Why are CISOs Excluded from Executive Leadership?


Every company claims they take cybersecurity “very seriously.” If that’s the case, why do we see a dearth of CISOs listed in executive leadership? Is this just a factor of company reporting structure, or do CISOs really not have a seat at the table with the business?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Ben Sapiro, head of global cyber security services, Manulife.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Query

Query Federated Search gets to your security relevant data wherever it is – in data lakes, security tools, cloud services, SIEMs, or wherever. Query searches and normalizes data for use in security investigations, threat hunting, incident response, and everything you do. And we plug into Splunk. Visit query.ai.

Full Transcript

[David Spark] By nature of their title, CISOs should fall into the C-suite, but that’s not the case. Why do we rarely see them listed as executive leadership?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this episode, he’s your favorite, since you saw him in the first season of “Sigmund and the Sea Monsters.” It’s Geoff Belknap. He’s the CISO of LinkedIn.

[Geoff Belknap] I’m still waiting for the residual check for that appearance. Somebody let me know what’s going on with that.

[David Spark] Did you ever see that show, “Sigmund and the Sea Monsters?”

[Geoff Belknap] I don’t think I did, but I went through this period where I was doing a lot of shows. It’s possible.

[David Spark] It’s possible you did it. I think it also…it’s before your time, for that matter. My son and I were in Hollywood and actually saw the Sigmund costume in the Hollywood Museum, and I pointed it out to my son. And then I found clips of it on YouTube. And my wife had never seen the show either. It’s distressingly awful.

[Geoff Belknap] I presume this is putting me on the same level as like a Batman or a Superman and not like the Greatest American Hero.

[David Spark] Well…

[Geoff Belknap] Uh, all right.

[Crosstalk 00:01:22]

[David Spark] “Sigmund and the Sea Monsters” is way, way below all of that.

[Laughter]

[Geoff Belknap] “Mork and Mindy” level? And now we’re going way back.

[David Spark] Again, you’re talking about actual programming, where there were writers, and scripts, and actors.

[Geoff Belknap] Well, this sounds appropriate for the CISO Series, because there are no writers, no actors, and we’re all just trying to figure it out as we go along.

[David Spark] And we run around in silly seaweed costumes, looking like sea monsters.

[Geoff Belknap] Speak for yourself.

[David Spark] Hmm?

[Geoff Belknap] But I’m open to it.

[David Spark] Something to consider for future episodes.

[Geoff Belknap] Hey, how about a podcast, everybody?

[David Spark] Let’s do it.

[Geoff Belknap] [Laughs]

[David Spark] Our sponsor for today’s episode is Query, brand new sponsor of the CISO Series. Federated search for security data. If you have a SOC where they’re staring at single panes of glass, you’re going to want to hear what we have to say a little bit later in the show about Query. Thank you for sponsoring us. Every company, Geoff, claims they take cyber security very seriously. I’ve yet to run into a company that says, “Eh, whatever,” with security. 

They all say that. But if that’s the case, why do we see a dearth of CISOs listed in executive leadership? Investigative reporter, Brian Krebs, discovered that very few of the Fortune 100 companies list any security professional in their executive leadership, and we’re going to talk about this. But I’m going to ask you the opening question – is this just a factor of company reporting structure, or do CISOs really not have a seat at the table with the business? 

And, again, we are not stressing your business or our guest’s business, but we’re talking about this as a greater industry case.

[Geoff Belknap] You know, in my experience, it’s kind of all of the above. An observation that I have is that most of the Fortune 100 are companies that are, you might say, legacy companies. They’re companies that have been around a long while, and their leadership teams and their leadership cultures have been around a while.

The CISO role is relatively new. It is brand new in the area of executive leadership roles. I think in that case, it is not surprising, but certainly I don’t think it’s an indicator these companies don’t take it seriously. But it is an indicator that what is important to successful companies is changing rapidly, and the culture of leadership does not change quite as rapidly as technology pushes it to. 

