You look at a top ten list to see if you made the list. Don’t bother. You’re not on it.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Nancy Hunter, VP, CISO, Federal Reserve Bank of Philadelphia.

Thanks to this week’s podcast sponsor, Code42

Full transcript

VOICEOVER 

Ten-second security tip – go! 

NANCY HUNTER

Cyberdefenders do not need to be cyber professionals. Include your whole organization as a part of the solution. 

VOICEOVER

It’s time to begin the “CISO/Security Vendor Relationship Podcast.” 

DAVID SPARK

Welcome to the “CISO/Security Vendor Relationship Podcast.” My name is David Spark. I’m the producer of the CISO Series. Joining me, as always, especially during COVID… 

MIKE JOHNSON

(Laughter). 

DAVID SPARK

…Has been Mike Johnson. We haven’t been doing any live shows. 

MIKE JOHNSON

Not a one. 

DAVID SPARK

Mike, everyone wants to hear the sound of your voice. 

MIKE JOHNSON

So I keep threatening in my mind that I’m going to bring a Speak & Spell for one of these tests. But… 

DAVID SPARK

Yeah. 

MIKE JOHNSON

For now, you’re stuck with my voice. 

DAVID SPARK

Do you own a Speak & Spell? 

MIKE JOHNSON

I’m going to find one. 

DAVID SPARK

Did you own one as a child? 

MIKE JOHNSON

I did. I did. It was so much fun. Of course, you had to make it say all sorts of bad things that you’re not supposed to make it say, and it would do that, which was fun. 

DAVID SPARK

Oh, that’s great. 

MIKE JOHNSON

It would say anything. 

DAVID SPARK

(Laughter) This is like when you first got a hand calculator, and you learned how to, like… 

MIKE JOHNSON

Yep, yup, yup, yup. 

DAVID SPARK

…Turn it upside down and have it spell out 80085. 

MIKE JOHNSON

I – yeah. 

DAVID SPARK

(Laughter). 

MIKE JOHNSON

All technology will be abused by kids. 

DAVID SPARK

Oh, I know. I know. We’re available at cisoseries.com, and we’re at the subreddit of r/cisoseries. And by the way, every Friday, we have an awesome CISO Series video chat, which is a lot of fun. If you’ve never participated, come on; join the community. It’s a ton of fun, and we have the meetup afterwards. You’ll enjoy it. Our sponsor today is Code42. They have been a phenomenal sponsor of the CISO Series, sponsoring many of our programs. And if you are dealing with essentially insider risk or not realizing you’re dealing with insider risk, like the nonmalicious behavior, you’ll want to hear what they have to say at the middle of this show. Mike, we are two weeks – as of the dropping of this episode, we are exactly two weeks away from our third anniversary of doing this show. 

MIKE JOHNSON

Wow. 

DAVID SPARK

And what I’d like to do is ask the community what they think that the CISO and vendor relationship has improved over the last three years. And I like to think that we may have had something to do with it. 

MIKE JOHNSON

Absolutely. It’s all due to us, a hundred percent. 

DAVID SPARK

Oh, yeah. I do want to give ourselves full credit. 

MIKE JOHNSON

Yes. 

DAVID SPARK

But I was hoping that’s some of it. By the way, I’m going to pat myself on the back. Everyone imagine seeing me patting myself on the back. I have had few people come up to me and say that we are a change in the conversation, and if more people listen to this, it would greatly improve the space. I would love to believe that’s actually happening. 

MIKE JOHNSON

I’m sure it is. I’m sure there’s – you know, in all honesty, I think there has been some impact. I’ve had a few people tell me that they’ve changed their approach, and I’ve had a few people tell me that they’ve changed the way that they listen. That’s what we’re all about. And if we can make small impacts over time, it all adds up. 

