Make Your Friends Jealous with Our Hand-Crafted Passwords

I know your friends say they use excellent passwords, but they don’t take the time and care we put into choosing the right combination of letters, numbers, and special characters that’s unique to your personality. Once your friends and the dark web have a chance to see them, they’ll want to emulate you by using your password over and over again.

This week’s CISO/Security Vendor Relationship Podcast was actually recorded in front of a small live audience at The Passwordless Summit in Newport, Rhode Island. The event was sponsored by HYPR, our sponsor for this episode as well. Joining me and my co-host, Andy Ellis (@csoandy), operating partner, YL Ventures, was our sponsored guest, Brian Heemsoth (@bheemsoth), head of cyber defense and monitoring, Wells Fargo.

Live recording at The Passwordless Summit in Newport, RI, hosted by HYPR. (From L to R) Brian Heemsoth, Wells Fargo, Andy Ellis, YL Ventures, and David Spark, CISO Series


HUGE thanks to our sponsor HYPR

HYPR is the leader in Passwordless Multi-factor Authentication.
We protect workforce and customer identities with the highest level of assurance while enhancing the end user’s experience. HYPR shifts the economics of attack to the enterprise’s favor by replacing password-based MFA with Passwordless MFA. 
Welcome to The Passwordless Company®. It’s time to reimagine Identity Access Assurance. 

Full transcript

Voiceover

10-second security tip, go.

Male Voiceover

Cyber incidents are not something we generally look forward to. But they do provide our best opportunity to reflect on the health of our security controls and our business processes. Leverage the incident to influence progress where it’s needed.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. I’m David Spark and I am the host and producer of this show. I’m here with my co-host, Andy Ellis who is the operating partner at YL Ventures. Thank you to HYPR who is our sponsor. Thank you Andy for coming.

Andy Ellis

Thanks for having me, David. Nice drive from Boston.

David Spark

Same here. I drove from Boston also, during which all power went out on my board, caused by my stepping on the power cord.

Andy Ellis

Usually we blame squirrels or pythons; this is the first time I’ve had the foot.

David Spark

My foot was right on the power cord. It’s very weird to be back in front of people, talking to them face to face, which used to be normal.

Andy Ellis

It did. I appreciated that little bit of familiarity of the table tents, having people’s Zoom name underneath them. It’s sort of the physical space equivalent. I got comfort that maybe I was just on Zoom.

David Spark

Right now can you read any of their names at this distance?

Andy Ellis

I can read one name.

David Spark

I think we got to go for a larger font size in future events. So introducing our guest joining us is the head of cyber defense and monitoring at Wells Fargo, Brian Heemsoth. Thank you for joining us.

Brian Heemsoth

David, Andy, thank you for having me. And thanks to the HYPR team also.

What’s it going to take to get them motivated?

00:02:28:21

David Spark

How can you make a good impression about the quality of your security? Mike Johnson, my other co-host of this show, posted a browser warning that the website he was trying to visit had an expired security certificate. It gets worse. It was actually from a security vendor. There’s a good amount of branding and user experience necessary in security, to make people feel safe and for them to physically do the right thing within your site. So Andy, how do you look at your environment? You want to demonstrate that you have a secure environment and you want to lead people to take the secure action.

Andy Ellis

So you never want this to happen. It happened to me on my personal website recently.

David Spark

Expired certificate?

Andy Ellis

I empathize. Setting up the cron job is more challenging than you think it is, even with Let’s Encrypt. It can be a seamless experience if you get things right, but nobody knows you’re doing it. It’s important when something like this happens, how did you respond and take action? Did you say, we screwed this up and we’re going to fix it and implement some processes? Or are you going to throw the intern under the bus? It never makes a company look good. The reality is you didn’t set up a process.

David Spark

So Brian, talk about where you find these moments where people are confused or uncomfortable. Just basic web stats will show, in the classic case of e-commerce, people abandoning shopping carts because something spooked them. Or it’s just load time that causes it. What are you looking for to make people feel more secure?

