What’s the Least Annoying Way to Follow Up with a CISO?

If we had such a great conversation at the conference, why don’t you want to respond to my emails?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Julie Tsai (@446688), cybersecurity leader.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

Full transcript

Voiceover

Ten second security tip, go.

Julie Tsai

I would advise people to think lazy and to think weird. Think of what is the easiest, laziest way for someone to try to compromise your systems, whether it’s social or technical, and, also, to think weird. What is a creative and interesting thing that would entice someone to just see if they could get away with it?

Voiceover

It’s time to begin the CISO/Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast, my name is David Spark, I am the producer of the CISO series. Joining me is the co-host, for this very episode, it’s Mike Johnson, you’ve heard his voice before, let’s hear it again.

Mike Johnson

It sounds exactly the same, time in time out it has not changed, it’s the same voice.

David Spark

You’re not going through any surgery to have your voice changed, are you?

Mike Johnson

I can neither confirm nor deny.

David Spark

Oh, so, it may actually happen.

Mike Johnson

You never know.

David Spark

Here’s a little bit of David Spark history in radio, I don’t know if I’ve ever told you this, but I used to live in Chicago and I was on a morning radio station called The Loop, which had the most popular morning show, I think it was called the Kevin Matthews Show at the time, and I used to come into the station and do a regular segment called The Baywatch Report, which was a parody of The Soap Opera Reports, but I was doing my review of Baywatch, and I used to actually get video tapes from the station, of Baywatch, review it, write up a report for it, and then be on that morning, because Baywatch would air that night, like a Monday evening, and I would say, “Well on Baywatch tonight this is what you’ll see,” and the reason I mention all of this is because I actually used to get voice recognized.

Mike Johnson

Oh really?

David Spark

Yes.

Mike Johnson

People would just, like, on the street kind of thing?

David Spark

Well, if I’d be at a store, you know, and I’d talk to them, and they said, “Are you on The Loop? Are you on the Kevin Matthews Shows?” And I go, yeah, I’m doing The Baywatch Report. So, that happened for a period of time. Anyways, I want to mention our sponsor first, Varonis. Varonis is our sponsor, they’ve been a phenomenal sponsor, and more from Varonis later in the show. Mike, we recorded this episode a while ago, talking about, hey, isn’t RSA great?

Mike Johnson

Yeah.

David Spark

Or RSA moved the date of the show, so, I want to leave that little banter of us talking about RSA, because people will be listening to it and going, “Are these guys idiots? Do they not realize the show’s been canceled?” All over San Francisco.

Mike Johnson

Yes, yes, more so than usual they’d be asking that question.

David Spark

Yes. So, it’s a bummer that RSA got canceled.

Mike Johnson

It is, I think it’s the right decision.

David Spark

Right decision, by the way, not canceled out, right, it’s moved to June, and, god willing, it’s going to happen in June.

Mike Johnson

Fingers crossed. Better time to be in San Francisco though, I mean, June will be lovely, February?

David Spark

Usually raining.

Mike Johnson

Usually raining and cold, so, I think it’s, all in all, I think it’s a good move, people appreciate it.

David Spark

Yes. I’m glad we made the clarification here. And then soon after, we’ll be Black Hat, again, god willing that’s going to happen as well.

Mike Johnson

Hopefully that works out as well. I have a feeling that one’s more likely to work out given that we just had CES in Vegas and they couldn’t do Black Hat in Vegas. So, it’s a different city, different requirements, we’ll probably have Black Hat.

David Spark

Well, CES is– well they did Black Hat last year, so.

Mike Johnson

Yep, and on the other hand I might be eating my words and we’ll have to rerecord yet again.

David Spark

Well let’s hope not.

Mike Johnson

I hope not. I hope all of this is over and we’re all happy at RSA and then happy again at Black Hat.

David Spark

Let’s bring on our guest, someone you introduced me to, and I’m very excited to have her on. She is, as we speak, the Head of Security for Roblox, but, by the time you hear this will have the title of former Head of Security of Roblox, but we’re still very excited to have her on, it’s Julie Tsai. Julie, thank you so much for joining us.

