How to Be a Security Vendor CISOs Can’t Ignore

How to Be a Vendor CISOs Can't Ignore

There are vendors that CISOs can’t look away from. Who are they and what did they do to get so much attention from CISOs?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Saša Zdjelar, SVP, security assurance, Salesforce.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Sysdig

Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes.

Full transcript

[Voiceover] What’s a great approach from a security vendor? Go!

[Saša Zdjelar] I think the best approach is when a vendor tells me what problem they’re going to solve and how that’s going to reduce risk instead of telling me about the characteristics of the product.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. My co-host, who you’ve heard since the very first episode which was June 1st of 2018, it is Mike Johnson. And Mike recommends that you do listen to that first episode, of which I recommend you don’t. Why is that, Mike?

[Mike Johnson] It tells you how far that we’ve come. It really gives you that recollection and understanding that we actually have gotten better. And so start with where we were, then come to where we are, and just see our growth.

[David Spark] So, you’re saying go ahead, listen to fingernails against the chalkboard, and then come and actually have something nice into your ears.

[Mike Johnson] Right. So you understand that we actually were really bad a while ago, and now we’re really good. And that’s how you know the difference.

[David Spark] And my advice to everyone doing podcasts or videos, whatever, the way you make good podcasts and good videos, you make a lot of crappy ones first.

[Mike Johnson] Yep. Start somewhere and then you’ll end up somewhere else.

[David Spark] Hey, we’re available at CISOseries.com. We have lots of programs on our network. Why not go check them out? And our sponsor today, they’re an awesome sponsor for us – Sysdig – secure your cloud from source all the way to run. More about Sysdig and about how they can secure your cloud in the whole development stage later in the show. But first, Mike, I’m going to ask you a question. Have you been extremely excited about something, and then when it happened, it was the world’s biggest disappointment?

[Mike Johnson] Oh, no, never.

[David Spark] Never?

[Mike Johnson] No. That has never happened in my life, David.

[David Spark] That’s the sarcastic never. It has happened to you.

[Mike Johnson] Yeah.

[David Spark] Give me an example because I have a really good example of it that I was extremely excited about, but I was monsterly disappointed by.

[Mike Johnson] Oh, gosh. Maybe you’ve got a vacation coming up, and you’re all ready to go, and you’re all packed, and then your flights get canceled, or you arrive where you’re going to, and your hotel is terrible.

[David Spark] Oh, yeah. I’ve had bad hotels. That’s no fun.

[Mike Johnson] Those come to mind when you ask me that question.

[David Spark] So, here’s my experience, as you know, and I’ve spoken about this on the show, I’m a big fan of the pinball.

[Mike Johnson] Mm-hmm.

[David Spark] I had not been to the new location of the Pinball Hall of Fame in Las Vegas, and I had an opportunity while I was at Black Hat.

[Mike Johnson] Right.

[David Spark] And I’d been to the old location multiple times, which was not on the Strip. Now it’s on the Strip, very close to the Mandalay Bay which is where Black Hat was. It was a monstrous disappointment. Because of the 150 machines that are there, a good 30 of them were just broken and not working. And of the ones that were working, they were in such poor condition that playing them was a lot of no fun.

[Mike Johnson] So they should have been classified as broken too.

[David Spark] Yes. Monstrous disappointment.

[Mike Johnson] That is very disappointing.

[David Spark] And the thing is, the old location just wasn’t as popular, so people weren’t hitting the machines that much, so the machines didn’t break as much. Now that it’s far more popular, people are breaking machines. And machines get broken. I mean, it’s a metal ball banging things, so that’s how it happens.

[Mike Johnson] And hands banging hard on those buttons on the sides.

[David Spark] That’s not as much of the problem as the darn metal ball whacking into things constantly.

[Mike Johnson] I can see that.

[David Spark] All right. So, my complaint has been filed. I just want you to know that.

[Mike Johnson] I am sorry that was such a letdown, David.

[David Spark] Mm-hmm, it was.

[Mike Johnson] I can feel it, and I personally apologize for you.

[David Spark] From this moment on, this show will be nothing but on the upswing.

[Mike Johnson] Yes.

[David Spark] Because our guest, who I met at Black Hat and interviewed at Black Hat, is phenomenal. He currently works where you used to work, Mike – Salesforce. He’s the SVP of security assurance. None other than Saša Zdjelar. Saša, thank you so much for joining us.

