
Next up we have a live podcast recording by David Spark, the host and producer of CISO Series. CISO Series is a media network for cybersecurity professionals, delivering the most fun you'll have in cybersecurity.

Thank you so much. All right, we're going to record in just a moment. Just a few things I want to tell you. This is going to be a live audience recording. We may stumble on something; if that happens we'll just repeat what we said. It's all because we just want to get that sound recorded. You are part of the show. You see this microphone that is pointed at you? We are recording you as well, so applause, laughter, anything you make, that all gets recorded, so please feel free to do that. Don't, especially at David. No, feel free to do that as well. Now one of the things: I know there's this very strict policy about photo taking here at BSides. I do have a photographer who's taking photos of us, and he's planning on taking silhouette, back-of-head shots and also blurred photos, but I want to know, because I just want to gauge the crowd, and please feel free if you're uncomfortable: does anyone have a problem here with getting their photo taken at all? Just raise your hand if you have a problem. Anyone? No one. That is great. There you go, that is great, thank you very much. This is a rad audience, I can see this. Michael O'Donnell, I want to give him full credit, he's an amazing photographer. You have free rein to shoot photos. Thank you everybody for that as well. All right, we're going to start. I'm just going to tell you, I'm going to hit the record button, in fact I'm going to hit it now, and I'm just going to ask for 10 seconds of silence from the audience and then we'll begin the show. Have a lot of fun. We will be done in exactly 45 minutes. All right, here we go.

Biggest mistake I ever made in security? Many may relate to this, which is naively trusting a strategic vendor to put the best interest of me as their client in front of their own revenue targets.

It's time to begin the CISO Series Podcast, recorded in front of a live audience in San
Francisco. Welcome to the CISO Series Podcast. My name is David Spark, I am the host and the producer of the CISO Series. Joining me here on stage is my co-host, who has been with me almost exactly six years. Whoa. June 1st, 2018 was when we started this, and we are less than a month away from that. The gentleman to my left is Mike Johnson, who is also the CISO of Rivian. Let's hear it for Mike Johnson.

Hi, thank you everyone.

We are, by the way, for those of you who heard it at the very beginning, at the BSides San Francisco event. We are in Theater 13. It is a huge theater, it is beautiful. What is most spectacular, the people in the room can see it, and we'll put photos of this up when you go to listen to this episode on the podcast, but our logo is physically the largest I've ever seen it in my life, and it's on this giant movie screen. It looks spectacular. The other logos that are up there are our sponsors, and I do want to mention them. Let's hear it for our sponsors: Devo, NetSPI and Eclypsium. Let's hear it for them. Thank you very much. We will be hearing from all of them later in the show. So I'm going to bring in also our guest now, who is the host of our other show, Defense in Depth, that is Steve Zalewski. Let's hear it for him. Steve.

Yay, Steve.

All right, the question I have for both of you gentlemen is: we're at BSides, it is sort of the precursor to the RSA Conference. I'm actually shocked at the number of people I ran into here that are only sticking around for BSides and not sticking around for RSA, which was shocking. That's actually a first for me in terms of experience. I'm sure people have done it before. But what's your experience of the big difference between this conference and the other conference?

BSides is very community driven. This is really an event that's for the people who are actually attending it, rather than people who are just showing up to get swag off of a vendor. This is really the context, the content here is so much better than RSA, because it's by the community.

And do you feel the conversations are stronger here than at RSA?

Oh, I think so. They're also more real. These are real conversations here, and RSA, frankly, it's a sales conference.

So let me ask you, I'm going to be attending both conferences. I've had good conversations here. Should I worsen my discussion when I go over to RSA?

Worsen? Tone it down a little bit.

Tone it down. All right, Steve, your take.

Oh, this is my best conference. The way I look at this, these are my peers. This is t-shirts and no socks, folks, okay? And when I go to RSA, that's t-shirts and socks.

