We’re trying really hard to keep our customers’ data safe, but we all know given the number of attacks happening, our number will eventually come up, and we’ll lose your data just like every other organization you trusted.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sandy Dunn (@sub0girl), CISO, Blue Cross of Idaho.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Expel

Expel offers companies of all shapes and sizes the capabilities of a modern Security Operations Center without the cost and headache of managing one.

Full transcript

Voiceover

10-Second Security Tip, go!

Sandy Dunn

To solve this security challenge focus on the human first. Worried about insider threat? Why? Is the environment toxic, do you have poor HR screening? Is your policy hard to locate or understand? Fix those items first and then worry about your technology solution.

Voiceover

It’s time to begin the CISO/Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO/Security Vendor Relationship Podcast. My name is David Spark, I am the producer of the CISO series. Joining me as always, it’s my co-host Mike Johnson. Mike? Are you there?

Mike Johnson

I am here and I actually do know my left from right even though in Zoom land they’re swapped.

David Spark

Yes, we were joking about that before we went recording. We are available at CISOseries.com. We are available at the subreddit CISOSeries as well and you should know that every Friday we have a super-fun video chat, so join us every Friday 10 AM Pacific, 1 PM Eastern. Just go to CISOseries.com and click the register for video chats button. Our sponsor for today’s episode is Expel. Thank you so much, Expel, for sponsoring us again, a return sponsor, we always love that. They detect and respond to threats in minutes. You will want to hear what they have to say a little bit later in the show. Alright, Mike, it is officially a sign of the change of the times because it looks like I have booked the first live audience recording of the CISO/Security Vendor Relationship Podcast.

Mike Johnson

Wow!

David Spark

Post-COVID that is, we had many prior to COVID. Post-COVID.

Mike Johnson

Alright.

David Spark

So I don’t want to say the details of it yet because actually it has not been signed, but I got a verbal agreement and I am going to be doing it and if all goes well, it’ll be late August. We’re doing a live show in front of not a huge audience, an audience probably about just 30, or actually it could be up to 60. Somewhere between 30 and 60 people.

Mike Johnson

Well, it makes a lot of sense to have a smaller audience right now.

David Spark

Yes. We used to have an audience of over 300 actually.

Mike Johnson

Right, and that would be a little bit uncomfortable right now.

David Spark

Yes.

Mike Johnson

I think it makes sense to start small and grow back up to 300.

David Spark

Yes, I want to get up to 300, but we are going to start small. But I am very excited to do that. And here is the other interesting thing, I was looking at our stats. Do you realize that five out of seven of our most popular shows of all time were live recordings?

Mike Johnson

I did not know that. I can understand why though, because they are so interactive, they are so dynamic.

David Spark

Well, just the excitement of that live audience, I mean, honestly if I could do a live show every time I would do it. I mean, it would be fantastic.

Mike Johnson

You know, as one of the co-hosts, you feel that energy and it gets you more excited and more into it. That energy then comes through in the recording, so I can see how it all makes sense.

David Spark

Well, I look forward to this live show and many, many more.

Mike Johnson

Yes.

David Spark

Hopefully everyone will stay healthy and safe and we can pull this off successfully. Please! With that being said, I would like to now introduce our guest who you know, who you met at one of the last events we all went to, which was BSides San Francisco 2020 and we did a live recording there too, which we did in one of the movie theaters there, which was the largest I had ever seen our logo ever on one of those jumbo screens.

Mike Johnson

It was a massive screen, you could not avoid that logo.

David Spark

I also took a photo because the sponsors’ logos were there as well. Alright, our guest for today is the CISO for Blue Cross of Idaho, Sandy Dunn. Sandy, thank you so much for joining us.

Sandy Dunn

Well, I am very excited to be here, I am a big fan of the CISOseries and glad to be here as a guest.

Why is everyone talking about this now?

