They’re Young, Green, and Very Hackable

They’re Young, Green, and Very Hackable

It appears we’re not providing security awareness training fast enough. That’s because hackers are specifically targeting brand new employees who don’t yet know the company’s procedures. Illicit hackers are discovering they’re far easier to phish.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Gene Spafford (@therealspaf), Professor, Purdue University.

Gene’s book available for pre-order Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.

25th anniversary of CERIAS

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Lacework

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization’s AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at

Full transcript

Voiceover: What I hate about cybersecurity. Go!

Gene Spafford: I really dislike the fact that we have people who get exposed to a little bit of the field, think they’re discovering new things, and just keep reinventing the past time and time again instead of making progress forwards.

Voiceover: It’s time to begin the CISO Series Podcast.

David Spark: Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. Joining me for this very episode is the original co-host, Mike Johnson. Mike, welcome.

Mike Johnson: Thank you, David. I’m so happy to be here today.

David Spark: That’s what his voice sounds like, you’ll hear more of it in this show. You know, we’re available at, where there are four more types of shows on the CISO Series you can check out. Please go check it out. For example, you could check out our Headlines show or maybe our Super Cyber Friday show. All wonderful programs that I know you will enjoy. Our sponsor for today’s episode is Lacework. Thrilled to have them onboard. Brand-new sponsor. They are the data-driven cloud native application protection program, or CNAP. More about what that is and why you want it a little bit later in the show.

Mike, we are recording this show on October 6th, and next Tuesday will be the live show that we did in Mountain View. And actually, the two Tuesday shows following that will be shows I did in Santa Monica. And then I’m leaving tomorrow for Chicago, which will be the Chicago show as well. Lots of shows. We’re back to live shows.

Mike Johnson: Yes.

David Spark: We did a few during the pandemic, I think a total of four, but now all of a sudden coming on strong. And this show is airing in December, where we’re going to be doing a live show with the National Cybersecurity Alliance called Convene in Clearwater Beach, Florida, which is going to be on January 10th. Now, you can find more information about that if you go to our Events page. Did you know that we have an Events page now?

Mike Johnson: I did not. How would I find the Events page, David?

David Spark: Where do you think you’d find the Events page, Mike?

Mike Johnson: At

David Spark: What do you know?! Yes! You’d go there. You can find our in-person events and our virtual events. So, our virtual events are Super Cyber Friday, our in-person events are there as well. In fact, the show we did in Mountain View is listed there as well. So, this show, Convene, also listed there as well. So, please go there. We do have a discount code for you to participate. It is all about cybersecurity awareness. We want our audience to attend. All right, I think it’s time to bring in our guest, who I am very excited to bring. Now, those of you who have been in cybersecurity a while will know this person. I’m going to say possibly in the top five – I may be wrong here, but it’s my guess – in the top five most quoted cybersecurity professionals. What do you think, Mike?

Mike Johnson: I think that sounds right. I think I quote him on a daily basis.

David Spark: In fact, if you were to search this person’s name and then say “quotes,” you will find pages of quotes from this person, and in fact, you’ll hear one in the first segment. But let me introduce him. It is the professor – or one, it’s not “the” professor, there’s many professors at Purdue University – but he is a professor at Purdue University, Gene Spafford who also goes by “Spaff.” Spaff – thank you so much for joining us.

Gene Spafford: I’m delighted to be here tonight.

Are we making the situation better or worse?


David Spark: Gene, your 2nd Law of Cybersecurity states, “If we had no computers, we’d have no computer crime.” Now, we’ve heard lines like that, “Oh, the way to get rid of computer crime is get rid of the computers, right?” But you continue this by saying, “But if we had no people, we’d have no computer crime either. We must include people in our plans and mechanisms to protect systems.” This is a perfect quote to introduce Cybersecurity Awareness Month, which is when we’re recording this episode. Now, I want to point out – it took years for people to start using a seatbelt and to stop smoking. Cybersecurity awareness is similarly a long-term marketing effort. Gene, where are we actually making progress with the general populous when it comes to improving the human aspect of cybersecurity?