I can't believe you got applause for socks. Can't we all just get along? [Music]

So are companies taking the air out of the open source balloon? Now sure, open source code is used by the vast majority of all code bases, but recently Redis sparked some controversy by changing their in-memory database licensing to no longer let developers use the code, noted Steven Vaughan-Nichols in
a piece in Computerworld. They, being the developers, can still audit the code, but they can't build off it or modify it, which is kind of the thing you do with open source. So I'm going to start with you, Mike, on this. Does this risk killing the golden goose of what open source offers to big companies if more organizations follow this practice? And I should note that Redis is not the first to do this. So Mike, what do you think is the argument for this type of licensing change, other than, well, because money?

I think your first question of are they risking killing the golden goose, I think we've seen this happen time and time again. And your point about big companies: big companies really are going to be fine with this. If they see value they'll license it, if they don't see value they'll fork it. We saw this happen with ElastiCache, which was mentioned in the article, that was a fork of Elasticsearch way back when, but the company Elastic is still around today, they're still very successful, and I imagine we'll see the same thing with what Redis is doing. You can argue the reason behind it is they need the revenue to pay for the support services that are required for the people who want to use it. You know, it seems obvious, it's not free. So there's certainly some value. There will be some people who will move away, and that's what we've seen before, we'll see it again.

All right, Steve, what do you think on this one?

So I apply a little creative thinking and I said, is there another reason that they might be taking this position? So bear with me on this. I blame the lawyers, which is, it's a third-party and fourth-party risk management exercise, right? If you look at the legal concerns with liability and with some of the new policies that are coming down with regards to both compliance and risk, there's an opportunity that the lawyers are looking at some of this language and they're the ones saying whoa, whoa, whoa, there's a liability issue here that we don't want to take on. That's my creative thinking as to why there might be something else going on.

And I feel that that very well may be the case, but could there be a situation here where they're changing the licensing because of the lawyers, or could it be like a ruling with no teeth? Like, ah, people change the code, people modify it, they're not going to get that upset about it. Or is this me just sort of guessing this might be the case? Do you think?

I mean, Steve has a point about the lawyers. The lawyers of the companies who might want to wing it are not going to let that happen. When you've got a large company, they're looking at the code, they're looking at the licenses for everything that goes in there, and if the license actually doesn't meet the expectations, if the use doesn't meet the letter of the license, then the lawyers will actually not let the company go through. You can't wing it.

Could this also be a third-party risk, a regulatory issue that's forcing this to happen as well?

Well, and that's just it, which was the lawyers are there to protect the company, right? They're there to look at any kind of obtuse ways that they could be held liable, and so what they're doing is they're covering their tracks. If you ask a lawyer a yes/no question, what's the answer? No. Okay, so they're basically saying no, they're protected, now we're going to figure out what's reasonable.

Do you think, I mean again we've seen this happen a few times, if they're successful with it, do you just think this is going to be a non-stop trend?

I think this is a bump in the road and we're just going to continue to do what we do.

Yeah, I think this is something that's been happening for quite a long time with open source and we'll continue to see it happening. Yep.

Confessions of a CISO [Music]

Now CISOs, the gentlemen to my left, they stay cool under pressure. Would you say you do that?

Yes, absolutely. So far so good.

But not always, right? Have you always been cool under pressure?

I have.

I don't know, let me ask you, have you ever lost it? Have you just screamed, holy crap?

Not in front of anyone.

Do you have a closet where you just go in and you scream?

It's a padded closet that I can go in and just scream when I need.

Take a pillow and shove it in your face.

Exactly.

All right, so there's always
something that can make a CISO poop their pants. Now, using a more colorful term for poop, a redditor on the cybersecurity subreddit asked what really scares a CISO, and it was quite humorous but, you know, real. The most popular response was, quote, "emergency board meeting in 10 minutes." Another popular one was management decisions made without being consulted, such as an acquisition without a risk assessment or changing cloud providers on a whim, and another was new regulations that could put a CISO in court. So I'll start with you, Steve. Have you heard of any of these, or any others? You know, come up with your own list. And when you actually heard these, like in a real working environment, did you wish you'd packed Depends?

Oh, in my experience, so Levi's and then prior, the one that got me for this is, we're going to do an M&A and you're not involved. Okay, there's nothing like being...

Did they say it in a way, like making it clear, we're doing this, you're not involved, stay out, don't bug us? Was it at that level?

