Security as a Profit Center? You’re Kidding, Right?

Security as a Profit Center? You’re Kidding, Right? - CISO Series Podcast

What if we could convince management that security is not a cost center, but a means to actually make and save money for the business? The concept isn’t so completely outrageous. Companies are using privacy and security as differentiators, and certain security tools such as single sign on, password managers, and passwordless reduce operational costs in support tickets.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Mary Gardner, CISO, The Greenbrier Companies.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Buchanan Technologies

Short staffed and overworked IT groups can be overwhelmed by the massive scope of a comprehensive cybersecurity program. Buchanan Technologies makes the complex simple with our twenty-four by seven, customized, vetted strategies that identify risks, detect threats, implement security controls, and protect the confidentiality, availability, and integrity of your data. Discover more.

Full transcript

[Voiceover] What I love about cybersecurity, go!

[Mary Gardner] I love cybersecurity for a lot of different reasons, but the biggest one is I continually learn. I can’t think of a day in the last 20 years that I’ve gone home without learning something. I can learn something technical, I can learn something about people, I can learn how to negotiate, and I can learn stuff about myself too.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. Joining me for this very episode is Mike Johnson. You’ve heard of him since episode number one. Mike, make some noise with your vocal cords.

[Mike Johnson] I am here, David. I am excited for another episode and let’s do it again.

[David Spark] I’m looking forward to this. Hey, do you know this? I’m just making sure listeners know this – that we’re available at cisoseries.com. And for this very episode, our sponsor is Buchanan Technologies. They’ve been a phenomenal new sponsor of ours, and we are thrilled to have them onboard. They are in the space of MSSPs, and if you are looking to learn more about MSSPs or what an MSSP should do, pay attention, we’ll have more about them later in the show. But first, I want to mention something, Mike, that we have started. This episode is airing in June, and we started this in I think late March, something on our Reddit space. Now, a lot of people don’t know that there is a CISO Series subreddit. You know this.

[Mike Johnson] I know this.

[David Spark] We have been bad about activating it, if you will. We just sort of pasted episodes and other random stuff there but not really trying to drive conversation. So, something we have started to do is Confessions. Now, one of the wonderful things about Reddit is it has a certain level of anonymity, and we thought it’d be good to maybe ask questions for which people don’t want their identity attached to their answer to the question. So, to give you an idea, here are the first couple we started with. One was what cybersecurity hygiene practices do you know to follow but don’t?

[Mike Johnson] Mm-hmm.

[David Spark] I’m sure we’re all guilty of these kinds of things.

[Mike Johnson] Oh, absolutely.

[David Spark] Yeah. And then the other question is do you get scared if you go too long without an incident?

[Mike Johnson] “It’s too quiet.”

[David Spark] There’s got to be something wrong. So, we will bring these more into the show, but I’m very eager to get more people participating in these sort of anonymous confession posts so please, please jump in and join in the conversation there. You can see they’re labeled with a little green flair tag that says “Confessions,” so look for those and please participate in those. All right, now I’d like to introduce our guest who was introduced to us by a previous guest, Hadas Cassorla, and I’m so thrilled that she’s joining us as well. So thrilled to have her onboard, it is the CISO for Greenbrier Companies, Mary Gardner. Mary, thank you so much for joining us.

[Mary Gardner] Thanks, David and Mike, great to be here.

Why is everyone talking about this now?

3:26.353

[David Spark] In the wake of the teen-led Lapsus$ attack at Okta, a redditor on the cybersecurity subreddit said, “Teens illegally hacking your business have no CISSP, no 10+ years of experience, no degrees, no jumping hoops of lengthy interviews. What they do have is curiosity, that without guidance led them to the dark side.” We’ll see about that. “Not only are we losing on fantastic talent not bridging the talent gap but losing talent to the dark side. It’s high time we re-evaluate barriers to entry in cybersecurity.” To which another redditor said, “What Lapsus$ didn’t have was morals.” Now, this redditor kept banging the drum of, “Oh, if somebody would have shown them the way, they would have joined the good guys.” Mike, I know you have extremely strong feelings about this, but are we losing talented cyber teens? Is there a way to create a pathway of legitimate security careers for mischievous cyber youth?

