CISO Series: We Shame Others Because We’re So Right About Everything

https://cisoseries.com/we-shame-others-because-were-so-right-about-everything/

“I hate the ‘blame the user’ model of phishing tests. Phishing tests are to inform you about how bad your email infrastructure actually is. The user is just one piece of it.”

Full Transcript

Voiceover

Ten second security tip. Go.

Edward Contreras

When engaged in a conversation, make sure you’re all using the same definition for common terminology, by stating your definition. You would be surprised how many different ways success can be defined.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark, I am the producer of the CISO series and I am pleased to announce a new co-host. Mike is not gone, but this is a new, regular co-host that will appear, on occasion, on this very show. Very excited to bring him on, I’ve known him for quite some time, you have as well, as probably CSO Andy on the Twitters. It is the one and only Andy Ellis, who is now the operating partner over at YL Ventures. Welcome to your inaugural show as a co-host, Andy. Excited to have you on board.

Andy Ellis

Thanks, David, excited to be here and I’m gonna say this is probably the best show so far. Although, is that correlation, or is it causation?

David Spark

We will get into that later. He’s teasing the opening segment, which you’ll hear in but a moment. Let me mention that we are available at CISO Series dot com, every one of our shows. We have five shows. Check them all out. The Defense in Depth show, if you haven’t heard it, or the Cybersecurity Headlines, and also our Weekend Review, or our Friday video chats, all available at CISO Series dot com. And our sponsor for today’s episode is Varonis. Very excited to have Varonis back, sponsoring this very show.

David Spark

Andy, I want to get back to the subject of your very first episode. Now, this is not your first time on a microphone, and one of the reasons I asked you to join as a regular, rotating co-host, here on this podcast is, of all your awesome experience, let me ask what makes a podcast experience, or a podcast recording go well? And what makes one go south?

Andy Ellis

Well, I think to make it go well is a good microphone, let’s just start with that one.

David Spark

Yes, and a lot of people don’t put a lot of value in that.

Andy Ellis

They really don’t, and before the pandemic, I’ll admit I was one of those people. I showed up and I was very excited in my Airpods, and then one day I listened to myself, and I was like, “Oh my god, that’s awful.” So, the microphone. But more important than a microphone has got to be the content the guest brings. Every guest has wonderful things that they can share, but it’s when they can distill it down to something that somebody just hears as this sentence that captures their imagination. I think that’s what makes a podcast successful.

David Spark

Well, I am gonna give you a lot of kudos and credits on that, because you are what I call the sound bite master in this respect. I have been quite impressed with how you are able to do just that, and I would say our guest is pretty darn good at that as well, because we have had him on the show before. Let me bring him on board. It is the CISO of Frost Bank, Eddie Contreras. Eddie, thank you so much for joining us again.

Edward Contreras

Thanks for having me, David. Excited to be here.

Here is some surprising research.

00:03:16:03

David Spark

According to Cisco’s Security Outcomes Study, quote, “A well-integrated tech stack improves recruitment and retention of security talent.” Now, that action was the second most highly correlated result in the study. The first being staying up on best-of-breed technology allows you to stay up with business growth. The “correlation” they’re referring to here is to a certain practice connected to a certain specific result. Now, we’re just saying correlation, we’re not saying cause and effect, but as you know, a lot of people sort of infer that. So, infer if you will there. Now Andy, I want to start with you. I want to discuss how a quality tech stack actually can help with recruitment and retention of talent. There is a ton here to say about overall improved security programs, saving money on turnover, and improved work environment. Do you agree, and have you actually seen this play out in either extreme?

Andy Ellis

So, I think that this is correlation with a shared causal factor. Causal factor is a deliberate approach to building a coherent work environment, that’s gonna result in an integrated tech stack because you’re gonna think carefully about how your technologies work together, how those fit into people and process. And at the same time, you’re gonna deliberately think about how you hire, how you build an inclusive environment, how you match people up to work that is meaningful and valuable. If you don’t have a good integrated tech stack, then you’re probably spending people, doing work that isn’t really valuable. They’re copying and pasting the same alert. So, they’re clicking through false positives galore, and you haven’t really deliberated and thought about it. So, I do think these are related, and I think we do see when people haven’t done that investment on both sides, tying their people to their technology and vice versa. You’re gonna see high turnover and technology that doesn’t work.

