Is “Compliance Doesn’t Equal Security” a Pointless Argument?

Why Compliance Doesn't Equal Security Is a Pointless Argument

A security program shouldn’t stop at compliance, but that doesn’t mean we should undervalue it either. It’s easy to just say compliance comes down to ticking boxes, but that can still deliver value to a security program. Why is compliance important and why is it often getting a bad name these days?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is our guest, Derek Fisher, Executive director of product security, JPMorgan.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Reveal Security

Reveal Security ITDR detects identity threats – post authentication – in and across SaaS applications and cloud services. Powered by unsupervised machine learning, it continuously monitors and validates the behavior of trusted human users, APIs and other entities, accurately detecting anomalies that signal an in-progress identity threat. Visit reveal.security

Full Transcript

[David Spark] For years we’ve heard the admonition, “Compliance doesn’t equal security.” This heavily repeated mantra started to greatly malign compliance. Why is compliance important though? And why is it often getting a bad rap these days?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, producer of the CISO Series. And joining me, I’m going to taunt you again with this, Geoff, because someone brought it up at a meetup yesterday.

[Geoff Belknap] Oh!

[David Spark] Is former child star, Geoff Belknap, now currently the CISO of LinkedIn.

[Geoff Belknap] Child star? Wait, did I forget?

[David Spark] Child actor. You were a huge success in television and film in your early days.

[Geoff Belknap] I thought we didn’t talk about that.

[David Spark] No, we are talking about that.

[Geoff Belknap] All right. All right.

[David Spark] This came up in a meetup I was at yesterday in San Diego where they absolutely loved it that I was taunting you about being a child actor, which actually Geoff has never done.

[Geoff Belknap] I… Yeah.

[David Spark] But we have convinced our audience that you were at one time.

[Geoff Belknap] I have acted up as a child and have been accused of acting as a child, but not a child actor in the commercial sense.

[David Spark] Is there any film or video of you as a child, Geoff?

[Geoff Belknap] No, I think the government seized all that and classified it.

[David Spark] No, because maybe we could somehow, because there’s a lot of new capabilities that Adobe has, somehow drop you into a scene on a television show and make it look as if you were a child actor, and we could try to convince people of this.

[Geoff Belknap] We could do a whole episode on misinformation with this. I think that’d be great.

[David Spark] You know what? This is going to come up, I bet you, soon enough. We will have a misinformation show, but that’s not today’s episode.

[Geoff Belknap] No.

[David Spark] Before I get to that, I do want to mention our sponsor, who is RevealSecurity, a brand-new sponsor of the CISO Series. Welcome aboard. Reveal, detect, and stop identity attacks in your enterprise applications. We’re going to talk more about that a little bit later in the show.

Today’s topic, actually, is an interesting conversation started by Aurobindo Sundaram of RELX, and he brought up our discussion on compliance versus security. Now, if you want to sound edgy in security, you always drop the soundbite like, “Compliance doesn’t equal security,” which, would you say you’ve heard that once or twice, Geoff?

[Geoff Belknap] I have definitely heard that at least once before today, probably several thousand times, in between 1 and 15,000 times.

[David Spark] Somewhere in that range right there. I would say I’ve heard it that many times as well. So, it sounds great, but it really actually undersells how essential compliance is as part of a security program because it actually does have a part.

Most compliance requirements come from peer-reviewed best practices. So, while you shouldn’t stop at those requirements, they can often serve as meaningful benchmarks. So, I’m just going to ask, why do we have this phrase, “Compliance doesn’t equal security”?

Why are we so quick to dismiss compliance as just simple checkboxes, which a lot of people define it as?

[Geoff Belknap] Yeah, I think, the challenge with this is compliance in the context of security really means complying with a law or a regulation or some standard of practice that your industry has to align itself to. And those things don’t mean that you are fully secure, but it also doesn’t diminish the value of being compliant, and I think we’re going to have a great conversation about that today.

[David Spark] And the person who’s going to join us in this conversation, very excited that he’s joining us, it is the Executive Director of Product Security over at JPMorgan, Derek Fisher. Derek, thank you so much for joining us.

