Are CISOs inappropriately putting pressure on themselves and is that behavior in turn hurting all CISOs?


This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Andy Ellis (@csoandy), operating partner, YL Ventures.


Thanks to this week’s podcast sponsor, Orca Security

Orca Security provides instant-on security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Orca detects and prioritizes risk in minutes - not months - and is trusted by global innovators, including Databricks, Lemonade, Gannett, and Robinhood.

Full transcript

Voiceover

Ten second security tip. Go.

Andy Ellis

You should use multiple Chrome profiles so that you can separate your cookies and log-in credentials between your work and personal use. I personally have like six profiles because I work with so many different entities and companies, but it’s really important to separate those so that you don’t accidentally mix work and personal.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO series. My co-host is here. He’s going to grace us with the sound of his voice. Everyone get ready. In fact, I’m going to suggest everyone sit down when they listen to this because it’s such a momentous occasion. Let’s hear it. The sound of your voice, Mike Johnson. Wake up, Mike.

Mike Johnson

I figured a dramatic pause would be like the optimal thing to do when there’s just that much build up.

David Spark

It looked like your eyes were closed. 

David Spark

That’s the sound of his voice.

Mike Johnson

I’m here. This is the sound of my voice.

David Spark

We’re available at CISOseries.com. We’re available at the subreddit CISOseries. Every Friday we have our awesome CISO Series video chat. Please join us for that. And on Thursday evenings, you may not know, 7 PM Eastern, 4 PM Pacific, we do the cybersecurity headlines weekend review, a 20-minute wrap-up of all the week’s stories with some context from a cybersecurity practitioner, offering some advice or their opinion on the stories, if you will. And I want to mention our sponsor for today’s episode is Orca Security. Detect and prioritize your cloud security risk. If this is something you’re trying to do a lot faster, like in minutes, you’ll want to hear what they have to say in the middle of the show, so stay tuned.

David Spark

Alright, Mike, our guest. I’m going to rope our guest in right now because this has a lot to do with what I want to banter about at the beginning. It’s Andy Ellis, who is a legendary CISO. I don’t want to hand you too much, Andy. But you’ve been CSO, CISO for quite some time. You made hall of fame which, by the way, I didn’t even know they had a CSO hall of fame, but now officially they do, or maybe the company who did that is just trying to make a quick buck by creating this hall of fame. But regardless, you are well-known in the Twitterverse as CSO Andy, and now you are working with YL Ventures as their operating partner. Glad to have you here, Andy. Thank you for joining us.

Andy Ellis

Thanks for having me, David. I really appreciate it. “Legendary,” I think I may have to go put that on my resume now.

David Spark

Please do. And you can quote David Spark.

Andy Ellis

Yeah.

David Spark

Here’s what I want to bring up. I was listening to this other podcast that is not a tech podcast, a sports podcast, which I don’t listen to a lot of but this one’s really good. The 30 For 30 from ESPN, which they also do a TV series, but their audio version is spectacular, and the one that I listened to was entitled “Yankees Suck”, which is about the intense hatred that Boston fans had for the Yankees. And I went to a summer camp where everyone was a Yankees fan. I was the only Red Sox fan, and to watch the Yankees constantly beat the Red Sox, they could definitely beat the Celtics in baseball, but beat the Red Sox, was depressing. And then when they finally beat the Yankees on their turf and then won the World Series, it was spectacular. But you came into Boston at the tail end of that, yes Andy?

Andy Ellis

Absolutely. I came to Boston in 1989 for college, then went into the military, and came back in 2000. So, I got to see more of the rise and kind of ignored the fall that came before it.

David Spark

Now, I also want to bring this up because I’m a huge Celtics fan. You’re from LA, you’re a Lakers fan. You do not like the Celtics. Am I correct on that?

Andy Ellis

That is correct. My wife and I agreed, my wife is originally from Boston, that we would not be a basketball house.

Mike Johnson

That’s the easy way of dealing with it.

David Spark

Wait. So your wife must be a Celtics fan, yes?

