Managing my own risk is tough enough, but now I have to worry about my partners’ risk and their partners’ risk? I don’t even know what’s easier to manage: the risk profile of all my third parties or all the exclusions I’ve got to open up to let third parties into my system.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Bruce Potter (@gdead), CISO, Expel.


Huge thanks to our sponsor, Expel

Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one.

Full transcript

Voiceover

Ten second security tip, go.

Bruce Potter

I had a friend who put this off for too long and got burned by it. All you iPhone users, take five minutes, go to settings/passwords and change all those weak and compromised passwords now before it’s too late.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark, I am the producer of the CISO series. Joining me, as always here, it is my co-host, Mike Johnson, and we like to indicate that you are actually here by giving some sound from your voice. So, make some sound from your voice, Mike.

Mike Johnson

I’m here, my cat’s here, all of the eavesdropping microphones are here. We’re all here.

David Spark

I was hoping for a grunt, but you actually formed words. Okay, that works.

Mike Johnson

They eventually come out, it just takes a little bit of work.

David Spark

Hey we’re available at CISOseries.com. All our shows, the headline show, Defense in Depth, this show, our Friday video chats, everything is available at CISOseries.com. You want to participate in that, you want to listen to that, that’s where you go. Our sponsor for today’s episode is a returning sponsor, we are thrilled to have them back, it is Expel and they’re responsible for bringing our guest today. But before I introduce him, this is August 3rd when this episode is dropping. It should be Black Hat wrapping up. There is an outside chance I may be going, I’m actually moving and I will move just a few days before Black Hat begins and, if my stomach can handle the hysteria and moving is not too much, I will try to make it out to Black Hat. I originally wasn’t going but now I’m contemplating trying to go. So, I hope to actually be there.

Mike Johnson

More power to you.

David Spark

There may be some vendor gifts there because I know it’s a popular thing.

Mike Johnson

Might be.

David Spark

Just before we went on to hit the record button, you were showing off in Zoom your vendor gift you just received. Could you tell us what this is?

Mike Johnson

Yes. So it wasn’t actually a threat to any of you all on the recording. But I received from this vendor, randomly out of the blue, a 15″ knife with, like, a 10″ blade on it. The thing weighs like 3 or 5 lbs, something like that. I’m sure it’s meant for carving animals, like someone delivers you a moose or something and you could use this knife to carve up that moose.

David Spark

Guess what’s coming next in the mail?

Mike Johnson

I don’t have a need for that. I hope they do not send me a moose.

David Spark

Maybe they thought you were Crocodile Dundee.

Mike Johnson

Maybe, because it would actually put his knife to shame. This thing is crazy.

David Spark

So, you would be saying “You think that’s a knife!”

Mike Johnson

Exactly. Yes. I would be one-upping Crocodile Dundee with this thing.

David Spark

We always go with ’80s references on this show.

Mike Johnson

Yes. We’re up to date, modern, we’re hip.

David Spark

Let’s bring our guest in. Very excited to have him back. It was a thrill to have him on last time. For those of you who don’t know, he is the guy who founded this really popular conference called ShmooCon, which is insanely popular. They sell tickets out in literally an instant, seconds is how fast they go. Everyone who produces an event is jealous. The only people who have been able to pull this off are big rock bands, and our guest. That’s how much of a rock star he is. He’s also the CISO of our sponsor, Expel, thrilled to have him with us, Bruce Potter. Bruce, thank you so much for joining us.

Bruce Potter

Cool, thanks for having me. Happy to be here.

Okay, what’s the risk?

00:03:50:23

David Spark

On the cybersecurity subreddit, user lostcauseandhope, love that by the way, left the following comment regarding our continuing fears of third party risk. “I remember back in the day, you could just block outbound internet access to key assets and be done with it. Unfortunately, now with Microsoft and other cloud-based everything, you can’t keep things locked down and still run an organization. Just to get Defender Endpoint running, you have to open up a huge list of exclusions, and it’s only going to get worse as people open the holes in their baskets.” Here’s my question to you Mike and Bruce. What’s easier to manage, the risk profile of your third parties, or all the exclusions you’ve got to open up to let third parties into your system? And I don’t even know the answer to this. Is it possible to just focus on one rather than the other, and actually still have a good security program? Mike?