DAVID SPARK

It does. And the show’s become successful as a result of it. So I would love to hear an audio recording – so you can just record, you know, an mp3 file and send it to me. Or you can just go to the website cisoseries.com, and under Participate, there’s an option to record an audio clip, and you can just do it there and send it to us. Send it right away ’cause when you hear this, we’re probably going to record it in about three or four days. So send it as soon as you possibly can. All right. Let’s get to our guest for today’s episode – very excited to have her on. Let me read the one quick disclaimer. All of the comments made by Nancy during this show are that of Nancy Hunter and not those of her employer, the Federal Reserve System or the Board of Governors. Now, Mike, I teased enough who our guest is. Haven’t I? 

MIKE JOHNSON

Maybe you should actually introduce her finally. 

DAVID SPARK

I will introduce her. She is the VP CISO for the Federal Reserve Bank of Philadelphia – so excited to have her on – Nancy Hunter. Nancy, thank you for joining us. 

NANCY HUNTER

Thank you for having me. I’m happy to be here. 

That’s something I’d like to avoid. 

3:45.578

DAVID SPARK

How do you go about keeping an eye on the most common threats and building specific security mitigations? Are you tracking the behavior you see in your SOC, or are you watching industry trends? Now, over on CSO Online, Susan Bradley wrote a summary of Red Canary’s most recent threat detection report, specifically against Windows networks. So I’ll start with you, Mike. I’m interested in your thought process. How do you look at a list like this and talk to your team about it? 

MIKE JOHNSON

So before I answer your question, I want to offer a kudos to Red Canary for their report. I love seeing reports like these, that they’re based off of real-world data across a broad variety of their customer base. Most of us only see our part of the world. So thank you for contributing and creating this report. But I also like the fact that they mapped it to the MITRE ATT&CK framework. That allows people to then use those findings in their own environment even if they don’t have a specific set of controls in place. They can look at MITRE, look at their own controls and kind of bring them all together. And then they also have these detection suggestions, which are great. I love that they had those in there. So now to your question – you noted that it’s Windows-specific. And that’s really the first piece of advice that I have when I think about this, is, you have to know your environment and know how applicable these types of reports are to you. I’ve got maybe two Windows systems in our environment. 

DAVID SPARK

Oh, really. 

MIKE JOHNSON

And so it’s very rare that I’m seeing a report that really helps us out. But what this does tell us and how I think about it and talk to my teams about this is, this is what’s coming. Eventually, attackers are going to move over into the Mac world. That’s just going to happen. We’re starting to see it a little bit around the edges. You’re starting to see some ransomware, some more attacks that are specific against macOS. It’s a matter of time. So looking at reports like these that are telling you what’s going on in the real world, that gives you a peek into the future. And that then – mapping that to your own environment and what you understand about your own environment really allows you to process these types of things. Mostly, I look at my own environment. That’s what’s most important to me. But these kinds of things help me see around the corner. 

DAVID SPARK

So you’ll start preparing down the road for this knowing that… 

MIKE JOHNSON

Yes, yeah. 

DAVID SPARK

So Nancy, let me throw this to you. I’m going to guess you have more than two Windows PCs in your environment. 

NANCY HUNTER

We do. We absolutely do. And I couldn’t agree more that the first piece is to figure out what you have, and what does normal look like for you so that you can, once you have that baseline, figure out where the anomalies are. If you don’t know what you’re looking at, you can’t begin to pretend to do anything about it. So we look at our SOC, what they’re telling us, and we look at everything else we possibly can look at. We look at threat reporting. We look at FBI reporting. We look at every piece of information. And I want to say we don’t minimize it. We actually try very hard to figure out where it’s going to impact us so that we can prepare for the future. Not only do you need to know what normal looks like for you, but you need to know, what are you protecting? So what are those assets that are out there? You need to know who has access to what, and why do they need access? And then you really want to stop opening the door for all of those criminals that want to come in, and I mean that literally and figuratively. So, you know, piggybacking in in a locked apartment – why? Putting things out there and training everybody in phishing – so not just the important people, but everybody. 

DAVID SPARK

I just want to ask one question specific to this report. It has a list. Like, you showed, like, No. 1 and 2 were, like, 11 and 12% of the – you know, their attacks that they were seeing. Would you – assuming you’ve got Windows machines in your environment, you’re like, all right – talking to your team – what specific defenses do we have against this attack, No. 1 and 2? I mean, would you have that conversation with your team and saying, hey, where are we missing? How are we dealing with this specific one? 