Basically, we knew there was an M&A going on, we weren't brought to the table. So there's nothing like being disrespected to make you feel like you're a viable and important part of the company, right? Because then you're like, all right, then go buy them, but now I'm going to be defensive. And the second one that got me was board meeting in 10 minutes. That wasn't so bad. It was when I had an incident that was going to have to go up to the board. Okay, because in that case the poop storm starts coming downhill, because now I'm preparing myself to go, it's got to go to the board, that's going to create an awful lot of work that was of my doing, because when you communicate to the board it's a whole different set of people now that are trying to protect their butts.

Well, I want to dig a level deeper on that one. What happens when you go to the board that becomes like, you're just making my life more difficult, I know you need this information, but what is happening in that moment that's really making your life more difficult?

Well, in an incident, if it stops at the CEO, we have a good relationship, they know what we do, they understand, right? Once it goes to the board, now you get the board secretaries, you get all the other PR people that manage the board relationships and communications, and so now the CEO doesn't own it anymore, right, the board does. And so now he's in line, so I've got to make him happy for how he's going to message it up to the board. That's the hard part. I've got twice as much work.

All right, I throw this one to you, Mike. Again, you can answer the same stuff as Steve or just whatever scared the crap out of you.

I think one of the things that really is most important is to actually not get flustered. Everything that you laid out there, Steve, we know that.

But you do have that pillow in the scream room, right?

I do. Okay. But at the same time, you have to manage all of those situations. Things are just changing all the time. This is normal. Incidents happen, you have M&As, you have to pivot with these, and it really is important to actually stay cool the entire time, even if you're screaming in that pillow when you go home.

But I want to know, of all these things, which are the ones... I know on the outward face you have to be Mr. Cool and Collected, and we all see that, Mike, but which is the one that makes you really want to do that?

Well, so one of the reasons why we're able to stay cool is because we don't tell secrets.

What?

We do not tell secrets. So I am not going to share any of those with you or our audience, because our role is really, quite often we're a therapist, we're a lawyer, we have to have folks trust us, and that's both for they're going to give us some bad news and we don't panic, and they're going to give us some bad news and we're going to manage that and keep that in confidence.

So there's nothing you can reveal?

Not a one.

Nope. Just keep trying. But your least favorite, you've got to have a least favorite?

Nope, it's all good.

See, this shows how good Mike is with crisis management. Put him in a crisis, look how he manages through the crisis and doesn't communicate anything that doesn't need to be said. Well done, Mike, well done.

Thank you, Steve. I'm easy.

Who's our sponsor this week? [Music] We have three phenomenal sponsors and let me tell you about one of them.
It is Eclypsium, the leader in supply chain security for critical software, firmware and hardware in enterprise infrastructure. Now CISO Series listeners can learn more about Eclypsium by visiting their site, eclypsium.com/spark, that's my last name. Now there you will find the quote Ultimate Guide to Supply Chain Security, an on-demand webinar presented by Paul Asadoorian called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with DigitalOcean. If you are interested in seeing their product in action, you can also sign up for a demo, and you get all that at the site I was telling you about before, eclypsium.com/spark, that's spelled, let me give it to you, e-c-l-y-p-s-i-u-m dot com slash spark.

It's time to play What's Worse [Music]

All right, no stress here at all.

No stress, no stress.

We have a What's Worse scenario and this is a silly one. It comes from one of our favorite What's Worse submitters, Dustin Sachs of World Kinect, fuel services, and here we go. I make you answer first, Mike. For those of you not familiar with What's Worse: two horrible scenarios, neither one you like, but you have to determine by risk management which one is worse. All right, here we go.

Okay.

These aren't horrible, they're more embarrassing.

Okay, so much better.

Yeah. Scenario number one: a smartwatch that sends your heartbeat data to advertisers, or a fitness app... I'm sorry, let me say that again. What's worse, a smartwatch that sends your heartbeat data to advertisers, or a fitness app that posts your failed workout attempts on social media without your permission?

Okay, say those again.

So it's got a smartwatch that's selling your heartbeat data to advertisers, so they know essentially if you've got high blood pressure or whatever the heck's going on with you, or a fitness app that tells you that you're just failing at your attempt to stay fit.

