After every breach, you hear the same mantra from the attacked company: “We take security and privacy seriously.” It’s lost all its meaning. But what if you truly ARE serious about how you handle security and privacy? Should you say “seriously” twice?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Geoff Belknap (@geoffbelknap), CISO, LinkedIn and co-host of Defense in Depth. It was recorded in front of a live audience at Microsoft’s Silicon Valley Campus in Mountain View, California as part of a regular ISSA-SV and ISSA-SF meeting.
Check out all the fantastic photos from the event here.
Got feedback? Join the conversation on LinkedIn.
Thanks to our sponsors, SafeBreach and Noname Security
We enable security leaders to proactively prioritize remediation efforts and drive ROI quickly by consolidating technology costs around what truly enhances your security posture.
Real-world attacks. Real-time results.
Full transcript
[Voiceover] Biggest mistake I ever made in security. Go!
[Geoff Belknap] Today, probably agreeing to do a live recording of a security podcast.
[Laughter]
[Geoff Belknap] But more broadly, I remember once I was convinced that in order to improve my relationship with my board, I needed to teach them about security, and that was incorrect. But thankfully, several of those board members were great business leaders and were like, “Hey. This is dumb. Let me explain to you how boards work,” and it’s a lesson I’ll always remember.
[Voiceover] It’s time to begin the CISO Series Podcast – recorded in front of a live audience.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. And sitting to my immediate left is the co-host, who’s been here since day one, since we’ve been doing this podcast, none other than Mike Johnson.
[Applause]
[Mike Johnson] So, day one in this theater?
[David Spark] Not in this theater.
[Mike Johnson] No.
[David Spark] This is the first time we’ve been in the theater.
[Mike Johnson] This is the first time. This theater’s awesome.
[David Spark] Our show’s been around longer than this theater’s been around.
[Mike Johnson] Oh.
[David Spark] This theater’s quite impressive. For those of you who – actually, we’ll have photos of this so they’ll be able to see it – but this is a pretty impressive theater to show PowerPoints, I will say that.
[Mike Johnson] Amazing PowerPoints.
[David Spark] Yeah.
[Mike Johnson] Did we bring PowerPoints?
[David Spark] We have a single slide.
[Mike Johnson] Got one slide.
[David Spark] I’m glad you mentioned that because it has the name of our sponsors for today’s episode. SafeBreach – leverage the attack to improve your defenses . And also our sponsor Noname Security, the complete API security platform. We’re going to be talking about both of them. We are thrilled they’ve sponsored us today. So, I just want to mention to those listening – this is a live audience recording. We are recording live in Mountain View, California, at Microsoft’s Silicon Valley Campus for the – correct me if I’m wrong – this is the ISSA Silicon Valley and San Francisco Chapter, yes? Combined together. Excellent. This is their event; this is a stunning theater. I feel that the quality of the music that’s coming out of our voices right now doesn’t warrant the quality of the theater.
[Mike Johnson] No, no. We’re kind of bringing this down a level.
[David Spark] Yeah, don’t expect either one of us to sing at all.
[Mike Johnson] No, nope. No, no, no.
[David Spark] All right. I want to introduce though our guest who fans of the CISO Series should know very well. It is none other than the CISO of LinkedIn, Geoff Belknap, who is also the co-host over on Defense in Depth. Geoff, thank you so much for joining us.
[Geoff Belknap] Thank you for having me.
[Applause]
How do you go about discovering new security solutions?
2:53.010
[David Spark] “Best of breed is not working for me,” said Richard Archambault, CISO of Arlington County, “I’m standardizing on a smaller set of tools so that I can focus training on a suite/vendor. This greatly lowers my costs. I’m trying to simplify across the board.” Now similarly, Jesse Whaley, CISO over at Amtrak, likens the effort to integrate “best of breed” or really it’s point solutions as, “You have a Ferrari engine, a Cadillac chassis, and a Lexus interior. None of them were meant to work together, and yet you have to figure out how to get them all to work together.”
So, Mike, I’m going to start with you here. I know at your organizations, and you’ve said this on the shows before, you’ve been very engineering focused and integrating point solutions or building your own. But Jesse and Richard probably don’t have such expertise on staff, like I’m guessing most CISOs, and they make a really good argument for never even looking at point solutions and only go to suites given the immense complexity, not only on integration, which is a story we usually hear, but also training. So, I’m going to ask you, Mike. Is it inevitable that most will buy like Richard and Jesse, and we’re just going to see more consolidation of point solutions into suites?
[Mike Johnson] I don’t know that I would classify it as inevitable. And I think one of the things that folks like Jesse, folks like Richard, and really like the people who are selling to them, the people who are building the products, should think about is that integration really is the key. If you truly have standalone products, then I totally agree. I have no time for a standalone product. But if it’s something that I can integrate with other tools, that maybe I have a data layer that’s pulling from multiple places, or you could consider your SIM or your automation frameworks, all of these places where you can get the most out of each of these platforms, pull that together, it is viable to take the approach that’s best of breed. I understand where they’re coming from. I really get that training is expensive.