Andy Ellis

She is a Celtics fan, and every so often we needle each other a little bit. The way I look at it is either the Boston basketball team is doing well and I will celebrate as a Bostonian, or the Celtics are doing really badly and I will celebrate as somebody who hated them growing up, and it’s only their mediocre seasons that I can’t figure out something to root for.

David Spark

I used to have a joke about this. I hate the Lakers. Could be from the Celtics. I hate them. The only way I would ever root for the Lakers is if they were playing the Nazis.

Mike Johnson

That’s pretty harsh. Yeah. That’s a pretty extreme distaste for that team.

Andy Ellis

I will say one of the hardest things I’ve ever done in my life was to buy my son a Celtics jersey.

David Spark

Oh, wow. That must’ve been tough.

Andy Ellis

I will still never buy any Jets gear. At least the Celtics are not the Jets.

David Spark

May I ask you this: Did you see there was a great three-part series on ESPN about the Celtics-Lakers rivalry? Did you watch that?

Andy Ellis

I did. I watched it. It was fantastic.

David Spark

Truly fantastic. If anyone hasn’t seen that, fans of NBA during that time, it’s a must watch.

Andy Ellis

Well, I think what’s funny for people who didn’t grow up with it is recognizing how rarely those two teams actually even played each other in the finals.

David Spark

But that rivalry was so intense, and also just listen to the players talk about how much they hated each other.

Andy Ellis

Oh, they hated each other, the rivalry was intense, but it wasn’t like they kept playing in the finals. They kept playing everywhere else, but whenever one went to the finals would be the year the other one fell short most of the time.

Why is everyone talking about this now?

00:05:40:11

David Spark

On LinkedIn, Gary Hayslip, CISO, Softbank Investment Advisers put together a great piece outlining why he believes the hiring process for CISOs is considerably broken. In extreme summation, he said the issue has to do with increased competitiveness and the amount of commitment the business puts into cybersecurity, especially at the top levels of the organization, meaning the C-suite. And lastly, he says many organizations don’t know what kind of CISO they want to hire, a strategic or technical CISO and variations of that. I want to focus on this last part. Michael, do CISOs know what they want, and what would help them figure that out?

Mike Johnson

I don’t want to make generalizations here and speak for all CISOs. I can speak for some of the folks that I’ve spoken with, and I think you have to break it down into multiple-time CISOs and first-time CISOs. Those who’ve been CISOs at multiple places, they know what they want. They’ve had the experience, they have the scars, and they know what types of roles, what types of companies they want to be a part of. And the first-time CISO, I don’t think they know what they want, or they might have an idea, but until they’ve experienced it, they can’t be sure, and they’re likely wrong.

David Spark

I should also add, it’s also what the company wants. What does the company want? What does the CISO want? So, do you answer that differently, obviously for the company and what they want in terms of hiring a CISO?

Mike Johnson

I do think that’s really important. Finding that match of what is the company after. I don’t know that I like the technical versus strategic CISO. It seems there’s a lot more overlap than I think the article was giving credit for, but I do think companies who’ve had a CISO before, again, the analogy holds, they know what they’re looking for or what they’re not looking for. If they haven’t had a CISO before, odds are they still don’t know what they’re looking for, and that’s where the interview process becomes really important, to have the conversation where they’re talking to the prospects, the people that they want to hire, and that’s the opportunity for the people who are interviewing to say, “I don’t know if you know exactly what you’re after.”

David Spark

Well, wouldn’t that be a red flag, too?

Mike Johnson

It usually is, and that’s usually something that I think experienced CISOs, when they’re interviewing with these companies who are hiring their first time CISO, they know what to look out for. They know the questions to ask that are going to give them those red flags.

David Spark

Alright. I’m tossing this to you, Andy. When I spoke to Gary Hayslip, not part of this article, he said constantly, when he was looking for his CISO role after he had left his last one, and now it’s Softbank Investment Advisers, the job description was all over the map for the CISO job. What are you seeing yourself?

