I’ve Got Plenty of Risk If You Want More

It seems anything that’s added to a business, like a new app or a third party vendor, just adds more risk. Risk definitely piles up faster than CISOs can reduce it.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson, CISO, Rivian. Our guest is Kurt Sauer (@kurtsauer), CISO, DocuSign (at the time of recording, Kurt was the VP, Information Security at Workday).

Huge thanks to our sponsor Stairwell

The standard cybersecurity blueprint is a roadmap for attackers to test and engineer attacks. With Inception, organizations can operate out of sight, out of band, and out of time. Collect, search, and analyze every file in your environment – from malware and supply chain vulnerabilities to unique, low-prevalence files and beyond.

Full transcript

[Voiceover] What I love about security vendors. Go!

[Kurt Sauer] I love security vendors because you never know exactly what you’re going to get. You’re either going to get new information or you’re going to get swag, but you win either way.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of this show. And joining me for this very episode as my co-host, you know him. If you listen to the show, you know this person. If you don’t listen to the show, it’s possible you don’t know this person. But it’s possible to not listen to the show and know this person at the same time. Your parents listen to the show, correct, Mike?

[Mike Johnson] Actually, my dad does, yes. Hi, Dad.

[David Spark] So, my mom does. So, they listen to the show and know you, the same thing. But they could also know you without listening to the show.

[Mike Johnson] I would hope that my parents know me, yeah.

[David Spark] Do any of your other relatives listen to the show?

[Mike Johnson] Not that I’m aware of.

[David Spark] Or listened to at least just one episode?

[Mike Johnson] I don’t know, not sure. No one’s ever said anything to me.

[David Spark] One of my sisters, I don’t think I believe has listened to a single episode.

[Mike Johnson] [Laughter] I don’t think my sister has.

[David Spark] One of my sisters has been to two live shows. Of which, actually, when this episode airs, we will have done, let me think, I think we’ll have done three live shows.

[Mike Johnson] Wow.

[David Spark] Yeah. If all goes well. Definitely two, possibly three live shows.

[Mike Johnson] Fingers crossed.

[David Spark] Fingers crossed. By the way, if you’re not familiar with us, we’re available at CISOseries.com where you can see all of our wonderful programming. You should check it out. And I do want to mention our sponsor Stairwell. It’s spelled the way it sounds, doesn’t have any weird Qs or Zs or silent Ps in it. It’s stairwell.com. Eliminate the blind spots. They have a really, really cool new technology and I will tell you about it later in the show. Mike, I’m going to ask you a question.

[Mike Johnson] Okay.

[David Spark] Do you trust the census?

[Mike Johnson] This feels like a trick question.

[David Spark] I’m setting you up.

[Mike Johnson] Why wouldn’t I?

[David Spark] I’m definitely setting you up here.

[Mike Johnson] I mean, in aggregate, it feels like something that should be trustworthy.

[David Spark] After I tell you the story, maybe you’re going to change your mind. [Laughter]

[Mike Johnson] Okay.

[David Spark] I trusted the census until I had to take it for my business, and I’ve never done that before. And I’ve actually had my business for 16 years and I’ve never had to take the census for it. But I had to take the census for my business, and part of the process of taking the census for your business is categorizing your business.

[Mike Johnson] Okay.

[David Spark] Which was extraordinarily difficult for me to do. I just labeled myself as an online publisher, media, and I was having a very, very difficult time doing that. Now, I finally found the category, this is something called the NAICS code, which I categorized myself properly. When I finished, it told me that my business was selling gift cards.

[Mike Johnson] [Laughter] Maybe you are.

[David Spark] Gift cards, greeting cards, things like that.

[Mike Johnson] Sure.

[David Spark] So, there’s a support line which was very difficult to deal with and I couldn’t go to the top-level support, I had to go to the next level of support to help me. I go, “All I’m trying to do is help you out by categorizing myself correctly,” and I spoke to the next level support, and I told them what was happening. I was marking it right, but when I got out, it would label me completely wrong. And they said, “Yeah, we’ve been getting a lot of reports like this.” And not like, “Let’s fix it.” Their attitude was, “Nah, just click it, just go through. What you do is you just leave a comment at the end.” So, according to the census, I sell greeting cards.

[Mike Johnson] Well, maybe it’s a missed opportunity. It could be they’re trying to suggest something to you.

[David Spark] It’s very possible.

