If you’re happy with your best practice of rotating passwords, that’s great for you. Just don’t lay your old-timey “rules for better security” on me boomer.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Robb Reck (@robbreck), CISO on sabbatical and co-founder Colorado=Security, a podcast and Slack community.

Got feedback? Join the conversation on LinkedIn.

Our sponsor for this week’s podcast is VMware

Full transcript

Voiceover

Ten second security tip, go!

Robb Reck

It’s almost undoubtedly true that your security program, can get more value from you focusing on the tools you already have, instead of going out and buying another tool. Folks should sign up as an annual practice. They should get their vendors who they already have contracts with, to come in and do a review of their implementations; help find any new features that they’re not taking advantage of, or any parts of the implementation that are not working well. That’s probably the best ROI you can get on improving your security program.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark, I am the producer of the CISO series. And with me all through COVID is Mike Johnson. Mike, the sound of your voice, let’s hear it.

Mike Johnson

You’ve tried to get rid of me over and over, I’ve been here every week. Every week. You’ve tried, you can’t get rid of me, David.

David Spark

You are like lice, Mike. [LAUGHS]

Mike Johnson

I’m sorry, I’m here. I am not like lice, but I am persistent.

David Spark

What is the least pleasant way I can describe you [LAUGHS], lice.

Mike Johnson

Yeah, thank you, thank you. Welcome to the show, everyone!

David Spark

My co-host, Lice. [LAUGHS] Alright, we’re available on CISOSeries.com. We’re also on the subreddit of CISO series. Our sponsor for today’s episode is VMware. Thank you VMware. It is a thrill to have a company of your stature sponsoring this show. I’ve actually covered the VM World Conference many times. Do a search on “How do you explain visualization to your mom” to see a video I shot back in 2013, at the VM World Conference. It’s pretty darn funny. But they have more to say in the middle of the show. Mike, you know what I did yesterday? I had my high school reunion via Zoom, which I’m sure many others listening have done this as well. And, I will not say the number but we’re talking multiple decades here, and I got a nice compliment of saying the one of us that had changed the least since high school.

Mike Johnson

[LAUGHS]

David Spark

We’re talking visually here, we’re not talking maturity levels. So I was very appreciative of that, but it was great to see some old classmates. It’s one of those things, like “Where are you? What are you doing?” that’s what everyone wants to know from a high school reunion. But I must say, I was on it for just a little while and it was just like, “Yeah, I think I’m done now.”

Mike Johnson

It’s a lot easier to leave.

David Spark

It was very easy, click off. Did my polite, “Goodbye everybody” and then I just signed off.

Mike Johnson

Just bail and go. You hit the button.

David Spark

Again, my high school reunion was very small, because my graduating class was 67, so there were only nine of us actually on the call. So it wasn’t that many.

Mike Johnson

That also means you can’t really sneak off very easily too, when there’s only nine of you.

David Spark

Yeah, everyone sees me going away. One of our classmates actually just left his camera on and disappeared, for the whole time.

Mike Johnson

I mean that’s just like a standard Zoom meeting, right?

David Spark

Exactly [LAUGHS]. Alright, let’s get to our guest today who I’m very excited to have on. I have known him for many years, you know him as well. I’ve interviewed him many times. He’s always an awesome interview, he’s a podcaster himself. The name of his podcast is called Colorado=Security, which not only is a podcast but a Slack community that he created as well. He is now a CISO on sabatical, Robb Reck. Robb, thank you so much for joining us.

Robb Reck

Hey guys, it’s really good to be here. I’m excited too. I’m a little nervous about the lice, and I’ve got to say, you know, coming in first at your high school reunion for not having changed, it really changes the tone of that when I know there’s nine people on the Zoom. [LAUGHS] It’s less of an accomplishment now David.

David Spark

I beat seven or eight others, I know. [LAUGHS]

Close your eyes and visualize the perfect engagement.