[Derek Fisher] Thank you. I am not a child actor; however, I have been confused with the basketball player, Derek Fisher, and I get that. Actually, there was a lull for probably a good 5 to 10 years where I did not get that question. It’s made a recent resurgence where I was asked probably the other day about whether I am that Derek Fisher from the LA Lakers, and the answer is no, I am not.

I did play basketball and actually, Derek Fisher, the famous Derek Fisher and I are roughly the same age, same height. One of us is more successful than the other.

[David Spark] Only in basketball. Let me point that out, Derek.

[Derek Fisher] Hey, I was pretty good in basketball. I could dunk.

[David Spark] Yeah. I would like to see a Derek Fisher versus Derek Fisher one-on-one game is what I’d like to see.

[Derek Fisher] Yeah, I mean, we’re the same age, so we probably have the same aches and pains, so we’ll see how that turns out.

[Geoff Belknap] So, egg on my face. I prepared as if we were talking to the other Derek Fisher, so I’m going to have to throw all my notes out now.

[David Spark] Ugh!

[Geoff Belknap] I just assumed.

[Derek Fisher] I’m prepared to talk basketball, so that’s fine.

[Geoff Belknap] All right, all right, good.

[David Spark] We’ll somehow mix basketball into the show.

Where do we begin?

4:37.246

[David Spark] Shawn Olson of Foundation InfoSec Services said, “Compliance is usually based on some well-established standard, whether it’s a framework or just a giant list of security controls. The point is to establish a benchmark. It’s a solid beginning.

I’m thankful such pressures exist if for no other reason than to force those who need to do better to at least somewhat toe the collective line.” So, actually it’s something for us all to kind of agree to. And Aditya Sarangapani of WNS said, “Compliance standards are only guidelines and frameworks.

You still need to define the processes and procedures that meet the guidelines and your business requirements. You also need to identify the scope of what is compliant.” So, I ask you, Mr. Geoff Belknap, when you are explaining compliance to your team and the value of it, how do you explain it?

[Geoff Belknap] Well, I would point out I don’t have to explain the value of it to my security team. They get it. I think the important part is you have to explain the value of compliance and the difference between compliance and security to the rest of the business.

So, the rest of the organization that you’re working with. Because it would be very easy to just go, “Whoop. We’re compliant. We don’t need to invest any dollars more in our security or privacy program now because we have ticked that box.” But I think a great point was made by the commentary here that compliance is really minimum, right?

That’s the minimum standard. That is an effort by a legislative body or a rules-making body to say, “Look, you have to do at least this much security. And if you do at least this much security, maybe we don’t sue you or criminally impinge your rights.” But being secure and offering a product in this day and age means you got to do more than the bare minimum.

You’ve got to really be out there competing and delivering something that’s worthy of people’s trust. And that, I think, is the difference. It’s people get really upset because they don’t want us to stop at compliance. They want us to keep going.

[David Spark] Understandably. But I mean, I think the way you’ve just defined it, it’s simply the cost of doing business. If you want to be in this industry, like in finance, this is the cost of literally opening your front door. Derek, if you are the cheerleader of compliance, how are you sort of selling it as we should get excited, and this is something we should rally behind?

[Derek Fisher] I hope I’m never in the role of cheerleading compliance. But I think Geoff stated it, I mean, it’s absolutely spot on, I think really comes down to compliance is that you must be this tall to ride this ride, right? It’s here’s the minimum set of standards that are industry defined or it’s already been tires have been kicked on it, and we know that these are good practices and good frameworks that will help an organization reach that security maturity.

I think where the challenges become is that are you just meeting that security, are you just meeting those frameworks because that’s what you need to do to pass an audit or to get your clients off your back or you’re doing it because you want a more secure organization?

And I think the good thing is that a lot of organizations today, and I always kind of point at Apple when I talk about this, not that I’m pushing for them, but they’ve really kind of taken the whole privacy mantra, and they’ve really owned that and said, like, “Hey, our products, we’re concerned about your privacy and security; therefore, we’re building our product around that.”