[Saša Zdjelar] Thank you. It’s my pleasure to be here.

Why is everyone talking about this now?

4:27.962

[David Spark] The upcoming trial of Joe Sullivan, former CISO of Uber, who is facing criminal charges that he defrauded drivers by covering up a massive data hack, is a very hot topic of conversation right now among security leaders. Now, we are recording this episode in late August, so much may change between now and when you’re hearing this. And I have seen posts from both Robert Rodriguez, who’s the founder of SINET, and Jamil Farshchi, the CISO over at Equifax, all talking about this, driving a lot of conversation. And it’s putting a lot of fear into security leaders as to their liability, whether they’re covered by the D&O insurance, their directors and officers, that they would be protected by personal financial issues. Mathieu Gorge, CEO of VigiTrust and author of “The Cyber Elephant in the Boardroom” asks, “Do you feel personally threatened as a CISO, either threat of losing your job, damage to reputation, or even litigation threat?” Now, you don’t necessarily have to answer for yourself, but rather what you’re hearing other security leaders saying. Mike, I throw this to you.

[Mike Johnson] So, whenever I see this discussion come around, there’s this dumb trope that’s floated around for so many years of “CSO stands for Chief Scapegoat Officer.” I really don’t think that’s the case. Certainly, people are worried about losing their job.

[David Spark] Well, we’ve seen examples of this in the past, of a CISO getting dumped after a breach, but it’s been a long time.

[Mike Johnson] That’s really my point: this very rarely happens. There are a few cases. It’s certainly nonzero. There are people who’ve lost their jobs after breaches, but in most cases that’s actually when a company needs their CISO the most. That’s a bad time to go be dealing with a breach and hiring a new CISO or having a leaderless security team. It’s a terrible time to do that. And so I’m not going to say it doesn’t happen. But I think the reality is it doesn’t happen as often as people perceive it to, or frankly, maybe people think it should happen more than it does, but that’s just not the case. I think frankly, going beyond that, the litigation concerns are even less likely to happen. Joe’s situation is unique. The only other cases that I’m aware of, of lawsuits against CISOs or legal action against CISOs, is when there’s been insider trading, and anyone could be charged with that in those types of situations. A CISO is not in a special situation. So, I really do think that it’s reasonable for this to be a concern, but it shouldn’t be so concerning to be paralyzing or so concerning that you pass up opportunities because someone’s not wanting to put you on their D&O. It just doesn’t feel like that big of a deal to me.

[David Spark] It’s interesting. I’ve seen the gamut of responses to the “I’m not worried about it too. I’m extremely concerned and I’m going to be watching this closely.” Saša, where do you stand?

[Saša Zdjelar] Well, I think the perception out there is still very much like what you’re describing, David. I think a lot of CISOs feel like they might be one breach away from being sort of associated with that activity, even if they’re not personally liable, even if they’re the most necessary function right after the breach, kind of like what Mike mentioned. That’s definitely true. It’s not uncommon for month two, three down the road for the decision to be sort of, “It’s time for us to move in a different direction. You’re associated with that event. It’s time for some fresh leadership in this space.” I think those are all still kind of the sentiment on the street for what will happen to a CISO in case there is some sort of a very substantial cyber event.

[David Spark] But what about the concern that a business will throw liability on you or that the business will say, “We didn’t tell him to do it. That person did it on their own, and now you should go after them, not us,” kind of a thing.

[Saša Zdjelar] Yeah, I haven’t personally seen that happen. I think I’m with Mike on this one, that I think that is uncommon, and it’s a good thing that it is. I don’t think it changes the sentiment for a CISO to feel like they’re a breach away from being thrown under the bus, but I don’t actually practically see that happening in real life.

[David Spark] More my concern is – and this I’ve heard from CISOs – that maybe at past jobs you’ve heard this, or you’ve heard CISOs talk about this, where the business wants the CISO to do something that they do not think is as ethical. Because this Joe Sullivan case seems pretty darn unethical and potentially criminal, which is what he’s maybe liable for. Have you done or has anyone else that you know of been faced with issues like this?

