
All links and images for this episode can be found on . This week’s episode is hosted by me, (), producer of CISO Series and (), partner, . Joining us is , former CISO, the Wendy’s Company, now CISO of . In this...
Host
What I love about cybersecurity. Go.
Adam Holland
I love the unique aspect of how we work across all verticals and industries, which not only brings a constant diversity in the challenges we face, but means we have a way to bring people their fascination and motivations into roles which align to their growth needs and the impact that we want to make.
Host
It's time to begin the CISO Series Podcast.
David Spark
Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the CISO Series and my co-host for this very episode, he is the partner over at YL Ventures, it is Andy Ellis. Say hello to the audience, Andy.
Andy Ellis
Good afternoon, folks. Or depending on when you are in the world, good evening, good morning, or good night.
David Spark
That's his Johnny Carson golf swing sign-on. That's it. Hey. Our sponsor for today's episode is Vanta, a spectacular sponsor of the CISO Series. For years they've been supporting us: automate compliance, manage risk, improve trust, continuously. Thank you, Vanta, for supporting the CISO Series. By the way, for those of you who don't know, we are available at cisoseries.com. Please go check us out there now. Andy, I have brought this up on the show before about the line, "do you know who I am," in that sort of sense of. I think we see it more in the movies or more in television, but I don't know if I've actually heard someone say it, because it's an indicator of "I'm a jackass." But I do love that because I'm a big fan, in, like, in movies and television, of the Pompous Jerk or the Pompous Idiot.
Andy Ellis
Are you a fan of the Pompous Jerk or the existence of the Pompous Jerk as a trope?
David Spark
Well, I love the character the Pompous. Well, the Pompous Idiot, like the Gaston in Beauty and the. You know, the guy who's so charming, so great, so fantastic, but he's an idiot or a jerk, all in the end. Have you actually ever heard somebody say, do you know who I am? In the context that I'm referring to?
Andy Ellis
Yes, I used to work in the hospitality industry.
David Spark
Oh, I'm sure you heard that plenty.
Andy Ellis
So, yes, I am actually familiar with that trope. And it goes one of two ways. Yes, one way goes straight to a confrontation, and the other way, actually, you can often use this to fleece somebody because they have just told you that they have a massive but fragile ego. So it's like, no, I don't. Who are you? Tell me. And like, boom. You're a bartender. Boom. You're ranking in the tip at that point.
David Spark
Really? I'm way impressed.
Andy Ellis
Oh, yeah. No. The bar I used to work at was in Vermont, and we got the New York State Bar Association would have their conference, and this was back in the 90s, and people were on expense accounts. And the way in which lawyers would brag to one another was who could buy more stuff and spend more stuff. And one day, I had these three partners from three different law firms. They were friends. They had this deal where they rotated who bought which meal across the course of the weekend. They're at my bar before dinner. They hadn't separated that as a check. And so they were gonna roll it into the dinner check. And I'm like, no, no, no. You have to settle up here, because I get screwed if you give my tip to the. There's no way I'm gonna see my money. So the three of them are like. They're like, okay, we'll do this. And they start negotiating. Then they bring me over, and it's like a $250 check. Just to give you an idea. Pre-meal drinks, $250 for three guys.
David Spark
So they're pretty well soused at this point.
Andy Ellis
No, no, no. They're not well soused. It was all top shelf things. When you're doing, like, $20 to $50 a shot still liqueurs, it adds up quickly. So they said, well, we can't figure out who should do it. So we've decided you get to pick which of us get. And I'm like, okay, here's my proposal. Why don't all three of you pay the check? And they're looking at me, and they're like, okay. So they handed me three credit cards. I put $250 on each credit card, and I walked away with a $500 tip because I was willing to pander to their egos.
David Spark
That works great. That is, by the way, a very good tip. Pander to people's egos. You'll get a big tip.
Andy Ellis
Your goal is rarely to be right. It is to get something done.
David Spark
Good advice for a lot of things here, which has come up on the show. And why don't we start the show and bring in our guest? I just met our guest at a conference in Dallas, Texas, and I am thrilled to have him on this show. It is our, by the way, third fast service restaurant CISO on the show. This is our hat trick.
Andy Ellis
That's amazing.
David Spark
It is the CISO for the Wendy's Corporation. None other than Adam Holland. Adam, thank you so much for joining us.
Adam Holland
Yes, it's great to be here today.
Host
How is the CISO role evolving?
