
CISO Series Podcast – LIVE at BSidesSF 2025

BSidesSF · 2025 · 45:41 · 137 views · Published 2025-10 · Watch on YouTube
Category: Community
Style: Panel
About this talk
A live-audience recording of the CISO Series Podcast featuring David Spark, Andy Ellis, and Alexandra Landegger discussing cyber leadership challenges, career development in security, AI's role in workforce transformation, and compliance automation. The panel tackles audience questions, debates security priorities, and plays interactive games exploring how non-specialists perceive cybersecurity terminology.
Original YouTube description:
CISO Series Podcast - LIVE! David Spark, Andy Ellis, Alexandra Landegger Live audience recording of the CISO Series Podcast packed with CISO debate, questions from the audience, "What's Worse?!," and last year's favorite, "What is Dave's Mom Talking About?" Note: This talk begins with a quick photo with the audience; they will ask if anyone is uncomfortable with it. Overflow will not be photographed. https://bsidessf2025.sched.com/event/9bdf89f2d06dc9f07b4b60bc5b478ddd
Transcript (English):

Biggest mistake I ever made in security. Go. Number of years ago, I was working on a cyber incident and at the end we put together this beautiful AAR and then came my mistake of not checking the system. I assumed everyone was going to get the work done. And a year later, the same incident, same way happened all over again. The lesson I learned, accountability is everything for cyber. It's time to begin the CISO Series Podcast recorded in front of a live audience in San Francisco. [Music] [Applause] Welcome to the CISO Series Podcast. My name is David Spark. We are live in San Francisco at BSides San Francisco. Let's hear it. BSides. [Applause] [Music] A mighty, mighty crowd sounding much

larger than they actually are. We appreciate that. Hey, my name is David Spark. I'm the producer of the CISO Series and joining me on my far left is my co-host. It is Andy Ellis who is a partner over at YL Ventures. Let's hear it for Andy.

So, for those of you not initiated, that is uh Andy speaking what language? Slovak. In Slovak, he has chosen a different language for each show to essentially do his greeting where he welcomes you to listen at pretty much any time of the day. Yes. Yep. All right. At least that's what I tell you it means. I speak Polish and it's close enough. Close enough. Really? Okay. Good. I didn't This happened. We had a guest who spoke Hindi and who who actually told Andy it wasn't too far off. All right. We're available over at cisoseries.com. And let me just mention our phenomenal sponsors who you can see right here behind me. Uh, SecurityScorecard, Nudge Security, and Vanta. Let's hear it for

all three of them for making this episode possible. Let's hear it for them. You're going to hear all about that. Now, for those of you again uh just listening to this, we are in a movie theater in San Francisco. Our logo along with the sponsors' logos are literally the largest I've ever seen them before. Uh, generally when people are in this theater, they are seeing some big budget Hollywood movie with lots of special effects. What? The Accountant 2 will be playing here tonight. The Accountant will be playing here tonight. Okay. We put a lot of work into this graphic behind us of our four logos on the screen. Uh, in fact, we got Industrial Light & Magic involved in this

project and uh, I was really impressed at how they pulled it off. So, they did a great job on it. So, kudos to them. Um I want to thank uh BSides for making this possible and uh I want to introduce our our guest who's on stage with me sitting immediately to my left. It is the global head of cyber strategy and transformation for RTX, none other than Alexandra Landegger. Let's hear it for her. Hello. Happy Sunday. Excited to be here. Is training the solution to the lack of security talent? The internet is flush with courses in cyber security, some from educational institutions and many from industry influencers. There are the pitches that come with the attractive lure that

graduates of their program will get a lucrative job offer. Too good to be true? Well, until until recently, I had never heard of any person who got a job in cyber in that manner in the sense of no experience in cyber or IT, took a course and then got a job offer. Now I wondered, does that really happen? So I asked the community on LinkedIn and it turns out it does. Actually about 15 people said that it happened to them, although a good number of them had IT experience. So but it's clear it's not common and people knew of such cases or were one themselves. So my question is, I'm going to start with you Andy. What would it

take for it to be a lot more that you could actually get into cyber just taking one of those courses? And really my question is, can you fast-track a career into cyber security? So I like to think of cyber as less of an entry-level role and more of an insertion-level role, and I have seen people successful entry level and usually it's programs that a consortium of companies have all bought into that this program will train people to come in and learn how to work a help desk or IAM operations. You know, here's your entry-level role. We'll teach you just enough to do it and good luck with that. Um, these aren't necessarily the