Brian Heemsoth

There’s a couple of elements to look at. What’s the hygiene of your consumer-facing applications? Customers read into that. If they see cert issues, if they see a user experience that’s difficult to navigate, their trust in your brand is eroded. As it relates to the user experience specifically, correct. There’s a huge onus on us as technology practitioners to use the information available, to make sure that our customers are getting the right experience from our sites. And also ensure we provide our services in a way that’s able to make them successful in what they’re looking to execute with our companies.

David Spark

Give me like one classic example of something that happens regularly.

Brian Heemsoth

The best example is a password reset process. If it’s a difficult-to-navigate password reset process, customers won’t trust that process. Therefore they don’t trust your brand. If you have the opposite, collaboration between your digital, user experience and security teams to put together a process that makes the customer successful and allows them to reset a password, they’ll generate more revenue for your company and have more trust in your brand.

Andy Ellis

A key point brought up by Jim Routh in an earlier session was that a frictionless experience needs to be a priority when talking about security improvement. That resonates with the rest of the business and consumers.

David Spark

We all know it doesn’t come easy. It’s a lot of work to make something seem like it’s simple. What’s something heavy you’ve had to do to make something seem so simple, but the background action was intense?

Andy Ellis

For us, when I was at Akamai, we went to a passwordless model but it involved every device having a certificate installed on it. We had rolled out 802.1X, which I don’t recommend doing on a wired network. Consequently, we had a certificate infrastructure. So when an employee went to a website, there was this certificate authentication that they never saw. The authentication then got pushed to their phone, so they felt they were engaged, but didn’t have to input a password. But that took 10 years to roll out as nobody had done that. Now it’s much easier for people. Sometimes that vision of where you’re trying to get to is needed to move in that direction.

David Spark

Similar case Brian?

Brian Heemsoth

An example from the customer-facing element. At a past company I worked at, there was a large deployment of a consumer authentication capability, focused on the binding of users to their devices. All very complex. We have to be able to offer these services to people that don’t have that level of technical complexity to be able to understand all that. Key for us was choosing technology partners that made the integration seamless and putting those capabilities into our application flows for our customers in a way that made sense. It broke down these complex concepts into simple concepts to understand. And also have flows and engagement models that worked very well for those customers. That was a tough process with many rounds of design, throwing out fruitful ideas that we later learned were not viable through acceptance testing, and finding that mix that worked for our customer base and their demographics.

Is this a Cyber security disinformation campaign?

00:08:09:10

David Spark

Andy, you enlightened me to the absurd restrictions companies have in their End User License Agreements or EULAs. According to research from the organization you co-founded, Transparency in Cybersecurity, a whopping 42% of companies, out of 200 you sampled, have clauses that in some fashion restrict reviewing their products or at least need approval to publish a review. Many said you couldn’t pentest their product. My first reaction is, isn’t this a blatant violation of free speech? And do you know of any company that has acted on this clause, since security products have been reviewed and many have not been favorable?

Andy Ellis

From a principle of free speech, ignoring the First Amendment, which is an implementation, it’s absolutely a violation of the principles of free speech. There are communities where there’s the Chatham House Rule, where as a community you decide you’re not going to name somebody who said something. This certainly wouldn’t fit that framework. There are certain confidentiality agreements that people could have. This really doesn’t fit that framework. The big challenge is we have seen people act on this, and even if it’s not legally enforceable, that’s okay, they have big pockets. They throw lawyers at you, so unless you’re willing to take that stand against the lawyers, you’re most likely to just go quietly away.

David Spark

Brian, did you even know this existed prior to this?

Brian Heemsoth

I did not.

David Spark

This seems astonishing. Why this is called a cybersecurity disinformation campaign is you see where this could lead, if it hasn’t already led there: you’re not going to get legitimate reviews of software you need to see if the negative reviews are squashed.

Brian Heemsoth

There’s a couple of factors here. One is that part of the interest these vendors have is ensuring they’re protecting their intellectual property. There are certain ways that the product works that you don’t want to get out to the public. As consuming companies, our ability is to know what we’re signing. Have your security and legal teams read the agreements. Make sure that you’re going to be able to get out of those agreements what you need to be able to be successful with that product. Can you measure success? Can you assure that it’s working well in your environment? Can you collect the information that you need prior to implementation and deployment to assure that you’ll be successful? Then let your wallet do the talking. If you can’t get an agreement that will work with a given vendor, find another.

