Work from home seemed ideal until you realized you were working at all hours with people all over the world. It would actually be a nice respite to have to commute and leave work at a reasonable hour.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Adam Glick, CISO, Rocket Software.

Thanks to this week’s podcast sponsor, Code42

Redefine data security standards for the hybrid workforce. Check out Code42.

Full transcript

Voiceover

Ten second security tip. Go!

Adam Glick

Reassess your password policy. It’s probably antiquated, it doesn’t represent the current threat landscape. Are you still enforcing regular password change intervals? Why? Even NIST said to get rid of them. Tell your auditors to take it up with NIST 800-63b.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark, I’m the producer of the CISO Series. Joining me, as always, is Mike Johnson. Mike, you know, I get so many letters–

Mike Johnson

[LAUGHS]

David Spark

I’m lying here. I get so many letters of people saying, “My favorite part is when you ask Mike, ‘let’s hear the sound of your voice.’” So I don’t want to disappoint our audience.

Mike Johnson

So set me up here. I feel like I jumped the gun.

David Spark

You did jump the gun. Mike, let’s hear the sound of your voice.

Mike Johnson

[LAUGHS] I’m here. I actually had to bribe my cats to leave the room earlier.

David Spark

What is a cat bribe?

Mike Johnson

It was white fish cat treats. They really like them. They smell terrible.

David Spark

You never bribe me with them.

Mike Johnson

Well, that’s probably better for everyone.

David Spark

I guess you don’t like me as much as your cats.

Mike Johnson

I will offer you some next time, David.

David Spark

We’re available at CISOSeries.com, we’re on the subreddit r/CISOSeries. Every Friday we have a super fun video chat. Please join us, they’re a lot of fun and then we do this really fun Meet Up at the end of it. Our sponsor for today is Code42. Hey. Do you have issues with insider risk? We all do and I’m talking about the non-malicious type. People just trying to get their job done. Well, if this is something you’d like to know a little bit more about, we’re going to be talking a little bit more with Code42 later in the show. Now Mike, before I jump into our show fully, you I know have listened to the Cyber Security Headlines show, our daily six minute news podcast, which has been growing like crazy, it’s like quadrupled in size since we started it in August.

Mike Johnson

Awesome.

David Spark

And you know what it is, podcasts have had a hard time actually growing during the pandemic, ironically because of that commute. You would think, “Oh, everyone has time because they’re home.” No, it’s because we’re not commuting.

Mike Johnson

Yep.

David Spark

Luckily, we’ve been doing OK. But surprisingly, or not surprisingly, because the Headline show is only six minutes long, you don’t need a commute to consume it.

Mike Johnson

My commute from, like, my bedroom to my office space in my house, it doesn’t quite take six minutes, but it doesn’t take long to listen to the headlines either.

David Spark

When I’m getting the kids ready in the morning, it’s when I listen to it. So when you’re getting them ready, that six minute dose, it’s like one of those jolts of “Hey, I know what’s going on in the world.” Now, here’s something a lot of people don’t know. Do you know that you can actually subscribe to just that feed? Just the eight most important cybersecurity news stories of the day? If you go onto CISOSeries.com, click register for the newsletter, at the very bottom there’s a little check box that says, “Yes, I want to receive the daily newsletter.” And that would give you just that. And I haven’t actually announced that at all and surprisingly, a lot of people have discovered that, so we’ve got a lot of subscribers on that too.

Mike Johnson

We have a smart audience.

David Spark

They’re very, very bright. Alright, so I want everyone to know that you can actually subscribe and get those eight stories in your inbox. If you would actually like to hear a very talented reporter read them out loud to you, also subscribe to the podcast. That’s my tip of the day. Alright let’s bring in our guest today, who I discovered is also a Dungeons and Dragons nerd. I started playing that with my son and one of our sponsors, actually, one of the co-founders that sponsors and his son as well. Anyways, we had him on Defense in Depth and he was awesome there, and it’s been a while and I said, “Hey, we got to get him on this show.” So, that’s what we’re doing. It is the CISO of Rocket Software, Adam Glick. Adam, thank you so much for joining us.

Adam Glick

David, thanks for having me, excited to be back here and Mike thanks for the box of white fish cat treats.

Are we making the situation better or worse?

