The Ostrich Approach To Vulnerability Management

OK, you showed us our vulnerability. But we really don’t want to fix it now. Could we just pay you off to keep quiet, and to buy us some more time to deal with this in a “not so timely” manner?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Sameer Sait (@sameersait), CISO, Amazon – Whole Foods.


Thanks to this week’s podcast sponsor, Code42

As organizations gradually and cautiously move out of adapt-or-die mode into the post-pandemic era, we can expect a second phase of digital transformation: resilience building. This presents an opportunity for security teams. An opportunity to re-imagine data security. More from Code42.

Full transcript

Voiceover

Ten second security tip, go!

Sameer Sait

Work backwards from your customer’s needs. So, thinking about the customer outcome that you want and integrating security into that so that security is seamless into the product and service that they consume.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO series and joining me most always is my co-host Mike Johnson since episode number one, which we did June 1st of 2018. We are more than three years old. Mike, let’s hear the sound of your voice.

Mike Johnson

So, we’ve moved on to toddler’s phase, is that about right?

David Spark

We are in toddler phase.

Mike Johnson

We’re at toddler phase.

David Spark

But we are still in diapers.

Mike Johnson

A toddler phase podcast. Yes.

David Spark

[LAUGHS]

Mike Johnson

At least our minds are.

David Spark

Exactly. Oh, my God, speaking of potty anything, I saw something from my son who is moving into third grade and he filled out this form that said, “My year review” and it was just sort of this thing for kids to fill out, like my favorite friend, my favorite colors, my favorite sport, etcetera. And at the very end, it said, “Autographs” and you get a couple of friends to write something in it, and then on the second page of autographs he just wrote the word “poop” and “pee” repeatedly! [LAUGHS] And when I looked at it, I’m like, “Oh, that’s my boy!”

Mike Johnson

“I’m proud of you, son!”

David Spark

Couldn’t be more proud. We’re available over at cisoseries.com. That’s where you can find information, not just about this show but we have four other programs as well that you should check out, and we’re actually, by the way, Mike, in the process of trying to redo the website. That’s a lot of fun. Can I just tell you that?

Mike Johnson

Web design is an amazing thing.

David Spark

It is a lot of work…and it’s a lot of minutiae. It drives me crazy.

Mike Johnson

But it’s great when it works.

David Spark

Well, here’s the problem. When I started cisoseries.com we had one show, our show. Now we got five shows. That site I had, which you’re looking at now, worked great for one show, doesn’t work so great for five shows.

Mike Johnson

Yes, got to figure out how to integrate them all together.

David Spark

Got to move up. Alright, our sponsor for today’s episode is Code42, they’re coming back! They love sponsoring us so much, they’re doing it some more, and we’ve got them for many episodes, so we’re thrilled to have Code42 back with us. They do a lot about insider risk, and most of it being non-malicious, so please tune in to what they have to say in the middle of the show. Mike, I am moving very soon. I’ve been banking a ton of episodes. We’re recording this episode in July, it’s not going to air until October. Maybe I shouldn’t say that, should I? The reason is, I’m moving and have you ever done a major move recently?

Mike Johnson

Yes. Well, it’s been a few years. I try and avoid it as much as possible.

David Spark

Yes, it’s not a lot of fun.

Mike Johnson

No.

David Spark

But what’s funny is at the very end how you’re trying to get rid of everything in your refrigerator, and the odd combinations of food you put together. Your goal is to just empty as much of that refrigerator out as possible.

Mike Johnson

Without just throwing it all away.

David Spark

I find myself making meals that are a waffle, quesadilla and a can of tuna.

Mike Johnson

My gosh, that sounds terrible!

David Spark

It is not the combination one wants, but again, it’s what’s there. I don’t want to go to the supermarket and buy food that’s going to get wasted. So, it’s just days before I move. Alright, when you hear this, I will have already moved.

Mike Johnson

And at that point you will not be eating bizarre food combinations.

David Spark

Let’s hope not.

Mike Johnson

Fingers crossed.

