
All links and images for this episode can be found on . This week's episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is our sponsored guest, Danny Jenkins, CEO, ThreatLocker. In this episode: A zero-day upgrade Don't let a pentest go...
David Spark
Biggest mistake I ever made in security. Go.
Danny Jenkins
I think the biggest mistake I ever made was assuming something did what it said on the tin. I pitched for new security. I've done this several times, but there was one in particular. I fought like hell to get a new security product. This is back in 2002. And I said it was going to stop all of our virus problems and it didn't. And I got egg on my face.
David Spark
It's time to begin the CISO Series podcast.
Podcast Producer
Welcome to the CISO Series podcast.
Andy Ellis
My name is David Spark.
Podcast Producer
I'm the producer of the CISO Series and joining me is my co-host. You love them, you know them, you can't get rid of them. We can't get rid of them. It's Andy Ellis, the partner of the over at YL Ventures. Andy, say hello to the audience. Was this Irish Gaelic?
Andy Ellis
That was Irish. My apologies for butchering that. For anybody who speaks Gaelic fluently.
Podcast Producer
Did you listen to somebody else saying it or AI saying it?
Andy Ellis
I tried, but Google Translate will not actually give you the sound for Irish. It's such a difficult language that even Google gives up on it.
Danny Jenkins
So 90% of people in Ireland, I know this, I lived there for 10 years, cannot speak Irish. They know how to say slán abhaile and that's about it. Which is safe home.
Andy Ellis
Yep.
Podcast Producer
Let me just mention that that's our sponsor guest. That's Danny Jenkins, CEO of ThreatLocker, who is Irish himself and. No, no. What are you, British? I'm sorry, you're British.
Danny Jenkins
I'm sorry, I'm British, but I spent a long time in Ireland and my wife is Irish, so.
Podcast Producer
I'm sorry, your colleague, Rob Allen, he is Irish. I'm sorry.
Danny Jenkins
Correct.
Podcast Producer
My apologies. But yeah, I kind of assume that you don't hear a lot of people at all, do you?
Andy Ellis
No, but I figured since he lived in Ireland, I would at least give Gaelic a try there.
Podcast Producer
There you go. Let me just say this. Our sponsor is ThreatLocker, phenomenal sponsor with the CISO Series. Danny is the CEO. They are the Zero Trust endpoint protection platform. Let me ask you this, Danny, and I'm going to ask Andy as well. All of us have gone to big trade shows like Black Hat, like RSA, and I know the last Black Hat I saw, you know, ThreatLocker had a huge presence. We've all had many, many, many experiences there. What is one thing that you've done that has hugely paid off for you at a conference that you advise others to do as well? I'll start with you, Andy.
Andy Ellis
Bring a stuffed animal.
Podcast Producer
Bring a stuffed animal in just one or just a lot to give away?
Andy Ellis
No, no. So the trick is like, so when I was with Akamai, we had George the Penguin. When I was with Orca, we had Orkiorca. And like, it's this higher level piece of swag. Everyone's like, oh my God, I gotta find this. I gotta go take a picture with it. Like, I actually had George the Penguin, had his own RSA badge. Cause I was doing keynote talks. And so he just became my mascot. People wanted to engage with it. So everybody who shows up next year and you all have stuffed animals, then you lose the feature of it. But something that's unique and personal and relatable for your brand.
Podcast Producer
And I will just say this. One of the good things of stuffed animal giveaways is often people are at trade shows looking for gifts to give to their kids.
Andy Ellis
Exactly.
Podcast Producer
And that becomes very popular. All right, Danny, same question to you. One thing you've done in a trade show that you advise others to do because it was a huge success.
Danny Jenkins
Okay. And it depends on the type of trade show. We did 850 trade shows last year.
Podcast Producer
So that's a lot.
Danny Jenkins
And some of the ones we do in the MSP industry. And the difference when you're selling to MSPs and selling to enterprises is you're selling to the business owners. So you can get away with a lot more selling to the owner.