David Spark

Very good example. Now, Eddie, I’m gonna throw this to you. And I’ll just add a little story of my own. I used to cover the Interop conference, and they used to have this amazing temporary network that we’d build up and tear down every year. And I used to do a video tour of that network operation center, and it was always the latest and greatest, and also the latest and greatest talent working as volunteers in there. And this video was always one of my most popular videos because people always want to see the latest and greatest. How much of that affects hiring and retention, do you believe, Eddie?

Edward Contreras

You know, it’s a tricky question. The way I see this is, it really depends on when that leader comes into the organization. If you have a green field, and you have the opportunity to get the latest and greatest, aim for it. I think the reality is, most of these programs are built, and if you inherit something and you want to bring in good talent, you have to simplify the stack. You have to be able to really play to the strong points of your employees and what they’re doing. I was with a company and we did bring in a really great technology piece, but it almost took a PhD to manage it. And unfortunately, we only had junior skill set people, so it was a misalignment. We had to figure out… and this is where you figure out causation and correlation… if we had a turnover, was it because the stack was too complicated? I think a good leader can identify that and make a business decision, but sometimes that decision is made before you even get there.

Andy Ellis

I think Eddie just argued that a poorly integrated tech stack requires you to hire security unicorns, which is a challenge. A well-integrated one lets you hire people who can do pieces of the job, and provide value even at lower skill levels.

Edward Contreras

Well put.

David Spark

Perfectly said, both of you.

Does shaming improve security?

00:07:09:01

David Spark

On Twitter, Fredrick Lee, AKA Flee, CISO, Gusto and a past guest on the show, said, quote, “Security features should be free. It’s disgusting, embarrassing, and unethical for companies to charge more for security features such as SSO, MFA, data destruction, et cetera. Please shame other companies.” Now, there’s even a website out there called “The SSO Wall of Shame” which calls out services that charge to implement SSO. It hasn’t been updated, it looks like, in a good year, but my question for you, Eddie, is how is a non-security vendor adding a security feature and then charging for it any different than a security vendor just selling security service?

Edward Contreras

It’s an atrocity, in my opinion. This is something that needs to be embedded in the platform. If you think about, especially, single sign-on products, where they say, “we do integration” and then they charge you, so they can replicate that fee across multiple customers. I think it’s just really bad practice. What we do at our company, and what we started practicing, is really looking at that contract. When it comes to contract renewal, do we have a clause in there that says the product needs to be able to perform to our needs, our expectations? And getting something in writing. So, if you do have a vendor like that, contract negotiation is a great way to address that. But if you don’t have the teeth to your vendor management program, there may be a fee that you have to charge for that single sign-on. But it is disastrous when vendors do that.

David Spark

I would argue that it wouldn’t be a bad idea if they do the reverse, and give a discount if you start adding security features. I will tell you, I am a user of Mailchimp, and if you deploy multi factor authentication, they actually give you a monthly discount for deploying MFA, which I did and I saved a few dollars per month. Andy, I want to go to my earlier comment. I’m intrigued, what do you think is the true difference between a regular company charging for SSO and MFA, versus a security company, selling security services?

Andy Ellis

I’m going to disagree with the premise, to start with. First of all, I think a wall of shame is a horrible idea. In general, I’ve always thought the Wall of Sheep, done in Vegas for security summer camp is an atrocity that people should stop doing.

David Spark

Explain what the Wall of Sheep is.

Andy Ellis

The Wall of Sheep is people who sit and watch the network traffic and detect unencrypted passwords traveling across the wire, and then publish your user name… with a redacted form of your password, hopefully… to say, hey, look here’s the people who are doing something imperfect.

David Spark

Here are the buffoons who aren’t as smart as us.

Andy Ellis

Yes, aren’t as smart as us. And let’s just be clear, that’s a problem our industry has had for decades. Everybody thinks we want to prove that we’re smarter than they are, which means they don’t want us in the room.

David Spark

That’s not good for anybody.

