A
Fans of the CISO Series, we're going to be at RSA next week and we're looking forward to seeing you there as well. Two great opportunities to connect with us. First, on Sunday, April 27, 2025, we're going to be at BSides SF for a live audience recording of the CISO Series Podcast. The next night, Monday, April 28, 2025, we'll be at Lucky Strike, co-hosting a party with Vanta. Come check us out. We look forward to seeing you there. Join us. Just go to cisoseries.com and click on the Events page and you'll see all the info to register and get tickets.
B
What I love about cybersecurity. What I hate about cybersecurity. Go.
C
So what I absolutely love about cybersecurity is I have a really high altruistic need to help people and so I get to help protect people from the bad guys and I get paid for it. And then what I hate about cybersecurity is that there are bad guys out there and that I have to deal with them.
B
It's time to begin the CISO Series Podcast.
A
Welcome to the CISO Series Podcast. My name is David Spark. I'm the producer of the CISO Series. My co-host for this very episode, it's Andy Ellis, he's partner over at YL Ventures. Andy, say hello to the nice audience.
D
[In French] Hello, or, depending on where you are in the world, good afternoon, good evening or good night.
A
Was this the... good morning, good evening, all that, all in French?
D
In French today, yeah. And my wife always complains that I am the only person who can make French sound like an ugly language.
A
So, all right, well, anyone who speaks French in our audience, please criticize Andy's performance. I would love to hear that. Not just his wife, but our listeners too as well. We'd appreciate that.
C
Anyone.
A
By the way, that's our guest. I'm going to introduce her in just a second. Hold on. I do want to mention that we are available at cisoseries.com and our sponsor for today's episode is Vanta: automate compliance maintenance, manage risk, improve trust continuously. That is key. By the way, we're going to be talking more about just that. Since she just spoke up, I'm going to drag you into our opening little banter here. This is Mandy Huth, who's the SVP CISO over at Ultra Clean Technology. Brand new CISO. Correct, Mandy?
C
That's right. Two months in, it's been a ride.
A
Awesome. Awesome. All right. I'm going to bring something up. I don't even know if you were actually on the call yet when Andy brought this up. Andy is, hopefully, we'll have closed on a house by the time this airs.
D
That's the hope.
A
That's the hope. As I understand, Andy, you looked at one house, put a bid on one house, and got one house. Yep. Now, let me stress...
D
And the house I'm currently in, same thing. Looked at one house, put a bid on one house, bought one house. Same thing.
A
Okay, let me explain.
C
I was gonna say, do you usually buy two houses, David?
A
No, no, no. No one does.
D
I've done that, too. Mandy. So it's a separate problem.
A
Let me point something out. The first condo I purchased in San Francisco took me a year and a half. I overbid on six places before I got mine.
C
Wow.
A
Similarly, when we moved down to San Diego, for six months before we got a place, we looked at plenty of places. Now, therefore, I don't like you, Andy.
D
So just to be very clear for all the people who are listening, going like, how does Andy stumble into this luck? My wife and I spend years refining our thesis for what our next house will look like every time.
A
And then it literally lands in your lap.
D
No, it doesn't land in our lap.
C
Well, it's like... it does. It does. You put it out into the universe, and the universe responds to you. I bet you that is what's happening.
D
It responds with Zillow. We then search on Zillow for a very long time, like, oh, this is what this neighborhood looks like. Here's what houses are. And then when we're ready, we find the house and we're like, oh, that's the one we want to go look at. We go look at it. It's the right house. We make an offer, we're done.
C
I don't like him either, David.
A
No, we both don't like him. And by the way, I'm assuming most of our listeners don't like him either.
D
I'm just telling you it is easier to buy a house now than it has ever been in the history of America.
A
I'm interested to know... well, because the interest rate's so high. I'm interested to know if any of our listeners have had the same kind of luck as Andy, or if you have the kind of luck that I have, which takes forever, by the way.
D
You make your own luck is all I've got to say.
A
Oh, really? I do.
B
Pay attention. It's security awareness training time.
