
If We Don’t Talk About Cyber Risk, Will It Go Away?

Risk is scary. Cyber risk is scarier. Not because it’s worse, but mostly because we barely understand it. We’ve gone this long not understanding it. Maybe just ignoring it will allow us to wish it away.

On this week’s episode of CISO/Security Vendor Relationship Podcast we have our first in-studio guest (since we moved the studio). Joining me, David Spark (@dspark), producer of CISO Series, and Mike Johnson is our in-studio guest TJ Lingenfelter (@tj_555), sr. program manager, information security, Taylormade Golf.

TJ Lingenfelter of Taylormade Golf with CISO Series producer, David Spark. On the monitor, co-host Mike Johnson.

Got feedback? Join the conversation on LinkedIn.

Thanks to our podcast sponsor, BitSight

These are challenging times for security professionals. From managing third party supply chain risk, to quantifying financial exposure, to reducing the likelihood of ransomware, BitSight helps security and risk professionals create more effective cybersecurity programs with cybersecurity ratings and analytics. Learn why Moody’s, the Department of Defense, and other leading institutions partner with BitSight at www.bitsight.com

Full transcript

Voiceover

Ten second security tip, go!

TJ Lingenfelter

Get in front of people, get face time. It’s impossible to lead through email or to get buy-in through email, you have to get in front of people.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the Producer of the CISO Series. My co-host is Mike Johnson. Mike, could you make some noise of some sort, so we know that you’re actually there?

Mike Johnson

This reminds me, I need to get one of those little clacker things that I can shake.

David Spark

But that’s not the sound of your voice.

Mike Johnson

Oh, but you said, “make some noise” so that would be some noise.

David Spark

No, I was asking for your voice.

Mike Johnson

Well, I guess if you want my voice.

David Spark

You should do a whole episode in Morse Code. What do you think?

Mike Johnson

I cannot do that. Although, someone was talking about a speak and spell, and I think that’s an option at some point.

David Spark

There you go! There was a really hilarious routine, I’m sure it’s on YouTube, that Albert Brooks did on The Tonight Show through Speak and Spell. Look it up, I’m sure it’s there.

Mike Johnson

That sounds amazing.

David Spark

We’re available at CISOseries.com if you haven’t checked out our brand new website, it’s pretty darned awesome. You can find more stuff there. Our sponsor is BitSight, and if you’re interested in credit ratings of vendors and third party risk management, you’ll want to hear what they have to say later in the show, so stay tuned for that. But first, two things I want to mention. One is that I just got back from New York City, where I did a live recording of the podcast. People should have already heard it, because it would have dropped two weeks ago. It was great. It was the biggest crowd we’ve had since the pandemic, my third live show since the pandemic.

Mike Johnson

What was the vibe like? How did it feel?

David Spark

You know what? People were just ecstatic to be out and Akeyless was the sponsor and they actually hosted this huge conference called KeyConf, and it was in a stunning venue called City Winery in New York City which, by the way, I highly recommend if you want to throw an event somewhere in New York.

Mike Johnson

Sounds swanky!

David Spark

Very swanky, just a beautiful space. It was really well set-up to do an event like this, extremely well set-up for just that. So, highly recommended. But, more importantly, I want to mention that I have my first in-studio guest right now. Our guest today is physically sitting right next to me.

Mike Johnson

Yes, I can see him.

David Spark

It is TJ Lingenfelter, the Senior Program Manager for Information Security at Taylormade Golf. TJ made some noise. I’m so thrilled you’re here!

TJ Lingenfelter

Hello, everyone. It’s great to be here in person.

David Spark

Alright, so here’s my question, and I hope this is not embarrassing, but with a last name like Lingenfelter, you must have had a lot of maybe not so nice nicknames as you were growing up?

TJ Lingenfelter

That is absolutely true.

David Spark

Would you like to share one or two of them with us?

Mike Johnson

Oh, come on!

TJ Lingenfelter

Yeah, I don’t know if it’s very clean or not clean, this show.

David Spark

Oh yeah, we have to keep it clean here!

Mike Johnson

We’ve got to keep our PG rating!

David Spark

I’m assuming you weren’t a big fan of many of them.

TJ Lingenfelter

No. When you are changing Lingenfelter to finger-something, it’s never good to hear that.

