https://cisoseries.com/cant-you-just-pop-out-of-zeus-head-a-fully-formed-security-professional/
This week’s episode is hosted by David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Joe Lewis, CISO, CDC.
Full transcript
[Voiceover] What I love about cybersecurity. Go!
[Joseph Lewis] It really is a place for everybody. As an industry, we attract people like boxers and nurses and people from IT Ops and Audit and all kinds of really interesting places, and as a result, we get some of the best people.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of said CISO Series, and joining me as my co-host for this very episode, you know him by the name of Andy Ellis. He’s also the operating partner of YL Ventures, and he’s also the author of 1% Leadership, which has been out selling for the past week, and I’m supposing you’ll bring a bundle of copies to RSA because when this episode drops, it will be smack dab in the middle of RSA.
[Andy Ellis] Yep. There’s a number of places where I’ll be doing book signings. Some, you can buy the book. Some, the book is free depending on who’s sponsoring it and what they’re paying for.
[David Spark] Ah. Now, what could I expect signed in my book? Like, “Best wishes,” or “Don’t let the bad guys get you”? What exactly would I expect besides just your signature?
[Andy Ellis] Well, for you David, I will probably make a pinball reference…
[David Spark] Okay.
[Andy Ellis] …so that you know that I actually thought about it.
[David Spark] There you go. I thought about it as well. Our guest doesn’t know that I have a bizarre obsession with pinball. By the way, our sponsor for today’s episode is Cyolo – safely connect people to work. More about that topic which is, by the way, access to data, people. Access is something that our audience is obsessed with because we address this topic often. All right. For those of you listening, hopefully you’re listening during your week of RSA as you’re commuting to RSA, as you’re falling asleep because you probably haven’t gotten enough cybersecurity information and you want to push more into your skull during this week.
[Andy Ellis] Hopefully you were at my talk yesterday.
[David Spark] Oh, yes. Hopefully, everyone was at it. If you weren’t at Andy’s talk, well, you kind of blew it. I had an unusual situation walking the streets of San Francisco. I was listening to a podcast walking the streets of San Francisco, it was a podcast that a few of my friends did, and I literally ran into my friend as his voice was in my head. That was a very San Francisco moment.
[Andy Ellis] That sounds like a very eerie moment.
[David Spark] Yeah. And I did that, “Oh, my God! I’m listening to you right now!” [Laughter]
[Andy Ellis] I bet he kind of looked at you and for a moment, had that, “Oh, my God. It’s the crazy homeless guy on the streets about to… Oh, it’s just David.”
[David Spark] Yeah, it’s just David. We worked together, a man by the name of Patrick Norton. Those who are geeks would probably know that name as well. He’s also in tech media. I want to introduce our guest for today, but I do want to make a nice little disclosure, which is that our guest is representing his own opinions and not the opinions of the CDC, the organization he works for. So, just to make that sort of clear, don’t take anything that he says as any kind of official announcement from the CDC. With that being said, let me introduce him. He is the CISO, brand-new CISO over at the CDC. It is Joe Lewis. Joe, thank you so much for joining us today.
[Joseph Lewis] Hey, thanks for having me, Dave. Really appreciate it.
Why is everyone talking about this now?
3:27.062
[David Spark] We’re going to lose some CISOs if they don’t get some support. Now, that was the message that Dan Maslin, a group CISO over at Monash University, had for the community of business leaders. His five-step advice was essentially to understand and support a CISO’s effort to do their job of securing the organization.
Now, cyber literacy is necessary for compassion and to understand the gravity of issues. If a CISO is truly excellent at communicating cyber risk to the board, why would there be a need for cyber literacy? Isn’t that process of communicating cyber risk the process by which the board and C-suite becomes educated? Are CISOs in such a dire situation of poor understanding and appreciation that CISOs are just going to leave the profession? I mean, I know it happens, but is the lack of support causing the exodus now and for the future? I mean, regulations are requiring cyber literacy at the board level.
So, I’ll start with you, Andy. Obviously, money, people, and understanding would go a long way, but business leaders of all divisions want that. What’s unique about cybersecurity and what the CISO needs?
