It’s BAAAACK! The Return of “We Could Have Stopped That Breach”

The CISO Series network launched because of the irritation CISOs had with vendors claiming they could have stopped some breach that happened to another company. For a while that chest pounding subsided, and we thought we were making an impact, until Log4j appeared…

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Tim Rohrbaugh, CISO, JetBlue.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, CyCognito

By understanding risks, attacks, and behaviors from attack surface management data, CyCognito visualizes the pathways attackers will take to exploit your network, enabling you to see, understand, and eradicate the threat. CyCognito is the only cyber risk intelligence platform that visualizes attackers’ paths into your network.

Full transcript

[Voiceover] Ten-second security tip. Go!

[Tim Rohrbaugh] The term authentication gets misused. It gets comingled with something called identity verification. Identity verification is you proving you are who you say you are when you first establish a relationship. Then you negotiate how you’re going to come back. That’s authentication. So, you don’t want to give away personal details and things like security questions if they’re just asking you for another bit of information. Lie. Learn to lie.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. We used to be called the CISO Security Vendor Relationship Podcast, but now we’re just the CISO Series Podcast. Joining me is my cohost, Mike Johnson. Mike, make some noise.

[Mike Johnson] Ahhhh.

[David Spark] That’s him making noise.

[Mike Johnson] Was that what you were after?

[David Spark] No, not really.

[Mike Johnson] That was my screaming fans that are in the background as I’m recording.

[David Spark] I see nothing in the background as you’re recording right now, Mike. I see that metal cat you have in the background.

[Mike Johnson] You’re blowing my cover. You’re blowing my cover, David.

[David Spark] We can’t fool anyone. Our sponsor for today’s episode is CyCognito – identifying unknown security risks. Increase your security intelligence, your threat intelligence. Know more so you can make better risk decisions. More about CyCognito later in the show. But first, Mike, I have done something in my office that I have not done in a long time.

[Mike Johnson] You changed the color of the lights.

[David Spark] No, that I do all the time.

[Mike Johnson] Oh, okay.

[David Spark] But it’s something I’ve always wanted to do, and I keep sitting on it and sitting on it. And I finally did it, and that is I did cable management.

[Mike Johnson] Oh! How cathartic is that?

[David Spark] Do you have a rat’s nest of cables on the floor under your desk?

[Mike Johnson] I do not. I do not.

[David Spark] You don’t?

[Mike Johnson] I have cable management, David.

[David Spark] Do you, too?

[Mike Johnson] Yes.

[David Spark] I have baskets underneath my desk that are full of cables and power supplies and stuff. There’s nothing on the floor. It’s phenomenal.

[Mike Johnson] Awesome. It’s so… As I said, it’s cathartic when you take this jumbled mass and make sense of it, get it all tucked away nice and neat. You don’t have to look at it, but it all still works.

[David Spark] Yeah, it looks a heck of a lot better I must say.

[Mike Johnson] It makes going to work every day that much easier if your office looks pleasant.

[David Spark] Good point. I was saying to my wife, I go, “What do you notice that’s different?” She can’t tell and goes, “There’s nothing on the floor!”


[Mike Johnson] So, she wasn’t nearly as excited about it as you were.

[David Spark] No, I was far more impressed.

[Mike Johnson] [Laughs]

[David Spark] I would like to bring on our guest. And by the way, this is our third CISO from an airline. I’m very excited about this, and we’re going to actually have another CISO from an airline coming on soon as well. So, thrilled to have him onboard. It is Tim Rohrbaugh, the CISO over at JetBlue. Tim, thank you so much for joining us.

[Tim Rohrbaugh] Hey, great to be here with both of you.

What do you think of this vendor marketing tactic?


[David Spark] Security vendor ambulance chasing behavior around huge security incidents has a way of unnecessarily coming back again and again. Mike, this very show launched because of this issue, and you had posted about it to a flurry of responses from other frustrated security professionals. Now, since you first complained about it publicly more than four years ago, I have anecdotally seen far less of this behavior. Interested to know your thoughts, but hold on. But it doesn’t seem to go away completely, as Erik Bloch of Sprinklr noted, with his annoyance at the fear driven emails he received from vendors at the onset of Log4j. So, instead of bashing bad behavior, let’s talk about the vendors that did respond well to Log4j. What did they do that you admired?

