In order to get any work done we try to shut out all possible distractions. That includes messaging apps. But those people who want to connect become annoyed that they can’t reach you.
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Howard Holton, CTO, GigaOm.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Cyolo
[Voiceover] Best advice I ever got in security. Go!
[Howard Holton] Keep it simple. You’re likely overcomplicating it. The reality is we spend a lot of time as technologists kind of buried in technology and really hearing a lot about various technology and tools that can solve our problems. But what we really need to remember is we’re a business, and we need to be able to run a business. So, let’s think instead of thinking about all of the things that are possible…let’s think about it from the perspective of who are our people, what do we do, who are we, what’s reasonable, and then work back from that to figure out what we really should be doing. So, really keep it simple.
[Voiceover] It’s time to begin the CISO Series podcast.
[David Spark] Welcome to the CISO Series podcast. My name is David Spark. I am the producer and cohost of this very episode. And guess what? I have another cohost here. His name is Andy Ellis. He’s the operating partner over at YL Ventures. Andy, introduce yourself to people who do not know you.
[Andy Ellis] Oh, to people who do not know me. I am Andy Ellis.
[David Spark] That’s it. They don’t need to know any more.
[Andy Ellis] Aw, come on.
[Andy Ellis] I once won a spelling bee at the Sherman Oaks Galleria.
[David Spark] Really?
[Andy Ellis] Which was the setting for “Fast Times at Ridgemont High.”
[David Spark] Now, that is a good, cool piece of trivia. We’ll get to other little brushes with greatness in just a moment. We’re available at cisoseries.com. We have plenty other programs on our show. And our sponsor for today’s episode is Cyolo – safely connect people to work. Aw, we’re going to be talking about Zero Trust here. I know everybody likes it. More about that later in the show. Andy, I was going to talk about something else, but I love the fact that you mention a brush with greatness. Give me another one. I want to know a really good brush with greatness you had.
[Andy Ellis] Let’s see, I once shook President Clinton’s hand.
[David Spark] My wife did that as well. There’s even a photo of it.
[Andy Ellis] I was made to. But it was still… I got to do it. I was in the military at the time at the air force. He flew in through Hanscom Air base, and so at like four o’clock, right as I’m about to leave, we get told, “Nobody can leave the base because we all have to be there when the president lands so that he can have troops in his backdrop.” And he walks the line, presses the flesh. I got to shake his hand. The man exudes charisma.
[David Spark] Oh, I know. Yeah, he does.
[Andy Ellis] Whatever else you might want to say about him, he exudes charisma.
[David Spark] Yeah, I know of the people who…I know who have met him, I hear very similar stories. Now, I’m not going to mention a brush with greatness I had. Actually I was thinking when you mentioned a brush with greatness my mom had in that she was in the summer camp production of “South Pacific,” and Neil Sedaka was her accompanist.
[Andy Ellis] That’s awesome.
[David Spark] I think she was 14. He was 17 at the time. He played and accompanied her on the piano. Now, a not so great brush with greatness – my mom went to high school with Bernie Madoff.
[Andy Ellis] Okay.
[David Spark] Not good. So, two different sides of a coin, I guess.
[Andy Ellis] Two very different… You should have stopped with “South Pacific.”
[David Spark] I know, I should have. [Laughs] Neil Sedaka, much better than Bernie Madoff.
[Andy Ellis] Much better.
[David Spark] All right, let’s get into the show, why don’t we. Thrilled to have our guest on. Actually with a research film we love working with, GigaOm. He is actually I think brand new CTO over at GigaOm. None other than Howard Holton. Howard, thank you so much for joining us.
[Howard Holton] Thanks for having me. It’s great to be on the podcast.
If you’re not paranoid yet, here is your chance.
