Your Password Is Too Long. Please Shorten It.

Your Password Is Too Long. Please Shorten It. - CISO Series Podcast

What happens when you want to adhere to more secure behavior, but the tool you’re using forces you to be less secure, solely because they didn’t architect in more stringent security when they created the program?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Terrance Cooley, CISO, Air Force JADC2 R&D Center.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor Varonis

Everyday, your employees share thousands of sensitive files with too many people, exposing data to the entire organization – or even the entire internet. Varonis monitors sharing link activity and intelligently eliminates links that aren’t needed – reducing your risk on a continual basis. Discover more at www.varonis.com/cisoseries.

Full transcript

[Voiceover] Best advice I ever got in security. Go!

[Terrance Cooley] Fight through failure, a success is at the other side.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series, and joining me as my co-host for this very episode, many of you know him, his name is Mike Johnson. Mike, let everybody know you’re here.

[Mike Johnson] Hi, everyone, I’m here. This is my voice. You’ve heard it before, you’re hearing it again.

[David Spark] Yeah, you’ve heard it before. You’re going to hear it a lot more today.

[Mike Johnson] A lot more.

[David Spark] So, if for some reason you don’t like it, stop this podcast right now.

[Mike Johnson] I mean, why are you here?

[David Spark] Or mute when Mike’s speaking, but the question is you’re not going to know when Mike stops speaking so…

[Mike Johnson] Well, you know, that’s…

[David Spark] …you just got to get used to it.

[Mike Johnson] You’re just going to have to get used to it.

[David Spark] Has anyone actually been annoyed with your voice, Mike?

[Mike Johnson] Not that I’m aware of.

[David Spark] [Laughter] Like someone would tell you![Laughter]

[Mike Johnson] Could be. Has anyone ever told you they’re annoyed with your voice, David?

[David Spark] No, nobody has said that.

[Mike Johnson] Yeah, so I don’t think that’s a thing that people say.

[David Spark] I don’t think they do.

[Mike Johnson] “I’m not annoyed by your voice,” is not…

[David Spark] No, but there are the Fran Drescher voices of the world that those are empirically known to be annoying.

[Mike Johnson] But at that point, that’s your brand, right?

[David Spark] It is, you’re right.

[Mike Johnson] You lean into an annoying voice at that point.

[David Spark] Well, she gained success of it. Some people don’t gain success from their annoying voice.

[Mike Johnson] [Laughter] There is that.

[David Spark] Right now, everybody’s thinking’ cause I’m thinking of somebody that does have an annoying voice, does not garner success from it at all. It’s just unfortunately what they were born with.

[Mike Johnson] Good to know.

[David Spark] Yes. We’re available at CISOseries.com where you can hear all the most melodic voices you ever will want to hear, including Mike and my own. Our sponsor for today’s episode – a phenomenal sponsor of the CISO Series. They keep coming back year after year, and we love having them, and that is Varonis. Thank you, Varonis, for sponsoring. More about Varonis I’ll be talking about later in the show. But first, Mike, I have said this before, I’ve got a very high tolerance for compliments, but here is the new kind of compliment that I like hearing, and I’m interested to know if you’ve heard something similar. Well, it’s not new, I’ve heard this for a long time. But the impact this show is making on people’s careers. Like, “I learned so much, I’m able to do my job better,” or people got hired connecting to guests on this show. Have you heard something similar?

[Mike Johnson] I’ve certainly heard from folks who’ve appreciated the podcast saying, “Hey, this has helped me, I’ve learned some things, I love the podcast,” but beyond that of, “That thing that you said, that really helped me,” or “That discussion that y’all had…”

[David Spark] Hold it. I want to know one thing that you said that helped anyone.

[Mike Johnson] Oh, I can’t come up with that off the top of my head. That’s not even fair, David.

[David Spark] I know.

[Mike Johnson] But generally, for sure, what people are saying is, “I really like what your guests are saying.” I get that a lot.

[David Spark] Yes. And the other thing that we see, the variation is CISOs who are kind of in their own little bubble in their sort of world like to hear what other CISOs are saying. And I’m assuming you like that just from all the guests we have on this show.

