Should you monitor your staff? I mean really monitor them. Some bosses are installing screen grabbing and click tracking software to monitor employees and by most estimates employees hate it so much that half of them would quit if their supervisors installed monitoring software on their computers. But in some cases an employee’s behavior may lend itself to being monitored.
Huge thanks to our podcast sponsor, Okta
[Voiceover] Best advice for a CISO. Go!
[Ian Hassard] Just recognize that you’re on a journey, and it’s never going to come to an end. Change is scary but normal and just keep powering on through.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. Joining me as my co-host for this episode is Mike Johnson. You’ve heard his voice before, and it sounds, since the day we started this, just like this.
[Mike Johnson] It sounds like this today. It may sound different tomorrow; it may sound different next time.
[David Spark] Mike can’t do voices other than his own.
[Mike Johnson] That’s true. I am good at one voice.
[David Spark] Yes. I think I’ve mentioned this joke that I used to do talking about how bad I was at improv because at improv, you have to do characters, and my whole range is everything from Dave to David. I’ve got that locked down. We’re available at CISOSeries.com. We have lots of other shows. Actually, four other shows on our network. Just go check them out at our site, we’d love it if you’d be a part of it. Our sponsor today is Okta. They are responsible for bringing our guest today, and if you don’t know Okta, where the heck have you been? They are in authentication, identity. If you are in any way touching that in your work, you know about Okta, they are touching your world in some way, and we’re going to talk a lot more about this later today.
But first, Mike, I got a question for you. We are on the tail end of a Memorial Day weekend, and this episode is going to run right after July 4th weekend. People commonly ask, “How was your weekend?” I ask it, yet I never care about hearing the answer. Mike, are you the same way?
[Mike Johnson] Actually, I genuinely care. I think it’s an opportunity to understand what people value, and if you’re paying attention to what they tell you, then you can get an idea of what’s important to them. If they give an answer like, “Eh, nothing,” then maybe they just don’t want to talk about it, or maybe they just don’t have a whole lot going on. Both of those are a good signal. But if they take a moment to say, “I went to the beach, I took my family with me, my children did this thing,” you can get an idea of what’s important to them. So, I think it’s worth asking and paying attention to the answer.
[David Spark] I do ask. I ignore the answer. I couldn’t tell you, by the way, in all the times I’ve asked that question, I couldn’t tell you what anyone ever did for their weekend. Ever.
[Mike Johnson] I think it’s different than absorbing it in the moment and adding it to your overall body of knowledge of a person and being able to name explicitly what they said at that particular point in time.
[David Spark] I have a hard time remembering what I did this weekend.
[Mike Johnson] Well, there you go.
[David Spark] Memory is fading. But hopefully, not too fast, because I do remember our guest’s name, and I do want to introduce him.
[Mike Johnson] That’s a good start.
[David Spark] Our sponsor guest comes from Okta. Isn’t that great? That we have a guest from Okta, so thrilled to have him on. It’s Ian Hassard, Director of Product Management. Ian, thank you so much for joining us.
[Ian Hassard] Thanks, David, happy to be here.
What’s the return on investment?
[David Spark] “What are some examples of ways that achieving security maturity can positively impact other lines of business/the business as a whole?” This question was asked by redditor whaledirt, that’s his reddit name, love it.
[Mike Johnson] Got to love reddit.
[David Spark] By the way, whaledirt, like, I would never think to combine those two words, but I love the combination. In our recent “Ask a CISO Anything AMA,” we did that, we’ve been doing one a year so far. I’d like to do maybe two a year, ideally. But on the cybersecurity subreddit, which I love the cybersecurity subreddit, huge shout for them. The redditor wants to know as you move up the security maturity ladder, what are the real world positive impacts that result on the business in terms of risk reduction, product development, and prevention. Mike, what do you think?
[Mike Johnson] So, I’m not just saying this because Ian’s here, but single sign-on really is always my go to.
[David Spark] By the way, he has mentioned it when you weren’t here, Ian, I will tell you that.
[Mike Johnson] Yes, yes.
[David Spark] It’s not just because you’re here. This has come up before.
[Ian Hassard] Excellent.
