Transcript
00:00:00
Best advice I ever got in security? Gosh, it had to be: skipping out on empathy. We had a big project. We needed IT support to get a vulnerability management client rolled out. They had to do their own server hardening. We thought this was great, do both of them at once. They did not agree. Wish I would have put myself in their shoes.

You're listening to the CISO Series Podcast, recorded in front of a live audience in San Diego.

Welcome to the CISO Series Podcast. My name is David Spark, and we are recording
00:00:45
live, as you heard, in San Diego, specifically La Jolla, which, for those of us out here, we know is part of San Diego. I'm the producer of the CISO Series. Joining me as my guest co-host is the man sitting to my left, Gary Hayslip, the CISO of SoftBank Investment Advisers. Let's hear it for Gary. We are available at cisoseries.com, and our sponsor for today's episode is Entro, non-human identity and secrets security platform. Thank you, Entro, for sponsoring. We are actually at the Planet Cyber Sec conference, not
00:01:22
the first time we've done this. We've been invited back before. I'm going to actually ask you a question that's not related to this, but Gary, you have been pitched by a few vendors in your past? Yes. Okay, are you the person that actually reviews products? Yep. Yes, you do. You actually review the products yourself? You don't have, like, staff members doing that? Well, I mean, we do it together. Oh, you do it. Okay, so do you see something and then you hand it off to a staff member, or a staff
00:01:53
member brings it to you? Probably both ways. Yeah, honestly, both ways. Normally I, you know, see something, I want their input. Mhm. Because traditionally they'll be doing more work with it than I probably will, and they'll know, from a practitioner point of view, from an operations point of view, some extra things that we might want to be concerned about. But, you know, we usually do it together as a team. The reason I'm asking this is because I ran into somebody at a vendor, not a
00:02:18
security vendor, but a vendor that we use, and they never pitch me. They actually pitched someone who works with me, and he made a really good argument for the product. And by the way, it was very affordable, so it was not difficult to say yes to it. But it just made me realize, like, if they had come to me it would have been a useless effort, completely. So I'm interested: what are some of the sort of arguments that your staff makes that says we really need this in the environment? Typically, when my staff and I are looking at something,
00:02:48
I just don't buy things. Usually there's a problem that we've got that we're trying to fix. If we're going to be replacing something, it's a like-for-like. Okay. You know, so basically we're going to put in a technology that's going to improve the current security we have, and maybe offer new services as well. And then another thing we look at, too, is how easy is it for my staff to be able to do things with it: you know, the reporting, the visibility, the automation piece as well. If it's going to be integrating
00:03:14
with other things in the stack, is that data transfer, or that, you know, that data inference between the various pieces in the stack, does that do very well? Okay, so actually you have a very sort of elaborate vetting process. All right, I just want to get a little feedback. All right, let's bring in our guest. He's been very quiet until now, but you heard him at the very beginning of the show. To our far left, joining us for today's episode is the VP of Security and IT over at DNAnexus, Keith McCartney.
00:03:40
Let's hear it for him. Thank you, glad to be here.