Mike Johnson

It doesn’t go anywhere.

David Spark

It’s just that name is just asking for it, unfortunately.

TJ Lingenfelter

Yeah, unfortunately.

What’s the best way to handle this?

3:34

David Spark

TJ is my first in-studio guest, as I just mentioned, and we met at dinner just recently with a bunch of fellow cyber peeps, and one thing that’s unique about Carlsbad, where I live and TJ works, is that there’s a ton of golf companies, manufacturers of golf equipment right here in Carlsbad. TJ works for Taylormade, and I want you to explain to our audience, why are there so many golf companies right here in Carlsbad?

TJ Lingenfelter

Well, North San Diego County is huge in aerospace and with golf we use the same kind of engineering. Think about what does it take to make a jet? You need lightweight materials, you need something to be streamlined, you know, with air resistance and all that. And so, where else are you going to get engineers that are great at that than around aerospace? That’s perfect right here in Carlsbad where Hughes Aircraft was, Northrop Grumman. We have Boeing, we have so many that were all here in North San Diego County that it just made sense that you would have a golf industry here using those engineers.

David Spark

So, what are the golf companies here? Taylormade, Callaway, who are the others?

TJ Lingenfelter

Ping, Titleist, Cobra and you could just keep going. All the big ones.

David Spark

There’s more than that?

TJ Lingenfelter

Oh, yes, because it’s not just the major golf equipment manufacturers, but it’s a lot of the companies that support that, so that makes shafts, grips, you know, all the different parts.

David Spark

Oh wow! So, there’s a lot in there. Alright. The reason I’m bringing this up, it’s not just to amuse myself here, what TJ and I discussed over dinner and what I’d actually like to pull off on this very show is to have the security leaders from some of these golf companies come on the show and talk about their industry-specific security issues. Now, here’s my question to both of you, and Mike, I’m going to have you start first. How do I address it and make the pitch so they want to come on, not be concerned, and actually see this as good for themselves and a good public conversation as well? How do you think I should approach this, and what are ways you believe competitive companies can help each other and be more secure?

Mike Johnson

So, first I’d suggest that the first time they come together shouldn’t be on the show.

David Spark

That is good advice, yes.

Mike Johnson

So, maybe host a dinner.

David Spark

I’m thinking two tacos maximum per person.

Mike Johnson

As long as they’re big tacos, that’s fine! That works out well. But you can meet privately and have them get comfortable first and build that shared trust, that’s the key thing for getting a group together that maybe is not used to getting together or especially if they are competition. And that gives them an ability to recognize that they’re not going to be surprised by each other. You don’t want to be surprised.

David Spark

Now what would be the attractor? Because I know when you were at Lyft you knew the security leaders over at Uber, and I’m assuming you talked regularly, yes?

Mike Johnson

We talked.

David Spark

Okay, you talked at some interval.

Mike Johnson

At some undisclosed interval.

David Spark

What would be the attractor to this? What is the thing that I could say that you think would be of value?

Mike Johnson

There’s two different aspects. One, there is potentially shared adversaries: an adversary that’s interested in one of you is going to be interested in all of you. Maybe you’re the first one to see that adversary, you can then share that with others. Maybe you’re the second, and someone is willing to share information with you so that you can be prepared. The flip side is you’re likely to have similar defenses in mind. You’re likely, given the businesses that you’re in, you have probably built similar types of controls. In mentioning Lyft and Uber, we had back end computing systems that were on the similar side, therefore we kind of knew we would probably build similar defenses. And so you can learn from each other’s mistakes so that you don’t make one yourself. There’s really just a lot of shared both adversary and defenses and concerns that you can kind of get out there and share and learn from each other, and learn as much as you teach.

David Spark

TJ, we brought up this discussion over dinner, and you seemed very gung-ho about this. What would you like to know from your fellow golf competitors?

