If I’m going to be riding my team really hard, how much charisma will I need to keep the team frightened so they stay motivated, yet don’t want to leave?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Jason Fruge (@jasonfruge), CISO, Rent-a-Center.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Expel

Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one.

Full transcript

Voiceover

Ten second security tip. Go.

Jason Fruge

Unless you’ve already mastered basic security hygiene, I recommend everyone avoidgetting caught up in focusing on stopping zero days and advanced thread actors. Most breaches today continue to be the basic old stuff, so master the basics first. Basic security hygiene, like good asset management, good vulnerability and patch management. These things matter the most. Don’t reuse passwords, make them complex, enable multi-factor authentication everywhere that you can. These things continue to give you the most bang for your buck.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark, I am the producer of the CISO series. Joining me, my co-host, Mike Johnson. We’ve been doing it well over three years Mike.

Mike Johnson

Well over three years and I’m still here and I’m still excited. I’m still ready to go, David.

David Spark

I like that can do attitude.

Mike Johnson

Absolutely. Can do. Can do.

David Spark

We’re available at CISOseries.com. Check us out. There’s lots of things to see there, like old episodes, you can register for video chats, you can register for our newsletter, our twice weekly, or ourdaily newsletter. You can subscribe to our other podcasts. So many fun things to do. Just go to CISOseries.com. Our sponsor for today’s episode is Expel. Thank you so much, Expel, for sponsoring again here with the CISO Series and, if you are interested in detecting and quickly responding to threats, you’ll be interested what they have to say, a little bit later in the show. Mike, this episode, if I time this correctly, will mean that I am now living in my new house in southern California.

Mike Johnson

That’s a long way to air. I wonder how the weather is.

David Spark

Hopefully better than where I am right now.

Mike Johnson

The reality is, it’s probably the same as it is right when we’re recording it.

David Spark

Potentially, who knows.

Mike Johnson

That’s southern Californian weather for you.

David Spark

But, here is the thing that I am most concerned about and definitely on the day this airs I have not solved this problem. That is, I’m going to be building out a new studio in the new house that I’m going to be in.

Mike Johnson

Fancy.

David Spark

I will say this. The room that I have chosen to be my studio and my office currently has a lot of echo in it and, so, I got a lot of soundproofing work to do.

Mike Johnson

I really think you just need medieval tapestries. Hang them from all the walls and it’ll both look awesome and absorb your sound.

David Spark

That would work and, actually, it’s interesting. In this office right now, I do have a blackout curtain that also works really well for soundproofing. You know, there are some option considerations. If anyone listens to TWiT.tv this week in tech, Leo Laporte’s network, I was just chatting with one of the sound engineers, asking for his advice on building out some soundproofing. I’m working with Andrew, the Producer of this show as well; so, we’re going to figure it all out. But I purposely am recording a lot of episodes so, hopefully, the first couple of weeks, I don’t have to do any recordings, I can just work on soundproofing that room. So, we’ll see how that goes.

Mike Johnson

I don’t think mirrors on the ceiling will help.

David Spark

No. That’s something one would do if they had a round bed and they were in the 70s.

Mike Johnson

I’ve just seen them on TV, it seemed like a bad idea.

David Spark

Alright, with that said, let me bring in our guest who, by the way, I’ve interviewed on camera many times and I knew he would be great on the microphone, because he’s always awesome when I interview him on camera. So I said, “ah, come onto our show” and he’s just got a brand new CISO gig. I think he’s only a few weeks into the job; although, when you hear this, he’ll be a few months into the job. But, still, plenty brand new. It is the CISO for Rent-a-Center, I believe their very first CISO, Jason Fruge. Jason, thank you so much for joining us.

Jason Fruge

Thank you for having me. It’s a pleasure to be here with you David and Mike.

First 90 days of a CISO.

