What Does It Cost to Prove Security Is Working?

What Does It Cost to Prove Security Is Working? - CISO Series Podcast

I have no idea what I need to spend to demonstrate our security program is working. What’s it going to take? Or maybe I need just others on my team to just validate that they truly do care about security.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is John McClure (@johnmcclure00), CISO, Sinclair Broadcast Group.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Keyavi

Data that protects itself?  Now it does! We made data so smart it can think for itself. Secure itself. Stay continually aware of its surroundings. Control where, when and who is allowed access. And automatically report back to its owner. This changes the entire cybersecurity paradigm. Learn how.

Full transcript

[Voiceover] What I love about cyber security. Go!

[John McClure] Yeah, I think what I love most is really the challenge, how quickly the field is moving. Every day is a different challenge. It’s very different from some other fields where you’re really competing against yourself every day. With cyber, you’ve got somebody on the other side of the keyboard, sometimes halfway around the world, that you got to outthink and play an interesting game of chess with.

[Voiceover] It’s time to begin the CISO Series podcast.

[David Spark] Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the CISO Series. And my cohost for this very episode is Andy Ellis, also known as the operating partner over at YL Ventures. Andy, makes some noise with your mouth as you do.

[Andy Ellis] Well, today I’m in Tel Aviv, and I’m about to participate in Cyber Week.

[David Spark] Now, he’s saying that in the future because this episode is going to drop in June, but we’re actually recording this far earlier, around Passover time.

[Andy Ellis] Right, so if I started singing Passover songs people would be like, “What are you doing? Shevat just happened. Get with it.”

[David Spark] I know. It is not that. But we’re going to talk about June in just a second. I want to mention to everybody that we’re available at CISOseries.com. this is not the only show we have on our network. We have other programs as well. Our sponsor for today’s episode is Keyavi. Do you want self-intelligent, self-protecting data? It sounds very interesting. Well, who wouldn’t want that? More about that later in the show. And Keyavi has been a spectacular sponsor of the CISO Series, and we appreciate them sponsoring us as well. Now, what I want to mention – you are in Israel. At the time that this episode airs, I will be at Vidcon. Are you familiar with what Vidcon is?

[Andy Ellis] I am not familiar with Vidcon. I assume it’s a convention for video people.

[David Spark] Yes, it is. Now, here’s the way I like to describe the Vidcon – if you want to ever feel completely and utterly out of touch with the teens of today, go to Vidcon. Because this is an event for all the online video personalities that you have absolutely zero clue who they are, but your kids probably know who they are. And that’s what this event is.

[Andy Ellis] That sounds really cool.

[David Spark] It is cool. Anyways, I run all the sponsored sessions at the event. It’s one of the few non-cyber security things that I do, and it’s a super fun event because I’m actually… I got a good relationship with the general manager of Vidcon as well, but it’s a wild, crazy show. It’s like nonstop entertainment. Screaming teens for people you’ve never heard of.

[Andy Ellis] Okay.

[David Spark] I’m taking my kids there as well, and they’re gaga over personalities I’ve never heard of as well.

[Andy Ellis] I get that. when my kids were little, they played Minecraft a lot, and they got into a lot of the YouTubers. And so there were Stampy Long Nose or something was one of the people that they followed. And so we had to make a cake for my son’s birthday that was the Minecraft skin for Stampy. We’re like, “We have no idea who this person is,” but we were able to find the skin and make a pixelated cake. It was all the rage, and we were the best parents of the week.

[David Spark] Same idea.

[Andy Ellis] Okay.

[David Spark] My kids are also into Minecraft as well. I don’t get it. But again, I’m a clueless dad.

[Andy Ellis] If you know you’re clueless then at least you’re not a clue zero.

[David Spark] Right. I try to be a little bit hipper, but I think about my own parents that were clueless about the pop culture I was into. And so now I’m clueless about my kids’ pop culture, and I think that’s the role of the parent is you got to be out of it. If you’re really into what your kids are into, that’s a little weird, I think.

[Andy Ellis] Not necessarily. You’re bonding with them a little bit. And when they’re tired of you, they will yeet you into outer space and don’t worry about it.

[David Spark] Well, that’s one way to look at it. All right, let’s get into our actual show. I’m very excited because this guest I’ve been working very hard to get onto this show, and I’m thrilled that we finally got him on the show. It is the CISO for Sinclair Broad Group, John McClure. John, thank you so much for joining us.

