It Sure Is Fun to Complain About Security Vendors


Next time you’re annoyed by a security vendor’s pitch, instead of firing back at them about what an idiot they are, or complaining about it on social media, why not see if you can find a friendly manager at the vendor company and explain what happened so they can actually address the problem appropriately?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Rob Suarez, CISO, BD.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Trend Micro

Trend Micro
Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more!

Full transcript

[Voiceover] What I love about cybersecurity. Go!

[Rob Suárez] What I love about cybersecurity is working in healthcare and protecting what matters most to society, and that is patients – their safety, their privacy, and oftentimes, some of the most vulnerable moments in their lives.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And joining me for this very episode is Mike Johnson. Mike, your voice, what does it sound like?

[Mike Johnson] It sounds a lot like this with maybe a little bit more caffeine. Or less.

[David Spark] You know, I recognize that voice because I’ve heard it a lot. For, in fact, four years I’ve heard this voice.

[Mike Johnson] Four years, same voice.

[David Spark] Four years. I cannot get over that. That’s great.

[Mike Johnson] Amazing.

[David Spark] This all started me taking you out to lunch and dropping the idea of, “Hey, what do you want? You want to do a podcast with me?”

[Mike Johnson] Why not?

[David Spark] And you thinking, “This guy. I do not know about this guy.”

[Mike Johnson] This guy. This guy.

[David Spark] [Laughter] We’re available at CISOSeries.com. That’s where you can find this show and all the other shows on the CISO Series network. Our sponsor for today’s episode, who has been a great sponsor since really practically the beginning of our show, and that is Trend Micro, and they do a lot of things, and we’ll hear more from Trend Micro later in the show. But at this moment, I’m going to give the audience a little behind the scenes as to how this show gets produced.

[Mike Johnson] The magic.

[David Spark] The magic, if you will. We always have just a quick banter for just a minute at the very beginning of the show. And what I do is I always say to Mike, “Mike, give me something. What are we going to banter about this first minute, opening minute of the show?” And you know what Mike does? He provides absolutely zero help.

[Mike Johnson] I stare blankly, and then David figures it out. It works every time.

[David Spark] It does work every time, I must say.

[Mike Johnson] Every time.

[David Spark] Like you said, you are my muse and that’s your…

[Mike Johnson] Absolutely.

[David Spark] …complete blank stares of, “Gee, I don’t know.”

[Mike Johnson] It works.

[David Spark] And I finally figure it out.

[Mike Johnson] It works every time. It’s a great recipe.

[David Spark] So, just so the audience knows, Mike’s help is no help, which is actually some help.

[Mike Johnson] It’s all of the help. It works every time.

[David Spark] Let me ask you – is this how you run your cybersecurity department? Someone from your team comes to you, goes, “What are we going to do in this situation?” You go, “I don’t know,” and then they figure it out?

[Mike Johnson] It’s amazing. It’s called active listening, David.

[David Spark] Yes?

[Mike Johnson] You listen, and they walk themselves through it, and then they figure it out.

[David Spark] Figure it out.

[Mike Johnson] Every time.

[David Spark] Do you know what you are? You are like kind of the opposite of the cooler. You know the concept of the cooler at the casino, who just kind of he’s just sort of walking bad luck, and he makes everyone lose at the casino? You’re the equivalent of the walking good luck, the opposite of a cooler.

[Mike Johnson] Exactly.

[David Spark] In that you don’t have to do anything. Everyone wants to know your secret, Mike.

[Mike Johnson] It’s just innate. It’s just who I am.

[David Spark] It’s impressive. And by the way, when people constantly ask about the path to a CISO, I want to know the path to the do nothing but just have that aura of having an effect on everyone on the team. That is the skill we all want to pull off.

[Mike Johnson] Project positivity, David.

[David Spark] Because by the way, I have an amazing skill at doing nothing. I do it quite well. All right. Let’s get on to our show and bring our guest on. Very excited. This was a long time coming and thrilled that he’s joining us. We had a little bit of some setup issues but we’re now in great shape actually. It is the CISO for BD, Rob Suárez. Rob, thank you so much for joining us.

[Rob Suárez] David, thank you so much for having me.

