It’s a Great Job, But I’m Alone and Terrified

First job out of college and you get the cybersecurity job of your dreams… and nightmares. It’s just too much, and you definitely don’t have the experience to handle it all.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Rick Doten (@rick_doten), CISO, Carolina Complete Health.

Check out Rick’s YouTube channel with the CIS Critical Security Control videos.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Kenna Security

Kenna Security, now part of Cisco, is the pioneer of risk-based management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most.

Full transcript

[Voiceover] Best advice for a CISO. Go!

[Rick Doten] Have script writers on your staff. Whether it’s PowerShell, or Bash, or Python, or Perl. Script writers are really handy to have around, and they’re good utility infielders to get things done.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. It’s weird to say it like that, Mike. I’ve been so used to the much longer name, but I know we’re already a month and a half into the new name. My name is David Spark. I’m the producer of the CISO Series. Joining me, my cohost for this very episode, you may know him since day one of this show, Mike Johnson. Mike, the sound of your voice might be something like what?

[Mike Johnson] Since back when our name was really, really long and difficult to pronounce all in one phrase, so I’ve been here the whole time. I’m still here.

[David Spark] You know what? I have had no problem saying it.

[Mike Johnson] [Laughs]

[David Spark] But pretty much no one else said it correctly.

[Mike Johnson] Yeah, it’s a lot of words.

[David Spark] It took me a good three and a half years to say, “David, time to change the name.” Our sponsor for this very episode has been a phenomenal sponsor over the years. That would be Kenna Security. And Kenna Security, they are now part of Cisco. And one of their founders, Ed Bellis, has told me that I and CISO Series should take full credit for them getting acquired by Cisco. So, that is what I am doing.

[Mike Johnson] Did that credit come with a cut of the purchase price?

[David Spark] No, that’s where it falls short for me.

[Mike Johnson] Close enough. Close enough.

[David Spark] It does fall short. Anyway, Kenna. You may know them. They are vulnerability management experts, and we will be talking with them later in the show. But first, Mike, we were debating what we were going to banter about, and one was the fact that this episode is dropping right after Tax Day. And the other was…

[Mike Johnson] Oh, yeah.

[David Spark] …to discuss my cool new background light that does all these new colors and all these special effects. And I think we’ve agreed that both discussions would be incredibly boring for our audience. Are we in agreement there?

[Mike Johnson] Those are amazing discussions for our audience. We can talk taxes or something that they can’t even see.

[David Spark] Taxes, one thing neither of us have any expertise in.

[Laughter]

[Mike Johnson] Yes, let’s definitely discuss taxes.

[David Spark] Neither of us have expertise. And in combination with that, whatever expertise we have we’re saying after Tax Day, which is even worse. Or actually probably pretty good because…

[Crosstalk 00:02:33]

[David Spark] …you don’t want our advice before Tax Day.

[Mike Johnson] Right.

[Laughter]

[Mike Johnson] Yeah, best to listen to our advice now rather than a few days ago.

[David Spark] This is an impression of me doing my taxes every year. Uh, I think I’m doing it right.

[Laughter]

[David Spark] That’s pretty much how I approach taxes. But I got an even better accountant this year that I’m very happy with. Moving on to that. Let’s just bring in our guest. Let’s not waste any more time that nobody wants to hear anything about. Very excited to have this person because they are a frequent podcaster themselves, and sadly has not been on our show. But we’re remedying it right this very second, Mike.

[Mike Johnson] Fixed. Fixed. Problem solved.

[David Spark] Problem solved. Easy as that. It is the CISO of Carolina Complete Health, Rick Doten. Rick, thank you so much for joining us.

[Rick Doten] Thank you for having me. I love to talk, so I feel like I’m in the right place.

Could this possibly work?

3:29.958

[David Spark] “Is it possible, feasible, practical to run a security program entirely based upon free and open source software, open source tools, and open source intelligence,” asked Rafiq Reiman [Phonetic 00:03:50] on LinkedIn. So, I ask the same question to you, Mike. Can you do it?