[David Spark] Who are the true innovators in cyber security? Is it the attacker or the defenders? Now, in an article on Venture in Security by Ross Haleliuk, he posited that the critical driver of innovation is the adversary who is trying to think of ways to break our defenses. It’s often referred to as a cat and mouse game, and it also may be a chicken and egg type discussion. But who, Andy, do we credit with the innovation? Solutions we have today would not exist if it weren’t for the adversary finding new techniques. I know we don’t want to give the attackers any credit. But where does the innovation in cyber security lie?
[Andy Ellis] This one feels like a false choice to me, and it feels like a very constrained binary question. A lot of innovation is not driven by the adversary. It’s driven by needs for scale, for instance.
[David Spark] Good point.
[Andy Ellis] And even the find a new technique… Let’s just be very honest. 99% of the new techniques are just old techniques recycled in new technologies or new protocols. Denial of service is nothing new. But we should look at things like the Low Orbit Ion Cannon, LOIC, as an innovation in how to conduct DDoS attacks at scale or Botnet herding, and even some of the renting things like… Those are innovation. But I think this interplay just about the attack versus the defense, that’s not where most of the interesting innovation is. Most of the interesting innovation is behind that somewhere. Like how do you manage attacks, how do you manage defenses and manage security posture. Like look at most of our security companies today. In the Cloud, most of them are not innovating around, “Oh, here’s a totally new defense that nobody has ever seen before.” It’s how do we innovate you to get you to do the things that we know you need to do but aren’t happening inside companies.
[David Spark] An excellent point. Howard, let me ask you – do you feel the same way as Andy, or do you believe that adversaries do push us?
[Howard Holton] I actually think I disagree with Andy. The reason I disagree is the question is specific – who are the true innovators. Scale is not innovation. Sure, DDoS attacks have happened over and over again. All this stuff happens over and over again. Where we really try to push and where we really try to kind of solve the problem is these are relatively easy attacks. Why go for a hard attack when I can go for ten easy attacks in the same amount of time?
[David Spark] And I was thinking that as well. All right, he’s holding up… Are these awards you’re holding up, Andy?
[Andy Ellis] These are literally patents I have for solving scale problems in security for being able to do things at planetary scales.
[Howard Holton] Okay.
[David Spark] So, what he’s held up are these two Lucite cubes or actually rectangular cubes that have it appears extremely shrunken versions of paper in them.
[Andy Ellis] Yeah, it’s patent awards.
[Howard Holton] They’re super sweet.
[David Spark] Is that the actual patent written down in there?
[Andy Ellis] That’s the actual patent written down.
[David Spark] You couldn’t read that though, could you?
[Andy Ellis] You can. Not with my eyes at 51. But I could when I got them.
[Howard Holton] Theoretically… It’s like the bible written on a piece of rice, you could theoretically read it. So, back to my point. But I also don’t think it’s the attackers that are the true innovators. I think it does happen on kind of the back end, and I think it’s the researchers that work in this space where I get the most excited. Like I’ve been going to DEV Con for a decade, like probably most everybody else. And I’m sure that I am short the two of you on this podcast. But it was always funny to me that I would sit in a room so that I had a seat for the next talk. The room that I sat in ended up being the more interesting talk while I was waiting for what I thought would be the interesting talk. And it was really those guys doing kind of this odd ball research because they had an idea. They thought they found something, and they spent a year of their life dedicated to this. Of course six months later, you saw the exploit in the wild. A year later, you saw the tool to combat that particular exploit in the wild. So, I think there’s a third audience—not the attackers nor the defenders but the researchers – that I think are driving a tremendous amount of the innovation. Like 80, 90% of the innovation.
What’s the best way to handle this?
[David Spark] Howard, you provided a more expanded, detailed explanation of Zero Trust, which really outlines why it’s so incredibly complex. Of Zero Trust, you said, “You are trusted only to take one action, one time, in one place. And the moment that changes, you are no longer trusted and must be validated again regardless of your location, application, user ID, etc.” How then do you tackle such a huge complex beast? You outlined a rather logical and time consuming approach. From your viewpoint, what are the two extremes of Zero Trust? Meaning what is the easiest to implement of a Zero Trust plan, and what is the most difficult that if you were to achieve it you’d be considered the Zero Trust grand master? I’m interested to know what’s a super easy Zero Trust thing to fix, and what is the holy grail to nail?
