How to Be So Awesome CISOs Can’t Ignore You

The trick to getting the attention of CISOs is to create an awesome company. Focus on that and the attention will follow.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Katie Stebbins (@ktlgs), board president, Global Epic.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Kenna Security

Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.

Full transcript

[Voiceover] Ten second security tip. Go.

[Katie Stebbins] Make cyber security friends, not enemies, inside your organization. Be friends with the people trying to help you do responsible cyber security. Don’t be an adversary.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. I’m David Spark, the producer of the CISO Series. Joining me as my cohost for this very episode is the operating partner over at YL Ventures. His name is Andy Ellis, and his voice sounds like…

[Andy Ellis] Just like this.

[David Spark] Just like that. We’re available at CISOseries.com. If you have not visited it lately, you should. Because we completely redid the site, and it looks a hell of a lot better. Our sponsor for today’s episode is Kenna Security. They’re not part of Cisco. You’ve heard of them. And Kenna Security has been a phenomenal sponsor of the CISO Series. And if you have vulnerability management issues, which who doesn’t, you’ll want to hear what they have to say later in the show. Andy, I have a story to tell you. You, without knowing it, helped me in an escape room.

[Andy Ellis] Did I have you escape from the escape room, or did I help you accept the suffering of being trapped in the escape room?

[David Spark] You helped me with a task in the escape room.

[Andy Ellis] Oh, excellent.

[David Spark] We were not able to pull off getting out of the escape room.

[Laughter]

[David Spark] But you helped me with it. And here’s how. I will tell you the story. You had done a video a long time ago about the history of cryptography, and you showed an old technique where they take either like a leather band or a piece of paper, and they wrap it around it a stick.

[Andy Ellis] Yeah, it’s a scytale.

[David Spark] What is it called?

[Andy Ellis] A scytale.

[David Spark] They had that in this escape room. And I saw it, and I go, “Oh, this is an ancient type of cryptography.” And I was doing the… When we were done with it, and I showed it to my son, and we passed that little element of the escape room… When we were done, the guy who runs the escape room comes in, and he goes, “What was that thing you were saying about the stick?” And he goes, “No one has ever noticed that that was a former type of cryptography ever.”

[Andy Ellis] [Laughs] Well, awesome. I’m glad I helped with that.

[David Spark] So, you helped me with that because I recognized it from your video, and it was there in the escape room. I thought it was cool.

[Andy Ellis] And here I thought it was just a cool thing to show off and do in PowerPoint one day.

[David Spark] You have brought our guest today, who I’m very excited to speak with. And we’re going to have a really, really awesome discussion with her. She is the board president of Global Epic. It is Katie Stebbins. Katie, thank you so much for joining us today.

[Katie Stebbins] Thank you so much, David and Andy, for having me. I’m really excited to be here.

Got a better answer than, “We’re trying.”

2:51.811

[David Spark] What happens when you expand your view of the purpose of security metrics? Abi Tyas Tunggal of UpGuard has an article about cyber security metrics and KPIs to track. He has some of the more popular ones, such as intrusion attempts and MTTR or mean time to remediate. But other metrics would tell more about the economic health of the resilience of the company such as level of preparedness, patching cadence for you and your third parties. Katie, how can security show its economic value and lead its effort to keep improving in that area? I’m not saying ROI but its economic value and lead the economic effort in keeping improving in that area?

[Katie Stebbins] So, David, I think first and foremost, the language of the metrics and the value has to be in a language that isn’t so cyber security heavy.

[David Spark] Can you give me like an either/or example of that?

[Katie Stebbins] Well, you just used a whole bunch of words in your past sentence that…the metrics were around threat reduction, and containment, and all of these different things.

[Andy Ellis] Intrusion attempts.

[David Spark] Yes.