00:04:10:22

David Spark

Microsoft just conducted a work from home study and the stats are pretty depressing. As reported by Chris Matyszczyk of ZDNet, here are some of the highlights. One: The share of IMs being sent increased 52% between six pm and midnight. Ouch. 61% of leaders described themselves as “thriving.” And their subordinates not making decisions are thriving 23% less. 37% of employees say companies are making them work too hard. So, Mike I ask you, what can CISOs do to balance this inequity that’s resulted from pandemic work at home operations?

Mike Johnson

Yeah, I can’t imagine describing myself as “thriving” right now, that’s a strong word.

David Spark

Thriving, maybe thriving in terms of success but thriving in terms of life balance? Maybe not.

Adam Glick

That’s a big word. But I do think the Microsoft study is showing that it’s a broad concern and it’s not just for CISOs to solve but it is as leaders, we should be talking with the other executives in our companies. We should be having conversations at that level to figure out how we can have the broad impact within the company.

David Spark

Have you had that conversation?

Adam Glick

Fortunately, my company was already having that conversation. I’ve been fortunate to be a participant in the conversations that we already had our leaders really pushing through.

David Spark

Can you sort of give any tips or advice of something that you did that helped alleviate, I’ll just say it in a broad term, the pain?

Mike Johnson

I think one of the big focuses is around when you’re communicating with your teams. And we’ve really tried to give some guidance to leaders, managers, within the company. Don’t be sending emails at all hours of the day. Don’t be sending a Slack message that, you know, it might be six o’clock for you but it’s eight o’clock, nine o’clock, midnight for somebody else and they’re going to feel compelled to respond.

David Spark

Compelled to respond, yes.

Mike Johnson

And so it’s really more around us patterning these behaviors for our teams such that we’re not putting stuff in front of them and expecting them to wait. We’re actually waiting to put it in front of them when we want them to look at it. So one of my favorite features of Gmail is schedule send. I use that so often. There are options and features, plug-ins, what have you for Slack that can do similar things. And I really think just simply changing when you’re sending communications out really gives your teams permission to not respond outside of working hours.

David Spark

Good tip. Throwing this to you Adam. What have you done to balance, and what’s your reaction also to this study?

Adam Glick

Yeah, “thriving”? Really? Who are you and what do you do? Mike hit all the important things. You know, respect people’s time outside of work. It’s sacred now more than ever. We’ve got to be mindful of the stress this pandemic has put on individuals, not just from a work standpoint, but from a personal standpoint. Does that junior engineer on your team live in an apartment with six roommates and sleep and work out of a tiny New York bedroom? What are people going through outside of the “office”? For me it’s been checking in on the team. You know, not just on work related conduct, but them as people. How you doing? What’s working? What’s not working?

David Spark

Is it as simple as what you’re just saying, or is it a little bit more formalized? Or are you just sort of pinging them on Slack like, “What have you done for fun this weekend?” Or like how does it play itself out?

Adam Glick

I think it works like that from an ad hoc standpoint. If you’re setting up formal meetings to check in on someone’s personal mental health, you’re doing it wrong. You’re not a human, you’re forgetting the human. It comes in just how we operate and how we function as a manager. It comes as when you have your one-on-one with your team, start off with the first little bit, “Hey, what’s going on? How was the weekend, what did you have going on? What are you up to?” And always have that opportunity to have that feedback loop. What’s working, what’s not working? What changes can we make to improve your quality of life? Do we want to shift the schedule a little bit? Work earlier, leave earlier? Work later, leave later? You know, find out what works for your team to make sure they’re successful.

Are we having communication issues?

00:08:42:07

David Spark

What do we want the board or C-Suite to know about cybersecurity? Helen Patton, advisory CISO of Duo Security, and a guest on this very show, asked this question on LinkedIn. One of the most popular answers to this question “What do you want the board or the C-Suite to know about cybersecurity?” came from Chris Zell of Wendy’s who said, “We are a function of risk management, and that ultimately we are here to protect revenue.” And the second good one was from Eric Lankford of Birdville ISD who said “Cybersecurity is everyone’s job.” Mike, I know you have a savvy board, how would you answer Helen’s question, assuming that your board already is cybersavvy? What’s the next level you want them to know beyond this?