I tell you, CISOs get no respect. How do CISOs close their credibility gap with the business? It's not their technical acumen but the Cassandra that's always warning of cyber doom. Now, this is a well-documented issue, and a recent Trend Micro study found that 79% of CISO respondents felt boardroom pressure to downplay cyber risks. Now, the reasons for this pressure were pretty evenly split between being perceived as nagging, overly negative, and just being dismissed out of hand by the
00:04:27
board. That's definitely a rap a CISO wants to avoid. So I'll start with you, Gary, on here: what's a better approach? Or maybe that is a good approach, I don't know your take. Maybe a compliment sandwich to get cyber risk concerns across? What do you think, and do you fear this, or maybe in your past you feared this? Well, I mean, in my past, yeah. But I look at myself as a business executive, and I just use technology and people and process and frameworks to
00:04:55
manage risk. So when I go and I talk to a board, and I also serve on boards and I advise boards, the whole doom-and-gloom thing, that's one small piece. You know, when I'm there, it's: this is the funding that we have, the projects that we have ongoing, this is how we are supporting the business, these are the current efforts that we are integrated with in other departments. I am a business executive that's talking about how we're supporting the business, and the doom, or the risk piece, is a small
00:05:22
piece of it. If you go before the board and you've got five minutes to talk to them and all you talk about is the sky is falling, you're doing it wrong, because you're not going to be invited back. Board members know. Is that the key, what do I say to get invited back? Well, it's not so much what you say to be invited back; it's what you say that's pertinent to the business, that makes sense, so they get kind of excited about what you're saying: oh, this is really relevant to what we're doing
00:05:49
right now. And so what I go ahead and do is, I find, okay, I'm supporting compliance, and I'm supporting legal, and I'm working with certain projects, and yes, I'm reducing risk, and yes, we are concerned about attacks on our portfolio companies, and we're concerned about... So what I do is I talk about how we're doing that support and how we're helping the business move forward and be innovative, and then at the same time I also talk about the risks that we are reducing. So I'm getting it across that
00:06:15
we are dealing with these risks and we are dealing with attacks, but you want to go ahead and kind of sandwich that in with what you're doing for the business and how you are supporting the business, you know, because that's what they want to hear. All right, Keith, I throw this to you: agree, disagree, add? Would, and do you have this fear that you're coming off as a Chicken Little, Cassandra, sky-is-falling issue? Yeah, absolutely. I think one of the important things to keep in mind is that these folks are not just
00:06:44
there to talk about cyber risk. They're there to talk about every risk that the business faces. And so if you know the context, if you've done your homework and you know the risks that the board is going to be considering, or that the company faces, then you can offer your assessment of the cyber risk in context of those other problems and challenges that your business is facing. And by the way, Gary elaborated very much. Are there certain techniques that you have learned over time, maybe: I made this mistake
00:07:11
before, but now I handle it like this? Because I can't imagine you were out of the gate doing this right. So maybe give an example of: I used to do it this way, now I do it this way. Yeah, I think you've got to really listen to your board members. You've got to listen to the questions that they're asking and adjust your approach to fit the information that they need. It is important to talk about your program, but they're not going to be concerned about the nitty-gritty details of operations, right? They're
00:07:35
looking at the big picture. What is it that you're doing to help the business go out and sell more? What is it that you're doing to help the business be more effective operationally: changing the time frame it takes to get a new acquisition integrated, changing the time frame it takes to get new employees up and running? All of these things are helpful when you think about the revenue targets that the business is facing. One of the things I've learned over my six roles as a CISO is that each time you
00:08:05
kind of get better, because you get smacked and you learn. When you talk with boards, it helps having a mentor, someone that's either a board member or someone that regularly reports to the board, and they look at your slides ahead of time, they look at your presentation ahead of time, and they'll tell you. They'll start throwing stuff out: you've got five minutes, why have you got 35 slides here? Are you stupid? You know, and you start going through stuff, you know, and
00:08:28
everything, and okay, we've got to get down to two slides, this is what they're going to be interested in. And you want that type of mentor because you want to know the personalities that you're going to be talking to. You want to establish a relationship. You want them to be able to trust you, that you can speak about risk and talk about: my program is 35 million on the budget line, and this is what we're spending it for, and I need that 35 million, oh, by the way, I need another 10% increase. But you need to be able to
00:08:51
speak to that. And so you want a mentor, you want someone that's going to be able to help you before you go in so you can effectively tell your story. And that's one of the biggest things I've learned: it's about storytelling, helping them relate to what you're discussing and why it's important to them and important to the business.

As a CISO, what do you think about this?

