Instead of Increased Cybersecurity, Could We Just Order Less Risk?

“No business wants more security, they want less risk,” said a redditor on the cybersecurity subreddit. Executives seem to not care about cybersecurity because they’re not talking in those terms. They talk in terms of managing risk. It’s the InfoSec professional’s job to do the translation.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Tom Doughty, VP and CISO, Prudential Financial.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, CYREBRO

Ninety percent of post mortems show that the high cost of damage from a cyberattack was avoidable, but no one knew in time to stop it. CYREBRO’s SOC Platform is your cybersecurity central command, integrating all your security events with 24/7 strategic monitoring, proactive threat intelligence, and rapid incident response. More from CYREBRO.

Full transcript

[Voiceover] Best advice for a CISO, go.

[Tom Doughty] Avoid optimism bias. I think optimism bias whereby you expect great outcomes and are therefore more likely to achieve them is a wonderful thing in life but a horrible thing in a cyber security program. So, what we really need is CISOs to make sure that we’re exhausting all the reasons reasonably why we might not be okay as opposed to rationalizing all the reasons why we might be.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. I hope everyone has become comfortable with the new name of the show. Joining me for this very episode is the original cohost, the OG, the one who’s been with me since day one, Mike Johnson. What does your voice sound like, Mike?

[Mike Johnson] I’m here, and this might be the first time I’ve ever been classified as an OG. I’m here for it. I love it. Thank you, David.

[David Spark] That is what you are.

[Mike Johnson] I’m going to embrace it now.

[David Spark] We’re available at CISOseries.com. And for those of you who don’t know, we have other shows besides this. Please go check us out at CISOseries.com. I want to mention our sponsor. It is CYREBRO. And they are a SOC. We actually haven’t had any SOCs as sponsors, and they have a very unique and unusual take on the SOC. So, if you’re frustrated with your SOC or you need to start a new one, you’re going to be interested in what they have to say a little bit later in the show. But first, Mike, I want to ask… I get feedback from our community all the time, but I don’t think I know all the feedback that you get. And I’m assuming you get feedback that I don’t see. And as I have said in the past, one of the things I have learned…because we get lots of wonderful comments about this show…is that I have learned about myself I have an extremely high tolerance for compliments. Hopefully you’ve discovered that about yourself as well.

[Mike Johnson] I’ve had to grow. I think as I got started, my tolerance for compliments was much lower.

[David Spark] I’m proud of you, Mike.

[Mike Johnson] And by being able to observe you in action, David, I’ve been able to really grow my ability to take a compliment.

[David Spark] Okay. Now I want to go to the specific… They don’t have to be compliments necessarily. I’m interested to know what kind of interesting feedback you’ve gotten from our community on the show.

[Mike Johnson] What I get is really two camps. One… And it really kind of goes back to the genesis of the show. Is I hear from vendors who are like, “Thank you. This helps me understand the folks I’m talking to, the folks I’m trying to talk to and where they’re at, their mindset.”

[David Spark] And by the way, we’ve heard many times at sales kickoff meetings, they’re saying listen to the show.

[Mike Johnson] That’s one set of the audience is those folks. And then from CISOs, what they appreciate is the conversations that we have on the show with our fellow CISOs – being able to bring folks like our guest today on that other CISOs are then able to learn from, other security professionals who are aspiring CISOs are able to learn from. I’m getting appreciation for those conversations that we’re having.

[David Spark] I also learned something from Shawn Bowen, who is one of our past guests who’s CISO over at World Fuel Services. He said something he’s heard… And I want to make this clear to everybody – this is not the case. Many people didn’t listen to it because they thought they had to be a CISO to listen to the show. Au contraire.

[Mike Johnson] Oh, no.

[David Spark] No.

[Mike Johnson] No. Quite the opposite. Yes, please. If someone is in security at all, hand this along to them.

[David Spark] Yes.

[Mike Johnson] There are things that everyone can learn from it, I hope.

[David Spark] Yes. And it is designed for the wannabe CISOs who want to grow into the role as well.

[Mike Johnson] Aspiring.