TJ Lingenfelter

I agree that we probably share a lot of the same struggles. We’re in the same industry, we’re protecting the same types of data, so we probably have a lot of things we can talk about. I like the idea that Mike brought up about starting with a small gathering. For us, the easy answer to that is the golf course. We should just all get together and go play a round of golf, and we could talk casually. I think to build that trust we need to start without getting into specifics, keep the topics more general, like we were just saying. What is important to our industry? What are the data elements that we’re all trying to protect? What kind of struggles are we seeing? Then, if we want to get deeper into more specifics, some things that have actually happened that we could all learn from. I think that we need to try and devise something that’s similar to in the medical field, the morbidity and mortality conferences they have, where they can be absolutely open with every detail of what happened, then learn from that. We need a safe space like that. Infosec as a whole needs a safe space like that, where we can all get together and really get into the nitty-gritty of events, of incidents, and just you know, what’s happening out there that we could all help each other with. I just feel like there’s so much concern about liability or looking negligent, or revealing vulnerabilities out there that we all don’t really want to talk about the specifics, and that’s a shame.

David Spark

So, that sounds like the before conversation and then coming on the podcast!

Mike Johnson

So, what you might also think about, have you heard of the Chatham House Rules before?

David Spark

Yes.

Mike Johnson

So, the idea is you can talk about what was discussed, but you can’t attribute that. You can’t say, “I heard this from so-and-so,” but you can say, “I’ve heard of this kind of concept before, I have learned about this,” and then you can still use it, you can still bring that back. But that’s also, again, a shared trust that you’re then talking into this group and you can understand and trust that it’s not going to be repeated and attributed back to you. That allows you to open it up a little bit more. I totally agree with you that the total open kimono of, “These are all my vulnerabilities”, it’s a little bit uncomfortable.

Are we having communication issues?

10:28

David Spark

From an anonymous listener, and you’ll realize why this listener requested to be anonymous. I know who it is. This person works in a non-profit, they’re the topmost security person at this non-profit, and they report to the CIO with also an additional person underneath as well. All together, they are managing a 4,000 person company, and I believe this security person has someone below them as well, maybe a few people, but not a lot so they’re dealing with a lot at a 4,000 person company. Anyways, here’s the request, “As part of the process of creating a more robust security program and get context and a deeper understanding of what’s at stake, I want to meet with key stakeholders to discuss cyber risk from a business risk perspective, starting from the top. The only problem is that to do that I need to get the green light from the CIO. Apparently, he’s not an easy person to deal with and gets triggered by the word “risk”. I need to somehow explain the situation to him in positive terms only. What should I do if I can’t get past this barrier?” So, I think there’s two questions, “How do I get past the barrier and, if I can’t do that what do I do?” I’m going to start with TJ.

TJ Lingenfelter

Okay, well this one kind of hits home a bit, because the word “risk” actually just seems like that’s what we do in infosec, number one.

David Spark

Well, all business does risk, too.

TJ Lingenfelter

And we run an actual, like, risk-based program, and so there’s no way for an executive to hide from that or not want to talk about it, because we actually have to have a talk every week about risk, every month about the actual risk register and what’s on it, what are we adding, what are we moving, what has changed? Do we have to adjust our risk appetite? All of that is always coming up and is just out in front all the time. So, hearing this, the first thing I would think is shift the program to more of a risk-based program and so it’s not a taboo subject, it just is the subject that you’re talking about. I think, in addition, that also puts more of a clear way to see what’s going on in the program, because there’s actually numbers associated with that, there’s metrics that can go with that. I think that’s just a whole other topic to go over is what are we doing about metrics in infosec, and this could be a way to do that.

David Spark

Good answer, by the way, I like that. What do you suggest, Mike?

Mike Johnson

I think there’s an opportunity to at least first change the discussion, not to tackle the term “risk”, not to use that but you can come back to it. If you sit down and talk with the other leaders, and just simply ask them what is the most important to them, ask them about the crown jewels, you can then take that and you can come up with your ideas of potential frequency.

David Spark

So, don’t actually ever use the word “risk”?

Mike Johnson

Don’t use the word “risk”, don’t introduce it yet. Because I really think TJ’s advice is very sound, you need to shift the program to discuss risk, but if you can get people just first of all thinking about things that are important, you can then come back. They’re now used to talking about what’s important, so you can then come back and say, “We’ve been talking about risk all along. You’ve been soaking in it, you just didn’t know it,” and then you’re able to change the whole program, as TJ was talking about, to be about risk. Just first highlight this is what’s important to us, that’s all they need to understand, and then you, dear listener, you can take it from there and start thinking about frequency and impact and now you’re talking at least internally about risk, and then everyone will come along with you down the road.