NANCY HUNTER

Yes, we would exactly have that conversation and not for everything on the list, but for the top two or three because you need to prioritize your workload. You just can’t do it all. 

DAVID SPARK

Right. 

NANCY HUNTER

And here’s the top two or three. Can you tell me, are we exposed? And if so, how? And they will come back and tell you that, we believe this is an exposure, and this is how we’re going to fix it. 

This person is very green in cybersecurity. 

8:19.181 

DAVID SPARK

So that’s a little bit of a tongue-in-cheek ’cause the actual person I’m mentioning is far from green in cybersecurity. But we’re talking about hiring people who are green in cybersecurity. So on TechCrunch, Lamont Orange, who is the CISO over at Netskope, argued against the cybersecurity skills gap shortage. To get staffing, look beyond classic checkbox requirements. What he looks for now – Lamont said, quote, “one is a hunger to learn more about security, which suggests the individual will take the initiative to continuously improve their skills. The other is possession of a skill set that no one else on our security team has.” So Nancy, I’ll start with you. Two questions – first, if not checkbox requirements, what do you look for? And second, you know, checkboxes are really easy. I mean, I just search for the skill, and you find the person who has it. How do you find the person with initiative, and how do you determine the additional skill set you don’t have that you need? 

NANCY HUNTER

I love green employees. I like hiring people that don’t have a deep skill set because I believe you can train them to do the skill set that you need. So I look for people, like the writer, who are hungry; they have an interest in cybersecurity, but they also need great communication skills because all of that in their brain, if they cannot get it out to others, helps me not at all. So I want great communication skills, and I want them to be able to be trusted. So I ask questions – because of what we do, we have access to a lot of things. I ask questions that will help me figure out if this is a trusted person who can keep a secret. 

DAVID SPARK

Could you give me an example of one of those questions? 

NANCY HUNTER

Absolutely. So I will ask, if you are in a room with a group of people, and somebody tells something that they don’t want to go anywhere else, but you know that it’ll be impactful for the budget, do you let your manager know? Do you talk to the person? Do you talk to legal or HR? That will help me understand what their thought process is and who they’re going to disclose to. 

DAVID SPARK

What’s been the best answer to that question? 

NANCY HUNTER

Oh, I’ve got people that will tell me, oh, I’d talk to everybody – everybody, certainly, you know? Legal wants to know – everybody. And then people who say, I don’t disclose it all; I keep it to myself. Neither of those are great answers because you need somebody who can balance and understand when it’s appropriate to communicate and to whom. So I ask, and people open the door and tell you all sorts of things. I love inquisitive people. And so I look for people when they come in for an interview to come with one or two good questions. Ask me about my business. Ask me about how we run things. Ask me about how they can one day get promoted. Just ask. And I think that those create better employees. Again, but I like the green. I don’t need you to have 15 degrees and 15 certifications. I’m perfectly good with this huge hunger and interest and somebody who’s a good fit on our team. 

DAVID SPARK

All right. Mike, I throw this to you. What say you in terms of dealing with checkbox for clients and finding the inquisitive? And do you agree? Do you like them green? ’Cause I haven’t heard you say it as aggressively as Nancy just said it (laughter). 

MIKE JOHNSON

So I have long said that passion is the most important thing to me. I do look for people who are passionate about security. And I also like what both Lamont and Nancy have said about people who take initiative to grow their own skills. That’s great. Like, those people are gold. But I do disagree with Lamont. I think we have a skills shortage today. And with the way that I think about training folks is, that’s helping with a skills gap tomorrow. That doesn’t help me with my skills gaps today. So I really do like the idea of training up to people or training people up into their roles, their responsibilities, really helping them level up. I don’t want to be short-sighted and only hire for today. But at the same time, I do have problems today, and I need to solve them today. So I have to be looking from both of these pools. And I’ll also say that if you’re in a position where you’re starting to think about hiring green folks, make sure that you have a solid senior staff to train those people up. If your first hire is green, it’s not going to go well for anyone. So you really have to hire based on your current situation. And I just – I don’t have a whole lot of opportunity right now to be hiring people that I need to put a whole lot of training into in order to get them to help me solve my problems today. A year from now – different story, I hope. 

