Adversaries Beef Up Their Shiny Object Distraction Campaign

https://cisoseries.com/adversaries-beef-up-their-shiny-object-distraction-campaign/

We are all very easily distracted, and adversaries know that. So they’ll try any little trick to make us not pay attention, look away, or do what we’re not supposed to do, all in an effort to break our human defenses. This week’s episode is hosted by David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Shaun Marion, CISO, McDonald’s.

Full transcript

[Voiceover] Best advice for a CISO. Go!

[Shaun Marion] For current and aspiring CISOs, get out and network. Get seen, get heard. I know too many CISOs, especially aspiring CISOs, that think they’ll get that next role, they’ll get the big gig if they just continue doing what they’ve done. And I would tell them to get out, get your name out and meet people, learn new things and meet new people, and that would be the best advice I have for any CISO or aspiring CISO.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my co-host for this very episode, you’ve heard him many times before and here he is yet again. It is Andy Ellis, the operating partner over at YL Ventures. Andy, introduce yourself to the audience.

[Andy Ellis] Hi, I’m Andy Ellis. But David just introduced me, so this is redundant.

[David Spark] [Laughter] We’re available at CISOseries.com where there are other programs on our network. And Andy, I like you to introduce yourself so people get familiar with your voice, that’s why.

[Andy Ellis] Okay. I like that.

[David Spark] Our sponsor for today’s episode is Sentra. Thank you, Sentra, for sponsoring. A brand-new sponsor, I should also mention. You can find them at sentra.io but what is it that Sentra does? Well, they do data security. Data travels. Now, your security does too. More about Sentra later in the show. But first, Andy, something magical just happened here. A match was made, and I believe you and our guest will be going to see a Patriots game very soon. Actually, probably before this show airs. Yeah.

[Andy Ellis] Before this show airs, although he would call it a Cardinals game.

[Shaun Marion] I was going to say. I’d call it a Cardinals game.

[David Spark] He’s a Cardinals fan, you’re a Patriots fan, yet you’re getting a ticket from… The two of you are going to be rooting for opposite teams. There will be no animosity?

[Andy Ellis] No. Well, we’re going to be rooting for no injuries, for an enjoyable game.

[David Spark] Oh, between the two of you.

[Shaun Marion] Oh, yeah.

[Andy Ellis] And on the field as well.

[Laughter]

[Shaun Marion] My team is such an abysmal wreck this year. I’m not too worried about any kind of animosity.

[David Spark] All right. Well, let me introduce the voice you just heard right there. That is our guest for today’s episode. It’s the CISO for McDonald’s, Shaun Marion. Shaun, thank you so much for joining us.

[Shaun Marion] Thank you for having me.

[David Spark] And I’m going to just break. I normally just jump to the next episode, but I do have a couple of connections with McDonald’s. I did work for an ad agency that had McDonald’s as a client, so I did handle some advertising for McDonald’s many moons ago. And my grandfather sold bakery equipment that put the seeds on the buns for McDonald’s equipment in different countries. He was like a middleman who essentially would set up deals for people who wanted to open up kitchens and bakeries and things like that.

[Shaun Marion] Yeah, small world.

[David Spark] There you go.

Why is everyone talking about this now?

2:57.659

[David Spark] Many may be listening to this show and hear you, Andy and Shaun, and think, “Oh, everybody knows them. They’ve got all the support they would possibly need.” And this is actually a great reference to your opening tip, Shaun. But for every person who seems that they’ve got it all together, there was a time they didn’t. It brings me to Olivia Rose’s LinkedIn discussion about needing a cybersecurity hive for your cybersecurity journey. Now, Olivia is a successful repeat CISO looking for her next gig and admitted she was struggling in her job search. Her hive helped her a lot. Olivia said, “If you don’t have a security hive, I urge you to go about forming one or finding one. Ensure you are welcomed and welcoming there, and trust. You’ll find they will be your saving grace more than a few times.” So, Andy, I’m going to start with you. I want to double down on her line, “Ensure you are welcomed and welcoming there.” There are plenty of organizations, and all may or may not be right for you. So, do you have a hive and what does it do for you? And were you part of others that didn’t work out – this is key – how did you know they didn’t work out?

[Andy Ellis] So, I think it depends on what you call a hive as to whether or not I have one or many. I’m in a lot of different organizations but I’ve got a small number that really are that sort of supportive place where I can bring in a hard time and say, “Hey, I just don’t even know what to do here,” and get helpful but brutal feedback. And I think that those are sort of two key words there. Like, when I’m screwing up, I need somebody to tell me non-vindictively.