[Saša Zdjelar] Yeah. I mean, I think some of the folks who I know are folks that the whole industry knows. We’ve had this come up in disagreement in path forward and decisions made with Facebook, right? Many, many years ago. And it’s the reason why their CISO chose to leave and is pursuing different things right now. I think we’re seeing some of that play out live in the last 24 hours. Again, we’re recording this in August. By the time people hear about this, it will be much more of a common story, but just in the last 24 hours, we heard about Ludge [Phonetic 00:09:49] and kind of some of the things that happened at Twitter and the disagreements there, who said what to whom. I don’t want to get into that now, but I think again, it’s an example of where the CISO would have wanted to pursue a different course of action. Sounds like there wasn’t alignment on that. The CISO chose to distance themselves from the organization. That is a repeated pattern that I think we know several very prominent, both companies and CISOs, that have been faced with that decision.

[Mike Johnson] I’d argue that this applies to CFOs, this applies to general counsels, this is not unique to security. You can end up in a situation where you have a significant disagreement with the leadership, with the culture, the value of the company. You shouldn’t be there. You should take off yourself and move on. That’s not unique to the CISO role.

[Saša Zdjelar] Yeah. I heard a fantastic tweet just today, actually, from one of my favorite InfoSec people, Daniel Miessler. He made the comment that a lot of people hire these extremely prominent cybersecurity personalities, but then somehow expect them to act in a way that’s not consistent with why they became those personalities. Of course, you’re going to expect that this person acts with the utmost ethics, and you shouldn’t be surprised then if they’re not willing to make that compromise due to some cyber event that happened or a business decision. You hired them because they’re awesome. You should have every expectation that they will continue to behave awesomely and with the highest ethics in situations that come up like this.

Confessions of a CISO

11:17.286

[David Spark] What techniques do CISOs deploy to cut through the marketing noise? Wall Street Journal’s Cheryl Winokur Munk asked the question we’ve been grappling with since day one on the CISO Series. And tip of the hat to Mark Eggleston who’s the CISO over at CSC for bringing this article to my attention. Everything mentioned in this article is something we’ve addressed many times on this show: email filtering, pursue instead of being pursued, warm introductions – that being a big one – and partners instead of sales transactions – another big one. I go back to a Steve Martin quote, “Be so good they can’t ignore you.” So, I’ll start with you, Saša. Can you think of vendors that were so good that you couldn’t ignore them? What made them achieve that status?

[Saša Zdjelar] Yeah, actually. Several come to mind, two specifically. I would say what made it hard to ignore them is just their ongoing repeated pattern of when there was something big that happened, you know, some new malware family in the case of an EPP vendor, EPP VR vendor I’m thinking of. Anytime something happened that was late breaking or zero day or appeared kind of in the Twitterverse and was a big deal for corporations, they would have content out within minutes espousing to how they natively already protect against this threat, not, “You need an agent update,” not “You need a version or you need to upgrade,” but “Our agent as of a year and a half, two, even three years ago – version going back that far – natively protects against this.” And when you do that once, it’s sort of like, “Good for you, you got lucky,” right? When that happens repeatedly for advanced threat after advanced threat, it just starts kind of being in that category that you described of “be so good they can’t ignore you.” After a while, I just couldn’t ignore that vendor anymore. I said, “Okay. Let me learn a little bit more about what makes the secret sauce because clearly, they’re doing something right if they can natively protect immediately against some of these most advanced malware families coming out.” That was in the case of an EPP VR vendor.

[David Spark] Let me ask a very quick question, follow up on that. How exactly did they word it? Because one of the things that – Mike, this is the early days, this is how I got connected with you – is often a vendor would say, “Well, if they had our product – company XYZ – they wouldn’t have been breached.” Which drove the ire of many CISOs. So, how would they word, like, “We protect this without being obnoxious about it,” I guess is the way I’m asking. Saša?

[Saša Zdjelar] I think in their case, they weren’t trying to be very nuanced about it, honestly. I think they knew they had an advantage, and they very much were playing up to it to say, “No need for us to do research and get back to you soon,” because those are the types of answers you usually get. “Well, our research team needs time to look at this.” Meanwhile behind the scenes, they’re scrambling to develop new behavior engine updates and DATs and whatever they’re doing. In the case of this vendor, they were pretty on the nose about their marketing because they had the luxury to be able to do that. They would say, “No need to install a different product. No need to have extra layers of security. We protect natively, and we’re the only product that does at the moment, and if you run us you’re protected.” It was pretty in your face marketing.