David Spark

Fingers crossed. Alright, let’s bring in our guest. I’m thrilled that he’s joining us. I actually requested he join us a while ago, and he finally came around and said, “Yes, let’s do it!” It is the CISO for Whole Foods, which is owned by Amazon, if you didn’t already know that. It is Sameer Sait. Sameer, thank you so much for joining us.

Sameer Sait

Thanks, David. It’s great to be here, and I hope that you don’t have to eat that bizarre combination and Whole Foods can provide you something a little bit better.

David Spark

I am hoping so!

Are we making the situation better or worse?

00:04:24:18

David Spark

On LinkedIn, Rob Woerner of Cyber-AAA asked, “Would security risk decrease if all software developers used academic citations for code acquired from outside sources in their programs?” Now, references were made by Dan Walsh, CISO over at VillageMD and Adam Shostack, who’s an expert on threat modeling, about using a Software Bill of Materials or SBOM, and in some cases have them automated, noted DJ Schleen of VillageMD. So, this sounds like pretty sound advice, here, but I’ll ask you, Mike, what are the pros and cons of doing this? And walk me through this. How would you actually reduce risk if you did do this? If you believe you can.

Mike Johnson

So, I do think it could help with some risk reduction, and a lot of it comes back to having knowledge of what you’re using, of what’s going on within your environment. It’s giving you that next level of provenance of the code that you’re deploying. You can potentially assess the underlying vulnerabilities of that code because you now at least know what it is. I think there are some cons and some questions come to mind about all of this. The SBOM movement is an interesting one, and I think they might be leaning a little too much into the concepts of open source. There’s this belief that if something is open source it is more secure than something that is closed source, simply because there’s more eyes on it. We know that there are vulnerabilities in open source code.

David Spark

Like secrets literally sitting out.

Mike Johnson

Well, secrets, the go-to is always Heartbleed, which was a very significant industry-wide vulnerability in OpenSSL, and what dawned on us at that point is the entire Internet runs on code written by three or four people.

David Spark

So, why don’t you just hire those three or four people?

Mike Johnson

Well, that’s a different discussion, we can have that discussion. But we can’t just assume that just knowing what you’re using is going to make you more secure. You have to do something with that knowledge. You have to actually assess that code. Then there’s the question of whether you’re getting onward provenance. Just because you’re seeing the next level, do you have the next level beyond that and the next level beyond that? So, there’s still questions to this in my mind.

David Spark

That’s an interesting point. Just because you cited just that act alone doesn’t make it secure and reduce risk, but it gives you some sense of, well, at least I know where it’s coming from. Sameer, how do you feel about this?

Sameer Sait

It’s interesting. I think having an understanding of where the code came from, who was part of building it, these are good data points to start the whole vulnerability discussion and the systemic issues around it, but I think of SBOM as being mutually exclusive, right? So, you’re still going to want to test it, you’re still going to want to assess it. You’re going to want to integrate it into your automated assessment, as you mentioned, that DJ brought up from VillageMD. At the end of the day, these are just steps in risk reduction. There’s no silver bullet here. It’s a matter of understanding lineage, supply chain and potentially continued partnership with the builders and maintainers of this open source software that you’re talking about.

How would you handle this situation?

00:08:06:14

David Spark

On the cybersecurity subreddit, a redditor asks, “I reported a security vulnerability that still isn’t fixed. Where do I go from here?” So, this is a really bizarre and interesting story, and you actually have to piece it together as you look at this reddit thread. Because the original post is down, and that may actually have something to do with this story. But hear me out. The comments are all there, and the original poster’s comments are there as well, and they actually copied stuff from the original post, so, do a little sleuthing and you can kind of figure this out. But it appears the vulnerability was something critical that connected to a utility grid and the company responded to the alert, by this redditor, by giving the bug finders some money but, as that bug finder says, it was not a bug bounty payment, and it is not clear why he was given this money. It’s also not clear why he took the original post down. Some of the redditors feared it was to pay for his silence. There’s some great thoughtful advice in this thread about what to do next, so let me start with you, Sameer, what would you advise in this situation? Because it’s not clear cut, it’s a little bizarre so, what would you recommend?