[Mike Johnson] I think this is one of those really interesting thought exercises. It’s absolutely possible. But when I think about it, it’s a lot like several of our “what’s worse” questions of would you rather have a great team and no budget or a huge budget and no team. And this is kind of the you have a great team and no budget, what do you do with that. So, I think it’s possible. You’re going to have to invest a lot of people in it. That’s the flipside of it is…

[David Spark] But I will mention that when we have that question, you usually lean on great people, no budget, yes?

[Mike Johnson] I do like… Again, in the “what’s worse” world…

[David Spark] In the “what’s worse” world…

[Mike Johnson] Then I do lean towards having great people. And I think in this situation of can you make it happen, yes. I don’t think it’s ideal. I do think a mix between open source tools, the right open source tools, along with some…in some cases there’s commercial services, commercial products.

[David Spark] I know, but that’s not the question here. I want to know how much heavy lifting you would have to do to make this happen.

[Mike Johnson] I answered the question when I said that yes, it is possible. But it really does come down to a people investment to really make it sing. As long as you can make the people investment, absolutely you can make this work. The flipside I would say is if you are just getting started, if it’s a company that’s just starting a security program, or a startup, or something like that, don’t go out and invest millions of dollars in an off the shelf security solution. You can get a long way with open source tools. So, another way of thinking of it is an immature security program can get a lot of value out of open source. As you move up the maturity scale, you’re going to want to add and mix in more and more commercial products.

[David Spark] Good way of thinking of it. Rick, it’s a lot of head nodding going on on your side. So, you feel you can do it, and how much of this have you done yourself?

[Rick Doten] Oh, yeah, definitely. When I was a CISO nine years ago, it was just two of us – me and my friend, Chris Gayle, who is a brilliant hacker and developer. And we pretty much…he pretty much put together a lot of things. So, I think that it’s something that you can do. I like the idea of kind of crawl, walk, run. Like get a feel for the kind of things you need using free tools. Get a feel for what kind of visibility. And then if you find the expensive tool to do that that has these features… Because also you’re going to learn a lot. It’s kind of like playing video games. It’s like you have to go through all these smaller fights to get to the boss battle. And you know what techniques you need to do. So, by going through that process of knowing what you like and what you don’t… Because if you just start from scratch and say, “All right, I was a first CISO, and I’m not just going to sit there and go through the Sears catalogue of, ‘Hey, I need a web gateway, an email gateway. I’m going to pick this, and I’m going to pick that.’” Then I don’t really know what I need. So, that’s why I think it’s an important step to go through, but I totally agree. You’ve got to have the right people.

[David Spark] That is a really, really good point that you can’t be a smart buyer unless you go through open source. Is that really what you’re getting down to, Rick?

[Rick Doten] Yeah, exactly. Or not even just… And yes open source. But if you have some other experience with it… Because if I like said, “I’m going to buy a CASB tool…” Well, okay. Well, I can kind of do some certain things myself and then figure out what I want to see and what I want to know. And then when I talk to vendors then I’m like, “Oh, I really like the fact that you have enumerated all the security features of all of these Cloud programs, so I don’t have to do that.” Because that took me a long time to do before by myself.

They’re young, eager, and want in on cyber security.

7:31.790

[David Spark] Information security analyst is number one. That according to US News and World Report’s best jobs for 2022. The role ranks number one overall in STEM jobs and technology jobs. On the plus side, it’s got a great job market and great future growth, and pretty darn good salary – a median of 103 K. But on the low side, high stress and poor work/life balance. So, I’m going to toss to you, Rick, on this one. Why do you think the magazine ranked this job number one? And given that it’s got great future growth, listener Samuel Rugi [Phonetic 00:08:13] asked, “How do you as CISOs expect this role to evolve?” And I’ll add and what can the cyber security industry do to double down on this good industry wide publicity. Because I think this is good publicity, and there’s this great desire to hire more talent. Rick, what do you say?