[Mike Johnson] Both in front of your back and behind your back, I will mention SSO as my go to.
[Ian Hassard] I appreciate that.
[Mike Johnson] It really is one of those where you have an ease of use component. People don’t need to remember their passwords; they don’t need to go and change 50 different passwords at any particular point in time. It makes their lives easier. They can even just sign on once in a morning, and they never even have to see a login screen again that day, as an example. It makes their lives easier.
[David Spark] I would add to the word “easier” is more productive, speedier.
[Mike Johnson] Same.
[David Spark] Just think about it. Let’s back up even further. The days even before password managers. The time it would take to, “Oh, this site. All right. Let me look in my book. What’s the username?” Or we try to memorize. Or in those days, we would just use maybe two to three different passwords because you can’t really remember more than that.
[Mike Johnson] And that’s the flip side. That’s the risk reduction for single sign-on is you don’t have to worry about whether or not people can keep 50 different passwords in their head.
[David Spark] They can’t.
[Mike Johnson] Or if they’re just using the same one over and over again because they can’t keep 50 in their head. It also gives an opportunity for when you’re building internal applications. Your developers don’t need to worry about user management. They can go and implement a compatibility with your SSO system whatever it happens to be, and they’re now essentially offboarding all of that management somewhere else. It makes your developers’ lives easier too.
[David Spark] So, I’ll throw this to you, Ian. Trickle-down effects of SSO, and by the way, throughout other security implementations as well, is Mike missing anything first though on SSO?
[Ian Hassard] No, absolutely, I totally agree with Mike. I think that was like the big revolution and to coin everyone [Inaudible 00:06:22] uses the term including Okta and myself, zero trust. It enables you to get more access control, understanding access control, and get into a better muscle memory around what people have access to, and more control kind of centrally, allowing people the convenience but also a lot of really controls that you can manage who gets access to what, and you’ve got a really good inventory of what’s going on there.
[David Spark] So, is there another control sort of up the security chain that you think also has a real world impact? SSO’s a pretty big one, though. I mean, that’s kind of the granddaddy, in my mind, in terms of one simple change that has crazy amounts of ripple effects.
[Ian Hassard] I mean, whenever I’m talking about cybersecurity and the maturity model or ladder, I’m reminded of a Futurama quote which is, “When you do things right, people won’t be sure you’ve done anything at all.” And whenever I’m interacting with CISOs and anyone in a security capacity, I think that every time people come in, they introduce a bunch of new tools. And that is great but at the end of the day, you’re always going to be on the security journey, you’re always looking for the next level up of your organization, there’s always going to be new tools. Today, it’s single sign-on. It’s then multifactor authentication, which I think is extremely important. And now, we’re going into this world where we’ve all gone work from remote which means that we really need to double down and have a really good grasp on access control and beyond authentication, authorization. What are people entitled to access, what are they able to access and when and under what situations.
How would you handle this situation?
[David Spark] What are some alternatives to address the authentication problem? In last year’s State of Secure Identity that you worked on, Ian, there were some findings that to me all pointed to some shift-left ways of addressing the authentication problem. The report noted that about 15% of all new account registrations can be attributed to bots. Credential-stuffing attacks are on average 16.4% with peaks going over 40%, and attackers are using account information from large-scale attacks. So, one big large-scale attack, if you’re on it, make sure you’re dealing with changing where those kind of passwords exist somewhere else. This knowledge really points to some early preventative tactics you can take to deal with these types of attack techniques. So, I’ll start with you, Ian. What are the obvious and not-so-obvious recommendations and how does that mitigate these behaviors?
[Ian Hassard] So, first off, this report really focuses on customer identity access management. So, almost everyone listening is familiar with workforce identity management, which is your employee’s login at work. This is your developers building an app, and almost this day and age, everyone has an app. I bought a barbecue that has a digital thing that you log into, and that has a portal that requires me to put in a username and password and identity information there. So, we’re talking largely about that problem. And when we start looking at the world of retail, and we start looking at the world of banking, and we start looking at all these different worlds, bots are a real problem.
