When Do I Fix the Toilet Myself or Call the Plumber?

For some security problems, it can be tough to know when to try to fix the problem yourself or turn to a vendor. Deciding this shouldn’t start with talking to someone that wants to sell you something. But how do you determine when it’s time to call in a vendor?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us for this episode is our special guest, Katie Ledoux, CISO, Attentive.


Huge thanks to our sponsor, Palo Alto Networks

As cloud attacks increase, how should AppSec respond? Hear from Daniel Krivelevich, CTO of AppSec at Palo Alto Networks, as he dives into modern application security strategies that can help teams defend their engineering ecosystems from modern attacks. Watch now to level up your AppSec program.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO. Go!

[Katie Ledoux] A great piece of advice I got from one of my first bosses was to avoid multiyear contracts. I think that’s especially true if you’re using a product for the first time because it’s really hard to know until you’ve battle tested it whether it’s going to be the right long-term solution for your company.

But even if it’s a tool that you think you love, things change really quickly out here. Vendor could stop investing in your product, their customer support could become garbage, you could be incorrect about the number of licenses you’re going to need two years from now, three years from now. So, it can be tempting when a vendor pitches a multiyear contract at a lower rate, but I think it’s very rarely worth the level of risk you’re taking on.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, producer of the CISO Series, and joining me as my co-host since day one, we’re past five years now, it is Mike Johnson, who I can say now, although I should have been saying before, is the CISO of Rivian. Mike, congratulations for – what is it?

Three, four months you’ve been the CISO of Rivian?

[Mike Johnson] I mean, by the time you’re listening to this, hopefully, yes.

[David Spark] Oh, yeah. Hopefully, hopefully. Hopefully, somebody hasn’t discovered you saying something inappropriate on a podcast.

[Mike Johnson] That would not be the case.

[David Spark] But there is a lot of audio of you talking on a podcast but yet to say something inappropriate.

[Mike Johnson] Thus far. I’ve managed.

[David Spark] By the way, for those of you just tuning in for the first time, we’re available at CISOseries.com. Do you know that we have other shows besides the CISO Series Podcast that are also incredibly entertaining to listen to and incredibly informative? Why not go there and check them out?

I do also want to mention our sponsor – Palo Alto Networks. You know them. They’ve been a phenomenal sponsor of the CISO Series and I’m going to tell you more about how they’re helping you secure your development pipeline. More about that later in the show. All right, Mike, let’s get to the topic. We record a couple of months ahead of time when we do our shows, and I’ve been heavily remiss in bringing up the fact you’ve become the CISO of Rivian.

For those of you who don’t know, Rivian is a manufacturer of electric vehicles, more kind of luxury and kind of sport utility vehicle, yes?

[Mike Johnson] It’s outdoor adventure so it really is around vehicles that can take you places that other electric vehicles can’t, most cars can’t. So, that’s really what our focus is, around outdoor adventure.

[David Spark] And getting one of these vehicles was not part of the deal of getting hired, was it?

[Mike Johnson] That is correct.

[David Spark] So you didn’t get one. And you got to stand in line with everybody else because there is a backorder, right?

[Mike Johnson] That is correct. I am in my waiting period and it’s somewhere between one and four months.

[David Spark] Oh, so not too bad.

[Mike Johnson] Not too bad. But for the folks at home, you can’t see this, but I’m holding up two Matchbox Rivians.

[David Spark] Oh, that’s cool.

[Mike Johnson] That I do have.

[David Spark] Did they give those to you? You didn’t have to pay for those?

[Mike Johnson] Nope. I had to pay for these too.

[David Spark] By the way, can I say something about Matchbox cars? When I was a kid and now you can still buy them for like two to three bucks.

[Mike Johnson] Yeah.

[David Spark] They’ve always maintained incredibly low pricing.

[Mike Johnson] Somehow the whole inflation thing does not apply to Matchbox. I have no idea how they’ve pulled that off.

