Fantasy Hacker League
Episode 60, 21st October 2024 • Great Security Debate • The Great Security Debate

Shownotes

In this episode of The Great Security Debate, Dan, Brian and Erik invent (and copyright) the idea of a Fantasy Hacker League then dig into more serious discussions on deception technology, asset discovery challenges, and resource management. The conversation also delves into the impact of budget constraints on security projects, the mental toll on cybersecurity professionals, and the evolving role of CISOs in digital transformation. Issues such as job stress, burnout, and role mismatches among security leaders are addressed, alongside strategic insights on integrating security within broader business operations.

00:00 Introduction to the Great Security Debate

00:39 Humorous Take on Hacker Recruitment

03:16 Fantasy Hacker League Concept

09:18 Microsoft's Honeypot Strategy

22:58 Challenges in Security Budgets and Resources

31:03 The Reality of Full-Time Positions

31:31 Introverts vs. Extroverts in Leadership

32:06 The Challenges of Being a CISO

33:53 Work-Life Balance and Stress

37:04 The Role of Security in Business

39:36 The Future of Security Leadership

41:00 Adapting to Economic Constraints

59:28 The Importance of Enjoying Your Work

01:00:26 Conclusion and Farewell

Transcripts

Host:

Welcome to the great security debate.

Host:

This show has experts taking sides to help broaden understanding of a topic.

Host:

Therefore, it's safe to say that the views expressed are not necessarily those of.

Speaker B:

The people we work with or for.

Host:

Heck, they may not even represent our own views as we take a position for the sake of the debate.

Host:

Our website is greatsecuritydebate.net and you can contact us via email at feedback@greatsecuritydebate.net, or on Twitter, ecuritydebate.

Host:

Now let's join the debate already in progress.

Speaker B:

So would that be the equivalent of us having a Russian or Mandarin welcome message in our system?

Speaker B:

So when somebody breaks in and sees it that they are like, oh, well, this is a local, I'm not going to attack this.

Speaker C:

Exactly.

Host:

Yeah, but that goes back to the idea.

Host:

Remember the old idea of the message that says, hi, you've come to this system.

Host:

Illegal use is not permitted.

Host:

Remember the build splash screens?

Host:

I don't think that worked at all.

Speaker C:

But what did work was someone that was like, hey, great work on getting into our system.

Host:

Would you like a job?

Speaker C:

Just like to say like you kindly wouldn't mind leaving.

Speaker C:

Greatly appreciate it.

Speaker C:

But this was awesome.

Host:

So there was an article, there was an article about that.

Host:

There was an article about this is, I think it did not relate to institutional hacking.

Host:

You know, those that were, you know, they were rooted in organized crime or state sponsored, but others that found those kinds of messages, apparently there's some percentage, and this, I wasn't planning on this so I don't have the reference ready, but I'll put it in the show.

Speaker C:

Notes before via text or find it.

Host:

But there was a massive drop in the number of, in the number of times the person would see, see that and would then just stop or not do the final extortion because they were there just to, they were there just to play.

Host:

But seeing that, yeah, that, that confirmation, that affirmation apparently was quite well received.

Host:

So is that, is that going to be the new robots.txt or security?

Host:

Txt.

Host:

Thank you.

Host:

You found a great thing.

Host:

We really appreciate it.

Speaker C:

Would you like $5 AI algorithm, right.

Speaker C:

Get that embedded in the AI, be nice, treat the attacker with some respect, some level of glorification, and then kindly ask to leave.

Speaker C:

Yeah, what could go wrong?

Host:

What could go wrong?

Host:

Yeah, really?

Speaker B:

As you guys are walking through the institutionalized hacking groups, nation states, and then the criminal begin to wonder, is that like a minor league?

Speaker B:

Do they start bringing them up at some point that, hey, you've, now we're moving you up to the pros.

Speaker B:

You got to.

Speaker B:

Maybe.

Speaker B:

Maybe we could start doing this.

Speaker B:

The hacker draft.

Host:

There you go.

Host:

You've been drafted by the Milwaukee.

Host:

By the Milwaukee.

Host:

The Chicago.

Host:

I can't even think of a good word.

Host:

B or C.

Host:

That Chicago crackers.

Speaker C:

You could create a fantasy hacker league, right?

Speaker C:

Like, drafted sandworm, first round.

Speaker C:

Booyah.

Speaker C:

Getting into that IoT, baby, right?

Speaker C:

Like, ooh, who'd you pick up?

Speaker C:

Right?

Speaker C:

Like, oh, I went after that Nigerian prince that does, like those.

Speaker C:

That phone scamming stuff, right?

Speaker C:

Try to pick up some low hanging fruit points, right?

Speaker C:

Maybe on a late Sunday game.

Host:

And then it could all be like the Yankees.

Host:

But there's an ethical problem here.

Host:

Most you'd have to, like, agree to follow the rules that you would only use the assets that you've acquired and not go after others.

Host:

So it.

Host:

Otherwise, it'd be like the Yankees who just break the luxury tax every year.

Speaker B:

Screw it.

Host:

We're buying everything.

Host:

We'll pay the extra money.

Speaker B:

I mean, if we're doing this fantasy, I think you could pick up a defense that's on the blue team as well.

Speaker B:

Like, you could pick companies to see, and if they don't, aren't in a.

Speaker B:

You know, in the.

Speaker B:

In the news for a breach for a time period, you're picking up some points.

Speaker C:

This could be, you know, like, football season.

Speaker C:

Like, I did fantasy football again this year.

Speaker C:

Gonna admit I got back in.

Speaker C:

I kind of been removed from some leagues.

Speaker C:

Not forcibly removed, no.

Speaker C:

But, like, a previous company I worked at, so.

Speaker C:

And I can say when I was at Aisha, I no longer work at Aisha, but I was so close with those people, I still consider them family, right?

Speaker C:

I was still part of their league for, like, another year or two.

Speaker C:

And when, like, I came in second or first, like, two years after, I'm not there, and they're like, James, we're probably gonna have to remove you.

Speaker C:

A lot of new people here, and they really want to be part of the league.

Speaker C:

And we had to tell them they couldn't.

Speaker C:

And then some guy from outside the company wins.

Speaker C:

I'm like, totally get it.

Speaker C:

Right?

Speaker C:

Like, breakup.

Speaker B:

It's not.

Speaker B:

It's not you, it's me.

Speaker C:

It's.

Host:

Oh, no, it's me.

Host:

It's you.

Speaker C:

So, like, now I, like, I joined my current company's league GT's, and I find myself now doing that.

Speaker C:

Am I doing the audible book in the car?

Speaker C:

Do I get a little bit of that fantasy sports check?

Speaker C:

Should I be picking somebody up?

Speaker C:

Next thing you know, I'm like, an hour into listening fan, and I'm like, I just wasted an hour of my life.

Speaker C:

This was pointless.

Speaker C:

Because no matter what they say, like, last week, they told me to play Calvin Ridley.

Speaker C:

Zero catches, complete die.

Speaker C:

No, look at, this is like, if it was a year long league.

Speaker C:

Like, this is only so many weeks, right?

Speaker C:

But if you had a year long fantasy hacker league, right?

Speaker C:

What defense do you pick up that you hold all year in the hopes that they don't end up in the news on the dark web?

Speaker C:

You know?

Speaker C:

How many people, like, I'm sitting there listening to fantasy sports.

Speaker C:

How many more people would log in to be like, man, I wonder if there's anything on the dark web.