DAVID SPARK

Nancy, very quickly, in just 30 seconds, do you have – like, you say you love green people. Do you have the support staff to train them? 

NANCY HUNTER

I absolutely do. I have a really great management team, and I have a couple of technical resources that are good trainers. And so they’re looking for the opportunity to train someone new. So because of the environment that I’m in, I can allow myself to hire green. 

Sponsor – Code42

13:18.516

STEVE PRENTICE

When we think about insider risk, we often picture employees or contractors as a primary cause, and that would be correct. But as Mark Wojtasiak, vice president of research and strategy at Code42 points out, there are also times of relative upheaval, like when a company merges or gets acquired, where we have to be equally vigilant.

MARK WOJTASIAK

When is insider risk heightened? When is risk tolerance at its lowest? It tends to be in big macro events at the organizational level, like pre-IPO, like merger and acquisition, like layoffs or restructuring. And M&A is one of those use cases where, if you’re an organization acquiring another organization, and that hits the rumor mill inside of the organization, uncertainty emerges, employee uncertainty. What do they start to do? They start to stockpile some information, take some data, move data around. They don’t know if they’re going to be retained in the acquisition. And then the last thing the acquiring company wants is for any of that IP to get on the loose, the intellectual property that they are acquiring via the acquisition to be breached. You know, we think about M&A as one of those times where insider risk is not only heightened, but the risk tolerance of it is at its lowest. We’ve seen a number of customers that have M&A growth strategies leveraging Incydr to help address that problem. 

STEVE PRENTICE

To learn more about Code42 and their product called Incydr – I-N-C-Y-D-R – go to code42.com. 

It’s time to play What’s Worse?! 

14:53.753

DAVID SPARK

All right. Nancy, I know you know how this game is played because you’ve listened to a few episodes. And the whole premise is, you’re not going to like either option, but you got to pick one. And Mike, I always make him go first, so that gives you a little time. And it’s always known that I like when our guests disagree with Mike. So no pressure, but please feel free to disagree with Mike. 

(LAUGHTER) 

DAVID SPARK

All right. This What’s Worse?! scenario comes from Richard Uhunmwahgo of Emirates, and he has the following What’s Worse?! scenario. Situation No. 1, you have a shoestring budget with little or no security debt – nice with the no security debt, which I know that’s unheard of over at the Reserve. You embed security at the right time in the software development lifecycle process, but you can barely do any other thing to improve the security posture because you’ve got no funding. OK. That’s situation one – has a good element and a really bad element. Situation two – the whole place is littered with security debt waiting to be fixed – or explode, rather. But you have 10 times the budget. In fact, as far as the CFO is concerned, you’ve got a blank checkbook to call on any time. Mike, which one’s worse? 

MIKE JOHNSON

It’s almost – for this one, it’s like a which one is best? These are actually both good options. 

DAVID SPARK

They are good options that have a nasty element to them. 

MIKE JOHNSON

Right. But I think they’re both reality, right? You have these situations where you don’t have much budget, but you have these great foundations. Everyone knows what they’re supposed to do. Everyone’s involved in security. You’re not necessarily able to advance much beyond that, but that’s a great place to be. There are companies out there who are years behind that situation that would love to be in that place. And on the other hand, is, you’ve got, everything’s on fire, but you’ve got all the money that you need to try and solve. And that’s also not a bad place to be where you do have this recognition. We know we’re in a bad place. We’re going to provide the funding in order to get there. So this is actually a – neither of these are really bad, which is kind of unusual for us. So I think where the one that I would lean towards… 

DAVID SPARK

Being a situation you’d less like to be in. 