There’s got to be a better way to handle this.

3:46.994

[David Spark] Former NSA Director Keith Alexander called cyber espionage, “The greatest transfer of wealth in history.” “Cybercrime costs the US economy over $100 billion per year, and cost estimates of intellectual property theft surpass $250 billion per year,” said Amit Yoran, CEO of Tenable, in an article on LinkedIn, arguing that due to new pressure from the Securities and Exchange Commission here in the US, companies will have to disclose their cybersecurity policies, procedures, oversight, and governance.

Now, companies’ security programs have lived in so much secrecy for fear of revealing any information that could give attackers a leg up. But at the same time, public companies have a responsibility to shareholders and cybersecurity is a real business risk. Already we’re seeing a lot of pushback on the SEC’s proposed rule. Mike, I’m going to start with you. Where could we possibly draw the line of what can be known to the public, but at the same time not offering insight to the attackers? Does that line exist? And by the way, a quick tip of the hat to Jesse Rosenbaum of Varonis for bringing this article to my attention. What do you think? Is there a line?

[Mike Johnson] So, real quick, I want to address one of the things that I’ve seen about this regulation that people are talking about. And the first is the SEC is there to protect the shareholders in the company. They’re not there to protect the general public. So, anything that they’re doing regulatory-wise, it’s for the shareholders of publicly traded companies. But to your question about the line – I don’t know how much detail is really going to be expected. If you look at one of the other areas that the SEC regulates, and a regulation that they carry forward, shepherd, is Sarbanes–Oxley. And that doesn’t require companies to dump their entire secret of how they run their business, of how they run their sales or revenue organizations.

It’s all about accounting, how do they have confidence in their numbers. I would imagine we’re going to see something very similar here, where what they’re going to look for from a policies perspective is are they rational, and maybe there’s some third party attestation requirement. We’re audited by a company who looks at all of our financial records, and they essentially sign off. They’re not, again, dumping the full details of that. It wouldn’t surprise me if we saw a world where there is some level of third party audit of policies, that there’s an attestation, “Yeah, yeah, these make sense.” That seems like a more reasonable path than just dumping the entirety of policies that no one’s going to be able to do anything with anyway.

[David Spark] Rob, I throw this to you. So, let me throw out – what level of transparency are we talking about though? Like, give me an example.

[Rob Suárez] Yeah, an example of this is we’ve launched the BD cybersecurity trust center, so you can find that at cybersecurity.bd.com, and this gives our customers a single source of BD cybersecurity content and information. Because new threats emerge daily in the healthcare industry. And when vulnerabilities emerge, whether it’s in our products or in a third party component, we share that information on the trust center and provide guidance so our customers can manage potential risk properly. So, I’m not surprised by the changes like the proposed SEC rule. What people may not know is that public companies are already required to disclose material cybersecurity incidents. And the proposed rule would require public companies to disclose material cybersecurity incidents just more rapidly, within four business days.

[David Spark] Right. But sometimes they don’t even know, that’s the sad reality of it all.

[Rob Suárez] Yeah. Absolutely. Also this is mandatory, it would be mandatory, ongoing disclosures. And when we’re talking about the new proposed SEC rule, we certainly want our board of directors as well to be well-informed and prepared for these types of disclosures.

Let’s dig a little deeper.

8:07.207

[David Spark] A recent Health ISAC report details threats specific to the healthcare industry, but it pretty much sounds like what everyone else is dealing with – ransomware, phishing, third party breach, data breaches, and insider threat. But healthcare has a collection of sensitive data other companies don’t have, such as medical records – we just discussed this, Rob – which even a partial one can fetch as much as $50 per record. And then there’s the issue of internet-connected medical devices being manipulated. Rob, what makes medical establishments an attractive target? I’m interested to know about that. And then why are medical records valuable? And outside of havoc, is there any other purpose of tampering with medical devices?

[Rob Suárez] The perception that these criminals prey on is that a healthcare organization would pay a ransom because of what’s at stake. And so again, this is really a reason why cyber attacks in healthcare are increasing, and healthcare is a target for these types of attacks.

[David Spark] That’s a good point. Okay. So, how are you using industry-specific information to make better security decisions, but specifically, among your other sort of people in the healthcare community?