Andy Ellis

So, I think that’s a really accurate way to look at it. Let’s start by looking at other C-level executives. If I say “chief marketing officer”, I think we all know what that means. That’s the person who reports either to the CEO or to the chief revenue officer sometimes. They’re in charge of all marketing for the business. They’re an operational function that drives a lot of the business. If I say “chief people officer” or “chief HR officer,” same thing. Usually reports either to the president, to the COO, or to the CEO, but again, we understand what that job is, and I could do that for every C-level position. Now, CIO has a little bit of nuance around it depending on whether the company is technology oriented or not, and whether or not they’re segregating corporate technology from business technology. You might have a CIO who runs the company but doesn’t run the go to market arm of the business because it’s a technology company, in which case the CIO has a smaller role than they might have in a different business. How many CSOs actually work for the CEO? It’s almost none. It’s not really a C-level title the way that we often think about it. You’re the head of security, but you don’t work for the CEO, that’s the exception rather than the rule, and almost every other C-level executive, the norm is that they work for the CEO. So that’s our first disconnect, is we don’t know what that job is.

David Spark

Well, I should mention that we did have an episode of Defense in Depth where we talked for the whole episode about who the CISO reports to, and there was some significant discussion of CO. But in general, it was CIO.

Andy Ellis

Right. In general, it’s CIO. Sometimes it’s under legal. It’s in different places, so let’s start with that, that the job isn’t even well defined. So we’re not even talking about whether the company wants a specific type of CISO. It’s, “Is this a CISO that’s really just a director of IT security with the C-level title? Is this somebody who’s driving product strategy? Are they part of the go to market arm of the business?” These are all different parts of a job that a CISO might have, and I think companies definitely don’t know, and I think Mike was onto something about the match. The match that I think seems to work most clearly is the recovery CISO, which is a company has a problem and they need somebody to fix it and they’re going to give almost carte blanche to this CISO, and there are some amazing CISOs that specialize in that. They come in, they’ll turn around a company, implement a great security framework, and then they’ll go to somebody else who has a problem.

It’s time to measure the risk.

00:11:21:03

David Spark

Neil Saltman of Anomali hosts a regular event of CISOs that I’ve attended, and one of the CISOs had a question. Quote, “I would love to know if there are CISOs who would be willing to share a sample output of their risk assessment.” I’m looking at the two of you. “Or, show us how they actively manage their compliance requirements. What tools they use and what they would do differently. These are the kinds of things that no one really teaches you and the NIST guidelines are massive and not a good fit for smaller companies.” Mike, Andy, can you give us a sample output of your risk assessment, and explain how you actively manage your compliance requirements. Obviously interested in experiential advice and why you chose these decisions. What helped you make these decisions? Andy.

Andy Ellis

Sure. So, let me separate and say these are two different problems. Compliance requirements often produce a risk assessment, so they’re not completely distinct, but compliance requirements are about protecting the past. In the past, you said you did a thing, or somebody else said you needed to do this thing, and how well you do it. That’s all. Risk assessment is about safeguarding your future, recognizing you have a thing you have to go fix. For compliance requirements, how we manage them, first of all, because it’s about protecting the past, we hired a librarian. A librarian sits at the middle to keep track of all the things we do, the things we’ve said we do, how you keep those updated and ensure we keep doing them. We built our own GRC dashboard. I actually wrote that in PHP 4, for those of you who would like to make fun of me, 17 years ago. Universal program management tool to keep track of everything. At some point, they finally replaced it. More work to replace it than it had in the first place.

David Spark

Well, it was dripping oil back then.