[Mike Johnson] It’s easy to look in hindsight and say, “Oh, yeah, sure. If they’d been shown the way, they’d have been fine.” But you don’t know.

[David Spark] Anakin Skywalker was shown the way too.

[Mike Johnson] You’re right. Some of us know how that turned out. But at the same time, there’s any number of criminals out there you could say the same thing about. Criminals are criminals, and some of them, no matter how much you’re showing the way, they’re going to go down that path. And at the same time, I wouldn’t classify them as mischievous youth. They cause millions of dollars of damage. This is not just some trolling on a reddit, this is real crime, so I can’t even say, “Hey, Lapsus$ might have been okay.” But there are plenty of people – my peers, Mary’s peers – who did a few things when they were teenagers that they probably don’t talk about.

[David Spark] This is a benefit of growing up in an era where there was no internet, that there is no record of the stupid things we did as a teenager.

[Mike Johnson] Yeah. A lot of that is gone. But it’s an interesting point that you bring up about growing up. I was listening to an episode of Darknet Diaries the other day, and what he was talking about was usually people are taught morals, ethics, lessons from their predecessors, from their parents and so on and so forth. And the people who are coming up on the internet today generally don’t have that benefit. They understand this way better than their parents. They don’t have those opportunities to learn. And that’s an opportunity. That right there is something, maybe schools could teach ethics, “Hey, we’re getting you online…”

[David Spark] Actually, I had an ethics class in school.

[Mike Johnson] And I think there would be a lot of benefit to that, and that would give people some pause at least to stop and think. Now, they may still go do it anyway, they’re kids, but they might recognize that there’s a line, and that’s what we need to be teaching them, that there’s a line that you don’t cross.

[David Spark] Mary, by the way, this exact post, which got a flurry of response, I saw this on LinkedIn as well and it exploded. I mean, the response to this discussion has been enormous.

[Mary Gardner] So, I have a tendency to agree with Mike. I think there’s a definite opportunity to teach ethics because what these guys did was criminal; however, I think we have a group of kids that could be taught security, ethics, etc., and really help us move forward in terms of cybersecurity. I don’t condone what the Lapsus$ guys did. I think that’s way beyond mischievous, but I do think that there are opportunities for us to get in touch with youth earlier. Because we have a huge resource gap in security. Are you familiar with Marcus Hutchins and NotPetya?

[David Spark] Oh, NotPetya, yes.

[Mary Gardner] Yeah. He’s the guy that found the kill switch for NotPetya. He was being honored in Vegas and the FBI arrested him, and they arrested him because he had a history with a hacking group. He had helped them put code together. He indicates that he didn’t know that he put this code together for malfeasance until he was older. But we’re losing out on talent that I think we could shape and grow in an ethical way. So this is a tough one for me because I want to attract kids, and I want to attract them much earlier than what they’re being attracted to cybersecurity, because I think it’s fun. I think anybody in cybersecurity has fun on a regular basis, and I think we can share that joy with our youth and attract them to the field and grow some really top-notch cybersecurity professionals.

Are we having communication issues?

8:32.600

[David Spark] Last Friday I was part of a virtual meetup on the Toucan platform which simulates a virtual party, just like in a real party, by drifting in and out of conversations, anyone can talk with anyone. Geoff Belknap, another CISO Series co-host and the CISO of LinkedIn was there. One of the people I was talking to was looking for a job, and I said, “Oh, go

talk to Geoff. He’s hiring.” The person I was speaking to didn’t feel comfortable doing it with an attitude of “Oh, I’m so small and he’s a big CISO.” Ultimately, I had to push him to go, and Geoff was very welcoming. So, I totally get where this feeling comes from, and we talk endlessly about CISOs being busy, and you have to have a very specific strategy to approach them. But we don’t talk about how CISOs can make themselves more approachable, specifically those people looking for work. So, I’m going to start with you, Mary. We were just talking about this, trying to sort of reach out to young kids. What can you do/have you done to make yourself more approachable? Especially since you’re, I’m going to assume, looking for talent.