[Rob Suárez] So, David, the communication goes both ways. In some cases, it’s us leveraging resources and information from CISA or our H-ISAC and the Healthcare Sector Coordinating Council. In other cases, it’s BD as well sharing that information with industry. Our environment is so complex and multi-stakeholder, I see the healthcare industry building a really robust community of practice with the help of the H-ISAC and Healthcare Sector Coordinating Council. And at BD, we work together with customers, regulators, security researchers, and other medical device manufacturers. In fact, we share our cybersecurity framework publicly on our trust center so that other medical device manufacturers can borrow from and utilize in their own organizations. And so we also participate in industry working groups in partnership with FDA, with the Healthcare Sector Coordinating Council, and CISA as well to share these best practices.

[David Spark] Excellent. Mike, you don’t work in healthcare, but you have employees with health records, don’t you? Do you have to worry about that? A regular company that… Or you’re not holding health records so that doesn’t become your issue? I don’t even know.

[Mike Johnson] So, we try very hard to not hold those health records.

[David Spark] That’s good.

[Mike Johnson] Because that brings a whole level of additional risk, and there are companies that this is what they do. They’re better at protecting that type of data, and they’re also generally the companies who are responsible for the health insurance of our employees, so it’s nicely compartmentalized. But you could think of it as risk transference at the end of the day. If we did it ourselves, if we collected all that data ourselves, that’s then risk that we have to deal with. Or in this case, we transfer the risk into the hands of someone who can hold onto it better than we can.

Sponsor – Trend Micro

11:24.000

[Steve Prentice] Everybody knows the name Trend Micro, but sometimes a brand sticks in memory representing a certain single area of expertise, and so it’s a good idea to check in once in a while to see what else they’re up to. Mike Milner is Head of Product Management for Cloud One at Trend Micro.

[Mike Milner] So, Cloud One is really a platform for cloud security, and at its core, you’ve got our Cloud One Workload Security which has been number one in market share for over three consecutive years as reported by IDC Worldwide. And surrounding that as part of the Cloud One platform, we’ve added additional capabilities to help with container environments across Kubernetes in the cloud or on prem. We’ve added capabilities of monitoring cloud environments with cloud security posture management, we’ve extended our reach into actual cloud services with our Cloud One file storage security, protecting your cloud object storage against malware. And we continue to push this envelope, expanding into your development environments, looking at open source vulnerabilities, and really continuing to evolve our platform as your IT environment evolves in the cloud.

[Steve Prentice] So, in a sense, Mike’s company has a very simple mission.

[Mike Milner] Trend Micro’s mission is to make the world safe for exchanging digital information.

[Steve Prentice] And as new trends appear?

[Mike Milner] We follow those trends to make sure our customers are secure.

[Steve Prentice] For more information, visit trendmicro.com.

It’s time to play “What’s Worse?”

12:59.110

[David Spark] All right, Rob. You know how this game is played, right?

[Rob Suárez] Kind of.

[David Spark] Well, the title kind of gives it away.

[Rob Suárez] I think I play it on a daily basis.

[David Spark] [Laughter] Many security professionals do. What it is is I’ll give you two horrible scenarios, but I start with Mike, he answers first. These are given to us by our listeners. They send in these fantastic bad scenarios. You have to decide of these two crappy scenarios, which one is worse? In a sense, which one is higher risk of the two? All right. So, Mike, you’re answering this one. This comes from Jim Nitterauer of Graylog, and he gives the two scenarios. One – a vulnerability scan shows that thousands of devices in a critical production environment are running deprecated OS versions and haven’t been patched in years. The team that owns these systems has no plans to patch, claiming that the environment is locked down and virtually impenetrable. I’m sure you’ve heard that before and you believe it, correct?

[Mike Johnson] Oh, yes. Oh, yeah. Every time, yep. Totally buy it.

[David Spark] Or – here’s situation number two – an assessment of end user devices revealed there is no centralized device management, so end user devices are poorly controlled with terrible inventory management, no configuration control, and no EDR. This company has no centralized corporate network and considers themselves to be 100% cloud-based and cloud first. So, which scenario is worse?

