We promise if you just let us poke around your network, we’ll find something wrong. Everyone has something wrong in their network.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care.

Recommended from Phil: National Cyber Security Centre in the UK

Got feedback? Join the conversation on LinkedIn.

Our sponsor for this week’s podcast is VMware

Full transcript

Voiceover

10 second security tip. Go!

Phil Huggins

People matter. Listen to what they’re saying. Don’t just wait for your turn to speak. Put yourself in their shoes, care about what they care about and, in return, they’re going to care about what you care about.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the Producer of the CISO series, and joining me, as always, especially during the pandemic, is my co-host, Mike Johnson. The sound of your voice gets presented now.

Mike Johnson

Hi. I’m here. I’m glad I’m on the right show. I had this moment of, “Wait, am I in the right place? Am I in the right area?” But no, I’m actually in the right place. It’s good to know.

David Spark

Are you moonlighting on other podcasts that I should know about?

Mike Johnson

Well, I’ve been trying to get onto The Price Is Right, and it’s just not working. So, I guess, this will just have to do.

David Spark

Let me ask you a question. Is The Price Is Right your favorite game show? If not, what is?

Mike Johnson

It actually is. Like, way back, I remember middle school and elementary school when I would be sick and off school…

David Spark

Oh, yeah, and that’s what you watched.

Mike Johnson

…I was watching The Price Is Right. Even now, today, I tune into it every once in a while, and it drives my wife nuts, but I still do it.

David Spark

I was a fan of The Price Is Right, but my absolute favorite show is Match Game. I know they redid it with Alec Baldwin, but Gene Rayburn was the original host. The whole thing was that they said slightly naughty things during daytime. I don’t think they said the word “whoopee” to refer to sex, but they did say euphemisms for breasts, like “boobs” and “bazungas”. To an 11-year-old boy, “Oh, my god! Adults are saying this on television! I can’t get over this.”

Mike Johnson

A whole new vocabulary.

David Spark

“This is amazing! This is incredible!” What a great lead-in to mention our sponsor, by the way. Our sponsor for today’s episode is VMware. You know VMware from virtualization but, as you know, they also deal with security, and they’re very focused on the east/west traffic, essentially, what happens when someone gets in your network and starts rooting around. Well, they’ll have more to say about that later in the show. Mike, I do want to mention one other quick thing, though, other than game shows. I’ve mentioned this once before, but enough people know about this, and I want to let them know, we have, by the way, tons of subscribers to our Cyber Security Headlines show.

Mike Johnson

It’s a great show.

David Spark

It just keeps growing. It is doing so well. We’ve brought on a brand new reporter, Sean Kelly, who is doing an awesome, awesome job. We have three excellent reporters. But one of the things that you may not know is, obviously, they write up their headlines completely, they take that full copy and they put it in the blog post. Guess what? You can subscribe to that. So, if you don’t want to hear them reading the news, you could just read the news, and get it delivered to your inbox every day. The way you do that is you just go to cisoseries.com, click “subscribe to the newsletter” and there’s an option to subscribe to our twice-weekly newsletter and, if you want, our daily one, which is just the headlines and nothing else.

Mike Johnson

Perfect! You get that delivered into your inbox and read it at your leisure.

David Spark

Or, listen to it at your leisure.

Mike Johnson

One or the other, and you’re still getting the news.

David Spark

We give you options.

Mike Johnson

You get options.

David Spark

We give you options, that’s the idea. All right, if you’re not doing that yet, do it! With that being said, let’s bring on our guest. I’m very excited to have him on, he’s going to bring some much needed class to our show. We don’t lie. Pretty much, we believe anyone with a British accent brings class to our show, which we do not have.

Mike Johnson

We do not have class. No. No class here.

David Spark

It is the CISO for the National Health Service Test and Trace Program, Phil Huggins. Phil, thank you so much for joining us.

Phil Huggins

Thanks for having me.

How have you actually pulled this off?

00:03:57:21

David Spark

Our research partner, Gigaom, has a report entitled “Digital Risk, Compliance and Data Centricity: The Value of Centralization in a Distributed World.” In the report, Arthur John Collins noted that security challenges around risk and compliance are, in order, evolving nature of compliance regulations, keeping up with strategic business imperatives, and managing the fragmented nature of third parties’ management of risk and compliance. Mike, would you agree that these are your top three, in the same order? Also, give one or two ways you’re trying to manage the complexity of these issues?