[David Spark] All right, guess what? We have one of those wise CISOs, who is not a wannabe. He did it. He made it. He got to the level of CISO just like you as well. And I’m so excited to have him on. He is the CISO of Prudential Financial – Tom Doughty. Tom, thank you so much for joining us.

[Tom Doughty] Thank you.

Okay, what’s the risk?

4:16.003

[David Spark] “No business wants more security. They want less risk,” said a redditor on the cyber security subreddit. It was in response to how do you deal with executives who don’t care about cyber security. And that quote was the overwhelmingly most popular response. So, I’m going to start with you, Mike. Is it possible to talk about risk and compensating controls with executives and never mention cyber security? Have you actually done it? And is it effective with nontechnical business leaders who have a kind of glazed eye look at cyber security? What’s been your experience?

[Mike Johnson] I suppose you could.

[David Spark] That was not a very confident response. [Laughs]

[Mike Johnson] No, because I think it would get a little awkward. The conversation that I imagine is, “Hi, CEO. We’ve identified this risk.” “Oh, what are you going to do about it?” “We’re going to apply risk mitigation controls to reduce the likelihood of successful action against the risk.” I mean, that’s…

[David Spark] Yeah, okay. I get it.

[Mike Johnson] That’s awkward. But leading the discussions talking about the risk – here’s the risk, here’s our concerns. The risks to the business. Talking in those terms, that does resonate with executives regardless of their technical experience. That hits home. Then you talk about, “Well, what are you going to do about it? What controls are you applying?” And that’s where you talk about security as a concept. That’s when you move from… You start off leading the conversation with risk. The mitigations, there are several options, but one of them is you apply security controls. That has actually been successful for me, from my experience working with other business leaders. Technical or not, focusing in talking about risks and risk to the business, that’s what resonates regardless of how technical or experienced they are.

[David Spark] So, Tom, you coming from a business that literally manages risk as its sort of forte… Yes, so having these risk discussions are very much a comfortable experience for your audience, yes?

[Tom Doughty] Yes, it is the life blood of an insurer if you look at it that way. But the way I look at this idea of businesses wanting less risk and not more security, I’m okay with that statement. And here’s why. I think that if you define the risks and help them do their own math along the lines it might describe, it’s perfectly okay…I’ve really become comfortable over the years…having people commit to what you want for their reasons. We don’t have to win every conversation so to speak. So, as an example, if you’re as a CISO having a deep technical conversation about a given technical risk associated with a vulnerability or an exploit path, etc., that’s not what’s important to businesspeople. What’s important to them are the outcomes. Whether positive or negative that you’re helping to achieve in the program. So, yeah, define the risk for them. Let them do their own math. Just give them the inputs to do it.

[David Spark] That’s a very, very good point. Is there though…? And this could be kind of a green CISO mistake, and maybe you’ve made this yourself, Tom. But sort of this eagerness to talk about what your tools you’re using… How do you kind of reel yourself in from that? And did you make that mistake maybe early on?

[Tom Doughty] I was going to say probably but certainly did early on. So, while the role has changed quite a bit, I’ve been at this as a CISO for more than a decade and a half now. And if you’re talking about for example the strategy for a given tool, or service, or combination thereof. There’s not strategy. That’s implementation. That’s achieving outcomes from strategy. So, for instance if I’m in the board room or I’m speaking with a senior business stakeholder, I find myself seldom talking about specific tools. I’m talking about protections, outcomes, what we’re facilitating.

[David Spark] And you can translate that in your head like, “Okay, I know this tool will deliver this kind of outcome,” right?

[Tom Doughty] Yeah, so it’s the what if and what if not type of discussion. And I think it’s really a critical function of a program that a lot of times people think of the CISO function as things on and around this C-SOC function – threat and vulnerability management, threat intelligence, hunting, day to day operations. And that’s all critically important to keep an enterprise out of the soup so to speak. But exactly this kind of connective tissue conversation, not just myself but business information security officers covering down on each line of business, having those plain English discussions are where we need to be. Those people are equally important to the hard-core technical folks in the program for that reason.

What’s the motivation to do this?