David Spark

Orca Security just got a cease and desist letter recently. What’s the story?

Andy Ellis

So Orca, which is a company in the YL portfolio and I do work with them. Orca said let’s test our product against competitor products and post a review. The review was like, here’s a video shown on screen of what did or didn’t get detected. Seems like something anybody who was a user of these products could see.

David Spark

A benchmark test.

Andy Ellis

So Palo Alto sent them a cease and desist letter requesting they take this down, as the EULA says you’re not allowed to do a review. It’s interesting as a lot of these companies, Palo Alto is one of them, have and publish reviews that are favorable. But they don’t want negative reviews.

David Spark

This becomes a problem: if this is true, and all organizations did this, you would never see a negative review of a cybersecurity product.

Andy Ellis

Absolutely.

David Spark

That would speak very well for us in the industry that we’re all doing an amazing job.

Andy Ellis

Our products work amazingly well. The cybersecurity is as perfect as we don’t want it to be.

David Spark

A similar story is I did some work for a small company, Rocana, who was writing some negative things about Splunk, which had a history of going after small companies with legal muscle, and who sent a cease and desist order. I was named in this order. Rocana stood up to them and declined, as Splunk claimed that some of the things in the white paper and things I had written were false statements and claimed slander. Rocana published the cease and desist letter, it went public and negative press came to Splunk. So they bought themselves negative press. End of the story, Splunk ended up buying Rocana. Big companies can squash little companies, if this were to hold.

Brian Heemsoth

Well it’s not even the smaller companies. It’s also the individuals. Imagine if you have a security researcher using the product and they want to write a review so that other researchers know how to best use the product. These companies aren’t really going after their employer, except as a way of pushing down on that individual. The people most at risk are the individual practitioners whose employment might be at risk, because their general counsel got a cease and desist letter and doesn’t want to deal with this. It was just the reviewer. That’s who I’m most worried about, the individuals who have the knowledge we want, they know how well these products work and where to best use them, are keeping quiet because there’s this chilling effect from these EULAs.

Who’s our sponsor this week?

00:13:59:16

David Spark

It’s HYPR. They’re the passwordless company and they’re sponsoring this entire event we’re having in Newport, Rhode Island. Now HYPR is the leader in passwordless multi-factor authentication or MFA, as we all know. We protect workforce and customer identities with the highest level of assurance while enhancing the end user’s experience. Our approach shifts the economics of attack and risk in the enterprise’s favor by replacing password-based MFA with passwordless MFA. With HYPR, customers can finally enable cross-platform desktop MFA, stop phishing and reduce fraud associated with weak or stolen passwords. Passwords and shared secrets continue to be the primary cause of breaches and user frustration. Despite investment in multi-factor authentication, your workforce and customers still log in with password-based MFA every day. This means it’s essentially single-factor authentication. True passwordless MFA makes the attacker go after each device individually. Your attack surface that was once expensive to defend now becomes expensive to attack. By reimagining identity security, you change the economics of an attack, improve your security posture and enhance digital engagement with every login experience. Welcome to the passwordless company. It’s time to reimagine identity security. HYPR is the leader in passwordless multi-factor authentication or MFA.

It’s time to play “What’s worse?”

00:15:38:24

David Spark

For those of you who have heard our podcasts, this is the most popular segment of the show, so we’re going to play it twice. Two rounds of the game of What’s Worse, which is essentially what it sounds like. So two scenarios submitted by listeners, both horrible. You’re not going to like either one of them. The vote will be via the applause here. The goal is to work out which one is worse from a risk management exercise. Ready?

Andy Ellis

Ready.

Brian Heemsoth

Yes.

David Spark

These are all surprises. Andy first, Brian you get more time to think and you can disagree with the host.

Brian Heemsoth

Try my best.