Andy Ellis

As somebody who used to be a platform vendor, we had customers who didn’t want certain security features, and they wanted to negotiate a lower price for that, because they weren’t going to use them, so why should they pay for them? So, what’s the difference between negotiating things down, versus negotiating things up? That said, I love it when vendors do take security seriously and come up with ways to incentivize their users. Mailchimp’s discount, Fortnite, when you activated MFA and it gave you a gift to send to a friend. So, the friend would be, like, “Hey, how did you get this gift back?” “I turned on MFA. Why don’t you, and send one back to me?” Those are the things that are brilliant. I like Eddie’s approach, when you’re buying you should know what is and what isn’t included. You certainly should never be surprised if you signed a contract after stating SSO is a requirement, and then they try to hit you with an extra fee. I think that’s a failure in vendor management on both sides. That’s not okay. But I don’t think it’s necessarily a problem to say, look, it’s more work for us to integrate this thing for you, and therefore, you’re going to pay for it. Now, at some point, everybody is going to be using it, and therefore, it probably should get rolled into the platform fee. That’s just good business, but that doesn’t mean it must be that way.

David Spark

Eddie, what do you say? Do you believe this is good business?

Edward Contreras

Every business is here to make money, I can agree with that statement. As secure as you want to be, ultimately it’s about revenue. I think Andy’s last statement was spot on; ultimately this is going to be common. This is everything that you need to do business in an interconnected world, so if you can’t do single sign-on in a way that isn’t just unique to one connection, but you can replicate it across multiple vendors, I don’t think you should charge for that. When you go to a vendor and ask for their product, that product should come with the things you expect, and the bells and whistles like reporting, auditing features, charge for those because I’m getting use out of them. With single sign-on, we’re protecting both of our companies, and I would even say indemnification clauses should get changed if I don’t get my security requirements.

David Spark

That’s a good point. Again, and I’m just arguing for the companies here, often most of the cloud based solutions have multiple tiers of services. Many of them have a free tier and then work their way up. My question is, why shouldn’t this be on one of those tiers, like every other service they offer?

Andy Ellis

I think you should look at the lifespan of a feature. The day we first started doing SSO, back when people had to hand-build their SAML integrations, that’s a top tier feature and you’re going to pay through the nose if you want to be the first person to have SAML integration with one of your vendors. Today, I’m with Eddie, I think everybody should offer SSO. I think if you don’t, you’re going to have a hard time selling into your major enterprises, because they expect it. And if you’re a buyer at a major enterprise, it’s on you to make sure that everybody knows that SSO is a requirement and, if they surprise you with it later, then maybe you kick them out and go with one of their competitors. But these things are just going to have that life cycle; at some point they become expected, baked into your base platform, but they’re always going to start out in a higher service tier.

David Spark

I agree. Seat belts, at one time, were considered a luxury, but I don’t see anybody charging for them now. Times have evolved.

Sponsor – Varonis

00:13:45:07

Steve Prentice

At Varonis, zero trust is a big topic of conversation in cybersecurity, but as Matt Radolec, Senior Director of Incident Response and Cloud Operations, tells me: sometimes it doesn’t quite go far enough.

Matt Radolec

A lot of boards are just thinking about least-privilege zero trust, limiting the amount of things, resources, data, devices, network connections that are available to people within their organization. And one of the things that I think often gets missed from that zero trust strategy is applying it to data. You know, the files and the folders, and the sites that we all have access to. Often, we find that more than a quarter of all the data within an organization is open to every employee.

Steve Prentice

He says a lot of organizations look at these like identity or access type problems, but it all turns into what Varonis calls sensitive data. And that causes a real risk because of what happens next.

Matt Radolec

We talk a lot at Varonis about what we call the blast radius of an attack. We think that organizations have a pretty solid understanding of their attack surface. You know, what things are out there, what devices, what servers or applications are exposed to the web, that an attacker could come after. Or what inboxes are exposed, that they could send phishing emails to.

Steve Prentice

There is no detective control that is going to prevent a zero day threat, but when it happens, he says, how much information can any one user get to?

Matt Radolec

These are the kinds of questions that we focus on with organizations, and really focus on reducing that blast radius. Or assuming that one of these things is going to happen, how can you do something about it?