[Mike Johnson] I think the Log4j debacle, whatever you want to call it, was really an opportunity for companies to show their true colors. The ones that I thought responded well, they showed up to help. They weren’t there trying to toot their own horn or sell you a thing. They were there helping either the internet as a whole, maybe through providing free tools, actionable information analysis. They gave of their own efforts, their own time, their own resources without expecting anything in return. They were genuinely there to help, and that’s really… Those are the true colors.

[David Spark] Can you get into a little more specifics of how they showed their help?

[Mike Johnson] It could have been, “Here are all of the malicious devices and IP addresses out there who are scanning for Log4j.” Like a list of IP addresses. You could do something with that. Or it could be, “Here’s a breakdown of how the vulnerability actually works. This is how you can test yourself. This is an analyzer that can take inbound payloads and let you know what actually triggered the vulnerability.” Those were some of the examples that we saw out there, and none of those companies were asking for anything in return.

[David Spark] By the way, not that you had to, but did you actually take advantage of any advice or any of the services they were offering?

[Mike Johnson] I took advantage of the information, absolutely. It was such a dynamic situation that as information was being updated, as someone was finding and discovering something new, it was being shared. It was being put out there. And that was something that we could use, protect ourselves, and also protect our own customers.

[David Spark] All right, I’m throwing this one to you, Tim. Tim, you like everybody else had to deal with this nonsense. What good behavior did you see from vendors over Log4j?

[Tim Rohrbaugh] First off, you used the past tense. It’s still ongoing…

[David Spark] Yes, yes.  

[Tim Rohrbaugh] …and probably ongoing for the rest of this year.

[David Spark] I know. By the way, this episode…we’re recording this episode in January, and I believe this is going to air in March. So, yeah.

[Mike Johnson] It’ll still be here in March.

[Tim Rohrbaugh] It’ll still be here. So, if you’re not a current vendor…we call them business partners…you’re not going to get into the inbox where I’m going to see you. And if you keep pestering, you’re going to end up in a directory or a folder which I’m never going to look at. But like you said, the thing is that some of them actually did some really good work. Hopefully they’re the ones that are already our partners, and they shared it with us. The whole industry in itself has been very helpful. I think we learned a lot of lessons in the past. So, if you’re selling on fear, and uncertainty, and doubt and using that moment, it’s not going to work well.

[David Spark] Well, can you give me some specifics or some of the things that vendors were doing? And by the way, I’m interested to know from you, Tim, because this has kind of been our charge since the beginning of trying to improve relations between vendors and practitioners, hence the name of this very show. Have you seen an improvement of that over the past three, four years?

[Tim Rohrbaugh] Yeah, there definitely has been. Unfortunately even vendors have rogue salespeople. But let’s set those aside. I think the vendors that I saw that did a good job were the ones that actually said, “Hey, we got our house in order, or we’re getting it in order. Here’s what we did.” No sales behind it. And like you said, there might be maybe a useful tidbit along with it. So, really tell us how your house was cleaned.

[David Spark] Did you or your team mention like, “Hey, I got some pretty good advice from company XYZ.”

[Tim Rohrbaugh] I’ll say no. We obviously had teams of people out there looking for information and have business partners that are doing it for us with respect to intelligence, but we’ll get into that later. But the thing is that no, I don’t think anything novel came through a sales outreach.

[David Spark] Well, regardless, Mike, you saw some benefits. And I’m also going to ask you the same question I asked Tim, which is…we come back to it again and again…given this incident, had it happened three, four years ago, you probably would have seen far more ambulance chasing than you saw this year. Yes or no?

[Mike Johnson] I think there would have been. I do think that over time, companies, sellers have learned how to better sell. And this is one of those outcomes. Like Tim said, there are certainly rogue sales folks, but I didn’t see just a blatant industry push to try to use this to sell.

How have you actually pulled this off?


