We’re Experts At Telling You To Fix Your Problems

I don’t need another vendor to find my problems. Finding my problems has not been the issue. That’s the easy part. Fixing them with the staff I have is definitely “the problem.” Vulnerability management must include ways to remediate, quickly.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest is John C. Underwood, VP, Information Security, Big 5 Sporting Goods.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

Full transcript

[Voiceover] Biggest mistake I ever made in security. Go!

[John Underwood] The biggest mistake I’ve ever made in security was coming into a new organization and not really learning the new communication pattern. So, I came in and used the old method of getting projects done thinking I was doing the right thing, and along the way I was creating a lot of work for a lot of people. And four years later, I’m still trying to unruffle some of those feathers.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And my co-host for this very episode, and since episode 1 of this show, it is Mike Johnson. Mike, for the audience, your voice would sound something like what?

[Mike Johnson] It sounds roughly like this, I think. Something like this.

[David Spark] Has not changed drastically in the 4+ years, 4-1/2 years we’ve been doing this show.

[Mike Johnson] I’d like to say it hasn’t changed in about 30-ish years, but you never know.

[David Spark] Oh. So, you’re going back to puberty when it changed?

[Mike Johnson] I mean, I assume that’s when it last changed.

[David Spark] Okay, all right. We’re available at CISOseries.com. Our sponsor for today’s episode, who has been a phenomenal sponsor with the CISO Series, it’s Pentera – assure security readiness across your complete attack surface. Some really interesting pentesting solutions they have. You’ll want to hear more about this later in the show, I will get to that. Mike, I’ve got a question for you.

[Mike Johnson] Okay.

[David Spark] Have you ever purchased the first generation of a piece of hardware in a rather mature market, if you will? The reason I mention this is I was on actually the show, daily tech news show, Good Day Internet they call it, and they talked about this new phone manufacturer “Nothing.” Honestly, that’s their name. And all I could think is you have all these other manufacturers of phones that have version over version over version and refined things, and here’s a new entrant. Who is going to trust first version of something in a mature market? My question – have you ever done this?

[Mike Johnson] Oh, sure.

[David Spark] What have you bought first version of?

[Mike Johnson] I mean, now I’m now having to go back and think about it, but I can understand the rationale behind it. It’s new and it’s shiny. And sometimes you’re aware that you’re taking a risk. It has to be compelling for you to take that risk though. I think a good comparison is buying the first model year of a vehicle. They go through improvements over five or six years, and then the new model comes out, and then there’s all new things that are wrong. And if you’re buying the first ones off the line, they’re still figuring out things as they go. But there’s a compelling reason to do it. There’s a reason why you want that thing. Sometimes it’s just because, in the case of the Nothing, it’s the new shiny, nobody else has it, it’s something different.

[David Spark] I know. And that’s about as far as it… And I really don’t need to impress anybody from having a cool-looking phone. Which, by the way, this Nothing phone has this sort of cool glow thing on the back. Which I’m thinking you can probably get an add-on product if you want to make the back of your cellphone glow, you can probably do that, that’s not a big deal.

[Mike Johnson] Oh. But now it’s thicker, right? The whole thing is it was within their normal case, so an add-on is going to be thicker. So, if it’s all built in, I know that feature, it’d be kind of cool if other phones would adopt it.

[David Spark] All right. I told you I was going to rope pinball into this.

[Mike Johnson] Okay, yes, pinball.

[David Spark] So, I own two Stern machines and they are the longest manufacturer that’s still been around. And you play a Stern machine versus – and there’s a handful of other new manufacturers of pinball machines out, and those are reasonably good to play – but the thing is you play those other ones, and you can just feel it. They’re just not built as well as the Stern and you’re like, “Yeah, this is what comes when you take 40, 50 years building pinball machines. You kind of figure it out over time.” So, this is my feeling about a lot of hardware is I’m scared to do first generation of things.

[Mike Johnson] [Laughter] But I think that’s fine, right? And fortunately for you, there’s people who are willing to take the risk.

[David Spark] I’ll let them take the bullet. Not me.

[Mike Johnson] Let them return their phone four times before they get a working one.

[David Spark] Exactly. All right. Let’s get to our guest on the show. I believe he has a phone that works.

