You want an awesome job in cybersecurity, and you want to ask the right questions. What are the right answers, and which ones are red flags that should cause you to run?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Renee Guttmann, former CISO, Campbell’s, Coca-Cola, and Time Warner.
Huge thanks to our podcast sponsor, Okta.
[Voiceover] Best advice I ever got in security, go!
[Renee Guttman] Send three thank you notes on a Friday to someone or a team that did something for your program that week. Tell them what they did, why it was of value. That way your team will become more approachable, and they just might call you when something goes wrong.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer for the CISO Series. Joining me as my co-host for this very episode, you’ve heard him before, it’s Andy Ellis, the operating partner at YL Ventures. Andy, thank you so much for joining us.
[Andy Ellis] Thanks for having me and happy anniversary to my lovely wife Giselle, 18 years today.
[David Spark] Ah! Congratulations! That’s awesome. We are available at CISOSeries.com. Information about their anniversary not available there, you’ll have to contact Andy for that. Our sponsor for today’s episode is Okta. You know them. All about authentication, identification. More about Okta later in the show. Andy, we normally banter, but we are actually under a little bit of a time pressure, so we’re going to just jump right into it and introduce our guest for today’s episode, who you’ve had on your podcast before. And this has been a long time coming, wanting this guest on our show, I’m so thrilled we’re finally going to have her on. It is the former CISO over at Campbell Soup, Coca-Cola, and Time Warner. For which you mentioned, she’s the Super Bowl CISO, right?
[Andy Ellis] Right. Everybody that Renee’s ever worked for seems to do amazing Super Bowl ads. So, she’s a Super Bowl Ad CISO.
[David Spark] Super Bowl Ad CISO. And we’ve also had the CISO who does the Super Bowl on this very show, the CISO over at the NFL as well. But maybe we’ll get them all together one time. But right now, we just have her on with us. Renee Guttman, thank you so much for joining us.
[Renee Guttman] Thank you for having me.
Well, that didn’t work out the way we expected.
[David Spark] “Data breaches and data loss were the top concern last year,” said John Yeoh of the Cloud Security Alliance in their Top Threats to Cloud Computing Report, “This year, they weren’t even in the top 11.” That’s referring to data breaches. Now this from an article by John P. Mello on CSO Online. Yeoh rationalized that cloud users are getting away from worrying about end results, the data breach, and focusing on the root causes like data access, misconfiguration, and insecure applications. The list includes poor credential/identity management, insecure APIs, and misconfiguration. It all appears to be the “to do” list of the security providers who’ve been making waves over the past three years. One main and very debatable argument of moving to the cloud has been cost savings. This list appears to say cloud security is not simple at all, and all these problems beg the implementation of new tools to buy, install, configure, and have talent on your team to use. Andy, has the cloud just created a bigger security problem that’s creeped up on us?
[Andy Ellis] So, I’ll say yes, but first I just want to just nitpick the findings here of this survey because when I read the survey – and it wasn’t really a survey, it was a focus group – and first of all, of the top 11 threats, number 8 was accidental cloud data disclosure, and 11 was cloud storage data exfiltration. So, it doesn’t sound like they weren’t worried about data breaches and data loss. It’s literally called out in their top 11. So, I’m going to challenge the overall finding, but let’s dig on the, yeah, lots of work that has to be done in the cloud. The benefit of cloud is not cost savings. Anybody who says that it’s cost savings, that was the 5-, 10-year-old model, where you had a bunch of servers that you weren’t using heavily and, yeah, if you put them in cloud, it saved you a little money. Cloud is about transformation and speed and time to market. It means you’re not reinventing the wheel for every single application you’re trying to build. You get to build on top of the shoulders of giants.