most lucrative careers out there. Let's just be very honest. But they are opportunities for people who desperately need them. Um, but I think for it to be something more, I think we need to stop thinking of cyber as something special and start thinking of cyber as something adjacent. That almost every career in cyber, there is a non-cyber career field that looks very similar to it. And what we need to start doing is figuring out how do we provide training courses for those professionals to move laterally. Right? If you want to write a research report, you need a journalist to be part of your research report writing team. But who's training the journalists other than the you know security magazines

that we keep hiring them from? But that's kind of a short and small labor pool. So that's how we need to really approach this is how do we take people who have some set of skills and retrain them into cyber. I like that it is an insertion job, not an entry-level job. So how do we sell to all these different roles who want to make the switch over to cyber? Alexandra, what's your take? How do we how do we make this an easier thing to fast-track? Yeah, I 100% agree with the idea of adjacent roles. When I was CISO at Collins Aerospace, about a third of my team, um we hired about 70 people over a three-year period. A third

of those individuals had never worked in cyber. And the adjacency was exactly how we did that. We found a pre-K teacher who could take super complicated topics and distill them down for a 5-year-old and their grumpy parents. Right? If you can do that, you can train anybody about cyber security. How do you find those adjacent skills? And then certainly if training is a way that you learn, it can help you um really come together around that topic and help accelerate once you've landed that job. So my question is for an insertion job, so someone who doesn't have any traditional cyber security background, what are the kinds of questions that you would want to ask them to realize, oh yeah, they want to

do this, they're prepared for this? So I think a big question I often go for is, do you like to break systems? And I don't mean computer systems. And I'll give an example since you brought up the pre-K teacher. I'm uh in Massachusetts and my kids were in uh a pre-K program when Massachusetts decided that uh after every meal the teachers were required to make sure that all children brush their teeth and they knew that parents would want to opt out. So they also said teachers were not allowed to tell parents that opt out was a possibility because they knew that all the teachers would be like, of course I'm going to opt out. So what did the

teacher do in my classroom? came and met with me and my wife beforehand to explain this policy to us. And I said because they knew I would be like, "Well, I can opt my kid out, right?" And she's like, "Well, yes, and we have forms for that, but we're not allowed to offer them." Wink wink, nudge, nudge. And so when they then briefed the parents on like back to school night, I asked the question and the teachers like handed it out. That's a security professional right there. Somebody who when presented with the system said, "How do I beat the system?" That's what I want to look for. By the way, I recommend if you've not read Bruce

Schneier's book, The Hacker's Way, it speaks to this at at great volume. Same question to you, Alexandra. What would be those questions you'd ask to see if that person's prepared? What is the last crisis you encountered and how'd you survive? That's a good one because it doesn't matter. We all face crises on all sides of our lives. Whether it's I accidentally ran a stop sign earlier today and got pulled over and was late to a meeting or maybe it's my kid is sick and all of a sudden I'm late for the big meeting at work or maybe a hundred different things. If you can survive chaos all around you, that's ultimately what makes a good cyber professional.

That might not have been the best decision. [Music] Okay. If online courses don't land a job, should you turn to hacking to sell your services? Now, that's what Nicholas Cluster allegedly tried to do at a health club, gaining access to the organization's IP cameras and fiber router. He pulled this routine at a few organizations and is facing an indictment for his trouble. Now, a conversation on the cyber security subreddit called this optimistic red teaming, but it speaks to what people can do when they get desperate for a job, even if it will likely blow up in their face. I'm going to start with you, Alexandra, on this one. Have you ever seen other examples of candidates going too far, thinking

outside the box to prove their worth? And this could be good or bad. All right. It could be a combination of eagerness and/or desperation. What have you seen? So absolutely have seen this and some companies entice it through things like a bug bounty program, vulnerability disclosure, etc. This was definitely not a bug bounty program in this case. Companies don't like that and so certainly understanding the the business, the industry that you're in, I I think is a key piece here. Um, but also state by state laws vary and so you can wind up in legal trouble. And if you're the kind of person that's willing to wind up in legal trouble, there are very particular types of companies that

look for those services. I would say it that way. Have you worked for any of those types of companies? I worked for Booz Allen and we did a lot of consulting with uh different government agencies who happen to do some cyber offense occasionally. Oh, okay. So, you have some experience with this. All right, Andy, I take it to you. What's your experience of people being a little too eager? So, I see people doing an awful lot of stalking and then admitting it like, okay, what what does what form does the stalking take place? I'm going to I get this all the time. I get vendors do most of the stalking, but I've had candidates do the same thing,