[John McClure] Glad to be here. I’m excited.

Why is everyone talking about this now?

4:22.521

[David Spark] On Twitter I asked this question – what’s your best indicator that your security program is actually improving? And the second question is is anyone impressed besides you and the rest of your team. So, here’s the sampling of the responses. “Your stakeholders start telling you what they did or didn’t do as a direct result of our advice, and they’re proud of it.” That’s from David Peach. “Also after recommending a certain fix and then being called back to do a follow-up pen test, and the original finding was actually patched – that makes my day.” That’s from the Twitter user @ShadowM82. And from Twitter user @InfoSecLogger, “People on the business side actually want to talk to you.” So, Andy, I think all of these were great indicators. Do you agree that these are great indicators, and do you have some of your own?

[Andy Ellis] I love these. Now, I want to say you should have some quantitative indicators as well, but I think too often people focus only on quantitative indicators of activity, not on indicators of effectiveness. But from a qualitative perspective, these are amazing. That last one is actually the most important one, which is the security team’s best function is as an advisor to the business. You’re helping people make better choices. And if people want to talk to you, you can help them more. If they don’t want to talk to you then you can’t help them. That at the end of the day is one of those sort of fundamental measures of how affective you can be. The second one around the pen testing, I like that one. But I think the more important one is actually looking at incidents. When you see incidents that repeat but are less severe. Because some issue happened, but control stopped it from being a worse issue. Those are in my opinion some of the best times where you’re like, “Yes, we implemented that control, and so this was a SEB [Phonetic 00:06:19] 4 incident instead of the SEB 1 that it was a year ago.”

[David Spark] All right, I’m throwing this to you, John. What do you think of these indicators, and do you have favorites of your own?

[John McClure] Yeah, I think so. And agree with Andy on some of those points. You clearly have to have some things you can count I think in a demonstrable way to really show effectiveness. So, [Inaudible 00:06:40] control coverage, obviously, is a big one. Without properly fully deploying across your environment you’re clearly going to have a lack of effectiveness. The question is also an interesting one. We’re talking about the indicator that our program is improving, and the program has so many different lenses that you can look at it through. So, some of them…again, control coverage, time to response, time to remediate, some of those things are easily measurable. But agreed on the business engagement part. I think so often especially years ago security groups, CISOs, etc. were always looked at as an impediment to business. We were slowing things down. We were always getting in the way. We were looked at as roadblocks instead of business partners and business enablers. I think that’s come a long way. I think that’s come a very long way. I think now we’re getting a seat with the board. I think we’re getting a seat at the parents’ table in many ways. And I think that dynamic is really a huge testament to how well your program is doing and the fact that they’re bringing you in at higher level discussions and really looking at you not just as a technology leader but as a business leader.

[David Spark] On our other show, we quoted someone who said that they had a situation where their marketing department found threat intelligence before the security department did, and that was an enormous win they thought. Because marketing was becoming more security minded, and they were looking for this, and they found this. And both the cohost and the guest were like, “That would be enormous if that happened.” If you could have other departments behaving like security, would you consider that an enormous win? Because I got to assume that’s got to be huge. Yes, Andy?

[Andy Ellis] Oh, absolutely. My favorite was whenever IT would roll out a new application. Here’s the new web app that we’re doing, whatever it is. And some random department starts filing tickets against it, and they’re like, “Yep, I found a security flaw here. I found a privilege escalation here.” And I’m like, “Oh, man, our security training to developers on how to be defensive in their code has taught them how to be offensive with other peoples’ code.”

[David Spark] Have you seen this as well, John?

[John McClure] Yeah, we sure have. I think the more people out there we have focused on it, really kind of accepting that security is everybody’s business, and everybody can contribute in different ways…I think that culture to be able to permeate that way is just amazing. Again, I think we’re in the early days of that. I think you really see some of that maturity in some organizations that have really prioritized it and really kind of brought it to the forefront, done a lot of engagement with other groups. But yeah, more people on the battlefield for us the better.

What’s broken about cybersecurity hiring?

