Is Our CISO Doing a Good Job? Our CISO Doesn’t Even Know.

It’s extremely hard to tell if a cybersecurity leader is doing a good job. In fact, it’s tough for even them to know. Our best bet is watching for an improvement in the cybersecurity program over time.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Mark Wojtasiak (@markwojtasiak), vice president, research & strategy, Code42 and co-author of “Inside Jobs.”


Thanks to this week’s podcast sponsor, Code42

As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.

Full transcript

Voiceover

Ten second security tip. Go.

Mark Wojtasiak

The biggest thing I can offer is, in this day and age, partnering with lines of business when it comes to security. Especially around insider risk management. Different lines of businesses are going to have different risk tolerances to the data that’s important to them. Partnering with them is critical in terms of ensuring protection of that data.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the Producer of the CISO series. Joining me on this very episode is my co-host Mike Johnson. Let’s hear it. I believe you have a sound that you make from your voice, is that correct?

Mike Johnson

Yes, I do. I do have a sound and I’m here with my Diet Mountain Dew ready to record.

David Spark

But we had a discussion earlier about how I had no preference towards any kind of diet colas and then you said, “I, as well” and you hold up a Diet Mountain Dew, to which I had to clarify “That’s not a cola.”

Mike Johnson

It’s close enough. It’s just a different color.

David Spark

And a different taste.

Mike Johnson

Details.

David Spark

And I refer to it as space urine.

Mike Johnson

Yes, which I fully accept, because I’m just preparing for our alien invasion.

David Spark

Yes. So, our sponsor for today’s episode, and also responsible for bringing our guest. Actually, the guest who was on Defense In Depth, and now we get to have him over here, I’ll introduce him in a moment, but our sponsor is Code42, who have been absolutely phenomenal sponsors of the CISO series. Now Mike, the day that this episode is dropping is October 26th. It is the end of Cybersecurity Awareness Month. I’m interested to know if you had any plans, because we’re recording this at the end of September, but if you have any plans for Cybersecurity Awareness Month and what you’re going to dress up as for Halloween.

Mike Johnson

So, we do have plans and last year we had a great week long set of events, where we would have internal and external speakers, employees would attend those. The idea was to get them excited about security. Give them some value. And also, as part of that, give them things that they could take away. Talking about what they could do at home, how they could better protect their personal use. So, we’re going to do some more of that and we’ve got a few other things that we’re working on to try and make happen that I look forward to talking about, because I’m so excited. I don’t know that they’ll happen, so I don’t want to, I don’t want to reveal yet, but they’re going to be really cool.

David Spark

So, we record at the end of the month for our November episodes probably.

Mike Johnson

We’ll look back.

David Spark

Well, you’ll tell me if that actually came to pass.

Mike Johnson

Yes. Yes.

David Spark

By the way, have you noticed whether or not, during the month of October, your sort of overall security program improves or doesn’t?

Mike Johnson

I don’t think it really overall improves just in that time frame. It’s not like there’s suddenly everyone’s doing security better.

David Spark

No. But, like, it’s people are “more aware.” I mean, I was just wondering if that affects anything?

Mike Johnson

The way that we’re looking at trying to understand that is we’re going to run a survey, just of the entire company, basically just asking folks hey, as a result of all this, has your opinion changed? And so, we’re going to try and measure it. I don’t think it really changes, but we’re going to ask and use that as a measure.

David Spark

Right. And what are you dressing up as for Halloween?

Mike Johnson

So, for the longest time, my costume has been Mike Johnson, mild mannered, in this case podcast host with a hat. So, I’ll wear a hat.

David Spark

So, you wear a hat?

Mike Johnson

I wear a hat. Yes.

David Spark

And people can still recognize you?

Mike Johnson

I go all out David. I go all out.

David Spark

I’m like that for Halloween. But me, I don’t know, I haven’t decided. My son is obsessed with David S. Pumpkins, the character that Tom Hanks plays on SNL and he’s eight years old and I think we’re going to get him a David S. Pumpkins suit.

Mike Johnson

That is awesome. It would have been even better if it was you.