which is they do the research on a person and then rather than using the research to inform a conversation, they make it the point of the conversation. It would be like if you're going to go on a date with somebody and you stalk them a little bit and find out that they have a dog and so you make sure you're going to talk about dogs. Okay. Talk about their dog. Not okay. I get in my inbox all the time people be like, "I saw that so and so connected with you about this thing and because of that you should interact with me." And I'm like, and at this point now you're just using AI to do it. You're not even doing the

leg work yourself. But the number of people that I've had go into my background and like read a whole bunch of things. I wrote and then reference them blatantly. Like don't reveal that you did the stalking. I'm okay with the stalking. Just No. No. But but if you hold this, there's a certain level. If you're going deep into the archive maybe and hitting multiple. Yes. But if you recently posted something and go, Andy, I really like what you wrote about this, this, and this. Just that's cool. That could be cool. Like I had somebody reach out to me who's doing a job search and said, "Hey, I just heard this episode on the CISO series. I read your, you know,

first 91-day guide for a CISO. I'd like some advice about this specific thing." Like that's okay cuz that's not stalking. I've had people like pull up a post I wrote 10 years ago that is not one of my popular ones and reference it. No, but they can research and find and that will come and reference in a way that was part of a sales call. Not that they wanted to talk about it. They just were referencing it like and I tell you the number. So I get pitches for the CISO Series all the time which is great. It's wonderful. I'm thrilled in demand but it always follows exact same format. I loved your last episode when so and so

you had Alexandra and Andy. It was wonderful. Next line. I was just happen to be thinking that the CEO of our company would be a great guest on your show. Always the same exact format. Always same format. Um but let me also throw out that there is one creepy way that used to happen a lot, not so much, is that uh LinkedIn lets you know that somebody looked at their profile. I've had people say, "Oh, I saw you looked at my profile. What would you like to talk about?" I mean that's like the vendor tactic of somebody your company was went to my website and now you must be interested. Okay. And this is why see correct me if I'm

wrong Alexandra. Do you bail when you see a book a demo button? Don't say it too loudly but very often. Yes. Yes. Because Yeah. That's because you don't want to be what I mean it's uh sales pitches aren't always effective. Seeing something in practice, talking to a CISO peer and hearing hey I'm working with this vendor on X and here's the problem they really solved for me, those are the companies that I go after and try and understand what they're doing. We by the way we hear that story. I think I want to build a deep fake company, which is like the blind demo that you can click the book a demo and you get a different deep fake will

attend the demo for you, but they have no idea who you are. I love that. Somebody wants to steal that idea, let me know. I just want like two points. Who's our sponsor this week? We have a lot of great sponsors and I want to talk to you about Nudge Security. So, let me ask you a question. How big is your SaaS attack surface? You can actually find out with Nudge Security. Their patented approach to SaaS discovery finds all SaaS accounts ever created by anyone in your organization and alerts you as new apps are introduced. The best part, you'll have a full SaaS inventory in minutes, even apps introduced before you deployed Nudge. Now, for each SaaS app discovered, you'll

see the list of all users, MFA coverage, SSO enrollment status, breach history, and more. You'll also have a full inventory of app-to-app OAuth connections, scopes, and risk scores with the ability to revoke risky grants with just two clicks. Now, Nudge Security also includes playbooks to automate tedious, time-consuming tasks like user access reviews, employee offboarding, and more. You can actually take control of SaaS security and AI governance with Nudge Security. Why not just start a 14-day free trial? See for yourself. You don't even have to do the demo. Just go jump in right away. Go to their website. It's nudgesecurity.com/cisoseries. And please add the CISO Series so they know we sent you there. So, nudgesecurity.com/cisoseries. Check them out.

It's time to play What's Worse! All right, I know that both of you are very familiar with this game, and I'm pretty sure that our audience is very familiar with this game as well. And uh this is how it's played. We have usually just two bad scenarios, but the this actually have three. So, you're going to rank them worst to best. Rank ordering, not not just picking one. Not just picking one. What's the worst? What's the second worst? What's the least worse, if you will? And this one you might actually have to write a note because it's kind of it you'll see it's a series of different combinations. Is this combination worse than that combination worse than that combination?