[David Spark] Now, here’s an interesting thing. Many of our listeners may be listening to this and go, “Andy has problems? Everybody comes to him to ask him questions.” But you yourself fall into issues where you are looking for support from your network.

[Andy Ellis] Absolutely. All the time. Sometimes I’m ahead of it before anybody else sees it. Sometimes I have people reach out to me and just say, “Hey, Andy. You got a problem here.” And that’s an important part of having that support network. And sometimes you’ll find it in a group that already exists. Sometimes you’ll make it in sort of a subgroup of a larger organization. But you shouldn’t expect that you can just walk into some local organization and instantly you’ve got it. You have to invest in being there and supporting others and finding your people that are going to connect with you, that are going to give you those different types of feedback. People who haven’t had the same experience as you have so that you can learn from them as well.

[David Spark] All right. So, let me pause. Nothing like this happens overnight, and it has to happen organically, but to what level can you plan something like this?

[Andy Ellis] I don’t think you can plan for it. I think you can test for it. You can say, “I want to have this happen. I want to be in this place.” And then you can test to see if a given group is achieving that or is achieving part of it for you, and if not, go looking for the things that you need. I don’t think you can walk into a group and force them to be your hive.

[David Spark] Good point. All right. Shaun, I’m throwing this to you. Let’s just start with the basics. Do you have a hive? Do you understand how you actually formed it or was it organic, you could have never planned it?

[Shaun Marion] I do. Like Andy, I have many hives. Organic? So, mine was kind of a life event. I spent 17 years at Honeywell and during that time, I was so – and that’s why I said earlier, talked about networking – I was so focused on the company, on the internal network, building my network internally, and I had reached a point where I owned cybersecurity, physical security, product security. I was the security guy at Honeywell, and I was looking for a new job, looking to kind of step out and I really had no network. I didn’t know anybody, I didn’t have any connections, I had nothing except for internal, and I obviously wasn’t looking there. And so I knew a couple of people and I just started to kind of branch out. Oddly enough, Andy and I are part of a similar hive, actually, and so I know Andy knows Will Lin. I got connected with Will and was like, “Hey, man. Can you help?” And that was my first step in getting into a hive.

[David Spark] Are you talking about the Security Tinkerers? That group?

[Shaun Marion] Yes. Correct, correct. And so they have this interesting thing, it’s not just unique to the Tinkerers or Slack, but it’s a Donuts app and it randomly connects you once a week with a random CISO or person, security nerd, whatever the case is. And so it’s a bit of a commitment, it’s like 30 minutes a week, but when you’re busy that feels like a lot. But I committed to it, and I have met so many people. In fact, the reason we’re talking right now, I got connected with Dan Walsh over at VillageMD, and Dan and I just hit it off. We had a great dialogue, great connection.

[David Spark] Dan is a phenomenal guest. In fact, we’re recording with him later this week again.

[Shaun Marion] Perfect. Dan is an awesome guy. He and I started connecting outside of that, I think like every other month, and so we hit it off. And a couple of weeks ago, he said, “Hey, do you know this guy Dave? Would you be willing to connect?” so on and so forth. And so that’s how the organicness starts to grow out of this, but you have to be deliberate and you have to commit.

[David Spark] Excellent, excellent point. All right. I want to get though just very briefly to my other point of how do you know a group is not right for you or is it like it’s one of those things you quickly know that you don’t spend even any time to have it even register? Andy?

[Andy Ellis] Well, I think Shaun just gave a great example of a positive test which is he met somebody that he wanted to connect with more. If you don’t have that, that there’s nobody in this group that you want to have that connection with, it’s not going to be a hive for you. Because the hive isn’t this existing org. Like Shaun said, we’re both in this group, it’s the Tinkerers, it’s like 400 people, it’s a lot of people. It has subcommunities within it that are sort of these smaller hives. I don’t do the Donut app, but I do a Friday afternoon call that’s anywhere from 9 to 20 people and so that’s my hive. Those are the people I’m connecting with, which is a different set than Shaun is. Now, Dan happens to be connected to both of us because Dan is totally awesome. Dan, if you’re listening to this, we’re being paid to say these nice things about you.

[David Spark] They are getting literally nothing.

You couldn’t have done better than that?