9:16.860

[David Spark] Best Reddit subject line goes to DeezSaltyNuts69…classy name, I know…for the following title, “Certifications are not like Pokémon cards. You do not need to collect them all.” An enormous debate ensued on this, and the Redditor’s argument is that you don’t need it to get past HR and that many of the companies offering certs are just doing it for a money grab. And CompTIA became a requirement for the US Department of Defense. So, use cert sparingly…again, this is what the poster said…to fill in some knowledge. Certs alone don’t qualify you for a role. Now, conversely one Redditor just said they like learning and getting a cert is a bonus. So, if someone is going to dog me for having certs, I don’t want to work for them. I see the question of what certs should I get all the time. What’s the reality for those trying to get into cyber security and also for more seasoned professionals? I’ll start with you, John.

[John McClure] Yeah, I think this is always an interesting topic and that I get asked about frequently. Again, bit of a religious argument, I think. Some really passionate people on both sides. I think it really depends where you are. I think kind of the last portion of your question was key. If you’re just breaking into cyber security, I think a cert or some type of education, background in that way can help kind of fill some gaps where you really don’t have that experience on your resume to kind of lean back into. And then for the more seasoned folks, obviously a lot more experience, you don’t see necessarily a lot of organizations requiring them. Though periodically, again, DOD… And as a government contractor for over 20 years, definitely saw that. And at some level, you got to set a bar. And so wherever that bar, whether it’s with a cert or with some formal education, I don’t think it’s necessarily a bad thing. But I do not hire just based on certs. And rarely is it even a requirement when I’m looking for experienced people.

[David Spark] All right, I’m throwing this to Andy. I’ve seen situations where very green people are collecting certs, and they’re not collecting experience. What kind of flag does that throw up?

[Andy Ellis] The first flag that it throws up for me is that they can’t get the experience somehow. Let’s be very honest with everybody here – recruiting is not anyone’s friend. The requirements that are often on these jobs are certifications, are insane amounts of requirements. Like entry level jobs that say you got to have a bachelor’s degree, two certs, and five years of experience. That’s not an entry level job anywhere. But nonetheless, we see them. So, if you have certs, here’s my challenge to you – go and look for a job. Pretend that you are an analyst either fresh out of college, or you’ve just got an associate degree, and you want to go get a job as a cyber security analyst entry level in a SOC. And go look at what the requirements actually are on those jobs before you start dissing people who are collecting certs. These people who may not have experience, but they’re trying to learn. So, think of the cert as a replacement for a college program because many colleges don’t have a good cyber security program.

On the flipside if you’re the person who’s collecting certs for whatever reason, when you’re looking for a job, what the certs do is they help you get past the recruiter. And then more likely than not, they are a negative to the hiring manager and to the people who are going to interview you. So, downplay them on your resume because all that you need is to have them on your resume somewhere for recruiting to be happy, for whatever AI filter they’ve got to be happy. So, put them down at the bottom of the second page of your resume. Just list them there in a small font. You don’t have to say, “Oh my God, I got 12 certs at an entry level job.” Don’t put them in the top, saying, “My name is Andy Ellis, CISSP, CEA, blah, blah, blah, blah.” Because that draws attention to the fact that you’re a cert collector, and there are people who will have a bias against you because of it. So, at that moment, minimize the bias, stick it down at the bottom. That gets you past recruiting. And now you show up, and you get to talk about why you’re the right person for the job.

[David Spark] I want a quick answer from both of you on this question because I have seen this posted umpteen times. I mentioned it. You, John, said you get it as well. A very green person does not have their first job in cyber security. They say, “What certs should I get?” How do you answer that question, John?

[John McClure] Short answer is Security+.

[David Spark] Security+. Andy, how do you answer that?

[Andy Ellis] Any of them. Whichever one is convenient and inexpensive for you, just go and learn something. If you want to be a pen tester, go get a CEH, as much as I hate that name, by the way. The Certificate Ethical Hacker. I think it’s the worst branding ever. Okay, maybe not the worst, but it’s really bad. But that’s a great thing to go study because if you’re green, you’re not trying to get the cert to say you’re great. You’re trying to get the cert to say, “I learned,” which is why Security+ is good. It’s why CEH might be good.

Sponsor – Keyavi

14:28.679

[Steve Prentice] Keyavi is a company that helps its clients mitigate the risks associated with data loss. As CEO, Elliot Lewis, explains, this means coming from the problem from both directions, prevention, and recovery, and finding ways to make both secure by focusing on that common factor, data.