[Mary Gardner] So, I try and work with communities and get out there and volunteer at schools, work with my peers’ kids to make myself approachable. But the other thing is just speaking engagements like this and really emphasizing the fun I have in security. One of the things that I tried to tell one of my friend’s kids was that security’s kind of like the skate punks of the ’80s. We’re trying to bring up a generation of people who care about the art and the technical craft of being a security professional, and we’re trying to teach that and embed that in youth.

[David Spark] By the way, that’s a good point to make, and I like the analogy of the skate punks because people who are skaters very much see their sport as an art, and that also people in cybersecurity see their work also as an art as well. That’s a really good way of putting it.

[Mary Gardner] Absolutely. I think it’s about fostering the love of the art in some ways and really engaging people and being a mentor and a sounding board and being available. Not necessarily just to people who want to get into cybersecurity, but people who love technology and want to learn more about it, and eventually, we might attract them.

[David Spark] All right. Let me toss this to Mike. Mike, what have you done/can you do? Because the unfortunate thing is your title of CISO makes you unapproachable to some people.

[Mike Johnson] I think there are places that you can go where your title actually disappears, where you can just be a fellow security practitioner. One of those places are conferences like B-Sides or DefCon or Black Hat. You’re just another person in those areas, as long as that’s how you’re carrying yourself. I remember a few years ago, the company I was working for at the time, we sponsored a booth at B-Sides San Francisco for the sole purpose of recruiting. That’s why we did the booth. And I worked the booth. I showed up, my team was there, they worked the booth, we all did our rotations. And it was just meeting people, just saying, “Hey, hi, I’m Mike Johnson. What can I answer for you?” And we had great conversations. I ended up hiring someone that I ran into. We had met in the past, we kind of reignited the connection right there, and I hired them. And that’s the kind of opportunity that I don’t know that I would have had if I hadn’t of just shown up and been another person at the conference.

[David Spark] Let me throw this also out, and if you’ve ever met a really top-tier politician, they all do this. I remember I met Mayor Willie Brown, the mayor of San Francisco, a number of times. I did a radio show with him, actually, for a period of time. When you talk to him, he’s so zeroed in on you. He made it clear that he was not talking to anybody else but you because he realized you are going to mention that meeting to somebody else, and he had to make this experience as positive as possible, and it was literally engrained in how he communicated, and I’m thinking CISOs could do the same thing. Why not?

[Mike Johnson] Absolutely. Absolutely. And that example with Geoff is a great one. That person’s going to go away and say, “Oh, I met the CISO of LinkedIn. He was awesome. We had this great conversation,” and will tell that over and over again. I think that’s a great example you mention as to what and how politicians handle it is that recognition that you’re speaking to that person in the moment, but you’re also speaking to everyone else that person goes and speaks to.

Sponsor – Buchanan Technologies

13:33.526

[RJ Friedman] One major consideration that CISOs have to take today is whether or not they’re going to hire for themselves or go to a managed security service provider.

[Steve Prentice] This is RJ Friedman, Chief Information Security Officer as well as the lead for the Managed Security Services Division at Buchanan Technologies. He’s pointing out that managed services is not just about the services, it’s also about finding the people to do the managing.

[RJ Friedman] With the Great Resignation and then the Great Migration, everyone moving around, jumping from company to company during COVID, the problems within the cybersecurity industry were only exacerbated. We saw 300,000 to a few million, based on the estimate, of open cybersecurity jobs in the industry, and that was a few years ago. I don’t know exactly what it’s at today, but I know it’s more people that are looking for cybersecurity talent. One of the best benefits that you can get from working with a managed security service provider is that they already have those experts who are trained, who understand cybersecurity from a fundamental level, who go through training, who are specialized in their craft, already ready to go.