00:04:04:10

David Spark

Jason, working at Rent-a-Center, this is not your first CISO gig. But, you’re very green to this CISO gig. I want to know, in your first 90 days as a CISO, what are the mistakes you’re going to avoid, or tactics you’re going to try to improve this go around? I’m going to assume you haven’t been perfect every day that you’ve been a CISO. Am I correct?

Jason Fruge

No, actually, I’m lucky, I have been perfect. No, I’m kidding.

David Spark

One of those fortunate CISOs that’s never made a mistake. I want to know, what are you trying to improve this go around and, what do you need to know, do you feel, before you feel comfortable making sort of critical decisions, if you will? So, talk to me about past mistakes, or things that didn’t get completed the way you wanted and then, at what level do you need to make these sort of decisions?

Jason Fruge

The biggest mistake that CISOs can make is imposing a security program that’s pre-planned for any organization, before they really know the organization. We are hired to tailor fit a security program for the organization we’re hired to protect and, just like any tailored suit, you’ve got to take a lot of measurements, right? That’s the thing that I see most often and perhaps I’ve even been guilty of that a little bit myself, is joining an organization and having this idea of security that I’m just going to implement, regardless of what the business does.

David Spark

Have you had this issue and, Mike, I want your take on this. You were at a previous program and there was one product that you loved using, or one thing that you absolutely loved using. This is definitely going over to my next thing and you realized, it’s not going to quite fit the way I want it to. How do I shoehorn this in? In production, we refer to this often as shooting the darlings. Even the thing you love so much you’ve got to get rid of. Have you had an experience like that? I’ll start with you, Jason.

Jason Fruge

I guess we all have our favorite technologies, but I really do try to put a lot of decision making on my team. Even right now, just starting out Rent-a-Center, I brought forward a couple of ideas for some of my favorite technologies. But I told my team, I want you to evaluate it and I want you to make a decision. I really want to be impartial here. Here’s what I like about this and here’s why I arrived at that previously but, with all the independence you can possibly have, I want your decision on whether this is a technology you want to move forward with, or continue even discussing. Because, if you don’t, let’s not. I really tried to put a lot of that on my team and I feel like that empowerment is critical to just helping them be effective.

David Spark

Alright Mike, I throw this to you. Have you ever had to quote, shoot a darling, if you will?

Mike Johnson

I have tried to make sure that it’s more of the capabilities of a particular product that I’m interested in, rather than the product itself. Those are the attributes that I’m looking to make sure, because I’ve learned from experience they have value, that they might be a really good fit, those capabilities, those features for a new role. I have certainly had relationships with vendors in prior roles that, it was great. The product was great, it worked great for the company and it just was not a fit for my next company. That really goes back to what Jason was saying. You have to make sure that what you’re bringing in, either your mindset, or your experience, you actually use that and tailor it to your new company. If you’ve got a vendor that you have experience with and they’re great and they’re actually a great fit for the new company, great. But, at the same time, it’s not something to just blindly carry with you, because it was successful at the previous company. It may utterly fail in your current one.

Jason Fruge

Building on that for a second, if you don’t mind. I think that sometimes what works operationally and culturally in one company, and works beautifully there, isn’t going to fit in a different company. I think that’s just as important as the technology itself, is making sure that everyone who was involved in that decision to go with that technology because it fits.

Are we making the situation better or worse?

00:08:18:09

David Spark

A user on Reddit tells a tale of having a data breach that implemented some malware and took over his processor. He said, he cleaned it up but then later discovered he couldn’t get into a few of his accounts. While he thought he did everything right, he didn’t completely clean out the malware. So, he asked for help and the Reddit community pretty much said, form at the hard drive and start over. Others suggested to reset passwords from another device that hasn’t been compromised. If what happened to this Redditer happened to you, what steps would you take and assume you’re not buying a new machine, Mike?