[David Spark] I’m quite impressed that they have held that pricing. It is impressive. All right, let’s get on with our show, why don’t we? Enough of this. Our guest today I’ve wanted to get on for a while. I’m going to admit it, she won’t admit it, maybe she will admit it, but she was nervous about coming on.

Understandably because the two of us are incredibly scary human beings.

[Mike Johnson] Especially you, David.

[David Spark] Yes. Incredibly scary. I will, by the way, mention that I went to an event and I was trying to corral kids and I got my best title ever. I had the title “the human megaphone.”

[Laughter]

[Mike Johnson] Perfect.

[David Spark] I love that.

[Mike Johnson] Perfect.

[David Spark] All right. Thrilled finally to have her on. She’s the CISO of Attentive, Katie Ledoux. Katie, thank you so much for joining us.

[Katie Ledoux] David, I am so pleased to be here now that, I’m sorry, Mike, it sounds like I’m actually getting a Rivian vehicle before you. David did say I was reluctant to come on the show, he offered the vehicle, that was really what sealed the deal for me.

[David Spark] I honestly don’t remember doing this at all. I really must have been incredibly drunk.

[Mike Johnson] [Laughter]

[Katie Ledoux] It’s locked in. It’s locked in now.

[Mike Johnson] Well, congratulations.

[Katie Ledoux] Thank you so much.

[David Spark] Not from me.

[Laughter]

[David Spark] Seems I had to buy someone a Rivian.

It’s time to measure the risk.

5:00.171

[David Spark] “We don’t have a cyber risk quantification problem as much as we have a problem relating CRQ to something meaningful to the business.” This was in a LinkedIn post by Duane Gran of Converge Technology Solutions. He was echoing the most heated topic in a recent CISO Society group meeting.

Suggestions of meaningful outcomes, said Gran, were revenue, operating cost, capital efficiency so insurance fits in here too, and enterprise value, and how you calculate that who knows. Question – I’m going to start with you, Mike – do you struggle quantifying risk? Is this a continuum? Some risks are easy to quantify and others incredibly difficult, I would assume.

If so, walk us through the easy to hard. And if the hard ones are likely risk, how do you manage them?

[Mike Johnson] As an industry, I do think we have this problem quantifying risk. I’m no different, I’m not a magician over here. And you’ve really landed on the problem is that some are easy to quantify and some are hard, and that’s where I have my challenge. If I’ve got a set of risks, I can quantify these.

Get this other set, I can’t quantify. That makes it uncomfortable to build an entire program around risk quantification.

So the way that I think about it is you try and break it down and look at the classic risk equation of impact versus frequency. How often does it happen or potentially happen and what is the cost to the business of it happening. Sometimes you can end up in this place where the frequency is easy to quantify, like phishing, it happens all the time.

The impact is difficult. You don’t really know what a particular phishing incident is going to cost you. Versus the flip side, a ransomware incident that takes your entire, in my case, factory offline, I know exactly how much that will cost. The frequency is impossible to estimate.

So it’s really difficult to go down that path from a quantification perspective, and that’s really left me with qualification. I just look at high, medium, low, and go from there, and that’s where we are today. Over time, I’d really like to get to a point where we can quantify, where I can have a conversation with a business and say, “This is how much this risk will cost you,” or “This is how much we need to spend to reduce this risk.” That would be a really great place to be.

I’m not there yet but that’s where I want to get.

[David Spark] So, Katie, my question to you – are you more advanced than Mike? Are you the one who can actually take the risks that are difficult to quantify and the ones that are easy and actually create a security program out of it? How do you do it?

[Katie Ledoux] I’m actually doing less risk quantification than I’ve ever done before. I’ve taken a massive step backwards in the quantification of risk because it wasn’t giving me the outcomes that I was looking for. So I’m doing risk management at Attentive differently than I’ve ever done it before, differently than I’ve seen other organizations do it.

[David Spark] We are hanging on the edge of our seats. What is your solution?