I don’t think this is an indictment of the role, but it certainly is something I think we’d all like to see change sooner rather than later.

[David Spark] That is a good point that is actually not brought up in the comment, so I’m glad you did bring this up quite early. We’re going to address much of this stuff in our comments later. All right. I have a great guest for us, who we have not had on in a long time, and one of my favorite guests.

So, I’m thrilled that he’s back, and he’s got a new title at a new company. He is the head of global cyber security services over at Manulife, one and only, Ben Sapiro. Ben, thank you so much for joining us.

[Ben Sapiro] Happy to be here as the token Canadian.

Who owns this issue?

4:23.460

[David Spark] Todd Fitzgerald of Cyber Security Collaborative said, “Most executives are rewarded for being risk takers, and the CISO predominantly is there to ‘manage risk’ and facilitate the appropriate amount of risk versus reward. Many executives don’t want to hear that message. The smart ones incorporate the risk decisions and make deliberate decisions on the cyber security risk.” That’s a pretty bold statement. 

Sean Kalinich of Richey May said, “A large number of CISOs report to the CFO, which shows the ties to the purse as an expense and not a serious part of doing business.” Again, another bold statement. So, what say you? Essentially these are people sort of arguing that they just don’t take us seriously when they all say they take us seriously.

[Geoff Belknap] You know, here’s another example of where I think opinions have emerged and evolved rapidly. This is a case where certainly I see it as my job to manage risk, but I see the outcome of my job in managing risk to be so that the organization can take new and exciting risks, so that we can move into new parts of business or new markets.

[David Spark] That is a very good point.

[Geoff Belknap] It certainly has evolved from being the department of no – saying, “No, no, no, there is risk there,” to instead saying, as an executive leader responsible for risk, it’s my job to go, “Ah-ha, there’s risk there. How do I best position my company to be able to take that risk where other companies might not be able to and thereby being a competitive advantage?” 

I think this is similar to how people think about the relationship of CISOs or security teams being expense centers. That is one way to apply it. But if you can think about that expense as enabling you to achieve more revenue, achieve more profit, move into new parts of the business, I think then we can move past that. But I think as both of these comments have pointed out, not everybody has gotten there yet. Not every CFO or CEO has figured that out yet, but I think we’re getting there.

[David Spark] And I think this goes back to your earlier comment that it takes a while for boards and executive leadership to sort of evolve with the changing structure of positions as well. Ben, what has been your experience, and do you have sort of the attitude of both Todd and Sean here?

[Ben Sapiro] I don’t agree with Todd and Sean. I’ll start with an important lesson I learned many years ago from the CISO of Travelers at the time. I didn’t have gray hair and a beard, was much younger and probably much dumber. But she made the astute observation of we don’t have brakes on cars to go slow, we have brakes on cars so we can drive faster.

And so, Geoff, I very much agree that our job is not the no but the how do we enable this safely and strategically for the business to take that risk. The idea that our reporting to the CFO, or the COO, or some other level somehow diminishes the importance of the work that we do I think is ridiculous.

It’s really about does that leader enable your access to the senior executive, to the board when it’s appropriate. You can’t have everybody on the senior executive team. The CEO has only got so much bandwidth on who they manage, and they have to delegate that responsibility to other people as well. So, for me, it’s always been about can I get access to the people I need to at the times that matter to make the right decisions. And across my entire career, that’s always been the case even though I haven’t sat on the senior executive team. So, I challenge very much the thinking that Sean and Richie have.

How do we convince the C-suite?

8:01.978

[David Spark] Niels E. Anqvist of ZAFEHOUSE.COM said, “Not long ago, I visited a large public organization. When we discuss cyber security breaches and trends, two C-level execs left the meeting room with the remark that they needed to report to the market if they knew anything about vulnerabilities and breaches.” So, they preferred, or elected, or he’s saying so they preferred not to know. That’s an interesting take, that their knowledge would require them for regulatory reasons to report something, so they felt that ignorance was a better way of taking it. This is what he witnessed.