Mike Johnson

I’m very much in line with what the Redditers suggested. I’m in the nuke it from orbit category. Don’t try and clean it up. Just take the computer itself and install from fresh media. Format the thing however you need to get fresh insulation media; either buying it from an online retailer, or having a friend’s computer where you can burn a new USB stick and build fresh. That’s one of the categories. One of the categories is the system itself and making sure that that’s clean. The other category is, what happened while that person, or malware was on your computer; the theft of your existing accounts. That, actually, is the more difficult part to deal with. I have no local data on my computer. I can blow it away at any time, I just have to reinstall some software and I’m good to go. I think that’s where a lot of people are. So, it’s really the online space that you have to deal with. I would start with my email account, that’s really the root. If someone has access to your email account, they can quite often get access to everything else. If you’re with Gmail, or Yahoo mail, or what have you, they all have multi-factor authentication, get in there, go into that account, delete any old log-ins. There might be some existing sessions. Kick all those out, set up MFA.

David Spark

A lot of these companies use MFA use the email too; so, you could have an account directly.

Mike Johnson

Exactly and that’s why you start with email. If you just go somewhere else or reset your account, reset your password, it just comes back to your email and, if that adversary attacker, whatever you want to call them, is in your email, they’re seeing that as well and they’re collecting that. Start with your email and work through everything else from there.

David Spark

Right, Jason, what would you add to that and I’m assuming you would do the same.

Jason Fruge

Yes, I would do all of that. You know, I think what Mike’s touching on really is performing a personal threat hunt. When you go into your email box, do you see any second factor security codes that were sent to you? That indicates that they tried to breach that account and if they were in your email they probably did. That’s a password you need to reset. Look in your deleted items, see if they tried to cover their tracks, but they weren’t thorough. The password changes and the questions that you need to ask yourself, beyond formatting my hard drive, beyond changing my passwords, do I now need to freeze my credit? Do I now have identity monitoring concerns?

David Spark

That’s all the far more complicated stuff. Every time I’ve had to rebuild a computer, not because of a breach but just to move to the next computer, I always make a building plan like, oh I’ve got to install this, this, this and this and I’ve found that that has been really helpful. Like, what am I going to add to this machine. The last time I had to do this, literally, I was up and running in one hour, I did it all. I was kind of stunned. Normally it’s a half day project, but I was able to get it rolling that fast. But, as you said, that’s not the big problem.

Jason Fruge

Oh, yes, absolutely. The big problem is, you know, what data might be lost and what are the implications of that data being lost?

Sponsor – Expel

00:12:18:21

Steve Prentice

It’s one thing for a company to say it’s good at something, but it’s quite another when someone like Forrester says it for you. Expel is a managed detection and response organization and, if you want to find them, grab a copy of the Forrester Wave Managed Detection and Response Report for Q1 2021 and look way up in the top right hand corner. The place where everybody wants to be. Here’s Bruce Potter, CISO at Expel.

Bruce Potter

We’re really happy to be all the way in the upper right of the Forrester Wave. When the company started, it was all kind of an experiment to see, hey, does this hypothesis of how we want to do this work? And it turns out it does. We’re really happy to see it play out and we’re super happy to be able to see the impact we make with our customers too.

Steve Prentice

Expel has some very recognizable names on their customer list, including a national food delivery company and a major airline.

Bruce Potter

In respect to one of our airline clients that is both heavily on-premand in the Cloud, we’re able to monitor both environments at the same time and provide the same value and visibility across their entire environment. You can probably expect that there’s a lot of legacy stuff in organizations like that, combined with cutting edge technology and, so, they’re really happy to be able to have one place to go to, to have all those systems monitored. 

Steve Prentice

In other words.

Bruce Potter

Something that Expel excels at is taking a load off your team, allowing them to focus on things that they should be focusing on and getting away from the day-to-day firefighting. So, leave that to us, we’ve got your back. Go focus on what you need to focus on, to make your organization better.

Steve Prentice

For more information, visit Expel.io.

It’s time to play What’s Worse?

