Turns out cybersecurity professionals lie on their resumes. They add degrees and certifications they don’t have. They omit degrees for fear of looking overqualified. And sometimes, they flat out invent jobs. But given the responses as to why people do it, it’s because they’re trying to get by the unnecessary barriers of cybersecurity hiring. Does that make the lying justified?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is David Nolan, VP, enterprise risk & CISO, Aaron’s.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Varonis
[Voiceover] What I love about cyber security. Go!
[David Nolan] I love the diverse and creative people it attracts to our industry. I’m always excited to meet these new people to our industry and learn the cool things they’re working on and how they’re creatively solving these solutions. I truly believe this is one of the fastest industries that moves, and it’s due to this type of people that we’re able to really keep pace.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost, you know him very well, his name is Mike Johnson. Mike, say hello to our very nice audience.
[Mike Johnson] Hello, very nice audience. It is a pleasure to be here with you today.
[David Spark] We are here with them. Although at this very moment, it’s just you, me, and our guest, who I’ll introduce in a moment. But it feels…
[Mike Johnson] But it feels like we’re all here. I can feel the energy even though they’re not in the meeting with us right now.
[David Spark] Yeah. I’m not buying that.
[Mike Johnson] I’m feeding from it, David. Don’t take this from me.
[David Spark] Hey, I do want to mention our sponsor. A phenomenal sponsor of the CISO Series. They keep supporting us again, and again, and again. And we adore them, and I want to thank them for sponsoring us again. That would be Varonis. You know Varonis. Effortless security outcomes powered by automation. They’ve got some pretty impressive stuff in that respect. And we’re going to talk a little bit more about that later today. But first, I want to tell you a quick story, Mike. I went to Boost Mobile. I had never considered using Boost Mobile, but someone told me about it. Again, it’s as cheap as $15 a month. I had some old phones. I wanted to give one to my son, so he could use the phone.
[Mike Johnson] For your burner phones, too. Boost Mobile is great for burner phones.
[David Spark] Never thought about that. Okay. So, I go to Boost Mobile, set it up. You’re doing the whole process. They have to take your phone and do it. And at one point, the woman says, “Oh, what’s your pin?” And I’m like, “Well, I’m not telling you that.” And I go, “Give me my phone.” And I entered it and handed it back to her. Then a few minutes later, I say, “How many times do people tell you their pin when you ask that question?” And she said, “Every single time.”
[Mike Johnson] [Laughs]
[David Spark] Every time. And I was like, “My God.”
[Mike Johnson] I mean, imagine, all you need to do is you go to a whole bunch of people, just put on your Boost Mobile uniform, and say, “Hey, just give me your pin.” It seems like a great opportunity there.
[David Spark] Honestly the way she said it though was so casual. Like it was like, “Oh, Mike, what’s your last name?”
[Mike Johnson] Exactly.
[David Spark] You’d be like, “Johnson.”
[Mike Johnson] “What’s your pin?”
[David Spark] She said it like. Like, “Oh, and I just need your pin.” And I can… And she said every single time. I was I guess the anomaly.
[Mike Johnson] This is the world we live in, David, and this is why we can’t have nice things.
[David Spark] Well, what I keep hearing about working with difficult users, I realize they’re all Boost Mobile customers.
[Mike Johnson] I mean at the same time, imagine putting yourself in their shoes. They are getting difficult customers who just want their phone fixed.
[David Spark] Right.
[Mike Johnson] They don’t want to deal with any of that. Whatever that is.
[David Spark] No, but the thing is that everyone freely hands over their pin to the lady at the Boost Mobile store.
[Mike Johnson] Get the problem solved.
[David Spark] I was shocked. Anyways.
[David Spark] Let’s bring on our guest. Thrilled to have him on. We had him on our headline show, and I said, “Come on over here. Come on over to CISO Series Podcast.” It is the VP of enterprise risk and CISO over at Aaron’s. None other than David Nolan. David, thank you so much for joining us.
[David Nolan] Really excited to be here David and Mike.
Why is everyone talking about this now?
