The Cybersecurity Hamster Wheel of Getting Nothing Done

What are signs your team is getting burnt out? It’s not an imbalance of work and family; it’s the feeling that you’re having no impact, that you’re working your tail off and nothing is getting accomplished. This happens often in cybersecurity.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is Sara-Michele Lazarus, VP/head of trust and security, Stavvy.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Sysdig

Sysdig is driving the standard for cloud and container security. With Sysdig, teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance. Customers get a single view of risk from source to run, with no blind spots, no guesswork, no black boxes.

Full transcript

[Voiceover] Best advice for a CISO. Go!

[Sara Lazarus] My best advice would be that it’s helpful to really understand who your customers are and what they care the most about, especially if you’re in the process of building a security program.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. Joining me for this episode is the one and only Mike Johnson. Mike often when he talks sounds a lot like this.

[Mike Johnson] I sound like the one and only Mike Johnson. Literally only one.

[David Spark] I believe there are other people that have the same name. Yes?

[Mike Johnson] No, they’re all imposters. Every last one of them.

[David Spark] Ah. Good point.

[Mike Johnson] I am the one and only.

[David Spark] We’re available, as is Mike, we’re available at CISOSeries.com. You can find all our other programming. We’ve got lots of other shows, not just this one, over there. And if you haven’t explored them – I invite you to do just that. I do want to mention our sponsor today, it’s Sysdig – secure your cloud from source to run. More with Sysdig later in the show. But first, Mike, and I don’t think I’ve mentioned this already but…

[Mike Johnson] Mm-hmm?

[David Spark] Hands down, my most successful social media post on LinkedIn was a few months ago. I posted just a single line – I’m happy to announce I’m keeping the job I currently have.

[Mike Johnson] [Laughter]

[David Spark] And it got a ludicrous flood of responses to it! Because it’s amazing how many posts where we get this generic of, “I’m so sorry to be leaving this company,” “I’m so happy to this,” “I’m very excited about my new thing.” But it seems that’s the only time you can make any kind of announcement is when you move on to something else. But there are many of us who stay at our current jobs. Anyways, I just thought nothing of it. I just posted it one day, and I did not expect even slightly the level of response.

[Mike Johnson] It just goes to show you that comedy does live on LinkedIn as well, and people can find humor in things even on the stodgy work network that is LinkedIn. But I think you’re right. There are a lot of these announcements that are going on.

[David Spark] I think the majority of the posts are announcements on LinkedIn. Don’t you think?

[Mike Johnson] It’s probably fair.

[David Spark] Let me isolate it for you. They are, “I got a new job,” “I passed this test/got an award,” “I left a job,” and “I’m looking to hire somebody.” What more is on LinkedIn beyond that?

[Mike Johnson] When you list them out like that, what I’m hearing in my mind is these are all celebrations. These are the things that people want to highlight because they want to celebrate them. And there’s something to be said for that. I always appreciate other content on LinkedIn as well.

[David Spark] As do I, and our other show, Defense in Depth, is based on that mostly. In fact, many of the segments on this show are like that. I should point out – this is one of the wonderful benefits of Reddit, of which I’ve been spending a lot more time, is you don’t get that on Reddit. At all. I mean, there’s none of that.

[Mike Johnson] No. Some of it is baked into LinkedIn. If you change jobs, you have to tell it not to send an announcement out to your group. So, some of it is just absolutely baked in, and you don’t have that elsewhere. But you’re also, you really are missing quite often that engagement where people will have conversations. That’s what I enjoy about LinkedIn. I’d like to see more of it.

[David Spark] You need to step up your game, Mike. You used to be the master at this.

[Mike Johnson] Yep, yep, yep, yep. Coming soon.

[David Spark] You’ve let it slip. Get back on it, Mike!

[Mike Johnson] Yes. Yes, sir. On it.

[David Spark] I’d like to bring our guest on. Who you introduced me to!

[Mike Johnson] Mm-hmm.