Mike Johnson

I want to challenge lostcauseandhope on the idea that you can’t block things outbound anymore. If you look at clients versus infrastructure, versus your servers, whatever’s running your environment, those are two very different profiles in terms of outbound communication. Clients are going to talk to the world. You have to do very specific protections there. But my servers don’t need to just talk anywhere on any port. I can and do have egress filtering. It’s a doable thing. That should be a rare thing and you should be able to scope it down. Even if you’re connecting back to Office 365 or Azure or something like that, you can still at least scope it down to all of Azure, which, as big as it is, is still smaller than the whole world. I do think that there is opportunity to do that, it just takes a little bit of work. Find out what those IP addresses are, toss them into your infrastructure automation. You can keep the list in one place, you keep it up to date. When you need to update it, you push it out and everything is now working with that. Another tip that I have is usually your outbound connections these days are all HTTP based of some sort. Set up a proxy, have all of your infrastructure go through that proxy, and then block all other outbound access. Any direct outbound access can’t work, the proxy then gives you the ability to log what’s going on, and the ability to do enforcement. I do think it’s possible, you just have to put some work into it.

David Spark

Would you follow the same plan, Bruce?

Bruce Potter

Yes, I think in general I would. One of the challenges that I’ve seen is that when you go to determine does this host talk to something on the internet, if it doesn’t it’s easy. But if it does, and you go ask the vendor, “What do I need to leave open? What are you going to talk to?” Oftentimes the vendor can’t come back and give you a salient answer. Then you’ve got to go play detective and it’s a distraction to have to go do that, right? If your staff’s chasing down ports and “Hey, this box isn’t working right, or the service isn’t working right,” it feels like the 1990s. Is it not working right because of the firewall? So, we’re blaming the same things we were decades ago. I get really frustrated with the state of play when people are building software and it’s impossible to track down what it’s doing. It doesn’t excuse it, but the reality is you’ve got it inside your enterprise, it’s doing something productive and having to chase down IPs to go fix it is in some cases really tough.

David Spark

I know one of your frustrations was having some automated visibility into how secure your third party is. There are players out there that give a score and a rating to it, but how automated is that, in that current state? What can you know?

Bruce Potter

Not a lot. I think Mike’s idea of putting the thing behind a proxy and instrumenting it yourself is your best bet. And we see this even more as we go into containerized systems and serverless and that kind of thing where things are running in smaller enclaves and we have better instrumentation. The smaller chunks of your infrastructure that you can monitor and instrument and then be able to put these filters in place, the easier it is. The only problem I have with that is that then, to Mike’s point, it’s great to have all this stuff in one list and one place, but if you have a bunch of developers making individual decisions all over the place, suddenly you’ve got policy enforcement happening everywhere in the enterprise and it gets far more complicated to track what you’re actually blocking and not blocking.

What would you advise?

00:08:32:01

David Spark

On the cybersecurity subreddit, a redditor asks, “What’s the best way to showcase past work while applying for jobs?” The most commonly echoed advice was, “have a good Git repository.” I’m going to start with you Bruce on this. Is that enough? I mean, what if you’re not a developer and you don’t have one? Does a homepage work? Your LinkedIn page? What portfolio materials have you actually seen that you were so impressed by that helped a candidate at least land that first interview?

Bruce Potter

First of all I haven’t heard the term homepage in a stretch, so.

Mike Johnson

Homepage.

Bruce Potter

Yes, there you go. So this is something I’ve thought a lot about and I feel pretty passionately about. When I was starting I was doing cybersecurity stuff all the time, at work and at home. I founded this new group with a bunch of friends in Alaska and we set up websites and we were publishing stuff and going nuts. I realized later that I’d spent a huge chunk of my young adult life doing work for free, right? Building my own name for myself and all that kind of thing, to the expense of my personal life. I started a family very young, had my first child when I was 22. Well, my wife had her first child when I was 22.