But I also think if you’re accepting as inevitability that we’re only going to have these suites, you’re really missing out. The best of breed products quite often are going to give you a lot more than what these platforms can give you. And we’ve seen this before. We’ve had platforms in the past, we’ve had promise that you can just go and buy one thing and it’s going solve all of your problems. The one that I always remember is McAfee EPO. I don’t even remember what EPO stands for other than it was terrible.
[David Spark] Well, I guess we’re never going to have them as a sponsor. Great.
[Mike Johnson] They have moved on. And I think you would actually find a lot of them that would have bad memories themselves. And I think it’s because there was not really that integration framework. So, I think that’s really where we’re headed today, we’re going to continue to head, is the ability to integrate best of breed products together as the future.
[David Spark] All right, I’m going to stress again what Richard and also Jesse said – we’re trying to simplify. What do you think? Just everything’s going to be consolidated? Because this is far too complex? And I’m going to say for most CISOs, granted, plenty of CISOs like you, Mike, and I’m sure you have a huge engineering team, Geoff. What’s going to happen?
[Geoff Belknap] I think it’s inevitable that we see more and more integration, right? This is a software industry. All money is made by bundling and unbundling things, all easy money. But I think where you’re going to see more and more people gravitate towards this bundled future is if you’re a security program and you’re just starting out, or you are investing newly in a security program and you want to accelerate that growth, you’re going to start with an integrated or best of suite or best of breed approach.
[David Spark] Wait, you’re kind of mixing things.
[Geoff Belknap] I’m sorry.
[David Spark] Best of suite, best of breed, those are the two opposites we’re talking about.
[Geoff Belknap] You’re going to decide which way you go. You’re going to start almost certainly best of suite, right? You’re going to start with a cluster of things that work together very well.
[David Spark] Because you want to get up to speed fast.
[Geoff Belknap] You want to get up to speed fast, and you want to get your legs underneath you in terms of how does your program operate, how can you focus on the problems you need to solve without focusing on having to solve integration issues. Now as you get your feet underneath you, I think you’re going to find that, like, then you’re going to start branching out. You’re going to like, “Well, I like how this thing works, but it doesn’t work perfectly for me. I might build a solution for that.” And as you start to go down that path, as you start to get to the maturity, then you’re going to start to see, “I’m going to work on integrating. I really want a best of breed solution for this thing.” So, I think it’s sort of like there’s a timeline, and depending on where your security program is, you need that tightly coupled interaction. As you move along, it becomes less and less important to you, and you’re going to focus on where you really just need something that stands out.
There’s gotta be a better way to handle this.
7:59.681
[David Spark] So, one week before recording here, Patreon announced they laid off their entire security staff of five people. And Patreon, for those of you who don’t know, is a service for content creators to receive ongoing payments from fans to keep creating their content. Now, Patreon said they were using outside vendors for security, but they were kind of vague as to what exactly that was. And as Ira Winkler of Walmart pointed out, the knee-jerk reaction of many is to dump on Patreon, but he argued having your security outsourced may be a good solution for Patreon as they possibly could get better ongoing talent and service. So, I’m going to start with you, Geoff. When would it make sense for a company to completely dump their security team and completely outsource it? And if you were to outsource it, what the heck would that look like?
[Geoff Belknap] First, I want to say, it’s so surreal to hear the bumpers. When we’re recording these, it’s very unique.
[David Spark] I want you to know that I recorded a live show with Andy Ellis, who is the other co-host, and he goes, “Oh, that’s what they sound like,” and I reacted, “You haven’t heard the show before?”
[Laughter]
[Geoff Belknap] To be fair, I listen to the show, but it’s just it’s different. So, here’s my take on this. If you’re looking from an outside, you’re looking at an organization that has, maybe, been accused of dumping its whole security organization, your immediate reaction should be like, “Uh-oh. That organization is troubled or is in trouble.” If that company is deciding that the only thing it can do to save itself is release a mission-critical part of their success, then you have to think like, “Well, they must have really needed to do that.” I think in most situations, if you decide, “I’m going to outsource almost all of my security or all of my security, generally it’s a very mature organization that has decided that they’re so mature they just need some outsourced organization to help them keep the wheels on the bus, keep things going. But you are almost never going to get innovation from that outsource provider. You’re going to get I can turn the crank, I can do the transactional things, but I can’t decide what would be this neat new way to optimize security, and I think you really have to understand what you’re getting when you outsource, what you…the best you can hope for is efficient operations.
[David Spark] So, Patreon, and again, I don’t know the business that well, but I’m thinking Patreon does take payments, they take a lot of little payments for many people and actually have to distribute money to many people. So, there’s a lot coming in, there’s a lot going out. I don’t know if that could be simplified with outsource. What do you think, Mike?
[Mike Johnson] Well, that’s an interesting point, and I think they actually made the same argument. All of their payment card processing is outsourced already. So, I think they said they use Stripe, and that means that they have outsourced that particular part of the problem to a service provider, and the security of credit cards is actually now Stripe’s problem, or it has been from the beginning. And part of the argument that you make when you look at these types of thought processes is it’s not necessarily just the fundamentals of what a security team does, but what is important related to security for the company. And if at Patreon, their biggest concern is their credit card information, it’s already dealt with. They actually don’t have to worry about that.