[David Spark] Very excited to have her on this very show. She’s the VP and head of trust and security over at Stavvy, the one and only Sara Lazarus. Sara, thank you so much for joining us.

[Sara Lazarus] Thank you for having me. It’s good to be here.

Should you hire this person?

4:22.466

[David Spark] “What’s the most valuable skill in a cybersecurity analyst?” asked a redditor on the cybersecurity reddit. The overwhelming response was, “It’s a tossup between being a sociable human who can speak to others kindly and having curiosity to understand how/why things work.” Both items we’ve heard many times on this show. Another said, “I always tell people the tech is secondary to playing well with others.” And Mike, echoing your distaste of brilliant jerks, one redditor said, “I work with a few analysts that are incredibly smart, but they are just…” and I’m going to say not-so-nice people, it was a not appropriate word for this podcast, “…and they are difficult to work with.”

So, the irony here, Mike, is cybersecurity doesn’t traditionally attract very social people. I know that’s not everybody, I do not want letters from anyone regarding this, I’m just saying in general, I’m painting a very broad brush. So, it doesn’t traditionally attract very sociable people who can communicate well, yet that appears to be the most valuable skill. What can we do to let the rest of the world know this? Maybe we’ll get a few more cybersecurity professionals. What do you think, Mike?

[Mike Johnson] I know you disclaimed it with painting with a broad brush, but I think that right there is something that we need to do, is stop talking about it as if it is fact across the industry. I don’t think it is. There was a time. Absolutely was a time. I don’t think it’s true today where you’re having a case of the majority of people do not have communication skills. I think they do. My current company, my last two roles previous, every one of them, all the team members that I had had excellent communication skills.

[David Spark] So, I stand corrected. That’s good.

[Mike Johnson] But I think that’s one of the things that we can do is keep talking about it and keep talking about how that’s not the case because I think it scares people off. If you have those skills, and you’re being told, “Oh, this industry is made up of people who don’t have communication skills,” you’re going to go somewhere else. That’s not going to seem like an attractive industry for you. So, I do think that’s one of the things that we need to do is highlight more examples of what we want to see, talk about the positives of communication, the advantages, what we’re seeing out there, the advancements where we’re seeing people get hired and then grow in their career in large part because of their communications abilities. Setting up these examples, showing them to people will really help encourage, “Yes, we should work on these skills. We should improve more.” I do think we still need to put them on the job descriptions, we need to highlight it. But at the end of the day, what we need to talk about is just how it does exist and keep highlighting it and keep encouraging it.

[David Spark] It seems to be the most popular skill, the one that’s most desired.

[Mike Johnson] It’s absolutely critical, and especially in this world that we’re in now where it’s a distributed workforce. It was one thing where you could turn around on your chair and have a face-to-face conversation with someone. That’s one way of communicating, that’s one avenue. But when we’re now having to communicate via text, via Zoom, via email, via Slack, what have you, the skills are that much more important now. So, now more than ever communications is really the thing folks are after.

[David Spark] I will quote Kathy Wang who was on our show before who’s now currently the CISO over at Discord, and she’s a master at distributed teams, and she was the big fan of overcommunications. I throw this to you, Sara. Take the issue of communications, take the issue of curiosity, those were the top two that were desired of a SOC analyst.

[Sara Lazarus] I wholeheartedly would agree that curiosity is super important. I would say it’s even the distinction between being an okay analyst and a great analyst that can think independently and actually write the playbooks as opposed to just follow them. Regarding communication, my expectations on any team these days would be that folks are capable of communicating both clearly and kindly. I’m a big fan of Robert Sutton’s No [Beep] Rule. That’s also the name of the book. But that it’s really important, it’s actually harmful to an organization to have folks who are harmful in their communications with other people, so it hurts both the morale and what you’re trying to do as a business.

[David Spark] You know, Mike is very much pro no jerks on the team, “brilliant jerks” as he has described them.

[Mike Johnson] No brilliant jerks, I’m going to get a t-shirt.