[David Spark] What everyone in cyber is definitely talking about now is the White House’s national cyber security strategy. Mike, you called this a landmark we’ll all look back on as cyber security professionals. And John Overbaugh, who is the CISO of ASU who commented on this…he read it as a wish list of security good practices but nothing definitive. So, what is this, Mike? Is it groundbreaking or sure sounds like a good idea? And lastly, the one item that piqued my interest and John Overbaugh’s was the shift the burden of cyber security to organizations best able to handle it. Could you say this about anything? I mean we’re going to shift the burden of highway construction to engineers and construction workers. So, don’t most people view the burden of cyber security on the shoulders of the security team? I know this is something we talk about a lot. And isn’t that something security teams are trying to get away from? So, don’t they want to make it everyone’s responsibility, or is this a call out to vendors to get their products working properly? What do you think, Mike?
[Mike Johnson] One of the things that I think people missed…maybe just misunderstood about this document is that it’s a start. Our government is set up such that you can’t just have one body of the government dictate that there’s going to be massive changes. They need to lay out this document, the strategy, to talk about where we’re going to be and give a path loosely in that direction. Even putting that out there, even actually laying out where we want to go is significant. We haven’t done that before. And I think that’s really part of what I think folks are missing is that it’s not going to be the silver bullet by putting this document out there.
[David Spark] I must say, but the fact that they did it and they wrote it actually quite well… Not in a lot of mumbo jumbo. It’s very well written I must say.
[Mike Johnson] And from what I understand, I’m not sure that they named all of the industry representatives who are part of it, but there was absolutely security industry representation in the creation of this. This wasn’t just people who haven’t been there, done that. These were folks who have been in the trenches for a long time who helped to contribute to this. And that’s what made it something that is interesting and something that is compelling and a path that we can take. I think there’s some other things in here that folks might have missed. There’s going to be new regulation from regulators. If you are currently, say, a drug manufacturer, a pharmaceutical company, the FDA is going to actually start laying down cyber security requirements. That’s not happened before. That is moving things forward. So, I think ultimately this is a big deal, and it’s going to build. We’re going to look back at this as this document that was delivered that has set things in motion.
[David Spark] All right. Still confident that this is a big deal. David, how do you feel?
[David Nolan] Yeah, I agree with Mike. It’s a start, like he said. I look back to all the programs I’ve made, probably Mike has made, and all good security programs start with a vision first. And that’s specifically kind of what I see this as. They even specifically say, “It is a path.” And I see this as a good first step. Naturally it’s going to be the full solution. The rubber is going to meet the road on how effectively they can practically implement this. So, I think that’s really the way we should be approaching this. Not as a dictionary on how to solve security for the US. But specifically the shift of burden question you have, it really reminds me of discussions we’ve had on this podcast before where we’ve discussed that users may not be your first line of defense. They can’t be your only line of defense. So, I think when I think about it, I see the inferring that products and solutions must take into account a secure by default mindset where we or product manufacturers in this case or software manufacturers make it easier for those users, and we don’t just depend on them. So, I see it less as a shift of accountability but more as setting the expectation to do more by those who really have the means or the resources to do it.
What’s broken about cyber security hiring?
[David Spark] Cyber security professionals lie on their resumes according to a survey conducted by AccessCyber. Now, one of the organization’s educators, Gotham Sharma, posted some of the findings and significant percentages of survey responders admitted to listing a degree or certification they didn’t have, omitting advanced degrees for fear it would make them look overqualified, inflating job titles, extending their actual job duration by an average of one to three years, and 15%…this one I love…completely invented jobs. Now, why did they do this? Here are some of the quotes. They lied because, “I knew I could do the job if I just had the opportunity.” Another said, “No one would ever consider my technical skills if it didn’t look qualified on paper.” And they also don’t think employers value self-taught. And they needed to add keywords to get past the hiring software. That one I hear a lot, by the way. So, these behaviors didn’t come out of a vacuum. That’s what I want to point out. There’s no condoning of lying behavior, but when the system seems rigged against certain people’s skills development, they may feel forced to lie just to operate within existing hiring processes. David, could this be in their minds, or is it really what’s happening?
[David Nolan] Yeah, unfortunately I’ve caught a lot of people contradicting themselves specifically from their resumes, and the one I see a lot is they often take credit for more than they’ve personally done. So, taking credit for group work, things like that. I don’t think this is something that should be normalized, tolerated, or any of that stuff of course. But I also don’t think this is new to our industry or a new practice in general. I think this is something that’s been going on for a while. I’ve heard a lot of quotes like this even outside of our industry. So, I think it’s just something that definitely occurs. However, I do feel in our industry there are many cases where we somewhat have an overreliance on specific checkboxes or titles specifically. So, the CISO title is one of those. I think painting that as a requirement is a challenge. I hear it all the time from security leaders I talk to where they’re worrying, “I don’t have the CISO specific title.” But they have the role.