David Spark

So from Nir Rothenberg and also inspired by Shahar Maor, CISO over at Fiverr. Two people to credit. You push to get this very significant security bug fixed but leave the development team hating you. Or you completely delay the fix but keep a good working relationship with the dev team. What’s worse?

Andy Ellis

This is easy. The first one is absolutely worse. The second one is a fantastic approach. I actually don’t think it’s a bad approach as it incentivizes the development team to continue to work with you in the future. At Akamai I had a rule: if the development team found a really awful bug, they got to set the timeline for it, within reason. So they were incentivized to tell me as soon as they found it.

David Spark

I like that answer. And the first one is bad because?

Andy Ellis

The first one is bad because you might get it fixed today, but it will slow down every single other thing you have to do. Security is a marathon, not just trying to fix one thing, it’s thousands of things.

David Spark

Now to you Brian, which one is worse?

Brian Heemsoth

As much as I would like to disagree with Andy, I’m agreeing with him. You have a situation where you might, with the first scenario, fix that bug, you’re golden. Go home and say we’re in great shape. If you lose that team, the issues that will manifest in the coming weeks and months will dwarf what you had success on and you’ll pay a much more significant price.

David Spark

Good answers. Applause for this. How many think the first one is the worse option? Seems everyone in this room thinks this. Anyone think the second is worse? One. Two brave souls. I appreciate that. Now here’s the second one. Very appropriate for the passwordless conference. This came from Jason Dance with Greenwich Associates. You have no multi-factor authentication but you’ve got unique passwords.

Andy Ellis

Unique from each other or unique from any other password they use anywhere?

Brian Heemsoth

Go for the latter; I’m hoping the former one is assumed.

David Spark

You don’t know. It’s unique from each other. You have no idea if they use it in other locations. No MFA, but unique passwords. Versus, SMS MFA with the same password across all.

Andy Ellis

I’m going with the first one is worse, because I’m relying on a static password that can get compromised in any number of fashions. With the SMS, there is the issue of the adversaries who can clone SIM cards and get involved in there, but I’ve got some piece of interactivity. Both of these are truly awful.

David Spark

They are.

Andy Ellis

A good selection, getting two awful ones.

David Spark

No MFA but unique passwords is the worse option. Brian, agree or disagree?

Brian Heemsoth

As a security practitioner, this hurts my soul; these are two truly terrible options. I will actually disagree with Andy. I believe that if you’re in a situation where you have unique and strong passwords, as opposed to having reliance on a defeatable multi-factor mechanism, you probably have a bad, but superior, security model.

David Spark

I worked for a company, predating our use of the Internet, where every single person had the same exact password: the name of the IT guy.

Andy Ellis

I love that it’s the name of the IT guy. It’s not some random thing. When you think about the case with all the same password, assume they don’t have a password and you’re just doing SMS-based login. In reality a lot of us have that, where you don’t remember your password, do a reset, a code is texted and you log in. So that’s basically all that is.

David Spark

So audience reaction. What is the worse? No MFA but unique passwords across all. About half the room. Worse is SMS MFA with the same password across all.

Brian Heemsoth

It’s pretty close.

Andy Ellis

It’s a one-third, one-third split there. And one third were like, not participating in either of those awful approaches.

Please, enough. No, more.

00:22:05:15

David Spark

Today’s topic is using passwords and MFA for identity. It is universally known and accepted that a password-only access system is fraught with problems. But at the same time, other non-password authentication systems are little known, difficult to get adoption for and as a result are not nearly as widespread. Andy, what have you heard enough about regarding password and MFA authentication systems, and what would you like to hear a lot more about?

Andy Ellis

I have heard enough of password plus. We talk so much about MFA: you have a password and then we’re going to add this SMS or this other thing, and that’s not an integrated authentication system. What I want to hear is, integrated authentication systems without a password are fantastic, how do they work end to end so that you truly know that the user is who you want them to be? I want to know more about this. I don’t need to hear it’s MFA because it’s a password plus a thing.

David Spark

Password plus a thing is better than just a password. We all agree on that.