Steve Prentice

For more information, visit Varonis.com.

It’s time to play What’s Worse?

00:15:30:13

David Spark

Andy, you have played What’s Worse before, but more importantly, you are now going to be answering first, as Mike does. So, you have elected bear, because it is up to you, Eddie, to decide whether you agree or disagree with Andy. And I always like it when people disagree with my co-host. As everyone knows who listens to the show, or if you’re listening for the very first time, What’s Worse is a risk management exercise, and there are two bad scenarios. Actually, these are two good scenarios that have bad elements.

Andy Ellis

It’s scenarios?

David Spark

They’re good scenarios with bad elements and you have to pick which is the worst of the two. This comes from Jerich Beason, who is the CISO over at Epiq, also a former guest on this show. He throws out this What’s Worse scenario. Andy, you’re up. A team of 15 security newbies and interns, straight out of college, that are hungry and full of emotional intelligence, and they’re so affordable you’ve got some good budget for tooling. Or, you’ve got five security ninjas with 15 years of experience each, who are super nice, but also crazy expensive. So expensive that you have no more budget for tooling. Which scenario is worse?

Andy Ellis

This is one of those that’s challenging, because I would just want to split the difference. I’m going to hire two and a half ninjas and seven and a half interns.

David Spark

No, you’ve got to go all or one.

Andy Ellis

I’m going to assume, by the way this one is phrased, that my ninjas aren’t truly ninjas because they can’t build tools. Because that’s the obvious answer: I take my five ninjas and I build tools with them.

David Spark

They can have engineering talent.

Andy Ellis

I’m going to assume that that’s the cop-out answer, so I’m going to say that’s the worst approach. I’m going to have five people who are horribly frustrated and will leave and be annoyed that I’m not spending more money on them. Instead, I’m going to take those 15 and not only will I get tooling, but I can invest in their development and education, and I will have 15 ninjas in a couple of years.

David Spark

Rob Rec said that he has had cases, and you and Eddie, tell me if you’ve done this before, where a very senior person left and he replaced them with two extremely green people. That worked out way better in the end. Have you done that?

Andy Ellis

That’s absolutely what I did. Whenever we had a senior person leave, or when a business partner would say, look, we need a principal architect of support from your organization, I would pretend that they were twisting my arm: “Well, I guess I can provide one, and in fact I’ll send somebody that we already have, and I’ll backfill them onto a different project.” I’d promote a senior architect to principal architect, assign them to that task. Then I’d promote an architect to senior architect, a senior researcher to architect, a researcher to senior researcher, an associate researcher to a researcher. And now, all of a sudden, I’ve got a spot to hire one of my interns from last year, to come in as an associate researcher. And boom, I just did that and I got to promote a bunch of people. Because one thing we all know, is that the promotion budget that HR allocates us, tends not to be large enough to keep up with promotions, unless you have high turnover. You have something like ten, 12%. If you’re at zero percent, which I was at in my last gig for 15 months, you have to come up with ways to promote people.

David Spark

Eddie, I’ll throw this to you. Do you agree or disagree that having that ninjas only is the worst scenario?

Edward Contreras

To add spice to the conversation, I’m going to go in the opposite direction. The 15 young interns: a lot of times, people in an organization will get comfortable and bounce ideas off each other. But if all the ideas are being bounced within the same group, being able to understand business logic and not just security… because the most secure network is a disconnected network… how do you balance business with the needs of security? It does take some tenure to get there. You need to understand the ramification of this rule, or this policy, being triggered, or me working this alert? Sometimes you can get a junior crew that can work an alert for 24 hours straight, and they end up on a wild goose chase. So, I would say the younger group has its complexities. While there are benefits of growing, and I’m sure Andy is a great leader and will grow a great, talented core group, I think the reality is there’s probably going to be a business impact with the younger group.

David Spark

I’ll also throw this at you, Andy. Who is going to train those 15 people? Is it going to be you?

Andy Ellis

Obviously it’s going to be me. Either I’ve got to train the five people on how not to do certain pieces of work and how not to get grumpy about not having tooling, or I’m going to have to train 15 people. I’ll take the 15 people any day.

David Spark

And you’ll figure out how to train all 15?