[Steve Prentice] For some perspective, he says look at a bank.

[RJ Friedman] A bank’s specialty is not cybersecurity. It’s basically they have to go and build a completely separate company within their company to deal with the cybersecurity and the digital risks that they acquire, whereas that’s all we do.

[Steve Prentice] For more information, visit buchanan.com.

It’s time to play “What’s Worse?”

15:04.923

[David Spark] Mary, did you get a chance to listen to an episode of our show? Do you know what this game is?

[Mary Gardner] I did. I’m terrified.

[Mike Johnson] It’s the perfect reaction.

[David Spark] You’re terrified, all right. Don’t be terrified at all, Mary. We’re going to have fun with this. Trust me, you will enjoy this. And here’s the part that my son Jack Spark, who’s in middle school, came up with a “What’s Worse?” scenario. And I always make Mike answer first, so here is the “What’s Worse?” scenario. And here’s the big thing you need to know about the “What’s Worse?” scenario. You can’t change it. It just is what it is. Okay? What’s worse, Mike, 10% of your company’s email is randomly deleted, or 50% of all messages in your company are sent to the wrong person?

[Mike Johnson] Oh, Jack. Okay. So, in both of these, in the CIA triad, this is a loss. The first one is availability, like we lost 10% of that, that email is gone.

[David Spark] It’s just gone. It’s vanished.

[Mike Johnson] The second one is integrity, the email went to the wrong place, it was delivered to the wrong people.

[David Spark] Good way of looking at this.

[Mike Johnson] In my mind, integrity is always the worst of those two. When you can’t trust your data, when you can’t trust that it’s where you think it is, it can be really bad. You have no idea how big of an issue that is until you go and dig into it. A loss of availability sucks, but in these two scenarios, I’m going to take the loss of availability as the less worse.

[David Spark] Less worse.

[Mike Johnson] And the loss of integrity, the 50% just went somewhere at random, that’s the worst to me.

[David Spark] Well, but it does have a name and identity to it. So I could write an email to Mary that gets sent to you, Mike, and you know it’s not for you, so there is a way to track it back. So, it’s not a complete loss of integrity.

[Mike Johnson] Oh, sure, but what that was, you may have been sending a message to Mary saying, “Hey, I’m firing Mike tomorrow,” and he’s not going to be happy about it.

[David Spark] No, he’s not.

[Mike Johnson] And that’s a problem, right?

[David Spark] Well, it’s just you found out earlier than you were supposed to.

[Mike Johnson] Right. But that that email never got delivered, eh, you know, it’s actually not as big of a deal.

[David Spark] All right. Mary, I throw this to you. Which one’s worse?

[Mary Gardner] I’m going to go with the integrity issue, so the sending to the wrong people, but I’m going to change the reason for it a little bit. So, I think it’s integrity but it’s also confidentiality. So, as you pointed out, sending the email about firing Mike to Mike – bad deal. But when I send an email to staff about what people are making at the executive level, that’s probably even a worse deal. Or if I send HIPAA data to somebody else, we’ve got a confidentiality problem and probably, potentially, a reportable breach.

[David Spark] I have a friend that when he goes on vacation and comes back, he literally deletes all of his email, and his attitude is if it’s really important, they’ll email me back.

[Mary Gardner] Yep.

[David Spark] Do you know anyone else who does that?

[Mary Gardner] I’ve thought about it.

[David Spark] You fantasize about it.

[Mary Gardner] Yes. Yes, I do.

If you haven’t made this mistake, you’re not in security.