Mike Johnson

So, I’m not sure about the order. It’s a solid list of concerns, and I think the lists of concerns, and the order that they’re in, is always going to depend on your business. Your customers are how you make your money. It’s always going to vary. But, for these three, when I look at them, what the evolving nature of compliance regulations says to me is, the shifting sands of global privacy regulations. That’s what stands out to me. Most of the other frameworks are relatively static, but global privacy regulations are developing. There’s always something new that’s coming on in that area, so you have to keep an eye on it, and it may, or may not, be important to your business.

David Spark

Does your legal team help you with that?

Mike Johnson

Absolutely! At the end of the day, these are laws. I do not interpret laws, that is the legal team’s responsibility. We have a great partnership with them, so that we can ensure that, as a company, we’re living up to our legal responsibilities, as well as the responsibilities that we have for our customers, and what their responsibilities are. So, yes, absolutely, the legal team helps very much with that one. It’s very much their area.

David Spark

All right. Phil, I throw this to you, do you agree with his list of three, and what are one or two ways you are trying to manage complexity, because, as we know, it’s a tad complex?

Phil Huggins

So, I recognize this list. It’s a great list if you’re a consultancy trying to sell services. The job that I’m trying to do is, I’m trying to protect the mission, or the value, of the business for whom I’m working. I want to make sure those outcomes are delivered. Compliance doesn’t help me do that. Compliance is a useful tool when I’ve got a nice, simple problem, and I’ve got an interesting regulation that tells me how to fix that problem. Most of my problems aren’t that simple. So, to my mind, compliance is probably not at the top of my list, and I think that just reflects that I’m operational in my approach to security, rather than being governance, risk and compliance focused. With that said, third parties has become a topic of serious interest. I think that’s a serious unsolved problem for the discipline. I don’t think we really know what to do with third parties, and I don’t think we really know what to do with supply chains, and I think there’s a lot of space for innovation and creativity there that I’m looking for.

David Spark

So, hold on. How are you managing the complexity then around third parties?

Phil Huggins

So, as everyone does, we’re running a great big third party program where we send out huge amounts of questionnaires. We do audits. We have conversations with the people who are closest to us, and everything that everyone does. Has it made us more secure? Somewhat. Have we spent more effort making us more secure than it’s probably given us? Yes, that too. I think that’s the problem, we’ve created an industry for ourselves that doesn’t necessarily give us back what we’re putting in.

David Spark

Then, let me just skip and ask one simple question regarding the third parties. What is it that a third party says to you that makes you feel that they’re on the right track?

Phil Huggins

I always have a set of difficult questions that I ask, because I like to see how people respond to difficult questions. One of them is, “Tell me about all your breaches.” Here’s the thing, if they turn around and tell me there have been none, that tells me one or two things: they don’t know, or they’re not telling me.

David Spark

Which are both bad. Mike, he meant that you’d been cut off like, “Oh, my god! We’re cutting him loose now!” Yes?

Mike Johnson

No, no. I mean, it really is, Phil’s absolutely right. A company that says, “We’ve had no breaches” is either lying, or they’re delusional. Everyone has had them. It really comes down to the size and scope of them and how you dealt with them, how you responded to them. I think that’s the obvious follow-up question to Phil’s question. That gives you some great insight into the security culture of a company, how important it is to them and how seriously they take it. But it also gives you some idea of the transparency of the partner that you’re, potentially, getting.

Phil Huggins

That’s key. For me, third parties, over the long term, it’s a trust relationship. Trust allows me to say to myself, I believe what they’re doing. Transparency is one of the ways we handle not having trust. If you’re a new supplier, we don’t know each other, so I need transparency. If you’re an old supplier, and we know you of old, we probably know where you are.

Can’t we all just get along?

00:09:03:02

David Spark

Is it time for a cybersecurity culture czar? We’ve discussed, endlessly, the need to watch out for burn-out, but I’m proposing the new position of the Cybersecurity Culture Czar – someone who would be responsible for helping build the culture of security within the whole organization. But also, work to promote the cyber staff’s work, and try to find ways to connect cyber pros with the rest of the organization. I feel many of these responsibilities already exist in other roles, and I’m going to say, notably, the CISO and the BISO. But what if one person was dedicated to all of this? Is this something worth considering? Would it have an impact? Would it be annoying? Does it exist already as an individual’s role, or is it just nice to have? I’ll start with you, Phil.

Phil Huggins

I think this is the job. This is what I do. My job is to hire good people, let them loose on the problem, and spend the remainder of the time getting the rest of the organization out of the way and getting them listening. This is my job. This is what I do now.

