Andy Ellis (1:58)

Yeah.

David Spark (1:58)

My question is, is there a version of do you know who I am that doesn't come off that that person's a jackass? Is there a way to get what you want that does not come off as the line of do you know who I am?

Andy Ellis (2:12)

I guess it depends on what you're trying to do, Right? Like if you are trying to get a privilege that you are expecting? Like, for instance, I go to football games and there are Patriots alumni who are there all the time. Like they have a special wristband or a. Usually a minder who's there. So they get lots of stuff and so I can see them like, they walk up to the bar and they order a drink, and the drink always gets comped. So, yeah, there's a polite way for them to sort of flash their badge, their ID to be like, yeah, you know who I am. Right.

David Spark (2:43)

That is a politer way. Yes.

Andy Ellis (2:45)

Right. So the challenge is, most of the time, when people are saying it is, they're trying to get a privilege that they're not entitled to. Like, oh, I want to be first in line. Do you know who I am? Now, I'll be honest. I have done this at RSA when I'm speaking, which, like, I did not this year. But, like, I've walked up to the line, and they're like, I'll get in the back of the line. And I just, like, point up at the sign, and I'm like, by the way, I'm the speaker. Like, I did this in the keynote when I was doing the keynote hall, and my picture was there.

David Spark (3:12)

There you go. There's a perfect version of do you know who I am? Which is not being obnoxious, just pointing by the way I'm speaking, rather than, hey, moron, working the front door.

Andy Ellis (3:22)

Yeah.

David Spark (3:24)

Because you can't expect them to know.

Andy Ellis (3:25)

You can't expect everybody to know. And you just, like, it's. It just becomes fun. Like, they get this moment, like, oh, that's who you are. And you treated them with. With respect, as a human. Like, that's the real challenge of do you know who I am?

David Spark (3:37)

There is a way to treat people with respect.

Andy Ellis (3:41)

Yeah.

David Spark (3:41)

And to cajole them a little bit rather than make them feel bad about who they are or them not knowing you. Which my attitude is, if someone doesn't know someone, big deal.

Andy Ellis (3:51)

Big deal. Who cares? Like, the best part is if there's a reason that they should know you, you get to introduce yourself to them and have them be blown away by your awesomeness.

David Spark (4:00)

There you go. I just love the egotism that is connected to the phrase, do you know who I am? There's something sort of so beautiful about. Wow, you've gotten to your point in life where you feel entitled to say that line.

Andy Ellis (4:17)

And I suppose that the challenge that I've run into is when I've had people do that is I know people who could throw their celebrity around who don't. That I'm kind of immune to it when somebody's like, well, don't you know who I am? And I'm like, so do I care?

David Spark (4:31)

Let me chalk this up for I don't care. All right, let's get into the show who everyone's going to know in just a minute. He doesn't need to throw his weight around. His weight is thrown around ahead of him. That's what happens. Thrilled to have him on board. He has a connection to the CISO series family actually, which is very nice and we're thrilled that he's joined us. He is the head of Global Information Security over at New Balance, none other than Paul Drepoux. Paul, thank you so much for joining us.

Paul Drepoux (5:01)

Oh, thank you so much for having me. Dave and Andy, really excited to be here. Thanks. You did steal my opener though. Do you know who I am?

David Spark (5:13)

Is this really the right strategy?

David Spark (5:18)

Quote Is it better to have a few rusty cor quarters than a shiny silver dollar? That's how Ira Winkler of Tsai framed the debate over startups chasing Fortune 500 logos right out of the gate. He built off of Jason Cinemore of Confide's frustration with vendors after the RSA conference. He found them obsessed over Fortune 500 meetings while ignoring mid market CISOs who need them the most. There can be a lot of strings attached to a Fortune 500 deal. Months negotiating contracts, scaling before you're ready, supporting complicated legacy environments and burning resources you don't have. But some startups land a Fortune 500 customer early and it legitimizes them instantly. I mean, I know of cases of this their logo becomes marketing without having to do marketing. But that Fortune 500 might not let you say they're a customer, which kills the whole value proposition. So Andy, I go to you what's the right play here in terms of who you're targeting? And for CISOs, if you're at a mid market company watching vendors chase those enterprise logos, does that change how you evaluate their commitment to your success?

