How Would You Like Your Cloud Misconfigured?

Great, you just purchased the cloud. Are you a little confused as to what you’re going to do with it? Not a problem. Let’s get you set up right with a world class misconfiguration. That should leave you open to all kinds of breaches.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Johnathan Keith, CISO, ViacomCBS Streaming.

Got feedback? Join the conversation on LinkedIn.

Thanks to our sponsor, AppOmni

AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they’re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who – and what – has access to your SaaS data.

Full transcript

Voiceover

Ten second security tip, go.

Johnathan Keith

The key to success for your cloud security program is to make sure your cloud security engineers and your cloud security architects have relationships and build rapport with your DevOps engineers throughout your program.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark, I am the Producer of the CISO Series and joining me is Mike Johnson, the sound of your voice, let’s hear it.

Mike Johnson

I am here, I apologize in advance if I end up with a hairball because my cat has decided to join me for this recording too, but I am here, and here is my voice.

David Spark

Does your cat cough up a lot of hairballs?

Mike Johnson

No but she actually exhales a lot of fur in general. She’s a very furry cat so I might have the hairball.

David Spark

I am highly allergic to cats and it’s a good thing I’ve not been to your house because I probably would not last long.

Mike Johnson

It would be a problem. Yeah, it would not be a good scene at all.

David Spark

We’re available at CISOseries.com where you can subscribe to any of our other programs, we have four other shows on our network, possibly more coming up, stay tuned. You can subscribe to that, to our newsletter, you can get our daily newsletter as well. Lots of good stuff, all available at CISOseries.com. Our sponsor for today is AppOmni. If you have a SaaS cloud environment and you are struggling with configurations, which ironically is something we’re going to talk about on this show as well, you’ll want to hear what AppOmni has to say later on in the show. But first Mike, I would say the one thing that I have definitely missed sorely through this pandemic is not going to live shows, not having a live RSA, not going to Black Hat, it’s been I would say a colossal bummer.

Mike Johnson

It really has been a bummer to not have that audience interaction. It felt like we have kind of hit our stride.

David Spark

Not just that, just hanging out and meeting people. It’s the one to two times I see the people in person and it’s fun.

Mike Johnson

Yes. I mean you know in general we’ve all had that problem of not being able to see other people, other than through a screen. And in a community like the security community where so much of it is relationships and learning from others, to not have that ability to do that, it does feel like there’s been this gap. And I’m looking forward to live events, the face-to-face events, to actually seeing people in person.

David Spark

So how comfortable are you? I am fully vaccinated, I believe you are as well, yes?

Mike Johnson

I’m fully vaccinated, I’m getting there still; I still have a little bit of anxiety.

David Spark

I actually sat in a restaurant inside once already. I’ve done it.

Mike Johnson

I’ve done that once myself and it was okay. I survived. And it was great to be able to do that again. For larger events…

David Spark

I think what’s going to happen, is we’re going to need to watch other people have events, until we feel comfortable having an event. But I would say, I’m going to be doing an event, I mentioned it on a previous episode, it’s going to be very small, it’s going to be I think about 30 to 40 people, but we’re going to do a live audience recording at an event. It is now officially sealed so it’s going to happen at the end of August, so if I don’t do a live event before that, my first one will be late August.

Mike Johnson

That feels about right. Like that gives some time to just see how everything settles down, late August.

David Spark

Let’s hope it settles down for that one.

Mike Johnson

Exactly. Exactly.

David Spark

Alright, with that being said, let’s settle up and crank up the excitement of this show and bring on our guest who I’m very excited to have on, because actually many of the people that work at his company, worked at a company that I used to work at, which was ZDTV and TechTV, if anyone remembers that, I was with that television network for the first three years. Many of them went on to go to CBS Interactive, which is now owned by his company and he’s actually very responsible for that. Plus I do some work for one of the businesses, VidCon, as well, so all sort of under his umbrella. But great to have him on board. He is a CISO for ViacomCBS Streaming, it’s Johnathan Keith. Johnathan, thank you so much for joining us.

Johnathan Keith

Thank you Dave, thank you for having me as part of your show and it’s a pleasure to be here today.

Why is everyone talking about this now?

