
All links and images can be found on This week’s episode is hosted by , producer of CISO Series and (), principal of Duha. Joining them is , CISO, . In this episode: AI security's blind spot problem Vendors don't understand the...
A
Before we begin today's episode, let me tell you about what else is happening on the CISO Series. On Security You Should Know, the best and fastest way to learn about new solutions, we've got tackling misconfigurations with ThreatLocker. Yeah, a cool new tool they have called Defense Against Configurations. And over on Defense in Depth: data governance in the age of AI. Do we follow the same plan, or do we need to essentially create a new plan for data governance with all the influx of AI data? All of that is available on CISOseries.com. To subscribe, go to CISOseries.com/subscribe.
B
Best advice I ever got in security.
C
Go. So the best advice I got for security is, when you start a new job as a CISO, to adapt to the organizational culture, but not at any price. It means that you need to be aware of where your boundaries are and to ensure that they're not being crossed, even if it means you need to pull the organization a bit towards you.
B
It's time to begin the CISO Series podcast.
A
Welcome to the CISO Series podcast. My name is David Spark. I'm the producer of the CISO series and joining me as my co host, it's the principal over at Duha, none other than Andy Ellis. Andy, say hello to the audience.
D
Good afternoon folks. Or depending on when you are in the world, good morning, good evening or good night.
A
And what language is that in?
D
That would be American English.
A
How would you do it in European?
D
Had I gone with the Queen's English, it might have been like, good afternoon, Governor. A little Mary Poppins English for you.
A
There you go.
D
I mean, I guess I could have done, given that we had Daniel here, you know, Achar Hatzaren tovim. But then I always have to remember what the right transition sentence is for when you are in the world, and I have to go look that up in Hebrew.
A
We're available over at CISOseries.com, where you can find all of our wonderful programming, if you are not checking that out already. Our sponsor today is Material Security: Secure what your business is made of. Material is a unified detection and response platform for Google Workspace and Microsoft 365. More about just that a little bit later in the show. Andy, we were talking about swag hunting moments ago, and I want to know: what is the one or two pieces of company swag, not from a vendor that you've ever worked with, that you have and you really like and you still have?
D
So the first one is actually going to be from Guardent, who was an MSSP a long time ago in the Boston area. They gave out a little guard dog. Looked like a little Rottweiler or something. But the underside of it was felt, for wiping your laptop monitor.
A
Ooh, that's a good idea. I like that.
D
And so I've had that one, I want to say, almost 20 years now. That one wanders around with me. I've still got it. And then currently, and this is one of the pieces of swag that is everywhere and ever useful, is charging banks, because the standard of, like, how much power you can get out of one keeps going. So the current one I've got is, I think, from the CyberEdge Group. It basically slaps onto the back of my iPhone and charges it. Picked that up, I think, at CyberMarketingCon last year. You know what?
A
The pieces of swag that I still have and I really enjoy are simple, adaptable screwdrivers, where they change to Phillips head or flathead or different sizes. Because I've actually gotten one at a show and used it to fix my gear on the spot. So it was amazing.
D
I do have one of those, but I have one from Akamai. Our network engineering team made them for all of the network engineers, and I got one, and it's great. It's the Swiss Army knife that was focused on network engineers, with all of the adapters for the small screwdrivers that most people don't have.
A
Yeah. And I have one that's kind of a small set. I have one that's like a real kind of heavy duty. And all it is is a Phillips head and a flathead that you flip over. And I use them both all the time.
D
Yeah, no, you get some great swag, but you can also get some really cheap stuff.
A
Understood. Let's bring on our guest, because we're not just talking about swag this whole time. Very thrilled that he is on, and he's all the way from Israel. Thrilled. It is the CISO over at Monday.com, Daniel Lieber. Daniel, thanks so much for joining us.
C
Thank you, David. Thank you, Andy, for having me as well.
B
What about this AI security challenge?
A
Well, most tools aren't fully equipped to scan AI models or prompts for malicious code, and attackers are already exploiting that gap. Now, that's Brian Fox from Sonatype, as quoted in a recent CSO Online article, not mincing words on why AI sprawl is security's nightmare. AI models are essentially black boxes stored in formats most security tools can't read. Traditional dependency scanners, code reviews and vulnerability assessments weren't designed for assets that are fundamentally unscannable, let alone the scale of staff that can now vibe code their way into a security incident. So, Andy, I'm starting with you. When malicious code can hide inside a file masquerading as an AI model, and prompt-sharing platforms are being weaponized to steal API keys, how do you secure what you literally cannot see?