9:01.686

[David Spark] So, I had an interesting conversation with Nick Ryan, who’s of Baker Tilly. And he said this, “Cyber security insurance can be the catalyst for better cyber security.” And I thought it was really interesting because I thought about it and go insurance programs of all types allow you to lower your premiums if you demonstrate behaviors that lower risk. So I’m going to start with you, Mike, on this. Have cyber insurance programs changed your security program in a good way? Has it in any way helped the C-level better understand cyber risk issues? And how could cyber insurance programs you think be more effective in driving better security behaviors?

[Mike Johnson] When I think about Nick’s quote and the way that it’s phrased, the word can is doing a lot of…carrying a lot of weight in there. I think he’s projecting into the future.

[David Spark] Oh, yes. Very much so.

[Mike Johnson] Where it could go. Today, my experience is that cyber insurance, it’s not changing the way that we do security. There’s not appreciable discounts for behaving in any particular way. It doesn’t change how we talk about risk. That’s not practiced today.

[David Spark] Let me just describe what he envisioned. Tom, obviously I’m going to be interested in your response to this. Is that he envisioned this tiered thing like tier one you have these compensating controls. Tier two, you have these compensating controls. Tier three… And that your premiums would change depending on how much of these controls you could implement. I don’t know how realistic that is or isn’t. Tom, I’m definitely going to want to know your answer. But, Mike, you first. What do you think?

[Mike Johnson] I think that’s… One of the things that we run into in security is prescriptive security controls coming from outside in are almost always gamed because they’re not tailored to the specific organization. What I could see cyber insurance doing is looking at your third-party attestations, SOC 2, PCI, ISO, whatever. And looking at that but giving a laundry list of exact controls. I have a feeling that’s not going to work out very well. It might seem like a good idea to start, but there will be perverse incentives to game it.

[David Spark] Okay. Tom, what is the reality of this? And by the way, has this conversation ever come up, “Do we have the ability to drive good cyber security behavior?”

[Tom Doughty] We have the ability to drive good cyber security behavior, certainly, but I would not depend upon cyber insurance underwriters to be a catalyst for doing so. So, I’m in alignment with Mike’s thoughts. I think that the answer in terms of is this relevant, and does it drive changes in behavior does vary based upon the size, and maturity, and degree to which you’re already either regulated or paying attention to all of these operating risk considerations anyway. So, I get concerned not so much about larger mature enterprises who have not only cyber programs but effective operational risk programs offering those cyber programs effective challenge. And pick your framework of choice. Whether it be if you’re fed regulated, FFIEC guidelines in this framework, whatever it may be. Insurance underwriting is not a proxy for the measurements by which you should be doing that. I get nervous though on the other side of the equation when, as an example, we are doing our due diligence for service providers that provide critical functions for us, and you get even a hint that they see cyber security insurance as a proxy for an effective program, a proxy for an operating list program, or anything other than potential remuneration after the fact. It’s not a substitute for a control set itself.

[David Spark] I will tell you that many times… We play this game on another one of our shows called best bad idea, and I will tell you as a joke that has come up many times. Like, “Yeah, just dump all your controls and buy a lot of insurance.” [Laughs] By the way, does that ever come up, Mike? Do you hear this? Because this is a fear like, “Let’s just buy more cyber insurance.” Or you don’t think it comes up?

[Mike Johnson] I don’t think it comes up. I think it’s something that we joke about.

[David Spark] Yeah.

[Mike Johnson] It is in the laundry list of how you manage a risk. Transference via insurance is a way of doing that. But I don’t think anyone in their right mind says, “Yeah, ignore all the rest of it and just go all the transference route.”

Sponsor – CYREBRO

13:43.416

[Steve Prentice] CYREBRO delivers the world’s first true SOC platform that operates and functions as a full product. Nadav Arbel is the company’s founder and CEO, and he points out that there are two things in the product that make it very unique.

[Nadav Arbel] One, the brain behind it. It’s super important that people understand that what you monitor for, and how you monitor, and where you look for it is the brain of the SIEM, SOC. And that you get when you buy CYREBRO. It’s more than just the nuts and bolts. It’s an entire research time of dozens of people constantly looking for the next threat, put it into CYREBRO, and tell it to look for it. That right there is a value that your MSFP will not sell you if you buy SOC as a service. That is a core differentiator between us and your garden variety SOC as a service. The second thing is that obviously we have a unique interactive platform. You can interactively chat with our SOC live 24/7. You can go into an investigation and chat with an analyst online while he’s investigating. I don’t know of any other product on the market who offers that level of interaction.