Sponsor – BitSight

14:30.152

Steve Prentice

BitSight is a company holding a unique position in this industry. It started ten years ago, with the idea of becoming the Moody’s of cybersecurity. Jacob Olcott is Vice President of Communications at BitSight.

Jacob Olcott

The gap that we saw back in 2011 was that organizations doing business with others were largely in the dark about the cybersecurity performance of those third parties, and so, in a similar way that Moody’s brought information, data and insights into the creditworthiness of organizations, BitSight is bringing data and insight and analytics into the cybersecurity performance of organizations around the world.

Steve Prentice

This makes the recent announcement of a landmark partnership with the actual Moody’s a remarkable opportunity for organizations to protect their future in a world where creditworthiness now extends to security posture, something that BitSight can keep very close tabs on.

Jacob Olcott

What goes into the rating includes information about open ports and exposures, infections that may be resident inside of an organization’s networks, vulnerability management issues, patching cadence, security hygiene or security diligence records. We use that to create the daily BitSight rating.

Steve Prentice

To learn more about BitSight, its services and its partnership with Moody’s, visit BitSight.com.

It’s time to play What’s Worse?

16:02.818

David Spark

Get ready, Mike!

Mike Johnson

I am ready, I’m here, let’s do it!

David Spark

TJ has started listening to the show, he knows what the What’s Worse segment is.

TJ Lingenfelter

I do.

David Spark

Two horrible scenarios, they both stink, just from a risk perspective which one is truly worse? This comes from Jerich Beason, CISO over at Epiq, former guest and a frequent What’s Worse contributor. Thank you so much, Jerich. Here it is. Mike, you’re answering first.

Mike Johnson

Okay.

David Spark

“You have unknowingly acquired an organization that is already compromised with data actively being exfiltrated.

Mike Johnson

That’s bad.

David Spark

That’s bad. Or you’re acquiring an organization with multiple unknown backdoors that bad actors are aware of and will exploit soon.” So, it’s you’re getting exploited as we speak or it’s probably going to happen, possibly through multiple avenues.

Mike Johnson

So, I think the difference between the two is the first one it is one known adversary who’s actively stealing your data; the other is multiple unknown adversaries that are going to be stealing your data.

David Spark

Well no, it’s multiple unknown backdoors, so we haven’t said how many adversaries in each case. We just know you’ve got a hole now that is being actively compromised, or you’ve got multiple unknown holes – and I know you always like to go for the known – that bad actors are aware of and they’ll probably exploit it soon.

Mike Johnson

I think the worst one is the unknowns.

David Spark

Yes, you always go to unknowns, I know you do.

Mike Johnson

Because the reality is, even though they’re both terrible, that even though the first one is bad, at least you know and have some understanding of what’s going on and then you can figure out how to deal with it. The second one, it’s going to just suddenly bite you out of nowhere, and you’re going to then spend the time to figure out what’s going on. So, I think the second one with the unknowns really is the worst of the two.

David Spark

Alright, TJ, do you agree or disagree here?

TJ Lingenfelter

I do not agree.

Mike Johnson

Great!

David Spark

Alright, good! Why do you disagree here?

TJ Lingenfelter

Well, for me an active exploit, that is a hit to the reputation of your company, and that is what I’m there to protect. You know, I’m there to protect the reputation. When I worked at UPS and they would always say, “You’re there to shine the shield.” So, when I see something that says “active exploit” immediately I’m thinking, “Now, there goes the reputation.” With the unknowns, that’s not happening now and that is my job.

David Spark

So it’s like a Buddhist philosophy, “live for the moment”.

TJ Lingenfelter

Yes, that’s right. I would rather go in and tackle all the unknown stuff. I mean, that’s what I like to do, I like to go into a program and figure out what I need to fix, and I look at that as something exciting. The active exploit, no, I don’t see that as exciting; that is bad.

David Spark

Split decision!

Mike Johnson

There you go, David, you got your split decision.

David Spark

What I always like.

Mike Johnson

Without even prompting for it this time.

David Spark

I didn’t even ask for it. Did you hear me on a previous episode say, “I like it when people disagree with Mike?”

TJ Lingenfelter

I did not.

David Spark

Oh! Because I say that a lot.

Mike Johnson

There’s a lesson there, David.

David Spark

Keep my mouth shut?

Close your eyes. Breathe in. It’s time for a little security philosophy.