[Mike Johnson] So, on the one hand, you’ve got an environment, we’ll just call it legacy because everything’s deprecated, that is also your crown jewels. That’s the most important stuff. And in the other one, we don’t discuss the crown jewels, we don’t know what this is. We assume that it’s in the cloud. We’re not even talking about that; we’re talking about end user systems. We’re talking about the client systems. So, obviously, they both suck.

[David Spark] Right, right.

[Mike Johnson] The way that I think about this is which ones would I go and tackle first. That to me says that’s the one that is the biggest risk. That is the one that’s worse. So, for me, the one that is, “This is my crown jewels. It is unsupported, it is unsupportable. If something were to get in there, it’s game over.” That to me is the bigger risk. I’ve seen those environments where they claim that they’re closed off. I’m happy to tell a story about forklifts at some point related to that. The other side, it’s the client systems, that’s absolutely problematic, that needs to be addressed. But the worst one in these two is the critical environment with unpatchable systems.

[David Spark] All right. Rob, do you agree or disagree with Mike? And by the way, no pressure, I love it when guests disagree with Mike.

[Rob Suárez] I disagree. No, I was kidding.

[David Spark] Great. Oh! Oh, yes! No, I thought you would agree. Yes?

[Rob Suárez] Actually, I agree. David, this was an easy one, actually.

[David Spark] Because I think it falls on the unpatched systems, that’s a giveaway.

[Rob Suárez] Yeah.

[David Spark] Whenever there’s something unpatched, it’s like I want to stay as far away from that as possible.

[Rob Suárez] It’s toxic.

[David Spark] I mean, antiquated. Not just unpatched but antiquated.

[Rob Suárez] Yep.

[David Spark] Patching is doable, but it’s the antiquated.

[Rob Suárez] I think Mike hit the nail on the head. Neither situation is ideal and without more information, I would say the key thing here is business critical applications, business critical. Because in healthcare, business critical is about delivering care to patients. So, that to me is on the top of our priority list. And it’s not a matter of if but really when. Not if we’re going to go fix an issue. So, that other issue with end user devices, that eventually will be fixed, it’s just a matter of when, and you have to prioritize. And if it’s something business critical in healthcare, to me, clear as day, we’ve got to go focus on that.

Can this be measured?

17:03.016

[David Spark] Why do some cybersecurity companies succeed, and others fail? Ed Amoroso of TAG Cyber and former guest of the show penned a great piece on DarkReading suggesting three predictors of cybersecurity success. He based this on his company’s review of 2000 cybersecurity startups. And those three predictors are, one, a belief system, why you’re doing what you’re doing without mentioning your product. Attention to design, this is number two, how elegant has every step of the solution, including the pitch, been thought out? And three, domain knowledge, founders have expertise in this space, not just a serial entrepreneur trying to capitalize on the next wave. So, Mike, I’m going to start with you. Do you think these three predictors ring true, of the companies you know that are successful today?

[Mike Johnson] So, I feel compelled to start with a disclaimer that I am not great at calling the winners and losers in our industry. Some companies…

[David Spark] We have discovered at the beginning of this show you’re not good at calling what we’re going to talk about at the beginning of the show either.

[Mike Johnson] Well, different boat. But sometimes companies I think are going to be awesome turn out to not find commercial success, and some that I think are duds just work out.

[David Spark] I will say I have this history of poor calling it as well.

[Mike Johnson] Yes. That said, I do like the list. I would reword them a little bit. I think the first one is really about passion. We talk about that a lot on this show. If the founders are not passionate about their product, why would I be? And so that first one is really important. The second, it’s around implementation. Is this a thing that I can actually roll out, if I can deploy it. If I can’t, then why would I buy it? Again, not going to be a successful company if you can’t actually deploy the thing. And then the third, there has to be a level of credibility. If I’m in a conversation with a founder about something they’re passionate about, something that they are trying to sell to me, and I know more about it than they do, that’s not really going a long way to establish their credibility.

[David Spark] It’s a red flag.

[Mike Johnson] Absolutely a red flag.