00:04:14:07

David Spark

“If we’re supposed to shift security left in the software development life cycle, who is supposed to put security in to the software earlier in the process; the software developers or the security professionals? Software developers are already expected to know a lot and the industry trend seems to be expecting them to take over more and more,” said Rick Woodward of Gibbs & Cox who recommends moving security people into the coding process. So, I will start with you Mike, how much development training would a security professional need to know in order to be effective, to work with developers?

Mike Johnson

I think the first thing I want to make sure folks understand is, I do not think that we need to be turning developers into security professionals. This expectation that developers need to know more and more, that’s not what we’re talking about when we’re building security into the development life cycle. We’re talking about providing a safe environment for those developers to build software, not turn them into security experts.

David Spark

Right, and Rick was saying that you can’t put too much on them, and you’re supporting Rick’s comment here?

Mike Johnson

So when thinking about the security professionals, the ones that I know that have the closest relationship with developers, they’ve been developers themselves. At some point in their careers, they’ve written a lot of code. They’ve written in the modern way of developing with a CICD pipeline, they can sit down and have the conversations with developers, they can look at the code, they understand what it’s doing. At the same time you don’t have to be that, you don’t have to be, you know, I can go and write as good as any developer out there. It’s a great skill if you have that, but if you can at least read code, understand it, understand the logic, you can then provide the feedback to the developer who can then take that and do something with it. You don’t need to do their job, but you need to be able to see the big issues, point those out to the developers that they can then learn from that, and then go and fix whatever that might be.

David Spark

So the ability to just read code, not to actually create the code yourself?

Mike Johnson

Correct.

David Spark

It is considerably easier to read code than it is to create code.

Mike Johnson

Yes. It’s much like regular languages that humans speak to other humans. It’s often easier to read that language than it is to be able to speak that language back to someone.

David Spark

As someone is trying to do that right now with Spanish, I can attest to that. [LAUGHS] Alright, Robb, what’s your take on the level of education a security person needs to assist a developer.

Robb Reck

I think that’s a great conversation. I want to say, I agree with Mike that it’s easier to read code than to write code. I can read some code, but it does depend on the code. I’ve read some code that I’d be much better off starting from scratch than trying to understand what these folks did here.

David Spark

Like assembly language.

Robb Reck

It definitely depends, but I want to break it into a couple of different sections. Mike, I agree with you that we don’t want the developers to all of a sudden feel like they have the burden of understanding everything about how how cross-site scripting works, and SQL injection. What we really need to do for them for the most part, is enable them with libraries and components that deal with most of those problems for them. Hey, you want to do authorization, you want to do access, you want to do encryption? Just pull one of these libraries that we’ve already approved as part of your process. That said, there is another section where I do really want to enable my developers to become security minded, and that’s around what I call business logic flaws, or really, how the business should work. So a good example, one of the most common examples is if you go to the shopping cart on an e-commerce site and you want to order two of something, it’s going to cost twice as much. If you put in negative two of something, we shouldn’t credit you the money for that thing, right? You can’t buy negative two of something. That’s the kind of thinking that you want developers, or QA, depending on your company, to have in mind. Just to think like an attacker. The idea of threat modeling and exposing developers to the threat model for the product that they’re working on. That makes a big difference and I think it helps them, number one feel a little bit more invested in, hey, “Bad guys might try and do these things against my product and I want to think about it”, but I don’t want them to spend all their time worried about “Hey, did I get the syntax for that right from a security perspective?” I think that’s probably less valuable.

What’s it going to take to get them motivated?

9:00.448

David Spark

What’s the scarcest resource to a CISO? Is it headcount or money? Allan Alford, my former co-host of Defense in Depth, and now, CISO over at Trustmap, said it was headcount. When headcount is scarce, security leaders don’t seek out entry level candidates. Outside of “it would be good for the community,” what’s the business incentive for a company to build a more, I would say, hierarchically distributed security team? So you’ve got people at the entry level, at the mid-level, and at the high level. I ask you Robb.