Gene Spafford: It’s a great question. Let me start by noting that we still have an awful lot of people who don’t use these seatbelts and are still smoking, and those are major problems. When I originally formulated that quote that you recited, it was close to the start of the Center at Purdue – CERIAS – which next year will be its 25th anniversary, and it was intended to highlight that we had a multidisciplinary approach to the problem area. Up until that point, people had focused largely on the technology, and they’re still doing so. I think that’s one of the issues that we’re beginning to see a little bit of progress on. People talking about usable security, people talking about training people in resisting phishing, for instance, and awareness. But we still aren’t quite to the point where we’re taking integrated views of the field as a standard component. We’re still dealing with problems of we don’t know how to measure security in a meaningful way, and so we have a long ways to go.

David Spark: But what are you buoyed by, let me ask you, what buoys you?

Gene Spafford: I think I am cheered by some of the efforts that have gone on to set higher standards to encourage more people to get educated in this realm, the attention that’s now being paid to security mechanisms and processes for small and medium businesses, that you couldn’t find anything 10 years ago that was really oriented towards them. Those are the kinds of things that give me hope, but we’re moving at a much slower pace than the individuals who would want to take advantage of us.

David Spark: That’s a good point, all right. So, Mike, Gene makes a good point that we’re moving slower than the people who want to do us harm. What makes you feel confident that we’re going in the right direction? Or maybe not.

Mike Johnson: I do agree that we are moving slower than our adversaries, whatever name you want to use for them, and I do think a lot of it has to do with the fact that, as Gene said, we’re very much focused on the technology. And while some of that is good – trying to make the technology easier to use, make it more transparent, make it so that it’s more baked in and people don’t have to think about it as much – but if we continue to focus only on the technology and don’t realize that we also have people as part of the problem, then it’s going to kind of continue to be this way.

David Spark: So, let me focus on the people though, which is what Gene really brings up here, is what do you think the people are being more aware of now that they were not being aware of before?

Mike Johnson: One of the things, and kind of going back to the analogy of smoking and seatbelts, one of the differences between those two is smoking, generally it’s a personal health issue, someone is making a decision to improve their own health. What we’re starting to see in the cybersecurity world is people do realize that their own data has value, and that they should pay a bit more attention to it on a personal level. As companies are making improvements in security controls that they’re exposing to people, people are starting to pick them up. I had years ago a hard token for my account, so for my World of Warcraft I had a hard token, and that was me trying to protect my account. And I think that’s what we’re starting to see more of, is people recognizing that as individuals, as consumers, as users, we need to be part of the solution as well.

First 90 Days of a CISO


David Spark: “Consider changing your approach from a controls based/asset-threat-vulnerability assessment to a scenario-based risk assessment,” said Brian Blakley, CISO over at Transact Campus on LinkedIn. Now, we talk a lot on this show about knowing what your crown jewels are, but Blakley argues that the controls/assets risk model just invites confusion, and a scenario-based approach can lead to the elements that may be at risk. He makes a good argument, especially since we often discuss how difficult and how long it can take to discover what a company’s crown jewels are. And if you’re a new CISO, you probably won’t know what the controls are. So, I’m asking you, Mike. For a new CISO especially, does this seem like the right approach?

Mike Johnson: Nope.

David Spark: And why not?

Mike Johnson: First of all, I appreciate Brian putting this out there, putting a thought out there, having folks provide feedback, think about it, talk about things differently. But I think what he’s proposing is something that more mature organizations should be looking at and not where you should start. I think if you don’t know what your crown jewels are, if you don’t know at least where you’re starting, then I don’t know how you build those scenarios. I don’t know how you’re able to figure out what theoretical attacks, what even practical attacks, that you need to deal with. And so if you’re not starting from the basis of what you do know, I don’t see how you build scenarios around that.