What do we mean when we talk about security engineering? A post on the cybersecurity subreddit argued the definition
00:09:23
can vary between industries. Now, one respondent defined it as either an architect role, where you do the technical designs and review of designs, or, quote, a programmer that implements the designs. Others defined it as a system admin of security tools, a function of evaluating, implementing, configuring, and maintaining a security platform, or an information system security manager/officer for hire. So I'll start with you, Keith: is the role of security engineering really that varied, and what do we need to do to clarify it
00:09:53
so we understand the role and its value, especially for hiring? Yeah, I think it is that varied. Engineering, in my mind, is solving problems, right? And the problems that we face as security practitioners are pretty varied. I think about it: there is this discussion about, is it a technical role or is it not a technical role? And I think if you're in the technology function of an organization, or there's a technology component to your business, which is pretty much every business these days, you're going to be
00:10:22
solving a technology problem. And if you do that through configuration of a system, pushing a policy, or through writing code, that is solving the problem, right? It doesn't mean that necessarily every person with a security engineer title is going to be writing code, but it should be something that they're not scared of. It should be something that they're familiar with. Gary, what do you think about the role, and have you struggled with this? And I'm sure you've seen job listings for
00:10:51
security engineers are all over the map. Oh yeah, same thing. I do believe it varies for each company, because when you really look at it from a security standpoint, from a management-of-risk standpoint, and everything that you're doing as a CISO and your security team, each company has unique issues. You know, whether you're regulated, whether you're not, the different technologies you're using, the different projects and stuff that you're doing, you're operating in different countries. And so your security
00:11:17
program is going to reflect what the business currently needs. And so engineering, I think there's some core things that all security engineers have and know, like, you know, firewalls, you know, IDP. These are things that you know; that's about 60% of the job. The other 40% is things that are going to be unique for each time, for each business that you're at. And then the more senior you get, as you build your teams, and you're a team member and then a team leader and then a manager, and then say
00:11:43
you start working yourself up to CISO, then you start bringing in the soft skills as well. I mean, it changes, and it's going to reflect the business. So what I'm hearing, I'm kind of hearing two things: the role evolves over time, and two, and correct me if I'm wrong here, the role would also change depending on the environment you're in. And, well, you're the same person, Gary, but has the role changed in different environments you've been in? Oh yeah, it's basically the needs
00:12:14
of the business, and you'll see the business shift. Where, you know, at SoftBank we were on-prem, and then in 2019 we made the decision to totally gut all of the infrastructure and go 100% SaaS. There's a bunch of different skill sets that you're going to start recruiting for now, because you're in a full cloud environment. One of the things I think about, too, is your security engineers are advisers to other folks in your business, so they've got to be able to peer with those folks, and they've got to
00:12:39
understand what their roles are, too, right? So if they're peering with somebody and helping with a marketing website development, they've got to know a thing or two about how websites are run. Same thing if they're peering with software engineers: they've got to understand how software is built. That's their job.

Who's our sponsor this week? It is Entro, and let me tell you about them. So as non-human identities such as applications, APIs, and devices continue to expand, and we know that's happening, their
00:13:11
associated risks and related exposures expand with them. That's kind of true with all tech. So this is why Entro Security created a unique and powerful feature: Non-Human Identity Detection and Response, or NHIDR for short. So Entro's NHIDR capabilities identify potential threats by monitoring behaviors to illuminate unusual usage patterns and unauthorized interactions. Now, that means that if an NHI, non-human identity, acts outside of its normal parameters, like accessing data unexpectedly or interacting with
00:13:48
systems it shouldn't, NHIDR catches it in real time. So Non-Human Identity Detection and Response doesn't just stop at detection; it actively mitigates these risks before they can cause damage. In a world where a single compromised NHI can bring down an entire organization, having Non-Human Identity Detection and Response in place gives your organization the edge it needs to stay secure. So stay ahead of the curve with Entro Security and their advanced detection and response solutions. For more, just go to their
00:14:21
website. It's entro.security.