[David Spark] We’ve heard the line before – to catch a criminal, you need to think like a criminal. Tim, you explained this process of developing your threat intelligence with Mary Pratt on CSO Online. Three key points came out of this discussion. One, threat intelligence guides how you spend your time and money on security. Two, vendor resources and information sharing are key to developing this intelligence. Three, realize criminals also operate as a business and do what you can to drive up their costs. So, Tim, could you explain specifically how you’re reading all of this threat intelligence? And you can give sort of details of, “Oh, we see this, and so we sort of learned this about the threats.” And second, can you provide an example of how you’re actually driving up the costs to adversaries?

[Tim Rohrbaugh] Yeah, from the standpoint of threat intelligence it’s obviously been around for a while. The question is where do you place it inside your organization. For me, along with other industry folks, we figured out that to boil the ocean on control sets and monitoring all of that is just…it’s untenable. So, the question is where would we focus. Are we going to focus just on our impulse, what we think is important based on some kind of mystical risk matrix? No. For us it’s really about we are the defenders. We’re here because we’re trying to come up against criminals and organizations with technical skills. They’re just like the rest of us. They have repeat patterns. And we just need to figure out who it is that’s coming after us or at least create a persona of them and then figure out their tactics and their techniques. And those things have been memorialized in MITRE’s ATT&CK framework. So, it’s under threat informed defense.

So, at the middle of the organization what I’ve done and what I believe most mature organizations should be striving for is to have threat intelligence – the team itself who’s actually going out and trying to figure out who it is that’s coming after you, how they’re going to come after you, and why they’re going to come after you – and put them at the center of orchestration of program improvement. Security program improvement. You had one other question, and that is how to drive up costs. Let me just say really quickly on that one – one of the ways you can think about this is think about like soft crime, fraud. They’re a business, and many times they’ll have multiple levels with criminality inside of them that they’re trying to take advantage of either customers or yourself. And they also have call centers. They also have inbound support. They also have scripts that they have to rebuild, and they have log files that they have to… They have internet charges. Each of those you can systematically drive up costs. You can also drive up costs of those that are not just fraud but coming after you with true criminal intent, overt, and you can take them into systems which lie about what you have, what you have exposed. It’s the old honeypots, but disinformation has become a feature of many products.

[David Spark] Mike, I’m throwing this to you. What you outlined, Tim, seems like a pretty solid plan. Mike, over the years we’ve done this show, you’ve hit on all of these.

[Mike Johnson] Tim really used a good term there that I don’t think I’ve ever used. I wasn’t smart enough to use it, and I haven’t heard much. It’s threat informed defense. I think that’s a really concise way of summarizing the right way to use threat intelligence. It’s very easy for people to just get caught up on using indicators of compromise. “We’re going to feed bad IP addresses into our backend systems, and that’s threat intelligence.” That’s like the old way of doing it. But what Tim was really highlighting there makes a whole lot of sense. Understand your adversaries – who is coming after you, what are their tactics and techniques. They can’t change their tactics and techniques very easily. That’s part of driving up their costs. They can change what IP addresses they use. So, by understanding and focusing on those techniques that they use, using that to figure out what your defenses should be, where you focus your limited resources, that’s what makes sense to me from a threat intelligence perspective. That’s doing it right. That’s where we need to be going with it.

[Tim Rohrbaugh] Real quick I just want to say that I have been in this a long time, too, and I kind of played around with it. I could never say it elegantly, and I really give MITRE credit for identifying threat informed defense. It’s a really great term.

[David Spark] Just as a comparison, Tim, to close out this segment, I really like what you said in the article, and Mike just echoed it. The fact that you’ve got limited resources, and this threat informed defense allows you to make more intelligent use of the resources you have, of people, and money, and time. I’m assuming when you started in security you didn’t start this way. And, again, if I’m wrong on this assumption tell me. But how different is your security program as a result of a more threat informed defense program?

[Tim Rohrbaugh] I’m like many who have been in it for a very long time. I started in the mid-90s in the government. When you’re inside of DOD, you have very specific well qualified data, and you have very specific threat actors. And in a sense, it’s a more complex program, but it’s an easier one to solve. When you get into corporate organizations even small changes in business practices can change the threat landscape. One public announcement can change the threat landscape. I think the threat actors, the profile is much more dynamic. It’s one that requires us to be very focused on where we put our attention.

Who’s our sponsor this week?