A
"Security awareness training is at best a waste of time and at worst actively harmful to security." End quote. J.M. Porup had this opinion seemingly confirmed by a recent study published at the 2025 IEEE Symposium on Security and Privacy. Now, the study saw failure rates on phishing fall only 1 to 4%. And contextual, interactive training doesn't help either. No matter the training, phishing messages around vacation policy and dress code still work. And Porup's point is that with limited bandwidth, employees will always choose to get their job done rather than care about security policy. Instead, for better security outcomes, organizations should focus on simple top-down technical controls. I know vendors are listening to this. He compares the effort needed to get people to opt in to 2FA, where you'd struggle to get 50% adoption, versus turning it on so everyone has to enroll to get their job done. The findings in the report are pretty damning for security awareness training effectiveness. Do we need to rethink where we're spending our time and effort? Andy, you were kind of cheering when I said it doesn't work, that opening quote.
D
Yeah. So I just have to say, if you know J.M. at all, this is amazingly restrained given how awful this research points out security awareness is. Like, the correct answer is security awareness training is blind compliance. We do a thing because we're told to do it, and it actively makes it worse. There's a lot of cases like this. One of my favorite examples, not to do with training: I was in a hotel in Cheltenham in the UK. So those of you who know what is in Cheltenham, you know who I was visiting.
C
I've been there, you've been there.
D
So you know who I was visiting. And in the hotel bathroom there was a sign stuck to the tiles inside the shower, clearly written by a lawyer, that says, "For your safety and comfort, please ensure that the bath curtain is inside the tub and the bath mat is securely fixed to the tub bottom." Right? So you can imagine they got sued, or they heard about a story where somebody slipped in a tub, and they're like, make sure you do the right things. Do you know what? That bathroom didn't have a shower curtain or a bath mat. It was one of those European half shower walls. And I'm like, so you have now actively made yourself more at risk, because you went from being negligent to reckless. You've told me you know there's a problem, but you're not gonna do anything about it. And that's where we are with security awareness training. The problem is that our technologies are fundamentally bad. The fact that somebody can email you a link and you click on the link and a bad outcome happens is the fault of our email system, the browser that you're using, whatever client it is, the web browser and the email transmission. It is not the user's fault. Pretending it's the user's fault lets us get away with leaving the system bad.
C
So, Andy, I don't disagree with that... but.
D
I hear a but coming.
C
There's not a but. There's not a but, there's an and. It is not the user's fault. And employees are incentivized to only do their jobs, right? They don't like it. Security is an add-on, it's a bolt-on, it's something extra they have to do. When people think that it's a shared responsibility and they understand why it's important, they pay more attention. So I don't disagree with the research, right? Phishing simulation, more than anything, is only just to keep it top of mind. But I think there's other ways to do it. I think you're communicating with them, you're educating them, you're telling them the why and how it's relevant to their work. Because ultimately, if something bad happens and your business goes out of business, everybody loses. So why isn't security part of every single person's job?
D
So the reality is it is part of their job, and they know that this is not security. Security awareness training, despite the word security at the front of it, has nothing to do with security. And so they rightfully say, you don't care about security, so why should I? If you're the one who's paid to care about security, like, why are you wasting my time? Like, we did annual security awareness training when I was at Akamai. We had to satisfy compliance. And you know what it was? It was a cron job that emailed people a link that said, come here to click the button to say you got trained. And on that page is three paragraphs I need you to read. And that's the entirety of the training. It takes you 30 seconds to skim it and you're done. Because I know this is a waste of your time, so I'm gonna minimize the waste of time. I had links in there to all of the awareness documentation and said, if you wanna go read it, go for it.
C
No one's clicking on your links. They're clicking on the email links.
D
You say no one's clicking on those links. But I will tell you, at least five times a year, we would get comprehensive and detailed criticism of those policies by people who had clicked through to read them. Because we said, look, here's the policies. You're welcome to read them, but we're not gonna force you to. But enough people would go read them because they chose to, because they cared about security. And I had told them, I'm not gonna make you read a 90-page document every year just to click a link.
A
By the way, I wanna tell you a very quick story. Last night I ran into a woman who was the head of HR for a company I worked for 19 years ago. And I hadn't seen her, and I was like, oh my God. And I said to her, you know what, I have to divulge something and reveal something to you. When I left the company, I quit. When I left the company, you said to me, I cannot take any files out the door with me. And I said, yes, of course. And yes, of course I did leave the company with files.
D
Everybody does.
A
Everybody does. And she smiled. She goes, yeah, whatever. Right?
D
What you're trying to do is make sure they don't take specific types of files.
C
That's right. And so I think that's where, Andy, I absolutely agree with what the research does say. One, I think we do need to communicate the why and help people understand how it's relevant to their job. And I think that technical controls that make it easy to do the secure thing are really what our responsibility is. 100%.