Andy Ellis

Well, it was, and it’s actually still around because it was a universal tool that solved things like vacation tracking for the company, but now there’s a dedicated compliance dashboard that we just treat as copy and paste from the previous year. Here’s the database mapping of controls to things we have said. So, every year, you just treat those things you’ve said as things that need review. Is this still true? Great. When you discover a gap, “Oh, there’s this requirement and we don’t have a good thing,” we say that can then go into risk assessment. Recognizing that the auditor is your adversary. Can you say a thing that is true about this that will satisfy the auditor? If the answer is no, you’re going to have a risk challenge. When it comes to risk assessment, I like to split risk into four quadrants, like everybody, think high to low, and it’s about benefit and cost. So you could think of benefit as risk, but I think benefit is reduced risk. If I did something here, how much safer am I? And things that are low benefit, low cost, those should just be change requests. I don’t even want to see them as the CISO. If somebody could churn this out and a month later we are fine and it doesn’t require an executive, just go get it done. Things that are low cost and high benefit are incidents. I need to know about them because I need to make sure we pay that cost right now because we get a lot of benefit out of it. Think about zero day vulnerability patching. Low cost, high benefit to deal with it. Then there’s the things that are high cost and high benefit. Those are the hardest things to measure because these are things you should consider doing, but they’re going to take a lot of investment to do. You probably can’t do a lot of them at once, and that’s where you’re really going to have to do heavy risk assessment. I’ll come back to that in a moment because I just want to tell the fourth quadrant before I talk about the risk assessment.

Fourth quadrant is just your exposures. These are the hazards that you’re going to live with because they are very expensive to mitigate at very low cost. Think of the simple one. If you’re a company with a headquarters in a downtown area, you can’t have a perimeter that’s a mile away from your data center. Somebody wants to blow up your building, that’s a real threat that could happen, probably not very likely, so low benefit to trying to relocate the company, but high cost.

David Spark

Alright, Mike. He gave a pretty complete answer. I was just looking for one sample. What have you got for me?

Mike Johnson

Well, I want to go back to Neil’s question. I think it’s a weird question to ask of, “Hey, why won’t people show me their risk assessments? Why won’t you show me your list of unmitigated concerns?” That’s just not going to happen. So, I think the idea of showing my list of risks to someone I don’t know doesn’t make sense.

David Spark

Is it like, “Hey, let me show you the different ways people can break into my house?”

Mike Johnson

Exactly. It’s almost like leaving that sign outside of your house to say, “Here are all the ways you can break into my house. And oh, by the way, I’m not home right now.” It really seems like a bad idea. But I think what he might be looking for is what Andy answered, which was, “Here’s the ways we think about risk. Here’s the categories that we’re looking at of compliance risk, of security risk, and how we classify and put things in different quadrants.” Our approach is different. We look at modeling risk in terms of dollars at risk, and looking at the costs to mitigate those particular risks. It’s just a different way of doing it, and every company does it differently, and answering that kind of question when you’re asked can give a particular vendor, “Well, here’s how we would sell to them. Here’s how we’re going to present our solutions to them,” and that would give them an idea of how to interact with me. So I think that’s a good question to ask, and a decent question to answer.

Sponsor – Orca Security

00:17:21:24

Steve Prentice

Orca Security is a young company, just three years old, and it’s on a mission to help its customers manage two key cybersecurity categories defined by Gartner as CSPM, Cloud Security Posture Manager, and CWPP, Cloud Workload Protection Platform. Patrick Pushor is principal technical evangelist at Orca Security.

Patrick Pushor

These are sort of two modern cybersecurity categories that I think every organization with a significant investment in the public cloud, namely infrastructure as a service platforms, AWS, Azure, GCP, shouldn’t really be without. At Orca, we’re combining CSPM, which measures how all of your cloud security controls are configured, and the CWPP, which measures similar risks but down at the workload and data levels. Things like how your operating systems and your virtual machines are configured. The two are really inseparable, right? Observations on the cloud side inform security decisions you’ll make down inside your house. If I find malware in a virtual machine, what’s the very next question I might have as a security analyst? I’d want to know how exposed it is. Is this remotely exploitable? And that question you can’t answer without consideration of your cloud security controls.

Steve Prentice

Perhaps one of the best endorsements of their approach is the behavior of the competition.

Patrick Pushor

That’s certainly been validated by other vendors going out and acquiring the one side they didn’t build in-house. They feel the same thing. I think the difference at Orca is that we’ve really built the product from the ground up to share observations from side-to-side.