[Katie Ledoux] We have four top risks. Everything we do rolls back up to those four top risks. Mike, you mentioned ransomware. If you are in an industry where you’re really worried about ransomware, that’s one of your four top risks. We’re going to figure out what does it take for our organization to mitigate that risk to an acceptable level, we’re going to build a roadmap to get there, and we’re going to work our way through the roadmap.

There’s going to be authentication, access management projects on there, like putting critical systems behind FIDO2, there’s going to be endpoint protection projects on there, there’s going to be incident detection projects on there, but they all roll back up to that one big risk. And I have found here that is really helping us stay focused on the why behind that work.

I mean, honestly, it’s scary to admit that I’m [Laughter] doing less quantification than I have before, but I’ve just found that it prevents something that I like to call risk register disease where every time you identify a new problem, you go through all of these cycles of, “Okay. Well, let’s write a 12-paragraph essay about it and then let’s try to quantify it and then let’s put it in this risk register where it just marinates for the next two years,” and this helps us really stay focused on…

There’s an endless amount of security work we could be doing and this really helps us stay focused on our biggest risks. Massive disclaimer – I don’t know if this works at an organization that’s much bigger than ours. I assume that’s much more complicated. At our size organization, this is what’s working for us.

The other thing we can do with those four top risks is we’re doing tabletop exercises with our executive team to walk them through each of those four in detail. So, what we are maybe lacking in quantification, we do have… Because why do we need to quantify this? As a leadership team, to make decisions about where to make investments.

I have found that trying to quantify the risks, a lot of times I got to a number that felt pointless or [Laughter] it ended up feeling abstract or incorrect to me. But now as a leadership team, when we can walk through a risk and all of us understand, “Okay. These are the factors that could lead to this incident occurring.

This is what it feels like when the incident happens. This is the impact on customers.” And then work as a group to decide, “All right, now what’s the right investment to put into mitigating that risk?” That’s getting the outcomes that quantifying risks didn’t get for me.

How a security vendor helped me this week.

11:38.932

[David Spark] Katie, you said, “I think it’s weird how many people start building out a pillar of their security program by going straight to a vendor. For example, if you’re building out your cloud security program, going straight to a cloud security vendor instead of starting by evaluating whether you’re doing basic cloud hygiene.” Now this happens, I believe, because that’s exactly how these solutions are marketed.

There are numerous cloud security vendors and they would love to receive a call, but they can often help you find issues you can’t find. So, many of our sponsors do just that with free scans. But let’s discuss at what point should you fix the toilet yourself, and at what point do you need to give up and call the plumber?

And often, isn’t there a situation where you can glance at it and say, “Oh, no. I’m just calling the plumber.” So Katie, what are the questions security professionals should be asking themselves if this is a problem I can fix or not?

[Katie Ledoux] I shouldn’t have said that it was weird because it’s not weird that security people start with a vendor. I get why. Especially if you are in the CISO role, I understand why it’s easier to articulate that you have or maybe feel that you have checked the box around cloud security when you can name a cloud security vendor.

It’s easier to articulate out or to show other people that you have done it. And of course we know that bringing in a vendor creates more work. It is often important meaningful work that also reduces your risk, but it is more work for your team. So rather than starting with a vendor, I would love to see more of us starting by really wrestling with the problem that we are trying to solve.

So if we are talking about cloud security, really thinking about, “Well, what are the risks that I am trying to mitigate? What am I trying to prevent? How could these incidents happen at my company? Why would this happen and what do I need to do to mitigate that risk?” And then bring in vendors when they are really part of that solution and just don’t talk to a vendor until you have done that.

It’s so easy to have someone outside of your company try to tell you what the problem is, especially when that version of the problem benefits them and gets a deal closed, but being really thoughtful about the issue might be basic cloud hygiene, or that may be where you need to start before you’re ready to bring in a vendor.

But once you start that conversation with a vendor, they’re going to put tons of pressure on you to make you and members of your team believe that the only way to mitigate risk at your company is to use their solution.

[David Spark] Good point. All right. Mike, she makes a good point that once you make the decision to get a vendor, you’re opening up sort of another can of things that are going to be sold to you. You’re nodding your head.

