing, where the rubber meets the sky.”
[Allan Alford] And that was it right there. I’ve been a vendor CISO. I’ve been a CISO, CISO. I’ve been on both sides of this fence. And at the end of the day, everybody has got a role. Engineering is there to create. Marketing is there to figure out how to position it and to educate sales on how to sell it. So, marketing is kind of the bridge from engineering to sales. And so if marketing is misinterpreting, misunderstanding, misfiring, mis-anything in that relationship with engineering, it’s going to automatically mean that cascades to the sales department who’s going to be running around saying specious stuff and not even realizing it’s specious.
So, it all starts with marketing being more self aware, more cautious, more careful, and having stronger communication with engineering. If you start there, the spill over doesn’t occur, and sales is actually hitting the streets with a much more realistic perspective. So I really think it starts with marketing.
[David Spark] What has your experience been?
[Mike Woods] So, I’ll take it from the customer perspective. The way I look at it, the way I talk to a vendor versus my CIO is drastically different. The expectations in setting feedback rigor is a big part. Just establishing that relationship so you can build some trust. But, again, it goes back to what we were talking about earlier. Verify, monitor, and escalate. If you’re not escalating, can you really get legal backing?
If you say, “Hey, it’s time to go. It’s not working. It is the snake oil now. It’s time to move on.” And build those relationships. It’s extremely important in terms of your ability to influence and get things moving with people.
[David Spark] One of the things that I keep hearing again and again from CISOs is, “Tell me what you can’t do. Tell me where your limitations are.” And I hear again and again that actually builds trust.
[Mike Woods] Oh, 100%. Yeah, especially when the vendor says that before you ask. That is a huge piece. Because if you’re looking at a firewall security product, a Cloud security product… RSA was just last week. You hear all these things, and everyone can give you all the AI you need to make everything happy from a cyber perspective. And the ones that come and say, “This is how we operate. This is what we do.
Here’s where we don’t really operate well or what we don’t really do,” those are the ones I’m going to have at a start of a relationship more trust.
[David Spark] I also get the sense that… And correct me if I’m wrong here. But sales people often have the fear of if I don’t say I can do everything, I’m going to lose the sale. Which is it’s actually antithetical. It’s quite the opposite, right?
[Allan Alford] It is quite the opposite. The biggest lie that any CISO ever bought was it’s on the roadmap. Either it already does the thing, which it doesn’t, or, “Oh, we’re going to have that next week.” Honest and transparent communication as to your limitations and to your competitors. That’s another one. I love sitting down with a vendor and going, “Okay, so who are your number one and number two competitors, and why should I go with you versus those competitors?
You know I’m going to do this research anyway. I’m going to find out who they are. And I’m going to have them sitting in the same chair you’re sitting in right now, so you might as well be transparent and honest with me.” And it’s amazing how many of them won’t still when they’re given that opportunity. And that’s not the vendor I go with.
Would this person be a good fit for the job?
[David Spark] On the cyber security subreddit… Which by the way, we get a lot of stories from there. If you’re not already on that subreddit, highly recommend it. So, a redditor asked here, “In a field as complex as cyber security, what separates a good cyber security professional from a great one? In your opinion, what’s the most important skill for success in the field?” So, some great responses mostly from one redditor included have technical knowledge, don’t be the boy who cried wolf, don’t try to be a hero, be willing to own up to your mistakes.
And lastly and probably the most popular answer was the need for communications and charisma because you’re going to need to do a lot of persuading. And adding, and I love this quote, “If you’re a feral wordy goblin who lives barefoot in the woods, you won’t get anything done.”
[David Spark] So, what I found most interesting about this thread is many of these sort of advice are the opposite of what we think when we refer to the “rockstar cyber professionals.” Mike, I’ll start with you. What’s the difference between a good and a great cyber professional? And have you hired any feral, wordy goblins?
[Mike Woods] I’ll start with the first part, good versus great. Good takes action, learns, executes, understands the policies, understands the goals, and the visions, and what we’re trying to do as a cyber organization. In summary, kind of does the things you ask them to do. They do them on time. They get the job done. Great, they’re going to do the things beyond what I directly ask them to do. I am not the smartest person in the room most of the time, so I want the smart people on my team to rise up and do the things that I don’t know.
Tell me the story. We talked about that earlier. That’s extremely important. Are they going and doing root cause analysis, PSRs? Are they doing the five whys and getting deeper into the data, doing Gemba Walks if you’re a lean professional? And finally the great ones, I trust them to own it. They’re the ones that look to me for direction, for guidance, and mentorship. I’m moving more into the coaching and less managing.