Steve Prentice

For more information, visit Orca.security.

It’s time to play “What’s Worse?”

00:19:04:02

David Spark

Andy, I don’t know if you know that we have this silly game called “What’s Worse?” on this show, where I present two horrible situations, and you have to choose between the two, which is the worse scenario. So, you’re not going to like either, I’ll start with that, but one is worse than the other, and that’s your determination.

Andy Ellis

Can I just predict that I’m going to answer, “It depends”?

David Spark

No. No. “It depends” does not work in this game at all.

Mike Johnson

Nice to go ahead and get a jump on that.

David Spark

I make Mike answer first, and I always like it when people disagree with Mike. So, just setting you up there.

Andy Ellis

Yep.

David Spark

Mike, guess what? We’re doing another try at getting you to choose that the brilliant jerk is not the worse scenario. Now, this comes from someone who’s anonymous, does not want to be named.

Mike Johnson

Oh, great.

David Spark

But I thought he came up with a really good scenario, so I think you may pick the other option.

Mike Johnson

Alright, let’s see.

David Spark

Here we go. Scenario one: You’re a manager for a team of brilliant jerks.

Mike Johnson

Oh, a team? A team of them. Great.

David Spark

You’ve got a whole team of brilliant jerks. Maybe that actually works, because then they’re all obnoxious. It may be better to have a whole group of brilliant jerks.

Mike Johnson

Lock them in a basement. They’re great down there.

David Spark

Or, get ready for this, you work for a company that you’re embarrassed to work for. And by the way, the whole industry knows it, too. Which one’s worse?

Mike Johnson

Wow. A team of brilliant jerks. So they’re really productive, but no one else in the company wants to talk with them or work with them.

David Spark

Pretty much, yeah.

Mike Johnson

So they go off and solve their own problems, wonderful.

David Spark

And they probably don’t even talk to each other.

Mike Johnson

Yeah. Great, yeah. A bunch of lone gunmen, as it were.

David Spark

Yes, probably like that. So, the whole concept of a team, forget it.

Mike Johnson

Yeah, no team. No team. Just a bunch of individuals. That’s great. On the flip side, working for a company that you’re embarrassed to work for. So, the reality is there’s got to be some reason why I’m at the company in the first place.

David Spark

Somehow, things switched over. There’s no “It depends” here. You somehow got stuck here. You moved to a location. This was the only CISO job. You had to do it to feed the family.

Mike Johnson

Remote work isn’t an option. Yeah, I have to feed the family. I have to feed my cats, and they’re expensive.

David Spark

Yeah. The Friskies buffet has gone up in price.

Mike Johnson

Yes. Ultimately, this is, again, about me, about how people think about me, about what my peers think about me, and the other is about the company, the team that I’m working with, and the broader team, and I’m not so worried about me.

David Spark

Really? You’ll fall on the cyber sword here?

Mike Johnson

Yes. Much better than releasing more than one brilliant jerk. A team of brilliant jerks on a company, it’s really just going to make for a terrible environment. So, I’m still sticking with the brilliant jerk is actually the worst one in this. Nice try, anonymous questioner, but I’m still there.

David Spark

So, Andy, just so you know, we’ve had a bunch of these “What’s Worse?” scenarios where the brilliant jerk is one option, and we’ve been trying to figure out what will get him to turn away, and no one has yet found it. Alright, Andy. Which one is worse in your mind?

Andy Ellis

Well, I’m going to disagree with Mike here.

David Spark

Good.

Andy Ellis

And not just because you asked me to. For me, this was a no-brainer. This is really simple. I’m a people leader. If I have a bunch of brilliant jerks working for me, that’s an epic challenge. I’m assuming I’ve come into this organization, or maybe I grew it. Look, I was a brilliant jerk myself.

David Spark

A reformed brilliant jerk?

Andy Ellis

Right.

David Spark

So, which part? The jerk stuck around, the brilliant fell away? What happened?