Speaker C:

I'm gonna totally poop on Eric this week, right?

Speaker C:

He's gone down, right?

Speaker C:

Like, people would actually probably be more diligent.

Speaker B:

Like, you're not even gonna believe it.

Speaker C:

Zero day, I thought it was.

Host:

And this becomes much more.

Host:

This becomes much more possible now with SEC disclosures.

Host:

So you can actually take your rate.

Host:

You can take your results based on the 10-K and 8-K filing.

Speaker B:

This is interesting.

Speaker B:

I think we're onto something.

Speaker B:

And maybe if you don't want to pick individual companies, you could pick the.

Speaker B:

What are the codes called that define the different verticals that people are in the business codes.

Host:

Oh, the SIC code.

Host:

Go by SIC code.

Speaker C:

Like, if you got stuck with healthcare right now, right?

Speaker C:

It's be like, oh, my God, I can't believe I'm picking twelve.

Speaker C:

I'm totally getting pooped on with healthcare, right?

Speaker C:

Like, you know, you're putting up zero points, all right, on a monthly basis, just saying, like.

Speaker B:

But you can have a multiplier on that.

Speaker B:

If a week goes by where healthcare isn't in the news for a breach, there's a multiplier.

Speaker B:

Right.

Speaker B:

Because you took a high risk category.

Speaker C:

Yeah.

Speaker C:

So maybe you get four x, right?

Speaker C:

Or if it ends up as a tie, it's like that money back that they're.

Speaker C:

I listen to the radio and they're like, you know, that you can bet on blah, blah, blah.

Speaker C:

And if your team doesn't win, but you tie at this, you get your money.

Speaker C:

It's like, we don't want you to be upset.

Speaker C:

We just want you to bet more.

Host:

That's right.

Host:

Or we're going to give you five.

Host:

We're going to get.

Host:

For every bet you make, we're going to give you five more dollars that you have to spend here.

Host:

It's like Kohl's cash or these other goofy ass mechanisms to try and just get you back into the store, Dickie.

Speaker C:

And think about the different parlays you could do.

Speaker C:

Because I hear those two where they're like, you know which one I really like right now?

Speaker C:

I really like the idea of, you know, I forget it.

Speaker C:

The Sam Darnold over his passing yards, right?

Speaker C:

Be like, sweet.

Speaker C:

Whoever gets hacked this month, I'm taking the over that they go ahead and pay the ransom.

Speaker C:

I'm betting ten k over on bitcoin.

Host:

Should we now talk about manipulation of the results?

Host:

Oh, I'm going to bet heavy.

Host:

I'm going to bet heavy on Cisco getting breached and then I'm going to deploy my own hacking team to breach Cisco in that week.

Host:

And then I'm going to make a ton from both.

Speaker B:

Just love responsible for any actions taken from the information or game that we may purport here.

Host:

Is that legally none of this is real and none of the.

Host:

None of the names that we've named are actually on our list to hack.

Speaker B:

I won't.

Speaker B:

I actually think that would be a ton of fun.

Speaker C:

Like, it would be one of those things, like, hey.

Speaker C:

Like, oh, it could be part.

Speaker C:

No, I shouldn't even say that.

Speaker C:

I did not just say that.

Speaker C:

Like, you're distilling security meetup once a month where it's like, we're just doing a quick check in.

Speaker C:

Just let you know where the leaderboard stands right now.

Speaker C:

Danny Ayla really riding high at the top.

Speaker C:

Drafted really well.

Speaker C:

Got a little sleeper there, right with his flex play.

Host:

He did lose.

Host:

He did lose 30 points because he got called by the FBI for his accuracy of choices.

Speaker C:

Dan was thinking long term, got to give the guy a lot of credit going into the playoffs, knowing that there was a presidential race on the line and Fancy Bear might pick up their game.

Speaker C:

Bam.

Speaker C:

He nailed it big.

Speaker C:

Give it all to Dan.

Speaker B:

Team name tariffs for you.

Speaker C:

Did you guys read the article about Microsoft creating the fake Azure tenants to pull phishers into their honeypots and all the things that they saw?

Host:

No, I didn't.

Host:

Soup is pretty.

Speaker C:

This was really cool.

Speaker C:

I'm gonna.

Speaker C:

I'm gonna pull this up here, right?

Speaker C:

Cuz, like, now, again, going to the fantasy side, I don't know that anybody would be picking up a Microsoft, right.

Speaker C:

As like a sleeper pick for doing something this crazy cool, right?

Speaker C:

But again, low dollar value idea, fantasy line.

Speaker C:

Boom.

Speaker C:

Microsoft comes in, drops in some fake Azure tenants.

Host:

And.

Speaker C:

And if I read this.

Speaker C:

So Microsoft was using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure to lure cyber criminals in to collect intelligence about.

Speaker B:

But who did they charge for the E5 licenses?

Host:

You.

Speaker C:

We all know those aren't free, but with that collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify what was cool though, and I'll have to go through it.

Speaker C:

I'm not going to read the entire thing right now, but when I was looking at it last night, like they were catching like some of the information they got, this wasn't just like a nation state.

Speaker C:

They were getting information from everybody.

Speaker C:

Right?

Speaker C:

Like nation state.

Speaker C:

The, the 17 year old, the 13 year old that was just over in Europe or some guy over here that was literally ended up in that honey pot.

Speaker B:

Nice.

Host:

Interesting.

Host:

Really interesting.

Speaker B:

Good on that.

Speaker C:

A lot of cool information there.

Speaker B:

That's creative because I mean, for the longest time, the Microsoft stack and not unique to Microsoft AWS is also at fault for this as well, right.

Speaker B:

That if you look at the amount of attacks that have come out of low cost or free tenants, email and stuff that have been able to be spun up there, we actually, we were having a conversation with our email provider.

Speaker B:

So not naming who they are, but they were like, hey, we see that you put a hard block on anything that was coming from an onmicrosoft.com domain.

Speaker B:

Yeah.

Speaker B:

Because I think there's a lot of providers out there that don't understand what that actually stands for.

Speaker B:

Right.

Speaker B:

That anything net new.

Speaker B:

Your tenant is something.onmicrosoft.com.

Speaker B:

If you see any email from there, that should be a dead giveaway that somebody's screwing around with you.

Host:

Yeah, that's funny because I thought the m's on your shirt and hat there stood for Microsoft.

Speaker C:

Oh, well, I thought that was Microsoft Field behind you.

Host:

Eric lives in Windows 95.

Speaker C:

For those of you that were watching the video while listening, I said that comment while Eric was taking a big swig of water and he literally just.

Speaker B:

Almost like, yeah, almost had to protect my tech here recording it.

Speaker B:

It was like a Gallagher event.

Host:

Well, the idea of attack, the idea of honeypots like that is, you know, obviously not new, but being able to extend it that way is good.

Host:

I think we need to do more of that.

Host:

It's hard to, it's hard to find the time inside your organization to actually spin up those kinds of things unless you have a really big, really mature organization like Microsoft resurgence now.

Speaker B:

Right.

Speaker B:

Because I obviously talked about Microsoft doing it.

Speaker B:

As we look at, we've started, I mean, under the coin of like the deception vertical, you saw Attivo come up, get acquired by SentinelOne.

Speaker B:

Pretty cool stuff they're doing, and it's not unique to them in that space.

Speaker B:

This is the new wave that, hey, we finally, for the longest time, acknowledged somebody's going to get in, but if we can now start feeding them some crap data and get them to jump for one of these things, we can start to pick up earlier on what they're after, what they're doing.