[Elliot Lewis] So, we took a look at the entire issue of data loss prevention, data loss control, data leakage control. The entire cyber market is based on one premise only – data cannot protect itself. And when you look at the cyber market, it’s really broken into two types of technology. The first type of technology is trying to keep the data under control. That’s identity, encryption, leakage control, loss control, antiviral control, all the things you can think of that try to keep data in place, under control, and under proper access. The second half of the cyber market is all the issues around threat intelligence, SIEM, IDS, IPS. In other words all the tools you use to chase after that same data that left anyway because the first half couldn’t keep it under control. Why? People use their data. Data is meant to be used. So, how do we solve the problem? The entire issue of cyber security is data cannot protect itself. Keyavi changes everything because now we made data self-protecting, self-aware, and intelligent, and perpetually under control, and self-reporting in near real time.

[Steve Prentice] For more information visit keyavi.com.

It’s time to play “What’s Worse?”

16:04.438

[David Spark] All right, we have a new “what’s worse” scenario. And, John, you know how this game is played. It’s a risk management exercise. Both options stink. But you have to determine of the two crappy options which one gathers more risk or carries more risk with it, and you don’t want. And I always ask Andy to answer first. If you disagree with Andy, that’s what I like. If you agree with him then I’m bummed. So, do you want make me happy, or do you want to make Andy happy?

[John McClure] I got you. I got you.

[Andy Ellis] The rules are we can’t modify the scenario even if it’s weird. Like, “Oh, I would mitigate it with this other practice.”

[David Spark] Yeah, it is what it is.

[Andy Ellis] It is what it is.

[David Spark] So, I have a “what’s worse” scenario. It comes from Jim Sheldon of Basin Electric Power Cooperative. It is, “Which is worse when performing asset management?” Key, when performing asset management. “Using your DNS system to verify hosts discovered by the vulnerability scanner or using your vulnerability to scanner your DNS system is configured correctly?”

[Andy Ellis] I’m trying to figure out how these are not the same scenario. So, I guess the question is my vuln scanner found a bunch of hosts. My DNS knows about a bunch of hosts. And so I’m trying to reconcile the two. And so one question is did I start from the DNS, or did I start from…? I’m lost on this question, David. Do you see where I’m going with it? I look at both sets of results.

[David Spark] I was asking our other cohost this very question. And so I asked him for a little clarification on this. It’s not a problem of knowing what the total population is. One assumes the DNS knows the full population, so you’re using that for the answer…for the hopefully 100% answer. And the other assumes that the DNS doesn’t know, so a vulnerability scanner is a way to discover the full 100%. So, both stink because neither is intended to be an asset management tool. That’s why it’s key.

[Andy Ellis] Oh, that’s right. I guess here’s the problem that I have is it seems like there’s an assumption that in an ideal world my DNS system knows where all of my assets are, but I totally know it doesn’t. So, I guess I started from the, well, I’m used to living in the world where I use a vuln scanner to reconcile what’s going on. So, I’m going to say it’s worse to assume that the DNS was correct and that you were using the vuln scanner as the secondary system. I think I’m more used to, yeah, just do the vuln scanning of everything.

[David Spark] So, use the vulnerability scanner to verify your DNS system [Inaudible 00:18:37] is better than the first option.

[Andy Ellis] Yeah, I think so.

[David Spark] Okay. All right. John, how do you feel on this one?

[John McClure] Yeah, tough question. And you’re right, I think they both suck, but in terms of which one is worse I think both of them are pretty bad ways to try to figure out asset management. I think that a properly configured DNS system unfortunately is not going to give you better information than a scanner, a vuln scanner in this case, because the vuln scanner actually can conduct discovery in a very different way than DNS responses would perhaps help in finding all sources. That being said, not that it directly feeds DNS, but I think you could actually get an amazing amount of asset information looking at your ARP tables, at your switch level, and getting it that way which probably is significantly better than the vuln scanner options.

[David Spark] So, which way are you going?

[John McClure] Well, so between DNS and vuln scanning, vuln scanning to me will find more hosts, will be doing clean sweeps and NMAP scans. We will get more responses from our assets than we would be via assuming DNS is fully and properly configured.

[Andy Ellis] The one challenge I’ve got with this scenario is that either of these is awful if you do anything in the Cloud. You probably don’t have DNS configured. And if you don’t already know where your systems are, your vuln scan isn’t going there. And so whichever one you picked you have completely missed your Cloud infrastructure, have a nice day.

If you haven’t made this mistake, you’re not in security.