[Andy Ellis] I think cybersecurity, I don’t just want to say it is unique, but it is new and it’s a dramatic change in the flavor and complexity of the problems. Think of the industrialization era. At the beginning of industrialization, people didn’t understand factories. So, when you wanted to talk about the risk of heavy machinery to craftspeople who had always just worked with small devices, there’s a whole set of just understanding they need to get, and sometimes it takes a while and people get their limbs crushed. And we’re in this era where trying to understand the complexities of this risk is a challenge, and most people are making decisions by gut anyway.
And so the problem is if you have to educate somebody every single time you bring a new risk to them, you run a different risk which is the moment you start to talk about the risk, people use whatever their current understanding is to make a decision about it. And the rest of your conversation trying to give them background is completely useless. So, the reason we need that cyber literacy is so when you walk in and say, “Hey, here’s the shape of a problem,” they have references to draw on to immediately make a decision.
And since Joe’s here, I’m going to sort of use an interesting parallel. Let’s take, gee, COVID-19 which we all I think just lived through. How many people when it first came out, where this is a novel thing, were drawing on their own frame of reference from the flu or measles or whatever it was to make decisions, even though we needed a while to learn more about what was going on and how the different vaccines worked and everything.
And if you don’t do that basic education so everybody has the same set of knowledge about the environment, when they’re making their gut decisions they’re not making decisions based on the data that’s around them, they’re making it based on their priors that don’t relate to what’s really going on.
[David Spark] Awesome, awesome point. They got to have a base level. Joe, have you experienced both sides? The board/C-suite without the base level, and the board/C-suite with the base level. What’s the difference in communications?
[Joseph Lewis] So, my experience has been very much on the latter where we don’t have a lot of understanding at the board level, right, for the cybersecurity-type topics. I think the regulations that are trying to move in the direction of requiring the board to have some sort of cyber literacy are well-intentioned but probably not going to accomplish the goals that we all expect they will.
[David Spark] Yeah. I mean, honestly, no board-level member goes, “Oh, my God. It’s a rule now. Better study up.” [Laughter]
[Joseph Lewis] I better get smart.
[Andy Ellis] Yeah. It will make the CISO shortage worse. Because your experienced CISOs will all become board members instead.
[Joseph Lewis] Right. What I think is this is a two-way street. I think if a board is truly trying to understand the landscape of their organization, they need to be vested in trying to become literate at cyber. But it’s also up to the CISO to be able to go and have that conversation in a meaningful way that they can understand the topics that are being brought to them. If I’m going to bring a – to your point, Andy, about bringing a problem to the board – if I am going to do that, I’m not going to do so without the context that would inform should they lack that context already once. I’m going to make sure that I’m bringing that supplemental information, so I don’t get a decision that’s based on a preconceived incorrect assumption.
What do you think of this vendor marketing tactic?
8:09.475
[David Spark] On Twitter, Lesley Carhart of Dragos said, “Is it only because I’m an InfoSec person or does anyone else see an interesting ad for a product you actually want or need, jump through screens or hoops, and then totally give up in disinterest when they require an email to get pricing or product details?” Now, I looked at Dragos’ site and they do have information on their site, but I couldn’t find pricing. Now, this is extremely common in cyber, so I don’t want to slam Dragos here by any stretch. And I would say in many B2B industries as well this is very common practice except for the SaaS model where you can sort of purchase on your own that way. It’s rare to find pricing right away.
But Lesley brings up a good point that I’ve mentioned many times is that without making information easy, interested prospects bail, and therefore vendors have no idea how many potential customers they’re losing. I cannot stress that enough. My main complaint is the lack of video demo and requiring visitors to “book a demo.” Dragos ironically has both, has a video demo and a “book a demo” button. But again, not unusual. So, I’ll start with you Joe here. What can be done to not lose these people, the people who want more information, don’t want to be tied? Because I’ll tell you, and I’ve heard this from so many CISOs, they don’t want to give their contact information because they do not want to be in the marketing funnel. So, what do you do to not lose these people? But, I mean, I guess it’s a balance game here.