B
What's broken about cybersecurity hiring?
A
How will we create the next generation of cybersecurity professionals? Caroline Wong, director of cybersecurity at Teradata, recently published a Forbes piece about developing cybersecurity talent. One option she highlighted was apprenticeships. Now, these allow for recruiting individuals from a variety of backgrounds and giving them a clear path into the industry. One of the benefits of cyber is you can come from practically any background, but at the same time, everyone who wants to participate struggles to find a path to entry, and those who want to hire struggle to offer coaching and advice. We have heard this a lot. So I'll start with you, Mandy. How can businesses do this without having to create another branch of the business to accommodate the apprenticeship program? What do you think?
C
I love that you asked me this question, because what I see in my professional life is that we spend six to nine months finding someone that can step into a role, right? They need to be able to hit the ground running, right? And it just takes forever to find that person. Why don't we have a pipeline and spend that six to nine months training someone the way that we need them to work, right, side by side? Now, what that does take, one, it takes intentionality. Right. You've got to create a pipeline from internship to co-op to rotational to actual job offer. And if you have people in that pipeline, you are going to build good talent. But it also takes intentionality that you have to have good teachers. And that is the one thing that I think we're missing. Right. We all have the best of intentions, and we don't put the foundation in place to actually get them to the end of that road. Right. Because they don't have people taking the time to educate them. And I think that's where we really have to focus. And I think we can do it. We have to do it if we're going to have enough people to fill the jobs we need.
A
Andy, your take on the whole apprenticeship element? Because should we formalize something like this? I mean, it just seems like more work for a business to be doing that.
D
Yeah. I'm not a big fan of the apprenticeship, but I see where Caroline is headed and it's in the right direction. I think Mandy landed on the key point, which is we have to commit to training. And that's not just the people coming in, it's our own people. The first thing you should do is commit to developing every member of your staff and saying, how do I train you to get to the next job? Which is cybersecurity experience, it's management experience, it's leadership, it's interfacing with the rest of the company. There's a whole host of skills. And once you've committed to doing that, now it's easier for you to take people in and say, well, this person needs more communication training and less cybersecurity training because I'm bringing in a technician. Or this person needs more cybersecurity training, but less communications training because I just hired a reporter. If you have a research team whose job is to publish research and one of your people is not a former journalist, you're doing it wrong. Because that is actually the person who brings in all of the skills that you need. And yes, they aren't a cybersecurity expert the day they walk in the door. Maybe you got somebody off the security beat, but you can develop that better than you can teach somebody how to write English.
C
Absolutely. No, I think you hit it spot on. And Caroline is always thinking of really interesting ways to do that. And as you said, apprenticeship, maybe, but it's really about... it's not a one-and-done. And are we training our own people to help them train the next generation?
A
Which, by the way, can I just... I want to double down on what you just said. This is the number one problem, I think, around remote work. One of the advantages, when you're in your 20s and 30s, really your early 20s, and you go to work, yes, you get the socialization of the office, you get the ability to work together, but you need to be around the people who are older and more experienced and learn from them. When you aren't there learning from them directly, you can't really train up to be like them, because you're going to be replacing them. And I think that's a major, major problem with remote work.
C
100%.
D
I think there's two different problems there and we should separate them. One is most places don't know how to teach people other than through adjacency osmosis. Like fix that. If you want to be a remote work establishment, that is possible. But the other one is there's a lot of opportunities that we never write down. And that's what you miss if you're not in person. There's a conversation happening two cubes away that has nothing to do with your day job, but it's interesting. And you listen and you expand and you grow. Those are the real opportunities you lose. You become so much more of a specialist when you're a remote worker because you're not even hearing about the things that aren't necessary for your job.
A
Who's our sponsor this week? It is Vanta. They are our sponsor this week, and they've been an absolutely spectacular sponsor of the CISO Series. And let me clue you in on something about Vanta that you may or may not know. Let me ask you a question, though. Do you know the status of your compliance controls right now? And when I say right now, I mean like right now, this very moment. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we usually rely on point-in-time checks. But get this: more than 9,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting. And Vanta helps you get security questionnaires done five times faster, using AI, obviously. Now that's a new way to GRC. You can learn more about doing just this if you go to Vanta's site. Go to vanta.com, but go to vanta.com/ciso. You want them to know that we sent you there. So V-A-N-T-A dot com slash CISO. Go check it out. Get continuous reporting in your environment.