Mike Johnson

I first wanted to give Chris Zell some credit. I mean that was a really good answer. But I also want to go back to what Kristin Davis had said when she came on this show as a guest. Her job was to educate people on security risk, and I think going a little bit beyond what Chris said is reminding ourselves that our job is to educate on risk. So I think that’s a slight change there, but when I think about the next level of where boards should eventually get, I want to get to the point where they don’t treat us as special. Not because they don’t care. There’s always going to be the concern they’re always going to care, but cybersecurity should just be another part of the business.

David Spark

That they already grok.

Mike Johnson

Right.

David Spark

They don’t feel that they’re in a cloud above it.

Mike Johnson

Yes, finance, legal. All of these other operations that are fundamental to a business operating correctly, even if it’s not necessarily sales and revenue. It’s a core function of the business and that’s really where I want to see us get. I want to see us get to the point where we’re excelling by being mature with regards to security, that we’re kind of in the same boats, where we’re not being looked at as something scary anymore. That’s the next level to me is kind of being boring.

David Spark

Adam, do you want to be boring?

Adam Glick

I do not want to be boring. I do love the “how and why do you present to the board?” question, as if there’s some magic recipe that we can mix up and will always work.

David Spark

But I would assume, because we always talk about the board being a bunch of doofuses when it comes to cybersecurity, but there are plenty of boards that are cybersecurity savvy. So I’m interested to know, what’s the level you go beyond that, even?

Adam Glick

For me, it’s finding that right level. It’s not easy and it’s not the same, I think. Whenever you go into the board, and I’ve presented to public boards, private boards, it’s our job to accurately and concisely relay risk to them. It’s their job to go, “Ow that hurts,” or, “That’s OK, we can take a little more pain in that area.” If you have a cybersavvy board, don’t be afraid to get into the weeds a little bit. Tell them a little bit about the metrics and numbers and the specific aspects of your program. I think it’s going to be different board to board though. You’re not going to be able to present the same way to all of them.

David Spark

Of course.

Adam Glick

For me, when I go in the first time and say, “Here’s who I am, here’s what I do, here’s what I’m about,” and I’m going to make a bunch of mistakes and hopefully they’re a candid board and hopefully I’m going to get some general advice on what to change and by the second or third time I feel like I’m in a flow. I feel like I have a well-oiled machine and I’m telling them what they need to know in the manner they want to see it.

David Spark

Do you find yourselves, either of you respond to this, dynamically responding to the board, like you’re kind of reading the room, if you will? You start to say something and you’re losing them, and like “Alright got to back up, we got to explain some things?” Mike, you’re nodding your head.

Adam Glick

Absolutely.

Mike Johnson

Absolutely. You really have to read the room. Like whenever you’re presenting to anybody, you have to respond to how they’re taking in what you’re sharing. And I think that’s especially true when you’re talking to the board where you’re representing the company.

David Spark

Do you have an A-B plan when you go in? Like you have a presentation set, but hey if they’re not buying this, I’m gonna switch this gear? Like something like that?

Mike Johnson

No, I wouldn’t quite call it an A-B plan, but you do have back-up talking points ready to go.

David Spark

OK.

Adam Glick

And it’s always that. It’s always I’m going to come in and I’ve got my agenda, here’s the things I need to present, here’s how I’m going to present them. And there have been a couple of times where I’ve realized, OK, I need to get to the next slide, I’m losing them quick. Or you get that question out of left field and it’s like, I was not prepared for this, but let’s talk about it, let’s go into it. You’ve got to be on your toes. One thing I’ve found is, you absolutely have no idea what you’re going to get into and what specific detail they’re going to want to dig in on more. And so you’ve got to prep for all of it and you’ve got to be ready to pivot.

Sponsor: Code42

00:13:26:06

Steve Prentice

Have you heard the one about the consultant who did some network integration for a company, got fired and then got revenge by hacking in and deleting all their files? Mark Wojtasiak is Vice President of Research and Strategy at Code42 and they are experts at bringing this problem to the fore and, of course, taking the steps to eliminate it.