Robb Reck

I just love this conversation and there’s so many things I’d like to comment on here. If we start off by addressing the question, Is it headcount or is it money? I would say that the biggest challenge I’ve seen is where those are different things. If you work in a company where, hey, I can find you millions of dollars in contracting dollars, or in OPEXbut I can’t find you a dollar to make a hire, well, that’s a company where the CISO’s not going to be very effective, I think. You’re in a company that’s giving you these artificial handcuffs that are going to make it really tough.

David Spark

By the way, we hear that all the time.

Robb Reck

One of my closest friends has exactly that problem. He’s got one person working for him with a multi-million dollar budget, and he’s just like, throwing money to contractors, and I guarantee you, it’s less effective than if he could use that money wisely. If you’re in a good place and you’re able to use money where it makes most sense, well that’s not really a big difference between money or head counts, unless of course hiring is a challenge. So that’s my number one point there. Number two, to address the entry level thing. Man, I absolutely just love hiring entry level folks. And I’d say that if you know, many times in my career, many times, I’ve done it two for one. You know, where you have a senior level person leaving, hire two entry level folks to take their place, and wildly successful. I tell you probably 80 to 90% of the time that that’s worked out better for me than having that more senior person.

David Spark

Could you walk me through why that works for you, because this I’d like to dig into a little bit.

Robb Reck

So generally I think getting folks who are passionate and excited for the opportunity. People who’ve been in security for a long time, like me and Mike, we get tired of it. It’s hard.

David Spark

You don’t have the same sort of green excitement you had when you were in your early 20s.

Robb Reck

Yeah, and the effort to go run new things and, the way we’ve always done things gets kind of embedded in the engineers who’ve been around for a long time. I don’t want to suggest that you can do all entry level, you certainly can’t. I can’t go get rid of a team of ten and put in 20 entry level and call that good, but I can take two or three of those senior folks and turn that into a six or eight new additional entry level folks, and that will make the more senior people better, because they get an opportunity to mentor; they get someone watching them who’s really there to learn and those folks take that leadership opportunity really seriously. And it makes this path to make things better insider the organization. I have really learned a lot. Now, you can go too far, and there’s another challenge with it which, two years later you hire someone right out of school for half as much. Two years later they’re worth 50% more than they were when you hired them, maybe 100% more. It’s really hard to afford that steep learning curve at the beginning, but my goodness, it’s so worth it whenever we can.

David Spark

Alright, Mike. I throw this to you about creating the more balanced team if you will. Not too top heavy, high level. Not too bottom heavy, low level.

Mike Johnson

Yeah, I agree with a lot of what Rob was saying, and I really also like bringing in entry level people. I think it’s new perspectives that are able to challenge “We’ve always done it this way.” Where you do have people who are set in their ways, bringing in people who have this new perspective because they’re early on in their career,. It’s great to challenge that sort of institutional stubbornness, I guess would be a way of putting it. But the flip side is you have to have that environment in which they can thrive. You can’t bring them into a place where you don’t have the ability to mentor them, where you don’t have other senior people in the area that you’re trying to grow this person, to mentor them, and expect them to come forward. Expect them to be able to thrive in that kind of environment. So you have to have a good environment if you’re going to bring in those entry level people. Otherwise they’re going to fall on their faces, get really frustrated, maybe even leave the profession entirely because they had such a bad experience. So it’s really important to make sure you have that environment. And if you do, then this can be very successful.

Robb Reck

Let me just say, Mike you’re exactly right. It has to be a strategy. It’s not just that we follow ourselves into hiring entry level people; you have to strategically go after having that right tiering, and the right support for those folks to be successful.

Sponsor – VMware

00:14:00:19

Steve Prentice

Finding the needle in the haystack has never been easy, and the idea is to have multiple points in the network where you can stop a network attack. But Jeff Lindleythe worldwide network security practice leader for VMware says “We have to go further.” East-west, he says, is the new battleground for security.