Speaker C:

Preston.

Speaker C:

See, I did think that was, not beating anybody up here either, but I thought Attivo's deception technology was some of the better technology in the market.

Speaker C:

The acquisition, though.

Speaker C:

So like at that same time when you had CrowdStrike buy Preempt and then SentinelOne bought Attivo, and everybody was looking at it, not necessarily for Attivo's deception technology, but more on some of the stuff they were doing around identity.

Speaker C:

And everyone's like, yep, we just bought an identity solution.

Speaker C:

We're going to integrate one agent, still one agent, right.

Speaker C:

And at the end of the day, like after a set period of time when X number of engineers, or I'll just call them like, the overlays are no longer there anymore, I don't know that there was a core understanding of how to position the deception technology of Attivo, and it was really good stuff.

Speaker C:

And it was like all that momentum that they had talking about it.

Speaker C:

And I'm not going to say that I know stuff that I don't know, but when you have a lot of salespeople or engineers that all leave a.

Speaker C:

And then you have the rest of the company that's trying to work on the identity piece, it was like the deception technology kind of almost got left behind in the story.

Speaker B:

Yeah.

Speaker B:

So this is not, this is a conversation I've had with a couple tech CEOs recently that I think certain technologies, they have to start recognizing that their position is not only a market position and where they fit from a technology stack perspective, but also from a maturity roadmap and the companies that they're targeting, and I don't think they often get that, that certain companies are further along that, hey, I've got a lot of legacy tech debt.

Speaker B:

I've got to pay down.

Speaker B:

I've got to fix the architecture now that we've got that and that's where we're going to spend our time.

Speaker B:

Now we can start bolting on some of the cooler technologies and start to take advantage of that.

Host:

But if you don't buy the new cool tool now, your company will die.

Speaker C:

That's where some of the pen testing I shouldn't call it pen testing as a service.

Speaker C:

The SaaS PTaaS solutions and breach and attack solutions.

Speaker C:

So I'm talking like.

Speaker C:

And if we're going to name names, like the Penteras, the Horizon3s, the on defense, etcetera, what I thought was cool is some of them, or at least one in particular, is now working in the honeypot piece.

Speaker C:

So it's almost like working in tripwires.

Speaker C:

So, like, as you're doing your.

Speaker C:

Your patch Tuesdays and then your breach and attack Wednesdays, to confirm that all the patches were done correctly, appropriately, or if you deployed a new this, that it was configured correctly, and then they're leaving behind, as they're doing those simulations, leaving little things behind right when they find gaps or this or that for whoever comes next to hit the bell.

Speaker B:

Interesting.

Speaker C:

I'm like, that's actually pretty cool tech.

Speaker C:

So instead of just giving me, like, I do a pen test once a year, twice a year, right?

Speaker C:

I put this in.

Speaker C:

Yeah, I get the breach and attack simulation part.

Speaker C:

You can scan way more ips really, really, really fast.

Speaker C:

But then I got a lot of work to do.

Speaker C:

If you leave something behind that rings a bell right now, it's like, sweet.

Speaker C:

Now it's that honey poppy.

Speaker C:

Sorry, go ahead, Eric.

Speaker B:

No, I was just going to say, I think that's a perfect example of an evolution that's super cool, but still predicated on the earlier tenets.

Speaker B:

And, you know, I'll pick on the CIS 18, right.

Speaker B:

That until you know what assets you have, where those assets are, that deploying something like that, you're doing a shotgun approach of thinking that you understand where it's being deployed and what you're protecting, when actually some of your biggest risks probably fall outside of that known container of assets you have.

Speaker C:

Knowing both you and Dan, though, I mean, you guys would sign a document if your bot management came to you and said, Dan, do you know where 100% of all of our assets are?

Speaker C:

Sign this document that.

Speaker C:

Yes, you do.

Host:

No, no.

Speaker C:

Right?

Speaker C:

Like, now, there are things out there from an asset discovery, et cetera.

Speaker C:

But again, you get into that, like, what are we capable of doing on our own, right, from a maturity standpoint?

Speaker C:

And then what would we invest in to help us figure that out faster?

Speaker C:

And if you're one of these companies that I'll say, like, let's say Fortune 500, right?

Speaker C:

Like, if you're this big today and you've been around that long and have so many legacy old assets out there, deception technology would be really cool to put in there, right?

Speaker C:

Because I don't even know where everything is.

Speaker C:

Right.

Speaker C:

But if I could get some stuff at different gates, right.

Speaker C:

To be alarmed or get stuck in.

Speaker C:

Sweet.

Speaker C:

And maybe I'm investing in some type of asset discovery solution.

Host:

But.

Host:

But a very large but.

Host:

Um.

Host:

The idea of putting.

Host:

Yes, I have the large but, um.

Host:

But putting things in.

Host:

Into an environment where you don't understand the environment.

Host:

Not even.

Host:

Let's not even say fully, let's call it 80, 90% throwing a mechanism in there, and then you end up spending a lot of time chasing against things that may or may not be true.

Host:

That, to me, is a resource strain that combined with spending whatever it was on the tool that you'd only getting 20% of usefulness out of in the first place.

Host:

I am so fundamentally stay at basics until you are to a maturity point where you can make small, measurable steps forward.

Host:

That throwing that stuff in.

Host:

In an environment, unless you know you're wasting both your own money and your resources money.

Speaker C:

And that's why they named it a honey pot.

Speaker C:

So, honey on the glycemic index, very, very, very low.

Speaker C:

So when you look at fructose versus glucose and that process, from a diabetic standpoint, it is way healthier for you, regardless of how much of it you eat or where it spills.

Speaker C:

Right.

Speaker C:

Like, that's why they call that a honey pot.

Host:

Yeah, but I'm out $100,000, and I sent seven people running after you after stuff that doesn't matter.

Speaker B:

Yeah, that's not Brian.

Speaker B:

Hashtag cyberpubear.

Speaker C:

Well, you tell the board, like, yeah, but, guys, it's super low on the glycemic index.

Speaker C:

Like, this is way healthier for us.

Host:

But I bought a honey pot.

Host:

Are we using it?

Host:

Well, no, but we bought it right now.

Speaker B:

Hopefully, you're not running it on VMware.

Speaker B:

And it now just went up 10x, 20x in cost.

Speaker B:

Oh, two, actually.

Speaker C:

I got a great how to pull that together.

Speaker C:

You're correct, Daniel.

Speaker C:

I will agree with you.

Speaker C:

Because outside of being low on the glycemic index, the idea of honey and where honey comes from, if you're buying honey at the grocery store, mass produced, coming in a jar from God knows where.

Speaker C:

Yes.

Speaker C:

You're getting the good sugar.

Speaker B:

Tell us something.

Speaker B:

Is that a Michigan cup that Dan was just drinking from?

Host:

Yes.

Speaker C:

Oh, my gosh.

Speaker C:

It is that back up.

Speaker C:

There it is.

Speaker B:

Okay.

Speaker B:

All right.

Speaker B:

Just wanted to call that out.

Host:

Yes.

Host:

Because I.

Host:

I reuse and do not throw away from.

Host:

It's from the game.

Host:

From the Wisconsin Michigan basketball game I went to.

Speaker C:

But if you're worried about your security, your posture, right, the idea that maybe we have some allergies in there, things start to flare up in the spring or during, you know, election season, et cetera.

