How to Build a Greenfield Security Program

You’re starting a security program from scratch and you’re trying to figure out where to start, what to prioritize, and how to architect it so it grows naturally and not a series of random patches over time.

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO. Our guest is Mark Bruns, CISO, First Bank.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Keyavi

Myth: Data can’t protect itself. Fact: Now it does! You control where your data goes in the world, who can access it and when. On any device. Anytime. Anywhere. FOREVER. Learn more at Keyavi.com.

Full transcript

[David Spark] You’re starting a security program from scratch, and you’re trying to figure out where to start, what to prioritize, and how to architect it so it grows naturally and not a series of random patches over time.

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode, you’ve heard him before, if you’ve ever heard an episode of this show before, probably you heard it with this guy. His name is Geoff Belknap, he’s the CISO over at LinkedIn. Geoff?

[Geoff Belknap] David?

[David Spark] Tell us – how are you feeling?

[Geoff Belknap] I’m doing amazing, David, and here we are again at my 1000th episode. No.

[David Spark] It’s not that many.

[Geoff Belknap] Very nearly though, right?

[David Spark] But maybe we will record as much to one day that will be true.

[Geoff Belknap] Perhaps.

[David Spark] I hope so. I hope so.

[Geoff Belknap] What will be true is this is going to be an amazing episode, so let’s do it.

[David Spark] This is going to be a great episode, it comes from an amazing discussion. First though I want to mention our sponsor. Our sponsor has been, by the way, an amazing sponsor. Has been supportive for us really since the very beginning of the creation of the CISO Series. It’s Keyavi, and if you’re not familiar with Keyavi, they make data self-intelligent. And when data is self-intelligent, it can act on its own, and that’s kind of what you want your data to do rather than you acting for your data. More about that later in the show.

But first, I want to mention that our guest today challenged the general audience, specifically the LinkedIn audience, to come up with a list of top five actions if you were going to implement a brand-new/greenfield security program. Now he himself came up with his own list, and he invited the community to challenge it, all in an effort to see if as a community, they could agree on a top five list. Geoff, have you ever had a purely greenfield situation, and did you think about your top five list?

[Geoff Belknap] I have had two greenfield situations, both at Slack and at Palantir, and I’ll tell you – they were great experiences. I thought this was a really interesting post and a great opportunity for me to think about what are the top five things that I would do, and I’m really curious to get into this conversation and see how we think about that.

[David Spark] I was also thinking this is like the heads of Mount Rushmore discussion. You only can put a few up there. Because everyone’s going to argue. I mean, the argument can go on endlessly because there’ll always be, “Well, what about this? Well, what about this?” And all of that “what about this” is important, but you do have to kind of limit to what is most critical. So, it was a great discussion, an awesome debate, and the person who brought it to LinkedIn, who we asked to come on this very show, is none other than Mark Bruns, CISO over at First Bank. Mark, thank you so much for joining us.

[Mark Bruns] It’s great to be here, and this is my first time, unlike Geoff, so hopefully maybe we can do it again a second time sometime on a different topic, but I really appreciate you asking me on here.

How do we determine what’s most important?

2:58.716

[David Spark] Benoit Dicaire of Forcepoint said, “It’s usually a trap to start with tactical activities. I’ll recommend an adult discussion with the stakeholders to understand the business strategy and what they expect from information security.” And Marco Ermini, who’s the CISO over at EQS Group AG said, “It is very important that security is aligned with business requirements, and you focus on building trust with the organization. All the rest comes along as a consequence.” So, this seems like an ideal idea, like, “Yes, there’s a lot of things you can do, but maybe you should have a conversation with the business first.” Geoff?

[Geoff Belknap] Yeah, these guys are both right. Both in the sense that like Benoit says, you don’t want to start tactically, you want to start a conversation with the business. You do want to make sure that whatever you’re doing is aligned with the business. But the reality is you’ve got to start someplace, and you have to start learning what the organization needs. That’s how you’re going to figure out what you’re doing and how you’re going to align what you’re doing to what the business desires. But to do that, like I said, you got to start someplace, and you might as well start with the tactical, frankly, in my perspective. You have to learn what’s going on in the business. If you start going through the tactical, it’s a great way to find out what’s going on.

