A CISO calls on security vendors to stop the spamming and cold calling. Are these annoyances the direct result the way salespeople are measured? Is that what drives the desperation and bad behavior?
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Varonis
[Voiceover] Best advice for a CISO. Go!
[Dmitriy Sokolovskiy] Do not, do not, do not make any decisions for the first three months. Ask questions, listen, self-assess, listen, ask more questions, listen. Wait for the end of three months and only then start building your plan.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me on this very episode as my co-host, it is Andy Ellis, the operating partner over at YL Ventures, spelled with a Y-L. We’re available at CISOseries.com where you can find all of our programming. We’ve got tons of shows with lots more planned in 2023. I want to mention our sponsor today, and they are a phenomenal sponsor. They were awesome in 2022, they are going to be awesome in 2023. It is Varonis – effortless security outcomes powered by automation. More about that, especially that automation part, coming up later. Now, Andy, some exciting news from me.
[Andy Ellis] Ooh.
[David Spark] I took my son and I; we went to a pinball tournament.
[Andy Ellis] I was about to say – I bet it’s pinball related, and it was.
[David Spark] It is going to be pinball related, it is pinball related. And I got to meet someone I was very eager to meet, and it was a little awkward, I will admit. So, he’s probably the best pinball player in the world, it’s arguable, a guy by the name of Keith Elwin, and he’s also designed four amazing pinball machines, one of which I own, which is the Jurassic Park machine. I got to meet him, we took a selfie with him, it was a little awkward, but then I watched this guy play.
[Andy Ellis] Why was it awkward? Did he not expect somebody to want a selfie with him?
[David Spark] No. He was fine, he was smiling, he was great in the selfie, but it was just kind of a weird awkward moment. And I don’t know him from a hole in the wall. I don’t know him at all. But I saw the guy play and I saw some of the other people play and they play at a level that’s so far beyond where I’m at, which is not anywhere near that. And by the way, I was in the bottom quarter of real [Laughter] people performed in this. But I am thinking that I may have to drop it all to greatly improve my pinball skills here.
[Andy Ellis] Well, in case you become a pinball expert and people want to have selfies with you, we need you to practice not being awkward in that selfie moment. So, all of our listeners, RSA is coming up. I want selfies with David for RSA. So, everybody get a selfie with David, post it on social media, tag me so that I can see that it’s happening.
[David Spark] I have done many a selfie and I hope I’m not coming off awkward, which is what I’m hoping I don’t do. I love it when people recognize and they’re fans of the show. I just love meeting fans of the show. I mean, what’s not to like about that? It’s great. But anyways. He was a perfectly nice guy. It was just I think it was moron me, maybe I was fanning too much.
[Andy Ellis] Fanboying a little too much.
[David Spark] Fanboying a little too much, yes.
[Andy Ellis] I will admit I have occasionally been there, especially when it’s something out of the blue. Like I meet football players all the time, I get selfies, totally okay. They’re used to it; I’m used to it. But I’ve done selfies with people who didn’t know that I knew the area they were a celebrity in and sometimes it’s awkward. Sometimes it’s amazing, and it can be fantastic because they’re like, “Wow. You know who I am.”
[David Spark] Well, the other thing that we had in common is that he’s from Carlsbad too as well.
[Andy Ellis] Oh.
[David Spark] So, we had that to discuss. That’s where I live, in Carlsbad. All right, let’s get on with the show, enough of this banter. Maybe I should do an entire episode on pinball. That would not be on a security podcast. There are pinball podcasts.
[Andy Ellis] I was going to say, I volunteer Mike Johnson to be the co-host.
[David Spark] [Laughter] There you go. All right. Let’s get to our guest, for that matter. So thrilled to have this person on. I am very familiar with the technology because I worked with it a ton although I am not an expert on it, but I’ve worked with editors who are experts. We’re talking about the Avid platform. So, anybody who’s a listener who’s a big video fan, they definitely know Avid. Anyways. He is the CISO over at Avid – Dmitriy Sokolovskiy. Dmitriy, thank you so much for joining us.
[Dmitriy Sokolovskiy] Thank you, David. Thanks for having me. It’s an honor.
What’s a great approach from a security vendor?