Yeah, the second one is peer pressure. So the first one is, your data is going off to a company somewhere, kind of a version of your health is going up and who knows what they're doing with it. Odds are they're selling it to somebody else and they're making money off of it. The second one is really just enforced peer pressure.

Forced peer pressure, but flat-out embarrassment, right? And specifically they're posting your failed workout attempt to make it clear, you know, Mike Johnson was supposed to run today and he didn't and he ate a bag of Cheetos.

They're good Cheetos. Very. So a small bag of Cheetos. Medium. So the first one, you have someone who's basically profiting off of your health data and who knows what's going on. The second one is just some embarrassment. The first one is a privacy invasion.

One's a privacy... well, but you also lose track of it, like you don't know what's happening after that. The second one, like hey, I didn't run, I ate a bag of Cheetos, whatever. So you kind of get mocked by your community, but that's why I'm using the thing in the first place. You buy both of these things knowing what they're doing, right? I'm not surprised, and I'm not being forced to go around with this watch on, I'm making the choice. It's like the people who get the internet-connected scales and they post their... which, that is brave, I don't understand that either. But so again, the first one I don't have as much control over what happens with that. The second one, I bought it because I want to be shamed, and I want to be shamed into working out. So the first is worse.

All right, Steve, I take it to you.

All right, I would say it's going to depend upon which one of those apps my wife also can be on.

It depends? No, you know how it... there's no "it depends." You can't change it, you know that.

Works, try. Dang. Then I would say the worst one is the one where my wife also has my app and can see that data.

So you think the second one's worse?

So I would say the second one is definitely worse, absolutely.

All right, I'm going to throw this one to the audience. By applause, how many think the first scenario is worse? And that's the one where the smartwatch sends your heart data to advertisers. By applause, how many people? It's a good amount. All right, that's a good amount. Now the second scenario, the one where you're embarrassed, the fitness app posts your failed workout attempts on social media without permission. By applause, how many people? A few people. Well, it looks like Mike has won that one. All that matters
is I won. There you go.

What Is Dave's Mom Talking About?

All right, so this is a new game. We've played it a few times, and Mike, we played it actually, if you listen to Tuesday's episode you'll hear the first round of it. I have interviewed my mom about cybersecurity, and she doesn't know a lot about cybersecurity, I'm going to say very, very little in fact. So I said just take your best-guess effort on what these terms mean. So they could be a cybersecurity threat, or it could be a category, it could be an acronym, although I spelled out what the acronym is, or it could be some kind of a technology. All right, so I'll play the first one. I will give you a big hint: the first one's easy.

All right.

Heard that before.

Because she does actually know what this thing is. All right, so the first one's a softball. All right, here we go, here's the first one.

"As a cybersecurity person, I'd be worried that somebody in my organization is a troublemaker."

All right, Steve, what is that?

Insider threat.

That is correct, insider threat. All right, good job. I like your mom. There you go, she's my favorite mom. Now it gets tough, and I'm going to tell you that all these answers are incorrect. They are not correct, she is not explaining what the thing is correctly, but again you have to use reverse logic. You know what these things are, but if you were hearing these terms for the very first time and you were not in cybersecurity, what would your best-guess effort be? Okay, sure. Here we go. And then if they don't get it right I'll throw it to the audience, see if you can figure it out. Here we go, get ready.

"In some medium, like, kids would get together and push each other."

That sounds terrifying. What do you think that is? Kids getting together sounds like TikTok to me.

No. Kids, remember, don't think security, she's just heard this term for the first time. Kids get together and kick each other, push each other.

Push each other? Push notifications.

No. Anyone want to take a guess at this one? What do you think? Cyberbullying? No. Good answer, that was good. Anyone? What? King of the hill? No, no, you're all wrong. Yes, someone back there? What? No, pen testing? No, but that's a good guess. All right, you're all going to be surprised. Get ready. It is sandboxing.

Okay, all right, we see how this game works. Got it, got it, sandboxing. All right, here we go, next one. Everybody, that's a cool moment. Hold on, got to play it again. Here we go.

"It's from a large organization trying to go through you to another organization, trying to work their way through, get your list of people somehow or get something from you."