[Mike Johnson] Yeah, absolutely. It’s one of those things where I can almost envision the PowerPoint slides that you’re going to get, which one of those slides is going to be defining the problem. It’s in every pitch deck that every vendor is going to have and it very much will…the problem that they’re framing their solution solves.

And if you are essentially allowing the vendor to define the problem for you, then yeah, they’re going to walk you down this primrose path of “our solution solves this.”

But what Katie is really saying is start with why. Why do you care about this? Why is this a problem? Why is cloud security such an issue for your company? And understand that, reflect internally, rather than having someone externally scope the problem for you. Because it’s a good chance – again, like she said – it’s a hygiene thing.

Maybe you just go and flip a few settings in AWS and your problem is solved. But if you’re immediately going to a vendor, they’re going to probably try and explain the problem in a different way that’s likely bigger than what your problem is.

[David Spark] Yeah. By the way, the reason I brought up the plumber situation is this happens with any kind of contractor you hire. If you don’t understand your problem enough, you just go, “The toilet’s making a weird noise,” and then that’s the level of your understanding, then this thing will open up.

You know?

[Mike Johnson] Yes. And I think a slightly different analogy I would use is your sink is stuck. You can go down to the supermarket and buy some Drano or you can go directly to calling Roto-Rooter. One of those is going to be cheaper and one of those is only going to sell you on the one solution, they’re not going to try and tell you that your septic tank is also having some issues, and really potentially make the problem bigger than it is.

[Katie Ledoux] I’m going to take the analogy one step further, which is your sink isn’t working and you call a contractor and they’re like, “Let’s retile first.” But while this is happening, you don’t have a functioning sink, you have nowhere to brush your teeth.

[David Spark] But there is something, like sometimes things are discovered, like, “I’m so glad I called you. Had I not called you, I would not have discovered this.” So that’s what I’m saying. They’re not always coming in to screw you over [Laughter] is what I’m saying.

[Katie Ledoux] Absolutely, absolutely. But having a strong sense, before reaching out, of your priorities is going to help you stay focused on the biggest problems. It’s not to say they won’t add value, but you’ll get there when it’s time. It might not be the first thing you should tackle.

Sponsor – Palo Alto Networks

18:22.494

[David Spark] Before I go on any further, I do want to tell you about our sponsor. You know them. They are Palo Alto Networks. They are the global cybersecurity leader and they are a big supporter of our work here at CISO Series. They protect – you may not know this – more than 80,000 customers globally and help them safely embrace cloud native architectures [Inaudible 00:18:46] secure applications by default.

And that’s really what I want to talk about.

Prisma Cloud by Palo Alto Networks is the world’s only cloud-native application protection platform, or CNAPP, to deliver security coverage from code to cloud. They help customers break down the operational silos between engineering and security teams to accelerate secure application development and build scalable, predictable cloud workflows.

With numerous native integrations into developer tooling and powered by the industry-leading open-source policy-as-code tool named Checkov, Prisma Cloud unites code builders and defenders across a common framework. Industry-leading threat intelligence provided by Unit 42 and integrated web application and API security capabilities help protect against emerging and zero-day cloud threats.

As the global cybersecurity partner of choice, Palo Alto Networks is a recognized leader across more than a dozen industry analysts and third-party reports and surveys. You know where to find them, just go to paloaltonetworks.com to learn more.

It’s time to play “What’s Worse?”

9:57.961

[David Spark] All right, Katie. You know how this game is played. Usually, traditionally, two horrible scenarios. We’ve had variations of this. I always make Mike answer first and you can agree or disagree with him. I always like it when our guest disagrees with him. Your choice what you want to do.

Do you want to make Mike happy or you want to make me happy?

[Mike Johnson] [Laughter] Yeah.

[David Spark] Remember, I’m the one who talks to the editors. All right. This one comes from Ricky Aldridge of the Mount Sinai Health System and here are the two scenarios. Scenario number one – having all devices and applications discovered and managed but no budget to extend security tooling to all devices and applications.