Andy Ellis

Sure, because a password is nothing. It’s really just a thing at that point. I want to hear, I don’t want to hear MFA again. I just want to hear passwordless. I want to be rid of the concept of multi-factor. I want an integrated authentication system that does not rely on a secret sent over the network.

David Spark

Now to you Brian.

Brian Heemsoth

I’ve definitely heard enough about the authenticator experience. The, here’s your token, here’s your push, here’s how you’re going to log on. More focus is needed, on the contrary, on how do we make individuals successful with those mechanisms? Many of the limitations we see today for MFA are very kludgy. I work for a company where we use one of the common token authentication platforms. And I came here and forgot my token. So I’ve got a laptop and I can’t do anything with it, unless I drive 90 miles home. What I’d like to see is increased focus, increased adoption on that workforce or customer experience, making people successful, understanding what experience is needed to be able to do that and using capabilities like FIDO to deliver a superior security solution. But also a superior user experience and a more successful workforce and customer.

David Spark

Brian, you want modern authentication systems, which is a little vague. What is a modern authentication system?

Brian Heemsoth

What we’re looking for is not an authentication system that’s based on user names and passwords and MFA tokens and text messages. Instead it uses decentralized authentication. It leverages an authentication mechanism like FIDO that’s not reliant on the exchange of that secret, but instead has a user-to-device-to-service relationship that promotes secure authentication with a superior user experience.

David Spark

What is FIDO?

Brian Heemsoth

FIDO is an authentication standard. It allows for a user to authenticate to their device securely and completely locally. In turn that device is able to authenticate the user to their service. For instance, I’m on my iPhone, I log in using Touch ID facilitated by FIDO. The FIDO library running on that device within that container then authenticates me to the back end service. There’s no password, there are no secrets traversing the Internet. It’s a very secure, extremely localized authentication.

David Spark

Similar to how the chip on a credit card works?

Brian Heemsoth

It is very similar in concept to that.

David Spark

That way there’s no transmission of passwords; you’re asking the authentication question only and that information stays local. The only thing transmitted is yes, it’s authenticated, or no, it’s not?

Brian Heemsoth

Absolutely right. A key exchange takes place.

David Spark

That move alone eliminates a lot of problems.

Brian Heemsoth

It eliminates a lot of problems, a lot of risk, a lot of fraud potential and also creates a very pleasant experience for that user. Touch ID, Face ID and they’re in.

Close your eyes and visualize the perfect engagement.

00:26:59:18

David Spark

On the cybersecurity subreddit, a redditor asks “what does a good SOC – security operations center – look like?” There was a lot of advice in the comments on types of monitoring, what the L1 to L3 technicians do, training and rotation of responsibilities. I want to hear your feedback, but first, I’m interested in what the makeup of the SOC is to achieve the end result. So Andy first. What priority are you designing your SOC for: quick detection, quick remediation, customer service or preventative security?

Andy Ellis

It’s hard to separate those four. I think every SOC is going to be different. The most important thing is the learning. In every SOC you have to be able to know, for each person, who do they escalate to once they can’t quickly solve a problem? But more importantly, how do they learn back from that escalation? Too many SOCs are one way. Tier one tries to answer, but when they can’t, they throw it away and forget about it. They don’t get the opportunity to learn so that they can work quickly, remediate and provide better customer service. But customer service drives all of these. How are you making sure that the customers, internal or external, know what’s happening, know when to expect the next communication, understand what happened and understand what you’re going to do to prevent this specific thing from happening to them again?

David Spark

Any kind of fast triage unit as well. Brian, how do you look at the design and development of software?

Brian Heemsoth

There are three elements that you look at. The people element, which includes having the right people in the role. Having them trained in a way that enables the continuous development of their skills, for their own personal development endeavors as well as the skills you need them to learn. You look at your technology strategy. Having the right tools implemented across your environment to be able to prevent the threats that you can prevent outright. Then the detection strategy that’s based around the remainder, the things that you can’t prevent from happening. Finally, to focus on the outcomes that you’re driving with your security operations center. Security events are going to happen; the key to success there is making those into positive events when they take place. Taking your lessons learned: where did we kill it here and where are we struggling? Do we have a security control that we can make better? Is there a business process that’s flawed? Is there a technology stack that we should look at and do a threat model against? Enact corrective actions to take advantage of all of those opportunities to get better.