Speaker C:

It's the local honey, right.

Speaker C:

In your environment that is best for you.

Speaker C:

That's the stuff that they give a little bit into your cereals, your tea, etcetera, to your children.

Speaker C:

It's like giving yourself a little bit of that sting of every plant in the environment in very low dose amounts with the sugar and other things in there, right.

Speaker C:

So that your body ends up building up immunity to the pollens, right.

Speaker C:

And thus reducing down those seasonal allergies.

Speaker C:

So, Dan, to your point, totally agree.

Speaker C:

If you're just throwing random honey in there, it ain't going to work.

Speaker C:

You got to figure out your local environment and go get a honey pot.

Speaker C:

That makes sense for the allergies in there, right?

Speaker C:

Like, come on, guys, local honey.

Speaker B:

What?

Speaker B:

And now what if we just start becoming, what if we get local cyber bees?

Speaker B:

Can we just better, because they're, they.

Speaker C:

Understand your environment even better.

Speaker C:

Like what happens when you, like when you have all these almond orchards and everything else that are bringing bees from Michigan out there and then those bees hang out, but they don't really know the environment.

Speaker C:

Hang out with a bee, they shouldn't have come back with a little something something and boom, beehive dead.

Speaker C:

Right.

Speaker C:

Like you got to know the local environment.

Speaker C:

Absolutely agree with you there, too, Eric.

Speaker C:

Great point.

Host:

Are you advocating for a cyber bee in every, in every port?

Speaker B:

It is actually kind of funny that you bring this up because I was talking to somebody last night.

Speaker B:

We were grabbing some beers and talking about how their sales org is structured differently from a company they were previously at.

Speaker B:

And the kind of the national marketing and push for sales versus being able to create regional pockets that start to understand organizations and where they are.

Speaker B:

And just the vast difference between the coasts, Midwest, and the speed at which companies are moving what they're actually looking at.

Speaker B:

But if you try to take that holistic approach, just like bees and honey, right.

Speaker B:

You got to have that local touch.

Speaker C:

Yeah.

Host:

Yeah.

Host:

You really do.

Host:

I want to flip to something else, though, in that discussion.

Host:

And it's about resources and budgets.

Host:

The fact that throwing money at tools, throwing resources at tools, it was, you know, this was a lot easier in a day in which the, we were seeing information security budgets stay or grow.

Host:

I think we're starting to see the, well, we've, now, I think we can all agree we've seen the end of the, of the unfettered growth of security and security budgets.

Host:

The, there's just, I guess we're having to do more with less for the first time in a very long time.

Host:

And as a result, we started to hear more from people about, I guess, overwork, unhappiness in work, doing things they don't want to do.

Host:

I mean, I'll be very frank.

Host:

I, if I have to fill out one more security questionnaire, I'll probably throw something, which, by the way, my afternoon is filling out security questionnaires.

Host:

But the, but there's all sorts of this going around in organizations.

Speaker B:

Real quick, what I'm hearing, Brian, is GTS should actually send Dan a questionnaire about his involvement in the upcoming Michigan-Michigan State tailgate to understand the controls that he has around the environment, what's being brought.

Host:

I got, my controls were all thrown out the door when they made it a late game and now have completely made me unable to go.

Host:

The, the, just the idea here that we're starting to see real pull on this environment.

Host:

I think organically this and our field has already been one that's very taxing mentally because of, because of the topic area, because of continuous bombardment, because of continuous threats.

Host:

There's never a downtime, there's never a good day to take a vacation day.

Host:

All of those kind of things that come in just naturally in the infosec field, but then later on to it, we need you to do even more.

Host:

We need to take the existing people and use them in more ways, despite the fact that the outside threats are growing and we can't buy the tools we need to, and we need to, um.

Host:

Or we can buy the tools, but we can't really get the people to run them.

Host:

I guess I'm, I'm really curious about impacts.

Host:

I'm really curious about the experiences you guys have had and seen with people, you know, people you work with, obviously keep names out of it.

Host:

Uh, but you know, that how this is starting to play out and what can we do about it as a field?

Speaker C:

I'll say, go ahead, Eric, if you want.

Speaker C:

I was going to say I've seen a massive.

Speaker C:

How do I say this?

Speaker C:

Almost everyone that I work with on a personal basis, from my job standpoint and what I do in terms of companies I work with, I would say one out of the ten is okay or content where they're at, the others are not.

Speaker C:

And then across that entire ecosystem, I have, like, I guess I got to take this, like, with a grain of salt.

Speaker C:

But I have never in my life seen as many security projects pushed, punted or kicked in the last six months.

Speaker C:

Vendors were worried in like:

Speaker C:

And I'm like really, really surprised.

Speaker C:

Even companies that have gone through situations, I'll refer to them as incidents.

Speaker C:

Right.

Speaker C:

Or even breaches for that matter, from a budget standpoint, be very, not just conservative, but as like, just kind of like, hey, we're cutting a.

Speaker C:

We're cutting, we're cutting.

Speaker B:

Yeah.

Speaker B:

From my perspective, I begin to wonder if we're all right.

Speaker B:

So I think we can agree the days are gone of money being thrown after an issue without questions and justification.

Speaker B:

Right.

Speaker B:

I think that was the boom that we saw in security.

Speaker B:

So as the money dries up, that is just being thrown around forces you into a position that you have to be better at justifying.

Speaker B:

Why?

Speaker B:

Why should I invest in this?

Speaker B:

What do I get as an organization?

Speaker B:

What's my risk offset to be able to make that, that investment?

Speaker B:

And I think we're starting, this is going to shed a new light that we have not evolved enough as security leaders being able to tell that story that we cannot continue down this path of bolt on technology after bolt on technology just for the sake of, oh, this is super cool, it does something new, right.

Speaker B:

That I think that we need to start looking through the lens that as we think about all these different tools.

Speaker B:

And I think it's fascinating now that if you look at a lot of the different security technology, not as much the ups, the kind of new starts that are coming in and disrupting some of the industry, but we're starting to see the acquisition, Palo Altos buying them, Check Points buying them and starting to.

Speaker B:

Not that I'm advocating that we go back to an era of platforms because we've done that on an episode, I think everybody refer back to that, you know exactly where we stand.

Speaker C:

But you're starting, unless it's a fantasy hacker season, it will be on a platform.

Speaker B:

But you're starting to see this Venn diagram now with so much overlap on what is offered from these different platforms.

Speaker B:

And I think that now more than ever, we are in a heightened level of tool scrutiny that we need to be able to not only try to seek out net new spend, but take the hard path and start to repurpose spend, that we're constantly having to start looking at some of your partners that you already have in the ecosystem and sort of like, was yesterday's decision the right decision today?

Speaker B:

Or can I take that spend and maybe find somebody that's almost as good in the space that I bought them for, but also adds this, this and this feature to give us a broader perspective.

Speaker B:

And I think this just, this is where we had to be to start working harder and understanding and rationalizing what we're doing.

Host:

Yeah, there's probably, Dan, if I could.

Speaker C:

I was gonna say, if I could interject there, too.

Speaker C:

Eric, I really do agree with you.

Speaker C:

But I also think to the point of that, like, I look back, not because I planned any of this, but like, 16 years in automotive working for the same company.

Speaker C:

Even at the end of ten years, it was very hard to understand the entire business that Aisin did, right.

Speaker C:

16 years did give me a very, like.

Speaker C:

That's why I always revert back to automotive from like, a large supply chain.