00:03:57:02

David Spark

If there was ever an opinion piece to collectively cause thousands of security professionals’ heads to explode, it was this piece on the news outlet The Hill by Allen Gwinn, a Professor of the Practice in Information Technology at the Cox School of Business at SMU Dallas. Get ready for this. Gwinn essentially went after the entire cybersecurity industry for their failed “industry best practices” and that what they need is a more holistic view of their environment. He argued that the hackers have a better view of our environment than we do. Now, while Gwinn admits to regretting writing the following, “Never hire an information security employee who has ever worked for a firm that has had a security incident,” he did double down on one comment saying companies should “implement a ‘one strike and you are out’ hiring policy for information security leadership whose job it was to secure systems and networks after a major, expensive breach.” I want to give a quick tip of the hat to both Jason Dance and Brandon Greenwood who both gave me a heads-up on this article and the discussion. Mike, I feel pretty confident saying you do not agree with Gwinn’s opinion piece. I saw you just shaking your head, but before that I kind of knew you did not like this. But here is what I want to explore. Can you explain how incredibly dangerous it would be if companies actually followed his advice?

Mike Johnson

Oh, this guy. You know, I saw this article and I did not want to engage on it, because it seemed like–

David Spark

Too late, we are doing it on this show.

Mike Johnson

And here we are. And here we are. I keep trying to get out and they keep pulling me back in.

David Spark

Exactly.

Mike Johnson

Almost everything that he writes in the article is dangerous. I don’t know where to start.

David Spark

Well, let’s just start at the one strike and you’re out. Why is that dangerous?

Mike Johnson

I think one of the problems with that is it drives a culture of not admitting mistakes. People might make a small mistake that if it is brought to someone’s attention and can be dealt with while it is small, it doesn’t become big. But if you are in the situation where you make a mistake, you’re fired, you are not going to ever admit to any mistake, period.

David Spark

And I would add to that you live in a culture of fear.

Mike Johnson

Absolutely. It’s all aligned together where you have this Sword of Damocles hanging over you that at any time you could just be fired. That is not a safe environment, no one is going to want to work in that.

David Spark

Right, and who would work for it? So you will not get anyone good to work in your environment.

Mike Johnson

No.

David Spark

It will be a caustic environment. You think working with brilliant jerks is tough, imagine that.

Mike Johnson

It would really be a very toxic environment.

David Spark

That would be it. Oh, my god! That is the worst scenario.

Mike Johnson

It is already played out, David. You can’t use it. You can’t use it. Missed opportunity.

David Spark

Sandy, I want to go to you here. What would be so dangerous about doing this?

Sandy Dunn

Alright, yeah, this article was so completely wrong that I actually wondered whether or not he was intentionally trying to be provocative. I mean, it was so off-base that it just made no sense to me. His follow-up article that he wrote was interesting. He admitted that he used words poorly but he didn’t even admit that his view was incorrect. So, really, what I read into it was this is a person who lacks experience. This is a person who has a little bit of knowledge and not much experience in the actual industry because he clearly does not understand the problems or how to fix them. If somebody on my team had written an article like this, I would have pulled them into a conference room and tried to do some coaching with them. I mean, it is such a poor representation of certainly the culture I try to build and what I believe in.

Close your eyes. Breathe in. It is time for a little Security Philosophy.

00:08:14:11

David Spark

Over on the cybersecurity subreddit, a discussion blossomed on cybersecurity not being a career path, but in actuality, it is a way of thinking. And it is a way of thinking we should develop irrespective of the X number of years we train in that specific field. Sandy, businesses try to get employees thinking about being customer first in their thinking. How could security thinking work alongside that to be part of the company culture?

Sandy Dunn

Yes, a couple different thoughts there. I mean, one of the things that I do agree with which is I do view a role in cybersecurity as a calling not a job. So I think the people who are successful in this role, it is more than just a job to them. It is something that they feel incredibly passionate about and believe in doing the right thing and protecting their organization, their users, the business, and at a higher level our country, when you look at things that happen with some of the attacks that are happening at a nation state level. I think your question is since we in cybersecurity see it as a calling, how do we share that view out into the rest of the organization. Building a cybersecurity culture, I think the thing that you want to do is really break down the barriers. So, often people outside of the cybersecurity team, they do not understand what we do, and we only show up when there are problems, and we are scary, and we use big words.

David Spark

By the way, you can’t see Sandy right now, but, yes, I agree with you, you are scary, Sandy. Go on.