[David Spark] I hear that one a lot as well.
[David Nolan] Yeah, exactly. And I think requiring that specific title versus focusing on their experience or their qualifications can be really damaging to us. So, this could be an example, to your question, why some consider inflating their job titles. But I have an idea. I think we can all help change this just a little bit, little by little. So, what I try to do… And I think we can all do this is when interacting with others or our peers in the industry, don’t ask them what their title is. I feel like we always start with that. “What’s your title? What’s your title? What’s your title?” But ask them, “What do you do for the company? Tell me about some cool things or some interesting problems you’re solving.” I think this can slowly help us break down that expectation of having a specific title and really opens up for people to get excited about what they’re working on and help break this down just a little bit.
[David Spark] Good point. Mike, now I’m going to just make a guess here that you fully condone lying on resumes. Yes?
[Mike Johnson] No. I do not.
[David Spark] Oh, but you had to pause there for a second. I think you were contemplating.
[Mike Johnson] It was a dramatic pause, right? It was one of those dramatic pauses.
[David Spark] The reason I just bring this up… I just want to [Inaudible 00:11:51] I think people feel somewhat compelled… People don’t do this if they don’t think it’s going to give them an advantage or they feel that they’re being compelled to this behavior. Again, not condoning it. But I think there’s a sense that people are being compelled to do this.
[Mike Johnson] I think there’s a few different aspects to that. One, yeah, cheating helps. Generally that’s going to help get you forward. But it’s going to harm you in the long run. I think some folks don’t stop to think about that. There is the aspect of maybe some people feel compelled. But at the same time, they need to stop and think about what they’re lying about. So many of these things, they come up on a background check. A very, very simple background check that pretty much every company requires. And you might find yourself with a rescinded offer, and that’s not a good place to be. So, there’s a danger here. People think there’s no downside to it. That it’s all upside, that it’s just going to help me get ahead. But there’s actually a danger that can result in you losing your job or losing the job offer. And folks need to think about that aspect of it. The flip side, you’re not going to be qualified for every job out there, and that’s okay. There’s other jobs out there. There’s other jobs that you’re qualified for. There’s a ton of jobs in cyber security. Even with the layoffs that we’re going through, there’s a lot of hiring going on in cyber security. So, look for the one that you do have the experience with, the skills for, and apply for those and go after them hard. Really double down on your skills and talk about what you’re doing, and you’ll be better positioned as a result for those. So, rather than just doing sort of a scattershot approach that is inflating your resume with the hopes that it gets attention from someone, target roles specifically that match your background, match your skills. Go after those, and you’ll end up in a better place as a result.
Sponsor – Varonis
[David Spark] Before we go on any further, I do want to mention our sponsor, Varonis, and please listen to this. You’re going to appreciate what you hear. That has to do with about all the security incidents we hear. They’re caused by attackers finding and exploiting excessive permissions. We hear this again and again all the time. All it takes is one exposed folder, bucket, or API to cause a data breach crisis. Now, the average organization has tens of millions of unique permissions and sharing links. If you could visualize your Cloud data exposure, it would take an army of admins years to right-size privileges with how quickly data is created and shared. It’s like painting the entire Golden Gate Bridge. That ain’t easy. So, Varonis actually reduces data exposure while you sleep with the industry’s first fully autonomous data remediation. Sounds pretty good, doesn’t it? So, Varonis continually and intelligently removes unnecessary permissions, sharing links, and fixes misconfigurations without any human intervention. It’s kind of like your automatic cleanup crew of all the things that just shouldn’t be lying around, if you will. So, because Varonis monitors who uses data, their free incident response team will watch for alerts and call you if they see abnormal behavior like insider threats or compromised service accounts. Nice to have someone looking at you for you. So, to see how Varonis can reduce risk while removing work from your plate, head on over to their site, varonis.com. But then add the /cisoseries. So, varonis.com/cisoseries. And start your free trial today.
It’s time to play, “What’s worse?”
[David Spark] It’s time to play “what’s worse.” David, you know how this game is played, correct?
[David Nolan] Oh, yeah.
[David Spark] You know it well. All right, I was going to do another one, but I just got a “what’s worse” scenario in today, and I was like, “Oh, this one is…”
[David Nolan] Okay. Let’s do it.
[David Spark] I want to try it. And I’ll say this – Mike, we’ve never had anything like this before.