The downside is when you were building in your own data center, you got to take advantage of a lot of infrastructure and people you weren’t paying attention to who were securing and supporting your applications. And now when those same developers go throw that app out into the cloud, there’s nobody necessarily securing around them like there had been, and so security teams need to move to the cloud too. There’s a lot of work that still has to be done there. Now, fortunately there’s a lot more tooling that operates inside the cloud native environment to help you do that, but that is vendor money you’re going to be spending and supporting, and hopefully we see more and more vendors providing consumable tools in that space.
[David Spark] A pretty solid argument, Mr. Andy Ellis. I throw this now to you, Renee. I’m going to ask the same question, when you first started getting into the cloud, which I’m sure you’ve done at your previous employers, did you realize how big the cloud security problem was, or did you find it was something that was creeping up on you and you were slowly adding tools over time?
[Renee Guttman] So, firstly, I read the survey too, and I don’t think there was anything net new in that survey that caught me off guard. It’s stuff that’s typical. Things you should be doing like properly configuring your system. So, whether you did that on prem or whether you did it in the cloud. I will say thing – I read the Verizon data breach investigation report. It’s been out for 15 years now. Do you know what we used to worry about in 2008? We used to worry about tapes falling off trucks. So, thank goodness the cloud took that away from us. Has it crept up on us? It’s different. It’s just something different, we have to learn how to manage it. I think the big challenge that people have is people went into it thinking there would only ever be one cloud, and there’s not one cloud, it’s a multi-cloud environment. Marketing is generally at AWS, the corporations at Azure. I mean, you pick your cloud, and I think that’s what people have to come to terms with. So, they can’t continue just to buy everything for every cloud, and they have to look at reducing some level of complexity and managing cross-cloud. I think that’s the real challenge.
[David Spark] And I think Renee had a really good point in there that I want to make sure people heard. Multi-cloud isn’t what we thought it was going to be. I think we all thought 10 years ago multi-cloud meant that our flagship applications would be portable and would be in Azure and AWS and GCP, and that isn’t happening. What it is is org by org, people pick different clouds, so you’re supporting different apps in all the different clouds.
[Renee Guttman] And that’s the challenge. It’s complexity.
Hey, you’re a CISO. What’s your take on this?
[David Spark] An anonymous listener asked this question, and actually it was very much pointing toward you, Andy, so I’m going to throw it to you first. “You’re looking to land your first CISO role. During your interviews, what are the top two or three questions you should ask during the interview?” So, you wanting the CISO job. And then goes on to ask, “What are some red-flag answers though that the panel/hiring manager might give that would make you steer away from that particular organization?” Andy?
[Andy Ellis] So, I think this one should have gone to Renee, she’s had more CISO gigs than I’ve had, so I’m really looking forward to her answer. But I’m going to start with first question is what are you looking for that your last CISO didn’t bring to the table? Or if you didn’t have a CISO, what do you need to transform in your business that makes you want to have a CISO? Red flag might just be, “Well, our customers insist we have one.” Okay. That probably means you don’t actually have an interesting mandate, you’ll be sort of a caretaker, but that’s okay. Second, how are you planning to measure success in 180 days, one year, and five years, and that sounds like, “Oh, my God. Five-year planning?” You need to know if they have a plan for five years that, “Oh, this is the transformation that we expect to have out of the business.” And then brass tacks, what are the budget changes that are tied to this transition? What did the budget for the security team look like a year ago, and what do you think it’s going to look like in one year? Because that’s going to tell you sort of what your marching orders are. Are you trying to do new things or are you just trying to continue with what’s going on?
[David Spark] Awesome. Three tips. Renee, what would you add to that?
[Renee Guttman] So, I think there’s two types of CISO roles now, and there may be more. You’re either being brought in to build something from scratch, or you’re being brought in to do a transformation. So, I think you have to come to terms pretty quickly with what are you there for. Are you there because it’s net-new, it’s a greenfield, or again, it’s that transformation. Again, if it’s that transformation, then I agree with Andy. What will be different now? What are you expecting from the new CISO perhaps that the old program didn’t provide to you? Like, what were the challenges there? So, what are you looking to address? And again, how will you measure success?