Andy Ellis

Absolutely. I have money for tooling, I’ll go buy some training tools.

David Spark

Great idea.

How have you actually pulled this off?

00:20:38:09

David Spark

On the cybersecurity subreddit, this question was asked: “You receive an email with a file attachment. You must make sure the attachment does not contain any malware. What would you do?” The community offered a ton of advice. Eddie, I’ll start with you. What would you do to find out if this email does not contain malware? How do you create a safe sandbox zone for it?

Edward Contreras

There are so many ways to answer this, if you’re thinking from a corporate view or a personal view. If you don’t have access to the technology stack, I would say VirusTotal is the easy and quickest way to that answer. Submit it, it will tell you whether you should be worried. If you’re in a corporate environment, most of the time you have network detection, you have end point detection, you have gateways. That email should be going through a slew of scanning already, with assumptions of a sandbox that’s right before the user. So I would say it depends on your environment, but if you’re out on an island by yourself and you have one last resort, VirusTotal is where you go.

David Spark

Alright, I’ll throw this to you, Andy, how are you going to handle this?

Andy Ellis

20 years ago I would just have used the strings command. I could read the text out of the document to figure out what I needed, that was always the easy thing. Today, my answer is why is somebody sending me an attachment? I’m going to ask them to stick it into Google Drive and convert it over to a doc or a sheet that I can read.

David Spark

That’s what you’d do. Alright, so you would have to try to contact the person directly.

Andy Ellis

In this day and age, why are you sending me attachments any more? There’s only a small number of things for which I need an attachment, which is usually a signed and executed agreement.

David Spark

You can still send a link for that. I do that all the time.

Andy Ellis

You do that through Docusign at this point.

David Spark

So, you would just email the person back. Here’s the thing: how do you know this is not a phished email? Someone phished you and said, “I’m so and so” and you hit the reply button, and you don’t have their phone number…

Andy Ellis

Ah, well, if I hit the reply button, my mail client is going to tell me. If I’m sending it to one of the domains that I’ve pre-authorized, it will leave their name in blue. And if it’s to any other domain, it’s going to highlight their name in pink to say you’re sending it to an outsider. So, if they pretended to be a colleague at one of my companies, I’ll notice that, and if they’re not a colleague, then I’ll notice that too.

David Spark

Do you have these protections, Eddie?

Edward Contreras

We do, but I think there are some complexities in different industries. I work for a bank. Loan documents come in all the time, wire transfers, ACH. Attachments in certain industries are actually commonplace, other industries absolutely right, and even at different levels. So, executives versus analysts versus customer facing employees, sometimes attachments are not only expected, but frequent.

David Spark

My brother-in-law, with his 20 attachments of images, all at full size, that he sends of his daughters, we get those all the time. You must have relatives sending you attached images in email, like 50 megabytes’ worth at a time, yes?

Andy Ellis

Photo sharing.

David Spark

I know how to do photo sharing, but my brother-in-law doesn’t.

Andy Ellis

I invited them to share albums. I just kept putting photos in until they figured out that they could put photos into the same shared album and I would see them. That seems to have worked. It took a few years, but it worked with our relatives.

David Spark

Maybe I’ll sic you on my brother-in-law.

There’s got to be a better way to handle this.

00:24:17:06

David Spark

Matthew MacManus of WeWork asks, “You’ve discussed on the show already that employees should generally not be punished/reprimanded for failing phishing tests. Is there a threshold at which an employee should be reprimanded and where is it the CISO’s role to determine that threshold, as opposed to compliance or HR? So the idea is, you fail X number of phishing tests, or you use the corporate assets for crypto-mining, or you’re continuously visiting known malicious websites?” I’m going to start with you, Andy on this. By the way, have you ever canned somebody for this kind of behavior?

Andy Ellis

Not for failing phishing tests. First of all, I hate the “blame the user” model of phishing tests. Phishing tests are to inform you about how bad your email infrastructure actually is. The user is just one piece of it. The fact that the phishing mail got to them and that clicking the link would be a problem, that’s really your issue, not the user’s. We train users to click links. HR, the first day somebody arrives, they send them a bunch of links that, if they don’t click, they don’t get paid. So, for us to show up and say, “Don’t click links. Oh, but by the way, the once a year security awareness training that we send you, we’d like you to click that link. And the lawyers want you to click the ethics link. But not this link that pretends to be HR giving you a gift card.” This is crazy talk. Let me start there. Now, using corporate assets for crypto-mining, that’s not about a user working with a flawed system, that’s a user doing something malicious.