00:13:55:05

David Spark

It’s the What’s Worse game. Jason, I know you know how to play this game. Mike, do I need to explain it to you?

Mike Johnson

Could you remind me, David, I forgot?

David Spark

Well, I’m going to remind the audience. It’s a risk management exercise. I offer two incredibly horrible scenarios; usually incredibly horrible. I will say, these are both bad. You have to choose, of these bad scenarios, which is the worse from a sort of risk management perspective, as you’re looking at risk? Everything has risk, some things are worse than others; even when they’re both bad. This comes from Jason Dance of Greenwich Associates. Jason, by the way, has been a phenomenal contributor, given us lots of What’s Worse scenarios and here’s another good one. What’s Worse? You’re getting your Pentest report back from your vendor and there are several rather large and breach worthy entry points, which will take weeks to close. Bad, right? Or, having the Pentesting vendor deliver the report in person and successfully employing social engineering skills to get themselves to critical business data. Mike, which one’s worse?

Mike Johnson

I guess the way that I’m reading between the lines on this is, in the first scenario, you have exposed endpoint setter exposed to the world. Anyone out there could potentially access them. You don’t know if they’ve been accessed, all you know is that these vulnerabilities exist, these exposures exist.

David Spark

It would take, let’s say, a number of weeks to close, but they’re closable, if you will.

Mike Johnson

Yes. The other is, they’re able to use social engineering to bypass your physical security controls.

David Spark

It seems, both would get access to your critical decision data.

Mike Johnson

For me, the way that I look at this is, there’s the exposure and then there’s the opportunity. If you look at motive, opportunity and looking at crime. Here the opportunities are very different. In the one scenario, it’s exposed to the world. Someone sitting in their desk, halfway around the world, can potentially penetrate that particular endpoint. In the other case, they have to show up physically and they have to be there in person. That’s a much smaller scope, smaller opportunity for an adversary to potentially get into your client. 

David Spark

He didn’t say that that can be closed so, that may still open.

Mike Johnson

It may. But the fact of the matter is, the likelihood is so much lower. In the first case, I might already have a breach, it might already be in my environment and I don’t know about it. I think, of these two, the first is the worst; where you’ve got that global exposure. The second one, where it requires physical presence, even if that’s not something I can ever close, I can deal with that. That’s a really small opportunity for exposure. So, I really think the first one is the worst of these two.

David Spark

I throw this one to you Jason and, Jason, I don’t know if you know this, I love it when people disagree with Mike.

Mike Johnson

He does, he does.

Jason Fruge

No I don’t.

David Spark

No pressure.

Jason Fruge

I don’t, I actually totally agree with Mike and I was going to come to it. I would say, by analogy it’s like, you know, what’s worse? Someone breaks your window and steals the checkbook off your desk, or somebody posts your check and account information on Reddit? It’s the exposure. If anybody uses checkbooks. Maybe that’s a bad analogy, who uses checkbooks anymore? Let’s say it’s a credit card.

Mike Johnson

What’s a checkbook?

Jason Fruge

Right.

David Spark

I have them in my drawer, just to look at the number.

What’s it going to take to get them motivated?

00:17:54:06

David Spark

How do you motivate your staff to do more than they can do? Steve Jobs was famous/notorious for pushing his staff to the edge of what seemed to be an impossible task. But his charisma, his threats, his vision, the competitive nature, or a combination of all, did eventually drive his team to do what seemed at the onset an impossible task. As a result, Apple has developed some incredible products, moving the whole industry forward. If duplicating Steve Jobs was an easy task, others would do it, but it’s not. I’m going to start with you Jason. How do you motivate your staff to push themselves beyond initial expectations?

