No, please not another acronym. I can’t take another education cycle on another product segment. Oh, I’m sure Gartner is launching it. And I’m sure they’ll make yet another Magic Quadrant to tell us which companies are in this new market segment. And we’re going to have to buy this report so we understand this new category so we can create yet another line item on our budget sheet.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Ed Bellis (@ebellis), co-founder and CTO, Kenna Security (now a part of Cisco).

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor Kenna Security


Full transcript

Voiceover

Ten second security tip. Go.

Ed Bellis

Use tools that are non-security tools for security purposes. A great example would be when I was at Orbitz. Our customer support team used to use clickstream data and they would use it to identify when customers got stuck at a certain part within the application. But then we could use that same tool to identify attackers who were skipping steps in the application looking for business logic flaws to take advantage of.

Voiceover

It’s time to begin the CISO/Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO/Security Vendor Relationship Podcast. I am David Spark. I am the Producer of the CISO series and joining me on a very regular basis is Mike Johnson. Mike, the sound of your dulcet tones, what would they sound like?

Mike Johnson

They sound like this. They sound like a person who is here with their orange energy drink. So, I’m good to go. It’s exciting.

David Spark

Orange energy drink? What brand energy drink? Or you don’t want to mention it?

Mike Johnson

I don’t want to give them this free endorsement that they would otherwise need to pay a pretty penny for.

David Spark

Because they are in cybersecurity as well as our other sponsor?

Mike Johnson

Exactly. There’s a conflict of interest there.

David Spark

It would conflict with our current sponsor.

Mike Johnson

We would not want that conflict at all.

David Spark

In fact, we have the co-founder of our current sponsor on as a guest today. I’m going to introduce him in a second. By the way, we’re available at ciscoseries.com and our sponsor, it’s either Kenna Security or CISCO. I’m not exactly clear. But Kenna Security recently got purchased by CISCO, so our guest is actually an employee for CISCO. But we’ve had him on many times on the video chat. He, by the way, kills it on the video chat, so very excited to have him here and I want to have a discussion with you Mike about something non-security related, but I’m going to bring in our guest now. It is the CTO and co-founder of Kenna Security, now part of CISCO, Ed Bellis. Ed, thank you so much for joining us.

Ed Bellis

Thank you for having me, David.

David Spark

Alright, here is the discussion I want to have. I’ve decided I’m going to start this project of trying to listen to all 500 albums on Rolling Stones top 500 album list, okay?

Ed Bellis

Wow!

David Spark

I am now, I’m going to tell you how far down I am. I am 22 deep, okay? Now, this may sound like an old man complaining, but Sergeant Pepper’s Lonely Hearts Club Band by the Beatles, which kind of is a seminal album…

Ed Bellis

Oh, careful!

David Spark

Kind of a big deal.

Ed Bellis

Careful!

David Spark

…is number 24. Let me mention artists that are ahead of that. Kendrick Lamar, Kanye West, more important than Sergeant Pepper. I’m having a hard time swallowing this.

Ed Bellis

You do sound like an old man complaining. Confirmed!

David Spark

Yes, I do.

Ed Bellis

I was going to say, like, have you seen the meme of the old man yells at cloud?

David Spark

Yes. It’s like Grandpa Simpson.

Ed Bellis

Yes. You’ve got Grandpa Simpson yelling at kids these days and the albums they listen to.

David Spark

By the way, the day that I knew I was an old man, I actually turned on MTV– now this goes by a while ago– and honestly, the following thought hit my head. What are those stupid kids doing?

Ed Bellis

And this was MTV right? Which is already dating you.

David Spark

It’s dating me, yes. So, that was a sign, oh crap, that’s what an old man says. So, first of all, it’s a very interesting list. Obviously, whenever you make a list like this people argue, but I’m just having a hard time with Sergeant Pepper being number 24 on a list, which you’d think should be a little bit higher up.

Ed Bellis

So, you started from the top at number one and you’re going down?