David Spark

Thanks for explaining that to us.

Bruce Potter

Yes, just making sure that we’re all clear. It really was shocking how immersed I got and didn’t realize it. So, I struggle a lot with how much you should spend on building that kind of brand and portfolio and how much you should spend doing the things in life that you actually want to do. When it comes to what impresses me in the process of recruiting and talking to someone, if someone can clearly articulate “Here’s a thing that I did, here’s a thing I was responsible for,” regardless if it was work or in their spare time, that’s what I’m really interested in. I don’t expect that they have a big online presence and all that kind of thing. What I really expect is they can articulate concretely, “I did these things,” and if there’s no online record of it, so be it.

David Spark

Mike, what say you, and can you think of something somebody did that impressed you, either a story or something you saw, that made you bring them in for an interview?

Mike Johnson

I think the ones that have impressed me are speaking at presentations. What I have certainly done is, certain conferences I really have a lot of respect for, ShmooCon being one of them. I look at who speaks at those and I say, “Huh, that’s actually the kind of person I could use, could help enhance our team,” then I go and do a little bit more research. That’s kind of the initial hook, as it were, to then go down the path of where else have they presented? Are any of those presentation materials online? Can I really get a feel for them, frankly without ever talking with them, so that I know it wouldn’t be a waste of their time for me to actually have a conversation with them?

Bruce Potter

That’s a really good point actually, presentations, because it makes it clear that they know how to communicate.

Mike Johnson

Exactly, they know how to teach and someone who can teach, who can present ideas to others, they’ve reached a point where they probably have internalized that knowledge themselves and can really bring value to a company, to an organization.

Bruce Potter

May I also say does your brilliant jerk radar go off also when you see these things?

Mike Johnson

Sometimes. And you can really get a feel for someone when they’re doing those presentations. You can look at how they’re presenting, you can even look at some of the attitude. I generally would prefer someone who’s a little bit pensive on the microphone, rather than someone who is just super crazy confident because it feels almost like an act at that point.

Bruce Potter

I think that’s a great point and even the things that come out, if they’re belittling a user or that kind of thing is like an instant trigger where you’re like, “Oh you and I are going to view the world very differently,” and if they say it on stage to 1,000 people, you know that they’re going to say it when they’re back in the office, right?

It’s time to play “What’s Worse?”

00:12:36:04

David Spark

You know how this game’s played, Bruce. I offer up two scenarios, they both stink. They’re given to us from a listener, and you have to choose which one of these two horrible scenarios is worse. Just a basic risk management exercise. Mike always goes first, and I always like it when our guests disagree with Mike. No pressure there. Alright, I like these two scenarios, Mike. Get ready.

Mike Johnson

Okay, great.

David Spark

Jonathan Waldrop from Insight Global, who’s actually given us lots of good stuff in the past, he offers up these two scenarios. Scenario number one. You experience a breach because your security vendor successfully attacked your network to help sell their own product.

Mike Johnson

Oh, gosh.

David Spark

I know, hold on. Next one stinks, too. You hear of a critical vulnerability, and you ask your team to research to see if your organization is impacted. Your team says “No” and then within a week, you are successfully attacked from that very same vulnerability. Which one is worse?

Mike Johnson

So, on the one hand you’ve got an adversarial vendor. You’ve got someone who has no qualms attacking you just to try and sell things. You’ve got a terrible relationship, not someone that you want to give money to and frankly if you’re already giving them money, you feel really bad about it. The other is, your team is investigating, they’re doing everything that they can and they come to a conclusion that we’re not vulnerable. And then it turns out that you are, and that is visited upon you in the worst case possible. They both suck. I think the reality is, the latter. It probably happens to companies, where you actually do that investigation, you can’t find the evidence, you’ve done your due diligence, you’ve really tried. You’ve worked your bleep off in order to show you’re not vulnerable.

David Spark

Doesn’t work like that. You don’t bleep yourself after you actually say the word. [LAUGHS]

Mike Johnson

I thought I’d give it a shot.