[David Spark] So, that’s their biggest security problem, so it seems that all the security issues now might be quite minor, and innovation may not necessarily be something they need. So, Patreon – again, we’re just guessing here – could – or educated guessing per what we know – be a really good candidate to dump your security team. Could they?
[Mike Johnson] I don’t know that I would go that far.
[David Spark] Okay.
[Mike Johnson] Because there’s some scuttlebutt as to why they did all of this, and it’s not just cost savings. But Geoff made a really good point that if you’re looking at a company that is not mature and has dumped a mission-critical part of their company, you have to wonder about is that company going to be around for much longer.
[David Spark] Well, Patreon I hope is going to be around for much longer, they’ve got a lot of customers.
[Mike Johnson] I hope so. But at the same time, you have to wonder what is next, and what led them to say, “Well, we can save so much money doing this, of laying off five people,” that somehow that’s actually going to save Patreon. Sometimes it is an indicator that there’s something else going on. But to your point, your question, years ago I’d heard that I think it was McDonald’s, and they may have changed, they had no in-house security operations at all. All they had in house was security architects, and everything was outsourced. And that worked out very well for them because they did have the innovation from the way that the architects were thinking about it and the way that we’re going to bring everything together, but the actual day-to-day operations of the security team had been outsourced. So, there are models that can work, but you have to really give some thought to it.
Sponsor – SafeBreach
13:27.346
[David Spark] Are your security tools doing their job? Well, I think everyone wonders that, for that matter. But can they actually stop attacks? That’s what you want your security tools to do. So, instead of spending more on security, wouldn’t it be better to just optimize what you have and see if it’s actually working? Yes, that would be nice.
Well, this is exactly what SafeBreach can do and tell you. SafeBreach’s industry-pioneering breach and attack simulation platform doesn’t only test the efficacy of your security, it leverages real-world attacks to provide visibility into your ecosystem’s response and deliver remediation guidance. So, you can improve security posture, drive down risk, and ensure you’re making the most of the tools you already have in place. So, utilizing over 25,000 breach methods – that’s more than 24,000, I should point out – SafeBreach’s Hacker’s Playbook is the industry’s leading collection of attack data with new methods added within 24 hours of major alerts. So, don’t take my word on it here. Just see how your controls stack up against actual attacks by running a customized, no-cost ransomware assessment today. This is all you need to do: Contact SafeBreach to discover the power of continuous security validation – your way.
It’s time to play “What’s Worse?”
14:53.720
[David Spark] I do not need to explain this game to either one of you because you’re very familiar with it and given the amount of applause we got of the people who’ve heard the show, most of the audience knows this game as well. We get horrible situations from our listeners, and then I pose the two situations to you two, and you have to, from risk aversion, choose which one is the worst scenario. All right. We’ll try to squeeze in two if we can here. We’ll see what we can do.
All right. This comes from Jonathan Waldrop of Insight Global, who’s given us a lot of good ones. This is not a “brilliant jerk” situation, Mike, but it is a “difficult person” situation.
[Mike Johnson] It sounds like you’ve renamed it so you can’t call it a brilliant jerk problem.
[David Spark] No, it isn’t. No, not in any way is this brilliant jerk. So, you’ve got a team member who works well with others on the security team but isn’t respected or listened to outside of the security team, and people actively avoid working with this individual. They have even complained to their managers about your team member and are encouraging you to fire them. All right? That’s scenario number one. Geoff, you know you have to answer second after Mike does. All right, scenario number two, and by the way, audience, I’m going to want you to vote on this as well. Scenario number two: You’ve recently promoted an individual to a manager role, and while they think they’re doing a great job, it’s not going well at all. The smart, hardworking, trustworthy individuals they now manage are threatening to quit unless that manager is removed. So, which scenario is worse?
[Mike Johnson] I just feel so sorry for the first person. It’s like the person who gets picked last for everything, and I feel so sorry for them. But when I think about it, it’s really a manager on my team, I’m responsible for making sure that they’re responsible for their team, that they are keeping their team happy, that they are understanding that the career of the people on their team is in their hands. They can actually make those people’s lives…their careers can be damaged as a result. And that to me is the more important part, is that’s taking care of my own people.
[David Spark] More directly affects you.
[Mike Johnson] It’s not even more directly affects me, but it’s more…
[David Spark] Your responsibility.
[Mike Johnson] I feel it more near and dear to my heart.
[David Spark] So, scenario two is worse? That’s the individual, you recently promoted an individual.
[Mike Johnson] Yes.
[David Spark] So, that’s the worst scenario.
[Mike Johnson] Yes. The worst scenario is the manager who’s running everyone out.
[David Spark] Okay. All right, I throw this to you, Geoff. Do you agree or disagree with Mike on this?
[Geoff Belknap] As a leader, I’m going to go with the manager can always do way more damage than a brilliant jerk. Oh, sorry, not…
[David Spark] It’s not a brilliant jerk scenario.
[Geoff Belknap] Not a brilliant jerk.
[Mike Johnson] Not brilliant jerk, Geoff.
[Geoff Belknap] An amazing producer or a great co-host? Thank you. Come on. These are the jokes, folks. We don’t get any better than this. I think a bad leader can always destroy the culture that you’re working so hard to build.
