CISO Series: What’s the ROI of Nothing Happening?

https://cisoseries.com/whats-the-roi-of-nothing-happening/

On this week’s CISO Series CISO/Security Vendor Relationship Podcast, David Spark and I welcome my colleague Ryan Gurney, CISO-in-residence, YL Ventures to discuss:

– What’s a better sign than “nothing happened” to indicate you did a good job in cybersecurity?
– What happens when your company wants to use a really insecure SaaS product?
– What a CISO-in-Residence does for a VC firm

Full transcript

Voiceover

Ten second security tip. Go.

Ryan Gurney

Availability is critical in security, and hearing about families losing their kids’ videos and pictures due to hardware failure or ransomware otherwise, it’s terrible. Teach your family how to properly back up their stuff. Gift them a year of cloud backup, and sleep better at night.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the Producer of the CISO series, and joining me, as a co-host for this episode, is Andy Ellis, Operating Partner for YL Ventures. We are available at CISOseries.com, and we have lots of programming or a headline show or a video chat, just go to the site and check it out. I want to thank your company, Andy, YL Ventures, for sponsoring this very episode of the podcast. In fact, I think this will be the first time we’ve had two guests from the same organization.

Andy Ellis

Ooh, that’s cool.

David Spark

Very cool. Alright. Now, before we went to record, you were needling me on something that I didn’t have enough nerd cred about.

Andy Ellis

You did not. The Eternals trailer just dropped, the day that we’re recording this, the final one, and we made the comment about it and David’s like, “What’s The Eternals?” So, I think Ryan may have joked, “It was the Avengers in space.”

David Spark

[LAUGHS]

Andy Ellis

And, that still didn’t work. So, I will admit, I’m very disappointed. Like, it’s the Jewish nerd cred because Stan Lee, one of the great Jewish creators.

David Spark

I did not realize that, and we quickly looked it up. His original name was Stanley Martin Lieber.

Andy Ellis

Yes.

David Spark

Which my father-in-law, whose original name was Melvyn Schwartz, and he was a magician in his early twenties, and he literally went by his real name, Melvyn Schwartz, the Magician, which sounds like a gag, doesn’t it?

Andy Ellis

It really does. It sounds like one of those acts on America’s Got Talent that doesn’t go very far.

David Spark

Yes. By the way, his whole thing was, he did a lot of memorization tricks. He could shuffle a deck of cards and memorize the order of the cards, or one of the other tricks he did, he would memorize the Saturday Evening Post before a show, and then, he would pull up pages and people would yell either a page number or the large advertisement that was on that page, and he could tell you what page number it was or the advertisement on that page.

Andy Ellis

That’s a cool trick.

David Spark

Yes, and he only did it in his early twenties, but, the thing was, he was performing under that name, Melvyn Schwartz, Magician, and it was either his assistant or a manager, it’s not clear, but said, “You have to change that name. It sounds like a joke”, and he was in his nineties when he died, and he was of the era when all Jewish entertainers changed their last name. Ironically, none of them ever changed their first name, because Melvyn and Stanley are pretty Jewish first names.

Andy Ellis

Right. But, Mel and Stan, maybe, people don’t realize.

David Spark

Possibly, yes. Anyway, someone said, “You should change it to something like Mel Magic or Mel Powers”, and he liked the name Powers so he changed it for the stage. He liked it so much he legally changed his last name to Powers. His brother, who was not in entertainment at all, whatsoever, also changed his last name as well. So, my wife’s last name is Powers. She’s not in entertainment.

Andy Ellis

[LAUGHS]

David Spark

She’s got the stage name. I don’t, with the last name Spark. Not a stage name, and people have asked me if that’s a stage name.

Andy Ellis

It would be a really cool stage name.

David Spark

Both are good stage names.

Andy Ellis

I mean, David Spark is awesome and it reminds me of one of the people who used to work for me when I was at Akamai, was Larry Cashstaller. That was actually his legitimate name, and we all thought he was clearly in the wrong business. “You should, clearly, be a banker.”

David Spark

Speaking of great stage names, I have a friend who’s a musician named Johnny Nation. Does that sound like a great rocker name? Johnny Nation?

Andy Ellis

That is an amazing rocker name. Oh, man.