[Mike Johnson] Okay.
[David Spark] Get ready.
[Mike Johnson] I’m ready.
[David Spark] This comes from Dave Murray, who’s the CISO of Enact Mortgage Insurance. And it’s inspired by a true event. Scenario – he’s looking to purchase a new IT product or service. The vendor is relatively new, small, and does not have a SOC2, so they send a security questionnaire like the SIG. Which is worse – number one, the questionnaire comes back with a lot of red flags, but explanations of what they’re working on to mitigate the risk or eliminate the problem. Very detailed responses.
[Mike Johnson] Okay.
[David Spark] Okay? Scenario number two, the questionnaire is flawless. Not a single questionable response.
[David Spark] Which one is worse?
[Mike Johnson] So, I think this one is actually very easy. When you’ve got a vendor like this who is very young, the idea of a spotless set of answers that everything is what you would want it to be, that seems highly, highly unlikely and highly suspicious.
[David Spark] Suspect.
[Mike Johnson] And in general I would always rather someone show me their dirty laundry and how they’re going to fix it than tell me that everything is fine and nothing to worry about. You’ve essentially got the… It’s the Wizard of Oz. Pay no attention to all of the problems behind the curtain.
[David Spark] So, are you under the assumption…? Because we talk about there’s no such thing as 100% security. There never could be a flawless questionnaire?
[Mike Johnson] Correct.
[David Spark] It just could never, ever exist?
[Mike Johnson] Correct. Especially for a very early company.
[David Spark] But, now, let me also point out, it is a flawless thing. Does that mean everything is wrong? Because the other one is riddled with red flags.
[Mike Johnson] Well, I’m picking which is worse, right? Neither of these are great. These both suck.
[David Spark] [Laughs] Right. But the thing is I know you always go for the known rather than the unknown, and you’re assuming that number two is definitely unknown.
[Mike Johnson] I’m assuming that there’s something wrong in number two that they’re not telling me, and so I’m starting… We just had this conversation. I’m starting this relationship with a vendor who’s lying to me, and that just… That’s never good. That’s not going to go well. So, yeah, this one is actually very easy.
[David Spark] I knew you were going to pick that one, but I was very amused by this scenario.
[Mike Johnson] [Laughs] It’s very amusing. It’s very amusing. Especially that it’s inspired by true facts.
[David Spark] All right, David, which one…? Do you agree with Mike on this? Again, it’s what’s worse here. And do you agree with him? And B, have you ever seen a flawless questionnaire?
[David Nolan] Yeah, I think before I address this I just want to make Mike aware, I got a gift today with a letter on it here that says, “Do not agree with Mike.”
[David Nolan] So, it turns out the rumors are true. But unfortunately, David, I do have to agree with Mike on this one. I’m a big fan of partnering with these vendors. So, it’s a big red flag to me if you have a “flawless” questionnaire. Especially on some of these hundred plus questionnaires. Like if we’re being honest and not just doing our yes/no audit level responses, I think it’s just impossible if we’re honest with ourselves. So, I’d rather partner with them and like, “Let me see your dirty laundry.” Like Mike said, we’ll work on it together. It gives me a better idea of maybe where we got to mitigate a few things before we enter into that relationship. But I think that is totally, totally achievable to work through with that vendor. The flawless one, run away.
[David Spark] So, here’s my theory – for the young vendor that’s sending out flawless questionnaires, I think maybe they learn because no one accepts them how can they not accept this. Everything is correct on our questionnaire. And then they realize, “Oh, wait a second, we can’t be doing that.”
[Mike Johnson] So, here’s the thing – what will probably happen is there will be some people who will accept that questionnaire. They will actually get some uptake on that. They’ll get very mixed signals as a result. And one hopes that they will learn, but there will actually be plenty of people who don’t even look at the answers of the questionnaire. This is one of the dirty little secrets of third party risk management is a lot of these questionnaires that people answer are never… Those answers are never reviewed. I’ve heard people put in like the green M&M clause kind of thing where they speak something into their answers just to see if anybody is reading them, and they don’t get read. So, they’ll actually get some people who will take the perfect questionnaire.
[David Nolan] Yeah, if I see no findings from an EVRM I push back instantly or vendor risk questionnaire. It’s a red flag for our team, too. Or for me to our team.
[David Spark] I know a software developer that put in his end user license agreement, you know how everyone clicks “okay” and… He has buried in it if you read this and you email me, I’ll send you a thousand dollars. It took months before he ever sent any money.