[Joseph Lewis] There is no easy answer. Fundamentally, I think you’re stuck in a loop, right, because you need more information in order to make a decision as to whether or not you’re interested enough to make a decision. And these vendors have an uphill climb into generating that interest enough at a level where somebody like me would be willing to sit down and have a discussion with them, but also not locking themselves into any one particular public pricing model or any type of specific GUI interface. I mean, that’s another thing too is they don’t want to do product demos in a public way because they’re changing products so often that it doesn’t look like what it’s supposed to. So, this is not an easy answer. But for me, I’m less of the market where I go looking for specific products, either via vendor ads or anything like that. More so I tend to think of this from a project management perspective. I start with a really good set of requirements and then I let that dictate which types of products and vendors that I’ll go look for.
[David Spark] You’ll begin your research that way. Actually, I think what Dragos did, they had the “book a demo” button and a video demo so you can do either one if you want. I think actually that’s a pretty good solution.
[Andy Ellis] And a lot of times you’ll see vendors will do a shallow demo that’s pre-recorded on the website and the “book a demo” is a walk-through that’s going to take you more deeply through the product.
[David Spark] Right. I know no vendor wants to hear this, but I just hear it so often. I mean, is there fear of competitiveness, why they don’t want to show that online and/or the hackers will know too much, something like that?
[Andy Ellis] I don’t think it’s about the hackers. I do think there is a concern of like if you put your whole pricing rate card up, which says, “Oh, here’s the tiering, here’s what the cutoffs are,” the person who gets the most value out of that is your competition. Right? They’re going to pull that and be like, “Oh. Exactly where do we go nail them when we’re competing with them?”
[Joseph Lewis] And same thing on functionality too, right? They’re going to look at the demo and say, “Wow. I don’t have that feature or that function, so maybe I should go put it in place because I could do so at a cheaper market space than somebody else can.”
[David Spark] The thing though we have heard is when a CISO asks for ballpark pricing, that means they’re doing the numbers in their head to see if they can fit it into their budget. And if you can’t do that… And this is just in a phone call conversation or email if they have gotten to that point. So, how do vendors in your experience answer that question of ballpark pricing?
[Andy Ellis] So, ballpark pricing I’ve never had a problem getting out of a vendor. If you call up a vendor and say, “Hey, I’m looking at my budgeting for this window. I’m just looking for ballpark pricing, I’m not going to hold you to it, but I need a range. What’s the range?” and they’re going to say, “Well, how big is your environment?” Because obviously, it’s going to scale, and they’ll give you a ballpark. And sometimes you’re going to say, “Look, I’m just going to let you know right now, I can’t even put that into my budget.” So, you’re already starting negotiation, or you’re going to put it into your budget so that you can aim for that. But be willing to, like if you want the vendor to give you a number first, tell them you’re not going to hold them to the exact number.
[David Spark] Well, that’s why you always give a range, yeah.
[Andy Ellis] Right. But they are [Inaudible 00:12:57] give you a range and they know that they better not come in above the top of the range they gave you.
[David Spark] Yes. [Laughter] Exactly.
[Andy Ellis] So, you are going to hold them to that number. That said, I want to push back on all the people who refuse to give email addresses. You need to learn to be able to tell vendors no. That if a vendor has you in their marketing funnel because you have interacted with them, and they send you email…
[David Spark] Hit the darn Unsubscribe button.
[Andy Ellis] Hit the Unsubscribe button, respond and say, “No, I’m not interested at this point.” I have a vendor rebuff email, I can say no. Most of the registration walls are soft. You can put in any email address. Feel free to put in mine if you want.
[David Spark] [Laughter]
[Crosstalk 00:13:39]
[Andy Ellis] But at the end of the day, what’s the problem? If you are interested in this vendor, why don’t you want to let them know that, yeah, you have touched them a couple of times in the past? That you might actually be a lead they want to reach out to and offer you something to get you a little across that goal line.
[David Spark] Joe, do you have any problem saying no to a vendor?
[Joseph Lewis] Oh, I don’t have a problem saying no to anybody. But my default go to is eat@atjoes.com. That’s the email address I’ll put on forms if I know that it’s a soft wall.
