How to Market “Zero Trust” Without Making CISOs Cringe

How to Market “Zero Trust” Without Making CISOs Cringe

Just the words “zero trust” often causes security professionals to shiver. In general, CISOs are on board with the concepts of “zero trust,” we just think they’re uncomfortable with how it’s being used for branding and marketing efforts.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is David Cross (@mrdbcross), SVP/CISO for Oracle SaaS Cloud.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Protegrity

Protegrity empowers intelligence-driven organizations to use data to drive innovation with secure analytics and artificial intelligence, without fear of violating compliance or jeopardizing privacy. To make this vision a reality, we protect sensitive data anywhere and everywhere to create secure data agility that aligns with the speed of modern business.

Full transcript

[Voiceover] What I love about cybersecurity. Go!

[David Cross] It’s always dynamic. It’s always changing, it’s something you can always learn, and it’s always ongoing. And so one of the things that really comes out of all of that though, it’s a way that you can actually help other people and protect them. So, when you think about jobs, how can you possibly turn that down?

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I’m the producer of the CISO Series. And my co-host for this very episode, and since episode number one, is Mike Johnson. And many of you know Mike because his voice sounds a lot like this.

[Mike Johnson] I really just like your highlighting of number one – number one, number one – that’s what always resonates in my mind.

[David Spark] Mike, you are number one.

[Mike Johnson] I appreciate that.

[David Spark] In my mind.

[Mike Johnson] I totally believe that.

[David Spark] You know, we’re available at I know you know that, Mike. I’m just clueing the people who have just tuned in for the very first time here. And our sponsor for today’s episode is Protegrity – you need to fuel your decisions with quality real-time data. Guess what? The Protegrity platform protects your data so it’s ready to be used. More about Protegrity later in the show. Mike, you know, and I’ve mentioned this many times on the show before, that I have an extremely high tolerance for compliments.

[Mike Johnson] From what I hear it keeps getting higher too.

[David Spark] Right. I have not yet found my limit.

[Mike Johnson] Don’t know where it is. Just got to keep going.

[David Spark] This is like boxers who challenge people to punch them in the stomach, “I can take any punch.” I can take any compliment.

[Mike Johnson] Hey.

[David Spark] That’s how good I am.

[Mike Johnson] That’s brave putting that out there.

[David Spark] I am the Floyd Mayweather of compliments.


[David Spark] So, I just got one today that, I’m sorry, I have to say. And this is somebody giving me way too much credit. It comes from Matt Rosner at ReliaQuest, and he said this, “Has anyone ever told you that you sound very similar to Neil deGrasse Tyson? I’d say you’re the Cybersecurity Neil.”

[Mike Johnson] Oh. You need to put that on a t-shirt. That needs to be on a t-shirt. That needs to be on a t-shirt.

[David Spark] I am considering that.

[Mike Johnson] Or you could put it on your LinkedIn profile too, just have that be your description on LinkedIn.

[David Spark] I’m the Cybersecurity Neil deGrasse Tyson?

[Mike Johnson] Yeah. I mean, it has been presented to you and awarded to you by someone else, therefore you can run with it.

[David Spark] Someone else, exactly, I am. My other one that I heard was someone referred to me as “a DJ at a CISO rave” and I go, “That’s pretty awesome too. I like that one too.”

[Mike Johnson] The “rave” part I question, but the DJ part I can buy.

[David Spark] Yeah, I know. You question what a CISO rave would even look like. It would be kind of depressing, to tell you the honest truth.

[Mike Johnson] Yeah. It’d be an interesting place. But the DJ part, I buy.

[David Spark] Well, I appreciate all of it even though I have little to no musical talent as my parents will tell you after spending way too much money on clarinet and piano lessons, for which nothing has been produced of that in terms of my own musical talent. Let’s get to our guest at hand. Our guest I met because he’s come to our Super Cyber Fridays, and he is, as I understand, an investor in Toucan which is the video engagement platform we use when we do the meetup portion at the end of our Super Cyber Fridays, and it’s super-fun. If you’re not familiar with Toucan, it’s a really, really fun platform to do meetups. Anyways, I have really enjoyed getting to know him, and I said, “You know what? You should come on the show.” And it is David Cross, he is the SVP/CISO for Oracle SaaS Cloud. David, thank you so much for joining us.