18:37.147

[David Spark] What’s the range you can break things in your environment? I tell my employees that if I point out that they made a mistake to not to take it as that I’m scolding them but rather as a means to improve. In addition, I try to point out some of the worst possible mistakes, and if they did happen it would really suck and we’d be out of some money, but it wouldn’t be catastrophic. Now, in cybersecurity, there are a lot of mistakes that can be catastrophic. In an article on Medium, Gary Hayslip, CISO of Softbank Investment Advisers and a guest on this show, said, “You will break things in cybersecurity, specifically around integrations or lack of integrations across your constantly morphing technology stack.” I’ll start with you, Mary, on this. Do you show your staff worst case scenarios and what they ultimately want to avoid, what is bad but recoverable, and where they should experiment – example, give them freedom to make mistakes?

[Mary Gardner] I give them guardrails. I point out, “You know what? Bringing something down using Nessus is probably a good way to learn, as long as you don’t bring down the FAA tower at the airport.” Just some guardrails, some pointers. People learn through failure, at least partially, so I think it’s important to give people the ability to fail.

[David Spark] Mike, what about you? Is there an area where they can experiment, your group?

[Mike Johnson] Yes, especially when we’re testing out something new. We have canary environments, we have test environments, we have places that we can go and try tools in a safe way, and I expect my team to figure that out. I’m not the one who’s showing them this. This goes back to something that I’ve mentioned on the show several times. We don’t have the ability to hire junior folks into the team right now, and this is one of those reasons. I can’t. None of my managers can be taking the time to explain very carefully, “Here’s what’s safe.” We have senior engineers on the team, I expect them to know this, I expect them to go find the test environments or build the test environments.

[David Spark] Is this really also the nature of your business and how it’s configured right now?

[Mike Johnson] That’s part of it, and part of it is if we had more capacity on the team to teach people and to show them, “This actually is what’s safe, this is what you can do, these are your boundaries,” then that’s something that you can have more junior people on because the junior folks aren’t going to understand that those boundaries exist. You have to teach them. Versus the people who’ve already been there, done that, taken down the control tower with a Nessus scan, those folks are going to understand and recognize that they have to find their own guardrails. That’s one of the differentiators between senior individual contributors and junior.

[David Spark] So, Mary, can you give me an idea of, not necessarily [Inaudible 00:21:44], but a mistake that is made that is very recoverable, it’s like, “Don’t worry, this is a mistake, but just hear I’m telling you this so you learn for the next time,” versus like you said, the catastrophic case?

[Mary Gardner] One of the biggest mistakes that I see being made in security is just mistakes in configuring various firewall rules, and for the most part, that’s very testable, very deployable. You make sure you test it, you deploy it in a safe environment, so one of the smaller, more internal environments, and then you propagate it out. If you make a mistake in the smaller internal environment, that’s fine. If you deploy it to the externally-facing firewall that’s protecting your DMZ, that might not be so recoverable. But again, it goes to Mike’s point of creating safe spaces and having people who know what can be done and when it can be done. I think the more important thing is when it can be done in the unsafe environment.

[David Spark] How consciously, Mary, are you like constantly thinking about, “All right. I got to create this guardrail, I got to create this guardrail, I need to create this safe space. I need to create more testing to production environments, we don’t have enough of that. Too much stuff is going live.” I’m sort of imagining here. How much is that consciously being developed?

[Mary Gardner] Consciously? Minimally, honestly. I don’t have much time to spin the cycles consciously developing it. So again, going back to what Mike said, really need the senior people on my team to help with that and help develop those guardrails and procedures and environments. Do I know it when I see it? Yeah. But consciously thinking about it? It’s minimal.

[David Spark] I appreciate your honesty.

[Mary Gardner] Can I ask the same question to Mike?

[David Spark] Sure.

[Mary Gardner] How often do you consciously think about it at this point?

[Mike Johnson] Consciously? Again, not very often. There are certain systems environments that we are building along the way, and I will ask, “Hey, how was this tested?” so it’s from a reinforcement perspective. But I’m not asking them, “Hey, are you going to test this thing in this particular environment?” It’s more of a expecting that they’ve done it and then asking them after the fact what were the results.