[Mike Johnson] [Laughter]

[David Spark] This gentleman works at Big 5 Sporting Goods, so you know that I’m going to be doing a lot of sports metaphors, but by the way, all my sports metaphors are jai alai and curling, just so you know. I’m going to keep it just to that, nothing else. He is the VP of Information Security over at Big 5 Sporting Goods – John Underwood. John, thank you so much for joining us.

[John Underwood] Hey. Glad to join you guys. Thank you.

Why is everyone talking about this now?

[David Spark] “Almost every cyber security vendor: ‘Our product gives you visibility to…’” said Yaron Levi, CISO over at Dolby in a post on LinkedIn. Now, he wrote this post more than a year ago and looking back today, I see fewer vendors offering visibility-only solutions, knowing that security professionals want action. They want their tools to be able to take action for them, ideally – so in some way automated – or some direction on how to take action, and not too many things for them to do. So, Mike, I’m going to start with you. Do you think vendors are finally moving away from offering “just” visibility and giving proactive advice and in some cases automation to fix it? I know that most of our sponsors offer these kinds of solutions. I saw actually, after I put this up, I saw that you put a post up very similar to this too as well, Mike. So, what’s your take on this?

[Mike Johnson] I think it’s a natural cycle. If you remember back in the day, state-of-the-art cybersecurity was antivirus. All it did was take action. It would block things, it would delete things, it would prevent things from happening. And it wasn’t good enough to pick up everything that we wanted it to, so as an industry, we bolstered our detection abilities. We added more visibility, more alerts, and so on and so forth, and that was to compensate for the failings of the antivirus. Part of why antivirus actually was so hesitant to flag everything is the only thing that they had was the prevent. They didn’t want a false positive to break a business. So, they erred on the side of, “Well, we’re just going to prevent what we can and say nothing about anything else.”

We’ve had several years of these detection-only solutions. We’ve built up a level of confidence in that they are detecting only the things that we want them to. We’ve had so many discussions about false positives and how they’re the bane of our existence as security professionals. Vendors have shifted to high-fidelity visibility. So, now we’re starting to build our level of confidence to say, “Okay. Just start blocking that. Prevent that. That way we can actually not have to take these actions ourselves.” So, I think it’s really just this cycle of building confidence that the detections have gotten good enough that we’re willing to take these automatic actions.

[David Spark] So, you think over the years we go in steps, is that kind of what you’re saying?

[Mike Johnson] I think that’s what we’re seeing.

[David Spark] That’s a good philosophy. I kind of like that. All right, John. What’s your take here? Do you think vendors are finally moving away, are we in I guess another progressive step, as Mike is describing?

[John Underwood] I know you really like people to disagree with Mike on the show, but…

[David Spark] Please do. [Laughter]

[John Underwood] …I have to agree. I do agree. I’ve been in the industry for about 20 years, and it has gone kind of in the cycle that Mike laid out. And it seems like we’re at this point right now where some minor automation is built into most security tools, and then you can take advantage of that or not. But there’s also usually the MITRE ATT&CK framework that’s kind of built in, so you can kind of reference that. So, now, my SOC analyst or my team can kind of look at this alert, see what it is, and then look at that framework and see what is the next step on this attack path, how do I get in front of it. And so even though it may not be fully automated yet, it’s pointing to what is the next decision you need to make, what do you need to be thinking about. So, I would love to be in a position where the infrastructure is mature enough to handle full automation, we’re just not there yet, but I do see the industry as a whole kind of migrating upstream, like Mike was talking about.

[David Spark] Yeah. And because I have seen the frustration you, Mike, had posted, it’s like, “I don’t need to see more problems. I need to solve more problems essentially.” Of which we’ve all run into. So, let’s just close with this thing, and a quick maybe 20 seconds from both of you. Is there a certain kind of messaging that you’re more responsive to in this kind of way of this sort of remediation effort? Because so many of our vendors, many of our sponsors, are offering some kind of remediation solution. Is there a certain kind of something they do or something they say that gets you to get at least intrigued?

[Mike Johnson] For me, it’s confidence, auditability, and playback, like an undo button. If you give me that, then I’m in, I’m listening, let’s talk.

[John Underwood] Yeah. I wasn’t thinking about the undo button, but the confidence level. We have a tool that’ll tell us like, “This was the alert. This is the confidence level we have on this.” And so if it’s below a certain threshold, yeah, we might not dig into it right now.

They’re young, eager, and want in on cybersecurity.