[Mike Johnson] CISO gift cards? I haven’t seen any, so there’s an untapped market there.

[David Spark] We could start selling CISO gift cards.

[Mike Johnson] Yeah.

[David Spark] The thing that just amazes me is their attitude was, “Let’s just get through this, I don’t care if it’s wrong.”

[Mike Johnson] My hope is that that is within the margin of error, right?

[David Spark] Let’s all hope. But they told me I’m not an isolated incident by any stretch.

[Mike Johnson] Yeah, well, hopefully there’s 2 million of you who filled it out and 100 of you who had this error, in which case statistically it doesn’t count.

[David Spark] You know what we might discover? There might be a huge spike on businesses selling gift cards.

[Mike Johnson] [Laughter] Well, then you’ll know.

[David Spark] And now we’ll know.

[Mike Johnson] If that happens.

[David Spark] You heard the story here.

[Mike Johnson] Yes.

[David Spark] All right. Let me bring our guest in, who you know very well, I’m very excited to bring him in. He is the VP of information security at Workday, none other than Kurt Sauer. Kurt, thank you so much for joining us.

[Kurt Sauer] Great to be here today. Thanks so much.

Walk a mile in this CISO’s shoes.


[David Spark] Mike, in a post on LinkedIn you argued that it’s unreasonable for a new CISO to come up with a multi-year security strategy even though that’s what may be expected of them by the business. You said it’s not possible to gain enough context within a few months. You said at best after three months you could come up with a six-month strategy. So, I got a bunch of questions for you, and they’re all kind of connected. What’s in a multi-year strategy that’s not in a six-month strategy? Once you’ve been at your business for three years, what is it you know that you didn’t know after three months that allows you to make better decisions? And also, how much of this is your understanding of context and what percentage of this is just the changing landscape of cybersecurity that makes a multi-year plan so difficult? Because I just think three, five years ago, you couldn’t make plans back then for what you’re dealing with today, could you?

[Mike Johnson] Absolutely not. And that was really what I was trying to kick off the discussion with: really adjusting expectations, because this idea of coming up with a multi-year strategy within three months has a lot of challenges. There’s the changing environment, the changing landscape, the threats, the attacks, whatever you want to say. But ultimately, within that period of time it’s really difficult to understand the business context. It’s really difficult. What is it the business needs, what is it they’re doing, really? You can look at a business from the outside and think you understand them, but I guarantee you on day one you’ve got a different understanding of what the business does than at day minus one before you’ve joined. And at three months, you’ll have a little bit better of an idea, but it’s not like you really understand everything that’s going on.

In terms of what the difference of a multi-year strategy versus the short term, so much of what we do in security is trying to make small changes that add up to something big over time. A lot of the significant improvements in security in an organization, they’re going to take a while. They may take two, three years in order to get there. And if you try and force that within a short period of time, you’re going to fail. So, by laying out a strategy, you’re able to say, “This is where we’re going, this is where we’re heading, and these are all the little things that can add up. And the little things, and this is why we’re doing them, that tell us how we’re going to get there, how we’re going to get to whatever this big plan, this big design is.”

[David Spark] Kurt, you ready to jump in?

[Kurt Sauer] Yeah, I think I would just echo that but reflect it slightly differently. If you look at some of the things that are knowable in a business context, like take for example zero trust. We’ve all heard about zero trust, it’s a big piece of this president’s new cybersecurity strategy, lots of people are moving that way. And you can demonstrate to engineering leaders or product leaders why you need to adopt that kind of approach and it’s sort of a multi-step, multi-year process to get from A to B, and people can kind of understand that and put it in a business context.

But when you talk about having more abstract goals of reducing losses or keeping your exposure levels lower or having a different kind of cyber visibility outside the company, that sometimes is more difficult to sell as a deliverable. And so what you wind up with is this mismatch between stakeholders. One stakeholder being the C suite in the company that is really trying to build a product or deliver a service, and maybe your internal stakeholders inside of the security or privacy or legal piece that is really interested in getting the best of breed solution. And bringing that together, turning it into a strategy that actually eventuates, it’s really difficult to make it happen.

Are we making this situation better or worse?