D
So I think this is an awesome challenge that we're all going to face. But first we have to understand it is a new challenge. I was talking to a founder yesterday in the AI security space, talking about MCP, the Model Context Protocol, which I'll be honest, like, I didn't really grasp as well as I should have. And he basically said, look, it's like walking into a Chinese restaurant and being handed a menu. You don't just get to order what's on the menu; the menu is a hint for you. And that's all that MCP is: this idea that an LLM sits in front of an API and explains the API to you, and then you have an LLM in front of your client that says, hey, here's what I want. And your LLMs talk to each other. But the problem is the LLMs can do anything. They're not tightly bound by the API. And in a sense, this is the same transition we went through when we went to general-purpose computers. If you remember, electronics used to have everything in firmware. You did exactly one thing, and if it didn't do it well, well, you were kind of stuck. There were no easy upgrades. And then we went to general-purpose computers, and the world of security exploded, because we went from trying to solve a specific problem to having this omnicapable computer that could do anything and might do everything. And I think we're just hitting that again, which is we've gone from APIs that were very tightly defined, where we tried to make sure that the API itself wasn't broken, to now we've replaced the APIs with general-purpose LLMs, and you have to sort of apply the same principles. How do you prevent the LLM from doing things it's not supposed to do? Like, does the LLM have control over keys? And if so, why? Why does it need to have access to keying material, in the same way that you don't necessarily give your web application server access to keying material? That's often handled off board that system.
I think that's what we have to think about is new design paradigms that tightly control these Agents, whether it's MCP or something else, so that it can act in this general purpose way, but constrained.
A
So we talk a lot about guardrails, but this seems like a really complicated guardrail to define and create. Daniel?
C
Yeah, I mean, it's quite difficult to define where we would actually need to implement controls. And I assume that every security team is having the discussion about what do we do about AI. Actually, we had a discussion about this recently, and we tried to break it down into, let's say, three different categories on how we approach AI security. So the first one is the easy one. It's more of the same, meaning the principle is quite known, or also currently covering new scope by AI, for example SaaS security. Okay, so now we have AI tools. That's easy. The other one is on the other side, and that's where you need, like, heavy expertise. I think you just said in the beginning about model poisoning and doing something which is more about data science, that requires significant training and expertise, which is usually being outsourced. I think that's going to stay the same. Now what's in the middle is all the new domains which are about AI that you need to think about. And I think this comes with a plethora of new vendors that try to hook on these new things. For example, agent security, which is now becoming a topic, and it's really just trying to break it down into different areas and what you need to do. I think the main problem is that in this specific section, what used to be an easy way to distinguish in the past, you had the perimeter by network, and then the cloud came in. And now everything is connected. I mean, not just IoT phrasing, but really everything is connected. And it's becoming very difficult to define the roles and responsibilities about who should protect what, because code is now with infrastructure and agents and cloud. So it's becoming a mess. I think the key point is to untangle this and create a vision before you start acting.
B
How can we improve this pitch?
A
Why are cybersecurity companies so terrible at explaining what they do? That was Patrick Garrity of VulnCheck's takeaway at Black Hat, where he found more word salad than substance. It turns out customers don't care if you're first, autonomous, automated, agentless, agentic or AI-powered. They care about what problem you solve and whether you solve it well. We've become so obsessed with buzzwords and technical differentiators that we've forgotten to lead with the actual pain point. I would agree. I mean, they used to be really, really good at that, and now not so much. So I'll start with you, Daniel. What makes a security pitch land versus crash and burn?
C
Oh, that's a strong one. I actually had an interesting discussion about it this week with an SDR who does cold calling. So I actually sat down and explained to him what I expect. So I told him, I mean, first of all it's about how to approach, but the two main things I told him were that they need to understand the problem. They usually come in and say what the solution is without understanding the problem. And this is mostly for sales guys that come in with a strong sales background, but usually with a very, very weak to non-existing technical background. So when you start to discuss with them, they have no idea why you reject them, and it's very hard to explain to them. And among those that do have technical expertise, and that's point number two, they usually are unable to differentiate what would make their product succeed and others fail, or vice versa. For example, if I have, let's say, a strong Mac-dominated organization with endpoints, and you try to sell me an endpoint solution that is strong with Windows but not with Mac, then obviously you should know in advance to ask me about this, and that it probably won't succeed. But they could be kind of, I want to say ignorant, but they're kind of oblivious to this criteria, to be honest.