David Spark
The CISO as a bridge to the business is well-worn territory on this show. We talk all the time about, quote, speaking the language of the business. I don't want to sound like a broken record, but we've got more to say about this here. But Jeff Hancock recently posted on LinkedIn about how to move beyond just translation for CISOs. He said that the next step is to show the business opportunity that cybersecurity presents. That's the key thing here, essentially framing it as a competitive advantage. He also suggested CISOs level up their relationship with the C-suite and IT by positioning themselves as a trusted partner. Now this can be done by involving executives in the cybersecurity roadmap and scheduling regular updates rather than only showing up when there's a problem. Andy, have you seen CISOs have success moving from a translator to a strategic partner with the business? I know this is your language, so.
Andy Ellis
It is, but I sometimes worry when I read articles like this that people are putting the cart before the horse, right? You cannot just say, I'm going to be the strategic business enabler, and now you are one. That's like putting on the trappings of an adult while you're still a kid. The secret here is to understand, are you actually a business enabler and what does that look like? And to do the work, and at some point people are like, oh, I want you in the room. Because when you bring a problem to me, you put it in language I understand. You understand that, like, I'm trying to roll out product, you're trying to stop me from rolling things out. And at some point something has to give. The person saying stop is the one who has to give. So if you show up and say, hey, there's some risks here, here's how we get your product out safely. You just start talking in that language. And let's be really honest, when I started and I was at Akamai 20 odd years ago, we could say that cybersecurity was a strategic advantage because no vendors were taking it seriously. Everybody is now taking it seriously enough that it's no longer a strategic differentiator to be like, I'm the most secure vendor out there, except in a handful of places, right? So you don't just get to walk in and do that, but you can say, how am I using security to advance the business? Reduce your operational costs by having you have maintained software. How am I looking ahead to be like, oh, we're going to get rid of passwords, and I can do that more securely. And everybody in the business loves me because I've reduced how many times they have to type a password that they didn't want to memorize. Or I can say there's some way to be more secure and sell a product. Like, that's the holy grail. Don't always shoot for that. But if you can sell a product that actually makes somebody more secure, great new business line. But you don't just declare you're going to do that.
David Spark
Right? And this is Steve Zalewski's classic line that we've quoted many times over. And he used to work for Levi Strauss. He would say, how does this help me sell more jeans?
Andy Ellis
Right.
David Spark
All right, Adam, I'm throwing this to you. You were, like, acknowledging when Andy was referencing passwords here. How do you frame it, in either competitive advantage, strategic advantage? How do you sort of, when you talk about this, when you do this sort of speaking the language of the business, how do you make that approach?
Adam Holland
So I agree it starts even a little earlier than just putting it out there. Because if you don't find a way to build that relationship before you come in to strain it in some way, and demonstrate that consistent authenticity, then you're just. You sound like a bumper sticker, read in a few seconds at a red light, and you're not going to have that kind of success. So you. You move from what is not just what does this cost, but what does it create? What is it going to allow? How am I going to let the business move faster and to speak in the terms that they understand and resonate with them? And not just scary security language.
David Spark
Right? And I get the feeling that most CISOs have moved on for that, but don't you have to kind of twist the screws a little bit on scary security language? Like, Andy's looking at me like, oh, my God, what are you saying?
Andy Ellis
No, the language that you used, which is such a classic security framing is the problem. Right? If you need to teach somebody about security because you need them to internalize risk, great. Like, you scare people so that they believe. It's why we tell fairy tales to our kids. What is the story of Little Red Riding Hood? Don't talk to strangers. How do we make sure you know not to talk to random strangers? Is we scare you with the wolf eating you. That's the reason for the story. If every night you beat your kid up because they talk to somebody random and you're like, don't ever talk to any humans. You're not actually helping. What you're doing is you're saying, stop listening to this person. You're becoming the grownups in the Peanuts cartoon. Wah, wah, wah, wah, wah. You're just speaking for the sake of hearing. You're not trying to twist the screws for the sake of being like, look at me, I know what I'm doing. You're trying to say, how do I get you to do your job better? My job is not to keep you from doing unsafe things. It's to help you do things safely. Very subtle difference. But once you have that in your brain, you'll never say that I want to twist the screws on someone.