David Spark

You are the Cybersecurity Culture Czar.

Phil Huggins

Absolutely!

David Spark

Are you also promoting what your security team is doing to the rest of the company, and sort of building that culture outside of the security team?

Phil Huggins

Yes. It’s about engaging with the executives upwards, sideways and downwards. It’s about promoting your successes. It’s about being where other people are in their journey and their culture. It’s going to their meetings and living in their world, and you’re bringing the security team along with you. Frankly, you hire good people and you let them do that job. I’ve got time on my hands as a result of that, so I get to go and speak to people and tell them what a good job they’re doing.

David Spark

The reason I brought this up, Mike, is because, years ago, I just interviewed people about culture in general, not specifically on security, and they all said, “Culture just doesn’t happen by accident.” I mean, you have to really work on it.

Mike Johnson

True.

David Spark

They hired full-time culture people. As Phil just mentioned, this kind of thing is very much in the CISO and the BISO roles, but could there be a culture czar in security similar to when companies hire a culture person?

Mike Johnson

I think there are aspects of the role whereby maybe not all CISOs have the skills and the experience to really project the job, the responsibilities, and the outcomes of the security team across the entire company. It’s almost marketing when it comes right down to it, and not all of us have those skills. I do not claim to be a brilliant marketer. I’ve worked with folks in the past and I’ve got someone for whom it’s kind of their part-time responsibility, and developed that. For example, whether it’s our newsletters that we send out to the rest of the organization, or what our events look like so we can pull people in. There’s more of a pull, rather than a requirement, where there’s an incentive for them to join. So, that’s how we kind of think about it – what incentives can we use to encourage everyone to become more aware of what we’re doing, as well as kind of our regular status and the status of our projects? So, I think those are very important responsibilities and hats to wear in a security organization. They can be worn by different people, but it really comes down to their skills and capabilities, and whether or not they have the time to do it.

David Spark

Phil, I see you’re nodding your head a lot there. I mean, it’s already there, it’s already ingrained, but it just takes the work of many – and, primarily, you, it appears.

Phil Huggins

Obviously, it’s my job to lead it. I have a behavior and culture team, at the moment, and I, absolutely, agree with Mike. I’ve got marketers in that team. They come from a marketing background. They don’t come from a security background.

David Spark

Are they specifically doing internal communications for you?

Phil Huggins

Absolutely. They’re doing internal communications and running training. They’re looking at what we want to do to influence culture. This is one of the things that I’ll say, an awful lot of people talk about security culture and have no idea what it means. If you’re not measuring how people behave, and you’re not showing people how they behave, you’re just talking about an interesting concept. So, you’ve actually got to get out there, you’ve got to engage with people, and you’ve got to look at behavior. It’s not about awareness. There’s a CISO here in the UK, Kevin Fielder, and he has a great take on this, which is, “we want people to care, not be aware”. If I can get people to care about security, I’m winning. If I get them to be aware of security, not much changes.

Sponsor – VMware

00:13:37:02

Steve Prentice

VMware is well known in the industry as a virtualization and networking giant, but as Jeff Lindley, the Worldwide Network Security Practice Leader for VMware says, his customers also look to him for its unique approach to internally-focused protection for cloud and on-prem, including their flagship security solution for this, the NSX Firewall.

Jeff Lindley

We have a software defined, network security platform that is able to be installed without any network changes, and it gives you the ability to granularly segment your data center traffic, and stop the lateral movement of attacks, before they’re able to become successful and embedded and then, exfiltrated. Broad-based network segmentation is no better than assuming that just having a perimeter defense is enough – it’s not. I like to think of cyber security as a math problem. It’s an automated adversary against a manual response. VMware is giving you the ability to insert a defensive capability into your data centers that gives you the ability to stop lateral movement in a very automated fashion. We have the ability to very, very simply, scale network cyber security defenses within the data center, without having to make massive forklift changes to their existing architectures.

Steve Prentice

For more information, visit VMware.com.

It’s time to play, “What’s Worse?”

00:15:18:18

David Spark

All right, it’s time for “What’s Worse?” Phil, I know you know how this game is played. Two horrible options – you’re not going to like either one of them – but you have to determine which one, from a pure risk perspective, is the worst option. I’m going to make Mike answer first. I always like it when my guest disagrees with Mike, because, pretty much, I like it when people disagree with Mike, in general. All right, here we go. Mike, this comes from Mark Felegyhazi from Avatao and he has this “What’s Worse?” scenario. “You have no regard for GDPR and CCPA, and you collect sensitive user data without their consent. It’s just a free-for-all, if you will, of data. I can’t consume enough of it. Whatever the regulations are, so be it.” All right, that’s option one. Option two: “You are GDPR obsessed, so much so, you block all business opportunities by consciously discarding all user data to avoid any trouble in dealing with it.” Which one is worse?