[David Spark] But the other one’s a bad leader too. It’s just they’re not directly under that person. They’re just interfacing poorly with other people.
[Geoff Belknap] Sorry. The first one’s a manager or just an IC?
[David Spark] The first scenario, sorry, it’s just a team member. I’m sorry, you’re correct.
[Mike Johnson] So that was just an IC.
[Geoff Belknap] Not “just” an IC. Hey! This is aside for all you IC’s – you’re beautiful and perfect. But yeah, look, I think not a brilliant jerk, but an IC who is being toxic, for lack of a better word, that’s damaging, and that can cause trouble, but not nearly as much trouble as knowing that that manager will do nothing about it or will make things worse. A leader is always going to be able to amplify toxicity way more than an IC.
[David Spark] All right. By applause, how many people think the worse scenario is the first one where the team member just can’t work with other people outside of the security team? By applause, anybody?
[Geoff Belknap] Don’t you dare disagree on that.
[David Spark] No one. No one. Oh, my God. All right, so the second scenario, everyone agrees that’s the worst one. With the manager that everyone… All right.
[Applause]
[Geoff Belknap] That’s right.
[David Spark] That, I guess, was an easy one for everyone to come to solution on. All right. Let’s go to the second one. I’ve got three quick scenarios for you; you’re going to rank them from worst to best. I’ll start with you, Geoff, on this.
[Mike Johnson] Yes!
[David Spark] Here are the three ones.
[Mike Johnson] For once!
[David Spark] Scenario number one: The board demands employee monitoring software. Scenario number two: Every week, your employees are uploading PII to a different unapproved SaaS app.
[Geoff Belknap] Oh, God! All right.
[David Spark] And number three: Given the CEO’s predilection to click on phishing emails, you quarantine all his or her emails.
[Geoff Belknap] Eh. Eh. All right, so we’re going worst to best?
[David Spark] Worst to best. Which one’s the worst?
[Geoff Belknap] Oh, man! I feel like – whoo!
[Mike Johnson] I look forward to your answers, Geoff.
[Geoff Belknap] Yeah. It’s a good thing this isn’t recorded, and no one will think about how I…
[Crosstalk 00:20:24]
[Mike Johnson] It will never come back to you.
[Geoff Belknap] I’m going to go with my first instinct which is if the board is wading in and leaving their oversight role to management and saying, “Install this super creepy software,” that seems bad.
[David Spark] So, you’re thinking that’s number one on bad?
[Geoff Belknap] I think that’s the worst.
[David Spark] Next is PII to every unapproved SaaS app.
[Geoff Belknap] I think the PII and unapproved SaaS app is problematic, although I feel like I have more ability to manage that problem. Like, if I go to the CEO thing, that seems solvable.
[David Spark] Quarantining every single CEO email.
[Geoff Belknap] I don’t think email is that critical, and they always have a backup.
[David Spark] Okay, so it’s in the order I said them. So you think, in the order I said them, that employee monitoring software by the board – number one. PII – number two, in terms of worst to best, and quarantining the CEO’s emails.
[Geoff Belknap] Yeah, yeah. Good job, David. Yes, you’ve done well, you’ve done well.
[David Spark] I’m just repeating what you said. All right, Mike, I throw this to you.
[Mike Johnson] I agree.
[David Spark] You agree? As simple as that?
[Mike Johnson] Yes. It’s that simple.
[Geoff Belknap] Good discourse we have going here.
[Mike Johnson] It’s so much easier when you’re second in these questions. I need to do this more often. Can I do this more often?
[Geoff Belknap] Can you be a guest on your own show?
[Mike Johnson] Yeah, can I be my own guest?
[David Spark] No. Because usually we only do one of these but for a live show, we often will do two.
[Mike Johnson] A bonus.
[Geoff Belknap] You see what we do.
[David Spark] I’m throwing this to the audience. Does anyone disagree with the order of this?
[Mike Johnson] And why?
[David Spark] And why, and you can shout it out. Anyone disagree? So, I think we got universal consensus. Oh, wait! Bill is disagreeing.
[Bill] I thought number two is worse.
[David Spark] You thought number two is worse, that the PII going out to all the SaaS apps?
[Geoff Belknap] I mean, that’s pretty bad.
[Mike Johnson] That’s pretty bad.
[David Spark] It is pretty bad. All right.
[Mike Johnson] Yeah.
[David Spark] I agree with Bill.
[Geoff Belknap] It just also feels very pedestrian. Like that kind of problem happens all the time everywhere. Maybe not at the scale that you’re describing.
[David Spark] The first one just has a lot of red flags on it.
[Geoff Belknap] The first one is really worrying.
How scared should we be?
22:18.646
[David Spark] So, when a company has a security incident, it’s as if by reflex they’re required to publicly announce that, “Yes. We do take security and privacy very seriously!” It’s become like kind of a cliched checkbox, hasn’t it?
[Mike Johnson] That’s a requirement.