David Spark

Have you seen the SOC drastically change over the past five years?

Andy Ellis

It depends on the organization. I’ve seen a lot more scale needs within SOCs. That’s a place where there’s an opportunity for improvement. We’re often throwing bodies at solutions as our technologies aren’t adequate. We’re driven by how many alerts can we show you. IBM had a famous report that showed how many alerts there were. That’s exactly the opposite of what we want. We want as few alerts as possible. We’re seeing SOCs are on the upswing of getting larger, running into these talent shortages, when what we need to see is SOCs getting smaller, so they can focus on meaningful problems, rather than button clicking, seeing that alert a dozen times.

David Spark

Brian, the volume of alerts is likened to the problem of information overload. Clay Shirky mentioned years ago that we’ve heard the story of information overload from the moment the Gutenberg press came out. That was the first time more stuff could be printed than a human could consume in a lifetime. We’ve always had this problem. He argued it’s always a case of a filter breaking down. So either it’s not set right or we’ve got new technologies that need to be created to make better filters.

Brian Heemsoth

The bright side is that visibility into our environments is better than it’s ever been. We have network tools that tell us everything that’s going on in our networks. We have endpoint tools that record every button click, every process execution, everything that takes place. The burden created is 10, 12, 20 times more data flowing into our systems than we had ten years ago. That means as security practitioners we can’t just throw people at this. We have to adopt modern approaches to solve modern problems. For me that means responsibly and effectively integrating artificial intelligence and machine learning into our data analytics capabilities. Using those competencies to help identify the security events that we really need human analyst attention on. Similarly, so much of what goes on in a lot of SOCs today is very repetitive. Button click, button click, button click, log into this portal, pull this email from an inbox, put a proxy block in place. A lot of those steps can be automated. If you peel back and do an inventory of what your analysts are spending their time on, you’ll find that 50, 60, 70% of their time is spent doing relatively routine activities. So if you automate that, which is in the realm of possibility now with the APIs that the products give us, you’ll find that you yield significant resource savings that you can then apply to more advanced threats. Threat hunting in your environment, looking for those indicators of compromise that really require deep human analysis, and you’ve got the capacity to be able to investigate.

It’s time for the audience question speed round.

00:33:01:19

David Spark

Andy, Brian, some collected questions from our guests. I wrote some questions that were inspired by the sessions. Your best and fastest answers. This comes from Jim Routh; he’s a board member and adviser, former CISO, he’s retired but he’s still got his hand in cybersecurity. Authentication is on a spectrum from password all the way to continuous authentication. How do enterprises choose where to be on that spectrum? Andy?

Andy Ellis

How do they choose? I think they need to choose based on the risk of the activity that’s going on. You want to be in a place where every connection has identity-based authentication. You know that for this session, this is really coming from David’s laptop. You also have to look at very sensitive things. Do you want to have some form of ceremony or behavioral-based authentication to say, is this something this person ought to be doing right now? Look, they’re in Russia in the middle of the night when they were up in Kansas in the middle of the day. They shouldn’t be doing this right now.

David Spark

Brian?

Brian Heemsoth

I agree. It comes down to the use case. For something like an online user portal with a high likelihood of fraud risk, you want that behavioral approach to authentication. Making sure that the user is authentic, making sure their device is authentic and that the interactions taking place are not malicious. For other use cases, a decentralized authentication function that may be a little bit more of a point-in-time approach may be appropriate for the threat model for that application.

David Spark

For Brian. From Bojan Simic, the CEO at HYPR. Jim Routh has been a significant mentor to you?

Brian Heemsoth

He’s been alright over the years.

David Spark

Brian, what’s the most critical thing you’ve learned from Jim?

Brian Heemsoth

When I first met Jim, I was a craft beer guy. I remember the first time I went to dinner with Jim, I got a comment “well we don’t really drink beer at dinners like this, Brian. We drink wine.” And that started many years of teaching about all I know of old and new world wine, which is not that much, not on Jim’s level yet. I certainly know a lot more than I did.