[Mike Johnson] I’ve said time and time again, one of the personal enrichments that I get is meeting CISOs from all walks of life, folks who I would probably not talk to on a regular basis.

[David Spark] Well, here’s a perfect example. We have a CISO who leads a military organization, and we have not had that before on this very show and thrilled to have him on. It is the CISO for the Air Force JADC2 R&D Center, Terrance Cooley. Terrance, thank you so much for joining us.

[Terrance Cooley] Hey. Thank you guys for having me today.

Should you hire this person?

3:51.058

[David Spark] Are you applying a talent-to-value recruiting technique to reduce corporate risk? In a McKinsey & Company article, they suggested mapping how staff can reduce risk and utilize all your resources to hire the HIGH priority role so as to reduce risk the quickest. So, this sounds really logical, but I’m really interested to know does anyone actually do this. So, they recommended actually mapping out the talent and skills needed to reduce specific risk. Mike, have you ever actually done this in hiring and how manageable is this technique? Makes sense, but really can you pull this off?

[Mike Johnson] So, I had to laugh a little bit reading it of who has 150 hires in cyber right now to do at once? It was just McKinsey lives in a different world than most of us.

[David Spark] Yeah, yes. They kind of assume, oh, if you’ve got a team of 150 security people, you got them all one day.

[Mike Johnson] Right, right, just showed up with. One day we had none, the next day we had 150.

[David Spark] I’ll tell you – I worked for this television network TechTV, and they did need to hire, like, 90 people within six weeks. It was bizarre. It was the strangest thing I ever saw.

[Mike Johnson] I think really the gem in this, and I think the thing that people can take away – I agree, what they’ve described is logical – what they’re really saying is, “Figure out what it is you need your ICs to do first. Start there.” Rather than trying to build a leadership team, which I guess isa way that some people operate. I’ve always looked at what does my team need to do, what do we need to be working on, what are our skills gaps, and start there. You’re then hiring the people to do the work, and then you’re on top of that hiring a management team to support those folks, to help them, to provide them the structure and the guidance on actually delivering. The concept makes a whole lot of sense to me, to the point where I can’t imagine doing it any other way.

[David Spark] All right. We’re gung ho on the concept, we’re trying to see how we could actually apply it. Terrance, you live in a world of risk, there’s nothing more than what you do as risk. And I’m assuming personnel in general are applied to deal with risk all the time, manage it. Has this been done in the cybersecurity field and can it actually be applied similarly?

[Terrance Cooley] It can, though I think it does make a few assumptions that don’t fully apply to us writ large. Every single member of our organization or the Air Force big picture has a specialty. That specialty has defined characteristics and we can apply those characteristics to say, “I need this to support this risk.” If I have a deficit in IT, I’m going to go through my Rolodex of IT professionals and I’m going to hire against that space to solve that risk. And then I can be more specific in targeted mindsets, do I have people who have leadership potential who can stand up and lead the teams around them in a technical capacity, do I have people who are manager or people-people that can oversee technical operations and really tailor down the risk from a layered process. But we can get people in onesies and twosies, so I have to look at every risk that I have, map the specialties that I want to that, and either hope I get it or be able to reach out and direct hire against that but never en masse.

[David Spark] So, I’m getting the sense this McKinsey model very much applies to what you’re doing, yes?

[Terrance Cooley] Yeah. In the sense that because of we have a stronger definition of the risks in our environment by nature, a lot of the things we do are steady state and they all lead to one unfortunate but realistic outcome. If I have a risk in my network, it directly ties into an operational risk, tying it to crisis operations, helicopters, planes, people putting their lives on the line. I can directly map every specialty I need to how can this skill support this thing that prevents lives from being lost.

[David Spark] That’s real interesting and I got to assume, I mean, you hire but then you I would assume build your training programs against that as well, yes?

[Terrance Cooley] Yes. And it also depends a lot on the organizations you’ve been part of. I have been part of an organization that had a robust training pipeline that we were still building from the inside, but we had the personnel to do it. In my current organization, we are the training pipeline, I have…

[David Spark] Oh, I would assume, yeah. The people who are working it. So, I got to assume that a percentage of everybody’s work is dedicated to training others as well, yes?