David Spark

Well, so, you know, if you know the routine, these characters that give the B boys a dance and my wife, I may get one of these outfits. We’ll see what happens. Well, the thing is, so I’ve moved down to San Diego and the neighborhood I live in, we’ve been told literally goes all out on Halloween and, like, everybody comes to our neighborhood for Halloween.

Mike Johnson

Okay.

David Spark

So, I’m looking forward to seeing whatever the hell my neighborhood does. But I’ve seen videos. It’s kind of insane.

Mike Johnson

It sounds like you’ve got to show up for that.

David Spark

I do have to show up for it. Alright, with that said, let’s get into our show and our guest. I’m very excited to bring him on, because I’ve had him before and I know he’s good on the microphone. He has written a book. He’s actually co-written a book with another guest we had on this show, Jadee Hanson. He co-wrote this book called “Inside Jobs.” He is from our sponsor, Code42, Vice President of Research and Strategy, Mark Wojtasiak. Mark, thank you so much for joining us.

Mark Wojtasiak

Hey, thanks Mike and David. I always love coming here, so this is awesome. Thank you.

I tell you, CISOs get no respect.

00:05:17

David Spark

Over on the cybersecurity subreddit, a redditor asks, “What is your business’s biggest frustration when managing cybersecurity?” Highlights are kind of the greatest hits on this podcast and they include security training or employees taking cyber seriously. Funding – Getting management to invest in cybersecurity. Users’ simplistic passwords. Management’s understanding of cyber risk and vulnerability remediation. Kind of like, we’ve hit all this. So, I’m going to go with you Mike first, what’s your biggest frustration when managing cybersecurity?

Mike Johnson

So, I had a very visceral reaction when I read this thread and so my answer is I’m really frustrated at the old ways of thinking about security. The idea that training people to not make mistakes is going to solve everything, or that if someone can’t remember a complex password they’re doing something wrong. So, that really is my frustration with all this is I’m left fighting these preconceived notions about security teams because you run into people, they don’t want to talk to a security team because they’re certain they’ll be told “no” because that’s been their experience. So, I find myself fighting that set of notions, that set of ideas to better engage with the business. To have them actually come to us and have conversations. And so, that’s probably my biggest frustration. I don’t know, maybe I could come up with some others, but when I read that thread that’s immediately what came to mind and that was all I could think about was just, you know, people just mad because users can’t remember a password or they’re not taking security seriously. That’s our job. That’s what we need to be fixing for them. We need to be helping and engaging with them.

David Spark

Alright. Good things to be annoyed by. Mark, what annoys you?

Mark Wojtasiak

I’m hardly a security or cybersecurity leader, but I know what frustrates me. It’s similar to what Mike said. I mean, it’s the stigma, right? The stigma that security has in a lot of organizations and some of these things on the reddit string, it’s funny, because if I look at, like, you know, management understanding of cyber risk. Employees taking cyber risk seriously. It’s like, when did security get into the education business? Like, all of a sudden it’s you’ve got to educate leadership. You’ve got to educate management. You’ve got to educate end users. And I’m not about to diss security awareness education, because it is a critical piece of the security puzzle and what we can do to enable an organization and reduce risk. It’s a critical piece but, you know, I think of security teams’ own competency and burnout and ability to grow and develop as security professionals when they have a lot of time and effort spent on taking the, well let’s face it, a lot of the blame for any risk introduced inside an organization. I’m a big believer in collaboration and collaborative organizations and that goes for security too, to what Mike said. Part of that stigma has got to get fixed by security being more collaborative with lines of business and with employees. They’re people, right? People want to work with people, so, like, how do we get the stigma off that we’re some, you know, people in dark rooms behind closed doors that you don’t want to talk to or ever meet or ever get a phone call or email from, and I think that comes a lot from, it’s a two-way thing. You’ve got to reach out to employees and leaders as much as leaders have to reach out to security. I wish we could bridge that gap.

Walk a mile in this CISO’s shoes.

00:09:08

David Spark

Helen Patton at Cisco asks “How do you know when a security leader is doing a good job – now, either for yourself or for others – how do you actually measure that?” And I’ll start with you Mike again on this. How do you do it? Because, like, think about you’ve got to hire someone. Like, how do you know they’re going to be a good leader?

