Tips to Finding an Incompetent Overpriced Cybersecurity Consultant

What questions should we be asking of a consultant’s referrals to see if they’re really worth the money they’re trying to overcharge us?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Ira Winkler (@irawinkler), CISO, Skyline Technology Solutions.

Thanks to our episode sponsor, Varonis

Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform.

Full transcript

VOICEOVER

Ten-second security tip. Go!

IRA WINKLER

If you expect the user to do something stupid and you don’t plan for it, you’re the stupid one. 

VOICEOVER

It’s time to begin the “CISO/Security Vendor Relationship Podcast.” 

DAVID SPARK

Welcome to the “CISO/Security Vendor Relationship Podcast.” My name is David Spark. I am the producer of the CISO Series. And joining me as always is my co-host, Mike Johnson. Mike, the sound of your voice – let’s hear it. 

MIKE JOHNSON

I am here, David. I am recording live from my fabulous bedroom that I’ve been in this entire time. 

DAVID SPARK

You’re not recording. 

MIKE JOHNSON

I’m recording live. 

DAVID SPARK

Everyone’s recording live (laughter). 

MIKE JOHNSON

I’m live as I am being recorded. 

DAVID SPARK

You’re live as you’re speaking. 

MIKE JOHNSON

I am alive. 

DAVID SPARK

Yeah. 

MIKE JOHNSON

Is that better? I am alive. 

DAVID SPARK

You are alive, thankfully. 

MIKE JOHNSON

Yes. 

DAVID SPARK

Thank you. 

MIKE JOHNSON

Yes. 

DAVID SPARK

Stay that way. 

MIKE JOHNSON

I’m working on it. 

DAVID SPARK

We get a lot of requests for Mike to stay alive. 

(LAUGHTER) 

MIKE JOHNSON

Please keep those coming. Those are much better than the alternative comments. 

DAVID SPARK

I hope you’re not getting the others. 

MIKE JOHNSON

No. Let’s keep it that way. I like it this way. 

DAVID SPARK

All right. Hey, we’re available at cisoseries.com. Do you know that you can get all our programming? We’ve got five different shows. We got the Cyber Security Headlines, which, by the way, is our fastest growing show. 

DAVID SPARK

We have the Week in Review show. We have the video chat that happens every Friday, and that’s a – that is a live show. 

MIKE JOHNSON

(Laughter). 

DAVID SPARK

And then we also have our show Defense in Depth. And by the way, we’re working on more, to let everyone know. So all of that’s available at cisoseries.com. Our sponsor for today’s episode is Varonis – very excited to have Varonis back sponsoring this very show. All right. Mike, we are recording this in June. 

MIKE JOHNSON

Early June. 

DAVID SPARK

It’s actually not going to air until August. And we’re going to call it right now – by August, by the time this episode airs, all of ransomware will be solved, correct? Are you with me on that? 

MIKE JOHNSON

Absolutely. Two months from now, I cannot imagine we’re going to be talking about ransomware anymore. It’s going to be solved. We’re good, right? 

DAVID SPARK

In fact, it’ll be dated that… 

MIKE JOHNSON

Yes. 

DAVID SPARK

…We’re mentioning it even now. 

MIKE JOHNSON

Yeah, like, who even talks about ransomware anymore? That is so old news. 

DAVID SPARK

It seems like the Hula-Hoop. 

(LAUGHTER) 

MIKE JOHNSON

Pet Rock – it is the Pet Rock of security threats. 

DAVID SPARK

It is the – yes, that’s probably the best way to describe it. 

(LAUGHTER) 

DAVID SPARK

We will talk about ransomware later in the show, but it’ll be so quaint. 

MIKE JOHNSON

This’ll be the last time. This is the last episode where we talk about it. 

DAVID SPARK

I don’t expect this to ever – to come up again. 

MIKE JOHNSON

Never. 