Some of the red flags for me would include things like, well, how many people on the team have left within the last year and why. And then the other thing, that I would want to know how we’re going to resolve disagreements. I still think a lot of CISOs report to the CIO, so I think you have to kind of come to some understanding of how… I wouldn’t want to call it disagreements, but let’s just imagine that you two get offside, right? So, you don’t necessarily agree with what the CIO has to say, or he doesn’t agree with you. And I think there has to be some kind of arbitration mechanism because it’s not rocks, paper, scissors that you’re going to do in terms of trying to figure what the right move’s going to be.
So, one of the things that I’ve always done is look for some kind of… Again, the organization either has something in place, but what’s the check and balance going to be if you’re not in agreement with your boss? One of the other CISOs that I know actually asks the question, “If I do an assessment of the team, and I find that I have to let 10% of the people go, can I do that?” And that’s a question that they feel pretty strongly about that they need to hear a yes answer.
[David Spark] Wow. That’s good insight there. Let me ask you – you said greenfield and also digital transformation. Since you’ve had many CISO roles yourself, have you done both, yes?
[Renee Guttman] I have. I find the transform harder. I do. In fact, at one transform, I knew that I was being brought in to transform the team, and one Monday I had three resignations on one day. In fact, actually, I only had two on Monday. On Tuesday, another guy came in and said, “I’m resigning today. I would have resigned yesterday, but I was afraid that you would have a heart attack if three people resigned on the same day.”
[Andy Ellis] Yeah, and that’s the key on transformations. Transformation can mean two different things. One is tear this thing down and build it new, and one is take it to the next level. And if you’ve got a tear it down mandate, and there was no turnover before you showed up, you should expect there to be an awful lot of turnover because those people were comfortable and happy and enjoyed the program it was. And if you’re going to change it to something new that doesn’t have all those old elements, you’re going to expect a lot of turnover. And if you’ve been told you can’t fire people, boy, do you have a problem. You’re going to have to lay people off if you’re doing an organizational transformation. There are people who just don’t fit.
[David Spark] Renee, were you scared your very first CISO role?
[Renee Guttman] Terrified. Terrified. And I will tell you that’s where the power of the network comes in. That’s why this is the best industry bar none to work with. Because I remember getting my first big CISO role, going to RSA, telling people that I had to do a strategy within X amount of days, and people literally gave me everything I needed to basically hit the ground running. And I will tell you that’s one of the best parts of being in this profession.
[David Spark] That’s an interesting thing. I mean, had you not had that help from your fellow CISO community, you don’t think you could have pulled it off?
[Renee Guttman] I think I could have pulled it off. I felt this was a big help in terms of just the speed and knowing what a better destination would look like. Yeah, I could have pulled it off. I find the hardest part about this job is the visuals and the messaging. And that’s where when people show you how they message, and they’re willing to show you their presentations, to me that’s the most important part. Everything else you can kind of do. But the visuals, like, I tell people, “If you could do anything over again, what would it be?” And I’d say learn to draw. Do something besides stick people. Because it’s the visuals, I think, that are so important in this role.
[Andy Ellis] Make friends with marketing and the creative team.
[Renee Guttman] I worked for one company where the CIO had basically an artist on the program, on the team, and we needed that.
Sponsor – Okta
[Steve Prentice] Digital transformation is only getting faster. And with that, the risks to security, not just from bad actors, but from customers and employers, continue to rise. Jameeka Aaron is CISO of Auth0, the product unit of Okta. Here’s her take.
[Jameeka Aaron] There’s acceleration of digital transformation. I think at this point, they’ve said we’ve accelerated digital transformation by seven years, and so where we protect has changed. We no longer have the ability to really geofence from a geographical perspective. We no longer have the ability to silo off via firewalls and intrusion detection systems that reside in offices. We have to move our technology to where our employees are and where our customers are, and they are everywhere. They are using every kind of vector to log in, from biometrics, fingerprints, eye scans to identity using social media. And so we really have to go where the customers are.