[David Spark] So, Naomi Buckwalter of Contrast Security posted a meme mocking this line and Twitter’s response to whistleblower Peiter Zatko’s, aka Mudge’s claim about Twitter’s security. And Buckwalter said this, “It’s going to be very difficult for Twitter to attract high-quality security people now.” Now, Dick Wilkinson of Proof Labs said quite the opposite, that he would jump at the opportunity. So, I will start with you, Mike. Does Mudge’s announcement affect positively or negatively on Twitter’s ability to hire? If not that, what are issues that can damage a company’s ability to hire talented cybersecurity people?
[Mike Johnson] So, the scenic [Phonetic 00:23:23] is always that after an incident, the security budgets go up. And a way of looking at this is now that the whistle blowing has happened, the attention is going to be on Twitter, the budgets are going to go up, and that’s going to really attract a lot of people to solve interesting problems. I don’t know if that’s the case, it’s hard to say. I don’t know that ultimately it actually affects things one way or the other. There’s some people who would never actually want to work for Twitter, period. Pick any company out there and there’s some people who would never want to work there. And I think at the same time, there’s always going to be people who would really want to work there, and I don’t think that this announcement will change those people’s minds. So, at the end of the day, I don’t think it affects positively or negatively.
[David Spark] But let me ask this, Mike. Would something like this, like you’re hearing – and if you agree or disagree with whatever Mudge is saying – you’re like, “Oh, that’s a challenge. I’d like to attack that.” Would that in any way affect you or no?
[Mike Johnson] What I think people might be thinking and reading into this the wrong way is because Twitter may or may not have great security, there’s a perception that I can’t get anything done, they have terrible security, why would I want to work there? But I think the real concern is more around whether or not there’s internal support for the security program, and that’s hard to know based on the headlines. It’s hard to know if there really was…
[David Spark] Oh, Mudge seems to be disclosing a lot.
[Mike Johnson] But I think at the same time, one needs to be aware that there’s two sides to every story.
[David Spark] Yes. Sometimes more than that.
[Mike Johnson] I’m not here to defend Twitter, I’m not here to defend Mudge, but I don’t think we have the full story. But I think there are things that a company, if they’re not taking security seriously, that’s something that I’m not going to really want to work for.
[David Spark] All right. Geoff, now no pressure here, being that your company might actually be a competitor to Twitter in some way.
[Geoff Belknap] Not really, but okay.
[David Spark] Okay.
[Geoff Belknap] I think in this case, we have to think, perception is reality. When you’re a talented individual looking for a new role or something to sink your teeth into, yeah, money might come into play, and maybe you’re looking for a fancier title. But if you’re a really unique talent, you’re somebody that I want to recruit to my team, there’s like three things that really end up coming into play when that happens, and I think it’s opportunity, motivation, and support. Opportunity – like is there something for me to work on, is there a challenging thing for me to do that maybe nobody’s done before? Maybe it’s just a really unique opportunity that I get to solve the problems that a wayward company might have, allegedly. I think there’s motivation – is that organization motivated to resolve that? And then support – are they going to support you? Are they going to be there? Do they want you to fix that problem? I think there are probably financial institutions that have money laundering problems, that maybe they’re not so interested in you solving those problems. I think in this case, if I’m a uniquely talented individual, this opportunity in front of me is very juicy and interesting to solve.
Sponsor – Noname Security
26:45.124
[David Spark] Gartner predicts that APIs will become the top attack vector for web applications in 2022, but many organizations do not know where to start. So, to help you get prepared, Noname Security is hosting a series of virtual and in-person API Security Workshops for technical professionals. By the end of the four-hour workshop, attendees will be able to: Articulate the underlying security risks when deploying APIs; Identify the leading techniques that hackers use to exploit vulnerable APIs; Understand and protect against the OWASP API Top 10; Navigate the Noname API Security Platform to discover all the APIs running on their network, including legacy and shadow APIs, as well as monitor API traffic for anomalies and remediate threats. By attending, you’ll earn CPE credits – we could all use that – and an exclusive kit with Noname Security swag. So, to learn more and register, visit nonamesecurity.com/workshop.
That’s something I’d like to avoid.
27:54.651
[Geoff Belknap] Why is that so upbeat?
[David Spark] “All these resources and talks on how to get into cybersecurity, not enough on how to get out,” said Ken Westin of Cybereason on Twitter. Now, if I was Cybereason I’d be worried about Ken at the company. But a friend of mine, Liz Brown, wrote a book called Life After Law, offering advice on how to use the law degree you have to find new fulfilling employment outside of law. So, I’m going to start with you, Geoff, on this one. Are there any occupations outside of cybersecurity for which cybersecurity expertise would be valuable? What would your advice be to someone wanting to leave cybersecurity? And no, your answer can’t be “don’t leave.”
[Geoff Belknap] Boy. I feel like every Monday, people like Mike and I have this conversation of like, “Should I go? Where can I go? Do you think golf courses are hiring or something?”
[David Spark] This one, I’m intrigued. Are cybersecurity skills transferable?
[Geoff Belknap] Oh, yeah, I think so. I look at all kinds of skillsets from people that I want to bring into cybersecurity, I think it goes the opposite way too. You have to inherently be curious… Well, no, you don’t have to be, but it’s really helpful for you to be curious, for you to be somebody who thinks about problems a little orthogonally or differently than everybody else, and you have to be a motivated learner. I think there are a lot of career paths where that’d be very helpful.