[David Spark] By the way, Mike, the listening audience specifically with our “What’s Worse?” game has been challenging him to “pick the brilliant jerk” as the lesser of two evils, trying to figure out, “What can I throw at Mike where he will want to choose the brilliant jerk over the other alternative?” and it has yet to happen. Right, Mike?

[Mike Johnson] Nothing has stuck so far. I feel like I’m like 10 and 0 or something at this point.

[David Spark] Yeah. We kind of gave up after a while, it’s like he can’t be taken down.

[Laughter]

[Sara Lazarus] It’s not worth it. It’s not worth it for the dynamics of the people on your team, and it’s not worth it to the business, there’s a cost to it. And I think also in this environment where there’s such a shortage of security talent, if people can work anywhere, why would they work for a team that’s not kind?

It comes down to the fundamentals.

10:20.029

[David Spark] Why are we seeing so many zero day exploits right now? In an article on CSO Online by Andrada Fiscutean, the number of zero day exploits or vulnerabilities that were not previously known has doubled between 2020 and 2021. The rise can be attributed to the attractive market for zero days, selling for as much as $2 million to $2.5 million. Espionage, third party exploitation, and just sheer complexity of systems just opens up more points to exploit. The other factor is actually the improvement in detection and disclosure. So, maybe it’s not going up, and they’re just more visible right now. It’s not exactly clear. So, it seems the classic response to zero days is just more foundational security and improve your ability to respond to incidents, hence why I titled this segment, “It comes down to the fundamentals.” Sara, is that the “simply said yet complicated to deliver” solution, or is there something else to deal with zero days?

[Sara Lazarus] So, I think that there are two parts to this. So, it is certainly about nailing the basics. Even places that are objectively mature in their response capabilities benefit from focusing on relentless incremental progress and getting better at each response. But the second part of this is that it’s also useful to talk about where these zero days are coming from. Project Zero at Google recently shared their analysis, and they found that half of this year’s publicly released zero days were actually variants of previously patched vulnerabilities.

[David Spark] Which that, by the way, we have seen that a lot. And that becomes one of those things – once you see a big vulnerability, like not to sort of only narrowly fix that one and not discover the edges of it opens you up, and we ran into that one many times before. Go on, Sara, I’m sorry.

[Sara Lazarus] No, I think that’s a great point, David. According to Project Zero, they believe that these zero days could have actually been prevented with more comprehensive patching and more robust regression testing. And so I think as a community, we’ll be better off if we can address it. Not only what folks are doing in the blocking and tackling of response, but actually when they’re addressing previous vulnerabilities.

[David Spark] All right, Mike. I throw this to you. Is fundamentals the “simply said yet complicated to deliver” solution, or is there something more to the zero day problem?

[Mike Johnson] Somewhere along the line, someone described, or I read it somewhere of the difference between easy and simple. The example was a marathon. It’s simple to run a marathon, you just run.

[David Spark] One foot in front of the other, exactly.

[Mike Johnson] Yeah. It’s not easy. And this is very much the same way, is that it’s simple to describe and just focus on the fundamentals, but I can only imagine what it’s like in an environment with hundreds of thousands of devices floating around. That somehow securing that environment, I can’t imagine that being easy. But at the same time, what you need to do, the recipe as it were, is actually well understood. You need to know what your stuff is, you need to know where it is, you need to know how it’s used, you need to know what data is on it, and you can then apply controls on top of that. And you can usually fall back on the fact that you’re probably not the target of a zero day. You’re probably not the first organization that’s going to be targeted by one.

[David Spark] But I should throw out the third party issue is the one that gets nasty. You may not be the first target, but you may definitely get the effects of it, if you will.

[Mike Johnson] Oh, absolutely. And I think that’s a really good point. That the zero days that adversaries are going to burn are going to be on really valuable targets that they can then use to onward compromise others. But that comes back to just don’t trust all your vendors. Recognize that your vendors are targets too and prepare for that. Again, easy to say, it’s understood how to do that, but it’s also hard to execute.