Adam Holland
Yeah, that's a, it's a great way to put it. We, I mean, you see it even if you look at the restaurant industry and I can go out there and demonstrate how to protect the business and what we do. And that's a part of that building that relationship and that consistency. But I also want to talk about how we're going to enable speed, how I'm going to keep people focused on their job and at that window with that customer and not just dealing with security and complexity and tools. It's a total package, that business conversation, business leadership, as opposed to just coming with security terminology.
Andy Ellis
In fact, I'll give an example. And I'm not going to name which fast service restaurant does this, but there's at least one of them where the point of sale terminals that you have to tap for Apple Pay, Google Pay, etc., don't reach out to where the customer is. So the customer has to use Face ID or whatever on their phone to activate payment and then hand their phone to somebody inside the restaurant when you're in the drive-thru, who's now going to tap it. Like, I understand there's probably some security reason, logic that came in and said, hey, we don't want this device to be reached out the window, we want to protect it, blah, blah, blah. But what you've done is you've put the customer at risk because you haven't said, how do I make quick tap payment fast and safe? In effect, we've just made quick tap payment safe by removing a bunch of problems, but we've transferred the risk. Those of you who do drive-thrus might recognize who does this. Maybe it's just localized. Might be the one near me that's doing it. Who knows.
Host
How have you actually pulled this off?
David Spark
75% of executives credit their success to mentors, according to a survey from the American Society for Training and Development. But as Christopher Gross pointed out in the Harvard Business Review, typical mentorships tend to bring together people that already share common identities, backgrounds and experiences. You're more likely to mentor someone you see yourself in. Yes, I can see this happening. Instead, he makes a case for bridge mentoring, which bridges together people from different backgrounds, where there is more of an exchange of understanding, collaboration. So, Adam, we know you're big on recruiting from non standard backgrounds, but when it comes to this type of bridge mentorship, how should potential mentees look to approach a CISO when they don't have a lot of commonalities drawn? And how do you even get the process started? And also I would think from the mentee, they would like to see themselves in the mentor as well, don't you think? I think it kind of goes both ways.
Adam Holland
It does. There's still human dynamics involved and what do we find in that connection with each other. But a lot of it starts now in that digital search and how you're finding those mentors. And I think a lot of the success comes from finding ways to move beyond those differences, or maybe even a lack of some of the common points you may see on their resume or their LinkedIn, is to show that commitment to learning and that you're there to find a mentor and a teacher, not just a hiring manager, not the immediate secret sauce to promotion and success, but that you're there to gain information from them and to bring and demonstrate that by what you know and what you're hoping to share with that mentor as well. And now you create a common curiosity and a tinker mentality amongst each other and then build on that.
David Spark
All right, Andy, you are very, very passionate about this topic as well. But again, it's this human dynamics the mentee wants to see. Oh, I could become like this person. And if that person is similar to me.
Andy Ellis
Yeah. So I think that that aspect of mentorship is highly, highly overrated. Especially if you look at the folks of our generation, our career paths don't exist anymore. You can't get to where I am by following my path. You have to follow your own path to get to somewhere similar. So if you look at me and you say, well, I could be like Andy, the answer is probably, no, you can't, because Andy could no longer be like Andy. If a junior version of me who thinks exactly like me can't get to where I am today. Just that path doesn't exist. What's important, I think, is to really break this mentorship concept down into three categories. There's what people really often think about a mentor, which is a short term, usually somebody for a year or two who's going to give you sort of advice and guidance. It's very transactional. Honestly, you're working with this person, it's ongoing, but at some point it just stops. And the reason it usually stops is because there's not a tight relationship outside of the mentorship. There's another one, which is what I love. It's called, often called a rabbi in the military. You might think of it as a sponsor, which is somebody who is deeply invested in your career and they're going to follow you and watch you for a decade or more and they're going to find opportunities for you, way better than being a mentor. You can almost never ask someone to do this for you. It's. They see in you that it's worth their investment and they're going to invest their reputation in your career. Like they will go tell other people that they should hire you. I've had this where I've had a major company call me up and say, hey, we want you to consider taking this job. And I'll be like, no, but I know somebody who's not on your radar that you should go hire. And I'll give them a name, non-traditional. That's somebody who's one of the people I'm a rabbi for. They didn't even realize I put them in for it. And I said, hey, this is the person. You do your own diligence, but you're going to want them. They got the position.
David Spark
Adam, let me ask you, and this teases something that Andy just said. The marketplaces change. I think about this, like with colleges. I think about where I went to school and I think about how difficult it is to get to school now. It's like I couldn't get into the school I applied for. Now, the way it works, do you think the way you got into cybersecurity and how you built up, could you do it in this environment? And if the answer is no, how do you mentor in a new environment that would be more of a struggle for you if you were in the same shoes?