[Mary Gardner] I think at this point in our careers and where we are from a staffing perspective, I think we’re making choices about who we hire and what we can trust them with, and that’s a really important part of me being able to do my job.

Is this the best use of my money?

24:33.851

[David Spark] “Is it possible to position your security team as a profit center instead of the traditional cost center reporting to the CIO?” asked Steve Zalewski, who is the co-host of Defense in Depth. Now, some items that came up in this conversation on LinkedIn were if your supplier has compliance requirements, the maturity of your security program is going to be critical in making the deal and continuing their ability to generate revenue. Another was cybersecurity companies are a good investment, just in general right now. You can position yourself as cost savers like SSO, passwordless, reduction in support tickets. And lastly, it’s easier to understand the cost savings in B2B than B2C, since customers don’t make decisions based on the security of the seller, or don’t make a decision to work with the company based on their security. So, I’ll start with you, Mike. What’s the competitive edge/cost savings/profit center of cybersecurity, you believe? And I know it definitely changes by business.

[Mike Johnson] Yes. And that’s one of the things I do want to highlight, that B2B is very different than B2C here. We have customers who are signing very large contracts. They have expectations. If there was someone who is paying 30 cents a month, we’re not going to waste any time on that. And that’s kind of B2B versus B2C in a nutshell. It’s how much buying power does one customer have, and that helps you understand, “Yeah, we need to shape our security to their expectations, just like we would shape products. We know that they’re going to come to us for this particular product, we’re going to build the best product that we can in that area.” So it’s very similar. I think also in terms of a profit center, I don’t know that security ever gets there for that reason, unless you are the product that’s being sold.

[David Spark] Mm-hmm. Hence cybersecurity as an investment.

[Mike Johnson] Exactly. You’re always going to be somewhat less. You’re not going to be turning a profit. I don’t think a profit center is a possibility. You can contribute to cost reduction, you can contribute to increase in customers, like I mentioned. You can contribute to loss avoidance of regulatory and legal areas. Those are all things that a security team can and should be a part of and be contributing to. You’re always going to be a cost center, but it’s how much of a drag that you are on the rest of the company. And hopefully, you’re an enabler. You’re actually enabling sales, you’re enabling the ability for someone to go and talk to that customer who they know is notorious for having high security expectations. They wouldn’t even show up if you weren’t doing your job right, would not even be an option. So that’s where you can really help out, and you should be helping out, but you’re not going to be a profit center.

[David Spark] All right. Mary, I think you’re nodding at the fact that Mike says you’re not going to be a profit center, but are you onboard with everything else and what would you add?

[Mary Gardner] I would say mostly I would agree with that. I think I’ve seen one example where a security team turned itself into a profit center. That was at a cloud provider. They were providing SOC services to customers. But I think that’s the exception rather than the rule.

[David Spark] And then there’s people have been shaming companies for doing this, but then there’s the charging for SSO.

[Mike Johnson] No, don’t do that. No, not okay.

[Mary Gardner] That’s just wrong. I want to be not considered an insurance policy. If I can teach my business owners that I’m more than an insurance policy and actually participate in cost avoidance and lowering some of what we’re spending in technology because we have an effective security program, I consider that a win.

[David Spark] And are they starting to look to you like that, like, “How can we deal with this better and we’ll reduce risk, save money here?” Are they looking to security to help in that respect?

[Mary Gardner] I think so. I’ve had some great successes in business enablement through security controls. How do we get email accounts or O365 accounts into remote workers’ hands securely, and I think the pandemic really helped us become more of a business partner and less of an insurance policy.

[David Spark] And ultimately, that’s what you want. We talk about this all the time, that’s what you want to be, and to do that you need kind of endless communication with the business leaders, right?