Sponsor – Sysdig

14:48.777

[Steve Prentice] Sysdig is a cloud and container security company that helps organizations secure their applications from source to run. Anna Belak is director of technical thought leadership, and she says Sysdig has the chops to ensure your safety.

[Anna Belak] We grew up as a container and Kubernetes security company, and we’re one of the first innovators in that space. So, we began by securing the most modern workloads that people build and deploy today, but as we grew our business, we expanded our coverage to all the major cloud providers and security issues that are fundamental in securing your container and Kubernetes environments as well. We, in fact, do offer a source-to-run story, so we are helping you scan for vulnerabilities, secure your configurations to ensure that everything’s safe. And then once you are running in production, we continue to monitor your application and detect threats to make sure that you’re actually okay essentially forever. The second piece is we focus very much on a risk-based prioritization of all of these concerns. There are many, many, many problems that appear when you look at security scanning or testing of any kind, and we make sure that we elevate the ones that are the most critical, the most scary, and pose the most risk to your actual business.

[Steve Prentice] They make it very easy.

[Anna Belak] We are a Software as a Service offering, so we host everything for you, and all the magic computations occur in our back end, and then you see a beautiful dashboard for your team to use. The dashboard is designed to be user-friendly, so hopefully your team will have an easy time elevating the most important things to address.

[Steve Prentice] For more information, visit sysdig.com.

It’s time to play “What’s Worse?”

16:24.623

[David Spark] Sara, are you familiar with this game?

[Sara Lazarus] I am familiar with this game.

[David Spark] All right. The way it works, we give a few horrible scenarios… Actually, this one isn’t really horrible scenarios at all. It’s just I think more of a “what do you prefer” and which one could more turn into a not-so-positive scenario. All right? So, Mike, it comes from Nir Rothenberg, and he actually gives three options here. Nir, he’s the CISO over at Rapyd, he’s given us lots of “What’s Worse?” scenarios. Here we go. I think we’ve done a variation of this, and if we did, my apologies if we’re repeating it, but it was so long ago that I think we can repeat it again. But I don’t know, I don’t know if we have. What’s worse? Reporting to the COO, reporting to the CIO, or reporting to the CFO. Mike?

[Mike Johnson] Unfortunately, the audience could not see me roll my eyes when this question came up.

[David Spark] Maybe we’ll throw an eye-rolling side effect in there.

[Mike Johnson] That would be awesome. If there’s a sound effect that is eye rolling, please include that.

[David Spark] Or maybe like a BB in a cannon just bouncing around.

[Mike Johnson] That would work, that would also work. The whole industry obsession with “Where does security report?” just drives me nuts.

[David Spark] And we’ve talked about this plenty on this show. And I know you report to Legal, correct me if I’m wrong, right?

[Mike Johnson] Currently no. So, currently I report to the CEO.

[David Spark] Didn’t you report to Legal at one point or no?

[Mike Johnson] I did at one point, I reported to General Counsel, and that worked just fine. It could work just fine to report to the CFO or the COO or the CIO, all of these can work, all of them are equally fine when it comes right down to it. I know the common arguments are, “Well, the CIO is just going to overrule you on risk decisions that are related to IT because they have their own pet projects, the CFO is going to pinch pennies everywhere and not actually give you any funding, and the COO, their attention is elsewhere, and they can’t help you out.” Those are the common tropes over why those don’t work, but the reality is it comes down to the individual. And as long as you have a leader that you’re working with, working for, who’s supportive of you, is inviting you to the conversations that you need to be a part of, and representing you appropriately in those conversations that you’re not a part of because you’re not going to be in every conversation, then all of these can work just fine.

[David Spark] All right. Now, the way you’re talking, Mike, it sounds like you don’t even want to play the game.

[Mike Johnson] The only way to win this one, David, is to not play.

[David Spark] No! Absolutely not! I will not take that as an answer! You have to. Now, you can go with the tropes, I’m fine with you going with the tropes here. You got to pick one. Which one do you least want to report to?