That kind of a thing. All right. Comes from Jay Dance of StubHub. And just to remind you, Alexandra, I'll make Andy answer first. So, you get to agree or disagree with him and give your rationale. I like it when people disagree with Andy. Okay. That's the best rationale. Yeah. All right. Here are the three. Uh Jay Dance I I mentioned Jay Dance at StubHub who's gives us phenomenal what's worse scenarios. Here you go. Here are the three scenarios. Scenario number one. No. In fact, I can just even show it to you right here. No asset management and no offboarding process. No asset management and no offboarding process for users or for assets? I'm going to say users. Okay. I'm going

to say users. Good. Good clarifier. No incident response process and no asset management. It's pretty bad. Okay. No offboarding process and no incident response process. So let me review these again. So there's no offboarding, asset management, incident response and essentially combination. You only get Yeah, essentially we only get one of three. So there you go. No asset management, no offboarding, no incident response, and no asset management and no offboarding and no incident response. Which one is worse? So I'm going to go with the best of these. The least bad is going to be that first one where at least I have incident response. I know I screwed no matter what. See, and like this is one of my my soap boxes is is if

I have a choice, give me incident response first because uh I'm going to have lots of problems I need to deal with and just getting rid of one problem. Incident response lets me take care of the rest of them. So, that's going to be my my least bad of these. So, now I'm deciding whether I'd rather have asset management or offboarding. Um, and I think that the challenge here is offboarding is more binary than asset management is. Like either you have offboarding or you don't. The question is if I have offboarding but not asset management, clearly I don't have comprehensive offboarding. Like offboarding on my core systems is easy. It's my things I don't know about that's

hard. So I think I'm going to go with not having let's see that having no incident response and no asset management. No incident response and no asset management. No asset management is going to be my worst. My next worst will be the no offboarding and no incident response. And then my least bad is the no no asset management no offboarding because in order I'm going to get I need incident response then I need asset management then I need to worry about offboarding. All right I throw this to you Alexandra. Same thing which you can look right here to your right. Yeah. Do you agree? You should look over here. So you so this way now we can really get

into it. I will market this because the challenge on this one is like if you have offboarding without asset management, you don't actually have offboarding. You just think you have offboarding. That's why putting that in there is the worst. Yep. I mean I to me asset management is the ERP of your environment for digital. It is the backbone of absolutely everything. You can't do incident response. You can't do offboarding. You can't do anything cyber without asset management. That said, first up, I agree with you. Always IR first. Um, asset management though, if it's good asset management, I would say that's actually the most important of all three. But if it's mediocre asset management, we're going to assume it's

good. Let's assume it's good asset management. Okay. If we're assuming that it's it's good asset management. Well, you now you have you have either good or nothing. Yeah. Good or nothing. I'll take good any day of the week. Yeah. All right. So, what's so what's your order? This was his order right here. Yep. So then I would I agree that the least bad no response and no asset management. So that's one. This was just two. The no offboarding and no incident response. I think no asset. You think that's the second least? The second worst. Ah no asset management offboarding. I actually agree with you I think. Oh no. Gee, why do you want that's the

best agree with me? All right. There's complete agreement here. I got to throw this. I'm going to throw this to the audience. So, I'm going to read them in the order that I read them so you'll determine. By applause, how many think of the three the worst is no asset management and no offboarding? By applause, how many people? All right, we got a few handful there. Second, no incident response and no asset management. By applause, we got a few more. We got a few more. All right, the last one, no offboarding process and no incident response. How many people think it's that? One. All right. I appreciate that. So, the audience is a little off of you.

They chose and I think where you want to go. No, they they they're off you. They chose worst is no incident response process and no asset management. So, agreed with you. But their second worst was no asset management and no off. No, no, no, no. The you're messing up the statistics. The group that picked it as the worst was larger does not mean that that's the consensus as the second worst pick. Yes, it does. No, it does not. Yes, it does. Makes us do rank choice. I need rank choice out of the audience as well. I am going with that. So, you got agreement with Alexandra. Slight disagreement from the audience. What is Dave's mom talking about?

[Music] All right, we played this game last year. It was a hit, so we're playing it again. And I just recently interviewed my mother again. So, here we go. I asked my mother to explain some cyber security terms. Surprise, my mother is not a cyber security professional at all. All right. I said the term and she made her best effort to try to describe it and there was no other prompting. Now, all of her answers are varying degrees of wrong with some having an element of being correct. So, this is kind of a reverse logic game here. You all know what these terms mean. Everyone in this room knows what these terms mean. Okay? Uh but my mother does not.