Andy Ellis

The brilliant faded away, so now I’m just a jerk. But as a leader, which is what a manager ought to be, this gives you an opportunity to take this group of people and show them the ways in which they’re being massively successful. You’ve said they’re brilliant, so we’re presuming there’s a lot of success, but at a really high cost, and you can teach them the skills and put them in the places to succeed, and you can forge an amazing organization out of that and you can have fantastic success and build an inclusive culture if you do it correctly, because it’s probably not very inclusive, the day that you’re starting with that. But for me, that’s my lifelong passion. I would absolutely take that in a heartbeat. Now, I’m very blessed that right now I’m not working with a lot of people who are brilliant jerks that I can see. They might be jerks outside my viewpoint. I recognize I might have blind spots, but I would rather take that, easily.

David Spark

So, this is a callout to any company that currently has brilliant jerks, that you want the challenge. Is that what you’re saying?

Andy Ellis

Well, I’ve got a lot of challenges on my plate right now. I’ve got a lot of work I’m doing and I’m very happy with it. But no, I am happy to consult with anybody in that role. If you’d like some leadership advice, somebody just to mentor you on the side, come talk to me.

Hey, you’re a CISO. What’s your take on this?

00:24:23:07

David Spark

David Schwed of RTI asked if anyone has used a vCISO through an MSSP. Have either of you heard of such a thing, and would there be benefits or a problem? Now, Taylor Leymann of AWS said, “vCISO for MSSP? Sounds like paying for someone to write the proposal that hires the MSSP. The two shouldn’t go together.” Would there be any specific benefit of hiring a vCISO through an MSSP? Who should consider slash not consider, Mike?

Mike Johnson

So, this is a new one to me. I’ve not heard of this concept before, but I can see where it might make sense for some folks. At the same time, I can also see where Taylor is coming from. There’s an obvious incentive for the vCISO to just simply recommend the solutions from the MSSP.

David Spark

Excuse my ignorance here. Do a lot of MSSPs have a vCISO on staff?

Mike Johnson

I can see where they might. If you think of a large company that provides a lot of different security services, providing a person who can kind of drop in and implement a security program for a company that doesn’t have one.

David Spark

Wasn’t that what Alan Alford was doing at his past job?

Mike Johnson

I’m not entirely sure.

David Spark

I think he may have.

Mike Johnson

I think he wore multiple hats. Alan wears, of course, multiple hats, so that might’ve been one of the hats that he wore. But if you’re a company that has no security program, a vCISO that can say, “Look, these are all of the products that our company has. We do all of these. I know them all very well,” and that might be good enough for the particular company, to say, “Great. We had nowhere to go. We’ve now ended up in a better place.” At the same time, you need to make sure that the vCISO is really going to be giving good recommendations, that they’re not just selling their own products. It’s entirely possible that their products really are that good. And so, it’s okay if they’re selling their own products.

David Spark

Well, I would assume they believe in it, yes.

Mike Johnson

They certainly believe in their products, but there’s also the possibility that they truly are that good. And if you go and ask for references and talk to other people who have used this particular vCISO before or used the MSSP services before, that can give you an idea of what are the pluses and minuses of getting that all in one place. In a lot of ways, it’s the one-stop shop mentality. It might be perfectly fine for some people.

David Spark

Alright. Andy, have you ever heard of such a thing?

Andy Ellis

So, I have. Actually, today I was talking to an MSSP, and the vCISO was included in their pitch. Although, it was interesting because they didn’t want to call themselves an MSSP. So, they recognized that the MSSP label had some challenges. I think that if you’re hiring an MSSP and getting a vCISO is part of that, that makes reasonable sense. If you’ve just decided, “Look, we don’t have a security program. We’re going to outsource it to an MSSP, and we don’t have a head of security either, so we’d at least like somebody to come in and write the policies and be that titular head, and we might recognize that we’re not getting the best solution, but we’re getting solutions implemented that will make us better.” I think that’s the thing a lot of people don’t recognize, is our job isn’t to have perfect solutions sometimes. It’s to get the maximal benefit at the cost we can afford to pay.

I tell you, CISOs get no respect.