9:21.842

[David Spark] Honeypots are fake endpoints or devices designed to lure attackers. Another evolution of this type of deception technology are canary tokens, or fake credentials that send alerts when stolen and then used by attackers. Now, in an article on Dark Reading, Rob Lemos wrote that their popularity is to “slow down attackers.” Andy, you’ve said, “Deception technology is about hacking the adversary’s mindset.” And then you also mentioned that you should be actually using that information to bolster your defenses. How did they get the credentials and how are they using those credentials? So, actually, Andy, I’ll start with you. To get their full benefit – talking about deception technology – how should canary tokens be used beyond just slowing down adversaries? Because my feeling – that can’t be enough. Is it?

[Andy Ellis] No. It’s certainly not. And in fact, I think slowing down an adversary is one of the least valuable uses of a canary token. The most valuable thing is a sensor, it’s like tripwire that tells you where an adversary has been. And I’ll give you an example. Many, many years ago, we had a competitor that was showing up right in the middle of our deals. Like, we’re about to close a deal with a customer or a prospect, and the competitor would show up and would say, “Hey, I hear you’re looking at…” our company, or for them, the competitor, “And we can beat them, 50% lower,” than whatever it was. And we had enough sales reps come and say, “Hey, the timing was just weird. Like, we’re putting paper down and they immediately showed up.” To the point that customers would say, “Hey, you have a problem.”

[David Spark] That’s amazing.

[Andy Ellis] So, it gets handed to me. It’s like, “Andy, go figure out what’s happening here.” And this is literally the only sensor I have. So, what do I do? I start dropping canaries everywhere. So, one canary was fictitious companies that we were putting into our CRM system that the phone numbers went to a private detective. And so if you called that number, they had a script that they would answer and that would tell me if the adversary was in our CRM system. They weren’t.

[David Spark] Did you actually write some fake copy for them to see, like fake contracts?

[Andy Ellis] Absolutely. Fake copy. We had to write a whole bunch of stuff. I had a couple of different sales reps that would participate because they were the ones handling this deal.

[David Spark] This is like right out of Cuckoo’s Egg, the Clifford Stoll book, it’s the same story.

[Andy Ellis] That’s the same basic idea you’re aiming for. Now, it turns out that instead they were compromising a third-party measurement service that we used at a specific point in our trials right before we put paper down, and so they could see everybody that we did a paid-for analytics on the trial and we would be like, “Oh, that’s who we should go after.” So, it didn’t work out but that’s the idea of what a canary token does is you sprinkle them through your system, so you find where your data breach is happening.

[David Spark] Get some insight. Shaun, are you a user of canary devices and tokens yourself?

[Shaun Marion] We don’t use them. I’m very familiar with them, I have used them before. I was thinking as Andy was talking about other use cases, and the first thing that popped to mind was a teachable moment. I know we’ve all been in the security game for a while. I think I’ve been doing this since about, I don’t know, the late ’90s. I’ve seen an evolution on the engineering side, the software development side, and I think there’s an opportunity here for some teachable moments. And I’m not a fan at all, I think you guys have read this before, saw my perspective, I’m not a fan of the stick, and the carrot and the stick, when it comes to teaching people. I’m not the fan of calling people dumb or stupid or anything like that.

And when I think of developers, I’ve seen this evolution as they have become more security conscious, but they still make mistakes, but I don’t think they make those purposely. So, I think we have the opportunity to maybe shove some of those things in and see, as security experts, and see where they start to pop up, where we can find them and use those to go back to developers and talk about, “Hey, we found this here. How did this get here? Let’s use it as a teachable moment.” There’s so many other opportunities with what Andy talked about and others where we can find adversaries using these and I think those are fairly obvious and have a lot of value. But I would like to look internally how we could use them as teachable moments for our own developers…

[Crosstalk 00:13:43]

[David Spark] Well, you would think if it’s happening in your environment, it’s live, it’s real. I mean, that’s the kind of stuff that’ll stick. Yes?

[Shaun Marion] Right. Yep. Totally agree.

Sponsor – Sentra

13:51.597

[David Spark] Before we go on any further, let me mention our sponsor Sentra. Hey, got data security issues? Of course you do. You’re in business. So, let me tell you a little bit about Sentra. Your data engineers help the business by moving data around and using it in creative ways, right? But for security teams in cloud-first companies, this comes with risk. Yikes! Well, sometimes data gets moved to a new location and forgotten about, or maybe the person who is managing it is no longer managing it, maybe no longer with the company. Other times it might be copied into an environment without proper encryption, or with excessive permissions to third parties.