David Spark: Here’s my argument. Sometimes people have a hard time telling you because they don’t even know where to start to begin to tell you, but if you were to start to describe scenarios and start to say, “Well, do you have this kind of database and do you have this?” Then people like, “Oh, yeah, that might affect this. Oh, yeah, that might affect this.” That might, in the process of a risk-based scenario, reveal what the crown jewels are, or is that wishful thinking?

Mike Johnson: Well, I think that’s a way of discovering your crown jewels. I don’t think that’s what Brian was suggesting.

David Spark: I’m extrapolating and throwing it out there.

Mike Johnson: Well, I think that’s a good idea, right? You’re sitting down with people and you’re having conversations, and that’s a better approach than giving them a blank spreadsheet and say, “Tell me all of your crown jewels.” Sit down and have the conversation with them, and you will have that exact experience that you’re describing. You will have them figure out things along the way, talk through. Maybe something they didn’t think was a crown jewel, turns out it is. I like that approach; I think that’s a good way of getting at the crown jewels.

David Spark: So, possibly a mix. All right, Spaff, I am throwing this to you. This scenario-based approach, do you think it’s the better way to begin, or it’s far more advanced, as Mike says?

Gene Spafford: Well, I think it depends in part on the nature of the organization. Some organizations have a small number of what you would call crown jewels or a small number of attack pads, and perhaps that makes sense. But I think in the case of being a new CISO, your real crown jewels are your people, the people you already have there, and the knowledge and the experience they have. You aren’t really going to be responsible for creating everything from first principles. You should be talking with those individuals. You should be talking with people outside of the security arena as well, the people who actually have to do the work because they’re the ones that make the company run, and from that find out where are the places where there’s friction, find out the places where losses could cripple the organization, and be sure that you have some controls in place for that.

A CISO is not so much a director as it is a team builder, at least in the organizations where I’ve seen that person be successful. They have to make hard decisions, but it’s really important that they listen and are able to get everybody moving in the same direction.

David Spark: So, this whole philosophy of sort of a different sort of strategy to approach this asset management approach versus scenario-based approach, you’re saying that kind of misses sort of the broader view here, in that you have to look at the people and sort of start from there?

Gene Spafford: Well, I’m saying that’s a good place to start. Scenarios and assets are two of the ways that you can approach that, so are stories, so is history. Part of it is looking do you have the right personnel in place, what has been experienced before. I mean, all of that is part of the process.

David Spark: Right, I know. I think more I’m asking the question is there is a better starting point, I guess is my question. Or is there (A) a better starting point or (B) a way to get to what you want in a quicker way?

Gene Spafford: Well, what is it you want? That’s why I said it’s different for different kinds of organizations, different sizes of organizations, different business organizations, what they have to do. I don’t know that there is a single best way that’s going to apply across all of those, at least not from what I’ve seen.

David Spark: I think we go back to, “It depends.”

Gene Spafford: Yes.

Sponsor – Lacework


David Spark: Before we go on any further, I do want to mention our sponsor Lacework. Thrilled to have them onboard. And let me point out that securing what you build in the cloud can feel daunting. We talk about it a lot on this show. It’s hard to know where your data and resources are, and what is open to attack. Kind of defines what security is. So, to Lacework, cloud security is fundamentally a data problem. And with Lacework, the data that once had you on edge becomes your best cloud defense. Lacework is the data-driven cloud native application protection platform, or CNAP for short. Only Lacework can analyze and automatically correlate data across a multi-cloud environment to prioritize risk and uncover active threats without writing endless rules. Because that gets into a lot of configuration. Which we all have to do, but heck, we don’t want to do it endlessly.

So, their platform automatically learns how your cloud is supposed to run and tells you when it deviates. Ah! That, I know a lot of security leaders want to know. Now, how is this abnormal activity and runtime related to this misconfiguration? Is this vulnerability being actively exploited? Well, with Lacework, you can actually know the answers to these questions. So, their CNAP solves for many use cases – posture management, workload protection, compliance, shift-left security, and others – within one integrated platform. More than 900 companies around the world rely on Lacework to secure their multi-cloud and hybrid environments. And on average, their customers experience a 100 to 1 reduction in alerts – wow – and 80% faster investigations, all due to better context. So, looking to gain control while considering tools and reducing cost? Consider Lacework and make everything you build cloud secure.