Mark Wojtasiak

Contract workers, interns, if you’re employed by the organization, whether directly or indirectly, you pose insider risk. Contractors are coming and going, employees are coming and going. I think our recent report had half of the workforce is going to switch jobs this year. In our previous studies we’ve found that employees inherently take data when they leave. And what are they taking? You put in your two weeks’ notice or a contractor’s term is coming up. A two week notice would trigger a query to look back at the previous 90 days and say, “Has there been any data exfiltration? Or data risk posed by this departing employee or contractor in the last 90 days?” And we would assess and qualify that risk for the security practitioner. Say, “You have 25 departing employees, here are five that you need to drill into.” And because their data behavior is weird. Are they zipping files? Are they changing file types? Are they moving files to personal storage devices or emailing files to themselves, or moving files to an unsanctioned cloud device? Are they doing it at three in the morning?

Steve Prentice

And it’s not just those on the way out.

Mark Wojtasiak

In some cases, new employees, are they bringing information into the organization is another interesting insider risk use case.

Steve Prentice

For more information go to Code42.com.

It’s time to play “What’s Worse?”

00:15:08:09

David Spark

Alright.

Adam Glick

I’m nervous.

David Spark

Adam is nervous. Mike, you should be nervous too. I got this one in today and I must say, I may put it up as one of the all time best What’s Worse I’ve seen. This one’s really tough. Now, the way I’m seeing it up front, you may think, “Ah, this is easy.” I don’t know, we’ll see. Here we go. This comes from Mike Tool of Blumira and he asks, “What’s worse? You’ve been called to testify in front of Congress post breach.” Oh, I wish I could have captured that response. Taped that look that Mike just had, that was a good one. Alright, Mike doesn’t like that. Alright, here’s the next one, pretty bad as well. “Or you’ve been asked to keep a breach quiet by your board or management?” Which one’s worse?

Mike Johnson

So I actually didn’t expect that to be the second one. And in a way like my gut reaction is actually this one is pretty easy.

David Spark

Really? OK.

Adam Glick

I agree.

David Spark

Alright I was wrong. I thought this was a doozie.

Mike Johnson

I mean it’s never fun, I don’t think to be testifying in front of Congress. I’ve watched other CISOs have to do that. They don’t look comfortable when they’re doing it, I don’t think that would be a whole lot of fun, but I would rather find myself in that situation than covering up a breach.

David Spark

Right. So you’d rather be honest rather than be a liar?

Mike Johnson

I would rather be honest. And frankly I think more and more we’re seeing at least financial liability attaching to people who are covering up breaches. Like, when you’re covering up a breach, there’s personal concerns that you have there as to whether or not they might impact directly to you, your career by doing that. So I think as bad as testifying in front of Congress, as non-exciting as that is.

David Spark

Think about the exposure you’d get and the celebrity you would get being in front of Congress.

Mike Johnson

You could get screenshots from you on C-SPAN, it’s great.

David Spark

There you go. So Adam, you would think the same way?

Adam Glick

Neither of them is particularly difficult, I think. If you’re testifying before Congress, you have dealt with some type of nation state, some type of really bad incident that’s occurred. And I’m not too sure who or what companies out there think that they could go toe to toe with that type of adversary. For me, yeah it’s way worse to have to deal with that board higher up, whoever it might be trying to ask you to brush a big, major event under the rug. For me it’s also easy because unemployment in cybersecurity is what? Negative three and a half percent at this point?

David Spark

So if you lose your job somebody else will hire you.

Adam Glick

Super easy decision from me, I’m gone.

David Spark

You might actually get hired very easily because you’ve got so much publicity now that you been on C-SPAN.

Adam Glick

I’ve been on this show, what else do I need?

David Spark

Exactly.

Someone has a question on the cybersecurity subreddit.

00:18:10:20

David Spark

On the cybersecurity subreddit, a redditor asked, “I have a cyber analyst interview within healthcare and I’m wondering the kind of questions to expect. If you’re a cybersecurity or information security hiring manager, what kind of questions will you be asking?” So, what would you ask, and do you remember what you were asked? Mike.

Mike Johnson

So it’s actually a very broad job description. A cyber analyst, I don’t know what that is, but I would start with the job description itself. One would expect that you’re going to be asked some very specific questions related to your expertise or your experience in those areas. But beyond that like, assuming it’s a security role, just like generic security role here, expect a what’s worse question. That should be a part of every interview.

David Spark

Feel free to mine the ones on this show.

Mike Johnson

Yes, we have a bunch.

David Spark

Obviously not the one today because I was told it was far too easy.

Mike Johnson

That was an easy one.