[David Spark] Let me throw this to you, Rob. Have you seen the situation where you talk to a company, from the outset, from whatever the marketing is, whatever you’ve seen initially, the picture like, “Oh, my God. This seems incredible.” And then you talk to a rep, a founder, whomever, and they’re like, “I don’t think they know enough about this, and I’m fearing there may be a lot of smoke and mirrors.” Have you run into this situation?

[Rob Suárez] Well, I can’t say that I’ve seen that particular situation, but I think what’s important for me when I’m talking to a vendor is that the vendor really recognizes our core mission as an organization. Winning in healthcare cybersecurity, I think of patients getting the care they need and when they need it. And if I can find a vendor that shares that and recognizes that vision and the importance of that, again, it’s extremely helpful.

[David Spark] And do you think they do a good job connecting that desire, your need, to their product? Because one of the lines that Steve Zalewski, who’s one of our co-hosts who used to be the CISO of Levi Strauss, he would always say, “How does this help me sell jeans?” And what you’re saying is kind of very similar but specifically, “How does this protect my patients?”

[Rob Suárez] How does this protect my patients? I think that’s a great way to put it. I mean, look, in healthcare, every hospital, every patient environment is different. We have hospitals with 10 to 15 connected devices per patient bed. Some of them with more than 350…

[David Spark] Really?

[Rob Suárez] Some of them with more than 350,000 connected medical devices at one time, yet 80% of hospitals report operating without a dedicated cybersecurity executive. And so this is the context which you work in in the healthcare environment. And our vendors, at this point, it’s not just a technology problem. We can’t just focus on the technology. We actually have to focus on the people as well. The people aspect or the cultural aspect as well is really a force multiplier to solve the problem.

[David Spark] Is there something, and maybe you can think about what a vendor has said to you in the past, is there something a vendor has said that said, “Yes. You get it,” and maybe you could echo that?

[Rob Suárez] Yes. I would say it’s great to see our partners focus on how to tailor their approach to this very complex environment that I just described with patients, homes, the pharmacy, these different working environments, these different medical devices as well that all look different, and all serve a different purpose. Some are directly connected to a patient, some are out somewhere else in a completely separate building, but both providing clinical functionality and benefit to our patients’ health. To me, the vendors that actually can recognize the specific nuanced needs and realize this is not just an IT problem, that cybersecurity in healthcare is actually a patient safety, patient privacy challenge as well, again, that to me is extremely helpful.

Are you ready to challenge Mike?

22:19.729

[David Spark] So, it seems, Mike, anytime a security vendor pitches you, they’re essentially challenging you as to whether you’re going to accept this pitch or whether you’re going to complain about this pitch. Because you have – correct me if I’m wrong, Mike – you have a history of complaining about vendor pitches. In fact, it’s kind of how we met.

[Mike Johnson] It is kind of how we got this whole thing started in the first place.

[David Spark] Yes. But it seems that now what I’m going to describe in just a second, it seems that you have turned a new leaf. Yes?

[Mike Johnson] It’s a leaf, yes.

[David Spark] It’s a leaf.

[Mike Johnson] Yeah.

[David Spark] It’s a leaf. All right. Let me describe what I’m talking about to everybody. So, what Mike did is he had a post that was titled, “The rant that wasn’t.” And you told the tale of wanting to post an annoying vendor outreach but instead you reached out to the CISO at the vendor and told them the story, thus allowing the vendor CISO to actually find the root of the problem and fix it. At the end, you realized your rant would have just resulted in a lot of complaining back and forth, while the outreach resulted in a positive solution fixing a broken process.

So, as I said, Mike, have you changed? Are you done complaining? Because I know that a lot of people are going to be very upset if you’re done complaining because it is your brand. By the way, I will say that’s a better technique than pointing out bad behavior to the individual who sent the message, I think also, because you’re not the manager. If you send it to the manager or someone with some level of authority, they can find out what’s going on and manage appropriately rather than you just pissing on someone for some matter. So, tell us the tale of why this came to be and yielded a positive result.

[Mike Johnson] First off, I hope that’s not my brand.

[David Spark] It’s not. I’m giving you a hard time. You know that.

[Mike Johnson] That’s not what I want to be known for.