For instance, you have 50,000 devices but you’re only licensed for 30,000 EDR devices. All right, so you’re only covering 60%.

[Mike Johnson] Okay.

[David Spark] All right. Or having all devices and applications scanned by the vulnerability management platform but you have no people or budget to remediate all the critical, high, and medium vulnerabilities even on the business-critical systems. For example, you have 100+ high vulnerabilities spanning 20,000 systems, desktops, servers, network equipment, but have no assigned resources to fix them.

So you know your problems, you can’t do a darned thing about it. Both of these stink. Mike, which one’s worse?

[Mike Johnson] Yeah. So, I’m trying to mull over the first one and again the comparison of the two.

[David Spark] The first one is just you can’t have enough budget to cover all your devices with EDR. Looks like only 60%.

[Mike Johnson] So, the first one’s about EDR, the second one’s about vulnerability scanning. So I just wanted to make sure.

[David Spark] Scanning [Inaudible 00:21:42]. Yeah, yeah, yeah. That’s kind of where we’re at.

[Mike Johnson] Yeah. So, the way that I’d try and tackle these essentially breadth versus depth problems in security is I would always rather know a thing even if I can’t do anything about it. The unknown is always scarier than the known, even if the list of knowns gets really long really fast.

[David Spark] So your risk register could just get bigger and bigger and bigger.

[Mike Johnson] Well, I could end up having this risk register disease but at least I know about it.

[David Spark] Yeah. So when the feds come knocking about why did you let this happen because you’re not in compliance for anything, you’re just like, “Well, we knew about it. We couldn’t do anything about it.”

[Mike Johnson] Yeah, but in the first one, you’re like, “We turned a blind eye to all of these systems over here and we weren’t even taking a look at them.” They both stink. We always admit that here. I think really the second one where I have this level of visibility and I understand the problems versus the first where there’s this area of anxiety that I know there’s some really bad stuff in there and I can’t do anything about it.

That bugs me.

[David Spark] But it seems also 60% is being “managed” and I’m putting that in quotes in the first scenario, where the other scenario is it looks like nothing’s being managed.

[Mike Johnson] Well, but in the first scenario, you’ve got 40% that’s a complete unknown. It could be an absolute tire fire and you’ve got no idea how bad it is. And the second one, I can’t speak to what other constraints are going on here but I’m assuming that you can do something about it.

[David Spark] The way I see it here, Mike, is second scenario, you know exactly what’s keeping you up at night. First scenario, you don’t know exactly what’s keeping you up at night.

[Mike Johnson] You’ve made my argument for me, David. Thank you.

[David Spark] There you go. Okay. Which I don’t know if that’s good or bad. All right. Katie, do you agree or disagree here?

[Katie Ledoux] Mike, we are so different…

[Mike Johnson] Great.

[Katie Ledoux] …and I love that for us.

[Mike Johnson] Awesome.

[Katie Ledoux] It’s not that I don’t want all of the information. What I worry about with information that I cannot take action on is that it becomes a distraction. I like the level of real coverage I have in the first scenario. I get that not all of my devices are managed the way that I want them to be managed, but it sounds like most of them are, and I can’t imagine anything…

If I had that endless list of vulnerabilities that I couldn’t do anything about, we’ve been given the constraint in this scenario that I can’t now bring this to leadership and get… That’s cheating. That’s not answering the question. Right. So if I can’t take action on those, maybe I like to have them but I certainly won’t show them to anyone else on my team because all that is is a distraction for them and creates that sort of Chicken Little, the sky is falling.

They’re paralyzed by that sometimes.

[David Spark] Let me ask you. In the second scenario, are you even a CISO at that point? Literally you aren’t doing squat at that point.

[Mike Johnson] Frankly, the farcical nature of this is kind of the theme for all of our “What’s Worse?”

[David Spark] “What’s Worse?” scenarios. Yes.