[Howard Holton] ZTNA is both what I see as the easiest place to start, kind of what you can implement today that helps move the needle on Zero Trust. It’s also a question of whether or not that is necessarily my first big step. Because unfortunately Zero Trust is a bit of an elephant, and so you kind of have to draw the elephant out first. But you could do Zero Trust. You could check the box. You could move the needle. And then say, “Oh, by the way, we now need to start addressing this as a real problem that can be kind of independent.” The grand master of implementation would be Zero Trust accles [Phonetic 00:09:33] across your organization.
[David Spark] What does that mean? I’m sorry.
[Howard Holton] Restricting data access using Zero Trust philosophy so that you have access to literally only the data that you should have access from the systems you should have access, during the times you should have access.
[David Spark] So, the question that…or the definition you posed at the beginning.
[Howard Holton] Yeah. So, row and column specific accles, right?
[David Spark] Oh, really, really specific. Wow.
[Howard Holton] Really, really granular.
[Andy Ellis] All right. Well, let me give an example that I think might help bridge that, which is imagine that you have a customer configuration system where you’re a SaaS provider, and you have these entries for customers. You have a portal that your customer care team and your technical services, your integrators all use. How do you know when they go to make a change on behalf of a customer that at that moment that’s an authorized change? Most companies it’s just like free for all. Everybody in those organizations can edit any customer. A Zero Trust philosophy approach there would not say that. It would say if they’re making a change there must exist some documented chain that would show why this person is allowed to do it. And if that doesn’t exit, I don’t allow them to do it. And if it does exist then I’m like, “Great, now can I tie the person to other attributes and allow it to happen?”
[Howard Holton] And I would say to take it kind of one step further for that grand master level it’s not just can you make a change to the record, but can you make…is that change to that field in that record appropriate by that person, and do they only have access to the fields that are appropriate for them to view and edit.
[David Spark] That is a level of minutia that I don’t think anyone has even…that is anywhere near… Is anyone near something of that level? I mean it’s hard enough to just figure out what people…what files people are allowed to access and not.
[Andy Ellis] So, you do actually see some of this in some hospitals, especially ones that deal with celebrities.
[David Spark] Yeah. When you log in, like they’ll lock certain fields from you, right?
[Andy Ellis] Right.
[Howard Holton] So, technically GDPR has mandates around data usability that requires you to have that level of granularity. The problem is it fails the reasonability test today because there’s no real good way to do that across your system. But I think we are moving that way, and we’re seeing especially in the companies that do like synonymization…we’re starting to see the applicability of that. Of course they started that with the GDPR, the fact that it’s also applicable under Zero Trust I think is a benefit. I don’t think they started designing it with Zero Trust in mind.
Sponsor – Cyolo
[David Spark] Are you tired of struggling with access nightmares as your business expands? Of course you are. It’s a rhetorical question. Don’t answer. Do you feel like you don’t have enough visibility and control to security manage all the users who need to connect today? Yes! This is what we were just talking about in the last segment. So, the challenge of security operation technology, third parties, or even the new users who joined during your last M and A can open new areas of risk that give security even more problems than before. We have talked about this a ton on this show – the whole M and A thing. Oh, that’s a can of worms. So, Cyolo, that is our sponsor, they built a Zero Trust access solution to address these concerns and give you the control you need to more securely enable your business. Now, what makes Cyolo great for organizations and other CISOs is, guess what, it was built by a CISO. So, CISOs thinking like CISOs. It gives you the confidence to better and more securely access everything and everywhere. Visit cyolo.io. That’s cyolo.io so you can stop your worst access nightmares.
It’s time to play, “What’s worse?”
[David Spark] All right. Howard, you know how this game is played, correct?