Andy Ellis (6:27)

So actually, first I want to take apart a couple pieces of the argument. Even though I mostly agree with it. I just want to caveat I'm going to end up in the same place. But first of all, I got to say the better to have a few rusty quarters than a shiny silver dollar. Is there a worse analogy to go with no, I'd rather have the shiny silver dollar than a few because few is three, two or three. So yes, I want the shiny silver dollar. This one would have been better if we'd said is it better to have a handful of rusty quarters than a shiny silver dollar? I'll take the handful of rusty quarters.

David Spark (6:57)

Is a few considered less than four?

Andy Ellis (6:59)

Yeah, generally few is two to three. That's my expectations. It didn't resonate. But I'm nitpicking here. The second thing I just want to nitpick is the reason that the startup wants the Fortune 500 is not as marketing to other customers, it's as marketing to get their next round.

David Spark (7:19)

That too. Right.

Andy Ellis (7:21)

They land the Fortune 500, they get a bigger next round, which means they have more money to put into building product. Like that's what their actual ecosystem is. You're a startup with a seed round, you can bring in a six figure deal on a Fortune 500. Boom, you've got your next round right there. Like that's, that makes your a round happen. And so I think a lot of people who are on the CISO side are like, oh, but why would you want to be tied to a Fortune 500? The answer is because I would like to have a lot of money in the bank that I can use to now build the product I need. Because at seed you're not building a product, you're building a feature.

David Spark (7:52)

Right.

Andy Ellis (7:53)

And I think the financial services industry has really sort of distressed this piece of the market because big banks will buy a feature from a seed stage startup and so everybody chases them. That said, if you are a startup like do not pivot everything to going after this hypothetical whale like land customers find your, your fit. You have a feature, you have a buyer, because that's the first step to getting to product market fit. And yes, the mid market CISOs are going to look around and be like, oh, you don't know how to sell to me or you don't want me when that's actually who tends to buy the most product is in the mid market. There's a lot of companies there you, you want to have. If you have a market, it has to include them.

David Spark (8:37)

All right. Now I will say that I know of one case where they did get a blue chip client like right out of the gate.

Andy Ellis (8:45)

Yep.

David Spark (8:46)

And they were able to drop their name and it did allow sort of a, a lot of other customers to fall into place because of it.

Andy Ellis (8:54)

Right. Even if you can't publicly use their name, everybody will just still disclose it in, in customer prospecting calls, private conversations.

David Spark (9:01)

Yeah. Okay, I throw this to you. Paul. Paul, what's your take on this? Do you agree with the don't be chasing the Fortune 500 or heck, if you need your another next round, you got to go for it.

Paul Drepoux (9:13)

I agree with the comment that it's a balance. Right. I mean I spent some time in a startup I joined just between seed round and A round. And I'll tell you, our first paying customer was about a 60 person Textile manufacturing company. We probably spent more at the bar that night celebrating than we got for the. But we learned a ton from that customer, right? I mean they had a bunch of legacy stuff. We were building an endpoint product in the EDR space. So we learned to solve some of those challenges at a smaller organization. That might have been a little bit lower stakes for us, but we could really direct that product at different customer bases than just that Fortune 500. Now the other side of that is we definitely had our bigger sort of blue chip clients as well. I think from, from the CISO perspective, I might get a little nervous with a startup that was, was really directing their, their efforts there because as you said, I start to lose a little bit of, of control as to where the product's going. And the big advantage for someone like me investing in early stage products to use in our environment is I get some direction on that roadmap. Right?

David Spark (10:23)

And we've heard that a lot. That's usually the excitement CISOs have for startups. Right?

Paul Drepoux (10:29)

And I don't necessarily believe that a startup is not going to pay attention to a customer like me or a logo like ours, but they definitely direct where the money is going, like we said. But there are barriers to entry in larger companies. Smaller companies can act much faster and be a lot more nimble there.

David Spark (10:48)

Why is everyone talking about this now?