[Katie Stebbins] Intrusion, yes, exactly. So, myself, working in a different department, is never going to use that language on an everyday basis. So, when I’m in a meeting, and I’m hearing about that as metrics around the economic health of the company, I’m probably going to tune you out. Because you’re not putting it in a language that’s specific to what I care about. And I think there’s a translational piece that we have to be specific on if we’re going to make this everybody’s conversation about all of our economic health at a company.

[David Spark] Can you give me an example of how you’re using sort of more digestible noncyber security language?

[Katie Stebbins] I think a lot can be done through storytelling. And so I think when we use technical words instead of creating a story that explains a scenario that then gets people thinking, “Oh, if that scenario happens, that’s going to affect me. That’s going to affect my department. And suddenly that’s going to affect my budget.” So, I believe that we could do much better storytelling within an organization to have everyone realize that it’s about them. So, I think that’s first and foremost. And then second of all is the storytelling about how each of us as employees has a value to contribute to the solution set.

[Andy Ellis] Let’s take the patch management ones, because there were like three in that list that were about patch management and how many vulnerabilities you patched. Who cares, for one thing, how many patches you issue. But if you told the story of patch management as a maintenance activity… You said, “Look, as a business we have SLAs for how often we patch. And the rest of the business doesn’t have to deeply look into it.” But you say, “Look, we were able to do all of our patching 85% of the time within SLA, so we were nondisruptive to the rest of the business because we did it as a plan.” Now you’re talking a language that other people can interact with. When you say, “Look, because of other things going on in the business, we’re only able to do our maintenance 50% of the time on time.” Now all of a sudden other business leaders are like, “Hey, what’s going on that you’re not able to do basic maintenance at the correct cadence?”

[Katie Stebbins] Andy, that’s a great word. Maintenance is a really great common denominator word. Everyone understands what the word maintenance means, and we all understand how bad deferred maintenance is, right? So, that’s a great way for us to have a common conversation around what happens when we put something as important as security, data security, our company on deferred maintenance. That’s a conversation we could have.

[David Spark] Aw, so that’s a good point – replacing vulnerability management with maintenance. And they understand the need that there is maintenance. So, it’s interesting – I just put out a tweet asking people what’s more important to get your point across. Is it data or storytelling? And you kind of very much…and most of them also said this – that storytelling really is the best way to get it across. Because ultimately what you’re trying to do is get action. And through a story, you can do that. Can you give me an example of how action can come out of storytelling?

[Katie Stebbins] Sure. The more germane to this conversation is I once heard someone who’s an ethical hacker talk about his experience hacking into a power plant that he was hired to hack into. The whole story of how all the people at this company were affected and part of the chain of communication of how they hacked in, I sat there going, “Whoa, that could have been me.” I’m in that story. I’ve done that. And suddenly I put my brain, “I need to ask more questions about what I do on a daily basis and how to make sure that what I’m doing is not a problem or a vulnerability that I just learned about.”

What’s it going to take to get them motivated?

7:45.617

[David Spark] What are some fun ways we can get everyone being more cyber security minded? Over on the cyber security subreddit, a redditor was asking for some new fun ideas for a cyber security culture night he’s trying to get started at his company. One of the suggestions was to watch a movie and then figure out what security controls could have been put in place to prevent the bad thing from happening. So, the author suggested, “Like what would happen in ‘Jurassic Park’ if there were proper insider threat prevention? Or if the mother ship in ‘Independence Day’ had proper antivirus?” So, first of all, what do you think of this idea? I kind of love this idea. I thought it was great. It would make the movie really bad, though. But the idea of what preventive technique can we put in place here to prevent the bad thing from happening. But can you think of what you like about that game or maybe another game you’ve played that just made everyone have more fun around cyber security, Andy?