[David Spark] One year ago, Laurence Goasduff of Gartner wrote an article entitled “Plan to Adopt These 6 Identity and Access Management Tools.” She spoke of the need to connect anywhere, improve user experience, the need to manage keys, secrets, and certificates, leverage latest identity access management or IAM, development guidelines for new apps and APIs, and hybrid cloud and multicloud will drive IAM architecture. Now, there is no question that identity and access management are constant huge issues for a security program, and they keep evolving because weaknesses are constantly found in both security and usability. So, two questions, and I’ll start with you, Kurt. Was this Gartner list, do you believe, on target a year ago and are we moving in that direction, or do we see different challenges for managing identity and access?

[Kurt Sauer] Well, I think the first thing to think about is the environment you’re working in. The cynical part of me wants to say we need to keep up with the acronym, so it isn’t IAM now, it’s IGA, or whatever the pieces are. But in fact, we’re getting a better idea now of what identity means, and I think any list that was created a year ago is probably not up to date today. But I would say that I would posit it’s true that identity is the new boundary of people’s environments, and so you need to be thinking about how it touches every piece of every element of infrastructure that you have in your environment.

[David Spark] Mike, what say you? It seemed a reasonably good list from a year ago, but I will just say the identity play today is way more complicated than it was a number of years ago.

[Mike Johnson] Oh, absolutely. It’s way more complicated, and it’s because of what Kurt had mentioned is that identity is the perimeter. It used to be you would just type in your password when you were already at your desk and that’s all that really mattered, but so much has changed with the realm of identity. And I think that what’s interesting is the list itself. It’s a decent list. But again, Kurt nailed it with the definition of identity itself is evolving and changing.

[David Spark] I want you to both delve into that. The identity, is it because we have different identities of humans and machines? Is it because of how we’re also authorizing people and the fact that we’ve moved into zero trust?

[Mike Johnson] Those are good examples, right? Where you could have two services that are talking with each other, and they need to be able to identify to each other and they need to have an identity. We also have machine identity. My laptop has an identity and that needs to be able to identify itself to our security boundaries. So, yes. Those are some really good examples of how the definition has changed.

[Kurt Sauer] I think if you look over time, David, you think about the original security models we used, it was like the Bell-LaPadula Model for identifying subjects and objects and being able to access sensitive data. And in those definitions, we never really thought about what an identity is. And in fact, an identity isn’t just a person who possesses a password or some secret token, but it may be their environment, the things they’re doing, the environment they’re in. And so there’s so much more to think about today than there was in the 1970s when all the science was created. And I think we’re just now catching up with what we need to do in order to be able to address that environment on an enterprise basis.

[David Spark] And I think a lot of it also has to do with it’s this concept of sort of like micro permissions, like do you need access to this and that. And it used to just be sort of huge categories but it’s being sliced thinner and thinner and thinner as we’re going down. Yes, Mike?

[Mike Johnson] I think that’s one of the evolutions, where we have the ability to apply permissions on a more granular scale than we used to. It used to be you could get access to a thing. And now it’s you can get access to this specific piece of data in this specific location where you’re coming from this particular security boundary and we can have a very granular set of permissions, set of grants.

[David Spark] But don’t you both think this has caused all the problems though? This is my feeling is I can’t manage all these files, all these access things, for all these people, for all these granular… It just seems it’s inevitable things are going to break down, and this is what we hear. Kurt, yes?

[Kurt Sauer] Well, what I can tell you is that in a lot of environments it is really important what you’re doing at the time that you want to take another action. I can list myriad examples of people taking data, not with intent but just because of their actions, taking data out of one environment, putting it unknowingly into another environment because they’re trying to do the right thing, but in the end, they ended up causing a compartmentation failure between two customers or two projects. And then that leads to all the things that happen when you have data mishandled. So, I think the idea of being able to have time-bounded or condition-bounded access controls is very helpful. The problem is you have to architect it into your system. So, if you are just putting it in thinking it’s a slap-dash, put it in, and you can control all your data, you’re probably not giving enough attention to what you need to do to design it so that it works properly.

Sponsor – Stairwell


[David Spark] Before we go on any further, I do want to mention our sponsor. I’m actually thrilled to introduce our new sponsor and excited about this. It’s actually from Mike Wiacek who we’ve had on before. He has a new company called Stairwell, and he’s the former founder of Google’s TAG and Chronicle, by the way. So, Stairwell helps you stay a step ahead of the attackers. See stairs, steps, get it? All right, this is how it works.

Stairwell starts with the premise that the cybersecurity blueprint doesn’t work because attackers know the defenses as well as, if not better than, you do. The very security blueprint that is supposed to protect an organization is actually a roadmap on how to evade those defenses. So, Stairwell took the approach of saying: how do you keep an organization’s defenses out of sight, outside of time, and out of band from attackers? The answer: the industry’s first continuous intelligence, detection, and response platform.