David Spark (10:54)

Is the next generation not paying their cybersecurity dues? Quote limewire for those of you who don't know, is one of these download services where you can download music and movies illegally? Quote limewire taught me to trust nothing that came from cybersecurity. Subreddit post about why people who grew up in the 80s and 90s might have better cybersecurity instincts. Back then, you built immunity through exposure to countless small threats. Click the wrong ad banner, download wrong song, you use the wrong thumb drive and you'd spend hours reinstalling Windows. I've done that. Now the Internet is sterile. Even pirate sites look like Netflix. Young people grew up with iPads and Chromebooks that are locked down. That means no tinkering, no troubleshooting, no learning the hard way. One commenter thought Gen Z is as computer illiterate as Boomers, end quote. But others pointed out that age isn't a strong indicator of cyber risk. Being overwhelmed and under pressure is what increases risk. So is this generational immunity real, Paul? Or is it just nostalgia for doing things the hard way? And we hear that a lot. When I was young, we had to do this and that. Paul, what's your take on this?

Paul Drepoux (12:15)

I think it's quite real. Not necessarily because of the exposure to smaller threats. My take on this would be 80s and 90s people. We grew up watching these things get built. We probably had a home computer that wasn't connected to anything, and then we got to dial up, and then we got to wired Internet, and then we embraced a world where there was basically wireless Internet delivered everywhere. So it leaves you with this conceptual understanding of how things work and how things come together and what the implications might be on certain things. So as technology transitions from one phase to another, you have this analogous view of how those pieces come together and really where the threats might be. I think folks that might be growing up now. I mean, I look at my teenage daughter, she grew up in a world where the Internet was always in the palm of her hand, Right. So that becomes magic to a lot of people. I think of the Arthur C. Clarke quote. Any sufficiently advanced technology is indistinguishable from magic, right?

David Spark (13:11)

Yes.

Paul Drepoux (13:12)

So folks that weren't exposed to how these things were really developed, more or less from the ground up, just don't have the fundamental understanding as to how they work and how they can break.

David Spark (13:22)

Good point. All right, Andy, I throw it to you. You grew up in this era. You, I'm assuming, may have reinstalled Windows once or twice. More than that, were you a little bit more, I guess, wary, I would say, of these things as a young person.

Andy Ellis (13:37)

So I think there's a couple different things going on. And one thing here is sort of a selection bias, which is, yes, there are a number of people who grew up in the 80s and 90s who are wizards, because they understand this very, very deeply. But that doesn't mean everybody from our generation did. So I think that's a thing we should pay attention to now. It does mean that when you have deep expertise, you understand things like leaky abstractions. One of my favorite blog posts ever from, like, 23 years ago, Joel Spolsky wrote about the law of leaky abstractions, like what happened when Java got created, but memory management still leaked through as a problem, even if Java wasn't doing it. And if you didn't understand how memory worked, you would not understand why your Java program was breaking because you assumed memory was infinite and scalable. But it turns out it's actually not under the covers. So, yeah, we have a leg up when we actually understand the technology underneath the magic. But I think what's happened is we've looked at the people who became experts coming through that and are then comparing them to the mass of people who are coming later. And that's an unfair comparison because we're sort of comparing the 1% to the 90%. Like in my house, I have two kids. My eldest could care less how technology works. Like it's just a tool. Their focus is elsewhere. My youngest, like, this is the guy who taught himself how to reinstall Windows because he's the only one with a Windows box in the house because he wants to do gaming. So he's a great systems administrator. He understands how Windows works. Both of them. I tried to teach them good cyber awareness and good risk awareness. I think they've got their heads on straight. And that's mostly because we tried to put them in situations where they would learn. And I don't think that's about the technology. I think that's sometimes about removing the safety net. For those of you who are not from the 80s, you should go watch Stranger Things if you haven't watched it already. And recognize that demons aside, that was the life we grew up in. There was no safety net. We had no phones. It wasn't that we didn't have like the magic of the Internet. No. We had no way to call our parents. We got kicked out of the house in the morning and we were not expected to come back until the evening. We got into trouble. We had lots of life learned lessons there.

David Spark (15:49)

I can't imagine you got into trouble, Andy.

Andy Ellis (15:51)

Oh, you have no idea.

David Spark (15:53)

Tell us one quick story. Go.

Andy Ellis (15:54)

So my favorite story is when our previous house, I was giving a friend a tour in it and we had three upstairs bedrooms. Two of them were for the kids, one was for my gym. The one that was the gym was the nicest of them, but it had an external patio. And I said I wasn't putting my kids, who were about to be teenagers, into a room with an outside door because I know how much trouble I got into as a teenager with an outside door. And my mom said, you never got into trouble? And I said, no, I just never got caught.