[David Spark] In a post on LinkedIn, Randall Frietzsche, CISO over at Denver Health, called on salespeople from security vendors to stop the spamming and cold-calling tactics and be part of the community. Now, I have long argued the reason CISOs keep receiving these annoyances is getting meetings, demos, trials, and sales are the ways that they’re being measured, their performance is being measured, and it is because of this that drives the desperation and bad behavior. So, my question to the two of you, and first you Andy, what new ways could salespeople be measured that would encourage good behavior with CISOs? There’s still this desire to draw a linear path to sales but how often does it cleanly play out that way? And by the way, quick tip of the hat to Jason Dance of StubHub for alerting me to the conversation. Andy?
[Andy Ellis] So, I don’t think we’re going to get away from they’re being measured on sales and, “Let’s measure them on something else.”
[David Spark] No. Sales, yes. But I’m talking about all the stuff before.
[Andy Ellis] Right. The challenge is there’s no measurement of the negative effect of some of these cold calls, but it’s not actually clear that there is a negative brand effect. How many people actually remember the names of all the companies that have sales reps that cold call them and actually really care and do anything about it?
[David Spark] I will give you an answer to that.
[Andy Ellis] I mean, there are some. I’m not saying it’s zero.
[David Spark] But I’m just telling you that I know of one very well-known security vendor that has a field, “Do not contact,” in their CRM. And I knew one of the salespeople, he looked it up, and he told me the whole list of vitriol that they received from specific companies saying, “Do not ever contact me again.” So, there is some measurement of that.
[Andy Ellis] Yeah, there’s some. And some do a great job of measuring that and figuring it out. I think this is a place where analytics would be really helpful, that we as an industry need to actually measure what is effective because spray and pray is cheap and so even if it’s inefficient, the inefficiency doesn’t matter. It’s functionally like a DDoS attack. Like going to Ticketmaster with a thousand people because you only want one Taylor Swift ticket. You don’t care if 999 fail in DOS Ticketmaster as long as you got your one Taylor Swift ticket. That’s the world that we live in is people just want our Taylor Swift tickets.
[David Spark] And Andy’s holding onto them. All right, Dmitriy, let me ask you this. Is there a way you like to be engaged?
[Dmitriy Sokolovskiy] Oh, for sure, there is. And I would like to give Randall a tip there that that is a beautiful rant that he has on LinkedIn, it’s just bravo.
[David Spark] Oh, he got a huge response.
[Dmitriy Sokolovskiy] Yes. Very hard life he’s leading. But I wanted to ask is what is he actually trying to say because that’s just emotions being put on that. It’s a rant, right? But what is he actually trying to say? And I think that behind all that emotion he’s saying that salespeople are needed and he just wants them to be better so that they don’t lose his trust. What he’s really saying in that post that they lost his trust by the way they acted. So, to Andy’s point, I think there is a negative, and it is loss of trust, it is loss of opportunity. And Randall actually goes right into saying what to do to improve the situation, how to build the trust back. He says, and I quote, “Get to know us and let us get to know you.” He actually tells them, “Get involved in the community, bring some positive value. And if you bring the value to the conversation, you get Brownie points.”
He’s very clear also, by the way, on the technical requirements for reaching out to him. He says, “Don’t call me. Don’t email me. Don’t do these things.” It’s pretty clear, just don’t do those things. But what do you do? And those are the things that we want to teach our vendors to do. How to build the trust through interpersonal experience, right? You’re bringing some value, people use your value, and you are all happy about it. In fact, do a cooking show. Do things like that. That’s how you can reach me. I will remember you as a good person that we had fun with and as soon as that occurs, we can get onto pipelines, AARs, and everything else you want to tell me. and that’s repeatable, that’s measurable, and that’s valuable and profitable for everyone.
[David Spark] Andy, did you want to conclude on this?
[Andy Ellis] Yeah. I just wanted to quickly add – Randall I appreciate where he’s coming from – do not follow Randall’s advice. He’s going to start blocking domains because he didn’t like the spam mail. It’s not the first time that has come up. That’s a fast way to an exit when you’re not responding to people who may be the business partner of someone else in the business.
Can’t we all just get along?