A
All right, Andy, I'm going to guess you have one, maybe two opinions on this subject.
D
Oh, I have so many opinions.
A
By the way, just to set everybody up: at Black Hat, Andy was literally writing down all the copy that he saw on the signs in the booths. And you wrote up a massive amount on this. And actually we can link to this in this episode on the blog post, but go ahead, Andy.
D
Yeah, so 34 of the 359 vendors that I got data on at Black Hat said that they were the first, the only, the 100%, like, superlatives. So 10% of the vendors claimed to be the outlier. I will tell you, 20% of the vendors, I have no idea what they actually did, because their booths either said nothing or they were trick or treat. They're Halloween themed.
A
Some of them actually do have candy. So you could trick or treat.
D
They have candy. No, but you trick or treat for swag. But there were a handful of vendors that it was more about the booth design than it was about the company.
A
And that's true. I've seen there was one that was built like a high school locker room that I thought was quite entertaining.
D
There was a high school locker room. Zafran was the high school locker room. Rapid7 had the bar, the saloon. Torq had the big giant truck. Sorry to call out a bunch of vendors here, but I think what happens.
A
By the way, I just want to say that's not that bad. I mean, that's a kudos to the design company that brought it in.
D
Maybe that's what you wanted. Maybe that draws in what you're looking for. But I will say that one of the biggest challenges you end up with here is you're actually catering to other marketing professionals rather than the buyer. Or you have great swag and you're catering to the people who just want to do swag collecting. Like, if you want to be amazed, go walk outside the show floor right as it closes on the last day and look at how many people are walking out with, like, two or three bags, because they walk around to the booths and they're like, what do you not want to take home, by the way? And they're just collecting piles of stuff.
A
Can I just say, like, if I hired someone and paid for them to fly out there, go to the hotel, not working in the office, and they come back with $5 swag, a bag of it, I'd be furious.
D
Well, they're not going to tell you they did that, David. Come on.
A
No, but you would see it on their desk eventually, or they're taking it.
D
To their kids or they're doing something with it. Who knows?
A
Yeah, I know. I must say that. I must say that when I saw a stuffed animal, I would bring them back to my kids. Yes, that's always fun.
D
Right? So I think, to Daniel's point, you have to actually understand what truths the buyer needs to believe before they're going to buy from you, and do your truths match theirs? And so I have what I call the nine truths model. It's really simple. Do they have a location? As Daniel said, if you're a Mac shop and they're selling a Windows solution or vice versa, your location just doesn't even match. Is there a problem? Is this urgent? Is this the owner? Do their peers think they own it? Do their stakeholders want them to fix it? And then you can talk product marketing: here's how you could solve it, my solution is the best, and you should get money for this. But if they don't have those nine truths in their head and you don't resonate with them, they're just going to walk past 359 booths. Nobody is walking through looking to see what you do. They're walking through looking for a problem, right? The two best booths, I will say, and I'm now blanking on their names, were the two people who had vibe coding on the side of their booths, right? And I was like, this is brilliant, because everybody's talking about vibe coding. We already talked about it today. And now if that's your problem, you're walking, looking for the problem, and you're going to end up at either Backslash's booth or Mirror Security's booth, because they were the only ones who said vibe coding. You were looking for the problem. That resonated with you.
A
Before I go any further, let me tell you about Material Security. Now, we all know that every era of cybersecurity has inspired purpose-built security for important assets. So EDR for endpoints, IAM for identities, and CSPM for cloud workloads. We're familiar with this. Yet somehow the system that modern companies really live in, Google Workspace, is still protected by a patchwork of tools created for different purposes. So documents, data, communications, and accounts all live in Google Workspace. It's time to implement dedicated protection for this very specific critical infrastructure. So Material Security is the first and only detection and response platform purpose-built to defend Google Workspace. Other point solutions treat Google as an afterthought, leaving you with massive gaps in coverage. Material provides continuous protection across your entire environment before, during, and after an incident. The platform automatically identifies vulnerabilities and suspicious activity, reduces the impact of a breach, and protects sensitive data even when credentials are compromised. Sophisticated email attacks, risky misconfigurations, shadow IT, account takeover, all of this stuff. Material not only monitors everything continuously, it applies fixes and steps in to make sure information only flows where it's supposed to go. So if you're ready to stop trying to fill the gaps and start getting ahead of threats, check out Material Security. You can learn more at their website, Material Security. And it's spelled just the way it sounds, the words Material Security. And let them know that you heard about them from the CISO Series.