David Spark

It is. It’s perfect.

Andy Ellis

He’s got to sell jeans, with that name.

David Spark

[LAUGHS] Alright. By the way, the Nation is the name of that, but what am I saying? His wife is the voice of this podcast. The voice you hear on the bumpers is Jules Nation, and her husband is Johnny Nation, and they are the Nations of the show. It all comes around altogether.

Andy Ellis

It does.

David Spark

Let’s get into the show. Enough of this nonsense. Let’s introduce our guest, who is the CISO in residence for YL Ventures. By the way, the third CISO in residence from YL Ventures we’ve had on this show, and we’re so thrilled to have him with us, it is Ryan Gurney. Ryan, thank you so much for joining us.

Ryan Gurney

It’s a pleasure to be here. I’m so glad to be here, and my mom wanted me to be a doctor, with my last name.

David Spark

[LAUGHS] That’s better than saying, “He should be a mortician.” [LAUGHS]

Why is everyone talking about this now?

00:04:52:01

David Spark

Jeremiah Grossman of Bit Discovery launched a great conversation on LinkedIn about Application Surface Management, or ASM, which appears to be asset management 2.0. Now that we have the capability to know what we’ve got, let’s make some sense of that knowledge. But, Grossman pointed out a number of ASM vendors have been purchased by bigger companies to become, well, a security sweep feature. It seems a wise and inevitable buy for these larger companies. But, could that be dangerous to the growth and adoption of ASM? I’m going to toss to you, Andy, on this. And will it create vendor lock in and a lack of unified standards? Grossman argues that ASM needs to be on its own, but, if it’s already happening I think the cat’s out of the bag. Yes, Andy?

Andy Ellis

I don’t know if the cat’s, necessarily, out of the bag. But, let’s just take a step back and not worry about the product for a moment, and just think about what the CISO needs, right? And, from that perspective, ASM, just like asset management, is part of the CISO solution. Like, just because you know where your assets are, you have to now do things with it, and the same thing for Application Surface Management, which is really just recognizing that systems aren’t just machines any more, but that an application is a system, even if there’s 70 applications on one machine, those are 70 systems, and that’s all that attack surface management really is. So, we can separate out the idea of how you buy it, from the fact that it does need to be an integral part of your solution. And look, YL Ventures, we just sold our stake in Axonius, which is doing fantastically as an asset management system all on its own, but then, you can look at a number of other vendors who have integrated asset management systems, so I don’t think there’s only one way to skin this cat.

David Spark

Good point. What’s your take on it, Ryan? Do you agree?

Ryan Gurney

Yes, I do agree. It’s also very telling, when you see innovative security leaders like Jeremiah and H. D. Moore, their next startups are really focused on this area, so they obviously see it as an interesting problem. Regarding lock in, I don’t feel that that’s necessarily true. I think whatever suite purchases these products, they need to have completeness of what they’re looking at, and if there’s any sort of lock in or any limitations on that solution, people are going to look for something else.

David Spark

So, initially, you’re not as concerned with lock in right now? Or, are you, Andy?

Andy Ellis

Well, I’m a little concerned. But, I’m not a lot concerned. The little concern I have is, I have seen things that said they were holistic solutions, but they only showed you the systems that they could manage, and so, somebody like that buys an ASM, are they going to hide the applications that they don’t interact with? And so, that is an argument for an ASM that just focuses on completeness, because, if they’re bought by somebody who doesn’t focus on completeness, there will, of course, be attention within that company to pivot the ASM away from completeness.

David Spark

Within this ASM space, what is it that the CISOs are clamoring for, specifically, Ryan?

Ryan Gurney

I think they just want to be able to identify, in certain areas, the assets that they need to know about, right?

David Spark

But, I know that the big issue here is context. Like, what are the most critical issues we’re dealing with?

Ryan Gurney

Right, and so, you need to know what those assets are, and you need to know things like, what are the risks? How are we managing them? Who owns them? And, it’s interesting, like this goes across end points and infrastructure and all the way into applications, all the way across the board, and so, I think you’re seeing different companies come up with solutions. Some of them are a little bit of a Swiss army knife. Some, like you said, have been purchased. But, what I think we’re seeing mostly is, is companies that are putting discovery as part of their platform. It’s a piece of their platform.