David Spark

I’m starting from the top going down.

Ed Bellis

Alright, okay.

David Spark

Yes.

Ed Bellis

And when did you start this?

David Spark

I just started actually a week ago. So I’m 24 deep listening to 24 albums.

Ed Bellis

An hour-ish per album roughly?

David Spark

Yes, probably.

Ed Bellis

70 minutes tops. But you’re doing a decent clip. I think what you would find is if you look at this list ten years ago, you might actually see the Beatles being higher.

David Spark

Yes, probably.

Ed Bellis

What it’s kind of indicating is over time the Beatles have…

David Spark

Nobody cares about the Beatles.

Ed Bellis

I was going to say they have less and less influence, but you could say nobody cares about the Beatles. Or you could say with ten years there’s more competition.

David Spark

There you go.

Ed Bellis

And ten years from now there’ll be even more competition.

David Spark

And I would tell you, I am no prude by any stretch, but the amount of profanity and, by the way, N word dropping in these albums is astonishing to me and, again, this is not security related, not a security incident, but I know that everyone would have issue with this list, I think. Except Kanye West and Kendrick Lamar fans. They’d probably complain why aren’t they higher?

Ed Bellis

I was going to say, the order of that might not make them happy either.

David Spark

No, they’re going why? Sergeant Pepper should be down at, like, 200 to 300. What is it doing up this high?

Ed Bellis

The one thing that you can be assured of with lists like this is everybody is mad at something about it.

David Spark

Everyone. No-one goes “Oh my God, they numbered this perfectly.”

Ed Bellis

Right.

David Spark

No-one says that. I will say, number one, while a great artist, I adore him, don’t understand why it’s number one, Marvin Gaye’s ‘What’s Going On’. He’s a good artist. A good album. Number one? Yes, I don’t know.

Ed Bellis

Interesting.

How would you handle this situation?

00:05:21:10

David Spark

How do you develop unbiased knowledge about a new technology? There was a time I felt you could do that. But today, it doesn’t seem easy or even possible. Most of the education is coming directly from vendors. For example, I want to do a segment right here on XDR, for the three of us to discuss, and all the information that I found was directly from vendors. Now, vendors will qualify that they just want to educate, but there’s no way to avoid the fact that the education is going to be biased towards their solution. Heck, because, I mean, that’s just what they know. So, what do you do in these situations when you’re truly trying to learn yet understand the various extent of the technology? And I think is the best solution a research report where ultimately you’re going to have to pay for it? Mike, what do you say?

Mike Johnson

XDR is a great example of the damage that the vendors are doing when trying to define a new segment. In XDR, it’s just taking endpoint detection response and combining it with cloud detection response. That’s it. They didn’t need to create a new segment or a new term for it.

David Spark

Well, if they want you to create a new line item on your budget they do.

Mike Johnson

But I don’t have a line item for XDR.

David Spark

Right. That’s the point. So they want you to make one.

Mike Johnson

But why would I do that? I don’t go and buy an XDR. I go and solve problems and that’s what all of these vendors are forgetting and all the analysts are forgetting is our job is to solve problems.

David Spark

So, should this be end point protection plus? Is this what we should call it?

Mike Johnson

You don’t need to call it anything. At the end of the day, I have these problems that I’m solving. I don’t think that, you know, vendor X is sitting out there going “We just sell XDR.” They’re saying “This is what we sell.” These are the products that we sell.” I think there’s some amount of the analysts are coming into play here, where they want to bucket vendors together and they might need to create a new segment in order to be able to push them together. So, I don’t know that you can blame the vendors for that, but the fact that they’re doubling down on it is the problem.

David Spark

No. I understand, like, whenever you’re in a new market, like, half of your sales cycle, if not more, goes to just education. Ed, you’re nodding your head.

Ed Bellis

Yes, I am, because I remember when there wasn’t a risk based vulnerability management market too.

David Spark

I know. And by the way, did you watch that change? Did you watch, like, at the beginning 80% of your sales was education, then over time it became 20%?