Sameer Sait

Was it enough money to go to the Bahamas? Because I’d take the money and run, man.

David Spark

I don’t think it was that much! I didn’t get the sense it was.

Sameer Sait

Okay, just checking, yes.

David Spark

Because he didn’t do it, like, “And they gave me a huge mass of money!”

Sameer Sait

Let me just say, this reminds me of a situation when I was the CISO of a product company previously. Somebody posted on, I think it was Twitter, that said, “XYZ company code is a pile of shit,” right? And we chased the guy down and said, “Hey, what do you mean? What did you find in our code? We don’t know.” So, I think, just given the information we have, I would look at this in two ways. One is, are the internal communications channels working? So, when you report something, you get paid. Did the internal mechanisms work to get the vulnerability fixed appropriately?

David Spark

Well, it’s not fixed in this case.

Sameer Sait

Right, it didn’t, right? So, for the person who reported this, are there other mechanisms where they can get to the CISO of the company or somebody else that will do the checks and balances? The second, I think, is probably going to a CIRT or a CSIRT and reporting it publicly so it’s taken care of, because I think this finding actually impacts a utility.

David Spark

Right, and it seemed like it was a critical utility vulnerability.

Sameer Sait

And so, when I think about health and human impact and things like that, you definitely want more eyes on this. That’s what I would do as a next step.

David Spark

Alright. Mike, I throw this to you. What’s your advice and, given the bizarreness of this, are there any unique takes you’d have?

Mike Johnson

Well, this one was weird. I’m trying to imagine a situation where someone just gives me money and I’m like, “Oh, okay.”

David Spark

But where was it explained, “I want you to have some money, but I want you to know this is not a bug bounty payment.” So, that’s the part that I’m confused by.

Mike Johnson

That’s the detail that I feel is missing. What was that agreement that came with that money? There had to have been one.

David Spark

But there wasn’t, that’s the thing. That’s what this redditor says. There was no agreement, some money just came in.

Mike Johnson

I don’t think someone just randomly sends you a check in the mail and you’re like, “Okay, cool.”

David Spark

By the way, let me just point out, if you want to send me random checks in the mail with no explanation, I’m totally cool with it!

Mike Johnson

Good to know. But I think that’s the detail that I feel is missing. So, I think setting aside that particular detail of this exact situation, if you’re running into a situation where you have a vulnerability that you’ve reported to your company, they haven’t fixed it and you’re concerned, like Sameer said, go to a CIRT. There are national CIRTs that can help you out, that have those agreements. If you go to first.org, there’s a list of all of the CIRTs for every country in the world.

David Spark

By the way, is that step one or step two? You should go to the company first, right?

Mike Johnson

Well, I’m assuming that you’ve already reported it to the company. So, you’re in the situation where you’ve reported it, they haven’t fixed it, so what do you do? That’s kind of where I’m taking this and going forward. In the US it’s CISA, which is a division of DHS. They’re available, they will help make those relationships happen. They can’t make sure something gets fixed, but they can ensure that a company hears about it, and they can express their own concern. So, there’s those government entities that can help you out, and that’s where I would go as the second tier. I’ve heard people suggest talking with reporters, going to press. I don’t think I would take that route.

David Spark

Let me ask you, Sameer. What situation would you go to a reporter about? If it was something that literally has to be patched immediately because it’s so open, so critical, would you go to a reporter?

Sameer Sait

Yes, I think Mike called it out right. So, you’ve done your due diligence, you’ve reached out to the company, maybe through multiple channels. Maybe you’ve tried to engage them in multiple ways. Maybe you reach out to their PR department of that company, and if you get radio silence and this affects health and human life from a utility standpoint, I would definitely go to a reporter.

David Spark

Mike, would you feel the same way? Is that the moment you’d pull the trigger on getting a reporter involved?