[Steve Prentice] This is why he says CISOs will want to take notice.

[Nadav Arbel] There are so many systems where the output is so convoluted, and it’s getting worse and worse every day with every new version. You need another six experts just to analyze the output. I’m sure they live that pain day to day. So, they can relate to that.

[Steve Prentice] For more information visit CYREBRO.io.

It’s time to play, “What’s worse?!”

15:18.993

[David Spark] Tom, are you familiar with this game?

[Tom Doughty] I’m vaguely familiar with this game, but I think I could…

[David Spark] The title alone kind of gives it away.

[Laughter]

[David Spark] That’s all you need to know. What happens is I provide two awful scenarios, and then you have to decide of these two horrible scenarios which one is worse.

[Tom Doughty] Sounds like a typical day in the life. I’m ready.

[David Spark] There you go. By the way, these are not actually happening to you. These are fantasy scenarios which would be negative fantasies, more nightmare scenarios. This is an anonymous submission. This person did not want to be…

[Tom Doughty] Oh.

[David Spark] This one I think is good, and I think it’s appropriate for our guest as well. I always make Mike answer first, and I love it when our guests disagree with Mike. Here we go, what’s worse, dealing with a compliance audit issue… And we’ll say it’s a significant one. We won’t say it’s just any sort of mild one. Dealing with a compliance audit issue. That’s situation A. Or situation B, executive management thinking the work is done because you have no compliance issues.

[Mike Johnson] Huh, okay. Interesting comparison. So, you’ve got on the one hand…

[David Spark] An actual compliance issue.

[Mike Johnson] An actual issue that you need to deal with. And on the other is this belief that everything is fine.

[Mike Johnson] Validated because compliance hasn’t found anything. Which I think what’s interesting is a…

[David Spark] False sense of security, if you will.

[Mike Johnson] But it’s also a proxy to a belief that compliance and security necessarily have a very tight alignment that you can measure a security program based on compliance.

[David Spark] And we’ve talked about this a lot, that compliance does not equal security. But another issue we brought up is security does not equal compliance.

[Mike Johnson] Absolutely. That goes both ways. That alignment that there’s assumptions is not there. Frankly I would… I don’t find dealing with compliance issues that scary of a situation. It’s reality. We have fast moving environments. Things just happen. Mistakes are made. And that then leads to a compliance issue you have to deal with.

[David Spark] So, do you think the other is worse?

[Mike Johnson] I do think the other is worse.

[David Spark] And why?

[Mike Johnson] I think an assumption that everything is fine just because there is no compliance findings, that really is… It’s both a false sense of security. But also an utter misunderstanding of the value that a security organization brings to a company.

[David Spark] And it also teases Tom’s opening tip that we got about this sort of maybe false of optimism, if you will. Tom, which one do you think is worse?

[Tom Doughty] Without question the latter is worse. I would rather proactively or pragmatically deal with a compliance or audit issue of some significance as opposed to having to fight the battle of executive management thinking that all is well because there were no such issues. The idea that if you were depending upon compliance to justify your strategic investments in security, that’s probably a slippery slope. There are really declining benefits in doing so. Because that’s not at all to say that compliance is not critically important. It is critically important. But it’s not a proxy for risk management. So, in the former situation, eyes wide open if something were to come up we have to deal with. The very fact that the second choice would mean you’re challenged in being able to get the commitment to do so on a risk driven basis… I don’t even think there’s a contest. The second is worse.

[David Spark] All right. Good, we have agreement.

Why are we still struggling with cybersecurity hiring?