Adam Holland
You know, Andy has a great point that I came in based on experience, certifications, things that I had in the law enforcement life that at that time weren't common in the private sector. So that path is different from that starting point. So I would say the entry point, entry level, maybe still has some common ground, some ways to be able to translate into. But from that point forward, it's all been through the mentors, through the relationships, through non-traditional, using current to meet new. And each role that I've been in, including this new one, has come by way of introduction through mentors and people putting my name in the hat. And I think that is the part that's changed. You've got to understand the value you bring, sharing that curiosity, what you want to do with those people you're talking to, and demonstrating that value so that they're going to put your name forward. And then there's a pressure on the mentors ourselves, that we're thinking in this different way now, to put those names forward, that I'm not interested in this position, but I've got a name for you. The value we add in the talent boards that we trade in CISO communities now is extreme.
Andy Ellis
Yeah, that's a really key thing. If you are a mentor or a rabbi or whatever you want to call it. You need to have a list of names.
Adam Holland
Yes.
Andy Ellis
So that when somebody reaches out to you, you're not racking your brain. This is one of the biggest failures in the development side of human management, which is that people go to, they get asked a question like, who do I know that? And they think about it immediately. First name comes to mind. It's honestly whoever most recently did something for them, was visible, et cetera. You should just have a list and be like, oh, you need somebody to go talk about system safety at scale. I've got a list of six people that are my go-tos of, if I can't do that talk, here's who I'm gonna recommend.
David Spark
Our sponsor this week is Vanta. They've been a fantastic supporter of the CISO Series. And let me ask you a question. Do you know the status of your compliance controls right now? Like this very moment, right now? We know that real-time visibility is critical for security. But when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 9,000 companies like Atlassian and Quora have continuous visibility into their controls. With Vanta, they can answer that question: what your compliance controls are right now. So here's the gist. Vanta brings automation to evidence collection across 35 frameworks, including SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting. And they help you get your security questionnaires done five times faster with AI. Now that's a new way to GRC. Learn more about Vanta at, go to this website, vanta.com/ciso. So v-a-n-t-a dot com slash ciso. You want to add the "ciso" at the end so they know where you came from. Go check it out.
Host
It's time to play what's Worse.
David Spark
Adam, are you familiar with how this game is played?
Adam Holland
Yes, I am.
David Spark
All right, there are two crappy situations, and you have to choose which one. We have a new contributor, someone I don't think we've received a What's Worse scenario from. And Andy, this is kind of an intriguing take, what we have here, because we haven't had a What's Worse like this that provides these two before. So it comes from Peter Goodet of Manage X Value. And here are your two scenarios. Number one, your risk domain teams are fighting for budget to mitigate their respective risks. But as the business leaders do not understand their IRR, internal rate of return, on their investments, they provide funding based on the most recent risk events in the news. That's how you get your money. If it's in the news, that's how you get your money. Or second option is risk leaders have to hope to have a risk event in their domain so they can get more funding for their risk mitigation program. So what's worse?
Andy Ellis
Wait, isn't that the same?
David Spark
No. So it has to happen personally in their domain.
Andy Ellis
Oh, I see. So it's either that you're reactive to you had an incident and therefore you get funding, or somebody else has an incident and therefore you get funding.
David Spark
Yes.
Andy Ellis
Like, honestly, this is mostly how the world works. It's a combination of those two. Like, this is not. Like, this is hard because this, like every time we get the what's worse, which is like, hey, the world is currently made up of a blend of A plus B. Which is worse, A or B, I'm like, well, you kind of have both of them and they're good. Just to be very clear, neither one of these is actually that bad. Right.
David Spark
Cause we're talking about getting money.
Andy Ellis
Well, this is like, how do you get money? You get money by risk. That is real and visceral to your executive funders. I honestly, if I have to choose between those two, I think I want to have the one where I get funded based on what happens to somebody else so that I can fix it before it happens to me. Now, I could argue the opposite, which is, well, but you have to wait for.
David Spark
You have to. In both cases, you have to wait for something to happen.
Andy Ellis
Sure. But let's say I'll use a podcast. I was about to use one of our competitors here, but that's always mean. So let's just take our podcast, right? It's us versus Hacker Valley. And the question is, if Hacker Valley has a bad day, we get money to fix it on CISO Series. Correct. Is that better or worse than it doesn't matter whether or not they had a bad day, until we have a bad day, we don't get funding? I think I would rather, based on them having a bad day, get funding. Therefore, the second one is worse, where I only get funding after incidents.