Mike Johnson

Wow! I feel like there’s good examples out there of companies who follow both of these paths.

David Spark

Yeah, probably, and we should just call them up, like phone a friend.

Mike Johnson

I think, unfortunately, these really exist in the real world. These are not just made up. So, on the one hand, you’ve got, we’ll just take the risk. We may not even be aware. Where we are aware, we’re just going to accept the risk and hoover up everything that we can.

David Spark

Right. But ignorance is not a defense in law.

Mike Johnson

It is not. The other is, the entire business kind of comes to a screeching halt while you figure out how you deal with the regulations.

David Spark

I don’t even think that happens. I think you just block. You’ve always got to figure out like, this is just the way it is. We’re just going to be all blocking, and marketing be damned, you’re not getting any data.

Mike Johnson

Yes, if it’s that extreme. At the end of the day, though, I still think the first one is the worst of the two, as unfortunate as it would be to business processes and business opportunities to go with the second one.

David Spark

You can still run your business.

Mike Johnson

You can still actually run the business.

David Spark

Without collecting any follow-up user data.

Mike Johnson

Right.

David Spark

It’s, essentially, running a business without a CRM, in a sense.

Mike Johnson

Right, and plenty of companies do that.

David Spark

Yeah, in fact, one of the major complaints is that security vendors don’t use their CRM.

Mike Johnson

Right. Right. Remind me to tell you the story about how I used to work for a CRM company and vendors would reach out to me. Really, I just think the risk on the first one is just too much. I would feel very uncomfortable if we were just collecting everything. So, there’s like the regulation aspect of it, and then, there’s the “being a decent human being” aspect of it. How would I feel if I were on the other side of that?

David Spark

I know, you always lean to that decent human being thing. Damn you! Curse wanting to be a decent human.

Mike Johnson

Yes. Curse me and my decent human being obligations. Yes. So, the first one is the worst for me.

David Spark

All right, Phil, do you agree, or disagree, with Mike?

Phil Huggins

Wow! So, in the first one, I’m not taking any care, and in the second one, I’m driving down the business. I agree with Mike, I think, in my heart of hearts, I want to look after those data subjects. I want to make sure they’re safe. That’s what I’m in this job to do. But, but, if I’m going to kill my business by doing that, that’s also the wrong answer. So, I’m going to come with Mike and I’m going to say, we need to look after those data subjects, but I’m also pretty much aware that’s the end of my employment in that organization. I’ll be honest, I think this is something we need to think about for CISOs, because we are putting people first who are not necessarily our employers, and we need protection.

David Spark

Yeah. I think there’s a variation of this. Phil, back me up. While these are two extreme examples, I’m sure CISOs are dealing with ever so slight variations of this all the time. Correct?

Phil Huggins

It’s a constant tension between going faster, knowing more, providing more value, against protecting more and minimizing risk. It’s a constant tension, and that is what we’re paid to do.

What would you advise?

00:19:37:23

David Spark

On the Cybersecurity subreddit, a Redditor who is a security analyst with pentesting experience wants to start their own consulting business. “My idea is to go to small and medium-sized companies, perform a network survey, identify any vulnerabilities, recommend a risk mitigation plan, perform pentesting, and provide training to employees on best practices to maintain security of their infrastructure.” Sounds pretty solid. Also sounds like a ton of work. So, lots of Redditors gave advice, like hiring a good lawyer. The Redditor’s plan seems sound, but nothing ever moves that smoothly. So, I’ll start with you, Mike, what hurdles would you expect in something like that, and if you were a target for a consultant like this, what would you want to hear? I get the sense that he’s going to target companies that have little to no in-house security talent.

Mike Johnson

Yeah, I think it’s a great target market to look for the small to medium businesses, right?

David Spark

There’s plenty.