Sandy Dunn

I think what I have tried to do is go out and break that barrier down. Let people know that I am there to protect them and I want to make sure that they are successful in their job. Then reinforce how important what they do is for our success, so they are the human firewall. Nobody understands a fraudulent customer service call better than a customer service agent. They know their job and so when I can deputize them onto the cybersecurity team and say, “Hey, you are part of my team, I need your help for us to protect our organization that we all care about,” then you get their buy-in. Then all of a sudden they’re on your team instead of them seeing it as us versus them. You mentioned it in a previous story that we talked about, building that culture and making it a positive culture as opposed to a toxic culture where people are trying to hide stuff from you.

David Spark

I throw this to you, Mike. What do you think about just this kind of thinking philosophy that sort of bleeds through the culture because we talk about this all the time, but can cybersecurity just be sort of being customer first?

Mike Johnson

I think at the end of the day it is both mindset and career. I like what Sandy was saying where part of the job really is getting across to other folks to think about security. And that they are maybe not necessarily first, but it is on the top of their mind that they are thinking about security as well, as well as doing their jobs. But at the same time we cannot expect everyone to be an expert in security and that means that it really is both, it’s still a career. Back to your customer-first way of thinking, there are the folks within your organization, be that your customer success representatives, be that your revenue org, that they’re most heavily focused on customer first and they are the experts in that. And the rest of us are supporting them in what they are doing there. So, I think it is the same way with security, that our job is to make that way of thinking pervasive within the organization, but not expect everyone to be an expert, to be there, to be consulted, to be available, to help out in our area of expertise that we have honed over a period of time.

Sponsor – Expel

00:12:41:10

Steve Prentice

Organizations need quick, clear answers and Expel puts that right up front. They say when we spot attacks, we go from alert to triage in less than three minutes and we give you the answers you need written in plain English. Here is Bruce Potter, CISO at Expel.

Bruce Potter

Expel is a managed detection and response company and really we are different in the sense that we allow you to bring whatever technology that you have on prem, in the cloud, cloud SaaS, part of the structure. Send us your security signal. We are going to dig through it, we are going to find the things that you need to care about and not only that, we are going to tell you how you need to care about it, how to fix it. We really pride ourselves on being able to find all of the important details, let your team focus on making your organization more secure and not actually having to go fight the fires and detect instances themselves.

Steve Prentice

This clarity starts right out of the gate at the moment of first engagement.

Bruce Potter

When we engage with a company the first thing that we do is really just get a sense of what technologies that you have. Do you have an EDR, do you have a SIEM? What does your cloud footprint look like? Things of that nature. When it comes to on-boarding it is very simple, you just give us a bunch of API keys for all the systems and we will start doing just the data. In the first week or so, we will look at everything that you are sending us and help tweak and say, “We should see this but we are not. We would like to see these other things, you are sending us too much data.” And eventually we get to the point where we think you are sending us the right signal and then it is just off to the races.

Steve Prentice

For more information visit Expel.io.

It’s time to play “What’s Worse?!”

00:14:20:03

David Spark

Alright, Sandy, I know you know how to play this game. Mike, this is actually a What’s Worse scenario that was posted publicly so we just snagged it. So had you seen it? You may know what this is because it was published publicly.

Mike Johnson

Okay.

David Spark

So I did not even ask the person who submitted it.

Mike Johnson

I might have a study on this one, David. I might be ready to go.

David Spark

You might be, but it is a tough one. I am going to say, I know I predicted this once before and I was really wrong but I am going to predict this is the toughest one.

Mike Johnson

Alright.

David Spark

Alright? Sandy, I always make Mike answer first so you can agree or disagree with him. No pressure, I like it when people disagree with me.

Sandy Dunn

Alright.

David Spark

Alright. Lucas Parker of Mitsubishi Heavy Industries Shared Services Americas posted this publicly on LinkedIn referencing What’s Worse and me. He said, “What’s Worse? A security product that covers 80% of your assets with 100% efficacy? Or a security product that covers 100% of your assets with 80% efficacy?” Is this a tough one?