David Spark

I may be speaking out of turn, but is XDR, maybe, the grand tool that’s going to weave all of this stuff together?

Ryan Gurney

I think XDR is a very powerful tool. But, it’s an operational tool for integrating the alerts as things happen. Where ASM is really valuable, is in the future risks that you’re worrying about, is that it tells you where everything is. Now you have to feed that into an AppSec program or into a data security program, so that you can now correct problems on those systems, but if you don’t know what those systems are, you can’t then do the correction.

Are we having communication issues?

00:09:16:16

David Spark

What do you do when your company wants to use a really insecure SaaS product? A Reddit user on the cybersecurity subreddit was asking for help on how to voice his concerns of an application that has numerous red flags around access to admin rights, customer storage of data and passwords, and a complete lack of PCI compliance. This was just his initial review. I mean, he has no idea what else is there, and senior management has invested a lot of time and money into their planned use of this application. So, I get the sense that this person isn’t high up on the totem pole and he’s really concerned how they will be perceived when they voice these concerns, like, maybe, of a Chicken Little kind of screaming. So, if you were in this person’s shoes, Ryan, how would you suggest they handle it, or how would you handle it in this case?

Ryan Gurney

In this case, it sounds like they’re still in the planning stage, which means this guy’s lucky, right? Someone asked for approval before using this SaaS app, and in this example, you would hope that the user feels like these issues can be raised to the security team, and that they are addressed. However, often, the weak security SaaS apps sneak past the vendor reviews, and some users who are okay with using an insecure SaaS will, probably, just sign up for it. The user may not know it’s not secure and, frankly, just wants to use a tool that helps them in their job and business. As a CISO, I prefer not to slow down the business, but it’s also your responsibility to manage the risk. So, the known apps is one thing. It’s the unknowns that’s a completely different story.

David Spark

But, again, this guy is not a CISO. So, imagine you are an entry level or, maybe, mid level security person and you see something that looks like a total catastrophe. What would be your method to bringing this up, Ryan?

Ryan Gurney

I would raise it to the owner of the application. I would list out, here are the key things that it’s missing and, in these cases, this person honestly brought those up, and I would go to management and try to address those things and look to the solutions we already have inside our house that we can deploy to help here. Now, that may be received interestingly.

David Spark

That’s a polite way of saying, it may cause some serious problems?

Ryan Gurney

Right. But, at the end of the day, you’re responsible for your customers’ data, your company’s data, and it’s one of those areas you just have to explore.

David Spark

Andy, how would you handle it, thinking of yourself back in those early days? Because, here’s the thing, there’s the Andy Ellis of today and there’s the Andy Ellis of 20 years ago.

Andy Ellis

The 20 years ago Andy Ellis, I don’t recommend following his path.

David Spark

[LAUGHS]

Andy Ellis

Because there were some career limiting moves in there. But, I’ll give you the advice. So, from over 20 years, it’s similar to what Ryan said, but with a little different spin on it. Don’t tell them what the problems are. Tell them what the fixes are to those problems. So, you see a set of risks, make recommendations and say, “If you wanted to use this vendor, here are ways to mitigate the risks that they pose”, some of which is work that you would push on the vendor, some of which might be work for the business owner, to say, “You’re going to need to have a process to do X”, right? So, they can see, oh yes, of course, everybody wants to do what’s right for the business, and, the problem is, if they’ve already decided to do this, you just look like you want to say, “No” if you show up and say, “Here’s 75 red flags.” Instead, you show up and say, “There are some red flags, but I’ve got a plan. Here’s what we need to do”, and now, you’re putting that onto the business owner to say, “Do you want to do these things?”

David Spark

That’s a good point, and I want to go back to something you said, Ryan, about approaching the company, the actual vendor. I think, even before you mention to the company, talk to the vendor and say, “I brought up these five, six issues, and here’s what they said back.” If they respond back and say, “Well, we don’t think there’s a problem”, or, rather, they say, “Oh, crap. Thank you for telling us. We’re going to work on this right away.” You know what your future dealing with that vendor is, right, Ryan? And, have you had those kinds of conversations where there was that red flag of future communications too?