[David Spark] Yeah. And people can do that too. I will say this. You make a really good comment about be comfortable saying no. And I’ll tell you a quick story. So, you have seen me at many a trade show doing my man on the street style videos, and I literally have to stop 40 to 60 people, just say, “Hey, can I ask you a quick question on camera?” And I do this constantly. And some people say yes and some people say no and that’s totally fine. And I get more no’s at security conferences because people get a little skittish on camera, totally understandable. But one of the lines I get all the time, and I stop them when they do this, is they go, “I’ll come around later.” And I stop them, I go, “Guess what? I’ve heard that line before. You know how many people come around later? Exactly zero. I’m going to tell you right now, you can say no to me, I can take it.” And the guy goes, “No.” “That’s fine. Have a good day.”
[Crosstalk 00:15:00]
[Andy Ellis] “…call you in the morning.”
[David Spark] [Laughter]
[Joseph Lewis] You’re not going to call. [Laughter]
[Andy Ellis] You’re not going to call.
Sponsor – Cyolo
15:07.204
[David Spark] Before we go on any further, I do want to mention our sponsor Cyolo. You remember? Connecting people to work. So, are you tired of struggling with access nightmares? Even if you’ve got good access situations, you got problems is my feeling. So, as your business expands, there are access nightmares. And do you feel like you don’t have enough visibility and control to securely manage all the users who need to connect today? And again, as you expand, that goes in waves.
So, the challenge of securing operational technology, third parties, or even the new users who joined during your latest merger and acquisition can open new areas of risk that give security even more problems than before. Cyolo built a zero-trust access solution to address these concerns and give you the control you need to securely enable your business. Cyolo was built by a CISO, so thinking like you, giving you increased confidence to secure access to everything, everywhere. Just go to their site, it’s Cyolo.io. Go to that site so you can stop your worst access nightmares!
It’s time to play “What’s Worse?”
16:24.462
[David Spark] Joe, are you familiar with this game?
[Joseph Lewis] It has definitely come up before, yes. [Laughter]
[David Spark] All right. Good news, Andy. Once again, I have a great submission…
[Andy Ellis] Excellent.
[David Spark] …from Osmond Young, again, the pseudonym.
[Andy Ellis] The pseudo, oy.
[David Spark] Somebody else who can’t tell me his first name. This is a long one. I’m going to just prep everyone, sit back, grab a cup of tea. It’s long, but it’s very intriguing. Okay? I will say that Osmond should seek out a future in fiction writing too.
[Joseph Lewis] Yeah. And Osmond, by the way, find me at RSA. Tell David a code word so I will acknowledge you so you can get your own special autograph in the book that you’re going to bring me to sign.
[David Spark] Yes. By the way, Osmond, if you’re going to RSA, I would like to meet you as well. All right. Though there’s a lot of truth to this story as well Osmond has told me. Okay. Get ready, here we go. This is the setup and then I’ll go to the two scenarios. You are the CFO of a small independent rural hospital in Small Town, USA. The year is 2014. You have been handed a financial report that shows your hospital will be insolvent within three months if you don’t take drastic measures.
Scenario number one – leadership decides to close the hospital entirely. For emergency and inpatient care, patients must travel 30 minutes to the next town over, you move out of state to take another job as does the other qualified medical staff. In the years ahead, the lack of quality medical care also leads to much poorer health of the population with higher rates of death from preventable diseases. Patient mortality rates for those needing emergency care doubles, including those DOA or that pass shortly after being admitted. The economy also suffers as individuals and businesses are reluctant to invest in an area with such poor healthcare. Fast forward to today. At 9:15 PM, Mrs. Johnson has a massive heart attack. After waiting 30 minutes for the ambulance to arrive and then a 30-minute ride to the closest hospital, she is pronounced deceased on arrival. Not good! Guess what? Scenario two, also not good, hold tight.