So, you have to think if I've never heard this term before and you were my mother, how would you describe it? Some of you may have mothers who are very savvy. My mother, on the other hand, is not. All right. I'm gonna I think David's mother is more savvy than David gives her credit for. She is savvy, just not in cyber security. She's Okay, so I'm going to play one clip at a time and I can repeat them if you need to hear them again and we'll we'll start with the two of you and if you can't get it, we throw it to the audience. Okay, here is the first one. What the heck is my

mother describing? No way are we going to give you internet service. Denial of service. Bingo. Yes, denial. Distributed denial of service. Very good. Very proud of you on that. Good job. All right, here we go. You got it. Very quick. Jump in as soon as you know it. Here you go, Andy. Here's the second one. Making your CV look awfully good. Making your CD look your CV look awfully good. Come on. You can get resume watching. No. Come on. Thank you. On your resume. Okay, let me let me just start up. She's 100% wrong on this one. Social fantastic. Okay, but listen to what she's saying. Yeah. I'm going play it one more time. making your CV look

awfully good. Look awfully good. Okay, you I know you can get this one. I always feel stupid when they're revealed. I don't think I've ever gotten one right, just to be very clear. Phishing. No, I'm going to throw this to the audience. Phone a friend. Hold on. AI washing. Hold on. C not CVE. No nobody else. No. Oh, I like that one, though. That's a good one. Come on. I I knew it's a who know. No. All right, I have to reveal it. I'm sorry, everyone. It's credential stuffing. Oh, come on. Oh, I love that. See, that's brilliant. That's a brilliant That one. This is where I give her credit for being very savvy. Yeah, you should have gotten that

one. All right, here we go. This one I feel you're going to get this one. I'm going to have Andy. Let Andy try to get this one first. And any Andy who looks bad. So David look bad. The wind comes through a crack. The wind comes through a crack. Come on. You I know you can do this. Don't say anything. Air gap. There you go. Very good. And that's my first one ever. I'm so JJ over there is like you should have known this one. Come on. All right. I'm very proud of you. All right. This last one is is difficult. It is difficult. Here we go. By the way, you can now say you got one right.

Congratulations. All right. There you go. Here we go. Here's the last one. Your boss wants something. Your co-workers say something else. And you're stuck. I will stress this is 100% wrong. Your boss wants something. Your co-workers want something else. Cyber security. Okay, you're thinking correct. Can't stress this enough. It's 100% wrong. Your boss wants something, your co-workers want something else. It's a mis it's a um it is I want to like say it's like someone with active directory but probably you know absolutely not. Um hold I'm going to go to the audience. Audience. What? Man in the middle attack. That is correct. Oh you're the man in the middle. Well done team. Very proud of

our audience here. Hey, I got one, which you know means I'm no longer a zero. Yeah. So, one wrong and the audience got one and each guest got one. I'm very proud of everybody here. Good job, everyone. Perfect. Who's our sponsor this week? As I told you, I'm going to tell you a lot about our great sponsors here. And we also have SecurityScorecard is one of our wonderful sponsors. All right. Today, resilience means more than protecting your own environment. It means securing your entire supply chain. Now, SecurityScorecard is leading the way with a supply chain detection and response approach that does more than monitor vendor risk. Their team helps organizations detect, prioritize, and

actually remediate threats across their third-party ecosystem. Now, think about it. 70% of breaches start with a supplier. SecurityScorecard gives you the visibility to know where the risks are and the expert resources to take action before those issues impact your business. Now, it's not just more data. It's a managed service that closes the loop with vendors, reduces risk, and helps organizations build a more resilient, breach-resistant supply chain. Now, you can learn more over at securityscorecard.com and start seeing results, not just scores. Why has this topic suddenly become the center of attention? So, some of you mistakenly thought one of my mom's explanations was CVEs, but that's what we're going to talk about right here. So, it's easy to dunk on the