Ryan Gurney

For sure, and that’s a good telling sign, right? How mature are they as a company? I had this experience at one of the companies I was at. They wanted to use a plug-in in Salesforce, an application in Salesforce, a very small, immature company, but interesting use case, and they said it was key to their business, the sales organization, and we looked at it, found all the issues, we talked to the CISO, and this is really important, try to have CISO conversations. Raise them. But, they weren’t going to be able to fix it in time to put deployment, and so, what you, ultimately, have to do is put the risk back on the head of the sales organization and say, “Listen, do you accept the risk of this?” Ultimately, guess what? Nobody ever wants to accept the risk, and they slowed down deployment until they were ready.

David Spark

That is the key line. You, ultimately, have to get to that. Are you going to accept the risk of that? And, if they’re cool about it, yes. But, if they want to throw it back in your face, then they’re no longer accepting the risk. Good point.

It’s time to play, What’s Worse?

00:14:22:17

David Spark

Alright, Ryan, I’m assuming you’ve heard a few episodes. You know what this is like. We give you two pretty crappy scenarios. This one is actually, kind of, a mix, good and bad, in each scenario. You have to figure out which of the good, bad mix is worse. It’s, again, purely a risk management exercise. You just have to figure which one will be the worse scenario. I always make my co-host answer first, so that will be Andy. So, Andy, are you ready?

Andy Ellis

I guess so. I used to like when I was a guest and I got to listen to the co-host and then tell them why they’re wrong, so going first is a fun challenge.

David Spark

[LAUGHS]

Andy Ellis

Maybe that’s what’s worse, going first.

David Spark

I want you to know. Here’s the big challenge on you, Ryan. We’ve only had this happen twice, and Andy’s a brand new co-host here, twice we had cases where the guest changed the mind of Mike or other co-hosts. So, again, assuming you disagree with Andy, and, by the way, I always love it when someone disagrees with the co-host, again, only two CISOs have pulled this off, so it’s a very high bar to hit.

Ryan Gurney

I seem to recall I was one of them.

David Spark

You were not one of them.

Ryan Gurney

Didn’t I change Mike’s mind on one thing? Maybe I don’t remember.

David Spark

I don’t think so. I think, what it was, it was the two people who did it was Bruce Potter, who’s the CISO of Expel did it, and, also, Adrian Ludwig, who’s the CISO of Atlassian, those are the two who have done it.

Ryan Gurney

Okay.

David Spark

This is from Jesse Whaley, who’s the CISO of Amtrak, who we’ve had as a guest. Here we go. Scenario. You are hiring or promoting a deputy CISO and a potential successor and have two top candidates. Candidate number one. Deputy CISO that has deep technical acumen and will easily be able to communicate with the team and drive internal success but is not business savvy at all. Or, the complete flip of that, a deputy CISO that is very business savvy and will easily communicate with the business, but does not have the technical acumen to drive the internal security team. Which one is worse?

Andy Ellis

So, I always lead with, it depends, and here’s why.

David Spark

This game does not allow for, it depends.

Andy Ellis

No, I will explain, and then, I will tell what I pick.

David Spark

Alright.

Andy Ellis

It depends on the structure of your organization.

David Spark

Yes, so assuming what you already have in place.

Andy Ellis

Assuming what I had in place, I mean, just go with that, because I’ve actually gone both routes. I think I would actually go with the deputy CISO with the more business savvy, and the reason that I’m going to do that is, ultimately, the decision to promote them to a CISO is not mine, because, when I leave, it is the other executives, and if I’ve got a technical deputy CISO with zero business savvy, they have no chance of getting that promotion, and so, now all of my development work is gone. If I have somebody who’s got the business savvy, but not the technical sense, they can get the promotion, and then, they can then fill in with that technical savvy as whoever their next deputy is, and I can help them recognize that gap. But, I’m assuming, for the purpose of this thing, I don’t have the ability to correct their weakness, so I’m not going to cheat and say, “Well, I’ll just correct the weakness.” That’s how I would do it. So, I would go with the business savvy but no technical savvy.

David Spark

By the way, there would be no worse if you could correct the weakness in any scenarios.