So, I think for us, that means rapid deployment of multifactor authentication, single sign-on. Our newest product is called Credential Guard which helps to combat credential stuffing fast. We really have moved along with the technology. And right now, we know that 89 to 90% of attacks are still executed using phishing attacks. And so multifactor authentication is probably the most important product that anyone needs to put in front of their workforce or their sign-in solution.
[Steve Prentice] For more information, visit Okta at okta.com.
It’s time to play “What’s Worse?”
[David Spark] Renee, are you familiar with this game?
[Renee Guttman] I am.
[David Spark] Awesome.
[Andy Ellis] Renee has lived this game for much of her career.
[Renee Guttman] Well, I’m actually waiting to hear, I’m hoping it’s something that I’ve seen before.
[David Spark] Well, maybe, maybe not. This also comes from an anonymous listener, so like the last question. Some people just don’t want to be identified. And I can understand from the last segment because they don’t want their employer to know that they’re asking the questions about getting a CISO role. But this is an anonymous one for “What’s Worse?” and I think it’s a situation where these situations may have happened. All right. Your organization has been hit by ransomware. Your sizable on-premise estate is encrypted, and the threat is persistent. That’s your setup.
Here are the two situations. Hundreds of your end users are merrily working on encrypted laptops and have no EDR or AV on those endpoints, and no way of finding out which laptops have been compromised. Not good. Situation number two, same thing again, everything’s been encrypted. The threat actor lets you know that they have been poisoning your data for months, and you don’t know what data in your backups you could trust. Andy, which one’s worse?
[Andy Ellis] So, I know we’re not supposed to modify these, but I’m going to assume that the first scenario does not include the concept that my data might have been poisoned for a very long period of time.
[David Spark] Right. Yeah, it doesn’t include. We only know that for in the second scenario.
[Andy Ellis] Yeah, but I should always hypothesize it might have happened. But for this “What’s Worse?” I’m going to take that the second one is the what’s worse. Like, if I’ve got data that I can no longer trust, that’s worse than not having a bunch of my data and not having a bunch of my users able to work. I can always send my users to the Apple store or the Microsoft store if those still exist and say, “Just go buy a new machine. We’ll onboard you; we’ll hook you up with Google Drive. Just start working.” But if the answer is, “Oh, I can’t trust anything that I’ve got anywhere in my data store,” I am screwed.
[David Spark] That’s a good answer.
[Andy Ellis] So, I say number two is worse.
[David Spark] Renee, are you on the same page or do you disagree? Which by the way, hold up, before you answer, I do love it when you disagree with Andy.
[Andy Ellis] But I love it when you agree.
[Renee Guttman] Listen. If my users can’t work, they’re all going to be upset and mad at me, right? If the data’s poisoned, they might not ever know. So, that may be…
[David Spark] The thing is you don’t know. You could start testing to see how far back your data has been poisoned.
[Renee Guttman] Yeah. I mean, I guess I could start testing it and see, or I could just pretend that my data was crap to begin with, and therefore…
[Andy Ellis] Throw it all out.
[Renee Guttman] How much worse is it?
[Andy Ellis] Right. All right. But our two scenarios here are both forced digital transformation?
[David Spark] Mm-mm.
[Renee Guttman] Yeah. Look. I think there’s a lynch mob either way, so they’re both bad.
[David Spark] Yes, right. Now, this is the “What’s Worse?” game. You have to pick which one is worse.
[Renee Guttman] I know, I know. But I don’t like the idea of having bad data that I’m conscious about that… Okay, maybe I’ll go back to my yearly backup. Maybe that’s the answer, and I just pretend that we haven’t really been in business for the last nine months and everything’s fine. That’s what I’ll do. So, having the users lynch me is worse.
[David Spark] Do you think that’s going to happen?