So, my first advice is the CISO needs to get a seat at that table. When those decisions are being made, when those development efforts are happening, you need to be there, you need to be involved, you need to be bringing your security pedigree to that conversation. So, that’s first and foremost – presence. Second is you need to establish a middle ground between security and user experience. Nobody’s going to allow you to put in 8,000 layers of multifactor authentication to protect somebody buying shorts on your online eStore. But on a bank, they might. So, it really depends where you are, who you are, what you’re selling, what you’re offering, the user experience. And that’s just the login experience.
When you look at signup fraud, that’s even harder. So, signup fraud, when you look at Nvidia, they sell graphics cards. They get swept up by bots and fenced online on eBay for like eight times MSRP. That’s a different problem that’s harder to recognize, and you need to understand that there’s a whole new world that you need to protect yourself against.
[David Spark] All right. Mike, I throw this to you.
[Mike Johnson] So, I think basically a lot of what I would have to say is echoing what Ian mentioned. I think it’s interesting to talk about the distinction between customer identity management and employee identity management – two totally different things.
[David Spark] Give us a quick explanation of that.
[Mike Johnson] So, it really is: is it your employees and they’re logging in from their computer to your internal websites, to your own internal services, maybe it’s to your own mail instances or Office 365 or that sort of thing – employee identity management. Customer identity management is, as Ian was talking about in his example of his barbecue, the applications that you essentially sell to your customers or are using as part of the products or services that you sell to your customers, the things that make your company money, and the identities associated with those. And those are generally going to be orders of magnitude different in terms of size. You may be a 2,000-employee company, you may have millions of customers who are logging in – very different scale and different things that you have to keep in mind.
Again, Ian mentioned the user experience. If it’s really hard to sign up for your services, that customer goes away, they go somewhere else. Your employee is kind of stuck with it, and they can complain, but they kind of have to live with it. User experience really is paramount in terms of that customer identity management, and you need to make sure, like Ian said, that you’re keeping in mind that balance between security and usability. If you sway too far in terms of security, way too hard, you’re going to be uninvited from that table. You have to be a rational speaker at those decision-making points so that you’re being listened to and so that the company’s effectively managing its risk in terms of the customer identity.
It’s time to play “What’s Worse?”
[David Spark] Now, traditionally, for “What’s Worse?” I get a submission from our audience, but I did something slightly different this time, Mike.
[Mike Johnson] Uh-oh.
[David Spark] I went to the Twitter handle Bad Things Daily, which unfortunately…
[Mike Johnson] I’m familiar with it.
[David Spark] …is not updating daily anymore…
[Mike Johnson] Ah, that’s too bad.
[David Spark] …and I just picked two of the bad things. These are actually tabletop scenarios, or things to inject into your tabletop scenarios, so I just picked two of them.
[Mike Johnson] Great.
[David Spark] And so I’m throwing two at you. I hope I picked two that are somewhat equal in badness. They have to do with signature authentication identity, so appropriate for our guest today. All right?
[Mike Johnson] Yep.
[David Spark] Are you ready? And Ian, are you aware how this game is played?
[Ian Hassard] Let’s do this.
[David Spark] You are aware, yes?
[Ian Hassard] I am.
[David Spark] All right. Mike answers first and gives you a chance to agree or disagree with him. I like it when our guests disagree. Here we go. Mike, an adversary has bypassed a digital signature check by exploiting a signature verification bug. That’s one bad thing. Or a company you depend on that stores OAuth tokens with access to another company you depend on has disclosed a breach involving those tokens. Which one’s worse?
[Mike Johnson] So, I think what you’re trying to get at here is first party versus third party.
[David Spark] Yes.
[Mike Johnson] Because essentially it’s the same outcome.
[David Spark] Yeah, I guess so. Yeah, I guess so.
[Mike Johnson] For all intents and purposes.
[David Spark] It’s just written a little differently, yes.
[Mike Johnson] Yeah. So, again, they both suck.
[Ian Hassard] Absolutely.
[Mike Johnson] The thing is either of this could be worse than the other. So, I’m just going to pick one and argue for it, then go from there.
[David Spark] Right. And the thing is the information I’m giving you is that’s all the information you get. You don’t know sort of the depth of this problem.