[David Spark] My question was are integrators, MSSPs, and resellers leveling the playing field for cybersecurity vendors. So, in an article by Ross Haleliuk on Venture in Security – tip of the hat to CISO Tradecraft to alerting us to this – he talked about how the platform play in cybersecurity seems to aim to consume all the competition. Big companies like CrowdStrike, SentinelOne, Palo Alto Networks, plus Microsoft because they’ve already got an install base of 3/4th of all computers, are purchasing and consuming competition in an effort to provide a one-stop shop. Now, the author alluded to the shifting role of integrators, but I’m starting to see the whole industry as critical to keeping the point solutions still in play, and they’re critical for the entire cyber ecosystem. Dmitriy, do you think without them, would the platform players just consume the entire industry and market?
[Dmitriy Sokolovskiy] I think that’s a yes, but I don’t think that they will ever stop coming. I think the real question is whether a platform, as you just brought up, itself is a necessary useful thing anymore. We’re talking about platform by vendorship, right, potentially benefiting from the unified but ultimately proprietary backbone of whatever kind. And that brings some benefits, and we got to be clear there are some benefits, right? Some people need 80/20, and they only need 80 and that’s good enough. And when viewed at scale, there is value here.
But I think – and as Ross definitely points out in his article – we’re facing an enemy that is continuously trying to improve and continuously trying to innovate. The enemy’s changing its tactics, its tooling, everything all the time very, very consciously. And that always means that at least that 20 remaining percent will be a remaining problem for every one of the big vendors. That’s never going to go away, which means someone is going to be making money on that. And one of those new vendors will survive. Inevitably, it gets picked up by one of the monsters, but that’s not going to change the 80/20 split for the monsters, for the big ones. So, that 20% will always remain and that will be the innovation, the evolution of the industry sort of filling itself, so I don’t think it’s ever going to go away.
[David Spark] Andy?
[Andy Ellis] I hate to say I just agree with what Dmitriy said and just stop there, but that’s mostly where it is. And the obvious question people would say is, “Well, why aren’t the big platform players innovating into that 20% faster than tiny startups?” and the answer is risk. The startups can take much greater risk because they’re betting it all on one roll of the dice. Big platform players can’t, so many times they’re waiting to see what the market actually wants, which puts them a step behind.
[David Spark] Right. Because they’ve got more money than they can take on risk, I would assume. Yes?
[Dmitriy Sokolovskiy] I was talking to one of Andy’s colleagues Lee Orr [Phonetic 00:12:12], and we actually asked them this question – why can’t someone just develop what you’re doing? It’s possible. We talked through it. It’s cheaper. It’s more expensive, more risky for the big company because they have so much to move to get going, whereas a little one can move very quickly at expense of some things big ones can’t afford. Again, back to the risk. Andy’s totally spot on.
[David Spark] What about these companies, and I’ve heard very, very large companies that, and I don’t know how realistic, I mean, this is how they market it, but they say, “Well, we’re a big company but we have our innovation center which is separate where we allow people to work on the next great thing kind of thing, so we’re like a startup within a big company.” I’ve heard that line so many times. I don’t know how realistic it actually is. Andy?
[Andy Ellis] Those can exist, these innovation centers. And what they’re really doing is they’re stripping out a lot of the heavyweight process but what they can’t take away is the business risk. There are startups that you look at and you’re like, “Oh, my God. That startup is going to be killed by regulators.” Because the risk that they’re taking is business ending. That’s not a risk that a large platform player can take, even in a small innovation center inside their business because it’s a business-ending risk. Now, it might be that there’s a way to navigate past the business-ending risk and when the startup successfully does that, they’ll get bought.
[Dmitriy Sokolovskiy] I think these labs are a good attempt by companies like this, and honestly, a lot of startups come out of exactly those labs. Back when I was at CyberArk, that’s exactly what happened. So many startup founders came out of the labs. But I don’t think they can, to Andy’s point, too much risk to handle.
Sponsor – Varonis
[David Spark] Let’s get into our sponsor today. Let me mention that. That is Varonis. Did I mention them at the beginning? Yes. So many security incidents are caused by attackers finding and exploiting excessive permissions. All it takes is one exposed folder, bucket, or API to cause a data breach crisis. Not a lot of fun! So, the average organization has tens of millions of unique permissions and sharing links. Even if you could visualize your cloud data exposure, it would take an army of administrators years to right-size privileges. With how quickly data is created and shared, it’s like painting the Golden Gate Bridge, and that is an exercise that takes an entire year.