David Spark

That’s malicious.

Andy Ellis

That we have terminated somebody for. It was almost 20 years ago, actually they ran an IRC server on a production system. They said, “Oh, look, I’ve got this machine, let me run an IRC server”. We discovered it and that was the end of their employment.

David Spark

Was it one strike and they were out?

Andy Ellis

In that case, we had a conversation with their management, who were looking for an excuse, we should say. So, the thing to recognize is, if you’re the CISO, you likely don’t have hiring and firing authority outside of your organization; that’s not how corporations work. You’re going to try to convince another executive to fire this person, and often you can point at policies. You’ll often find that the people who are willfully violating reasonable security policies are probably willfully violating a bunch of other practices as well, and their management will be quite happy to have a conversation with you about making an example of them.

David Spark

So, it’s rarely isolated to just bad security behavior.

Andy Ellis

Yes.

David Spark

Eddie, have you seen something similar?

Edward Contreras

We have, and I applaud our GRC team, they’ve done a really good training job. I think the days are gone where someone visits you at the desk and shames you in public, or in front of your peers. It’s now about 30 second, one minute, vignette training exercises, where you don’t really have to interact with the person. They clicked on something, they get their learning opportunity and they go away. What I do feel strongly about are the repeat offenders, and being able to work with them and their managers. So, we do track when we do our phishing exercises, and the way we track is around those repeat offenders and how we get their managers involved. So, I agree with Andy, we’re not in the business of firing employees, it’s about training them, allowing them to be aware, and then getting their managers involved in the training as well. I agree, if somebody is not paying attention to phishing emails, they’re probably not paying attention to other things, and so, handing this off to the manager is a tool for that manager to enrich that employee, as opposed to a reprimand from security.

David Spark

Is failing phishing tests… and I know you’re not a fan of them in general, or using that as a barometer… but is that the thing that we’re constantly failing at, per the examples you gave up front, Andy? Or is there something else that we keep failing at?

Andy Ellis

Well, I think we fail at good mail security in general, and so, we leave it to the user as the last line of defense. Now, that is a line of defense, so, I’m not sitting here saying, look, don’t try to teach and educate the user. But if you’re finding that your people are continuously clicking on things you don’t want them to click on, maybe you should figure out some other control to add in. We added a control that said if mail came in that claimed to be from an executive, but was not from inside, so, said Andy Ellis was the sender, then the subject line had added to it: “Warning, external sender”. Partly because we didn’t want to get caught by any of these executive email impersonation compromises, we recognized it was our fault. If the user does the wrong thing, it’s because we set them up for it. So, we wanted to track to learn what we could do better. I loved Eddie’s approach, that says if I’ve got a person that doesn’t get it, I have to engage. And that’s the key point, is security teams are not fire and forget. When you have a problem, it’s for us to gauge and learn, and engage the rest of the business in improving. We can’t just say, oh, it’s that stupid user, let’s just fire them and move on.

David Spark

Because just getting rid of that user won’t solve your problem.

Andy Ellis

Right, you still have the problem.

David Spark

So, Eddie, in your financial environment, your issues are far more sensitive, to put it lightly. Is there a unique level that you have to deal with, given that you’re dealing with so much financial information?

Edward Contreras

There is, and we take a different approach to it. We look at our customers, and customers being our employees, as partners in our security program. We invest a lot in training, so, we don’t just do a once a year compliance effort, we do a monthly exercise. We do targeted training for departments, or high risk areas. We focus on the executive group, the admins, but we tailor each exercise. And again, I have to applaud my GRC team, they’ve been able to understand how to get a message to a group, whether a group is bank tellers, executives or finance. They’ve customized that training specifically for them, so, you’re not just getting a one-time spray that makes no sense. It’s really teaching them, okay, here comes the exercise, here’s what I did, and then here’s my 30 second private discussion afterwards. And the private discussion is really that employee and the website, there’s no shaming going on. But it is required and our examiners expect it, they want to know that the banks are taking it seriously, and if you look at what’s in the news about ransomware, and how ransomware gets into the environment, phishing is typically the conduit. And so, how do you address it? You have to show maturity, you have to audit it, you have to track it.