[Howard Holton] No. I haven’t got a clue.
[David Spark] [Laughs] Don’t mess with me.
[Andy Ellis] [Laughs]
[David Spark] All right, two horrible scenarios. I make Andy answer first. Then you can answer. I love it when you disagree with Andy. Which you’ve already done on this show, so I appreciate that.
[Howard Holton] Andy was so upset at my last disagreement that if he could have thrown those…whatever the cubes are at me, I think I’d have a dent in my head.
[David Spark] Yes. If he could have thrown them at your head, he would have.
[Andy Ellis] I wouldn’t have thrown them. I might have dropped them.
[David Spark] All right, this comes from Dustin Sachs of World Fuel Services, a phenomenal contributor to the CISO Series. All right. What’s worse, Andy? Having your backup stored on a ransomed server or having the backups on an isolated system but discovering they are corrupt?
[Andy Ellis] Having them on a ransomed server or having them… Well, so first of all, it doesn’t matter in the long run. Like why are you relying on backups? Let me start with that one. I think the answer needs to be having them actually on a corrupted system. The reason for it is twofold. One is if you need them during a ransomware incident… If they’re also ransomed, you’re not going to waste time trying to deal with them. But if it turns out that you thought they were safe and they weren’t, you wasted a lot of time during your incident trying to recover from backups that don’t work. The alternate thing is if the rest of your systems were not ransomed but the backups were, well, fine, you don’t care about the backups at that point because you don’t need them. So, you get to walk away. So, it’s clearly worse that you had backups on a corrupted system because presumably once I unransom the system I can go back to having backups, and the backups will work. So, I’m going to go with it’s worse to have them on a corrupted system, which actually seems a little backwards.
[David Spark] On an isolated system but discovering they’re corrupt.
[Andy Ellis] On an isolated system but that they’re corrupt. Which basically is equivalent to not having backups but believing you do. So, the real question is is it better to not have backups but believe you have them or to have backups that got ransomed. Those are the real choice here.
[Howard Holton] Okay, so is it better to have loved and lost than never to have loved at all?
[Howard Holton] That’s what it sounds like to me. I’d love to disagree. But I don’t want to say I’ve been in both situations. How about one where you have backups, the backups work, but you’re an idiot and spend a week trying to do a restoration to the wrong version of Sequel. And it seems like the backups are corrupted, but you’ve generated 100% of the problem yourself.
[David Spark] Did you do this?
[Howard Holton] Yes, I did. I did. I did.
[David Spark] [Laughs]
[Howard Holton] I was going to say I don’t want to admit it, but it’s way too specific to actually be someone else.
[Howard Holton] No, that was absolutely me. I actually developed a little shock of white hair from the stress because it was also my accounting system that I was trying to restore.
[David Spark] Aye, aye, aye, aye, aye, aye.
[Andy Ellis] How about not having discovered until halfway through…? Not even halfway through restoration. Until 3 days into a restoration for one month’s worth of backups that you were actually using 95% of your capacity for rights, and therefore it was going to take you 600 days to recover 30 days of backup.
[Howard Holton] Yeah, that’s a good one.
[Andy Ellis] Because nobody had been paying attention on capacity for that specific case.
[David Spark] Let me ask you a quick closing question on this. Because I’ve never dealt with this because I’ve never been an IT person dealing with these kinds of issues. I can just imagine when you’re dealing with something which is taking you hours, days, weeks to recover that you wish there was an eject seat that could just shoot you out from wherever the heck you are at this moment because you just want to be anywhere but where that problem is. But you’re kind of stuck. Does that eject seat metaphor run through your head at any time?
[Andy Ellis] There is some incidents that you would really like to pass off to somebody else, but it’s not because it’s going badly. It’s because it’s not going at all. In the case of this backup recovery, there is some other group off doing the restores. And it’s not until you can come and ask the question, like, “How long will this take?” “Well, I don’t know.” “Well, let’s do the math.” And all of a sudden you’re like, “Wait. This isn’t even feasible.” Then you’re happy because now I have control. Like this process isn’t working. I was sitting around waiting for progress. I wanted to pull the eject seat. Now I can pull the eject seat on that plan and do something.