Julie Tsai

Thank you for having me. I am really pleased to be part of this podcast with you two, and I totally endorse the bench strategy with the provocative statement for RSA, I think that is a winning way to go.

Are we making the situation better or worse?

00:04:23:20

David Spark

Is there a “right” management structure in cybersecurity? I recently read two books by Dan Lyons entitled Disrupted and Lab Rats, by the way I can highly recommend both. First, Disrupted’s very funny by the way. Both of these books essentially mock the whole concept of alternative management techniques, such as holacracy or lack of hierarchical structure, which was popularized by Zappos, or enticing staff with candy and team building exercises. So, I’m going to start with you Mike, here, what management structures have you seen work in cybersecurity? And are there some techniques you’ve seen work in some environments but not in others? And how have you seen management styles change over the years? For better or worse for that matter.

Mike Johnson

I’ll open up saying I like candy.

David Spark

So you could be persuaded by candy?

Mike Johnson

I can be persuaded with candy. I might even give you my password if it’s a full sized candy bar I might give it up.

David Spark

Oh, that easy.

Mike Johnson

But, it’s a good question, it’s something that we think about a lot. With security still being relatively new to the professional community, there’s a lot of discussion on what makes sense and what doesn’t. I don’t think any of us are management experts, I’m certainly not, I try and learn as best as I can, and when I think about structures I actually think the hierarchical model works, that one makes a lot of sense to me, and I’ve seen kind of both sides of it, where an overly flat team, maybe that works for software development where there’s defined, precise tasks that individuals can do. But that’s not really the general security engineer’s job. Generally you’re more operationally oriented, you’re working together as a group, you’re not working in a silo, and you can’t be successful in that silo. Where you have those broad, flat teams, that kind of encourages individual silos rather than the team coming together. So I really find having teams with managers that are working on an assigned area, something like that, where the managers are ensuring that all the other teams are working together, that’s what I’ve seen to be the most successful, and the flat models just have not worked.

David Spark

Alright, I throw this one to you, Julie, your feelings about management techniques, and any of these new funky ones you think, oh, I’ve embraced that, this is pretty awesome, what do you think?

Julie Tsai

I would say that certainly my thinking on this has evolved over the last ten, 15 years, and I think when I was younger I was more receptive to this idea that things could be completely flat. But, I think the reality, once you actually have these situations, is that there needs to be leadership, there needs to be direction, and what will happen in a flat hierarchy is you’re going to see some of the assertive or strong personalities start to emerge and become the natural leaders. And what I think a flat hierarchy allows is sort of a reset and an initial equality at the table, so to speak, so people can brainstorm and you can start to draw out, from the beginning again, okay, what are people’s natural skills. But, I think in order for the team and the mission to function there is a natural thing that needs to happen in terms of direction, best ideas, and being able to propagate that throughout the org. Now, that said, I think that the concept of a flat hierarchy versus a more hierarchical one, there’s two major qualities that are really going to address that, one is the start up, not so the maturity of the company. In the beginning stage, for a start up, part of the issue is that you don’t have every single thing you need operations-wise in a very specific way, so you have to just trust that people are going to intuit and do things faster than you might be able to prescribe them. And I think the other piece is also just size, sheer volume and size. Like, smaller groups can naturally cohere and self organize better, larger groups you need a lot more intentionality around it.

What’s the best way to handle this?

00:08:44:15

David Spark

Can your continuous integration and continuous deployment, or CI/CD pipeline, heal itself? Are there tools you can put in place to keep your DevOps program in check? Over on TechGenix, Twain Taylor has a suggested list of open source tools for those teams developing cloud native applications. Just a few suggested tools are, The Update Framework, which is develop secure systems that automatically download and install software updates, and Open Policy Agent, which is automate your policy tool set and framework across your entire staff. So, Julie, I’ll start with you. Which are your favorites on this list? And what’s your advice to building self-healing CI/CD pipelines?