[Andy Ellis] Yeah, so I actually start with a step back and say the game is cute, and these are active ways to engage people. What you have to first do is make sure you’ve removed disengaging activities. Like if these are people who when they suggest security improvements you’re blowing them off, no number of games is going to solve that problem. So, the first thing I always recommend people do is talk to everybody in your company and say, “What’s the easiest security improvement we could do that you don’t understand why we haven’t done it?” And then either go do it or figure out why it’s not possible and come back and educate them. Do those activities first so that people hear that their suggestions are taken. And then you can come in and do these positive engagements. I actually like doing the opposite, which is to say, “What had to be true that they thought this was a reasonable control?” Consider the Death Star in “Star Wars.” Everybody is like, “Oh my God, how do you have this drop two proton torpedoes, and it blows up?” And I’m thinking, “You have to drop two proton torpedoes without computer guidance because only a master force user can make that shot, and you have to be the best small craft pilot in the galaxy.” And unfortunately the person in command of the Death Star thinks he’s both of them. Literally Darth Vader is the best small craft pilot they’ve known and the best force wielder, so they thought that was a reasonable last point of flaw. “We’re protected.” Which makes a lot more sense to say, “Oh, now, I understand how developers might make a decision that in retrospect turned out to be bad.”

[Katie Stebbins] [Laughs]

[David Spark] Katie?

[Katie Stebbins] I love all the “Star Wars…” I’m a “Star Trek” person, not a “Star Wars” person.

[David Spark] I like both. I’m cool with…

[Andy Ellis] I like Trek.

[David Spark] So have you played this game with sort of fictional stuff to see what security controls should be in place?

[Katie Stebbins] When I was thinking about this, I thought about something…rewinding a little bit more, which is what I always think is fascinating is asking my team, “How many devices do you bring in to work every day that are connected to our network?” Playing a bit of connected device bingo and having at least a beginning conversation around giving out some prizes for the person who’s got the most freaking connected devices in their purse, which sometimes can be…

[David Spark] What’s the highest number?

[Katie Stebbins] Oh, I think people can have up to 10 devices that are talking to something. Don’t you think?

[David Spark] [Laughs]

[Katie Stebbins] And so starting with something like, “What did I bring to work? What does it look like? And why is that a problem, and how are these connecting to the network at work? And how are they protected?” So, that’s one. The other is administrator access bingo. Who knows how many things they really have administrator access to? Man, if you go through all those controls, there’s some crazy winners on that, and most people don’t even know they have them. People assign me administrator access all the time, and I’m like, “Should I have that? Do I need that? I have no idea.” But I’m like, “Whatever. I’ve got it.” So, I think we need to start with some of those basic vulnerability places because then we make it ours. Then we can personalize it and start to begin our brains to go through the journey of, “Okay, I got 101. What’s the next level of complexity?” Let’s think about how video games are done. The first level is the easiest thing to clear. Easy Sudoku game. And then you got to bring them along on a more complicated level and engage them at a more complicated conversation and more complicated puzzle.

[David Spark] And do you find that they kind of play along with that?

[Katie Stebbins] Well, I’ve never really taken this all the way out. I’m imagining in my head this would be an interesting exercise. And if I had to imagine something at my own place of employment where I would engage my employees, this is what I would do. But none of my employees that work with me have any idea about cyber security. I mean at my day job. My Global Epic job is all international cyber security people. My day job, I’m at Tufts University leading a nutrition institute. They all have administrator access controls and a lot of connected devices, but they’re nutrition experts. So, we have to begin the conversation where they are. Everyone can begin a conversation with all your special, little, handy dandy gadgets you just brought to work.

[David Spark] What’s the most you’ve leveled somebody up, Andy? From they could just be a nutrition expert up into like a greater understanding of cyber security. Have you sort of taken them on that journey before?

[Andy Ellis] You can take a lot of people on a lot of different journeys, so most is an interesting question. You go to like who ended up the highest, or who started the lowest.

[David Spark] Whichever. Whichever way you want to take it.