And I think we’re going to see more of that, and we are, but we’re going to see more of that going into the future where it’s not just about doing privacy because or security because it’s a compliance thing or because we’re being told by a framework to do that, but it’s a selling factor, right?

It’s a differentiator between some products that, hey, our product is more secure. I do feel more comfortable that my data is over there. I do feel more comfortable using that product because it is more secure. So, I think that’s a boat that we’re kind of missing in the sense that we should be selling security to our end users, to our customers and saying, “Hey, we are going beyond this because we actually do care that we’re producing a product that’s going to make you more safe and secure.”

This isn’t just a security issue.

8:51.130

[David Spark] Arnold Rogers-Beckley said, “The company seeks compliance because there’s a compelling business reason to do so.” We explained that. It’s you have to be this high to ride this ride. He goes on to say, “Security tends to be somewhat of an afterthought.” I don’t necessarily agree with that, but let’s go on.

“The problem lies in cases where a particular security measure isn’t considered compliant due to its industry compliance requirement, or worse yet, having to delay or not deploy a proper security measure because it is beyond the compliance requirement.

The tension often is between the ones in the trenches and the ones approving the budgets.”

Interested to know your take on that quote, but let’s go to also Sean Lengyel of Simply SecOps who said, “With compliance, people tend to get fixated on ticking all the boxes. This is problematic because many of the boxes don’t do much to lower the overall risk to the organization.

This leads to waste when we all know that cybersecurity resources are always finite and in short supply. Compliance should be a consideration; however, I believe that a risk-based approach should be the priority.” So, interesting comment here at the end.

I’m going to go to you first, Derek. Sean who says all these compliance requirements are sucking our limited financial resources. Do you feel that because you have to feed the compliance need to be able to ride the ride, that after that, what money do we have left for security?

Have you run into this problem before?

[Derek Fisher] I mean, absolutely. Security is always fighting against the needs of the business and getting out to market and getting features out to the clients, right? But again, I think this is another sort of missed opportunity for us is to really think of, and some organizations are seeing it this way, but it’s we don’t complain about having to buy hardware.

Well, now that everybody’s cloud, you know, we don’t… We don’t necessarily complain about the OpEx for CSPs, right? We assume that cost. We assume that that’s the cost of doing business. And honestly, doing security is the cost of doing business. It’s unfortunately, or fortunately, depending on what side of the security aisle you’re on, it’s a means for an organization to be more secure, to be that organization that stands out and is doing the right thing from a security perspective.

That’s the cost of doing business. And yeah, you don’t have to do it. Not to go down the rabbit hole of the self-insuring and getting cyber insurance where it’s like, well, you don’t have to do security, your application can be or your organization can be completely full of holes and you’re going to pay the price for that.

Or you pay to have a more robust organization prepared to handle cyber activity.

[David Spark] Geoff, where do you fall? And I actually want to get your take on Arnold Beckley’s comment saying that there’s this tug between the two and that the attitude is, well, we have to be able to ride the ride, so let’s throw all our money and make sure we meet compliance and whatever’s left over, we’ll deal with security.

That may have been the story years ago, I can’t imagine it’s the story today.

[Geoff Belknap] I have no trouble believing that people are still struggling with this conversation. Although I think I’ll say from my own personal experience in my observed living with me and my peers, most people have figured this out. You have to do the compliance stuff.

You have to do the bare minimum. And that’s really what in most cases the compliance obligations are, the bare minimum. You cannot do only the bare minimum though. Nobody wants to buy a car that has the advertising slug line, “The bare minimum security,” or “The bare minimum safety requirements are met by this vehicle.” Nobody wants to drive that.

Nobody wants car insurance that’s the bare minimum car insurance. It’s not going to help you in a problem. And I think in this case, it’s the very same thing. Now, if you are an organization that hasn’t really thought through that security is a differentiator, that security enables you to take risks and to grow as a business, you’re going to be stuck in this mindset of, “Oh, gosh, I already complied.

Why do I have to spend any more money?” And that is a big red flag for me. I think most people that are stuck in this space need to do the work of figuring out that what their customers deserve is more than the bare minimum. But I think the reality is most people have that.