Julie Tsai

I do think that this is a pretty important concept, and it gets back to good fundamentals, so good automation. And some of my favorite things in terms of the self-healing CI/CD pipeline is being able to get automated smoke testing for different kinds of issues built into the pipeline. Now, that might be things like secret scanning during the code submission phase, it might be running a check to see if there’s certain well known types of exploits that your static or dynamic scanners can catch in that particular pipeline. I think, just as importantly, is building in and making sure that your secure configurations, like for the full stack of the system that you’re deploying, are reviewed, and I kind of hesitate to use the word bless, but, basically, this is a known good and this is what we’re deploying out. And you can build those things in throughout your pipeline. And it doesn’t have to be an overly complex thing.

David Spark

Mike?

Mike Johnson

First of all, props to you, David, for not using the bad term, but, unfortunately–

David Spark

I know you don’t like it. And again, it’s your take that it’s a bad term. Not everyone thinks it’s a bad term. Just because you think it’s bad doesn’t make it universally bad.

Mike Johnson

It’s a bad term.

David Spark

He’s referring to DevSecOps. Just saying it creeps him out.

Julie Tsai

Do you like it if you move it around? Every permutation of it, of course.

David Spark

SecDevOps.

Julie Tsai

Yeah.

Mike Johnson

Yes, yes.

Julie Tsai

Yes, exactly.

Mike Johnson

Yeah.

David Spark

DevDevOpsOpsSecSec.

Mike Johnson

That would be better. Like, if it was DevDevSecOpsOps or something like that, maybe that’s– so anyway. I think in general it’s a good list, like, there’s frankly tools on here I wasn’t even aware of. So I’m really glad to see Twain sharing this out. For me, my favorites are really on the run time side. We leverage Prometheus very heavily, we leverage Fluentd, these are the tools that are giving us observability and monitoring of what’s going on, what’s going through, it’s frankly more on the CD side, like the deployment side is where I’m focusing on. I’m also, at team Falco in the past, it’s gotten better, and again, it’s that visibility that I really see. What’s interesting to me is, all of these tools are open source, like, every one of them is an open source tool, and I’m constantly amazed at the innovation, that people out there kind of starting as hobbies, sometimes it’s companies that are spinning out or sharing something that they’ve built internally, and that’s kind of my meta takeaway around thinking about how you’re going to make your CI/CD pipeline resilient, how you’re going to make it self-healing, is look at all of the open source technologies that are out there and start figuring out what works for you, try them, integrate them, when they don’t work, find something else. And all that you’re out is some time. And that’s really the way that I think about this is, hey, all of this open source tooling is out there, let’s take a look at it.

Sponsor – Varonis

Steve Prentice

Zero trust is a big topic of conversation in cybersecurity, but, as Matt Radolec, Senior Director of Incident Response and Cloud Operations at Varonis tells me, sometimes it doesn’t quite go far enough.

Matt Radolec

A lot of organizations are thinking about least privilege, zero trust, limiting the amount of things, resources, data, devices, network connections that are available to people within their organization, and one of the things that I think often gets missed from that zero trust strategy is applying it to data, you know, the files and the folders and the sites that we all have access to. Often we find that more than a quarter of all of the data within our organization is open to every employee.

Steve Prentice

He says a lot of organizations look at these, like identity or access problems, but it all turns into what Varonis calls sensitive data, and that causes a real risk because of what happens next.

Matt Radolec

We talk a lot at Varonis about what we call the blast radius of an attack, we think that organizations have a pretty solid understanding of their attack surface, you know, what things are out there, what devices, what servers or applications are exposed to the web that an attacker could come after, or what in-boxes are exposed that they could send phishing emails to.

Steve Prentice

There is no detective control that is going to prevent a zero day threat, but, when it happens, he says, how much information can any one user get to?