[David Spark] He did send them money though.
[Mike Johnson] Nice. Good for him for following through.
[David Spark] But it was kind of amazing.
If you haven’t made this mistake, you’re not in security.
[David Spark] Businesses take risk as it’s often the way to become successful. You have to take a chance to see how the market will react. If it will purchase your product. And depending on the industry, there could be different types of volatility of that risk. Can that same type of risk apply to cyber security? Can cyber security professionals take risks in the work that they do, and could there be big “cyber payouts” if they succeed? David, you alluded to that this is needed in order to innovate and automate. So, give us some examples of how the cyber security department would take a big risk and what would that payout look like? Had you done something like this and succeeded? And in some cases, have you failed? Because, again, it’s all about risk.
[David Nolan] Yeah, I love this one. I think it makes especially new security people really nervous because we’re in the business of risk. And then you say, “Take risk.” And suddenly they freak out. But I think taking risk can certainly lead to innovation in an industry. I think the bigger point here we need to think about is challenging the status quo. That’s one of the big risks. It’s really easy to fall into what’s comfortable and what has worked in the past in our industry. I honestly think doing things the same way involves more risk than innovating and trying new things. But the approach to this concept does matter. My background is in development, and I’ve always embraced the concept of lean development. Kind of doing those small changes where you test different concepts really quickly, things that you could back out really easy, use feature flags, etc. And the overall risk is pretty low.
But it allows you to try things, test theories. I think this can be applied to security as well. But if you have this innovation and you can try it in those small batch sizes, the terminology fail quickly often applies in this space. I think you can modify your approach, and you can continuously learn from what you’re doing. So, I think you asked for examples. I think there is one or two. I got one from my personal experience, but the one that a lot of people talk about is in chaos engineering. So, having that resilient enough of a structure where you can take risks. You can fail. You can break things even and lead to bigger gains. That’s the one I always hear in the industry.
But the one I love talking about from my personal career was when we had technology teams that were moving over to infrastructure as code. And your initial security gut in this is to resist and say, “I can’t apply the normal concepts. I can’t put X tool on top of that because it’s new, and it’s fresh, and I don’t know how to deal with it.” But what we did instead is we embraced it. So, take a risk, right? We were able to deploy an approach of what we called security as code. So, it matched right along with infrastructure as code. The cool thing about that is we integrated the security right into the pipeline, and we were able to actually better evaluate the stance of security on these infrastructure as code deployments. And we could do it live. We could do it right then. We could reverse changes. We could almost do a compliance based approach. And it was great. So, it was faster. It was easier. It was more consistent protection and governance than kind of your traditional security model. So, sometimes when the business is an early adopter of technology, to support and enable that business, we have to be willing to be an early adopter as well. And sometimes that requires innovation and an actual development on our own for new security products and approaches.
[David Spark] Excellent example. And, Mike, I’ll throw this to you. In David’s example right there, he had… The only way you innovate is you take risk. I don’t know if there’s a safe way to “innovate.” Innovation by its nature requires risk, and it paid off for him. What has been your experience here?
[Mike Johnson] Well, first of all, I like the concept of security as code. I think that’s an awesome way of thinking about it. But one of the things, one of the risks is when there is a new technology and we look at it from a security perspective as to how that new technology can enable security, but it requires us to think in different ways. To do things differently than we have in the past. And that’s where the risk comes in. The saying used to be nobody ever got fired for buying IBM. We’ve got similar concepts and paradigms in security which is nobody ever got fired for patching everything within 24 hours. Intentionally bad examples, but there’s so many ways that we think about managing risk in security that are built on top of assumptions that may not exist anymore. And if you’ve got ephemeral infrastructure and if you’ve got ways of dealing with that ephemeral infrastructure then you can actually have a more secure environment, but it requires you to think about things differently. That’s one of the big risks of security is just breaking with the foundational paradigms that we’re used to and doing something differently that you then have to turn around and justify. You have to explain why you’re doing it that way, and that’s one of the big risks for changing the way that we think about security.
[David Nolan] Yeah, I’ve seen… Mike, to kind of jump onto that. I’ve seen folks come in with their security requirements, and they’ll take something like serverless, and they’ll say, “You must apply this agent.”