[Rick Doten] Oh, yeah. This is one of my favorite topics to talk about, and so I’ll try not to go on for 15 minutes on it. Yes, I agree it’s a good number one because it’s also a diverse role. Some people think the security analyst is in the security operations center. But it could be someone working with the GRC team, or it could be someone who’s working with the identity team. It can be anything, but it’s the first step in. And I would disagree that it’s like a STEM job. I have a degree in English literature. It’s all about aptitude and personality. And I don’t really care where you went to school, or what you did, or what certifications you have, if you have the right aptitude and personality, and you understand how to do pattern matching, and problem solving, and troubleshooting, and not give up quickly, I will take that way more than someone with a degree in some fancy school. And so… But this is the first stop. In fact we right now just today was talking to a cohort, a group coming out that we sponsored that were veterans that were being retrained to go into cyber security. And the things that we’re working on is like identifying those with the right personality to come in. But absolutely the security analyst is the right place to start.

[David Spark] All right, I like it. Mike, can you match Rick’s excitement on this topic?

[Laughter]

[Mike Johnson] I think the first thing I want to say is… And this will be a little bit of a downer is I think the reason why it’s number one is just some dispassionate algorithm in US News and World Reports. It’s really just it’s a highly paid position. The unemployment rate is very low. There’s a decent amount of openings. So, I think that’s why that’s… I think it’s actually a really cool job, too. I do think it is… Rick laid it out as diverse. I lay it and think of it as undefined. The term analyst doesn’t mean much. In the past, I’ve used it to simply mean they’re not a software engineer, and that was the way of breaking it down. It was the everything else, which is actually not a great way of thinking about it. Because it really does span so much. And as an entry level position and thinking of it that way, you can go anywhere. You can come and maybe you’re working on a SOC. Or maybe you’re working in a GRC team gathering evidence for compliance audits. It can be anything. It can go anywhere. And that’s the advantage of it being undefined.

[David Spark] Let me just also add… I want to know what can we do as an industry to double down on this really public publicity. To make number one in US News World Report is a big, big deal. What can we do? Also I’m going to add the way they describe it here in US News World Report is really tepid I think is probably the best word to describe the position. It’s a lot more than the way they describe it. So, Rick, you’re nodding your head. What can we do to take advantage of this great publicity?

[Rick Doten] We as an industry have unfairly made us intimidating to get into. And we watch Mr. Robot. We think that we have to have a STEM education or be good in math, and people just don’t think… It’s like, “Oh, I’m not smart enough to be a cyber security person because I’m not good at computers.” That doesn’t matter. Again, personality and aptitude. You’re familiar with the CATA test, which is a cyber security aptitude test at the US Military in the UK. The military used to be able to place people and understand their aptitude for cyber security. That’s available publicly now through an organization called Haystack. My friend, Doug Britton, runs that. And now you can have that available to people can kind of define where they fit and their personality of whether they’re good forensics people because they think slow, good operations people because they think fast, or certain types of detail oriented nature. But I think [Inaudible 00:12:13] to say, “Listen, have you wanted a new career? Let’s see if you are the right personality for it because you could be an artist or…”

My favorite story was like five years ago when the UK first was going to bring people into their military cyber program. They just put an open call cast to say, “Anyone who wants to take the test, if you score highest, you’re going to get a scholarship.” The top scorer that year was a janitor. The next year was a bartender. And so open it up and tell people that don’t be intimidated by it. If you really think this is interesting then we want you to come and give it a go. And going to kind of talk about what Mike was talking about, yeah, analyst is just one of those stages. You’re an analyst, or a consultant, or an engineer, or an architect. They’re just one of the stages, and you’re one, two, three of each. I swear it’s the HR departments in large organizations are the biggest limiter to finding people because to fill these certain slots in these certain paygrade, you must have these certain requirements that people don’t necessarily have. And we lose people who don’t have those requirements, but they’re perfectly capable of doing the job, and our competitors that get them or the bad guys take them.

[David Spark] All right, Mike, I want a quick answer from you. How are we going to double down on this big publicity?