Mike Johnson

I actually immediately have an answer.

Sandy Dunn

Oh.

David Spark

So it isn’t tough?

Mike Johnson

Well, I could be wrong. I am always open to that.

David Spark

Well, I’m going to always say that you are wrong.

Mike Johnson

Oh, I appreciate that, David. I am glad we have had that relationship. But really what you are talking about here is this is breadth versus depth. You have got a portion of your environment, maybe even what portion of the environment you have that you have got perfect security, that it is great that you have got it, you know for that 80% you are in perfect shape. Versus you know your entire environment and you know your security is not quite where you want it to be across an environment.

David Spark

By the way, which is I know highly desirable.

Mike Johnson

Right, and that is why the first one is the worst one. I come back to inventory all the time. If I actually know my entire environment and I have some amount of coverage over the entire environment, I am going to be less surprised. So I think that first one really is the worst of these two.

David Spark

This is a security product that covers 80%. It does not say you do not know your whole environment, it is just this product is only going to cover 80% of it.

Mike Johnson

That is almost worse, that you know that–

David Spark

You’ve got 20% that’s not being covered?

Mike Johnson

Right. I like that full coverage of partial implementation that I can come back and build on top of later. I can then maybe bring in the other tool to solve that 20%.

David Spark

Yes, you could bring it up to 20% on the other tool as well. Sandy, I am throwing this to you. I guess, we are speaking though, which product works better for you? And I think you are saying the same thing. So, Sandy, what is worse for you?

Sandy Dunn

I have to agree with Mike. I mean, you have got to know what you have to be able to protect it. But it is almost an impossible question because reality is, you should be using an open source tool for that other 20%. There is no reason not to have 100% coverage, so I think you have to start with knowing the entire tech surface and then building out your defense in depth.

David Spark

Good answers, both of you. Alright. Maybe I won’t say you are wrong this time, Mike.

Mike Johnson

Just this once. Just this once.

It’s time to measure the risk.

00:17:44:09

David Spark

What is going to drive your risk down the most? Should you spend the money on a tool or get cyberinsurance? Now I know not all tools are created equal, but do you ever do the risk calculation with cyberinsurance? A group of CISOs I was chatting with did not spend money on cyberinsurance and instead chose to purchase a tool to drive down drastic risk. So, I will start with you, Mike. When does it make sense to shift the risk and get cyberinsurance?

Mike Johnson

First I have a question back to you, David, clarification on this conversation that you had, because I am really trying to process it. They’re saying their company did not spend money on cyberinsurance at all or it did not come out of their budget?

David Spark

No, they weren’t saying that they would not spend money on cyberinsurance at all. I think it was just sort of the security professional mindset that if I had a choice to drive down the risk I want a tool versus just shifting the risk to cyber and to where the company…

Mike Johnson

Okay.

David Spark

…I am sure address cyberinsurance. It was more of a theoretical discussion of, you have got X dollars, am I spending it on a tool or cyberinsurance? And they pretty much universally said tool.

Mike Johnson

Right, so you are basically asking the question would you rather spend your money on risk reduction or risk transference.

David Spark

Exactly.

Mike Johnson

Right? When it comes right down to it though, it is almost unavoidable. You have to have cyberinsurance. Your corporate insurers are going to require it. It is almost one of those questions where it is a fun thought exercise but it just cannot apply in reality. If you are a B2B company, you are going to have your customers demanding cyberinsurance.

David Spark

But isn’t there a point and I am eager for your take on this too, Sandy, where you say, “I cannot reduce this risk anymore.” The diminishing rate of return here, it just becomes too difficult. At this point we have to look at transferring risk with insurance. Doesn’t that calculation come into play at some point?

Mike Johnson

A lot of it really comes down to the big issue that rarely happens. If you spend all of your money trying to be perfect so that this one incident that might happen every five years or every ten years does not happen, you’re going to spend so much money and time trying to deal with that and that is why you would go for the risk, for the insurance.

David Spark

Right, quite simply the diminishing rate of return of it.

Mike Johnson

Yes.