19:31.152

David Spark

“The value of privacy is a relative concept. When there are options of price and convenience over privacy, most of us choose the former,” said Zen Chan, a security consultant, in an article on Medium. This is akin to the Privacy Paradox which states “While we value privacy, we do little to preserve it.” And even if you wanted to protect your privacy and be anonymous online, it’s essentially impossible to pull off. And at the same time, governments are forcing organizations to protect individuals’ privacy even though individuals don’t seem to do anything for themselves. Are we fooling ourselves that we can maintain privacy for ourselves and organizations can do it for us as well? TJ, what do you think?

TJ Lingenfelter

In some ways, I think, yes, we’re fooling ourselves a little bit, because we’re fighting with what you mentioned, that paradox of what do people really want to keep private and sometimes it’s nothing at all, when they want to get something for what they’re giving up, and that happens every day. And also, a lot of times we’re asking people to tell us what they want to keep private when they don’t really know. Every time you go to a new website, you have to answer that question, you know, what cookies do you want to allow? And every time you install an app you have to look at all the things you’re saying “yes” to. Oh, you have access to my camera, you have access to my photos, you’ve accessed my microphone, and say “yes” to that, because you want the convenience of using that thing.

David Spark

I downloaded an app that I immediately deleted, and this was because one of my sponsors asked me to do it because of some document they were sharing, and in the moment I downloaded it said, “Can we have access and edit and delete your contacts?” Are you nuts? I can’t believe it was even asked. That’s the cojones! How do they even ask a question like that?

TJ Lingenfelter

Absolutely! The problem is, people are saying “yes” to that.

David Spark

Yes, because nobody reads it.

TJ Lingenfelter

Right, and that’s the issue, is people are saying “yes” but we as an organization have to protect that data, and so they’re being loose with it, but we can’t be, because we now have the responsibility to keep something private that they are actively saying they don’t want to keep private. That is a tough place to be.

David Spark

Mike, is this an uphill battle and we’re fooling ourselves that we can pull this off?

Mike Johnson

So, I take a slightly different approach, that if you’re actively giving someone a choice on what to do with their data, you’re helping them with protecting their privacy. If you’re giving them no choice, and you are doing whatever you want with the data, then that’s not giving them even the opportunity. I certainly agree that bombarding them with requests isn’t really helpful but, at the same time, giving them a choice is better than not. If someone is then choosing that they want to broadcast their Social Security number on a billboard, you know, okay, you’re making that decision, but that’s different than your Social Security number being shared without your knowledge to who knows where. It’s a different arithmetic, as it were.

David Spark

But also, isn’t the issue here that the complexity of how your personal data is abused is so confusing, to all of us for that matter, even working in security? When we saw what Facebook was doing with privacy and with our data, and how complex the matrix was, like nobody can really wrap their head around this. So, if it stays complex and people are still confused, and also the most mundane information, how it’s often used against you, then the people can’t see it, feel it, touch it, so they’re like, “I don’t know, I don’t care,” kind of thing, yes? TJ?

TJ Lingenfelter

Oh yes, and I mean just think about the fact that they could say you’re allowing them to have access to your photos, and now your photo ends up on some website in a commercial. And you didn’t say that was okay, but you don’t think you did, but then actually you did. So, where is that line drawn when you’re giving permission to use photos but not really, but you don’t really know? So, it’s like this question is out there, to what degree am I allowing? To what degree am I saying, “yes” to this access?

David Spark

And, after the fact, people realize it and then they get upset about it. A perfect example, when we go to an event sometimes, they share the list of attendees with us and we’ll add them to a mailing list, and the attendees are given the option to opt out of having their information shared with the sponsors or whatever, and there’s inevitably going to be one or two people saying, “I didn’t agree to share this with you!” They didn’t make the connection in their head, “Oh no, this was one of the sponsors at the event that you said ‘yes’ to,” and that always happens, Mike. It’s just that people aren’t making the connections.

Mike Johnson

Well, there is some amount of people aren’t making the connections, and some amount of needing to be careful with the way that you’re communicating this with folks so that it’s not confusing. I’m not saying that your example is necessarily confusing or not, but one of the dark patterns that companies take advantage of is they try and make it confusing for you to even understand how your data is going to be used, and that’s by intent so that they’re still able to use it but say that they’ve informed you.