Ed Bellis

At the beginning it was probably 99% evangelical sales and education, right? And then, over time it did shift and it was a lot of working with analysts. Customers actually talking to their analysts that they’re paying, saying “Hey, is there a solution?” And to Mike’s point, right, so I’ll put on both my hats. So, previous to co-founding Kenna I was on the practitioner side and I 100% agree with Mike. It’s like I don’t go around and look and say “Oh, I’m going to go educate myself on the XDR market to see whether I need to buy an XDR or not.” I go with here are my problems that I’m trying to solve. Are there any solutions out there on the market for these problems? Do I need to build, do I need to buy, is there some sort of combination? Do I need to hire? What do I need to do to solve these problems? And then on the vendor side of the house you’ve got, and to your point, absolutely, you know, you’re going to talk to each vendor and they’re all going to be slanted towards their solution. Not just because they’re slanting their messaging to their solution, but that’s what they believe the problem is that they’re solving.

David Spark

Right. It’s just what they know and, I mean, it’s just the way they’re absorbing the information, the way they’re putting it out.

Ed Bellis

Yes, yes. And everybody’s going to have a slightly different viewpoint and there’s going to be a whole lot of analyst briefings on both sides, both from the vendor to analyst and customer to analyst and eventually they’ll work themselves out into a market. At least that’s how it seemed to work with RBVM and then suddenly, like, I felt like I woke up one morning and there was competitors out there.

What would you advise?

00:09:31:15

David Spark

A redditor has an upcoming SOC interview and they’re nervous. And, by the way, SOC stands for Security Operations Center. The hiring company is going to give this person a dataset and then 24 hours to analyze it and present on it. He’s asking, what should he do and what should they expect?

Now, what would you want to see and what would wow you? I’ll start with you Mike. And I just want to point out that another redditor also had a SOC interview and got a good question of what would you do if you were alone and something went wrong? Which I thought was a good question too, so I’m interested to know what you think of that question and have you ever asked that one? So, what’s your take Mike here?

Mike Johnson

One of the things that was missing from the post was the level of the SOC role. I’m going to make an assumption that this was entry level, because the person said that they were fresh out of school, so I’m going to assume it’s an entry level role. And with that in mind, I’m expecting an event stream or a set of events that this person is going to be given. Someone else had mentioned packet analysis. I don’t think that’s something that you give an entry level SOC analyst to go de-construct these packets. But you’re going to give them this is a set of what has happened over the past 24 hours. We know there’s some interesting stuff in there. Most of it’s going to be irrelevant, so what I’m looking for is someone who can do an analysis of this dataset, present findings. So, document findings in a way that are prioritized. So, what are the most important things in here that are actionable? Something I can do with it. And then the bonus is confidence levels. You’re not going to be, you know, I am certain that this is what’s going on for every one of them. But if you can have some maturity to say I’m 100% certain about this. I’m 75-ish % confident of this particular finding. That then gives me some insight into the way that you think, which is ultimately what you’re looking for in an interview, is some insight to how the candidate is thinking. So that’s what I would expect is here’s a bunch of events, go and find the interesting stuff and then present that to me in a way that I can do something with it. And if you go into it with that mindset you’re probably going to get what you need out of it. To your question about what would you do if you were alone and something went wrong, I’ve never asked that question.

David Spark

Do you think it’s a valuable one?

Mike Johnson

I don’t know that it’s fair one for an entry level SOC analyst. Like, you shouldn’t have an entry level SOC analyst on their own. That’s a great way to burn somebody out in their first two months of their career.

David Spark

No, I understand. But you may not do it. But it’s interesting what the answer would be and I think that’s what you’re kind of probing for. What’s the value? Is there a value of asking that question, just to see how they would handle themselves?

Mike Johnson

I personally think it’s just almost too easy. It’s, I fall back document processes, I look at history of what’s been done before and I start calling people until I can get a hold of someone. I don’t know that it necessarily provides a whole lot of insight, in my opinion.