Andy Ellis

Right. I think I may have done our previous one and you yelled at me. So, I can learn.

David Spark

[LAUGHS] You would pick the one that has the business savvy, so the worst one…

Andy Ellis

Right. I’d pick the business sense so the worst one is the technical with no business sense.

David Spark

Right. Okay. Ryan?

Ryan Gurney

So, as much as I’d love to argue with Andy, I’m not going to argue with Andy on this one. I completely agree with him, and here’s a couple of reasons why. One, I think it’s important CISOs know their strengths and weaknesses, and I’m not strong in technical ability as much as I am in business acumen, so, if I’m already in the seat and I have a deputy that has more business acumen, it’s going to be an easier transition for them. Also, I think, number two, when you know your weaknesses, you surround yourself with a solid team, and so, there would already be a pretty solid technical team there that this person could draw upon. So, those are my reasons. You need to be able to talk to the board and the CEO, and I think business acumen is vital for that.

David Spark

Now, I’m going to throw this argument out to both of you, and that is, if you don’t have someone who can drive the team then who’s driving the team? Then, is it your job, as a CISO, driving the team? The deputy CISO can’t do it? And, is that what’s happening at that point?

Andy Ellis

Do I have a chief architect? Do I have a fellow? I have a leadership team that drives the team. The deputy CISO isn’t running every single project. For me, in fact, the business acumen probably means that I have somebody who understands the value of professional managers and professional program managers to augment and drive the team, and not just say, “Let’s take every technical person and promote them into management”, which is something I have seen, teams led by non business savvy technologists do, and you end up with a dysfunctional team.

David Spark

Let me also throw out to you. What is easier for you, personally, on a day to day basis, is it easier for you to have the technically savvy or the business savvy deputy CISO, Ryan?

Ryan Gurney

I would say the business savvy person, because part of the consideration is, if something happens to you, that person’s going to have to take your seat, right? And so, communication wise, I really think a CISO’s job is more around risk management, and so, understanding risk is a key component of business acumen, to me.

What’s a CISO to do?

00:19:50:24

David Spark

I’m going to go so far as to say, YL Ventures owns the branding of the “CISO-in-Residence” concept. We’ve actually had YL’s previous two CISOs-in-Residence on the show, and if you do a search on the concept on Google you, Ryan, and your predecessors, own the first few pages of search results, so kudos on that. So, usually, when a VC firm has an “in residence” expert, such as a lawyer, it operates as a consultant advising the startups on their beginning needs, and we’ve debated whether startups need CISOs at all, and, not surprisingly, the security community says, “Yes, startups need CISOs”, but, when you’re just trying to get to market, initial dollars should be put into product and marketing and, additionally, many argue that any security plan you make, as a startup, will, inevitably, be scrapped for growth. So, Ryan, do you agree with that last statement, and, if so, how do you manage that inevitable change? I’m going to ask a couple of extra questions here. Is CISO-in-Residence just a fancy name for an advisor, and what kind of CISO would be attracted to this type of position?

Ryan Gurney

Yes, I agree when you’re getting to market, I mean, you need to be focused on revenue generating projects. But, however, a couple of things. First, while we mainly invest in security startups, and if you own security and you’re building that platform, you’d better have a good security story internally. You have to. And then, definitely, we help our portfolio companies with their security plan. That’s part of my role. But, it’s not the biggest part of my role. The “CISO-in-Residence” term is more around a strategic person that’s helping them with ideation ideas and pitches to the CISO community, on how they would market their product, and then, of course, I’m available if they want to talk about their own corporate internal security plans and issues.

David Spark

So, the CISO-in-Residence is very specifically relevant to the fact that YL Ventures is so security focused with their investments?

Ryan Gurney

For sure. It’s a value add that our founders and our portfolio companies, I think, really appreciate.

David Spark

As a CISO, you’re helping the portfolio companies, you know, they’ve been invested in and you’re trying to get them going. But, what about the companies who have yet to have investment that YL is looking at them at this point, or, heck, they’re just out in the world and they’re trying to figure out how to get investment?

Ryan Gurney

Yes, that’s a huge part of my job. So, I’ll meet with folks that we’ve identified or who have come towards us, and I’ll work with them on their ideas, and see if they make sense, and then, even come up with some of my own that they might be interested in. So, we work very closely together and collaborate and work with our venture advisors to then discuss some of those ideas and see if they make sense for them in their CISO communities.