18:56.072

[David Spark] 87% of cyber security leaders believe there is a shortage of skills in their company. Now, this finding is a result from a report by Stott and May and Forgepoint Capital. Traditionally when we hear these kinds of stats immediately there becomes a discussion of hiring, and the need to hire more, and how difficult that is. But think about how much time and money would be wasted just trying to find the people who would have all those skills today. I’m not saying try to imagine. I’m sure you’re dealing with it right now. I mean, everyone is. Jesse Whaley who is the CISO over at Amtrak said, “Don’t try to find a unicorn. Grow your own.” So, instead of looking for key talent, what if today you spent money and time on just training. So, rather you deal with the skills shortage with the people you already have. Mike, I’ll start with you. What do you think of the idea of slashing the recruiting budget and shifting it into training? What would that look like? Could this be done for companies of any size? What do you think?

[Mike Johnson] I think this is going to be a very interesting discussion. I really look forward to hearing Tom’s perspective because I do think it depends heavily on the maturity of the company, how long the company has been around even, the maturity of the security team and where that lands. Right now I can’t bring in people who don’t have the skills that I need and train them up. I need folks to hit the ground running because we’re so fast moving right now. I can’t lose six months. I would rather take a little bit longer – three, four months – to hire a person so that they can hit that ground running. There’s eventually a time when I look forward to that changing where I have the capacity in the team. And that’s what this really comes down to is there’s a shortage of skills, and then there’s a shortage of capacity. I could have all of the skills to do everything in security on my team, and I would still need to hire more people from a capacity perspective. One day we can actually turn that corner, and it’s a matter of we can take a little bit longer. We can slow down a little bit. We can skill people up. Maybe bring them from other portions of the company as a whole or hire for someone who’s adjacent and train them up. I look forward to being able to do that. But right now where my company is, we just don’t have that luxury.

[David Spark] All right, so, Tom, your company has been around a lot longer, so you definitely I would assume have a different perspective. What’s your take on this?

[Tom Doughty] It’s a partially different perspective, and I’ll start out the answer by saying it’s elements of both. But here’s why. Especially now with agile methodologies, and agile workforce, and dev ops pipelines as an example that we have to cover down upon in security, we have to learn alongside them. So, there is agility in continual learning, and reskilling, and redefinition of roles that we’re doing. But particularly for the more pointed cyber roles… And I don’t mean security operation roles. But tier three C-SOC analysts, forensic investigators, incident responders, threat and vulnerability management subject matter experts, the external talent pool is a critical part of that equation for exactly the reason Mike mentioned. There are absolutely people who over time develop into that organically. But you can’t always wait for that to be the bulk of the mix. My C-SOC chief right now in my organization and other leaders including the leader that runs threat and vulnerability management, organic growth over the years within the organization, developing the skills into new skills to do that. But at the same time, threat hunters, C-SOC analysts, we’re looking for best in class people often with defense industrial based background to do that, and you just can’t do all that internally either.

[David Spark] A company I used to work with, Zoho… They’re a CRM, so not in the cyber security space. But they actually have a university where they…from the ground up, they train people 100% on how to work at their company. And we know at really, really big companies, they do have an enormous amount of training internally for that. I was thinking also like Pixar does something like that as well. Could this be…? Just say you had resources out the wazoo, Mike. Do you think you could pull something like this off? Literally just do ground up, full blown training of everything you wanted?

[Mike Johnson] Absolutely. Back when I was at Salesforce, we hired someone in our incident response team who had experience with computers but not with security. But what they did have was they were coming from a first responder space. I think they were fire or paramedic. I don’t remember which. And that gave them a sense of dealing with critical issues, dealing with urgency with calmness. And in that incident response role, that was what was the most important part. We trained them on everything else. We skilled them up in all of the other areas. But they had that nugget. They had that, “Here’s the thing that we wanted to wrap all of their skills around.” So, yes, you can do it. I don’t think you’re hiring just someone random off of the street. There’s a reason there’s a potential that you’re seeing that you’re then glomming onto and enhancing.

Sit down everybody. It’s time for cyber community circle time

24:44.687

[David Spark] On Twitter I asked the community, “What does a great day in InfoSec look like?” And here are some of the responses. Simon Goldsmith of OVO said, “When someone not in InfoSec does something hugely impactful for security, yet they still say, ‘But I’m not an expert.’” Steven Person said, “When we get to celebrate something outside of InfoSec for exemplifying a culture of security.” And John Sternstein of Stern Security said, “Learning something new, mentoring someone, making progress on your program, saying thank you to others and having others thank you.” So, I’ll start with you, Tom. Which one is your favorite? And for you, what does a great day in InfoSec look like?