It's time to play What's Worse. All right, we all know, for those of you who've heard the show before, you know this game. This game has been around since the beginning, since we started this show. We get wonderful What's Worse scenarios from our audience, and by the way, we're always looking for more, so please send them in. And essentially it's a risk management game, something security professionals deal with, and we have a great couple of scenarios from John
00:14:56
Hayden with Trend Micro, and here it is. Gary, you're going to answer first, and here we go. Scenario number one: your company gets fined $10 million by the SEC for not being transparent for a breach, or your company CISO goes to jail for 24 months for not being transparent in a breach. What's worse? Oh, I don't want to go to jail. I know, I know, I know. Okay, so I know that you don't want to go to jail. Let's just think about the overall business. What would be worse? Yeah, if you're talking about yourself personally,
00:15:29
I could see that that second scenario for sure would be worse. Okay, all right, so I'm not going to jail. You, Gary, are not going to jail. Okay, cool. But you're thinking about the business. Okay, the business would be the $10 million fine; that's far worse. Yeah, because it's basically the damage to the brand and, you know, the company and everything else. It'd be the fine. So it's worse if it's you, for sure. That is for sure. I mean, that's obvious. It's always worse. But if it's your, if Gary Hayslip
00:15:56
is out of the equation here, because I don't say Gary here, then it's far worse than 10 million bucks. Well, you're not really telling me why the CISO is going. Well, because he was, that's just the company, he's not being transparent in a breach. We're just leaving it at that. All right, so I would say the company getting the $10 million fine would be worse if I was thinking about the company. Yes, well, we're trying to be thinking about the company. But if you're being selfish? If I'm
00:16:18
being selfish, I'm not going to jail. Exactly. All right, Keith, I throw this to you. Yeah, I got kids, man. No, I agree with Gary on this 100%. So again, if it's you specifically, it's worse. But so you don't think, because yeah, 10 million is bad, but I don't know, does the brand damage of your CISO going to jail for 24 months, could that be worse than $10 million? Depends. All right, let's hear what it depends on. The thing about it is that CISO is going to jail because
00:16:54
they were not transparent about a breach. Mhm. Okay, all of us, you know, CISOs that have been in, you've dealt with multiple incidents, usually the issue is it isn't that we're not being transparent; it's the fact that we're being as transparent as can be and the company's not listening to us. That's typically the problem. You know, if they're not being transparent, that means they're hiding things from the company. So, I mean, it's kind of like, you know, they're at fault. They put themselves in
00:17:21
this issue where they're going to prison for two years because they've been caught about the fact that they hid some facts and they put their company in trouble to cover their own butt. Okay, which could speak to the culture at the company, possibly. It could, and that could be very brand damaging. You know, cultures tend to run over CISOs quite a lot. Okay, all right, I'm throwing this one to you, Keith, again. Do you think it could be that 24 months could be more damaging than $10 million? I
00:17:49
think it's the same conversation that Gary just highlighted: what is the cultural problem that caused this issue, either the fine or the jail time? What didn't work properly in breach identification and notification? Very good point. All right, I throw this to the audience. By applause, how many people think it's far worse that the company gets fined 10 mil? And again, I'm taking out of the equation that anyone in here would be going to jail, because I know that's
00:18:17
the selfish response. So $10 million is the worst scenario, by applause. That was a good amount. And by applause, how many people think it is the CISO going to jail is far worse? That is pretty evenly split, I must say. I'm kind of shocked by that.

It's time to play Fantasy CISO. All right, we have yet to play this game on this podcast, and there's a heavy visual aspect to it, so apologies to the listeners right here, but we're trying to spell this out as much as possible. So I need you guys to turn around, bring kind
00:18:57
of the mics with you as you turn around. So Keith is our guest. I'm going to have Keith go first. Here, essentially, these are your controls. You get to pick your team from these controls, Keith, and essentially you'll each go one by one, and Dutch here is going to be helping us with selecting them. So your first control, which one do you want from this list here? I think I'll go with incident response management. Okay, incident response management goes to Keith. Gary, which one do you want? So I mean, if he gets
00:19:27
one, it's crossed out? Yeah, you see, you can't select it. Like picking players for a team, you both can't have the same player. Gary, dude, this sucks. I don't like it. You're going to see how this game plays out. I really don't like this. Where is identity on here? Identity, I guess we don't have; we can put it on there. There we go. So we have no 2FA on here. You've got access control there. Access, yo, there was access control. I'll do access. There you go, Access Control Management. There you go, we have
00:19:55
it. All right, that goes to Gary. All right, go ahead and pick, Keith. All right, I'm between asset management and data recovery. Is there any, like, pull the audience here? You want to poll the audience? Go ahead. Poll by applause: how many people think he should pick asset discovery? No one. I'd just go for EDR, I guess. All right, let's go with data recovery. Data recovery you wanted? I'm sorry, you want data recovery? Data recovery, let's go with that one. All
00:20:22
right, they didn't even respond. I wasn't even going to poll them on the other one. All right, Gary, pick the next one. I'll do EDR. EDR, okay. And then Keith? Yeah, this is tough. Let's go with application software security. Okay, application software security. He's got application software security. Gary? We've got five left. Controlled use of admin. All right, there you go. That's somewhere on the identity level, sort of. All right, Keith? Asset management, go back to that one. All right. Gary, three left.