[David Spark] “Here’s the deal with entry level jobs in cybersecurity – nobody wants to trust someone with no experience to be responsible for any aspect of the security of their organization. Period. End of story,” said Edward Hickcox on LinkedIn, offering what he thought was an open-and-shut opinion. Well, none are. So, the thing is, Edward brings up a very important issue here that we’ve addressed on this show before. But we’re going to address it from a different angle here, I’m going to start with you, John. What can you get entry level people working on that doesn’t get the business jittery? So, the idea is we don’t trust them yet, they don’t necessarily have the skills yet – although you do have to trust them at a certain level because you hired them – and what do you need to see from them to give them access to more? So, give me an idea of maybe first step and second step for someone starting out within your organization.

[John Underwood] Yeah. So, the last few hires that I’ve done were entry level jobs. One of them was an external hire and the other one was internal. And so what we did for the internal one was we took somebody from the Help Desk, and they were, quote/unquote, “experienced in IT, fresh to security.” So, even though they had some of the concepts down from just working in IT for a little while, they’re newbs in the security world. Great, I’ll take that, I’ll work with that, they’ve shown initiative.

[David Spark] And by the way, we’ve heard the Help Desk is one of the best places to mine for talent.

[John Underwood] Yeah. Especially if it’s internal. Like if you have people that want to move up, move across. Great. Let’s do that. Let’s promote some careers here. But the first thing we did when we brought them over was stripped away access. “Okay. You’re kind of starting over. We’re going to put you on the SOC. You’re going to read the speeds and feeds. We will kind of bring you along and have you help with various different projects and initiatives. And as you kind of level up, as you season, we’ll kind of give you more leeway.” It kind of reminds me, when I was in the military, we used to say the two most dangerous things in the world are a new lieutenant because he’ll lead you anywhere and a new private because he’ll follow you anywhere. So, what you want is somewhere in between. You want some seasoning, you want somebody that’s going to question like, “Why are we doing this?” or “Do I really need to push that button?”

[David Spark] So, you need to partner them with someone experienced is what you’re saying?

[John Underwood] Yes. So, we will have the SOC analyst work under the tutelage of a tier two or tier three analyst and work in conjunction with our managed services, just so they’re getting a feel for the ropes, and they don’t have the button for the nuke. I mean, they can’t go…they don’t have full sys admin access or full…

[Crosstalk 00:12:35]

[David Spark] So, the idea is they can’t do too much damage?

[John Underwood] …admin access. Correct, correct.

[David Spark] Now, second question is what would you need to see for them to be able to go to the next level? Like what behavior you’d want to see?

[John Underwood] Oh. What I want to see is initiative at the right times. Good initiative, bad judgment can make for a bad day. But what I want to see is good initiative at the right time, people taking the right action, or leveling up the right questions or events to the next senior person, “This is our situation. We bumped into this. This is what we tried. What do you suggest?” or “This is what I was thinking about doing. What do you suggest?” And if we can kind of get a little track record of this person is reliable, yeah, okay, we’ll give them more.

[David Spark] All right. Let’s move this to Mike. Mike – how does your story differ from John’s?

[Mike Johnson] I’m hearing a lot of similarities. The way you get someone started is with a playbook and mentoring. You tell them, “These are our processes, this is how we run things, and here’s someone who can be there for you to ask questions of.” And if you’re giving them access to SIEM, as John was talking about, the only harm that they can do is miss something, just not flag something that should have been, and presumably you’ve got other folks who have eyes on it. You haven’t built your entire program on the idea that if one person fails, you’re owned. So, it really is this concept of sit folks down with a playbook, give them access to the live information systems, but there is a safety net, both for the company, for the enterprise, but also for the individual so that the mistakes they can make aren’t actually going to harm anyone, including themselves.

Sponsor – Pentera

[David Spark] Hey! Before we get on any further, you remember I mentioned our sponsor Pentera? Well, I do want to mention them. This episode of the CISO Series Podcast is made possible by Pentera, and we love Pentera. So, let me tell you a little about what they do because it’s pretty darn cool. So, today over 60% of cyberattacks involve the use of exposed credentials. We’ve actually seen this in report over report over report. So, now, for the first time, security teams can address this critical threat head-on.