Scenario number two – leadership decides to partner with a large for-profit healthcare system who takes over all management of the hospital. To save money, all clinical IT systems are centralized at their corporate offices on the other side of the country. They begin using a remote patient monitoring service that allows the hospital to staff the ICU with just two critical care nurses instead of five, which saves lots of money. Fast forward to today. At 9:15 PM, Mrs. Johnson has a massive heart attack and is taken to the ER of this hospital. After an emergency procedure that saves her life, she is admitted to the ICU. However, a planned security upgrade on the core router results in the network connection to the remote monitoring service going down. In the chaos of the unplanned outage, Mrs. Johnson codes. The nurses do not get to her in time, and she is pronounced deceased a short while later.
The family learns what happened and sues the hospital for millions of dollars. The story hits the national news, and the company is deeply embarrassed by the incident. The overworked, understaffed CISO who pushed for the router upgrade gets terminated even though it was the underpaid, overworked network admin’s fault for not planning the change properly. Since the hospital is no longer profitable, you the CFO get fired and the corporate entity divests the hospital to another company that downgrades it to an urgent care clinic with outpatient-only services. All right, that’s a doozy. Andy, which one’s worse?
[Andy Ellis] Okay. So, I’m going to start and say Osmond, I need you to go read the book Thinking in Bets by Annie Duke.
[David Spark] Oh, I know about this. We’ve brought this book up before because Dutch Schwartz mentioned it.
[Andy Ellis] Because you’re asking me to use resultist-based thinking to take a specific outcome and try to decide based on that outcome, which was the right decision nine years ago. So, first of all, what am I still doing as the CFO nine years later if we’ve already been bought out? I’m still the CFO of this rural hospital, I’m stuck here? Clearly, I’m not very competent. But apparently, I did manage to get a job if I close off the hospital. So, thinking about it from just the CFO’s perspective, totally closing the hospital and moving out of state seems to be the right decision.
[David Spark] Yes.
[Andy Ellis] Systemically, like, Mrs. Johnson’s going to die.
[David Spark] She dies in both scenarios.
[Andy Ellis] In both scenarios. So, even if I’m doing resultist-based thinking, that should not affect the scenarios. Now, if I want to look at it from a societal perspective, are we better off having the healthcare local than not? Seems like probably that’s a net good. Like, we didn’t talk about everybody along the way who had healthcare nearby that was helpful. We certainly talked about the consequences of not having it in scenario one, so clearly we had it in scenario two. And hey, look. We got consequences for bad system management practices, that’s something we never see. We’ve left out the whole conversation about certificate of need laws, which anybody who’s talking about healthcare and hospitals should examine what certificate of need laws create from a shortage of healthcare. It’s a fascinating problem. So, having now thought about this one, for the CFO, scenario one is better, scenario two is worse. For the system, scenario two is better and scenario one is worse. And I don’t know which one I’m supposed to go on, so I’ll go from the systemic perspective, and I’ll say scenario one is the worst scenario.
[David Spark] All right. That was a very well-thought-out answer. Excellent. All right, Joe, Andy thinks scenario one is worse from the more systemic issue, not his personal what my career path is going to be. What’s your answer? And by the way, let me remind everybody, this is not an official response from the CDC. Go ahead. [Laughter]
[Joseph Lewis] No, I agree with Andy. I think the idea, you have to look at the totality of the effect, right? So, you’ve got societal issues, you’ve got economic downturn, you’ve got subsequent health concerns with scenario one. And looking at the holistic approach, I think that that’s the worst of the two options. That said, poor Ms. Johnson, man. I think she just…
[David Spark] She loses out all the time.
[Joseph Lewis] Her ticket came up, somebody punched her ticket, man. I don’t know what’s going on with her.
[Andy Ellis] It reminds me of that movie Sliding Doors with Gwyneth Paltrow, I don’t know if you guys saw that, where it’s basically this movie where she almost makes the subway or she makes the subway. And then there’s two subsequent movies interleaving as to whether she got home, and I think found her husband cheating on her or not, and what happens and like how much is destiny. So, Mrs. Johnson was destined to die. Lachesis measured her string, her string’s up, Atropos cut it, she’s done.
[David Spark] There’s a number of movies that have shown multiple paths. I know Run Lola Run was another good one…
[Andy Ellis] Yeah.