The Inception platform that Stairwell has built automatically uploads every file to a dedicated cloud environment and continuously analyzes every file looking for malware, vulnerabilities, low-prevalence files, and more that you don’t even know to look for – including things that just snuck right by your EDR. So, this gives you better detection, confidence in response, and reduces the costs related to protecting against and responding to cyber-attacks. I’m telling you, this stuff’s really interesting, especially the fact that they’re keeping copies of these files and watching them if they were to change. So, you got to check this out over at stairwell.com to learn more.

It’s time to play “What’s Worse?”


[David Spark] Kurt, you know how this game is played, right?

[Kurt Sauer] I think so. [Laughter]

[David Spark] You do? Not hard. Staying on the theme of IAM, identity access management, we have a “What’s Worse?” scenario on that, and it is brought to us by Leah Livingston of Idenhaus Consulting, and this is Leah’s scenario. I always ask Mike to answer first, so Mike, you ready?

[Mike Johnson] I’m ready.

[David Spark] Okay. We start with this premise – your staff has zero knowledge of IAM. In fact, when they first hear it, they say, “What does that stand for?”

[Mike Johnson] Perfect.

[David Spark] You need to launch an IAM solution and here are your two options. One, your staff, they take the time needed to educate themselves on IAM, governance, complete an RA and a POC. They pick a vendor, they create a strategy, the roadmap for the project, and implement the solution themselves. The DIY team, all right? Now this takes three years to deploy a working solution and it costs a million dollars. All right? But they did it all themselves.

[Mike Johnson] Yep.

[David Spark] Two, this is the other option, hire an external consulting firm with extensive knowledge of IAM. Let the firm lead the RA and POC, create the strategy and roadmap, and the internal staff will be the hands-on keyboard executioners of the process. It takes one year to deploy the solution that will probably be better than the three-year solution, but it costs $2 million, and that means 1 million will not be available for other security staff and tools. Which one’s worse?

[Mike Johnson] As we’ve been discussing, identity is really important, identity is really critical, and it doesn’t feel like an area that I want to value engineer. I think it’s worth investing in to get it done right, and so I’m not as bothered by the $2 million versus $1 million part of it.

[David Spark] But you do understand that a million’s going to be taken away from somewhere else, right?

[Mike Johnson] Oh, sure, yeah. I understand how budgets work. I get that.

[David Spark] [Laughter] I’m speaking to a CISO here.

[Mike Johnson] Yes. But at the same time, it’s so foundational, I think it’s okay that I’m going to… Essentially what’ll happen is I will put off doing something else. It’s not like that million dollars, I’m not going to have that opportunity down the road. I recognize that I’m short-term losing it, but it’s all about the long-term gain here. So, I do think the get it right, get it maintainable. The challenge of homegrown IAM solutions is they’re often unmaintainable. You’ll likely find yourself three years down the road, four years down the road, with something that you don’t know how to manage. You can’t hire people who know how to manage it. You’re going to have folks rotate off of a project. It’s going to be really painful over the long run.

So, I really think in this situation I’d rather spend the extra million dollars, get it done sooner, that’s a nice bonus. But ultimately, it’s something that is going to be maintainable that we’re going to be able to support long term. And presumably, again, either of these is meeting all of our needs, but is likely going to better integrate with other solutions down the road because it’s a more commercial approach.

[David Spark] All right. Good, well-thought-out answer. Kurt, do you agree or disagree with Mike on this one?

[Kurt Sauer] I would agree with Mike’s position but I think I would also add in here that first of all, the value proposition that it’s a million dollars gained or lost is a false proposition because you’re not going to be paying out all of that remediation fund for when you have a breach because you had an IAM failure. The other thing I’d say is that as you roll these solutions out, even if you’re using consultants, having that external view is going to help you do a better job architecting the entitlements process so that you have a better solution that actually meets your needs over the longer term and is more maintainable. I think it’s really critical that we see that identity is the new boundary and because that’s the case, we have to really think carefully about how we’re marshalling our resources internally, not think of it as this false proposition of saving money because we’re doing it in-house.

[David Spark] You know what? You bring up a very interesting point there about it’s actually good to have the outside eyes looking at this. And specifically around identity, would you recommend – I’m going to throw this actually to both of you – that no matter what you do, whether you’re doing a homegrown solution or not, that there are some outside eyes sort of guiding you along the way because they’ll see things that you don’t see. Mike, Kurt?