So, Sentra is a data security posture management solution that discovers, classifies, and secures sensitive data. By following data as it moves through the public cloud, Sentra ensures that the most sensitive data in your cloud environments always have the right security posture. Easily see who has access to every data asset with Sentra’s access graph, and identify who has access to the data, where the data came from, and how it should be secured. Wow. That is some really good information to know. That would be awesome to know. So, essentially, Sentra is a GPS for your data. So, Sentra is agentless, can be connected to your public cloud in minutes, and its smart metadata sampling technology means your data never leaves your environment. So, to learn more about how Sentra can secure your cloud data without slowing down the business – oh, my God, they’re speaking our language – visit Sentra.io.

It’s time to play “What’s Worse?!”

15:29.195

[David Spark] All right. Sadly, I have to say this is anonymous because this is an extremely creative, well-thought-out “What’s Worse?!” scenario. Bear with me, it’s a little long, but there’s a series of different scenarios here. So, you are the supervisor of a three-person InfoSec team at a small rural manufacturer. Your team is overworked, burned out, and you urgently need to hire a third analyst. Leadership approves a new full-time employee but only budgets enough pay for – get rid of this – entry-level. Ouch. The local talent pool is very shallow, and leadership is firmly opposed to remote work. So, after six weeks, you’ve only interviewed three plausible candidates. So, the “What’s Worse?!” scenario comes down to which one of these candidates will work. I’m going to want you to stack them from worst to best, all right? Get ready. And by the way, Shaun, I always make Andy answer first, so you get more time.

Candidate number one – this person has eight years InfoSec experience. Great! An alphabet soup of certifications. Great! But had great difficulty getting along with others at their last job. In fact, they were fired and spent 30 days in jail after a physical altercation with the CIO. However, they claim to have been humbled and reformed by the experience and are hoping for a chance to reenter the field. All right. Got someone a little violent, that’s a tough one. All right.

Candidate number two – they have no experience at all in IT but have a two-year diploma in information security from a sketchy for-profit school known for its lousy education. They struggled to answer even basic IT questions in an interview; however, they say they’re willing to learn if given the chance.

Candidate number three – after 30 years as a system administrator, they retired in 2015 and have not worked since but are now forced out of retirement. They seem like a know-it-all who’s very entrenched in their old ways and are not willing to learn anything new. In fact, in the interview, they seemed to question the value of information security. Now, I think I know which one you’re going to go with as worst, but I’m interested to know your order. Andy, which one’s worse?

[Andy Ellis] So, I think that third one is clearly worst.

[David Spark] Yes. That’s where I felt too.

[Andy Ellis] In that it has no redeeming contributing value to the team at all. So, now I’m choosing between the person who, look, they’re trying to redeem themselves, willing to take an entry-level-paid job, even though they’re clearly more qualified than that.

[David Spark] Eight years of experience, yeah.

[Andy Ellis] But maybe they haven’t actually reformed. But I’m going to assume that if I know that they had that altercation and were arrested, that they told me, rather than me discovering it in the background check process. And normally I would go with I want the second person, that entry-level person, but the description makes it sound like maybe they actually aren’t really ready and able to learn.

[David Spark] Well, they say they’re willing to learn if given the chance.

[Andy Ellis] But if they had two years in an information security program and are unable to converse on basic IT things, maybe I’ve got a little issue with that one. So, that’s the hard one, so I’m going to basically say the easy answer is number three is the worst.

[David Spark] Okay. So, which is the best of the one and two then? Who are you hiring I guess is the question.

[Andy Ellis] So, actually, so this is going to sound odd, normally I would say the first person, the experienced anger management person is the next worst and then go for the entry-level person. But in this case, I’m actually going to flip it.

[David Spark] Okay. And why?

[Andy Ellis] Because I don’t actually really trust either one of them.

[David Spark] Yes.

[Andy Ellis] But I want to go with which one is least likely to be a long-term drain on me, and that’s going to be the first one. That second one has the danger of being somebody who comes in who does like C-minus-level work but sucks down everybody around them because they’re not really ready to learn.

[David Spark] They are willing to learn, just at the point they are, they’re struggling because they went to a crappy school.

[Andy Ellis] Maybe they went to a crappy school.

[David Spark] Maybe that’s all the money they had to pay for that.

[Andy Ellis] Maybe that’s what they did but look, the information is out there for free. Like, if you’re coming in to interview for a job, you should have some basic communication skills about the domain knowledge. But the nice thing about that first person is either they will be awesome, or they will flame out.

[David Spark] So, you’ll know very quickly is what you’re saying.

[Andy Ellis] So, I will know very quickly what I’ve got there and if they flame out, great. Now I can take the budget.

[David Spark] Do you think you can duck a punch though?

[Andy Ellis] You know something? Then I get Workmen’s Comp.