[David Spark] All right. Mike, same question, can you think of vendors that were so good you couldn’t ignore them?

[Mike Johnson] I’m somewhat along the same lines of what Cheryl was suggesting, which is it’s kind of related to the warm introduction. What I like to see is companies who turn their existing customers into champions. And what I mean by that is if I have a problem, I’m going to go ask my peers, I’m going to ask my community, I’m going to go ask Saša, “How have you solved this problem?” And if I get one person to come back and say, “Hey, this is who we’re using. We’re really happy with them. They helped solve this problem,” like, great.

And again, kind of to Saša’s point, if I hear that once, okay, maybe you just got lucky. But if I’m hearing that consistently, if I’m hearing that from 5 different voices, 10 different voices, that really gets my attention. Those are going to be the ones where I know that that’s someone I want to talk to because they’re making those existing customers successful, they’re solving the same problems that I have for those customers, who are people who I trust. That’s what I look for. Turn your existing customers into champions, and that’s going to get to me, I’m going to hear about it, and you’re going to jump to the top of my list.

[Saša Zdjelar] I mean, nothing beats a customer endorsement, right? When the customers become your sales team because you’ve won them over so completely, nothing beats that. You can’t buy that kind of marketing or advertising, right?

[David Spark] No. I’ve heard that they’re worth their weight in gold.

Sponsor – Sysdig

16:13.105

[Steve Prentice] Sysdig is a cloud and container security company that covers all major cloud providers and manages cloud security issues including container and Kubernetes environments. It is also the creator of Falco, the open source standard tool for continuous risk and threat detection across Kubernetes, containers, and cloud. Sysdig contributed Falco to the Cloud Native Computing Foundation, and it has been downloaded over 30 million times. Anna Belak, director of technical thought leadership at Sysdig, explains why that’s so cool.

[Anna Belak] The reason that’s pretty cool is open source is very transparent, so you know what you get, and if you have any questions you can get right into the Git repo and check it out, you can contact our staff or the CNCF to find out more, and everything is totally clear. So, if you wanted to know what detections are available, like which rules are in the tool, you can just open it up and they’re all there. And you’re more than welcome to contribute or request [Inaudible 00:17:07].

[Steve Prentice] This puts Sysdig in an enviable position.

[Anna Belak] Because Falco is our pedigree, it also kind of like signals that we are the shepherds of the de facto standard for threat detection for Kubernetes. We are a Software as a Service offering. We began by securing the most modern workloads that people build and deploy today. But as we grew our business, we expanded our coverage to all the major cloud providers and security issues that are fundamental in securing your container and Kubernetes environments as well.

[Steve Prentice] For more information, visit sysdig.com.

It’s time to play “What’s Worse?”

17:47.497

[David Spark] All right, Saša. Are you familiar with this game “What’s Worse?” we play?

[Saša Zdjelar] I am familiar with the small blurb I’ve read about it, yes.

[David Spark] Okay. Really, it’s a risk management exercise. We give you two bad scenarios. You have to tell me of these two bad scenarios, which one’s worse. And Mike, I will just say this gentleman, Jorge Lopez of Peloton Interactive, has got your number. Because he picked, I think, the two things that really grind your gears, okay?

[Mike Johnson] All right, Jorge. Let’s see what you’ve got.

[David Spark] And he’s putting them back to back on you. Here we go, Mike. You got a brilliant jerk on your team, all right?

[Mike Johnson] Of course.

[David Spark] Or a single pane of glass that’s so ingrained with your team that they hardly know the UI or the capabilities of the tools that feed into it. Now, the UI, by the way, refers to the user interface of each individual tool as well. All right, Mike, which one’s worse?

[Mike Johnson] So, Jorge, I see what you’re trying to do here, and I applaud you for it, but I’m going to stick with my answer – the brilliant jerk is worse.

[David Spark] Worse than a single pane of glass that you have no insight into?

[Mike Johnson] The reality is you can make that work, you can function. Especially if your team is just so caught up in, “We’re making this single pane of glass work perfectly for us.” Yeah, we don’t understand the individual components, okay. But at least you don’t have a toxic coworker who makes you dread coming to work every day. Brilliant jerk is worse.

[David Spark] But, I’m just throwing this out, the brilliant jerk is still brilliant and could actually do more than that single pane of glass.