B
It's time to play What's Worse.
A
Daniel, you are familiar with this game, correct?
C
Yeah.
A
You're familiar. All right. You're ready for it.
C
I'm ready for it.
A
And you know that Andy has to answer first, and then you can agree or disagree with him. All right, this one is an interesting What's Worse in the sense that it's actually two good things with a negative twist attached to them. And so you'll see what I mean. This comes from Jonathan Waldrop, who's a former CISO over at The Weather Company. He's given us a lot of great What's Worse scenarios. So, Andy, here we go. What drives a What's Worse here? So the CISO thinks they're doing a great job because no one provides feedback to the contrary, because others don't know how to talk to the CISO. In actuality, there's a great deputy behind the CISO that is actually running the show. That's scenario number one.
D
Okay. Doesn't sound bad. But if you're in that scenario as a company, like, come hire me, and I will help you learn how to talk to your CISO. Okay.
A
Scenario number two.
D
Couldn't avoid that pitch. Sorry.
A
There you go. The program is running well, but the CISO doesn't articulate the value well, and the executive team views him as an overpaid manager. So which one is worse? So understand both programs are going well for different reasons, but the perception of what's going right and wrong or understood is different. So in the first scenario.
D
Wait, so in the first one, you have a great deputy who's running the.
A
Program, but they assume the CISO is doing well?
D
They assume the CISO is doing well. Like, nobody's on the CISO.
A
They're doing badly, but that CISO isn't doing bupkis. They're not doing anything.
D
Okay. They're a placeholder who's okay.
A
But the second one is the program's doing well, but perceived as an overpaid manager, but the CISO is doing the work.
D
Oh, second one's the worst.
A
Just because of the perception?
D
Yes, yes, because perception is reality. But at the end of the day, the fact that you have a program that works isn't what's important. I mean, it is important, just to be very clear. It's about how you are making sure the business makes wise risk choices into the future. It's not about how well you're securing what's in your bailiwick. It's how you make sure the executives are doing the right thing. And if the executives do not respect you and do not trust you, and they think you're just an overpaid manager who can't communicate, when new and novel risks come up, the business is gonna do the wrong thing. Now, the first case also actually has some issues with it, but at the very least, the competent deputy is protected from the executives. And maybe at some point they'll figure it out, but you've at least got a program that works. The CISO appears to be respected and trusted, so as long as they're not screwing it up when new things come up, you're fine, as long as the deputy does a good job of sock puppeting the CISO. Which I've been that CISO, just to be very clear.
A
But also I want to point out, in the first scenario, others just don't know how to talk to the CISO at all.
D
But it didn't say that they thought the CISO was bad, right? No. I think in the first one, they're giving the CISO all the credit for what the deputy is doing.
A
Well, in a sense, but nobody communicates with him.
D
It's like, that's a weird dynamic. Like this one. I actually like this one. Jonathan, by the way, it's very rare that I'm like, oh, this one's really good. Because you took the normal, like, two awful scenarios and gave us two actually fairly normal scenarios. I know a lot of CISOs who are good, but their company doesn't think they are, and ultimately that. That always ends up badly. So I'm gonna go with. The second one is the problem, because if you're not a good communicator, you're not actually doing the job.
A
All right, Daniel, agree or disagree here? Agree. All right. Same reason, different reason.
C
As a CISO, I think the first thing I have in my mind is the security of the company. And if the CISO delivers but fails to communicate, then the executive team might think, well, yeah, you know, we're going to sack him and then also his team, and maybe we're going to cut budget, and eventually they're going to cut into things which really make a difference without them knowing, and they're going to get hit without understanding. While in the first scenario, there are two options. One, they're going to fire the CISO only because they're unhappy with them. But then you have the deputy CISO, who is going to take over, which is perfectly fine. But another option is that the team is losing trust in the CISO because they're taking all the credit or kind of leading without doing the heavy lifting. But in that case, it's less likely that they will be dropped altogether. They'll probably want to leave one by one, which is not optimal, but still better than the second scenario, in my view.