[Howard Holton] Oh, I would agree with that. At the same time, any time you have to click the restore button, there’s I think a level of anxiety that lasts anywhere from…
[David Spark] Oh, yes.
[Howard Holton] …20 seconds to, “Oh, dear God. Oh, dear God. Why is this taking so long?”
[Andy Ellis] Yep. That’s why I’ve become a fan of never restoring and trying to build as much operational process as you can that gets you to you don’t ever restore. It’s a holy grail similar to Zero Trust.
[Howard Holton] No, I actually agree. I think the second you’re forced to click the restore button, everything else has already failed.
[Andy Ellis] And you’re probably about to fail again, and you just don’t know how.
[David Spark] Yeah, nobody clicks the restore button and goes, “Oh, I’ll just click the restore button, and everything will be fine.” Everyone panics when they hit that button.
[Andy Ellis] Right. So, how can you design systems that don’t require a restore button? I’m a firm believer that laptops should not be backed up.
[Howard Holton] Yes, I agree.
[David Spark] Yes.
[Andy Ellis] They’re disposable items.
[Howard Holton] Yes. Especially when your CEO leaves them on top of multiple cabs in New York City.
[Andy Ellis] That is probably from a former job to Howard’s current employer. And if it his current employer, plausible deniability.
[David Spark] Howard has revealed a lot about his past work.
[Howard Holton] Yes. I’m actually pretty good. I tend to not to ever tell stories from my current position.
[David Spark] Yeah, that’s a good idea.
[Howard Holton] And it gets me in a lot less trouble.
[David Spark] Let’s just hope you don’t want to get hired back by any of your former employers.
[Andy Ellis] What’s going to happen though is this episode is going to air, and somebody is going to call Howard and say, “So, you know that anecdote about the CEO and laptops? I thought you said you didn’t tell things about our current employer.” He’s going to be like, “What? Really?”
[Howard Holton] Oh, I hope not. I hope not. Although I will be calling you if that happens because I’m going to blame you directly, Andy.
[Andy Ellis] Absolutely. Go for it.
Well, that didn’t work out the way we expected.
[David Spark] About six to seven years ago, the security industry woke up to the whole concept of asset discovery as the most important first step to building a security program. The often used line of, “You can’t protect what you don’t know,” was accepted by everyone. So, my question is why did it take so long for APIs to be recognized as an asset to be discovered. What security leaders know about their API environment is a colossal mess. I’ve seen reports where half of APIs are unmanaged or abandoned, and three-quarters of security leaders haven’t done a complete inventory of their APIs according to a report by Opinion Matters, said John Gold in a CSO Online article. So, I’m going to start with you, Howard, on this one. Why did this take so long? Were security leaders complacent, not thinking it was a problem? Or was it not a problem before, and now it is? And since APIs are so programmatic, will discovery alone solve a lot of the problems? It’s a lot of questions, I know.
[Howard Holton] It is. I’m going to try to break them down. So, the first one is unfortunately I think entirely too often we put ourselves in the SEP scenario, which for those who read Douglas Adams, that’s a someone else’s problem scenario. Where we hear API and we go, “Oh, that’s a development problem.” And then we hear security, and development says, “We don’t do security. That’s a security problem.” And we kind of make it an SEP. The challenge is yeah, we’re already bad at kind of our hardware asset management. You start adding in software, and then software I’m not aware of, as in doesn’t show up on a project plan somewhere. And it becomes far more complicated, far more complex. And the stats I’ve heard is Ghost APIs, those Ghost APIs that I’m not aware of in my environment, are anywhere from 80% to 400% versus those I’m aware of. As in…
[David Spark] 400%. How do you get 400%?