But I think the important part is to make sure that you don’t make any huge decisions in that first 30, 60, 90 days strategically because you don’t know what’s going on yet, you’re trying to establish that. I think that is the most important thing that I would do, that’s number one on my list, and I think is probably number one on Mark’s list, is figure out what’s going on in the environment. What do you got? What are all the problems? What are you working with? And then go from there.

[David Spark] Because the obvious assumption is, “Well, we need to put locks on the doors.” But in my home, we actually did have locks on the doors, but we replaced a few because we realized, well, we want a smart lock here, and we want two combination locks over here. So, yes, you want locks on the door, but there’s going to be a deeper discussion of that, and if you just put locks on the door, you’re going to find yourself replacing a bunch of the locks because of unique business requirements.

[Geoff Belknap] Yeah, I think it’s more like if you know one of the door locks is broken, great, start there. But then don’t start just replacing all the locks, like you said, if you don’t know that you don’t need to do that.

[David Spark] Mark?

[Mark Bruns] Yeah. So, the big thing for me was let’s figure out what’s in the environment, period, and that’s what you guys said too. But when we kind of did it at one of the times we did decide to go with different items, we decided to keep the contracts short. And like you said, Geoff, because you don’t know what you don’t know, and you may get a year into it and go, “Yeah, it worked for the first 12 months, but it’s not going to work going forward, it’s not going to scale.” And so that’s where you can start picking out different pieces. Like my second thing was patching, all right? If you walk into an environment and you find out they got a bunch of Windows NT machines they haven’t patched in a year and a half, I don’t care who you come in and evaluate, they’re going to tell you to get to work on that right away.

[Geoff Belknap] Yeah, for sure. I think it’s also a matter of, hey, if you know you need to patch, cool. But what if you need to upgrade all those things first from Windows NT to something modern? Maybe that’s the thing you want people to focus their energy on, not running around doing crash patches everywhere. I think to your point, you really got to figure out what your environment looks like.

[David Spark] Mark, final comment from you. First of all, have you had any true greenfield situations yourself?

[Mark Bruns] Yes.

[David Spark] And did you have initially the discussion, or did you have a combination of tactical and discussion because you saw the Windows NT machines and like, “Well, we don’t really need to talk right now because I need to deal with this right now”?

[Mark Bruns] Yeah, it ended up being a combination of the two. The first one was basically looking at those – no DLP, no this. So, it’s, “Okay, wait a minute. Time out. What products do we already have on hand that we can just implement and don’t have to spend a lot of money?” But then also going back to management, and I did this thing that I’ll say what it is, but you won’t know what it is, I did a maturity matrix with the business all the way through every single step. So, by the time we got to the end, we not only had a plan to go forward, but also a staffing model for the next three years at the same time.

Does it play nicely with others?

7:15.694

[David Spark] Walter Rocchi said, “Asset management and risk assessment, then check gap analysis against all adopted frameworks/builds to measure company security posture.” Drew Simonis of Juniper Networks said, “If by inventory you mean identify the most critical assets you need to know about and focus on, cool. If you mean try to find every PC and server in the place, every cloud workload, every 3rd party technology supplier, etc., have fun, you’ll never finish.” And David Spinks of CSIRS said, “Just to explain my approach, you can do all the analysis – business impact analysis – risk assessments and vulnerability scans you like, but unless there is a budget allocated to fix critical problems you find, then it is a giant waste of time, and yes, I have seen many situations like these.”

So, what you said, Mark, know what your assets are, know what you’ve got. But the others are saying there’s kind of got to be a limit to this. And I think what David Spinks said was really interesting was this is all wonderful, just know what your budget is going into this. Because you may not be able to do anything, even if you find a million problems.