00:04:37:18

David Spark

On LinkedIn, the CISO of LinkedIn and my co-host on Defense in Depth, Geoff Belknap asked, “Why do we hear so many stories about incidents related to poor/misconfigured cloud services?” He threw it up as a poll, offering suggestions such as configuration management is hard, configuration drift is a thing, third party access issues, and cloud is an easy scapegoat. Chris Hughes of Rise8 added, “Organizations are quickly adopting cloud while having little to no plan for upskilling their existing workforce or bringing in those with the needed skill sets.” Mike, there’s a lot of reasons possibly here, why do you think we keep hearing about cloud misconfiguration issues?

Mike Johnson

I think if there were one simple answer that applied across the board, it would be solved. The challenge is there’s so many different problems that are cropping up. I do think one of them is what Chris is talking about where there is greater and greater usage of the cloud, where you’re seeing more and more adoption. With more adoption, more opportunity for mistakes, and I think some of those companies, they’re doing lift and shift; they’re just taking this thing that’s been sitting in a data center all this time, you know, moving it over into a cloud and just assuming that everything is going to be fine. And that’s where they’re going to run into problems. If they look at it that way, the controls that are both available, and frankly required, in your average cloud environment, they’re just not going to work. And people who don’t have the skills or the experience in the cloud world, they’re going to go and make these tweaks just to make it work, and that’s when they’re going to see these exposures. It’s too easy to make a big mistake and not realize it, and I think that’s one of the reasons why we keep seeing it, it’s just greater adoption and that skill gap that we keep talking about.

David Spark

Johnathan, what do you have to add to this and do you agree or disagree?

Johnathan Keith

I concur with Mike, I think the greater adoption and the skills gap is definitely a big issue behind the misconfigurations in the cloud. I think also a lack of best practices and basically in general those best practices were not in place, you know, when an organization was actually on-prem, or actually running a high risk solution, so therefore they brought the same bad habits and the same bad practices into the cloud.

David Spark

Let me just pause you right there. Going back to Mike’s lift and shift comment, how much of the on-prem best practices can be brought to the cloud? Because isn’t it a little bit of a different ball game here?

Johnathan Keith

It’s a much different ball game but I would prefer, you know my organization, we did very little lift and shift because our moving to the cloud was for modernization, so we were intended to get off of legacy technology, get off of legacy application architecture, and the best way to do that was to move into the cloud and to create new best practices and new behavior.

David Spark

And let me ask you, what was your big configuration management challenge then?

Johnathan Keith

My big configuration management challenge was having our cloud security program involved in the strategies and also the migration plans, because we actually wanted to build security in through the development process, so we didn’t want the move from the on-prem solution into the cloud to occur first and then InfoSec being an afterthought. We wanted to be a part of the strategy and a part of the migration from day one, and that’s how we were able to solve a lot of the misconfiguration issues.

Hey, you’re a CISO, what’s your take on this?

00:08:19:12

David Spark

Over on Stackify’s site, Carlos Schults wrote a primer on “infrastructure as code,” and defined it as “managing your IT infrastructure using configuration files.” The benefits of IaC can be boiled down to speed, consistency and accountability. Johnathan, does the promise of IaC really deliver? Where can you fall afoul?

Johnathan Keith

Yes, I’m a huge proponent of infrastructure as code. I think going back to our earlier discussion about embedding security throughout the development phase, using infrastructure as code was actually a key factor to allow us to do that. I think not only does it create consistency, accountability, but it also allows us to embed those best practices from a development level and a development phase before, you know, anything actually rolls out into production. I think where you have to be careful, is you have to make sure that even working with the developers and the engineers, that they clearly understand what the security protocols are, what the security best practices are, and have a direct relationship between the cloud engineers, security engineers and the DevSecOps engineers, so as, for example, a Terraform plan is being designed, you have the input from the security personnel before you push anything into production.

David Spark

Mike, how bullish are you on infrastructure as code?

Mike Johnson

I really like the idea, the implementations can vary so wildly, but really including your configurations as part of your peer review, your configuration management, automated validation and testing, that really transforms an organization. Your likelihood of making mistakes is both amplified, because you can make a big mistake really quickly, but you can also roll that back really quickly, and that’s the key to all of this, is just how fast you can move both in making positive changes, if you’re going through peer review, your likelihood of making a mistake is lessened, but you can then essentially run experiments and try a thing out and roll it back if it doesn’t work.

David Spark

Can you give me an example of what would be like a common mistake in infrastructure as code and how you pull it back?

Mike Johnson

I mean frankly typos, like you put in the wrong IP address for your log aggregator and you’re off by one and now all of a sudden you’re streaming your logs off to somewhere else, rather than where you expected.