A
I like it. Good answers, both of you, and kudos to Jonathan for giving us a great scenario.
B
What we've got here is failure to communicate.
A
We live in a model where marketing outpaces innovation. The top vendors spend millions telling you they're number one. That's what Andy said. Meanwhile, real solutions from smaller players rarely break through. End quote. Now, that's Dr. Chase Cunningham's assessment of cybersecurity's, quote, self-licking ice cream cone of misery, end quote. I saw this at Black Hat, hearing identical pitches on the show floor. Quote: We do continuous testing, we're contextual, we remediate automatically. But there's no way to tell who's better. They all sound exactly the same, and nobody seems to be proving anything. Now, I started to say, compare this to the AI tools in the last two years, where we could literally watch Midjourney and DALL-E improve, compare outputs side by side and choose based on results. I mean, these are the image generating programs, and I was introduced to it over two years ago, and it was very crude back then, but we all saw it getting better together, and it was very visible and we could all see it with our own eyes. But in cybersecurity we just get marketing promises. So I'll start with you, Andy. As a CISO, how do you cut through the hype? But I'd be more interested actually for the vendors. How do they actually show improvement? Like, show the equivalent of what we saw in imaging, rather than just these empty marketing platitudes.
D
So I'm like this weird outlier in the marketing and security world, which is I just want to know what you do, tell me what you do. And part of that's because, believe it.
A
Or not, you're not an outlier on that.
D
Because I'm a technologist, I don't care that you're the number one CTEM platform out there. Like, first of all, I was on the board of the first CTEM companies, and, like, half of what people are calling CTEM today, I have no idea what they're actually doing. It's like 18 different things. Just tell me what you do. Oh, we are a platform that collects data from 17 different sources. We disaggregate it. Here's our defining feature. I will know how to plug you into my security program. What's that 15-second barbecue technology pitch? If you also want to give me the value pitch, that's okay. But I think every marketer has been told, do value-based marketing, value-based selling, but then they all end up gravitating. It's like the ice cream vendor problem. You're familiar with this, the beach ice cream vendor problem. If you have a beach, right? And you have two ice cream vendors. In an ideal world, the vendors are, like, spaced, like, 25% and 75% down the beach, because then everybody has the minimal walk.
A
Right.
D
But the reality is any vendor that moves towards the middle picks up more of the beach because they're closer to more people. And at some point, you end up with two vendors dead center in the beach. And most people now have to walk very long distances. That's what cybersecurity feels like, is we have all of these vendors gravitating towards the perceived buzzwords that are valuable.
A
Yes.
D
AI this year.
A
Yeah. And by the way, don't put it just on the vendors. I see the VC firms doing this as well.
D
Oh, absolutely. As a former VC, we did it as well. It was like, oh, we see 18 people investing in X. Who's going to be our bet in X?
A
Right.
D
You absolutely do see this. But what it means is that the differences between these companies are really hard for someone to find out. Like, if you're in the AppSec world, like, what's the difference between a Cycode and a Veracode? Technologists might know, but they both come out and they're both like, oh, we're both doing ASPM.
A
So when I was at Black Hat, in one day, I got three pitches from three autonomous pen testing companies.
D
Yep, a lot of those.
A
And they said exactly the same thing, all three of them. And by the third one, I said, just so you know, you're all saying the same thing. And it was surprising to them, because I'm in the seat where I'm hearing the pitches. They're not. They're in the seat of giving the pitches, not hearing them. And what they would do is, at the end, go, well, how do you differentiate? And honest to God, this is what they all say: Well, we're obviously better. Like, no, no. Why? How would I know that? Like, how?
D
Yeah, here's my recommendation for every vendor, which is you don't have to always use this as a deck, but build a deck that explains the attack that you defend against. That just says, here's what the attackers do. Here is how my technology stops that. Whether I'm proactive, reactive, preemptive, whatever it is. Learn that narrative, because what has to be true in the environment will come out. What the threat is. Is this really urgent? How well do you help? But if you cannot explain to me, and this is the biggest challenge that the automated pen testers have, is like, what are you actually preventing? Well, we're preventing you from not knowing about the vulnerabilities that you can't fix. I can't fix them. Not knowing or knowing isn't going to help me.