[Renee Guttman] Do I? Absolutely.
[David Spark] How angry have you seen users get?
[Renee Guttman] We have put so much friction. We should just change our jobs to the chief friction officer. I think users, honestly, they should be mad at us. We’ve made their lives impossible, and then we throw rocks at them when they fall for a phishing simulation. So, I think deservedly, they should be unhappy with us. We should be better at thinking through what can go wrong, and I don’t think we do that enough. Now, you’ve put me on a tear because I think that for every nine requirements, somebody should be required to come up with the anti-requirement which is the thing that you never want it to happen, and then you should try to figure out how you build that in so that it won’t happen to your system.
[Andy Ellis] That’s a great system architecture and all of your testing should tie into that. When you release new software, anti-requirements, “This software should not do X,” and if you don’t have test cases for that, you’re not doing QA right.
[Renee Guttman] Yeah. I’m for the anti-requirement. We used to do this, by the way. We used to call it abuse cases.
[Andy Ellis] I have a friend who likes the medical terminology, he’s like, “These are the dangerous side effects of medicines.” Like, every medicine you take has a list of things that if they go wrong, this is a warning. Software should do the same thing.
[Renee Guttman] Yeah. So, going back to the “What’s Worse?” I mean, we should be planning for that, David. So, neither. I mean, what’s worse is the fact that I as a CISO did not plan for either of those scenarios. That’s what’s worse.
[David Spark] Oh. We’ve never had that.
[Andy Ellis] Renee falling on her sword for the anonymous listener.
If you haven’t made this mistake, you’re not in security.
[David Spark] “A legacy system in any system that becomes mismanaged or forgotten introduces complications, which run the risk of driving vulnerabilities to the larger IT environment,” said Dirk Schrader of NNT in an article on DarkReading. In the article, Schrader says problems happen because the concern becomes how do we keep this functioning device functioning and not the greater security issues that are often introduced often by these new IoT interfaces. All the advice suggested Schrader presented sounds great in theory, but not really in practice. Such as cross-training so knowledge of the device isn’t locked into just one person and adding compensating controls. Are legacy systems just a ticking time bomb or have you seen success in managing them? Renee, what’s the longest you’ve seen a legacy system successfully stay in use?
[Renee Guttman] Well, firstly, legacy systems are a fact of life, and the reason that that is true is because when you’re in manufacturing or if you’re on a cruise line, those systems are being built with a 30-year shelf life, right? That’s how long they should be in operation. So, you’ve got to figure out how to deal with legacy. The longest that I’ve ever seen a system is one that I actually inherited, I’m not going to tell you which company, but I started, and I started my 90-day plan. And I found out that we were using a system that I think went out of support, my team, okay? A security system, was using a system that went out of support probably 10 years before I even joined that company. And they had already tried once to get rid of it, and everybody was afraid of it.
There was one guy that knew how to make that thing tick. I mean, bubble gum, Band-Aids, you name it, that’s how the thing worked. And honestly, I thought I was going to go in and do X, I thought I’d been brought in to do Y, and I spent almost the first six months putting together a project plan to get rid of it. And people were terrified. I mean, I was scared. I had one lady come in and say, “This is going to fail. We’re all going to crash and burn.” And I said, “I wasn’t brought here to fail, so we have to plow through.” Yeah, it was awful. I mean, honestly, that’s something I would never want to relive.
[David Spark] I get the feeling that legacy systems just drag down the entire security team because it sort of inappropriately takes up way too much of their time, yes?
[Renee Guttman] It did. It was all that we could do. So, everything that I had thought that I would do within the first six months. Not only that, there was no funding for that project, so I had to take every dollar in my program and basically redirect it to get rid of that system. I’m glad I did. In hindsight, it was the smartest thing that I probably did, but it was also terrible.
[David Spark] I think you make a good point that physical machines are designed for 30 years, where nothing in technology is designed for 30 years. A fraction of that. Right, Andy?