[Mike Johnson] I think yes, if you can’t do anything, then no, you’re not a CISO of that organization anymore. You’re out of there doing something else. I mean, that’s not a healthy environment by any stretch of the imagination.

[Katie Ledoux] Yeah. At that point we have to just start living off the land. Just start…

[Mike Johnson] Churning butter.

[Katie Ledoux] …plant some crops, [Laughter] churn some butter, you got to go off the grid.

Should we lower the barrier to entry?

25:43.484

[David Spark] No one likes third-party risk questionnaires. To most, it appears like security theater, and it’s pushing off busy work to third parties who go through the motions just to get the work. But it’s not the overall risk but what you’re willing to get for a certain risk. Steve Mancini of Guardant Health argues, “A company takes on risk purposely.

For example, you find a really compelling new startup and choose to be a design partner, you know they won’t have a program equivalent to the megacorp but also perform thoughtful deliberation of what risk introducing them into your environment may pose.” So he pointed out that sending them a 500-question sheet would result in probably 80% of the questions being a big no.

So, each treatment of risk is dependent on the trade-off of working with a specific partner. Mike, I’m going to start with you. How key are they to your business and how replaceable could they be? Have you had these types of deliberations of wanting to work with a desirable vendor and how did you approach their security profile, Mike?

[Mike Johnson] By the way – hi, Steve. He’s totally right here. We need to remember that these are risk decisions and that risk isn’t always cybersecurity risk. It could be the risk of not engaging with a vendor who’s critical to the business, it could be a vendor that could save your company as a whole, and that is a trade-off that we need to make.

We need to make sure that we’re factoring in those risks in addition to the cybersecurity side of the equation. And when you look at a vendor who we’re pretty sure doesn’t have a great security posture but the business has a need to use it, you look at mitigations. What can you be prepared for if something were to go wrong?

What data is at risk?

What I really think that Steve is saying here and the way that I read it is that he’s just saying that there’s not a one-size-fits-all approach to third-party risk management. And it’s totally true. There’s nothing that you can say is cookie cutter and is going to work in every situation. I mean, the 500-question sheet I think is bad all around in general, but the reality is what you’re going to engage when you’re talking to a megacorp, when you’re talking to one of the big cloud providers, you’re going to look at the risk of that very differently than you would look at a small up-and-coming company that’s a very niche player.

[David Spark] Katie, how do you see this and have you tried to work with players that you know they wouldn’t be able to answer a questionnaire?

[Katie Ledoux] Absolutely, and this is another area where I feel like we’re taking a different approach and I think it is working for us, is I want us to interact with every vendor in our environment as if they have answered no to every question on the questionnaire. I’ve got no security team, I’ve got no policies, there’s no training, there’s no application security program.

There is nothing because all of the time that we spend going back and forth over these questions, if we took all of that time and we invested it in actions that we know truly mitigate the risk that we take on by working with this vendor, we would have a much bigger impact. So doing things like really thorough implementation reviews, really understanding what problem is this vendor solving, what data do they need to be processing in order to solve that problem, and let’s not give them more data than they need [Laughter] to solve that problem.

What systems are they integrating with on our side? Let’s look at those integrations, let’s make sure that we’re not giving this third party more permissions in our environment than they really need to solve that problem.

If I’m doing an integration with Salesforce, let’s say, and the third party only needs Read access, but we do a sloppy implementation and give them Read/Write access, that’s more risk that we’ve taken on. If we are really thorough and thoughtful about the implementation and we do that correctly and we just give them Read access, that’s real actual risk that we’ve mitigated that I just don’t see the same outcomes from going back and forth over security questionnaires.

I wonder. I’m sure you’ve talked about this topic before. If you talk to people behind closed doors of how many vendors that your business partners in marketing, in sales, in other teams, that they really wanted to work with, they really wanted to bring it in, but the vendor answered questions on the questionnaire indicating that they didn’t have a super robust security program, how many times did you really shut that down?