[David Cross] Thanks, David. I’m pretty excited to be here, to join, as I mean, obviously, being with the other celebrities, how could I not want to join? Actually, I’ve been following more and more. And for those of you whoknowme throughout the industry, I write little tips in my weekly dossier email, which is not public, but it goes to the companies, and now the CISO Series is one of the things I recommend almost every single week.

[David Spark] That’s what I like to hear.

Should we lower the barrier to entry?


[David Spark] Are certifications a requirement on your job postings? Veteran and security leader Christopher Zell, now at Dell, has certifications but solely because it was the only way he could get past the application tracking system, ATS,or the recruiter. While Chris had 12 years with the Air Force, he didn’t have any degrees or certifications. Employers didn’t care about his experience in the Air Force because he didn’t “have thepapersto validate what he learned.” So, Chris went through the aggravating task of getting hisbachelor in science and more than a dozen certifications just so he would be taken seriously. It was aggravating, he said,and none of it was needed he felt to demonstrate his experience.

So, I’m going to ask you, Mike, as you add more requirements, you’re cutting the eligible pool, but at the same time you are looking for some mechanism to validate knowledge and experience. So, Mike, what do you do on your side when hiring and what can veterans who were in the same situation as Chris avoid the task of having to get the degrees and certs just to get employed in cybersecurity?

[Mike Johnson] So, first addressing the “Do you have the requirement?” part of the question, and I think that’s one of those things that I’m hoping more and more we’ll see less and less of. A certification doesn’t mean you really are able to perform well at the job. It just means you can take a test, in general. And I’ve even gone so far, we had a couple job descriptions where it was listed as a bonus, “It’s a bonus if you have these certifications.”I asked those to be removed because I don’t feel that today they’re really helping folks out. But I will say, listening to Christopher’s experience, I think back in my career, I don’t know, 15 years ago I had a CISSP, I had just passed my CISM. I had certifications, but it was because I was told that that was what I needed to do to show my experience.

[David Spark] And this is what Chris is complaining of, the same thing.

[Mike Johnson] I think that has changed today. Back then, we didn’t have a way of really illustrating our experience. Today, you have GitHub, you have social media, you have meetups and security groups where you can show your experience, show your knowledge in ways that it’s visible, in ways that people can recognize that and see that. And that’s what I thinkcertifications were as a proxy a while ago. So, I do think it’s something that is less and less useful. But I will say real quick – there are still plenty of companies who do require these, and I don’t begrudge the folks who go and get them because they’re trying to maximize their opportunities.

[David Spark] But you make a good point. Your knowledge is going to have to be validated in some way.

[Mike Johnson] Yes.

[David Spark] Certifications is one way. As you pointed out, there’s some alternatives. David?

[David Cross] Yeah, I’d actually like to share a littlestory maybe of myself. It’s almost exactly 26 years ago, I left the Navy, the military. And yep, I’m IT, I’m writing code on the side. How can I get my foot in the door in this, even back in 1996, a competitive IT industry. Because the last five years, I spent all my time in a military combat squadron. How in the world are they going to know what I can do? How do they know what I was doing, right?

So, what I had to do, and actually, I took some of my military leave, that 30 days you get a year, and actually attended a certification course on my own dime, saved up my money, and I then passed a couple of exams to get my initial Microsoft Certified Professional credentials. Why in the world did I do that? I needed something to get my foot in the door, otherwise no one would talk to me. The moment I did that, someone actually started to answer my emails or my calls to get in.