[Howard Holton] Yeah. Well, if I’m aware of 100, there are 400 more that I am unaware of in my environment.
[David Spark] Oh. [Laughs]
[Howard Holton] I know there are vendors that have abandoned API support in their tools, and yet the API is still there. They just don’t document it anymore. It’s a massive problem. And documenting that the API exists alone does not come close to solving the problem. Although it’s a very good first step.
[David Spark] All right, Andy, what’s your take on all my questions here?
[Andy Ellis] I really love Howard is using the SEP model. I was going to say security folks are more like toddlers covering their ears and going, “Lalalala. I can’t hear you.”
[David Spark] So, you think that’s what happened? Why APIs got to where they are now?
[Andy Ellis] This isn’t an API specific problem. When you say six to seven years ago we woke up to asset discovery, no, security has always known about asset discover. It’s just as some point you can’t ignore a specific set of assets anymore. And so six to seven years ago, you sort of see this, “Oh, we actually have to integrate knowledge of all of our enterprise assets.” And Axonius is born and some other vendors as well. And solve that problem for us. But they don’t look at SAS. They didn’t look at Cloud workloads. They didn’t look at APIs. They didn’t look at OT. Like we can just walk down the list of assets that weren’t there. And because security organizations don’t have tractable approaches and because none of their peers are demonstrating an approach that works, we just ignore the problem and let sleeping dogs lie. And so all of a sudden API, people have realized, “Wait, API is web traffic.”
Like that’s a web server sitting on the other end, and it’s just not being connected to by a user. It’s being connected to by another program. The fact that we ignored APIs for so long is interesting, but I also think for many people they’re like, “Well, what do I do with an API?” So, I discover it. Now what do I do? People also need to think about once you’ve done API discovery, what do you do next. What does it mean to secure an API? What are the security systems and protocols you want to put in place? Because that’s actually even more interesting than the asset discovery is what do you do once you’ve discovered the asset.
[David Spark] But I go back to the classic you can’t protect what you don’t know and the fact that so many of these… I reported on a previous episode from some report that in just one year we’ve doubled the number of APIs that are being used. And I was just thinking, well, if it’s going to continue at this rate, this is going to be unwieldly. But this was an episode I did with Mike. He was saying well, no, because it’s so programmatic I wouldn’t be so worried about the growth rate. Would you be worried about the growth rate?
[Andy Ellis] I wouldn’t worry about the growth rate. Also simply because things are… They shift, and growth rates aren’t consistent over time. So, sure, you double. But are you doubling off a small base? And at some point you’ll hit saturation? And he’s also right about the programmatic nature of it. But here’s the real reason that we get to bury our heads in the sands – ask any CISO this question. You go in front of your board, and they say, “Hey, put up a list of assets and how well secured they are. What are your classes and how well secured they are. And by the way, I’ve got 12 new asset classes that you don’t know anything about their security. Do you want to put that on that slide for next week’s board meeting?” And any CISO who says yes should probably go talk to their CEO and find out what happens when they put that slide up that says, “Oh, we have 12 asset classes that we don’t do anything about because they’re intractable problems.” We get told to ignore those.
[Howard Holton] I think it’s also burying your head in the sand and more just, “There are 400 fires right now in security, “I’m given the budge to fight 6. So, I’m glad that you added another thousand. Can you put that fire with another fire for a minute while I try to handle the ones I’m funded to do something about?”
[Andy Ellis] It’s 2023. You only got funded for four.
[Howard Holton] Oh, yeah. That’s true. That’s true. My budget was cut from last year. I appreciate it.
How would you handle this situation?
[David Spark] A redditor on the cybersecurity subreddit has had it with cyber. He posted a long post just railing against pretty much everyone who simply causes roadblocks and makes his job of actually doing cyber more difficult. I want to call out his last comment, which was, “Try to sit and focus on solving at least one darn problem.” He used other language there. “Without being needled by Teams, Slack, email, phone calls, SMS, Jira, etc. Meetings and more meetings that just stop me from getting actual work done.” I have suffered this before. And all these elements are designed for collaboration and making the business run. But at the same time, they prevent people from actually doing their job. I’m going to start with you, Andy, on this – how do we reduce or control this behavior essentially of all these things this person listed off so you don’t get a seemingly talented cyber person running to get out of the industry? Which is how they feel.