[Andy Ellis] Oh, absolutely. I’ve got a fun legacy system sitting in my house right now. We bought our house six years ago, and it has one of these whole home lighting systems. I got cool magic buttons I can push. We can reprogram them, but the hardware that it’s made on isn’t manufactured anymore. So, sure, it might last for the next 30 years, but they’re not releasing any software updates for it yet, no new firmware. Now, look, I put a control around it, I said, “Okay. This is designed to be internet controllable. No.” Pulled the plug on it. Now that means that when I need support, I cannot get support cheaply. I have a company that supports it, but they charge me an extra hour for anything I’m doing because I happen to be half an hour away from their offices, and they send somebody to my house because they can’t access it over the internet.
So, that’s the security trade-off. It means I’m not doing updates on a regular basis because I didn’t want to do the effort building some wacky firewalling proxy to enable brokered access to it, which is what most organizations would do instead. Sometimes you throw technology onto legacy systems when the right answer’s just to say, “Nope. We’re just going to isolate it and spend a little bit extra supporting it,” but not let it build this sort of lifecycle of legacy support.
[Renee Guttman] On the flip side, I remember there was one attack that happened, and because we were three versions behind the current software, we didn’t have the problem. So, I mean, it can actually be a silver lining.
[Andy Ellis] Yeah, I hate when those happen and the engineering manager is like, “If I had listened to you and upgraded this system, I would be having a crisis right now like everybody else does.” I’m just like, “F you.”
[David Spark] Renee and Andy, here’s a question. Does anyone ever get cross-trained on legacy systems? My theory is no. Nobody out there does it. Renee, this one person you said that knew everything, did that person ever cross-train anybody else?
[Renee Guttman] No because that’s… Well, no.
[Andy Ellis] No because it’s not a career advancement maneuver.
[David Spark] Right, exactly, that’s my point.
[Renee Guttman] Right. It’s job security if nothing else, right?
[David Spark] Exactly. I’ll tell you a funny job security role. I wanted to learn how to install a certain light bulb in a headlight in my car. And I bought the headlight, but I couldn’t physically install it. I took it to a mechanic, and I said, “Would you guys install this?” And the guy said, “Give me 20 bucks. We’ll install it.” And I go, “Fine.” So, I hand the light bulb to the mechanic, and I go, “Do me a favor. Wait a second. I want to see how you actually install it.” From the point that I turned around and handed a $20 bill, and then I turned back, he did it. That’s job security right there. [Laughter]
[Andy Ellis] He’s got the right tool to pop something off, insert it, and put it right back again.
[David Spark] Just the speed just amazed me.
Sit down, everybody. It’s cyber community circle time.
[David Spark] When Wendy Nather of Cisco coined “The Cybersecurity Poverty Line” she was pointing to a basic issue that so many organizations without proper resources and money can afford minimum levels of security protections. Now, the equivalent of locks on the doors, if you will. But given the number of breaches happening because of poor security by third party and even fourth party vendors, this problem affects those even well above the poverty line. So, large companies can require their suppliers to maintain minimum security requirements, but medium-sized companies don’t really kind of have that level of clout, said Jeetu Patel of Cisco in an article by Jessica Lyons Hardcastle on The Register. So, the security poverty line is an interconnected problem. What can be done to get all organizations over the hump? I’m going to lean on you, Renee, first here. Is it more regulations? Is it a security tax that would go towards those companies that are dealing with security poverty? Or maybe a required service by security teams to bring others up to snuff? Or still every company for themselves? Renee, what do you think?
[Renee Guttman] Well, I think every company for themselves is not working because that’s what we do today. So, David, I have a real problem with this because I’m seeing it firsthand that there’s a lot of companies, institutions, organizations that don’t have the funding. I actually just moved, and I called the town to see if they could send me a copy of my tax bill. And they said, “We would except that all of our systems have been hacked.” And so that made me wonder whether 911 was actually also working or if that was also compromised. So, I see this as a big issue.
