On this day three years ago, Mike Johnson and I released the first episode of CISO Series’ CISO/Security Vendor Relationship Podcast.

Subscribe to CISO Series podcasts - CISO/Security Vendor Relationship Podcast

Our primary goal was to talk about the strained yet much needed relationship between security practitioners and vendors. With the help of our guest Dan Walsh, CISO, VillageMD and plenty of contributors we look back and ask ourselves, “What’s changed and has anything improved?”

If you’re interested in hearing the full story of how CISO Series started, listen to this episode of Defense in Depth with Mike Johnson and Allan Alford where we walk through the origins of what has become a rather sizable media network.

Got feedback? Join the conversation on LinkedIn.

Thanks to our episode sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

Full transcript

Voiceover

Ten second security tip, go.

Dan Walsh

If you’re a vendor, find common ground with a security leader prior to pitching them, if they’re a sports fan, find out what their team is, if they have hobbies, find out what they are.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO series and joining me as my co-host, who’s been there since episode one, three years ago, it is Mike Johnson.

Mike Johnson

I’m here since episode one. Three years later, still here, still having a great time and my voice is the same. Hasn’t changed in three years, believe it or not.

David Spark

No, it has not, in fact, [LAUGHS] I just saw, Dave Bittner, who is the host of multiple podcasts over at the CyberWire, got a review on Apple podcasts, complaining that his voice is changing. [LAUGHS]

Mike Johnson

Oh no. [LAUGHS]

David Spark

Sorry, I’ll fix that.

Mike Johnson

I don’t know about that. Let me mention our sponsor, it’s Sonatype. If you have a development environment and you are trying to get better security hygiene in your development environment, which, by the way, that’s pretty much all development environments, you’ll want to hear what they have to say in the middle of the show. So, thank you Sonatype for sponsoring. Now, this is a big deal. June 1st, 2018 is when we launched this podcast. It was me, after I had written a bunch of articles on this topic, that was essentially, buoyed by some posts you had put up on LinkedIn, Mike. I took you out for lunch, I asked you did you want to do a podcast? You thought, who is this idiot? I want to know, what were the adjectives you used to describe me when you first met me?

Mike Johnson

Oh, I was just thinking about the lunch. It was a great chicken sandwich and that was what was on my mind. You bought me a great lunch David, and that’s really all it took.

David Spark

That’s all it took?

Mike Johnson

Yeah, just good lunch. I’m cheap.

David Spark

These vendors. I didn’t realize how cheap it could be to get in with you. [LAUGHS]

Mike Johnson

No, but really, the initial impression was sort of a who is this guy? Is this really a thing? Can we actually make this work? Can we really say some things that people are interested in hearing? And, three years later, it turns out yes, that people are interested in listening and contributing and it was great that we took that chance. I do want to give you credit David, you took a chance on me. I had never been on a podcast before in my life. I had to go buy a microphone, because I’d never owned a microphone, and you were taking a chance on me, every much as I was taking a chance on this working out and this guy I had just met.

David Spark

We were both major risk takers. Although it, literally, it only took about a month. We did four episodes and, after that, we got our first sponsor came on board and we’ve been pretty solid since then. By the way, that was our first show. Today we now have five shows, four weekly and one daily and, by the way, we’re working on yet another as we speak. So, it has been astonishing how successful we’ve been and really the response from the community. By the way, there is an episode of Defense and Depths we did after the first year, where we had Alan on and you and we just go through a lot of detail of why this started, how it started, how it took off and I’ll provide a link to that. I don’t want to go into all the details now. But, the point of today’s episode is to look back three years ago and today and see has anything changed? Positive, negative, what’s changed from what we’ve done, what’s changed in the environment, but mostly between the vendor landscape, the threat landscape and the relationship between the vendors and the practitioners. Sound good?

Mike Johnson

Sounds great. Looking forward to looking back and providing some analysis of what we’ve seen, what we think has changed, but also getting the feedback from the audience about what they’ve seen change over the three years.