David Spark

Bojan had put up a word cloud of the executive order on the nation’s cybersecurity. I noticed the biggest word on that screen was secure, meaning that was the word that was used the most in the executive order. But in the E of that, the tiniest word was risk. Does the government not understand that it is a risk management exercise? Or does the public not want to think the government is going to manage the risk? Andy.

Andy Ellis

It’s a little bit methodical but close to the first one. The challenge is that when we write these standards, or we have people write them, most of them want to write a standard that’s going to push their specific solution, whether it’s EDR or Zero Trust. The best written law around security remains GLBA, as it basically said “know what your risks are, know who’s responsible for fixing them and have a reasonable plan to deal with it.” And that’s basically it. Yet we look at our financial services industry and they have basically led because we told them it’s a risk management exercise. There’s a list of a million things to do, yet we seem to fail at doing the basics at the end of those million things. I think it’s the first: the government doesn’t understand risk management.

David Spark

Brian? The government, the police or any of the military, they’re securing us, they’re not managing our risk.

Brian Heemsoth

The concept and the support for prune and risk management is there. Anyone that works in a regulated industry that has interactions on a regular basis can tell you that. It’s seen every day. The challenge that is uncovered when you try to put together cybersecurity legislation, particularly this type of legislation that’s aimed to provide guidance for technical teams and organizations, is that it’s difficult to toe that line between risk management and providing guidance in a way that can be implemented by organizations at various levels of maturity and sophistication. Generally, the way to attack that tends to be to lean towards “here are the security requirements that you have to have.”

David Spark

Good point. Closing with this one. Brian first. So Ed Amoroso of TAG Cyber was very pro-SBOM, software bill of materials. What is your feeling about the vendors’ need to reveal their ingredients?

Brian Heemsoth

The more important element here is that the activity takes place. We did have some great conversation here this morning on this topic. As a leader from an organization with a large volume of third parties, when I look at ACME Corp or third party A, it’s important for me to know that they have the right controls in their software development life cycle, to know what they’re developing, to make sure it’s free of vulnerabilities, rather than them giving me a seven-mile-long list of everything they’ve put in their application, because what am I going to do with that effectively at scale? So again it’s much more important that we have that validation that the right activities are taking place to develop that software bill of materials and, more importantly, to take action to risk assess and to mitigate risk that’s identified through that process.

David Spark

Andy, I know you snap back at the SBOM concept, and it infuriated you. There was a level of agreement that Brian tended to here.

Andy Ellis

I’m opposed to the public publishing of SBOMs, but I’m a firm believer in understanding what’s in your own software development life cycle and what you’re dealing with. The challenge SBOMs have is software isn’t food, and the ingredients model doesn’t work, especially not in the software-as-a-service world, where your ingredient equivalent would be like going to a restaurant and ordering food and asking them what the personal hygiene products were of the driver of the truck that had brought in some of their food three weeks ago. That’s the level of detail that SBOMs are pushing towards in the software-as-a-service world, and that’s hard for somebody to consume, let alone to create and grasp that data.

Closing

00:40:11:00

David Spark

That brings us to the end of our podcast. I want to thank our guest Brian Heemsoth, who is with Wells Fargo, and my guest Andy Ellis. And I also have to thank HYPR and this awesome event in Rhode Island. Thanks to our audience. Closing comments, Brian, you have the last word.

Andy Ellis

So I think we’re at this cusp moment in a lot of the different things talked about, passwordless, SBOMs, and it’s really important for us all to design for the next wave of security and to aim for simplicity over complexity. That’s going to be my plug for today.

David Spark

Brian?

Brian Heemsoth

First, thank you to the HYPR team for having us in Rhode Island. It’s been a great weekend, a lot of great conversation and a lot of forward thinking people looking to solve passwordless challenges across a wide variety of use cases. So I’m super excited to see that. Of course we are hiring and search for information security.

David Spark

Thank you so much. Thanks to HYPR and thanks to the crowd as well. Thank you to our audience for their contributions and for listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.