20:14.215

[David Spark] What security flaw often gets overlooked? Now, this question was asked on the cyber security subreddit to a flood of responses. The most popular answer was free lateral network movement and no data confidentiality classifications. The Redditor complained they saw that in practically every new client. Other overlooked issues included not having a nontolerance policy towards security violations, security awareness training, and users not locking their desks up when they walk away from their desk. So, the first issue seems a failure of the security team not actually implementing these controls. And the rest are around security culture. Is this a case of they haven’t gotten around to it yet their security program hasn’t matured to that point, or is this endemic? I’ll start with you, Andy.

[Andy Ellis] So, I didn’t like any of these answers except for that very first thing about free lateral network movement. I think that one is too vague. I think if you were to say zero tolerance for security violations…

[David Spark] I thought that was pretty strong.

[Andy Ellis] I don’t know any companies that really… That’s not true. I know a couple that do. But they’re very hypersensitive around classified information. So, let me expand on this free lateral movement. Let’s take say SolarWinds or Kaseya, or in fact any ransomware out there – the single biggest overlooked security problem is administrative access that can move laterally.

[David Spark] I should qualify they talked about that, too, yes.

[Andy Ellis] Great. So, if that was in there, that’s the single thing that everybody is overlooking – this, “Oh my God, we have sabotaged our business as both IT and security professionals by creating this lateral movement nightmare that is just killing off our businesses with ransomware.” Because most ransomware is moving with something like Mimikatz or either it’s using Eternal Blue…yay, Windows…or Active Director…oh, yay, Windows…to move laterally and take out our enterprise. That’s the single most overlooked thing. Everything else is pocket change. Security awareness training, let’s be honest… Most peoples’ security awareness training programs are awful, and people just sit there going, “Please just let me click through this and be done because I’ve worked here for five years, and it’s the same video that won’t let me shift focus. So, I turn it on, and I pull out my Kindle because I can’t do anything else on my computer. Then every so often I turn, and I click. And I just ignore the program.” What does that do but teach people to hate the security professional for wasting their time? If you spend 60 minutes per employee on something like a security awareness training, every 2,000 employees you have in your company you destroy one FTE per year. 60 minutes costs you one… And that’s an FTE assuming that they didn’t have any other administrative BS on their head. If they’re at the normal like 25% loading rate, it only takes you 1,500 hours to destroy another FTE.

[David Spark] We had just done a thing on security awareness training on Defense in Depth, and studies show that 15 minutes a month of just awareness is actually far more affective, just 15 minutes.

[Andy Ellis] Probably, especially if it’s targeted and interesting, and like, “Here’s something that’s relevant to you rather than this compliance base we’ve got to teach you everything training.”

[David Spark] All right, John, what do you think of this list here, and…? I got to agree with Andy that the free lateral of admin accounts seems like the most dangerous.

[John McClure] In terms of the overall list, agreed on number one. You have to have tolerance. I think if not, again, we’re just creating a ton of friction with the business. We are there to help the business, support the business, again, enable the business, help them move quickly. So, to create friction and just kind of being immovable on things just isn’t normally why we’re there. Agreed. Some exceptional situations perhaps where you just kind of got to die on that hill, but I think that’s very rare. The other ones, same. Security awareness training… Actually I think that’s being done better at a lot of places. I think there’s some companies that have really made those a bit more entertaining. I think you got to embrace some of those newer ones. Much more interesting videos, funny videos. They’re not the dry videos and exceptionally long ones. We usually do three to five minutes a month actually, and we’re working on significantly more targeted training. But, again… And we get feedback on those that it’s engaging. They enjoy it. They’re watching it.

[David Spark] By the way, are they willing to tell you what they don’t like, too?

[John McClure] They are. They are. So, there’s a survey that goes out with ours at least in terms of…that we get quite a bit of feedback on, shockingly. I didn’t think that many people would actually respond to those optional surveys. But we get fantastic feedback in terms of the content, the length of the training, whether it was relatable, etc. And we’ve had really good success with that. In terms of kind of the last one, agreed on the lateral movement. I think it’s always a hard one, especially if you’ve got a large, deployed enterprise already. It’s one thing if we’re building a new system. A lot easier to tackle early on. Later, really hard to untangle a 10 or 20 year scenario of a network that’s grown over time or through acquisition, etc. But I think we kind of hit it at the end of that question or the end of that response was is the identity piece. I think you’ve heard… AWS coined it years ago, I believe. But identity is the new edge. So, I think AD protection or protection of your IDP, your identity platform, is key to helping stop some of that lateral movement.