David Spark

Have you actually done that before?

Mike Johnson

I try and keep my hands off the keyboard as much as possible, so it’s been a while since I’ve made a mistake like that but absolutely I have made typos. Fortunately they were much smaller in scale.

David Spark

Johnathan, what are the kinds of examples of mistakes that can be rolled back but are like maybe common mistakes in infrastructure as code?

Johnathan Keith

I think common mistakes are, for example, deploying security groups that basically give access to applications publicly, that should not give access publicly to applications. And I think in a lot of cases, with a developer, sometimes that’s just a mistake, it’s not something that he or she intended to do, but they didn’t take the time to take a look at their configurations. One of the things that we do to combat that, we actually have scanners that scan infrastructure as code before we apply it, to find things like those type of misconfigurations, and making sure that we’re not making, you know, S3 buckets publicly accessible where the content within the bucket itself should be private.

Sponsor – AppOmni

00:11:59:07

Brendan O’Connor

Security that accumulates with interest.

Steve Prentice

This is Brendan O’Connor, CEO and Co-Founder of AppOmni discussing the challenges of SaaS security.

Brendan O’Connor

Security teams are paying attention to SaaS security now more than ever. They have seen and breaches have shown us that it’s a major blind spot and a weakness throughout the organization. Really teams don’t know where to start. This is not a job for someone to manually pick through thousands of configuration settings across dozens of environments line by line.

Steve Prentice

One of the biggest challenges he says is that nothing stands still.

Brendan O’Connor

The continuous rate of change of SaaS applications is not a bug, it’s a feature. SaaS providers or subscription, they are constantly coming out with new features, new APIs, new capabilities, new levers, knobs and switches. The complexity of SaaS applications is growing monthly, as the cloud providers are continually pushing out more. Looking at a system at a point in time, doing an annual pen test, is not going to tell you what you need to know. We need automation and continuous monitoring to enable security teams to keep up with all of the changes that their users are making in SaaS environments, but also the new changes that the SaaS provider is pushing into that cloud environment. What they need is simple and scalable security, they need always-on automation, they need guard rails that keep the business in line, so that they don’t need to review every change manually.

Steve Prentice

For more information, visit AppOmni.com

It’s time to play What’s Worse?

00:13:39:17

David Spark

Alright Johnathan, I explained how this game is played. We offer up two horrible scenarios, you’re not going to like either one of them, but your job is to determine, as a risk management exercise, which one of these awful scenarios is actually the worst. I always make Mike answer first and I do like it when my guests disagree with Mike, no pressure there by the way. Alright, Mike, this one comes from Jonathan Waldrop of Insight Global, and he provides two What’s Worse scenarios. Scenario One: You’re in a company whose risk tolerance is so low that the expectation is zero breaches and you get fired when there is a breach. Alright? So perfection in number one.

Johnathan Keith

Okay.

David Spark

Or number two, quite the opposite. The risk tolerance doesn’t exist because they just flat out assume a breach. The expectation is that we will be compromised no matter what, so the security budget only covers the bare basics; anti-malware and firewalls and the rest we rely on insurance. Which one is worse?

Johnathan Keith

Wow. So what’s interesting about the second one is it’s like the perversion of the assumed breach mindset, that security has been professing over the past few years.

David Spark

Yes it’s like if you don’t know that you haven’t been hacked, you know you’re a fool, kind of an attitude.

Mike Johnson

I think there’s the attitude around that we try and espouse with assumed breach is designed with the assumption that that will happen, rather than the second example is the fatalistic, “well it’s going to happen, so why should we bother?”

David Spark

And why should we bother being in business?

Mike Johnson

Right. So I think that’s an interesting perversion of the assumed breach mindset. And the first one is I’m going to make an assumption that along with that risk tolerance being such that we will not tolerate any breach whatsoever, that they’re backing that up, that they’re backing that up with funding, with prioritization, with buy-in across the organization. And you know what, I would actually prefer that one, I would prefer the world where I have all the support. It would suck to get fired, that’s not something that I would look forward to, but at least there’s that opportunity to bring all of these resources to bear, to protect the company, the data, the customers. In the second one, you don’t have any of that. You basically have, “yeah, we don’t care about a breach, we don’t care about security, we don’t care about anything.” I always say one of the things that’s most important to me in a company is that they care about security. So the second one, where they just don’t care about security, that’s the worst one to me.