[David Spark] Okay. All right, Shaun. You have heard Andy’s very long-winded explanation. Do you agree, disagree? Where do you stand on this one?

[Shaun Marion] I disagree. When you first were giving the examples, number one was my worst. I thought I’m…

[David Spark] That’s the worst.

[Shaun Marion] That’s the worst. Fool me once was my first thought, fool me once. Now, if they’ve had another job in between and I’ve got a chance to say, “Hey, they made a mistake, they’ve redeemed themselves,” I’m not going to be number two though. To me, and I agree with Andy’s point, I don’t need anybody who’s a drain, and to me somebody who can’t get along with my team is a drain. I didn’t like option three, I think that would be my second worst. Totally agree. Stubborn, set in their ways, we’ve dealt with that. I think as leaders, we’ve all made the mistake of thinking, “Hey, I can be the one that changes this person,” and it just never works. I thought with number two primarily because recently I’ve dealt with a lot of especially younger kids. Kids – that’s relative as I get older. I have kids, my eldest kid is 26. But I feel like sometimes they just need a chance and I feel like if I could lay out some clear deliverables, “Here’s what’s expected in the first one month, three months, six months,” and we could see that person execute and deliver but be very clear if they don’t then we’re going to have to move on. I mean, you gave me three lemons here.

[David Spark] Yes.

[Andy Ellis] None of these are supposed to be good.

[David Spark] No, that’s the idea. That’s how it works.

[Andy Ellis] If any of the listeners… Because I sometimes get this, I’ll get listeners who pop on Twitter and they’ll go like, “How could you pick option X? It’s not the worst thing.” And I’m like, “They were all bad, to be really clear.” If you’re listening and you’re like, “Oh, Andy didn’t pick the new person even though he always says hire entry-level junior people and give them a chance.” Just to be clear – that was supposed to be a really bad choice.

[David Spark] Yeah. The game’s not called “Choose Liver and Ice Cream.” It’s “What’s Worse?!” It’s two bad solutions here.

[Andy Ellis] Although I will note that liver and ice cream are both pretty bad solutions for me.

[David Spark] Are you lactose intolerant?

[Andy Ellis] I’m allergic to dairy proteins. It’s worse than lactose.

[David Spark] Geez! Oy! That’s not good. Now I just want to say to the person who submitted this, who I know who it is but asked to be anonymous, very creative. I really like the thought and time that went into this. So, this person is throwing down the gauntlet to others. I am looking for equally creative “What’s Worse?!” scenarios like this one.

[Andy Ellis] David and I often joke that I win if the guest agrees with me, and David wins if the guest does not.

[David Spark] So, I guess I won.

[Andy Ellis] I actually think it’s the submitter wins.

[Shaun Marion] That was a good question. That was solid.

[David Spark] You know what? That’s a good point. I’ll tell you – the submitter wins when you struggle with it too. I think that’s also there. I’m looking for the one you’re struggling with.

[Andy Ellis] Yeah. I struggle with it and especially if I struggle with it and then the guest disagrees with me anyway.

[Shaun Marion] [Laughter] Sorry, Andy.

[Andy Ellis] So, whoever you are out there – fantastic scenario.

[Shaun Marion] Kudos!

[David Spark] Excellent scenario.

[Andy Ellis] I’m hoping it’s not from personal experience.

[Shaun Marion] Yeah, kudos.

[David Spark] Let’s hope not. Here’s the other thing – if you do want to send us a true story, you can send it anonymously. We have had a couple of cases where people did send in true stories and then the co-host and the guest picked the “What’s Worse?!” scenarios and then I told them what actually truly happened. So, that would be phenomenal too if we could get some of those.

[Shaun Marion] You don’t have to share but I’m just curious if whoever submitted this just got fired from their job for fighting or anything.

[David Spark] I don’t know.

[Andy Ellis] Maybe they are that person and wondering if they have a chance. [Laughter]

[Shaun Marion] Just curious.

[David Spark] That’s a good way to find out! [Laughter]

[Andy Ellis] That’s right. They’ll be calling me up looking for a gig.

[David Spark] “Hey, you say you want to hire me.”

[Andy Ellis] No, I say you were the third worst option.

If you haven’t made this mistake, you’re not in security.

24:11.355

[David Spark] “We often fail to acknowledge that the need for heroics usually indicates a failure condition, and it is not sustainable,” said Josh Yavor, who’s the CISO over at Tessian, in an article by Owen Hughes on ZDNet. Now, the article quotes a study by Tessian that points out that, “Nearly half of respondents cited distraction as the top reason for falling for a phishing scam, while 44% blamed it on tiredness or stress.” So, I’m going to start with you, Shaun, on this. What are the active behaviors you’re deploying to reduce the stress in your own life as a CISO and how are you doing it for your team, and also the entire staff as well? And Andy, we’ll come back to you, I know you’ve got a bunch on this because you’ve got great examples. Shaun, what are you doing?