00:28:01:23

David Spark

During our cybersecurity subreddit AMA, user MJSaaS asked a ton of great questions, and here’s one of them: What are the biggest misconceptions people who work in cybersecurity have about the role of the CISO? How do these misconceptions make your job more difficult? I’m going to throw in a co-host of Defense in Depth, Steve Zalewski, who’s the CISO of Levi’s, who said, “The biggest misconception I see is often held by the CISO themselves. They often believe that technology is the answer, given that they come from a highly technical background. Second, they believe their role is to make the company secure and the people are supposed to do what they say.” So, Andy, I’ll start with you. Are CISOs creating a worse problem for themselves or is it others in cybersecurity?

Andy Ellis

I think we could spend a long time listing all the people who are helping make this problem worse. CISOs are certainly on that list, but I think so is everybody around them. I think that misconception that Steve is talking about, I don’t think that’s just driven by the CISOs. I think that is often driven by the people around them in a culture. When you look at an organization, if the person at the top represents the skills of the organization, you probably do have a problem because, by the time something gets to a CISO, it’s already been through all your technical experts. If you’re just another technical expert, there’s a very good chance that you’re not adding any new value at that point. Whereas, if you’re the businessperson who understands the technology and can trust your experts, you can potentially add new value and solve problems, but I do think that the biggest misconception people have is that the CISO can just do everything. That they personally will solve every problem, and I’ve certainly seen that. You would delegate something that seemed really important, but you had somebody who was better at it, or maybe they could use that growth opportunity and people around me would be like, “Andy, why don’t you just do that?” I’m like, “I have a day job, which is leading a team of people, not personally solving problems.”

David Spark

Mike, that is the sign of a good leader. Having a great team that obviously can do the things that they can’t do, but they can understand and orchestrate the team.

Mike Johnson

Yes, absolutely.

David Spark

So, what makes your job the most difficult of the people who work in cybersecurity, and could it be the CISO themselves? Are you your worst enemy?

Mike Johnson

We do have to be careful that we’re not creating more problems by chasing whatever is current. What I’m getting at here is my current issue is vendor questionnaires about vendor security questionnaires because of our reactions to the recent supply chain vulnerabilities and breaches. We’ve kind of pivoted to, “Let’s just questionnaire the heck out of everyone.” You know, “Have you been compromised by this breach? Are you talking to all of your suppliers to see if they’ve been compromised by this breach?” We’ve brought this on ourselves by pushing this on others, and now everything is coming back around full circle. We’re having everyone worry, probably overly, about these particular breaches, and also solving them ineffectually by just asking people questions, “Have you been breached?” I think that’s an example of some of the over-pivoting that we sometimes bring upon ourselves by chasing whatever is the latest problem in the world.

Andy Ellis

And can I just say that those questionnaires, I love them because they’re the worst OPSEC failure of security teams in history because they’re all modeled on one of five basic templates. It’s the BITS SIG or PSI or ISO 27002, whatever. And then they add these questions at the bottom, and those questions are basically the list of breaches that that company has suffered, and what they thought the root cause was. They want to make sure you’re not going to be breached the way they were in the past. And so, I would always get joy out of reading them. It’s like, “Yeah, we’ve got stock answers to all these– Oh, this question. Let me go look in the news and just correlate your breaches to these questions and now I know how you got breached.”

Close

00:32:23:11

David Spark

Simple as that. Awesome. Andy, I have interviewed you multiple times in the past. I was very excited to have you as a guest here as well because I knew you would deliver. And guess what? I was right. I always like to take credit for knowing that my guests were going to be fantastic.

Mike Johnson

Good job, David.

David Spark

I know. I’m so good at this.

Andy Ellis

Well done.

David Spark

Five stars for me. Alright. Thank you so much, Andy. You were awesome, on the mark. Greatly appreciated. Huge thanks to our sponsor, Orca Security. You can actually find them at just Orca.security. They are for detecting and prioritizing your cloud security risk. And if you want to do that a lot faster, go check what they have to say. And I also want to thank you, Andy and Mike. Mike, I’ll let you speak first, and Andy, you get the last word, and I always ask our guests if they’re hiring, but are you involved in any of the hiring, Andy? Hold that thought. I’m going to be interested to know for the YL companies. But go ahead, Mike. Any last thoughts?