[Andy Ellis] We bring librarians on this journey as security professionals. That’s always one of my favorites. Katie is nodding her head, for those of you who can’t see it. We bring journalists along on this path. My favorite is teachers. Teachers understand security in ways that would shock you, but they don’t even think of it as security. They’re just thinking about it as, “I have children to protect, and so what are the things I’m going to do versus not do.” But somebody who has that mindset, I can now just translate that into anything. Like, “How do you protect this system, this data, this asset?” And they understand what works and what to throw away just because some administrator thought it was clever, but it’s actually a bad idea.

[Katie Stebbins] And, Andy, we forget that cyber security is very maternal. You just said it. It’s such a maternal exercise. Protecting is so maternal, and we never allow it to live and breathe that way, which I think is a complete misstep.

Sponsor Segment – Kenna Security

14:28.056

[Dan Mellinger] It’s an interesting time to be in vulnerability management in general.

[Steve Prentice] This is Dan Mellinger, who heads up communication for Kenna Security, now part of Cisco Secure.

[Dan Mellinger] At Kenna, we pioneered this whole concept of risk-based vulnerability management, and that was a new concept back in 2010 when the company was kind of starting. It was really a new concept in 2018 when I joined the company. No one had really heard of this. But now, like if you look at CISA and Jen Easterly over there, so the government is starting to take a risk based approached to vulnerability management at the federal level. And it’s really cool to see that adoption. With Kenna when we first started measuring this stuff on any given month, any company was roughly like 30% of them were reducing their vulnerability debt. And then you had a big 60% of the number who were either treading water or falling behind on high-risk phones in any 30-day period. And now we’ve run these same numbers two years later. We’ve got 60%. We flipped that of people are actually reducing their vulnerability debt. 10% are knocking it as they come in, and now we have less than 25% are falling behind. It’s just amazing to see that kind of improvement over the course of just two years. So, cyber risk is much different than just remediating all vulnerabilities.

[Steve Prentice] For more information, visit Kennasecurity.com.

[Voiceover] It’s time to play, “What’s worse?”

[David Spark] All right, Katie. This is a game you may not know about, but it’s a game…risk management exercise where I give you two scenarios. They’re both horrible. You’re not going to like either one of them. But you have to tell us from a risk perspective which of the two is worst. Now, Andy, normally I would give this, “What’s worse,” scenario to Mike Johnson because he’s got this frustration with brilliant jerks. There is never a scenario where he wants a brilliant jerk on his team, all right? But I’m throwing this… It’s going to be about brilliant jerks. I’m throwing this to you. And this comes from Jonathan Waldrop, who is with Insight Global. And here are the two scenarios. Your boss is a brilliant jerk, or you have a brilliant jerk on your team. Which one is worse?

[Andy Ellis] Oh, the brilliant jerk on my team.

[David Spark] Worse than the…? Because you can manage the boss, you think?

[Andy Ellis] Because I can mange the boss.

[David Spark] You can’t manage the person your team.

[Andy Ellis] Because my primary job as a leader is to invest and develop the people who work for me. And if I have that brilliant jerk… The rules of the game, Katie, are I can’t pretend I’m going to make the jerk better.

[David Spark] No, no, he stays a brilliant…

[David Spark] …or she stays a brilliant jerk.

[Andy Ellis] Or they. That brilliant jerk is toxic within my organization, and I cannot invest in protecting and developing the people around them.

[David Spark] But let me argue. If you have a brilliant jerk as a boss, it’s a lot more people that are toxic.

[Andy Ellis] They might be toxic to the entire organization, so organizationally that might be worse. But for the situation I’m in as a leader, I can manage that and create my enclave of a healthy environment for staff who can be developed, and trained, and grow.

[David Spark] So, you would be the shield to the rest of your department…?

[Andy Ellis] Yes.

[David Spark] …from your boss? All right, Katie is nodding her head, saying no, no, no. You’re disagreeing. And why is that?