[Terrance Cooley] If not training others, then building the processes that they’ll use regularly so that when someone comes in to replace them, they can just hand that over cleanly. But in my current organization, we don’t have the expectation that 100 people are going to stand up, at least not yet. That’s coming and we are working towards that training pipeline.

Here’s some surprising research.

8:42.101

[David Spark] What are your predictions for the evolution of cyber threats? Now, a cyber threat report from Deep Instinct highlights three trends. First, malicious actors looking for or paying for the weakest link to provide access. And as they say and what it appears to me, it isfar easier and a cost-efficient method to just pretty much find that weak link or pay to get that weak link. Protestware, that’s the self-sabotage to one’s software or weaponizing it to cause harm to its end users. And then end-of-year attacks, and I would ask the two of you and I’ll start with you Terrance, is there some sort of special advantage to attackers to attack at the end of the year, or is it more of a situation that everyone is winding down, maybe their guard is down, but not the attackers? So, what do you think – let’s start with that last one – what do you think of that last one and the others, and do you sort of see some other sort of trends for the new year?

[Terrance Cooley] Yeah. So, end-of-year attacks isa persistent thing across the Department of Defense enterprise as a whole. There’s always an expectation there’s going to be some employee fatigue or your defenders are kind of putting themselves more in the holiday space, they want to relax a little bit. So, what we do is we have a lot of rotations in our organization across the whole outer shell to make sure that people are staying fresh.

[David Spark] So, specifically more in December?

[Terrance Cooley] Yeah. Because we know that the attacker knows that there’s an expectation. So, we know that they know that, and they should know that we know, and it’sa weirdlittle fun cat and mouse game.

[David Spark] All right. So, that is something that you acknowledge and believe, okay. Now what about the other two examples here, the just paying somebody off or protestware here?

[Terrance Cooley] I can see a case for paying someone off, but you’re not going to see that a lot in the government space. There’s a lot of high profile cases where that has happened, I’m not discounting it.

[David Spark] I mean, there’s double agents all the time.

[Terrance Cooley] There’s double agents. But it’s high profile for a reason. Because we’re able to find it out. And through our robust security applications in terms of criminal justice teams that actually research and look for people being bribed and things like that, it’s very easy for us to eventually find them.

[David Spark] So, there are other departments that deal with that that are watching that kind of thing.

[Terrance Cooley] Absolutely. And then when you talk about just looking for self-sabotaging or trying to weaponize, I don’t know that helps, that’s really a Department of Defense issue, so I don’t have a lot to say on that one.

[David Spark] All right. So, I’m going to throw it to you, Mike. At your company, do you have the looking for bribes department?

[Mike Johnson] One of the things to really think about on that line in the report is it wasn’t so much paying off people for their passwords. It’s really talking about this concept of an initial access broker marketplace.

[David Spark] Yeah. Yeah, yeah, yeah, yes.

[Mike Johnson] The idea that…

[David Spark] That’s what I was referring to. Essentially getting some type of access.

[Mike Johnson] Well, but that somehow some group of actors has gained access to a set of environments. They don’t want to do anything with it, they’re not going to monetize that, but they can monetize it by selling it, and we have seen those attacks. That was famously one of the methods that the Lapsus$ groupused earlier in this year. And what I think is interesting about that world is you used to have the attackers kind of being fully vertically integrated. Like, they would have to figure out how to break into an environment, they would then have to figure out how to use that access to then monetize it further. What we’re seeing is now some deregulation, I don’t know how you want to call it, but they’re breaking up into specializations. Teams of attackers that are going to figure out how to get access into environments, usually malware that they’re spreading or they’re somehow tricking folks. And then they’re selling that, and that’s how they’re monetizing it. So, that’s absolutely a thing. I expect to see more of that, and I expect to see especially as people figure out how to deal with multifactor authentication and almost leverage multifactor authentication to take advantage of those initial username/password thefts.

[David Spark] And we’ve definitely seen examples of that. So, let me throw just out to both of you, adding to this list, what would you add to the list in terms of sort of trending of attack behavior that you’re seeing right now? Terrance?