B
It's time to play What's Worse.
A
Mandy, you're familiar with this game, right?
C
I saw the... I listen to this game. I don't know how to prepare for this game.
A
This one is tough.
D
You don't get to prepare for this game at all. You just say, "I agree with Andy," and you're fine.
A
No, no. Do not listen to him at all. All right? I think this one is tough. And I hate when I set it up. And I go, I think this one is tough. And then Andy, you go, oh, this is easy. I truly think this one is tough. All right.
D
Okay, let's see how you did.
A
All right. Well, it's not how I did. It's actually... but I did choose, I think, a good one.
D
Well, it's how you did in choosing it.
A
And it's Dustin Sachs of Cyber Risk Collaborative. He's the one who wrote this.
D
Okay, but Dustin usually does some good ones.
A
He does some good ones. He also does some very silly ones too. But this one's... this one is a true What's Worse. Two scenarios.
C
I'm really getting scared. Okay, I'm ready.
A
Get ready. The good news is Andy answers first. So you just hang tight. You agree or disagree with Andy, and then you have to give your reasoning too. Sometimes people agree, but for different reasons. That also can happen too. All right. What's worse? You're discovering an advanced persistent threat. An APT group has had access to your network for a year. Pretty bad.
D
Only a year. We're looking good.
A
Only a year, looking good. Or realizing your incident response plan has significant gaps during a real-time attack. Which one's worse?
D
Oh, the first one.
A
The first one's worse.
D
I know I'm gonna make you upset.
A
You're good. Why is this so easy for you?
D
Because I ran incident response. Like, I was responsible for the... but.
A
No but. There's significant gaps in it.
D
That's okay.
A
There are always significant gaps.
D
There's always significant gaps. If you're not discovering significant gaps when you're doing a significant incident, then you're probably not looking close enough.
A
So, hold it. The only reason that the first scenario is worse is because the second scenario, which is bad, happens all the time.
C
No, but the second one, Andy, you're right. We should be practicing it anyway.
A
Right?
C
So even if there are significant, significant gaps, we know most of it.
D
We know most of it.
C
Right. So I don't... and... but I'm really worried, because if you've been in there a year, my logs probably only go back nine months.
D
One is I have been owned for a year, and the second is I need to improve my processes. I'm going to take "improve my processes" over being owned for a year. So here's the reality, which is at the core of incident response. You can either say you have no gaps or you have all the gaps, and you're always in both of those states, because the correct answer is you have empowered somebody to run the incident who has the authority to spend the company's resources commensurate with the level of incident they have. If that is true, you ultimately have no gaps, because that person is capable of closing them in real time. If you don't have that, then you have the only gap that matters, which is you don't actually have an incident response program at all.
C
Right. 100%. The incident commander is in charge. And if they've practiced, even if there are things missing...
D
Right.
C
Sorry, David. I agree with Andy on this one. It's 100%. The first one's worse.
D
We define it as a credit card. Like, you have an incident commander, and they have to be senior enough to have the right credit card, which is: if you have a tier one incident, a severity one incident, they have a credit card to create as many non-severity-one incidents as they need to solve the severity one incident. If they have that clout and authority, then you're fine.
A
But let me, again, play the devil's advocate here.
D
I love when David does this. He's like, I thought this was hard. I have to make it work.
C
He really thinks it's the incident response?
A
No, I just thought it was more equal than the way the two of you are approaching it. But no, you make a very good argument. You know, I've got nine months of logs and they've been in there for a year, so that is a good point. But nothing's happened yet in the first one. But it could just be... the walls could come crumbling down.
D
They have owned my systems for a year. You did not specify nothing had happened yet. What if this was Operation Aurora?
A
No, nothing's happened yet. Nothing's happened yet.
C
At the first, they've gained persistence and you have no idea where they are.
A
The second one is there's an incident happening and you got a giant gap.
D
Yeah. But you didn't say what the type of incident was.
A
We don't know yet. I know there's a lot of ifs on all of these scenarios.
D
Lot of ifs.
A
Lot of ifs.
C
And I... and incident response. Honestly, we always say it's not about, you know... you have to plan that you've been owned. Fine. So you have to know how to recover. Everybody should be practicing that. I feel like, please don't let anybody into my network.
D
Yeah. And you should be editing your incident response program and documents every time you have an incident. If you walk out of an incident and you have no edits to make, you did something wrong or you're amazing. Come talk to me.