[Mike Johnson] I’ve played the game once or twice.
[David Spark] Yes. I’m just cluing Ian in and our audience as well.
[Mike Johnson] Yes. Yes. What I would say is the first scenario where it’s a bug in my own software is easier to fix, easier to scope out, and easier to prevent from happening again. That’s something I have more control over. You could argue, well, maybe you’ve got bad development practices, and this is just a symptom of that, but the reality is you can wrap your arms around that one, you can deal with that one more effectively.
[David Spark] You always like things you can touch. If I can’t touch it…
[Mike Johnson] It makes it more difficult to deal with. And in the second case, it’s more difficult where it’s a black box. You don’t know, again, if this is just scratching the surface, if this is a symptom, and there may be a hundred other issues in there that you have no idea what’s going on, and it’s just that much harder to deal with. Again, the flip side, because I can argue both sides of this one, is they’re going to be that much more incentivized to solve the issue. They’re going to get so much more pressure from all of their other customers that are really going to push on them to solve it fast and to make sure it doesn’t come back. But between these two, the one that I’m going to pick is the black box is the one that’s more difficult for me to hug.
[David Spark] That is the worse scenario, the second one.
[Mike Johnson] Yes.
[David Spark] Potentially the third party is the worse scenario. All right. Ian is nodding his head, possibly agreeing there. I don’t know. Are you agreeing or disagreeing with Mike?
[Ian Hassard] They both suck, so we agree there. I agree because there’s a whole world of unknowns. When you have a breach of the second scenario occur, the cleanup effort is so unknowable because… If it’s workforce, it’s a little bit easier. You revoke everything and you reissue everything, and everyone has to go through some friction.
If it’s that example we used earlier with like a customer identity solution where you’ve got users that have to log back into your service, they don’t. You kick them out, they don’t. So, you end up going into this whole world of repair. How do I clean up this mess without losing all my customers and making them log in? You’re going to lose some percentage of customers in the cleanup effort there, and you’re going to, as a good CISO would, the incident response is going to end up being we need to revoke, reissue, understand the blast radius of this breach. So it’s scary, and the scope is just unknown on the second one.
The first one is you’re going to be able to audit that fairly quickly. You’re going to be able to understand the breach or the exploit, let’s say, and you’re going to be able to patch that, and you’re going to be able to understand what they got access to and probably be able to access that because it’s not a black box. So, 100% I agree on the black box scenario tokens. And not to mention, adversaries, once they see how you build your product, a lot of what you do with identity is revealed in those tokens and the scopes and what users have what privileges and that. You’re opening your world, identity world, to those attackers to be able to see how you do things. You’re going to have to re-engineer a bunch of stuff.
Please. Enough. No more.
[David Spark] Today’s topic is authentication. Appropriate since we’re talking with Okta, it’s kind of the thing they do. Mike, what have you heard enough about with authentication and what would you like to hear a lot more?
[Mike Johnson] So, it’s a little bit of a rant. Two things here. One – I get so tired of all of the people out there saying SMS authentication is terrible, and passwordless authentication is the future. These are the two things that bug me. One, I agree that SMS as a second factor is not awesome, but it’s better than just a single-factor authentication, and it makes it really difficult for us to have a reasonable conversation if we’re just caught up on that. For passwordless, it’s become such a buzzword concept. Everyone’s talking about passwordless is the future. I don’t even know what that means. There are literally billboards in San Francisco right now, and buses driving around talking about passwordless authentication. I have no idea what that means. So, I want to hear less about passwordless.
What I want to hear more of is what are the improvements for the end user experience, Ian was talking about that earlier. That’s really key to me is how we can make people’s lives easier. And also hear more about implementation details. Like, what does our future look like for improvements around authentication? Where are we going? I want to hear more about that.
[David Spark] I will add this, what I’d like to hear about. Who has had successful implementations and how did they pull them off successfully? That’s what I’d like to hear. Because it is cool to hear about the new technology, but we all know that there’s people and process that’s involved as well. Just because you’ve got something cool, if people don’t adopt it, forget it.
[Mike Johnson] Absolutely.