[Jim Wachhaus] Really the primary function for CyCognito is in reducing the total cost of risk management.

Sponsor – CyCognito


[Steve Prentice] When people talk about digital transformation it is often framed as a new frontier for technology and collaboration. Jim Wachhaus is a risk intelligence evangelist at CyCognito – a company that specializes in external attack surface management. He reminds us that the speed of change always comes with risks.

[Jim Wachhaus] Digital transformation has led to a proliferation of assets that are internet facing. There’s a lot of shadow ID that goes into that. There’s also a great deal of assets that get deployed by organizations that are smaller and perhaps more risk accepting. And then those organizations get acquired, and there is a certain amount of brain drain. And then you have unacceptable risks that are being inherited by the overarching company. As one CISO told us, the normal time window to that risk gap being closed is about two years for them. If you think about that from a digital transformation standpoint, we’re moving at the speed of the cloud. Two years is far too long. And as that CISO also said, vulnerability management is just too late.

[Steve Prentice] For more information visit

[Voiceover] It’s time to play, “What’s worse?!”

[David Spark] Tim, are you familiar with the “what’s worse” game?

[Tim Rohrbaugh] No, I’m not.

[David Spark] Well, guess what. You’re going to find out very soon. This is a game where our listeners send in two horrible scenarios. You’re not going to like either one of them. But as a risk management exercise, you have to tell us which one is worse. Good news for you, Tim – I make Mike answer this one first. So, you can either agree or disagree. It also gives you a little bit more time to think about it because Mike hasn’t seen or heard this, and you haven’t heard this either. It’s a surprise to both of you. So, here we go. It’s from Jerich Beason, CISO over at Epic. Jerich has supplied a phenomenal number of great “what’s worse” scenarios. And this one is up there. Here you go, Mike. This scenario stinks. Get ready for it. Or both scenarios stink.

[Mike Johnson] Okay, great.

[David Spark] What’s worse – having a 30% MFA coverage gap for all critical applications exposed to the internet, or a 30% coverage gap in your asset inventory, which includes infrastructure for critical applications?

[Mike Johnson] So, we’re looking at our internet exposed applications, authentication. We have MFA across 70% of it.

[David Spark] Correct.

[Mike Johnson] Or we have 70% of our asset inventory understood.

[David Spark] Correct.

[Mike Johnson] I’m looking at…

[David Spark] You’re looking at the glass 70% full there.

[Mike Johnson] Yes. With either of these, my glass is 70% full, which…

[David Spark] So, if you look at it that way it’s not so bad actually.

[Mike Johnson] Not so bad.

[David Spark] Yeah.

[Mike Johnson] It’s all about spin.

[David Spark] There you go.

[Mike Johnson] So, I think both of them, it’d be nice to be in a better situation. Absolutely. I would actually think a lot of people wouldn’t look at these scenarios and go, “These both stink.” I think a lot of people would aspire…

[David Spark] Yeah. Well, if you get 70% of people using MFA…

[Mike Johnson] Yes, exactly.

[David Spark] Well, let me ask you this, because I don’t know, is 70% of knowing your assets good or bad? I have no idea. What’s a good percentage of knowing your assets?

[Mike Johnson] On the flip side if you know that it’s 70% then you actually have a concept of what 100% is.

[David Spark] There you go.

[Mike Johnson] So, that’s also not a bad place. That leads me to which one is worse, and I do think that of the two I always fall back to asset inventory being the more important, being the priority. I would obviously want to see 100% MFA coverage, but I don’t know what that 30% of my asset inventory is. It could be some really bad, toxic, important, unsecured systems. At least in the other scenario the flipside is I’ve got 100% of asset inventory and only 70% of MFA. So, I really do think of these two the asset inventory coverage is the one I’d be more concerned about.

[David Spark] I should have changed these numbers and made it like 70% MFA coverage gap.


[David Spark] It didn’t dawn on me it was making too good of a situation. Tim, you could agree or disagree with Mike. And if you don’t know this, I love it when guests disagree with Mike.

[Mike Johnson] He does.

[David Spark] But no pressure. How do you feel on this one?

[Tim Rohrbaugh] Totally disagree.

[David Spark] Okay.