[David Spark] No, it’s not what you’re known for. Let me say this, because when I discovered you, you were complaining a lot about vendors, and this was an issue that we described. And hence the original brand name of our network was the CISO Security Vendor Relationship Podcast because we really wanted to double down on this relationship issue with vendors, which was very contentious at the time. And I’m sorry, you were one of the people leading the charge, which you have softened considerably.

[Mike Johnson] Absolutely. And what I realized at the time, and this is an evolution of that, is I can either be out here complaining, or I can try and help fix it. And this is a continued evolution down that path of taking a step back and saying, “How can this help? What can be improved here?” And in this particular case, this was I reached out to a Slack community that I’m a part of, and I was like, “Blah, I’m really mad, blah-blah-blah.” And someone was like, “Hey. Maybe the CISO over there would like to hear about it.” I thought, “Wow. Yes.” And that really, just that one question changed the whole perspective on this. And then when I reached out to the CISO, we had the conversation. They were like, “Wow. Didn’t even know this was going on. Let me get connected to the right people, figure out what’s happened.” And they actually, like, there was a positive improvement that came out of it. Not only did this particular situation get addressed, potential future situations aren’t going to happen as a result.

[David Spark] Right, right. Because you’re dealing with a core problem. Rob, I’m going to throw this to you and say – I’m sure there’s things that irritate you. Do you take a step back and go, “Wait,” instead of just whining and complaining? And again, I don’t know if you’re nearly as good a complainer as Mike is, because he is kind of a pro at this.

[Mike Johnson] A plus.

[David Spark] What do you think can be done, and maybe you have done it, to improve a situation rather than whine about a situation?

[Rob Suárez] First of all, I’ll start off by saying I don’t think Mike is a complainer. I think he’s got a point here.

[Mike Johnson] Thank you, Rob. Thank you.

[David Spark] Wow. Rob, you’re not helping me at all.

[Rob Suárez] Sorry. Sorry, I don’t mean to take sides. But it’s easy to focus on all the problems that we deal with because the reality is that we’re dealing with a human problem. Humans are fallible and humans write technology and so therefore, technology will always have vulnerabilities, it will always have weaknesses. And over time, software is like the human body, instead of aches and pains, it develops more and more vulnerabilities. And so it’s just this perpetual growth of vulnerabilities and risk that we deal with and we’re in the business of calling people’s babies ugly. So, for me, it’s actually about changing the perception of cybersecurity, the culture of cybersecurity, and being cybersecurity is actually an enabler. We allow the Formula One race car to move with speed and precision because we’re like the brakes on that Formula One race car.

[David Spark] Yes. We all well know the metaphor. Let me ask a question for both of you, and I’ll start with you, Rob. Do you like it when your staff points out your mistakes?

[Rob Suárez] Oh, I love it. I’m grateful for it, actually, frankly. Because I just said humans are fallible, and I’m included in that too, actually. I’m as fallible as the next.

[David Spark] By the way, I will say evidence, as I’m watching Rob, he is actually human, for those people who…

[Laughter]

[Rob Suárez] And so I love it, actually, really. That’s our job. We also have to watch ourselves as well.

[David Spark] I will say this. One of our producers, Aaron, is listening, and he’s pointed out my mistakes too, and I greatly appreciate as well. He’s shocked. Mike, do you like it when your staff points out your mistakes? By the way, do you let them know, “Thank you so much for pointing that out for me”?

[Mike Johnson] Every time. Because if it’s something that you like, you should encourage it, and a way of encouraging is to say thank you. So, absolutely. If someone points out, “Hey, eh.” We have the conversation, I learn more, “Tell me more about it,” and I thank them. It’s part of being human, frankly.

[Rob Suárez] Yeah. David, you have to appreciate here cybersecurity is all about vulnerability. And it’s not just in the technology, it’s in the humans as well. And so I think this is such a humbling industry too, right?

[David Spark] Yes, yes. No matter how high you’re up, one incident can happen and can bring you crashing down.

[Rob Suárez] Yeah.

[David Spark] Yeah. Anyone can get humbled very, very quickly. You know who kind of avoids the humbling? It’s the people who just act as consultants or just act as sort of speakers on the circuit, or just advisors. They don’t have to literally face real risks often, and therefore, they avoid a lot of these humbling experiences, don’t they? That’s where we all want to end up, isn’t it?