David Spark

We can get by with that word on this show.

Mike Johnson

Okay that word is okay, good to know.

David Spark

Yes. By the way we do have to bleep explicit things, we are a non-explicit show. Go on.

Mike Johnson

Yes, well that was what I remembered, because you’ve warned me about it before.

David Spark

Yes, we can actually get in trouble for these things.

Mike Johnson

Yes. Let’s not do that.

David Spark

I don’t want to get in trouble. Go ahead.

Mike Johnson

Frankly I would prefer having the team who’s really working hard, they’re really trying and they just miss it.

David Spark

You’re being far kinder. You don’t think that your team’s a complete screw up and think “Why didn’t you catch this?”

Mike Johnson

I feel if my team’s a complete screw up then I’ve failed.

David Spark

Yeah, okay, so is that worse? When you fail?

Mike Johnson

But at the same time, I’m human. My team’s human but I’m not assuming that my team is incompetent. I’m assuming I have a great team. They just made a mistake and that’s going to happen. I think the adversarial vendor is actually the worst.

David Spark

The far worse. Alright, I throw this to you, Bruce. By the way, Mike painted his team in a very, very rosy light in that second scenario.

Bruce Potter

Yes, for sure he did, and regardless of their competence, I think I’d still disagree with Mike. I think that in this case, in the first instance with the vendor, you have a named adversary, who has admitted what they’re doing, and from a response perspective, it’s super clear what I’m dealing with, right? These folks came up, they tried to sell me something after they hacked me, I am 100% going to go after them with all force and solve my problem. If I get attacked on a vulnerability that we thought we were clean on, and it’s just some random nameless person on the other side of the internet, I’ve got a whole different investigation on my hands. They may not be domestic, there’s all kinds of things it might be, and I’m blind and having to do normal IR. If I have to do IR when someone walks up and says “I’m the one who owns you,” I think that’s the better of the two possible outcomes.

Mike Johnson

I agree with you, Bruce. I’m changing my mind. I agree with you.

David Spark

No, you can’t change your mind.

Mike Johnson

I have done that. Bruce has convinced me.

David Spark

Bruce is right, you are wrong, you got to stay wrong.

Mike Johnson

Bruce is right. But I am a person who can admit when I’m wrong and I’m doing so in this case. I was wrong.

David Spark

By the way, Bruce, you’re the second example I’ve watched Bruce change his mind because of what the other guest said. By the way, I believe it was Adrian Ludwig over at Atlassian who did it to you before.

Mike Johnson

Yes. Good company. That’s good.

Bruce Potter

Yes.

David Spark

Pretty impressive, Bruce. Good job.

Please enough! No! More!

00:17:22:23

David Spark

Our topic today is a timely one. Well, sadly, it’s always a timely one. We’re recording this in June and it’s coming out in August, and I think I feel safe to say that it’s still a timely one in August.

Mike Johnson

It’s been solved.

David Spark

Yeah. How much egg would be on our face by August? The use of ransomware has been solved. Boy, would we look foolish.

Mike Johnson

I would wear that egg. I would actually be a very happy person to be wearing that egg.

David Spark

Alright, so our topic is ransomware solutions. Mike, what have you heard enough about with regards to ransomware solutions and what would you like to hear a lot more?

Mike Johnson

I think the thing that I hear the most about ransomware and I guess you could actually look at it as a part of a solution, which is so much of the discussion is around whether or not to pay the ransom; if you should pay the ransom or not. Everyone’s going to give you second thoughts regardless of what you decide, and there’s so much discussion around that, just the ransom itself. The flip side, it doesn’t help people prepare. I’d like to hear less about the sensational side of it, that’s just not helping anyone. What I’d like to see more of is discussion around actionable capabilities, things that companies can actually do to make them resilient to current ransomware. Ransomware is different than the way it was the last time Bruce was on the show two years ago. It’s evolved in that period of time. We really need to talk about what’s latest in terms of ransomware and keeping that up to date both from a prevention and at least a rapid recovery perspective.