[Mike Johnson] Great.

[David Spark] Great.

[Tim Rohrbaugh] The main reason is…it’s a dirty little secret…none of us really have…when you get over into the tens of thousands of assets, we have a lack of confidence in it. But 70% of… Let’s say you know 100% of your assets, and you don’t have full MFA. Then that means that accounts are going to be misused more than likely, and all they’re going to do is… You’re going to know which assets they’ve taken advantage of. So, I’d rather have 100% coverage on MFA.

[Mike Johnson] Great.

[Tim Rohrbaugh] Or I’d rather have 70%.


[David Spark] I hear, what, 50%…isn’t that kind of common? It also all depends on what you’re using, right?

[Mike Johnson] You mean MFA, David?

[David Spark] Yeah, MFA. Yes. For more critical stuff like on financials, MFA is more heavily used than… How far down the line is MFA being used?

[Mike Johnson] I think it depends on if you’re talking consumer applications or internal applications. The numbers on consumer are very low. On internal applications, 90, 95, 99, even 100% is totally doable.

[David Spark] Okay. That’s the discrepancy I didn’t understand.

Is this the best use of my money?


[David Spark] Manny Singh, a former coworker of mine… I was an IT guy at one time, Mike.

[Mike Johnson] I believe it.

[David Spark] He works for a large testing and certification firm, and he asked, “Are SIEMs really valuable in today’s world to be able to respond quickly, or are they becoming passé? I struggle with the value in preventing or mitigating. I ripped ours out. We have 200+ labs around the world with 30,000+ devices. To pull logs from those systems and get them back into a SOC, normalized, alerted, and acted on takes two long days to action. I see value in using it after an incident or for forensic issues. I don’t see value without spending a ton of money in headcount and resources otherwise. Waiting for someone to convince me otherwise.” Mike, do you want to convince me otherwise?

[Mike Johnson] I’m not here to sell you a SIEM. That’s not what I’m going to do. But I do wonder if the classic definition of a SIEM is dead. Like the idea of you have to collect all of your data into one place. Everything has to be normalized. You have to apply consistent rules, and you have to build all of that. And it’s heavyweight and slow. I think that probably…the time has passed for that. On the flipside, I do find a lot of value in instrumentation, data collection, data analysis, and building alerts on top of it. In my situation, if I were to add 5,000 more Linux servers, there’s not an additional bit of work that I need to do. It’s not going to take me days to onboard that. I already understand Linux servers. It’s going to be built into our images to automatically forward anything. So, I’m not going to try and sell you a SIEM, but I strongly believe that detection is critical. And if you’re not collecting your log data, if you’re not pulling it back into one place, and if you’re not actually taking advantage of normalization, which is critical, then you’re missing out. It’s kind of like showing up to a fight with a hand tied behind your back. You might have preventions set up, but you’re completely leaving detection on the table.

[David Spark] He’s aware of this, and he deals with other things in terms of sort of either detection or dealing with it at the last minute. But I’m going to throw this one to you, Tim. He just thinks it’s going to just take him too much time and resources to make this work.

[Tim Rohrbaugh] It’s a tough one because when we originally started out, SIMs, and SIEMs, and all of that came on…they promised a lot of things. We were promised a single pane of glass. None of that has materialized. But what really is important is to get all of the events into the bare minimum of a security data lake. And then what we need to do is we need to overlay intelligence on it. The whole reason that we have it there and that we put it together is to put the data into context. Whether you’re normalized or not, you need to be able to put the data into context so that you can report on it and hopefully add technologies like machine learning on it so that maybe you can look for patterns, or it can look for patterns and disclose it to the analysts who are going to see it. But there is one phenomenon today that probably devalues them a little bit, and that is that the intelligence is now being moved into the security devices themselves. And they’re actually doing some of the volumetric monitoring of devices, and user behavior analytics, and all of that for you.

Hey, you’re a CISO. What’s your take on this?