CVE program. That's the Common Vulnerabilities and Exposures. But does it fall under Winston Churchill's wisdom of being the worst system except for all the others we've tried? Now, nothing makes you appreciate a partnership like the idea that it could end suddenly. And we experienced that with the CVE program this spring when funding was set to lapse. Now, for a quarter of a century, it's been one of the most impactful ongoing public-private partnerships, noted MITRE's Alex Summers on CyberScoop. Now, we know CVEs aren't perfect. They lack context for individual organizations. They're pretty much why whenever it's mentioned, and we've mentioned them a lot on our show, our guests have consistently dumped on it. But I'm going to challenge you, my

guests, to so to show the CVE program some love. All right. So, I'll start with you, Andy. What is something nice we can say about it? And does it go underappreciated in our industry? I love the fact that we can just have a very neutral name for a vulnerability, which is the CVE number, and we no longer have to deal quite as much with the crazy wacky names of trying to distinguish between last week's Active Directory vulnerability and this week's Active Directory vulnerability. We can just have numbers that are unique and specific. And like that is an amazing amount of value. And if you're like, "Oh, but Andy, that's not much." No, that's huge. Like that's what we need it

for. Just numbering. Just the numbering system. Yeah, we're getting I won't even say a smattering of applause. One person appreciated that. All right, Alexandra, I will throw back to you. What What love can you give to the CVE? So, I'll I'll focus on two things. One, similar to what you just shared, Andy, I I think having a common taxonomy to be able to speak about vulnerabilities. So much of what we do as cyber professionals is working with our suppliers, with our customers, making sure that we're passing on information through things like the ISACs, having a common taxonomy to talk about these things, a common place to direct people across the organization because cyber is a team

sport. We do not fix everything ourselves, being able to direct people to something that's always there and and available for us until the news the other day. But um having that I think is huge. The other thing, public-private partnerships are tough to pull off. The fact that this has been around as long as it has, I think deserves some credit and there's a number of players that that really have gone above and beyond to make sure that this has continued for such a long time. If you could fix just say one thing in the CVE program, would you? Andy. So, I would fix a a disconnect I've seen happen and it's going to happen more and

more frequently when coordinated disclosure happens and a researcher tells a vendor and the vendor fixes it before it becomes public and the vendor says, "Well, I'm not going to report it to MITRE and get a CVE number," and so it never gets a CVE number because it was never a publicly known vulnerability that was exploitable. Means that we're missing a piece out of our taxonomy. Ah, so it just needs that added, if you will. Good point. Alexandra, what what would you like to fix? Everything. Everything. Now, let me just say generally generally the dumping that we get on this show is is just like when you're determining your risk. It goes, well, don't just go

by the CVSS or, you know, they they dump on that. Well, we should recognize that CVSS and CVE are different things even though they share two letters in common. Yeah. Yeah. Well, and I think organizations need to embrace the fact that we're going to have to put in a little bit of work to understand the context. It's just the reality of the way our systems are. And that actually brings me to the point that that I would want to fix, which is as the world has become more and more connected, how do we make sure that we understand what these vulnerabilities mean in a product environment versus an IT environment or an OT environment

even. So, to me, I think that that sort of ecosystem context is is a critical part that I would look at as well. Yeah. And if we're going to talk about CVSS for just a moment, we should recognize that what CVSS gives us is not an accurate scoring system. And that was never really one of its goals. I have the benefit of being the first consumer of CVSS. And its single biggest goal is that we no longer say low, medium, high because everybody wants to argue with low, medium, high. When you can say 6.8, everybody's like, well, I'm not smart enough to argue if it's 6.8 or 6.7 and you can just move on and get on with

actual priority. The problem is a lot of vendor tools are green, yellow, red. Well, so they are endur decks are green, yellow, green, yellow, red. But get out of the vulnerability being green, yellow, red and get to project status there. Mhm. Who's our sponsor this week? The third sponsor I want to tell you about is Vanta. compliance regulations, thirdparty risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? Now, if you're thinking there must be something more efficient than spreadsheets, screenshots, and all manual processes, guess what? You're right. GRC can be so much easier while strengthening your security posture and actually driving revenue for your business. Vantis's

trust management platform automates key areas of your GRC program including compliance, internal and thirdparty risk and customer trust and streamlines the way you gather and manage information. And the impact is real. Listen to this. A recent IDC analysis found that compliance teams are using Vanta, the ones that are using Vanta are 129% more productive. So you get more time and energy to focus on strengthening your security posture and scaling your business. Vanta GRC how much easier trust can be. So you want to see for yourself, you got to go to their website. Go to vanta.com/ciso and learn more. That's van.com/cisso. And please add that so you know that we send you there. Is AI going to help us or hurt us? Yes.