Matt Radolec

These are the kind of questions that we focus on with organizations, and really focus on reducing that blast radius, or assuming that one of these things is going to happen, how can you do something about it.

Steve Prentice

For more information visit varonis.com/CISOseries, that’s V A R O N I S dot com, forward slash CISO Series.

It’s time to play What’s Worse.

00:14:27:17

David Spark

Julie, this is your first time playing this game. I don’t think you know about this game, do you?

Julie Tsai

It sounds compelling.

Mike Johnson

Oh, you’re going to love it.

David Spark

The title alone gives it away. Here’s how it works, fans of the show send in two scenarios that both stink, you’re not going to like either one of them, but, you have to determine from a risk management perspective which one is worse. I always make Mike go first so you have time to either agree or disagree with him, I will let you know, I like it when people, or our guests, disagree with Mike. By the way, I should just say, I like it in general when people disagree with Mike.

Mike Johnson

Just people in general? Yeah, thank you David, I appreciate that.

Julie Tsai

But Mike is easy to disagree with because he’s really so civil about it, he’ll always just give it back to you very easily.

Mike Johnson

Thank you, thank you Julie.

David Spark

I think all our listeners love the term DevSecOps, why don’t you send him a card or an email.

Mike Johnson

Oh, curse you, David.

David Spark

Here we go, this comes from Jason Dance of Greenwoods Associates who’s given us tons of phenomenal What’s Worse scenarios, so thank you again, Jason, once again. Let me just give you the set up. Your employer, who is large and has 50,000 end points, is acquiring a competitor that has 10,000 end points, here are the two possible scenarios, What’s Worse, due diligence is made hard because both the CEO and CIO tell you everything is secure but don’t give you much evidence to prove it, nor any network access to check for yourself, so, you have a month before the ink goes to paper before they finalize the deal. So, you have no network access, but you’ve got a month to figure this out. Or, you’re welcomed to the network with wide arms to check for yourself, but you only have three days to completely evaluate their security posture before the deal is going to be signed. What’s Worse?

Mike Johnson

I have never witnessed either of these, David. So, Jason, thank you again, and I think these are actually unfortunately real world scenarios. Where I find myself is being one of those trust but verify folks, and, if I look at these two situations the first one is totally just trust but you can’t verify, and the second one is you can only verify because you’ve got to do it really quickly. And, as usual, these both suck. But, frankly, I’d prefer to have, even if it’s just a three day window, I would prefer to have that window to go and take a look as much as I can, and I really think three days, I’m assuming 24 hours each day, we can actually get pretty far in what is really nine days, if you can’t do the math. So, I think getting a little creative.

David Spark

So you’re going to have your team working in three eight hour shifts?

Mike Johnson

I will hire people.

David Spark

So, you’ll turn three days into nine days.

Mike Johnson

That’s my plan.

David Spark

That’s some creative work around there. Okay, so the worst scenario is the first one where you’re given a month but no network access. Alright, Julie, agree or disagree with Mike here?

Julie Tsai

I am sad to say that I agree with Mike in this scenario, and also, once you’ve been doing things long enough you can infer quite a bit of information off of some quick but concrete information or scans or tools that you run in.

David Spark

Give us an idea, what could you infer? What would you see that you could then infer?

Julie Tsai

Well, of course, you would start running all your internal scanning tools, the nmaps and the Nmap Scripting Engine things, just to see what kind of things are showing up in vulnerabilities. Now, as Mike has said, with all these great open source tools that are out there, or, you know, hopefully you have an even more powerful arsenal at the company you’re at, you can dial in a lot of stuff and get a lot of information very quickly, as long as you have access. And then, from there, be able to put together some kind of knowledge about how easily were you able to span different types of networks, what kind of data are you picking up, what are the privilege elevation levels of certain things, how clean are the users and groups where the services are running at, or things brought down to least privilege access, and so just based on what I would call the level of care, you know, like when you look at anything you can do the sort of inspections, and say, hey, you know, someone put some attention and detail into this or they did not, and you would be able to infer a lot more from that. What I think would be actually, I would suggest, an even more interesting question to this What’s Worse is, instead of a month with no information, a month with no technical information but you have access to the people and you can interview them versus the systematic detection, and then it’s a matter of your relative strengths and style, like, where can you pick some more things out of.