Jason Fruge

That’s a great question and, reflecting on that, takes me back to when I first became a people leader and I didn’t really know what to expect. I suddenly found myself overwhelmed with personalities, with complexities of people complaining about their work, or their peers and, you know, their ambitions and whatever personal crisis. All these things were very complex and it was, like I said, overwhelming. I thought, how can I deal with this. I put it in that context that made sense to me given my background. I kind of rethought and re-framed what I do as people hacking. For me it’s, how do I get that person to do more than anyone thought they could do? That isn’t meant to sound impersonal, it really is the opposite. I really have to spend a lot of time understanding that person. What are their goals? What are their ambitions?

David Spark

Can you give an example?

Jason Fruge

It’s not uncommon for me to, first and foremost, name the kids of everyone on my team. Everyone on my team, I can tell them who their family members are, what they’re going through in their life, because I really have invested that time to get to know them. Also, what we’ll help them with their professional kind of goals. Like, do they want to be just the best firewall engineer in the world in the next five years, or do they want to be in a different kind of role? What is it that they’re trying to achieve and how can I help them get there? I think, when people see that personal investment on both of those levels, they open up and they’re willing to take some chances with you. That’s on a personal level. I think, organizationally, it’s just as important to set a vision and make sure that vision is understood by everyone and agreed upon. But, continuing with that personal part, because I think that is so important, I think that sometimes it’s just problem solving and brainstorming sessions and actively engaging people to say, hey, here’s the problem, we’ve got to figure out how to solve this and having some light and light-hearted debate matters so much. It makes a really effective difference. Because, when people present solutions and if you finally get to a point where you accept it and say that sounds like the right solution, and then you empower that person to solve it, to go execute on whatever that idea was, then, recognize their success when they do it, they’re going to do that stuff more often. You build that kind of trust.

David Spark

It’s about giving them ownership and trusting them with that ownership.

Jason Fruge

100% and I think, part of that trust though also means, you recognize when they do things excellently and you also recognize when they need to do it better. A long time ago someone gave me a book, I think it’s a great book, so I recommend it. It’s called the The Radical Leap. It’s a really good story, it’s a quick read. It talks about, how it’s important for leaders to be vulnerable and make sure that people also recognize that we make mistakes too and we can still work through those mistakes and still be successful. When they see you as a vulnerable person, they’re not suddenly afraid to make mistakes as well and so they take risks and they do things that aren’t guaranteed to be successful, because they feel comfortable. I think empowering people in that way makes a huge difference.

David Spark

Excellent point. Mike, I throw this to you. How do you make your team more awesome than they currently are?

Mike Johnson

I approach it from a perspective of, where are we trying to go? What is that strategy? Where are we trying to improve? Where does the company need us to improve and have that concept, that destination, as it were, in mind, in having the internal discussions, and working with the teams, with the individuals on how this all fits together. On what parts they’re interested in playing, what parts we need them to play because, sometimes those are two different things and where they have these opportunities to fill in the gaps. We need this problems solved, we don’t have someone solving it right now. Hey, that’s an interesting problem to me, I want to go solve that. That’s where you start seeing people step up. I’m a firm believer of giving people the opportunities and, when presented with opportunities, people will step up far beyond what was expected of them; because, that’s not their normal set of responsibilities. This is new opportunities, new options for them. In my mind it’s, how do we fit in with the larger strategy and, then, how do we translate that down to an individual for, where it is that they want to participate and where it is that they want to individually choose to excel? Then it’s a matter of, making sure that you’re giving people the opportunity and the safety, as Jason was saying, to take risks, to make mistakes. What you get out of that is, I’ll take a risk over here; it may not work, but if it does, it’s one of those half quart shots or whatever bad sports knowledge you want to use here. They take that chance and that’s where you really see that surprising success is, they’ve taken a chance because they feel safe to make a mistake. But they also feel safe to take a really big chance that may or may not work out and, when it does, they’ve exceeded expectations.

How do you go about discovering new security solutions?

00:23:49:17

David Spark

Neil Saltman of Anomali and co-author of the book, Cyber Security Sales, available right now on Amazon, go check it out, he has a question.