And so I think the hard thing is, in some ways for many people, especially veterans, and I’m kind of very biased about them, is you sometimes need some sort of an artifact to kind of demonstrate where your skills are. What can you do? And it’s not always about taking these stupid exams and things. Sometimes when I talk to mentees, I say, “Well, it may not be a certification,” but I say, “Go write a blog. Go write some code and put it on GitHub. Go submit a bug bounty or something like that. Create some kind of record of your skills and experience, and so that can demonstrate exactly what you can do, and that will open the door.It’s much easier than it was maybe 20 years ago.”

Well that didn’t work out the way we expected.


[David Spark] SIEMs are failing. According to the 2022 State of SIEM Detection Risk by CardinalOps, enterprise SIEMs miss detections for 80% of all MITRE ATT&CK techniques. They only address 5 of the top 14 ATT&CK techniques used in the wild, and only 25% of organizations that forward identity logs such as Active Directory and Oktato their SIEMactually use them in their detection rules. So, I’ll start with you, David. Am I missing something here, or is this as disastrous as it sounds? Are the SIEMs failing or do the users not know how to configure them or is it both? Or is this a great reason to not do it yourself and hire an MSSP to run your SOC? What do you think?

[David Cross] I think it’s part ofthe environment that you’re in, right? Because the majority of the SIEMs out there right now are really focused on the three standard deviations of most business environments. They want to look at the various attacks, the alerts in the Windows Desktop and Active Directory environment. And the reality is most of the world, 90% of the world has Active Directory and Windows because that’s just the standard user environment. However, we’re all moving to the cloud now – SaaS, containers, microservices – and the SIEMs are not trained and built for those environments. And so how could they be useful if you’re not buying something that they’re marketing towards? So, should we all expect the commercial off-the-shelf SIEMs to be able to detect all these things in the cloud-based environment of financial services or ERP? Not necessarily. So, I think this is something to learn from, and this is why people are building various things on ELK Stackand otherwise and not relying upon these COTS SIEMs anymore.

[David Spark] Mike, what do you think? Is this just because we’re moving to the cloud and that’s why there’s all this sort of lack of knowledge?

[Mike Johnson] I think that’s a component of it. And what David was hitting on was our environments are evolving, but the SIEMs really aren’t. They’re still caught up in the old way of doing things. They’re caught up in all of that library of knowledge that they’ve built up over their years of existence, and the businesses have outpaced them. My environment is mostly Macs, I don’t have Active Directory. We’re very much in the cloud as well as being a cloud provider ourselves. And so the reality is going and buying one of those old school SIEMs, and I’ve used a lot of them in the past, isn’t going to work for us. I think the cloud thing is a symptom of the larger issue of a lack of innovation because they’ve just built on top of these legacy platforms that they can’t get themselves out of. They’re just stuck in the old ways of doing things, and that’s what they know. And it sells for them but it’s not going to sell for them forever.

[David Spark] And I had this comment from a friend of mine who’s a CISO, he actually argues that SIEMs are useless because in the end, you’re going to have to deal with the problem and the fact that they’re not finding most of the stuff anyways. Do you think you could operate without a SIEM, Mike?

[Mike Johnson] So, I’m cheating a little bit in that I have a managed detection response provider who essentially runs my SIEM for all intents and purposes. Their job is to distill the stream of information that comes their way and figure out what the important things are. So, that’s kind of what a SIEM does. At the same time, we dump everything into a log platform that we then go and search, and we can investigate, we can do forensics activities as necessary. So, on the one hand, I could say I don’t have a SIEM, but on the other hand, it’s essentially because I’ve outsourced my SIEM.

[David Spark] Yeah, you’ve outsourced it. What about you, David? Do you think you could operate without a SIEM?

[David Cross] Well, I thinkpart of the element is audit and compliance. You name your favorite audit, you have to have it. Whether it’s meeting and finding the detections that you want, you still have to check the box, and I think that’s part of the reality.

[Steve Prentice] In a world where data is the primary currency of everything we do, the need to protect that data is growing in intensity. Here is Nathan Vega, vice president of product marketing and strategy at Protegrity.