[Mike Johnson] And will be the only one working there when everyone else quits.

[David Spark] Maybe, maybe not. All right, Saša, I throw this to you. Do you agree or disagree with Mike? And by the way, no pressure but I do love it when guests disagree with Mike.

[Saša Zdjelar] I wish I could, and maybe you could ask me a different one, but on this one I’m going to have to wholeheartedly agree. I just think the long term tax that you’re paying with the brilliant jerk just couldn’t possibly outweigh the other scenario. I just think that the toxicity is not something that you can sustain. And like Mike said – he’ll be the last brilliant jerk probably looking at that single pane of glass because no one else will be working there.

[Mike Johnson] I do like the way that you put that for the long-term tax. I think that’s a great way of thinking about it.

[David Spark] Maybe it was a team that was put together for some network operation center at a conference and was only going to be together for a week. What about that situation? You work with a brilliant jerk, or you have the single pane of glass you’ve got no insight into. And again, it’s a temporary network.

[Mike Johnson] You’re changing the scenario.

[David Spark] I’m just throwing this out here. I’m just going to see if I can get you to sway.

[Mike Johnson] We were told that we couldn’t change the scenario. I’m not swaying.

[David Spark] You’re not swaying.

[Mike Johnson] You know I’m not swaying on that.

[David Spark] Saša, would you sway? It’s not long term. It could be over in a week.

[Saša Zdjelar] I think there, I could maybe be a little bit more convinced that some temporary pain might be worth it because I can put a bookend on, again, that tax. Long term – no way you could convince me. But I think short term, depending on the scenario and how much I needed their brilliance, I could be persuaded.

How have you actually pulled this off?

21:13.324

[David Spark] How do you retain “must have” employees? Now, at Black Hat this year, I interviewed Jason Haddix who’s the head of security and risk management at Ubisoft on the techniques he deploys to keep his best people on staff. The quick answer is there is no one technique but rather a lot of touchpoints that involve ongoing recognition of work done, and personal touches of meeting with staffers and not talking about work. So, I’m going to start with you, Saša. Think of your best staff members. What do you do to keep them and what have you found works the best?

[Saša Zdjelar] First of all, I think I want to throw out a giant shout out to Jason Haddix who I think is one of the smartest people in InfoSec, also happens to be a very good friend. And the talk that he did at the CISO Summit on this exact topic got rave reviews because I think it unlocked a number of techniques that people kind of hadn’t thought about in retention. So, I would echo some of what he says, but I would add a couple more. I think he’s definitely on to something, to the extent that you can, to get to know the people outside of a work context. I think when you build a relationship with someone that goes beyond the zeros and ones and packet ninja stuff, and you get to know their families, you get to know kids’ birthdays and what they’re into in hobbies, and you then can begin your one-on-ones with those sort of anecdotes and asking about, “Hey, how’s your sister? I remember she had that thing.” I think that goes a longer way than people realize. So, some of the techniques I’ve used are exactly along those lines.

[David Spark] By the way, do you keep a notebook to make sure you remember all your staff members’ personal little tidbits?

[Saša Zdjelar] It’s so funny you mention that because I do work for a CRM company, and it almost feels like I would want to deploy a CRM solution to help me manage this, especially in orgs of scale. But I actually do. I have a little notes file where I try to scribble down kind of the pertinent bits that I think would pay good dividends down the road to be able to reference when I’m talking to some of the folks on my team. So, yeah, I do actually. It’s, I think, an important aspect of kind of bringing a human connection. And I think Jason did a great job articulating some of those non-monetary or non-compensation ways of getting people to feel like they have a sense of belonging in a company that goes beyond a paycheck.

[David Spark] One of the things he also mentioned was the critical nature of true recognition rather than attaboy pats on the back. But rather like awards and literally plaques and things that you give to people. Have you done things like that, and do you think that’s necessary?

[Saša Zdjelar] I think it’s not by accident that going back hundreds of years, you can find examples of people handing some sort of a totem to someone to recognize their contribution. I think there is something ingrained in all of us that likes seeing that kind of recognition, whether it’s an anniversary award or some kind of a special tchotchke made for the successful completion of a particular project. I think those things go a long way. One of the questions he asked of the audience during that talk is kind of a show of hands how many people still have some kind of a glass statue or medallion or challenge coin or something from a time when you were part of a group that achieved something together, and just about every hand went up. Because there’s a reason why we hang onto those mementos, and I think it’s because they actually have some sort of intrinsic value to us. So, I think he was, again, on to something very valuable there, that while that doesn’t cost you much to do, it actually ends up having a much higher value and reward on the back end for the person who receives it.