Jeff Lindley

Steve, what we are finding in the industry is that no matter how strong your perimeter defenses are, attackers, once they find a way into the network, they gradually move laterally, escalate their privileges, find their target. They gather that data and then they’re able to learn the network and exfiltrate that data.

Steve Prentice

This is where the VMware NSX Firefall comes in.

Jeff Lindley

The new battleground is not the perimeter, the new battleground is the identification and the stopping of lateral movement of these attackers, within a customers network. When you look at the existing solutions which are very often physical appliance based, it’s very very hard to sit in line in a customers network everywhere in the network, without having to do massive restructuring of that network. Then you have the age old problem of how does it scale. So where VMware really has been shining is, we have the ability to essentially turn the lights on for a customer, and show them everything from an east-west perspective. All the traffic flows, all of the threats, in a manner that existing security perimeters security vendors can’t get to.

Steve Prentice

For more information visit VMware.com.

It’s time to play, “What’s Worse?!”

00:15:48:23

David Spark

Mike, I want you to know that Jason Dance of Greenwich Associates, and I, worked on this What’s Worse? question together…

Mike Johnson

That’s not fair.

David Spark

…in the hopes that we can turn you on this brilliant jerk issue. I will also tell you that the question is also not fair [LAUGHS].

Mike Johnson

Of course.

David Spark

You will see soon enough. Alright Robb, you know how this game is played, correct?

Robb Reck

Remind me.

David Spark

Two scenarios. They both are horrible. You’re not going to like either one of them, but it is a risk management exercise where you have to determine which one is worst.

Robb Reck

Sounds like, “Would you rather?” and I play a lot of that with my kids. I feel good.

David Spark

So there you go. I will throw this to Mike first. No pressure but I do like it when people disagree with Mike.

Mike Johnson

That’s true.

David Spark

By the way, just in general, this doesn’t have to be this game, I just like it when people disagree with him.

Mike Johnson

That’s also true.

David Spark

Here it is, Mike you know how this starts. You got a brilliant jerk on your team. As long as we’ve played What’s Worse? You’ve always picked the brilliant jerk as being worst.

Mike Johnson

I’ve been consistent.

David Spark

Alright. You’ve got a brilliant jerk on your team that is handling a massive attack very well, but most of the other times being around him, pretty painful.

Mike Johnson

Okay. That’s one.

David Spark

Or, you’re getting attacked by a brilliant jerk [LAUGHS] and… your team doesn’t know how to handle themselves and they’re falling apart as a result. Which one is worse?

Mike Johnson

So, again this is a scenario of short term pain versus long term pain. You’ve got, in the first one, you have the long term pain of having this brilliant jerk on your team. And maybe every once in a while they do something really good. Attack or not, that’s generally the brilliant jerk scenario. Is there some reason that every once in a while they do something really well, but most of the time they’re just miserable to be around. And then the other side is, you’ve got the external pressure, the attacks coming in, but you’ve got a happy team. You’ve got a team who knows how to work together.

David Spark

But they’re falling apart at this moment.

Mike Johnson

In this one time?

David Spark

Yes.

Mike Johnson

And, I’m actually gonna be consistent here David. It was a nice try David, nice try Jason, but even in that scenario where you’ve got an attack going poorly for the company, that team is going to come out of that so much stronger.

David Spark

Let me ask you this question, how is your CEO going to feel about this? That you had the team falling apart?

Mike Johnson

My CEO isn’t going to be in the situation either, right. These are two different extremes.

David Spark

No, but wouldn’t you have to support the business in this situation?

Mike Johnson

I’ll put it another way. How many companies survive having a breach that the company completely screws up? All of them. And how many companies survive a toxic culture that supports the brilliant jerk? Not a lot of them.

David Spark

It’s a good point.

Mike Johnson

So I’m still here.