A
All right, I'm throwing this to you, Daniel. You get the ear of a lot of vendors. And by the way, the AI story is, that's really what I'm focusing on is what I am seeing is no one vendor is really leaps and bounds ahead of another because the AI quality is moving at the same pace for everybody. So, for example, two years ago with the imaging tools, it was all crude for everybody. There wasn't one making photorealistic back then and one making garbage. They were all kind of making garbage at the time, but they all moved at the same time. And I'm getting the sense that the same thing is happening in security. So what do you do when, like what Andy said, everyone's selling ice cream? Yes, one ice cream may be a little bit better than the other, but they're all selling the same thing.
C
So many CISOs do a lot of POCs. And I think that the ground rule is that if I need to use your product to understand how it differentiates from others, your marketing failed.
A
Good point.
C
So there are two things that we try to do. The first one is we come prepared. We take like the funnel. We look on the market, market leaders, then go to talk with some vendors verbally, and then we'll go to the demo calls with the top three or top two. We ask for demo, not a sales pitch, a demo so we can see the features with our eyes. And going back for a second to what we discussed about good salespeople, they're the ones which are both technical and honest. And they can tell, you know what, we're good because we are cheaper, because maybe in that model we are less good. But this one, we really kick ass from the other competitors. And those conversations are the best ones we had because it's easy to make a decision and to be honest, it creates trust between us and the marketing and the sales team of the vendor, which lasts even beyond our current employment. It goes on for years afterwards. So in my view, these are the two key points. To come ready and to have a good counterpart that knows how to sell. With the differentiation points.
B
What's the best way to handle this?
A
Quote: The most dangerous CISO isn't one who reports to the wrong person. It's one who mistakes being right about risk for being effective at managing it. Many CISOs fall into this trap of a dictator-level authority mentality. According to Carrick Stanwyck of Three Tree Tech. He makes a point too many miss. If leadership accepts a risk after being properly informed, that's not failure, that's functioning risk management. That's easy enough to conceptualize, but how do you actually know if you calculated the risk correctly? When leadership accepts your assessment and moves forward, are you confident or just hoping you're right? I'm going to ask you, Daniel, how do you validate that your risk assessments are actually accurate when the feedback loop might be years away or never come at all?
C
I think many CISOs make the same mistake of rushing into mapping the organization, trying to understand the controls and everything around it, trying to set up the risk register and come up to the board or the executive management with a list, obviously for budget and resources. I think that part of the process is not just about mapping the organization, but doing something that I like to call sensing. I mean, it's maybe a nice word for risk appetite, but I try to get at least a few meetings doing my own onboarding with the executive team. And we do a small game of, let's say, adjusting the scales. So I said, let's assume that we approve all the risks on one hand, and let's assume we approve nothing. And then we try to put scenarios in between to kind of gauge how comfortable the organization feels or not. And this is where I kind of start to understand where I came into. And my purpose is to also put myself on the same scale and try to bring us together closer. Maybe I can compromise a bit, or the organization. I think when you do that and then you start to discuss the risk treatment and the risk evaluation, it's much easier, because everybody had the same mentality and the same risk appetites based on that sensing.
A
All right, Andy, I send it to you. We've been talking a lot about risk and what's the best way to quantify it. But I really like this whole idea of just how do you know if you're making a good decision or not? You could create all these numbers and charts and things and make it look impressive, but really, how do you know?
D
So you just asked the right question, which is, how do you know if you're making a good decision? But those are two different "you"s. The first "you" is the CISO. How does the CISO know if the company is making a good decision? And the problem is you can't make a decision about risk without also talking about the whole business context. Right? And you have to understand how humans behave. Humans are not rationalists. Nobody pulls up a spreadsheet to decide whether or not to tie their shoes. Like, you just tie your shoes. Like, you say, oh, I shouldn't tie my shoes here because I'm on a busy intersection and somebody on a scooter is going to run me over. Let me step to the side. You don't do math to make that equation. That's because you believe in the risk. And that's what our job is as CISOs: we are, I hate to tell this to everybody, we are evangelists, evangelizing about risk. It's our job to be informed, to evangelize the right risks. But when the business is going to do something, they are making a risk trade-off, right? They're investing time and energy. And yes, future hazards might come in, that include security hazards, in hopes of some benefit. So if you just come in and say, well, you can't do this because the security hazard is too high, it's easy for them to say, ah, you're just a doom-and-gloomer. I can ignore you. My only risk is that, like, you're going to tell me I was wrong in the future, but instead I'll go make a billion dollars. You have to make them believe in the risk. You have to make the risk part of their model, so that when they say, oh, I'm rolling out an LLM, oh, right, I've got to pay attention to the fact that people might steal everything my LLM has access to. It does not matter that they have the percentage right. If they don't believe in that risk, you didn't do your job.