David Spark

I don’t think a lot of entry level people could answer the way you just did though. That’s the thing. Ed, I’m throwing it back to you here. All the questions that I just asked Mike are really just getting down to if you were throwing this, like having someone analyze the dataset, what would you add to Mike’s answer or maybe subtract from his answer?

Ed Bellis

I wouldn’t subtract from his answer, because I think ultimately you are just trying to get to what their thought process is. I would say this is not even necessarily unique to a SOC analyst, unless you get down into the details. What you’re really trying to find out is, it’s not that they’re going to know all the answers, especially if they’re entry level, there’s no chance they’re going to know all the answers, right? But do you know enough to how to get those answers, right? And you’re not going to get it in an interview and you’re not going to answer all of those questions correctly in an interview, but what is your next step? Okay, you don’t know this, what’s your next step? And getting that process down, again, that could be SOC analyst, somebody in an old traditional NOC world that I used to live in, or anywhere within security or even application development, for that matter.

David Spark

And what do you think about this last question regarding what would you do if you were alone and something went wrong? A good fair question? Value come out of it or might you think that’s nothing worthwhile?

Ed Bellis

I mean, from SOC analyst’s perspective, Mike’s right. You have a bunch of documentation, you have a bunch of play books and if you’re an entry level first tier SOC support person, that’s what you would do. Follow that documented process, follow those play books and go to the next step in the process.

It’s time to play “What’s Worse?”

00:14:40:18

David Spark

Ed, I know you know how to play this game, because we’ve done variations of it on the video chat. But this is the origin. It started here on this show. I always throw the questions. I guess two scenarios. They’re both horrible. This one actually has a mix of good and bad to it and it’s always a risk management exercise, which one you find worse, I always make Mike answer first. I always love it when our guests disagree with Mike. No pressure there at all. Mike, this is another question. Again, Jason Dance of Greenwich Associates, who again is trying to find your breaking point on the brilliant jerk.

Mike Johnson

Oh Jason!

David Spark

This is a running thing. But this is a different take on it all. I kind of like it. I also did a little bit of editing Jason. Apologies on the editing that I did of this. Just very lightly. Alright, here’s the situation. Your CEO comes to you Mike and asks you to hire their relative. You hire the relative. A month down the line you realize the relative is a brilliant jerk. This is, by the way Ed if you don’t know, Mike’s least favorite thing in the world. You tell the CEO about this and the CEO tells you to keep their relative in place. In fact, the CEO suggests that the relative might do well with a promotion to a senior role. Alright, Ed’s smiling on that one. Now, here’s the run Mike. You love your job. Your team is awesome and except for this one thing, you really get along with the CEO. So, what’s worse? Keep the relative or hand in your resignation?

Mike Johnson

I’m handing in my resignation.

David Spark

Really? But you love your job Mike.

Mike Johnson

But the issue is, so there’s normal companies have all sorts of policies about doing exactly what happened here and the reason why they have those policies is because of what happened here. The idea that you’re hiring a relative of the CEO, if they’re very well qualified, you know, if everything checks out.

David Spark

Well, they are qualified. They’re a brilliant jerk.

Mike Johnson

Right. Everything checks out and you’re like, okay, I’ll give this person a shot. But if the CEO is then exerting their influence over the particular situation, that’s why all of those policies are set up and the CEO who’s stepping into doing that, I don’t know what else they’re doing. I don’t know what else is going on in their mind.

David Spark

But this is literally the one road bump you have. Everything else is fine.

Mike Johnson

This could be the tip of the iceberg of all the things that I’ve been blind to in the past and I may love my job, I may love my team but, to me, that’s a sign of everything is going to hell in a hand basket.

David Spark

But your team sees you walk away. They say you’re leaving us with this guy? And they’re now disappointed in you Mike.

Mike Johnson

I’m going to then maybe have some different conversations with those particular teammates, but that just gives me bad feelings all over the place.