Speaker C:

The idea of quality control, production control, etcetera.

Speaker C:

It's very easy for me to go back to that because I was in it so long.

Speaker C:

But when people change from vertical, vertical to vertical to vertical, every company, two to three years, if you're a good extrovert and you can understand business well, and you can tell that story, great.

Speaker C:

But the number of people that were in security, that were introverts, that just got promoted because they were the security guy and understood that security environment, I see a paradigm shift in two things.

Speaker C:

One is there is not a limited budget.

Speaker C:

There never was.

Speaker C:

But throwing money at stuff just doesn't happen anymore.

Speaker C:

So you really got to be able to explain it, right?

Speaker C:

It used to be like, quality problems in manufacturing.

Speaker C:

That was our number one line, right?

Speaker C:

So as things happen, you just threw money at it, right?

Speaker C:

But at some point, you're like, why don't we just go back and rebuild the entire line on the next generation vehicle and remove all this added bolt on crap that we were doing.

Speaker C:

Second thing there is that help that you were getting.

Speaker C:

You had the people working in security today, the CISOs, the directors, the admins, et cetera, are working longer hours than they have for a long time.

Speaker C:

I can say that just sitting in my position and having it on the phone at some of the hours I do, where when they were some of these analysts that were like, when I was contract, I was done at 8 hours.

Speaker C:

At 9 hours, I'm working more hours for less pay.

Speaker C:

Like, I'm not even sure why I wanted the full time position, because I don't see a road at the end of the tunnel, because I've been passed up two times already, because there's no budget to promote me right.

Speaker C:

And I'm like, that is a very disheartening thing to hear.

Speaker B:

Sure.

Speaker B:

So I'm gonna go tangential for a bit.

Speaker B:

I think the, if we start to boil this down on introvert versus extrovert, that's a crutch.

Host:

Yeah, right.

Host:

Totally agree.

Speaker B:

It's way more nuanced than this.

Speaker B:

I just had this conversation with one of my peers and came out of leading a two day strategy session.

Speaker B:

I mentioned to him at the end, I go as an introvert, I go this is going to suck.

Speaker B:

That I had to lead it because it was the right thing to do and it made sense to do it from security focus and just the lens that I was coming from.

Speaker B:

But you pay for it at the end, the next day just completely drained.

Speaker B:

With that in mind, I go back to something Earl Duby said at one of the talks back at CSA.

Speaker B:

He was doing a fireside and he looks at everybody.

Speaker B:

He goes, you think you want to be a CISO, you don't want to be a CISO, right.

Speaker B:

That everybody looks at it.

Speaker B:

That, oh, it's the title, it's the control, it's all of these things.

Speaker B:

But there is, there needs to be a retrospect that you can be an introvert but you still have to find those opportunities because that's part of the job to be able to connect in with people.

Speaker B:

If you go in purely tech focused and go, I'm just going to do the typical gremlin, no lights, not going to talk to anybody, that's not the right role for you.

Speaker B:

And yes, you are going to add a ton of stress to yourself in doing that.

Speaker B:

But I look at it as you're talking about the amount of time that has to be spent.

Speaker B:

And I'm going to preface this, I'm not advocating that you leave your companies in a precarious position, but I have had conversations with a number of people that put in way, way, way too many hours and what they end up doing is, but if I don't put in the number, the hours, then this is going to fall apart, the metrics are going to look bad.

Speaker B:

I go yeah, but you're actually masking an underlying issue because you're doing that.

Speaker B:

That if somebody looks at your metrics, pick on a help desk, right.

Speaker B:

That if I look at abandon calls or how long first time resolution, stuff like that, you're making it look like nothing's wrong.

Speaker B:

And this is, it's counterintuitive.

Speaker B:

But if you don't step back and put healthy boundaries in place to protect yourself, to protect your team, that is going to continue and it's going to get worse.

Host:

Yep.

Host:

A hundred, a hundred percent.

Host:

And the way to effect change is to in there.

Host:

What is, what causes the, what causes the pearl?

Host:

It's the sand, it's the agitation.

Host:

What causes change in an organization is the pain.

Host:

And I use that term lightly, but sometimes you have to have, the organization needs to understand that there's pain or there's no impetus to change it.

Host:

Right now.

Host:

None of this is negligence.

Host:

None of this is, you know, abandoning it all.

Host:

But in cases where the, the catalyst becomes, we clearly know, we clearly see we have a need for this because something's not getting done.

Host:

Things are taking too long.

Host:

We're not meeting SLAs.

Host:

All of these kinds of things are the inputs that generate the necessary kind of change and help understand in the bigger priority, guess what, security leaders.

Host:

This is exactly what happens in the rest of the organization.

Host:

The people who aren't in guardian fields, in protector fields, who don't feel this ethical, heartfelt need to solve all the problems and make sure that, no, that the breeze will never hit their faces, those kinds of things.

Host:

Um, and we got to change some of that.

Host:

Everything that I just heard.

Host:

Yeah.

Host:

Was, was correct.

Host:

But I think there's also some other elements here I think it less has to do with.

Host:

I think you guys are both talking about things at a personality level, but I think there's something a little more about we need to take it up one more level and look at the type of role that's involved, the type of CISO role, the type of security function that's there.

Host:

I, um.

Host:

And then that helps to dictate the kind of person that can go into that role, you know.

Host:

Um, as it happens, I'm doing a, um, uh, are two of our, of the show's friends.

Host:

Um, yeah, Jess Burn and Jeff.

Host:

Jeff Pollard from Forrester have just finished a new update to their, what it, their Future of the CISO research, in which there have been six archetypes of CISOs.

Host:

Uh, it's really good research.

Host:

Um, it's paid research.

Host:

So if you're a Forrester client, go to it.

Host:

I'll put the podcast version of this into the, uh, the public podcast into the show notes.

Host:

Uh, but, uh, go take a look at the research.

Host:

But as it happens, in December, I'm, they asked me to come out and do some, do a panel at their security and risk summit, uh, in which we're going to talk exactly about this, about the archetypes.

Host:

And I think the archetypes like the, um, the post-breach CISO, like the policy and risk CISO, like the transformational CISO.

Host:

Like all these kinds of things dictate different personality types, different needs, and they're in different focuses.

Host:

Like, there's one that's more of an operational CISO.

Host:

Like the run, run the bank kind of person, which I have no interest in.

Host:

Like, as soon as it gets to running, it's boring to me and I'm out and I want to, I fall into different categories.

Host:

Um, I think that has less to do with, you know, with my, what has a lot to do with my character traits.

Host:

But I think it's an under important to understand the nature of the job you're stepping into in the organization.

Host:

Uh, and look at the characteristics you bring.

Host:

So I don't think it's the introvert extrovert that, you know, the run the bank one, the operational can very easily be done by an introvert because it's just crank or the policy, the policy wonk one absolutely could be done by an introvert.

Speaker B:

I agree with you.

Speaker B:

And I think in a lot of cases that sometimes it takes time for somebody to figure out what is it they really want.

Speaker B:

Right.

Speaker B:

If I look back to early my career, that I had a conversation with a recruiter, and one of the comments I made at the time is I don't want to go into an organization and build up a security program again.

Speaker B:

Now that I look back at that, boy, was I wrong, because I started to recognize the same thing, Dan.

Speaker B:

I have no interest in just being there to run, to keep the lights on.

Host:

Steady state bores the crap out of me.