David Spark

I’m going to throw this to Andy, because you also work for YL Ventures, I’ve got to assume that this is, kind of, an attractive play for another CISO who would be wanting to do something similar? What makes this so attractive?

Andy Ellis

I think what makes it attractive is, if you think about the job of a CISO, if you’re doing it well you’re looking further and further into the future. You come into a position and you’re worried about, what’s the incident today? And then, the next day, hopefully, you don’t have an incident and you think about, what’s next week’s incident? But, as you mature and you build a program, you’re always trying to solve problems further out, before they happen, and, what makes this really attractive, is you are solving problems much further out for the entire industry, so you get to say, “Look, I really, really want to solve the challenge of the business application security mesh”, or, “The challenge of AppSec program management across the whole industry, and I’m going to help a company solve that problem”, so I get to, basically, run a security program that will then be sold and repeated across multiple parts of the industry.

David Spark

Ryan, I had mentioned this to Andy, actually, off air once. There’s something exciting just watching startups operating, especially when they’re extremely young and all of us, in our older years right now, are showing gray or lack of hair, as Andy sort of quotes, “Not me”, at all, but, there’s certain things that we do when we’re older that we don’t do any more than when we were younger, kind of a thing, and there’s a level of excitement, and tell me how you feel about this, watching people in their early twenties, like, yes, I remember having that eagerness and being able to do this and pull this off because of my age and because I was green to the market. Describe what you’re seeing and how you’re part of that experience and the value you get back for it?

Ryan Gurney

It is super exciting to be part of that. As being part of myself, two failed startups, I know the difficulties in it, but I also know how inspiring it was to just be going and saying, “I’m going to go create something today”, and so, me, being able to partake of that, is so interesting. I explain to my family and friends, this job, I, basically, say, “It’s nice to have a role where people are coming out to come and be excited to talk to you versus a CISO where, sometimes, you’re trying to draw people out to talk to you”, and, in my last company, I’d make fun of that about myself and say, “Hey, if I’m coming to you it’s coming to talk about a risk”, and someone placed a red stapler on my desk where I sat and said, “Property of Ryan”, right? Just as a funny thing, but it’s just the reality, and so, it’s an exciting job for CISOs afterwards, because you get to do a lot of neat things that way.

David Spark

That’s a really good point to make. It’s like you’re the CISO that wants to be seen, not feared.

Ryan Gurney

Exactly. For sure.

David Spark

Andy, have you seen this experience as well?

Andy Ellis

Absolutely, and I loved your comment about like looking at the work that I did 20 or 30 years ago, and I think we used energy to replace wisdom, and I’m not saying that if you’re 20 you can’t be wise, I’m just saying, when I was 20 and 30, there were times where I just did it all myself. Now, sometimes, that’s because I didn’t have anyone to delegate to. But, as I got further on in my career, I discovered that, even something that I was better at than the people I would delegate to, there were more of them, and so, there’s an art to learning how to get other people to solve problems that is more powerful than doing it yourself, because you have more users already adopting, and so, you look at the startups that we might work with, and you say, “Wow, sure, I can go do any one of those”, but, instead, I get to help 12 of them, and that’s this really big force multiplier. So, maybe, instead of just focusing on AppSec Management, you’re supporting a company like Enso, who’s going to be one of our sponsors here, or, maybe, the challenge of SaaS, and Grip Security or, you know, any of the companies in our portfolio that each solve a different problem, and so, you get to work across 12 of them and solve 12 problems all at once by delegating out the actual execution.

David Spark

Being that you’re working with these 12 different companies, and you’re also looking to get complementary solutions, I would assume, do you cross pollinate information like, “oh, do you know Grip’s doing this and Enso’s doing this, like, if you guys did this it could work more strategically better together.” Does that ever happen?