[Shaun Marion] Well, I’ll start with a story, and I’ve shared this with others so it’s not a secret. I’ve been there. I was in my early 30s and I went to the doctor, and I was diagnosed with pre-hypertension, anxiety, depression. I’m in my 30s having potential heart issues and I was about 50 pounds heavier than I am now, hated my job, I was stressed beyond belief. In the security world, we say things like, “It’s not if but when. You have to be right all the time.” All those things. We almost set up this behavior like it’s a defeatist mentality and it creates all this stress.

[David Spark] Yeah. It’s like a lose-lose situation.

[Shaun Marion] It is. It is. If you go look at my LinkedIn bio, right at the top I have my priorities in order because I made a decision… I make it sound like it was some epiphany but really this was over the course of a couple years to get my priorities in order. Put my family first – my wife, my kids – and then my job and then my hobbies and all those kind of things. But you have to be deliberate about getting your priorities in order. So, what can you do for your team? Well, you can’t do much if you’re not taking care of yourself. So, step one – get yourself in order. Make sure you’ve got… Eat right…

[David Spark] It’s like put the mask over your face before you put it on your child.

[Shaun Marion] Absolutely. Absolutely. For me, I don’t know there’s one answer for every single person, but I think it’s maybe a mixture of things for different people. For me, I got a bike, I started mountain biking, road biking, I started exercising and that started to alleviate some of that. I got a new job, I started spending more time with my wife, my kids, and all that. That was 10, 15 years ago. What that has allowed me to do is try to see this in the people that I surround myself with. Are they burned out? Are they stressed out? I stay in constant contact. I encourage vacations, disconnections. I don’t really care if – and maybe somebody at McDonald’s will come back later or even my former employers – I don’t track people’s vacations. I track your outputs, your outcomes. I don’t really care how long you’re gone as long as you are gone, and you disconnect. We have teambuilding things, but you know what? Teambuilding, I try to do those during the day because I don’t like to take time away from people at night to go spend time when they should be doing the things that they enjoy.

So, if you look, I think I put a LinkedIn post a couple weeks ago, I’ve got my team going to the gym now. No pressure, I don’t try to shame anybody into this, but I started to notice a couple of us were going to the gym at the office, “Well, let’s go together. Let’s start to hang out and do things like that.” We volunteer, we get out. So, I think the word I would use is deliberate. You have to be deliberate. It will not just happen.

[David Spark] Essentially what I’m hearing is you’ve made it deliberate as a part of the culture.

[Shaun Marion] Absolutely.

[David Spark] Everyone staying mentally healthy and physically healthy is critical to getting your job done.

[Shaun Marion] It is absolutely critical. They cannot deliver for me, for themselves, for the team, for the company if they aren’t performing at their peak. So, it’s upon them to tell me what they need, and I do everything I can. You can ask my team. I talk to them constantly about this. And I need feedback from them – how do I enable them and help them to do that better.

[David Spark] So, Andy is so eager to speak up because much of what we’re discussing is in his book. Let me mention the title, I don’t know if any of you have heard of it.

[Andy Ellis] [Laughter]

[David Spark] It’s called 1% Leadership. I already knew it, you didn’t even need to show me that, Andy. Andy, I believe you have a chapter that’s titled on this or something? Go for it.

[Andy Ellis] Literally, your wellness is one of the greatest assets you control. And it is one of the very few chapters that actually has a subhead which is “Be Sure to Secure Your Own Mask Before Assisting Others.”

[Shaun Marion] I love it, love it.

[Andy Ellis] So, I was laughing, David, when you brought that out. And I’ll actually add to that the additional one which is – that was Chapter 13 – Chapter 18, “Serenity is knowing that the crap you’re wading through is crap you chose to deal with.” So, look – first, actually, I want to jump back to the original quote and there’s 91% of the people who got the answer wrong. The reason you fell for phishing is your email client sucks. Not because you’re distracted or stressed. But it adds to your stress when you fall for it. Don’t. Right?

Stress is what happens when your expectation of the world does not match the world. You expect that you would not fall for a fraud. Your mail client helps you fall for a fraud. Blame it, blame your IT team. You clicked that link, and somebody comes and yells at you? You just look at them and say, “Why am I getting mail that claims to be from the CEO? Shouldn’t you be blocking that?” Now, Shaun listed a whole bunch of fantastic strategies. I love all of them. A bunch of them are ones I’ve used. At the end of the day, your job is to recognize the energy that your people bring to work is a renewable resource that you cannot burn to the ground. And too many people try to take more rather than figure out how to help them get more and create more.