Speaker B:

But at the same time, I also recognize that if we almost think about this in the context of crossing the chasm, right, the early adopters and stuff, that as you look at a company that does not have a security program today, while should be only a few of them, I'm probably not the right fit for that as well.

Speaker B:

Because I see there are those CISOs out there that are much better at having, much better on a personal level, that are connecting with people and being able to help them understand why there's a need to start investing in this whole new area that we've really never paid attention to before, or just falls as an add-on hat to somebody else.

Speaker B:

There's others out there.

Speaker B:

Not to say I can't do it, but there's others out there that do it way better.

Speaker B:

But once that need is realized, to be able to come in and then build out a program hundred percent like that's.

Speaker B:

That's what I see as my sweet spot.

Host:

Yeah.

Host:

But I think the mismatch is a lot of what's causing people's challenges too.

Host:

Don't get me wrong.

Host:

Organizational constraints, environmental constraints, economic constraints, customer constraints.

Host:

Where people aren't buying this, it has to do with this across all this is not just.

Host:

In fact, I'm going to specifically exclude security software.

Host:

That's a byproduct, it's trickle down portion.

Host:

But if you look at just revenues in general, people buying things in the B2C world, things costing more so you can buy less, salaries not necessarily going up in association with that.

Host:

In the B2B world, everyone is contracting their budget, so everything is cutting.

Host:

So there's outside forces that we can't avoid.

Host:

No matter whether I'm in the right role for my, the right role archetype for my personality or my characteristics or nothing.

Host:

So then you have, and I share this with both of you, and I'll put this into the show notes.

Host:

It was BlackFog had a, had some research recently on cybersecurity.

Host:

Leaders under pressure is the title of it.

Host:

24% of CISOs are looking to leave their role, but 55% are open to new opportunities.

Host:

The 24% are actively looking to leave, which I guess in a 10% churn world isn't too much higher than a normal churn life.

Host:

Uh, but 54% over half would take something if it showed up.

Host:

Um, but here's the part that, that's really interesting.

Host:

93% say stress and job demands are driving their decision to leave.

Host:

Um, the stress that the job.

Host:

So, you know, it's fine to say, I'll put on my best, um, chief people officer hat for just a minute and say, look, you know, it's, it's fine.

Host:

We can always hire another one.

Host:

There's a lot of people out there.

Host:

No, there's not, says the narrator.

Host:

But any kind of churn like that in a role that's become so business specific, so sorry, so business important, it's part of selling, it's part of go to market, it's part of internal operations.

Host:

Anything like that that causes a ripple.

Speaker C:

It's.

Host:

It's.

Host:

It's almost like when you change a CFO or almost like when you change, you know, a COO.

Host:

I dare say we're not quite at the same level yet, but I think a level of impact or level of ripple, but I think it definitely is getting there.

Host:

So this is pretty big, this number of churn, this amount of overstress this amount of job demands and environmental.

Host:

So what can we do about it?

Host:

How can we fix it?

Host:

Short of hiring more people and working less hours?

Speaker B:

Saw the light bulb over Brian's head go on.

Host:

No, that's just because Kelly turned on.

Speaker C:

The turned on the lights article that also highlighted to the number of hours that somebody's working today versus when they.

Speaker C:

Versus having somebody that was a staffed not staff employee, but staff augmentation, somebody that was a contract employee.

Speaker C:

e, man, I'm literally working:

Speaker C:

Like, but I'm being paid the same amount of money.

Speaker C:

Like, this just isn't worth it.

Speaker C:

My stress level is higher.

Speaker C:

I also look, I think in the last year or two, especially with companies being breached, this is going to go to culture.

Speaker C:

And it's not just my personal opinion, but, like, what I sit and witness now in my chair in working with companies across North America, in a Japanese culture, working at Aisin, if somebody screwed up the launch of a vehicle, they didn't get fired.

Speaker C:

They had something that they referred to as a window seat, right?

Speaker C:

And, like, in American culture, you'd be like, so you're telling me if I screw something up, you're going to give me a window seat on a high floor?

Speaker C:

Dude, that sounds awesome.

Speaker C:

But the reality is there you get a window seat on a high floor to look over the world, right?

Speaker C:

It's reflection as the world goes by.

Speaker C:

But you're kept there to understand the problems that were faced.

Speaker C:

Like, they don't get rid of you, they're going to build you up to become better.

Speaker C:

There's not a single CISO alive that I think would say, yeah, I'm working for a large company, and I know if we get breached, they're going to keep me on to make sure that I get better.

Speaker C:

No.

Speaker C:

And with what I've seen in the last six months, like, the feelings that people have gone through when there's been something bad that happened, think about when you.

Speaker C:

When you have true fear, you resort to self preservation.

Speaker C:

You start to make decisions just to protect yourself.

Speaker C:

I have witnessed some very startling stuff where it's like, I.

Speaker C:

I tried to do everything I could.

Speaker C:

Now I'm fearing for my job.

Speaker C:

Now I'm fearing for my not life, but I'm fearing for my job and my well being, right?

Speaker C:

And I'm working so many crazy hours, I don't know if I even have time to go find something, right?

Speaker C:

And they're not happy.

Speaker C:

And there's a personal like that impacts your family.

Speaker C:

Dan, that presentation you sat on with Christy Fosi.

Host:

Oh, yeah.

Speaker C:

When she talked about, like, what changed from COVID till now.

Speaker C:

The ability to work more hours is what changed.

Speaker C:

Right.

Speaker C:

When you're not in the office.

Speaker C:

Although.

Host:

Although, to be fair, that's been the case for remote workers since well before.

Speaker C:

COVID. But now you have, like, as it in that stressful executive leadership position.

Speaker C:

That 30 minutes drive home to go pick your kids up was a time to kind of.

Speaker C:

And now I totally agreed with her.

Speaker C:

I am still on a call as I'm picking up my kids, right.

Speaker C:

And when they're getting into the car, I haven't even had a moment to let 30 minutes to unwind, to get ready to be that parent.

Speaker C:

I'm like, guys, guys, I got five more.

Speaker C:

Yeah, right.

Host:

Yeah.

Host:

No, I get it.

Host:

As somebody who commuted, I took a train every day and it was 45 minutes of the best time of my day because I'd get up in the morning, it was early in the morning.

Host:

And you get up and you'd read.

Host:

I'd read the Financial Times, then I'd read the Wall Street Journal and I'd read the Tribune.

Host:

And then I'd listen to 20 minutes of music.

Host:

And then I'd get there and it was.

Host:

And then on the way home, same kind of thing.

Host:

It was ability to, like, really put compartmentalization between your life.

Host:

This is also before BlackBerry, but this is also before blackberries.

Speaker C:

Wall Street Journal for me, can you summarize this?

Speaker C:

Right.

Speaker C:

So instead of, oh, I got it.

Host:

Such a cop out.

Host:

Unpopular opinion.

Host:

AI is a cop out.

Speaker B:

At the expense of sounding unempathetic, though, to that, I get it.

Speaker B:

There is a real fear around job loss and what's going on at the end of the day, we knew this going in.

Speaker B:

This isn't anything new.

Host:

Right.

Speaker B:

Like, I came into the current role that I'm in, knowing that if something happened at some point, I'm going to be finding something else.

Speaker B:

Now, if we would have put the lens back, I think if we go back all the way back to TJX and Target, some of the bigger original breaches, right.

Speaker B:

Then a lot of us at that time would have said, all right, it's a death sentence.

Speaker B:

Right?

Speaker B:

I went through a breach.