David Spark

I can’t remember who did this, but remember in one of our earliest episodes, Mike, there was some company that had this extremely simplistic chart of how your data was going to be used, and it was not in any legal gobbledygook at all, and we talked about how great it was because it was in human language and it made it clear how it was actually going to be used. If more could do that, make it really simple, which we’re starting to see in these sort of cookies, “opt in, opt out” type things, but I’ll tell you those cookie things weren’t as simple as this chart that we had seen. Again, this was an earlier episode, and I wish I could remember who did it.

Mike Johnson

I think we’ll see more of that, and I think we’ll see the continuation of regulation that is requiring companies to act in certain ways. Frankly, that’s what we need to see out of the regulation, not strict what you can and can’t do with the data, but how you can gain the consent required in order to do certain things with that data.

David Spark

And isn’t that really what regulation is, TJ? I mean, it’s designed to protect the individuals from things that they can’t do to protect themselves, and that you need government to intervene. It’s the same thing.

TJ Lingenfelter

Yeah, it’s supposed to work that way.

David Spark

Let’s hope it does! Fingers crossed.

Is this a cybersecurity disinformation campaign?

26:58.164

David Spark

Which cyber buzzwords should be put to rest? On CSO Online, Michael Hill put together a list of buzzwords that should be ended because they’re either non-descriptive or encompass too much. Now, terms like zero trust, AI-powered security, hacker and people are the weakest link, and we’ve talked about all of these on the show before. But, the author introduced some other terms that should be amended, such as ransomware, SIEM, digital transformation and cyber kill chain. So, of the new ones you hadn’t previously seen, Mike, because some of these I hadn’t seen on a list of buzzwords before, which one did you like the best, meaning, that, “Oh, yeah, it is a buzzword and it needs to be amended”? Did you disagree with any of the assertions the author made? Were there any there that you felt should have been on the list?

Mike Johnson

So, my first question is, where was Michael when the term “cyber” was introduced?

David Spark

Michael being the author of this?

Mike Johnson

Exactly. I think that’s something that he uses over and over again, and that term used to bug the crap out of me.

David Spark

No, but the advantage of having the term “cyber” is that you can modify anything with “cyber”: Cyber ninjas, cyber tech, cyber talk, cyber anything, cyber pirates. It makes it cooler.

Mike Johnson

But the fact of the matter is, it was a buzz word when it was introduced, and I don’t understand this need to continue to push back on terminology that makes sense to the common person. We need to be meeting people where they are, not trying to constantly redefine terms. It feels like it’s almost like a waste of time. We need to recognize that some of these terms are out there, and we need to use the terms that folks understand. Now, that said, there was a couple that I did agree with. I do think we need to stop using the term “hacker” to actually mean attacker, but at the same time people know what “ransomware” means. Why are we modifying that? That’s a well-understood term that’s in the newspapers.

David Spark

Well, he said that ransomware involves sort of a larger experience there.

Mike Johnson

And that’s fine, just leave it alone. You know, we don’t need to redefine the term to be more expansive. We know what it means. We’re using that term when we’re sitting down with folks who aren’t necessarily as educated, and then we’re sitting down with people who innately understand what ransomware is, we don’t need to redefine it. I don’t need to see a need to modify any of these.

David Spark

Alright, TJ, I now throw this to you. Like the “AI-powered security”, that’s a common one, but were there terms that you never thought of being overused or being a hackneyed term? And then were there others that you were, like, “Oh, why didn’t he mention this?”

TJ Lingenfelter

You know, I agree with Mike that “ransomware” is still usable. I think that still has meaning, and I think that that explains something pretty specifically.

David Spark

I think, by the way, lay people can get it, too.

TJ Lingenfelter

Yes. What I don’t like, the kind of made-up things for marketing, and one that really bothers me that is over-used is “next gen”.

David Spark

Here is my question! I’m throwing this to both of you, define “next gen” to me.

TJ Lingenfelter

New.

David Spark

New! It’s just new.

TJ Lingenfelter

That’s it, right? It’s just new.

Mike Johnson

I think new works even better than next gen.

David Spark

Now, let me ask you, does “new” in cybersecurity make you want to buy it?

Mike Johnson

“Next gen” doesn’t!