[Mike Johnson] So, if you were to say, “Here’s a list of three titles,” and you know nothing about the people.

[David Spark] And you’re walking into the company, you haven’t met the people. You got to pick one. Or you got to pick the one you don’t want, I’m sorry. You can order them, “I most want to do this one, least this one.”

[Mike Johnson] You just said that I need to pick the one that’s worse.

[David Spark] I did but I’m also… Because the audience wants to hear your order in three, I know that. I can hear them actually clamoring for it right now.

[Mike Johnson] So tropes, and again, just titles. The CFO is usually very focused on the money of the company, what the company is spending their dollars on. That’s where their focus is, and that’s very much where their focus is going to be. That’s probably the one that I would put lowest on this list. Again, not knowing anyone. The next on the list that I would put would be – I’m just picking at this point – the COO because their focus is in any number of other areas that aren’t going to necessarily be helping you to advance the security of the organization. Of the three, the CIO I actually think is the best because you’re now tying your success to theirs. And it’s not a matter of looking at it like they’re just going to overrule everything. The other way of looking at it is if you’re not succeeding, they’re not succeeding, so they’re then tying their destiny to yours. So, I think of the three, that’s probably the least worst.

[David Spark] You took a while to get there. Boy, did you take a while to get there.

[Mike Johnson] Well, I want it noted that I did not want to play this game.

[David Spark] I know. We all know you didn’t want to play. Sara’s eager to play, right?

[Sara Lazarus] I find Mike’s initial answer really hard to disagree with. It is very much about the individual’s approach to holding that role, and so I would be comfortable reporting in any of these structures. But since that’s not the game, I will play along happily. I should say I currently report to the COO, and that is actually great. He is from the security community, a former CISO, and so this works out really, really well. So, that is my favorite choice if I have to play this game because it’s working out really well for me today. My least favorite is probably the CFO given the typical financial focus and probably not a super-technical background. And so I think that we will work hard at communicating some of the security aspects up the chain there, and so that would probably be my least favorite, not evaluating the individual here. But again, I’d be open to it in real life, not in a game.

[David Spark] So, in general the two of you are blaming Nir for introducing this question altogether. Am I right here, Mike?

[Mike Johnson] Yes.

[David Spark] The blame falls on Nir. Nir, who we do not want to blame because he’s given us lots of great “What’s Worse?” scenarios, yet this one you don’t seem to be happy with.

[Mike Johnson] Again, what it comes down to is all of these can work just fine, and the whole discussion of “Where should security report?” is just such an overdone topic.

[David Spark] It is. There’s many a LinkedIn thread on this topic too.

[Mike Johnson] And they’re all silly conversations at this point.

[Sara Lazarus] David, to be fair, no matter what question you ask for “What’s Worse?” no matter what, I think I would say in real life I would probably want to manage the situation independently, but that’s not the game, so it’s not really just this question.

What’s the best way to handle this?

23:33.349

[David Spark] What are signs your team is getting burnt out? According to Maria Markstedter of Azeria Labs, “If your employee feels they don’t have any impact, feels overwhelmed or like they can’t keep up, feels like they are expected to figure it all out in their free time, or doesn’t get the time to work on interesting things that feed their curiosity.” Those are signs of burnout. Markstedter also noted that people in the process of burnout have a hard time saying no because of fear they’re not contributing enough. This quote is from an interview with Microsoft’s Brooke Lynn Weenig, and thanks to CISO Series reporter Sean Kelly for bringing this to my attention. So, we often hear the cause of burnout being that work-life balance is out of whack, but that seems more like a symptom. Because working hard and getting results often actually doesn’t cause burnout. Markstedter’s comments seem like a pretty good diagnosis and my question – I’ll start with you, Sara – is how do you track these behaviors in employees? Sort of this feeling that I’m not making an impact. How do you track that this is going on, and how do you remediate?