[David Spark] …that showed the multiple paths. I’m thinking there was the other one about the adult male wonderland, something wonderland about the adult porn star that shows the same story from different viewpoints, which was also quite interesting as well.
[Andy Ellis] Okay. We see what movies David watches.
[David Spark] It’s not an adult film, it’s a film about the actor. It’s actually quite good, and it’s actually…there’s nothing salacious in it whatsoever. But it’s a pretty fascinating story, what happened.
[Andy Ellis] And for those of you that are listening that have not seen Sliding Doors, I did just go look it up and it is a 25-year-old film at this point. So, I guess it’s older than some of our listeners.
They’re young, eager, and want in on cybersecurity.
24:32.290
[David Spark] “The military will take an 18-year-old and turn him or her into a soldier in 16 weeks. They will continually train that soldier over the course of their employment,” said Chuck Mackey of Fortress SRM. I love that quote because every time I hear someone say we can’t train them, that quote nails it, because that’s their job, the military. They take people with zero experience and give it to them, and that’s like the promise of the military.
So, this was a response to a post about how are we going to hire 3.4 million security professionals. And the industry as a whole complains about the lack of talent, yet there is a very proven solution, and that’s training. And many eager wannabe security professionals have complained – and we’ve talked about this endlessly on the show – about the lack of training within organizations. At the same time, organizations don’t feel they can reserve any of their existing staff’s time for training new people because they’re so maxed out with their current day-to-day work.
So, Andy, training is obviously the solution, and everyone knows it, but most organizations struggle to make that shift. I envision a tiered approach to having a formalized training process for all levels, green to security leader. What would that roadmap look like, and what would it take to create a training pipeline somewhat akin to the military?
[Andy Ellis] So, I think the thing you have to look at in the military is not boot camp, which is what Chuck was talking about, right?
[David Spark] Well, no, but he says boot camp to start and then there’s continuation.
[Andy Ellis] But what the continuation is is this understanding that you have a limited tour. I was in the Air Force, and I knew when I walked into a job that within three years, I was out of that job. Possibly to an entirely different career field. So, day one, everything I do is about how do I make this easier for the next person who’s going to be in this job. How do I write it down? How do I make it that less training is required so when that person shows up, they can hit the ground running? How do I make it easier? And how am I learning and how am I learning the skills for the next job?
And that’s the place where I think corporate America and maybe corporate world is really falling down is we want people to become perfect at the job they’re in and then never change. We don’t want to train them for the next job because we’ll lose them, partly because most companies don’t have good internal transfer and promotion paths.
[David Spark] That’s essentially it. You got to build a program, whatever your size is.
[Andy Ellis] But it’s not about the program because I’ve seen people where they think it’s about the program. It’s about the mindset and the philosophy. That every job, you hire people who are not capable of doing the job and they’re going to learn it. And every person, you’re going to teach them skills that they need in their next job. And if you do that, you can build a program up out of this grassroots philosophy, but if you just try to put in a training program and your managers don’t have that philosophy, you’re doomed. The philosophy has to come first.
[David Spark] All right. So, it’s a culture shift. Joe, what’s been your experience?
[Joseph Lewis] I got to tell you, I think part of this is because of the way we choose our cybersecurity leaders. So, you’ve got a great technician that becomes a team lead because he was a good technician. Then you’ve got that good team lead that you say, “Wow, you know what? He’s being a really good team lead. Let’s make him a manager.” Right? And so we don’t reward people for having the correct skills to develop the next generation of cybersecurity leaders. It’s one of the areas I think we as an industry struggle with…
[Crosstalk 00:28:19]
[David Spark] I will just tell you – I hear the complaints nonstop and I see it so often. So, pick any point, what would be a good like bringing up from green or bringing them up to a leadership position? How do you see working that into the program and making it a philosophy and culture shift as Andy just said?