David Spark

I should have realized you would always pick honesty over dishonesty, so.

Mike Johnson

I should hope that you would realize that.

Adam Glick

Integrity.

David Spark

Yes, integrity.

Mike Johnson

But in terms of the types of questions that you should expect, they should be generally experiential in nature. If I’m asking a question, I’m going to say, “Tell me about a time, tell me about an incident, tell me about an incident that you’ve dealt with, or that you helped out with.” Usually folks have one in their back pocket that they can talk about. You can’t necessarily talk about all of them, but talk about one that you can share something about it. How it went, what you did, what your involvement was. Or tell me about a time that you disagreed with the severity of a risk that somebody else said this was a low risk and you looked at it and said it’s a high risk. How did you handle that situation? Delivering bad news. You’re going to have to deliver bad news in security. Tell me about a time that you had to do that. And then the last one that I really like to think about is, how did you help someone change a no to a yes? They came to you and they said, “I’ve got this idea” and you just face palm and this is a terrible idea, and no, you can’t do that. How did you work with them to get that into a situation where it was something that was a reasonable path forward? I like that kind of a helping out kind of question. That’s the kinds of questions that you would expect from me.

David Spark

I will say this, your advice on experiential, especially when you’re starting out, couldn’t be more on target. I remember I had a mentor years ago when I was starting out, and I was struggling on some stuff. He said “Do not worry about the money up front, worry about getting the stories.” And he could not have been more right because I did collect stories and once I had them, and once I could tell the stories, my believability and credibility shot through the roof.

Mike Johnson

Yeah.

David Spark

Get the stories first. Any way you can. And that could be, you know, volunteering, doing anything, but get the stories. Adam, your advice to this young person who’s taking their cyber analyst interview, and I’m assuming they’re a young person.

Adam Glick

I’ll always interview for form and fit. I don’t ask very technical questions, I let the resume speak to those chops. I’m going to ask you, “Tell me a little bit about yourself, what brought you to this point in your life and your career.” From there I’m going to go to “What are you looking for in a new role?” I want to make sure that this position is right for you, just as much as you are right for this position. So I’ll ask you to describe, you know, what are you looking for in your next position? What do you want to do in your career to move forward? And then onto Mike’s point, he’s absolutely right. I’ll hit you with the experience question. Have you ever dealt with this? Tell me about your experience implementing or operating this thing? And I want to see your thought process and how you work through things. I want to see how you think about problems and how you think about those solutions. I’ll ask a little bit about, “What would your manager say about you? What would they say you need to improve in?” You know, I find this allows people to speak a little bit more modestly about themselves. And I’ll always wrap up to our first question of the day is, I’ll wrap up about them as a person. You know, “What do you do for fun? What do your weekends look like?” Maybe what did they look like, I guess. “What’s the last movie you watched?” What makes you tick as a person, I want to find out who you are, because I’m looking for you as a culture fit with the team.

David Spark

Adam, let me ask. When you interviewed, did you admit that you played Dungeons and Dragons?

Adam Glick

[LAUGHS] God no. Don’t put that. That’s front and center on my resume, so they already know. Level 13 wizard right off the bat, so they know what they’re dealing with.

David Spark

Or do they say, “Ooh, we obviously need to increase your salary.” I cut you off, though.

Adam Glick

No, that was it. I was going to say, what makes you tick as a person? I’m interested in that cultural fit and making sure you’re going to fit on our team. You could be the most talented technologist in the world, but if you’re not a decent human being, I do not want you on my team.

David Spark

I’ll throw this out to both of you. Has there ever been kind of like a hook answer that they said, there was something to sort of like push them over the edge? Something that they said, something that they offered that like just made them that much better a candidate? Can you think of unique people and just aspects that made you feel that way, Mike?

Mike Johnson

What I look for and always look for is someone who’s giving back. Giving back to the community in general, giving back to the security community. And if someone has, to answer Adam’s question, “Oh, on the weekends, I volunteer and help teach seniors how to better protect themselves online.” Let’s talk more. You know, things like that, experiences like that.

David Spark

I don’t even think Gandhi would be willing to do that. That’s just too much. I don’t think he’s got the patience for that.

Mike Johnson

I’ve actually had that answer before. I’ve had someone present that to me.