That’s the great ones versus the good ones.
[David Spark] I’m going to just do something. Is this a little bit of an ego stroke for yourself? Like when one of your team does something that literally didn’t cross your mind, you’re like, “I hired the right people. I feel damn good about myself.” Yes?
[Mike Woods] I think so. It makes you feel like you made the right decision. But as you said, if we go to the goblins part of it, the goblins…
[David Spark] Yeah. Have you hired a goblin? We all have.
[Mike Woods] Yeah. We all have. And one of the things I noted when I saw this question was sometimes a goblin can be hiding a rockstar if that’s out there. So, the example that I had was a great application architect came in, said all the right things, super charismatic, knew what to do and how to portray the story. And when things did not go his way, he became that goblin and did not interact with the team, did not interact with leadership and his peers, and me.
And it just boiled down to where one day he quit. But sure enough, sure enough, one of the members of the team stepped up. He was a front end engineer. Became a full stack engineer and then went from technical leadership now into a people leader and a senior manager. So, sometimes those goblins can be hiding rockstars, so you really have to watch them.
[David Spark] Good point. All right, difference between a good and a great cyber security professional, Allan?
[Allan Alford] Yeah, I’m going to invert the two questions because I think as to the first one, what separates the good from the great, the older I get and the more I’m in this industry, the more I think that the number one trait I look for is humility. I think that the communication piece, as was pointed out, is critical and vital. But one of the single most important things we can do as cyber security practitioners and professionals is recognize the fact that what we do doesn’t matter that much.
[David Spark] Well, that’s a pretty bold statement. Why do you say that?
[Allan Alford] Big picture. The business has drivers and concerns that are far larger than us 90% of the time. And if you walk in the door, kicking in the door with the, “I’m the cyber rockstar, and I know what’s what. Here’s what we’re going to do. We’re going to pay a ton of money and secure this, that, and the other,” you’re going to get nowhere. You have got to have the humility to recognize that your agenda and your mission are just one of many.
And probably not the most important one upstairs. In fact I almost guarantee not the most important one upstairs. Which brings me to the second part of the question. Rockstar culture is… Oh, I want to say a bad word right now. Unnecessary, unhealthy, and toxic. I am a big disbeliever in rockstars. I’ve had them. I’ve been one. I’ve had them on my team. I’ve seen the role. I’ve lived the role. “I’m the savior, and I’m the one who’s going to kick in the door and rescue the kittens from the fire.
That’s me every time. Yeah, you can call me at three AM. Go, go, go, go. Rockstar.” Right? It does a few things. It devalues the contributions of those who don’t have that extraversion and that intensity to them. It creates dependencies that are unhealthy for the organization. Succession planning goes out the window as soon as you start celebrating rockstars. And it’s completely contrary to that humility I just mentioned as the first part of the question.
[Mike Woods] I’d agree with those sentiments. One of the things I also look at is the warrior monk mentality. You want to have those folks that have the type of mentality where if it’s time to go to war, they’re going to grab it and run. And during those times, it can get ugly. But you’re right, the rockstar mentality of, “Hey, I can make anything happen, and I’m going to celebrate that,” can get to be problematic for sure.
Sponsor – Rapid7
[David Spark] We have one more phenomenal sponsor. It’s Rapid7. So, they’re a Cloud security company. Throwing more at cyber security does not work. We know that. Not more money, more tools, more data, more nights, more weekends. It just doesn’t. So, here’s an idea – less. Yes. Rapid7 is the only practitioner for a cyber security platform that delivers risk and threat coverage across your entire attack surface, which means Rapid7 thinks, fixates, obsesses really about the same things you do – productivity, effectiveness, not more intelligence but actually maybe less.
Intelligence you can trust. A platform that easily integrates, that grows and changes as you do, delivers one unlimited commitment after another, and consolidation. It has to deliver for CFOs and CISOs, both of you. We talked about that earlier today. So, check them out at, where else, rapid7.com. It’s just the way it sounds, rapid7.com. Go there, and you’ll see new ways to do more with less and exactly what matters.
It’s time for the audience question speed round.
[David Spark] I have in my hand a slew of questions here from our audience here that I asked beforehand. My guests have no knowledge of these questions whatsoever, but I’m going to ask them. And I think I have about seven or eight of them. Eight. I have eight here. Let’s see if we can get through all eight in the little time that we have left. All right, this comes from Loy Evans of Theom. They are a brand new cyber security company.
They have actually been in sales only three months. So, quick advice, what’s your advice for a vendor that’s only three months into sales? Start with you, Allan.
[Allan Alford] Find design partners.