David Spark (16:20)

So everyone creates a picture of what Andy did going in and out of that outside door from his bedroom.

Andy Ellis (16:26)

You can decide anything you would like based on that. But anyway, the point is it's not that kids don't have access to the technology and they aren't tinkering. I think there's just as many tinkerers now as there used to be. I think the Challenge is we have protected them from a lot of risk. That has nothing to do with technology risk and everything with life risk.

David Spark (16:43)

But, Andy, when you and I were growing up with technology, it was the people who were into the technology use it. Truly, everyone uses technology. Everyone's got a mobile phone. It was only a percentage back then, right?

Andy Ellis (16:56)

It was tiny fractions. How many of us had personal computers in our bedrooms when we were kids? Like, I did. Like, when I was in sixth grade, I got a Commodore 64. Like, it was the coolest thing ever. I was like, the cool kid among the geeks.

David Spark (17:10)

It's still pretty cool. Do you have, by the way, any of these old computers still, or.

Andy Ellis (17:14)

No, no, no. I donated them a long time ago.

Paul Drepoux (17:17)

I've got an office full of them. I still have my Commodore 64.

David Spark (17:21)

Strongly recommend a visit to the Computer History Museum in Mountain View.

Andy Ellis (17:25)

Yeah, I wish I had a good way to get rid of things now. I now have a bin that is labeled Necromagnetic hygiene for, like, every laptop or tablet we had in the last 15 years that I just have not gotten around to.

David Spark (17:36)

Purging shredder. Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers turn to AI to power increasingly sophisticated strikes, Doppel uses it to fight back. Their digital risk management dismantles attacker infrastructure, while human risk management builds team resilience through simulation and training with automated takedowns, multichannel coverage, and AI defenses that build intelligence with every fight. Doppel works relentlessly to protect people, brands, and trust Doppel, outpacing what's next in social engineering. Learn more by going to their site. It's doppel.com that's spelled-o p p e l.com dopple.com and when you go, let them know that you heard about them from the CISO series.

David Spark (18:42)

It's time to play what's Worse.

David Spark (18:47)

All right. Paul, do you know how this game is played?

Paul Drepoux (18:50)

I don't.

David Spark (18:51)

Well, simple as this. Two crappy scenarios. I make Andy go first. You have to tell me from a risk management perspective, which one is worse? All right.

Andy Ellis (19:02)

And the rule is, we can't really modify this scenario. So you can't say, oh, like I inherited not having a team. The first thing I do is go hire a team. No, no, you don't actually get to have a team in that scenario.

David Spark (19:13)

Right, Right. You can't all of a sudden, change it. These are the parameters. This is what you got to work with. But this is a very different sort of take on our traditional watchworths.

Andy Ellis (19:21)

Okay.

David Spark (19:22)

Okay. This comes from Ryan. Rene Rosado of rsm. Here you go. And again, there's kind of two parts in each half of this scenario number one, Andy, your company is suffering from a major DDoS attack right before an IPO. And all the time this is happening, you also have to watch a three hour elementary school musical in which your children are not in the show and you don't know anyone else's children in the show. You have to sit through this.

Andy Ellis (19:51)

Why do I have to sit? Ryan? I need that. Ryan. Renee. I need to understand, like, why am I actually here if it's not my kids? You can't tell me. I have to. Without a story. I need a story.

David Spark (20:01)

This is just the scenario. By the way, I'm the one who adapted this. I'm the one who actually edited that part. She had something else that was a little more depressing, and I took it out. That's it.

Andy Ellis (20:12)

Okay.

David Spark (20:13)

So you could ask me. I'll tell you a perfect situation. We were at a friend's house who was actually helping produce an elementary school musical that our child did go to at one time.

Andy Ellis (20:24)

Okay.

David Spark (20:25)

We helped her.

Andy Ellis (20:26)

I mean, this one I've got a good answer for. So this is not going to be the worst.

David Spark (20:30)

We helped her out with the designer and stuff. And at the end of helping her out, she was so thankful, she said to us, I'll get you free tickets to the show. And all we can think is, because we didn't have any children in the show, like, oh, God, what are you nuts? I'm not going to that. I'm not out of my mind.

Andy Ellis (20:47)

But I will say. We'll say you're on the board of the school. That does it.

David Spark (20:51)

Okay, we'll do it. That's only scenario number one. That's scenario. I have to give you scenario number two.