[Sara Lazarus] I would say as a leader, it’s really important to take care of your people. And if you take care of people, they’ll take care of the business, and they’ll take care of you. A good way to track it is through one-on-ones. One-on-ones are really important. Make sure you’re having one-on-ones with your directs and make sure that your managers are having those one-on-ones as well to partner with employees to really prioritize the workload. It also gives an opportunity to observe when people are really just stretched too thin. I think that folks might not realize that they’re headed towards burnout, or they might not feel comfortable talking about it. And so as a manager or a leader, partnering with them to just make sure that the most important things are getting done and really having the conversation with them about it’s not possible to do everything that needs to be done, and so the important part is to prioritize how to focus on what really has to happen.

[David Spark] The part where an employee comes to you and goes, “I don’t know if I’m having any impact,” and this can be a common, common feeling in security. This sort of Sisyphus feeling of you’re constantly pushing a rock up a hill, and you’re not really making any progress. How do you combat that specific feeling? And how do you prove that, “No, you are making an impact”?

[Sara Lazarus] I think if someone shared that with me, I would want to first understand why they felt that they weren’t making an impact, and then to go from there. Is it that objectively, their efforts aren’t being impactful, or is it a perception? Are there blockers, or is it not being recognized by the business? There’s so many different reasons that somebody could feel that way, I would really want to understand why first.

[David Spark] We talk a lot about the five whys, digging into the depth of why this is happening. All right, Mike, I’m throwing this question to you. I think this is a great diagnosis, by the way, of burnout. Much better than the common work-life balance one. Do you agree? And then secondly, do you acknowledge this and how do you deal with it?

[Mike Johnson] The diagnosis is really solid. This was a great article; I haven’t read it before. I implore our audience to read it because it’s really, really well done. In my experience, what I run into is people will just say, “Hey, I’m burned out,” or “I’m getting burned out.”

[David Spark] That makes life a lot easier if they do that.

[Mike Johnson] It does, but then there’s the, “Okay. Well, now what do I do about this?” But at the same time, people recognize it in themselves. They can understand better than I can as an outside observer when they’re feeling burned out. So, as Sara was saying, these one-on-ones are really critical. You have to have these regular relationships with folks that are not just, “Hey, give me status updates,” but they are, “How are you doing?” That should really be the first question in a meaningful way. You’re not just asking it, “Hey, how you doing?” and then moving on to the next thing. Like genuinely asking, “How are you doing?” Listening to the answer, responding to that answer, trying to pull a little bit more out, and you’ll quite often have someone tell you, “Hey, I’m not feeling so great about my productivity,” or “I feel like I’m swamped, and I’m pulled in 100 different directions, and I can’t get anything done.” So, have the conversations.

But also one of the things that I was thinking about as I was listening to Sara’s answer is showing people how they actually are having an impact is also kind of easy. She’d mentioned prioritizing things. If you’re sitting down and writing out a list for people to work with, and you’re working with them together on that list, they can go off and mark things off. They can cross things off of their list.

[David Spark] I’m obsessed with lists as I’m holding up my to-do list today.

[Mike Johnson] And doesn’t it feel good to mark something off the list?

[David Spark] Can I just say – this is why I’ve tried the digital to-do list items, there’s a bazillion apps for it. There’s nothing as satisfying as taking that pen and scribbling that damn thing out.

[Mike Johnson] Exactly. It’s not the same as just hitting the checkbox.

[David Spark] No. There isn’t the visceral enjoyment of that.

[Mike Johnson] You have that list. These are the things that I have done. And you can show that to a person, say, “You are contributing. You are getting things done. I know it feels like a lot, let’s make sure that you’re working on the right things together, and let’s also work on how we can say no, and how we can recognize you’re underwater right now. Let me help you say no or let me say no for you on your behalf if you’re not feeling comfortable with that.” That helps. I wouldn’t say there’s any magic button for dealing with burnout. It’s all of these different techniques that you have to work on with the employee.