David Spark

And the person who’s going to help us with that discussion is someone we’ve had on multiple times on the show and is a great supporter of the series and I thought he’d be perfect for this discussion; it is, Dan Walsh. The CISO over at VillageMD. Dan, thank you so much for joining us.

Dan Walsh

It’s great to be here tonight, thank you.

Can’t we all just get along?

00:04:36:18

David Spark

I asked fans of the show about what they get out of the show and what they believe has changed in the industry over the three years we’ve been on. Take a listen.

Contributor

We’ve all known in this industry, for a very long time, that there’s been a lot of tense relationships and there’s a lot of change, both in terms of threat landscape and on the vendor side.

Contributor

You created an awareness, first of all, and then a space where CISOs, security leaders, practitioners, security vendors, could all talk to each other.

Contributor

I’m seeing vendors finally change their approach to meet the needs of CISOs and the wider security community.

Contributor

The podcast has done a great job of helping me learn different techniques, tactics and generally, how to be a true partner.

Priscilla Frayne

I do believe the relationship between security practitioners and vendors are improving and, as a security professional working in sales, I have to put my feet in CISOs shoes.

Contributor

It’s nice that someone focuses on that relationship and it has actually sparked ongoing conversation that is occurring both on the podcast and across the industry. And I think that is a huge impact to the community overall.

Contributor

Is that because of David and Mike? Maybe? Will I give the show credit? Yes. Yes I will.

David Spark

I want to give credit to all the people who spoke in that clip. That was Dan Holden of, BigCommerce, Dutch Schwartz of AWS, Mark Nunnikhoven of Lacework, Neil Saltman of Anomali, and Priscilla Frayne of ReliaQuest. Thank you. Great responses from everybody. So, I’ll start with you Mike, I’m eager for your feedback on this. What they had to say and, generally, what you think, how the conversation has changed since we started three years ago.

Mike Johnson

Yeah. I really want to thank all of those folks for taking the time to record, you know, to give us that feedback and give us their perspectives. I feel like, sometimes we’re lacking what everyone is seeing. We can only see what we’re talking about. The conversations that we’re having directly ourselves. Over time, I do feel like the conversation has shifted. Three years ago, the relationship was hostile.

David Spark

Hostile, I would agree.

Mike Johnson

And the public discourse was aggressive about it. Like, it was, not only did you have two sides, I won’t quite go into hate, but it was certainly hostile.

David Spark

Hostile’s good. It’s not hate, because it was just a hostile relationship. They needed each other, but it was really hostile and they still need each other.

Mike Johnson

And I think that one of the things that has changed is there is a recognition of that need and I think, while there may still be some finger pointing going on, we can now have a conversation about it. It’s almost as if, by being out there having this conversation publicly, other’s have realized that, hey, this is actually a conversation that we can have, rather than being separate groups, separate parties, off in our own corners with each other, with our closest friends, talking about that other group over there.

David Spark

Alright, Dan, I take this to you. So, think early 2018 to now, what do you think has been the most significant changes?

Dan Walsh

I agree with Mike. I think the listening and considering, you know, what the other side, if you will, what their perspective is and what they have to say, I think is important in terms of approach. One thing I have noticed is, when I get vendor engaged with me, we’re getting to brass tacks a little bit faster, to see if there’s a fit. Anecdotally, I will say, this year was the first time a vendor called me and said, “Can I have three minutes of your time.” And then literally set a stopwatch and after every minute clicked by told me what time it was and at the end of three minutes said their time was up. I was thankful I was seated for that. I was impressed over that and I actually asked them to send me more information, I’m looking over it right now. But, to Mike’s point, I still think there’s a lot of finger pointing, there’s a lot of shenanigans, and as I joke, machine learning, but this is a ship that will take a little bit of time to turn, but I do think, to Mike’s point, it is going that way.