David Spark

Alright. He remains consistent. Yet we’ve been able to find this scenario. Robb do you agree or disagree with Mike on this?

Robb Reck

So, get a little context. In both of these situations I as a leader have failed. In one I have allowed a brilliant jerk to stay on my team, and the other I have not prepared my team for incident response, which is like step one of what you do when you come in, a leader of a security team. So I’ve failed in both. I don’t like either of those.

David Spark

That’s the idea.

Robb Reck

I’d rather get through this thing without having my company impacted, so I’ll take the brilliant jerk, and I’ll get rid of him right after, because I learned my lesson.

David Spark

You can’t do that. No, he sticks around.

Robb Reck

I can’t ever get rid of him?

David Spark

No this is how the “What’s Worse?” scenario works. That would be the easy answer.

Robb Reck

But then Mike’s not allowed to train his team and make them stronger coming out of this either, right? 

David Spark

They’ll inevitably come stronger.

Robb Reck

Well okay, I have to agree with Mike then, [LAUGHS] if I can’t get rid of the guy later. [LAUGHS] I tried to disagree with Mike, I did my best.

Mike Johnson

It was a good try, Robb.

David Spark

A for effort. [LAUGHS]

Walk a mile in this CISO’s shoes.

00:20:31:01

David Spark

On LinkedIn, Dan Woods of Evolved Media asked, “What’s the hardest part about being a CISO?” Woods said, “It’s that perfection is the expected standard.” If you agree, is there a way to convince the C-suite and board to look at maybe a different standard, or to qualify that standard? And if not, what do you think is the hardest part about being a CISO? And I’m going to throw this to you Robb, because you just left being a CISO.

Robb Reck

I’ll start off by saying I disagree that perfection is the standard, and I don’t think that that’s the hardest part about being a CISO either. I think if you’re in a place where perfection is the standard, you should start looking for your next opportunity. That’s kind of a flippant answer. Really what you should be doing is educating the team that perfection is impossible, and we’re here to learn through iterations. And, my goodness, let me show you have many instances we’ve dealt with, and those make us better in these ways, right? That conversation needs to be happening, and your board of directors should understand that breach response is an important part of what we do as CISO’s. So I don’t think that that is the standard, it’s expected. My take on what is the hardest part of being a CISO is the very nature of what we do, as being here to say “Hey, well let’s make sure we’re doing this the right way” causes friction with our key stakeholders inside the organization; the people who are there to push product, get that out the door as quickly as possible to generate revenue, close this deal and agree whatever contract terms are required by the customer. Those are areas where we are put there to be a counterpoint to what they’re saying, and that friction is really exhausting over time. It’s really hard to always be the one in the room being like, well actually maybe we shouldn’t push that thing out until we’ve got it secured. Maybe we shouldn’t turn on that interface until we actually know what data is moving across it. Being the one in every meeting to be like damping the enthusiasm, that gets really old over the years.

David Spark

Alright Mike, I throw this to you. You were nodding your head that you don’t believe the perfection is the standard expected of CISO. So what do you think is the hardest part? And do you agree that that’s not the case?

Mike Johnson

So I agree that perfection isn’t the expectation. I haven’t run into that, and I think its… folks recognize that we’re human. I can understand how from the outside it might look like a business is expecting no mistakes from a security perspective. Inside these companies they understand that mistakes happen. And I don’t think perfection is really the standard.

David Spark

What do you think is the hardest part of being a CISO.

Mike Johnson

So I really thought about this one, because it was an interesting question, and what I really find is a struggle is, there’s no clear agreement or understanding on what the definition of success for a security team, or for a CISO, is.

David Spark

That’s a good point.

Mike Johnson

We’re still a young profession. Those norms don’t exist to define success. So we end up having to make our own definitions, and it’s kind of weird to measure yourself against a definition that you’re creating. That also feels weird. We don’t have this decades of management consultants and deep thinkers who have really set up ‘this is what success looks like.’ We’re still trying to make it up as we go, and so that’s my biggest struggle that I run into.