[Derek Fisher] If I could kind of tack on there a little bit. So, I think the analogy there of vehicle with the bare minimum, sometimes budget requires you or you’re budget-constrained and that is what you have to get. You can get the Cadillac version of security if you can afford it.

But some organizations, we like to say that every organization is a software company, right? Whether you are doing software or not, landscaping companies are software companies, right? They may not be able to afford that massive security budget. I mean, likely they’re not, right?

So, that bare minimum compliance or bare minimum security program is what’s going to win the day in that case.

[Geoff Belknap] I think the main difference is just that you can get a go-kart. A go-kart can get you from A to B. It’s got a brake and a pedal and a seatbelt. But if you’re going to be in an accident or if you’re just going to be driving down the highway at 70 miles an hour, you really don’t want to be in a go-kart.

You’re not going to feel good about that.

[Derek Fisher] I think going down the highway in a go-kart at 70 miles an hour sounds like, yeah, a little dangerous.

[David Spark] We actually did an episode, Derek, entitled Camry Security addressing this very issue of so many companies sell the equivalent of the Cadillac of security when the reality is you really only need to get 80% there, and I definitely don’t need to pay that ludicrous premium for the extra 20% that I’ll probably never, ever use for that matter.

Sponsor – RevealSecurity

14:45.569

[David Spark] Before I go on any further, I do want to mention our absolutely awesome sponsor, so thrilled that they’re on board, RevealSecurity. Now they are an identity threat detection company that enables security teams to quickly detect and respond to threats that involve trusted identities operating inside SaaS applications and cloud services.

Now this can be an insider threat or an external actor impersonating a legitimate or privileged user. RevealSecurity provides the only solution in the market based on patented identity journey analytics that uses unsupervised machine learning to continuously monitor and validate the behavior of human users, APIs, and other entities and accurately detect and alert on suspicious behavior.

Now with RevealSecurity, organizations can protect against account takeover attacks, insider threats, third party or supply chain risk after the point of login. That’s key here. So, where traditional identity preventative systems are pretty much out of the picture, they’re not working, they also do this – RevealSecurity – without the need for creating rules which are noisy and expensive and also require you to know what you are looking for.

When suspicious behavior is identified, RevealSecurity delivers ultra-high-fidelity alerts with deep context. So, the next steps for SOC analysts are clear, eliminating the need to launch a complex and time-consuming investigation to understand the scope of an incident.

To learn more about them, get in touch over at RevealSecurity, that’s reveal.security. Check them out.

Can there ever be agreement on this?

16:35.492

[David Spark] David Taxer of HACKERverse said, “Compliance is about managing liability and security is about managing risk.” Ooh, a great distinction right there. “Most businesses consider both aspects and invest according to the industry and the cost of a breach to their bottom line.” Ionel Chila of Cornerstone Capital Bank said, “Compliance and security go hand in hand and they’re both equal and relevant.

A well-executed compliance plan to achieve the expected standard and framework equals the maturity of your controls. Mature controls ultimately drive to lower your inherent risk. So, hopefully you’re left with manageable residual risk. It is not 100% perfect, but to me, this is a nice combination and complements each other nicely.” Well, I also think these two quotes complement each other nicely.

I like both David’s explanation of the differences between the two and their place, and Ionel says like, “Hey, once you’ve done compliance, you’re kind of set up to build a nice security program.” Do you feel that way, Geoff?

[Geoff Belknap] I think so. Look, like I said, and I’m going to be repeating myself here, compliance is minimum viable security. But I find it to be true the other way around, where if you’re running a fantastic security program, compliance comes free with that.

If you are running a fantastic compliance program, you’re not really getting some other things that you would want from a full-fledged security program. But look, if you’re doing any kind of compliance, you are headed in the direction of security. It will make things better than not doing them.

And I think what’s really interesting about Ionel’s quote here is it’s interesting that somebody who works at a bank would say that compliance and security go hand in hand and are equals. And I think that’s because when you’re dealing with banks and people’s money, those minimum-level security requirements that are going to come from a compliance program are extremely high, right?