[David Spark] Ian, I throw this to you. What have you heard enough about with regard to authentication and what would you like to hear a lot more?
[Ian Hassard] Honestly, I have to agree with Mike. A lot of people rag on weaker factors, and we’re still in a world where people don’t use multifactor. They just aren’t, it’s not on. Like, people aren’t even enabling it. It’s like let’s start there. But people are first to point the finger and say, “No, don’t do SMS, that’s evil. If somebody puts up a stingray next to your house, they’re going to be able to collect all of your SMS information.” The likelihood of that happening is so low, don’t scare people out of doing multifactor authentication. So, I think we agree there. Like, multifactor, good, do it however you want to do it. I think that that’s key.
When I look at where I want to go, I agree on the customer UX side. I think I’d like to see more ecosystem developments to drive better UX uniformly across application builders. We’re in a world where we have Apple, we have Microsoft, and we have Google that make devices and operating systems, and that’s a pretty small number of players that need to actually align on making user experience better. And they’ve all so far gone in three different distinct paths which has made everyone’s life, including everyone that’s listening, difficult because you’re probably listening on some device that’s one of those. Name your Apple, Microsoft, Google thing. It’s just the UX isn’t there.
And we’ve seen a little bit of movement there where there’s a new kind of coalition from those three vendors that are trying to adopt FIDO which drives a lot of that WebAuthn passwordless flows, but you really need to bake this in at the device application OS level, and that’s really one of the things I’d like to see more of.
[David Spark] Question for you, Ian, and goes to my earlier question too. What implementations have you seen that you’ve either used in your training, like, “Oh, my God. They did this really well,” or you’re like, “Oh, wow. We need to now incorporate that because we didn’t see that when we were developing this”? What have implementations taught you, in a nutshell?
[Ian Hassard] So, I’ll give you a few personal examples. You remember Clubhouse, that whole platform when it launched? I was given a link from a friend that said, “Hey, you might want to listen to this, I’m going to invite you to join.” It was sort of like the old Gmail back in the day when you got the five invites and you got to give them out to your friends. I got it; it already had my phone number in because he had text messaged that information to me. The registration was seamless. I was signed up as a user and listening within probably a few seconds because it automatically was able to verify, it knew it was a cellphone, so it was able to SMS me my code. No password creation, I was just in. Logged in, ready to go. That’s an example of a good experience.
Now a little I’ll take you through. I am a gamer. I use Blizzard, and I was doing a password reset flow, which is we refer to everything as flows at Okta, and the experience for me was so poor because it required me to reset my multifactor. But to reset my multifactor, I needed to put a password in. But I was trying to reset my password, but my phone had been reset so I didn’t have my multifactor. So, I was in this vicious cycle, a loop where I wasn’t able to actually reset my password.
So, when you’re thinking about authentication implementations, it’s not just can you log in, can you sign up. It’s what happens when you lose your password, which happens to people. How many people remember their IRS tax filing passwords and all those sorts of things? Like, they forget them because they’re things that you don’t do very often. So, there’s a lot of good examples and there’s a lot of bad examples. And more times than not, the bad examples are ones where people haven’t thought through all the angles for the user experience.
[David Spark] Just quickly, give me a couple other angles, there’s the obvious password reset forgetting, but what are some other angles on authentication that people don’t think about?
[Ian Hassard] So, think about an Amazon experience. If you go to Amazon and you’re not signed in, you can still add things to a shopping cart, and that shopping cart exists somewhere, and that’s called anonymous authentication. So, effectively, you’re given an ID when you go to Amazon, even if you haven’t logged in, so that you can go and shop to your heart’s content. You’re not prevented and forced to create an account with Amazon until you’re ready to give them money and finish that transaction. That’s a unique experience that you can then… You would call it conversion when you say, “Hey, I’m finally going to put in my credit card and order that stuff on Amazon.” But that experience is a complete authentication flow that a lot of people don’t think about that’s important.
What’s the best way to handle this?