MIKE JOHNSON

The one that I would less like to be in is where I don’t have an opportunity to effect change, where, you know, it’s great to have all those solid foundations, but my nature is to try and change things. My nature is to always try and improve things. And so if I’m stuck in a situation where it’s never going to improve, it’s never going to change, even though that’s a good place to be, I’m personally going to get bored. So when I’m looking at these two from my perspective, it’s really the first one of, everything’s great, but you’re not going to be able to get any better. 

DAVID SPARK

All right, good answer. Nancy, you were nodding your head a lot, so I’m getting the sense you may be agreeing with him, but possibly not. 

NANCY HUNTER

Oh, I’ll go the devil’s advocate to not agree with him. I’m fine to do that. 

DAVID SPARK

OK, great. 

NANCY HUNTER

So I sort of like the case where you’re not given a lot of options because you then can excel at what you’re doing. You can put all your eggs in that basket. You can go for it, and you can make it the best it can be within your constraints because things will change. In cybersecurity, it’s only just a moment. You blink; it changes. And maybe you don’t have the budget right now, but it’s coming. And when they see all the great work that you’ve done in that constrained environment, they’re coming to give you more eventually. So I’m going with just the opposite. 

DAVID SPARK

So I’m going to throw this also out at the two of you regarding the technical debt issue. When it’s that big and that painful, even if you’re throwing all the money in the world at it, it just still seems like a mountain to climb, doesn’t it, Mike? 

MIKE JOHNSON

Absolutely. But at the same time, a lot of folks, myself included – we like that opportunity. 

DAVID SPARK

So it’s the fun of the challenge. 

MIKE JOHNSON

It’s a challenge. 

DAVID SPARK

Yeah. 

MIKE JOHNSON

You can get there. And I’ve seen some organizations that have significant debt. And if you put in the resources, you can get there. 

DAVID SPARK

You agree, Nancy? 

NANCY HUNTER

Yeah. I do agree. And I’ve worked in an organization that actually had a tremendous budget, almost unlimited. And there’s still challenges on both ends. 

How a security vendor helped me this week. 

19:22.914

DAVID SPARK

Jason Dance recommended this post from Helen Patton of Duo Security, who we’ve had on a couple of times as a guest, and she asked, when you think about your positive vendor engagements, the vendors you want to work with, what characteristics do you see/experience? Now, this is a very relevant question for this show and good responses were vendors who are self-aware tell you what they can do and share their limitations – want to understand your needs before they sell; don’t upsell before the first sale. So I’ll start with you, Nancy, and I know you know Helen here. 

NANCY HUNTER

I do. 

DAVID SPARK

Picturing your top vendors, what makes them so valuable? 

NANCY HUNTER

One, they deliver what they committed to deliver. That’s table stakes to just come in the door. And they can give you a large enough pool to be able to validate that they actually can do what they’re going to do. But I think the most important thing for me is that they listen to my communications needs. So I get vendors where they say, I’m going to call you every day, and I’ll specifically say, don’t call me every day. That’s not good for me. I want you to email me. And they won’t. I check you right off my list. If you won’t listen to those basic needs, the basic asks of someone, I don’t want to do business with you. And then the last thing that I need is, I need to hear about what you’re doing in the future. So I want you to tell me right up front that we’re not doing this well, but look; we have a plan, and in one year, three years, five years, this is what it’s going to look like. So I love to hear those things as well. 

DAVID SPARK

All right, Mike, picturing your top vendors, what are the aspects that make them so awesome? 

MIKE JOHNSON

I really like what Nancy said there at the end about transparency. Like, that looking forward, looking ahead, being transparent on the road map – that’s really a key attribute that I look for in a partner. I also agree on the self-awareness that was mentioned. I think that’s kind of up there with sharing the limitations of the product. Those seem very closely related. 

DAVID SPARK

Yeah. We keep hearing that again and again. And by the way, I would tell you, part of my sales cycle for this CISO Series is I tell people the pro and con of every… 

MIKE JOHNSON

Yeah. 

DAVID SPARK

…Show that we – you know, you sponsor this, this is the pro; this is the con. This is the pro. This is the con. 