But I think more importantly, there are a lot of other industries and careers where being somebody who had cybersecurity experience is fantastic. I think you could go into nonprofit work, and there’s a ton of need for people who are at risk or groups or organizations that could use some help in protection. There are other industries where they don’t have access to the same sort of high caliber talent that maybe Mike or I have access to that would welcome somebody into that space that had that experience. There are a lot of opportunities for people that think about these horrible problems that we think about all the time, and then have the technical skillset to manage them in other places. Whether it be, like I said, nonprofit or government or just civil society. Lots of opportunity.
[David Spark] All right. So, you think they’re very transferable, just from the curiosity factor. Alone, you think? Because security does make you more curious, yes?
[Geoff Belknap] I think it makes you insane, yes. But I think having some cybersecurity experience and bringing that to bear in some other industry that’s not cybersecurity or you’re not doing cybersecurity for less money somewhere else, I think there’s a lot of opportunity for that. I mean, look. I spent a fair amount of time in the policymaking and legislative circles thinking about how can I inform decision making about regulatory compliance or making a new law or thinking about a national security policy. That is an industry where they don’t want to have a conversation about specifically solving a security problem, but having experience there really helps move things forward.
[Mike Johnson] It’s interesting that your friend wrote a book Life After Law.
[David Spark] And by the way, I have many lawyer friends who’ve left. I know that’s one career that people want to walk out of.
[Mike Johnson] I think there’s a lot of parallels between cybersecurity and law though. A lot of what we do is risk management.
[David Spark] Yes. You report to your legal counsel, don’t you?
[Mike Johnson] I did, I did. And even closer, my wife used to be in information security and became a lawyer.
[David Spark] Ah.
[Mike Johnson] I really think there’s a lot of parallels.
[David Spark] So, does that mean you’re going into law yourself maybe?
[Mike Johnson] No.
[David Spark] You’ve got to keep the whole act…
[Mike Johnson] No, no.
[David Spark] …balanced, don’t you?
[Mike Johnson] No. I have seen what that life is like, and I’m not going there.
[David Spark] Okay.
[Mike Johnson] I think the risk management expertise shows up in a lot of places – the legal field, insurance, where you’re looking at disaster management. All of those types of places, those are skills that you really have to have in cybersecurity, that there’s a lot of opportunity out there for those types of roles.
[David Spark] All right. Now, I’m going to throw this to both of you. Geoff, I’m starting with you. You can no longer work in cybersecurity.
[Mike Johnson] Ooh.
[Geoff Belknap] Oh, thank God.
[Mike Johnson] I celebrated a little bit there myself.
[David Spark] What is the job you’re going to take on if you’re not working in cybersecurity?
[Geoff Belknap] Okay. Tell me one person in this room that is unhappy to see a Mr. Softy Ice Cream truck in their neighborhood. Nobody. And I’m lactose intolerant, so it’s a dicey proposition for me.
[David Spark] So, you’re going to be driving a Mr. Softy?
[Geoff Belknap] Absolutely, man. Nobody’s unhappy to get ice cream.
[David Spark] And how are your skills going to transfer over to that?
[Geoff Belknap] Skills? I’m just looking for an opportunity for people to be pleasantly surprised to see me coming their direction.
[Laughter]
[Applause]
[Mike Johnson] As opposed to unpleasantly surprised?
[Geoff Belknap] Oh, yeah. Where they’re like, “Oh, [Beep].”
[David Spark] Have you had the situation where you’ve walked down the hall and doors start closing?
[Geoff Belknap] I have definitely noticed that people can read my mood sometimes, they’ll be like, “Oh, [Beep]. Is everything okay? Should we be worried?” I’m like, “No, it’s just I had to get up early and my kids are sick,” or something.
[Mike Johnson] “I woke up like this.”
[Geoff Belknap] Yeah. I woke up with…
[David Spark] I’m going to say that Mr. Softy is not a serious job venture you would take after cybersecurity.
[Mike Johnson] Why not? That sounds awesome.
[Geoff Belknap] I have to give a real answer to this question?
[David Spark] You have to give a real answer, I want to hear.
[Geoff Belknap] Let’s see. Oh, man. My instinct here is to give the most Silicon Valley answer, cliche answer possible, and I’m sorry. I would really like to spend time investing in cybersecurity companies and things like that. I think helping cybersecurity companies grow and helping companies grow in general is a passion of mine. I think risk management is definitely a part of that. I think cybersecurity…
[David Spark] That’s essentially what Andy Ellis does.
[Geoff Belknap] Yeah. He’s living the dream, so to speak. But I’d be better, obviously, than Andy at it.
[David Spark] But here’s the thing that I comment…
[Mike Johnson] Yes.
[David Spark] Of course you would be.
[Geoff Belknap] Obviously. Sorry, Andy.
[David Spark] Here’s the comment I made to Andy about that. What I thought was impressive with what he was doing is that he gets to meet with these young teams who are very eager, they want to talk about their problems, they see the eagerness, and he can advise, and then he doesn’t have to deal with it. Like, that’s the part that’s magical. You can have the fun of the startup without even having to deal with the startup.