[David Spark] Over on the cybersecurity subreddit, a redditor asked, “What 20% of skills give you any percent effectiveness in a cyber security career?” The most popular answer was curiosity, which is a clearer way of saying passion, I believe. Now, one redditor boiled it down to, “If you don’t have the curiosity to ask why and seek an answer, you are dead weight.” Another said, “Technical knowledge/skill is almost useless in this field if you don’t have the curiosity to deploy and expand your knowledge.” Another popular answer was the ability to explain technical issues to nontechnical people. So, both are excellent answers for which you can’t take a class, get a degree, or put on your resume. So, twofold question. I’m going to start with you, Tim, on this one. How do people show these two capabilities, and how do you as a hiring manager seek them out, assuming that’s what you’re looking for?

[Tim Rohrbaugh] I think you’re taking it from the side of what the user can do, what you as the employee can do. And it’s really about demonstrating self-learning, and self-learning is a byproduct of somebody who’s identified a passion of theirs. And you have to let that come through not only in your work but also in your interviews and everything else. But I think any time you can illustrate what you’ve done on your own outside of work and then how that’s driven your career is important.

[David Spark] And I know that you feel that way about yourself. Is that you’re very much autodidactic yourself and that… So, it’s a very much personal passion of yours to self-learn. May I ask how have you seen that on people that you’ve hired?

[Tim Rohrbaugh] Yeah, it’s really trying to help people once I bring them onboard. So, yes, notice those things, quiz them. I have a trick when I used to… I don’t do this anymore. But when I interviewed folks, the first thing that I would do is I would ask them about their hobbies outside of security. And what I was looking for when we were in person was facial expressions and the enthusiasm with which they expressed themselves. Then I would jump into security in different domains and see if I could see any of that same passion come through.

[David Spark] Why don’t you still ask that question? I think that’s actually a good…

[Tim Rohrbaugh] Oh, because I’m telling you, so now people will know that it’s coming up…

[Crosstalk 00:26:14]


[Mike Johnson] He’s giving up his trick.

[David Spark] No, you bring up a good point here, Tim. That’s like when you’re playing poker or any kind of card game.

[Tim Rohrbaugh] Oh, absolutely.

[David Spark] Knowing somebody’s tell. You can’t hide a tell too easily unless you’re a master. So, what you’re describing…even if people totally know what you’re going to do, it’s hard to hide that.

[Tim Rohrbaugh] I know. And I’ll tell you – what I try to do though is instead of just playing the games with folks, really inside… One of the things that I brought out a couple different places, but it was about using Agile. And by doing that, people can create their own stories, and they can even do it in areas that they’re not responsible for. So, I want people to have the latitude to take like 20% of their time and work in an area that they’re interested in, that they’re passionate about, even if it’s not the one that’s currently assigned.

[David Spark] All right, Mike, I throw this to you in terms of twofold – how do people show it, and how do you seek those people out?

[Mike Johnson] You had mentioned relating curiosity with passion. And I’m not sure that I agree with that because I think to at all be in our industry you have to be curious by nature. I can’t even imagine being in this field and not being curious. It’s almost like self-selection into the field.

[David Spark] It’s like, “Hey, why did someone just do that into our network? Eh, who cares?” [Laughs]

[Mike Johnson] Said no one ever. That’s not how it works. But I do look for passion. I really look for what people have done in the past. Maybe they are out speaking at conferences. Maybe they are writing blog posts. Maybe they are contributing into open-source. Not that they have to do that, but that really is a very quick tell that they have passion about our field that they’re looking to help out others. And now that I’m even talking through this, that’s another thing that I’m looking for is that do you actually want to help. Are you by nature someone who’s going to help out others? And by speaking at conferences, by contributing to Open Source, by writing blog posts, not only are you illustrating your passion, you’re helping out others. You’re raising the game for everyone. And that combination of those two is absolutely the kind of person that I’m looking to join our team.

[David Spark] So, Tim and Mike on this one… Mike I know very much so…you’ve written blog posts that get hundreds and hundreds of comments, and I know that you read most if not all of them. Have you actually…? Because there are certain people I know who just keep commenting on stuff again and again. I’ve built relationships with people initially because I just read all their comments, and you see that they want to be a part of the community. Have either of you actually hired someone with whom you just had a sort of comment-like relationship initially online, or worked with somebody? Either case?

[Tim Rohrbaugh] I haven’t, but you have… I definitely would be open to it. It is an interesting way… But we do build networks from it.