David Spark

Do you know what my wife and I have figured out is that I’m tech support for her mom and she’s tech support for my mom. Because neither one of us can handle tech support for our own mothers.

Mike Johnson

You’ve got to plan and stick to it.

David Spark

Adam, what about you? Has something about a candidate just pushed you over the edge, where you’re like, that’s it, that’s what’s going to happen?

Adam Glick

I think one thing for me was I had a candidate ask me at the end of an interview, what they could answer a second time. What kind of question that maybe left some doubt that they wanted a second opportunity for. And that kind of stood out for me because this was someone who wanted to make sure that I had the right impression of them, they wanted to make sure they nailed that question.

David Spark

That’s really a good question, I never thought of that one.

Adam Glick

It’s a fantastic question and I stole it from them, if I’m ever interviewed at an organization.

David Spark

Did you say this question, I’d like to hear you do this one again? Did you actually tell them something?

Adam Glick

Yeah, absolutely. There was one or two questions. Because as someone’s going through it, I’ve got an answer in mind, I’ve got a way that I want them to answer and sometimes they go right forward or they’re close enough and other times they’re not, so absolutely, if someone says “hey, can you give me a second chance on a question, is there anything I could add more context or color to?” I’m going to give them that second chance. And say, “Hey, you answered this this way, could you expand a little bit? Or maybe think about it in a different way and answer that again?” I absolutely want to give them that second opportunity.

David Spark

I’m stealing that one as well.

Adam Glick

It’s a great question.

Hey, you’re a CISO, what’s your take on this?

00:25:26:11

David Spark

A question from our AMA, Mike, we held one on the cybersecurity subreddit and here is the question. It was great by the way, we had 100s of comments, it was phenomenal and we’re going to be doing it again, I believe, in September is our next one.

Mike Johnson

Looking forward to it.

David Spark

Here’s the question. “I’m a young entrepreneur with an idea in the field of cybersecurity.” You’re not the only one, by the way, I should mention that. “And I’m working towards validating my idea with the market and forming partnerships with design partners like CISOs, such as yourselves.” They want to know how they can go about validating their idea and how should they go about doing it? Now I have an answer to this from my viewpoint, but Mike, what would you suggest?

Mike Johnson

I really think when you’re going for feedback, when you’re very early in your ideation or you’ve got some written ideas, you don’t actually want to talk to CISOs yet. Talk with your friends, talk with other practitioners. Talk with other entrepreneurs, talk with investors. Talk with those people who you’re closest to.

David Spark

Yes.

Mike Johnson

They will give you feedback and the important part is, they will give you very candid feedback and they know you better. They can kind of get beyond what you’re telling them and give you even better feedback than someone you don’t know. Start there with those people that you know. Once you have wire frames or storyboards or something that you actually have to show beyond just a description, then it’s time to start with CISOs. Then you can start having those conversations. But again you want to start with friendlies.

David Spark

Or friends of friends too.

Mike Johnson

Exactly. Don’t go two or three steps removed. You’re not going to get good feedback. Those are people who don’t know you.

David Spark

And also, it’s going to be frustrating for you to even find those people.

Mike Johnson

That as well. They’re unlikely to give you their time if you don’t know them. So it’s really start with the people that you know and then branch out to people who can give you feedback who have an expertise in an area. Don’t come to me and ask feedback from me on your industrial control systems security. Your product in that area, I can’t give you good feedback. I have no idea, that’s not my area, it’s not my expertise. So making sure that you’re talking with CISOs who are in the area, have the ability to give you feedback on what you’re working on. That’s going to be key and you’re going to find those through friendlies, through connections.

David Spark

Adam, what’s your advice for this young entrepreneur looking for feedback on his or her idea?

Adam Glick

Mike’s right again. Don’t blindly reach out to someone just because they wear the CISO badge. Not all CISOs are created equally. Generally speaking, just right at face value I think about a west coast CISO being different from an east coast CISO. A west coast CISO is going to be much better positioned and more eager to work with a fresh company and a fresh technology. Also if you think about a well positioned and mature organization, they’re probably not going to have the appetite to work with a new company. Your network is absolutely your best bet. Who do you know that you can bounce ideas off of? Who do they recommend? Who are they going to recommend? Build that chain out and I’ll take this opportunity to use my early plug but we’ve got an opportunity with the Silicon Valley CISO investment origination, or SVCI. We’re a syndicate of CISOs positioned to invest in startups and one of our new ventures is this catalyst program designed exactly for this purpose. If you’re serious about an idea and you’ve got a good concept, find us on LinkedIn, reach out, we’d love to talk about it a little bit.