They are not messing around because you are playing with people’s money. But if you are working in just a random tech startup, like we’ll say AI, there’s no current minimum security requirements for an AI company, and I think this is where we start to get hung up.

Different industries are going to have a different perspective on this.

[David Spark] Yeah, and actually you make a good point with finance, and I know you work in finance, Derek, in that compliance is a little bit simpler equation when it’s literally everything’s in dollars, isn’t it? Yes?

[Derek Fisher] Yeah, and I currently work in finance, I’ve worked in finance for several years, but I came from the healthcare space as well. I’ve also worked in the military space and so forth. And obviously, the compliance and the security controls are vastly different in each one of those.

The ones, aside from the military where you’re building things that blow up, it’s a little different scenario, but in the financial space, you are under constant audits, and you’re constantly assessing your frameworks and ensuring that your controls are mapping to those frameworks.

You have armies of people that are dedicated to ensuring that you are meeting those because, especially for public companies, there are very strict rules and very strict guidelines on how you do things.

And oftentimes you’ll see, to be honest, more security being driven by that compliance in those financial institutions as opposed to healthcare. Healthcare is notoriously understaffed, under budget. Just to kind of go back to that example of every company being a software company, healthcare, you go into the hospital, you go into a doctor’s office, it’s all digital, it’s all hardware and software buzzing around.

But honestly, that’s not their core competency, right? They’re there to provide care to patients that are coming in, and the tech is just there to support. They’re often running extremely old hardware and software that can’t be patched, and yet it’s internet connected, and so you have these massive problems with very, very little budget.

So, I think in the case where you look at a financial institution, where the money is there, the budget is there to do the right thing, the compliance frameworks are there to enforce the right thing, and I think you have a much better standing in terms of getting security in place.

[David Spark] It’s a cleaner explanation, I think, in finance, and I think it’s probably more expensive is my guess, but at least you can see things. And you make a good analogy with health in that health is much messier. And I just did a show recently with two health experts.

And oh my, the situation of the compliance standards and where equipment is, they’re not aligned because what’ll happen is they’ll have hardware that goes out of date that you can’t upgrade the operating system or operate the software, but it’s operating on an operating system that is now outdated.

It’s a giant, colossal mess.

[Derek Fisher] Yeah, when they say outdated, that’s with a capital O. I mean, it is outdated. It’s not uncommon to see these MRI, x-ray machines, these big machines that have been installed in a hospital for 20 years and it’s still running Windows 95.

[Geoff Belknap] Let’s be clear, though. This is where compliance can be a good thing. This is where compliance should be mandating to people who make these devices that they be required to be upgradable, that when they are certified, they don’t have to be locked into the exact specific piece of software they were certified to, etc.

We have figured out these problems. We know how to upgrade things that are critical. We know how to manage things that are critical, just like healthcare devices. But today we don’t mandate, there’s no compliance requirement to change that. And this is where compliance can have a good impact on things.

Healthcare being a security issue is not strictly a budgetary issue. It’s a fact that the policy has not driven people to update devices, to update software, to really treat that healthcare technology environment at the same level of importance as the people that it is supporting.

[Derek Fisher] And I think there’s IoT, right? You look at the healthcare devices that are in hospitals and doctor’s offices. I mean, it’s an IoT device essentially, even though it’s been deployed 20 years ago. And I think the challenge is the example of an MRI machine that’s running an old operating system, an old software that can’t be patched.

Who’s responsible for paying to get that thing removed and replaced? Because the tech was built 20 years ago.

[David Spark] Well, this is where the manufacturer’s responsibilities also come in as well.

[Derek Fisher] Yeah. Look, I 100% agree with the direction and what Geoff’s stating. I think it comes down to the manufacturer saying, “You want me to yank out the MRI machine out of the hospital that you paid for 20 years ago and replace it with a new one?

Here’s the bill.”

[Geoff Belknap] I assure you manufacturers are okay with that conversation. The harder part of this is that the FDA and other people that certify those machines have not updated the process for that to ensure that those machines are updatable or that they have an end of life when they’re no longer able to protect patients’ data.