Mike Johnson

For me it’s a last option, but there are certain situations where you would do it. The way that that really plays out is not necessarily that the reporter is going to write an article and it’s going to make the news, they’re going to reach out to the company and likely the company is going to pay attention because they now have a reporter asking them about it. So, that’s really what the reporter gets you is that attention, whether or not they write an article is a completely different issue.

David Spark

I will say that when I send an email out to a company, boy, do they shake in their boots!

Mike Johnson

I believe that.

Sponsor – Code42

00:14:15:19

Steve Prentice

Sometimes an employee becomes an insider risk by accident, through basic actions like sharing files in Google Drive, Office 365 or Slack. Mark Wojtasiak, who is Vice President of Research and Strategy at Code42 says detecting and managing these threats becomes a lot easier with their new product, Code42 Instructor.

Mark Wojtasiak

What’s unique about it is there’s three different Instructor lesson packs. One lesson pack is proactive in nature, meaning you can proactively send employees education or what we call lessons, based on corporate policy and compliance, culture or whatever it might be, with a second lesson pack that’s based on situation. Perhaps you’d have a new employee coming on board, or a departing employee. It’s important to provide education or lessons for those employees, so that they know what their rights are. Can they bring information into the organization? Can they take information out of the organization? And then the third type of lesson that Instructor includes is responsive. This is where a lot of the magic in real time education starts to happen. So, an organization sees that an employee has done something risky with corporate data, maybe they’re syncing their MacBook to their personal iCloud service. That’s basically corporate data leaving the environment. We can provide an education or a lesson to that employee on why that is unsafe for the company, and then how to remedy it.

Steve Prentice

For more information, visit code42.com/instructor.

It’s time to play, “What’s worse?”

00:15:54:07

David Spark

Alright, Sameer, you know how this game is played. Two options, they both stink. These actually have a pro and a con attached to each one. I always make Mike answer first, and I always love it when our guest disagrees with Mike, so get ready. It doesn’t mean you have to, but I’d like it! So, if you want to be my best friend, consider disagreeing with Mike.

Mike Johnson

That’s bribery. That is outright bribery!

David Spark

I didn’t send him any money! Yet. Alright, it comes from Carlos Rodriguez, who’s the CISO over at Citizens Property Insurance Corporation. Here are your two scenarios, Mike. You have a team that is talented, engaged, supportive of each other and trusts leadership, you’re doing a great job. Yet here’s the negative: the security program lacked support, resulting in continuously hitting walls and making little to no progress. Kind of a Yin and Yang. We get the Yin and Yang now in the opposite direction. Your program is supported throughout the company and all objectives are on target with continuous progress, but your team is disengaged, unhappy, worn out, stressed and does not trust leadership. That means you! Which one’s worse?

Mike Johnson

Oh, wow! When this got started I thought this was going to be another brilliant jerk question.

David Spark

We did too many brilliant jerks in a row!

Mike Johnson

So, what you have on the one hand is your team is great, they just have no momentum within the rest of the company. There’s the rest of the company, you need to sell them better, you need to get them on board. There’s work to be done on that front; that’s the work that you have to do. And then the other one, you’ve got a situation that somehow the company is very engaged but the team just isn’t. The team itself is not involved, not executing.

David Spark

And they don’t like you.

Mike Johnson

Like me or not, that’s not really the issue here. I want to be supportive of my team, and I want them to feel that.

David Spark

Well, I’m going to pause here for a sec. Do you think you could be effective as a CISO as being a feared leader?

Mike Johnson

I don’t know that you can be effective as a manager, period, as being a feared leader.

David Spark

Hold it, I’m going to tease this. I have references on an earlier episode. Steve Jobs was a combination of a feared and loved leader of that sort, and those do exist.

Mike Johnson

I think we have plenty of examples where you do have feared leaders who are very successful. At the same time, I do think those are the exception.

David Spark

Yes, they’re definitely not the rule. They always come loaded with charisma, too, on top of them.