[Mike Johnson] I think if you can, yes, but I would hesitate to make it a requirement because you can get yourself into a corner where you just make no progress at all, so that’d be the one concern that I’d have. But identity is just so important and it’s so easy to get wrong that tapping into someone else’s expertise, there’s a lot of value in doing that.

[Kurt Sauer] I’d also tack onto this by saying there’s sort of the crawl/walk/run approach that you can apply to this, and you need to be able to understand and own your own infrastructure. That’s, I think, a sine qua non. But it’s not a problem to be able to maintain it if you have had somebody come in and show you the ropes along the way. So, I’m thinking particularly about the problem of entitlements connected to SaaS service providers because so many people are moving to SaaS solutions. They don’t have a system that they can configure in the office. They may not actually know or understand all those controls in that SaaS environment. And so getting somebody to walk them through some complicated implementation of IAM or IGA with respect to SaaS services that they’re consuming will help them be able to do the next SaaS service or the next iteration of the same SaaS service as things progress.

What’s the best time to do this?


[David Spark] The internet is awash with advice on how to break into cybersecurity. There are also numerous articles and studies about security professionals wanting to leave the industry. But what there appears to be no advice on is how do you switch roles within cybersecurity. Now, we’ve heard some security professionals say it’s like starting from square one again. Just because you’ve got three years’ experience in this one role, you probably won’t get that lift in another role. First, Kurt, do you believe this to be true? Or is it a case of “it depends,” which I’ve got to assume it is. More my question is what are the lateral moves that make sense, that are reasonable in the cybersecurity space. How do you become a Y once you become an X?

[Kurt Sauer] Well, I think first, before saying, “This can move to that,” I think it’s important to have the people who are leading a security program in any particular company or government agency recognize that it is indeed possible to move in lateral directions. If the opportunities are not made available to the workforce, then nobody’s going to be moving within the workforce. And I find it very easy for managers to pigeonhole people into, “Oh, this is a person in a SOC job,” or “This is an AppSec person, that’s what they do.” I would say it’s maybe more difficult to move from a role that is more abstract and away from engineering into a high-function engineering role without having the requisite experience in that space, but I think that that’s really the only area where you’ve got to really have a clear understanding of the differences in roles. But opening the pipeline starts with management saying it’s possible.

[David Spark] That’s the key line. Mike.

[Mike Johnson] You have to make it clear that internal mobility is not only possible but frankly, you should make it a goal. I really find it’s a great retention tool. You can have people who are ready to just leave the company because they feel they have no opportunities to do something else, and they want to go do something else. And if they can’t do it here, they’ll go do it elsewhere. And I think that, as Kurt said, the leadership has to make that available to folks. Otherwise, they’re not going to believe it’s possible. So, I think that’s one side of the equation is leadership has to frankly make it a goal, that’s my perspective, and individuals then need to own their own career. If we’re making these opportunities available to folks, people need to step up and take them. I’m not going to force somebody to do something to force them into a job change. But if they want to do it, I’m absolutely going to support it, I’m going to find ways to make that happen.

Back in Salesforce days, we actually had two people on two very different teams that just did a swap. They spent three months on each other’s team, and for one of those people, it was career changing. That has become their new career. They changed. They essentially went from blue team to red team, and they’ve gone on to be greatly successful in the red team role. And we made that opportunity available to them, but those folks seized it, and because they seized it, they now have different careers as a result. So, it really is important to provide the opportunity, but it’s as important for folks to recognize and take advantage of it.

[Kurt Sauer] Just sort of tack onto that to say when you’re leading people who are doing security or even not security, doing other forms of engineering, and you have people who are interested in a different area of security, don’t force-fit people into training saying, “You need to take this training because it is directly relevant to the job you’re doing right now.” There is this tension all the time around how do I want to spend my training dollars in an organization in the most effective way. Sometimes it turns out the most effective way isn’t directly leading to a result in the next quarter. It may be a result you’re going to see in one or two years. And so you need to sort of refocus your focal point for that money or what’s going to come out from that money spend out a little bit.

And then what you may find is not only do you get a highly functional person in a new area, but you get people coming into that role when it vacates saying, “I’m in a role where somebody was really successful and was able to do something exciting with their career and I’m glad to be in this team.” Right? So, you can have all sorts of positives that come out of it by doing something that doesn’t seem like it has an immediate payoff.