[Nathan Vega] I think there are a couple of things that are driving the mandate for privacy. One, I believe there’s just a greater awareness in the consumer world about their data and what’s happening with it. I think two, data is power, and countries know that just as much as companies, and they’re looking at their citizen data and saying, “I really don’t want my citizens’ data to go to other places, so let’s keep it here local,” in our EU or within the United States or wherever that is. And then I think the third thing is the increase of breaches, increase of attacks, things like ransomware as a service have really lowered the requirements of sophistication for attackers and increased the pace and depth that they can attack our businesses and take the sensitive data from them.

[Steve Prentice] And that’s where Protegrity comes in.

[Nathan Vega] We may use one or more different types of techniques for actually protecting the data, and we provide all those methodologies, whether that’s tokenization, format-preserving encryption, standard encryption, or something else. When we work with customers, it’s really starting with that data use case and the requirement for data, and then working backward to provide the right level of protection across their enterprise, across their multi-cloud environment.

[Steve Prentice] For more information, visit

It’s time to play “What’s Worse?”


[David Spark] All right, David. You know how this game’s played, yes? It’s essentially two horrible scenarios, and you have to pick which one is the worst. This one comes from Nir Rothenberg, who just sends us an endless stream of phenomenal “What’s Worse?” scenarios.

[Mike Johnson] Oh, good old Nir.

[David Spark] Nir is the CISO over at Rapyd. I always make Mike answer first, so you can agree or disagree with Mike. If you disagree with Mike, I win. If you agree with Mike, he wins.

[David Cross] It’s all about winning?

[David Spark] Yes. It’s all about winning. All right. Mike, you get hacked by Lapsus$, and they get access to a customer management portal, what’s worse? They hack you by buying credentials from a few employees, butyou discover the breach in minutes and remediate. Or they hack you through phishing an IT service provider’s credentials, but you only discover the breach in the news after they post screenshots in their Telegram channel. So, what’s worse?

[Mike Johnson] This is quite the hypothetical here, Nir. I’m having a hard time envisioning this actually happening. I’m having to stretch here. So, essentially, it seems to come down to what is the method of compromise and then also the method of you becoming aware. And for me, it always comes down to I want to find out that the thing has happened as quickly as possible.

[David Spark] That would be the first scenario.

[Mike Johnson] And so even though the method of compromise, it’s directly into my environment, I’m going to have to spin up my own IR.

[David Spark] And they bought credentials from employees. That means you’re going to have to axe those employees.

[Mike Johnson] Yep. That’s going to be, for me, a much more difficult cleanup. But at the same time, I’m finding out and dealing with it sooner. I’m able to communicate with my customers faster of what’s going on.

[David Spark] By the way, that’s an easy firing, isn’t it? You sold your credentials? I think you’re gone.

[Mike Johnson] Yeah, yeah. If you knowingly sold it. Now, if you didn’t know what was going on, different scenario. But yeah, if you knowingly did it, yeah, that’s a very easy conversation. So, for me, this one, the second scenario is a black box. It could stretch on for who knows how long, who knows what all went wrong. I think the second one really is the worst case of these two.

[David Spark] All right, David, do you agree or disagree with Mike?

[David Cross] I’m going to disagree from a different angle. And the reason for this is you’re thinking about if you have employees that are being paid and selling their credentials. That means you have a much bigger problem inside your company than just that. That means you’ve got insider problems. That’s not just one person, it’s not just a sleeper cell, you’ve got a rampant problem, and this may be just the tip of the iceberg. And that means you’ve got a much bigger issues to address culturally and from a security perspective, and that’s why I’m very concerned with that first one.

[David Spark] You know what? I think the win goes to David here on this one, Mike.

[Mike Johnson] I’m sticking with my answer but it’s also a good answer, David.

[David Spark] But he’s right. The can of worms that this sucker could open. They’re both cans of worms, but I would definitely be more concerned about the sleeper cell in my company than anything that’s happening.