So, Thomas Struan of Celsoior Technologies said, “Considering the federal government is seeking jail time for CISOs, it doesn’t exactly make a lot of people want to volunteer to be in the crosshairs. If you make a simple mistake, you could be wearing an orange jumpsuit. Financial liability with indemnity is one thing, but criminal liability is entirely another.” So, I think, honestly, anybody in the C-suite can be found liable if there was some malfeasance done at the organization, for that matter. So, I don’t think that puts CISOs in any unique place. You’re nodding your head here, Geoff.

[Geoff Belknap] Yeah, I think I talk to CFOs, and general counsels, and CEOs. It is not a unique position for a C-level executive of any kind to potentially be in jail if they’re not adhering to their or following their fiduciary duty. I also feel like this is a great quote from Niels. I feel like this is play stupid games, win stupid prizes.

If we’re going to pretend…if our strategy for securing our enterprise is to pretend nothing is wrong and then maybe blame the CISO when it is, that’s not going to play out how we want it to play out. But certainly I think both of these things are indicators that this job is very serious. Now, it comes with stress, and it has always been serious, but now as we’re looking to make sure that everybody in this role evolves to the actual C-suite, whether you’re directly reporting to the CEO or indirectly reporting to the CEO, it is reasonable to presume that it comes with serious consequences for performing the job poorly. 

That’s just part of the deal.

[David Spark] Ben, Niels and Thomas definitely have a glass half empty look at this situation, but I also get the sense that they’re saying like, “If we’re dealing with stress, if we’ve got important issues, we need to be ‘heard.’” But there’s a difference between being heard and being on executive leadership. Where is the dividing line, do you think, here?

[Ben Sapiro] Governance structures. I hear what Niels…or I read what Niels and Thomas are talking about, and what they’re really talking to is do the organizations have proper governance structures, and are they being followed. I know that there is a lot of anxiety in the broader community about, “Oh, I could be called up. I could land up in an orange jumpsuit.” I think those are some very particular cases. And clearly, I’m not a lawyer, but I think at least from what I’ve heard and conversations I’ve had, there are unique aspects to each of those.

I think the thing that keeps any executive, any leader, any director of a business, any officer of a company out of the hotseat is the ability to say, “Hey, I followed the rules that we all agreed to as leadership in the company, and I can demonstrate that there is a great paper trail for it.” 

And so when I read stories like this… I’ll describe it as what Niels said, is ignorance is bliss, that really just screams that the governance structure needs to be set up properly so that people don’t have this unnecessary anxiety of, “Well, if I hear this, I have to report this to the market.” No, the governance structures, if they’re properly in place, would allow me to then have a thoughtful conversation and decide what should or should not be reported in a very repeatable fashion. Same for the orange jumpsuit risk.

[David Spark] Let me go back to Niels’ comment here about people wanting to leave if they heard the information. I mean, I don’t know, I’m sure if you’ve heard this before, Geoff. And I don’t know what the labor laws are in Canada, Ben, but I know that if an employee reports something to their manager about maybe some employee misconduct, sexual misconduct behavior, the manager is required to report that. 

And I know many times, they go, “Just so you know, if you are telling me this, I must report this.” And then that becomes sort of part of the conversation, like, “This can’t be something you and I talk about, and we’re private about it. I’m required to report this.” 

And so does it fall under that kind of thing? Like, “Hey, just to let you know, if we’re going to be talking about this, it’s not just staying with the two of us. It’s getting reported,” kind of a thing.

[Geoff Belknap] It’s basically what Ben is saying, where governance is really important here. But culture underlying that is also really important. If somebody comes to me in a different scenario and reports sexual harassment, this is not a scenario where I’m like, “Buh, buh, buh, buh, don’t tell me, because then I have to do something about it.” My [Inaudible 00:13:19] The positive culture is I want to know about it because I want to action that immediately. I don’t want to work at a company where something like this is going on.