Pentera collects an organization’s leaked credentials and automatically tests their exploitability across the external and internal attack surface. So, Pentera automates the moves of an attacker in the live IT environment and dynamically maps out complete attack kill chains, helping to prioritize remediation action according to their context in real time. You get to actually see it in sort of a simulated environment, not actually happening because we want to see it that way first.

So, Pentera’s customers find that leveraging the platform as part of their exposure management strategy increases their ability to identify security gaps, improves the efficiency of remediation processes, reduces expenses, and enables them to better benchmark their cyber resilience over time. Ultimately, it maximizes their security readiness and that is what you want from a pentesting solution. So, do you want to learn more about this? You got to go check them out. So, go to Pentera.io.

It’s time to play “What’s Worse?”

[David Spark] All right. John, you know how this is played, correct?

[John Underwood] I do.

[David Spark] All right. This is actually a short and easy one. Well, actually, I don’t know if it’s easy, but it’s a short one.

[Mike Johnson] Usually the short ones are the hardest ones.

[David Spark] I don’t know. Again, I got to get you on with…we have this new guy who’s been sending in stuff. He’s anonymous but we’ve been using a pseudonym for him, and he’s been writing these very long, extremely creative ones. By the way, I’m throwing the gauntlet down, Osmond Young, he’s personally my favorite submitter of “What’s Worse?” scenarios. We have a lot of great submitters but his creativity and what he has drawn out has been pretty spectacular, and they’re really, really tough.

[Mike Johnson] Is he using ChatGPT to create these?

[David Spark] No, he is not, not that I know of. He could be, who knows?

[Mike Johnson] He could be.

[David Spark] It could just be ChatGPT sending me these. Who knows? But this comes from Dustin Sachs of World Fuel Service, who submits lots of great “What’s Worse?” scenarios. And here you go. Now, it has to do with a security incident. I just want to say assume the security incident is equally bad in the two situations.

[Mike Johnson] Okay.

[David Spark] So, this is what he says, Mike, what’s worse, a security incident on Christmas Eve or a security incident the day before payroll?

[Mike Johnson] Wow! That actually is interesting. Because what you’ve got is the security incident on Christmas Eve, your teams are generally spinning down, your staff levels are a bit lower.

[David Spark] Also many of them may be gone.

[Mike Johnson] Right, right. Your levels of staffing, the human power that you can bring to deal with the incident, is dramatically reduced. The payroll example is you’ve got a clock ticking and potentially if payroll is wrong, you’re paying something incorrectly in all manner of bad ways. So, this is actually an interesting one. Again, just going to pick one and roll with it.

[David Spark] You’re going to pick one and roll with it.

[Mike Johnson] What I’ll say is I’m going to go with the Christmas Eve one, and the reason is for a few reasons. One, the payroll example, I have an opportunity to catch that and roll it back. There’s this window for financial transactions that you can roll it back if you catch it quick enough. There’s still a risk there. For the other example, on this Christmas Eve, a thing that you catch, you don’t have as much opportunity to actually claw anything back, to roll anything back. So, it could be several days, and by the time those days have passed…

[David Spark] But why is it like… The thing is the payroll is just one thing. Payroll could be affected on Christmas Eve too. It all could be.

[Mike Johnson] Oh, sure. But that’s what I was saying, right? Is if it is payroll impacted on Christmas Eve, there’s now this lack of resources to handle the incident, to deal with it, to try and pull it…to try and undo the damage.

[David Spark] But the thing is it could also not have to do anything with payroll.

[Mike Johnson] Sure. You said that these are equal severity.

[David Spark] Severity. But it could be payroll affected but payroll may not be running for another week or so, or it may have just run. That’s the thing.

[Mike Johnson] Sure.

[David Spark] Like it might run just before Christmas.

[Mike Johnson] Everything that I’m really latching on here to is the ability to, whatever the impact is, to have any way of rolling it back.

[David Spark] So, you’re saying Christmas is way worse just because of the sheer fact your manpower’s not going to be there.

[Mike Johnson] And the likelihood of actually being able to handle it is much lower.

[David Spark] Okay. That’s your argument. All right. John, you want to agree or disagree with this one?

[John Underwood] Oh, this is tough. Listening to you guys go back and forth, man, I quit, I’m done.

[Mike Johnson] That makes a good question.

[John Underwood] Right, right. I think I should disagree.

[David Spark] I think we should play the “What’s Worse?” game of, “This or this or just quit!”