And I think we will get there. I look at very profitable sectors like healthcare and others that also complain about security and go like, “Oh, this…” There are options we have here other than spending more money.

What are the elements that make a great solution?

24:08.848

[David Spark] Jack Nunziato of DoControl said, “Compliance will always make the organization more secure. But if they’re staffing and executing based on this bare minimum, then there’s really no true belief in cybersecurity and data protection for their customers.

Make it an ethos that supports the company mission.” And Duane Gran of Converge Technology Solutions said, “I’ve seen situations where organizations start with a focus on compliance, but in the process, they improve security outcomes and really embrace the changes.

It really depends on the collective attitude taken at the company. Compliance can be a gateway drug to improve organizations. Some start with an attitude around doing what must be done, but their eyes are open to an array of unmanaged risks in the process.” That is an interesting take.

I’ll start with you, Geoff, on that. I like Duane’s thing is because you got to do this stuff, it’s going to make you start seeing things, isn’t it?

[Geoff Belknap] A hundred percent. If you are not required to do any of this, you would never look into it. And this is why compliance exists. We want people to take due care and invest some of the money for their organization in protecting data, protecting privacy, ensuring the safety of the people that use our products and our services.

And this is a lot of how people come around to thinking differently about security. They have to do some of it. They bring on people to do that job, and suddenly they’re finding lots of things. And I think this is indeed how you start the path to a really strong security program.

And I want to underscore that a really strong security program does not have to be a really expensive security program. It just has to be you’ve invested a little bit of time into listening to the people that are looking at the risks for your business and are thinking about what they can do to mitigate them.

You will be so excited about how more competitive your business could be, how higher growth your business or your organization could be if you’re starting to think about the risk that might impact your business. There’s lots of positives here.

[David Spark] All right, Derek, here’s what I want to sort of summarize with, and tell me if you agree. Because from what I’m hearing, and especially with Duane’s last comment right here, we started with the common mantra of, “Compliance doesn’t equal security.” But what I’m seeing from our discussion right now, really what the mantra should be is, “Compliance allows us to build a great security program.” Do you believe that to be true, Derek?

[Derek Fisher] I do. And I think compliance, we keep saying this, it’s the bare minimum, right? And there’s a lot of organizations out there that just need to know what do I need to do, right? And compliance can get you to that point to say, we look at maturity models, things like that.

It’s kind of the same thing where it’s like, okay, here’s the bare minimum things that you need to do to be secure. And for some organizations, I love the phrase gateway drug because I think that’s what gets them moving. Suddenly you’re building teams.

Suddenly you have a SOC in place. Now you start having security engineers that are working with your developers or with your product owners to build more secure software. And suddenly, you’re starting to build out that security organization. And so I think having some North Star that says here’s where we’re heading and here are the things that we’re trying to achieve from a security perspective that is being driven by compliance, yes, but it is going to make us more secure, keep us off the front page and ensure that our customers are getting a secure product, that’s always a step in the right direction.

[David Spark] I love that metaphor. And I want to close on it. This, “Compliance is our North Star.” Even better than what I said earlier.

Closing

27:57.801

[David Spark] All right. We’ve come to the point of the show where I’m going to ask which quote was your favorite and why, Derek?

[Derek Fisher] Duane’s quote, I think really, and I’m sorry, Geoff, if that was what you were going for. But Duane’s quote really hits home because I think, again, it’s like the gateway drug thing, right? It gives you that first taste and it gets you in motion in that direction, and then next thing you know, you’re building a good secure program.

I spent a lot of my time in the application security space. And talk about trying to build security on a shoestring budget, look no further than application security. You’re often trying to do things with a very small crew and trying to get things done by twisting arms and stuff like that.

And so I think starting from a perspective of at least we’re moving in that right direction and we’re doing it in a cost-effective way really sings to me.

[David Spark] Geoff, your favorite quote and why.

[Geoff Belknap] Mine was stolen but to respect a professional athlete, I’m going to pick a different one. I’m going to go with Shawn Olson from Foundation InfoSec Services.