DAVID SPARK

All right. With that said, let’s bring in our guest, who, by the way, if you’ve ever attended an RSA Conference, chances are pretty good you’ve had a chance or you’ve seen this gentleman speak. He speaks at many of the RSA Conferences. I’ve interviewed him before. He’s phenomenal on the microphone. And guess what? I asked him to come on this show, too, as well. It is the now-CISO of Skyline Technology Solutions; he’s also the author of many, many books – Ira Winkler. Ira, thank you so much for joining us. 

IRA WINKLER

No, I really appreciate being here. Thanks so much. 

Hey. You’re a CISO. What’s your take on this? 

3:13.544

DAVID SPARK

Ransomware seems inevitable for so many organizations that it’s always nice when we hear a good-news story about ransomware. So as I mentioned earlier, we are recording this in June, when Fujifilm refused to pay a ransomware demand. They restored their network from backups. So, I mean, I – start with you, Mike. What are the backup configurations you should consider to be able to do exactly what Fujifilm did, and what about protections should they threaten to release your data to the public? And when I say they, I’m not talking about Fujifilm, I’m talking about… 

MIKE JOHNSON

Right. 

DAVID SPARK

…The ransom – the extortionists here. What say you? 

MIKE JOHNSON

First of all, make sure you are performing regular backups. Not everyone is. So start there. 

DAVID SPARK

I want to know from you, like, what is a regular backup? 

MIKE JOHNSON

So a regular backup is the old rotation of you do a full backup on a certain interval of all of your data. You do incremental backups on a much shorter interval. It could be daily. It could be hourly. However often your data changes will change how you schedule those backups. And do that on a regular basis. And that means that you have backups. If you need to restore, you know how much you’re going to lose. So if you’re doing hourly incremental backups, at most, when you come back online, you will have lost an hour’s worth of data. That’s how you decide what your schedule is, is how… 

DAVID SPARK

Right, but also – there’s also the time to restore to as well. 

MIKE JOHNSON

Correct, you know, the coming back online. 

DAVID SPARK

Do you have a good idea of what that would take? And, more importantly, like, are you in a way micro-segmented and – or have you talked to other companies micro-segmented should a ransomware get – hit, like, it can’t bleed too far? 

MIKE JOHNSON

It heavily depends on your environment and what your production environment looks like. Some are naturally segmented; just, this is this set of data, and if I just backup that system, that’s all I need to worry about. Some – you might have a very massive system that is spread across thousands of servers, but it may all go back to one central data store. You may just have one data store that you’re then having to worry about backing up. And the nice thing about that scenario is you can have online replicas that are going all the time. So everything that gets committed is written into multiple places at once. 

DAVID SPARK

So the idea is you could have one completely fail, and you could have a failover and literally lose no time, conceivably. 

MIKE JOHNSON

Exactly. And one of the things that’s important – like, I’m glad you mentioned the coming-back-online portion of a backup because not enough people test the recovery side. 

DAVID SPARK

Well, that was the whole thing with the pipeline issue. It took forever for them to restore, and that’s why they paid it but – got money back. All right, let me throw this to Ira as well. Ira, adding to this, I’m sure you’re sort of on the same page. What would you add to this, sort of preparing your backups for – to do what Fujifilm did? 

IRA WINKLER

Well, I think a lot depends also on the size of your organization. If you’re a smaller organization, for example, let’s say you are, like – sorry, not endorsing any product, per se. But let’s just, for example, say you’re an Office 365 customer using SharePoint and everything like that, and your people are constantly – you know, they’re not saving to their local computers; they’re saving to the cloud. You pretty much are able to come back up without any significant losses, if and only if the ransomware is not reasonably sophisticated and starts encrypting the online data that you’re storing, because part of the thing about having some backups, part of the thing about having data stored across all these multiple systems, is that the problem isn’t – a user is hit by ransomware, and that data is hit. The bigger problem occurs – that really shuts down companies is when there’s a lot of shared drives, and the share drives get hit. And depending on if – let’s just say it’s not configured intelligently. When encryption starts on some of the data backups and you’re doing hot spares, the hot spares might get encrypted as well in the wrong environments, and you’ve got to proactively account for that. And then much to what Mike was saying, I’ve seen countless people who get hit by something – and not just ransomware but any disaster – and then all of a sudden, they never try to restore from backups at all. They found their backups were – you know, were corrupted in one way or another. I actually had – I can’t say which organization, but there was an organization that is – I was working – well, talking to more than working with. And they were restoring off of backups, and they had tape backups. And the truck that was delivering the tape backups got into an accident. 