[Joseph Lewis] You’ve got to have a commitment from upper leadership to invest in the people, right? And then you’ve also got to have a commitment from all levels of the leadership team that it is okay to put those people through training, and it’s okay that we’re going to teach them skills that they will use in their next job, and that’s okay that if they leave us, they leave us for another opportunity. We hope they stay, right? We’ll give them paths to laterals and promotions and areas of greater responsibilities to the ability that we have, but I think there’s just a fundamental acknowledgement that people are going to come, people are going to go, and that’s okay.
[David Spark] I will also throw this out to both of you. If you start building an employer brand where you’re known to train people, people want to come to work for you. Yes?
[Andy Ellis] Not only do people want to come to work for you, people don’t want to stop working for you. One of the challenges I had, I had a team of people, I couldn’t get them to leave.
[David Spark] Well, there’s a thing called firing, Andy.
[Andy Ellis] No, no. But I had great people, I wanted them to go out elsewhere in the organization or even outside the company. We trained them for that. But they looked around and said, “Nobody else is doing this. Why would I leave when you keep giving me opportunities to grow?” And so if you don’t give them opportunities to grow because you’re afraid they’ll leave, they will leave to go find opportunities to grow on their own. But if you give them opportunities to grow, they’re less likely to leave even if they become overqualified for the work you have today. Like, they’ll go find more work to do inside your company.
[David Spark] Good point. Joe, have you experienced this yourself?
[Joseph Lewis] I’ve had people that were well overqualified for the work that they did, but they stayed because they believed in the vision, they believed in the organization, and they believed in the leadership team. So, I’ve seen that as well. But it’s really, you’re talking about culture, and culture starts at the top. You need to have a leadership team that embodies that it’s okay to train and invest in your people and if they end up leaving because of that, well then, the industry and everybody is better for it, I think.
[Andy Ellis] And to Joe’s earlier point, if you’re that highly qualified technical person who was just made into a technical lead, or that lead made into a manager, and you want leadership training to know how to do your job, your HR team is unlikely to provide it for you. But fortunately, we know somebody who just wrote a book on this – 1% Leadership – just out a week ago.
[David Spark] I was just going to plug your book just the same…
[Andy Ellis] I know you were going to but I beat you to it so you don’t have to feel dirty.
[David Spark] No, I won’t feel dirty, but it’s always better when I plug it than when you have to shill your own book all the time.
[Andy Ellis] So, listeners, pretend that David just plugged that.
[David Spark] I just plugged it. Anyway. By the way, are you going to do a training program on 1% Leadership?
[Andy Ellis] So, I am right now building out a coaching plan to go with it, so when people say, “Hey, here’s a challenge I have,” they know which chapters to go to. I’ve got a Substack newsletter in which I’m sort of dripping that out. I’m looking at how do I do keynotes or group sessions because I’ve certainly had some demand for that. So, if you’ve got a listener and you want me to come in and talk to your management team at any level about how to apply some of what’s in here, I’m absolutely happy. Reach out to me and chat.
We’ve got listeners, and they’ve got questions.
31:46.165
[David Spark] Unknown and unmanaged assets are a chronic problem that only seems to be growing. We all know and accept the mantra, “You can’t secure what you don’t know.” Steven Palange of TLIC Worldwide asks, “How much do unmanaged assets slow down your incident response and vulnerability management process?” Very good question. I’m going to add to that – what safety nets are we putting in place for what we don’t know? Joe, I’ll start with you. How do you deal with the unknown which also becomes unmanaged assets? Let’s assume you did your due diligence and your best discovery. What do you do with your vulnerability management process, your safety nets, what are you doing to try to compensate?
[Joseph Lewis] So, the success or failure of any incident response or vulnerability management program is about the preparedness, right? You’re going to have to tabletop, you’re going to have to make sure that you have purpose-built training around the idea that there are going to be unidentified assets on the network that pose risk. Right? And so really, for me, it’s about preparation, it’s about having tools and capabilities in place. Like you said, the safety net. But then also making sure that your processes are robust and they’re resilient enough that when you find unmanaged assets – right, not if – but when you find them that your processes are not going to break down. From a holistic perspective, that’s all any of us can do because I think the barrier to procure new IT is too low, and everybody can go out and buy stuff and add things to the network because it plugs in and makes it easy, and we often don’t find out about it until it’s far too late.