MIKE JOHNSON

That’s setting up a relationship – right? – where you’re sharing kind of, warts and all, what is going on with the product. And that’s going to really engender trust. And that’s what you want in these kinds of relationships. Figuring out how you can turn it into a partnership relationship based on trust – transparency helps with trust. Self-awareness helps with trust. Those are key. I think one of the things that also comes to mind – I’m thinking of, like, the initial first impression. One of the things you had mentioned on an earlier show, David, was bringing technical people to the meeting where you can ask and get your technical questions answered – you know, not having this, oh, well, let me go back and get an answer for you. Having the people in the room is really going to help build that trust that you actually can answer my questions. If you can’t answer my questions right away, I’m wondering how this is going to work out. So so much of it really comes back to trust and setting up a trust relationship with my vendors. When I have that, it’s an amazing relationship. 

NANCY HUNTER

I love that, by the way, the relationship piece, because you’re not trying to just buy a product or service, and you don’t want to replace that vendor every year or two years. But with the relationship, they will grow and work with you. 

Got a better answer than, we are trying? 

23:02.963

DAVID SPARK

Diversity hiring is hard for everyone. Now, I’m going to tell you personally about an experience I had. I personally had an experience where I wanted to hire a woman for a position, and I researched and reached out to about a dozen women. Except for one, they all ignored or weren’t interested. The one woman who responded really wasn’t experienced, but I was willing to take the time to train her because she was eager. And then she changed her mind at the last minute, requiring me to start over. At that point, a white male candidate presented himself who was far more skilled and wouldn’t require as much training. I know if I spent more time looking, I could find a good female candidate, but honestly, I was exhausted, and I needed to fill the position. I have to imagine many others echo my story. They start out with the best intentions, fail and then go with a good solution that doesn’t fill the diversity checkbox. Nancy, I tried, and I know a lot of other people say, I tried, and I know that’s not good enough, but I still have a job to do. 

NANCY HUNTER

So you tried too late. You needed to establish a relationship before you were looking for – to fill a position. There are many, many organizations for you to reach out to diverse candidates. There is a Women in Cyber national organization. There’s Philadelphia Women & Cybersecurity. There is the Black Data Processing Association. There are just so many areas for you to find diverse candidates. So for you to wait until you have a need is too late. Look for the candidate ahead of time. Establish relationships with some of those organizations so they come to you and say, these are candidates that might be good for your position. So don’t wait. Just please don’t wait. The other thing I will tell you is that chances are, that white male may have not been the most qualified or the best candidate, but they might be on paper. So what you find with women is that they often don’t apply for jobs unless they have such a large percentage of the qualifications that you write for that job description. But if you write the job description for what you really need, not the unicorn, but truly what you really need, and you’re willing to accept skills in other experiences, not just the job that you’re looking for, but some transferable skills, you’re going to open up your pool not only to women, but to a larger, diverse group of applicants. And you will find that you might get a few that really augment your organization and make it better. 

DAVID SPARK

I hear you on that. And I will just say, it wasn’t a resume, but it was actually the sample that was sent in. It’s sort of a test work, which was very good at the time (ph). But I totally hear you on that. Mike, again, I think many have done the same exact thing as I have. 

MIKE JOHNSON

Well, I really want to agree with Nancy on the idea that you have to plan for this in advance. You have to recognize that it’s going to take longer, that you’ve got to put in the work. It’s an investment. But at the end of the day, it’s worth it to have that additional diversity on your team. There’s business value. I recognize it’s the right thing to do to support your fellow human and help them be treated equally. But at the same time, there’s business value too, and I think people get lost on that side of it. So you have to think of it as an investment as well that you put in the work; it’ll pay off. You have to talk about what you’re doing, not just that you’re trying. What are your processes? What is the work that you’re putting in? You may not end up hiring the diverse candidate, but you still have to be interviewing them and giving them a fair shot. If you don’t put this work into it, if you don’t give people these opportunities, you’ll continue to have a team that you’ve always had. You know, they might be fine, but you’re really missing out on different perspectives, on really improving your team. I know in security that these folks are scarce. They’re hard to find, but they are out there. 