[David Spark] I want to mention something that you told me a while back that I thought was very interesting, that anyone on your team has the power to tell someone else to go home.

[Andy Ellis] Absolutely.

[David Spark] Explain this.

[Andy Ellis] So, it’s really important to recognize that sometimes when you’re at work, you’re not your best self, and you’re doing harm to your own effectiveness and to your team. Somebody else should be empowered to say, “Hey, you’re having a bad day, go home,” because “go home” isn’t a threat. It’s go take care of yourself. Or look, you have the sniffles, go home. Like in the pre-COVID era I had to tell this to everybody. Now people sort of get it. If you’re symptomatic, try to stay away from other human beings. The one thing I would change about Shaun’s list of things, so I’m going to give Shaun some advice here, which is you should absolutely track time off – to make sure people are taking a minimum amount.

[David Spark] Yes. This was the other thing I remember that you mentioned.

[Andy Ellis] And I think you said it. You want them taking time off. So, qualitatively, it’s in there. But the reason I say that and for everybody who’s listening is when you’re an executive and you tell people wellness is important, but then you also say, “Hey, as long as the work gets done,” what your intra managers hear is that vacation time is not important because the work is what matters. And so you have to put in place processes where the employees actually know that you’re keeping track that they’re getting enough time off, and that you’re correcting managers who don’t let them take time off because the managers will intimidate them.

[Shaun Marion] You have to communicate that in the reverse, so they understand the reason you’re tracking is not to make sure they’re not taking too much but to make sure they are taking the time for themselves. And you’ll hold them accountable to disconnect, to get out of the office, to leave.

[Andy Ellis] Absolutely.

When is the best time to do this?

31:38.482

[David Spark] Could volunteering help with burnout and recruitment? An article in the Wall Street Journal by Catherine Stupp spotlights The CyberPeace Institute which matches non-profits, humanitarian, and healthcare organizations with cyber professionals from the corporate world. Volunteering not only feels rewarding, it fits the ethos of the typical cyber professional, said Janet Roberts at Zurich Insurance Group who started volunteering with the group. “Most of the people I work with in cybersecurity very much like stopping criminals and protecting employees,” she added.

Volunteering does sound great. The obvious negative is it takes away from your own work, possibly making employees feel they need to work harder and possibly get burnt out, or possibly the work just doesn’t get done, but it also may give greener people leadership opportunities. The article argues that volunteering can attract and retain talent. So, I’m going to start with you, Shaun, on this. You did mention volunteering. So, have you done it? Does your team do it? Do you believe it can attract and retain talent? Where do you see the benefits of it?

[Shaun Marion] It’s a tool in your tool belt. I don’t think it’s the tool, it’s one of many. Can it attract talent?

[David Spark] Like the many we just spoke about in the last segment.

[Shaun Marion] Yeah, of course. So, I think it’s a very beneficial thing. Surely, it makes you feel better, it allows you to get away. The one thing I don’t agree with, but I know that many people do, and I understand why they agree, is that when they say, “It takes me away from work and it doesn’t allow me to get the things I need to get done.” Back to my point in my early 30s. What I came to realize, and again, this wasn’t a light switch, this took years probably if I’m being honest, was that no matter what I do, at the end of the day, at the end of my life really, when I look back, A, McDonald’s will still be here. They’ll still be making hamburgers; they’ll still be driving through. I will never look back and go, “Man, I wish I would have given more time to them.”

I will look back and wish I’d given more time to my community, to my family, to my hobbies, to those things. Doesn’t mean I’m not going to just do everything I can to be the best CISO I can, the best leader I can. But back to the volunteering piece, I think it’s a tool in the tool belt. I think it certainly can provide value. Will it attract talent? Maybe some.

[David Spark] Does it retain talent? Do you believe it keeps people?

[Shaun Marion] Yes. I think as part of that tool, it will be one of those things in the tool belt that will retain talent, but it won’t be the only one.

[David Spark] Andy, what’s your thought on volunteering? And have you done it? Has your team done it? Where have you seen the value?

[Andy Ellis] So, I think there’s a lot of folks who get a lot of value out of it. For me, it’s not something that works for me. Corporate-led volunteering to me just always… First of all, it’s rarely the things I want to go do. Like, I do a lot of volunteering on my own and the, “Oh, the company’s going to go do this thing,” like, “Oh, let’s go take a day and do this thing.”