[Geoff Belknap] Yeah. It’s everybody’s dream. No responsibility whatsoever.
[David Spark] Awesome. All right, Mike, you’re no longer in security. What are you doing?
[Mike Johnson] I’m going to take Geoff’s answer one step further and rather than investing, just advising. Like my money’s not at stake in that situation.
[David Spark] Same thing. You don’t have to actually do the work.
[Geoff Belknap] Even less responsibility.
[Mike Johnson] Yeah, even less responsibility.
[David Spark] And that’s what our other…
[Mike Johnson] That’s what we’re after here.
[David Spark] …Steve Zalewski does.
[Mike Johnson] That’s what Steve does.
[David Spark] Yeah, so there you go.
[Mike Johnson] We’ve got Andy and we’ve got Steve.
[David Spark] Both of them are living the dream and you guys haven’t figured it out.
[Mike Johnson] We’re the working people.
[Geoff Belknap] We’re the dopes, just grinding away.
It’s time for the listener question speed round.
34:50.459
[David Spark] I have in my hand right here a series of index cards. I asked the fine people that are seated right in front of us for questions for you. You have not seen these questions.
[Mike Johnson] I just saw one of them.
[David Spark] They’re all surprise… Well, could you read it, my horrible handwriting?
[Mike Johnson] No, I actually can’t read your handwriting.
[David Spark] Good. So, this is Speed Round. That means we’re not looking for long answers here, but we do want cogent answers as well, and answers that may have more value than “I want to drive a Mr. Softy truck.”
[Mike Johnson] That is an awesome answer!
[Geoff Belknap] That was from the heart, David.
[David Spark] I know.
[Mike Johnson] I believed him.
[David Spark] Oh, whatever. All right. What do you think a day in the life of the Uber security team looks like right now?
[Laughter]
[Geoff Belknap] I feel so bad for Latha and her team. It was funny. Before I came here, I was doing a skip level with a group of people at my work, and they asked a very similar question, and I said, “The thing about that is if you’ve been in this industry long enough, you’ve experienced material security events before, and there’s a little bit of PTSD that goes with that where when you hear about it and you’re in this role, you immediately start to feel that dread of, like, you remember how that felt when you were in that role.”
So, I think right now, I hope by now people have slept a little bit and have gotten to the point where they’ve seen their family. But you’re in triage mode, and you’re dealing with it, and it is not my favorite thing to do while you’re also under the scrutiny of a thousand people that want to talk about what’s going on. And I can only imagine – I’m sure nobody here would have done this – but I can only imagine the emails they’re getting from unscrupulous people that are trying to ambulance chase. But right now, they’re dealing with the trauma of this thing that happened, that they feel like they were responsible for protecting against, and maybe they’re asking themselves whether they failed or whether they can try hard enough. And the thing I want to tell them is, like, you probably did your best. This stuff happens, and it’s not your personal fault – unless it is – but you just have to work through it, and that’s part of the industry. And you know what? Any one of us this could happen to, and we would all want to feel supported through something like that.
[David Spark] Mike, do you want to add your two cents to this?
[Applause]
[Mike Johnson] I actually just want to highlight how Geoff closed that, which is the support for those teams. I hope that they feel supported. That’s really the thing that I’m hoping that they have.
[David Spark] And to our listening audience – we’re recording this on September 20th, so when this is released three weeks from now, who knows what’s changed over there? All right. Second question, and quick answers on these, from Aaron Stanley.
[Geoff Belknap] That was quick.
[David Spark] But that was a great answer, by the way, and it deserved a longer answer. What’s the most hyped security category, do you believe?
[Mike Johnson] Oh. How do you feel about whether or not we’re going to have future sponsors with this question.
[Geoff Belknap] Oh, yeah.
[David Spark] I just want the category. I don’t want the name of the companies as well.
[Mike Johnson] Ooh.
[David Spark] And by the way, I’m going to throw in David Rokacz’s question as well because it’s similar to this. What’s the most needed area of security? So, answer both. What’s the most hyped, what’s the most needed area.
[Mike Johnson] The most hyped one for me right now is this whole enterprise browser market. This concept that you’re going to have a browser that is somehow secure and that solves all of your problems. It’s been a very hot space all of a sudden. I think it’s really a solution in search of a problem right now.
[David Spark] All right. And think of what’s most needed, what do you think’s most hyped?
[Geoff Belknap] I think for me it’s a tie between anything blockchain or Web3 because…
[Mike Johnson] But that’s easy though.
[Geoff Belknap] I get a ton of that. And then anything that’s quantum computing or encryption, I’m like, “I think we got a while. We don’t need to worry about this yet.”
[David Spark] All right. Then flip side, what’s the most needed area.
[Geoff Belknap] The most needed are the basics still. It’s still asset management, it’s still consistent, easy asset management, it’s still making patching easy and consistent. It’s all the basics. People still need that stuff, and it can still be better.
[Mike Johnson] Yeah. And I’ll add on the inventory, the assets thing is the data inventory. That’s an unsolved problem.
[David Spark] Inventory in general’s a hot, hot space. All right. This comes from Trevor Pirman of TachTech, and he asks – why do I know really talented cybersec people that have a hard time finding a job?