[David Spark] Find design partners.
[Allan Alford] Yeah, yeah, yeah.
[David Spark] For sales?
[Allan Alford] Yeah, absolutely. As the sales force, you shouldn’t be out there necessarily working your product per se. You should be. Obviously that’s what you’re paid to do. But you should be hunting design partners. You should be hunting people who, that early in your company’s evolution, can not only bond with you but help shape the product and create real-world need.
[David Spark] I like it. All right. Mike?
[Mike Woods] I would say along with the design partners, business partners. Where are you going for your funding? There’s a nice product. No engagement with them at all, but I love to read it. It’s called Momentum Cyber. You can find it on LinkedIn. It has all the M&A stuff around all the VC stuff, and it’s a huge wealth of information of who’s running these organizations, how they’re getting their funding, who’s buying who.
If you’re a new organization trying to start, take a look at that. It’s very interesting.
[David Spark] All right. This question from Ryne Davis of Navy Federal Credit Union. Now, some insurance companies just flat out stop paying insurance for like hurricane and earthquake in certain locales. What happens…? And I’ll start with you, Mike. When they just stop paying for ransomware. Because that could be happening. What do you think?
[Mike Woods] Backups. I think someone said that at one point.
[David Spark] More backups.
[Mike Woods] Backups.
[David Spark] [Laughs]
[Mike Woods] The immutability of backups is important. I think the recovery plan and making sure you’ve got immutable backups for critical systems. Maybe you can’t afford it for all your systems, but you better have it for your critical ones. Insurance is not that old when it comes to cyber in terms of a maturity model. So, a few years back, they weren’t even assessing you. They would just say, “Here’s the amount of money based on the size of your business that it’s going to cost.” Now you’re getting assessed.
Now you’re getting reviews and needing to provide information. So, I think having your ducks in a row from your control standpoint for recovery is the most important piece.
[David Spark] All right. Allan, quick tip?
[Allan Alford] I think it’s my hot take, David, because I’m going to hot take again. Cyber insurance is for the weak. Transferring risk, you’re lame. You’re just lame. You’re lame. It’s a checkbox requirement. My little one-man consultancy, “I carry a million dollars of cyber risk because I have to.”
[David Spark] Well, there’s some risk you can’t reduce.
[Allan Alford] There is some risk you cannot reduce. Absolutely. So, you’re just supposed to spend money and hope someone else pays an even bigger amount of money on it? No, you’re supposed to reduce your attack surface. You’re supposed to try to figure out ways to not have the risk be risk in the first place.
[David Spark] So, don’t use cyber insurance. It’s a crutch.
[Allan Alford] I’m not saying don’t use it as a crutch. I’m saying, yeah, don’t use it as a crutch. That’s exactly what I’m saying. Use it. Use it as a crutch.
[David Spark] [Laughs] Okay.
[Mike Woods] Not as a crutch, yeah.
[Allan Alford] Use it but not as a crutch.
[David Spark] All right. Ricky Allen over at CyberOne asked this one. Just we’re going to have some graduates. We’re recording this in May. We’re going to have some recent graduates. Give us one quick tip for a college person to get a job graduating. “I want to go into cyber security. What’s a quick tip?” Mike?
[Mike Woods] Don’t stop searching if it’s what you want to do. Keep going for it. There are so many jobs. ISC2 just put out their report for ’22, and I think there’s 480-something thousand. I think that’s the number that they reported for the United States in terms of openings. There are a lot of opportunities. Not everybody needs to be an IR either. There are so many opportunities in risk and compliance.
Maybe you’re not a cyber person, but you understand risk. Half my team is compliance people.
[David Spark] Are you hiring college students right now?
[Mike Woods] We are not, because of the transformation that we’re going through at GE. But we’ve had them in the past. We actually had an organization here with the local universities, so we would hire lots of interns. And actually I still have a few of those interns on my team.
[David Spark] Allan, quick tip.
[Allan Alford] Hot take number three.
[David Spark] Let’s do it.
[Allan Alford] If you look in the mirror and the whole reason you want to be in cyber security is because it pays well, screw off. I don’t want you.
[David Spark] Oh, all right.
[Allan Alford] Get out. Get out. Get out.
[David Spark] All right.
[Allan Alford] You’re here because you have curiosity. You’re here because you have drive. You’re here because you have the noble cause of protection.
[David Spark] All right, let’s see how many more of these questions we can get through. We got two minutes left. Charles Payne of Neptune Media asked this question, quick answer, how do you know you’ve chosen the right mentor? What would let you know that? Either one of you, just jump in.