Neil Saltman

My question for you is on the delineation of when a CISO actually needs to get involved in a purchase. Is there certain criteria that you set forth for your team, where you allow them to make purchases where you trust they’re going to make the right decision, after you’ve given them criteria? Or, do you have to be involved in every decision that’s made? Is it based on cost, is based on prioritization? What are those lines of delineation you draw, whether you say, I need to be involved and I need to know everything that’s going on?

David Spark

Mike, an excellent question. I will toss this to you. What’s your answer to Neil’s question?

Mike Johnson

When I think about this question, it’s the company policies versus the implementation of those policies. Company policies generally have approval levels. If you’re at this level of the company you can approve this amount of spend. The reality is, for most of the spend in the organization, I do have to be involved, but I can choose when I’m going to be involved and, in general, I choose to be involved at the end. After a decision is made, but before any commitments are made. That’s the safety net that the team has. From my perspective, it might be setting a budget; saying, you’ve got x amount of dollars to go and spend on this particular product, I know a few vendors in this space, maybe go take a look at them, bring a few of your own. Or, you have y amount of dollars to spend, I know nothing about it, but this is what we have budgeted. Go tell me who’s best. Go evaluate them. Go have the discussions. Ultimately, those are my favorite ones, where I’m not involved, where I’m surprised that, hey, we’ve done this evaluation, there’s this solution that we’ve never heard of before, but is exactly what we need, and we have an opportunity to have a great relationship with this particular vendor. My preference is actually to not be involved.

David Spark

Your preference is do a lot less work. Is that what you’re saying, Mike?

Mike Johnson

In general, yes. My preference is to kick back, pet my cat.

David Spark

When you were getting hired, is that what you said? “I like to do less work “and they said, “this is the kind of CISO we need in this business.”

Mike Johnson

There’s an old thing in the sysadmin space, that has always stuck with me of, you try and automate yourself out of a job. It’s similar here, right, where you want to empower people to make decisions where they’re able to be autonomous, but set up the frameworks within which they can make those decisions. That’s the difference.

David Spark

Going back, also, to our past segment, as a leader you look awesome, not because of the actions you take, but by how awesome your team is.

Mike Johnson

Absolutely, it’s 100% the team. I’m nothing without my team. Frankly, I’ll go so far as to say, I can get nothing done without my team. If I didn’t have a team, I’m not getting anything done.

David Spark

Mike Johnson is ineffectual?

Mike Johnson

Exactly.

David Spark

Just making sure. We’re going to cut that little clip of me saying that.

Mike Johnson

Yes. Let’s get that on t-shirts. If we can have that the highlight on the LinkedIn post, perfect.

David Spark

Of course.

Mike Johnson

Thank you David, I’m glad you have my back.

David Spark

I am here to support you, Mike.

Mike Johnson

I’ve always known that and appreciated that about you, David.

David Spark

I throw this one to you, Jason. From the onset of what Neil’s question is of, you know, when you need to be brought in for decision-making, what is done with and without you, how much of your answer is different from Mike’s?

Jason Fruge

I think we’re very similar. But I would say, I think solutioning a problem is the more tactical part and I try to stay out of that as an effective executive. I think it’s important to remain in that thought leadership kind of role and not in that more tactical space. But, I love this quote from Einstein who said, if he had only one hour to save the world, he’d been 55 minutes defining the problem and then five minutes solving it. I think defining the problem is where we need to spend our time as influencers, as CISOs to say, let’s really down to what the real problem is and, then, we might not even need a technology to solve it, frankly. But, once we really understand the problem, then we can get to an effective solution and we can go and empower the team and they can do the things like evaluate tech and so on.

David Spark

What is your philosophy of defining the problem then? I’m a big fan of the five whys, of constantly asking why, why, why, why down the road. You’re not in your head, Jason. Do you do the same? Is there something else?