[Mike Johnson] I do think we need to better define what an analyst is so that people actually know what they’re getting into. They know what their career path looks like. As Rick laid out, one path is…it’s a step on a career ladder. So, I do think we need to lay out better what it means so that people understand what is the expectations, what do they have to aspire to to get into the industry, and then what does it look like once they’re in, and how do they progress from there forward.

Sponsor – Kenna Security

13:50.246

[Dan Mellinger] In 2021, I think we had over 20,000 vulnerabilities registered for the first time. We broke 20,000 in a year.

[Steve Prentice] This is Dan Mellinger, who heads up communication for Kenna Security, now part of Cisco Secure.

[Dan Mellinger] No company has the resources to deal with that, so they need to know which ones to start with. That makes being able to, one, quantify and then just understand and cut through all of the noise and find that signal of what is posing an actual risk to your organization. It becomes more important, and it becomes much more important across all of your platforms. So, like your entire technology stack now, you need to be able to figure out what poses the greatest risk and how to action that. This applies to email, to people working at home, remotely phishing and human targets. Log4J was the recent big vulnerability that had remote code access from nearly anywhere. And this stuff isn’t going to slow down. It’s only going to pick up. But we have the tools. We have automation in place that can actually help people and companies take a much more proactive patch cadence, investigation, understand where the true fires are, and put those out instead of trying to do everything all the time which has been the industry norm for 30 years now.

[Steve Prentice] For more information visit kennasecurity.com.

It’s time to play, “What’s worse?”

15:23.250

[David Spark] Mike, I’ve got a question for you. Have you ever been in a scenario that is so horrible…? And, again, I’m talking over the past three years or so. And you’re thinking, “Am I on Candid Camera? Is this another ‘what’s worse’ scenario?” Have you had some sort of PTSD from “what’s worse?”

[Mike Johnson] So, some of them have hit a little bit close to home, yes.

[David Spark] Yes. [Laughs] There’s been a little bit of vibrating. “Why’d you bring that up, David?”

[Mike Johnson] A little bit of, “All right, so we’re going to do this now. Yes.”

[David Spark] Here we go. I got one from Mike Tulle of Blumira. And by the way, Rick, are you familiar with the “what’s worse” game?

[Rick Doten] I have now derived what it is based on what you’re talking about.

[David Spark] So, pretty much two scenarios. They both stink. You’re not going to like either one, but it’s a risk management exercise. And you have to determine which one is worse. But I always make Mike go first, so you get to agree or disagree. And I love it when you disagree with Mike. No pressure. Here we go. Mike Tulle of Blumira says, “You have an active attacker inside one admin account.” Already it stinks. “You currently cannot evict this person from this account. However, your team can limit their access to one of two options.” So, here are your two options. “They can take over all your DNS for 24 hours, or they can take over a single random executive account for 60 minutes. Which one is worse?”

[Mike Johnson] Oh, okay. So, the scenario is on the someone is in.

[David Spark] They got in.

[Mike Johnson] Now it’s what’s the worst of the two options. So, it is they have access to all DNS, can do whatever they want for 24 hours, or they can do whatever they want as an executive for 60 minutes. Is that kind of what we’re talking about here?

[David Spark] Yeah, that’s it.

[Mike Johnson] Hmm. So, if I think about these, it is what is the damage an executive can do versus what is the damage that one can do if they control DNS. And trying to set aside my current employer, which the DNS is clearly the worst of the two, I think even in your average company it’s being able to adjust DNS and route that wherever they want for 24 hours, that feels like the worst one where anyone visiting this company’s website is going to be redirected to wherever the attacker wants within the environment. They can redirect traffic wherever they want. They could actually probably using DNS take over an executive’s email account. So, I think ultimately there’s definitely damage that you can do when you’re able to impersonate an executive for 60 minutes. I think the long-term damage that one can do over taking over DNS, that’s probably worse.

[David Spark] All right. Rick, I’m throwing this to you. Do you agree or disagree with Mike? He says taking over the DNS for 24 hours is far worse.

[Rick Doten] So, I have to go to a standard CISO answer which is depends.