[Mark Bruns] Yeah, but I’ll go back to what I said earlier too. Understand what you have in the environment. How many times do we as security professionals, we go out and buy stuff, and you have no idea what else you’ve got with it. So, what we try to do is then focus on, “Okay. What do we already have that I can just put into place without spending a lot of money?” All right? And take the low-hanging fruit out first. Because you’ve always got tools that have additional functionality that you can go buy into cheap at least and maybe keep it for a year or so, and then move on as you can then build out what the rest of your budget’s going to look like going forward.

[David Spark] We actually had a guest on before, and we did a whole episode on this on essentially consolidating your tools. And he just set up a whole spreadsheet about all the capabilities of the tools he had, and the amount of redundancy he had was overwhelming, and he just started crossing things off here and there. And ultimately, slowly over time was able to reduce tools given the contracts he had. Have you been able to see the amount of overlap you had, or just like someone said, “We need this,” and then you just started discovering your own tools like, “Oh. Well, we got this, just nobody’s implemented it”?

[Mark Bruns] Yeah. There was a little bit of both. The other part you’re talking about, going down listing all the tools, we’re really going through a lot of that right now. Okay? Because even though you think you know what you have, when you really get dug into it, all of a sudden you find out, “Well, I’ve got this over here, and I got this over here. So, why am I paying for both?” And maybe one of them’s not completely everything you need, but you know what? It’s good enough. I don’t need to spend another 50 grand to have something else. So, yeah, it ended up being a combination of both in the end, but you really got to look at what you have because my gosh, how many of us have so much stuff that we don’t even know what we have?

[David Spark] Very true.

[Geoff Belknap] Yeah, I feel like this is portfolio management 101 which really is about this is a great way to decide when your program is maturing, to manage the program more effectively. I think going back to starting greenfield and this thought of getting a full picture of what your environment looks like, I know some of the people that replied to the article were thinking about this more literally. And by all means, cool, kick off a scan, figure out what you can see. But I think the intent here is more you have to start the process. All these things, like all of security, it’s really about what are these self-sustaining processes that are going to govern the program of security? And the number one thing you can start with that’s always going to pay you dividends is inventory management. How do you discover new things that are out there you didn’t know were before, whether they be new services, new features, but really like new system, new servers that are running in your environment. Because that will always pay dividends – knowing what you’ve got and knowing what you have to protect – that you didn’t know about last week.

[Mark Bruns] Even down to software because we’re almost 100% cloud. We to this day still find out things people are using, and now it’s like, “Okay, how do we protect that long term when people keep leaving the organization and make sure we’re not paying for subscription services that they don’t use?” So, once again you’re back to understand what your asset inventory is, and like the one guy said earlier, if you’re going to go ahead and just try and find everything all at once, good luck, it’s not going to happen.

[Geoff Belknap] Absolutely.

[Mark Bruns] You’re going to find stuff over years of time, not just months.

Sponsor – Keyavi

11:51.551

[Steve Prentice] There is a myth that maintaining tight cybersecurity within an organization diminishes productivity. Elliot Lewis, CEO of Keyavi, disagrees, and he has the solution to prove it.

[Elliot Lewis] You know, when you look at tight security, that is a broad term. What are we really talking about? When you have to spend more time and effort keeping data contained rather than letting data do what it’s supposed to do, which is be shared, be operational, be able to be sent wherever you need it to, but still maintain all the control of it, that has been the panacea for many years, but it has been unrealized before we did Keyavi’s platform. Now at Keyavi, you have the ability for data to be completely under your control no matter where it goes, no matter what it does. What does this do? It allows businesses to take all of those projects, all of those pieces of information, all of those different revenue-generating ideas, take them off the shelf and dust them off because data couldn’t protect itself before, and it was too risky to do. You’re now able to do it. Your business can change its entire paradigm because data is self-protecting now no matter where it goes.

[Steve Prentice] And as for setup?

[Elliot Lewis] To get this setup is incredibly easy. You just have to decide what architectures that you want to use. Our team can help you figure out the best deployment for you, and we usually get customers set up in less than 48 hours from first initial discussion to full capability of self-protecting data.