[Katie Stebbins] I disagree because I have to have the desire to get out of bed every day and go to my job. And if I have to go to my job every day, and my boss is a toxic, brilliant jerk, I’ve got to tell you, I can’t motivate my team if I feel so unmotivated by the person that I’m working with. And so I hear you, Andy, but I need the mental health to be motivated every day. And in my experience, that happens working side by side with a boss who’s awesome.

[David Spark] I love that answer. Both your answers. Excellent.

How do you go about discovering new security solutions?

18:38.268

[David Spark] Andy, in your famous vendor rebuff email, your best advice is “Be awesome as a company.” As in terms of how do I get to be seen by you is just, “Be awesome as a company.” And I think a focus on that would take a lot of companies really far in terms of being recognized. Also comedian Steve Martin who also famously said, “Be so good they can’t ignore you.” So, take a moment right now and think about those organizations that were so awesome you couldn’t ignore them. How did you become aware of them, and what made you feel you had to learn more? Did you understand their secret sauce of essentially what made them so great?

[Andy Ellis] So, I think that the key is I don’t know when I became aware of them.

[David Spark] Okay, there is no big ah-ha moment.

[Andy Ellis] There’s no big ah-ha moment. Well, actually sometimes there is an ah-ha moment, but it comes well after you’re aware of them. The companies that truly succeed at this really have a flywheel approach to marketing. A lot of little touch point to get it spinning. They’re sort of omnipresent, and they’re not trying to close a deal every single time they interact with you. They are happy if you hear their name, of you see their logo so that you’re like, “Okay, I know who this company is. I hear them public speaking or in an analyst report.” And then maybe when a CISO says, “Oh, I just bought so and so, and I’m really happy with it,” you already have this frame of reference for who that vendor is. And you’re like, “Oh, great. I’ll go take a look at it. What made it work for you?” But what doesn’t work is that hard sell of, “Oh, every time I interact with you, I’m trying to close a deal.” 99% of the time you interact with me, the answer is no.

[David Spark] Would you say the majority of times that you delve into an organization it’s because it was a recommendation from another peer, yes?

[Andy Ellis] That’s certainly going to be a big contributor to it. I don’t know that I’d say the majority, but a significant number is a peer is what triggered it. I was probably already ready for it.

[David Spark] Are there other popular triggers, or is that the main one?

[Andy Ellis] Well, other times it’s I need to go solve a problem, and I’m going to now go say, “Who is in that space? Oh, yeah. I’ve heard of those four companies 85 times, so they’re certainly going to be on my list.”

[David Spark] Okay.

[Katie Stebbins] But, Andy, you and I have had this conversation when we were in Israel together about the rule of the evangelist. WE talked about how a good marketing team that has a good evangelist on it, they do. They creep into your psyche. They become part of the ethos, that thought leadership of an industry. When you reach the status of being a thought leader in an industry as an evangelist, you’re automatically going to have a lot of respect and credibility for the company that that person is representing. And so you and I both agreed that night that’s a brilliant way to approach it, and I still stand by that.

[David Spark] This is kind of what I’ve talked to other companies about. They would love it if there was a straight line, but there’s never been a straight line in selling security products is there, Andy?

[Andy Ellis] Well, no. Because if there was a straight line, everybody would use it. And now it doesn’t work anymore. And in fact this is one of the things I often tell people is if you have a trick that works, don’t share it.

[David Spark] I just literally quoted you on that in a meme actually.

[Andy Ellis] Because the moment you share it, everybody does it, and now it’s not going to work anymore. We had this with the [Inaudible 00:22:09].

[Katie Stebbins] But you know what’s so interesting? And let’s go back to the beginning. We talked about storytelling. I find the companies that I engage with the most are the ones that can tell me a good story and bring me into why I should care. They’re not selling me on data. They’re not selling me on the product. They’re engaging me in a story. And after that, I want to know more and engage with that company.