David Spark

Sandy, what is your take on it? When does insurance come into the conversation? Obviously it is in the conversation but do you look at it as a logical question, “No, we shouldn’t be buying a tool for this, we should be dealing with insurance here?”

Sandy Dunn

No. I think you use them for two different reasons. The reality is, you better have been buying those tools, because if you think that you can’t protect your environment and your cyberinsurance is going to cover you, you are wrong. You are going to end up in a situation where they come in and say, “Sorry, part of the requirement to get the cyberinsurance was you had to have these specific security controls in place. So you did not meet the requirements for us to provide coverage.”

David Spark

I am assuming you get some sort of an audit by the security company, yes? Yeah?

Sandy Dunn

You do, and they are getting more mature. I am actually extremely optimistic about the cyber insurance industry. I think it is still extremely immature. I think the insurance providers are covering stuff they probably should not have. They did not do enough due diligence up front, so they should not have provided the coverage. But what I anticipate happening is we are going to see those requirements. Because they have taken this brunt of abuse because of all the ransomware, they are going to come in and actually do a lot more diligent requirements on verifying whether or not you are insurable. Just like with your house, they come in and say, “Okay, do you have your fire alarms? Can we insure this?”

David Spark

What is this pile of crumpled newspaper doing in the living room next to the fireplace?

Sandy Dunn

Exactly. And so I think it will take time, we are not going to get there in the next year, but I think over time cyberinsurance will help us in the cybersecurity field to get those budget dollars, because they will come in. Before it was like, “Oh, we do not want to give you that budget because we will just get cyberinsurance.” And us people in the trenches were saying, “No, that is the wrong way to look at cyberinsurance. That is a poor way of thinking.” How do you call out? What is an act of war? Who gets to make that call? So there is a lot of unknowns but do you need cyberinsurance? Absolutely. Just like Mike said. You want to have it, just like you need health insurance, just like you need flat insurance.

David Spark

Speaking from someone who would know something like that.

Sandy Dunn

You use it for that big event that you do not have coverage for. But you need to be insurable, because remember if you look at the history of insurance, what it’s supposed to do, it’s not supposed to cover people who make bad decisions, it’s supposed to cover good people who just happen to have an event happen that they did not expect.

David Spark

So asking both of you, maybe it was more theoretical among these CISOs, but really the question shouldn’t be asked. You should be doing both. But what insurance is doing, correct me if I’m wrong, is just doing the thing that the tool cannot do which is to deal with the catastrophic, unplanned that may sneak in, to essentially save the business from ceasing to exist. Mike, agree or disagree with that?

Mike Johnson

It is generally for the catastrophic event that is very rare. If you look at the risk equation of impact versus likelihood, low likelihood, high impact.

David Spark

Right.

Maybe you shouldn’t have done that.

00:23:49:01

David Spark

What is the proper way to behave during a breach? In an article on Dark Reading, Samuel Greengard offered some breach etiquette tips such as “say what you know” and “be ethical and sincere.” Not surprising. All the items we have mentioned on this very show before. So, my question to both of you, and I am going to start with you, Mike, is either through an actual breach you had or maybe a tabletop exercise, what are some rules of engagement you found either the most difficult or the most surprising and you wouldn’t have realized it had you not gone through that experience?

Mike Johnson

So, when I think about breach response I think about ducks. Calm above water, paddling like crazy under the surface. The proper way to behave during a breach is calm. You have to–

David Spark

Appear calm?

Mike Johnson

You have to appear calm.

David Spark

But move your flippers very quickly underwater?

Mike Johnson

Yes, yes, because if you panic, that will cause panic for everyone else and it spirals and it gets ugly very quickly. If you have been doing incident response for a while, you have seen it more than once. But at the same time you have to keep up a sense of urgency. That is the paddling underwater piece. And the thing that I have found the most valuable and have learned from both tabletop exercises and real incidents is assigning an incident commander that does nothing other than orchestrate the activities.

David Spark

Do they get a whistle by the way? Do the incident commanders get a whistle?