Mike Johnson

You know, I saw Helen’s post and my gut reaction was, like, shrug emoji! You know, I don’t know.

David Spark

Well, this is why it’s so hard to hire a security leader?

Mike Johnson

It is. And especially, there’s the hiring, but then there’s also the ongoing, right? You know, you’ve been here a year. You’ve been here two years. We talk about how to measure security programs, but not the leader. On the one hand you can look at the program and just use that as a proxy. If the program is successful then, therefore, the leader must be successful. But if you’re doing that, I wouldn’t take just a snapshot. You need to look at that improvement over time. On the other hand, if that improvement has come at the expense of the team members, if you’re burning out your team members, that doesn’t actually mean you’re doing a good job. So, I kind of keep going on this and keep just spinning on it and think about well, how do other leaders in the company see the security leader? I think that really is probably the best measure. It’s highly subjective, but if the rest of the company leadership thinks that the security leader is doing a good job, then they’re doing a good job. That’s actually a good measure. It’s tough.

David Spark

I don’t know if that’s enough Mike.

Mike Johnson

I read through the responses to Helen’s thread and there’s not great answers. Like, nobody has an answer for this.

David Spark

No, this is a tough one. This is totally a tough one.

Mike Johnson

That’s really the best that I can come up with is ask around. Interview, do 360 interviews within the company with other leaders and you’ll get a good fix for it.

David Spark

I think though, your earlier thing is are they improving things? That, I think, it has to do about improvement. Mark, what do you think?

Mark Wojtasiak

I don’t know. I think you hire a security leader like you hire any other leader. You know, if we’re interviewing a security leader, if I’m interviewing a leader on my team or in any department, you know, I want someone who wants a seat at the table, right? And that person, that CISO or the VP security or whatever, they’re interviewing the company as well. Am I going to have a seat at this table? Am I going to have a voice? Because I’m a big believer in shared metrics across the business when it comes to security. But I’m a big believer in risk, time and reward based metrics, and you know, when a leader, when executive teams or leadership teams share metrics across those three pillars, risk, time and reward. And risk could be risk posture of the organization. Ultimately, the CISO is measured on that. What’s the risk posture of the organization? But what about the risk posture of a department or a business unit or a team or an individual, for that matter? You know, share that risk metric across the lines of business and have that seat at the table. Ultimately, yeah, the security leader is responsible for it but, you know, I think that should be a shared metric. The same with time. You know, there’s so much talk about security built into product, right in the sect of ops and when we launch. I mean, everything is a digital product these days. It’s like, you know, time to market is a critical thing. So, shouldn’t the security leader have a voice into product development and road map and timing and be measured on time to market, time to revenue, time to customer value. Those sorts of things. And then the final thing, the reward, I think the ultimate measure of a leader is the effectiveness in retaining and growing your team and making sure your talent is staying on board, your talent is growing, adding value, you’re giving them opportunity to add value and grow their influence inside the organization. I mean, that’s the ultimate role of a leader.

David Spark

The only caveat I would throw in that is if the CISO’s given enough money to hire their team. You know, like, they could be a great CISO who’s not given enough money to hire their team and then they lose people because they’re being lured away, you know, for more financially attractive opportunities.

Mark Wojtasiak

Yes, I would say that. I would agree with that as well, in terms of well, that’s a whole other conversation around how you make a business case for more money. So, is it business minded CISO that can make business cases, can have that seat at the table and justify investments in certain area and how do they link to ultimate business metrics, right? How are you being measured Chief Operating Officer, because I’d like to share that metric with you and what’s my contribution to that Chief Product Officer, Chief Technical Officer etc., etc., I think that, you know, budget is always going to be, like, that one tough hurdle to get over, budget and resources, and I think that’s true for a lot of leaders. But making the business case is critical, so I think business minded CISOs is where you’re starting to see a lot of, well we’re starting to see a lot of movement.

It’s time to play “What’s Worse?!”

00:14:28

David Spark

Guess what Mike? We’ve got another “What’s Worse?” from Jason Dance of Greenwich Associates.