So Varonis actually reduces data exposure while you sleep with the industry’s first fully autonomous data remediation. Varonis continually and intelligently removes unnecessary permissions, sharing links, and fixes misconfigurations without any human intervention. That’s the autonomous part I was mentioning. So, because Varonis monitors who uses data, their free incident response team will watch for alerts and call you if they see abnormal behavior like insider threats or compromised service accounts. To see how Varonis can reduce risk while removing work from your plate, head over to varonis.com/cisoseries and start your free trial today.
It’s time to play “What’s Worse?”
[David Spark] All right! It’s time to play “What’s Worse?” Dmitriy, I know you know how this is played. I’m going to make Andy answer first, and then you answer, and I love it when you disagree with Andy. Okay. Here we go! This comes from Jonathan Waldrop of Insight Global, and he has an interesting twist on the “What’s Worse?” so get ready for this.
You’ve got a good security program. All right? So much so your cybersecurity insurance premium decreased by 15%. But when you present the plan to spend that money at the next executive meeting, you’re told, “You’re doing such a great job but for the next 12 months, you can’t hire or backfill, and we’re taking back the budget for the new tools.” So it’s a good situation that you did well and you got a discount, but you can’t do anything with that money now. The opposite situation or the alternative “What’s Worse?” is you’ve got a good security program but you suffer a major breach, and as often happens, you receive an additional 15% in budget for new tools, additional head count, etc. So, it’s a scenario of do the same with less resources or get more resources but dig out of a breach. Which one’s worse? Andy.
[Andy Ellis] I’m going to say the second one’s worse because you got breached.
[David Spark] Yeah. See, that’s what I’m thinking.
[Andy Ellis] You failed in your primary mission which was protect the business.
[David Spark] Do not get breached! But the thing is who’s to say in the first situation you’re not going to get breached?
[Andy Ellis] That wasn’t in the situation. You don’t get to tweak them.
[David Spark] That’s true.
[Andy Ellis] That’s David’s first rule. That first situation, first of all, most security teams do not pay the cybersecurity insurance premiums out of their budget. So, the fact that you were able to save the company 15% and you thought you got to have that money, like no, no, no. That’s not your money. That’s the money that goes to everybody in the business because you don’t want to be taking away your money to pay the cybersecurity premiums. So, I think someone counted their chickens before somebody else hatched them.
[David Spark] So, I feared you’d go that way. It was like open and shut. One case, you got breached, the other case you didn’t get breached. I’m going to stay avoid the breach. But good argument that it’s not your money to even ask for. All right. Dmitriy, do you agree or disagree here?
[Dmitriy Sokolovskiy] It’s hard. I mean, Andy picked the right one that’s a lot worse. I would say that I’ve just experienced the first situation, so I’m actually pretty happy about it. We get to save company money that can be used elsewhere to pay for innovation.
[David Spark] But you don’t get increased budget to do anything else.
[Dmitriy Sokolovskiy] I look at it differently. I look at it we’ve done so well, this is a pat on the back. I’m going to use this as evidence how well we’ve done. And to Andy’s point – it wasn’t my money to start with. But I can get some Brownie points for it.
[David Spark] Ah. So, it’s good political leverage, not financial leverage.
[Dmitriy Sokolovskiy] Absolutely.
[Andy Ellis] Right. Your goal as a CISO should not be to increase your budget. It’s to increase your capabilities. Sometimes that requires more budget. Like there’s times where you just don’t have enough budget. But if you have increased your capabilities as a business so you’re spending your budget really well and really effectively, that’s what really matters, like what did you get done?
[Dmitriy Sokolovskiy] I can disagree with Andy here. Do you want me to disagree here?
[David Spark] Sure. [Laughter]
[Dmitriy Sokolovskiy] So, I think that was exactly the point, lowering insurance premiums for the company. Capabilities aside, everything else aside, if I can do less and still lower my insurance premium, that’s a win-win right across the board.
[Andy Ellis] Oh, that’s absolutely. If you are doing less to achieve the same, your capability went up. You weren’t wasting money.