Andy Ellis (20:55)

I know, but I like to understand the scenario before we go to the next one.

David Spark (20:59)

Okay. Scenario number two.

Paul Drepoux (21:00)

Those are concurrent scenarios. I don't get to choose which of those.

Andy Ellis (21:03)

Yeah, that's. You get both of those.

David Spark (21:06)

You're dealing with both of these things at the same time. Your company is suffering from a major DDoS attack right before IPO.

Andy Ellis (21:12)

Right. So assume the DDOS attack starts as you walk into the performance.

Paul Drepoux (21:16)

Okay.

David Spark (21:17)

Yes. And you get the notification right before the ipo. You have to. Now, granted, you have a team that works for you. Like, you don't have to deal with it.

Andy Ellis (21:24)

Yep. Okay.

David Spark (21:25)

Or your organization is the root cause of a supply chain attack that hits your customers and you have to chaperone a sixth grade field trip to New York City. Again, you don't know any of the children. None of them are yours. Which scenario is worse?

Andy Ellis (21:40)

Wait, you don't know them or they're just not yours?

David Spark (21:42)

They're not yours. They're not yours and your kids are not friends with them. You just have to deal with somebody else's sixth grade kids.

Andy Ellis (21:50)

So this one's kind of funny.

David Spark (21:53)

Yeah, it's plenty funny. I think this is hysterical.

Andy Ellis (21:55)

I'm entertained.

David Spark (21:57)

They're both awful from all angles here.

Andy Ellis (22:00)

No, no, the first one is actually not at all awful. Because what I'm literally gonna do is I'm telling my team, go pick Akamai or Cloudflare and turn it on.

David Spark (22:08)

Boom.

Andy Ellis (22:09)

My DDoS attack is dealt with. Like, we literally have vendors who solve this problem. I am the wrong host to get this.

David Spark (22:15)

I know, I know.

Andy Ellis (22:16)

As the guy whose patent is on solving this problem. But this is a 15 year old solved problem.

David Spark (22:22)

Let's assume you're not turning this on. You just. You're getting hit.

Andy Ellis (22:25)

I'm getting hit. So. But I can deal with it. Like, this is not like getting hit with a thing that there's no dealing with.

David Spark (22:31)

I'm gonna assume you can't all of a sudden. Cause yes, that would be a simple solution to this problem.

Andy Ellis (22:35)

No, no, it's an incident to manage. Like, DDoS attacks are easy to manage. Like, if you wanna give me an incident that sucks, DDoS is not in the suck. I'm the root cause of a supply chain failure that I assume is across a large environment. That's a much worse problem. These are just not even comparable to me. And so the. And like, that's happening and I'm on a chaperoning 6th graders where I have to pay attention to them. Like, this is not about whether I know them or not. This is. I actually have sort of a duty and responsibility as a chaperone.

David Spark (23:07)

Yeah. During the three hour elementary School Musical, you could use that as a nap.

Andy Ellis (23:11)

Right? Like elementary School Musical, I'm like, great, I'm on my phone solving the incident. That totally works. I'll have some parents nearby glaring at me. So I'll pretend I need to go to the bathroom, step out, deal with the incident. But if I'm responsible for sixth graders, I can't do that. So it's difficult for me to manage this painful incident while shop running.

David Spark (23:29)

You make a very good point.

Andy Ellis (23:30)

So number two is worse.

David Spark (23:31)

Paul, do you agree or disagree here?

Paul Drepoux (23:33)

I agree entirely. Number two is far worse. A supply chain attack like that that's impacting my customers is hurting other people. It's hurting other organizations. So from a pure cyber risk standpoint, that one is far worse. To me, the DDoS is hurting us, but it's recoverable. Like Andy said, you know, in, in general, the, the pain point for me in both of these scenarios is the dealing with other people's children side of it. My, my, my daughter and 16 year old daughter again, she does competitive dance. I love to watch her dance. It is so amazing. Watching other people's children dance for extended periods of time at competitions and recitals. That is. That's torture part.

David Spark (24:12)

That's complete torture.

Paul Drepoux (24:13)

That, that is is a more painful part. But the. So this on the Cyber end though, 100% supply chain. Supply chain that I'm responsible for. That's the worst scenario.