00:20:56
Do email and web browser protections. All right, two left. Keith? I will go for security awareness. Security awareness, Keith, and Gary, you get penetration testing, pen testing and red teams. All right, now let's go to the summary page. That's the second tab where it says attack. All right, so just quickly, before we reveal the attack: Keith has asset management, data recovery capabilities, implement security awareness and skills training program, application software security, and incident response management. Gary has EDR, Access
00:21:29
Control Management, controlled use of admin privileges, pen testing, and email and web browser protections. All right, what's going to happen is there's going to be a random attack, and then Keith and Gary are going to each argue why they are better situated to handle this attack than the other, and you, the audience, will vote. All right, reveal the attack. What do we have? Your cloud-hosted logging platform has been compromised. All right, Gary, I will have you go first. Why are you better situated to handle
00:21:57
this attack? Well, let's see. All right, so we're managing access control, we're managing admin privileges, we've got endpoint detection, you know, on there. I mean, I'm used to running my EDR solutions inside my cloud environments. All right, Keith, why do you think you're better situated? I've got incident response management. All right, there you go. He leaves it. He just leaves it there. He just leaves it. No more needs to be said. Keith, I was really excited about that. That was
00:22:31
my top draft pick. All right, we're going to throw this to the audience now. Audience, by applause, how many people think Gary is going to win here with his team of controls? By applause. All right, there's about four people who are applauding for you, Gary. And Keith, how many people think Keith is going to win? All right, Keith wins. Good job, guys.

Red alert, all CISOs on deck. Quote: imagine a house where the drywall, flooring, fireplace, and light fixtures are all made by companies that need continuous access and whose
00:23:16
failures would cause the house to collapse. You'd never set foot in such a structure, yet that's how software systems are built. Now, that's how Bruce Schneier talked about the market-driven brittleness shown in the CrowdStrike outage. He argued the push for short-term profitability leads to situations where everyone runs as leanly and quickly as possible with little redundancy. Now we need, quote, infrastructure to mimic nature in the way things fail. Now, he pointed to Netflix's Chaos Monkey tool,
00:23:49
and we all do this actually, as an example of something whose purpose is to build resiliency. Can this kind of deliberate breaking of infrastructure, can this be done at scale? Can we kind of build resiliency at scale, kind of, you know, looking at the Chaos Monkey example, which is used within a very closed environment? And then what could be an area where we're going to have a point of failure? I mean, you don't have to call anyone out by name, but we're happy to listen if you want to. No, I don't think
00:24:17
you can do it by scale. Okay, simple as that. We're wrapping up this segment. Well, the thing about this is that you're not breaking what's causing it. And the fact that, you know, there's a whole thing about infinite games and finite games, right? Cybersecurity as a community, as an industry, is a finite game. We're stone crazy if we think we're going to be a winner, because this thing never ends. You know, the threats, the things that we're dealing with, never end. That drives profitability, that
00:24:45
drives getting the product out there as soon as we can, that drives this whole market thing. That's what Bruce is talking about here, where if you're dealing with an infinite game, you're in the game to play the game. You're not in the game to win, which means that you're in the game to be there for the long term, resilience, right? And by the way, there's a great book, The Infinite Game by Simon Sinek, that speaks of that, that the winning of the game is the continuing to be able to play, be
00:25:10
able to continue playing. So if we take out the point to where the issues that Bruce is talking about, where we're just hurrying to go ahead and get to the market, to go ahead and make this quarter's numbers, to make money, and instead we're looking at the fact that we want to produce something that's going to be around for a long time, and that's good for the community, that's good for our customers, and that it's going to be resilient and it's going to be able to take
00:25:33