What do you think that is, Mike?

Social engineering is what I go to.

No, no, that's if she was explaining it correctly. Yeah, okay. Wait, let me get Steve's answer first, hold on.

I'm speechless. LinkedIn?

Is it LinkedIn? Okay, what do we got from the audience? Man in the middle is correct. Man in the middle is correct, man in the middle. All right, Mike and I gave that one to the audience. We didn't want to make them feel bad. Audience, very good. All right, this last one is the toughest one.

Oh, great.

They get better, but you're going to love it. Okay, get ready, here we go.

"Well, when my subscription to one magazine gets mixed up with another magazine and I get the wrong thing."

Spoofing? Okay, I can't stress this enough, think about the very individual words of what this is and what could that be. Subscriptions mixed up.

Interception?

Steve, come on, Steve, you know this.

Nope. No, he's dumb.

All right, take a guess in the audience. Wait, hold on, I'm hearing lots. What? No. Cross-site scripting is correct. Nice. Cross-site scripting. The audience was amazing on that, that was awesome. You know, I didn't think anyone would get that. That is awesome, that was great. You and I, Mike, had better find other day jobs here, because this isn't looking good for us. Somebody knows my mom very well. Yeah, I didn't know your dad was in the audience.

Who's our sponsor this week? The external attack surface continues to expand as organizations grow, along with the number of assets and the perimeter. Now I'm talking about our new sponsor, NetSPI, here for the security teams looking for continuous visibility beyond a pentest. NetSPI can help start identifying and reducing risk to known and unknown assets with the help of NetSPI's attack surface management solution and the expertise of their security consultants. Reduce the noise, validate and prioritize critical risk, and start protecting what matters most. Visit netspi.com, let me spell that for you, it's n-e-t-s-p-i dot com.

What's broken about cybersecurity hiring?
So why do some cybersecurity interviews feel like you're attending trivia night or speed dating? Now over on the cybersecurity subreddit, which by the way, if you don't read that, there's lots of great questions and topics that come up there, and if you haven't noticed we pull a lot of our content for the show from their conversations there. So one redditor on there complained that for senior positions, interviewers asked trivia questions to challenge their cyber knowledge, but then when asked about their expertise in a certain area they just wanted a yes or no with no context. Is this just a byproduct of HR requiring hiring managers to ask the same questions to all candidates? What shouldn't you be asking senior security professionals? And I'll ask you, Mike: are open-ended questions a waste of time, or a valid chance for the interviewee to brag about their security prowess?

So first of all, bad interview questions are bad interview questions. It doesn't matter if you're asking the same one of multiple people. Conversely, the fact that you're asking the same question of multiple people doesn't make it a bad interview question. I personally make sure I'm asking the same questions of every candidate, because I want to be able to compare the responses.

But hold it, we're talking from like junior to senior position, you feel the same way?

All the way, because if you're actually trying to compare multiple candidates and you're asking them different questions, you're not comparing them. And you should be making these questions up in advance, you should write them down. It's reasonable for HR to actually require you to ask the same questions, and by going through that you're doing the candidate a service by yourself being prepared. If you're making the questions up on the fly, if you're making them up in the interview itself, that's not going to give you a good measure, and it's a terrible interview experience, and that's where you end up with these trivia questions. I very much remember being asked, while I was interviewing for a security architect role way back in the day, what is the number of TCP ports? Okay, I can answer that question, but it's not a valuable answer for you. I had someone else ask me what is the number of bricks in Brazil, and that was actually a really difficult question that revealed how I thought. So the questions matter, but trivia questions don't help at all.

And correct me if I'm wrong, you've mentioned that you've actually asked What's Worse scenario questions in interviews before.

Well, these are great, because what you get out of it is on-the-spot critical thinking, but also what is most important is explaining how you got to that answer. Just answering, you know, A is worse than B, you want to know more, you want to explain your answer. And so that is your opportunity: if you are being asked what seems like a binary question, recognize that it's a bad question, but expand upon it. That is your opportunity to brag about yourself. Your whole interview is your opportunity to brag about yourself, but as an interviewee you can control the flow, and so if you're getting bad questions, just turn it around and go from there.