Hey, you’re a CISO, what’s your take on this?

00:08:37:05

David Spark

Patricia Titus, CISO over at, Markel, she is not a vendor, by the way, and she said the following, “You have a great way of helping CISOs see the value the vendor community brings. That’s not an easy task. Many of us are jaded by opening the door a crack to a vendor and then being slammed with spam. “Why don’t you like me?” And “Why aren’t you answering my emails?” I get hundreds of calls a week and twice as many emails so, naturally, I get frustrated, but I also find that listening to your podcast helps give me perspective and, hopefully, the vendors are listening.” And Robert Wood, CISO for the Center’s for Medicare and Medicaid Services, said, “I think things are improving. People are more willing to show data, get into the weeds, be transparent. There is still a reasonably large gap in the relationship building investment though, which I think really boils down to many vendors just not listening.” So, Dan, do you have more compassion for vendors now than you had three years ago, or did you always have good compassion?

Dan Walsh

I have not always had good compassion. I do have more compassion now. Sometimes I’m not sure if that’s a function of having a little more experience as a security leader and understanding that, just as I’m trying to pursue my career and care for my loved ones, my family with my livelihood, the vendors are trying to do the same. But for vendors who truly want a partner, I’ve had the benefit of having some of those longer term relationships and I’ve had the opportunity to build some very good ones, both on the product side, on the tooling side, but then, also on the services side as well. So, I do have more compassion and looking forward to see if that continues [LAUGHS] or if it goes the other way, but I think it will continue.

David Spark

Following up on the compassion, where do you think that source of compassion came from? I mean, you mentioned it could be just because you’re more experienced. Is there something else?

Dan Walsh

We’re in a very tough industry. I mean, it’s like, if you’re successful you really don’t get noticed that much, honestly. It’s not, like, yeah, you didn’t do it, you didn’t have any breaches or you didn’t have any real security issues, or your risk is managed for the business. It’s like, yeah, of course you had that, because that’s what you’re supposed to do. And so, as a CISO, you’re dealing with all that pressure of trying to just keep the business securely operating. As a vendor, you’re just trying to compete with all the other competitors out there. So your threat landscape is really the sea of vendors that are vying for the attention of the CISOs.

David Spark

And, by the way, that attention isn’t necessarily your direct competitor either for that matter.

Dan Walsh

Correct it’s not, it’s not. It might be a different risk, or a different threat, or a different tool for that particular time and the CISO just doesn’t have time or interest at that point in your particular product. It doesn’t mean that they won’t down the road though. And so it’s important not to screw these relationships up, that’s a bit harsh, but really try to nurture these relationships as time goes on. That’s why it’s really important to be a partner.

David Spark

Alright, Mike, I throw it out to you. You admitted, by the way, when I first saw some of those posts of yours, when I was first writing– this goes back to probably late 2017– that you were one of these hostile people. So, you have become more compassionate. Do you think, by the way, doing this show helped you with your compassion?

Mike Johnson

This show certainly helped, because you end up really listening to other peoples perspectives and I’ve learned from my fellow CISOs on this, some of our guests on the show, and learning about their approaches and how they’ve dealt with vendors. So, this show has helped, but I will say the community calling me out on being hostile to vendors, way back when, that was my wake up call. That was my moment of, yeah, you’re right, I am being a jerk and I’m not being helpful.

David Spark

Wait a second! Were you the brilliant jerk? This is all coming full circle. Oh my God, you were it. [LAUGHS]

Mike Johnson

No, I was just the jerk. I wasn’t necessarily brilliant. I will take no credit for brilliance, but definitely a jerk. So I know a jerk when I see one.

David Spark

Being that you embodied one.