It’s time to play “What’s Worse?”


David Spark: All right, Gene. You know that this game is a risk management exercise. I provide two horrible scenarios, and I make both you and Mike determine which of these two scenarios is worse. I will make Mike answer first, and you can agree or disagree with Mike. I always like when our guests disagree with Mike. So, hold tight. All right, this comes from Jerich Beason who is the commercial CISO over at Capital One, and he has supplied us with many great “What’s Worse?” scenarios. In fact, he’s been a guest on our shows before as well. Here we go, Mike. What’s worse? You keep hiring overqualified cyber talent that leave in three months for better opportunities, or you hire mediocre talent with no ambition or desire to get any better.

Mike Johnson: [Laughter]

David Spark: So, you got a revolving door with talent, or you got mediocre that’s never going to go and never going to get better.

Mike Johnson: This is an interesting one because you end up in this case where you have these folks who are coming in, and in three months it’s hard to spin up on an environment and actually have any impact. But maybe in month three, they do something really awesome and then leave. That’s kind of how I’m reading that, is you take your first two months, you try and figure out the environment. Month three, you do something awesome and then you’re out.

David Spark: But then there’s the cost and pain of constantly rehiring.

Mike Johnson: Yep, yep. The other side is folks who are workaday. They’re there, they’re getting things done, maybe not…

David Spark: Mediocre, let me throw that out.

Mike Johnson: No, but “mediocre” means you’re getting some work done.

David Spark: Okay.

Mike Johnson: They’re not bad, they’re not terrible.

David Spark: No, but they’re mainlining. They’re not going to go up or down.

Mike Johnson: They’re fine. They’re fine. And they’re able to kind of consistently get things done, just maybe not at the rate that you want it, maybe they’re not able to really solve the super-hard problems, but they’re there doing the operational things. So, that’s kind of how I interpret these two classes. So much of security is that workaday, show up, do the mundane thing and go home, and that, the organization quite often is powered by that. I think I would prefer to have that.

David Spark: Than the revolving door.

Mike Johnson: Yeah. Because you’ve got this foundation of folks that you know they’re going to be there. You know that they’re going to show up every day.

David Spark: But your security program’s never going to get better. Ever.

Mike Johnson: I don’t know that your security program gets better in the first case.

David Spark: Well, maybe, maybe not. Because you got some super talent on there, they may keep tweaking it every three months like you described.

Mike Johnson: I’m going to steal something Spaff had shared earlier is they might show up and do something completely different, like they’re trying to reinvent rather than move anything forward. And so it’s possible that they actually take things backwards, that they make things worse by ripping out something.

David Spark: I think you’re reevaluating this. I think they’re just good talent.

Mike Johnson: I’m still sticking with my answer that that’s actually the worse one.

David Spark: Well, okay, that’s fine, that’s the worse one. All right. I don’t want to say whatever he said, strike it. Because that wasn’t part of the question, Gene. All right, Gene. We throw this to you. Do you agree or disagree with Mike? Which scenario is worse?

Gene Spafford: When you said one of these was horrible or both were horrible, I was thinking along the lines of being asked to serve on another faculty committee. But…

 [Crosstalk 00:20:31]


Gene Spafford: …really quite as bad as that. Really, it depends on what kind of control I would have.

David Spark: “It depends” doesn’t work in this case.

Gene Spafford: I know. I would probably try and work with the outstanding talent to find ways to make them stay. Why are they leaving?

David Spark: Again, no, this is the scenario.

Gene Spafford: I can’t change it.

David Spark: This is how the game works. They’re not going to stay. They’re out the door every three months.

Gene Spafford: All right. Well then I would probably take the mediocre talent and work on polishing up my resume.

Mike Johnson: There you go.

David Spark: There you go.