What’s the best way to handle this?

25:59.458

[David Spark] Hey, fans of the CISO Series. Your host here, David Spark, made a small error, but I think you’ll still enjoy it regardless. The segment you’re about to hear, I actually asked this very same question of Mike Johnson and Hadas Cassorla in the May 31st episode of the CISO Series podcast. I forgot to delete the question from my list of questions, and I asked it again of Andy Ellis and John McClure. So, same question but different takes on it. Hope you still enjoy it. An anonymous listener questioned, “How do you ask for a team building budget for a remote team? There are teams that are local and spend money weekly on team building, and the team dynamic is just different. Now, how does one go about asking for more money for improving the team dynamics for the virtual teams,” which I’m assuming we all have now. John… And especially probably doing it through the pandemic. Have you dealt with this, and what have you done?

[John McClure] Yeah, we have dealt with it, and our team has grown very recently but also through the pandemic. And for sure it’s been a challenge. I think obviously it’s one thing to have this really highly performing team that you disperse. It’s a lot harder to build a dispersed team from the beginning and create a highly performing team. So, I think it’s a very dynamic in terms of what direction that went as that happened. In terms of asking for money, I think it’s obviously always a hard one. I think there’s ways to tie that back to culture. I think it’s something early on that a company needs to commit to. That while there are people that are remote, there are continued activities that need to occur around team building, around development, around coaching. I think all of that can kind of be bundled into an argument of needing to request that type of support. I think overall at least at Sinclair we’ve gotten fantastic support in terms of really trying to build those teams remotely as if they were local. I think it’s a huge challenge everyone is going to continue to wrestle with.

[David Spark] Can you provide any tip of what you’ve done to just improve team building that’s remote?

[John McClure] Yeah, I think we’ve tried to do some engaging games. I think the virtual happy hours at the beginning of COVID got really old to folks. I know they did to me. By the time it was seven o’clock, I didn’t want to jump back on Zoom. So, yeah, we’ve tried to do some of that that are engaging. Whether they’re kind of things that actually are engaging, things to do on the screen. We’ve done some things around remote praise and things. There’s all kinds of things that are built in different games. And so I think also that building a team doesn’t always need to be a dedicated team building event. I think that you got to work on team building throughout the day, throughout your mission, throughout the entire organization all the way through the year. So, I don’t think also that you only select certain times of the month or the quarter to do team building. I think you got to integrate it into how you operate.

[David Spark] All right, I throw this to you, Andy. What is your suggestion for this anonymous listener about asking for the budget, and what have you done to improve virtual team dynamics?

[Andy Ellis] I completely agree with John on you got to embed things. The biggest challenge we have right now is virtual teams really mean video teams. We have so much evidence around video fatigue, and people want less video time. And so saying, “Oh, we’re doing team building. Let’s get on the video more,” is a challenge. So, often look for how do you integrate it in. One of the companies I work with brought in group yoga. So, we did chair yoga at the start of a team meeting. So, this two-hour meeting had…the first half hour was we did chair yoga with the yoga instructor. And the first thing she said is you can all turn off your video. And of course me being the showoff, I’m like, “Screw that, I’ll leave my video on.” And so I’m the only person that everybody gets to laugh at as I’m attempting and failing to do yoga. And so it’s an example of a way you can spend a little money to spice things up.

[David Spark] But have you done anything that’s asymmetrical? So, being that you don’t have to be on video to be the bonding, yes?

[Andy Ellis] But then it gave us a thing to now talk about afterwards. Because that’s what you’re really trying to build is shared experiences. So, the experience… Everybody didn’t have to watch each other. But how do you get money? Here’s the simple answer. Do you know who controls the money for team building events? It actually comes out of HR usually. They’re the ones who are making the argument about how much money the company should be building on team building events. And what I think happened in a lot of companies for the pandemic is we just slashed all of those budgets because we said, “Look, nobody is going to do a team building event. We’ll just zero that out.” And the CFO was happy. And so if you want to do something, and you’re a budget holder who just wants more money then you go to your HR business partner and say, “Hey, I want to try out some things to see if these would be great ways to improve. Can I have some budget to try out something new? And I promise I’ll write a report about how affective it was.” And often you can get a little money out of HR to try it. If it works then HR is going to advocate for you for more money for everybody.