David Spark

Isn’t that what we’re supposed to talk about in cybersecurity anyways? Like with threats in general?

Mike Johnson

One would think. Yes.

David Spark

Alright, Bruce, I throw this to you as well. Start off, tell me what you’ve heard enough about and what would you like to hear a lot more of?

Bruce Potter

I’ve certainly heard enough about “Hey you should just patch your stuff,” and somehow that will magically solve the problem. We’ve been trying to solve IT hygiene for a long, long time, and it’s still a complicated hard problem. I give companies credit, we’ve made a lot of progress, but you still end up with systems that fall behind and can get compromised. Beyond that we’ve seen an uptick in BEC style attacks, that don’t have links or malware, it’s literally a phone number. You call and somebody decides to hand over some credentials or do something silly, give access, and the next thing you know, there’s an attacker inside your network and nothing to do with a patch. This trope of “Oh patch everything and you’ll be fine,” I think doesn’t really hold water any more. What I’d like to hear more of is really how to deal with it from the moment that you detect it. How do you stop it from getting worse and deal with the remediation activities? I think to your point, ransomware has changed quite a bit over the last few years. It was not that long ago that basically the payloads would land, and they would just start encrypting things and run around and find shares. There was no human really involved in the matter, it would phone home, and some human would start to get involved and figure out how to get paid. What we’re seeing now, as the stakes have gotten higher, is a lot longer dwell time from the adversaries between the time of initial access and when they actually commit the deed and go and encrypt everything. So that recon period is when they’re discovering “Where are we? What do we have access to? How much do you think we can get for this? Oh it’s a water plant, oh it’s a shipping organization,” whatever it is. They’re getting in there, they’re manipulating the backups or manipulating credentials, doing all the things, before they flip the switch. All that really is is time to detect them and stop them, right?
The longer they dwell without doing the bad thing, the more chance you have to be able to stop it from becoming a catastrophic event for your organization. The idea of focusing on coverage and effectiveness of your security signal, “Do I have sensors everywhere I need to? Do I have EDR deployed everywhere I’m supposed to have EDR deployed? Do I have full visibility in the network? Is my SIEM ingesting everything it’s supposed to ingest? Is my MDR getting all the signal that they’re supposed to get?” You know, that’s the first step. Then the second is really focusing on efficiency and automation because once you detect it, you’ve got to move fast. What you don’t want to do is flip the big switch that says, “Encrypt” because from that point forward it’s a public event. You’re going to have to deal with it and it’s a fire that there’s no hiding from. So, from the moment you realize a bad thing is happening, how can you close that gap through automation and better remediation techniques to make sure that you get them out of there as fast as you can before they can flip the switch?

David Spark

So there’s two things, there’s automation and then there’s the personnel. Actually, for those people who don’t know, Bruce, you and your son developed a fun sort of table-top game that combines the model of Dungeons and Dragons, a game called “Oh No’s” which is open source, that you invited me to play, which was a lot of fun. I’m interested to know, with the combination of that and your experience, which I know detecting threats and moving fast is what Expel does, what have you seen in your experience with this rise of ransomware? What works for moving fast and what does not?

Bruce Potter

I think that the biggest key is to get the human out of the way as much as possible. A lot of times there’s still the judgment call of “Hey a bad thing is happening,” and the human has to make the final judgment, like this is actually a bad thing. But when it comes to getting all the investigative actions and building up to the moment that the human has to make that decision, get them away from the consoles, get them away from having to dig through things manually. Everything we do is by API and automatically fed to our analysts so that they can just get all the information at once, make a decision quickly, and then press the big button to start the remediation process. I still firmly believe the humans need to be in the loop but only for that little decision to say “Yes, this is a really catastrophic thing,” and then let the robots do everything else. That’s where we’ve really seen the most success because the adversaries aren’t dumb, and if they realize that they’ve been had they’re just going to try to be faster than you. They have pretty good C2 and so if you’re not eradicating them quickly, they could still pull the switch and cause a really bad day for you.