Speaker B:

Now I'm not going to be able to find another job.

Speaker B:

That's not the case anymore.

Host:

Right.

Speaker B:

There's almost an element that it's a badge of honor that I've heard CISOs.

Speaker B:

Those that are trying to break into the CISO ranks that were shut out because they've never gone through an incident or a breach, because they don't have that experience, that experience.

Speaker B:

And I'm sure, and Dan, hashtag truth.

Speaker C:

I literally had someone reach out to me and say, hey, we're looking for somebody.

Speaker C:

This guy gone.

Speaker C:

And we're looking for somebody that has experience of going through a breach.

Speaker C:

Literally, like, that was requirement A.

Speaker C:

And then came B, C, D.

Speaker B:

I mean, it's no different than some of the other executive ranks that are out there with the.

Speaker B:

And I think in a lot of cases, we would agree in a CEO role, especially in bigger companies, that you could screw things up terribly, get a wonderful parachute, and then go do it again somewhere else.

Host:

Sure.

Speaker B:

I don't think CISOs have risen to those ranks.

Speaker B:

Just my personal view, just throwing that out there.

Speaker B:

CISOs haven't risen to those lengths yet, but I am starting to see some of that grow now.

Speaker B:

And knowing certain people that, in their current contracts, had built in language there, what happens if I get let go because of some type of event?

Speaker B:

So I think we're growing in that direction, and that comes with the territory of holding bigger roles, making bigger decisions.

Speaker B:

And, I mean, look, for the longest time, we've been asking, we want a seat at the table.

Speaker B:

We want a seat at the table.

Speaker B:

All right, you got a seat at the table.

Speaker B:

And now we start to look back and go, well, I'm afraid of the risk of what happens with that.

Speaker B:

Ask for it.

Host:

Yeah.

Host:

And I don't think this comes back to two things.

Host:

Um, a theme that we've.

Host:

We think we've all, both you and I have said a lot, Eric.

Host:

I think, Brian, you agree with being the CISO is not for everyone.

Host:

And the.

Host:

And what I.

Host:

In the podcast, the Forrester podcast, I think Jeff said it perfectly, and I texted him right afterward because he said it was a quote, you don't want to be the CISO.

Host:

And it really, you really don't.

Host:

99% of people, security practitioners, et cetera, don't.

Host:

You really don't.

Host:

And if you do, you probably don't understand the role.

Host:

And then there's the 1% that do.

Host:

Uh, because we are gluttons.

Host:

We have the right.

Host:

We have the right personalities, we have the right interests, et cetera.

Host:

But it's not a role for everyone.

Host:

It is not the next bigger role.

Host:

And I think this is really important, as people do career planning.

Host:

It is not the next bigger role for a networks director, or it's not necessarily the next bigger role, and it shouldn't be seen as that because guess what?

Host:

It's a business job.

Host:

It is not a technical job anymore.

Host:

And if it is still in your organization a technical job, you're doing it wrong.

Speaker C:

Like, hopefully there's not a ton of CTOs that listen to this.

Speaker C:

But I'm going to go out there and say, like, I hope there are.

Host:

Because that means we're getting good, good viewership.

Speaker C:

Even CIOs maybe don't want to be in that position anymore.

Speaker C:

But to be the CTO working with the CIO and the CISO, it's like, yeah, I use the word digital transformation in my interview.

Speaker C:

I use the word AI in my interview and I know that I can pull in and get massive budget because I'm the chief technology officer.

Speaker C:

I need to change things and get all this new tech.

Speaker C:

That's what technology does, right?

Speaker C:

Like I'm saying that half jokingly.

Speaker C:

I'm not also look at it when I see the amount of money spent in the data storage, the, all the weird data analytics, the amount of money being spent on consultants to come in to consult on AI right now and come on in and it's like, and I'm talking to your same security team and they literally just told me like, yeah, we're going to push that again.

Speaker B:

But this is.

Speaker C:

Yep, we know we need that.

Speaker C:

We're going to push that.

Speaker B:

This is where we have to start being creative.

Speaker B:

So I think the one thing that I see, and maybe it's just because being in the industry that I want to see it this way, I think security is uniquely positioned and having purview across the entire organization.

Speaker B:

We have to understand purview is in.

Speaker C:

The Microsoft product Purview or purview as.

Host:

In you're not licensed to say that word.

Speaker C:

Yeah, Microsoft, no Purview.

Speaker B:

Thanks.

Speaker B:

Not a sales pitch.

Host:

I have no idea what it actually means because they keep changing the names and so I just give it up.

Speaker B:

I don't get it.

Speaker B:

Yeah, when they mention it now, I'm sorry, what tools did I originally know that you collapsed in there?

Speaker B:

That you're now asking me to pay another license?

Speaker B:

Okay, off the.

Host:

But I do want you to come back to this.

Speaker C:

I'm going with the think.

Speaker B:

I think we're uniquely positioned to see across the organization.

Speaker B:

And if we only use the lens of our propeller hat and look at it from our own security perspective, we've missed the opportunity.

Speaker B:

There are opportunities to fix inefficiencies, to drive innovation across the organization.

Speaker B:

And this goes back to a conversation I was having with a vendor that plays in the OT space and protecting the plant floor.

Speaker B:

And as I was talking to them, I go, you guys have not hit economies of scale yet, that your install base isn't big enough, that your cost structure is now going down.

Speaker B:

And what that means is that to try to purely position yourselves as a security organization, a security play, the cost is so high you're not going to gain traction.

Speaker B:

But if you find the right maturity level and the CSO that actually views themselves as part of the overall business organization, you can start to reposition it.

Speaker B:

That hey, I can now use this technology to get better data off of my machinery.

Speaker B:

I can aggregate it, I can use it to make decisions that directly has a business impact on, by the way, it's way more secure that's put in there, which is an added benefit.

Speaker B:

That's we need to be the.

Host:

So I don't.

Host:

Brian, I need.

Host:

I need to come into this one.

Host:

Yeah, I need.

Host:

There is, there's so much about what you just said that needs to be.

Host:

I want to repeat it.

Host:

The information security, and I'm purposely not using the term cybersecurity because this is above that.

Host:

This is about information.

Host:

It's about data flow.

Host:

It's about.

Host:

It's a broader topic.

Host:

Is so well positioned to be the new enterprise architect for the organization.

Host:

I just finished about five months worth of data mapping activities and some of this is related to the privacy portion of my role.

Host:

But it's also equally to.

Host:

Yeah, if you don't know what you've got and where it's moving, how can you protect it?

Host:

Portion of my job.

Host:

And I can argue, and this is across 15 brands, I could argue that I am one of a very handful.

Host:

Count them on one, maybe slightly into two hands, people that has a true understanding of the whole organization.

Host:

And I don't say that to be glib.

Host:

I don't say that to be bragging.

Host:

I say that to be that we, through the nature of what we do, in order to protect it, you've got to understand it and you've got to understand how we sell it.

Host:

You've got to understand how we, how people buy it.

Host:

You've got to understand where it sits.

Host:

All of the above.

Host:

And I think that that then lends to a change in information security leadership, which changes to be much more advisory.

Host:

And this comes back, Brian, to your CTO question, your CTO comment that, that the CTO then becomes an extension and enabler to execute that.

Host:

The CISO says, here's how we're going to do it.

Host:

We'll advise you, we'll give you the information, we'll come bring back the things that you're doing, and we will tell, will help give you the risks.