Robb Reck

Can I just respond to that. I was thinking about the lack of understood principles there. Accounting comes to mind with GAAP, and the fact that they have a really well understood industry. They know what success looks like, but as we’re talking it occurred to me that perfection is expected of accounting and finance. You’ve got to get those financial reports out perfectly, according to GAAP. And the fact that we don’t have such a well understood standard actually is maybe the reason that perfection isn’t so well understood. I hadn’t thought about that before but, if you’re a CFO and you mess up one of your Q’s or K’s going out, that’s unacceptable.

David Spark

I worked in a company where the CFO allowed embezzlement, and he didn’t know it was going on, I mean he wasn’t involved in it. There was essentially money being stolen from the company, and you would think that would be a reason that a CFO would go. But for some reason he stuck around.

Robb Reck

Good for him I guess?

More bad security advice.

00:24:53:00

David Spark

So this is actually a little bit of a tongue in cheek title, because we’re going to talk about best practices in that they’re not always universal. Robb, you had mentioned earlier that there are plenty of situations where one company’s best practice will not work for another. Alright, give us a few. And, do you simply look to others who have a similar business models to you to follow best practices, or is it something else? When do you know advice is appropriate for you and when it’s not?

Robb Reck

Yeah I mean, this is another of my favorite topics, and it goes back to what we were just talking about with GAAP and accounting. There’s a well understood recipe for success there, there’s not for us. If you come in as a security person and say I’m going to do it just like I did in my last company, you’re going to be alienated right off the bat. You’re the guy who doesn’t understand the culture. So, I think the first thing we all need to do is just understand, how is our culture work at our company. What’s important to us? One of the can’t miss things that we need to make sure we don’t get in the way of. Where are the bodies buried, where is the important data? Once we understand what makes our company unique and successful, you know, what makes Fastlyor Ping Identity, where I used to be, what makes those companies able to achieve their numbers? Okay, well I want to make sure that I secure those, and you build a practice that supports that. And frankly it can look very different from the company across the street. I know you asked me for specifics and I’ll give you a couple. I think reporting structure is one; there’s so much debate about where should it go. And I’ve heard people get up on their soap box “You should never report to the CIO,” or vice versa, and I’ve reported to the CIO.

David Spark

And by the way, we did a whole episode on defense in depth on this very issue.

Robb Reck

So another one, we talked about development, whether you have security engineers in, whether they’re sitting in security org or if they’re in development org, and either reporting structure could depend on how their organization is looking. Firewall management; who should manage firewall or AV, or any of these things. I really think anything that we talk about in terms of how should roles and responsibilities be distributed within the company, I’m open for any of those as long as we understand that the right things are getting done, and we know where this sensitive data is for our company. And the first thing a new CISO should do when they come in, when they walk in the door to a new company is they should say “Alright, what are the three to five things that this company has to do to be successful? How do I make sure that I don’t get in the way of those?”

David Spark

Good point. I throw this to you, Mike. What example of a best practice doesn’t work for you?

Mike Johnson

[LAUGHS] I usually go back to my punching bag of password complexity and rotation requirements. For some reason these still get handed down as best practice.

David Spark

Now we don’t think it’s best practice for anybody. I want something that is truly a best practice for somebody, and I thought the examples Robb gave were good. Like having the engineers with the developers or not. For some yes, for some no.

Mike Johnson

How often are people given the advice, “Don’t open emails unless you recognize the recipient.”

Mike Johnson

Or click a link at least.

Mike Johnson

And don’t click on links in email. That is advice that still gets passed around.

David Spark

But is it good for somebody?

Mike Johnson

I think some people believe in it, otherwise they wouldn’t keep talking about it. And I think one of the things maybe to step back a little bit and think about this topic is, best practice, my things that I think are the right way to do it, are different than what Robb thinks, are different than any other CISO we’ve had on this show, because we’re thinking about our specific environments. But there are plenty of others who don’t get this. They’re just consulting a book, a guide, a whatever, and continuing to follow it. So, you know, amongst us, this isn’t best practice, but it’s still written down and thought of in other environments as best practice.