David Spark

Can I dig a level deeper on this automation part?

Bruce Potter

Sure.

David Spark

What is the element of automation that you have found to be the most critical?

Bruce Potter

I think the first is around the harmonization of security signal to be able to get to the point and say “This is a high fidelity alert,” that there’s all this noise in your enterprise and all these things that you could look at, this is a thing that you really need to look at. So, just digging through that chaff to get to the point where a human gets involved. The second thing is really the automation around the investigative actions because any incident that you’re investigating, alert that you’re investigating, is an experimental science. You have a hypothesis. “I think this is what’s going on, and I want to test the hypothesis.” I want to be able to pull process lists and user records and when this person’s logged on and where they’ve logged on from, and by and large analysts do those things repetitively all day long and there’s no reason for them to do it. The system should just present them with all that information when it comes to performing those investigative actions. When the analyst is armed with “Here’s all the information you need to make the decision, and here’s all the investigative actions you need to really make the determination,” it all comes together at one time without them even having to ask the question, that’s where we see the most success around automation.

Challenge Accepted.

00:24:56:04

David Spark

These past 16 months have been severely crappy for everyone. But we’re going to play the glass half full game. I’ll start with you, Mike. What of this new all-remote-work environment are you going to take with you and encourage others to do as well, when we move into a hybrid work environment? Now, I know you have a hybrid and a remote team yourself, so this wasn’t a huge leap for you this period of time. My feeling is unless the job requires in person, my educated guess is that no-one is ever going back to in person full time. I just don’t see it happening. Mike, what’s your take, and what was the best thing that came out of this?

Mike Johnson

I do hope people remain open to the work from anywhere concept. I think some companies will revert to old habits, but from a security perspective, from the perspective of your team, really being open to finding that talent wherever they are, and making it so that they can actively participate with your team, you really get so much upleveling when you can hire people anywhere. You have to keep time zones in mind. One of the things that I’ve learned the hard way is the importance of time zones. Not necessarily physical proximity, but if you’ve got someone who’s kind of isolated off in their own time zone, that’s a bit more of a challenge when it comes to keeping them productive and frankly keeping them feeling like they’re part of the team because they just feel very remote due to the time zone. So that was one of my learnings and something that I would suggest people have to keep in mind. But you also have to make sure that you’re giving the opportunity for people to feel like they are part of the team. With meetings, make sure that if you end up in this hybrid situation where you have some people sitting in a conference room and some people on the other side of a video conference, making sure that they feel part of the meeting as opposed to there being all these side conversations that go on in the room that they can’t participate in.

David Spark

I would say prior to Covid and video conferencing, I think that happened a lot.

Mike Johnson

I think it did. I certainly witnessed it and it’s something that we’ve tried to actively work on prior to Covid, and then certainly as part of Covid, everyone’s remote so it’s kind of easy. But I participated in a conference, an internal meeting of my company a week or so ago, where half of the people were in a conference room because everyone was vaccinated, and we’re starting to allow that kind of a thing, it was off at a hotel. Half the people phoned in remote, but the people in the room were cognizant of those of us who were remote and actively worked to keep us engaged. So I think that’s one of the things that people really need to focus on going forward, that is a learning from all of this that we should keep with us.

David Spark

I take this to you, Bruce.

Bruce Potter

Yes, I totally agree with that. I think just from a tactics perspective, one thing that’s helped us manage the in person versus remote conversations are the in person people, we started handing off a physical object as the talkie stick. You can’t talk in the room unless you have the talkie stick, and it’s almost completely annihilated cross talk and the sidebar conversations that would exclude the remote parties, but even with the audio encoding and the way that Zoom and other clients choose where to highlight audio, it would just overdrive and you can’t hear anyone else speak. Just practically, the technology doesn’t support it, so the physical talkie stick has been really great for us. I’d also say, I’ve worked remote for a long time, and while our company, Expel, had maybe 20% remote, a lot of it was sales. There weren’t a lot of remote non-sales people in the company, and when I would participate I always felt I was in the back row. Like there’s a camera in the back of the room but we have a camera and there’s a microphone, so you could kind of hear and you could kind of see, but it wasn’t ideal. At the time I didn’t think much of it, I was just used to it. Then you realize that it’s not good for collaboration, it’s not good for feeling included, but even that, there’s all kinds of studies that I’ve read recently that talk about your ability to comprehend and actively engage in conversation based on the quality of the audio and the video. If your audio quality’s low, in particular, and if your video quality’s low, your brain has to spend more time interpreting what it’s hearing to then allow that to be internalized and processed and whatever. Then you’re really not actually thinking about what the other people are saying, you’re just spending all this time trying to listen through the static, like it’s an AM radio.