[David Spark] Yes.

[Tim Rohrbaugh] And also can refer people. Maybe not them directly but definitely other contacts.

[David Spark] Mike, you’re looking up to the ceiling, thinking that the answer is there.

[Mike Johnson] It’s written. I just can’t quite see it.

[David Spark] You need better prescription on your glasses.

[Mike Johnson] Yes, I need new glasses. I can’t offhand recall. But as Tim said, I have definitely used it for setting up networks and getting to know people. I’ve met folks for coffee back when that was a thing and had conversations. And some of them might have led down that path. Maybe not all the way to a hire. Certainly to interviews. I’m not going to be the only one making the hiring decisions. But I would, and I’m pretty sure I have had folks that I’ve met through LinkedIn interview for a position on my team.

[David Spark] Well, all advice that we’ve mentioned before. And I will say that anything you can do to show that you actually care for the position helps. I had just recently put a position out, and it was only the people that actually showed they cared who were the people I actually paid attention to. I’m so sort of frustrated by people thinking that this is a numbers game. It is not. Tim, I’m sure you get a flood of resumes, and it’s the people who show that they care, yes?

[Tim Rohrbaugh] I’ll tell you… Maybe I’m kind of old school here, but if you don’t put a cover letter, if you don’t take the time to read it and know about us, I’m not even going to really bother.

[David Spark] Tim, this is exactly what I did. This was the barrier I had on a recent job posting. “Please go to our website and send me a note acknowledging you actually went there.” Of the 50, 60 people that applied, 6 actually did it. And here, you’re going to like this one, Tim, three spelled our company name wrong.


[David Spark] So, you know what I did with the other three? I actually interviewed them. By the way, of those other resumes, those people were way more qualified, had way more skills. But they can’t follow basic directions.

[Tim Rohrbaugh] Absolutely. And you’ve got to show what you’ve done on research front. “Why do you want to help out there? Why do you want to be here?”



[David Spark] Why do you want to be here? Well, I appreciate you being here, Tim. And I want to thank you, Mike, as well, and our audiences as well. But also I want to thank our sponsor, CyCognito. Improve your threat intelligence, everybody. As we’ve talked about on this show already, if you know more about your threats you can make better risk decisions and build a better security program. For more, go to CyCognito’s website, All right, Tim, I’ll let you have the very last word. And by the way, I ask all my guests, are you hiring? We’ve been talking about that. My guess is you are, but I don’t want to put words in your mouth. Have an answer for that in just a second. Mike?

[Mike Johnson] Tim, thank you for joining us. Great to sit down, have the conversation with you, really learn from your perspective. And I really liked the focus on threat intelligence and how you leverage that within your business, within your organization. It’s a great reminder to folks to really think about how they’re leveraging threat intelligence, if they are, or can think about how they might evolve in that direction. But I really liked your point that a change in the business process can change your threat profile. That’s something that I think people really forget about is it can be that simple, and now you’re in a different ballgame. You’re on someone else’s radar. So, thank you specifically for reminding folks about that, having your discussion around threat intelligence, and generally sitting down with us today for the recording. Thank you.

[Tim Rohrbaugh] Oh, you’re welcome. And I just wanted to say when you said something about what people were doing with respect to sharing, that’s been one of the bright spots of the last few years. Really if you’re not sharing, if you’re not mentoring then you’re really not helping.

[David Spark] So, Tim, are you hiring?

[Tim Rohrbaugh] Yes, we are.

[David Spark] And if I wanted to get a job working on the security team over at JetBlue, where would I be going to?

[Tim Rohrbaugh] Career page. [Laughs] And do a submission page.

[David Spark] And as you know, if you want Tim to actually pay attention, write a darn cover letter that acknowledges…

[Tim Rohrbaugh] Cover letter. Absolutely.

[David Spark] …why you want to work there. I want to thank you, Tim, very much. I want to thank Mike, and I want to thank our audience for all their contributions. Please send in more “what’s worse” scenarios. I would greatly appreciate that. We like to have them, and we like our guests and my cohost to be challenged. As always, thank you for listening and contributing to the CISO Security Vendor Relationship Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at Thank you for listening to the CISO Security Vendor Relationship Podcast.