Mike Johnson

Being that I’ve been there, I’ve done that and it was really the community taking me to task and saying, hey, rather than just being out here yelling at people, why don’t you be helpful? And that was the wake up call that I needed and I started the adjustment then and then the show over three years, really continuing to hear these perspectives, continuing to hear both on the show, the feedback, but also on LinkedIn, on our live shows and all these other venues of the vendor experience, the vendor perspective. That’s really given me the recognition that hey, these are my fellow human beings. I can either continue to be a jerk, or I can try to help. And I’ve chosen to try to help.

Sponsor – Sonatype

00:13:37:17

Steve Prenctice

We are experiencing an exponential increase in software supply chain attacks, specifically targeting open source projects. This is where adversaries inject malicious code into open source before it is released into production. Derek Weeks is Vice President at Sonatype and his company specializes in mitigating this type of threat.

Derek Weeks

Sonatype brings a couple of things to the table here. One is we help software development organizations really investigate and analyze what open source components they are using within their software supply chains and software delivery life cycles. We’re not doing this with humans, we’re doing it through automation, aided by artificial intelligence and machine learning that can go in and look at every open source component, every dependency of those components being used and identify are there any security vulnerabilities within these projects? Are there any potential malicious code injections within those projects?

Steve Prentice

Their solution is purpose built for developers, but also widely used by security teams.

Derek Weeks

Being able to observe what’s going on and what the adversary behavior is in those environments, we provide the appropriate feedback to both sides of the organization; development and security, without being too noisy and also providing some direct remediation guidance, so that when problems do surface, they can re-mediate them quickly.

Steve Prentice

For more information, visit Sonatype.com.

It’s time to play, What’s Worse?

00:15:15:21

David Spark

Alright, Dan, I know you’ve played many times before and Mike, as well, obviously. I don’t know when we introduced this segment, but it was pretty early on. I don’t think we did it on the first episode.

Mike Johnson

It was very early. I don’t recall an episode where this hasn’t existed.

David Spark

Yeah, and it’s definitely been the most popular segment. Well, I’ve got one that I came up with, which is a complete departure from all the, What’s Worses, we’ve done before. It is truly an expression and I want to know which expression you like least. Which one’s worse? Get ready. What’s worse? Cyber 9/11, or, Electronic Pearl Harbor.

Mike Johnson

[LAUGHS] Oh wow! Gosh. Nicely done, David. Yeah. Well these have both been overused. They’ve been in our industry for a while now. They’re both terrible. So, kudos on both of these sucking. Which was the way that you put it? Cyber 9/11 versus–

David Spark

Cyber 9/11, or Electronic Pearl Harbor?

Mike Johnson

I guess I’m just going to pick one. These are both–

David Spark

They are pretty interchangeable.

Mike Johnson

And I have a hard time justifying one or the other. So, I’m going to go with, Cyber 9/11, being the one I like the least. Partially because 9/11 is something I experienced viscerally and Pearl Harbor is a little bit more removed from me personally.

David Spark

That’s what I’m thinking.

Mike Johnson

That’s the only thing I can come down to on picking between the two.

David Spark

Alright. Dan, which one’s worse? Cyber 9/11 or Electronic Pearl Harbor?

Dan Walsh

Well, I know you like the sound of these David, but I think I have to agree with Mike. I mean, obviously living through that. Not that Pearl Harbor wasn’t equally as terrible. It’s just that was most of our parents or grandparents generations. I’m sure if someone was alive to see both, and was a cyber security practitioner, they might be able to give a little more insight into that.

David Spark

They’d have to be in their eighties. I don’t know. To be working in cyber security, how many people in their eighties are still working in cyber security?

Dan Walsh

Well, this is true. Maybe they’re retired. Maybe they’re consulting, I don’t know.

Mike Johnson

Or maybe they were involved with early computers and it wasn’t called, cyber security, back then.

Dan Walsh

Yeah, that’s very true.

David Spark

Alright, well there’s agreement all the way round that Cyber 9/11 is our least favorite way to describe a catastrophic breach, I guess we would say, that would cause physical harm.

Mike Johnson

But they’re both terrible. Don’t use either of them.

Dan Walsh

To be clear.