[Andy Ellis] Then I want to add there’s one piece of marketing that you cannot plan for but you can prepare for. Which as a vendor when you have a bad day, how you handle that bad day is the most powerful marketing you are ever going to have. And 95% screw it up.

[David Spark] Are you talking just basically damage control kind of communications?

[Andy Ellis] The way you do damage control. You had a bad outage. Maybe you had a leak of data. Maybe it was just you were down. How you are visibly handling that and communicating respectfully with your customers, with your competitors, with whomever… Everybody is watching you, and they’re going to remember how you acted at your worst because that’s how they believe you will act whenever they’re not watching.

[Katie Stebbins] Yeah, because that could sink the ship. Yeah.

[David Spark] I have seen companies literally elevate themselves in moments like that.

[Andy Ellis] Yes. Yeah, like the company that elevates themselves, you’re like, “Wow. If that’s how they behave on their worst day, oh my God, I want to work with them on their best days.”

What’s the best way to handle this?

23:36.456

[David Spark] “Is it possible to have a Digital Geneva Convention,” asks Allen Westley of L3Harris Technologies. To remind everyone, the Geneva Convention are a series of treaties and protocols that established international legal standards for humanitarian treatment in war. Now, every now and then we see a glimpse of ethics among cyber criminals, but it’s far from common. So, my feeling is if we can pull off a Geneva Convention during actual war, why can’t we do this online? And as Westley said, “The idea has been around since 2014 with an annual 40% increase in ransomware attacks on critical infrastructure, and the Biden administration is hyper focused on cyber security. Cyber war is warfare, and there needs to be boundaries and meaningful consequences for those that employ destructive technology and malware.” So, Katie, I’ll start with you. Do you think we could actually pull off a Digital Geneva Convention?

[Katie Stebbins] I think we have to try. We’ve pulled off a lot of things in this world collaboratively as lots of countries at the table. I think this is necessary. The fact that we haven’t done it yet I think is actually a misstep. We are too far down this path. The road is too well traveled for us not to be doing this. As you said, we’re in cyber warfare. We have to define clearly what that is. We do have to define the metes and bounds of what’s going to be a war crime in this. And there’s no harm in having it. To not have it, we’ll never know what we’re missing. But I think it’s additive. I think it’s important. And I think it punctuates the seriousness of where warfare in general is headed in our future history of this world.

[David Spark] Andy?

[Andy Ellis] So, I’m a little more pessimistic about this. The Geneva Convention only really binds the great powers – the signatories to it. And we’ve certainly seen that warfare over the last 50 years functionally operates where one side is bound by the Geneva Convention and one side is not. And so we see persistent ware crimes from one set of operators, and the other side even gets close to it, and people freak out. That said, maybe that gives us a path forward. That we should not think of the Geneva Convention as a universal treaty. We should think of it really as a self-binding treaty that each of the great powers sign to it. And while they might have signed all at once, they’re basically saying, “We’re going to abide by this even when we’re fighting someone else.” And so I don’t expect the cyber criminals to agree to a Geneva Convention. Frankly I don’t even know that I would expect certain powers to agree to a Geneva Convention around cyber. But it is possible that we could see some powers do so, and that alone might be worthwhile.

[Katie Stebbins] Yeah, I agree with you, Andy. Certainly you’re not going to see a whole bunch of cyber criminals sitting at the table going, “Oh, this is a great idea. I love this.” But…

[David Spark] Let’s just start with this – getting them to sit at the table or even identifying them. I mean that alone is the problem.

[Katie Stebbins] Well, and don’t forget it’s holding countries accountable that may be also obviously perpetuating the form of warfare or funding this behavior. So, I think that… Andy, I like your approach to it. We have to have some responsibility, each of us. Have some conversation out loud about the metes and bounds of this. And I think right now it’s too hushed. It’s too behind closed doors.