Andy Ellis

Occasionally, but we do need to recognize that these are independent companies that are not beholden to each other, and so, we have to be very careful about maintaining confidentiality across them. If one company tells me, “Here’s our road map for the next year”, I don’t wander over and share that road map with another company. Now, if I see a synergistic fit, which I have done before, I’ll say, “Hey, can I make an introduction because I think there’s something you two should talk about”, and then, I’ll broker a conversation and say, “I think there’s a place here where you might be able to work together, and I just want you two to know about it”, and then, they’re making up their own minds.

David Spark

That’s huge, and I want to also throw this out, and this is how I feel when I see people in their teens and twenties and working, I feel they are way wiser than I was back then, way wiser.

Andy Ellis

Absolutely. Yes.

David Spark

Now, again, they may just put on a better presentation than I did, I think, but I felt all I was doing was making mistakes, constantly, an endless stream of mistakes, but, while they may make mistakes, because that’s what you do at that age, period, it just seems that they’re further ahead, and it just may be because of the knowledge gathering that we’re having today, Ryan?

Ryan Gurney

I agree, and I think, part of it also is, people, college programs and everything are much more focused on security today. When I was going to school there was no such thing. I was in a school of accountancy is where I started. So, I think there’s a lot more insight into it. Also, public data breaches have made people a lot more interested in the field, and, certainly, media, the movies and such, play up the excitement side of the job.

What’s it going to take to get them motivated?

00:28:41:03

David Spark

Over on Twitter, I asked the question, is there a better sign other than, nothing happened, that indicates you did a good job in cyber security today? Mark Eggleston, CISO for CSC, noted two indicators. One, does the board appreciate your documentation of risk management? And, two, employees can actually name the CISO, by name, indicating there’s good messaging by security. So, Andy, do you agree with those two examples that Mark gave and can you give another example of, other than nothing happened, that you did a good job in cyber security today?

Andy Ellis

I’m not sure I agree with Mark because, certainly, everybody knowing your name might actually not be a good sign.

David Spark

[LAUGHS]

Andy Ellis

It might be they all hate you. So, let’s make sure why they do. And, you know, I think boards are still learning how to understand cyber risk management, and CISOs are still learning how to talk about risk management in a way the boards can understand. But, I think you’re really close on something with the “nothing happened”. I prefer “something almost happened”. Like, if you can point at a near miss and say, “Well, we had this severity four incident, and it only was severity four because of this control. Had this control not stopped the incident, or helped us detect and mitigate earlier, it would have been a clear sev three, sev two, sev one, just like this other incident three years ago that we implemented a control as a result of.” So, when you can point at places where implemented controls have demonstrably made you safer, that’s the most effective way to see that you did a good job.

David Spark

Are your people doing that for themselves, or are they actually showing it, or is it just something that’s just known, but only in the security field? How does that become visible?

Andy Ellis

What I would do, is I would actually watch the severity three incidents and I’d tell people, “Look, if you spot a control that stopped this incident, tell me what it is, even if it’s not a security one, and then, I can, at least, drop that control in a conversation”, and, when we’re doing an incident review for a nearby incident, I can say, “This parallel control that we didn’t have here, but we had here, stopped this incident. Maybe, we should look at implementing similar controls, because we know how effective they are”, and celebrate the person who did the work, so that they recognize that I’ve got their back when, later, someone says, “Why weren’t you working on a product feature?”, they’d say, “Well, I was working on a safety feature that the CISO should have told your boss about.”

David Spark

Ryan? I want to know your take, specifically, on the very initial question: is there a better sign, other than “nothing happened”, that indicates you did a good job in cyber security today?

Ryan Gurney

I have a couple of anecdotes to share with you on this one, that’s very dear to my heart. So, I had a CEO that I used to ask, “How do you know I’m doing a good job?”, and he would sit there and look at me, and I said, “You can’t judge me by number of security incidents, can you? Because those aren’t always my fault?”, and he sat there for an eternity and finally said, “No. I’m just going to judge you by security incidents because it’s all I have.” And, that was a learning lesson to me that I’ve got to give him more than that, and, one of the things that I’ve found that’s helpful, is to, basically, align yourself with some sort of framework, whether it’s ISO or NIST, and demonstrate that to the board and the CEO regularly that, you don’t have to take my word for it, here are the things we are doing, and it’s aligning with some level of a standard, and even have a third party do that for you. The second thing that I think is really critical here is, if you don’t have a mature security program, you’re likely to see a lot of “nothing happened today”, right? And so, you actually need a security program to see a lot of things, but that doesn’t indicate it’s bad, it indicates that you’re seeing stuff, potentially, and I once had a CFO say, when we were working on bug bounty, I wanted to raise the bug bounty amounts, and he said, “Why would I do that? That means we’re going to have to pay out more and we’re going to have more issues”, and I said, “That’s exactly why we need to do it.”