What would you advise?

00:19:20:11

David Spark

What are the questions to ask during an interview that reveal the most about how a company handles and prioritizes cybersecurity? On the Cybersecurity Subreddit, a redditor offered a series of suggested questions and some insight as to what the answers would reveal about an organization. Questions such as, how different is the day to day and real nature of the work compared to the job description itself? Where do the security directives come from? Are they from the bottom up or top down? And, within which organization, is it risk, IT or security has its own organization, etc., does security actually lie? So, two questions for you Mike, first, which one question here, I just gave some samples, there’s a much longer list here, or of your own, do you think is the most revealing? That’s key, they want to know what’s the most revealing. And, second, these questions in many cases are pretty direct, do you think people will get truthful answers out of them?

Mike Johnson

So, I think overall it’s actually a pretty decent set, there’s a few editorials where the person is drawing some conclusions for some of the answers that I disagree with, but, it’s a decent set. The one that I think is probably the most useful from the list is, how long has the CISO been in their position? And I disagreed from the, well, if they’d been there ten years it’s going to be a static environment, maybe, maybe not, but I look at it from the other side, if the CISO has only been there a few months, if they’re actually a very new CISO, and you’re joining the team, change is coming. It’s change for the better, presumably, but you would be entering an environment that is likely going to be different than what it is right now when you’re interviewing. So, I think having an idea of how long the leader has been there will actually give you some information, but, from the other side of the spectrum rather than where this person was describing. And, for the answers, a lot of these are just facts, like, a lot of the questions there’s not really an interpretation.

David Spark

Well, I like the, how different is the day to day to the real nature of the work compared to the job description, that’s like saying is this a bogus job description?

Mike Johnson

Yeah, and so there are some subjective ones on the list, that being one of them. And I don’t know if you could get the right answer, the reality is, interviews are two way sales, you’re both trying to sell to each other, and so you’re going to get probably a polished answer when it comes right down to it, to a question like that.

David Spark

Alright Julie, your take on this list?

Julie Tsai

Yes, it is a good list, and I love the meta question about whether or not you’re going to get honest answers to the test stuff. It makes me think about an interview I did in my slightly more naive days, where I had just asked the person I was interviewing with about the integrity level of leadership, and, of course, the person had given a good answer, you know, in terms of the words used, and he was not wrong in terms of the upper leadership, like, to this day I still think that leadership had excellent integrity, but, looking back, the real signal was the weird smile the person gave me at the time.

Mike Johnson

Oh wow.

Julie Tsai

So, right, yes. So, in these things I think the body language and the meta language you get out of people is even more important sometimes than the words that they’re saying, you know? And that’s why it’s sometimes useful to ask these things. Now, I do think it is good to tailor the question a bit, you know, kind of figure out how full on direct you want to be, but, I would say that first question, I would infer something like that based on what are they asking you in terms of what you’re good at, I think usually that will tell you as much as anything about what they want you to do day to day, you know, what the nature of that job is, and you’d be able to pick up a little bit about the delta. The second and third questions I think are really quite spot on, and I think organizational design is the subtle sort of bugaboo that’s very, very important in the security world, there’s a lot of letter writing about that, and how organizations mature, and it’s a tough problem for people to get their heads around, because it’s not just a technical issue, it’s also a social and ethical and legal issue, and you have to know all those dimensions and how these can play out to understand why it matters. So that is usually sort of like a higher level sort of thinking, I think, about where things need to be. One question that I found to be useful is also how do tough risk decisions get resolved, if this entity or stakeholder has a firm opinion on this, this other entity or stakeholder has a firm opinion on that, what breaks the tie, and what’s the method by which that happens?