[Terrance Cooley] I definitely have an opinion on this. I think the number one successful technique that I’ve seen in my environment is phishing, and they’re becoming way, way, way more sophisticated. But what I’m actually expecting to see more of a trend of is when you talk about vendors, they have a kind of standard process that they use for when they’re sending things out. I expect to see more phishing attempts look like vendors but actually start to be more targeted in, “Hey, I know you have this kind of a problem. We have a tool that can support it.” If someone comes to me and can solve one ofmy problems, I am going to be more interested in that conversation,[Inaudible 00:13:57] say it, right? So, if you can find a problem that I want solved, you have my interest. And if you can leverage that, social engineer your way through, I can expect to see some people make their way through the cracks here and there.

[David Spark] Good one. That’s a great example, by the way. And by the way, we hear that all the time.[Inaudible 00:14:13] was like, “Yes. If you don’t have a problem… I’m going to listen if you’ve got a solution for it.” Mike, what trend are you seeing?

[Mike Johnson] Well, first of all, I want to react to what Terrance said which is, David, we have to be careful, we’re educating the attackers. We’re providing them the roadmap on how to get into these inboxes. I think the thing that I’m expecting to see more of is API attacks.

[David Spark] Oh, yes. And we just did a recent show on this stuff. I’ll just throw out – from what I’ve seen and my own education in API security is how unbelievably complicated this issue is.

[Mike Johnson] Yes. And that’s why I think you’ll see more of it. First of all, you haven’t seen as much of it because it’s kind of hard to abuse, it takes a lot more effort on the part of an attacker, but it’s risen to a point where it’s worth it for them to figure out. And then the complexity to actually secure them is going to give the attackers some runway, at least through the next year.

Sponsor – Varonis

15:17.236

[David Spark] Before I go on any further, I want to mention our sponsor Varonis. We greatly appreciate Varonis supporting this episode of the CISO Series. So many security incidents, as you know, are caused by attackers finding and exploiting excessive permissions. All it takes is one exposed folder, bucket, or API to cause a data breach crisis. So, the average organization has tens of millions of unique permissions and sharing links. Even if you could visualize your cloud data exposure, it would take an army of admins years to right-size all these privileges. With how quickly data is created and shared, it’s like completely painting the Golden Gate Bridge, which someone does and it takes forever. Not one person but many people.

So, Varonis reduces data exposure while you sleep with the industry’s first fully autonomous data remediation.Varonis continually and intelligently removes unnecessary permissions, sharing links, and fixes misconfigurations without any human intervention. Because Varonis monitorswho uses data, their free incident response teamwill watch for alerts and call you if they see abnormal behavior, like insider threats or compromised service accounts. To see howVaronis can reduce risk while removing work from your plate, head on over to varonis.com/CISOseries, you can remember that, and start your free trial today.

It’s time to play “What’s Worse?!”

16:54.095

[David Spark] All right. We are here for “What’s Worse?!” Terrance, you know how this game is played. I do make Mike answer first, and I love it when our guests disagree with Mike. Mike, here is the scenario, and by the way, this comes from Dustin Sachs of World Fuel Services, he’s given us lots of great scenarios. In fact, he’s one of the people who loves what the CISO Series has done for his career, so we greatly appreciate and we appreciate that we are helping him out. This is a”What’s Worse?!” scenario that I’m surprised took this long to come up because it seems like this is an obvious one. Here we go. What’s worse, 100 small security incidents spread across the entire week, all manageable but 100 of them, or one massive incident at 5:00 PM on Friday?

[Mike Johnson] Oh, interesting, Dustin.

[David Spark] So, it’s death of a thousand paper cuts or not.

[Mike Johnson] Yeah. But the thing is I feel like I live the other one all the time.

[David Spark] That’s exactly what I said to Dustin! He’s going to say, “That is my normal week.”

[Mike Johnson] Yep. Everything’s going fine, Friday at 5:00 PM rolls around. I get a little Slack message that says, “Hi, Mike,” and I just put my head in my hands because I know where that’s going.

[David Spark] In your career, how many weekends do you think you’ve had ruined?

[Mike Johnson] Honestly, not as many as folks might think but more than one. I’ve certainly had to leave a voicemail with my wife on more than one occasion with some bad news like that. But I think for these two, I would much rather deal with the one incident. It sucks. Both of these are terrible, but at least the team will rally around that and have a feeling of like,”This is something that we can get our hands around,” rather than “Oh, my God, another one, another one, another one, another one,” and it just feels like it’s never going to end. So, while both of these suck, just that constant, constant drip…

[David Spark] That constant beating of the drum.