Gene Spafford: Because that would at least be some stability. I agree with Mike that having some real talent, they’re difficult to direct. They might come in and rewrite everything in their own favorite language and then leave, and now we’re stuck having to do that again. It can be a real problem. I’ve seen places where you have stars like that come in and redo everything and leave, and the situation’s worse than when they got there. So, mediocre is very often better than exceptional.

Close your eyes. Breathe in. It’s time for a little security philosophy.


David Spark: “The best way to ‘win,’ is not to try to ‘win’ at all,” said Robert Slaughter of Defense Unicorns on a LinkedIn post about playing the infinite game, “It’s to find something you’re passionate about, that you care so much for, that your goal is to just keep ‘playing.'” Now, he pointed to ways you can lose the infinite game such as people who overwork themselves and burn out and eliminate themselves as a player, or your organization’s mission doesn’t stay consistent and you “sale out” for a temporary financial win. So, Mike, I’ll start with you. Are security professionals aware that they are playing an infinite game? Because not being aware may be another sign you’re about to lose.

Mike Johnson: A former guest of our show, Yaron Levi, he introduced me to the concept of the infinite game. I think he may have even talked about it on the show where he was the guest. And I will say I hadn’t thought about it before then. It was an interesting concept to reevaluate the way that we think about our profession. And I imagine that there’s a lot of folks who aren’t aware of this and are trying to win and trying to win at security.

I think that goes hand in hand with one of the phrases that we often speak of in the field, which is there is no finish line for security. And so for that to be true, by definition there can’t also be an ultimate win, like you can’t just win and go home. I think thinking about it in terms of it’s always going to be going on, there’s always going to be work, you can then stop and have your mental shift of finding the small victories, the small wins along the way that let you know that you’re making improvements, let you know that you’re not just stagnating, and give you that little burst, that little feeling along the way. Because otherwise, if you are expecting that there’s going to be that big finish line at the end, you’re going to be disappointed.

David Spark: You said in the middle of your response that you believe there are some that don’t realize that they’re playing this.

Mike Johnson: I think so.

David Spark: Yeah. And that was my main question. I should also mention, if nobody’s read it before, Simon Sinek wrote a great book called The Infinite Game. Not the first person to coin the term, I think since the 1980s it’s been around. Gene, what do you think? Do you think there are security professionals that are just not aware that they are actually playing an infinite game?

Gene Spafford: Well, they’re probably aware that it is a long-term issue, I don’t know that I would phrase it as a game. But there is certainly an analogy to a lot of other things in our lives. As a parent, as somebody in a marriage, I realize that those require constant work, and there is no finish line to cross over if I’m going to continue to keep those going and keep them vibrant. And I know talking to people in other professions, it’s the same way. You have to continue to work at it, you have to have those successes and take pleasure where you can, where things work well, learn from your mistakes, and continue on. Security is definitely like that. It is a process. It is not a set of goals. It’s not like you learn to break the four-minute mile and then you’re done. You have to continue to polish and refine and work at what you’re doing if you’re going to be good at it. If you decide that that isn’t what you want to do, then maybe it’s a good idea to branch off into something else.

David Spark: And again, the infinite game is a concept. It’s not really saying we’re all playing a game, but it is a concept that says, “This just keeps going on, and the way to win is essentially to keep playing.” And I would assume the way to “keep playing” is your business stays afloat, but that’s kind of like the most minimal level of playing the game. I would hope that it would be you play a little higher.

Gene Spafford: Yeah, I was going to say, occasionally for some people it’s Squid game, and the ending isn’t quite so pleasant. I understand the idea of calling it a game because there is strategy, there are players, you are pursuing that. I just don’t think that it would be viewed that way by some people who are in the field, but they do view it as an ongoing process. The good ones do.

David Spark: Let me throw this out to both of you, and quick comments on this. A long time ago, I wrote an article about what games have actually taught you about cybersecurity. Now, I know this isn’t a new concept, but we’re just playing with the word “game” here. I’ll ask you, Mike. Give me a quick answer to this. What game, and it can be anything, it could be a board game, it could be sports, it could be a video game, anything. What has taught you about cybersecurity and what was the aspect?