David Spark

That’s a very good question. Let me ask you this one, and this is one that’s not security specific but it’s a question that I have asked, I get the same answer, and then when I work for the company it is exactly the opposite, and that is, do you promote from within? They all say yes, they don’t. No, that one drives me up the wall. Have you seen this too, Julie?

Julie Tsai

Yes, yes, absolutely. There are some companies that culturally you just know, people have to say, oh yes, generally speaking they will not want to hire the top leader from within, they just have a culture of hiring from outside and everyone understands that. So, if you manage to make it up there it’s good on you, but that was against the odds. There’s other places, and I think this also is a lot of start up aspiration, will tend to want to promote from within, and do it for as long as they possibly can. There’s both good and bad reasons why that ends up stopping, right, the good reasons, of course, is that hey, the company is growing at stratospheric levels and expanding, needs, really quickly, need these experts today, pronto, so you start bringing people in. And then there’s all the human dimensions, the tough reasons why sometimes things don’t go a certain way. So, this is definitely one of those watch what I do not what I say kind of questions, and if you can kind of observe your network or your LinkedIn information on where you’re seeing a lot of leaders come in from, that gives you your answer.

It’s time for Ask a CISO.

00:25:36:13

David Spark

I’ve got a question from a CISO and a vendor on how to improve relations. First, from an anonymous CISO, who said, “I really do want to engage more with vendors as a sort of research and development, ongoing thread, but, haven’t figured out how to do that, what are the best methods for doing this efficiently?” And then, from a vendor we’ve heard this question actually many times before, “What is the post event protocol for someone who stops by your booth at an event? What kind of follow up or reach outs are intolerable to CISOs/other professionals?” I’ll start with you, Mike.

Mike Johnson

So, two different questions, two different answers, and I think for the first one on engaging with vendors more, what I’ve found interesting/useful in the past is to have relationships with venture capital organizations, they have portfolios, they have multiple companies that you can kind of freely be introduced to, and, there’s a theme, like it’s all going to be security companies, you can kind of establish who it is and who you’re not interested in speaking with, and the venture capital, the partners themselves, will really want you to be engaged, they really want you to have those conversations that gives them feedback, that also helps the particular company, whoever you’re talking to. So, it’s a nice two way street, a very symbiotic relationship. So, I would say for that, engage with the venture capital world, and that’s a very efficient way to find groupings of companies to engage with. That was the first question. The second one, on post-event, I really think that depends on how the event came about, what are the ground rules, how you engaged at the event, so, if you go up and someone is offering you a cheap [UNSURE OF WORD] to scan your badge, you should expect that they’re going to follow up with you and you should not be upset about that. You have exchanged something of value for something of value. Which is more valuable is a different question, but, the reality is, you can’t get grumpy.

David Spark

Still, here’s the thing, and we see this all the time and I’ve seen this too, where people check the box, yes, you can share my information, and then you send them something and goes, “Why did you send me this? I didn’t sign up for this,” because they don’t remember, and so, that nonsense happens, but, what would be a welcome follow up I think is what the vendor’s asking.

Mike Johnson

Well, so, a welcome follow up would be additional information, like, “I see you attended this event, here is a bit more, here’s a recording of it, here’s some white paper.”

David Spark

You never watch those recordings do you?

Mike Johnson

I sometimes do.

David Spark

Oh you do, okay.

Mike Johnson

Especially if I don’t actually attend the event. So, I think there’s additional follow up information that you can enrich the experience.

David Spark

Julie, answer either of these questions, or both?