C
I just... I might have recency bias, David. I just ran my annual... so we do it twice a year. Right. One is a table read-through and then we do a tabletop exercise. Right. So I definitely have some recency bias that we just updated that bad boy.
A
Well, this is what happens when you're only a journalist and producer and you're not actually a security expert.
D
Right. I haven't actually lived the pain.
A
You have a very clouded view of what to do, good and bad. I just thought, given that it's happening right now, and the other one is a big if. A big, very likely if, an extremely likely if. But the first one's like...
D
No, the first one.
A
I mean the second one. I'm sorry, the...
D
Right. You're seeing it that way. But the first one is... it's happening now and has been happening for a year. So we just detected that we had been compromised for a year, versus we have some incident. We didn't even specify what the incident was. And our response program has gaps. You didn't actually say, "and they did all these things." No, our response plan has gaps. Of course it does. Like, oh, we didn't think about the fact that we have to do end user notification in this region is a gap that I've got to solve in real time. And so I'd better have a robust and dynamic program that can solve gaps in real time.
C
But we have a chance to respond. I mean, detection and really containing somebody that's been in my network a year... oh, that just sounds... that sounds awful. It sounds like a really long, long, long opportunity to practice your incident responsibility.
D
I've had to real-time build defenses for the incident of a government wanting to be able to log into one of our systems in real time with fingers on keyboard. And we need to surveil and monitor everything they do remotely. They have physical access. And I didn't have that in my response plan the day before it happened. That's a gap. Okay. But we had the ability to solve that problem, identify what we were going to do. It's a fascinating story. Someday somebody find me with a glass of wine and you can have it.
C
Sounds like I'm coming to visit soon.
B
As a CISO, what do you think about this?
A
We all like to boil down complex topics into easily understood statements. So let's try this one out. From Ross Haleliuk, who is the author of Venture in Security. Quote, he says there are only two sources. Two. You can boil them all down. Only two sources of security issues: software bugs and configuration mistakes. So he points out that the former exists due to an industry-wide lack of incentives around software quality. There's never a, quote, "right time" to focus on security for a vendor. And software engineers aren't compensated for writing secure code. Because we lack these incentives, shifting left isn't going to be our salvation for secure code. Instead, we should have security engineers build secure defaults and make them easy to adopt. Now, for configuration issues, he points to CISA's recent Secure by Default initiative, which calls for shipping extremely hardened default configurations with a set of loosening guides to change defaults as needed. All right, Andy, I'll start with you on this. Can we simplify all security issues down to software bugs and configuration mistakes, or have we left something out?
D
So we have left a lot out. But I can simplify it even further, which is I can say that the only source of security issues comes from a gap between expectation and implementation. The customer expects something, and you have implemented something different. Like, they decide to use your open source embedded web server to run diagnostics on an implanted dialysis machine. Boom. We have security issues, because what you implemented was not designed for healthcare. Right? You expected to implement bug-free software. You implemented software with bugs. Boom. That captures his software bugs, right? Configuration is you expect it to be used in one way, it gets configured a different way. Like, every level nested down, there's how do you operate it versus what was expected? That's the only source. But the reality is you're never getting rid of that gap between expectations and implementations.
A
All right, I throw this to you, Mandy. Do you think it's all that simplified?
C
I love where he's going. And I have to do a shout-out, right? Because we always talk about hardening all of our systems. I love that CISA has talked about, like, Secure by Default, and you actually have to loosen your tie. I love that. Right. Because I do think that it captures most of it. But if you think about what the Verizon DBIR says, right, there's system intrusion, there's miscellaneous errors, and there's social engineering. So, okay, yeah, what he talks about is definitely vulns, you know, credentials, malware, all of those can be boiled down. But how do you stop the misdelivery of information, like a data exposure? Oops, I accidentally sent this to 50 people and this Excel sheet had a whole bunch of numbers. You can't code for that. I mean, you can try to put technical controls and DLP in. You say, hey, wait, wait, wait, you know, there's a lot of data and you're sending this to a lot of people. So we can do that. But I think they're missing the human piece of it.
A
And also I think everything that comes as a result of social engineering would probably fall into that category as well.