Mike Johnson: So, I’ll go back to World of Warcraft, and one of the things that that taught me was teamwork and the importance of it. It’s something that we kind of inherently understand as human beings, but where you’re working together for a common goal. And you might fail the first time, the second time, the tenth time, but you finally get it on the 33rd time, and it feels so great. And it’s because you worked together as a team and learned through that process how to work better as a team. That’s my game of choice and really one of the things that was cemented for me.

David Spark: Gene, you have an answer to this? A game that taught you about cybersecurity?

Gene Spafford: I think Mike’s answer is excellent, and I would echo that from several games. I also think that I’ve learned from working some in competitive sports and a few things like that. There will be setbacks, there will be occasions where simply chance deals you a bad hand, and if you quit the game, you’re done. But if you pick up and then go on and continue to try, you’re still in the game. And that’s really what’s important, is that there will be setbacks, but that doesn’t have to mean that it ends unless you choose it to end.

Pay attention. It’s security awareness training time.


David Spark: We’re not providing security awareness training quick enough. Cybercriminals are purposely targeting new employees to gain access. In an article by Susan Bradley on CSO Online, she outlines the techniques of emails coming in from what appears to be a company asking for a new employee’s mobile so they can send a text message. These seemingly innocuous efforts are setups to get second factor information to gain access to a network. Green employees are excellent targets for infiltration, as they’re probably not aware of current procedures, and they’re also eager to please on their first days.

The article then goes in a direction I’ve seen before, warning of all the seemingly mundane things we publish online, and how that it can be used against us. Honestly, people want to share their stuff, and to tell them not to, such as, “Don’t announce your new job,” which this article recommends, is not going to land well with people. In fact, I think it’ll backfire, and it’s advising everyone to be paranoid. So, Mike, I’ll ask you. Are these recommendations of the not posting personal stuff online hurting our cybersecurity awareness efforts? And secondly, given that new employees are attack vectors, they probably need some security awareness training on day one. What do you think?

Mike Johnson: I do think if people keep getting bad advice, they’re going to tune out. If you keep telling them to do things they just are not going to do, and is frankly against their human nature, they’re going to stop listening to you.

David Spark: Yeah, but you’ve heard this a lot, like, “Watch out what you share online because they’ll use it against you.”

Mike Johnson: This is advice that might have mattered a long time ago, but it’s not valid in our world today. Everyone wants to share and celebrate that they got a new job. They have pride in their employer. Telling them not to say that they got a new job is insane. That’s not something that people are going to do. And if I’m showing up in my internal security awareness training class and telling people, “Oh, you shouldn’t post that you just got a new job here. Welcome to the company.” They’re going to tune me out, I’m going to lose all credibility.

And so I think while I absolutely agree with the premise that we should train them on day one, they’re a brand-new employee, we should have in-person training or live training or something that they have available to them on their first day that’s going to best equip them for the threats that are coming. Tell them, “Hey, you’re going to get a text for some random person. You’re going to get an email from someone who claims that they’re one of your fellow employees. They’re going to urgently ask you for something. Stop, pause, think about it, recognize what’s going on, take a breath. And then you can decide what to do with it.” But tell them as part of their training, “This is going to happen,” and you’re getting them at that time where they’re the most impressionable. So, training, day one, absolutely.

David Spark: All right, Gene. I throw this to you. Two issues here. One is the what is seen as good advice but really bad advice because it goes against what people want to do, and the need to train on day one. What do you think?

Gene Spafford: Well, I’ve seen both certainly, working in some of the, for instance, intelligence agencies or banking industry. There are significant penalties for disclosing information, and that causes people to actually be paranoid and sometimes uncomfortable in their jobs, which is not necessarily where you want them to be. And as Mike says, there are people who are proud of their accomplishments, and they want to tell people what they’ve managed and talk to others.