[Mike Johnson] I don’t know.
[David Spark] All right, that could be the answer.
[Mike Johnson] My go-to answer for that used to be because they’re not where the jobs physically are. That they’re in a place in the world that the employers that can most use their skills are not together. That’s the three-year-ago answer to that question. Today, I honestly don’t know, I don’t know.
[David Spark] Geoff, what do you think?
[Geoff Belknap] I’d say the same thing. If you have a modicum of talent, people are competing for you right now. So, if you know somebody that’s struggling, you really have to ask them like, “What are you applying for? What does your resume look like? Is it not coming across?” Because if you are a minimally qualified, I don’t know, firewall management engineer, people are going to give you competing offers. Now, let’s be clear. In the time that we’re in right now, as this is being recorded, things have slowed a little bit. That is not going to stick for long at all. And so I think if you take the broader view of it, you really should not be having trouble.
[David Spark] All right. Two more quick questions, we’ll wrap this all up. This comes from Kari Powell of SafeBreach, and Kari asks can automation in any way alleviate the talent gap? Because it’s been sold to us that way.
[Mike Johnson] I think there are certain jobs, especially with more and more usage of the cloud, that automation can help with, where your security boundaries are API defined ultimately. I can have one machine talk to another machine and it can say, “This is how the world should be,” and the world becomes that way. It used to be that there were firewall administrators who were managing that by hand, and I think that’s an example of something that technology has moved forward. Off the top of my head, that’s an example, and I think we’ll continue to see more of that.
[Geoff Belknap] I think the bottom line is yes. Absolutely it can help. It cannot, say, take you from not needing to hire anybody, in that scenario. But what it can do is focus the people that you need to hire, right? So, if I need automation, I can either hire a bunch of automation engineers to build automation, or I can spend a little bit of money to buy a solution that can automate away the boring transactional operational work. And then I can focus on engineers that are going to really help me innovate in the places that are unique to my business that need security attention.
[David Spark] All right. And the very last question, and I want an honest answer, and it does not have something that you have personally experienced. This comes from Carlota Sage, who’s a vC. What is the most unrecoverable incident you’ve ever seen?
[Mike Johnson] There was a company years ago, it was a hosting company, like virtual servers or something like that. Somebody compromised them, deleted everything, and they had no backups in the company. They were gone. That was it for that company.
[David Spark] That’s pretty unrecoverable.
[Mike Johnson] That was the one that comes to mind for that.
[David Spark] Geoff?
[Geoff Belknap] That’s a really good example. I think anytime that you’ve had an issue where talent will now avoid you like the plague – which to be clear, I don’t think the Twitter thing is an example of that, I don’t think the Uber thing is anywhere near an example of that – but if you’ve had a security incident, and it involves a response where one of your executives or your security leaders have bungled that hopelessly, you are in big trouble. If you can’t attract talent, you can’t survive.
[David Spark] Have you actually seen that happen?
[Geoff Belknap] I would refer to my Fifth Amendment right against self-incrimination.
Closing
43:02.201
[David Spark] Well, that brings us to the very end of the show!
[Applause]
[David Spark] I want to thank my guest Geoff Belknap.
[Applause]
[David Spark] And my co-host Mike Johnson here.
[Applause]
[David Spark] I’ll let the two of you have the final words, but I do want to mention our sponsors again. You see their images behind me. That is SafeBreach – leverage the attack to improve your defenses. Contact them. You could get a free test of the ransomware attack in your environment. And also Noname Security, the complete API security platform. Again, contact them – nonamesecurity.com/workshop – to sign up for one of their virtual or in-person workshops. Geoff, you get the last word. But Mike, any last words?
[Mike Johnson] First of all, Geoff, thank you for joining us, I really enjoyed the conversation. We chat all the time on Slack, and it was nice to just get a chance to just sit down and have you squirm with some of these questions as well.
[Laughter]
[Geoff Belknap] Yeah. Thanks for that. Yeah.
[Mike Johnson] So, misery loves company. Thank you for joining us. What I really appreciated was the experience that you shared with managing people, being a people leader, the kindness that you show to them, and some of the very specific examples that people can use as tools. So, thank you for sharing those tips. But thank you for coming and joining us today. It was a pleasure.
[Geoff Belknap] Absolutely.
[David Spark] And Geoff, any last words? I know you’re hiring. You always are.
[Geoff Belknap] I am hiring and if you are looking for a job, there’s this neat little website called LinkedIn.com.
[Mike Johnson] I’ve heard of it.
[Geoff Belknap] Yeah, that’s convenient for that. The only plug I have, which is my favorite thing, is to remind people that, hey, your favorite website probably supports two-factor authentication, and if you have not taken the moment to turn that on, you should do that immediately.
[David Spark] Good advice. All right. Well, thank you.
[Applause]
[David Spark] And another huge thanks to our hosts – Microsoft who hosted us in this beautiful theater. Also the ISSA Silicon Valley and San Francisco Chapters as well. And as always to our audience, those here that showed up in person, and also to those of you listening virtually, we greatly appreciate your contributions and listening to the CISO Series Podcast.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.