C
Absolutely. And so, yeah, we can get to stricter configurations so that we can minimize the ability of social engineering. We can make our filters heavier, right, our email filters, but at what cost to the business and at what cost to the user? Right. Because when you lock it down so much, how do they do business? Or they miss that really key email. Right. So there's just an inflection point that it pops over. So I don't think it can be just those two things. I think it hits a lot of things. And I'm a hundred percent really thinking about how do we start strong and loosen. And that shows us being an enabler versus us being the police adding friction. How about we start with the friction and we become the good guys that are loosening it for the business? Just something to think about.
D
Yep. I actually did a talk on this very topic at RSA last year. It was the talk on "you can't measure risk." But I really just talked about, like, the hazards that we think of as security issues. Like, it's customer needs, product goals, product design, engineering, implementation, operation. Those are sort of the six spots, and the gaps between them is where you get a problem. Right. And Mandy's just talking to you, hey, look, you should configure it correctly, but you should also operate it correctly. How many people have flaws in how they just operate their software? That has nothing to do with the software misconfiguration.
B
Is this really the right strategy?
A
Are companies missing an opportunity with privacy? A recent Consumer Reports survey found that 75% of Americans across partisan lines support laws requiring data minimization. That would seem to indicate privacy could be an important differentiator in a crowded market. Yet the ISACA State of Privacy report found that just 6% of privacy professionals think their board of directors views their privacy program as a competitive advantage, as opposed to 42% seeing it as compliance-driven. The idea of privacy seems to still carry a lot of weight with individuals. And I will just, by the way, after speaking to some university professionals, college students are heavily, heavily concerned, actually more with privacy than security, believe it or not. So my question to you, Mandy, is why aren't we seeing that translated on a corporate level? Or is it? I mean, this is from one report, but it seems globally that privacy still isn't heavily adopted. My main argument, just by the way, is often the business wants the data, and that kind of wins out often.
C
Yeah, David, you hit it spot on. But I'm going to play the devil's advocate here. The company definitely wants the data, and I'm going to tell you my personal preference. This is speaking from my own mind. In my house, I am an Apple ecosystem. And the reason I'm an Apple ecosystem is, one, ease of use, right? So I don't lose anything. But two, I have always felt that Apple will go to bat to protect my privacy. That doesn't mean they don't use my data. I know they do, but they're protecting it in a way that I feel is a differentiator for them. Right. You ask me if I'm going to choose an Apple product or an Android product, right? And every time I'm going to choose Apple, because I think that their privacy is a differentiator for them. So what companies, in my mind, need to really work towards: they say things, and everybody has a privacy policy, but they don't say we're going to go above and beyond. Right. And they don't. And they don't communicate and act that way. And that's the difference, because you can say all the words, but until you actually do those things and people know about the things that you've done to protect them, I think it's going to continue to be a problem.
A
Apple has kind of led the way in publicly acknowledging that they're trying to use privacy as a differentiator. They have billboards about it, in fact, as well. Andy, where do you think companies are shifting on privacy?
D
So I actually, honestly, don't think they're shifting that much. I think we've seen some of the really big players, Apple and Google are probably near the top of this, that have basically said, look, we're here to protect. And they focus on it in different places. I am going to use a Google web browser before I'm going to use an Apple web browser, because Google has focused differently in that area, and I think they're much better than Apple's going to be. But then we are using Facebook. And let's be honest, Facebook doesn't care about our privacy at all. And fundamentally, that's our challenge, which is people say they care about privacy, but then they make choices that make it very obvious that they will trade away their privacy for just about everything.
C
100%.
D
How many people went to use the Little Red Book app, Xiaohongshu, when TikTok was being shut down? But literally, they went to an app that is the Little Red Book run by the Communist Party of China. Come on. You voluntarily chose to hand your data over to a foreign government, not even a company. Like, people are demonstrating that this is not actually as important as they say. And that's the disconnect.
C
Do you think it's not important, Andy, or are they missing the point when they click on the terms and conditions of one? What they're accepting? And it's not that they don't value the privacy. They value convenience more.
D
Right, they value convenience more. But that function lets us say they're not valuing privacy, at least at the level of convenience.
A
But also take a look at the Cambridge Analytica case, in which privacy was so obliterated. But the thing is, if you looked at the web of how your data was shared, it was beyond anyone's human imagination. Like, what the heck? It's like, what the heck just happened here? It was like a privacy explosion. And I think the problem is it's so damn confusing that no one can really understand how their privacy is being abused.