[David Spark] Let me throw this out and tell me if you have either experienced this yourself or seen this happen: forcing a change that is so divergent from what the person is doing, and they have not expressed any interest in it, that is a recipe for them quitting. And I know that happened to me. I worked at a company where they just essentially had this opening they needed to fill. In no way was I “qualified” for it nor interested in it, nor did I ever express interest, but they just needed to fill it, and it goes, “Okay. Well, David’s going to do it.” And literally it took me a day or two to say, “No, I’m going to quit.” That’s the answer here. And this stuff happens. It’s such a horrible management move to do something like that. Have you seen this behavior before?

[Kurt Sauer] I’ve certainly seen small amounts of being voluntold for things, but I haven’t seen anything quite on the scale you’re talking about where somebody’s forced into a role they just don’t want to take. I think that would be a recipe for disaster.

[David Spark] Well, it was. I mean, I just ended up quitting.

[Mike Johnson] One of my first job changes was exactly that, so I can totally relate. Someone said, “Hey, you’re moving onto this other team,” I said, “I’m going to go find something else.” Now, I waited till I had something else before I quit. I think it maybe took me hours to make up my mind to decide that that wasn’t what I wanted to do. So, I hope we see less of that today than we used to. This was a very long time ago.

[David Spark] Same. Mine was as well. It was a very long time ago.

[Mike Johnson] But I do think it’s something that folks have to be careful about when you’re a leader that you can drive folks out, and there are plenty of opportunities out there, especially in cybersecurity.

[David Spark] And by the way, and also other people see this behavior. So the damage isn’t just that one person. [Laughter] I’ll tell you the irony of this story is when I left, and I never actually did the job, the management kept referring to it as the David Spark position.

[Mike Johnson] [Laughter] Nice.

There’s got to be a better way to handle this.


[David Spark] How do you avoid creating new risks when you add new applications, or even just update applications? In an article on DarkReading by Jeffrey Schwartz, HSBC CISO Monique Shivanandan noted that her company has rigorous processes for onboarding new technology, but still it’s not the point that they’re reviewing source code. The way they handle it is through “a lot of pentesting and red teaming.” But even if they do approve a piece of technology, “Every software change and every new release can knowingly or unknowingly introduce something new. It’s a constant battle that we’re facing.” So, one proposed solution has been SBOM or software bill of materials, which sounds great, but it’s been really slow to deploy. Also, questionnaires for third-party vendors, but no one seems to think that does any good. So, today – Mike, I’m starting with you – what is the best solution you’ve found for verifying, testing, and reverifying security of new technology, and where would you like to see it go?

[Mike Johnson] So, I think there’s really two ways that you need to think about this, and I’m not entirely sure where Monique is coming from. The way that I read this is internally developed apps.

[David Spark] They were dealing with third party apps too, it seems.

[Mike Johnson] Ultimately, it’s two different solutions. You’re still not looking at source code. Ultimately at the end of the day, you cannot scale a security team to look at the source code of everything that is deployed, even if you have access to it. That can’t be your approach. The way that I think about this, and putting on the hat of vendor security, of third-party security, you have to start with prioritizing. What is the most important thing? If you’re looking at an application that’s going to just serve marketing materials, that’s not as important. It still has importance for other reasons, but that’s not as important as the place where you store all of your customer data. You need to spend more time on the latter. You’re going to ask questions. If it’s in the form of a questionnaire, you do the best that you can. But ultimately, you’re trying to assess how much you trust that application and how much you trust that company. And from there, you can make decisions of, “Okay, I can trust them with this type of data, but I can’t trust them with this,” or you can say, “You know what? I know this company. I am friends with their CISO. I know they do a good job. I’m going to go ahead and go with this company because I know that they have solid security.”

But the thing that people don’t really talk about much there is the vendor and the solution might be extremely secure, but your configuration of it matters. Think of how many breaches have happened because an S3 bucket had terrible permissions. AWS is one of the gold standards for security. They’re going to pass with flying colors any vendor security review that they go through. But it takes you 10 seconds, if even that long, to accidentally make a change that reveals all of your information to the world. So it’s really key not to just think about the security of the vendor, the security of the product, but the security of your implementation, and the level of investigation and work that you put into that all comes down to your prioritization. How important is this data, and then you figure out how many resources you want to apply to it from there.