David Spark

Perfectly on target. Now I’m going to give my advice on this as well because I deal with this, I’m coming up with show ideas and concept ideas. The bottom line is you have to look to see if there’s a market for it. I mean I’ll take it to the core of this, how CISO Series started. I was thinking about this idea of the relationship between CISOs and vendors because I was dealing with this with my own clients who were all security vendors, and then I saw a post that Mike made that was getting crazy responses in social media. Hundreds and thousands of comments and likes and things like that. So it validated it. And one way you can validate an idea is just sort of ask a public question to Twitter and to LinkedIn and see how they respond. If it’s crickets, either you asked the question wrong, or it’s a bad idea because if there’s some passion and eager around it, you’re going to get a response back. So give it a few tries if you don’t get that. And then the other thing is, I’m working on something else right now where I joined some groups, some Meet Ups and I just asked the question to sort of a grand Meet Up group and I got a lot of feedback back. And then I also happened to see something on Twitter that validated it. So, use social media, use events you go to where you can ask questions to get a little feedback. You don’t have to say, “Hey, I got this idea for a product” but rather say, “Are you guys having a problem with X, Y, Z?” and see how they respond to that and how you can address it in that respect. My advice to you.

Mike Johnson

Good advice.

Wrap

00:30:41:15

David Spark

Alright. Let’s bring this show to an end. Thank you very much Adam Glick. Thank you very much Mike Johnson. I’m going to let you, Adam, have the very last word here, but first, and I want to thank you by the way for one of your last tips of what question can I retry again, do a mulligan and do a do over. It’s a great idea, I like that. I want to thank our sponsor, Code42, who’s been a phenomenal sponsor of the CISO Series. They’ve been sponsoring us in multiple areas across multiple shows, we greatly appreciate that. By the way, I don’t actually verbalize this too much on the show, although it’s mentioned at the end by our voiceover, but if you ever are interested in sponsorship of any of our programming, you can email me at David@CISOSeries.com or just go to our site and you will see under the tab “Sponsor” that there’s a lot of information about sponsorship. Alright, Mike, any last words?

Mike Johnson

Adam, thanks for joining us. It was really great to have the conversation, sit down and talk with you, pick your brain. What I really appreciated was basically in every one of these questions there was something about dealing with humans and making sure that other people are being treated as humans and that you’re looking for people who are genuinely good people. I really appreciated how that came through in everything that you were talking about, especially I liked how when you were talking about the interview questions, that one of the things that you’re trying to determine is, is this person going to be a decent human? Because that’s the kind of person that you want to work with.

David Spark

But hold on when you’re playing D&D, you are a dwarf, right?

Adam Glick

I am a human wizard.

David Spark

Ooh.

Adam Glick

Neutral alignment too, so I’m right in the middle.

Mike Johnson

You’re good in D&D, even in D&D. It’s what’s important.

David Spark

He can’t break away from human.

Mike Johnson

Adam, thank you for bringing that general perspective to security, we need more people who are thinking that way. But thank you for sharing your perspectives with our audience specifically. It was great talking with you, thank you.

David Spark

Alright, Adam. Any more plugs you would like to make for your organization, for Rocket Software? And are you hiring?

Adam Glick

Of course, so Rocket recently announced the definitive agreement to acquire ASG Technologies. We expect to expand our technology and global reach, it’s transactions like this that make Rocket an exciting place to be. With that we’re going to be hiring a bunch of talent. We’re looking for security engineers, application security engineers, leaders, managers and just all around good humans. So if you’re one of those people…

David Spark

Human, is that the criteria? They have to be human?

Adam Glick

We will also accept dwarfs and gnomes, but as long as they’re good ones.

David Spark

Alright, that’s good to hear. Excellent. Thank you very much, Adam, thank you Mike. Thank you to our sponsor Code42 and thank you audience for all your awesome contributions. Keep them rolling in. Come up with really good What’s Worse scenarios, I want to hear them because obviously this one was too easy. Thank you everybody for participating and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to CISOSeries.com and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Security Vendor Relationship Podcast.