I think part of it is that I’ve always had the luxury of working for big companies, and so part of it is big companies throw rocks and try to impose their size of security on the smaller companies that they partner with, and I think that’s part of the problem. So, two things. I’m convinced that there’s a skinny list, and one of the people that was on your podcast, David, I thought did a great job of identifying five things that he thought were critical – MFA, endpoint, patching – I think there’s a dirty dozen of things that really have to be put in place and people have to get those right.
The second thing – and Andy, you said this on a podcast – vendors, I think, should be accountable for ensuring that the products that they sell can be utilized effectively by the clients that buy them. And I don’t care if that means that they have to go partner with a smaller MSP that can support that product and make sure that it works effectively. But I think there’s also some responsibility back on the vendors not to oversell something to a smaller company.
[David Spark] Good point. Andy, your thoughts? What’s the answer to the security poverty line issue?
[Andy Ellis] So, I don’t think there is a clear answer here, partly because there are choices that companies are making. Do you want to move fast and adopt the latest technology? Great. You’re probably inheriting security problems with that. So, that’s a challenge. Now, that doesn’t mean we couldn’t do something like transformation grants to get organizations into reasonably standard platforms. Like, we see this in a lot of the nonprofit community. There’s grants for security in the physical world that says, “Hey, if you’re a house of worship, there exist grants to help you harden your physical security,” but there’s no grants to help you harden your cybersecurity.
I just say, “Hey, how do we just do minimal digital transformations?” Not necessarily to, like, oh, this latest and greatest dot-com special that just showed up today, but to proven technologies like MFA. Like how do you roll that out just to help your users be better? Maybe there’s an opportunity for grant money that would help here, but I’d be careful about trying to do something systemic because generally just things are like, “Oh, hey, let’s take businesses that are making poor decisions,” which might be just tied to money, or it might be tied to executive dysfunction, “…and throw money at the problem,” isn’t going to solve the executive dysfunction problem.
[Renee Guttman] I mean, what if I could just create a pattern, okay, like something that I could go and take off the shelf. And I know this is sort of naive a bit but, again, can there be six or seven things that as a small/medium business that I could successfully implement and work with somebody to help me operate over time? Because again, the cost of a product is, what, 10% of the cost to really own it and operate it over time? So, it’s not buying things. The other thing is they can’t recruit, right? So, I think there’s real opportunity, David. And you’ve had some great sponsors, and I’ve checked into some of them, and some of them are really oriented towards these small/medium businesses. And I applaud them because they’re probably working 10 times as hard as maybe some of the bigger projects that they could be going after, trying to support these smaller companies. So, I think there’s still opportunity to support these companies, and some of it requires services.
[David Spark] All right.
[David Spark] Well, that brings us to the very end of our show. Thank you very much, Renee. You were a rock star, that was spectacular. I loved that. And I appreciate your support of the CISO Series. First, I’m going to let you have the very last word here, Renee. First, I want to mention our sponsor Okta. Thank you so much, Okta. Anyone who listens to this show I’m sure is aware of Okta. Well, they’ve got lots more on authorization that you’re going to want to check out. Please check them out at okta.com. Andy, any last words?
[Andy Ellis] Nope.
[David Spark] None whatsoever. Because he’s got to run, unfortunately. Renee, any last thoughts, pitches? I know you’re kind of in the, I’m going to guess, retired, semi-retired mode, just advising, what’s your story now?
[Renee Guttman] I’m actually working with medium-sized businesses, David, and that’s how I’m finding out that we’re really gapped here. The other thing is I will say try to find a way to give your people Friday afternoon off. Every time I make a phone call, I find out that somebody’s on a call that should have been off that day. We’re burning people out here, and we got to solve that too.
[David Spark] We’re going to be talking more about that on our series. Thank you very much, Renee. Thank you very much, Andy. Thank you very much, audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Series Podcast.