[Steve Prentice] For more information, visit keyavi.com.

Where do we begin?

13:27.260

[David Spark] Bill Munyon of Harvard Business Publishing said, “Start with the CIS controls. They are both prioritized and segmented into implementation groups, so subcontrols can also be prioritized.” Scott Dickinson who’s the CISO over at AnMed Health said, “If it is a brand new to cybersecurity, start with the CIS Top 20 critical controls.” I should mention that they’ve dropped the “Top 20,” they’re just called the “CIS controls” because the number keeps changing.

[Mark Bruns] I think it’s 18 now.

[David Spark] Is it? Well, they just call it the “CIS controls” because they don’t want to be locked to any number. Anyways, going back to Scott’s quote, “No need to reinvent the wheel. If you don’t have the first 5 CIS controls, other stuff you implement may be wasting your time.” So, Geoff, we’ve actually brought this up on our shows before, like, “How do I start a security program?” And I know Mike Johnson’s mentioned a bunch of times, he said, “Just look at the darn CIS controls, start there,” because they’re kind of ordered in priority. And the first one is know your software and hardware inventory. What do you think? Is the CIS controls just a good guideline to begin?

[Geoff Belknap] I think it is. I think where I would start at a very high level is, just like we talked about, know what’s in your environment and your software controls. Know what your business does and what they’ll tolerate both politically and bureaucratically.

[David Spark] Which is not in the CIS controls, I don’t believe.

[Geoff Belknap] Which is not there. But then step two is really understanding like, great, you understand the full operational picture and sort of the organizational and strategic picture that you’re operating in. The next step is how do you start correcting some of the flaws that you found? And the best place to start is the CIS controls because they will start grounding you. Regardless of the size of your organization and the basic things that you should get done first, I would call these the fundamentals, or sort of table stakes when it comes to your program. And this is a great way to go because you can sort of justify why this versus that, why do we have to have a password policy, why do we have to have 2FA. Well, great, now you don’t have to have that argument and justify it based on your depth of experience as a security person. It just makes the job much easier, and it’s a great place to start and prioritize both budget and resources.

[David Spark] Mark, your feeling on the CIS controls.

[Mark Bruns] I mean, I agree with it also because one of the big things we did at the start is we said in our organization, IT and information security are completely separate, okay? So it’s a little different than what a lot of other people have. I had to actually start and say, “What is the information security group? What is the definition of it? What are the tasks?” And once again, if you’re starting truly greenfield, you have to understand what your responsibilities are, and we still had to define that. And then once you can define it, then you start getting into the controls and stuff and saying, “Okay. Now what is not just these controls, but which ones are most important to the organization?” We’re a bank. All right? We are so heavily regulated, it’s insane. All right? So, I’ve got to take steps that will get us through the umpteen audits that we have to go through to match up, so we stay in business. So, you can have those controls, but you also got to look at it from the standpoint of the business and go, like I said, not horribly, understanding being this regulated, but it does impact your approach because of all that regulation.

What would a successful engagement look like?

16:47.171

[David Spark] Joe Hudson of HuntSource said, “Doesn’t matter if you’ve got great tools or playbooks or budget approvals, if you’ve got the wrong people, you’re in for a steep climb.” And Shawn Sacauskas of Sutter Health said, “So many times, we are at the mercy of our front lines being educated and aware of the risks before our technology even knows it’s coming.” So, this just comes down to the whole situation of people, that this is what you need to focus on first. We’re talking about technology, we’re talking about the business, but it comes down to people. Geoff, yes?

[Geoff Belknap] It’s always people first. People, process, technology.

[David Spark] Mm-hmm.