[David Spark] I agree. All right, Mike, I throw this to you. Thinking of your best staff, what do you do to keep them and what have you found works the best for you?

[Mike Johnson] So, when I think about this, I think of I want to make sure they have interesting problems, give them the tools to tackle those, support them, ensure that they’re part of a team so they don’t feel like they’re in it alone, and get out of their way. The people who thrive under that, those are the folks that I like to work with, and I think I want to make sure that I am supporting them with those tools, with those capabilities. And what usually happens is that works out pretty well, but I’ll give it a caveat that it really does depend. Every person is going to be motivated in their own way. What I described does not work for everyone. I cannot say that that has been universally successful. Because you do have to tailor it for everyone, and frankly, my personal management style doesn’t work for everyone, and that’s something that we all have to recognize.

[David Spark] And I would watch out. Some people, and I’m going to be honest, I was like this myself, will get a little cynical about sort of the gifts that are given for working extra hard. I worked at an agency, by the way, who had the thing where you can kind of give these sort of special company points out to fellow employees if they helped you out. And then you could cash them in to go to the company store to get like a t-shirt or a bag. But the way it worked out is if you worked 20 extra hours, you could get a bag or a t-shirt. The economics of it were actually insulting when they did it like that. I wished they didn’t do it, and maybe a true award or true public recognition would have been better because it was quite insulting, the “go shop at our store” attitude.

[Mike Johnson] Yeah. And sometimes that recognition comes in the form of a promotion. That’s one way of doing that public recognition. Sometimes it’s going onto a Slack channel, we’ve got one internally that’s just called Gratitude, and you just go in there and say, “Thank you, Person X, for helping out in this way.” That is public recognition that costs you literally nothing except for the time to punch those keys on your keyboard, but it’s tremendously valuable to a lot of folks. The fact that you invest that time is worth it, and it’s valuable to that person, sometimes even more valuable than a monetary promotion or a plaque of some sort. Showing your gratitude helps.

[Saša Zdjelar] And a lot of research has been done in this space, and there are categories that have been well researched and analyzed that people fall into for this kind of stuff. Some people are kind of the easy answer – monetarily driven. So, for them, unless they’re getting something of monetary value, the recognition is not going to feel like recognition. But for others, it’s they want to be just acknowledged in a public forum, for example. For other people, the last thing they want is their name in a public forum, but they would really appreciate a handwritten or a personal email to just them. Then others want status. So, okay, for a month because of the amazing achievement, this person gets that VIP parking spot closest to the building. That’s a little bit of an older concept when we still had parking spots and buildings. But it’s sort of the status. For other people, it’s charity to say, “Because I’ve done this, I earned an extra day or week that I can put towards my favorite charity and donating my time,” or “The company in my name will donate some amount of money to my favorite charity.” So, just knowing what kind of makes people tick and what really makes them feel like they’ve been recognized is very important. Not everyone is driven by the same thing.

What’s the best way to handle this?

28:27.580

[David Spark] How do we maintain data security and collaborate while maintaining data confidentiality? Saša, you asked this very question, and it seems collaboration opposes the ability to have data confidentiality. So, what have you done to move into that direction? Now, often the solution that’s offered is anonymizing data, but in most cases anonymized information can be triangulated, thus obliterating the confidentiality you fought so hard to create. We’ve had Davi Ottenheimer of Inrupt on this show, and he’s talked at great length about putting the control of an individual’s data back into that person’s hand and let them make the choice. It is Inrupt’s charge to do that. So, Saša, what have you seen that makes you believe this is possible, that the control could be back to the individual? Or there’s another way we can do data confidentiality and still share? What gives you hope, I think is my question.