Yes, says Andy. All right, we we actually have some questions. We're going to hit this a little later in the show, but let me ask you this. Quote, "An an analyst's work today looks incredibly different than an analyst job 10 or 20 years ago." Agree with this? Yes. Yeah. Yep. So that's Leslie Carheart of DRAOS who argued on their blog that modern analysts should be doing quote hypothesisdriven threat hunting for threats that their automation will have challenges in detecting end quote. Now we when we talk about automation there's always the argument that it won't necessarily eliminate cyber security jobs rather it will quote free up professionals from mundane tasks and allow them to do more

impactful highlevel work. So I'll start with you Alexandra. What are those higher level tasks that are now possible thanks to the fact the you know some are actually deploying automation and maybe you've seen it already. Yes absolutely have um I think there's a lot of potential here to allow people to take on those higher level tasks but again that question is what are they? Uh so really I think a few different points. one, when you're looking at a sock analyst specifically, I think computers have gotten very good at detecting a lot of types of of threat behavior, but one that has not really been very well solved in a consistent way is when people use legitimate access credentials

to be able to then traverse across and and get to where they're going. Um, so really having a solid understanding of the system, of the people, where they reside, etc., I think is is something that the human brings in in that regard. The other big area that I've seen a lot of automation really help in is is around GRC as well. Oh yeah, there's a lot of compliance things that it just takes time and the more that we can free people up to come up with more sophisticated programs around risk management or accountability like I started at the beginning of the session today building an issues management platform where we really drive the culture change and that accountability

throughout the entire organization that's that's really where I see a lot of potential. All right, excellent answers there Alexandra Andy what's your answer on this? Well, I love Leslie's framing of the hypothesisdriven threat hunting because one of the things I see people who are using AI sort of sometimes over rely on is have AI be the source of truth. Say, go collect the data and tell me what happened. And instead, we have this opportunity to to send multiple agents and prep them differently and say, "Your job, agent one, is to assume that this is adversarial activity. Explain it to me." and a second one to say your job is to assume this is normal activity and go

look at it and explain it to me and then the human can now look at these and sort of hold both truths in their head. It's really hard for humans to do that and basically impossible for the AI but like get the human to now think with the business context and to understand that sometimes the exact same action could be malicious could also be legitimate and you have to be able to entertain both of those. Let your AIs get stuck in a rut. All right, let your AIS get stuck in a rut. Um, was there anything in AI because this whole automation thing has been sold for quite some time and we're actually, you know, it's only within the

last few years that we're really seeing it take fruition. It was initially sold as you're going to be able to to decrease your staff. We all realize that was bunk. But, you know, one of the questions that came up, oh god, and and I'll try to find it. I'll try to quote the person in a second. is that if AI is doing all these low-level tasks, what entry-level positions are left? And building off of that, I think how do you then train people to get to those more advanced levels because they will never have gone through the 101 of cyber that we all built our careers in. And maybe that's a great thing because that will actually drive different ways

of thinking the same way that kids that grew up with a TI83 plus versus kids that had an abacus, very different outcomes. So it's it's really about understanding how different generations learn and and what we can do to to drive the conversations where we value everyone's perspective for the fact that it is different for the fact that it comes from different educational and experiential backgrounds. Yeah, this is that was from actually Chris Pedigo of Exonius who asked that very question. What's your take on that Sandy? So I think if we take an incrementalist approach, we just start plugging AI in and giving it the boring work or the automatable work, whatever, that's the world we're going to end up in. That we

will have nowhere to put in humans. But the reality is we didn't know how to bring in humans and train them anyway. Let's not delude ourselves into thinking that the corporate world is good at bringing in entry- level staff and providing them on the job training to develop them to be senior staff. Which let me hold I want to do a survey of the audience on that. That's a good good thing. By applause, how many people, let's just say any job have come in a job and they so poorly prepared you on day one by applause. How many you got good amount? Yeah. Very bad. I think what we need to do is redesign how we

build organizations and treat humans as AI herds, right? Your job is you have a bunch of AIs that do work for you. What is the human going to do in that world? rather than saying we're replacing humans with AIS, but you don't need like one manager for every seven AIs. Like that math doesn't work out anywhere. So all the mental models we have for how to do organizational design around humans do not work in a blended organization that contains both AIs and humans. It's time for the audience question speed round. I have here in my hand a bunch of questions from you, the audience. And with the little time that we have left in the show, I'm gonna ask as many as I