Mike Johnson

Yes. There’s a lot of other advantages they have that allows them to be successful. Back to the question, though, I really think of the two, the one that is worse is the team that is kind of disengaged. I think if I’ve got an excited team that’s engaged, it’s my job to engage the rest of the company and get them on board, and I can do that. I can make that sale. It takes some time.

David Spark

Well, see, here’s the thing with the what’s worse. It’s not like you’re going to magically change things, this is just the situation. So, your security program lacks support, whether you can do your dancing routine or not.

Mike Johnson

At the same time, there’s some amount of success that you’re able to have, right? Because there’s portions of the security outcomes that your team owns, and you are able to influence that within the organization. You’re able to have those successes and have some level of success within the company, even though it’s outside of your team. So, that’s why I feel like the disengaged team is the worst one: you’re probably not having any success within your team itself.

David Spark

I think there’s a good argument against this. I’m wondering if Sameer is taking the other side. Sameer, how do you feel? Which one’s worst?

Sameer Sait

I was so looking forward to disagreeing with Mike on this one, but unfortunately I’m of the same mindset, which is having a dysfunctional team versus having a team that is excited, energized, becomes a force multiplier, it takes a little bit of burden off of the CISO to not have to deal with internal strife, along with having to do the external, building trust and driving results, etcetera. This is a tough one, I’ll be honest, and we could turn round and say it depends on the situation, it depends on the size of your team.

David Spark

Well, “depends” doesn’t work in this game, but look at it this way. You have this disengaged security team, but in the same situation the rest of the company is like, “Yeah, we love security, it’s the best. We’re all on board. We’re fully security trained, we’re totally into this.” Doesn’t that have value in it?

Mike Johnson

But what are they doing? Do they have any guidance or idea of what is the right thing to be doing? They’re not getting any of that from the team in that scenario, they’re just excited about security and, again, I’m reading into these scenarios but that excitement isn’t channeled in any particular direction.

Sameer Sait

So, Mike, maybe the company is excited about security because nobody in security is asking them to do anything! “We love these guys!”

Mike Johnson

That’s a great point.

Someone has a question on the cybersecurity subreddit.

00:21:29:04

David Spark

So, let’s keep talking about the worst. On the cybersecurity subreddit, a redditor asks, “A third party application developer needs access to a file share over the Internet, essentially opening a file and print sharing to a server over the Internet. I shut down the idea completely, but that seems to be the only way they can get things to work. What’s the worst that can happen if such access is allowed?” Now, per this redditor’s question, a VPN is not a possibility, though he can’t explain why. So, there was a lot of advice on this thread. I’m going to start with you, Sameer, on this. What’s the worst that can happen in the scenario that they’ve created? Should it just be played out the way it is without a VPN? And how would you resolve it?

Sameer Sait

So, a resolution is something that I can pontificate about, but I was thinking what’s the worst that can happen? I think of it as worst case scenario, right? Loss of data. Has this person been phished? Is there reputational impact if that data is posted on some GitHub site, or on the Internet? Supply chain risk. Are there systems within that environment that could be navigated to? And, frankly, all of these things are possible without over-thinking this. I also think about how many third parties are in my environment. So, if I make this exception, what am I doing about all of that? It’s just the tip of the iceberg.

David Spark

Mike, I throw the same to you. How would you handle this?

Mike Johnson

I’m still scratching my head a little bit on why VPN wouldn’t work but, setting that aside, it was interesting reading the comments that they kind of borderlined on, “Oh, not much,” to, “The world could end.”

David Spark

Yes. Well, the most popular one was, “The world could end”!

Mike Johnson

When I think about it, two things come to mind when you’re exposing a service to the Internet. There’s misconfigurations and vulnerabilities where someone can easily misconfigure the file share, and they’re exposing it to the world. We see so many data breaches out there because someone misconfigured an S3 bucket, and that’s the kind of thing that you could have if you’re misconfiguring a file share. Then, on the vulnerability side, there could be an exploit. There could be a weakness in that service that’s being exposed and now something really bad could happen. Print spoolers have a horrible history of remotely exploitable vulnerabilities. Right now, as we’re recording this, there was recently a directive from CISA for all federal agencies to disable the Windows print spooler services due to a remotely exploitable vulnerability. It’s that kind of thing that you’re really potentially opening up by doing this. I’m not sure how you fix it. I’d figure out how to make a VPN work, that’s my solution. But it’s something that really could go very poorly very quickly, and the person really does need to sell that case, to have people understand what the risks are, to have a little bit more time to come up with a solution that might work.