[Dmitriy Sokolovskiy] It’s hard to disagree with that. I give up.
What I learned from a CISO.
[David Spark] So, Osman Young – this is the pseudonym. You remember, Andy, I told you we had this amazing “What’s Worse?” scenario person who I couldn’t say?
[Andy Ellis] This is our pseudonym now – Osman Young.
[David Spark] And it’s anonymous. So, this person…
[Andy Ellis] OY, what a pseudonym.
[David Spark] Call him Osman Young.
[Andy Ellis] No, I’m going to go with OY, the initials.
[David Spark] Oysman Young?
[Andy Ellis] OY, O-Y.
[David Spark] Oh, just O-Y, oy. So OY, or Osman Young, wrote in, “I suspect that many of your listeners consume the CISO Series content not only because they find it interesting, but because they also have a continuing professional education or CPE requirements to satisfy. If you are an InfoSec recruiter and/or a leader, what sorts of CPE content would you want your staff or a potential new hire to be taking in to demonstrate that they are the real deal and not just a paper CISSP? Does it only ‘count’ if you buy an InfoSec book or take an InfoSec training class?” Andy, the correct answer is listening to this show, by the way.
[Andy Ellis] Of course it is. And I do have to say I really appreciate how Osman worded this because you didn’t emphasize it, but for our listeners ONLY in that first sentence was all in caps, that, “Many listeners consume our content not ONLY because they find it interesting but because they also have a CPE requirement to satisfy.” Versus they consume it not because they find it interesting. That ONLY did really matter. Look – I’ll be honest – I actually hate CPE requirements. The CPE requirements are mostly there so that certification bodies can feel like they’re providing continuous value so that they can keep charging you money for those three or four or five letters after your name.
But if you’re going to do CPEs, you’re going to do any form of continuing education, it should be something that makes you think. Right? You shouldn’t be going off and saying, “Oh, I’m just going to listen to a podcast so I have my hours,” or “I’m going to a conference so I can have my hours.” It should be, “I’m going because I want to learn something, I want to think about something, I want to be challenged, learn a new skill so I can go practice it.” Honestly, I’d rather people spend their time developing new skills and trying things out, even if they’re not core to their mission but something nearby.
If I was in Dmitriy’s team, I would want to see people who are out practicing with video technology, like that’s part of our core business even though it’s not security. Go learn what our core business is and go play around with that and come back and be like, “Oh, my God. I just realized why we can’t connect with these people because we didn’t understand how they operated, and now I’ve got an idea about it.” Anything that will further how your brain can engage on the job, that’s what I want to see you doing.
[David Spark] All right. Dmitriy, what’s your take on CPE credits?
[Dmitriy Sokolovskiy] Andy covered it pretty well, and I really like how he just tied it into connecting with people as a CPE result, and I think that’s very important. I think that really anything you take that is part of a long-term plan would work for me. I don’t care what you do, I don’t care what exactly that is, as long as it’s a part of a long-term improvement plan. Like improv. I know, David, you’ve done comedy before, right? So improv, for example, I could totally take that as a CPE credit because it’s an incredible improver – no pun intended – for everything else you do. Especially as a CISO but no matter where you are on the security team. Getting you to be people related, be able to talk in their language, understand their feelings – yes and – through any situation is an incredible benefit. And by today’s rule, I can’t use it as a CPE thing, right? So that’s a gap. So I would say from my perspective, anything that is part of a long-term plan and oriented at humans being able to influence security culture would be good.
You couldn’t have done better than that?
[David Spark] “Cyber risk is the risk that the board has to address, while digital risk is the actual raison d’être of those policies,” said Ríkharður Egilsson of OECD on LinkedIn. So, as we’ve seen with new directives from the European Union and the US, there is a significant push to make organizations more accountable for protecting digital assets and alerting the community to digital failures because problems with critical infrastructure can have a ripple effect and will require multiple organizations to respond. So said Bart Groothuis, lead member of the European Parliament, “If we are being attacked on an industrial scale, we need to respond on an industrial scale.” So, Dmitriy, I’ll start with you on this one. What do we have in place that will help with this industry-wide communications, and what would you like to see in place to make us even more responsive?