Mike Johnson

If that is what it takes. Their job is to get the updates out, get them to the executives so the executives know what is going on. Making sure that happens on a regular interval. Give people an idea when the next update is going to come. And until you have had an incident, and until you have had the table-top exercise with other folks, you are going to have people swooping in, being nervous, asking for status. Incidents are so dynamic, you do not really know until you have been there just how important that incident commander is and those regular updates are.

David Spark

I’m assuming the first times you did this, there was an incident commander, so, “We need this person?”

Mike Johnson

Correct. What I will say and I will give my team at the time credit that they recognized the need for an incident commander and in the moment it was, “Okay, you are the incident commander.” And that was then established in the moment, and that then became a muscle that we used going forward.

David Spark

So if I was incident commander, I would demand, A, a whistle, B, stripes on my uniform as well.

Mike Johnson

That is all very reasonable and you can even ask for green M&Ms only.

David Spark

Okay. This all works good. Alright. So I like this scenario, the image of the duck calm on top, paddling furiously underneath and having the incident commander. Have you seen this thing kind of play out or need to play out like Mike described, Sandy?

Sandy Dunn

Absolutely, and I think he hit on a key point which is you do have a lot of people swooping in and you need to respond to those people, because they should have an update for it, but keeping that as a specific role so that person is the communication channel and then your people who are doing the investigation are not interrupted. Because if you do not control that, if the incident commander is not managing your people doing the investigation and protecting them, then they are kept from doing the important work of actually understanding what is going on and getting in front of it.

David Spark

So just digging one level deeper on this incident commander, I know in a situation, a very intense situation, there is a lot of information flying from a lot of different people. The whole idea of the incident commander is everything funnels through this person and that person is the one point of truth, if you will. Yes, Sandy?

Sandy Dunn

Absolutely. So incident commander and then also a dedicated person to take notes, keeping track of time, detail what has happened. So you have a very good timeline of exactly what happened and when. So two roles that are not actually in the trenches using the tools or doing that stuff, but they are single-minded, one is doing communications and one is taking notes and keeping track of everything.

David Spark

And let me ask, similar to Mike, I’m assuming you did not have this on day one. You had to develop and realize, “Oh, we need an incident commander, and we need a note-taker.” Yes? You are saying yes and that brings us to the very end of this very episode.

Close

00:28:33:10

David Spark

Thank you very much, Sandy. That was excellent. I love your take on all of this. We had talked originally about this holistic view of cybersecurity and that bled through every single segment on today’s episode. So I greatly appreciate that. And I will let you have the very final word, but first I want to thank our sponsor Expel. E-X-P-E-L dot I-O, detecting and responding to threats, very quickly.

David Spark

Mike, any last words you would like to say to Sandy? And, oh, by the way, when I go to you, Sandy, one of the questions I always ask our guests, are you hiring? So please have an answer to that question. So, Mike, you first.

Mike Johnson

So, Sandy, thank you for joining us. It was really a pleasure sitting down, having this conversation. It really did feel like a conversation. It felt like we had some good back and forth which is always wonderful when that works out. I really liked what you were discussing around security, that it’s a calling not a job. I think that is something that is a good reminder to folks and I think some people might even have felt that and not realized it. So, putting the words to it, I think, will appeal to our audience and I think some of them will take that home and go, “Oh, yeah, that is what I have been feeling all this time.” So, thank you specifically for reminding folks that security is a calling, it is not just a job, but generally coming on, sitting down, talking with our audience and sharing your experience and perspective. Thank you.

David Spark

Thank you. Alright. Sandy, you get the final word. Any last thoughts and please let me know, are you hiring?

Sandy Dunn

It was great to be here today. I love talking with other cybersecurity professionals. I really believe in building your network. Our job can be difficult so you have got to make sure that you have your tribe that helps you recharge your battery and reminds you that it is a calling not just a job. So, I appreciate the opportunity to come talk to you and currently right now we have just filled a position. So thankfully I have a full team right now.

David Spark

Excellent, very few people can say that. Very few CISOs specifically can say that so kudos to doing that. Thank you very much. That’s Sandy Dunn who is the CISO for Blue Cross in Idaho. I was joined by my co-host Mike Johnson and as always I want to thank our audience for their awesome contributions and supporting this very show. Thank you for contributing and listening to the CISO/Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”