Did you really make that deal not happen? It’s going to be a pretty small number and then you look at how much they’re investing in their third-party security risk program, how many people they have looking at this full time, and it feels like a pretty mind-boggling misallocation of resources.

Why is everyone talking about this now?

31:35.768

[David Spark] “What aspects of cybersecurity are least talked about or misunderstood?” asked a redditor on the cybersecurity subreddit, and here are some of the answers – it’s all about risk management; newbies think it’s all about pentesting; the sheer amount of data and paperwork you will go through – I think we’ve hit a bunch of these already; vulnerabilities, what they really are and are not; communication skills; and just because a new security policy was approved doesn’t mean it’s going to work, there’s lots more to do.

So I’ll say except for the paperwork one, we talk about the rest of these a lot on this show. Mike, is there anything we don’t talk about enough on this show? And if so, why are you waiting until now to tell me?

[Mike Johnson] So, have I told you about the brilliant jerk problem, David?

[David Spark] This has come up a couple of times.

[Mike Johnson] Okay, okay. I couldn’t remember.

[David Spark] I’ve challenged you in fact on this. And not just me, the entire audience has.

[Mike Johnson] Thank you for the reminder. I had forgotten that that one had come up.

[David Spark] Although we haven’t brought it up in a long time. For those of you just joining in, I’m just going to clue you in.

[Mike Johnson] [Laughter]

[David Spark] Mike is not a fan of the brilliant jerk. In any scenario, if there’s another scenario that does not involve a brilliant jerk, no matter how horrible it is, Mike will choose that scenario.

[Mike Johnson] Yes.

[David Spark] Our audience is yet to find a scenario where Mike will choose the brilliant jerk over it. That hasn’t existed.

[Mike Johnson] Yes. But beyond the brilliant jerk problem, which we talked about, I guess, I really think the policy mentioned hits in the direction of something we don’t talk about enough which is that policies do need to be grounded in reality and making an aspirational policy introduces risk to the company.

[David Spark] That is a good point.

[Mike Johnson] You’re essentially saying, “I do this thing,” when you don’t. There could be a security incident of some sort, there could be an investigation, there could be an audit that unveils the fact that you’re not doing that thing. And so making aspirational policy assertions is dangerous and that’s something that people need to really stop and think about.

Everyone wants to write a policy that is where we want to go, but you have to stop and think about that and recognize that you’re actually introducing risk by doing that.

[David Spark] That is a really good point. And by the way, I would echo that I feel that so much of the just general advice that you find on the internet is advice that people think sounds like a good idea but they don’t actually do themselves. All right. Katie, is there anything that you think is least talked about or misunderstood in cybersecurity that isn’t these big hits that we just mentioned?

[Katie Ledoux] Well, I would say the biggest surprise about my role, based on the way that everyone talked about what being a CISO is, I thought that my job was going to be all about convincing people to care about security, that no one in leadership was going to want to talk about security and I’m going to have to scare them into thinking that it matters.

[Laughter]

[David Spark] Which, by the way, we bring this subject up a lot, so yes, that is one thing that’s hardly believed in the industry.

[Katie Ledoux] Yes. And what I have found is that now at two companies where I have run security programs, the people around me care enormously about security and they’re actually very anxious and want to invest in security and take security seriously. And in fact, my biggest challenge is not getting them to care, it is getting them to care about the right problems.

Human beings, including myself, are not always good at risk management when we do our mental models, and that’s why we try to quantify risk so that we can make more thoughtful assertions about what is risky and what is not. I find that when most people who don’t eat, sleep, and breathe security think about risk, they don’t do the Likelihood x Impact risk equation in their head.

They just look at impact. They look at, “Well, we’ve got this vulnerability, we’ve got this issue, what is the absolute worst thing that could happen if this vulnerability or issue were to be exploited?”

But then if you do the exercise with them of, “Okay. Why would someone do that? What do they have to gain from doing that? Is there a monetary incentive?” And that’s not to say that those risks don’t matter, it’s just walking people through that thought exercise because when we focus on a niche risk or a vulnerability that could be exploited but is a lot less likely to be exploited because it does not, for example, lead to any monetary gain from an attacker, it distracts us from the truly biggest risks that are much more likely to happen, might not have such a disastrous outcome, but are still where we need to focus our energy because the Likelihood x Impact equation gives us the biggest output.