All right, Steve, I throw it to you. What do you think questions should and shouldn't be asked, and do you think they should all be asked sort of equally from junior to senior, or are there certain questions you shouldn't be asking senior, which is essentially the complaint that was made in this Reddit post?

Yeah, and I like Mike's answer, but maybe it's just because I've been in the market a long time like Mike. Political reality entered that question to me, okay? And there's some political realities that we all understand, which was, one, could it be that your reputation and the recommendations that the HR team has already done has made this basically an irrelevant interview? Which is, what they're doing then is they're asking you questions because the decision's already been made, okay? So now they're asking you fun questions, hey, you know, how many... because we've got to fill the time. Let's get to know each other. In essence, the interview is over. What we're starting to do is build a relationship, because we're going to be working with each other, okay? And so that's why...

When do you assume, hold on, when do you assume that? Like, how do you know if you're going in like you've already got the job, and so whatever my answer is, it's just a relationship-building effort?

Or you should be thinking about it that way. So that's what I'm saying, having met on both sides of the camp here, right? That's what I'm saying is sometimes the questions that are being asked here may be an indicator of decisions being made, so I'm trying to bring you to the awareness that you can look at, well, the question is stupid, but think about the context of what's happening here. Is there a set of questions like this where there's an indicator? The other one is, the decision is made and you're not it, okay? And so we're just going through the motions, which is your fodder for the process, because you have to interview X number of candidates, okay? And so Mike's answers were absolutely right about how to answer it. That's why I kind of took it from a different perspective, to go think about kind of the political reality. As these questions are coming out, if there's a consistency there, realize maybe these circumstances are going on, so that you're able to also respond in an appropriate, you know, mode where you may not get upset if they're easy questions, because you may realize, oh wait, kind of like we're already dialed in and so we're building relationships.

Understanding Security Sales [Music]

Do we need minimum requirements for cybersecurity knowledge in sales? So cybersecurity seems fairly unique in that, where else do salespeople have little to no underlying knowledge of their product? Of course, as David Colombo noted on LinkedIn, not every role needs its knowledge, thinking marketing managers and other non-technical roles, but the danger lies in sales evolving to senior positions without a deep understanding across vital security areas. We know salespeople are hustling
hard, and some are very aggressive, but what knowledge, and I'll start with you, Steve, do you expect them to have from junior to senior? So sort of gauge your response here, and at what level is it cool that they simply don't know?

So I'll go from junior to senior. So if you're an SDR and you're brand new out and you're dialing for dollars, so to speak, okay, you've been given a script. That's a get-out-of-jail-free card, right? You've got a marketing degree or a sales degree and you're just following through, so you read the script. I get it, okay? In which case it's just a process and they're following it and they don't know. Okay, once you get beyond the junior level, I personally demand a much higher level of expertise, because if you're a senior guy coming in and doing that, and I'm saying, so you're telling me that selling sneakers and selling security is one and the same? No. Enterprise security sales and protecting companies is very different than selling you sneakers and talking about the color of the sneakers or the tread on the bottom. And I think that's where historically we've been letting the senior sales and marketing teams get away with murder here, because they've been selling us sneakers into a security enterprise environment, and we just can't do that anymore, in which case don't let the door hit you in the ass.

All right. What do you expect, and by the way, have you found yourself literally writing off a company because the sales team was just so unknowledgeable, like they were kind of clueless in the way you just described?

This is my classic when I was at Levi Strauss, and I've done this, and you know it, we've quoted them many times.

You quoted me.

Which was, sales team comes in and I watch, and I give them about 12 minutes, and then I respectfully say, I appreciate what you said, I have one question: how does what you do sell more jeans? If you can't tell me how it sells more jeans, then it's not interesting to me.

Does anyone actually have a good answer to that response?

So about a third of them have no clue, and I say thank you very much for your time, I'm done. About a third of them actually respectfully say, we've never been asked this before, but will you give me the opportunity to come back in two weeks for 30 minutes and take a shot at it? In which case I say, respectfully, yes. And about a third of them actually say, you know, I thought about this, but my sales and marketing teams would never let me put that collateral together. Let me give it a shot.