David Spark
But the other issue is the fact that there are risks that are happening and you could be getting funding and wasting money in areas that don't need it.
Andy Ellis
Yeah, but if I'm getting funding, look, it's on me if I'm having incidents and I can't put them in the news in some fashion before my executives. And yes, I'm not supposed to manipulate how this works out. Nir, I know you're gonna. You send email and say, Andy's cheating again, but at the end of the.
David Spark
Day, by the way, no one sends an email saying that you're cheating.
Andy Ellis
Oh, Nir does. I talk to Nir. He's like, you cheat all the time. Because I try to restate it. But this one, it's kind of weird in that you will get funding from both of them if I'm only gonna get funding from one.
David Spark
Yeah, it's black and white.
Andy Ellis
I think I'd rather have the slightly proactive funding than the only reactive funding. And honestly, if I have a bad day in location X and I don't have money for it, I will solve the X problem some other fashion. Like if I have to steal my own money, you'll probably.
David Spark
By the way, you'll probably get more funding in the second scenario though, too.
Andy Ellis
You might, but you often tend to lose a lot of control. Like, oh, we just had a DDoS. All of your budget just went away except for DDoS mitigation. Trust me, I've been on the other side of that call when I was selling DDoS services, and a friend of mine is like, I hate you. I'm like, why do you hate me? He's like, well, I had a budget for this year, and then there were DDoS events, and now I don't have a budget because you took it all as the vendor. And I'm like, well, that sounds like a you problem.
David Spark
So you might lose friends in this.
Andy Ellis
Yeah, I didn't actually lose the friend, but it was an entertaining conversation of they weren't proactive. And the reactive isn't actually you got new money, it's we take away all your other money.
David Spark
All right, Adam, are you going to agree or disagree with Andy on this one? Where do you stand?
Adam Holland
Yeah, I'm granting. I know we don't have video, but I'm granting a nod in my head. I have to, I have to agree. I want, I want the money there. I want the abilities to start tying into the other parts of technology and teams that I need support from. But in either scenario, I'm going to fall back on, never waste a crisis. It's going to be I have the money to move, or I'm going to get that incremental cost in that second one. And I think it is ironic in this particular set of What's Worse is that they do exist, and this is the landscape we have to operate in. But it's going to change depending on your audience and, and maybe even the quarter that you're facing.
David Spark
No, but, but take, take the example of. Let's go back to the. The DDoS situation. What if you don't need that much money for DDoS, but there are some very public DDoS events and 90% of your, your budget in. I'm sorry, in either scenario would be that is it has to be spent on DDoS. You're like, well, no, hold on. I can't have 10% for nothing. For everything else. Like, doesn't that become a worse scenario?
Adam Holland
Well, it can, but. But your stakeholders, your shareholders, if you're publicly traded, there, there is a dollar to reputation that you have to consider in that equation as well. So not just what I'm losing and what do I have left to work with for the rest of the year and not have. And no burger bucks left in my case, how am I going to. How am I going to appease the. Those audiences and deal with the threat at the same time?
Andy Ellis
Wait, do you actually have internal bonus burger bucks for budget? That's awesome.
Adam Holland
I use that phrase cause it adds humor to a tough topic. So when I put up my budget stuff. Yeah, it's burger bucks.
Andy Ellis
Oh, I love that. Can I have some fry bucks too?
Adam Holland
Hey, there we go. I like it.
Andy Ellis
Some fry franks.
Adam Holland
Yeah, we start a whole new line of commercially available nowadays.
Andy Ellis
Yeah, some shake shekels. Nice. Oh, you can run with this one. Yeah. So I think the challenge here is, like, what makes this What's Worse scenario really hard for us to engage on is it's sort of written from the point of view of somebody who has zero budgetary control, where somebody else is deciding what you're spending money on and how much you get to spend. And if that's the case, you're not a CISO. If you're a CISO, you get budget deltas from people, you get priorities from people. But at the end of the day, you're going to move money around and you're going to make things happen and you have to deliver. But if someone comes in and says, hey, we're giving you a million dollars because you just got breached or so-and-so got breached, half the time that "gave you a million dollars" is, I need you to solve this problem. It's probably going to cost you a million dollars. Go find your own money to do it, or maybe you get some piece of it, and if you can save money, you'll go spend money somewhere else instead.