David Spark

Alright. Johnathan, I throw this to you. Do you agree or disagree with Mike?

Johnathan Keith

Ooh that’s a close race. I have to slightly disagree with Mike. I think there is no such thing as perfection in security. In security you can never have a big enough budget, you can never have a large enough engineer and architects routine, you can never have enough shared responsibility across your organization. And if you begin to give the misconception to your executive teams, to your mid-level managers, to your customers, that you will never be breached and that you’re invincible, then you’re actually creating false hope and false pretenses for those groups. So for me, I mean the second one would definitely be a concern if I was in an organization where, you know, security was a low priority on the totem pole, but the first one is just not realistic in my world. It’s just not.

David Spark

Alright, split decision, I like it.

Understanding security sales.

00:17:29:11

David Spark

Neil Saltman of Anomali and co-author of the book, Cyber Security Sales, it’s available on Amazon, has a question.

Neil Saltman

What meetings do CISOs find useful for their time? What level of preparation is expected, what meetings do you find to be of good use to your account with vendors and which ones do you find to be a complete waste of time? So what’s the criteria of what you would expect people to know and what type of information do you expect to be shared that makes it worthwhile?

David Spark

Mike, got an answer for Neil?

Mike Johnson

You know I feel like a broken record here, but at the same time at least I’m consistent. But what I really expect is that the vendor has done their research about me, my organization, my environment, before they show up.

David Spark

So give me specifics. Like I show up, I’m a vendor.

Mike Johnson

Great example, don’t try and sell me Microsoft security products. Don’t try and sell me Exchange email services. Don’t try and sell me Office 365 solutions.

David Spark

You’ve done OSINT and you can tell these things about whether you’re on AWS.

Mike Johnson

These are things that you can find out about my company without talking with me, without spending that time information gathering. Come into the first meeting knowing all of that, and even better, if you don’t have a product that is going to help me for my environment, just don’t waste your time engaging with me. Your time is valuable so find someone who your products can actually help with and engage with those folks. So that’s the meetings that I feel are most worth my time, when it comes to a vendor that I’ve not had any discussions with prior, is where I feel like they’ve done their research, where I feel like I can have an awareness of what their product does, where I can have a deep technical conversation about implementation and I can then leave the meeting saying, I know what the product is, I know how it might work in my environment and I know whether or not it’s something that I would be interested in deploying all from that meeting. I would leave that meeting feeling like it was a worthwhile meeting.

David Spark

By the way, would it be okay, if I was a vendor and came in and say, “we did this [UNSURE OF WORD], this is what we discovered. We discovered A, B, C, D, E, are we correct in what we’ve seen so far, because I want to make sure that, you know, what we’re delivering to you is correct?” And you could like correct me, like, “oh yes, that’s right, that’s wrong,” and would you be okay with that or no?

Mike Johnson

Yes, absolutely, because again it’s you’ve put in the investment, you’ve put in the time and now I feel like you want to have a relationship with me, rather than just sell me a product. You’ve put in time to really potentially create a partnership.

David Spark

And would compliments about your appearance help at all?

Mike Johnson

No.

David Spark

No, okay. Johnathan, I throw this to you. What works for you and can you answer Neil’s question about a meeting with a vendor.

Johnathan Keith

I would absolutely concur with Mike. I do not do very well with the sales calls. When I’m meeting with vendors, I like to have discussions around proof of concept, so I like to know that even if this is the first time I’m meeting with a sales rep, that he or she has absolutely done their homework and they’re coming into this meeting with potential proofs of concept that work for my organization, that work for my tech stack, that work for our overall program, and we can actually start early discussions around what would a proof of concept look like if I decided to buy your product or test your product out. And if we’re not really having those detailed discussions around solutions and options, then you know they’re just trying to sell me a package that potentially probably doesn’t even work for my organization.

David Spark

Can I ask both of you to answer this question. Can you think of a meeting you had, you’re like, wow, that was a great meeting. Not that, you know, you’re like I had to buy this product, but just they handled that really really well. What was the thing they did that they handled really well? Johnathan?

Johnathan Keith

I think for me, you know, working with a lot of our cloud providers, they handle it well because they take a consultative approach. They have actually worked across our organization before, and albeit they may not have directly worked with myself on the security side, the cloud security, they still understand other aspects and they can actually consult to those aspects, and we’re actually having real intelligent conversations around what will work within my cloud security program that is an added business value to who are my customers, which is the other business partners.