What’s the best way to handle this?


[David Spark] “Why do security professionals treat the term ‘zero trust’ so negatively, like it’s a hateful buzzword?” asked one redditor on the cybersecurity subreddit. While the principle is universally accepted, and it assumes that the internal network is hostile, the way it’s handled by marketers and others not in cybersecurity appears to annoy cyber professionals. One redditor responded that the annoyance comes from an executive who says, “Just make us zero trust,” as if it’s a switch you can flip. Another redditor noted, “Vendors grab the word and use it in every piece of marketing material they can for every product they sell until it becomes so confusing to people.” And another redditor said, “I think one of the reasons it gets a bad rap is because it’s objectively impossible to fully implement. You will never reach 100% zero trust.” So, David, how should vendors approach zero trust and how should the C-suite understand it?

[David Cross] Well, I really have to make a callout to another former Googler, Maya Kaczorowski. She kind of wrote about it a few months ago when she was kind of discussing zero trust architecture and really used the Google BeyondCorp example. Which is it really misleads everyone. Because zero trust is actually not simple, it’s very, very hard. It’s very complex and it takes many companies many years to actually achieve it. Because it means every user’s using MFA, you need to have all the hardware bound with identities, you need granular application policies and restrictions, you need encryption everywhere, all those type of things. And which companies all have that? None of them really do. And that’s why I think it’s really not possible.

[David Spark] So, is zero trust, which in the term “zero trust,” it implies 100% security. Doesn’t it, Mike?

[Mike Johnson] I think one of the issues around the term is in the security world, we’re very literal, we’re very literal thinkers, and people hear the term “zero trust,” and like, “Oh, it’s just not possible.” The way that I think about it is it’s more of a philosophy. It’s very much what you said. You have an internal environment that you just assume is hostile. Whereas in the past, everyone always assumed they could trust their internal environments, and inevitably, that leads to rampant lateral movement. You just need one entry point, and then you own an entire environment.

So, the way that I think about zero trust is really more of just the philosophy of all of my offices where I have them are coffee shops. My data centers, it’s not that you’re on the inside and you’re now suddenly trusted. Call it what you want but that’s the way that I think about it. And I don’t get too wound up on the fact that the term itself is a misnomer and has really been latched on a lot too much by marketing firms, by analysts, and that’s why we argue so much about the term.

[David Spark] Do you just ignore the terms when a marketer uses it, David, and just kind of move on? It doesn’t sort of affect you in any way, does it?

[David Cross] It doesn’t, exactly that. It’s kind of become the buzzword, it’s just like saying “krypto” or “Web3,” you name it. It’s kind of like “zero trust,” okay, I roll my eyes and move on.

[David Spark] Yeah, and you don’t pay it any heed. Because as we know, zero trust doesn’t come in a box, it takes people, process, and technology all together. So, your advice, let’s just sort of close this out with some grand advice, if you can. If marketers feel they want to use the term “zero trust,” what would be a better way to couch it, Mike?

[Mike Johnson] So, here’s the flip side of what I just said. I think they should keep using it. And the reason why is everyone knows the term now. And there’s a vocal minority who hate the term, but the majority of their customers hear it, recognize it, have an idea of what the particular vendor is selling, and then they can have a conversation. So, as much aslike David I ignore the term, I just, “Whatever,” I think they need to keep using it.

[David Spark] David, do you agree? Add something to that?

[David Cross] No, I think Mike really laid it out pretty well. Because I think you know exactly what they’re going to talk about, you’re not going to be surprised, you know what kind of conversation you’re going to have, and I think that’s a very reasonable way to approach it.

Oh they did something stupid on social media again.


[David Spark] On Twitter, I asked this question, “Do you have an anonymous persona on the internet and if so, what’s the value? So, I got a lot of responses to this question, some from real, some from anonymous people, and the anonymous people were joking, “No, this doesn’t do anything,” and these were very popular anonymous Twitter accounts.