[Allan Alford] Cool hat. If they have a cool hat.
[Mike Woods] I don’t think you’ll know it right away. I think it takes time. But when the person…you’re able to flip the script, and you’re able to give them guidance, and help them, and flip the mentee to mentor piece. That’s when you know you made it.
[Allan Alford] One of my mentors posted on LinkedIn just two weeks ago that I was his mentor, and I was like, “Whoa.”
[Mike Woods] It’s really cool when that happens, right?
[Allan Alford] Yeah. Yeah.
[Mike Woods] That’s really cool.
[David Spark] That’s pretty cool. All right. Ben Smith of Netwitness asked this question, which I always ask, and he asked it. So, time machine, go back to the very beginning of your cyber security career. How would you advise yourself differently? Not like what advice you’d give for others, but how would you advise yourself differently?
[Mike Woods] Buy bitcoin.
[Mike Woods] No, we had an opportunity to. It’s a long side story, but I had an opportunity, and I didn’t do it. But no. I would really focus in more on Cloud. I think when I started, I was racking and stacking. That was 2004. Still physical servers and data centers all over the country type of thing. And we did not take Cloud very seriously back then because it was very new, like a lot of people.
But I wish I would have taken it a little bit more seriously, I think.
[David Spark] All right.
[Allan Alford] I’m going back to my earlier statement, humility and lack of rockstar syndrome. If I could shake my younger self around, I’d be like, “Dude, lay off the cyber and learn the rest of the organization.” That’d be tip number one.
[David Spark] You were not humble at the beginning?
[Allan Alford] I was not humble at the beginning. I was Mr., “We’re going to cyber the cyber out of all this cyber, or you’re just going to get cybered.” I was that guy.
[David Spark] Cyber the cyber out of it, all right. I like it.
[Allan Alford] I was that guy. And I want to slap that guy now. And, “I’m going to stay up until eight in the morning every morning starting at six in the morning.” I was that guy, too, and that guy also needs to be slapped.
[David Spark] All right. Very last question. From Peder Angvall of Fastly, when is the time to hang it up for one tech and just move on? I like this one. Give me a good response. We’re closing on this.
[Allan Alford] When its efficacy is demonstrated, and measured, and reported almost entirely as overlap. In other words, here I am generating metrics from this tech, but it’s tied into these metrics from this one, and this one, and this one. And it’s almost never distinct, on its own. It’s probably a rationalization…
[David Spark] So, the Venn diagram is a full circle.
[Allan Alford] Of the metrics coming out of it that you’re actually reporting and using.
[Mike Woods] Yeah, that’s what I was going to say is where’s the value prop for the organization. Is it there still or not? And some things will go away, and that’s just the nature of digital transformation. You’ll need to build new things to deal with new technology. So, I think it’s when the value prop for the organization is at its end.
[David Spark] Well, that brings us to the very end of this episode. I want to thank our audience.
[David Spark] A fantastic crowd. Let me close this out. I want to thank our sponsors, Conveyor, Nightfall AI, and Rapid7. Let’s hear it for them as well, making this possible.
[David Spark] Let’s hear it though for our awesome producers, Nazio and C-Pat, who made this all possible. Come on, let’s hear it for them.
[David Spark] Then just in closing, I’m going to let both of you…just a quick comment. Any last words you have on today’s episode. Allan Alford, who is the CISO over at Precedent, also has his own podcast, The Cyber Ranch Podcast. Any last words, Allan?
[Allan Alford] Hit me up on LinkedIn. Especially if my comment about needing to be more humble in cyber security mattering less than you think it does… If that annoyed you, good. Let’s talk. I want to have a real conversation. So, hit me up on LinkedIn. Let’s chat.
[David Spark] All right. And if you took any photos, by the way, Allan is @allanalfordintx. That’s on Twitter. And I’m @dspark on Twitter. So, please feel free to tag us there as well. Mike, any last comments here?
[Mike Woods] No, just thanks, David and Allan, for all of this. This was my first podcast.
[David Spark] Oh, really? You knocked it out of the park.
[Mike Woods] Very excited. So, thank you. I do appreciate it. Hopefully not the last. Hopefully I’ll be on The Cyber Ranch at some point.
[David Spark] We will get you back on another CISO Series show, too. That was awesome. Mike Woods, corporate CISO over at GE. Thank you again, everybody. Really appreciate it. As always, we greatly appreciate the contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday and Cyber Security Headlines – Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “what’s worse” scenarios. If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on cisoseries.com.
And/or contact David Spark directly at firstname.lastname@example.org. Thank you for listening to the CISO Series Podcast.