David Spark

Alright. Mike, can you think of a specific one and what made it so good?

Mike Johnson

The ones that have really caught my attention the most is when they can think on their feet and pivot and follow me down a rabbit hole, where they weren’t necessarily prepared for a question that came up, but were able to then talk it out and they’re engaged, they have good answers, they then turn it into a conversation where there’s some back and forth and some brainstorming in the moment. Those are the ones that really catch my attention and I enjoy, because it’s not prepared, it’s something that’s in the moment, they’re launching off of their knowledge of their product, taking in my input and we’re then kind of brainstorming right there in the moment. Those are the ones that I’ve enjoyed the most.

Let’s dig a little deeper.

00:23:13:04

David Spark

Over on Fast Company, Karen Eber wrote an article entitled, “Ten questions to ask in a job interview that will really expose a company’s culture.” As noted on the top of the article, none of these questions were, “What is the Company’s Culture?” because that question won’t reveal anything except probably lies. Of these questions, or one of your own, which one do you think would reveal your company’s culture and is it different than the question you’d want to ask if you were trying to reveal a company’s culture? Do you have better questions to ask? Johnathan.

Johnathan Keith

For me, if I’m an interviewer or even if I’m in a case where I’m an interviewee, I’d want to ask questions around cross-functional opportunities throughout the organization. So if I ask someone, you know, what is your cross-functional projects or your cross-functional solutions, and they tell me they don’t have any, that tells me that’s a culture that’s more siloed and more isolated amongst the business units and the business partners, and for a security professional that’s overseeing a security program, that means it’s going to be almost impossible or difficult to be able to communicate cross-functionally across the organization. So that’s an easy way to have an open ended question to learn more about the internal culture of an organization.

David Spark

I like that by the way. Cross-functional is key. Mike?

Mike Johnson

I do want to say I totally agree with the, what is the company’s culture, being an utterly useless question. You’re not going to get anything from that, so I really agreed with that. One of the things that I’ve kind of pivoted towards and I’ve seen other people pivoting towards is a lot of companies will post their values on their public website. You can go and find them, my company posts ours, a prior company that I worked for, they posted theirs publicly, and I like to read through all of those, understand them and then ask what value speaks most to you and why. And that really gives some idea of is this a values oriented organization? Does this person really even know what the values of their company are? And you can really learn a lot about the culture just from that. From the article itself, one of the ones that I liked was the question about how the interviewer disconnects during vacations. That really tells you if you’ve got, if you’re talking to a company that’s go-go-go, or if they really rate work-life balance as key, that one question will give you an idea of what kind of company that you’re getting into, and you then decide which one you’re looking for. You might be looking for really high growth, high expectation, a lot of work, that go-go-go might work for you, or you might really be looking for a little bit more laid back that values work-life balance. That question gives you an idea of what that environment’s like. It tells you about one of the aspects of the culture of the company.

David Spark

Johnathan, since you’re probably hiring people and trying to make sure if they fit within your organization, I’m assuming, correct me if I’m wrong, that not only are you hiring them for their skill and their potential, but also whether they’ll fit within the team that you have, are there any red flags? And then versus that, green flags that tell you hey, this isn’t going to work or this is going to work?

Johnathan Keith

Absolutely. A red flag for me is during the interview process, if I detect that someone has a lone ranger mentality, that they don’t really give me a lot of scenarios where they have worked on team projects or they’ve actually merged and worked amongst their team members or their peers, or either cross-functionally across other organizations, that a lot of their projects they will always reference I and never we. So for me that becomes a red flag because the most important thing is tech skills, in some cases, can be trained as long as you have the foundation, but soft skills are something that you either have or you don’t have.

David Spark

Do you ask the question like, “hey tell me an example of how you worked with a team,” or do you have another way of sort of approaching that?

Johnathan Keith

Yeah we actually have some core competency questions and one of the questions is around not only problem solving, but also around project management, and also working on team projects together. So it’s a very open ended question where the person can’t just answer with a yes or no, they have to give detailed examples.

David Spark

Mike, red or green flags for you when hiring.

Mike Johnson

So I just ask someone if they’re a brilliant jerk and then it’s over at that point, because they just answer honestly.

David Spark

Which by the way we found out in a previous episode that Mike used to be a jerk.

Mike Johnson

I appreciate you bringing that one up David, I can never forget that.