[Geoff Belknap] But the reality is when you’re starting greenfield, like we said, you’re going to start by figuring out what’s going on in your environment, you’re going to start forming ideas of what you’re going to change, and then you’re going to interact with your people, right? In the sense of like, “Great. What can we actually get done?” Especially if you’re starting greenfield, and that means you have zero people, you’re going to start with going, “What skills and resources do I need on the team versus contract or I can buy a service to do that?” If you’ve already got people, then you’re going to start really digging into what skills do they have, how are we going to leverage these skills to the great success that we need for the information security team? And that can be challenging because this is where you’re going to start to figure out what do I need to hire, what do I need to train, what do we need to develop, and how do I build a strategy around that.

And frankly, this is the hardest part. It’s easy to buy a solution, it’s fairly straightforward to get an MFA solution in place, you can get endpoint security in place. But figuring out what the right skillsets are, where you’re going to find them, and how you’re going to convince them to come join this crazy challenge that you’ve started by starting a greenfield security program, this is a lot of work. And it’s going to be where you as a new security leader, or for a greenfield security leader, you’re going to spend 40% of your time at least on this because this is also if you screw this up, this is going to cause you the most pain going forward.

[David Spark] Mark, how much do you know about your culture when you’re first coming in? Because that’s the key thing is that your culture’s never greenfield, it is something. It could be bad culture, it could be good culture, it could be culture you’re unaware of. How much do you know of that coming in?

[Mark Bruns] I didn’t really know that, even in this one. Where I learned it is I actually went out and hit 26 branches in five days. It was exhausting. But when you get out there, and you can sit down with people and look them in the face and understand what’s going on, it really changed my viewpoint of what we’re trying to do. And I’m going to do a shameless plug here for a friend of mine, Scott Augenbaum, ex-FBI, he’s got this thing called the cybersecurity mindset, and after reading it, I understood that this is the same thing I had to do. I had to start telling people that we’re not the bad guys, we’re not the no people. My job is to keep you from getting yourself in trouble and you don’t even know you’re getting yourself in trouble. That’s what we’re trying to do. And trying to change that mindset with people of saying, “Security first, but there’s a reason why. It’s not because I’m trying to keep you from doing your job. I’m trying to keep you from getting yourself in trouble and you don’t even know you’re doing it.”

[David Spark] Well, but also part of that is not “I’m the grand protector, you can just act like a buffoon in this padded room.” But rather, “Part of my job is to bestow some knowledge upon you so you can do for yourself.”

[Mark Bruns] Mm-hmm.

[David Spark] And that requires a huge security mindset. I mean, let me ask the obvious question. What percentage of your job would be solved for you if you walked into a team that already had the security mindset, Geoff?

[Geoff Belknap] Oh, I’d say 75% of the job is solved right there, right? Gosh, I am scared to reflect on how much of the job I spend day in, day out, just reinforcing the narrative that we are here to help, we’re here to protect the business. We are not here, as Mark’s kind of implying, as like the specialist technology fanboys just implementing whatever expensive shiny thing we can find. We’re here to help the business succeed just as much as anybody in sales and marketing. It’s just that we’re doing it from a protective and a defensive posture instead of an offensive and a progressive or a proactive posture. And in many ways, that’s what guys like Mark and I are trying to do is move it to proactive. We’re trying to predict what the business is doing, what new strategy you’re going to deploy, and what they’re going to need from us to be successful at that, to make sure that they don’t fail. And a lot of our job is just telling that narrative and making sure that it’s landing and crafting a way for people to buy into that and get onboard and see us as a value-add to what they’re doing.

[David Spark] Mark, I’ll let you have the last word on this, and that is are you putting people in your top five and in what way are people in your top five if so?

[Mark Bruns] Obviously, people are in your top five. I mean, everybody always talks about the biggest weakest link is the people. And that’s not saying a bad thing, it’s just what it is. People make mistakes. All right? That’s human nature.

[David Spark] People are actually using the technology. This is the other thing I always point out [Inaudible 00:22:00], “It’s always the people.” Well, people are actually interacting with the technology. The only reason the technology exists is because humans are interacting with it. It isn’t all of a sudden a bunch of machines spun up by themselves, started talking to each other, and a whole mess of products all of a sudden were created. No. That’s the reason. I always [Inaudible 00:22:21] when they say people are the weakest link. It’s because we’re using the products. That’s it.