And that at the end of the day is all we can hope for is that we can get people to believe in the risks that are relevant to them so that they are making wiser risk choices and that those choices are happening at the right level of the company. Some random manager should not be able to say, oh, oh, I'm going to release an LLM with access to all of our production data that anybody can query. Right? That's the point where the CISO doesn't step in to say no. They step in to say, there's so much risk here. This decision has to be made at the VP level and they need to be cognizant of the risk. That's it. Get people to believe that they own the risk.
A
Right? And what I'm also hearing from you is non-security people should make generally good decisions about risk. Like, we don't run out into traffic because we know that's risky even though we're not traffic cops.
D
Right? Humans are really good at making risk decisions. The problem is sometimes risk gets really esoteric and the people who own it are more excited about being right and dominant than they are about educating and making people aware.
A
Well, that brings us to the very end of the show. I want to thank our sponsor first of all, and that would be Material Security. You remember Material Security: Secure what your business is made of. Material is a unified detection and response platform for both Google Workspace and Microsoft 365. You can just go to their website, Material Security. It's spelled just the way it sounds. Material Security. Hey, let them know that you found out about them through the CISO Series. Daniel, thank you so much for coming on the show. We greatly appreciate having you here. Let me ask you this question. Are you hiring over at Monday.com?
C
Yes we are.
A
So how would we go about finding, and could someone contact you if they're interested in a position? And by the way, are you hiring anywhere in the world, or where were you looking to hire?
C
So we're currently hiring in the States, in the UK and in Israel. You can find the careers on the Monday.com website, or you can actually ping me through LinkedIn directly. I'm quite open for discussion.
A
We will have a link to Daniel's LinkedIn page on the blog post for this very episode as well. Well, thank you so much for coming. Did you have a good time?
C
I had a blast. It was amazing.
A
I'm glad. Andy, thank you for making it a great show as always.
D
Hey, thanks for doing all the prep work to make it easy for the rest of us.
A
It's not just me. We have a great production team behind us. Thank you so much, both of you. Thank you to the audience. We greatly appreciate contributions. Send me more "What's Worse?" scenarios. And thank you for listening to the CISO Series podcast.
B
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows: Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Episode: Don’t Worry, We’ll Get to Solving Your Problem on Slide 87
Date: October 7, 2025
Hosts: David Spark, Andy Ellis
Special Guest: Daniel Lieber, CISO at Monday.com
This episode explores core communication challenges between cybersecurity vendors and practitioners, the evolving security landscape in the age of AI, and strategies for effective risk management. Through dynamic debates, practical anecdotes, and playful exchanges, the hosts and guest dissect why vendor communication is failing, the complexity of AI threats, how to measure real risk, and how much presentation versus substance matters in the world of cybersecurity tools.
Prompted by a quote from Brian Fox (Sonatype):
Andy’s Take:
Daniel’s Framework:
The Problem:
Daniel’s Advice:
Andy’s “Nine Truths Model”:
Scenario 1:
CISO gets undue credit thanks to a competent deputy but is insulated (and no constructive feedback reaches them).
Scenario 2:
CISO is highly competent, but the executive team sees them as an overpaid manager due to poor communication.
Panel Verdict:
Scenario 2 is worse.
Andy's Critique:
Daniel’s Buyer Playbook:
Carrick Stanwyck’s Challenge:
– The most dangerous CISO is one who confuses being right about risk with effective management. If leadership accepts a risk, that’s actually functioning risk management—not failure.
Daniel’s Method:
Andy’s Perspective:
This episode provides a reality check for security practitioners and vendors alike. From the tangled world of AI security to the pitfalls of formulaic vendor marketing, the panel advocates for clarity, authenticity, and genuine engagement—both in boardrooms and on the crowded expo floor.
The final takeaway: Security leadership isn’t just about being right—it’s about ensuring the business understands, believes in, and right-sizes its risks.