Mike Johnson

Don’t take this as license that the other one is good. They’re both bad.

David Spark

Go right ahead, call it Electronic Pearl Harbor.

Mike Johnson

No, don’t do that.

There’s gotta be a better way to handle this.

00:18:20:04

David Spark

Jeff Ake of Carve Systems said, “Most of the information out there for sales professionals is geared heavily to revenue sellers and those types of tactics, in my opinion, tend to get a negative reaction from technical prospects.” And one of the things I have said, again and again, is selling to security people is not the same as other, I would say, software sales in general. But I also want to add in Dana Gore’s comment here from, Check Point. She said, “I see the CISO Vendor relationships getting worse. One of the biggest reasons, I believe, is what seems to be an ever-increasing threat landscape with an overwhelming amount of vendors and products to go with it. Determining what is worth a CISO’s time and who’s worth talking to becomes a major task when they still have their day-to-day tasks to manage. There are so many ways to 

do things now and a great number of new technologies to consider which, I think, is causing resistance to change and forcing some to hold on tighter to old ways of doing things just to save themselves the headache of vetting an overwhelming amount of vendors and their overwhelming amount of technology offerings.” That’s a really good point. So, while we may think we’re doing a good job and the threat and vendor landscape is growing at an even faster clip, what do you think of Dana’s last comment? That CISOs are suffering decision paralysis. Dan?

Dan Walsh

So, I’ll speak from my own personal experience here. Basically, what you’re looking at, for me, is new threats and risk are always the constant. I think if you have a good network, as a CISO, which I do and you tap into them, you can get probably the top two, or three, or four vendors in a particular space that you’re interested in considering from your peers. Which is what I generally do if I don’t have a previous experience, that particular tool set. But again, this goes back to why trusted partnerships are so critical. So, if you have a vendor that you’ve established a partnership with, or you even have a sales person or a customer person that you’ve developed a relationship with and they move companies, they’re going to float to the top of the list of folks to consider.

David Spark

That’s a good point. Have you purchased a product from a sales person when they jumped from one company to another, Dan?

Dan Walsh

Yes, I have, absolutely.

David Spark

Mike, have you done that before?

Mike Johnson

Absolutely.

David Spark

Okay. That’s huge what you just mentioned. Go on, Dan.

Dan Walsh

Speaking for myself, I think there’s a way forward not to suffer from decision paralysis. But, I would say, if you’re going to go by logos, or by the number of players in a space, vendors in a space, yeah, absolutely. Because it seems like every day I hear about a new security vendor that I’ve never heard of before, that’s nearing unicorn status and somehow they’ve slipped under the radar, under my radar anyways.

David Spark

Well, I’ve talked to research firms who, it’s their full time job is to just know what’s going on out there and they can’t keep up. It’s impossible.

Dan Walsh

Yeah, it really is. And there’s so much money flooding this space and there’s going to continue to be so much money flooding this space, and the VC’s are just really interested in investing because you’re seeing fabulous returns because of all the opportunity out there from a threat and risk point of view. So, it’s going to get worse. I don’t think it’s going to get better.

David Spark

Yeah, I think so. And I’ve been covering the RSA conference for many years and it’s just gotten bigger and bigger and bigger. That’s all it does. Mike, what do you think of Dana’s comment, which I think is just so on point.

Mike Johnson

So, I really am astounded by the number of security vendors that are out there and even more so that there’s more. It’s not quite every day, but it feels like every day there’s a new vendor out there. Some of these founders they’re friends of mine. Some of them are CISOs who’ve seen problems and decided hey, we can go and solve this, let’s go start a company. And these are good ideas that they’re coming up with and I think some of that is related to our point about the threat landscape changing. There are new threats. We’re constantly seeing new threats, but the old ones still hang around and those aren’t going away. There’s this long tail of old threats that are just out there, they’re not going to go away and that, I think, is what leads us to some of the opportunity for these new vendors. Some of it is just, this is gen three of the same thing, but some of it is legitimately a new threat, a new challenge, that we haven’t faced before and there needs to be new solutions for that. You still can’t let you guard down for that long tail, while you’ve also got the new threats. I don’t know about the paralysis.