So, here are some of the things that people said. They used it “as a spam filter.” Like, you sign up for different services, and you don’t want to use your real address. Another person said, “Let’s me speak the truth of internal politics in an anonymous fashion, and challenges of what I do. Also minimizes the fear of repercussion.” Another who plays video games and works for the government doesn’t think the two accounts need to be the same, he said, “Do potential employers need to see my forum questions about how to kill someone in the ‘game of the week’?” Another person said, “I use it to ask the most stupid questions I have that I’m so scared to ask myself.” And one more said, “I can just spill the exact feelings and words which I can’t in reality.”

So, I’ll start with you, Mike. Do you have or have you had an anonymous persona online? What’s its value to you? Can you tell me something specific you did with it? Do you encourage it with your staff to have anonymous personas online?

[Mike Johnson] So, the question of do you have “an” implies that I only have one.

[David Spark] So, you have multiple?

[Mike Johnson] I’ve lost track of how many I’ve had over the years.

[David Spark] So, what do you use them for?

[Mike Johnson] So, one of them, I think I’ve even talked about it on the show, but I’ve certainly talked about it in other places. I have a Jeep. I like to mess around with my Jeep, it’s a fun vehicle. I don’t share everything about my life, my job, my responsibility into that forum. I compartmentalize that identity to that world. There’s no reason to bring these two together.

[David Spark] So, the Jeep people do not know that it’s Mike Johnson?

[Mike Johnson] So, another side effect of having a very common name is I can call myself Mike Johnson there, and they still have no idea who it is.

[David Spark] And they’ll think it’s John Doe.

[Mike Johnson] It’s a made-up name, “Sure your name is Mike Johnson, I believe that.” But yeah, I go by Mike on that forum, but again, there’s no linkage between the two.

[David Spark] All right. I’m going to come back to find out more of your anonymous personas. David Cross, do you have any anonymous personas?

[David Cross] No, I don’t.

[David Spark] Do you feel like maybe it’s time to start one?

[David Cross] I think it’s a difficult choice, and it’s very different for various people. The biggest thing I like to think about is everyone can make choices in their lives, and sometimes people need safety in the things that they do and who they are. And I understand that, and I respect that enormously. And myself, sometimes I keep things a little bit separate. Like what I do on LinkedIn is very different than what I do on Twitter. I try to be one personality on Twitter, and I don’t want to intermix it with anything else. But that’s my choice. But I can definitely see a lot of the examples of people that, in some jobs, you’ve got to be careful who you are publicly and because of your position, and I think sometimes that’s where it’s a reasonable choice to have a different persona becauseyour personal and professional lives may be very different.

[David Spark] So, years and years ago, before there was a rather public internet, there was a chat network that literally they had – I don’t know if you remember this, I don’t know how long you lived in San Francisco, Mike. But there was a chat network called like SF Chat where you could literally go to a cafe and put a quarter into a, looked like a tabletop gamesetup like you would play Pac Man on a tabletop, but it was just a keyboard. And you would get into a chat room, a local San Francisco chat room. But you could also subscribe via your home computer and participate there.

And I created two personas on that – one person who hated everybody and another person who loved everyone. And it was a social experiment and the characters’ names were Toe Cheese was the one who hated everybody, and the one who loved everybody was Burnt Umber. Now, here’s the irony. While Toe Cheese got a lot of anger back, the person who loved everyone, Burnt Umber, was universally hated, which I was fascinated. It was quite fascinating that people… This was the thing – whatever you said, I would find a reason that you’re insulting somebody and tell you to stop it. I was kind of like the hyper PC police. I never giggled so much behind my computer as doing that.

[Mike Johnson] So, you were a troll. So, you were an early internet troll.

[David Spark] Well, prior to the public internet. This goes back, oh Jesus, was this the early… Early ’90s, I think, yeah.

[Mike Johnson] Way to be original, David. You were ahead of the times.