[Mark Bruns] Yeah. And people are going to do what they have to do to get their jobs done. All right? I don’t blame them for that. And we’ve made it within technology extremely easy to get access to things. You click a link, you go to the web, and you can use cloud services and all kinds of stuff. We’ve made it extremely easy. And so we’ve kind of put ourselves in this bad situation. But once again, if you can educate people, you can get them around to where they understand that not all that stuff is good. And so at least just take a pause and let’s have a conversation around it. Because they’re going to do what they have to do to do their job successfully, and I don’t blame them for that, I support it. And so let’s just try to make sure that we’re all on the same page as we go through it, so we keep everybody safe. Security’s not my thing, it’s the business’s thing, and it’s your family’s thing. It’s everybody’s.

[David Spark] And we will close on that. Excellent. Thank you very much, Mark.

Closing

23:17.271

[David Spark] All right. We have now come to the portion of the show where we ask both you, Mark, and Geoff. And Mark, you’re going to go first. Which quote was your favorite and why?

[Mark Bruns] So, I’m trying to find who wrote it but one of the guys wrote it, and he said something to the effect of, “Wow. I bet you didn’t know you were going to step into this, did you?”

[David Spark] Oh. This is not a quote that I picked?

[Mark Bruns] No. It’s one inside here. This guy basically said, “I bet you had no idea what you were getting yourself into when you posted this, did you?” and it was like… I told you this. The best thing I got out of doing this was seeing the passion, the true passion that people in this profession have to try and get things right. And that to me was what stood out more than anything else is the passion. You read through these quotes, there’s passion in almost every one of them. I’m not saying anybody’s right or wrong, but boy, people are trying, and they’re trying really hard, and everybody wants to get it done the right way.

[David Spark] That so sums up cybersecurity in a nutshell. We’re all eager to get it right. Yes, Geoff?

[Geoff Belknap] Yeah, no, I think I’m going to start figuring out a way to put that on t-shirts. Good cybersecurity and the best parts of this weird community that we’re all a part of are the people that are just trying hard to do the right thing, and understanding like, “Yeah, we’re going to screw up a fair bit, but we’re all going to do our darnedest to try to make it better for everybody else.” What a good way to think about it.

[Mark Bruns] The other thing is this is a community out here. Look how many people replied or had something to say. We’re all trying to help each other. It isn’t like we’re trying to be competitive. It’s like let’s try to help each other get this thing right because it’s so difficult.

[David Spark] This is what I’ve always found fascinating about cybersecurity. Two cybersecurity leaders from directly competitive companies are leaning on each other for advice. I’m assuming banks in your neighborhood, that you know your fellow cybersecurity leaders. Yes, Mark?

[Mark Bruns] Absolutely.

[David Spark] While you may be competitive as businesses, when it comes to security you both want to succeed. Correct?

[Mark Bruns] Yeah, I actually had that conversation. What we were doing for a while is all the Tennessee larger bank guys, we were getting together and talking every couple of weeks. And I had our CEO walk in here one day and go, “What are you doing?” And my conversation with him was, “We don’t view cybersecurity as a competitive piece because if one of us has a problem, all of us have a problem and all of banking has a problem.” And that was the end of the conversation. I have their phone numbers right here, I can text them whenever I want to, and we’ll answer each other.

[David Spark] And the thing is architectural concerns you have are very similar to the concerns your competition has, so you want to know what they’re doing and vice versa.

[Mark Bruns] Yeah. I mean, one of the best conversations we had is, “Who’s the best Microsoft provider for all of us?” Now, in the end, we all came up with no one but…

[Geoff Belknap] Microsoft.

[Crosstalk 00:26:12]

[Mark Bruns] Yeah, that’s exactly what it came up to be.

[Geoff Belknap] Yeah.

[Mark Bruns] But at least you can have those kind of conversations where it’s like, “We’re not trying to be competitive on this. We just all want to get it right.”