DAVID SPARK

Oh, gosh (laughter). 

IRA WINKLER

(Laughter) And it was like Murphy’s Law of everything possibly going wrong. 

MIKE JOHNSON

Wow. 

IRA WINKLER

And you have to plan for those bizarre things. So again, I wish I could tell you the one perfect answer, but the right answer… 

DAVID SPARK

No, no, there is none. 

IRA WINKLER

Yeah. 

DAVID SPARK

But you make a very good point in that – well, A, redundancy, but, B – that situation with the truck getting hit, that’s hysterical. 

IRA WINKLER

I wish I could say who. I can’t say who it was, but I was…

DAVID SPARK

No, I don’t want you to say it. 

IRA WINKLER

I was talking to somebody, and he was describing – ’cause he was involved in the recovery. And it was like – he’s like, you’re not going to believe what happened. 

DAVID SPARK

(Laughter). 

IRA WINKLER

It was a publicly announced ransomware incident, and then they weren’t reporting because they didn’t want to pay the ransom. But again, I should say it’s a totally different story, though, if it’s a case of extortionware, where they’ve downloaded data. It wasn’t the case of Fuji. But you might have to deal with that as well, where recovery is not the problem in that case. 

Oh, geez, not again. 

9:13.241

DAVID SPARK

On “Defense In Depth,” my co-host Steve Zalewski said, what I can’t do anything about are the people that will get an email and it says, please enter your username and password so I can do blah-dee-blah (ph), and they do it, repetitively. They just trust so much that they can’t imagine that somebody would be malicious. So I’m going to start with you, Ira. Steve doesn’t know what to do with that person. Are they a lost cause? 

IRA WINKLER

I am going to probably never be put on the show again. I think Steve is the lost cause ’cause… 

DAVID SPARK

(Laughter) Really? 

IRA WINKLER

(Laughter) In all sincerity – and I mean this – what was my tip at the beginning? That if you expect a user to do something “stupid” – and I use my Dr. Evil quotes – and you do not proactively expect the stupid and proactively mitigate it… 

DAVID SPARK

But he’s not saying that. He’s saying, I can’t change that person. He’s not saying that I’m not putting other defenses in place. And you’re right there. But he’s saying, can you deal with – I guess the way you deal with a person like that. 

IRA WINKLER

Well, here’s the problem. 

DAVID SPARK

Yeah. 

IRA WINKLER

And I – this gets into, like, what should you do with a repeat clicker and, oh, you can’t blame the user. Yes, you can blame the user. At some point, if they use – like, for example, what would happen if you had a cashier, well-meaning but always just made mistakes giving out too much money? They’d be fired, if not criminally prosecuted. What would happen with a nurse who accidentally just wrongly administered the wrong amount of inoculation? They’d be fired really easily. If you have somebody who presents an imminent risk to your organization on a regular basis and doesn’t stop it – I mean, I hate to say it, but, you know, depending on the level of trust there – and for example, if it’s the janitor, fine. They don’t have any critical access. If it’s an executive assistant to the CEO, if it’s somebody in HR, somebody who handles regular PII, they should probably not be in that position if you expect them to do something like that ’cause, hopefully, Steve is doing exactly what he’s doing. He’s expecting stupid. But, I mean, hopefully, he’s mitigating. But at some point, he’s not going to be able to mitigate everything because the only reason the message got to the user in the first place is ’cause the whole technology infrastructure failed in failing to filter out this phishing message. Then for damage to occur, the technology infrastructure had to allow the user to create damage. A user, for example, doesn’t encrypt every bit on a computer one bit at a time. The system does that. And if you don’t have anti-malware – you don’t have data leak prevention in place proactively and all this, then it’s like, OK, but even that will eventually fail. But if you’re a user, like – much like if an anti-malware consistently failed, you get rid of it. I hate to say it. If the user fails in the wrong position, you have to get rid of them. 