Adam Holland
And rarely have I seen that, even if it's that money that comes in in response to that thing, when the dust settles and some of the calm comes back to the environment, you're usually still going to have to go find that funding someplace else. So that second scenario first feels good in the moment. You won the prize at the carnival, but then you still gotta pay later on for what you've collected.
Andy Ellis
Right. I've had to deal with that where it's like, oh, I have to stand up a whole team to go solve this problem. Except the money ended up coming out of my own budget. So I functionally had to just move people out of existing teams. I wasn't gonna RIF anybody, but we moved people and every other team took a hit. It was not a great day.
Adam Holland
Yes, the speaking into existence correction isn't sustainable in the long term, for sure.
Andy Ellis
Yep.
Host
What's the starting point for a CISO.
David Spark
Quote: "Being serious about security at scale means meeting users where they are." Trail of Bits engineering director William Woodruff pointed out in a blog post that because all organizations are dealing with a limited pool of resources to address engineering and security challenges, we always need a utilitarian focus on the, quote unquote, "largest demographic of user benefits" for security initiatives, AKA the most good for the most people. That sounds good if you're John Stuart Mill, but is there a way to meaningfully operationalize that approach? I'm going to start with you, Adam. If you want to base a security program on this explicitly, what are the variables you need to consider? Like, what is the greatest common good? I have X dollars. I want to benefit the most people for this. I have got to assume this is what you're doing with your security program. But what are the variables you think about here?
Adam Holland
Yeah, it's a lot to consider that am I trying to change a long term process here, I want a different culture, I want behavior, or I'm trying to go after something that's very specific and current. But all of it comes down to the scale we deal in now and speed at the same time while battling against not just threat landscape, but some of the smallest attention spans that we can gather. Now, because of the devices in our hands and in front of us, it's finding that piece that has, it's typically a smaller percentage of what we used to equate to success that has the better positive outcome. I fix 2% of these vulnerabilities and I, and I take care of 80%. Where traditionally we were kind of gauging based on can I get to 100 on everything that I try to fix. So I'm coming at that. Whether that's a technical problem or a people issue that I'm trying to solve for, I want to find that common ground across most of them. Then I'm going to create a ripple effect. I'm going to have folks that are going to help drive the rest of that process forward if I can get the first few started.
David Spark
All right, Andy, where do you stand? What are the variables we're looking at here?
Andy Ellis
So I really, really like the way you just said that. First of all, I want to just challenge the original question. If you're going to say I have to go take John Stuart Mill's definition of utilitarianism and build my security program on it, I want to treat you like the trolley operator in every trolley problem. The correct answer to trolley problems is shoot the trolley operator, not deal with pulling the switch. Like, don't let them put you in this place of choose between extreme things. The reality is your job is to produce value; find the things that produce value. Now, what is value is you're taking the energy of your people and you're creating positive outcomes for your business. Sometimes that is greatest good for the greatest people. What do I do that makes 80% of my employees safer? The problem is, if I do that all the time, I have 20% of my employees that are disasters. Nobody's helping them. That's a problem. If I said, oh, I'm gonna focus on the outlier 20% who have, like, serious hard problems, well, my 80% aren't moving up. So you're kind of gonna have to blend your work across both of them and say, hey, I'm doing some things for the greatest good, for the greatest people. I'm doing some things to reduce really weird outlier risks. And because I'm looking across that and I'm looking forward, I'm a business enabler. Going back to our first section, I. I'm going to look for ways that I'm going to make everybody better off in the future, potentially by doing transformative changes that none of them are asking for. Right. I want to sometimes be Henry Ford, much as he was an awful human being, but I want to present you with a car, not a better buggy whip.
Adam Holland
Yeah, I agree. I like the way that we're taking a look at this on how to balance both. You want to find those strengths that you have in your people, but not forget about working the other muscles that they've got, too.
David Spark
And also, you started out the conversation with, what is it that we're trying to change? Is this a long-term culture issue, or is it essentially a point problem that I'm trying to address? Which have very different variables, I'm assuming. Yes?
Andy Ellis
Yeah. Like point problems. And here's the litmus test I like to use for people when you're working on a problem. You say, look, there are three things you want to do. You either want to really solve this problem, you want to put it on life support, or you want to stop trying to solve the problem. And those are sort of your three things. Like, "good enough" is put it on life support, do the bare minimum. What do I just need to do? I'm not trying to solve it, I just want to take off the rough edges. Or I really want to solve this, fix it. Or sometimes I'm going to live with it. And let's stop investing energy in complaining about the fact that we have to live with this problem.