[David Spark] Very good point – focusing on the data. Kurt.

[Kurt Sauer] Everything Mike said is true. I would say that people underestimate the amount of effort it takes to prioritize where data are. There’s a whole science to figuring out what your sensitive data is and where it’s located and how you’re managing it. You can only deal with a certain number of external vendors in a security program unless you are just fabulously loaded with resources, and so you have to be able to utilize or marshal those resources in the most effective way. That means that you’ve got a risk exposure, right? That there are some things you’re not going to be able to handle. There are some things that you can’t deal with. And I think it’s just as important to say where it’s okay for you not to spend all of your time and energy because it has a lower payoff, right? So this is just another management of your security program question of where do you spend the dollars, where do you spend your resources, where do you outsource assistance in order to make sure that you have a program that is within your, as they say, risk appetite and risk tolerance.

[David Spark] So, what I’m hearing from both of you is this continues to be a very difficult situation. I mean, I’ve seen vendors desperately trying to solve this, like with rating systems for vendors. But that doesn’t tell you how something works in your environment, and it doesn’t tell you how it’ll behave with what you have. It seems everything just has to start within your four walls before you do any sort of experimenting with anybody else. Am I right here, Mike?

[Mike Johnson] It’s very much what Kurt was saying: you have to decide what you’re going to spend your time on and, more importantly, decide what you’re not going to spend your time on. And once you have an idea of how you’re going to sort through that, then you actually have a chance. But thinking that you can just outsource it to another vendor who’s going to tell you the security of all of your vendors, it’s probably not going to work out as well as you would like it to.

[David Spark] What you should not do. You onboard with that, Kurt?

[Kurt Sauer] I think that’s an important thing. I think it is also important to identify people who can help you at some scale. So when you look at SaaS vendors and where they’re sitting in your portfolio, having somebody who can assess the security configuration, as Mike pointed out, is pretty important and I think can really save your bacon.

[David Spark] Saving your bacon. Good point to close on for our audience as well.
[David Spark] Thank you very much, Kurt Sauer, who is the VP of information security over at Workday, and Mike Johnson, who still remains the co-host of this very show. Hey, guess what? Our sponsor today, love the fact that they’ve joined us onboard. By the way, since Mike Wiacek who owns Stairwell, after he appeared on this show, his company got bought by Google and we, by the way, I don’t know if you know this, we take full credit for that. Do you know that?

[Mike Johnson] Absolutely. Yes.

[David Spark] We take full credit.

[Mike Johnson] Yes, yes. We however didn’t get a cut of it.

[David Spark] We did not get a cut of it.

[Mike Johnson] Next time.

[David Spark] He did though say that if Stairwell gets bought out… You know what? I have to go back to the recording, see what he says, but I think he’ll take us out for a meal as well.

[Mike Johnson] [Laughter] Fair enough, I’ll take a nice meal.

[David Spark] Fair enough, I’ll take that. Hey, check him out. Stairwell – eliminate the blind spots with Stairwell. It’s spelled just the way it sounds, stairwell.com. Kurt, any last thoughts for today’s discussion?

[Kurt Sauer] No, it was just awesome to be here talking with Mike, it’s been a long time and really enjoyed the content.

[David Spark] All right. And Mike, any last words for today’s show?

[Mike Johnson] Well, Kurt, thank you for coming on, I’m sorry it took getting you on the show for me to be able to get your time to chat with you but I’m…

[David Spark] Oh. So, you really aren’t very good friends, are you?

[Mike Johnson] I am not a good friend. That’s the better way of putting it.

[David Spark] Oh.

[Mike Johnson] That’s the better way of putting it.

[David Spark] It took this many years to find out, Mike!

[Mike Johnson] Yes. Now everybody knows, and it’s actually now recorded. Thank you, Kurt, for coming on. It was so awesome to actually sit down and chat with you and share your experience with our audience. I loved how you kept coming back to prioritization and how both important and difficult that is. And I also really appreciated just kind of the reminder of the importance of identity for folks, and your point about crawl/walk/run with IAM I think is one that people really need to pay a whole lot of attention to. So, thank you for coming on, sharing all of this with our audience, and thank you for catching up. It was wonderful.

[David Spark] Thank you very much, Kurt. Thank you very much, Mike. Thank you very much to our audience as well. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday and Cybersecurity Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “What’s Worse?” scenarios. If you’re interested in sponsoring the podcast, check out the explainer videos we have under the Sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.