DAVID SPARK

How do you feel about that, Mike? Would you – if you had a user like what Steve described and they just kept, like, leaving the door open.

MIKE JOHNSON

So I think there’s a combination of understanding what their intent is. Like, if they are maliciously leaving the door open, then you need to have a different discussion. The way that I think about it, though, is very much in line with what I was talking about. Our environments have to be resilient to people making mistakes. 

DAVID SPARK

Right. By the way, I remember having this conversation with the CISO of the city of San Francisco. He goes, you know, you can’t have your whole company go down because someone clicked a link. 

MIKE JOHNSON

Exactly. Exactly. And if that’s the situation that you’re in, you really do need to rethink your own controls. But you can deal with and expect that people are going to make mistakes, that they’re going to occasionally click on that link. They’re going to, frankly, occasionally fall for something that they type in their username and password into the wrong site. But if you’ve got multifactor authentication, if you’ve got single sign on, the impact of that isn’t going to harm your environment. That person can only do so much damage. And that’s – you kind of have to expect and design your environment for someone making a mistake. 

DAVID SPARK

Can you give me, like, one design element you do to deal with something like that? 

MIKE JOHNSON

Single sign on with multifactor authentication – right there. 

IRA WINKLER

Sorry – I’ll just throw in I wrote a whole book “You Can Stop Stupid” on exactly that. 

DAVID SPARK

OK, so if you want to do all those mitigations, get “You Can Stop Stupid” – available on Amazon, yes? 

IRA WINKLER

Yes. 

DAVID SPARK

Go read the book. I will link to it on the blog post for this episode, as well. 

STEVE PRENTICE

The best defense has always been a strong offense. And Matt Radolec, senior director of incident response and cloud operations at Varonis, says this includes adopting a breach mentality, which means you know bad things are going to happen. 

MATT RADOLEC

Once you accept that assume breach mentality or it’s not a matter of if but when – is really thinking about, like, how can you move the detection to earlier in the chain? A lot of organizations, when you start to talk about ransomware, focus on the detective controls that they have for what I call the moment of detonation or the moment of exploitation, as in this is the exact second that the attackers are releasing the ransomware, and files are starting to be encrypted. And from my standpoint, detecting that – that’s your minimum. You have to be able to identify, detect and respond hopefully automatically or block the moment that the ransomware gets unleashed when accounts are being targeted. When lateral movement is happening, when they’re going after service accounts or, you know, putting attacks in on active directory to be able to establish higher-level privileges, often referred to as privilege escalation and lateral movement, when they’re compromising those initial users and taking control of them and starting to access and exfiltrate information, these are the early warning indicators of today’s modern cybercriminals. And if you can identify and stop that, you won’t have to rely on that last line of defense, that detective control around the detonation and exploitation of ransomware. 

STEVE PRENTICE

For more information, visit varonis.com.

It’s time to play “What’s Worse?!” 

15:42.620

DAVID SPARK

All right. Ira, you know how this is played. Mike, you know how this is played. And, Ira, I’m going to clue you in – we have a long-running inside joke here that Mike – his least favorite thing in the world is the brilliant jerk on your team because they essentially poison the team. Doesn’t matter how talented they are. If they’re a complete jerk, they ruin it for everybody else. And so we’ve had a lot of What’s Worse scenarios where one of the options is the brilliant jerk. And Mike always chooses the brilliant jerk. And I’ve put the challenge out to the audience – come up with something so Mike doesn’t choose the brilliant jerk. So I will just say this, that we have a scenario, Mike. And it’s a lose-lose situation for you. 