[Andy Ellis] So, I would just want to start say this is a leadership problem. That how are you building an organizational structure that people can work in affectively. I read the post, and I think the person had some good feedback. And they had some things that I said, “Hm, that sounds like they’re at a really toxic organization.
[David Spark] Yeah, they were really, really frustrated.
[Andy Ellis] This is somebody who’s really frustrated. But some of these things are easy to solve. Like, “Oh, you’re getting spammed by vendors. Learn how to say no quickly and just move on.” I have the equivalent of an auto responder that I just press a couple buttons, and I say, “No, go away.” And it works.
[David Spark] I highly recommend… I have what is known as a Texas Banter [Phonetic 00:27:56], a tool called PhraseExpress, which is available on PC and Mac. Highly recommend it.
[Andy Ellis] Yeah, I just set it up as a signature file, and I can easily in mail.apps [Phonetic 00:28:01] switch between signatures and say, “This is my vendor go away signature.” And send. Look, there are ways to solve this. But they are about organizational leadership. How are you protecting your people? Protecting their wellness, protecting their serenity so that they can actually get their job done. Some of what this person was complaining about was being in highly under resourced organizations like there was no exchange admin, and therefore the security team was trying to make changes on the exchange server. That’s just a level of dysfunction that some good leadership isn’t going to solve.
[David Spark] All right. Howard, your thoughts?
[Howard Holton] I think that’s a great kind of sum up. I’m going to go a little bit… I don’t disagree, but I’m going to go a little bit different because leaders that are listening to this that are stuck in those organizations, you probably should recognize modern corporations don’t value leadership. They train you to manage if you get training at all. They don’t train you to lead. I spent a lot of time talking about kind of lessons learned from COVID with organizations. The thing that I wish they would have learned more than anything else is you have to have leaders and stop paying bad leaders to be managed. If I need to see you eight hours a day, I’m a bad leader. My job is to enable my people and remove roadblocks because they’re doing the actual work.
[David Spark] Let me pause you on that. So, this is a common thing that I hear from people of like, “I don’t want to cause waves. I don’t want to mention this.” But as a leader, if you’re struggling with something, you definitely want your people to tell you. So, if I was this individual, what would be the right way to approach you about my problems?”
[Howard Holton] I like to think I’m easy to approach. I actually have something that is canned that I read to every candidate before I hire them. And then I reinforce that frequently. That really is… I have one on ones. I make sure my one on ones are incredibly open. I start by asking what can I do better and different. What, again, can I do better and different. And my one on ones are not my meeting. They are my employees’ meeting. As in they pick the topics. They run the meeting. I set no expectations other than receiving feedback. It’s not a time for me to give out information. It’s a time for me to receive information. And that’s the best thing that I as a leader can do. And my expectation with my people is if I’m going to be open and transparent with you, I need you to do the same. Otherwise we can’t be successful together.
[David Spark] Andy?
[Andy Ellis] I love what Howard said. Look, I just do have to make a pitch for my book.
[David Spark] I know. You pulled out your book there.
[Andy Ellis] I can’t not. If you want to learn to be a better leader, “1% Leadership” on sale April 18th. Or on sale now, delivering April 18th. But Howard just hit on a perfect one which is you have to listen carefully to find your blind spots. If somebody walks into your office and tells you something unbelievable, your first answer should not be, “That can’t possibly be true.” You need to stop and listen. Even if they’re wrong about the cause of what they’re experiencing, what they’re experiencing is real. And you cannot be heard shutting them down, or they’ll never come back and talk to you again.