Adam Holland
I see some parallels right now where we're looking at the rollout of the office productivity AI tools, and it's really causing a current focus on this. You know, how am I going to find the use case, how am I going to build the champion? And then who are my influencers going to be that are going to help me in my absence? Whether it's in my absence of information or budget, those are going to come into play. And it's really even causing us to look at security differently at the same time.
Host
Surprising research just in.
David Spark
Why are we ignoring advances in neuroscience when it comes to security awareness and training? Air Kritika pointed out that we know we can make learning more enjoyable and memorable when we integrate rewards. A little dopamine goes a long way and can create a positive feedback loop. So why aren't we leaning into that with gamification in cybersecurity? Kritika points out that gamification with tiered difficulty and new challenges can actually increase interest and engagement with training, unlike a lot of traditional training where people zone out over time. And neuroscience shows that we can positively impact decision making by reducing fear. Giving people a safe space to try and fail without fear can quickly build up positive behavior feedback loops. Of course, gamification isn't perfect either. It can lack time for reflection on why certain actions matter, or misalign employee objectives, focusing on getting badges versus actually improving knowledge. So how can we build a gamification training system that can work long term? That's key for an organization, because gamification can be fun for a little while, but all games get boring after a while.
Andy Ellis
So I like the end of this question and I hate the start of this question. Gamification is a tool. It's a thing. What is the point of your security awareness program? If you don't know what you're trying to teach people, then it does not matter how well you gamify it to suck people in. Like, what is the point? If the point is to get people to stop clicking things, you're doomed, because we pay them to click things. Right? And this is the problem. Most security awareness training programs are awful, and we make people go through the training program once a year. If you've got somebody who's been an employee for 20 years and every year you make them go through the same thing, of course they're going to disengage. Gamifying doesn't help. But what is the skill I'm trying to build? What outcome do I want? I love this for software engineers. How do I take my software engineers and teach them better coding practices? This is pedagogy. Don't think about gamification. Think of this as education. If my job is to skill you up, then I really better know what skills I'm trying to instill in you. I need to understand how you learn them. I need to provide not just, oh, we're going to sit here for an hour and give you a badge, but how do I get you to practice this skill in a meaningful way? And honestly, my experience with 99% of cybersecurity training programs out there is that what they're really trying to do is convince the user that it's their fault when something happens anywhere near the user.
David Spark
All right, first of all, Wendy's plays games with its audience. How does that work in the world of security? Do you do this as well?
Adam Holland
We have made a lot of changes as to how we look at the content, the delivery style, the videos, to get away from that same dry material. And not just gamification, but other rewards. If you're a longer-term employee and you have this knowledge base, because there are a few things we need to repeat each year, then you can test out of it: answer a few questions, get those correct, and you move on. You get your time back as the reward. But looking at the different content and how that reward works: is it a user group where it's heads down and it's fast and it's in that app, and that's where they're going to get the value, or is it me? As an example, here we use challenge coins, right? A common item in law enforcement and the military, but we've incorporated that into the workplace and security. And so I show up at a team meeting when I see value out of individuals and others that are driving this message we want, and we present that coin in front of them and their peers and their leadership to bring it out. So it may be digital, it may be physical, but we're creating and demonstrating collaboration, the win for the company and the recognition for the individual, while, as Andy said, trying to find ways to put variables into the content so we don't hit the snooze button too many times on it.
Andy Ellis
Yeah, I love what Adam just said, because it's not gamification, even though a lot of the gamification people come into it. It's rewards. It's saying, we're going to celebrate your victory. You did something great. And it's not always something that I predicted. Like, that's what's really important. The problem with gamification is you're often putting people onto a path where you say, here is the way to succeed. And the reality is I need you to figure out what the path is. You do something awesome. I didn't do challenge coins. I did cake with the CEO. Boom. I got more work done out of teams because I would feed them cake in front of a CEO and laud them and be like, here are all the great things they did. And I had VPs coming to me saying, what security work can my team do so that you'll do that for us? Because nobody else does.
Adam Holland
That's awesome. I guess back to our word game earlier. I need maybe like, burgers with the boss, right?
Andy Ellis
Burgers with the boss. Yeah.