attacks, that is honestly what we should be talking about. I mean, I get what he's talking about with the Chaos Monkey piece, that you're constantly breaking and you want to build resilience that way. I'm like, we shouldn't be breaking. You know, it shouldn't be that way. Just looking at it from a different point of view. All right, okay. I mean, the thing is, but the value of breaking is that hopefully we won't have another incident like the CrowdStrike incident. Well, you'll know
00:25:57
where it's going to break ahead of time, so you could build resiliency at that point. I mean, I think that's kind of a basic point in cybersecurity. I'm going to throw this to you, Keith. What say you? Can it be done at scale? Where could be a possible breaking point? How do we learn about the next breaking point so we can build resiliency? I think testing everything, like literally everything, at scale is going to be a very challenging problem. I do think that there's parallels, though, with what
00:26:23
we do already when we build software. When we design systems and architect them, we do a threat model. We look at how can this thing go wrong, how can we have problems. And I think resiliency, or availability if you want to use that word, is something that we look at, and I think that's something that we can continue to do and do more often. But I don't know that we can do it across everything at one time. I think it's going to remain at the component level. So when you're looking at pieces of a
00:26:52
system, or you're looking at a third party and your dependency on that third party, you're going to do the assessment there. It's funny, the point on Chaos Monkey, because Netflix actually has a Chaos Kong, so rather than a component failure it simulates a regional failure. And they also have something that they've called the Chaos Platform, where you can do further automation. But I think with those things you start to run into this problem where not every component
00:27:21
that we have needs to be multi-region, multi-cloud, fully available, fully redundant. It's just a cost problem at that point. So we still have to make decisions on where we want to spend our limited investment to add the resiliency in.

What about this AI security challenge? CISOs love a good framework. They are a critical tool to help push compliance conversations forward as organizations attempt to manage risk. But when it comes to AI, what are our framework options? Actually, we heard a little from Dutch Schwarz about this
00:28:00
very thing today. So se lockme s Madan posted a good roundup of the existing AI frameworks, showing which ones are designed for CISOs, like the NIST AI RMF, and which are more developer focused, like MITRE ATLAS. So I'll start with you, Keith, on this. What makes an AI framework so unique? Have you found an AI framework that works for your organization, or does it feel like we're going to have to start from scratch? Yeah, this is a really great question, and we have had some very good conversations on this today. I
00:28:33
think the frameworks are tending to approach the problem at two different ends. So they're looking, one, at the governance side, of like how do organizations identify and control this risk, and then some of the other frameworks, MITRE is a great example, OWASP is a great example, approach from a very technical level of what your practitioners need to do, what do they need to consider when they're building systems that include these AI components. So I'm really hoping we don't need another framework. I think that's a
00:29:01
problem that we find ourselves in. We've got plenty of them already. I think it's just a matter of looking at the framework for the problem that you're trying to solve. Are you trying to solve this organization-wide, or are you trying to solve this for the threats that a specific system will face? Gary, your thoughts? Yeah, I do recommend his article that he posted up on Medium for anybody that wants to read it. It's actually really good. I was amazed at the list of stuff that's out there dealing with this
00:29:29
right now, and it's very fast moving and changing. I'm used to using frameworks. We're heavily into GenAI where I work as well. Thank God I don't have a developer team that's doing this, so I don't have to deal with that side of the house. What I find interesting, though, is that many of the security startups that are starting to pop up now that are doing things around AI security are now offering the operation side and the dev side, depending on which side you want to use. And that's the
00:29:58
question I've been asking them now as they're developing this: which framework are you using as you develop this tool, or you develop this platform, and you're bringing it to the market? And, you know, many of them will talk about NIST or they'll talk about MITRE, but as you were just stating, Keith, they tend to be for specific things. They're not really for everything, and I don't think there's really anything for everything yet. It just depends on the use case of what you're doing. If you are an