David Spark

And maybe reassess the VPN idea?

Mike Johnson

Yes, that would be step number one.

What do you think of this pitch?

00:25:12:02

David Spark

We haven’t done this in a while, where someone sends us a pitch and you guys critique it. So, here, I got a pitch for you. It’s a little bit longer than we traditionally accept, but let’s go with it, okay? So, stay with me, here. From Greg Collins of DeepFactor, here’s his pitch. “Implement DeepFactor’s continuous observability for security and compliance platform into the CI pipeline, to identify vulnerabilities at runtime, during development, tests or in production. Runtime observability reduces security vulnerabilities and compliance issues that flow into production or catches them in production as early as possible. DeepFactor alerts are true positives, because they are based on what the application is actually doing. Developers and AppSec teams no longer have to filter through false alerts to work out what’s important and what’s not. DeepFactor doesn’t require any code changes. It can monitor any workload on traditional containers, Kubernetes or Docker. We are making AppSec simple and easy for development teams.” So, I’ll throw it to you first, Mike. What do you like about it, not like about it? Does this pitch work for you? What would you take away, add or is it all great?

Mike Johnson

[LAUGHS] Well, it sounds amazing. Like, you know, this sounds like it solves all of my problems.

David Spark

Don’t you need something that solves all your problems?

Mike Johnson

If I could have push buttons, just push a button and solve all my problems. First of all, Greg, thank you for opening yourself up for feedback here.

David Spark

Critique and review, yes. I know it’s not easy.

Mike Johnson

So, thank you for that. First, the things I like. I really do like the point about making AppSec easy for development teams. I really think that’s something that security vendors need to focus on more when they’re designing their products is what that experience and integration is with the development teams. That makes our lives easier as security professionals, to integrate your product into our environment, where we’re not having to retrain our developers, where it’s meeting them where they are. So, kudos for that, and maybe lean more into that. I think that’s really a good point and, just closing on that, you could have a stronger message if you lean into that. A couple of other things that I think maybe some other feedback on. There is this mistaken concept that giving visibility reduces vulnerabilities. Those are two different things. So, you’re giving visibility, great. It’s not necessarily in and of itself reducing vulnerabilities. We talked about that earlier. So, I think there’s some more clarity that could be provided. At first, you’re talking about identifying vulnerabilities at runtime, great, but there’s not anything about how you’re reducing vulnerabilities, so talk about that. Then I’m also not sure I buy the “no false positives” premise.

David Spark

That doesn’t exist, does it?

Mike Johnson

Every security product is, like, “no false positives”, narrator voice, “They all have false positives.” So, really talk about that a little bit more, and maybe change the language about that. Vulnerability alerts, they’re going to happen. Applications behave in unexpected ways. I think that’s a big claim that is going to have people questioning the overall claim if that’s what you’re opening with, so think about how you’re talking about how you’re dealing with false positives and that integration model.

David Spark

Alright. Good advice. Sameer, what do you think of this pitch?

Sameer Sait

Just to reiterate something Mike said, which is, I like that Greg is thinking about the customer and their experience using a tool and making it easy and simple. I like that. I heard the comment about not requiring code changes, easy deployment model. Great. But is this truly additive? Is it really adding something that I don’t already have in my stack? How does it work in my ecosystem? A little bit of that I would like to hear more about. I don’t think, Mike, we can ever take away from a vendor to say that they are solving world hunger, this is from the DNA, right? It’s the DNA of it. But I think we can talk about some metrics. You can potentially reduce your time to market by 40%, for example. I think a little bit more data driven would be nice, but other than that it’s a pretty good pitch, so good job, Greg.