Closing

00:29:56:02

David Spark

I cannot agree with you more. There was a study I posted on LinkedIn a while ago, that showed something like 19% of people agree if you have good quality audio, and it’s one of the things we stress, quality audio, on this programming. I swear, if you have not during this pandemic purchased an external wired microphone, not Bluetooth, they’re awful, just purchase one. They are as cheap as $35, really good, and that move alone will greatly improve your meetings and communications. And true telepresence solutions are spectacular. Not Zoom, but if you’ve put in a room that has a true telepresence, that’s phenomenal as well. Well, that brings us to the end of the show, Bruce and Mike. Thank you so much. Bruce, as I predicted, yet again, got to give myself credit, you were phenomenal.

Bruce Potter

Thank you.

David Spark

I love when I’m genius in being able to identify guests who are going to be really good and taking full credit for that. I want to thank your company, Expel, for sponsoring this very episode. And I really loved the conversation that we had on ransomware because, honestly, we could make an entire show on ransomware. This topic is so rich and, sadly, making mainstream news constantly, and we report it all the time on our headlines news show. But just the need to respond fast, I cannot agree with you more on that. That is key. Anyway, I’m going to let you have the very last word and also I always ask “Are you hiring?” So make sure you have an answer to that, but first, Mike.

Mike Johnson

Bruce, thanks for joining us. I always love when we have the chance to sit down and have a conversation with you. I always learn so much and so thank you for that opportunity to sit down and have the conversation. I also want to go back to the discussion on ransomware and I wanted to highlight your point about companies really needing to focus on the coverage and effectiveness of their controls, and really zooming in on that as top priority. That’s a great tip for people to spend time on. It’s not easy, but it’s worth it, so, thank you specifically for reminding our audience of that. But, in general, thank you for coming on the show, sharing your insights, your experience, your knowledge with our audience, I really appreciate it. Thank you.

David Spark

Bruce, are you hiring? Any last comments, and if Expel is making an offer to our audience, we’d love to hear it or how they can connect with you or learn more about Expel. Go ahead.

Bruce Potter

Sure, yes, we’re definitely hiring, we’re continuing to grow. Things have been going real well for us lately, so we’re in the upper right quadrant of the Forrester Magic quadrant, so that has been a good thing for us. Which causes us to hire, which is nice. I think that people that know me know I’m pretty passionate about cybersecurity. I’m here trying to do the right thing and help everybody that I can. I really like Expel and what we’re able to do with our customers and make their organizations better. In particular, things like ransomware where we can find them, find the [emissary] quickly, get them out quickly and get you back on to doing what you need to do, which is make your organization more secure. If you’re interested in something like that, reach out to us, you can find us at Expel.io and we’re happy to have the conversation.

David Spark

Awesome. Thank you so much, Bruce. Thank you, Mike, and thank you our audience, as always, I greatly appreciate your contributions. Go ahead, send in some more bad ideas, and by the way, if you agree with me that Mike doesn’t have the right to change his answer, please pipe up in the comments, because in what game does someone just say “Oh, I’m going to change my answer because of what the other person said.”

Mike Johnson

Those are the best games.

David Spark

No. That doesn’t fly at all.

Mike Johnson

Those are the best ones.

David Spark

I think Bruce called you out. Thank you very much, Bruce. Thank you, Mike. Thank you audience for contributing and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”