David Spark

[LAUGHS]

Ryan Gurney

Needless to say, we raised the bounties. It wasn’t a hard conversation.

David Spark

Ryan, that’s a great point. A key phrase everybody should remember. Absence of evidence is not evidence of absence.

Ryan Gurney

[LAUGHS]

Closing

00:33:00:03

David Spark

It’s like the classic ostrich head in the sand thing, but that does not remove anything at all. It should just make you more fearful of what’s happening. Alright, well, I love these takes on this, and thank you so much, Ryan, for joining us today, and I have to thank your company, YL Ventures, for sponsoring this episode. And, by the way, a few of the YL Ventures companies have also sponsored, Enso and Grip, and you’ll be hearing, I can’t remember when we’ve got this episode scheduled, but, either before or after this you’ll hear it. Everything is before or after, isn’t it? The whole world is.

Andy Ellis

Some things can be simultaneous. It’s the multiverse, after all.

David Spark

Ah.

Andy Ellis

Another Marvel cinematic universe reference that David is going to miss.

David Spark

So, I saw Stan Lee at a Comic-Con one year, where I was recording. It was the first time I ever said to a client, because I used to go to conferences and trade shows and shoot videos, as you know, I met you at one of them. That was the first time I ever went to a conference and told the client, “Don’t ever send me to Comic-Con again. That’s it. Don’t send me back.”

Andy Ellis

[LAUGHS]

David Spark

It got so packed I remember I had to hold my equipment over my head because I thought it was going to get crushed. And, specifically, I remember it was the moment Stan Lee walked right by me because, all of a sudden, all these people came, and he was an old frail man and everyone was trying to get close to him. I go, “You’re going to hurt him. Like, stop.” [LAUGHS] Alright. Ryan, I’m going to let you have the very last word here. But first, Andy, any last words for the audience on any of these things or for Ryan as well?

Andy Ellis

I think the important thing here is to understand why you’re doing what you’re doing. There’s a theme underneath here that, don’t just do stuff because that’s the stuff you think you need to do. Figure out why you’re doing it.

David Spark

I like it. Now, Ryan, one of the questions we ask all our guests is, are you hiring? My guess is you’re not hiring in cyber security within YL itself, but I’m guessing across all your portfolio companies, they are definitely hiring? And, you’re nodding your head, yes?

Ryan Gurney

Yes, for sure, and it’s a constant conversation we have.

David Spark

So, if someone was looking to get a cyber security job at any of the YL Ventures companies, what would be the best way of going about doing that?

Ryan Gurney

I think, typically, going to their website; the positions will be hosted up there, and you can find out more about what positions they have open. Or you can go to jobs.ylventures.com. We aggregate the jobs into that location.

David Spark

Even better and even simpler. There you go. Any last words or comments or suggestions for the community about YL or anything else?

Ryan Gurney

I’m just excited for people to keep innovating and, as a CISO, hey, you have an opportunity to take all that knowledge you have and go build something great too, and don’t limit yourself.

David Spark

Would you say this is the one job you’ve had, Ryan, where you have actually been, I’ll say, a more liked CISO than previous jobs?

Ryan Gurney

No, I think I’m a liked CISO [LAUGHS]. But, it’s a different conversation, for sure.

David Spark

Let me not say, liked, a more desired CISO?

Ryan Gurney

Yes, for sure. But, also, I think, CISOs in your organizations, get involved in product features and management so you get that experience as well. I’ve been involved in a lot of the product features at our companies, and so, you can get that experience while you’re a CISO. There’s more to do in that job where you can provide value than just the risk side of the equation.

David Spark

Excellent. Well, thank you very much, Ryan. Thank you, Andy. Thank you to YL Ventures as well, and thank you to our audience. As I always say, we greatly appreciate your contributions and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”