I think he’s right about giving them the early training, but as an educator professionally, one of the big things is to empower people to understand why you’re telling them these things. What is going to happen if that information is given out, and why should they pause before they give it out? Not simply just saying, “Don’t give it out.” That gives them some capability. And furthermore, you have to follow that up by making them aware that if they slip up, they’re not going to be penalized for reporting it, so that you can go back and you can mitigate the problems. That’s the other aspect of lecturing people that doesn’t go over well because it makes them feel if they make a mistake, any kind of error, they’re in huge trouble. Rather than bringing them onboard as part of the team, helping them understand why it’s important to promote the values of the organization and move forward together.

David Spark: That’s a very, very good point. Lecturing to people often doesn’t land well, and that said from a professor at a university. You’re not going to get better validation than that. Do you know when your students are tuning out from you?

Gene Spafford: I do and sometimes it’s difficult when it’s a huge class of people, but I much prefer the smaller classes where we actually discuss the material rather than me getting up and just presenting things at the lectern.

David Spark: Do you ever sort of take a pause and go, “All right. Let’s back it up a second,” because you see they’re not with you at all?

Gene Spafford: Oh, frequently. And I’ve learned to adjust my lectures so that I know places where I need to put extra effort into getting across some of the concepts. It’s part of being engaged as a teacher rather than simply lecturing, reciting notes, and talking to a group, to actually having a conversation with the students, treating them as, I won’t say quite peers, but near peers because they’re going to be in the profession, and engaging them in discussion of the material, and that works out much better in the long run.

David Spark: All right. You just teased something that I want to know. What is one of the most difficult concepts in cybersecurity you have trouble explaining that takes the longest time?

Gene Spafford: I would say that one of the more difficult concepts in some of the advanced classes is the discussion of covert channels, which is not something that is normally bandied about in many business places, but is an issue in the academic study, talking about storage and timing channels, and getting the idea really across to students takes some extra effort.

David Spark: Good advice.



David Spark: That was Gene Spafford, also known as “Spaff.” He is the professor at Purdue University, and he was just our guest on the CISO Series Podcast. Gene, I’m going to let you have the last word here in just a second. But first, I want to mention our sponsor Lacework. Thank you so much, Lacework, for sponsoring. You can find them at They are the data-driven cloud native application protection platform, or CNAP. Thank you again for sponsoring. Mike, any last words?

Mike Johnson: Spaff, thank you so much for joining us. I’ve been a fan of yours for my entire career, so it was awesome to have this opportunity to sit down and chat with you. I picked up a lot from this conversation, I’m sure our audience did as well. One of the things I really wanted to highlight was in that last section, you’re making sure that people when they’re educating folks around security, that you empower your audience, you empower the people that you’re trying to teach, why you’re giving them the advice. That really will change the way that people train on security, if the recipients understand why they’re being taught this, and they understand the stakes. So, that’s really good advice, I appreciate that. I’m sure our audience will as well. Thank you so much for joining us today.

Gene Spafford: My pleasure entirely. And as I get a last word or two here, I’ll just quickly throw out, as I mentioned, next year is the 25th anniversary of CERIAS at Purdue, which is a lot longer than I thought when I started it it was going to go on. And we would like to invite people to come visit, see some of the things we’re doing. I also will mention that hopefully by the end of the year, I’ll have a new book out that I’ve written with two co-authors. It’s called Myths and Misperceptions in Cybersecurity, and it is intended to address some of the things that cause people to make mistakes in how they evaluate security, how they purchase products, and how they interact with each other. So, look for that. It’s being published by Addison-Wesley. Two great co-authors – Leigh Metcalf and DSCI and Josiah Dykstra at NSA – and the three of us have had a lot of fun writing the book. So, I look forward to hearing more podcasts in the series here and thank you so much for indulging me today.

David Spark: The thrill was all ours. Thank you very much, Gene. Thank you very much, Mike. And thank you to our audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

Voiceover: That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at Thank you for listening to the CISO Series Podcast.