D
So you can't understand how it's being abused. But at this point, I'm not going to give you the benefit of the doubt if you believe it's not being abused. First of all, we should acknowledge that everybody should say, yep, I know my privacy is being abused and I know who some of the big abusers are. When you demonstrate that, you will figure out how to deal with your privacy away from the big abusers. Now, the fact that there's this big explosion and those big abusers are still abusing your privacy even when you don't use them, completely different problem. Like here, you want my big pet peeve about privacy? The number of people who call my cell phone to sell me stuff. Let's just be clear. If you're listening to this podcast and you work for a vendor, your company should never call my cell phone ever. Unless I have a contractual relationship where.
A
I gave it to you. Girl Scout cookies.
D
I don't want the Girl Scouts calling my cell phone.
A
A little girl that's a neighbor of yours calls you to sell you Girl Scout cookies, you hanging up on her?
D
There's a good chance that I might.
C
I won't answer the phone because I don't have her in my contacts.
D
I don't have her. Right. But if a friend across the street.
A
You probably have the parents. She used the parents' phone. You know what, I don't think you want to be a neighbor of Andy.
D
But a friend across the street that I have a relationship with. Right. That's different. I've given you my phone number. No, what I get is people who are making phone calls to me or reaching out.
A
I know, I know, it's a big no. No.
D
They've just harvested me somewhere and said, oh, look, we think you're a perfect fit. I get this all the time. We think you're a perfect fit to invest in our late stage company in the non security world. Like really, you didn't even bother to leverage the privacy breaches. You should have. We publicly tell you what we invest in and yet you harvest my data and don't look at the public information. Sorry. My pet peeve.
A
I understand. I recognize it.
C
Hey, Andy. I promise never to call you unsolicited.
D
Awesome. Thanks, Mandy.
A
You're welcome. I promise Andy that if I want to solicit you, I'm going to call Mandy first and have her call you.
D
You're just going to slack me. We know how this works, David.
A
All right, that brings us to the end of this show. Mandy, you were fantastic. Thank you so, so much.
C
Thank you for having me.
A
Greatly appreciate it. Two months into the job.
C
Love it. It's going to be a ride.
A
How's it going?
C
It's going so great. I love when I have the opportunity to make change that really helps a company. And it's the semiconductor industry, so our customers are some of the most important players in that industry today. So I'm super excited to make sure that our customers know that we do protect their data.
A
That's awesome to hear. I want to thank our sponsor, by the way. That would be Vanta. Automate compliance. Manage risk, improve trust. Here's the key word: continuously. You want to do that yourself? Go to their website. That'd be vanta.com, v-a-n-t-a dot com, slash CISO. Make sure you add that slash CISO so they know you came from us, because then they continue to support us. And if you're going to support them, support us. All it takes is the /ciso at the end of vanta.com. Mandy, are you hiring over at Ultra Clean Technology?
C
Absolutely.
A
So just I'm assuming you have a jobs board over there.
C
Yes, yes, yes. Look at our careers and if could.
A
They contact you maybe through a LinkedIn? Not pick up their phone and call you, but contact through LinkedIn. Say, I heard you on the show, I heard you have job position. I'm very interested in this position. I would like to apply if you're.
C
Looking to work for a move in company. Absolutely. Get your do not call me.
A
Don't.
C
I won't answer because you're not in my contact.
A
Call Andy if you're interested in a job at Ultra Clean Technology because he will not be able to help one iota at all.
D
Not at all.
A
That'll be a wasted call.
D
But I probably have an automated response to send you.
A
By the way, Andy, I am doing an SKO very soon and my opening slide is to talk about your letter.
D
Do you know I now have three versions of it because I have one that says you've asked me for money as an investor. So here's the like, please go away.
A
No, but I am referencing your letter.
D
Yeah, right.
A
The vendor rebuff message at an SKO that I'm doing. Next week I'll be in SKO.
D
Yeah. I have a security vendor rebuff. I have a business vendor rebuff. And now I have a funding rebuff.
C
Yeah, Andy's definitely going to have to share that with me. I love it that way.
A
Well, you could just look it up. It's public.
D
Yeah. If you Google vendor rebuff, it's the first hit.
C
Vendor rebuff. I got it.
A
Yeah. Speaking of things that are first hits, I don't know if it's still there, but if you and I wrote this article, I'm going to say 25 years ago, if you type in improv sucks, I don't know if it's still there.
C
Are you doing this real time, David?
A
Yes, it is. It is at the top.
D
Improv sucks. You're the second hit.