[Crosstalk 00:18:38]

[David Spark] No, no. Oh, you don’t know this game.

[Rick Doten] But I’m going to describe it. No, no, but I’ll describe it, and I’ll land on something.

[David Spark] Okay.

[Mike Johnson] All right.

[Rick Doten] And so, again, you asked to do it in a risk based manner, right? And [Inaudible 00:18:48] we kind of weigh these things, and we talk through them. And so in one case taking over an executive’s email… If the adversary doesn’t know anything and they’re very technical, they won’t know what to do once they have the executive account. They’re going to try to figure out, “Well, what’s important? How does [Inaudible 00:19:04] work?” And so they’re going to kind of fumble around, and they’re going to kind of figure it out. Unless it’s a targeted, well-funded adversary who knows exactly what they’re doing, and then that would be really, really, really bad.

[David Spark] Yeah, but you don’t know which one it’s going to be.

[Rick Doten] Right, you don’t know which one it is. It’s Schrodinger’s Cat. So, I would guess I would say that yes, DNS would probably potentially do… But then again it depends on the business that we have. Is that a bad thing to us if we’re not a retail shop it would be very, very bad. So, going back to where I’m going to land is I guess I would say I will have to agree with DNS because there are more likely scenarios that DNS would go bad than a scenario that if I had an executive account then I would be able to do worse things.

[David Spark] Let me alter the question just a little bit. You’re both agreeing on this. If it was a scenario like you described, Rick, where it was a targeted executive account, they’re going after a specific person… They know this person. They know who they are. They know their connections, all that. Would your answer and, Mike, your answer…would it change at all?

[Rick Doten] Oh, yeah. Absolutely.

[David Spark] Yours would change to the other. What about you, Mike?

[Mike Johnson] I think mine stays the same, but I think I would tweak the question a little bit. If you actually wanted to get me over to the other one, I think the way is if it’s actually an unsophisticated adversary. If it’s someone who doesn’t know what they’re doing.

[David Spark] Oh, then they wouldn’t know what to do with DNS, but they would know what to do with…

[Crosstalk 00:20:28]

[Mike Johnson] They wouldn’t know what to do with DNS, and as impersonating the CEO there’s actually some very logical things that you would do there. And there’s playbooks that work for any company. You don’t actually have to have the inside knowledge. I think there are reasons. To Rick’s point, it depends. But in the generic sense, DNS is just always a bad thing.

How would you handle this situation?

20:46.963

[David Spark] Recent college graduate just got a great cyber security job. Problem is the individual is all alone and is terrified. They have to do security audits on client sites, provide recommendations, and push security solutions. The person said there are other security people on different teams but doesn’t want to bother them. Now, on Reddit, the community came out in droves with one saying, “Go ahead and bug the other cyber leaders on other teams. They will probably be willing to help. If not, you should look for another job.” So, this is a really, really green person. And I’m going to throw this to you, Rick. How would you recommend this fresh graduate bite off what seems like an insurmountable task given his minimal experience?

[Rick Doten] Yeah. No, that’s a failure in management. I’ve been in this situation. I’ve managed this situation. And if you’re not walking in, having a mentor and have someone to be able to walk… Because this is a very big four accounting kind of thing where it’s like, “Hey, you’re smart. You have good grades. You came from a good school. Here’s a playbook. Go to this customer and then follow this playbook, and you’ll be fine.” That is awful. Shame on them, and this is what’s all bad in our industry. So, I would tell them to leave right away. Like you’re not in a good place. Find someone who understands, respects you, and will take care of you, and will mentor you because as having run consulting teams for much of my life I would never put somebody in that position.

[David Spark] All right, so your advice is run.

[Rick Doten] Yes.

[David Spark] Mike, what’s your advice?

[Mike Johnson] What I would suggest… First of all, my wife and I, we constantly joke about the dog who catches the car. You land a role, and you’re like, “Oh, crap. What do I do?” And I think we’ve all had that moment – wonder what you’ve gotten yourself into. But I really agree with Rick that there’s a failure of management here. If you’re hiring someone and not giving them a mentor, you’re setting them up for failure. They will never succeed. They might just quit. And so that’s really something that management needs to address. That said, to this person, if there actually are other folks that they can go and talk to, they should go and talk to them.