[John Underwood] I think I’ll have to disagree. I think what is probably going to be worse is the payroll issue. And the reason I say that is because we run through multiple tabletop scenarios with the infrastructure team, with the security team, with the executives. We don’t do that a whole lot with the business side – with HR, with payroll. If something goes south over there, it may be a little bit to get everybody back together to figure out what’s going on and to unwind that. So, not that I trust the security team more, but I trust we’ve done enough training that I can get enough people together in one spot at one time, that we can come to some kind of solution and mitigate whatever’s going on on Christmas Eve. As opposed to something just before payroll. That, and I want to make sure people are getting paid. That’s always good.

[Mike Johnson] That is highly valuable.

[John Underwood] Yes.

How have you actually pulled this off?

[David Spark] We hacked the hackers! Good news story of the DOJ and FBI taking down Hive ransomware after spending months inside the gang’s systems. Essentially, they were able to get the decryption keys from Hive and distribute them out to all the people who Hive sent ransomware, thus nullifying the ransoms. Now, we talked about this on Cyber Security Headlines, and while we’ve spoken before about how you shouldn’t hack back, and that this was an enforcement agency response – Mike, I’m going to start with you – is there anything us lay people can do that may exist in some gray area of hacking back? It seems all we’re doing in cyber is just protecting ourselves and not fighting back. We’re never getting to the root of the problem. Is there any way we can just get closer to the problem to stop it?

[Mike Johnson] No. Don’t go into this.

[David Spark] Just a flat-out no?

[Mike Johnson] Don’t go into this gray area. I recognize that people want to do something, but you’re not entitled to break the law just because somebody else does. And in fact, what you’re doing is we’re talking about vigilantism, and I actually went and looked this up. The Oxford Dictionary definition of a vigilante is a member of a self-appointed group of citizens who undertake law enforcement in their community without legal authority, typically because legal agencies are thought to be inadequate. And that’s really what we’re talking about here is we don’t feel that…

[David Spark] But this is where I’m getting into the gray – yeah, yeah, we know they’re hacking back – but is there something? Like let me throw out this idea. Is there some way that you could scan the hackers to then provide that information to the authorities? I don’t know, I’m making things up here. But is there something where you could provide information, like make their job easier? Like I’m on citizen patrol and I’m helping them out.

[Mike Johnson] One of the things you have to be careful with what you mentioned is sometimes you’re poking the bear. And while you can look at it as, “I’m gathering more information for law enforcement,” what you might end up doing is angering the attacker more and they might take more interest. They might go different avenues that they weren’t previously looking to pursue because you’ve poked them. So, you have to be careful from that angle as well. What you can best do is passively gather as much information as you can. What are the techniques that they’re using? John was talking earlier about the MITRE ATT&CK framework. Build the attack chains, clearly organize your information so that what you’re handing over to law enforcement is easier for them to deal with, is easier for them to parse. Maybe there’s signatures, fingerprints, that the attacker is leaving behind. Share those as well. But don’t go active. There’s really only bad down that path.

[David Spark] So, the idea is provide the data from your viewpoint within your own organization rather than entering in?

[Mike Johnson] Exactly.

[David Spark] John, is there any other gray area we can play in that would help the authorities? We’re against truly hacking back but for the authorities, that’s their job. What can we as normal citizens do to get closer to the problem rather than batting off things like we’re Wonder Woman’s gold bracelets?

[John Underwood] As a security leader in an organization, I want to do nothing that attacks back. Like Mike said, I think you said poke the bear, pre-show I was kind of thinking I don’t want to stir the hive. We’re talking about possible nation-states or groups that have nothing to lose and a point to make, and I don’t want to get in the crosshairs. I have enough problems trying to do this on my own, trying to protect my organization, my clients, my people. I don’t want to go poking the bear. Observe and report. That’s kind of my stance. I know there are groups, independent groups that will try and find IOCs and help law enforcement with human trafficking, things like that. That’s all well and good but as far as it comes to my organization, it’s hands off.

[David Spark] So, just to summarize, and correct me if I’m wrong here, you do not poke the bear at all, you don’t go in there, that’s not your space. But if you can provide information within your own organization, data that you collect provided to the authorities, do as much as you can from that respect?

[John Underwood] Yeah. ISACs, FBI, info sharing, all that’s great, but I’m not trying to hack back. Especially if maybe somebody’s proxying off another company and now I’m hacking that company. I don’t want to be in that position.