All right, well that's actually an impressive series of responses. All right, Mike, what do you expect in terms of knowledge from sales teams, junior to senior?

My expectations are the same. It's really what am I willing to forgive. I mean, to Steve's point about the junior SDR, you know, maybe I can veer off their script very quickly and they're not there, they're not ready for it, they're in a white space and they're not quite sure what to do with it. I can forgive that. But if it's someone who purportedly understands the product inside and out, I'm not willing to forgive that. I'm not willing to let them make things up or make promises that they can't possibly deliver on. That's where we're just like, this just isn't going to work, I don't believe in your product, I'm not going to make a purchase, you know, thanks, and have a nice day.

Do you ever throw challenges like what Steve does, you know, how does this help me sell more jeans?

So I've been toying around with asking how it will help me sell more cars. I haven't quite gotten there yet, but I think Steve's got the trademark, so I've got to figure out a licensing arrangement.

He set that up so you can ask the question. Have you asked the "how does it help me sell more cars?" Because you should.

No, because the reality is that is a nuance that people really aren't going to be able to answer. Selling a car is very different than selling a pair of jeans, by the way.

What answer are you looking for? Someone's asking, what answer are you looking for with the "how does that help me sell more jeans?"

So, net it out, that you're going to do two things for me. Either you're going to tell me how this is going to make my security team more efficient, okay, then I'm able to do more with less, or you're going to tell me how you're going to make me more effective at stopping the attacks, which is my ultimate responsibility, so that I can triple the revenue of the company without tripling the cost of my security team. Those are the two answers I'm looking for.

And also, to call out something that you said once, Mike, on a previous episode: if it's a vendor, like Levi's, where you can see the online sales process, and you can see, oh, I can see where this could be a security problem at this step, he goes, how can... well, I see this step is probably a major security issue and we can help you with that step.