[David Spark] But let me go back to you, Sara, for a second. As a leader – because I know I fall into this trap myself – I don’t know if I’m giving people the right direction to have the impact. So, the problem also can stem from you as a leader. You want people to feel they’re making an impact, and you want to give them worthwhile work, but then again, if they’re telling you that, it comes back to you, doesn’t it?

[Sara Lazarus] I would probably match what people are working on against our roadmap, our security roadmap. So, especially now as I’m program building from a greenfield, I look at what we need to do to mature our program and what’s the most important and align people’s efforts to what we’ve decided already is the most important.

Maybe you shouldn’t have done that.

30:34.601

[David Spark] Could it be prudent from a security perspective to shut down internet access over the weekends when employees are not on the network? It sounds a little like a “What’s Worse?” scenario, but the redditor who posed this question on the cybersecurity subreddit had just suffered a ransomware attack which was very costly and educational. They wanted to know if this idea was feasible or whether it was taking it too far. So, one redditor said they’re just delaying the problem to Monday, and another suggested group policies to limit login hours. So, Mike, I’m going to start with you on this. Is this whole internet shutdown idea a feasible solution for any business? Seriously, can you think of any business where this would work? If the company truly doesn’t operate on the weekends, could this work or are there other techniques to severely limit access on weekends without shutting off internet access? What do you think?

[Mike Johnson] The way that I think about internet access is it’s very much like electricity. Does your business not need electricity on weekends? Does it not need running water? Cool. Then maybe you can actually turn off the internet. I’ve never worked for such a company like that. I’ve worked for a company that ran factories around the world that people were working union jobs. They didn’t work on weekends, but you couldn’t shut down the internet at the factories on weekends. So, I don’t think that’s very feasible for any organization that I’ve ever run into. Maybe if you’ve got a restaurant that’s closed on the weekends, but the reality is you probably have some systems that are in there that do still need to be getting updates, that do still need to be phoning home, that need that internet access. It doesn’t seem very feasible to me.

[David Spark] Sara, I throw the same to you. Is there any feasibility in this?

[Sara Lazarus] I see security as a partner to the business, and it’s really hard for me to imagine that cutting off internet access over the weekend wouldn’t somehow impact business operations. Availability is important too.

[David Spark] Say you’re a restaurant that isn’t open on the weekends, which why you would do that I don’t know. Yeah, you could be a downtown lunch place that really… Yeah, there are downtown lunch places that barely operate on the weekends. Would it make sense to shut down its internet access on the weekend? What do you think?

[Sara Lazarus] Wouldn’t the security cameras at the restaurant use the internet?

[David Spark] Good point. There you go. So you need it for whatever. It’s always going to be needed.

[Mike Johnson] I think the reality is we just don’t even know what all it’s used for, and that’s a problem in and of itself. You probably should know what your internet connection is used for. At the same time, it’s likely being used for something important because you wouldn’t have the internet connection in the first place. That restaurant, maybe they don’t actually need an internet connection ever if they don’t need it on the weekends. If there’s good reasons to not have it on while they’re off, maybe they don’t need it while they’re on. At the end of the day though, you’re going to end up in a situation at some point where something is going to break, and you’re going to find out that it can’t be fixed because your internet connection is down. And you’ve made whatever it is even worse by shutting down your internet.

[David Spark] Yeah. I see kind of one of these house of cards situations happening where this whole fallout happens that you didn’t even predict would come about. But I want to throw this out there – I know, this is completely antithetical to our show and to our whole mission – there was a time we did not have internet access at all, and businesses did operate. So, it’s physically possible but not in today’s world.

[Mike Johnson] Everything was so much harder then. It was slower, it was more difficult, it was more expensive.

[David Spark] Yeah, but here’s the thing. You don’t know until you have it. That’s the thing. The fact that we all have mobile phones in our hands and can access information at ludicrous speeds. And yet when for some reason the search engine or a web page doesn’t open quick enough, everyone has a panic attack because we’ve been accustomed to a certain level of service through these. Well, but still even when it comes up slowly, that’s still a hell of a lot faster than what we had before, which was nothing!