[David Spark] Have you ever had employees just flat out frustrated? Like, “I can see what they’re doing! I want them to stop this! I know how to stop this!” Do you ever have that from an employee?

[John Underwood] I’ll be honest, no. No, I haven’t.

[David Spark] You haven’t had that.

[Mike Johnson] What I’ve seen in the past is I’ve had my team share, “This is the Facebook profile of the person and they just checked in, this is physically where they are in the world today.” You can get to that point, but what are you going to do? Are you going to just show up? No. So, you have to be really careful about spending your time gathering information that is not terribly helpful.

Mike’s confused. Let’s help him out.

[David Spark] Mike, you were bold enough to come out and admit you don’t understand the security concerns around ChatGPT. Now, I question those as well. Now, we’re recording this at the end of January, and who knows? By the time this actually airs, will there be a ChatGPT-led cyberattack? We’ll have to wait and find out. So, you don’t understand the concerns around ChatGPT. My question is – did the 160+ comments to your question convince you there is something to worry about here? Or is this just the shiny new object for us all to get all riled about?

[Mike Johnson] So, first of all, I want to thank everyone for actually participating. I put these out there because I genuinely want to understand and I appreciate that folks approach it from that angle of trying to help because I’m not the only one who asks these questions, who’s wondering. Not everyone has the opportunity to ask 30,000 people at once, and that’s what I really appreciate, that folks engaged in these questions. So, first of all, thank you. What I really took away from it was a reinforcement of something somebody else had said about ChatGPT, and what someone said was ChatGPT has this amazing ability to confidently give wrong answers. It will be very convinced and it will try and do everything it can to convince you.

[David Spark] I thought that was the theme of this podcast – constantly give wrong answers.

[Mike Johnson] That’s what we’re here for. I’m telling you, David. It’s coming for our jobs. The examples that were given that I think most appealed to me were where people were talking about ChatGPT writing code or writing documentation or writing things that people aren’t going to check on their own, they’re just going to trust it.

[David Spark] Actually, haven’t we seen a few examples of some programs actually fully written by ChatGPT?

[Mike Johnson] Yes. Exactly. And some of them are right, but some of them are very wrong, and it’s very difficult to tell the difference. And if you’re just going in and you’re giving it that trust, kind of going back to the earlier comment about someone green in cybersecurity, you’re just giving them the keys to the kingdom. That’s where the harm is going to come. So, if people are just taking the answers or the code that ChatGPT is writing and then just blindly implementing it, that’s going to set us up for security vulnerabilities going forward. That was my biggest takeaway from those conversations, things that I’m now worried about.

[David Spark] Good thing to worry about. All right. John? Do you have anything to worry about with regard to ChatGPT or are you putting your full blind trust in it?

[John Underwood] [Laughter] I’m sure like anything new, there’s the power for good and evil, right? So, I do see a lot of people kind of a little bit afraid about what could be with ChatGPT. But honestly, I’m a little bit more interested in what it can do for us, and so I look at it more as an augmentation tool. In playing with it a little bit, I was having it write simple little policies for me. I was having a problem being concise on system hardening, I was wanting to get down in the weeds, and it put together a really concise system hardening policy for me. Great. I’m able to take that, mold it into what we need and put it out there. So, like Mike was saying, we want to not trust it blindly. Take it, use it, and deploy it. There’s just so many things that this can do. I’m very interested for the future.

[Mike Johnson] I like that example that you gave, which was take a perhaps verbose policy and compress it down and make it more concise. I think that’s a very interesting use case.

[David Spark] But wait. So, did you feed your verbose policy and say, “Can you summarize this for me?”

[John Underwood] No. What I did is I asked, “Write a security policy to address system hardening for Windows operating systems, AIX OS, and macOS.” And the first one, I gave it a limit of 400 characters, and then the next one I gave it a limit of 4,000 characters, and both of them came back pretty spot on.

[David Spark] I mean, honestly, people want perfection to spit out, but for those people who write a lot, most writing is editing. So, if you could have someone write the first draft of anything for you that you could edit, how awesome would that be?

[John Underwood] It’s awesome. I started looking at this thinking I want to kind of revamp most of my policies and make them shorter, make them more concise. And of course, I’m not going to blindly take what it spits out, but man, I could use that as a starting point.