So, if you say you have an open door policy, what that means is when somebody walks in and says something to you, probably the strongest thing you will ever say at the end of that is, “Look, I really hear you, and I want to understand more. I’m going to look into this, and I’ll come back. I’ll tell you what I’m doing about that.” Which might be you’re going to come back and say, “Look, I think there was a miscommunication. Here’s what I see you heard. Here’s what I went and inspected. Does that resonate with you? Maybe this wasn’t a big deal.” Or you’re going to come back and be like, “Holy God, I did not realize that me sending Slack messages was making the whole team drop everything they were working on to answer an idle question that I just put into Slack. To me it was an idle question. Hey, if you’ve got five minutes.”
[David Spark] You’ve had your own behavior put in check, yes?
[Andy Ellis] Oh, absolutely. In fact I have chapters about that in my book literally where I tell people… I had somebody who came in. We had literally fired a highly productive sales vice president – one of the most productive ones we had – for sexual harassment.
[David Spark] Well, that wasn’t in my list of complaints here. [Laughs]
[Andy Ellis] But I was like, “Look, we have a zero tolerance policy for sexual harassment in the company. Look what we just did.” And I had somebody who looked at me and was like, “Huh, that’s cute that you think that.” Because that was not her experience.
[David Spark] Oh, you were patting yourself on the back.
[Andy Ellis] Right. She’s like, “Yeah. No, we tolerate sexual harassment all the damn time until it becomes so blatant that we have to do something about it.” But I had to listen to that to hear and be like, “Oh, what’s going on that I might be able to do something about rather than ignoring it until it’s so big that I get to pat myself on the back? Because of course we dealt with it when it was that bad.”
[Howard Holton] I would also say as a leader… Again, I don’t disagree with anything Andy just said. Except no, and encourage your people to tell you no. The best thing I can get from my people is they say, “No, I can’t do that now. No, I don’t have the availability to do that. No, we don’t have that capability. No, we’ve never been trained to do that. No, we can’t do that to a level that we find acceptable.” Any of those things. Or, “No, I’m not working. It’s after five o’clock. It’s after my normal working hours. I can do that tomorrow.” And be okay accepting that. You as a leader are there to enable your people. That’s your job. So, if you can’t take no as an answer and be adult enough to say, “I’m okay with no,” you probably shouldn’t be in leadership. I don’t mean to make a very firm statement, but I think that’s a pretty firm one for me. I don’t want to work for someone that can’t take no, and I really want no.
[Andy Ellis] I want to repeat what Howard first said because I want people to walk away with that – which is the crises we have today is too many people who are promoted into management and only taught the basics of personnel management. There is no investment in leadership development until people are already senior executives, at which point it’s wasted. Because they’re not going to listen unless it affirms their own beliefs about their leadership. So, if you are a junior level manager or you want to become one then you need to invest in your own leadership development training now because your company is unlikely to do so.
[David Spark] Excellent point. Now we’re going to wrap it up. Thank you very much, Andy Ellis. Thank you very much, Howard Holton, who is the CTO over at GigaOm. Check them out at gigaom.com. And for your Zero Trust discovery and solution needs, please check out our sponsor, Cyolo. That is cyolo.io. Safely connect people to work. Thank you very much, Cyolo, for sponsoring this episode. Hey, Howard, do you got anything to push is to over at GigaOm? What should we all know?
[Howard Holton] Oh, we’re producing a ton of content, kind of constantly. I would take a look at our radars. I think the audience will appreciate our radar. It’s written by engineers. It gives nuanced necessary for modern organizations to make decisions. There’s no light switch contained within it. I think that would be a great place for people to look.
[David Spark] Excellent. Yes, the radars actually give you a very, very nice overview of the category and the players in that category as well. Highly recommend them as well. Thank you very much. And I want to thank our audience as always. We greatly, greatly appreciate your contributions and for listening to the CISO Series podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headline – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at firstname.lastname@example.org. Thank you for listening to the CISO Series podcast.