David Spark

Bad feelings. Alright Ed, I throw this to you. We’re still not able to sway Mike off the brilliant jerk. Do you keep the brilliant jerk on board? Again, I want to stress, you love your job, you get along great with the CEO. This is the one road bump.

Ed Bellis

Okay. So, real answer would be along the lines of Mike, only because I think it’s more of an ethics issue than anything else. And there’s a line where you just, you can’t cross that. However, for the spirit of this game, and because you encourage people to disagree with Mike, let’s try to play devil’s advocate here. The broader risk management play, as you look at it, is if you are in control there and you are this person’s boss, right, you can effectively relegate him or her to do little to no damage within that role. However, if you up and quit, you lose all of that ability to control that. You lose the ability to David’s point, like, if the rest of your team is going in disarray because now they have to deal with this person. So, the broader risk management play here is to say there’s less risk if I’m there to control it than if I depart.

David Spark

So, this is a risk management exercise. Do you agree with Ed here or no? Again, we’re not talking about your personal feelings Mike. We’re talking about risk. So, what is the riskier play here?

Mike Johnson

Ed summarized, it’s an ethics concern.

David Spark

It’s ethics. So, you don’t see it as a risk play here, you see it as an ethics play?

Mike Johnson

Yes.

David Spark

Alright. But from a worse perspective, would your mind change or no?

Mike Johnson

I have a hard time getting past the ethics of it, because I genuinely think there’s a broader risk to the company as a whole.

David Spark

Okay. Again, he’s a brilliant jerk. The thing is, brilliant jerks are still talented. I have to stress that.

Mike Johnson

They cause more damage than they do good.

David Spark

I know, I know.

Ed Bellis

Exactly. The point is they are negative to the team.

David Spark

Good answers all the way around. Alright.

Please, enough! No, more!

00:19:47:24

David Spark

Today’s topic is vulnerability management. So Mike, I’ll just throw it out to you. What have you heard enough about vulnerability management and what would you like to hear a lot more?

Mike Johnson

I think, unfortunately, this one’s evergreen and I long for the day where this isn’t the what do I want to hear less of? But I keep hearing the oh, why don’t you just patch everything right away? Like that’s the drum beat and I just get so worked up over it. So, I really want to hear less of that and what I want to hear more of is context around vulnerability management. Context around assets, owners, data, exposure. All of that mixed into a prioritization with likelihood, that is then telling the owner of the system what needs to be patched and in what order. And then the cherry on top is adding metrics of the whole thing. So, that’s really what I’m looking for more of is discussion around context, prioritization and looking at program holistically for vulnerability management across an entire enterprise.

David Spark

Mike, we have open job rights. Now, do you have any brilliant jerks on your team Ed or do you weed them out?

Ed Bellis

Definitely we’d weed those out, yes.

David Spark

Okay. Ed, I’m throwing the same thing to you. Now you were in the vulnerability management space with Kenna Security, but obviously when you developed your product there was something you heard enough about and you didn’t want to be that, so what is it you’ve heard enough about in the VM space and what would you like to hear a lot more and what are you guys doing?

Ed Bellis

Sure. I’ll cheat a little bit and talk about a couple of things that I’ve heard too much of. Frankly, one of the reasons why I ended up co-founding and starting Kenna in the beginning was all you ever heard about was oh, just patch everything, right? Just fix it all. It’s not really a problem. In fact, the people that were doing the assessments were saying this to the practitioners. So, definitely heard enough about that. I would say, you know, what I’d like to hear more of, obviously everything that Mike just talked about is right up our alley. I’m not going to repeat everything on the prioritization front. I would say there’s also some automation elements for solving this as well, right? So, there’s two levers that every practitioner has. Here, one is that relentless prioritization. To prioritize the stuff that I can actually fix and should fix, based on risk. But then there’s an automation piece which is to kind of churn through and fix more things. I am tired of hearing things like can’t you just automate generating a bunch of tickets though, because that just pushes the problem elsewhere and you still don’t end up in a good place of actually remediating and reducing risk and fixing those vulnerabilities. So, the two things that I hear a lot of that I’d like to hear less of is fix everything and then a lot more automation or automate the ticketing process over and over and over again. So, it’s high time we solved those.