Mike Johnson

Alright, Jason.

David Spark

He gives us tons of great “What’s Worse?” Now, this has a jerk in it, but not in the way that we traditionally introduce it, okay? In a very different way, alright?

Mike Johnson

Different jerk?

David Spark

Now Mark, you know how this game is played, correct?

Mark Wojtasiak

I believe I do.

Mike Johnson

Yes.

David Spark

Two bad scenarios. They both stink. You don’t like either one of them, but as we have been discussing up until now, it’s a risk management exercise. So, you have to look at the risk of the both of these and which one would cause more damage. So, it’s the idea of what’s worse of the two. Alright, here you go. Mike, you, the CISO, are best buddies with your Board. A good situation Mark, okay? Got a seat at the table. They love your style. However, here’s the what’s worse? Your Chief Revenue Officer is a jerk, to you specifically, rains down security decrees that must be done straight away or your Chief Financial Officer is a jerk to you. “Forget it. I’m not giving you any money.” Which one’s worse?

Mike Johnson

Maybe I missed what the Chief Revenue Officer is doing. What are they doing?

David Spark

He’s telling you, raining down security risk decrees. Like, telling you about certain risk issues and he says you’re going to need to deal with this right away.

Mike Johnson

Oh, so he’s bringing problems to me? He’s bringing me awareness of things that I might not have known about and suggesting that maybe I should do something about them?

David Spark

But he’s being adamant about it and pushing in on your case.

Mike Johnson

This one is actually pretty easy to me, right? Like, I think the Chief Financial Officer, who is just keeping resources such that I can’t get anything done, that one seems a lot worse than the Chief Revenue Officer who’s basically giving me cannon fodder for going and getting funding. I mean, if I can go and say look, we’re not getting these deals because we’re not doing A, B or C and this is stated very clearly and backed up by the Chief Revenue Officer, we’re best buddies. That’s easy.

David Spark

Well then, maybe it isn’t as bad. So, alright.

Mark Wojtasiak

This isn’t bad. That’s an easy one. I agree with Mike. That is an easy one. It’s like, you know, if there’s a decree from the Chief Revenue Officer who ultimately, you know, is about the ability to do business with industries or customers or whatnot and there’s a decree and he’s a total jerk, I’m like, I’m swallowing my pride and latching onto that, because there’s this common word between a Revenue Officer and a Financial Officer and that’s revenue right, or money. So, if there’s money to be made there’s money to be had in meeting those needs of that Revenue Officer.

David Spark

A good point.

Mike Johnson

I love that.

David Spark

You know, a very good point here in that this is actually a direct line to getting what you want.

Mike Johnson

Yep.

Mark Wojtasiak

Yeah.

David Spark

Alright. So actually not bad at all.

Mike Johnson

Yeah.

Mark Wojtasiak

It sucks that he’s being a jerk.

Mike Johnson

But who isn’t these days?

Please, enough, no more.

00:17:52

David Spark

Mike, today’s topic is Security and Awareness Training. Perfectly timed for Security Awareness Month in October. So, Mike, what have you heard enough on this topic and what would you like to hear a lot more?

Mike Johnson

So, one of the things that just really bugs me is the just train the employees and that’s all to phishing. Like that, over and over again we still keep getting the, you know, hey, just buy this module and that’ll solve phishing and just, people make mistakes. Let’s treat them as people and understand that mistakes happen. So, what I’d like to hear more of is how you engage these employees. How you actually engage them to help improve the security of the organization. They’re willing to help. How do you do that? How do you have those improvements stick over time to your point about, you know, is it just a spike during Security Awareness Month or is it actually sustaining? So, that’s what I’d like to hear more of.

David Spark

Sustaining is the key, right?

Mike Johnson

Yes.

David Spark

Alright, Mark, I’m throwing this to you. This is in your wheelhouse. What have you heard enough about with Security and Awareness Training and what would you like to hear a lot more or maybe you’re doing more?

Mark Wojtasiak

I’ve heard enough about the blame game, I guess, if you’re referring to employees as stupid or they’ll never get it or what. At the end of the day, they’re just trying to get their jobs done, just like anyone else is.