[David Spark] Does anybody ever come to you saying, “Can I talk to you in private, just between the two of us?” And it is something like, “But I have to report this,” kind of a thing? Do you ever have those situations?

[Geoff Belknap] Absolutely. But in that case, I am happy to hear it. I might not be happy to hear it Friday at five PM where I got to work all weekend as a result.

[David Spark] [Laughs]

[Geoff Belknap] But I’m happy to hear it because I want to make it better. And I would much rather work for a company where they don’t say, “I want to walk out of the room so I don’t have to hear this.” I want to work at a company where people say, “This might be uncomfortable. Let’s talk about it. Let’s action it. If at the end of the day, the lawyers and the compliance folks say we have to disclose it then so be it.” But the important part is you’re disclosing something that you have now addressed. You’re not hiding the issue.

[David Spark] Right. Are there similar cases, I don’t know, in Canada as I described, Ben?

[Ben Sapiro] I’m not an employment lawyer. I won’t comment on that in particular. But what I can tell you is that every company I’ve ever had the pleasure of serving at is there’s always very clear guidelines, and it’s published to everybody, and there’s training on it which says if you encounter certain reportable things, you must report them, and here’s what they are, and it’s clearly enumerated. And I look at this situation that Niels has put forward.

I would imagine that there are very specific rules there, and it just requires a proper sit down with lawyers and compliance people, as Geoff said, to figure out what the rules are. But the hear no evil, see no evil, ignorance is bliss type thing I think doesn’t actually work at all. And if somebody in the company knows something and management ought to have reasonably known about it then they don’t get this, “Nobody told me, so I get out of jail.” What were your governance processes, and were they working properly, and were you making sure that happened.

Sponsor – Query

14:58.650

[David Spark] Before I go on any further, I do want to tell you about our brand new awesome sponsor, and that is Query. You remember I told you, federated search for security data. So, Query is a new approach to accessing, searching, and understanding the security relevant data scattered across your security tools, data lakes, cloud services, SIEMs, and other API accessible systems. 

Security teams that can decouple and federate alerting, investigations, response, and threat hunting benefit from a more complex data picture, resulting in faster and more efficient security detection and response, plus significant cost savings. There are lots of gotchas in moving data such as ingress/egress charges and the need for other tools to ETL and transfer or centralize.

By decoupling the analyst’s user experience from the platforms, Query offers an opportunity to go best of breed and maximize each platform ecosystem as fully and cost effectively as possible. This is powerful stuff for analysts and threat hunters. The connections between data sources can be added up through joins as they happen without the need for prebuilt playbooks and brittle automations.

A search for a malicious hash that matches to an internal IP address can then be joined to the host name associated with that IP to the user and so forth, unlocking the story of the data across many distributed and unrelated data stores. It’s your data. Let Query give you the ability to store it in the best place for your purposes and budget. Visit their site. It’s query.ai. Go there to learn more and get started with a free proof of value deployment.

This is not just a security issue.

17:00.690

[David Spark] Bob Zukis of Digital Directors Network said, “Most of these companies still govern cyber security within their audit committees, and very few disclose cyber experience amongst their corporate directors’ competencies and skills.” Thomas O’Malley of DropVault said, “Breached companies prioritize privacy and security only after they’ve been breached and only do so after a breach for regulatory and marketing purposes.” 

And Paul Neslusan of Oracle said, “It’s a risk versus reward situation. It appears most companies view the risk to stock value to be low regardless of cyber risk. The historically low shareholder consequences of corporate breaches inform this decision.” 

So, Ben, it seems that it’s a situation of you give us the information, and us, as a business, we make the decision of whether to disclose this or not. And, honestly, that’s always the case. You as the security leader, you’re not at sort of the right to publicly disclose it. The business is, isn’t it? I mean, you just provide the information.

[Ben Sapiro] Absolutely. And I certainly wouldn’t want to be in the position of having to make the decision of what’s right for the business. My job is to enable, to make sure that the leadership team understands what’s happening. 