Adam Holland
Yeah. There we go.
David Spark
I liked it. All right, well, that brings us to the very end of this show. I have to thank our guest, Adam Holland, who's CISO over at the Wendy's Company. I'll let you have the very last word, but also a huge thanks to our sponsor, and that's Vanta. Remember, if you want to upgrade your GRC solution, go to Vanta's site: vanta.com/CISO. That's Vanta, V-A-N-T-A, dot com slash CISO. We greatly appreciate their support. All right, Adam, any last words you have on today's show? And are you hiring over at the Wendy's Company?
Adam Holland
We absolutely are. In fact, if you go to my LinkedIn page, you'll see some of the recent positions that I've posted as we continue to grow and invest in the team. So do that, reach out to me. We've talked about mentoring and making those connections, and reference the CISO Series Podcast here as well, so I can make a more immediate connection. I'd be happy to connect with you. Also, you know, you talk about last words. I just really love the fact that we come together as this community and we share insights. We share the pain and the humor in it at times, and we learn with each other. I saw a friend post the other day a quote. I don't know the author, but it said that smart people are uniquely vulnerable to mistaking complexity for insight. And I love tools like this and communities like this that are helping us find that insight in complicated topics and tasks and problems that we're solving as a community, and making each other better along the way. That's all you can ask for.
David Spark
What a great closing quote. Thank you so much. And by the way, we'll have a link to Adam's profile on our site, but he's just Adam Holland, the Wendy's Company. You can find him on LinkedIn. Thank you very much, Andy, as always. Thank you, audience, and we greatly appreciate your contributions. By the way, send me in more "What's Worse?!" scenarios. We greatly appreciate your contributions and your listening to the CISO Series Podcast.
Host
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows: Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.
Episode: All Cybersecurity Problems Are Easy to Fix… With Unlimited Time and Budget
Date: March 4, 2025
Hosts: David Spark, Andy Ellis
Guest: Adam Holland (CISO, The Wendy’s Company)
This episode explores the practical realities of the CISO role: how security leaders must go beyond merely communicating risk to become true business partners. It delves into mentorship's changing landscape, how bridge mentoring fosters stronger, more diverse teams, and the utility vs. complexity problem. The group draws on real-world stories and challenges, particularly from the quick-service restaurant sector, to illuminate the trade-offs and strategies that define modern security leadership.
“You cannot just say, ‘I'm going to be the strategic business enabler.’ And now you are one. That's like putting on the trappings of an adult while you're still a kid.”—Andy Ellis [05:59]
“My job is not to keep you from doing unsafe things. It's to help you do things safely. Very subtle difference. But once you have that in your brain, you'll never say that I want to twist the screws on someone.”—Andy Ellis [09:03]
“There's another one...often called a rabbi...who is deeply invested in your career and they're going to follow you and watch you for a decade or more and they're going to find opportunities for you—way better than being a mentor... I've had this where I've had a major company call me up and say, ‘Hey, we want you to consider taking this job.’ And I'll be like, ‘No, but I know somebody who's not on your radar that you should go hire.’”—Andy Ellis [13:42]
“In either scenario, I'm going to fall back on, never waste a crisis. It's going to be I have the money to move or I'm going to get that incremental cost in that second one.”—Adam Holland [23:45]
“If you're going to say, 'I have to go take John Stuart Mill's definition of utilitarianism and build my security program on it'—I want to treat you like the trolley operator in every trolley problem. The correct answer...is shoot the trolley operator...”—Andy Ellis [28:54]
“Gamification is a tool. It's a thing. What is the point of your security awareness program? If you don't know what you're trying to teach people, then it does not matter how well you gamify it to suck people in.”—Andy Ellis [33:07]
“Your goal is rarely to be right. It is to get something done.”—Andy Ellis [04:23]
“How does this help me sell more jeans?”—Steve Zaluski (quoted by David Spark) [07:47]
“I use that phrase cause it adds humor to a tough topic. So when I put up my budget stuff. Yeah, it's burger bucks.”—Adam Holland [25:07]
“I did cake with the CEO... I got more work done out of teams because I would feed them cake in front of a CEO and laud them and be like, here's all the great things they did.”—Andy Ellis [36:35]
“Maybe like, burgers with the boss, right?”—Adam Holland [36:40]
“Smart people are uniquely vulnerable to mistaking complexity for insight. And I love tools like this and communities like this that are helping us find that insight in complicated topics…”—Adam Holland [37:19]