A
For me, it's the second hit. It's also actually, I'm the first hit as well, because in that Reddit discussion they're talking about my article. But I wrote it because I used to write for Second City out of Chicago, and I worked as a standup comic, and I wrote this whole article about the Montague-Capulet rivalry between improv and standups. And it got a lot, a lot of attention way back when. Let me just say also, I don't believe a lot of the things I wrote back then today. So actually, maybe even 30 years ago, I wrote it a long, long time ago.
D
I love Second City. It's great. We took our kids there a couple years ago when we were doing college tours.
A
They had a whole corporate entertainment division, and we would have companies who wanted the Second City people to come perform, and I'd write some of the silly sketches that they would perform. I was not a performer myself. In fact, that's another thing. Type in David Spark improv and you'll see me doing a bit on stage about how much I suck at improv. That's because I'm not good at improv.
D
Oh, and Mandy, since you're within your first quarter of being a CISO there, you should check out my CISO 91 Day Guide.
A
Oh, yes.
C
Oh, it's 91 days. It's 90 plus 1.
D
91. To make it easier to Google. Well, because one quarter is 91 days.
A
Oh, I didn't know that.
D
So if you Google CISO 91 days, they're going to be the first hit.
A
All right, while everyone's Googling something, I'm gonna sign off and thank our entire audience. 'Cause can I tell you, you know what is hot death for a podcast? Listening to people Google stuff. Thank you, everybody. We greatly appreciate you contributing to the CISO Series Podcast. Send me some more "What's Worse?" scenarios, ones that are equal, so that I don't look like a fool when I say this is tough and Andy says that was easy. I look like a buffoon.
D
Au revoir.
A
Goodbye, everybody. Thank you for listening to the CISO.
B
Series Podcast. That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows: Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.
Air Date: April 22, 2025
Hosts: David Spark, Andy Ellis
Guest: Mandy Huth, SVP & CISO, Ultra Clean Technology
This episode tackles the hot-button issue of data minimization and why organizations are so hesitant to be transparent about what data they collect. The hosts and guest ask whether security awareness training is actually effective, weigh the pros and cons of cybersecurity apprenticeships, debate the root causes of security problems, and examine whether privacy can be a strategic business differentiator. The conversation is expert, light-hearted, and rich with real-world examples, making it worthwhile listening for practitioners and leaders in cybersecurity.
"Security awareness training is blind compliance. We do a thing because we're told to do it and it actively makes it worse... The problem is that our technologies are fundamentally bad."
"Employees are incentivized to only do their jobs. Security is an add-on, a bolt-on... If something bad happens and your business goes out of business, everybody loses. So why isn't security part of every single person's job?"
"It was a cron job that emailed people a link that said come here to click the button to say you got trained... because I know this is a waste of your time, so I'm gonna minimize the waste of time."
"Why don't we have a pipeline and spend that six to nine months training someone the way that we need them... it also takes intentionality that you have to have good teachers."
"The first thing you should do is commit to developing every member of your staff... Once you’ve committed to doing that, now it’s easier for you to take people in."
"Most places don't know how to teach people other than through adjacency osmosis. Fix that if you want to be a remote work establishment."
Dilemma:
"One is I have been owned for a year and the second is I need to improve my processes. I'm going to take improve my processes over being owned for a year."
"Incident commander is in charge. And if they've practiced and even if there are things missing..."
Ross Haleliuk's assertion: "There are only two sources of security issues: software bugs and configuration mistakes."
"The only source of security issues comes from a gap between expectation and implementation. The customer expects something and you have implemented something different."
"How do you stop the misdelivery of information from like a data exposure? Oops, I accidentally sent this to 50 people... I think they're missing the human piece of it."
"I have always felt that Apple will go to bat to protect my privacy... what companies in my mind need to really work towards... they don't communicate and act that way."
"People say they care about privacy, but then they make choices that make it very obvious that they will trade away their privacy for just about everything."
"It was like a privacy explosion. And I think the problem is it's so damn confusing that no one can really understand how their privacy is being abused."
"If you're listening to this podcast and you work for a vendor, your company should never call my cell phone ever. Unless I have a contractual relationship."
The episode underscores that real improvements in security come not from perfunctory training or siloed technical fixes, but from investing in technical controls, building robust pipelines for talent, and making privacy and security accessible and meaningful for everyone. Until organizations align incentives, simplify expectations, and communicate clear value to both users and boards, they will struggle to bridge these persistent gaps.
For past episodes, show notes, and participation options, visit cisoseries.com.