[David Spark] And that was the big advice on the Reddit thread, yes.

[Mike Johnson] No one is going to feel like they’re being bothered if someone who’s in their profession comes to them and says, “Hey, I need help.” They’re going to be there for them. They will give them that help, and they’re not going to think that it’s a bother. So, absolutely they should go and have that discussion, find their own mentor, and go from there.

[David Spark] Let me ask you. Have either of you have a panicked person call you and go, “Oh my God. I’m in over my head.” How do you talk them down from the ledge is really the question, Rick?

[Rick Doten] All the time. It’s like make them realize that they actually do know what they’re doing.

[David Spark] And how do you do that? That’s a good…

[Rick Doten] Yeah, so I had this… Like 18 years ago, I was running ethical hacking teams. And we… I vividly know this and remember this. And we were doing an Active Directory audit, and one of my hackers… I’m like, “Okay, here’s what you do. Just take a look at it. You know what would look good, what wouldn’t look good. Take a look.” And he goes, “Well, I’ve never done it. I’m not an expert.” Because they’re all perfectionists. And it’s like if I haven’t written a book on it, I don’t feel right doing it. And so I had to like calm him and say, “Walk through the skillsets that you have. This is what you’re going to do. Does this make sense? Do you see that you would add value?” And then once he got in, it’s like, “Oh, yeah. As soon as I looked at it I could see right away what needed to happen.” But it’s that transition from not doing to doing what they were most uncomfortable about.

[David Spark] What about you, Mike? Have you had that panicked call before?

[Mike Johnson] It’s usually it comes from someone who has taken a new role at a new company. Maybe we’ve known each other in the past, and so they’ve reached out and said, “What have I done?” And for me I kind of walk them through, “Well, what did you think you were going to do? What was your expectation coming into this role? And is that different than what you thought it was?” And if it’s different, that’s then a different discussion of first is Rick’s scenario of this person actually knows exactly what they’re doing, and they just need that reminder. And that’s where I start with those conversations is is this different than what you thought you were doing, and let’s go from there.

What we’ve got here is failure to communicate.

25:06.155

[David Spark] “Since security people don’t get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?” I asked this very question on Twitter, and here are some of the responses. Jason Kursted [Phonetic 00:25:31] of IBM said, “Point to the daily headlines and say, ‘See that? That didn’t happen.’ Well, to us obviously.” And Owen Curie [Phonetic 00:25:40] of Edge Scan [Phonetic 00:25:40] said, “Vulnerability metrics, mean time to respond, detection rate, ongoing improvement measurements.” I’m assuming to essentially promote those things. And Ad Hacking Your Life [Phonetic 00:25:53] said, “I report improvements on a quarterly basis against the same quarter the year before.” And last, Rob Barrons [Phonetic 00:26:00] of Cool Blue [Phonetic 00:26:01] said, “I put an X days without a breach slide in my report.” Now some of these are said in jest, but what’s your advice? And how important is it do you believe to make sure the rest of the company knows what the cyber security team is doing? I’ll start with you, Mike.

[Mike Johnson] I think I’m going to start with the I put an X days without a breach slide in everything. That’s just going to be on my presentation template going forward. I think that’s awesome. No, I think realistically this is one of those where you need to measure over time. You need to figure out what a baseline is, and then you can report how you’re doing against that baseline. And one of the things that we did November last year was we actually went to the company and asked them how they thought we were doing. And we’ve taken back that feedback. It’s in the form of an engagement survey. And you’re able to gather the sentiment, and that gives me the baseline of does the company know the job that my team is doing. And then I can go and tweak from there. I can go and say…from there determine we need to be more visible, or we need to be more…

Maybe there was something that we were blocking some projects, and we can learn from that. And all of that is really gathering the ground truth of what the rest of the company thinks we’re doing. And then you measure that again. We’re going to measure it again come the end of this year, and we’ll keep looking at that going forward and tuning and tweaking. So, that’s one way of looking at it. Another way is if you are in an environment that uses OKRs. I don’t even remember what OKRs stand for. But it’s a way of measuring programs, engineering efforts. And that’s a model that you can fit into. That’s then something that is already being reported on, get your metrics in there, show them over time. And that’s a ready made way of displaying how well the team is doing. So, use existing tools. Use what’s already there rather than trying to make something new for yourself.