[David Spark] Good point. All right, Geoff. I’m going to let you also pick a quote here. Which one was your favorite?

[Geoff Belknap] I am going to pick Bill Munyon’s quote here from Harvard Publishing, “Start with the CIS controls. They are both prioritized and segmented in implementation groups, so subcontrols can also be prioritized,” which is a really fancy way, Bill, of saying, “It’s all laid out for you. Just follow it, it’s prescriptive, it’s easy to apply to your business, it’s a great place to start.”

[David Spark] And we have mentioned that before, and if you don’t know where to begin, it is a great place to start.

[Geoff Belknap] I’ll tell you what – if you don’t know where to begin, start with the episode where we talked to the guys from the CIS group, it’s a fantastic way to dig into that.

[David Spark] Yes, Tony Sager.

[Geoff Belknap] Yeah.

[David Spark] Well, thank you so much, Mark. Thank you very much, Geoff. Mark, I let you have the very last word here, so hold tight, and one of the questions I always ask all our guests is are you hiring. So, hold tight and make sure you have an answer for that. I want to mention our sponsor again – keyavi.com. They have been a phenomenal sponsor. They make your data self-intelligent. The trickle-down effect of that is astounding. If you haven’t seen what they do, please go check it out at keyavi.com. Be happy to chat with you. I’m going to mention for Geoff, he is always hiring. If for some reason, you wouldn’t want to work for Geoff, you can go to LinkedIn and find a job. But I should mention, and correct me if I’m wrong, if they reach out to you for a job that they found on LinkedIn because they want to work for LinkedIn and you, if they mention they heard you on this show, how far does that get them?

[Geoff Belknap] I will be very embarrassed, both for them and for myself, but it will definitely make it an easy place to start the conversation.

[David Spark] It will because as I’ve said, complimenting people, you can never go wrong with that. All right, Mark?

[Geoff Belknap] I think the more important thing is showing you have an interest in the subject matter is a great way to start the conversation.

[David Spark] Yes. As the passion of people that responded to Mark’s post as well. Any of them could be potentially great people to work with is my feeling. Mark, first question is are you hiring?

[Mark Bruns] As of right now, we’re not hiring. I’ve got a pretty stable group. We try to keep everything…

[David Spark] By the way, kudos to you for pulling that off.

[Mark Bruns] Yeah. I kind of did a rebuild of the staff a couple years ago, and it’s just made it… I brought in people I know, and I got a lot of people I trust, and we keep things very flexible from a work perspective. We just try to keep people happy and stick around, and we’ve been very successful in the last couple years.

[Geoff Belknap] Sounds like a great place to work.

[David Spark] Well, any final words on our topic today, Mark?

[Mark Bruns] I’ll go back to what I said a minute ago. The biggest thing about doing this, and I will openly admit I was shocked at the replies I got on everything, I was stunned. But I’ll go back to the passion. I cannot get around that, and I’ve talked to multiple people about this, and I’m like, “Just read through the passion and the ability that people want to get it right.” All right? And everybody wants to have a conversation around it because I think we’re all kind of looking for things, and as a community we can figure out what they are and get this thing right and get it better than what it used to be or what it can be in the future.

[David Spark] Very good point. Thank you very much, that was Mark Bruns who’s the CISO over at First Bank. Also my co-host, Mr. Geoff Belknap, who’s the CISO over at LinkedIn. And you, our audience, I can’t mention every one of your names, but I appreciate you, I really do. It’s not me just saying it, I do. I don’t know if you know this, but if you reach out to me via LinkedIn, you will get a response from me. It happens always. Please, if you see an amazing discussion online… Oh, by the way, I have not given proper credit. It was Jesse Rosenbaum over at Varonis who brought this discussion to my attention, so huge thanks to Jesse Rosenbaum for bringing this discussion to my attention. So, if you bring something like this to my attention, I will also let everyone know how appreciative I am of that. So, thank you for your contributions, and thank you for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please – write a review. Leave a comment on LinkedIn or on our site CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to Defense in Depth.