Jason Fruge

I love the five whys. I don’t think it applies in every scenario so, I really try to do a lot of brainstorming down to causable effects and so on.

David Spark

But it gets down to the core problem, that’s what I love about it.

Jason Fruge

100%, yes. It takes out a lot of the bias and speculation about what caused the problem. 100%. Anything you can do to get down to the facts, be unemotional about what the problem is, is a good approach.

Closing

00:28:59:23

David Spark

That brings us to the end of this show and we’ll get down to the facts. We’ve reached the end. Thank you very, very much, Jason. Jason, I will let you have the very last word. By the way, this was Jason Fruge, who’s the CISO at Rent-a-Center; a brand new CISO. I’m just going to quickly ask you this, Jason, because I asked it for all our brand new CISOs. When you changed your profile on LinkedIn, saying that you’re the CISO of Rent-a-Center, what was the level of hammering you got from vendors?

Jason Fruge

I was so popular, it was unbelievable. Before I came back into the CISO, I was on the vendor side for a brief time and I worked with a lot of channel partners and a lot of folks. The amount of phone calls I got with my friends from my previous career, I think, probably exceeded a typical experience. Because I was, you know, in contact with so many sales people all the time. But, yes, it’s a dangerous thing to announce, that you’re stepping back into a CISO role, for sure.

David Spark

I know. Hold tight. I’m going to let you have the last word and, also, we always ask the question, are you hiring? So, have an answer for that. Our sponsor for today’s episode has been Expel. Thank you, Expel, for sponsoring us. Go check them out at Expel.io. Mike, any last words?

Mike Johnson

Jason, thank you for joining us. What I get so much value out of being a part of this show is listening to fellow CISOs and learning from them. I really enjoyed listening to you talk about leadership and clearly you have a passion for that. That came through over and over again and that was one of the joys that I had of being a part of this conversation, was to learn from you. Thank you for sharing that overall knowledge, experience and passion around leadership. I really liked your point about helping to define the problem and that really being a value that you bring as a leader. Not the solution side of it, but helping to define the problem and the value of that. So, thank you specifically for that guidance that people can take home and do something with. But, overall, I really appreciate your perspectives on leadership so, thank you for coming on and sharing with us.

Jason Fruge

Well, that was very kind of you to say that, Mike and I appreciate all of your comments as well. I think, everything you said, I’m just nodding my head, going this is absolutely spot on. I’ve listened to several of the podcasts, I love this series and I think you’re doing important work here. I think it’s educational, I always learn something and I’m glad I got to be a part of it this time. Thank you, guys so much. I’d love to come back anytime and do this again so, thank you.

David Spark

You were excellent. Now you have to answer my question. Are you hiring?

Jason Fruge

Oh. Yes, we have a couple of open positions that predated me, but I still am going through the process of understanding how work gets done. I still don’t feel like I’m in a good position to say, yes, we definitely need to hire some more people at this point. But, possibly.

David Spark

But, if a good candidate is interested in working with you, they should still contact you yes?

Jason Fruge

100%. I’m always looking for, if nothing else, just to build a pipeline and keep some folks warm, who I’d obviously love to have join the team. Yes, if you’re interested, let me know. You can find me on LinkedIn, absolutely.

David Spark

That is Jason Fruge, spelled F-R-U-G-E. It’s not Fruge, which a lot of people, I’m sure, screw it up like that.

Jason Fruge

All the time.

David Spark

It’s a French name, yes?

Jason Fruge

It is, yes. It’s actually Cajun French.

David Spark

Alright, well there you go. He is the CISO of Rent-a-Center. Mike Johnson is my co-host of this show. You are our audience and we appreciate all the contributions you give to our show so, thank you. Keep them rolling in. What’s worse scenarios? If there’s hot discussions on line, questions, concerns, if you record one like Neil did, we love that. There is a way to do that on our site. If you look under participation. Please do it. As always, we appreciate your participation and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”