[David Spark] To what level should you and shouldn’t you monitor your staff? Stu Hirst, CISO of Trustpilot, posted this BBC article about a manager that uses software that tracks keystrokes and sends him screenshots of his employees’ screens. Now, while employees did know they were being monitored and could delete non-work related sites from their tracking, almost universally, the discussion on LinkedIn landed on a hatred of micromanagement. But one person noted that one company caught employees hiding a security incident and because of it, they had to implement this tracking software.
So, two questions, and I will start with you, Mike. Everyone agreed that you monitor employees on their output, on what they actually produce, not their individual actions, like monitoring their software. So, how do you do that? How do you monitor output, and do you ever catch employees slipping, and what cases do you feel you would have to install monitoring software?
[Mike Johnson] Fundamentally, catching employees not meeting expectations or somehow slipping, that’s their manager’s responsibility, that’s not a security problem, that’s not my problem to deal with. That’s something that someone else needs to solve.
[David Spark] Yeah, but you’re the manager of a security team too.
[Mike Johnson] That’s simple performance management. That is we have expectations, they’re laid out, the team members understand what’s expected of them, we have delivery dates, we have an idea of what’s going to be delivered when, and we have weekly sync-ups, weekly check-ins on how things are going. And as long as the expectations are being met, and they’re delivering the way that they said they would.
[David Spark] You don’t care how it magically happened?
[Mike Johnson] Well, I mean, there’s within the realm of ethics and…
[David Spark] Yes, yes, exactly. I’m assuming that as well. But if they did it at 3:00 in the morning to 5:00 in the morning and slept whatever, if that’s the way they like to operate it, so be it.
[Mike Johnson] If it takes them 20 hours a week to get what I think is 40 hours a week of work done, cool. We need to have a different conversation, maybe I can give them more work.
[David Spark] Nobody does that, by the way. By the way, that’s come up, and that’s never happened in the history – well, not the history – in recent history, I’ll say that.
[Mike Johnson] I think it’s unlikely. But in terms of if they’re doing it in the middle of the night, I’m going to worry that they’re maybe burning out. But I’ve had employees who’ve time-shifted on their own. I had an employee who worked out of the UK. He preferred to work later hours, and that worked out very well. So, that’s fine. If they’re doing it the middle of the night, as long as they’re comfortable with it, and it’s their own decision, I’m okay with it.
[David Spark] Ian, what about you? How do you sort of track output, if you will?
[Ian Hassard] I hate tracking output. This is like down the whole path of KPIs, OKRs. We get down to this whole path. One, I agree that this has nothing to do with the CISO function unless it’s your team. And in that case, you have your own OKRs or equivalent outcomes, insert new…
[David Spark] Excuse my ignorance – what does OKR stand for?
[Ian Hassard] Basically your objectives that you’re trying to achieve with the team. You set them on a quarterly basis or a monthly basis or some interval. There’s targets that you use to measure whether or not you’re hitting them, and it’s just generally an alignment tool to make sure that the person’s doing what they’re supposed to be doing, that it’s aligned with company objectives, that it’s aligned with the greater vision of the company. That’s how we operate at Okta. We actually have a different name for them internally, but ultimately, it’s the same thing. And it’s really, “Hey, is this good for our vision of our company? What does that mean for you? And what are the targets that we’re trying to achieve as a group?” And then that translates down into individual ones.
That has no place in the CISO domain, if it’s outside of your team. Obviously, if it’s in your team, you need to get there. But I’m a firm believer in you get what you measure, and when you look at sales, if you say, “I’m going to count the number of phone calls you make,” versus the amount of money you bring in in a month, which one do you want? Do you want 10 phone calls to hit your quota per day or do you want $10,000? And the answer’s $10,000, so I’m not even going to wait for an answer. It’s going to be that’s the outcome that matters, and a lot of people get distracted by trying to do these micromanagement tactics.
And when you start overlaying that with growing privacy concerns in Europe and other countries, like this just won’t fly anymore. And you’re also dealing with multiple different generations. You’ve got Gen X, you got Millennials, you got Gen Z. And I’ve seen some of the screens from Gen Z, and they’ve got YouTube on one panel, a coding window on the right panel, they’re reading something on stack overflow in the middle panel on a three-monitor setup. That’s not how I operate, it’s how they operate, and they’re more effective than I am. So, you can’t judge somebody based on their screen recordings and those sorts of things. It’s just not a good measurement, and it’s not a good way to identify productivity.