Mike Johnson

They need this sort of help. They’re not going to have the in-house staff to do it. At the same time, I think one of the biggest challenges that this person’s going to have is convincing their small to medium businesses that they do need this help. Some of them recognize it, and there’s headlines that keep on coming that are making it into mainstream news, that’s getting it in front of them, but the big challenge is convincing them that they need this type of service. To put myself in their shoes, or in the shoes of a tech leader at a small to medium business, I would be looking for a partner to help me find my blind spots, what I’m missing, and then help me understand how to find them. Imagine if this person were to set up a business with the goal of their customers adopting solid security practices, so they don’t need the services of this company anymore. You’re really trying to ramp them up so that they don’t need you anymore. It will take a lot of work, so you have a lot of runway for making that business, but it will also set you apart from everyone else out there that’s trying to get this hook sunk in their customers that they can’t ever get rid of, and you’ll probably find the opposite happens. If you’re going in and saying, “I’m trying to make it so that you don’t need me anymore,” the odds are that they will actually be a good partner for you forever. They’re not actually going to go away, but it establishes an amount of trust that you’re giving advice and that you’re not just trying to make a buck.

David Spark

I know, trust is critical here. All right, so, Phil, what’s your advice to this Redditor who wants to start out on this business, and what should they watch out for as they start?

Phil Huggins

I think they need to really think about their customer. Their customer is different to how we generally set up consulting in cyber security. Most of the customers of cyber security are big enterprises. They’ve got their own people, and what they want is advice from someone who’s independent of vendors, who can come and tell them what to do, and give it to their people to get done. When we’re dealing with small/medium businesses, they don’t have the people. They don’t have the capacity and they, frankly, don’t have the money. What they don’t need is a bunch of advice in a document which they stick on a shelf and say, “Well, we’ve got that review,” and nothing happens. What they need is someone to come along and say, “You need this configuring and I’m doing it. You need this turning on and I’m doing it. You want to go and buy this product, because I know how it works, and I can run it for you.” Because they need that hands-on help that can get it delivered, and get the outcomes that they’re looking for. I think you really just need to sit and think about the customers, what they’re prepared to buy, how much they’re prepared to spend, and how they want to receive that advice.

David Spark

I think that the line, though, is how much they’re willing to spend. That’s going to be a tough one to figure out. Because, if I think about something like a dental office that needs cyber security help, they don’t budget for this kind of thing, and now, they have to. So, their attitude is, “Little to nothing is what I’d like to spend.”

Phil Huggins

Well, I think this is why we’ve seen the growth of the fractional CISO market. It’s a huge business now, there’s a lot of it. The reason being that they can’t afford people, but what they can afford is someone, once a month, to come in and say, “You’ve done the right thing here. You need to fix this here. I’m going to configure something over there. See you in a month’s time.” It’s not great, but it’s a world ahead of where they are with no people whatsoever.

David Spark

That, I think, is a key point, not perfect, but a hell of a lot better than what they had before.

What I learned from a CISO.

00:24:17:18

David Spark

On our AMA on the cyber security subreddit, MJSaaS asked, “What are the most valuable things you try to learn from your peers in your network, or community?” I’m going to add to this, and I’m going to you first, Mike, can you pinpoint something that you actually learned and acted on because of advice from a direct peer?

Mike Johnson

This is such a great question, a fine example of an AMA-style question. My easy answer is, solutions to problems that I have and they’ve solved. Like, I can just learn from them and I can apply that directly, but really what I try to focus on is the soft skills. I’m always trying to improve my leadership skills and my ways of relating to the business and where I can learn from others. Those come in really powerful to me, because those are great lessons learned that they’ve learned, probably, the hard way. A good example is, I was just recently talking with a friend about how they were implementing quantified security risk management. The idea of applying dollars to risk, rather than red, yellow and green to risk. We talked about where they started and how it was going. I think, they’ve been on that journey for over a year now, and that gave me some opportunity to learn some very exact examples, like how they sold the business on it, and they shared some of their presentations that they had given, both internally and externally, and I can reference those things to learn from. This is something I want to do in my business. I want to bring that quantified approach to risk management, and this is someone who has all the bumps, bruises, and scars from it that I can now learn from and, potentially, avoid some of those mistakes. I may make entirely new ones, but at least I can learn from that, and that gives me a place to start, based on what they’ve done that I can now bring back to my business.

David Spark

Excellent! All right, Phil, same question to you. What is it that you learn from your community, and can you pinpoint something that you learned and acted on?