[John McClure] Yeah, I think also, if I can add, that we’ve also had fantastic support from some of our partners, some of the partners that we’ve invested in and some of their solutions who are willing to support things like that. So, in those cases also, it’s not a spend for us. They’ve committed to supporting some of that for us. So, that’s also been helpful.

[David Spark] I will tell you that my wife does some things are her company that I thought was very interesting. She has like a question of the day, which is some kind of a revealing personal question. One was what ads are being targeted to you, if you’re willing to tell it, which is kind of funny to see what ads you’re getting targeted with. And another thing that her colleague used to do is kind of a two truths and a lie thing – tell you three sort of historical facts, but one of them is complete BS. You have to figure out what it is. It was really creative what the person had done. But that was a really interesting team building thing because he did it every week. Everyone looked forward to it, and everyone liked to debate it. It was just sort of a feather in your cap if you got the right one. Or I think actually it was one true story and two lies. I take it back.

[Andy Ellis] You know something? I love the idea of those except if you talk about lies about people and history, that’s what people are going to remember. It becomes truths to them. I prefer a different variant of the story, which is you have everybody introduce three unbelievable facts about themselves. And they’re all true, but they’re trying to tell you the most unbelievable thing they can come up with. And now it’s an ice breaker. People want to know when I say I was shot at twice but only hit once… Like, “Oh, hey, what’s up with, Andy?” And when I say my father is the one who actually hit me and nailed me to the floor one day with a nail gun, I’m like, “Now that’s a conversation starter we can enjoy, but you don’t remember some weird fact like I claim that one day I dated Nichole Kidman.” It’s like no, I never did. But that’s what sticks in peoples’ heads.

[David Spark] Well, some good advice for team building techniques.

Closing

33:20.315

[David Spark] Thank you very much, Andy. Thank you very much, John. I want to thank our sponsor, Keyavi. Remember self-protecting data, Keyavi is their company name. John, the question I always ask all our guests is are you hiring. I want you to not answer now because I’m going to let you have the very last word. Andy, any last words about today’s show?

[Andy Ellis] I’m really enjoying this conversation because I think we really dug into some of the more interesting nuance about the qualitative nature of running a security program versus just trying to dig into nuts and bolts and quantitative things. And so that was definitely fascinating. And if all went well, just so you know, I just submitted my final manuscript of my book to the publisher three weeks ago.

[David Spark] Congrats. And it publishes next year, correct?

[Andy Ellis] It will publish next April.

[David Spark] Next April. That gives you lots of time to build out your publicity program, which is… I think that’s the reason you have to have that long wait, because you need time to build out that program.

[Andy Ellis] I was told the dirty little secret by my agent. The reason that it is that long is that’s the only way you have a chance of getting a reviewer from a major publication to review it. If you don’t give them that much lead time, unless it is topical… Like if you wrote something about the war in the Ukraine, boom, you’re going to get a reviewer instantly. But if you’re trying to write something that isn’t timely, if you don’t give them nine to ten months there’s no chance they’ll even pick it up to review it. And that’s the cornerstone of major publications, social campaign is can you get a review in the New York Times or the New Yorker.

[David Spark] Good luck. John, any last thoughts, and are you hiring?

[John McClure] Last thoughts… I appreciate the invite to this. I think I was speaking yesterday to a group of CISOs, and I think it’s a really interesting inflection point in terms of the CISO role in organizations. I think discussions like this are fantastic. I think that we’ve historically perhaps done ourselves a bit of disservice as CISOs in terms of being way too technical. I think we’ve really turned that around a bit and really have shown how we’re actually business enablers and business executives. In terms of hiring, yes, we are hiring. Sinclair is…we just really started building out this security program. I’m their first CISO. I’ve only been there about eight months, so we’re building a team of professionals. We are just north of Baltimore in the Hunt Valley area, but are also hiring remotely.

[David Spark] Awesome. And if they want to get in touch with you or look for jobs, where do they go?

[John McClure] SBGI.net is the Sinclair homepage, and there’s a link there for careers.

[David Spark] Awesome. And if they mention they heard you here, what does that do for them? Anything?

[John McClure] Front of the line for sure.

[David Spark] There you go. That’s what I want to hear.

[John McClure] There you go.

[David Spark] [Laughs] Well, thank you very much, John. Thank you very much, Andy. Thank you to our sponsor, Keyavi. And thank you to our audience. We greatly appreciate your contributions and listening to the CISO Series podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.