[Saša Zdjelar] Yeah. I think what gives me hope is seeing some of the really, really cutting-edge latest, like still in stealth or startup company solutions that are coming out to finally tackle this problem. So, I’ve been sort of dealing with this issue for almost 20 years, especially in my former employer where there was always this spectrum of concern. There’s the stuff on the highly collaborative side, which usually means there’s very little security in it because everyone has to be able to access it, everyone has to be able to co-author it, everyone has to be able to access it at the same time, freely share it. That usually puts some guardrails around just how much security you can apply to it. On the opposite end of the spectrum is extremely tightly managed, highly secure, highly encrypted. Well, just the way cryptography and math works, it means only one person can have a public/private key pair checked out at the same time. You can’t co-author, it makes content collisions very common, it’s hard to access, you have to assert identity to access it. So, it’s sort of the spectrum of highly collaborative or highly secure, and it’s only some solutions that I’ve seen very, very recently that are trying to tackle this problem in earnest and try to offer kind of, if not the best of best worlds, sort of good enough of both worlds, where a third party can have access to data and can collaborate on the data without taking possession of the data.

That’s a common problem when you work with a law firm or with a consulting company, that they say, “Well, securely share this with us, and then we will analyze it and get back to you.” Yeah, but all the mechanisms to really share it securely usually imply packaging it up in some sort of highly encrypted artifact, and then getting it over to them. Which often means put it on a thumb drive or email it to them. Well, at that point, you’ve lost control, right? They have the file or the blob, they’re going to do something with it, but you have no idea how they’re going to actually be stewards and custodians of that data. You don’t know if they’re going to print it, you don’t know if they’re then going to have it on desks. It’s just a very hard problem to solve. If you don’t give it to them as a file, if you say, “Well, here it is on our end, you can access it,” again, the mechanisms to do that and do it securely and highly collaboratively are actually quite weak. It wasn’t until recently that I’ve seen some solutions that really try to tackle this problem in earnest, with sort of the person retaining the control of the content.

[David Spark] Mike, what gives you hope here?

[Mike Johnson] I think it depends. You kind of have to start with who are you trying to protect yourself from, who are you trying to retain confidentiality with. A good example, and one of the things that we’re actually starting to see play out in the commercial space, is providing confidentiality from your internet service provider. Apple recently released a product called Private Relay. There’s another company named INVISV that released something called Pretty Good Phone Privacy. And the idea there is you have two parties who are involved who each have access to part of the information, but neither of them has access to all of it. So, you don’t have a case where Apple knows what websites you’re going to, they just know where you’re coming from. The company on the other side, the second party, doesn’t know where you’re coming from, but they know where you’re going. And unless they collude, which is not outside of the realm of possibility but highly unlikely, you actually have some separation.

So, this is a different way than what Saša was talking about, which is very data oriented. But it does give me hope that companies are starting to really take privacy seriously, to the point where you have hundreds of millions of users, in the case of Apple, who are going to be using this kind of a product and never know it, and it’s providing them a level of confidentiality that they maybe weren’t even aware they needed. And it’s just them clicking a button and it’s on. That gives me hope that we’re heading into the realm where this is possible.

[David Spark] The question is, is there enough demand for it? Because what you’re asking, Saša, at the very beginning of this segment, seems ideal, but there doesn’t seem to be enough coordinated complaining for the solution. Yes or no? Agree?

[Saša Zdjelar] Agree. I think we’re just starting to see the demand slowly build. I think some of this is also changing because of some of the laws that are going on the books in various places around the world, right? As Australia adopts some laws similar to what we have in the United States, a little bit like ECPA from ’86 and others, that provide the government, under increasingly nebulous circumstances, the ability to ask for data, in many cases under a blind subpoena or a sealed warrant. I think more and more of these protections are starting to come up through general counsel and kind of corporate boardrooms as needed for protection, but it’s a very slow groundswell that’s happening in the demand for those solutions.

[Mike Johnson] I do think what we’ll see is it’ll be driven from the consumer side. Apple is using this as a way of differentiating themselves from other companies out there.

[David Spark] Yeah. They’re using it pretty hardcore in their marketing, I see it even in billboards.

[Mike Johnson] Exactly. And they’re going to keep driving the public discourse around it to the point where it will come into the corporate environment, just like the iPhones did in the first place. I remember back in the day, I was at Salesforce, I had a BlackBerry, and we fought tooth and nail from a security perspective of, “We will never have iPhones.” Well, obviously we know how that worked out, and I think we’re going to see the same thing where Apple is going to continue driving the public discourse around privacy to the point where people will start asking for it, and it will make its way that much more into the boardroom.