[Mike Johnson] …will drive people nuts.

[David Spark] All right. Terrance, I throw this to you, 100 very manageable security incidents over the week or 1 nasty one at 5:00 PM on Friday?

[Terrance Cooley] I was so ready to be a dissenter, I was so ready. But having lived through large breaches, large-scale individual breaches and dealing with that, that is something that is just more comfortable to work through. A hundred breaches? Now I’m like, “How do I keep my team from…”

[Crosstalk 00:19:28]

[David Spark] It’s not 100 breaches, it’s 100 incidents.

[Terrance Cooley] It’s a hundred incidences…

[David Spark] That are, again, I just want to stress “manageable.”

[Terrance Cooley] Manageable but I now have 100 different chains of custody, 100 different things that I’ve got to update all my stakeholders on, I’ve got 100 different meetings that I’m now keeping track of. That’s just the plates to juggle. If my team doesn’t go insane, I sure will.

[David Spark] All right. So, you pretty much are the same responses, Mike, is that it’ll just drive you crazy

[Terrance Cooley] Yeah, it’s the grind that just wears you down.

[David Spark] And you add the fact that it’s the domino effect of each one will just be overwhelming.

[Terrance Cooley] Yep. That you just lose so much in an action economy.

[Mike Johnson] I think something else I’d like to just highlight that Terrance said that I think folks don’t really recognize is there’s the incident itself and then everything that goes on around that. And you don’t really realize how much goes into the follow-ups, the communications, all of the work that goes on outside of dealing with the thing that really adds up.

[David Spark] So, I didn’t realize, and you tell me. What percentage of incidents can you sort of shut down and not make anybody else’s issue?

[Terrance Cooley] I wouldn’t say there’s a hard percentage, I would say a lot of it depends on the scope. Because first you have to get a sense of how bad is the incident, which means you’re building a rapport, you’re doing assessments on it, you’re getting a sense and wrapping around. Okay, is this something that’s beneath our threshold? And you have to do that every single time.

[David Spark] Yeah, okay. So, the answer is there are no small incidents.

[Terrance Cooley] No.

Maybe you shouldn’t have done that.

21:03.866

[David Spark] So, on the heels of our “What’s Worse?!” segment, I’m going to ask this question, and I’ll start with you, Mike. What is the worst security behavior you’ve seen from an IT vendor? So, the reason I’m asking this question is it came up in a conversation I overheard a few CISOs discussing, and I’ll give you the two examples that I overheard. One was a vendor’s tool had a problem with the company’s long passwords, so they lowered the password requirements so they could work with the tool. That seems bizarre. And then another vendor just had issues with a VM, so they lifted all the security requirements to get access to the VM. What’s the worst you’ve seen?

[Mike Johnson] So, my favorite is where you have these phishing test platforms and people use them to phish their own employees, and the first step is you have to go in and whitelist, allow list them, in your own mail program to allow them through because their phishes get caught in your own automated testing.And so just this idea that you’re testing the awareness of your employees by lowering your own defenses drives me nuts. So, that’s my favorite example.

[David Spark] So, the answer is the phishing company should be able to break through your defenses.

[Mike Johnson] And why is that a good test of employees?

[David Spark] Their product should be good enough to be able to break through your defenses.

[Mike Johnson] And if they’re unable to do that, then maybe their phishes aren’t all that great.

[David Spark] Yeah. That’s lower it so our service will actually work. All right. Terrance, what’s the worst behavior you’ve seen?

[Terrance Cooley] It’s not directly IT vendor but I think it’s close enough that you can take something from this. Back when I was doing my program management under IT security days, we had a vendor who was responsible for shipping out some of our equipment, high power amplifiers, from one place to the other. They didn’t have good change management processes. So, there’s a code we use in order to track all of our shipments. In the middle of doing a shipment, they changed the code itself so that it used a different format, so the object went, instead of going to Africa, it went to New Jersey, and they couldn’t find it for a month.

[Laughter]

[Terrance Cooley] Needless to say, we don’t work with that vendor anymore.