David Spark (24:21)

But hold it, I'm throwing this out. Say you don't have Akamai or Cloudflare to help you out with the DDoS attack. Which I. Which you are correct. It's very manageable. Let's just say. Hold on.

Andy Ellis (24:30)

Okay, so I will invent a solution. I already did.

David Spark (24:34)

It's just before an ipo. How much is this damaging your ipo, do you think?

Andy Ellis (24:39)

Not. Not very much at all. No, I don't think so. And look, the kid thing doesn't actually bother me. I don't think either of those are negatives other than. And I'm probably bored at this elementary musical, but I actually think educating and entertaining other people's kids can be fun. That's why I'm on the board of trustees of a high school, because I actually think that's like the greatest privilege you have is to create this environment for them. So I don't find it a problem that I'm in New York City as a chaperone other than I can't also do my day job of being a security professional because I have this responsibility that I take seriously.

Paul Drepoux (25:12)

Yeah, that one takes you out of the game for much longer as well too. Three hours. Look, our teams have dealt with incidents, all of us here. I'm sure three hours is sort of a blink in most larger incidents.

David Spark (25:24)

Yeah. So it would be magical if it ended in three hours.

Andy Ellis (25:27)

Yeah, yeah. Try being a chaperone for a high school trip to another country, which I've done part of. And that's a very different time constraint.

David Spark (25:38)

What about this AI security challenge?

David Spark (25:44)

We don't need faster answers, we need better questions. Stuart Winter Tier argues that in the age of AI, knowledge isn't the edge anymore, synthesis is. LLMs can recall anything quickly, but they can't weigh trade offs like we did in our last game with contradictions or ask what are we not seeing. The value now belongs to what he calls the specialist generalist. Someone deep enough to master something, wide enough to connect it meaningfully to something else. Someone who can sit in the intersection of disciplines. He frames synthesis as the hardest skill. Knowing what matters, not just knowing more. So this synthesis capability. Paul what separates effective security leaders from technical experts? And if synthesis is the hallmark of the CISO role, which I kind of get the sense is from his description, how do you demonstrate it before you get hired and when you're on the job?

Paul Drepoux (26:45)

Paul I think it is. Obviously the specialist generalist is a really great way to put that Security is a broad problem set and yes, with its deep dives, at any given time you might need to deep dive into, into different topics. I think having the ability to do that is, is probably one of the most important capabilities of a security leader. Right. And it's something that people in this field should definitely look to grow very, very early on in their career. I saw this when I was in threat research roles, right? Being able to again look across a broad set of problems, but really dig deep where we need to is super important. Someone asked me one time, how do I get to be a great threat researcher? And this person at the time was in a sales engineering role, customer facing role. And I said get good at using Google. You know, you're going to have to dig into a lot of things that nobody is an expert on in this organization and you're going to have to become one overnight. And that's the synthesis aspect of that. You don't have to have all the answers in your head. I do sort of wonder about these AI tools and how we're using them. You know, one interesting point from last year that I was thinking about was the situation that Anthropic was dealing with the exploitation or the misuse of their Claude tooling. One of the aspects that they mentioned in that write up on that was that the tool hallucinated to the threat actors and gave them false data about valid credentials or data or whatnot. It really takes an expert to understand the output of these tools and understand what to trust and how to use it. It's super important.

Andy Ellis (28:18)

So I Want to pivot on that concept of the expert. And there's a term that's often called deep expertise, which is when you understand a system well enough to understand its constraints. And we've always known that person. There's the running joke about the mechanic who knows how to fix the boiler, exactly where to bang on it and why that works. And one of the challenges that we have is there are very few people who have deep expertise. But even rarer is the ability to synthetically have deep expertise to walk in to a system you don't understand, but engage with it as if you had deep expertise. To say, this system has to have constraints, I don't yet know. Let me go figure out what they are. And I like to think of that not as the specialist generalist, but the generalizing specialist that you can walk in and become a specialist in almost any field. And let's take LLMs as one of those. If you understand how an LLM basically works, what you recognize is that LLMs are non deterministic. The hallucination is a specific form of non determinism. But it's the fact that this is a constraint that they have is they're trying to synthesize human behavior and humans don't repeat things. Which means anytime you want to ask an LLM to run a process over and over and over again, it is not going to work because it's non deterministic. It's going to do a different thing every time it runs the process. Now having an LLM create a process and create an automation that will then just run the process over and over again would be what you would do. Right. And so that's an example of how somebody who can think about constraints of a system might walk in and say, hey, here's what I need to do. What do people not think seeing. And that's one of the biggest challenges you've seen. You see it at every level of an organization where somebody who believes they have expertise walks into an adjacent system and never says, how are the constraints here different? How might this system behave differently and how will that change the decisions I make about how to use it? People make fun of executives that do this, that walk into the room and say, well, why don't you just. And I like to say that just is the most dangerous word in the business ecosystem because it means the person didn't understand how the system works.