David Spark

Alright. So, what would you like to hear a lot more and you can speak to what Kenna does too here?

Ed Bellis

Yes, I mean, frankly, this is obviously right up our alley and a little bit of a softball question for us, right?

David Spark

Of course. That’s why we set it up this way.

Ed Bellis

Thank you. I appreciate that. You know, the context is everything, right? And really we talked about this in the What’s Worse segment about risk management. It’s all about risk management, right? So, I want to know a lot about the assets. I want to know a lot about the business processes that are associated with the asset and how important those business processes are. What kind of data they handle. What’s the exposure to the Internet? What’s the likelihood of any one given vulnerability being exploited and then what’s the impact of that being exploited? So I want to understand the holistic risk picture and then I don’t want to be overly burdened in trying to manually determine all this. I can’t have a team that’s poring through massive amounts of spreadsheets to do this. I need to be able to automate some of this so that I can do it quicker, because there’s a lot of assets, there’s a lot of vulnerabilities and not everything needs to be solved. And that’s the one important thing that I would throw out there is you get to a point in vulnerability management where maybe it’s a point of diminishing returns. Maybe your investment would be better off spent in security in another area, at a point where you said okay, I’ve reduced this risk down to an acceptable level, but I’ve got a much higher risk over here that has nothing to do with security vulnerabilities.

David Spark

Let me ask you a follow up. How long has Kenna Security been around?

Ed Bellis

Ten years.

David Spark

Ten years? Okay. That’s a long time in security. And when did you sort of develop the prioritization angle? How far into it? Or was it from year one?

Ed Bellis

It was not from year one. So, we spent probably the first two years of what is now Kenna building the table stakes. So, before you can make sense of all the data you have to consume all of the data. So, imagine all of the integrations you’ve got to build out. The scale that you have to build to take all this data in. So it was all about that. Then, putting some analytics on top of it and then, ultimately, I would say about three years in, we started to get around to the prioritization piece of this, which is to say we started looking in what are attackers doing, what sort of volume and velocity of exploitation events are happening here? Is there malware associated? What is all of this stuff? And then starting to take in more of the asset information etc. So it was probably three years in before we even got around to the prioritization piece.

David Spark

Alright. So, my question is, when you first started with the prioritization and where you are today. Just think about where you were at the beginning and where you are today. What is the greatest change or what has been your greatest learning about prioritization during that time?

Ed Bellis

If you were to look at the overall number of vulnerabilities, if I was to look at every CVE in the national vulnerability database, I would tell you that most of them, well in the neighborhood of 60/70% of them don’t matter. They won’t in any way affect you. You won’t be attacked. They don’t matter.

David Spark

And do you make that now clear to customers, like what doesn’t matter?

Ed Bellis

Very much so, obviously.

David Spark

And at the beginning did you think everything mattered when you started at the beginning?

Ed Bellis

No, I didn’t. I had some bias going in, but I didn’t know to the degree how much was out there that didn’t matter. I thought, you know, some of it doesn’t matter, of course. You know, we’re not going to fix everything and this looks like a low severity issue. But it turns out that that was the majority and that was definitely a surprise.

I tell you, CISOs get no respect.

00:26:34:17

David Spark

So, on Twitter I asked this question. Do your parents know what you do for a living? And I got a flood of responses. Sadly, most of them said that their parents have no clue what they do for a living. So, I’m going to ask the same question of the two of you, do your parents know what you do for a living? And if so, how do they explain it to your friends? That’s what I’d love to know is, in your words, describe how your parents would describe what you do?