David Spark

You don’t ever feel decision paralysis? Because think about it this way. A SIEM vendor, how many are there? It seems endless, right?

Mike Johnson

There’s probably a new one starting up next month.

David Spark

During the recording of this podcast.

Mike Johnson

Right, someone’s, like, hey, I’ve got a great idea. I’m going to start a SIEM company.

David Spark

How would you begin? I remember actually seeing someone post about this. How would you even begin to start that? If you’re total green field, I got to get a SIEM vendor, where do you even start?

Mike Johnson

It’s like Dan said, I have a network of friends who have been there, done that, solved the problem. I’m asking around. I’m asking all my peer CISOs what are you using for a SIEM? And I will say, on the forums that I’m a part of, that exact question comes up maybe once a month, because people are looking for SIEM vendors, even though that’s–

David Spark

Do you find people are also bouncing from SIM vendors because they’re not happy?

Mike Johnson

That’s the flip side of it, yes.

David Spark

Dan?

Dan Walsh

Oh, 100% yeah. And I think the other thing too is, as Mike and I ask these questions of our peers, we’re saying and this is the characters of our environment. We have a LINUX environment, we have a Windows environment, we’ve got these types of things we need to monitor for, or these types of inputs and so that helps actually narrow down, fairly quickly I think, like I said, the top, two, three, four, vendors that we would want to consider.

Close your eyes and visualize the perfect engagement.

00:24:38:11

David Spark

Jatinder Singh of Informatica said, “CISO’s are now working a lot closer with security startups, hence products are more tuned to current CISO requirements.” And Aidan Simister of Lepide, said, “I think, on the whole, relationships have improved. It’s still dysfunctional but it’s better than it was. While the pandemic has created remoteness, it’s also provided a commonality which has actually brought people closer together.” And I want to start with that very last comment here, Dan, what Aidan said. Do you think, actually, this pandemic, being that we’re all in the same boat, there has been a level of commonality and a lot of the hostility between vendors and practitioners? I feel, and again, I’m not on either side, but just what I’m anecdotally seeing, I think it actually has helped. What do you think, Dan?

Dan Walsh

I think, for the most part, it has. It’s like an 80/20 rule here. I will say, I agree that I think that pandemic has helped, because now it’s starting off with small talk on Zoom, or Teams or whatever, and talking about maybe you know someone who had COVID, maybe you had COVID and, “How are you feeling?” Or, dealing with the challenges, if you’re a parent and you’ve got kids in school, of them being on Zoom, sometimes literally, on the same desk right next to you. And all these different challenges kind of pull us together just as humans, for that matter, and so yes, I think it has improved. However, I will also say, the number of prospecting emails that have flooded my in box, has gone up, I feel like, exponentially. I don’t know if that’s a function of starting a new CISO role during the pandemic, but it did seem extraordinarily high even before that.

David Spark

Mike, what do you think? I want to actually now go to Jatinder’s comment about working closely with security startups. I know we’ve talked about this in the past and how you like to work with startups because they can be very attuned to your specific needs and they’re very eager to have a big win. So their service is off the chart sometimes, early on.

Mike Johnson

Yes, I think there’s a great opportunity here working with startups. You can, not only give them feedback on the product itself and how to develop it and these are the features and these are the features that I’m looking for, these are the features that my peers are looking for, but, there’s also an opportunity to help them shape their sales, go to market, strategy, that it’s still in a phase where it can be changed, where it is malleable. Where you can give them advice beyond just the product features. And you can tell them, “Here’s how to sell to me. Here’s how to sell to a CISO,” and get them at that stage where they’re still influenceable and that gets anchored with them as they grow. Maybe they’re now becoming one of those vendors that is taking the partnership route, rather than the, I’m just going to spam everyone and see if they answer route.