[Saša Zdjelar] If you look at some other trends, let’s take this to an even higher level, the impact of kind of consumer on enterprise. It wasn’t that long ago that an enterprise could absolutely tell its customer user base, their internal user base, that, “We update this application every five to seven years when it’s end of life, because the disruption of the upgrade would be too big. We can’t regression test this,” and then look at what started happening in the consumer world, right? People wake up and their iPhone updates 42 apps overnight, constantly, everything is constantly kept up to date, and they don’t feel like they have reliability or operational issues. And they take that sentiment into the enterprise, and they say, “Why can’t all my apps always be updated? Look at what’s happening with SaaS applications. Those are always updated. Why can’t we be faster at adopting some of this stuff?” So, it’s not the first time. In fact, I would say it’s become the norm that consumer sentiment and consumer expectations around technology use end up forcing the hand of the enterprise to adopt a lot of similar kind of user experience and user interface expectations.

[David Spark] Excellent.

Closing

36:43.204

[David Spark] A good point to close on. Thank you very much, Saša. That was Saša Zdjelar. Which by the way, I’ve worked very hard to pronounce his name correctly. Did I get it right there, Saša?

[Saša Zdjelar] You got it exactly right.

[David Spark] Thank you. He’s the SVP of security assurance at Salesforce, and his name has been butchered more times than he can count. But he was awesome on this show, I absolutely loved it. I really liked when I asked you, can you think of vendors who were so good you couldn’t ignore them? The ones that were on the money every time a breach happened, who just said, “Don’t sweat it. We got you covered.” If I understand, they were only speaking to their current customers rather than complaining, “Oh, those idiots who didn’t have us, they got screwed.” Which is not the most polite way to talk about them. Anyways, I let you have the very last word, Saša, and one of the questions I always ask all our guests is, are you hiring? My guess is that at a company the size of Salesforce, you are. But I’ll let you mention that. I do want to mention our sponsor – Sysdig – secure your cloud from source to run. Sysdig.com – you’ll find more about them there. Thank you so much, Sysdig, for sponsoring this episode. Mike, you next.

[Mike Johnson] Saša, thank you for joining us, I really enjoyed the conversation. We covered a lot of ground. It was kind of all over the spectrum here. But one of the things that I really liked was the discussion around CISOs and whether or not they should be worried about their jobs. And you brought up the ethics and making sure that people understand that you’re going to hire folks, they’re going to have ethics, and you’re going to need to make sure that the ethics of the person and the ethics of the company align. And if there’s a mismatch there, it’s not going to work out. I appreciated you bringing that up because that’s something that I think a lot of people don’t really think about. But in our profession, ethics are very important to all of us who are in it, and the companies that we’re working for need to understand that. So, thank you for really bringing that up and having that discussion, and generally for joining us. The exploration of topics that we went on today was awesome, so thank you so much for joining us.

[David Spark] All right. You get the last word, Saša, and are you hiring?

[Saša Zdjelar] We are hiring. We are hiring and we’re looking for the best of the best in security and more broadly, but I certainly represent security and we are looking for the best so please go take a look at what the opportunities are to work at Salesforce.

[David Spark] And if you’re a brilliant jerk, don’t bother?

[Saša Zdjelar] Well, like I changed my mind on whether it was temporary, there’s probably a conversation to be had if you’re a brilliant jerk as well.

[David Spark] I don’t know if anyone introduces themselves, “By the way, I’m a brilliant jerk.”

[Saša Zdjelar] Actually, in total honesty, it’s very interesting that at Salesforce, I think that would not get past kind of the screen filters. Mike knows well, he’s been there in the past. Just the culture and the kind of ‘ohana family approach, I think, would very quickly identify those people as very likely not good cultural fits.

[David Spark] Very good point. Thank you very much, Saša. Thank you very much, Mike. Thank you to our sponsor Sysdig, and thank you to our audience as always. We greatly appreciate your contributions, keep them coming. Again, just give up on the brilliant jerk scenarios, we’ve tried a ton of them. I chose this one because these were two things that I know Mike hates, and I greatly appreciate Jorge Lopez’s attempt here. They were two subjects Mike detests, but he really hates the brilliant jerk even more, is what I understand. Thank you, everybody. We appreciate it. And thank you for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.