[David Spark] I throw this to you, Andy. What do you do for your safety net?
[Andy Ellis] Spreadsheets. And you may all laugh at that one, but here’s what I have found. Most people don’t want to track what’s already ugly in their organization. They know about the unmanaged system. People know about that shadow IT. But it’s shadow IT, the CIO doesn’t want to write it down as an asset that isn’t well-maintained, so you’ve got to start. So, you should take, if you’re a CISO, start your spreadsheet – it can be in Google Sheets, it can be Excel, whatever – and write down the classes of systems that you’re responsible for. High level, we have stuff in public cloud. Like boom, that’s everything in AWS, Azure, whatever, and then…
[David Spark] It sounds like, by the way, you’re describing possibly the cyber defense matrix, Sounil Yu’s thing.
[Andy Ellis] You can use the cyber defense matrix for some of this, but I’m all the way up at the top of the cyber defense matrix. You just have to start, right? Be willing to write down your assets and you say, “This has 85 unmanaged systems,” or really like 8 million unmanaged systems, whatever it is. And you have to be willing when someone says, “Oh, hey, by the way, we do practice X,” say, “But do you do that practice on these systems over here that we think are unmanaged?” And enjoy that uncomfortable silence as everybody says, “Oh, no.” But if you’re not willing to challenge your organization gently and keep pointing out that these unmanaged systems exist, they will forever be a drain.
But it’s really easy for people to stop thinking about them. And when the board asks the CEO, “Hey, I hear vulnerability management matters, are we patching all of our systems?” The CEO says, “Of course we are,” and then turns to the CIO and says, “Oh, are we patching all of our systems?” The question the CEO just asked is, “Are you patching all of the systems you are responsible for?” So, everything the CIO has already ignored is not part of the question, even though it was part when the board asked it, and the CIO turns to one of their directors and asks the question, who turns to somebody. And the answer that ends up coming back up is effectively, “Oh, when Microsoft Patch Tuesday comes out, all of our Active Directory domain controllers are patched within one week meeting the SLA.” And that’s the actual claim that supports the CEO’s response to the board of, “We patch all of our systems.” If you’re not willing to know what “all” means, even the ugly part of it, you don’t have a safety net.
[David Spark] That is a good way of describing it.
Closing
35:56.462
[David Spark] And that brings us to the very end of our show. Thank you very much, Mr. Andy Ellis, author of 1% Leadership, and Joe Lewis who is the CISO of the CDC. Do not mistake any of the commentary on today’s show as official response from the CDC whatsoever, but you can definitely attribute it to Joe Lewis and his personal opinions. Yes, Joe?
[Joseph Lewis] Absolutely, 100%.
[Andy Ellis] Even my opinions, those are Joe’s.
[Joseph Lewis] I’m just [Inaudible 00:36:24] all opinions, I’ll take them all, that’s fine.
[David Spark] By the way, we learned something else today that if you are filling out a form, please use Andy Ellis’s address.
[Andy Ellis] Absolutely. Go for it. I can say no to vendors.
[David Spark] I want to thank our sponsor Cyolo – safely connect people to work. Let me remind everybody of their web address – Cyolo.io. Go check them out. We greatly appreciate their sponsorship and supporting the CISO Series. Joe, are you hiring over at the CDC?
[Joseph Lewis] We’ve got routine vacancies that we’re looking for. There’s a standard public announcement for cybersecurity professionals within the CDC, so yeah.
[David Spark] I’m assuming there’s a CDC job board of some sort, or they could contact you?
[Joseph Lewis] Eatatj@joes.com, yes, that’s…
[Laughter]
[Joseph Lewis] No, the CDC posts, all of their openings are on USAJobs.gov, along with most federal agencies.
[David Spark] Ah, excellent. And do you need clearance for these jobs?
[Joseph Lewis] Some you do, some you don’t. Some of them are public trust, some of them are cleared.
[David Spark] Okay.
[Joseph Lewis] But anywhere in between.
[David Spark] So, all nature of positions in cybersecurity. Well, thank you so much, Joe. Thank you very much, Andy. And thank you to our audience as well. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.