[David Spark] But here’s the thing that we’ve noticed. For example, for those people who are now seeing like our blog posts. The images that we use now are all generated by an AI. We use the Midjourney tool. And what I’ve noticed with this tool Midjourney is that to get good images, you have to get really good at writing creative prompts. And I can honestly see in the future that people are going to have on their resumes their skill at writing prompts for AI image-generating thing. Because I’ll create images but then I see other images that are generated, and they write so much better prompts and they get more spectacular-looking images than what I’m able to generate. And I think the same thing’s going to be with ChatGPT is how creative can you get using the tool, and this could be another skill you’re seeing on a resume line. What do you think, Mike?

[Mike Johnson] I think what we’re witnessing is almost the birth of a new career path, which is the writing of prompts. I do think that there’s a level of creativity that humans bring that the machines don’t have, can’t have, that that combination – as John is calling it, augmentation – I think there’s something there. And so I do think that you can find people being really creative in writing these prompts and then getting really useful, valuable, interesting outputs when combined with the model. I think that’s absolutely a future that we could see.

[David Spark] So, are we summarizing not to fear ChatGPT? Use the tool for its value, and it has some serious value. Of which, John, you’ve already discovered some of it already.

[John Underwood] Yeah. And to tie it back to the beginning of this show, why don’t we just have it write out some workflows and playbooks for us and start there?

[David Spark] Remember, it’s just a draft, you can always edit it. All right.

[David Spark] Well, that brings us to the very end of the show. I want to thank our guest John Underwood who is the VP of Information Security over at Big 5 Sporting Goods. That’s where you can get all your basketballs, your baseballs, your gloves, your bats. Do you sell any jai alai equipment or curling equipment?

[John Underwood] You know what? If we do, I am completely unaware, but we do sell standup paddleboards and boogie boards if you’re near the coast.

[David Spark] There you go. Well, we’re near the coast. I wouldn’t be surprised because like in Miami, that’s where jai alai is really popular, so possibly you sell the equipment in Miami. Who knows? I’m assuming, depending on what’s popular in the area, you have the right equipment for it.

[John Underwood] I would hope that they’re targeting that well, yes.

[David Spark] Yes. All right. Thank you very much. I want to thank our sponsor also, Pentera, remember pentera.io. Get some automated pentesting, figure out how hackers are taking advantage of user credentials and essentially put some plugs in that path. Assure security readiness across your complete attack surface. Mike, any last words?

[Mike Johnson] John, thank you for joining us. I really enjoyed the conversation, especially around ChatGPT. Hearing someone who’s actually leveraging the tool and putting it to use was really neat, and I think your concepts of how you were doing that were really interesting to hear. I also wanted to give you a shout-out for something that you mentioned in the session where we were talking about bringing people new into the field, and you had mentioned that kind of giving people the orientation of asking a question of, “This is what I think I was going to do. Does this make sense?” I think that’s a great way for entry-level folks to approach a problem, is kind of come up with a conclusion and then go and ask for advice specifically. So, I think that was a great tip for folks who are new into their career and also for ways for folks to think about bringing on fresh folks. So, thank you so much for your wisdom, your willingness to use ChatGPT and talk about it, and your willingness to join us on the show today. Thank you, John.

[John Underwood] I appreciate it, guys. Thank you very much. This has been pretty fun.

[David Spark] By the way, I didn’t even ask, are you hiring over at Big 5 Sporting Goods?

[John Underwood] The company’s always hiring. Unfortunately in the security team, we’re full up right now.

[David Spark] You’re full? Well, that’s great!

[John Underwood] Yeah, yeah. It’s a good position to be in.

[David Spark] Very few security leaders can say, “I’ve got a full team.”

[John Underwood] Yeah.

[David Spark] Do you want a bigger team? Everyone wants a bigger team.

[John Underwood] I want a bigger team, I want a bigger budget, who doesn’t?

[David Spark] You’re like everyone. I’m assuming people can find you over at the LinkedIn?

[John Underwood] You can find me on LinkedIn at whatever the prefix is, JC Underwood.

[David Spark] Well, don’t worry about it. We’ll have a link to your LinkedIn profile…

[John Underwood] Right on.

[David Spark] …on the blog post for this episode. Thank you, audience! Hey, I need a lot more “What’s Worse?” scenarios. Give me something really good and creative that is very challenging. I thought today’s from Dustin Sachs was excellent, thank you. So, more contributions. Keep on listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.