MIKE JOHNSON

Great. 

DAVID SPARK

(Laughter). I kind of know which one you’re going to pick on this one. But here we go. This one comes from Bryan Zimmer, who’s the CISO over at Humu, who we’ve got as a guest – well, actually, not on this show. We’ve had him on the other show. Here’s his What’s Worse scenario – the one you know. What’s worse? You have a stereotypical brilliant jerk on your security team, or you’re the brilliant jerk and you don’t even know it. 

(LAUGHTER) 

DAVID SPARK

Which one’s worse? 

MIKE JOHNSON

Oh, thanks Bryan. 

DAVID SPARK

I kind of know which one… 

MIKE JOHNSON

Yeah. 

DAVID SPARK

…Way this is going, but I want you to talk us through it, Mike. 

MIKE JOHNSON

This one should be pretty obvious where I’m going to go. So on the one hand, you’ve got someone who is going to be toxic, nobody else wants to work with. But you kind of know who it is. You know that that’s the brilliant jerk. And the other case is you’re the one that nobody wants to work with, and you don’t realize it. That’s the two scenarios here. 

DAVID SPARK

And by the way, let me ask you. How many brilliant jerks you think aren’t aware that they’re a brilliant jerk and nobody wants to work with them? 

MIKE JOHNSON

I’d call it 50-50. 

DAVID SPARK

OK. 

MIKE JOHNSON

Like, I imagine some of them don’t care that they’re a jerk.

DAVID SPARK

That too. Yes. 

MIKE JOHNSON

And they fully understand it. And then there’s the others who just don’t realize it. 

DAVID SPARK

Right. 

MIKE JOHNSON

And some of them – like, that latter case – sometimes you can have a conversation with them and reach them, and they’ll actually change their behavior. 

DAVID SPARK

And have you done that? Has that actually happened? 

MIKE JOHNSON

I cannot recall off the top of my head if I have, but I know that people have had those conversations. 

DAVID SPARK

I want to know – this is a callout to the audience. Have you turned a brilliant jerk? 

MIKE JOHNSON

Oh, I’d love to hear that. 

DAVID SPARK

Not from being brilliant to stupid but… 

MIKE JOHNSON

Right. 

DAVID SPARK

…From being a jerk to being not a jerk. 

MIKE JOHNSON

Yes, turn the jerk side. Keep the brilliant side around. 

DAVID SPARK

Yeah. Yeah (laughter). 

MIKE JOHNSON

So the reality is the worst situation here is if you’re the one who’s a brilliant jerk and you don’t know it, right? 

DAVID SPARK

Yeah, I knew you would pick that. 

MIKE JOHNSON

Like, all sorts of badness is going to happen and you don’t realize it. But I’m still being consistent. The brilliant jerk is the worst one. 

DAVID SPARK

Yeah. Well, it was both options. 

MIKE JOHNSON

Yes. Yes. 

DAVID SPARK

All right. Ira, I throw this to you. And by the way, I should let you know that I always like it when people disagree with Mike. You can agree or disagree, but which option here is worse? 

IRA WINKLER

I will say when people have, in the past, asked me why am I good at what I do, it’s always because I know what I’m bad at. And I learned to surround myself with people who are much smarter than I am at any given point of failure. And I would have to unfortunately agree with Mike that if… 

MIKE JOHNSON

(Laughter). 

IRA WINKLER

…I was the brilliant jerk, it would be a much worse case because everybody – I find these brilliant people to come work for me who aren’t the jerks, and then they end up leaving. And you don’t know why they’re leaving. Frankly, the problem is if management doesn’t realize why everything’s going wrong around them, even if they can say, oh, there’s a brilliant jerk over there and he must be the cause, it’s like, even if you get rid of that brilliant jerk, your problems are just going to magnify because you’ll never keep anybody good around and you’ll be surrounded by anybody who’s like, well, gee, I want a better job. I can’t find one. I’ll just stick around till I do. That’s a bad thing. So again, sorry to agree with Mike, but I have to. 