Yeah, I do think going and doing some research on the company that you're talking to, understanding the ways that security could go wrong, an adversary could get in, something bad could happen, and having basically you pre-answer that question in your pitch. You know, I see you have an online shopping cart, are you looking out for these types of attacks? Based on what I'm seeing in your code, you're not. I'm not expecting the SDR to be able to answer that, but that is where they should recognize that they're going to get over their skis very quickly, and they should bring in, you know, SEC
sales Engineers security Architects and I'll dovetail on that which was so I talked about efficiency and Effectiveness and I think that's really important because the difference between doing more with less and doing less with less right and ultimately addressing our responsibility to stop the attacks not just try to eek out every scent out of our resources but if you look at it from a business perspective I'll go back and this is what we used to what we did to the board is we went up to the board and said we have three responsibilities we have to protect the brand we have to protect our people we have to protect our supply chain and that is how we sell more genes
with security so align to those three responsibilities and you start to have a really interesting business conversation who's our sponsor this week we have another awesome sponsor and that would be dvo let me tell you about them dvo replaces traditional Sims with a realtime security data platform powered by hyperstream d's integrated platform serves as the foundation of your security operations and includes data powered Sim sore and ueba with AI and intelligent automation your sock can work faster and smarter so you can make the right decisions in real time visit doo.com to learn more it's a simple site to go to d.com check it out it's time for the audience question speed [Music] round all right we actually have a good
amount of time for these questions so here we go gentlemen I've got a bunch of questions in my hand from uh fine people here at the bside San Francisco event excellent and this one comes from Jim McCloud and Jim McLoud asks either one of you jump in on this actually it's kind of What's worst scenario situation would you rather be attacked by a bear no no would you rather be attacked by an AP or the NSA wow uh gez I think I'd rather be attacked by the NSA um because it's the what happens next right with an AP who knows what they're going to happen what they're going to do next you actually kind of know what the NSA is going to do
and what they're going to do with it so all right well I'm going with NSA cuz I just got a free pentest against the nation state there you go oh that's good that's good okay uh this one comes from yummy am let me do that again comes from yummy oh yummy aoui uh with well simple and he asks as aiso and again this could be a very long answer but just give me one example here either one of you jump in as a ciso how do you demonstrate value to the business I mean look you're getting a big paycheck how do you demonstrate you are delivering value to the business why are you looking at me you
you have the you have the quote this is the jeans answer so it my suggestion for everybody right now is protect your people right social engineering attacks are the number one way that that we consistently get through because people are the weakest link and so what I would do is focus on the social engineering attack Focus us on you know the fact that that is just getting worse and not better is the number one way that we're trying to slow things down that's how I would net it out yeah and actually what you just said there about slowing things down that is one of the things that's key for me is working with the business without
slowing things Downs this is how we can help the company remain secure be even more secure without actually being a pain for everyone so it's really around productivity of the workforce is where we can help all right next one from Ross Hal luk who if you haven't se he published the book cyber for Builders Ross good guy good guy and I love this question in an era of consolidation what are the areas where seaes are still compelled to purchase and look for or to look for and purchase Point Solutions H Point Solutions uh usually where you see these is emerging uh technologies that your traditional security players haven't figured out a solution for um or isn't
necessarily a skill that you have on your team um if you look at the rise of the cloud back in the day no one really knew how to secure that and so there was a lot of Point products that came around very quickly now they've all become massive companies in their own right but that was an area where we had to look at Point products Steve I me take a slightly different uh TCT on that I'm going to say if you look at the Fortune 500 that are heavy legal and Regulatory driven therefore they have large audit teams they do lots of audits and the assessments against hipper PCI or whatever where the maturity of your
security program is is what they're trying to do then they're always upping the bar so now I'm having to go find Point products to address incremental evidence of compliance as they're poking holes at small areas now that I've got the big ones in pretty good shape all right next question quick answer on this from Joe galuska of net rise in their current state and I want to stress that in their current state what do you believe is the value or efficacy of es bomb's software bill of materials what do you think um I think that as bombs are something that are very difficult to really operationalize uh and without having uh without having it be Turtles
all the way down like there there's the s bomb of your suppliers there's their s bomb there's their s bomb there's their s bomb and it really feels like one of those things where unless everybody is doing es bombs you're not going to actually get any that's why I said the current state right so the current the current state it's not good um and at best I can get some information from my suppliers uh but I I've got four or 500 suppliers that are giving us parts that go into our vehicles I'm not getting s bombs out of all of them all right do you have a quick response to this one Steve th that's an
aspirational riskmanagement process and we're going to get better over time and we absolutely have to do it but it's going to be a slow Journey all right last question and I cannot stress this enough you may not Dodge this question all right I'm very good at dodging question you dodg one earlier 26 seconds left so if we wait long enough here let's keep it up we might be that's not my timing that's not my timing this comes from Misha so of ainia okay either one of you jump in and you cannot Dodge this question which seeso are you jealous of and why I'm jealous of Steve um because he he has retired uh and he is living a life that
I look forward to Le to Leading soon so I am jealous leaving or living soon living living soon so you're telling your current employee that you want to go and I'm telling them that my plan is to retire someday someday okay so he is jealous of you Steve who are you jealous of and you can't just return the favor that's why I went first um so I'm GNA say Jim ralth because I think Jim is I gave a little bit of Jim's history so people understand the context so Jim ralth another well-known ciso major Fortune 500s um why I call him out is because he is one of my mentors that I aspire to to
say how do I pay it forward right when I get out of the operational role and take all that experience what's the right way to pay it forward to make the security Community consistently better at stopping the attack and that is the end of the ceso series podcast uh let's hear it for the audience here at bside San Francisco [Music] all right thank you very very much I want to thank all the people here at bsid uh San Francisco they've been phenomenal totally professionally run uh event uh this has just been a blast was our second time doing it here and we had a great time I want to also thank our absolutely fantastic sponsors for making
this happen that's a dvo net spy and eclips let's hear it for all of them [Music] and uh let's hear it also for my guests right here that's Steve zooki on the far left and Mike Johnson's been with me since day one almost a total of 6 years I want you to know when I first met Mike I took him out to lunch I dropped the bomb on him in that I wanted to do a podcast with him literally first time we met each other and for some dumb reason you said yes I also had hair he had hair yeah had more hair that he had that back then but I appreciate it and I
appreciate uh everyone else here we greatly appreciate appreciate you uh contributing and listening to the seeso series podcast [Music]