Mike Johnson

So, both my parents get it. They have backgrounds with computers. Different directions. They used computers for most of their careers. So, they kind of get the IT world. They understand the computer part of it. And then I also think this concept of cybersecurity, I know a lot of us in the industry chafed at the word “cybersecurity” when it was created, but it’s actually a thing that people understand now and it makes headlines. Every week there’s something in the news about cybersecurity.

David Spark

Let me just point something to that. Do you remember there was a time when a big cybersecurity story would hit and would only hit the trades first and would take some time before it hit the mainstream. That has completely flipped.

Mike Johnson

Oh, it’s inverted.

David Spark

Totally inverted. It hits the mainstream first and then it takes a while for the trades to figure it out.

Mike Johnson

Yes. I really think what you have is the sources for the trades back in the day, they’re now talking to the mainline press because that gets out there and that’s flashier. And then the trades, they want to investigate things deeper and so you have that lag. But, absolutely, it’s inverted. And I think that’s our world today and that’s part of the way that my parents would describe what I do. They’d be like, hey, you know that T-Mobile breach that’s in the headlines as of the recording of this show, you know, my kid’s job is to make sure that their company doesn’t have a similar incident. It’s actually a very easy description.

David Spark

That is a good explanation. I remember, I ran into Walt Mossberg. He was with the Wall Street Journal and I ran into him at a conference and I said “I essentially argue with you through my dad, because he reads your column and he says ‘Well, Walt Mossberg says this.’” So, that’s how he got all his tech information. Ed, your story? Your family?

Ed Bellis

Absolutely no. No way.

David Spark

Your parents don’t know what you do?

Ed Bellis

No. No way.

David Spark

They know that you got bought by CISCO and do they understand that was a good thing?

Ed Bellis

They understand that it’s a good thing. I’m not even so sure. At least I could point to some commercial on TV and say “See that’s CISCO” and then they’re “Oh, you do WebEx” and they’d know. But, you know, I had a better time of it actually. You know, previously, to Mike’s point, as a CISO, at least you can say, you know, broadly speaking my job is to prevent attackers from successfully, you know, stealing data and things like that. Now I’m not going to ever get into what is vulnerability management, so I would explain it this way, right. So, think of it as a company has a lot of computers and some of those computers have weaknesses in them called vulnerabilities. We try to predict and prevent bad guys from taking advantage of the ones that they are most likely to take advantage of, on behalf of different companies. It wouldn’t go over very well though, no.

David Spark

Then when a friend of theirs asks “What does your son do for a living?” what do you think they say?

Ed Bellis

Oh man, he’s in cybersecurity.

David Spark

Just leave it at that. There’s no need to explain anything more at that point.

Ed Bellis

Yes, that’s about it. Yes.

David Spark

So, I’ll tell you one quick funny story, which I may have told on this show before, and my apologies if I’ve said it before, so, if you know, I was with a television network called ZDTV. It later became known as Tech TV. To give you an idea of how old this was, I mean, it was more than 20 some odd years ago. I sent a VHS tape to my parents of appearances I had on the network and I talked to my mom and I said “Did you watch the video? Did you see all the segments that I was on various shows?” And she goes “Yes, I watched all of it. I watched it again with your dad” and I said “Well, what did you think?” And my mom says “The blue shirt. You looked so nice in that blue shirt.” I said “Mom, what about the things that I was saying?” “I didn’t understand any of it. But that blue shirt, you looked really nice in that.”

Mike Johnson

So, what you do for a living is you wear nice blue shirts.

David Spark

I wear it well. They like the blue shirt. So, the basic advice to everyone is wear a blue shirt when you’re on camera or a nice blue shirt.

Mike Johnson

That’s solid.

David Spark

And our listeners here wouldn’t realize it, but Ed is following that exact direction right now.

Mike Johnson

He is wearing a blue shirt as we speak.

David Spark

I am not. I should be wearing one.

Mike Johnson

I didn’t get the memo either.