[David Spark] Have either of you had a situation where a vendor – by the way, this just becomes a general third party vendor situation – where the vendor, I guess, was going to do their security at a certain level or couldn’t achieve a certain level and you just said, “Guys, we love you but this ain’t going to work out because you’re not reaching our minimum requirements”?

[Mike Johnson] Usually, that’s just part of the TPRM, right? So, yes.

[David Spark] So, it’s a part of the early process. But security defenses do sort of fall. Do they ever fall or no?

[Mike Johnson] They do and one of the dirty little secrets of third party risk management is people quite often just do it once and don’t come back and check again. And when that comes around for, “I didn’t realize how bad your security is,” is when there’s an incident and you get this vendor notification of a really bad breach that should have been avoidable. And that’s when you have those conversations about, “It’s not us, it’s you. We’re going to go find somebody else.”

[David Spark] You probably don’t have this issue so much in the military, Terrance, because you’re constantly checking.

[Terrance Cooley] We’re constantly checking and I can hold my entire force accountable and I can hold my partnerships accountable.

[David Spark] Here’s the answer – we just simply have to have a security program up to snuff like the Air Force. Right, Mike?

[Mike Johnson] I think there’s positives and negatives to that, David.

[Terrance Cooley] I agree with that statement and will leave it at that.

[Laughter]

They’re young, eager, and want in on cybersecurity.

25:01.851

[David Spark] A security analyst who has been at the job for a year feels overwhelmed. The redditor posted on the cybersecurity subreddit that they’re on a team of 5 analysts with over 10,000 employees. The analyst has the following responsibilities – they monitor two SIEMS, mostly do incident response themselves – those five analysts. They investigate DLP alerts, they have HR and legal investigations, they run phishing campaigns, and they also have to do their own training as well. So, some people responded, “You’re getting burnt out, you need help,” but the most popular response was from a person who had a very similar experience as the redditor and it lasted for them for four years. In the case of the redditor, it’s just been one year. And what kept them there was a fantastic culture and great support. And the company did end up hiring more people and it really launched this person’s security career. So, I really want to double down on this response, of the combination of it’s really tough but fantastic culture. I’ll start with you, Terrance, because I got to think that is the job of the military. How do you create a fantastic culture in a really difficult environment? And what are the elements thatkeep people staying in what seems like an impossible job, but like essentially your opening tip to this very show?

[Terrance Cooley] Ah, yes, absolutely. So, you have to fight through failure, right? I am dual-hatted as the chief people officer, so I have also that perspective from the HR lens. One of the things we did was first we assessed what is it that our employees are looking for, what is it they came here for. And pretty much the number one thing, I think you’re going to see this across any high performer, is they came and they work here for a sense of purpose. They want to know that the things that they are doing has value, that they are trusted, that they are a subject matter expert and will be treated accordingly.

So, we create the environment that we cut a lot of the bureaucracy within the organization to whatever I can control, get rid of the admin. You need to go to someone, you need to go straight to the CO, you don’t need to go through me. You don’t need to go through four levels of administrator to get there. You go and make sure your product is good. I trust you and we will give you feedback if we need a few more tweaks, but I trust your knowledge, I hired you because you have the expertise. And then if I have people who need certain accommodations like remote work, or they really need to focus on work/life balance, but they can work from their home and be just as productive and they have that proven record, I can cut them out so that they can actually remote work from home and figure that out. And then as long as I call and you’re there when I need you, I can make that work.

[David Spark] I like that. Mike, how do you do the combination of, “Yeah, it’s really, really tough but we’re going to make it, because you’re going to want to keep doing this really tough job”?

[Mike Johnson] I don’t think the “it’s really, really tough” has any factor here. It’s a job at the end of the day, and you’re needing to create an environment that people are going to want to be a part of.

[David Spark] Well, I’m just going back to this redditor’s comment of like, “This person has imposter syndrome, they feel overwhelmed, it just seems like too many tasks, I’m drained by the end of the day.” Like, not everybody feels that at their job. You say it’s a job. I mean, that’s an overwhelming feeling, but a lot of people have that and still love their job.