Julie Tsai

Sure, so, I definitely see that it’s important to stay in touch with what’s going on in the latest and greatest, both on the vendor as well as the OSS side, and in addition to the VC communities that are hungry to know who’s hot, I would also recommend stay connected with your universities, either local or your alumni, because that’s a great font of, you know, where either research and development might be happening or hungry cybersecurity students trying to figure out the next big thing, and just great for idea generation. And I also think there’s a lot of value just to regular, organic networking, keeping in touch with your teams. A lot of times I’ll see an idea from someone I used to work with maybe five or ten years ago, and then in that time they’ve been honing their craft and developing further things, and before I know it there’s something interesting happening there, so, I think good ideas can come from many different places, and to allow for that diversity of outreach. That said, I’ll dovetail that to the second question about what’s intolerable. I think CISOs, generally speaking, tend to be very time pressed, and driven to manage around emergencies and fires, and so we tend to be a pretty impatient lot I would say, and I think that the one thing I would recommend not doing is, don’t continuously try to outreach or badger someone in a way that isn’t working. And there’s no silver bullet here, because it’s fundamentally sales and about understanding your customer, so everyone’s going to have different triggers in terms of what they’ll take in or what they want.

David Spark

I’m emailing you one last time.

Julie Tsai

Right [LAUGHS]. Yes, exactly. Like, “You’ve been really hard to get hold of,” “Wait, I don’t even know you.” They’ll try all those nice hooks. But I think that we are interested, right, we want to know what’s there, but the best sales people are great listeners, like, I’ve got maybe two or five minutes to ask questions at RSA, or I can spend 20 minutes on a pitch, and I’m going to ask some very pointed questions, some of them very directly and some of them subtly, really listen, and then answer directly to those points, and if it’s not a match, just move on and maybe in a couple of years it is a match.

Closing

David Spark

Good answer. And that brings us to the end of our conversation here, thank you very much Julie, Julie Tsai, who’s the former, as you’re listening to this, former head of security over at Roblox. She may be something else by now, who knows?

Julie Tsai

Well, we’re all many things, right?

David Spark

You are many things, but she may be sort of holding a new title by the time you hear this. Mike, I’m going to go to you and Julie, Julie, by the way, a question we always ask our guests is are you hiring, I know you’re leaving, but do you know if Roblox is hiring? Are they hiring for your position?

Julie Tsai

They are indeed, they really need security people and it’s a great company and a lot of really talented technologists there, so, definitely give it a shot if you’re interested.

David Spark

Alright. So, I’m going to let you also have the last word here, I want to first though thank our sponsor, Varonis, thank you very much for sponsoring this very episode of the podcast. Mike, any last thoughts?

Mike Johnson

Julie, thank you for joining us, we’ve known each other a few years, I’m glad to finally get you on the show, I think I’ve tried before, so, thank you for finally joining me. But what I really wanted to thank you for, and it was in the last segment, you had said something about CISOs are generally time pressed, used to managing around incidents, and that makes them impatient, and I think that right there is something that folks don’t realize, and people get very frustrated that, hey, why isn’t the CISO responding to me? Or why are CISOs a grumpy bunch? And that right there nails it, and until you said it, I hadn’t ever put it together. So, thank you for explaining that to everyone that that’s the reason why we’re so impatient, and in general, thank you for joining and sharing your insights.

David Spark

You know, Sam Peckinpah is doing a sequel to The Wild Bunch, starring all CISOs, called The Grumpy Bunch.

Julie Tsai

[LAUGHS]

Mike Johnson

Oh, well thank you, thank you.

David Spark

Julie, any last words?

Julie Tsai

Well, you know, I admire what you guys are doing for trying to heal the rift between vendors and CISOs, we definitely misunderstand each other quite a bit.

David Spark

We’ve been at it for over three years [LAUGHS].

Julie Tsai

You know, and I don’t think there’s any shortage in sight for it. I have to say, it took me literally years for me to think of vendors as technologists too, not just the people who are trying to get a piece of my budget.

David Spark

There are people trying to solve the same problem that you are trying to solve as well. Thank you very much Julie Tsai, who we’ll have a link to both your Twitter account and also LinkedIn if people want to get in contact with Julie. You may be on the market, who knows.

Julie Tsai

Who knows indeed.

David Spark

Thank you very much Julie, thank you very much Mike. Thank you to our sponsor, Varonis, and thank you our audience, as always, for your contributions and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.