[Dmitriy Sokolovskiy] I would take it a step up and I would say that we want to consider what industrial scale is and how we can apply it. I would say there are three things we need to figure out. We need to figure out what to do, how to do it, and there is also the process of figuring out what and how to do. Those are all three separate things. And I think that development of Agile methodologies in combination with DevOps is really equivalent to the impact of assembly line, best known for what created the Ford empire. And between these two – the Agile being the figuring out how to approach a problem, then DevOps on actually how to fix a problem, and then culminating with big data and automation to find problems, then automation to let business deal with the problems directly. I think that in combination is industrial scale for cybersecurity for our industry.
[Andy Ellis] So I just want to start by if you have to put adjectives in front of the word risk to distinguish between two types of risk, maybe you’re being a little pedantic.
[David Spark] Well, no, but I…
[Andy Ellis] No, I’m actually really serious because when I read this post and it talks about cyber risk is the direct impact of the technical failure. Ransomware shuts your communications down, but digital risk is the effect on the business and the ecosystem. Like if you’re a hospital, you stop serving patients. And I’m like if your distinction is that the board of a hospital is worried about ransomware because the business stops and not worried about ransomware because you stop serving patients, there’s a little issue there.
[David Spark] Right, right. There really is just one thing we’re concerned about – is it affecting the business to operate?
[Andy Ellis] Is it affecting the business and then how does that affect the rest of the ecosystem is, I think, an interesting question. Now, in the United States, we have the ISACs, and the ISACs are really good in the critical infrastructures at doing information sharing and defense sharing. You find companies that are cutthroat competitors whose CISOs are on cordial, friendly relationships. And when one of them has a bad day, they pick up the phone and they call their competitor and they say, “Here’s how not to have the same bad day I just had.” That is the single most effective tool we have found is these trust relationships with trusted communities, sometimes at the C Level, sometimes at the architect level. And honestly, often government gets in the room and people don’t trust the government entities who are trying to facilitate the information sharing.
[David Spark] You really boiled it down to a very, very nice line of, “Here’s how to not have the bad day I just had.”
[Andy Ellis] Yes.
[David Spark] Let’s close with just that. What’s the best advice you got from someone else that was just that? How not to have the bad day I just had. Dmitriy?
[Dmitriy Sokolovskiy] Talk to other people who had the bad days, continuing conversations. Andy, you just mentioned. I came back from New York and a lot of vendors in this industry as well as the customers got in a room together and talked about this. How do we talk to each other so that when one of you, and everyone pointed at Sinclair, has a bad day, no one else has that same bad day. And that’s exactly what came out of that conversation. We’re building a media and entertainment ISAC exactly for this reason.
[David Spark] Speaking of bad days, I just met last week Tim Brown, the CISO of SolarWinds. That guy had a bad day.
[Andy Ellis] Absolutely.
[David Spark] Multiple bad days. He lost 30 pounds in one month after that happened. We’re going to get him on the show actually. He’s going to be coming on the show eventually. But man, the stories he told me of what he went through and the level of abuse. The fact that he’s walking and talking [Laughter] is kind of amazing.
[Andy Ellis] Yeah. One of the things you can do – and I love Dmitriy, you know, talk to people – sometimes it’s also show you can be trusted when the other person is having a bad day and I’ll give an example for this. Back when I was at Akamai, Cloudflare had a really bad day. I was in Israel on vacation at the time and look, I don’t have any special insight into what had exactly happened, but I read their blog and I’m like, “Oh, I know exactly what happened.” And not only did I know exactly what happened, I’m like, “We had this almost exact incident seven years prior.” Not something that Cloudflare would have learned from specifically, so I’m not throwing them under a bus for it happening, but I’m like, “I understand exactly the complexity issues.” And they literally had customers who were saying things like, “Well, Cloudflare, why do you use your own technology for your customer portal? Because when you go down, we couldn’t deprovision.” And I’d heard that a lot at Akamai.
And Cloudflare couldn’t say anything because when you’ve already created a bad day for your customers and they start yelling at you, you don’t get to yell back and you don’t get to correct them, and I’d been in those shoes before. So, I hopped onto Twitter, and I basically had this massive Twitter threat that said, “Look. I don’t know anything other than what the rest of you know but let me just explain some of the issues of complexity that face a platform of Cloudflare’s size.” And I said all of the things that I think Matthew Prince wanted to say but couldn’t.