Phil Huggins

Sure. So, it’s what works. Exactly as Mike said, “Tell me what works for you, because maybe it will work for me.” We’re at that place in our discipline, right now, that we still need to learn from each other what works. I really ask, “Who’s got a vendor that’s delivered?” because vendors make us cry, and how they bridge the gap to boards, wider business executives, and which standards have not turned into an absolute nightmare when the auditors have turned up. It’s those little things. There’s some great people across the industry that I always listen to. Dan Geer’s a great example and Phil Venables. If you look at Phil Venables’ blog, and you look at my security programs, they look very similar. There was a great example of this where a friend of mine – who shall remain nameless for obvious reasons – got caught between a regulator in one country and a law enforcement agency in another. The law enforcement agency would not reveal the details of a breach, and would not let him reveal it. They knew a breach had happened, and the regulator in the other country wanted those details. He spent a good six months caught between two poles. It wasn’t his fault, but he got the kicking. Listening to him go through that, it gave him some release because it made him happier to have someone else feel his pain, but it was fascinating, because those are the sorts of difficult problems that, as a CISO, you have to solve.

David Spark

So, wait! I mean, that sounds like a tantamount problem. What did you learn, in general, should something equivalent happen to you some day? How should you deal with it? Did your friend have any hindsight, like, “Okay, I now know how to deal with this, should this happen again”?

Phil Huggins

I think, for him, it brought some visibility into a website that was apparently serving people in one country and delivered from another, had components that were being delivered by a third party company in a country very different to where the data subjects were, and what that meant in terms of, specifically, the relationship between the regulators.

David Spark

So, this goes back to our earlier segment about doing the questionnaires, and where is everything coming from?

Phil Huggins

Yes. I think it was as much to understand that when you get into that problem, you need to address it face on, you need to be up front with the regulator. I think it was mostly to give him catharsis, but it taught me to be aware that that problem is coming, because I’ll run into that at some point, I’m sure.

David Spark

You also bring up a very good point in that CISOs need other CISOs just to vent.

Mike Johnson

Yes.

Phil Huggins

Absolutely.

David Spark

To have someone who can appreciate how painful what you just described is, because I’m sure, when your friend told you this, you had the appropriate reaction. Yes?

Phil Huggins

I went to the bar. Absolutely.

Close

00:29:12:04

David Spark

All right. Well, with that being said, let’s wrap up this darn show! I want to thank Phil Huggins, who is the CISO for the National Health Service Test and Trace Program, for joining us. Phil, I’ll let you have the very last word of this show – and, by the way, one of the questions I always ask our guest is, are you hiring? So, please have an answer for that coming up. Mike, any last words?

Mike Johnson

Yeah. Phil, thanks for joining us. It was great to have the conversation, but also, to listen to you really explain the value of listening. I think that’s something that, on this show, we talk about the value of communication. But going all the way back to your tip, and then, it was woven into every answer along the way, the value of listening to others. I think that’s something that we need to remind ourselves of on a regular basis. So, thank you, specifically, for that tip, but, in general, for coming onto our show and giving your perspective. It’s always great to hear new perspectives, so thank you for sharing that with me, and with our audience, as well, and just, in general. Thank you, Phil.

David Spark

I want to thank our sponsor, VMware. Thank you so much, VMware, for sponsoring us. You know where to go to find more about them: VMware.com. Now, Phil, you get the last word. Are there any last comments that you want to make about anything that we discussed today? Are you hiring, making a pitch for your organization? Anything like that.

Phil Huggins

I’m hiring. In the summer, I’ll be hiring over 100 roles.

David Spark

What?! 100 roles?! You’re going to become very popular, Phil.

Phil Huggins

They’re government roles, so don’t get too excited, but I’m hiring in the summer. Plenty of roles. Really interesting work and really important work.

David Spark

Do they have to work in the UK, by the way?

Phil Huggins

They don’t have to work in the UK, but it would make life a lot easier. In terms of a pitch, I’m in government now, so I haven’t a company to pitch anymore, but what I will say is, I work very closely with the National Cyber Security Center here in the UK. They’ve been a huge supporter to the program we’ve been running. They produce fantastic content.

David Spark

We have actually quoted some of it on this show.

Phil Huggins

Excellent! They’ve turned it around and they’ve made the engagement with industry open. They’re brilliant. They share information and they help people. I would say, especially, if you’re a small/medium business in the UK, go onto the National Cyber Security Center website and have a look, because there’s advice there that you don’t have to pay for.

David Spark

That is good advice.

Mike Johnson

I’ll just quickly add, I think that’s a great service that they provide, and it’s not just for UK businesses. The advice that they give, you can apply to anyone. So, I would say, globally, it’s good advice and it’s good to follow.

David Spark

But, Mike, what’s the conversion rate? All right, I want to thank you, Mike, I want to thank you, Phil, and I want to thank you, listeners, for listening and contributing to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”