David Spark (30:24)

Worked.

Paul Drepoux (30:25)

The other most dangerous word is probably only. It only does this.

Andy Ellis (30:28)

Yeah, I always loved customers would never use our system this way.

Paul Drepoux (30:33)

I'm thinking about this from the perspective of a threat actor too. I mean, what makes a good threat actor? Exactly what you were saying, Andy. Someone who looks at the constraints in a system that can be exploited to do something that wasn't intended. Make it do something that's not repetitive. Absolutely. Work outside that loop.

Andy Ellis (30:51)

And in a sense that goes back to our 80s and 90s kids conversation, which is, I think a lot of us did grow up where we had to interact with systems and figure out how to make them do things that they were never intended to do, whether that system is a technology system or a human based system. And like, look, I'm the guy who sits in like walks in and watches TSA every time I fly to figure out all the process vulnerabilities, which I'm not going to list on the air, but they exist. Like I have seen process vulnerabilities in TSA that I understand why they do them. And that's like, oh, if I needed it I would could use that. But I'm not going to because I don't want to make TSA any worse than it is.

David Spark (31:29)

This reminds me of the book by Bruce Schneier, the Hacker's Mind, which speaks to very much what you are all talking about. Yep, I recommend it.

David Spark (31:41)

What's the starting point for a CISO

David Spark (31:46)

quote? When leaders hold everything tightly at the top, it's often not about ego, it's about experience being burned before. That's Rinky Sethi, who's a CISO over at Upwind Security who reflected on what separates leaders who skill from those who bottleneck the ability to trust people enough to let go. She argues that control rooted in fear has predictable consequences. Decisions slow down, people stop taking ownership, strong talent leaves, innovation narrows. But when people feel frustrated and empowered, they step up, think bigger, move faster. Leaders gain leverage instead of control. But how does a CISO know when they cross from healthy oversight into fear based control? Interested on your take on this, Andy? What are the signals that reveal you're holding too tight?

Andy Ellis (32:39)

So I don't like the framing of that as fear based control because sometimes it's just they've never been exposed to how to do it. They don't know how to create systems of delegation. I had a friend who liked to say, look, the CMM model, the Capabilities Maturity model. So they're level one to level five for organizations. The challenge is there are people who don't know how to operate at different levels. If you grew up in a level one organization, heroes. I do it all myself and nobody taught you how to build a level 2 or a level 3 org. It's not that you're afraid. You just don't know how. Like, you don't know how to delegate what delegation even looks like, because you've never been, well, delegated to. I had this challenge, like, early on in my career. My boss had no idea what I did. Occasionally I'd get vague direction, but that's not delegation. That was like this. Such laissez faire, like, I'm not being micromanaged at least. But it didn't teach me how to delegate. I had to learn how to do delegation. Thank goodness I'd gotten that in prior parts of my career, so I was able to use it. So I think the lesson really needs to be, do you have people who are capable of making the decision you made but refuse to make it? That's your signal. If you've got somebody who should have been able to say, oh, yeah, I'll go do X, but came to you and said, what should we do? And you said, go do X, and they give you the look of, yeah, I knew you were gonna say that. And they go, execute. You've got a problem there because you're not delegating. Micromanagement is simply the mismatch between how much supervision somebody needs and how much they're getting. That is, they're getting more than they need. And so you need to learn how to delegate, which is to let go and say, it will not be done exactly the way you did it, but more will happen. And you just need to say, here's the success criteria. Here's how I will measure your success. Go do it.

David Spark (34:30)

I love that.

Andy Ellis (34:31)

Several things from my book, one percent Leadership, available anywhere you buy books.

David Spark (34:36)

Read his book, too. Read. Actually read andy's book on 1% leadership before you read the Hacker's Mind by Bruce Schneier. All right, Paul, I'm taking you. That was a great explanation right there. What would you add to that, Paul, assuming you agree?