[David Spark] Whoo. That’s an interesting way to help because Steve Zalewski who is our other co-host on Defense in Depth used to be the CISO over at Levi Strauss, and he had good relationships with his direct retail competitors. His take was, “When you’re having a bad day, my team is your team. I’m here to help out.”
[Andy Ellis] And so those were things that I think needed to be said that people needed to be told, “No, it’s crazy talk for you to ask. One CDN to use a different CDN for its customer portal? It would never happen.” Cloudflare couldn’t say that, but Akamai could.
[David Spark] So, I will tell you – I did something like this for sort of a competitor. Yeah, what am I saying? A competitor, but they were doing an event. And they were getting lambasted that there were no women speaking at the event, just lambasted. To which I published, I go, “How do you know they didn’t invite women and they said no? How do you know that didn’t happen? And did you also look that almost all the presentations are sponsored, so the sponsors get to choose who speaks.” And I said that. Boy, that didn’t help because I got trashed for speaking up.
[Andy Ellis] Right, right. Sometimes you got to be careful. Sometimes you’re stepping into the line of fire.
[David Spark] Yeah. I was like, “Well, that’s the last time I’m going to do that.”
[Andy Ellis] Right. Before RSA had invited keynotes, when all of them were just vendor keynotes except for the couple of really big names, people would look at it and be like, “All the first announcements were all the vendor keynotes, and it was all men.” It’s like RSA doesn’t control it and having been one of those keynotes, I’ll tell you – RSA did say, “If you have a woman speaker, we’d really appreciate it.” But it’s literally like there are exactly eight vendors and they know who the vendors are, and they want either the CISO, the head of products, or the CEO, and that’s literally their restriction is those three people. There’s 24 humans you get to pick from. That’s what the gender diversity was in that group of humans. Now RSA had other moves they could make and I’m glad they did make them but yeah.
[David Spark] I’d just point out that doing this is difficult.
[Andy Ellis] It is. It can be very difficult.
[David Spark] But again, I am compassionate to the concern. I’m just saying it is difficult, it’s not easy.
[Dmitriy Sokolovskiy] Walk a mile in someone else’s shoes.
[David Spark] Exactly.
[David Spark] Gentlemen, thank you so much. That brings us to the end of the show. We greatly appreciate, Dmitriy, you being on the show. You were awesome. Thank you so, so much. And I want to thank our sponsor, that’s Varonis. If you didn’t already know this, go to varonis.com/cisoseries and you can start a free trial with them as well. Any last words, Dmitriy? And I know because you did so damn well that you’re probably not flush with hiring. But I know if you’re awesome and you want to work for an awesome company like Avid, they should contact you, yes?
[Dmitriy Sokolovskiy] We have a lot of openings. Not on my team but on product teams and shockingly, they’re all looking for people with security experience.
[David Spark] Ah! Even better. Awesome. Any last words, Andy?
[Andy Ellis] I just have to say I just recorded an audiobook last week.
[David Spark] Oh, what book is this? Did you record my book?
[Andy Ellis] No, it was mine.
[David Spark] Because I never did an audiobook for my books.
[Andy Ellis] My audiobook, 1% Leadership, but calling back to Dmitriy’s earlier point about CPEs for everything, I learned more about public speaking while doing the audiobook because I had a professional narrator as my director in my ear giving me real-time feedback.
[David Spark] About your inflection, yeah. I saw you had a whole Twitter thread about this.
[Andy Ellis] Yeah. It was really just amazing, and I have to say absolutely worth it, so happy I did it, and you can buy the audiobook at all of your favorite platforms.
[David Spark] And that’s going to be available when?
[Andy Ellis] On April 18th is when it will ship to you, but you can preorder it now.
[David Spark] We will have an episode that releases that day and I’m sure this topic will come up. Thank you, everybody, for listening to our show and also for contributing. By the way, we need a lot more “What’s Worse?” scenarios, ones that Andy can’t handle at all. We need it. And Osman Young, if you’re listening, yours are pretty awesome. Everybody else – get up to par where Osman is. Thank you for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.