MIKE JOHNSON

(Laughter). 

DAVID SPARK

I’ll accept it. 

Close your eyes and visualize the perfect engagement. 

19:46.039

DAVID SPARK

Over on LinkedIn, Violet Sullivan with ePlace Solutions has an article about finding a cybersecurity consultant. The best part of this article was the questions to ask referrals when vetting a consultant. She recommended these three questions. One – how long did the project take to complete? Two – how clear and actionable was the consulting report? And three – how helpful was the consulting company in remedying the issues found? So I’ll start with you, Ira. Are these the best questions to ask the referrals, or are there better questions? Ira.

IRA WINKLER

I think a better question is, what did they tell you that you wouldn’t have known in the first place? Because when you’re looking there – and it’s like, you know, you could ask the right questions. And frankly, the reason you go to an outside consultant – sometimes it’s for body shop. But even if it is for body shop and you just want them to do what you’re doing, you go to an outside group of people. And frankly, sometimes you even go to multiple groups of people. Like, for example, if you’re going to do a pen test, I frequently recommend that you want to make sure that they’re changing their team or you’re changing your contractor, for example, because they will – frankly, everybody has their hammer, and to them, you’re a nail. And you want someone who might say, hey, you’re – I have a wrench. They have a hammer. You want different perspectives of this. And I think the most valuable question is along the line of, gee, what questions did they ask? Did they sound intelligent and ask questions that you wouldn’t have asked yourself? What did they bring that otherwise nobody else would have brought to the table? And what did they bring that nobody brought to the table in the past? And that’s how you usually know on top of the other things, which are frankly – you know, I hate to say it this way, but more mechanical. Like, did they execute reliably? That’s what those questions were. They didn’t ask, where’s the value, enhanced value you got from using them, which I think is more important. 

DAVID SPARK

Good point. Mike, I throw this to you. 

MIKE JOHNSON

So I liked Ira’s approach there of, what is the enhanced value? What are the things that they’re augmenting that you couldn’t already do yourself? So I think that’s certainly something to add. 

DAVID SPARK

And by the way, let me also echo Ira – and probably you will, Mike – in that this is the sign of also a leader. It’s like, you want to bring on the people who – like you said – who do the things you can’t do… 

MIKE JOHNSON

Yep. 

DAVID SPARK

…Which, in the end, makes you look phenomenal. 

MIKE JOHNSON

That’s the goal is kind of surrounding yourself with people who are smarter than you and… 

DAVID SPARK

Not jerkier than you. You want to be the king jerk, right? 

IRA WINKLER

(Laughter). 

MIKE JOHNSON

Always try and be the biggest jerk. No, no. Don’t do that. 

DAVID SPARK

Go on. 

MIKE JOHNSON

But I do think – and I’ll disagree a little bit with Ira here. I do think you need to ask the mechanical questions. I think that’s important to get not only a taste for what value they’re bringing, but what is the quality of the work. And some of these mechanical questions are getting you, what is the quality? Did they deliver on the statement of work? Did they do what they said they were going to do? And I also wonder about how much handholding was necessary. How much did you have to manage them on a day-to-day? Or did they actually act autonomously? – which is usually what you’re bringing them in for. You’re not bringing them in to make additional work for you. You’re bringing them in to take work off of your plate.

DAVID SPARK

I think I would also add to both of what you’re saying the thoroughness of the questions that they ask of you, not just did they ask the things that you wouldn’t have asked, but I remember, you know, just parallel to this, working with an event producer and the sheer number of questions he asked me that I just – I was like, well, some of these I knew to ask, but I didn’t know to ask this many. It was, like, the sheer volume. I think that’s kind of a key thing probably with a consultant is they’ve got to have a really long list of questions. Yes, Mike?