[David Spark] I was ahead of the times being a troll. It was, I’m sorry, very entertaining. I did meet the guy who ran the network, and he said, “I think I should thank you because you brought the whole network together. There’s nothing like a threat to bring the network together.” Because he did kick me off, by the way, and he goes, “I’ll reinstate you,” this is when I was Toe Cheese, “I’ll reinstate you if you come on back as a different persona.” And I did, and that’s when I came back as Burnt Umber, only to discover people hated me more.

[Mike Johnson] Okay.

[David Spark] I’d be interested if anyone listening remembers these characters.

[Mike Johnson] But I guess you didn’t run these at the same time, they were serial.

[David Spark] No, they were one after the other.

[Mike Johnson] Got you.

[David Spark] Yeah, yeah. Because the first one got kicked off. Do you have any other anonymous personas?

[Mike Johnson] So, one used to be anonymous and has become public. My Twitter handle is Yanty Slide [Phonetic 00:29:13].

[David Spark] Yeah, you don’t do that anymore.

[Mike Johnson] I don’t tweet as much anymore, it’s been a while. That originally started off as an IRC handle in FNET days way back when. And then when I first got involved in Shadowserver, we all very much kept our identities very quiet because it was really early in the days of trying to fight online crime, and you never knew what was going to happen. So, that was very much a persona that I kept anonymous out of a preference around safety. And stories that I could tell, it was a good idea, but over time, that wasn’t necessary to keep that one anonymous anymore.



[David Spark] Well, you know Mike. He is not anonymous. Mike Johnson is his true, real name. It’s not a persona he plays, he’s been that this whole time. And David Cross is not the well-known comedian, that I’m sure this comes up endlessly with you. But you have been very entertaining, David.Don’t let anyone tell you differently. I’m going to let you have the last word. One of the questions I always ask is are you hiring. I’m going to guess you are, but you can mention that yourself. But don’t say anything yet. I want to thank our sponsor, Protegrity, offering you data protection solutions. Check them out at Thank you, Protegrity. All right, Mike. Any last words about today’s show?

[Mike Johnson] David, thank you for joining us. It’s always a pleasure sitting down with folks’ different perspectives, and what I really liked was you brought that veteran experience that we just don’t hear enough of. And really hearing, sharing your experienceswhen we were talking about the barriers into joining the industry. I really thank you for bringing your story forward there. And also especially the callout, the specific examples that you gave about go write a blog, go contribute to GitHub, go contribute to a bug bounty. Those are great actionable things for people who are trying to break into the industry. So, thank you specifically for those examples, thank you in general for joining the show, sharing your experience, and having a wonderful conversation. Thank you, David.

[David Spark] All right. Well, you’re okay with compliments, aren’t you, David? He can take it. He can take compliments.

[David Cross] I can.

[David Spark] I echo what Mike says. You’re fantastic. Very entertaining on the show, and we love it when our guests with stories, so we appreciate that. Any last words andare you hiring?

[David Cross] Thanks again, David and Mike. I certainly hope that there’ll be an opportunity again to join you. I think this is a very fun conversation. Of course, we’re hiring, we’re always hiring, especially cybersecurity. And if there’s one thing I could call out, speaking of veterans, is since we’re on a podcast here, is that a callout that we now have Oracle, we now have a podcast from our MAVEN community. So, it’s about the veteran community, it’s not just specific to Oracle, and you can find it at and other locations. Just search for MAVEN and help us grow the community.

[David Spark] Excellent. And if someone wants to reach you, they’re in cybersecurity, they’re looking for a job at Oracle, what’s the best way to reach out to you?

[David Cross] You can find me at LinkedIn, and you can certainly find me on Twitter at Mr. DB Cross, so I don’t get confused with the other David Cross on Twitter.

[David Spark] Excellent. All right. Well, thank you very much, David. Thank you to Mike and thank you to our audience. I always say it but I really mean it, and I hope you all can take compliments. We adore your contributions, and we greatly appreciate you listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.