David Spark

And I will say, my other co-host, Andy Ellis, referred to the infamous “Wall of Sheep” that’s at Black Hat. He detests that, because the whole point of that is to say hey, these people are idiots and let’s applaud their moronic behavior that we got them. That does not imbue the rest of the community to want to be friends with the security community.

Mark Wojtasiak

No, exactly. It’s like, you know, just as much as fear mongering doesn’t necessarily work from a security vendor marketing to a security buyer, fear mongering to an employee in some wall of shame isn’t going to work either. It’s not going to change behavior, it’s not going to change what have you. I mean, yes, this is near and dear to my heart because I would love to see us take a more positive approach to training. A more data driven approach to training.

David Spark

What does that look like? What do you mean by a positive data approach?

Mark Wojtasiak

At Insider Risks we introduce Code42 Instructor, which is when you think about every mistake an employee makes, whether it’s accidental or whether it’s negligent, is a teachable moment, right? A mistake is just an opportunity to learn something new and course correct. So, why aren’t we taking those mistakes, because we know when they happen at the moment they happen, and deliver training that presumes positive intent? Training that’s not preaching, it’s teaching. It’s like a human talking to a human saying hey, we understand you’re trying to get some stuff done, we understand etc., but we talk about give the employee why. Like, why is this important? Talk to them about, you know, you have open file shares. Your MacBook is syncing to iCloud. Were you aware of that?

David Spark

Can you actually sort of paint the picture of, like, I did something wrong? Give an example of that and what all of a sudden is this teachable moment I’m receiving and literally go through the mechanics of it with me.

Mark Wojtasiak

Yes. So, here’s an example we hear all too often. I’m working on my home PC remote. I’m working on my work PC remote. My monitor’s not big enough. I don’t have enough storage space, whatever the reason might be. I want a bigger, faster machine to work on something. We see a lot of IT admins do this actually. And they email themselves a file to their personal email. Now that corporate file is sitting on some home device that’s unmanaged. That event, though not malicious in nature, presumed positive intent, would trigger some sort of responsive training to that employee in the moment, saying hey, we realize you did this. This is why that’s against policy. This is, you know, to keep corporate data safe, to keep yourself safe, to keep your co-workers safe. Here are the sanctioned ways to share files or to move files around.

David Spark

So, this instructors program, if I understand correctly, if I’m an organization that’s deploying something like this, I’m assuming there’s a series of, like, defaults or I’m orchestrating it to the environment that I’m in and then I have to feed it. Like, in the example you said oh, I have to feed it. Well, here are the two or three ways that we safely share files kind of a thing, yes?

Mark Wojtasiak

Yes. So, it will depend on the organization. So, when you think about the Instructor lessons, there’s three different types. There’s what we call proactive lessons, which you can send out proactively around compliance or culture or policy and that sort of thing. Situational lessons. A departing employee. A new employee. And you want to educate that employee on understanding their rights to data. What can they bring into the organization, what can they take out of the organization. So you’re situationally training. And then the responsive ones, like the example I gave, is like, when an event happens that poses risk to the organization, it triggers training to that employee. Now, and the organization can take advantage of it. Instructor is content. It’s training content. So, when you purchase, you get a pack, a content pack of, like, 15 plus lessons, situational, proactive and responsive, and they can deploy them in any way, shape or form. So, the beauty of, like, Code42 Instructor when combined with, like, a Code42 Insider, which is the thing monitoring and detecting risk from employees; accidental, negligent, malicious, that magic is where you get that context of what education does an employee need when. And that’s ultimately what we’re trying to do.

David Spark

Mark, do you have any sort of beta results of, like, how this sort of context based training has worked?

Mark Wojtasiak

Yes, the biggest beta was ourselves. So, one thing that our CISO implemented, contextual awareness training at Code42, but since we’ve been building Instructor the last few months, at least all the lessons, and we’ve got some early adopters of the product kicking the tires and in terms of, like, responsive, contextual training in the moment that risk happens, early results are great in terms of, like, the feedback we’re getting from the style, the tone. Right now we’re looking a lot at the style and the tone of the lessons and the applicability to the environment. Like, what types of lessons to include Office 365, Slack, Google, iCloud, departing employee USB thumb drive use, personal email use. It’s like, almost building out that library of what organizations really need in terms of contextual awareness.