Robb Reck

Mike, this reminds me, one of the biggest fallacies I’ve learned along the way is that creating a security program or architecture is conceptually difficult. You could spend a weekend with a book and you could write out the perfect security program in a vacuum. It’s when it actually meets the real company, the challenge is, how do I influence this organization over time? I can jam it in day one and maybe day two it works, but it’s not going to stick, right? That influence, it’s nothing to do with what best practices are. It’s all about how does your company act with those best practices? How do you mesh the culture change?

David Spark

Excellent point Robb, and we are going to leave it right there. Thank you so much. By the way, this was a jam packed show. A producer I used to work with said, and I’m sure you’ve heard this line before, just like 40 lbs of potatoes into a 20 lb sack. That’s how much we got into this show.

Robb Reck

I heard that. When I put on a medium shirt, that’s what I’m told. [LAUGHS]

David Spark

Well, Robb is not a medium, for those listeners out here, but you’re an appropriately sized male.

Robb Reck

I’m a svelte XL. [LAUGHS]

David Spark

Alright, Robb, I’m going to let you have the last word; and by the way sometimes they say, “Oh, are you hiring?” but since you’re a CISO on sabbatical, I will say no for now.

Mike Johnson

Maybe he is.

David Spark

You may be hiring, because I know you’re going to be having a new job when this podcast drops.

Robb Reck

I’ll just say, I don’t want any recruiters reaching out to me to help me find a new job, let’s say that.

David Spark

Okay, good. He’s happy with where he’s going.I also want to say thanks to VMware for sponsoring this episode of the podcast. They are actually going to be a very strong sponsor of the CISO series. So thank you so much, VMware. Alright, Mike, any last words?

Mike Johnson

Yes, Robb, thank you for joining us. We’ve known each other a few years. It’s been great, every time we’ve had the chance to have a conversation, so it’s wonderful to sit down and have this conversation, and have people actually be able to listen in. It was great to listen to you talk about your different perspectives on security. The way that you approach things when you’re talking about the perfect organizational structure, and how it doesn’t exist. There are roles and responsibilities that can work at any point, and I think that’s a great reminder for folks. And I really appreciate your different approach to security, and you’re willing to challenge convention. So thank you for always doing that, but especially for doing that here on our show today. Thank you for joining us, Robb.

Robb Reck

Thank you and thank you for being a podcaster yourself, you were very good on the microphone, so I appreciate that. Robb, any last words, and please give a plug for your Colorado=Security Slack group, your show and all that.

Robb Reck

Yeah, so we’ve got almost 2000 people who are part of a big Slack community here in Colorado. Basically if you do security in Colorado we want you to be a part of it. We have a great community. We might not be the Bay Area, but we’re not far behind; we do a lot of cool stuff there. So you go to Colorado-Security.com and find the website. There is a podcast we do weekly, that’s in your favorite podcatcher. It’s just called Colorado=Security.

David Spark

Close

29:31.338

Awesome. And we will link to all of that in our blog post. Thank you very much Mike, thank you very much, Robb. And I want to thank our sponsor, VMware. Thank you for sponsoring this very episode. And I want to thank our audience, who have been phenomenal supporting us. Now that we’re into our third year Mike, very excited about that.

Mike Johnson

The big three.

David Spark

Imagine, this all started with you thinking, I guess I’ll do a podcast with this idiot. [LAUGHS]

Mike Johnson

I mean, how many podcasts start that way? That’s got to be just a traditional origin story of podcasts.

David Spark

I took you out for lunch.

Mike Johnson

Next thing you know you’re on a podcast.

David Spark

You’re on a podcast, there you go. I want my money back for the lunch by the way. Alright, thank you everybody for contributing, and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”