[Mary Gardner] Yeah. And you need to really think about how you’re deploying technology and security to enable the business, reduce business friction. Where can I improve what I’m doing and the way I’m doing it to impact the business less? And there’s ways to do it.

[David Spark] Can you give us an example?

[Mary Gardner] When I worked at a hospital environment, and we deployed multifactor authentication. And in the process of it, we had a lot of pushback from the doctors and the surgeons because they didn’t want another step. But what we did was we showed them that by doing this we could create a carrot where they could access medical records, emails, and other type of data remotely securely. So we enabled them by implementing MFA to work from anywhere they needed to. And it’s a rare day when a security professional gets a thank you note from a surgeon. I kept that note.

[David Spark] You should have that framed.

[Mary Gardner] Yeah. But there’s ways to do it. You also need to listen to what their problems are, right? You need to communicate to them, but you need to solicit their advice and understand what their problems are so you can help them.

[David Spark] A great tip to close with.

Closing

30:51.990

[David Spark] A Thank you very much, Mary. Thank you very much, Mike. And a huge thanks to our sponsor as well, Buchanan Technologies, they are buchanan.com for all your MSSP needs. Check them out. We like them a lot. We appreciate their support of the CISO Series. Mary, the question I ask all our guests is are you hiring. I’m going to let you have the last word, and I also want your answer to that question as well. Mike, your last thoughts?

[Mike Johnson] Mary, thank you so much for joining us. It was a pleasure sitting down and having the conversation. One of the things that I really appreciated was you clearly have a love, a joy for what you do, and it came through in all of your answers, all of the discussion. Your desire to teach others, to share with them. And I really appreciate you sharing that with our audience, especially where some people can be kind of salty in our profession. So, I really appreciate you bringing that lightness that David is over here being salty about. But especially I wanted to share something that you’d said about getting to the youth and talking with them, and you’d said something about cybersecurity is fun, sharing the joy with the youth. And I thought that was just such a great perspective, and I hope we can continue to do that. I hope we can bring some of that joy to the youth, help them understand why we do this, why it’s fun, and educate the next generation. So, thank you so much for sharing your perspectives with me, with us, with our audience. Thank you for joining us.

[Mary Gardner] Thanks, Mike.

[David Spark] Mary, so any last thoughts on our conversation today and are you hiring, let us know.

[Mary Gardner] Unfortunately, no. I want be hiring but I’ve reached my limit for the year.

[David Spark] So you did hire though recently?

[Mary Gardner] Yes.

[David Spark] Great.

[Mary Gardner] I grew my staff by about three.

[David Spark] Nice.

[Mary Gardner] That was great. And I think I really appreciate being involved in the conversation. I think one of the things that we need to do as security professionals is talk amongst ourselves more, right? I learned so much from the conversation today, and thank you, Mike, I think you have a great grounded perspective. And thank you, David, for bringing some really interesting questions to the table, very thought-provoking.

[David Spark] Many people believe that I’m a cybersecurity expect, to which I have to constantly remind them – I have never been a cybersecurity practitioner. I am fortunate enough to just talk to some of the smartest people in the industry and then because of that, people have this misconception that I’m the genius. Not true, whatsoever. But I get the waves of brilliance that fall over me, so I greatly appreciate your wisdom. And your wisdom as well, Mike, and all our guests too, and co-hosts. Well, thank you again very much, Mary. Thank you again, Mike. And thank you to our audience. We greatly appreciate your contributions. I say it all the time and I hope it doesn’t sound like me just being a broken record over and over and over again. But you don’t understand, we do greatly appreciate your contributions. Mike is nodding his head.

[Mike Johnson] Yes, we do. Please, more.

[David Spark] So, if you have always said, “Oh, I thought about doing it, but they probably don’t want to hear from me.” No, I do want to hear from you. Please send whatever your question, concern, and your “What’s Worse?” scenario. We want to hear it. Please send it in. We greatly appreciate it. And obviously, we appreciate you listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Series Podcast.