Is this where I should put my marketing dollars?

00:24:49

David Spark

Gabriel Friedlander of Wizer suggested we hire a marketing manager for the security team. I referred to this as a security culture czar in a previous episode. In general, I think he’s right because security communications, and I see this in security media as well, is truly horrible when it comes to branding. And there are a few shining stars, but in general, the industry stinks when trying to build a brand others kind of understand and care about. And those are the two key words “understand” and “care.” So, Mike, do you believe this is something that’s happening now, needs to happen or would be nice to have, but it’s far down the totem pole?

Mike Johnson

So, the first thing I have to ask is do people still use the word “czar?”

David Spark

I just used it.

Mike Johnson

But do people other than you?

David Spark

I am people.

Mike Johnson

Okay. You’re a person, you’re a person. So, I think there’s a few things here. One is the policy aspect that Gabriel mentions. I mean, we have these policies, their purpose is to make sure that people understand what’s expected of them. You can’t go to someone and say “Well, why did you send this file out that you weren’t supposed to?” And the response is “I didn’t know I needed to do that.” So, you do have to go through those discussions. You have to have that stuff written down. It doesn’t have to be a dry 30 page doc. A good first step, and this is something that we do, is work with your internal docs team, the people who write customer facing documentation, to help write your policies in more approachable ways. They can help the policy read like a human rather than something that’s really intended to put people to sleep. So, that’s step one is use those resources you already have. And I do think we’re seeing more and more of that. So, second, and this is another thing that we’re starting to do, is using engagement surveys. So, understand feedback from your employees. How do they feel about the security organization? Use that as feedback to make adjustments. Don’t just assume how your company looks at you. Go and ask. Go and find out and make adjustments from that. And then the third is, as I mentioned when we were talking about Security Awareness Month, is have some internal events that are fun. Take advantage of the fact that there’s other events going on in the world during the month of October. You can tap into those. You can make security fun.

David Spark

Yeah, you don’t have to just necessarily go to your own events.

Mike Johnson

Exactly.

David Spark

By the way, there was a great setup for me in that did you know that every Friday we have the CISO series video chat Mike?

Mike Johnson

Well, tell me all about it David?

David Spark

They’re a lot of fun. We do it every Friday at 10:00 am Pacific, 1:00 pm Eastern. It’s a ton of fun.

Mike Johnson

I like fun.

David Spark

And yeah, we play games and it’s silly and then we have a meet up afterwards, where people get to have one-on-one conversations or group conversations with their friends, their cyber friends, or make new cyber friends.

Mike Johnson

Cyber friends, I like it.

David Spark

There you go. Alright, I’m all about fun. I’m throwing this to you Mark. This whole idea of call it a security culture tsar, a market manager for security whatnot, how much of this have you seen, do you think it’s necessary or is it a nice to have here?

Mark Wojtasiak

I’m a big believer in, and I know you’ve had Jadee Hanson on the show before, I’m a big believer in security just being more visible. Like, I remember when I started at Code42, it’s like six years ago, and one of the first on boarding experiences I had was Jadee talking to us. Like, here’s the CISO talking to us new hires about security at Code42. Like, what does it mean? A safe environment. You know, how they approach security. Introducing the team, who they are. And, like, just getting that human to human kind of affiliation or kind of acknowledgment is a big step, so a tsar, like a dedicated person to, like, go out there and celebrate security, I think it’s just like more of a department thing. It’s more of that. I think it’s a role of the leader too. Like, is a leader really the face of security at the organization?

David Spark

You think Mike should be a tsar, is that what you’re saying and he should re-title himself “tsar?”

Mark Wojtasiak

Mike is a tsar. He probably doesn’t want to use the title tsar.

Mike Johnson

That’s totally on my business cards.

Mark Wojtasiak

Could be guru. Guru is another good word.

David Spark

How do we feel about that term guru?

Mike Johnson

Oh gosh! The only people that give themselves that term are the ones that I’m concerned with.