MIKE JOHNSON

I think so. You also have to be a little bit careful that they’re just trying to dazzle you with their questions. If they’re just going through a checklist of a thousand questions that aren’t really bringing any value, then it’s actually not going to be a great engagement. 

IRA WINKLER

To a large extent, I agree. And I don’t want to downplay the mechanics of that. I’m just talking about, how do I know if somebody’s really good – ’cause I can go to, frankly, a hundred people and get the mechanics right. You know? I want to go to those people that I think did something nobody – at least my current team – couldn’t have done and provide the value-add, knowing that they’re not going to get everything themselves. But at the same time, you know, you have to get everything proactively right. Sometimes there are too many questions, too many interviews. When I was doing consultancy, when I was creating awareness programs, I would try to interview people. And you know, we would have a list of different departments to interview to get the culture set and everything. But we found out that after about six interviews, we pretty much were wasting time ’cause there was enough repetitiveness after a certain point. You just weren’t getting too much value-add for the time input. You know, we did do the interviews as requested, though, because we wanted to give people a sense of ownership, even if we knew they were going to, you know, give us the same answers and hope for the best. But you got to understand – this, really at the end of the day, is value-add, and you don’t want people asking questions for the sake of asking questions ’cause you also want efficiency, because the most valuable thing isn’t even the money you’re paying them, it’s your time. And if you’re giving up goodwill by answering questions, by giving questionnaires to your team and everybody else, you’re going to really fail your company.

There’s got to be a better way to handle this. 

25:39.122

DAVID SPARK

Chris Wysopal, who’s over at Veracode, asked on Twitter – how are security teams dealing with the proliferation of interorganization Slack and Teams channels? Is this an information leakage disaster waiting to happen? Misdirected email is bad enough. This could be worse. So Mike, Ira – and actually, I’ll start with you, Mike. How challenging are the messaging apps? 

MIKE JOHNSON

You have to actually manage them. If you are using out-of-box configurations, then there’s a lot of this cross-organization collaboration that’s just enabled by default. But if you’re paying attention to it, you actually can bring some control to the situation. 

DAVID SPARK

Can you give me an example, like, some basic default, like, keeping stuff within my organization but not shared organizations? 

MIKE JOHNSON

So an example would be controlling who can create shared channels. That’s, like, the exposure. I don’t know Teams, so I’ll just go ahead and say that whenever I join a Teams meeting, I spend five minutes trying to figure out where my mic is. But you know, in Slack, a lot of it really comes down to controlling those shared channels. If you’re controlling who can be invited, period – if you’re controlling who can connect a channel to another Slack instance, you’re reducing your exposure – not eliminating it – but you’re managing it to the point where you have better controls over who can establish those channels. The flipside is there are going to be some times that you need to create those shared channels. And when you’re working with other organizations, you need those channels. And the way you deal with those is you have policies, expectations that you set amongst your team of, here’s how you’re going to interact. And then if you have e-discovery tools, which we do, you can then evaluate after the fact if something was said or was shared in a way that you would rather it hadn’t been. There are limited controls. It’s not the same amount of controls that we have for email platforms that have been built up over the years and have multiple ways of dealing with it. So it’s not at that level, but it’s also not quite the wild west if you’re paying attention to it.

IRA WINKLER

I agree with Mike. And also, the good part is a lot of companies are coming out with tools to plug in to Slack – you know, Slack, Teams and other things. There’s a lot of data leak prevention that’s been starting to be built into those sorts of channels and similar things. So you got to start looking at this. I mean, the problem is – and what Chris is saying is correct to one level. It’s the unintentional error. You know, that’s where that problem tends to be focused. And it is a bit of a problem. And I would kind of almost argue that if somebody’s going to have that level of mistake, they would have that level of mistake on email. I’m not going to – I will admit that I was talking internally because I was asked about a security question, and I did a reply. And given the conversations we had, I thought somebody on the email chain was an internal person as opposed to an external person. And the email went to the external person, even though… 

DAVID SPARK

We’ve all done it with the autocomplete stuff, too. 