Paul Drepoux (34:49)

No, no, I definitely agree. I think one of the ways that I detect that in my world is if people are coming to you to be the easy button, right? Like. Like Andy said, sort of offloading that decision to you. You have to figure out why that's happening. Is that some condition you're creating? Is it a lack of confidence there? I often observe maybe people on my team or on other teams deferring decisions until certain people are in the room, rather than, as Andy said, making a decision that a reasonable person would make. In that scenario, knowing what they know. And that's an area that you certainly should dig into. Right? I mean, if we're doing this job right, as we're hiring the people and building the teams that we're going to delegate to, we're hiring people that are smarter than us in these areas. As we just talked about, these generalists, specialists, specialist generalists that can really understand these problems in ways that probably we as leaders cannot. So I think oftentimes what I'm really looking for my team to do is act independently, make those decisions when I'm not in the room because frankly, they have more information about the problem than I do. And we just have to understand that, as Andy said, it's not always going to necessarily be done exactly the way that I would do it, but, but maybe the way that I would do it is wrong, frankly. And I would rather have competent, great people in those seats to make those decisions and make those calls. As we were talking about before, if I'm at the three hour dance recital and someone needs to make a call in an incident, I need to have the faith that that person A will be able to execute and make that call or push that button. I think having simple rules across the team really helps too. I mean, one of the things that our team talks about is when we're evaluating a condition or the severity of something and whether we need to take an action that, hey, might have some business impact. Is this stopping the shoes? Is this impacting our key business efforts? That's what that boils down to for us. Is the situation creating a condition where either we can't serve our customers or our customer data or something like that is at risk. Hey, in those cases, people have to understand that they need to make those calls, calls make those decisions and leaders frankly have to back them.

Andy Ellis (36:53)

And now here's the advanced skill. So if you're. Once you master Paul's skill, which is right on, like, that's where you need to get to watch out for escalations. Every time somebody outside your organization escalates because they didn't like a decision that somebody on your team made and you overrule the person on your team, that's a failure on your part, not on the person's part.

Paul Drepoux (37:16)

100%.

Andy Ellis (37:17)

Right. And if you make it cheap for people to escalate to you, they're going to keep doing it. So this was taught to me by somebody who worked for me was he said, look, people escalate to you because you can flex on the policy and I can't. So what we would do is he would say, look, we need to flex. He would give them the flex. And then when they escalated because they still didn't like it, I would take the hard line on policy. Here's what you need to do. And so they learned that it was painful to escalate to me because now I was watching, and they couldn't get the good deal that they had. And so they would go back to him and say, hey, can you help us get back to this deal you offered? And now they wanted to work with him. They wanted to stay with the person who was in charge of this. And now delegation works because I wasn't overruling them.

David Spark (38:02)

Excellent. Well, that brings us to the end of the show. I want to thank our sponsor, Doppel, the AI native social engineering defense platform. Remember, just go to their website, doppel.com d o p p e l.com doppel.com learn how to protect yourself from deep fakes at all levels, to all people, and let them know you heard about them from the CISO series. Paul, thank you so much for coming. I love your line. Was, does this stop the shoe? Was that the line?

Paul Drepoux (38:33)

Does this stop the shoes? That's the question we ask.

David Spark (38:35)

I'm going to say this is analogous to a line that one of our other copies, co host Steve Solewski, who's a former CISO over at Levi Strauss, would always say, how does this help me sell jeans?

Paul Drepoux (38:46)

Yeah, think about the why. Think about why we're doing this. Right?

David Spark (38:49)

Yeah. I mean, it all come comes down to the shoes, the jeans, whatever the heck it is. What's the why does this stop the shoes? It's great. Thank you very much for joining us. I'm assuming people can reach out to you on LinkedIn. We'll have a link to your profile on the blog post for this episode. Anything else you'd like to say in closing?

Paul Drepoux (39:04)

Paul, it was great to be here. Super fun. Look forward to maybe doing it again sometimes. Thanks for having me.

David Spark (39:09)

We would love to have you again and again to our audience. As we always say, and I truly mean it, we greatly appreciate your contributions. And for listening to the CISO series

David Spark (39:19)

podcast, that wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com please join. Join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and cybersecurity headlines. Week in review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com thank you for listening to the CISO Series podcast.