And then they’re going to make with the guidance of myself and others informed decisions about what’s appropriate…relevant to our obligations, to our customers, to our shareholders. And this is true of any company I’ve ever worked at. I wouldn’t want to be the CISO and have the sole decision rights on, “Should this be disclosed or not?” This is really about the company itself and what its obligations are to the market and to the shareholders.

[David Spark] Geoff, how deep do these discussions go with the senior leadership in terms of, again, you’re never the one making the actual disclosure, but how does that conversation go with how do you think…? To the level of like, “How do you think we should handle this, Geoff?” Like to what level are they asking you for advice?

[Geoff Belknap] I think, first of all, it requires a little bit of clarification that public disclosure in terms of to shareholders is required by public companies. So, if you’re the CISO of a public company, you are absolutely going to have a much more in depth conversation about this. I think… I want to hedge my bets here a little bit and say good and great companies have an in depth conversation about what detail do they need to share, when, and how do they want to do it. 

And almost all of those conversations are about how fast we can do it – how fast can we share the most accurate information in the most impactful way for our customers so that it helps them be protected if they need to be protected. It helps them take action if they need to take action. But most importantly, it helps reinforce the trust that you have between your customers and you.

They know what’s going on, even if they don’t have to do anything. Most of the conversations that I have been a part of or that I am aware of are about like, “What is the line between information that it is useful to share immediately and how fast we can share it.” It is almost never about whether we should share it or not.

That conversation is the sign… If you are a CISO and you are sitting in the conversation, and someone is deciding whether they should do it or not, it is a good sign that you need to move on because those companies are not going to be around for very long. If you have a problem, and you are a major company, and then you are debating whether to disclose it or not, you are going to fail as an organization. 

I don’t know why. It might not be the security thing. But the fact that you don’t trust people is a problem.

[David Spark] So, you are distanced from those conversations, the release or not release conversations?

[Geoff Belknap] No, I think quite the opposite. I think you are… CISOs and security leaders are a part of that conversation. But I think, frankly, that conversation, whether to do it or not, is just not happening anymore. The conversation that is happening is, “How do we do this? Do we do a blog on our website? Do we do an email blast? Do we put it on our support website? How do we want to communicate that to people effectively?”

[Ben Sapiro] And when. There’s a lot of good thinking around the earlier you come out, the more confidence your customers will have in you because you’re on the front foot. You’re being open. You’re being transparent. But you said earlier, Geoff, that if you communicate not enough, not the right information, that might lead people to the wrong conclusions or to respond in ways that aren’t going to be helpful.

So, you have to find that good inflection point in these situations of, “I’m telling you now so that I’m giving you most the actionable information and the best clarity around the situation.” But at the same time, I don’t want to wait too long because sometimes clarity can come…like perfect clarity can come many, many, many weeks down the road. I would…

Really when I look at some of these comments, I think that they’re deeply cynical and belong to an age which is not one we’re in right now. Companies are making investments appropriate to their overall market situations and their risk appetites. They are doing that. And they think they’re doing the right things, and that’s fine. 

And when someday something comes along that teaches them different, they adjust their preconceived ideas about what’s appropriate and not, and they change their investment plans, and they adjust their risk tolerances. That’s how the world works. Sure, there are probably some small players out there that are not behaving in the way that they should. But, Geoff, to steal your term, great and good companies, companies that have public trust, they do take it seriously. But everybody can be breached, and then you learn from that. You adapt your investment strategy and your risk tolerances from there.

[Geoff Belknap] I just want to build on what you’re saying here, Ben, and reinforce with people… And I think you’re 100% correct. This is not the way companies think anymore. But if you don’t execute well a communication strategy about whatever security problem you’re having, this is how your customers think that you are thinking, and this is not what you want. This is how people are going to interpret it.