[David Spark] Oh, well, it doesn’t have to be the whole company, I mean, individuals within the organization can be doing their part.

[Andy Ellis] Oh, individuals can go do their own thing. In fact, one of the things that I really did like is when I was at Akamai, we had the Danny Lewin Community Care Days where anybody could have two days off every year to go volunteer whatever they wanted to go do. And there were a bunch of activities that they’d arranged, so that if you didn’t want to have to think very hard about it, you just wanted to go help build a playground or work at a soup kitchen, like boom, you could just go do it. I don’t think it’s going to move the needle in a huge way on its own. I think it’s a tool you can use. It’s a small low-value thing. I don’t think people are going to say, “Oh, I really like working at my company because they have this side thing.” Now, that said, there are organizations that do this amazingly well, but they tend to be oddly shaped organizations. Consider most football teams in America have this amazing philanthropic arm that does a lot of work in the community, and I’m certain that for a lot of the employees of those organizations, that is a huge piece of the mission is, “Yes, I get to work with the football team, and I get to do this stuff in the community.” But I think for most organizations, that “and” is probably not really there.

[David Spark] I’m going to throw one thing out there, maybe a little bit of a red herring here, and I’ve done volunteering myself. But I personally have been burnt by volunteering in the sense that my effort to volunteer fell so flat, was so badly received, that it deterred me from wanting to volunteer, or the organization didn’t know how to appreciate what I had done for them, and it fell flat as well. And some friend had said a line that’s like, “There’s nothing more costly than doing something for somebody for free.” Like, the pain that came as a result of the volunteering was like, “Well, I ain’t doing this again.” Have either of you had this experience?

[Andy Ellis] Absolutely. I’ve had it both ways. One where they just kept wanting more, it was free, so all of a sudden you do one thing and every week you’re getting asked to do more. And until you learn how to say no, that’s a really uncomfortable place to be.

[David Spark] Shaun?

[Shaun Marion] I think we could have a whole podcast on saying no. But to be candid, I haven’t had that experience. But I’m a bit of an optimist when it comes to things and so I’ll give my time, and if they don’t want it or it isn’t valued, then that’s okay. I still feel like I went there with the right intentions to do whatever I needed to do. I’ve never had any really bad experiences. I’ve had some where I felt maybe that the impact wasn’t quite what I thought it would be. I wouldn’t go back and volunteer there again, but it didn’t make me feel like I wasted my time.

[David Spark] All right. Well, you definitely did not waste your time on today’s episode. This was phenomenal. Thank you very much, Shaun.

Closing

37:18.007

[David Spark] I always let our guests have the very last word so hold tight. And the question I always ask all my guests is, “Are you hiring?” so you can answer that question. But first, let me mention our sponsor Sentra. Remember? They are at sentra.io. Thank you, Sentra, for sponsoring this episode of the podcast and being a brand-new sponsor. Remember, if you have data security issues, and I guess if you’re in business you’ve got them, please check out what they’re doing at sentra.io. Andy, any last words? Yes, 1% Leadership, your book, we got it. What else?

[Andy Ellis] I was going to say I used to drive a Sentra.

[David Spark] Well, there you go. That works.

[Shaun Marion] I did too.

[David Spark] Shaun, are you hiring?

[Shaun Marion] Am I hiring? I’m trying, my goal is I’m going to try to fill about 40 positions in the next six months. And I know that’s an insanely high bar, but yes, I’m hiring for pretty much anything at the moment.

[David Spark] So, I’m assuming there’s a jobs board on mcdonalds.com, yes?

[Shaun Marion] There is. And if you checked out my LinkedIn profile, I’ve got a couple of posts there. I know Andy and I have a similar passion here. We’re looking to build out an apprenticeship program, looking to hire some kids out of college. I’m looking for some super experienced people too. I’m looking for the whole gamut. I’ve told my team we’re going to take a couple of risks on a couple of people. Maybe not the liver and ice cream example, but we’re going to take a couple of risks on people that I think are willing to learn and just in need of the right opportunity.

[David Spark] All right. So, if you have punched your CIO in the face, go ahead and contact Shaun, he’s looking to take a risk with you.

[Shaun Marion] He was my number three.

[Laughter]

[David Spark] Thank you very much, Shaun. Thank you, Andy. And thank you, our audience. We greatly appreciate your contributions. And can any of you deliver a creative “What’s Worse?!” like we heard today? The challenge is thrown. Let’s hear it! Thank you for participating and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.