David Spark

Close with your experience of working with startups, in two levels, in having them help you and you helping them in return. Kind of like what Mike’s just said.

Dan Walsh

Yeah, I mean, it’s good because I’m actually working with a startup right now, I can’t mention the name, obviously, but some of these startups are coming to the space and saying, this is the problem we want to solve, but we’re almost not sure how to do it. Or, this is the problem we want to solve and we think this is how we want to do it. What are your thoughts? And then I give them some insight, or I might make some correlations between across the security domains. So, maybe they’re in the identity space, but I make a correlation to the SOC, the Security Operation Center, and all of a sudden, it’s, wow, that could be an additional feature set that we could put on our product road map and develop that to make our tool more robust. And I will say, to the point that I made earlier and Mike has made several times about partnerships, you really, to me, have the best chance of starting off with a partnership with them because they are eager to learn. I feel like sometimes once startups reach a certain valuation, they almost kick it into grow at all costs mode, and that’s when you start getting more email spams than partnership conversations.

David Spark

Excellent point and that brings us to the end of this episode and what a fantastic first three years. I have to thank you, Mike, for pretty much, launching this whole concept with me, essentially as a media company, because I just initially had started out as just a bunch of articles on forums and then started a media company and I call our official anniversary of the CISO series actually October first of 2018, because that’s when the website launched. But this is the premier show that made it happen and it’s still the most popular show on the network. So, thank you, very much for that.

Mike Johnson

Thank you, David. I don’t actually get the opportunity to thank you after every show, so, thank you for all that you have done for this show, for the series, for the community. You’ve really helped us have this place where we can have these conversations; not only this show, but all the other shows as part of the now media empire that is CISO Series. It’s been great to be a part of that from the beginning, but I also genuinely benefit from listening to this show and listening to all the other shows. So, thank you for all that you do.

David Spark

Well, thank you very much. I did not do all that for all the compliments, but you know what? It doesn’t hurt. And, by the way, this is other thing that’s amazing about this show, and I’m not being facetious when I say it, daily, I get compliments from people telling me how much they love the show and I try to echo it to you and to the entire team, to let them know you’re probably not hearing this, but I just want you to know, daily we get compliments about everything that we’re doing on the CISO Series, so I want to let you and my whole team, let them know that that happens. Dan, I’m not going to you to say, by the way, now compliment us, that’s not what I’m doing. But I want to thank you for coming onto this show. You have been a phenomenal guest and that’s why I asked you to come back and you have privately told me how much you appreciate this series and all that. So, that’s why I thought, yeah, you’d be perfect for this episode. So, thank you very much for coming on the show. Before you say anything though, I do want to thank our sponsor, let me just say that. Sonatype, I want to thank them. They have been a phenomenal sponsor, and I appreciate them sponsoring this episode and they also sponsored, Defense in Depth and a whole mass of other stuff. So, thank you very much Sonatype. Remember, for your security hygiene and dev ops, Sonatype; S-O-N-A-T-Y-P-E dot com. Alright, now Dan, any last words?

Dan Walsh

Yeah, I mean, first of all, thank you for having me on the show today. It was a real honor and I am gonna pile on the thank you love to both of you, because I have learned a lot. I started listening probably two and a half years ago, and it’s an honor to both consume and participate on these shows and I’m better for it as a security leader and I think, just as the vendors are better for hearing the CISO perspectives, the CISOs are better for hearing the vendor perspectives and so, it’s unsurprising to me that this has been a success and I look forward to seeing what’s next.

David Spark

Thank you very much, Dan, thank you very much, Mike. Thank you to our sponsor Sonatype and thank you to our audience who keeps listening, keeps contributing, keeps complimenting. Guess what? All of that helps us keep going. So, thank you very much. We appreciate it. We appreciate you contributing and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”