00:30:24
organization, a company that's selling a product, and the product happens to have some type of AI capabilities, or you're using LLMs, then you'll use a specific framework that they're developing now that tends to be more towards dev. If you're a CISO, you may want to be familiar with that, because if you are tasked with AppSec and product security, you want to be able to look at it. But really, you're going to be more concerned about operations and the governance piece: where's all the little
00:30:50
GenAI tools that are popping up? Where's the data leakage that's happening? You know, are we doing this correctly? Are we training our staff correctly, you know, for prompt engineering, and making sure they're using the correct tools? And that's a totally different framework that's being developed. Again, it's going to be up to the business. Let me ask a question: is there anything that's unique with AI that frameworks are not covering, or is it just, hey, this is just
00:31:14
another new technology? It's not the first time we've had to deal with a new technology. I was actually asked that at another conference a couple weeks ago, and to me cyber is cyber. We still have issues that we still got to manage. People are still going to be stupid with technology. AI is something new; it accelerates extremely fast. I mean, the rate of change has just been amazing, but when you really look at it, it's the use of data with new technologies, and you got to be able to
00:31:45
understand the controls that you typically have around data, and then look at it at scale and look at how fast it's moving with these new technologies. And so in many ways the controls and the stuff that you're trying to do are still the same, but it's just, it's a new technology, it's a new approach, it's something, you know, so you've got to learn that to understand the risk that you're still trying to manage. And so, you know, I try to tell people, you know, cyber is still cyber, the risks are still there
00:32:09
that we still got to manage, but this is a new technology that you're dealing with, and you can't be scared of it. You got to get involved and actually use it, work with it, break it, and then help your team be comfortable with it as well, so then you can understand the risk. Keith, anything to add? Yeah, I think there's one thing about AI that might be a little bit unique, and that's the over-reliance issue, and that is not necessarily an obvious issue for the people that are developing and using and
00:32:35
designing these systems, so that's one that we got to think about. Yep. It's time for the audience question speed round. [Music] I have in my hand here a handful of questions from our audience, these people out here, and we got a good amount of time. I think we can get through all of them, just a few right here. I want to get your feedback on these. From Emily O Carol at Guido Security, want your thoughts. I'll start with you, Gary. For those entering the field now, so those green or switching
00:33:06
careers, what are the top three, and I want to say top three, growing roles you believe in cyber that would be a good entry point? Actually, we did this whole thing about people that are entering, and if they're green and they're starting, I don't tell them to come into cyber. I tell them to go into networks. I said, you know, learn cloud, learn Python, get familiar with AI tools, learn networks, basically come in on the IT side and then pivot. All right, that's your... 100% agree with that. I think find
00:33:36
an organization and an industry that you're passionate about, find a role where you can do support for technology, support for networks, development, and then help your security team. All right, good advice. All right, hope someone green is listening and adhering to that. All right, from Al Tias from Arlo. Now we're going to compare this to a year ago. What do you think the stress level of a CISO is today as compared to a year ago? Higher, lower, what's unique? Keith, you first. I think the individual stressors have
00:34:11
changed, particularly with LLMs and AI, but I think overall the stress level is probably about the same. Say probably about the same? Hold it, that was one thing going up and another thing going down, so that's why it's equal? Yeah. Okay, what do you think's going up, what's going down? The focus on AI is up, is bringing it up, and I think the geopolitical situation, for a lot of reasons, is continuing to be a hot topic depending on your industry. Is there anything bringing it down? Gary, Gary's
00:34:42
trying to think. Uh, no. I'm interested, I'm going to go to the audience here. Does anyone think there's anything that's bringing stress level down? Anything? Complete silence. So maybe the answer is then that it's going up. Going up, yeah. We get CISOs going before the SEC, we've got, you know, companies being fined huge amounts of money for different things that have security components, we're going, you know, before boards and leadership teams more often. You know, there's nothing that I