[David Spark] Rick, I throw this to you. How important is it that the rest of the company knows how the cyber security team is doing?

[Rick Doten] So, I look at it is like qualitative and quantitative. And what, Mike, you described and what some of the examples were were like good, quantitative things that kind of measure stuff and [Inaudible 00:28:28] things. But it’s really this is a human comfort feeling is I want them to know that we’re on it. And that means that they need to understand that we understand the business. We understand what our threat landscape is. We understand our environment. We understand our adversaries. We understand our user base. We understand the dynamics of the different seasons and of different things and that they are comfortable. And so when they are comfortable to know that they can come to us and say, “What do we think this is,” or, “How do we address it.” And we of course execute on that by saying, “Hey, I heard we had this issue. What happened?” “Well, this happened. This happened. We figured this out. We isolated and fixed it. Great.”

That they don’t have to worry about it. So, it’s that comfort factor that they don’t have to worry where it’s like, “Are we going to catch that? Are we going to respond to that quickly enough? Is this going to impact business?” And so that kind of emotional aspect… And we all have done like the risk versus security discussion at the beginning of a presentation. One is a calculation. One is an emotion. This is where we kind of lean into the emotion. And, Mike, I appreciate what you said about asking what they want to see because it may not be what you think it is. And they’ll just say, “I just want to be comfortable. I just want you to comfort me and make me feel comfortable that this thing is happening or that this thing is not happening, and this is the way I want you to show it.” Great. I’ll give it to you that way.

[David Spark] What about just good old-fashioned shoutouts to the team? Because I think about this one manager who managed a finance department at a media company that I worked at. Nobody knew what the finance department was doing. Nobody could care less what the finance department was doing, to tell you the honest truth. But he really went out of his way to say, “Hey, let me tell you how awesome everyone is in the finance department and what they’re doing. Oh, that’s great.” And it was a really nice thing to do to acknowledge his own staff and just literally give some basic props. I mean I’m thinking simple things like that really probably go a long way. You’re nodding your head, Rick. Yes?

[Rick Doten] Yeah, certainly for team morale. Because a lot of us do this for the sake of doing it and for the greater good. It’s like, “Listen, I don’t care if anyone knows about it or if I take credit for it. I know this happened, and we did a good job. And that’s great, and we all feel good.” But then as a leader, I will totally give kudos and give all the credit to the team and make them feel good about that. So, yes. One of my funniest stories back when I was a consultant… This was like 15 years ago. I remember actually exactly who it was, and I’m sure he’s retired now. Gary Hodge was a CISO of US Bank in like 2005, and he always said…he goes, “If I get to the end of the year and I had a breach, they didn’t think I spent enough money. But if I get to the end of the year and I didn’t have a breach, they thought I spent too much money.” So, you’re kind of like in a catch-22.

[David Spark] Yes. [Laughs]

[Rick Doten] So, understanding that you’re in a no win situation is just, “Okay, how am I just going to make you feel comfortable? Because I’m not going to prove it with numbers.”

[David Spark] Mike?

[Mike Johnson] It’s interesting what you just said there, Rick, about you can’t prove it with numbers, and it really is about comfort. And I think that does apply to what you’re talking about, David, of the kudos for the team. Getting out there and being a cheerleader for your own team, speaking up in broad company wide communications, making sure that you’re giving credit to your own team. I do very little. My team does the work. And being there…

[David Spark] Do you make sure everyone knows that?

[Mike Johnson] I actually do. I try and make sure that… Again, it’s like giving credit where credit is due.

