
This week's episode is hosted by David Spark, producer of CISO Series, and Dan Walsh, CISO, DataEvent. Joining them is our sponsored guest, Rob Allen, chief product officer, ThreatLocker. In this episode: When EDR gets knocked out. Red flags in vendor theater...
David Spark
Best Advice for a CISO, go listen.
Rob Allen
To the CISO series podcast. Tell other CISOs, spread the word.
David Spark
It's time to begin the CISO Series podcast.
Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the CISO Series, and it's so awesome. I'm thrilled to announce we have a guest co-host today who you probably know, his voice very well, because he's been on many times before. He is the CISO for DataEvent, none other than Dan Walsh. Dan, thank you so much for joining us.
Dan Walsh
It's great to be here today, David.
David Spark
Awesome. And by the way, for those who are not aware, Rob at the beginning, who I'll introduce in just a moment, mentioned the CISO Series, and you can find the CISO Series over at cisoseries.com. Kind of easy to find there. Also, if you type CISO Series in Google, it'll take you to cisoseries.com as well. You'll get there. Today's episode is sponsored by ThreatLocker. You know them as the Zero Trust Endpoint Protection platform. Well, we've got something new to tell you about: Defense Against Configurations. Pretty darn cool. That's coming up later in the show. But first, Dan, you brought up something off recording just moments ago, talking about how you're going into, and many other CISOs are going into, budgeting season. And I was interested to know what vendors should know about when you go into that. Because my thinking is they just want to hammer you at this time. What should they know?
Dan Walsh
Yeah, so while the vendors are going into, a lot of them are going into year end, right, and they're trying to get that last sale before close. I think what they need to know from a CISO point of view is we're evaluating how our current vendors are doing, how the current tools that we have are doing. We're evaluating feature creep. So when you purchase something on a multi-year deal, or even on a one-year deal, presumably that company is developing new features, and how do those features overlap with other vendors or tools in your portfolio? And so I think the big thing is to really come at it from a value proposition, like, here's how we can add value without necessarily increasing the price, and lead with value and not pricing, because if the value's there, then the CISOs will pay the price.
David Spark
Very, very good point. Good tip. All right, let's get into today's episode. Thrilled he's back. He gives me a hard time. We love him regardless, and he gave us a great plug at the very beginning of the show, but yet you're already listening to the CISO Series. It's none other than the chief product officer over at ThreatLocker, our sponsor guest, Rob Allen. Rob, thank you for joining us again.
Rob Allen
Most welcome. Dave, great to be here.
David Spark
Why has this topic suddenly become the center of attention?
What's your backup when EDR gets knocked out? The Register recently reported that at least a dozen ransomware gangs are now routinely using kernel-level EDR killers before deploying their payloads. Techniques range from abusing legitimate but vulnerable drivers to disable endpoint detection, to targeting specific vendors using hard-coded lists to disable kernel hooks. This sparked a conversation on the cybersecurity subreddit: if EDR is mitigated, does network telemetry remain the ultimate truth teller in cybersecurity? No matter how stealthy the malware, post-breach activity like lateral movement, command and control, and exfiltration must traverse the network. Threat actors can't execute these attacks without generating network telemetry. So I'll ask you, Dan, first: if ransomware crews can routinely disable your primary detection layer, EDR, what's your backup plan?
Dan Walsh
Well, I don't know if "routine" is maybe the right way to describe it, but the fact is that it is a very real threat.
David Spark
Good point. It is a real threat. Yeah. It's not like it's happening routinely, because if it was routine, then there'd be no point in having an EDR.
Dan Walsh
Right. But I think beyond that, I think there's a couple of things. I think, one, defense in depth is more than just a catchphrase or a slogan. These EDR bypasses are real, and so they're no longer theoretical. So what that means is we have to layer technical controls, so if one fails, we don't have a complete, total disaster. I do think network telemetry is extraordinarily critical, but, you know, obviously now it's not necessarily sufficient on its own. And so what does that mean? Well, it means we have to look at some of the other layers that are at play here. So things like identity, right? What's your IAM game? What kind of IAM events? Are there any MFA bypasses that are occurring? What about any sort of Kerberos anomalies, if that's in play? And then I think, what about resilience-oriented controls? So things like immutable backups, rapid restore capabilities, so even if detection fails, we can recover and be successful with that. And then I think the other thing is you have to harden your EDR. It's not set it and forget it, as much as we would like that to be. And so where there's vulnerable drivers, making sure that you're blocking those, and you're having multiple endpoint layers, where you're having maybe application allow listing or something like that. So I think those are some of the things that you can do. Again, with security, it's never set it and forget it. And I think just making sure that security leaders and security operators keep that at the forefront of their mind.
David Spark
So I'm going to toss this to you, Rob, pretty much kind of the same question. I mean, EDR has failed before, but like anything in cybersecurity, all security defenses at one time do fail. And that's why we have defense in depth as well. What are the other mitigation points you think of for when EDR essentially can be bypassed?
Rob Allen
Well, first of all, just to absolutely agree with everything Dan said. I mean, really, I couldn't have put it better myself. Layered security is important. And the other part about layers is layers should be different. They shouldn't be the same type of layers. We've spoken to organizations, and I know of organizations, that have layers of EDRs, for example, fundamentally all looking for the same known bad things and very often falling over each other when they do actually find them. So, different types of layers. So one thing that we espouse is both detection but also controls. So as Dan mentioned, allow listing. Allow listing is a perfect example of a control. It's blocking things from running that shouldn't be allowed to run. Combine that with detection. So if somebody's trying to run something they shouldn't be able to run, you get alerted about it. And that's a really good example of a well-balanced security posture, a well-balanced security stack. So as I said, basically everything that Dan said makes perfect sense. But there are other ways that EDRs can fail. So obviously this is one example where they're actually going after the EDRs to try and stop them and shut them down. There are other ways that detection can fail, so zero days, things that have never been seen before. There are also ways that EDRs fail where they're failing to detect the bad things, because one of the problems with detection is you pretty much need to know all of the bad things in order to be able to block them. So again, that's another method of, I suppose you could call it, EDR failure. It's just bypassing an EDR because it doesn't know that this thing is bad, so how can it block it? So again, it comes back to why layers are super important when it comes to protection.
David Spark
Will we really ever achieve zero trust?
If it makes too much sense? That's the Marwaris saying. Raghav Dinesh of IBM recently shared on LinkedIn, arguing that when vendor pitches feel too perfect, you've found your red flag. He outlined the psychology of influence in cybersecurity sales. You probably know the techniques even if you can't name them: the 90% true pitch, charisma masking contradictions, and the breathless claim that, quote, "I fought for you," with no proof to back it up. Why don't we apply zero trust to vendor pitches? A vendor who can't explain their solution's limitations, and by the way, we hear this all the time from CISOs, that they want to know a solution's limitations, but a vendor who can't explain their solution's limitations probably doesn't understand them either. We all have seen our fair share of vendor red flags, but what are the questions we should be asking? And I'll ask you, Rob: should every vendor be prepared to answer them? And I'm going to just give you kudos first before you even answer, Rob. You've been good at dealing with some of the super tough questions that I've seen CISOs throw your way.
Rob Allen
Well, I was going to also say thank you for throwing the question that beats up on vendors to the vendor.
David Spark
I'm throwing it to you first. No, but, no, I'm giving you kudos because I have seen you handle really, really tough questions very well. And the thing is, no one product can do it.
Rob Allen
All right, well, as we just discussed, as we said a moment ago, no one approach is the only true successful approach. It requires different solutions, it requires different approaches. So it's detection, it's protection, and we may speak about this a little bit later, it's configuration. Ensuring that your configurations are straight and correct is a large part of it as well. I mean, it is a really good point about if a vendor doesn't understand their own limitations, then that's a problem. Because realistically, if you don't understand your limitations, then fundamentally the bad guys are going to figure out your limitations and they're going to exploit those limitations. So absolutely. And again, look, a lot of it's about knowing where potential weak spots are. I mean, one of the things that gives me great joy is we often have customers of ours who are subjected to penetration tests. That is incredibly valuable information for us to get back. I got a message from a very good customer yesterday, basically saying this organization had been subjected to a penetration test, and the penetration testers were amazed that this was the only environment where they weren't actually able to drop and execute the things that they were trying to do. That kind of feedback is incredibly useful and incredibly valuable. But to be honest, what's even more useful and more valuable is when they actually say to us, hey, look, we found this way in. We managed to get around the protections that you're offering by doing X, Y and Z. That kind of information, from our perspective, is absolutely gold, because it tells us the holes that we need to fill. But yeah, it's an absolutely valid point that if the vendor themselves doesn't understand the limitations and the approach of the products that they have, then it is a pretty big red flag.
David Spark
That is a pretty big red flag. But I would also throw out, and this is what we heard from CISOs, and I'll talk to you, Dan, on this: admitting to your limitations is the thing that actually builds trust, not the fact that you can do it all. Would you agree with that, Dan?
Dan Walsh
100%. I mean, we just got done talking about how defense in depth has to be more than a slogan. And that applies to tools, because no one tool is going to cover every layer, every domain, every aspect of the program. So I think a really good vendor understands where their tool is strong and what other strong tools it can be a complement with. So yeah, I mean, there's no such thing as a silver bullet. And I think admitting that, and then having a critical understanding of how your product fits into the rest of what the security team and the CISO are trying to deal with, makes you a trusted partner, not just someone who's trying to sell some software.
David Spark
Hey, just a little break to tell you what else is going on on the CISO Series. On our show Security You Should Know, the fastest way to learn about brand new security solutions, you'll find "Turning trust into a growth engine" with SafeBase. And our latest episode of Defense in Depth is a great one: what soft skills do you need in cyber? We go through the details of what works best for cybersecurity professionals. Check it all out at cisoseries.com. Before I go on any further, let me tell you about something brand new from ThreatLocker, and that's Defense Against Configurations. It delivers clear visibility into system risks by continuously scanning endpoints, built directly into the ThreatLocker agent. It identifies misconfigurations, weak firewall rules, risky USB permissions, and default Windows settings that weaken your defenses, so you can address them before they're exploited. Findings are also mapped against compliance frameworks including NIST, CIS, HIPAA, and ISO 27001, with actionable remediation guidance to simplify security hardening and audit preparation. The platform updates daily, providing administrators with the most current view of their environment without added performance impact, additional agents, or complex integrations. By consolidating configuration risks into a single dashboard, ThreatLocker Defense Against Configurations streamlines compliance, reduces attack surfaces, and strengthens overall security posture. You can see how ThreatLocker makes it easier to secure and maintain a compliant environment. Go to their website, threatlocker.com/CISO. Now add that CISO so they know that you heard about them from the CISO Series. Remember, threatlocker.com/CISO.
It's time to play What's Worse?
All right, both of you have played this game many times before, so I'm just going to throw it. I throw it to Dan first. Here is the scenario. It comes from Azrin Bogovitz of Generic, and here's the setup. And I'll give you the two What's Worse scenarios. The setup is: you are the CISO of a global company. You find out that different business units, like marketing and engineering, have created their own cloud subscriptions for sandbox use. Some have security tools, some do not. Now a few hosts are already compromised, and the teams act surprised and unaware of the risks. Here are your two scenarios. Scenario number one: you pause all new cloud provisioning and tell the teams that they must stop and go back to deploy the required security tools. This upsets the business and puts security in the middle of friction. Okay. Or scenario two: you let the teams continue to provision but ask them to submit mitigation plans. The problem is they have not been replying to your emails or attending your meetings. Dan, which one is worse?
Dan Walsh
Probably number two.
David Spark
And why is that?
Dan Walsh
Well, I think one of the questions that wasn't answered, one of the pieces of context that was missing, was: what is the data that is actually being compromised?
David Spark
Oh yeah, let's just assume there's some sensitive data in there.
Dan Walsh
So it's sensitive data. I would say number two is worse.
David Spark
So number one, creating the friction and making everyone angry with you is not worse.
Dan Walsh
Not when it comes to the sensitive data, I don't think. Especially, I think data is trust, right? And if customers are putting their data with you, and also, along with it, their trust, that's really the mission of the company in a lot of ways. And so I think that is one place where I think it's okay for security to have a little friction.
David Spark
All right, but the second scenario, where they're ignoring you flat out, this isn't working.
Dan Walsh
Yeah, that's not working at all. Because again, especially if there's regulatory implications, like, let's say you're violating GDPR or you're violating HIPAA, you know, in a very bad way, timing is everything. And addressing this swiftly and in a responsible manner is everything.
David Spark
All right, I throw this to you, Rob. Do you agree or disagree? Which scenario is worse?
Rob Allen
Once again, I wholeheartedly agree. Dan has pretty much laid it out. What I would say is they're not replying, they're not responding. Screw those guys. I mean, that's just rude, apart from anything else. But again, for all the reasons Dan outlined, even leaving aside potential violations of things like HIPAA and GDPR, the fact is, I mean, first and foremost, you probably shouldn't allow people to spin up random things in random pieces of the cloud. So there's.
David Spark
Well, they were initially in sandbox environments that, essentially, like in Jurassic Park, found a way.
Rob Allen
Again, they didn't reply, they didn't communicate. Screw those guys. Deploy the tools, apply security.
David Spark
So it looks like you're gonna get friction in any case.
Rob Allen
Well, probably. But if they complain, then just say, you should have answered my emails. You should have replied when I contacted you beforehand.
David Spark
But the way you're playing this, scenarios 1 and 2 are gonna become equal, because you're gonna infuriate the business.
Dan Walsh
I always do it with a smile, David. Just do it with a smile. And by the way, by the way, brakes on a car cause friction as well, and we all like brakes, so.
Rob Allen
Agreed.
David Spark
Please, enough. No more.
Today's topic: configuration management. So, Dan, I'm going to ask you the simple question of what have you heard enough about with configuration management? And what would you like to hear a lot more of?
Dan Walsh
So one, and this is Grumpy.
David Spark
Dan, our favorite Dan, by the way.
Dan Walsh
I feel like Grumpy Dan would say, every time my team notices a gap with a new tool that we buy, their response is, "we didn't configure it right." And my response to that is, well, we need a little more guidance, because you just sold us this amazing tool, so illuminate us in the ways of configuration. So I think that's one that I'm just tired of hearing about. I think what I would like to hear more of, and I think this is where AI and all the promises and hopes and dreams that people have in that can really help, is assessing and evaluating how an organization should configure something, given their context, their environment, what's important to them. And I think vendors leaning into that, to make their tool more effective and more governable and more manageable, is something that I think has a lot of opportunity.
David Spark
All right, I throw the same question to you, Rob, and I know, by the way, ThreatLocker is most recently playing in the configuration management game. What have you heard enough about with configuration management? And what would you like to hear a lot more of?
Rob Allen
Well, Dan actually made a really good point. There's a couple of ways of looking at this. So configuration of tools is absolutely an important aspect to be considered. So again, there's no point in selling a tool to somebody when they have no idea how to use it, and they don't configure it properly, and then they get breached as a result of that. So our assistance and handholding in setting up tools is extremely important. But there's also general configurations, shall we say, within an environment, things that can be exploited or are exploitable. I was actually in Brazil recently at a Gartner event, and one of the slides that the Gartner gentleman had was that 61% of security leaders have suffered a breach because of failed or misconfigured controls in the last 12 months. 61% in the last 12 months because of failed or misconfigured controls. So one of the things that we've recently announced is a tool called DAC, Defense Against Configurations. And it's basically running a series of checks. I think at this point it's about 100 checks. Ultimately it'd be about 170 checks on every machine that has a ThreatLocker agent installed, checking for common misconfigurations, things that could be done differently, things that could be done better, mapping it against various frameworks. So we mentioned GDPR, we mentioned HIPAA. It's not always an easy thing to say, well, look, okay, we tick this box. But do you really tick that box? The likelihood is, on some machines or part of your environment, you may not. You may think you do, but you may not. So that's what Defense Against Configurations gives you. It's an actual check to make sure that the controls and the configurations that you think you have in place are actually in place on every asset within your environment.
David Spark
So let me try to understand this tool a little bit better. What is it you're asking the tool, and how does the tool actually know? I guess is my question.
Rob Allen
Well, I mean, fundamentally we're running on machines, so we can check the configuration of those machines. So "is RDP allowed from the Internet?", for example, is an example of a very basic check. If it is, is it encrypted? That kind of thing. But as I said, there's 170 different checks. Things like, can MSHTA run on a machine? I mean, that's something that we've seen commonly exploited. I mean, another thing that's been quite publicly exploited recently is Microsoft's Quick Assist. So Quick Assist is something that's built into Windows, but it's something that attackers are leveraging because they know it's built into Windows. So in quite a number of the social engineering attacks that are being perpetrated at the moment, they will ring up: I'm from the IT department, I want you to open up Quick Assist and pop in this password for me, or pop in this code for me. Again, your average user isn't necessarily prepared for that. The fact that they're just running Quick Assist, something that's built into Windows, is not going to set off any alarm bells or triggers, but it could very easily give an attacker access to an environment. So again, these are just examples of things that could be configured better. Maybe you want to block Quick Assist out of the box. Obviously it's something that you can do with allow listing, but as I said, it's not just that. That's one or two examples. There's 170 different checks. They're mapped against different compliance frameworks. So it basically tests those things that you may be saying you do, but you don't actually know if you're doing.
David Spark
Now, I don't know if this is in version one or planned for version two, version three, but Dan alluded to hoping AI could guide us the right way. Now, you could ask the obvious questions of "is this hard drive encrypted?" or whatever, you know, certain things like that that are known. But if you don't know what new attacks are, and new configurations needed to deal with those attacks, maybe others are dealing with them. Is there a way to learn from the community, to advise others as well?
Rob Allen
Well, as I said, a lot of what we're doing with these checks is mapping them against various frameworks. So obviously frameworks are updated over time, they're changed. New recommendations, I suppose, come along. But yeah, it's not just frameworks, it's obviously things that we are aware of.
David Spark
Well, it could also be threat intelligence as well.
Rob Allen
Correct. And as I said, the likes of Quick Assist, the likes of blocking MSHTA to stop HTA files, which again are a very common method of attack these days. Those are things that, I suppose, we know about, that we can fix, so we can suggest solutions to them. So look, you can set up a policy. Here's a community policy. Just click on download and it'll be applied to your environment straight away. So it's not only about telling you where the holes are, it's also, by extension, explaining why these holes are important and how you fix them, how you can have a solution to them. Now, they may not always be ThreatLocker-related solutions. It might not be something you can fix with a policy within ThreatLocker, but at least we'll tell you what it is, why it's important, and how you can fix it.
David Spark
Are we creating more problems?
Car buyers get to see a window sticker when making purchase decisions. Software buyers could benefit from their own window sticker. This was what Adam Isles recently explored in a blog post for Lawfare: can we create crash test ratings for code? The proposed, quote, "sticker" would combine process attestations like threat modeling, pen testing, and security feature inventories into a single view. But this sounds suspiciously like what SBOMs, software bills of materials, and security questionnaires were supposed to deliver. And we all know how well those work out with point-in-time assessments. So Dan, I'll ask you, is there any way that this could be anything other than just another layer of compliance theater? And who's going to analyze all this data when CISOs are already drowning in vendor documentation? I mean, it sounds great. We'd love a sticker. How easy is this to pull off?
Dan Walsh
Yeah, I mean, everyone loves stickers. I think that it's.
David Spark
Even kids. I would say even kids.
Dan Walsh
Yeah, I like stickers. No, but I would say, yeah, I think it's the exact same downfall as an SBOM. And what I would say is car stickers are great. They sort of tell you what the features are, but they don't necessarily tell you how resilient the car is going to be. And most people are trading in cars inside of five years. And so a lot of these technologies, some of them are lasting for decades. And I would also say that there aren't active things that are popping up every day trying to destroy the car. So I think that analogy falls a bit short because of the nature of technology, how it evolves, the nature of the threat environment, new vulnerabilities. So I think it's a much more complex scenario. But I do like the intention of it.
David Spark
Yeah, I mean, I think that goes back to SBOMs, Rob. I mean, everyone loves the idea of it. It's just the execution, isn't it?
Rob Allen
I have a confession to make, David. That is, I'd never heard of an SBOM.
David Spark
Really? Okay. A man as smart as you.
Rob Allen
I mean, it sounds fun. I mean, I like it as a phrase or a word, but I had never heard of an SBOM before.
David Spark
Well, it's essentially this idea of the window sticker, a software bill of materials. The idea is, when you buy software, like you would see, not just like ingredients on a package of any good, you would see the materials that are in it, the food stuff that's in it, the software components. Yeah, yeah. And it's required.
Rob Allen
Yeah, absolutely. Can I just say as well, by the way, the phrase "compliance theater" I think is tremendous. I mean, I think there's a big opportunity there for somebody who wants to go and take it, which is to actually do compliance theater. "GDPR on Mast" or something, I think, would be really, really cool as well. So, yeah, anyway, that's somebody's million-dollar idea. Go take it, run with it. But yeah, I thought "compliance theater" was excellent as well. But no, again, it's a valid point. I mean, one of the things that we struggle with, and one of the things we have to do, is we have questionnaires coming out the wazoo from various organizations, effectively ticking boxes. Can you do this? Can you help with that? Can you do this? And it is something that is a constant challenge from the vendor perspective as well. So yeah, one thing I would say, by the way, and again, the more observant of the listeners may have noticed that I'm not actually from this part of the world. I was never familiar with window stickers until quite recently. And one thing that I noticed on window stickers in the USA, correct me if I'm wrong here, but the one thing they don't have on them is the price. And that would strike me as being a pretty important detail.
David Spark
Don't they have the price? I think they had the MSRP on there.
Rob Allen
Maybe I've been going to the wrong garages, because in any ones I've been to, the one thing that is noticeably missing from window stickers here is prices. But anyway, I digress. Yeah, it's a valid point and something that certainly could be improved upon. And again, one thing that we're trying to do is we're trying to build repositories of all the information, all the questions that people are going to ask. So rather than having 100 different questionnaires and trying to fill them out a hundred different ways, just having all that information available to our people enables them to better answer people's questions.
David Spark
Well, that brings us to the very end of the show. A huge thanks to our sponsor, and that would be ThreatLocker. Remember, to learn about their great new tool, Defense Against Configurations, go to their website, threatlocker.com/CISO. Remember, add that CISO, because that's the way you let them know that you heard about them from the CISO Series. Again, that's threatlocker.com/CISO. And huge thanks to both of you, Rob Allen and Dan Walsh, for joining us. Let me ask you first, Dan, are you hiring over there at DataEvent?
Dan Walsh
We are. We're looking for some cloud security and application security folks. So head on over to the DataEvent careers page and please apply.
David Spark
And Rob Allen, as I know you said before, ThreatLocker is never not hiring. Is that true?
Rob Allen
100% correct. We are never not hiring.
David Spark
Yes. And it's almost all in Orlando, correct?
Rob Allen
Mostly in Orlando, yeah. We've got operations in Dublin, in Ireland; in Dubai, in the Middle East; and also in, I believe, Brisbane in Australia. And we're hiring pretty much everywhere, but, yeah, pretty much worldwide, but headquartered here in Orlando.
David Spark
While I was at their Zero Trust World event, I met many of the employees there, and it seems like a super fun place to work.
Rob Allen
It certainly is.
David Spark
Well, thank you very much, Rob. Thank you very much, Dan. And to our audience, we greatly appreciate your contributions and listening to the CISO Series podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows: Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Episode: Dear Abby: Why Should I Trust a Vendor Selling Me Zero Trust?
Air Date: October 21, 2025
Host(s): David Spark, Mike Johnson, Andy Ellis (not present in this episode)
Guest Co-Host: Dan Walsh (CISO, DataEvent)
Special Guest: Rob Allen (Chief Product Officer, ThreatLocker)
This episode centers on the challenges CISOs face when evaluating security vendors—especially those offering "Zero Trust" solutions. The conversation explores what security leaders should demand from vendors, the pitfalls of vendor over-promises, building layered security defenses, configuration management best practices, and the ongoing tension between business needs and security imperatives.
| Topic / Segment | Speaker(s) | Timestamp |
|---|---|---|
| Budgeting season, vendor advice | Dan Walsh | 01:38 |
| Ransomware disables EDR: defense-in-depth | Dan Walsh, Rob Allen | 03:49–07:30 |
| Red flags in Zero Trust vendor pitches | Rob Allen | 08:49 |
| Building trust by admitting tool limitations | Dan Walsh | 11:07 |
| What's Worse? game (cloud security chaos) | Dan Walsh, Rob Allen | 13:49–17:22 |
| Configuration management: what needs to change | Dan Walsh, Rob Allen | 17:43–23:36 |
| Window stickers / "compliance theater" for software | Dan Walsh, Rob Allen | 23:42–27:59 |
This episode delivers practical insights for CISOs and security leaders—especially about holding vendors accountable, building real defense in depth, and fostering honest dialogue about limitations and configuration. The panel underscores that real security requires ongoing diligence, not just slogans or checklists, and that sometimes necessary friction with the business is a sign security is being taken seriously. Vendors who align with this reality are the ones CISOs will trust.
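The configuration checks Rob describes in the episode (is RDP reachable from outside, can mshta.exe run, is Quick Assist installed) and Dan's point about blocking vulnerable drivers before an EDR killer loads them are the kind of thing an administrator can verify by hand on a single host. The script below is an added illustration for this page, not ThreatLocker's Defense Against Configurations or any other vendor code, and it does not reproduce that product's check list. It assumes the standard Windows locations for each setting (the Terminal Server and CI\Config registry values, the "Remote Desktop" firewall rule group, the MicrosoftCorporationII.QuickAssist Store package and App.Support.QuickAssist capability); those are assumptions to confirm against your own build, and the pass/fail thresholds are the author's, not a framework's.

```powershell
# Added example, not ThreatLocker code: a read-only audit of four endpoint
# settings discussed in the episode. Run in an elevated PowerShell on Windows.
# Assumptions (verify on your build): registry paths, the "Remote Desktop"
# firewall rule group, and the Quick Assist package/capability names below.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. RDP: enabled at all? If so, is Network Level Authentication required, and
#    does any enabled inbound Remote Desktop rule accept connections from 'Any'
#    remote address (i.e. reachable from every network the host sits on)?
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
Add-Finding 'RDP disabled' (-not $rdpEnabled) "fDenyTSConnections=$($ts.fDenyTSConnections)"

if ($rdpEnabled) {
    $nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
            -ErrorAction SilentlyContinue).UserAuthentication
    Add-Finding 'RDP requires NLA' ($nla -eq 1) "UserAuthentication=$nla"

    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True `
                    -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    Add-Finding 'RDP inbound rule scoped to specific addresses' (-not $openRules) `
        "rules open to Any: $(@($openRules).Count)"
}

# 2. mshta.exe: present on disk, and does the effective AppLocker policy let an
#    ordinary user run it? Test-AppLockerPolicy returns one decision per path;
#    with no AppLocker policy at all the pipeline yields nothing and this fails.
$mshta = Join-Path $env:windir 'System32\mshta.exe'
if (Test-Path $mshta) {
    $decision = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue |
        Test-AppLockerPolicy -Path $mshta -User Everyone -ErrorAction SilentlyContinue
    Add-Finding 'mshta.exe denied by AppLocker' ($decision.PolicyDecision -eq 'Denied') `
        "decision: $($decision.PolicyDecision)"
} else {
    Add-Finding 'mshta.exe denied by AppLocker' $true 'mshta.exe not present'
}

# 3. Quick Assist: installed as a Store package (newer builds) or as an
#    optional Windows capability (older builds)?
$qaPkg = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
$qaCap = Get-WindowsCapability -Online -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }
Add-Finding 'Quick Assist not installed' (-not $qaPkg -and -not $qaCap) `
    "package: $([bool]$qaPkg), capability: $([bool]$qaCap)"

# 4. Microsoft's vulnerable driver blocklist, which covers the signed-but-
#    exploitable driver families BYOVD EDR killers load. Assumption: the
#    documented switch is this CI\Config value (1 = enforced).
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
Add-Finding 'Vulnerable driver blocklist enabled' ($ci.VulnerableDriverBlocklistEnable -eq 1) `
    "VulnerableDriverBlocklistEnable=$($ci.VulnerableDriverBlocklistEnable)"

$findings | Format-Table -AutoSize
```

Each check is a read of existing state, so the script can run under a normal change-control window; it changes nothing. Treat a "Pass = False" row as a question, not a verdict: the firewall check, for example, only says an RDP rule is open to any address, not that the host is actually exposed to the Internet, which depends on the network in front of it, and an AppLocker "Denied" result means nothing if AppLocker enforcement is itself off.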
For further information, visit cisoseries.com.