[Mike Johnson] I think it you ask most anyone in cybersecurity do you go home tired every day, they’re going to say yes. That is the reality of our profession. And as Terrance was mentioning, give people that sense of purpose, that sense of mission. And that’s really what compels people in our industry to come and do that every day is that sense of mission. So, give them that opportunity in their career to live that, to trust them. I’m over here cheering as Terrance is walking through how he handles it because it’s absolutely right. Create the environment where you’re trusting people, you’re giving them that sense of purpose, and they’re going to want to work there and they’re going to want to stay.

[David Spark] So, from your world of the military, Terrance, what advice would you give to the private sector people to sort of apply this culture under sort of very difficult circumstances?

[Terrance Cooley] First off, make sure if you say you have an open door policy, actually have an open door policy. People can come to me from across the organization whether they’re direct report or otherwise. They can come straight to me and we have a closed door conversation and you can just get your grievances out. Sometimes people just need to be listened to. If they have grievances they’re looking for solutions, make sure you’re identifying if they’re solutions that I can fix at my level or if I need to upchannel. Let me know what that is or what those are so that I can actually solve them. I have to know what’s eating your lunch so that I can actually give you support. And making sure that you have that trust relationship that, hey, you tell me what you need, I go get it for you, boom, and then what can I take off your plate. There’s a lot of things I have to do but there’s times I do have dead space where if you’re struggling with this thing, maybe you just need someone to sit over your shoulder and help you through a task. Maybe you need someone to teach you a specific capability or a specific tactic, maybe you just need someone to take a thing off your plate that’s really a heavy lift for you. Let me know what those are.

[David Spark] Excellent point there, Terrance.

Closing

30:18.107

[David Spark] And that brings us to the very end of this show. Terrance, you just slammed the knowledge here on this episode, so thank you so, so much. We’ve had guests on before who have military experience but nobody who’s currently working, I don’t think, I don’t think I’ve had anybody who’s currently working for a military organization on our show. We’ve had government officials, but not military I don’t believe. I’ll have to check our past guest list. So, you brought us phenomenal insight on this. So, I am going to ask you if you’re hiring, whether civilian or not, if that’s a possibility. I do want to thank our sponsor for today’s episode, Varonis. Varonis, thank you so much for supporting the CISO Series. We greatly appreciate your continued support of these shows. Mike, any last thoughts from you?

[Mike Johnson] Terrance, thank you so much for joining us. I really appreciated how you talked about people a lot. One of the things I didn’t know and part…

[David Spark] Part of his title.

[Mike Johnson] Exactly. I think you might be the first CISO I’ve met who’s also a chief people officer. I think that’s a very interesting combination and probably puts you in an interesting side of conversations as a result, but it gives you a perspective that I think a lot of CISOs don’t have. So, thank you for sharing that people first mentality. I really liked your point about if you say you have an open door policy, actually have an open door policy, and the fact that a lot of people, they just want to be listened to, and they want to know that they can go and have a conversation with someone, and especially someone who can actually help them out. So, thank you for that tip exactly of have an open door policy and actually live it, but thank you in general for bringing all of your insights, not only from your security perspective but also your people perspective. Thank you.

[David Spark] Excellent. All right. Terrance, any last thoughts, any recruiting requests you may have or hiring, as well? The floor is yours.

[Terrance Cooley] All right. Thank you for all that. I was glad to be on this show. You can find me on LinkedIn, I am generally very responsive to connection requests. If you’re a vendor, please make sure that you ask me for a problem set first, don’t just send me a sales pitch. And for hiring, I am hiring. If you’re military, I have a few special positions. If you’re civilian, there’s a slightly higher bar but we can have a conversation and I can vector you the right way.

[David Spark] And there are clearance requirements, I would assume.

[Terrance Cooley] There are clearance requirements, that’s a conversation we can have, but if you’ve already been cleared before, it is likely you will be cleared again.

[David Spark] All right. We did not have a clearance requirement to have you on the show. We have little to none in that respect.

[Mike Johnson] However, our audience, we’re going to have to have a conversation, I’m sorry.

[David Spark] Yes. We will have to have a conversation with the audience. Excellent point, Mike. Thank you so much, Terrance, that was excellent, I greatly appreciate that. Thank you, Mike, as well. And thank you as always, we greatly appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.