[Mike Johnson] I recognize that there’s a joke, but I don’t think so. There’s a responsibility that comes along with our roles.

[David Spark] Yes, yes, yes. But we have seen this where, and this is kind of just in generically, when people retire they kind of turn into an advisory role…

[Mike Johnson] Sure, yes.

[David Spark] …or they start to move their way and to retire. And this is in all businesses for that matter, not just cybersecurity. Where essentially you hand off your knowledge without having to take the pressure and the risk of doing the job.

[Mike Johnson] Yeah, and that’s really key. The responsibility that we have comes with a certain amount of pressure. And over time like, “Nope, I think I’m done with this pressure. I’m happy to hand it off to someone else,” and that means handing off the responsibility.

[David Spark] But you have absorbed all this knowledge and there’s no reason to not partake in some way.

[Mike Johnson] That’s all about helping.

[Rob Suárez] Yeah. And you know, David, you raise a great point. I think having an external partner, a vendor, or a consultant doesn’t relinquish accountability. It’s one of the reasons why I think if you’re working with a third party, to make sure that third party shares the same values and principles when it comes to cybersecurity as your own organization.

[David Spark] Excellent point.

Closing

30:39.482

[David Spark] Well, that brings us to the very end of this episode. Thank you very much, Rob Suárez, who’s the CISO of BD, you get the very last word here in our discussion. And one of the questions I always ask my guests is are you hiring, so make sure you have an answer to that. I want to also mention our sponsor Trend Micro. Trend Micro has been a spectacular sponsor of the CISO Series, and we continue to appreciate their great support. So, please check them out. If you’re not already aware of them, they’re at trendmicro.com, not hard to find. It’s spelled the way it sounds, unlike many cybersecurity companies. Mike, any last thoughts?

[Mike Johnson] Rob, thank you for joining us. It was a pleasure sitting down and listening to your passion about patient safety, the security and the privacy of the patients that you’re taking on responsibility for as part of your industry. So, your passion really came through, and I appreciated the opportunity to learn from that. There’s a couple of tips that I wanted to call out specifically for folks. One was your point in the last episode about we’re in a humbling industry. Absolutely. People really need to remember to remain humble. That is so crucial in getting through the day to day of security.

But the other was maybe a tip to the vendors out there. You had said that the folks that you’re working with, the vendors, they need to recognize the core values, the core vision of your organization. And if they don’t do that, you’re not going to work with them. So, that’s true for anyone. So, for the vendors out there, if you’re trying to make a sale or a pitch to a company, understand that company’s values, and it’ll go a long way towards giving you an opportunity for that conversation. So, Rob, thank you for those tips. Thank you for sharing your passion, I really appreciate it. Thank you.

[David Spark] All right. Rob, you get the last word, and remember – we always ask are you hiring.

[Rob Suárez] Well, David and Mike, thank you so much for this opportunity to talk to both of you. I really enjoyed this conversation and to the most charming and humorous individuals I’ve spoken to in a while. So, again, I appreciate this opportunity. I want to use the opportunity to actually just emphasize here and reiterate – in healthcare, cybersecurity is really about patient safety and patient privacy and global health. There’s a patient at the end of everything we do in healthcare. And so to me, it’s one of the most rewarding experiences working in healthcare and cybersecurity, a rapidly growing industry that is healthcare and cybersecurity.

And we are hiring, by the way, so I encourage you all to reach out as well if you’re exploring new career opportunities. And I do think this is an opportunity as well to focus on diversity and inclusion in identifying individuals from various backgrounds and building them up and upskilling them to join the cybersecurity workforce, given the significant gap that we have as an industry in getting talent. So, anyways, a great opportunity, and I had such a great time talking to both of you. Thank you so much.

[David Spark] You are very welcome. So, a huge thanks to Rob Suárez, to Mike Johnson, to our sponsor Trend Micro. And thank you, everyone, as always, for participating, not complaining. Mike really is not complaining, I like to give him a hard time, he’s a reformed complainer, he is. We appreciate you also listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Series Podcast.