[David Spark] That is an excellent point and I love that example as well. Interesting that they were all very much onboard because we love to hear that story as well, but it’s an interesting twist to have to deal with.

Closing

37:42.664

[David Spark] This comes to the end of our show. That was awesome, Katie.

[Katie Ledoux] That was so fun!

[David Spark] A lot of hesitation to come on the show and I’m glad I pushed you to come on because you rocked.

[Katie Ledoux] I didn’t say that I hated any genders during that, did I? [Laughter]

[David Spark] No, you didn’t say that. You didn’t say that at all.

[Katie Ledoux] Yay!

[David Spark] What we’re going to do is we have enough of your audio to create an AI voice of you actually saying that.

[Katie Ledoux] [Laughter]

[David Spark] So don’t worry about it. You don’t need to say it.

[Katie Ledoux] I cancel!

[David Spark] We’ll just make sure that those words are said in your voice now.

[Katie Ledoux] I knew that me being canceled would be inevitable even if I managed to [Laughter] not say any cancelable offenses.

[David Spark] I want to thank our sponsor Palo Alto Networks. Do I need to repeat the web address? You know where it is. Yeah. You need to think about them – from code to cloud they are a CNAPP. More about them at their site paloaltonetworks.com. Katie, I’m going to let you have the very last word, but Mike, any last words?

[Mike Johnson] One of the things I love about this show is getting to have these deep conversations that sometimes something comes out and really just stops me in my tracks. This is one of the huge values that I get out of doing this show is every now and then somebody says something and the little record skips.

Katie, you really brought that several times today. The first one was really talking about just what are your four top risks. Associate everything with those. And that was just this moment of simplicity, really allowing a program to focus. And so I really appreciated that tip, but just in general all of the great advice that you gave to folks.

This was such an action-packed show. Thank you for joining us, Katie, I really appreciate it and our audience will too.

[Katie Ledoux] Mike, you are incredibly kind. It was so fun to be here. I’m really glad that I had that effect on you but I promise, just like everyone else, I have absolutely no idea what I’m doing.

[Laughter]

[Katie Ledoux] We’re all just trying different stuff till something works. [Laughter]

[David Spark] Katie, you were able to string certain words together to make it sound like you did know what the heck you were doing. Very good.

[Katie Ledoux] Well, I’ll report back on what works and what doesn’t because we’re trying some new stuff.

[David Spark] Let me ask you this – are you hiring over at Attentive?

[Katie Ledoux] We actually just made a bunch of really key hires.

[Mike Johnson] Awesome.

[Katie Ledoux] I’ve had four new people start in the last four weeks, so that does mean that the team is always growing. But yeah, and we’re certainly hiring engineers across the company and in security, my team will probably make a few more strategic hires, but we just, you know, everyone else’s layoffs are our gains.

[David Spark] There you go.

[Katie Ledoux] Really excited about our new additions.

[David Spark] So, should people contact you if they’re interested in working with you at Attentive?

[Katie Ledoux] Absolutely. Find me on Twitter or LinkedIn.

[David Spark] Twitter or LinkedIn, we’ll have links to both of those on the blog post for this very episode. Thank you very much, Katie Ledoux, who is the CISO over at Attentive. Thank you, Mike Johnson, who I can now, I’m sorry it took so long, officially refer to you as the CISO of Rivian.

[Mike Johnson] Thank you, David.

[David Spark] All right. I’m expecting and Katie’s expecting a free car. Thank you very much.

[Mike Johnson] Matchbox’s got you covered.

[David Spark] What?! Wait a second. I can’t fit in that.

[Mike Johnson] You didn’t specify.

[David Spark] That is true, I didn’t, you got me there.

[Laughter]

[David Spark] Thank you, audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.