David Spark

I’ll have to get Andrew, our Editor, to put that on a loop for me and I’ll play it on the sound board. Every time I want to feel good about myself I’ll just play it! Johnathan, this is like a running gag on the show because his absolute least favorite thing in the world is having brilliant jerks on his team, because he feels it brings down the whole team, and we’ve done a whole series of What’s Worse scenarios and nobody’s found the scenario that’s worse than that. I think we did find one scenario that was worse and I can’t remember, but it came up in conversation.

Mike Johnson

Yes it was one that we won’t repeat on the show.

David Spark

Well I’ll find it and we’ll bring it back. I’m sorry, go ahead Mike.

Mike Johnson

I really liked Johnathan’s point about trying to figure out how much the person’s involved in working with teams and whether they are the kind of person who just puts their head down and goes away and solves a problem, or if they’re the kind of person who involves the team and works with other people to create a solution. You hope that they’re creating a solution, as a group, that’s better than they could do themselves. And that really is something that I look for, is that concept of team work, how involved they are. So that’s one of the things I look for. Another is the old, “tell me your biggest mistake or a time that you made a mistake and how you recovered.” Because mistakes are going to happen and it’s important to me that people are A) willing to admit that they’ve made mistakes and B) that they have a concept of how to recover from a mistake.

David Spark

I always find that the most fascinating story too. If someone says, “all I do is win, win, win”, well you’re a bore.

Mike Johnson

Hey, we’re done. This is easy, thank you for removing yourself from consideration.

Close

00:30:06:00

David Spark

Alright, well thank you very much Mike and thank you Johnathan. That comes to the end of our very show. Johnathan, I’m going to let you have the very last word here, but one of the things I always ask our guests is, are you hiring, so be ready to answer that very question. I want to thank our sponsor for this very video chat, AppOmni. Again if you are working in a SaaS environment, you definitely have cloud configuration issues, I would check them out. They actually have a great tool but you can sign up and get a free scan of your environment to see what configuration issues you may have. Check it out at appomni.com. Mike, any last words?

Mike Johnson

Johnathan, thank you for joining us. It was great to sit down, have the conversation, I loved your passion about infrastructure as code and that’s something that we don’t talk enough about on the show. We talk about cloud security, we talk about security in general but that special focus on infrastructure as code is something that I really appreciate you bringing to our audience and kind of getting folks thinking about it. I also really like your focus on cross-functional work and how important that is to you, how important that folks on your team aren’t lone rangers, and I really think that was great to kind of hear your passion come through on that. But back to the infrastructure as code, I wanted to go back to the specific example that you gave, a great time for your teams, for security architects to be engaging, is when Terraform modules are being planned. That’s a great, I don’t want to say gate, but a great indicator of a time to engage with a team, and I think that’s a good example that our audience can take with them. So thank you specifically for that tip, in general for coming on our show and talking about your passions, it was great having that conversation with you. Thank you.

Johnathan Keith

And thank you. You know I want to thank you and Dave for having this platform available, where we can have these discussions and these open conversations. I think across the security plan as a whole, I mean we look for so many different resources, we read so many articles and they all seem to kind of regurgitate the same thing over and over again. So every now and then you come across this great platform, like what you and Dave have here, where it’s new, it’s refreshing, you can share new ideas and just have that dialog and that conversation that hopefully someone listens to and they take away and get some answers, or even get a solution that they can take back to their organization as beneficial.

David Spark

By the way, if you have had something beneficial from this show, let us know. We’d love to know the story behind it as well. Johnathan, the other question I ask, are you hiring?

Johnathan Keith

Currently within my team I am not. I’ve actually just backfilled two positions about 45 days ago and usually in my group, they were both cloud security architects, and usually there’s about 45 days of ramp up time once we hire someone, so we usually have a space, a gap, in between recruiting, so for now we have it on pause.

David Spark

Alright, well I’m sure you always keep your eye out for talent though in general?

Johnathan Keith

Absolutely, absolutely.

David Spark

Alright, well thank you very much. That was Johnathan Keith who’s the CISO of ViacomCBS Streaming. I was also joined by my co-host, Mike Johnson, as well, and as I always say, thank you so much to the audience for your awesome contribution. Keep them coming in. By the way give us What’s Worse scenarios, any other great sort of issue that you’re dealing with or conversations you see online, send it our way, I will give you full credit. As always I appreciate you contributing and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.