[David Spark] And let me just echo something that Andy Ellis, one of our other cohosts said, is when he was at Akamai… I thought this was a very good technique. I don’t know if the two of you do this. Is that whenever they had some kind of an incident, and they were questioning whether or not they were going to announce it, they would get together with the communications team and write up what the announcement would be before they sat down to make the decision. 

So, the idea is the conversation was, “We have the announcement already. It’s written. It’s done,” or however it’s going to be issued. “Are we releasing this or not?” And then that… Instead of… Because sometimes you do it the other way, and it’s like, “Release it.” And then it becomes too long to release it because of the number of eyeballs it goes through, and the edits, and yada, yada.

[Ben Sapiro] My brother-in-law is the head of communications for a particular company, and I share a lot of conversations with him on communication strategy around crises. And he has prepared a number of holding statements for certain types of crises. We hope that they never come true, but he is prepared so that it’s really about what the particular details are versus how to craft these things.

When you look at breaches today and if we go back 10, 20 years, whatever the right number is, that was really the IT person’s responsibility – the head of IT or maybe the head of security, what they were called back in that time. Today, they are multi-party affairs. You’ve got the CISO. You’ve got the CIO. You’ve got the CEO, the CFO. You’ve got regulatory. You’ve got general counsel, comms, and the list goes on. So, a lot of this is very good, of what Andy is describing, is being prepared in advance not only in comms but in incident response.

[David Spark] It’s part of the incident response process. It’s part of it.

[Ben Sapiro] Yeah. Everybody is getting prepared in advance so they can focus on what matters, which is minimizing the damage and getting back to business and serving the customers.

How do we go about measuring the risk?

24:42.002

[David Spark] Barry Rabkin said, “Insurance underwriters should consider when deciding whether to offer cyber insurance, and how much, and with what terms, conditions, and restrictions.” So, essentially I think what he’s saying here is, “If I don’t see cyber and leadership then maybe that should change how I would insure that company or not.” 

So, interesting take on that. Vikram V. of Nandi Security said, “It would be good to have data that showed correlation between security expertise at the C-level and lowered cyber risk in doing business with that company, just to protect the small guys like us who want to take action.” 

So, these are two different interesting takes of the value of having that security knowledge at the executive level could affect insurance, could affect working with other businesses. I mean, it seems like a pretty long leap that executive cyber knowledge, executive leadership sort of has a direct correlation to the whole security program. I don’t know, Geoff, what do you think?

[Geoff Belknap] It’s a little bit of a leap. But, look, this is where we’re going. If you don’t have executive cyber security experience or leadership on the team regardless of whether they’re listed on the website or not, you are going to have a riskier operating environment. 

If you don’t have somebody advocating for risk management, if you don’t have somebody driving that culture of compliance, if you don’t have somebody sort of ensuring that that expertise is brought to the business strategy and operations the same way go to market experience or financial management experience is brought to it, you are going to be operating a riskier venture. And eventually your insurance rates are going to reflect that. Your churn rates for your customers are going to reflect that.

And it’s never going to be, “Ben or Geoff weren’t on the website, so I’m not going to pay for this.” But there are going to be little things that eat away at that. I think there are going to be forcing functions. Because, look, right now… I don’t know if you’ve renewed your home or car or whatever insurance. Insurance rates are going up everywhere. 

People are looking for ways to identify riskier bets than they were…differently than they were previously. This is going to be part of it. But I think just in general, you have to keep in mind, operating your business without this experience is not just like a neat thing. It is essential to make sure that you have coverage here.

[David Spark] Ben, your take here. Is there a correlation, or is this a long leap that’s happening with both the insurance and the cyber leaders means we are going to be safer, if this knowledge is at the executive level?

[Ben Sapiro] So, I’m really excited we’re talking about a topic for insurance because that’s the world I live in. Although to be clear, it’s life and health insurance that Manulife works in, so this is a little outside of my realm.

[David Spark] Well, life and health is hopefully… Well, not hopefully. We believe it’s connected.