David Spark

I think it’s one of the more positive responses we’ve had from a pitch. Please, by the way, keep them coming in. I’d like to do more of these, so thank you very much, Sameer and Mike, for your feedback. I know Greg will greatly appreciate it. By the way, Greg is one of these people who discovered our podcast recently and, Mike, you’re going to be amazed by this, he’s gone back to episode number one and he’s bingeing all the way through, and he tells me, “Now I’m only six months behind.” I’m like, “I would start with the recent ones!” I warned you, those first ones are pretty rough! The first few ones I edited myself!

Mike Johnson

We’re sorry about the first few episodes, Greg.

Closing

00:30:33:06

David Spark

Alright, well, thank you very much, Sameer and Mike. This is going to be wrapping up our show here. This was excellent, thank you so much. Now, Sameer, I’ll let you have the very last word here, and one of the questions I always ask the guests is, are you hiring? So make sure you have an answer for that. I want to thank our sponsor for today’s episode, Code42. Thank you so much, Code42, for being such a strong sponsor of the whole CISO series. Again, insider risk, if these are issues you’re dealing with, which, I don’t know why we always say, “If this is something you’re dealing with,” who isn’t? With all our sponsors, everyone’s dealing with cloud security, insider risk. Whether you know it or not, you’re dealing with it. So, anyway, check them out, code42.com. Mike, any last words?

Mike Johnson

Sameer, thank you for joining us. It was great to sit down and have the conversation, always wonderful hearing the experience of our guests. One of the things that I really liked was you kept coming back to the customer experience, and I think that’s something that, in security, we don’t pay enough attention to. We’re not thinking about what are the impacts to the customer, either the end customer or our customer’s customer, or something like that. Your ten second tip, I really liked how you suggested to people to really think about the customer facing outcomes and work back from that, and I think that’s a great philosophy to think about from security. I think that’s something that more folks could really bring to their mindset and how they think about security. So, thank you for discussing that concept, talking about customer experience, and generally for coming on our show, sharing your experience. I really appreciate it.

David Spark

Thank you very much. Alright, Sameer, any last words? Anything you want to plug? Are you giving coupons out for Whole Foods? Do you have a favorite food at Whole Foods, and are you hiring?

Sameer Sait

Oh, wow, that’s a lot to unpack right now.

David Spark

Pick any of the above!

Sameer Sait

So, first is appreciations to you gentlemen, Mike and David, for the opportunity to speak at this podcast. There’s so much to talk about in security. There’s so much to cover. I might go back to episode one myself.

David Spark

Don’t do it! I’m telling you, do not do it! But, I’m telling you, it’s over three years. We still get downloads of that first episode, which blows my mind.

Sameer Sait

That’s amazing.

David Spark

Yes! [LAUGHS]

Sameer Sait

So, in terms of a plug, we are absolutely hiring at Amazon and Whole Foods. There’s a lot we’re doing from a digital enablement, customer retention, customer experience perspective at Whole Foods. I obviously cannot talk about all those fun things that are going to be coming in the next six to 12 months.

David Spark

Amazon and Whole Foods are both brands that are very much about the customer experience, and it breaks it down to a science. Does that bleed into the cybersecurity team?

Sameer Sait

Absolutely. We take that pretty seriously. Every day is day one at Amazon, and we take that seriously, that we partner in business ideation but also the architecture design phase. In terms of hiring, my thing is that there’s a war for talent in security, there’s a lot going on, and I do appreciate all the hard work all our security people are doing, but there’s never enough of us out there. So, we are absolutely hiring, and feel free to connect with me on LinkedIn or other means to talk more about opportunities we have here.

David Spark

Awesome! Thank you so much. Thank you again, Mike and Sameer, and huge appreciation to our community and audience. Again, if you find really cool stories online or you have a “What’s worse?” scenario, anything like that, just feed it to me. You can also record a question over at cisoseries.com. We love that as well. So, thank you, audience, for making the show as awesome as I think it is, and you tell me often that it is, so I appreciate that. We appreciate your contributions and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.