Closing

00:31:11:19

David Spark

Excellent. Well, that brings us to the end of this episode. I cannot speak more highly of how awesome this turned out, Andy and Eddie. Which, by the way, at the very beginning, I was doing the Andy-Eddie, Eddie-Andy introductions, which is what Letterman did at the Oscars one year, when he said Ooma-Oprah, Oprah-Ooma. Which didn’t get a single laugh. I remember it was notoriously one of the worst bits that went over like a fart.

Andy Ellis

It’s one of those jokes that’s really funny in your head, but is funny nunce.

Edward Contreras

You got two laughs here. [LAUGHS]

David Spark

You laugh about not being funny with the joke. That’s the best part.

Andy Ellis

I’m fine with that. Yes, but you got to make fun of David Letterman, that’s also good.

David Spark

Here’s a little bit of trivia for you. Do you know that I auditioned for Stupid Human Tricks and actually went to their offices in New York, when I was in high school? Never got on, but I did audition for it.

Andy Ellis

I want to know what your stupid human trick was.

David Spark

My stupid human trick was, I can juggle, and it was just a dumb juggling trick. It wasn’t anything that spectacular. But I juggled Mr Potato Head, a Twinkie and a Ding Dong and ate the Twinkie and the Ding Dong. Oh, no, it’s a Ring Ding. We’re East Coast, it’s the same thing. The idea is you eat a Twinkie and a Ding Dong, it makes a giant, colossal mess, and that was the humor of it. It’s insane, everything is flying everywhere, and that’s the humor. It’s visual.

Andy Ellis

You’re taking bites and throwing them around?

David Spark

Yes, I’m taking a bite, I’m throwing it. I’m throwing it up, biting, biting, throwing.

Andy Ellis

I want to see this on video.

David Spark

Last time I did it, I was a teenager.

Andy Ellis

You’re about to move out of your house, I think the last thing you should do…

David Spark

Just make a giant mess of my house?

Andy Ellis

Then walk away.

David Spark

And hand the key to the new buyers. [LAUGHS] Thank you very much, Andy. Thank you very much, Eddie. Eddie, you’re going to get the last word. I do want to mention our sponsor again, Varonis. Thank you so much, Varonis, for sponsoring us again. We love having you on board the CISO Series. Eddie, by the way, I always ask our guests if you’re hiring, so, make sure you have that answer. Andy, any last words for our audience, and for our guest?

Andy Ellis

I just want to say thanks to everybody for being here and to David, thanks for having me. And to Eddie, sounds like you have an awesome GRC team, so, my shameless plug of the week is going out to your GRC team, who really seems to understand the importance of knowing the differences in your business partners. That it’s not one business, everybody has a role, and what I heard you saying was the importance of really understanding and meeting them where they are. I don’t think a lot of security teams do that well, and the ones who do need to be highlighted more. So, thanks to your team.

David Spark

Excellent. Alright, Eddie, any last words and are you hiring?

Edward Contreras

Thanks for having me. I’m excited to be back and I’m looking forward to the next episodes, now that Andy will be returning to this. I’ll be looking out for that video. Absolutely, a shameless plug to our company, we are absolutely hiring. We’ve just had new capex approved and we are going to be growing our program, so, if you are in the San Antonio area, or in the greater State of Texas, please reach out.

David Spark

What positions are you hiring for specifically, do you know?

Edward Contreras

We do. It’s an application developer on the security side, a SOC manager and a data governance manager. So, excited that our program is growing.

David Spark

Excellent all the way round. Well, thank you very much, Eddie Contreras, who is the CISO of Frost Bank. My now regular alternative co-host, Andy Ellis, who is the operating partner over at YL Ventures. They’re a VC firm, based in Tel Aviv. Thank you very much. And thank you to our audience, as always, we greatly appreciate your contributions and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”