[David Spark] That was the first quote, so we’re bookending this, the first and the last quote.

[Geoff Belknap] Look at that! I mean, hey, pro tip to everybody, make sure your quotes are first or last. And you have no control of that. But anyway. Shawn said, “Compliance is usually based on some well-established standard, whether it’s a framework or just a giant list of security controls.

The point is to establish a benchmark. It’s a solid beginning.” And Shawn says he’s thankful such pressures exist. And so am I, if for no other reason than to force those who need to do better to at least somewhat toe a collective line. And that’s the whole point.

We want people to meet a minimum bar. At the end of the day, I think in my role, and I’m sure Derek would agree, I’d be fine if everybody’s security program was just as good as mine. I don’t want anybody to have a worse security program than mine because we all, you know, it’s like a rising tide lifts all boats.

It’s better for all of us to have a great security program, and it’s better for all of us if everyone starts from a minimum level that is good for their customers and their clients.

[David Spark] I’ve said that one of the wonderful things about security is that it’s the one industry in which direct competitors are sharing information and trying to help each other out. Happens all the time. All right. We have come to the end of the show. I want to thank our sponsor, RevealSecurity.

Remember, their website is reveal.security. And remember, they’re going to help you find suspicious behavior after legitimate users are in your environment. Because not every user in your environment, even though they look legitimate, is legitimate – reveal.security.

And I want to thank our guest, Derek. I’m going to let you have the very last word. Geoff, as always, for those of you looking for jobs, there is this great site called LinkedIn.com that has a job board on it. Is it still there? They haven’t taken it down, have they?

[Geoff Belknap] LinkedIn.com is still there. Whether you’re looking for a job or looking to build an audience or establish yourself or share some thoughts or sell some things.

[David Spark] Do you know that CISO Series, we have our own page on LinkedIn?

[Geoff Belknap] That’s right. And it’s quite a good one. You should check it out. Insert link to CISO Series right here.

[David Spark] Derek, any last thoughts on the subject? We always ask if you’re hiring, and I’m assuming people can reach out to you via LinkedIn or just find you on the court where you will be challenging the other Derek Fisher to a one-on-one. Correct?

[Derek Fisher] I’m going to reach out to him. I don’t think he’ll respond to my email, but I’ll reach out to him and see if he’ll be up for that.

[David Spark] He is a subscriber to this show. He’s a huge fan of cybersecurity.

[Derek Fisher] All right, well, tell him to call me.

[Geoff Belknap] You’re going to have to show the receipts on that.

[Derek Fisher] Tell him I’ll meet him anywhere. I’ll meet him in the middle of the country.

[David Spark] There you go. Oh, we will bring the camera crew if that’s going to happen. We would love to see it.

[Geoff Belknap] I always find fighting words are a great way to call out a professional athlete.

[Derek Fisher] Yeah. Nobody wants to stand down from that.

[David Spark] Exactly. I mean, you’re fighting up. It’s always a good idea to fight up.

[Derek Fisher] Yeah.

[David Spark] He’s got everything to lose. You don’t.

[Derek Fisher] Yeah, if he gets beat by me then that’s on him, I’ll still be able to say I played…

[Crosstalk 00:31:58]

[David Spark] You’re going in as the underdog.

[Derek Fisher] Exactly.

[Geoff Belknap] Please, anyone who’s listening to this, don’t fight professional athletes.

[David Spark] No, no, we’re not saying…

[Geoff Belknap] Not based on our recommendation.

[David Spark] We’re competing. We’re saying competing.

[Derek Fisher] Yes, competing.

[Geoff Belknap] Ah, ah, all right.

[David Spark] A fight was a euphemism to reference the game that the two of them would play.

[Geoff Belknap] Of course.

[David Spark] Any last words, Derek?

[Derek Fisher] No, I appreciated this opportunity to talk. I love the subject, and I always like hearing other people’s perspectives and being able to provide my own. So, I really appreciate the time and thank you.

[David Spark] All right. Well, great. I want to thank our audience and I want to thank our guest and Geoff as well. And as always, we greatly appreciate your contributions and listening to Defense In-Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.