DAVID SPARK

Oh, I know. I totally hear you. You know, I should have backdated the effort, but I should tell you, I’m still looking for female reporters, by the way, is what I’m looking for. And if you are out there, and you’re listening, and you’re interested, please contact me. So I’m still very much open to it. I just – I had to – this had to move quickly, unfortunately. And my efforts were not initially met the way I wanted to, but that was my effort. So Nancy, you made a great point. I did reach out to a few groups, but I didn’t reach out to specific women-run groups or women-only groups, which is a good point. Mike, do – have you done things like this? Have you, like, reached out to organizations that are essentially diversity-specific, saying, hey, I’m looking to hire in this space? Can you, like, let your group know or recommend someone? 

MIKE JOHNSON

There’s a few that we work with, and we’re really trying to improve our relationships with them. We’re trying to get more involved. But we’ve worked with an organization called Women in Security and Privacy. We’ve worked with WiCyS. And there’s another group that’s not security-specific called Tech Ladies that we are partnering with – always looking for more of these groups that we can help out with. Another one that I’m starting to have conversations with is one called Black Girls Hack, which is an earlier organization. They’re just kind of getting their feet under them. But there’s more and more of these out there. Finding them, working with them, that’s what it takes. Just work with them, and the efforts will pay off. 

NANCY HUNTER

Agreed. And they’re not looking for women-only organizations. They’re looking for male sponsors and support people as well. So it’s just not when you’re just looking, but you can actually help to be a sponsor or a partner or a support person or mentor. 

Close

29:09.420

DAVID SPARK

Excellent point. All right. Well, that brings us to the end of our show. Thank you very much, Nancy Hunter, who’s the VP CISO of the Federal Reserve Bank of Philadelphia. Thank you very much, Mike. Nancy, I’m going to let you have the final word. First, I want to thank our sponsor, Code42, for sponsoring this very event and being a phenomenal sponsor of the CISO Series. Thank you very much, Code42. For more on insider threats, go to code42.com. And that’s just the number 42 dot-com. Mike, any last words? 

MIKE JOHNSON

Well, maybe one or two. Nancy, thank you for joining us. It was such a pleasure having you on the show. It’s always great to see, hear, listen to different perspectives, and you really brought us a different perspective. We end up quite often with CISOs who are, like, in tech companies, and that’s a great viewpoint, but it’s really great to get a viewpoint from a federal agency, which is rare for us. So thank you for taking the chance on coming to our show and talking with us. I really like your concentration on people and relationships. That was something that really kind of came through over and over and over again of how important that is to you and how much work you put into investing in people and investing in those relationships. So, you know, specifically, thank you for reminding us about the importance of those, but generally for coming on to our show, giving us a different perspective. Thank you, Nancy. 

NANCY HUNTER

Thank you. Thank you so much for having me. This was a lot of fun. And I really appreciated being here, and I appreciated hearing the different perspectives. And the one thought I will leave with is, when you’re looking for your next job, don’t only look in the profitable organizations. Look in at nonprofits and federal reserves and federal companies as well. It’s great to have a mission and be able to work in a place that is driven by that mission. It makes it a joyful place to go to every day. 

DAVID SPARK

That is excellent to hear. Well, thank you very much, Nancy. Thank you, Mike. Thank you, audience, for all your phenomenal contributions. We greatly appreciate it. And as I mentioned at the top of the show, we are going to be recording in just a few days our anniversary show, and we would love to get your feedback. So let us know what you think about the CISO-vendor relationship. Has it improved over the past few years? Have we had anything to do with it? Or just ask us anything. And by the way, feel free to ask – say something critical, something you don’t like about this show. Why aren’t you guys doing this? We’ll address it. Please. I would love to get an audio recording. You can do that through cisoseries.com, or just record any kind of audio thing, and send it to me via mp3, and we will take a listen. Thank you very much for contributing and listening to the “CISO/Security Vendor Relationship Podcast.” 

VOICEOVER

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”