[Mike Johnson] I equate it to watching old horror movies and how many of the tropes are about, well, if you could have just called someone and told them, “Hey, the creature is coming.” Right? If you could actually just call someone and tell them, how different those plots would be.

[David Spark] Well, first of all, in most of them, don’t they cut off the phone lines? Isn’t that the first thing they do?

[Mike Johnson] Well, but if you had a cell phone, then it doesn’t matter if you can cut off the phone lines.

[David Spark] Can’t you just do cell phone jammers of some sort?

[Mike Johnson] Nope. Can’t. I’ll just leave it at that.

[David Spark] Aaron our producer is telling us Scream started off with a phone call. “I’m inside the house,” right? Wasn’t that it?

[Mike Johnson] And imagine how different that would have been without a phone.

[David Spark] That’s true.

[Sara Lazarus] That scenario would be even easier if you’ve already disconnected the internet. You don’t have to cut that.

[David Spark] Good point. Very good point. Good point to close on as well.

Closing

36:24.461

[David Spark] Thank you very much, Sara. Guess what? I let you have the very last word here so hold tight. And one of the questions I ask all our guests is are you hiring, so make sure you have an answer to that. I want to thank our sponsor today – Sysdig. Remember, they are Sysdig – secure your cloud from source to run. More at sysdig.com. Mike, any last words?

[Mike Johnson] Sara, thank you so much for joining us. It was wonderful to sit down and have this conversation with you. I really appreciate that you were willing to join us, have the conversation, share your knowledge and experience with the audience. What I really liked is how in all of your answers, it came through about how you were talking about the people and how important they were. The one thing that I wrote down that I wanted to repeat, going all the way back to the first session, was you said, “Why work for a team that isn’t kind?” and that’s absolutely true. That’s the kind of team that people should be working for, you should be seeking out. And if that’s not the kind of team that you’re a part of, go find another one, they’re out there. Thank you so much for sharing with us your care for people and generally just joining us for the conversation. It was wonderful. Thank you, Sara.

[David Spark] All right. Thank you, Sara. I know you have a few last minute items to add. We want to hear it. Give it to us!

[Sara Lazarus] I do. So, thank you both so much for having me here today. I loved being here and loved the conversation with you. One item that I want to highlight is at Stavvy, I think it’s really important to give back to the community, and so does the team. Our co-founder Josh, who, as I mentioned earlier, comes from the security community, also supports this. So, I’m excited to share here with all of you that we have released a heat map built by David Malicote on Stavvy’s team that anyone can now use to assess your maturity against the newest version of the Center for Internet Security Controls. So, you can check it out on GitHub, anyone can use it, Stavvy-Security is the handle if you think it might be helpful to you. I also wanted to shout out the incredible trust and security team at Stavvy, really proud of what we’re building together, so if you are listening – thank you.

[David Spark] Awesome. And you are hiring, I’m sorry, I didn’t catch that, with the team, yes?

[Sara Lazarus] Yes.

[David Spark] All right. Well, thank you very much, Sara. Thank you very much, Mike. And thank you to our sponsor Sysdig. And to our audience, as always, we greatly appreciate your contributions. I don’t want this to come off as pat because it sounds pat often, but I do, we do – Mike, you appreciate their contributions, yes?

[Mike Johnson] Yes. All of them. Even when Nir’s sending in answers that we don’t want to address.

[David Spark] So, you really liked that one, the one that you didn’t like?

[Mike Johnson] Sure.

[David Spark] That’s a perfect answer. Thank you, everybody. Keep them coming in! We need more “What’s Worse?” scenarios! More great conversations online, great questions, anything you want to send us that you think would be compelling for the show and our audience, we want to hear it. Send it in. And thank you for listening. And if you haven’t told at least 12 of your best friends, do it right now, I don’t care if you’ve got a meeting right now, tell 12 of your best friends about the show! Bye.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Series Podcast.