[David Spark] I’m with you 100%. I have my shtick on how I set up my desk. Everyone has their own experience with sort of just desk management. I see people with a giant mess of a desk, I’m like, “I could not function if I had a desk that looked like that, at all.” So, I understand that. So, last question for both of you, and I asked you, Mike, and I didn’t get a full answer from you, so I’m pushing both of you to answer. In what situation would you actually put monitoring software on an employee’s computer? Again, assuming they’re in your team, so you have to watch them, what would the situation have to be where you have to do that, Mike?
[Mike Johnson] So, assuming it’s in my team, that’s if there is some sort of suspicion that they are acting against the company’s best ideals.
[David Spark] So, some kind of insider threat type thing.
[Mike Johnson] Either insider threat, maybe something illegal. And I’m only doing it with HR, with the law department involved. That’s not a decision that I’m making on my own.
[David Spark] All right. Ian?
[Ian Hassard] I can think of two scenarios. One, what Mike said, so we’ll just gloss over that one. Two, if somebody’s traveling to a region where their device might become compromised. Not because it’s that person, it’s their device might be stolen. I’ve been in situations where employees have gone and had. Like, they left their laptop in their hotel room in the safe, and it magically got opened and software got installed on it, and lo and behold, it’s got some sort of malware on it. That would be the second case for me.
[David Spark] By the way, didn’t even think of that. By the way, this is the thing that I loved having you on, Ian, is you opened our eyes to a few scenarios of authentication, or in this case, something being breached that I didn’t think about. So, very good points.
[David Spark] And that brings us to the end of the show. Thank you very much, Ian. Thank you very much, Mike. I want to thank your company, Ian – Okta – for being a brand-new sponsor of the CISO Series. We greatly appreciate that. I’ll let you have the last word. But first, Mike, any last thoughts?
[Mike Johnson] Ian, thank you for joining us. I really liked your perspectives on authentication. I liked the reminder that we need to think more than just our employee authentication, but also our users, and I don’t think we think about that enough. So that was a great reminder to our audience. Think about your customer, think about customer authentication as well. I really liked your focus on user experience, and I think that’s something that’s really key. And again, I liked how you talked about you could go too far on the security side of things, and then you’re not going to be part of the table, part of the conversations around the decisions when it comes to the authentication system. So, I think that was a good specific reminder is to have people just check themselves a little bit when it comes to user experience and security. But in general, thank you so much for sharing your perspectives, and as David said, opening our eyes into some other areas around authentication that might not be front of mind.
[David Spark] Exactly. All right. Ian, your last thoughts, and a couple of things I always ask – A, are you hiring, I ask everyone that question, and B, if you’ve got any special offers or any ways to connect with you or suggestions for our audience.
[Ian Hassard] Yeah. Well, first off, thanks for having me, it’s been a privilege. We are hiring. So, you can put in your… I think on the marketing side, you’d do great. Specifically, my last kind of parting words here would be for the CISOs that are listening, exactly what Mike said. Get a seat at the table. More times than not, these decisions for how your users’ identities are handled are made with the development team without the CISO getting plugged in until like five minutes before they’ve launched it or five minutes after they’ve launched it, and then it’s really hard to walk back. So, bring your perspective, bring your security knowledge. I mentioned that a lot of vendors are getting there. Obviously, I wouldn’t do a good job if I didn’t say you’re probably already familiar with Okta on the identity side, you’re probably thinking of workforce and how you manage single sign-on. But also this is something that we can help with. But like I said, it’s an important thing for you to understand, and that’s the takeaway that I want you to get from this.
[David Spark] Thank you very much. Thank you, Ian. Thank you, Mike. Thank you, Okta, we greatly appreciate it. We greatly appreciate your support. And to our audience, you’ve heard me say this before, but take a moment and absorb the fact that I greatly appreciate your contributions. Send me some more “What’s Worse?” scenarios. And we also appreciate you listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to the CISO Series Podcast.