[David Spark] That I’m doing very little… I’m your boss. Just let me remind you. You’re working hard, but I’m doing very little.

[Mike Johnson] Yeah, that’s absolutely the communication on a one on one is like, “Hey, I’m just sitting here in my big chair. You’re the one doing all the work.” No, it’s really the…

[David Spark] Oh, you should have doubled down on that, Mike.

[Mike Johnson] …giving credit where credit is due.

[David Spark] [Laughs]

[Mike Johnson] No, I’m definitely not doubling down on that, David. Because that’s not what it’s about. It’s about giving credit where credit is due in the appropriate venues. And that’s a great way of helping with that morale. This is a thankless job, and being able to get in front of the CEO where your team is also hearing it and hearing that you’re giving them kudos, that goes a long way.

Closing [32:37]

[David Spark] And that brings us to the very end of this very episode. Thank you very much, Mike. Thank you very much, Rick. Now I want to wrap this all up, but first I want to thank our sponsor, Kenna Security. Kenna Security, also part of Cisco, for which we’re now taking full credit. Before Ed Bellis, one of the cofounders and CTO, said I wasn’t taking enough, so now we’re taking full credit for them getting purchased by Cisco. So, thank you very much for letting us do just that. It would have been nice if we got some of the purchase price, but we’ll take what we can get.

[Mike Johnson] We’ll take the credit at least.

[David Spark] We’ll take the credit at least. We’ll take that at least. But we thoroughly appreciate them. And if you don’t know, you can go find them at kennasecurity.com is where you can find them. Vulnerability management needs. Go check them out. Rick, I will let you have the very last word, but the question I always ask all my guests is are you hiring. So, make sure you have an answer for that question. Mike.

[Mike Johnson] So, Rick, thank you for joining us. At the end I usually try and go through, summarize my feeling of the conversation, and I’m having a hard time doing that because you brought so much. We were in so many different places. We were talking about building small teams with open source and how you do that, and talking about how you’re looking at how you can bring in veterans into security. So, it was just all over the map. So, really what I want to thank you for is the vast experience, and knowledge, and conversation that you brought to our audience so that they were able to benefit as well. And I also wanted to have one quick call out was you mentioned Schrödinger’s Attacker, which I love that concept. They don’t exist until they’re observed. I love it. I’m going to try and use it from here forward, so thank you for that little sound bite. But in general, thank you for joining us. Thank you, Rick.

[Rick Doten] No, my pleasure. Loved it.

[David Spark] Thanks for calling that out again, Mike – Schrödinger’s Attacker. Rick, so any last thoughts? You want to plug your organization? Are you hiring? Anything else?

[Rick Doten] Yeah, we’re always hiring. This is a… Until we get all these people into a pipeline into our industry it’s a zero-sum game, and everyone is poaching everybody else’s people. So, we are trying to get good people, and we’re going to try to treat them really well so they want to stay here. We have positions all over the place in all types of different roles. We’re building a very big IT center of excellence here in Charlotte, North Carolina as our East Coast headquarters, and so it’s a very exciting time for us. Otherwise the only other thing that I would say is I have a YouTube channel. You can go look that up – Rick’s Cyber Security Channel. And I’ve gone through the CIS Critical Security Controls because I was on the editorial panel and was part of release 8 this last year. And I’ve got the video for each of the different 18 controls and what changed between version 7, version 8, why we got rid of something, why we added something, and give a little detail about how we got to it. Because it was an enormous change, and I honestly kind of felt bad about it. So, I wanted to give more information to the industry.

[David Spark] So, if anyone is going to complain about it they should blame you?

[Rick Doten] Yeah. And I say that all the time. I’m like, “Listen, I helped make this decision, so I’m the one to blame if you don’t like it.”

[David Spark] And we’ve also had Tony Sager from the CIS controls on this very show, and he’s great as well.

[Rick Doten] Yes. Yes, Tony is a good friend.

[David Spark] All right. Well, thank you very much, Rick. Thank you very much, Mike. And I want to thank our audience as well. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.