David Spark

Well, but what about new? New works when I’m buying fruit. I want to buy new fruit. I don’t want to buy fruit that’s two months old.

Mike Johnson

It’s an unnecessary modifier, both of them are.

David Spark

Yes. Okay. Next gen, good, was there another one that drives you crazy?

TJ Lingenfelter

I don’t know about another one that really drives me crazy. I’m not a big fan of just the way that “zero trust” is being used.

David Spark

It’s being attached to everything.

TJ Lingenfelter

Yeah, actually. It’s like there are so many pieces to that, and you speak to different people and they have different ideas exactly what that means. It’s, in many ways, a nearly impossible goal to reach, it’s more like something that you are working to achieve. But just overall it’s overused. It’s thrown out in every conversation I feel like I have about infosec right now, and it’s just kind of annoying at this point. That’s another question you want to ask someone, is can you really truly define what you mean by that? Because I’ve had other people tell me different things. Some people are saying that, you know, it’s continuous authentication, others continuous authorization. Are they both, is it one? You know, what are we really talking about?

David Spark

Well, according to the latest sort of cybersecurity mandate from our government, they want us to all adopt a zero trust architecture, so they’re on board, and they gave their definition of it as well. But I agree with you, I think the reason a lot of people put “zero trust” on is that they know they want to build a zero trust architecture, and they see a product that has “zero trust” attached, they’re like, “Oh, we could include this in our architecture.”

TJ Lingenfelter

You know, everything I get out of the government, you know, some of it’s good and some of it’s bad. I’m not going to jump on board with everything they throw at us.

Mike Johnson

What they’ve given us is yet another definition of zero trust.

TJ Lingenfelter

Right.

Closing

32:29.974

David Spark

Go with it or not. That brings us to the very end of the show. Thank you very much, TJ. TJ, I’m going to let you have the last word, but first I want to thank our sponsor at BitSight.com. Remember, third party risk or just vendor analysis grading, take a look at them. They’ve got a very interesting solution over there. Mike, any last thoughts?

Mike Johnson

TJ, it was a pleasure meeting you sitting down and having a conversation.

TJ Lingenfelter

Thank you.

Mike Johnson

Thank you for coming on the show. So, it was great getting your perspectives. I end up usually chatting with CISOs who are in the tech industry, so it’s always great getting outside of my bubble. Thank you for giving me that opportunity, and I’m sure our audience appreciated it as well. I really like the point about aerospace engineers and golf, I would never have clued into that in a million years, so I’ve taken something specific away from this.

David Spark

That’s why the golf industry is smarter than you, Mike!

Mike Johnson

That’s what I’ve learned today, is the golf industry is smarter than me.

TJ Lingenfelter

You’d be amazed at the brains that work in our company.

David Spark

So, here’s the thing, I do want to get all these golf security leaders together, and you suggested going on the golf course. It’s a great idea, but I don’t golf although I own a set of clubs, but seeing me on a course would be the most embarrassing thing.

Mike Johnson

You can take a nice walk, David.

David Spark

I’m thinking I could caddy for the rest of you. What do you think?

TJ Lingenfelter

Sure!

David Spark

I’ll drive the golf cart, I’ll caddy for the rest of you. What club would you like? I can hand off clubs. TJ, now, you get the last word here. Are you hiring, which I believe I do know you’re hiring one right now, one position already?

TJ Lingenfelter

Yes, absolutely. We’d love to grab a senior engineer right now. We have a spot open immediately.

David Spark

It’d be ideal if you were in the San Diego area, I will say that.

TJ Lingenfelter

Yeah, you can’t play golf remotely!

Mike Johnson

Yet, working on it!

TJ Lingenfelter

That’s right, yes.

David Spark

There are video games, too. Let me ask, any other last thoughts on our conversations today?

TJ Lingenfelter

I just wanted to reiterate the topic of getting face time, you know, get out there, talk to people. Get on the golf course and do it!

David Spark

If you have to. If that’s the way you have to. Caddy if you need to! That’s what I would do. Thank you very much, TJ. That was TJ Lingenfelter, who is with Taylormade and also Mike Johnson, my co-host, for this episode. I want to thank our audience, as always, for all your amazing contributions. Keep them coming in. You got a great question? The question we had today was fantastic. Or a What’s Worse scenario, the tougher the better, we love them. Thank you for your contributions and thank you for listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”