Mike Johnson

Andy, thank you for joining us. I’ve been a fan of yours for a while. I’ve learned a lot from you, and thank you for coming on the show so I have the opportunity to thank you for all of your contributions that have allowed others to learn from you along the way. So, thank you for joining us for that. For this episode, I really appreciated your focus on people, on leadership, on the business, and really reminding folks how important all of those are, and how key those are to the job of a CISO. So, specifically, thank you for that guidance, but in general, just thank you for everything that you’ve done for the community. I really appreciate it.

David Spark

Look at all those kudos. Alright. Andy, any last words? I’m interested. Are you involved in the hiring for the YL companies or not at all?

Andy Ellis

So, first, let me thank Mike. That was really, really touching, and I’m not sure how I can follow that up with anything now. But, David, to answer your question, I’m peripherally involved. So, any time any of those companies are hiring, YL sort of curates and says, “Oh, here’s all of the job postings so you can see them on our website,” and I’m often asked, “Hey, do I know somebody who might be interested in this job?” So, if you’re out there and you’re somebody that I know and you’d love a recommendation for one of those jobs, absolutely. Go find that job listing and say, “Hey, Andy, I’m interested in that job. Can you give me a reference?” I’d absolutely be happy to do that. But I myself am not doing any direct hiring, which I’m very happy for. I think hiring is a really hard job. I think most people do not invest as much time and energy as it truly does take to hire great and amazing candidates. And in the spirit of thanking people, I actually want to channel Mike’s thanks onward. There have been a ton of people in my career, the folks who’ve worked for me and around me, who’ve really helped me develop that style of leadership. I didn’t become a not brilliant jerk or a brilliant not jerk naturally. There was a lot of investment and work in there and a lot of people who really helped me along the way, and I think a lot of them know who they are, and if they’re listening, thank you and I do appreciate it.

David Spark

Let me ask you a question about that. I feel that all of us have gone through the young and obnoxious stage where you think you know everything. You know, that period of time. Was there a moment that you had that put you in check, if you will?

Andy Ellis

So, I think there’s a series of moments, and I’m going to pull two out in the interest of being brief. One was I was trying to get attention onto a security problem and I was in front of our executive committee, and I turned to the CEO and I said, “How would you feel if this problem affected you personally?” I was very graphic about exactly how it would happen, and the room went dead silent. After the meeting, my boss, who was also in the room, comes and he says, “What the hell were you trying to achieve?” And I’m looking at him and said, “I was trying to get people to pay attention to how bad this problem is.” He says, “Really? Because it sounded like you were threatening the CEO that if they didn’t fix this, you would do this to them.” So, he says, “Before you open your mouth, understand what you’re trying to achieve,” and those words have really just stuck with me for a very long time about the power of our voice. And even when we don’t think it, we come across like a jerk. Most people who are brilliant jerks don’t think they’re jerks. And so, for me, that was this really powerful moment. And a second one was on blind spots. I was speaking with one of my female staff and had made some comment about zero tolerance for harassment, and she looked at me and was just silent for a moment and said, “Oh, Andy. I could tell you stories, but I don’t think you’re ready to hear them.”

David Spark

Ooh.

Andy Ellis

Right? And it really made me examine that just because we don’t see something, doesn’t mean it isn’t happening, and that the people who should tell us don’t feel that it’s safe to do so, and it’s on us to make them feel safe, not on them to feel safe. And so, that’s really key in creating an inclusive culture, is people learning that, when they bring you bad news, you’re not going to shoot them, even if you’re not happy with that news.

David Spark

That is two amazing pieces of advice, and I love closing on that. Thank you very much, Andy Ellis. Thank you very much, Mike Johnson. And thank you, audience, as always. We greatly appreciate your contributions and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”