[Mike Johnson] Right. [Laughs]
[David Nolan] And then it’s like, “Hello, you can’t do that.” And what I find is that’s the people who don’t take risk and ultimately fail at security. But if we’re willing to flip that model and we talk to the business to say, “Okay, what are you trying to achieve?” And then we do it in a secure way, that’s taking a little risk from what we’re used to. But you know what? That’s how you innovate.
Are we making the situation better or worse?
[David Spark] David Yaffe of Estuary said of ChatGPT, “Entire classes of problems can’t be solved by AI for years until an architectural change is realized. We’ll be living in a world with tons of content, all with varying ‘resolution’ and ‘accuracy’ until then.” So, everyone is focused on the lying of an AI engine that’s based on a combination of truths and lies that fill the internet. What we’re kind of all struggling for is a truth engine really, not an AI engine. And we want some means to get to that truth. Now, I posit that the way you get to that truth is to rely on vetted sources, but even that will only just get you closer. Are we complaining for something that we’ll never be able to obtain, or should we just be happy with improvement? Mike Johnson?
[Mike Johnson] One of the things I heard somebody say about ChatGPT is the confidence it can project when giving an inaccurate answer. It can tell you something totally wrong and be extremely confident about it. And that’s one of the…
[David Spark] It’s what we do on this show.
[Mike Johnson] It’s very much like this show. In fact, dear listener, we’re actually all ChatGPT. We are. We are.
[David Spark] We have led you down a very dangerous road.
[Mike Johnson] Yes. Yes. [Laughs] One of the things that I think about with that though is the interface with ChatGPT is you ask a question, and it gives you an answer. Prior to ChatGPT we would ask Google a question, and it would give you thousands of answers. And it was then on you to figure out.
[David Spark] Nobody looks at anything more than the first three or four.
[Mike Johnson] Right. And those first three or four might actually be wrong. Those could actually also be wrong answers. And what you have in those scenarios is you as the human are trying to figure out what’s right and wrong. I think at the end of the day, people have too much of an expectation of ChatGPT, that it’s going to give them the right answer. I think it’s one of those technologies that approaches magic for folks, and so they don’t quite know what to expect of it. And so they really… They’re expecting more of it than it really is capable of delivering. We’re just not going to get this all knowing, all seeing oracle that folks are looking for. I think you’re right in that that’s what people want. And maybe we’ll get there in our lifetimes, but we’re certainly not there today.
[David Spark] I just suggest everyone listens to me. David, what do you think? Do you think I could be the grand oracle that could answer everybody’s questions?
[David Nolan] Gosh… I don’t know what’s worse. That could be one of our segments.
[David Nolan] ChatGPT or David Spark, which is worse.
[Mike Johnson] There you go.
[David Nolan] Yeah, I think I really agree with Mike here, but I think it’s something we can work towards over time. I kind of…as you said, posit back to you, do you remember early in the life of the internet when universities wouldn’t allow students to use the internet for quotable sources?
[David Spark] Really? This I did not know.
[Mike Johnson] That was a thing.
[David Nolan] That was a thing. And you had to go find the book, and you had to quote the book from the library. But we’ve grown beyond that. And now to think that the internet is a primary source for a lot of university students.
[David Spark] Well, nobody cracks a book anymore. Only the internet.
[David Nolan] Exactly. So, I really think that example is what we need to play here. I think over time we can progress, and we can get there as well. So, now while I do believe there’s a lot of good business cases here that there could be value for ChatGPT, I think it can be a good tool, like we talked about on the podcast before, for generating ideas, for generating that base content that then you work from, that then you edit. And then you go. But…
[David Spark] In fact I think it was Dan Walsh… I believe he said this, is that he wrote into ChatGPT… And I’m going to obliterate this. But I think he just said write a security program for me. And what it was good for and what a lot of people have trouble with is writing the first draft. The fact that it can write the first draft for you and you can edit it… Because I know I edit a lot better than I can write a first draft, and I think a lot of people are like that. That’s of enormous value.
[David Nolan] Yeah, I’ve heard people use it for content that’s large like policies or the beginning content when you’re stuck on a presentation or something like that. I think you can’t trust it, like you’re saying though. I don’t see it as an all seeing eye as Mike said. I’d be wary of it as a source of fact because even large data sets, they can be poisoned by bad information that can permeate that model for a long while.
[David Spark] By the way, I want to say to our audience if you have not heard an episode of Defense in Depth from many years ago…I think about three years ago we did with Davi Ottenheimer called Machine Learning Failures, oh, wow, does he go into great detail about why things screw up. And it is not difficult to poison a database. Really easy. It takes… It’s a fraction… I think it’s a fraction of a percentage or maybe two percentage it takes to just poison it.