[Tom Doughty] Well, I think I’d gravitate mostly towards Steve’s, although they all have merit and the idea of someone or something outside of the boundaries of the InfoSec program itself exemplifying the culture. To me, a great example of that is when a business stakeholder calls out the security function for something that helped them in non security terms. An example might be when some institutional business is either won or supported by demonstrating our control structure in a way that made us the choice. So, that idea helped someone who’s not a security professional be an evangelist for the security program, and that becomes a positive circular feed.

[David Spark] All right. And would you say…echoing, is that what a great day in the InfoSec looks like to you as well, or is there something different?

[Tom Doughty] That’s certainly an example of a great day. There are obviously other great days that go behind the curtain, so to speak, in terms of…

[David Spark] Dealing with incidents.

[Tom Doughty] Well, I sometimes put it as the art of avoiding the negative as opposed to the positive satisfaction of creating the positive. But it’s one of the secret satisfactions, if you will, of security that you need not or should you telegraph all of the potential negatives sometimes. In fact, it’s our job to create an environment where business stakeholders need not worry about that on a day in, day out basis. But we are not just peering over the parapets and waiting for the enemy to come. The enemy is here every day. And that blocking attack limit happens every day. I take satisfaction from the fact that that quiet success remains so. That might sound like a bit of a perverse way of looking at it because it’s actually not a heralded great day. But I think it is.

[David Spark] We talk about this a lot in cyber security, that it’s very hard for cyber security professionals to get recognized for their work. But is there at least some kind of internal like, “Hey, guys, we did this,” kind of attitude?

[Tom Doughty] Yes, there is. And I think it’s a positive to try to do even more of that. I was just having a discussion with one of my directs this morning that touches upon this where I will try to remind myself more of the idea that recognizing extra efforts, recognizing nights and weekends work for something. Sometimes what’s neglected from those recognitions is the why – what outcome did you achieve. It’s not just that you were working on a given CDE or applying some remediation. As a result of that, you helped a given business process. You helped something positive happen that someone doesn’t even think of in security terms but is reality in business terms. That’s something in terms of tying strategy at the enterprise level to actions at the individual level that I think when you can do that, even on a day by day tactical basis, it really makes people more engaged in what they’re doing.

[David Spark] Mike, I’m throwing the question to you. Which of these three was your favorite, and what does a great day in InfoSec look like to you?

[Mike Johnson] A great day is sleeping in, kicking back on the couch, maybe a nap or two.

[David Spark] Do you get a few of those great days?

[Mike Johnson] No. But I can dream.

[David Spark] I should say to listeners that when I mention to Mike that we’re going to have an early morning recording of the podcast, he’s not too happy about that.

[Laughter]

[Mike Johnson] Caffeine. Caffeine is your friend. But I think the one that I gravitate towards and a slightly different perspective is John’s. For me, it’s when someone shares gratitude for work that was done by someone on my team. When someone comes to me and says, “Hey, this person, they really helped us out. They’re awesome. I’m glad they’re here.” That just makes me feel so good, and that is a great day. When someone is going above and beyond. They’re actually going out of their way to essentially say thank you for… It’s often a thankless field. Like Tom was saying, when something doesn’t go bad that’s actually a good thing. It’s really hard to celebrate when things are just going fine. And so someone going out of their way to just say thank you, to say thank you about someone on my team, that’s a great day.

[David Spark] You know what? We’re coming full circle, and maybe what everyone who’s listening should think about is maybe they should test the security team’s essentially resolve and ability to withstand a barrage of compliments.

[Mike Johnson] Yes, I like it. I like it. Say thank you to your security team today, please.

[David Spark] Give your security team a big hug today. Albeit, it may have to be virtual.

[Mike Johnson] Virtual hugs, actual hugs, we’ll take them.

[David Spark] It is amazing what a simple email…just sending out to someone, saying, “Hey, you know what? I saw what you did here and there. I just want to say thank you.” The weight of that is enormous. It’s huge. Yes, Tom?