[Ben Sapiro] We do. But if you think about the insurance market in general, there is…I’ll call it a loosely coupled correlation. And so something will happen in the world which will then create…cause claims to go higher, which will then ask the underwriters to think about why those claims went up. 

Then they will adjust their premiums, so they’re taking an appropriate amount of risk relative to how much income they’re getting. So, everything is kind of like this long feedback loop in the insurance world. Whatever sort of insurance you’re talking about.

[David Spark] Yeah, and the thing is it is a long leap to believe that the executive leadership is hitting the actuarial tables. I don’t know.

[Ben Sapiro] Well, so but they do ask in the underwriting process for cyber insurance…they do ask… And, Geoff, I’m sure you’ve had to fill in your forms in the past 12, 18 months. They do ask who the person is that is accountable for it, and are they of a certain level of seniority. They don’t, at least the last time I did renewals…they didn’t ask whether or not that person was on the executive. They just asked if they existed and what level they were.

[David Spark] And we’re seeing that at a lot of regulations, too, in general.

[Ben Sapiro] 100%. But then that then informs where the underwriters want to be in the tower of insuring 10, 20, 30 million dollars, whatever it is. And they might… Some underwriters might actually consider that as an important point, of, “Do you have a senior leader who is experienced leading your cyber security program?” 

In other cases, they might not. But it’ll inform the position they take, which ultimately does inform the rates that you will pay as somebody who’s being insured for cyber security events. So, it’s not a leap to say that these sorts of things do inform it, but the fact of whether or not I show up on a company’s website as being part of the topmost C-suite, no, that doesn’t inform it at all in my mind.

Closing

29:27.598

[David Spark] Well, that brings us to the point of the show where I ask my guest and cohost which quote was their favorite and why. And I know we were kind of challenging some of these comments here, but take it from either angle. I’m going to ask you, Ben, which was your favorite quote and why?

[Ben Sapiro] Well, I think it’s the quote by Sean around who CISOs report to and the CFO. It presents a preconception around how organizational structures work which I think is wrong, and so I think I enjoyed it because it was one to challenge a lot.

[David Spark] Okay, very good. Geoff, your favorite quote and why?

[Geoff Belknap] I’m going to go with a contrary quote, which is Thomas O’Malley’s from DropVault who said, “Breached companies prioritize privacy and security only after they’ve been breached and only do so after a breach for regulatory and marketing purposes.” Here is the important thing, I want to be clear, this is my favorite quote because I think we need to talk about the fact that this is not true. Most companies absolutely do take your privacy and security seriously. 

But if you don’t do anything to establish that or to communicate that to your customers before you have a problem, your customers and the public in general will come to this conclusion – that you did not care about this beforehand until there was a problem, until you were caught with your hand in the cookie jar. You didn’t care about the problem. 

You have to be driving that program ahead of time. You have to be thinking about how you build that trust with your customers. And some of the way that you do that is you make sure that your CISOs are involved at the right level and engaged, and then you communicate with your customer base.

[David Spark] Excellent point. Well, that now brings us to the very end of the show. I want to thank our sponsor. That would be Query. You remember? Go to their site, query.ai. Federated search for your security data. Look, you got a SOC. You’re staring at panes of glass. You’re only looking at a portion of the data. Look at all of your data without actually ingesting all of your data. 

Take a look and see what they’re doing with Query. Query.ai. But I also want to thank you, Geoff, as always, for being a fabulous cohost, and thrilled that Ben has come back on the show. So glad having you. Now, Ben, let me ask you, are you hiring? Any last comments on this topic here?

[Ben Sapiro] Yeah, a comment is good governance is expensive, but invest in it. It will save you in so many different ways. On the question of if I’m hiring, absolutely. Canada, North America, listeners in the Philippines, Hong Kong, we’re absolutely hiring and looking for great talent. Please check out our job site.

[David Spark] Awesome. You’re hiring all over the place. We love hearing that. Well, thank you very much, audience. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review, leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.