[David Nolan] Yeah, and I think we’re seeing that in real time just with more poisoning of bad data on the internet.
[David Spark] Or poisoning of good data. You’re taking the bad data and poisoning it. Yeah.
[David Nolan] I think the interesting thing here is it’s obvious wrong answers that we’re catching, but what about those not obvious wrong answers or those slight misstatements? Those are what’s going to get us in trouble with ChatGPT.
[David Spark] That’s a good point. So, okay, Mike, what’s worse, following your advice or ChatGPT?
[Mike Johnson] We should ask ChatGPT that question.
[David Spark] That is a good… Although it will not give opinions of individuals. You know that. That’s one of the limitations it has.
[Mike Johnson] You can be crafty in the way that you ask the question, and you could get it to answer that question if you really wanted to.
[David Spark] By the way, we had a listener that asked ChatGPT… And I posted it on LinkedIn. About like write a script of David Spark hosting CISO Series Podcast. And I read it, and it was really generic. Because we have our transcripts of our episodes. You would think we’d just go and siphon some of the words from the transcript, but it didn’t really do that. So, I was kind of surprised.
[Mike Johnson] Well, it claims that it’s…their corpus of data is only up through like 2021 or something like that.
[David Spark] Well, we have transcripts from 2021.
[Mike Johnson] Yeah, it was just early stuff at that point. But I asked ChatGPT who the CISO of my company was. And it gave me the name of some random person who has never worked for my company and has never been the CISO. But actually I said, “Can you tell me more about this person?” And it gave me their LinkedIn. It actually gave me, “This is the person.”
[David Spark] So, it went to the source and pulled you back incorrect information?
[Mike Johnson] Correct. And I argued with it, and it doubled down. So, I was like, “No, that’s wrong.” It was like, “No, this is correct.” And it just kept going. But it was confidently giving me an incorrect answer.
[David Spark] I don’t want to… And we’re just going to save this for a whole other episode, but did you hear that whole New York Times journalist who did that whole thing with…and got those very weird responses back? Did you read this? David, you’re nodding your head. Listen to New York Times, the Daily. There’s actually two episodes of New York Times, the Daily about this. And the responses were like out of Isaac Asimov’s I, Robot of like the robots taking over. It was really disturbing.
[Mike Johnson] Awesome.
[David Spark] Yeah, all right. That brings us on that happy note…
[David Spark] That brings us to the end of this show. I want to thank Mr. David Nolan, which I will let you have the last word here. But first, I do want to mention our sponsor, Varonis, who did an awesome job sponsoring today’s episode. So, thank you so much. varonis.com/cisoseries. That’s where every single listener is going to go immediately after listening to this. So, if you’re driving, pull over, go to varonis.com/cisoseries. Thank you. Effortless security outcomes powered by automation. And if you are jogging, by the way, and listening to this episode, stop wherever you are, knock on whoever’s door is in front of you wherever you happen to stop, and say, “Can I use your computer? Because I need to go to varonis.com/cisoseries.” Mike, any last words?
[Mike Johnson] I was going to add that they should also ask them for their pin number.
[David Spark] Right.
[Mike Johnson] Knock on their door, ask for their pin number, and then use their computer.
[David Spark] Yeah, I need to go.
[Mike Johnson] David, thanks for joining us. I really loved the part about the innovation in security, and I really think we need to think more about that – what are our opportunities. You gave some great examples for folks to think about. Thinking about what is the business really trying to do rather than just making an assumption and kind of learning from that as frankly challenging convention of security but also thinking about how you can apply technology in new and interesting ways. I love the security as code concept. So, thank you for sharing those nuggets for our audience. It was a pleasure sitting down and chatting with you. Thank you, David.
[David Spark] Mr. Nolan, any last words? And by the way, I always ask our guest are you hiring.
[David Nolan] We are full up at this point, so…
[David Spark] That is… Kudos to you Mr. David Nolan. Any last words for the show?
[David Nolan] You can check me out on LinkedIn if you want to talk shop. This was more fun than anything, so I appreciate it. Thanks for having me.
[David Spark] Thank you very much, David. Thank you very much, Mike. Thanks to our sponsor, Varonis, and thank you to our audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at firstname.lastname@example.org. Thank you for listening to the CISO Series Podcast.