[Tom Doughty] Yes, absolutely. Just the idea that that conveys that it did not go unnoticed and unappreciated. But you can go back to that leap of…and as a result you actually helped with something beyond just that task. Tying it to outcomes, not just tasks, makes it even more to the point you’re making.

[David Spark] So, I’m going to say DCOS, distributed compliments as a service or something where essentially instead of a DDoS attack it’s a compliment attack. That’s the idea.

[Mike Johnson] I like the idea of a compliment attack. Let’s make that a thing.

[David Spark] There you go.

[Tom Doughty] As long as we don’t automate them because that would kind of delete the whole point.

[David Spark] Yeah, that would be…

[Mike Johnson] Very true. Very true.

[David Spark] Then we don’t want them coming from bots, yes. From people that…

Closing

31:08.630

[David Spark] All right, with that said, let’s get to the end of the show. Thank you. I’m going to issue some compliments right now. Tom, you were phenomenal. Thank you. I knew you would bring it… Especially on our discussion around insurance, which I knew you would have the unique perspective. So, I greatly appreciate that. You’ll have the final word, but I’m also going to ask you if you’re hiring. So, make sure you have an answer for that question. I do want to mention our sponsor, CYREBRO. Check them out. They are a SOC that you could possibly have in your environment. Again, SOC stands for security operation centers, for those who are not up on the lingo of the security people. All right.

[Mike Johnson] How the kids talk these days.

[David Spark] I know. By the way, I do not know all the texting acronyms myself. I feel like a [Inaudible 00:31:56] half the time.

[Laughter]

[David Spark] And just also the inside jokes of all the sort of online things that are happening. Very quickly I’ll tell you this story. Years and years ago… I’m a big fan of the Blues Brothers, and they have this song called “Rubber Biscuit.” I was in the car with my grandfather, and it came on the radio. I thought it was hysterical. It’s just a song of nonsense. And my grandfather looks at me like, “What? What’s so funny about this?” And every time there’s something that my kids think is funny, and I’m looking at them like, “What the heck is this,” this is my “Rubber Biscuit” moment. This is my moment of being completely clueless like my grandfather was. All right, with that said, Mike, any last words?

[Mike Johnson] Tom, thank you so much for joining us. What I really appreciate about being able to be part of this show is to meet folks like you who have been at this you said a decade and a half as a CISO. I’ve got four years maybe. And so it really gives me an opportunity to have a conversation with someone like you to pick your brain. And other folks can hear as well. But I get something tremendous out of this conversation, so thank you personally for joining. Overall I really appreciated how you kept bringing it back to outcomes and really focusing and reminding folks to focus on outcomes. One of the specific things that I want to give credit to you for and thank you for was you had mentioned something about plain English discussions and really talking with people in plain English. That’s a reminder as security professionals, we need to remember that. We need to remember to have those plain English discussions, remove the lingo and the jargon. So, thank you specifically for that and in general for joining us today. It was awesome to have that conversation. Thank you.

[Tom Doughty] Thank you for including me.

[David Spark] All right, Tom. Any last words, a plug for Prudential, and specifically are you hiring?

[Tom Doughty] We can combine those all into one. The answer is yes. If you are a security professional who wants to work on real time problems to real time effect, we are indeed. [Inaudible 00:34:00] in the threat hunting space, C-SOC operation space, and various operational roles. So, check out jobs.prudential.com. And if you have any interest whatsoever, please throw your hat in the ring, and you will not regret it.

[David Spark] All right. And is there any way they can get in contact with you directly?

[Tom Doughty] Certainly. Nice and easy – Thomas.doughty@prudential.com.

[David Spark] Oh, there you go. But you know what? We’ll have that up all on the blog post as well. Thank you very much, Tom, for joining us. Thank you very much, Mike. Thank you to our audience as well. We greatly appreciate all your contributions. If you didn’t know this, if you go to our website, there’s a big participate menu option for all the different ways you can participate. And I’m always looking for great “what’s worse” scenarios – ones that will truly stump Mike and our guest. So, please send those “what’s worse” scenarios in. As always, thank you for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.