Closing

00:31:36:00

David Spark

That brings us to the end of the show and thank you so much. I’m going to let you have the very last word. Please make any plug for Kenna Security and Cisco as you would like. I’d also like to know if you’re hiring. So make sure you have an answer for that. I have to thank your company, Kenna Security and Cisco, for sponsoring this very episode of the podcast and being a phenomenal sponsor of the CISO series for quite some time. You guys have been crazy, crazy supportive and we greatly appreciate it. Mike, any last words?

Mike Johnson

Ed, thank you so much for joining us. What I really appreciated was you really bringing your practitioner background to all of your answers. That was very much woven into every discussion: you know, hey, here’s what I used to do. And I think a lot of people, they really need to remember that practitioner perspective, especially when you’ve gone off and founded a company and you might lose some of those roots. The practitioners among us really appreciate when you’re tapping into that. So, thank you for bringing that perspective. And I really wanted to explicitly call out something that you said in the “Please! Enough! No More!” section. Your exact words were “Not everything needs to be solved” and I think that’s something that folks really need to remember: you don’t have to fix everything. You need to figure out what’s the most important and that’s what you need to go after, and if folks just remember not everything needs to be solved, it will go a long way. So, thank you specifically for that and for coming on the show and for sharing your practitioner perspective.

David Spark

I find it actually enlightening, the 60 to 70% number. I thought that was very interesting. Alright, Ed, any plug, any offer you might like to make for Kenna Security and Cisco, and are you hiring as well?

Ed Bellis

We are absolutely hiring. Please come visit us at our website kennasecurity.com to learn more. Of course, we are not hiring brilliant jerks. We just weed those out of the process.

David Spark

So, if someone has a line on them “I’m a brilliant jerk,” don’t even bother sending it in.

Ed Bellis

Yes, we’ve got a resumé filter on that, so we’ll get you out of the process right away. And then I would always encourage people to come and take a look at some of our very much free and public research as well. So, if you go to kennasecurity.com and click on “resources,” we publish a lot of reports on all of the data that I was talking about earlier. We do joint stuff with the Cyentia Institute, so the Prioritization to Prediction series, I think we are working on volume eight as we speak. But lots of good data in there and all free to peruse.

Mike Johnson

I love those. I’ve read all seven of them thus far. Those are great reports. I highly recommend them for folks.

David Spark

And they’re making them into movies, is that true?

Ed Bellis

Are you looking for a role, David, in these new movies?

David Spark

I have done one acting role in my life. Again, I don’t know if I’ve mentioned this story. So, I had friends who worked for a production company that produced a show called “Man, Moment, Machine” for the Discovery Channel, and two of my friends were working there and they were going to do a dramatization of the Apollo XIII mission. And the chief scientist was this guy named Sy Liebergot, and my two friends were working and were looking at some old photos of Sy Liebergot and they go “This guy looks like David Spark” and they go “Do you think we could get David to play the part of Sy in the dramatization?” And, like, “Yes, I’m sure he’d do it.” So they called me up and go “Would you do this?” And I agreed to do it, and if you do a search on my name and Apollo XIII you can watch 45 seconds of me acting like Sy Liebergot for the Apollo XIII mission.

Ed Bellis

So, we just need to figure out what part you’re going to play in the prioritization movies that are inevitably coming.

David Spark

Well, what I was hoping is, once I got this, I was assuming that all the sort of lookalike roles for Sy Liebergot, you know, all those roles were going to just start rolling in for me. They didn’t.

Ed Bellis

Keep on waiting.

Mike Johnson

I assume you have your SAG card.

David Spark

I do not. Here’s the other thing I want to mention. I was one of the highest paid people that day and I got $150.

Ed Bellis

For 45 seconds?

David Spark

Well, I was there all day.

Ed Bellis

I don’t want to get your hopes up, but we don’t plan on paying that much for the prioritization prediction movie.

David Spark

Well, there go my hopes, dashed. Thank you Ed Bellis, thank you Mike Johnson and thank you to our audience. As always, thank you for your contributions and for listening to the CISO/Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”