Host:

It really becomes a risk advisor and a policy one a little bit and a little bit of organization.

Host:

But also, I mean, I find myself advising on how to sell.

Host:

I find myself advising on how customers will want to buy this.

Host:

And it's a role that I never thought that the CISO, or in my case, chief security and trust officer.

Host:

And I think that's really important.

Host:

This is the evolution from CISO to trust that that isn't quite as broad or widespread.

Host:

That's what I wanted to say.

Host:

Go ahead, Brian.

Speaker C:

Wholeheartedly, 100% agree.

Speaker C:

Network security infrastructure, what you just said there, like CTO, mapping out where all your data is, right?

Speaker C:

Mapping out where all your data is coming from, understanding your network and how it was set up and why it was set up.

Speaker C:

When it comes time to go through a change or network team or infrastructure teams working on this, if you have that security background to say, hey, guys, this is who we, this is how we've been doing things.

Speaker C:

This is who we've been working with.

Speaker C:

But there's a better way, right?

Speaker C:

Let's look at how we could either a simplify this without having to bolt on security tools later, right?

Speaker C:

Like, I look at some of the network as a service companies.

Speaker C:

You could do that yourself if you were going through a big transition or a big change.

Speaker C:

Even my daughter agrees, right?

Speaker C:

She's throwing the brush out like, dad's going through a transition with his beard.

Speaker C:

We could brush it right now, same thing.

Speaker C:

And then I like, even when we were just talking about the secure web browser, right?

Speaker C:

At the end of the day, like, is that a security budget or is that something that would be useful for so many other groups within the company of other problems that it solves and efficiencies and everything else, instead of making security, try to sell it as a security tool, right?

Host:

Like a group, we stop thinking about it.

Host:

A security budget.

Host:

We think about it as an enterprise budget with security components to it.

Host:

It democratizes security into everything.

Host:

It is not security versus everybody.

Host:

It is not us versus them.

Speaker B:

It is everything has a security budget.

Speaker B:

Comment about creative and using it at the expense of becoming Matthew McConaughey, Wolf of Wall Street, and chest thumping here.

Speaker B:

Going into this year and looking at the economics, there was no way that we weren't going to have some type of business impact, right?

Speaker B:

Consumer spending is linked to interest rates.

Speaker B:

Interest rates were out of control.

Speaker B:

When that gets out of control, people don't want to spend on discretionary goods.

Speaker B:

Right.

Speaker B:

I'm going to pull back.

Speaker B:

So what does that do?

Speaker B:

That hurts an organization.

Speaker B:

So knowing that going in, we were flat on our budget, which was actually a great opportunity to show throughout the course of the year that we repositioned our spend in different tools to find where we could take that money, be neutral, but reapply it to something, gain features without having any additional impact to the financials of the organization, and yet coming out in a way better risk position.

Host:

Yeah.

Host:

It also breeds an organizational philosophy of mutual benefit rather than fiefdoms.

Host:

And my budget, my, my budget, my tools, my world and swim lanes and that kind of stuff.

Host:

And I know there's some organizations that really revel in that, you know, stay in your lane stuff, but I think the more we do blended where we are, um, we're embedded advisors across all units.

Host:

We're trusted advisors.

Host:

This comes back to the trust piece.

Speaker C:

It's not just customers talking about asset discovery tools earlier.

Speaker C:

Right.

Speaker C:

And why that could be important.

Speaker C:

We were talking who's like, where could security help a team?

Speaker C:

Like what team is responsible for purchasing all these said assets and keeping track of all of them?

Speaker C:

Sorry, guys, your budget, I'll help you figure out what the best solution or tool is with your budget.

Speaker C:

Right.

Speaker C:

And you over there, IT team that does the patching and everything else.

Speaker C:

Did you know there's tools that help integrate into this Salesforce solution that you guys bought in the service?

Speaker C:

Now here's one to take a look at versus this piece of turd that you were about to go buy.

Host:

Did you know that my buddy down.

Speaker C:

The street told you you liked it and his cousin makes good daiquiris.

Host:

Did you know that?

Host:

My SIEM takes in all the logs from the entire enterprise.

Host:

You know what, you don't need to buy an additional APM.

Host:

You don't need to buy additional logging solution.

Host:

Just tap your, your developers put API tools, use the APIs and build something cool to query it.

Host:

It's all there.

Host:

We don't need to buy twice.

Host:

Yeah, same kind of things.

Speaker B:

And it's not, this isn't unique to technology as well.

Speaker B:

No.

Speaker B:

You could use this in the context of headcount and stuff.

Speaker B:

I mean, there's been times where I've taken headcount out for our team because as you start to look at others around you, knowing full well that if they don't get key positions, what happens?

Speaker B:

Things roll.

Speaker B:

I don't want to say downhill because it makes it sound like security's sitting at the bottom of the hill taking everything else.

Speaker B:

But when we need to action something, we need to move the needle.

Speaker B:

The resources that we would typically try to influence outside aren't going to be there.

Speaker B:

And therefore it puts us in a position.

Speaker B:

We have to do all of the work ourselves.

Speaker B:

You've got to be a strategic part of a much broader team, and totally agree with Dan that if we continue to sit there in just this myopic lens, my budget, my people, my tools, don't touch, we're going to continue that everything that we've gained as a security community is going to start to devolve.

Speaker B:

We're going to lose that seat and.

Host:

Dirty little secret to close out the show.

Host:

If you're enjoying what you do, if you're doing broad work like this, that's meaningful.

Host:

You're going to, you're not going to notice the extra time you're spending quite as much.

Host:

You're not going to feel it.

Host:

It's not going to feel quite so pained.

Host:

And the reality is we do need to do more with less in this world.

Host:

We can't just say, I hit my 37.5 hours, I'm done for the week.

Host:

It just doesn't work that way.

Host:

So finding ways to keep it enjoyable, to keep it meaningful, to not get knocked down in the, in the drudgery and not let that take over helps with the burnout.

Host:

It helps with, with keeping motivated and keeping our organizations motivated.

Host:

It's really important.

Host:

And that's what helps keep the organizations that we serve as safe as they can and helps us be part of the broader business that we sell.

Host:

We are the business.

Host:

We've said this time and time again, it is not security and the business.

Host:

We are the business.

Host:

And on that note, we're out of time.

Host:

Thanks again for joining us.

Host:

We love having you as listeners and as viewers.

Host:

If you're listening to us on a podcast, hop over to the YouTube channel YouTube.com little security debate.

Host:

And if you're listen.

Host:

If you're watching us on YouTube, go to your favorite podcast app and find a way to commute to work and listen to us in the car on your way back and forth.

Host:

As part of the segregation between home and work, you can find us by searching the great security debate in your favorite podcast application.

Host:

Erik, Brian, thanks again for another great debate.

Host:

You can find us on our website.

Host:

We're part of distilling security.

Host:

Distillingsecurity.com securitydebate.

Host:

You can find all of our episodes.

Host:

Uh, you can find us on YouTube at security, at great security debate.

Host:

You can find us on LinkedIn, uh, great security debate, search for that, but also part of distilling security.

Host:

Uh, and, uh, you can email us in, uh, security debate at distillingsecurity.

Host:

And, uh, we'll get back to you.

Host:

And if you've hung on this long, go to the YouTube, find this video, go to the bottom and write, I made it till the end.

Host:

In the comments, we'll look for them and we'll give you a shout out.

Host:

Thanks for being here.

Host:

We'll see you again on the next great security debate.