[Andy Ellis] Yeah. I don’t think we’re going to get say Russia and China to agree to something up front. But you could probably get the US to constrain itself in some fashion. And that might then lead to other countries doing so, and now it becomes even almost a marketing tactic of, “Oh, clearly you’re not a reasonable player if you’re not willing to hold yourself to these standards.”

[David Spark] But do you think…? Just say we go to all the other countries to fall in line. Is Russia and China going to fall in line?

[Andy Ellis] It doesn’t matter if they don’t fall in line because part of what we’re trying to do is establish norms. And one way that you can establish norms is by having all the norm following people agree to what they are. You don’t have to say that person who isn’t following our other norms needs to agree before the rest of us will say, “Look, a thing we don’t do is compromise hospital equipment.”

[Katie Stebbins] Right. I completely agree. You’re right, Andy. You have to create norms and cultural norms, which I would hope over time from an evolutionary standpoint just becomes part of mindset. You’re always going to have super nefarious actors that in a time of war are going to do things abhorrent. But I do think we need to create some norms around what makes sense and what doesn’t. I also think what’s interesting is as we talk about critical infrastructure, this world is built on an interconnected economy. And as we’ve seen during COVID, I think cyber criminals are also very aware in countries that if you take down someone’s infrastructure and ability to have an economy, that has so many ripple effects around the world now. You’re hardly taking out one place. You’re taking out a massive supply chain, a massive economic ripple. All of these that impact your own self. Why would China want to bring us down if suddenly we can’t buy anything? That seems a little ridiculous, for instance.

Closing

28:55.109

[David Spark] Very good point. And that brings us to the very end of our show. I have to thank you tremendously, Katie. This was phenomenal. Thank you so much. I’m going to let you have the very last word on this. But first I want to thank our sponsor, Kenna Security. Thank you so much, Kenna Security, for supporting the CISO Series. Andy, any plug you would like to make? And I’m assuming across all of the YL Ventures portfolio they are hiring across the board?

[Andy Ellis] Absolutely! Jobs.ylventures.com I believe is our job site. But just search on jobs YL Ventures, and you’ll find an aggregate for our entire portfolio.

[David Spark] All right. Any last words on our topics today?

[Andy Ellis] I got to say I love having Katie and being in conversations with Katie because she really approaches security in a way that a lot of us as hardcore security practitioners forget to, which is to remember that we are part of a larger ecosystem, and it’s how we interact with that ecosystem that determines how successful we’ll be at our mission. And we forget that at our peril.

[David Spark] Good point. Now, Katie, could you give us an explanation as to what Global Epic is and what your charge is?

[Katie Stebbins] Yeah, I invite everyone to check out Global Epic at GlobalEpic.org. We are an international consortium of economic clusters focused on cyber security. And so we’re about 22 countries, 30 different cities. All economic development professionals like me, as Andy says…people who view this from a different systems level approach who are focused on the jobs in cyber, the startup community in cyber, and the research and development dollar throughput in cyber. This is about the economic development of cyber. It is not about cyber itself. But the two can’t happen without each other.

[David Spark] And what kind of contributions and involvement are you looking for from the community?

[Katie Stebbins] So, when we have CISOs, when we have top level security companies who want to help our cities become better places where economic development can happen hand in globe with cyber security, we need people who are really advanced in the technology and the technical knowledge to help us understand how to build the metrics for what does a healthy economy look like. I believe one of the metrics of a healthy economy should be how secure it is. And right now, we’re separating the metrics on the two. Economic development does not get measured by how cyber secure an economy is, and cyber security doesn’t measure itself by how well it contributes to the larger economic GDP of anywhere. And so I think those metrics need to come together, and we have a lot to do in the midst. Next time I do an economic development strategic plan, I would love a cyber security professional sitting at the table helping us develop the metrics that should be in that plan.

[David Spark] You heard it right here. Thank you very much, Katie. Thank you very much, Andy. And thank you to our audience for your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and cyber security headlines week in review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.