IRA WINKLER

Right. Well, even that – like you’re saying, auto complete, reply all. Even after you purposefully try to delete people, mistakes happen. And I tend to think that whether you’re in Slack, whether you’re on – well, being on a phone call, you can eliminate people, although, you know, there were the cases where criminals were able to listen in on anti-terrorism, you know, conference calls that happened before. So these things happen. They’re going to happen no matter what the channel is. But again, if you’re expecting – if you’re in an organization of size that’s relying upon this, where you’re probably going to have these mistakes be more critical, you’ve got to start investing in the new technologies the vendors are coming out with to kind of address this to at least a certain extent. 

Closing

29:54.467

DAVID SPARK

That is a good point to close on right there. It is often the case – this is how companies, you know, build solutions if the core product that everyone sort of relies on doesn’t have a decent level of security. And so some third party comes in and goes, we’ll fix the problem. And then often, the company goes, oh, well, why don’t we just buy you… 

(LAUGHTER) 

DAVID SPARK

…And fold you into our company? Which – we’ve seen that happen many times. All right. I want to thank you, Ira Winkler. Don’t worry. I’m going to let you have the last word here. But first, a few housekeeping things. I want to thank our sponsor, Varonis. Thank you so much, Varonis, for sponsoring us again. We love having you on board the CISO Series. And thank you very much, Ira, as well. By the way, one question we always ask our guests, especially if they’re CISOs – are you hiring? So make sure you have an answer for that question. Mike, any last words? 

MIKE JOHNSON

So, Ira, thanks for joining. I’ve been following you for quite some time in the social media space. So it was great to have you on the show, listen to your thoughts, get your perspectives and have a conversation about your perspectives. What I really liked was you talked over and over again about, expect mistakes. Expect that humans are going to be humans. They’re going to make a mistake and that if you’re not prepared for that, you probably need to spend some time on being prepared for people to make mistakes. So thanks for really reminding folks about that and about that need. It was just great to have that conversation with you overall. So thank you for joining us and speaking with our audience, too. 

IRA WINKLER 

Yeah, no, I’m frankly honored, given your stature, that you enjoy that and follow me on social media, and I don’t sound like a blithering idiot. 

(LAUGHTER) 

DAVID SPARK

No, no, not at all. A brilliant jerk, maybe, but not a blithering idiot. 

IRA WINKLER 

(Laughter). 

MIKE JOHNSON 

Oh, no. 

DAVID SPARK 

So, Ira, I know “You Can Stop Stupid” is one of your books. You also published a Dummies book recently, yes? 

IRA WINKLER 

Well, “You Can Stop Stupid” is the book that was released in December. Ironically, “Security Awareness For Dummies” should be coming out towards the end of summer, early fall. So you should hopefully be able to preorder it then. But also, “Advanced Persistent Security” was a good book people should also look into. That was in the Cybersecurity Canon Hall of Fame, along with “Spies Among Us,” although that’s not in print anymore, unfortunately. But thank you. 

DAVID SPARK 

I will link to your books on the blog post for this episode. So if anyone wants them, please go to our blog post. I want to thank you very much. Oh, by the way, are you hiring? 

IRA WINKLER 

We are hiring right now. I hate to say, but hopefully, we’re not hiring by the time we need it. 

DAVID SPARK 

By the time this episode drops. I know. 

MIKE JOHNSON 

(Laughter). 

IRA WINKLER 

But we do need – and feel free to reach out to me – we do need some senior Splunk experts, good assessors to make sure we look good on a security perspective, so other people don’t make us look bad. 

(LAUGHTER) 

DAVID SPARK 

It’s a good attitude to have. Thank you very much for coming on this show. I am also a big fan, as well. It’s not just Mike. And thank you, audience, as always, for all your amazing contributions to our show. Keep them coming in. We greatly appreciate it. As always, thank you for contributing and listening to the “CISO/Security Vendor Relationship Podcast.” 

VOICEOVER 

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.