can and get your answers as quickly as possible. All right, here we go. This is from Arcadia Goyberg of Branch Financial. And Arcade asks, and I love this one. When did you have security theater in your environment? And what did you do to get rid of it? Alexander or Andy? My my favorite security theater is security awareness training where you make people come sit in a room at when I first started it or computer-based training. How did I get rid of it? A cron job with a web page that you click the link that says, "Yep, I came here. I read the three paragraphs. I got trained." Kid you not. 96% compliance with no humans in the loop other than

the person showing up and clicking the one page. Wow. All right. Well, there you go. Uh did you get improved security awareness? I Yes, because I had people who understood that the security team cared about their time and so when we did reach out to them, they gave us their time. Ah, there you go. I like that. Okay. Alexander, what's your security theater story and were you able to eliminate it? That's a big question. So, acceptable use, I don't know what your policy looks like, but most companies I've seen, it's a 50-page document and nobody reads it, right? So, we have a 50-page policy just like every other company, but the thing that that we've done in the last couple

of years is create a one-page and a 10-page version that people actually do read regularly because it's fun, it's entertaining, it's not a 50-page policy. So, to me, having having a a transition there was a big one. All right, here's let's get a quick answer out of this one because I know you could go on forever. Andy, what would this comes from Bar Hoofesh of Bright Security who asks, "What would a point product have to present to make you rip and replace?" So, you have the product already, you know, a competitive product, it's working. The competitor would have to show something for you to go, "All right, taking that one out. I'm putting this one in." uh be able to integrate

within one day and provide better results and work with me to figure out total cost of ownership, not just the licensing, but the people, the support, the long-term full cost to build that business case. All right, someone who appreciates that. All right. From Supro Gosh, uh, fractional CISO said, "If you're doing CISO succession planning and you do not have a deputy CISO, what are your options here?" I was CISO and did not have a deputy. So, I got permission to go hire one. So, that's one option. I know that's the cheating option. Uh, but the other thing was becoming close with our head of infrastructure, head of applications, uh, head of AI and making sure that they

had elements of security. So um so that way there were a few other peers that could potentially step in as well. Um before then again I got to hire the deputy who now is the CISO. All right. You should look at every person on your staff who could potentially become CISO and ask yourself what development they need to become in that position which might invol involve lateral movement or organizational realignment like move sub teams from one of your VPs to a different one so that they get experience. Oh, now I'm managing a compliance team when all I've ever had was architecture before. All right. All right. What is one action CESOS can take in reducing risk that you think most are

not doing? This comes from Mohan Kumar of Box. Either one of you, you could be reducing risk if you did this, but you don't think a lot are doing it. Turn off your cell phone and computer and restart them on a regular basis. Ah, that is a good one. That is a good one, Andy. Write your passwords down. Write them down. Write your passwords down. How many of you have a legacy plan that if something happens to you, your loved ones are able to get into your accounts and do what needs to be done? I have that plan. We have some, not every couple hands go up, but if you don't have that plan going up, that is massive

personal risk on your family. Still alive. Or you if you're still alive. All right. Last question I have for you. Given what you know now, and by the way, there's a politically correct answer and the not politically correct, I'm assuming. This comes from Tai Sabano of Versel. Given what you know now, Andy, would you be a CISO again? Absolutely. Why? I made a lot of money doing it. I'll be very honest. I wait. And not only did I make a lot of money doing it, I changed the world for the better. How many of you use TLS on a regular basis to secure your interactions with vendors like your banks? I did that for you.

You're welcome. All right. So, would you do it again? Yes, I would for the same answer as Andy. Yeah. Changing the world is is a big part. He also made money, he said. Yeah. Well, money, you know, hey, if my boss is listening, a little more. But changing the world, changing the world and rallying a team around an everchanging mission is just exciting. You know, you're dealing with threat actors changing, you're dealing with regulators evolving, you're dealing with customers, suppliers, you you get to integrate as much with the mission of your business as you'd like to. And it's a lot of fun. A lot of fun. Well, that brings us to the very end of

the show. Let's hear from my guests on stage. Alexander Landeer of RTX, Andy Ellis, my co-host with Wild Ventures. And let's hear for our three sponsors. We had Vanta Security Scorecard and Nudge Security. Let's hear for all three of them. Uh I want to thank uh you our audience. I want to thank Bsides as well. And uh we greatly appreciate I mean you coming here in the crowd and also everyone listening to this as well. We greatly appreciate your contributions and for listening to the CISO series podcast.

We are out. Thank you very much everybody. Appreciate it.