David Spark

Well, it’s like influencer. You can’t call yourself an influencer. Someone else has to say it.

Mark Wojtasiak

That’s to coin you an influencer.

David Spark

If you say it of yourself, it’s kind of pompous.

Mark Wojtasiak

Yeah, I’m a security research and strategy guru. Like, no. I don’t think so. It’s like tsar, right? It’s the same sort of thing.

David Spark

Well hold it. Who do you know call themselves a tsar?

Mark Wojtasiak

Oh, I don’t know. I haven’t that term since like the Clinton administration.

Closing

00:30:17

David Spark

I used it. I’ve got no problem using it again. Alright, I think we’ve exhausted this topic right here. I think that we’re close of this very show and I want to thank my guest Mark Wojtasiak who, by the way, he has a “J” in the middle of his name. Don’t let that confuse you. You don’t pronounce the “J.” But I’m gonna get to you last Mark. You get the last word here. But first, let me thank your company Code42 for sponsoring this very podcast and just being a phenomenal sponsor of the CISO series in general. We greatly appreciate it. For more, you know what you can do, just go to code42.com. But you’ll give us more instructions in just a second. Mike, any last thoughts here?

Mike Johnson

Mark, thank you for joining us. What I really liked was you kept coming back to how the CISO relates to the business and the criticality of that and how it really ties into the success of the security organization of that leader themselves and I like how you kept coming back to the importance of a seat at the table. And the one thing that I really kind of took note on and wanted to come back to was your point about security needing to be more collaborative and you’ve made mention about the security team needs to be more visible. There’s really a lot of that reminder that folks need is don’t go hang out in the basement, get out there, be involved, be in front of the business and it’ll really help you be successful and it’ll help the company be more successful. So, thank you for that reminder and giving some really great examples for folks.

David Spark

Mike, what’s more visible than a tsar?

Mark Wojtasiak

A guru.

David Spark

A CISO point Mark.

Mark Wojtasiak

A CISO with a hat.

David Spark

A CISO with a hat on Halloween, of all things. Alright, Mark, by the way, I always ask our guests, are you hiring? Are you hiring?

Mark Wojtasiak

Oh, we’re always hiring.

David Spark

Always hiring? Everyone’s exploding. This whole business is exploding and people with their security teams are exploding. Any specific pleas or offers you have for Code42 Instructor for our audience, let’s hear it and anything else you’d like to say, let’s hear it.

Mark Wojtasiak

No, I want to thank both of you again. I always enjoy coming on and having these conversations and fresh banter and shooting from the hip from time to time. You know, I think we’re really passionate about what we do at Code42. I think our company purpose is to secure the collaboration culture and we take that to heart, right? We believe that in this day and age the best companies are the ones that are collaborative companies across all lines of business and in our approach to securing data in those cultures is different and unique and our approach to security is rooted in how we practice security at Code42, with Jadee at the helm, and we’ve taken a lot of that and applied it to how we think about product and how we think about helping security teams build their brands and reach across the lines and form relationships with the business and it’s a passionate, passionate subject for me and I believe education is a big piece of that. Employee education is a big piece of that. So, not only a seat at the table, but an opportunity with Code42 Instructor, combined with Code42 Insider, to really build out a risk management program that is designed for the way businesses operate today.

David Spark

Excellent. More at code42.com and guess what, it’s spelled just like the way you hear it. I mean, do you happen to own the domain name codefortytwo.com?

Mark Wojtasiak

I believe we do. I’m not sure, but I think we do.

David Spark

Well, it’s code the number 42.com.

Mark Wojtasiak

It’s 42, yes. Somebody owns it now. The Hitchhiker’s Guide, that man.

Mike Johnson

Make sure that they own it before this episode airs.

David Spark

That was Mark Wojtasiak, who currently is the Vice President of Research and Strategy at Code42. I am going to be putting a pitch in to make you the tsar or guru– I’ll let you choose– over at Code42. I think it would be a much better title for you. Thank you Mark, thank you Mike. Thank you our audience as well. We always appreciate your contributions and you’re listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Security Vendor Relationship podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.