00:35:19
can see that's reducing it. Oh, so this is why CISOs are getting burnt out, because it's just adding non-stop stress, am I right? I've known several that have walked away in the last six months. Yeah, well, whole other episode, we'll come back to that. All right, from Matt Stamper of the Executive Advisors Group, and I love this question, and I hope you have an answer for it, by the way: what's a metric you used to report that you just stopped reporting? Oh, figures Matt would run up at this
00:35:54
one. We used to go ahead and report on, like, how many things were patched and how many things were unpatched, and we quit reporting on that just because, to me, it doesn't really reflect the proper risk of the organization, because you're going to go ahead and patch specific things that are unique to the business, unique to the applications and stuff that you're using, and there may be other things that you don't patch right away that you may patch later. And so having
00:36:21
this whole thing of if you got this many that are unpatched or this many that aren't patched and you got this many days in between, it doesn't really properly reflect the risk. Mhm. And we just quit doing it, and actually the boards would just glaze over, they didn't really care. All right. Yeah, same thing. We focused on vulnerability remediation SLA, like how well you're doing versus the raw number of issues. You stopped doing that. Anything else you stopped doing, or just the patching numbers? We had
00:36:48
other metrics that we were looking at around identity and access management, but it just wasn't driving the right decisions, it wasn't driving the right insights. So we've really focused on, again, as Gary mentioned, where our risks are versus where our operations are taking action. All right, last question comes from Richard Greenberg, who is with Layer 8 Masters and the man who's responsible for all of us here. Let's hear it for Richard. Oh, you're going to clap louder than that. There you go. All right, I like this question, and we
00:37:24
are making sure that none of your CFOs are going to hear this episode, so we want to know your secrets: what's your favorite technique to get your budget? Come on, reveal. Keith. Have a good business case. Have a good business case: why are we doing this, why do we need to do it now, and are there other options that are cheaper? You're just saying yes to that. Gary? No, I mean, you know, the thing about this is that when I'm doing my budget, I'm never doing it by myself. You know,
00:37:54
typically when I am briefing my budget, I report to the CTO, and so it's myself and the CTO briefing all of our projects in technology across the organization, and then when I brief the specific things that I am doing, I tie it into other departments and how we're supporting the deals teams and how we're supporting legal and compliance. I never do it where it's security standalone. Instead it's: security, I've got these specific things, this is what I'm supporting. You're telling a story. You know, and so it's
00:38:24
it's that, so that way they understand impact: if you take that away, you're going to hurt these other departments as well and their projects. Awesome. Well, that brings us to the very end of this episode. Let's hear it for our guests, Gary Hayslip at SoftBank Investment Advisers, and also Keith McCartney with DNAnexus. A huge thanks to our sponsor, that's Entro Security, non-human identity and secrets security platform. Remember, go to their website, entro.security, for non-human identity detection and response, or NHDR. All right,
00:39:02
in closing, I always like to ask: are you hiring? So maybe your portfolio companies also within SoftBank advisers, also with DNAnexus, are you hiring? Yes. Gary? Yes, I am. All right, Keith's a quick answer. Yes, I am. Keith, are you hiring? Absolutely. Reach out, reach out. All right, you can reach out. We'll have links to their LinkedIn profiles. Our audience may contact you directly if interested in a role? Yes, but go to the site first. Just don't go say, hey, what do you got for me. Go to the site, do your own research, and
00:39:32
then come to them with a specific request. I want to thank Richard Greenberg, Planet Cyber Sec, Layer 8 Masters, and this entire audience for putting on a great show and inviting us to record this episode, and also thank you to our audience for supporting and listening to the CISO Series podcast. [Applause] That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows: Super
00:40:11
Cyber Friday, our virtual meetup, and Cyber Security Headlines: Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.