Podcast Producer
You're.
Danny Jenkins
You can't do this in an enterprise trade show. Gave away a Hummer EV.
Podcast Producer
Whoa.
Danny Jenkins
And I can show you the math. We've done it three times and we did the same show three times the year before without it and the same shows. And we tripled our ROI on the.
Podcast Producer
Show with one Hummer EV giveaway each time.
Danny Jenkins
Yeah. On a million dollar show, a 150 grand car gives you three times 0. 10. But it won't work at a show like Black Hat because you can't give away a Hummer to a CISO because they become conflicted. Yes, you can give it away to a business owner if you sell to IT security companies, because they can't be conflicted because they own the business.
Andy Ellis
Good point.
Danny Jenkins
But best payback we ever get. We do it three times a year and it works wonders.
David Spark
What's the starting point for a CISO?
Podcast Producer
When a zero day hits, we usually know the drill. Apply mitigation and wait for the patch. But what happens when the only mitigation is rip and replace? That happened with Barracuda Networks last year, as highlighted by Brian Krebs. Now, we're not looking to throw anyone under the bus, but it's hard for your initial instinct not to see this as a forced upgrade. Organizations have processes in place for patch management and decommissioning end-of-life hardware. And Andy, where do events like this fall, and is anyone ready for a zero day that effectively makes hardware end of life?
Andy Ellis
So this is a really, really tough challenge. First of all, we do have to accept that sometimes you just have to end of life a device.
Podcast Producer
Exactly.
Andy Ellis
That you have stuff encoded in the firmware. The firmware is not capable of being upgraded past a certain point. And so all hardware does at some point have to get ripped out. The challenge is when it has to get ripped out, not on a schedule you control because there's a vulnerability tied to the hardware. And that's, I think, what people are reacting to. But I think the challenge has become people think of hardware as a capital investment that lasts forever. And the reality is it doesn't. Like, I actually have this problem right now in my house, which is we have a home automation system that was here when we bought the house and you can no longer actually even get parts for it because they're not making that chipset anymore. There are no fabs left that make the chips that are used in this hardware. So at some point, like if there's a vulnerability, it's a rip and replace. Now fortunately for me, home automation system, I don't want anybody else automating my home. So I have ripped out the network for it and I'm much less worried. Much harder to do that with your email security appliance.
Podcast Producer
Yeah, people aren't ready for end of life hardware, but we kind of all know it eventually. And it's just more of like, I can't do this anymore, Danny. So I guess I got to get an upgrade. It's. We never have this feeling of it's forced, like if I don't do this, the walls come crumbling down. Where do you stand on this?
Danny Jenkins
The first problem is hardware. When you buy hardware, you tie yourself into a fixed life of that hardware and upgrading it becomes very problematic. We're in a world of subscription based security now and that's good because it means your security vendors won't get paid if they don't continue to innovate. It also means your CFO doesn't think he's just made a capital purchase that's going to last forever. So I think when it happens, you've just got to move fast and unfortunately it does happen sometimes. I think the bigger solution is to stay away from hardware based purchases where the software and the hardware are coupled together and your only solution is to get a new piece of hardware. Where possible, use software based services, or SaaS based services even better. And then you know you're paying a yearly subscription. The vendor knows if they want to keep getting paid, they've got to keep delivering updates and enhancements and better security.
Podcast Producer
Do you think this is also the reason? Because I mean, I have seen the trend, and let me see, agree or disagree with me, for business in general shifting away from capital based expenditure to operational based expenditures.
Danny Jenkins
Danny, I think all expenditure is operational whether you like it or not. You buy a car, it's operational. You choose the lifespan of your car. Is it two years, is it five years, is it 10 years? But at some point it's going to run itself into the ground. All expenditure in a business is operational. Everything you do is essentially rented, except maybe if you invest in gold or something like that.
Podcast Producer
But that's actually a good point because what then makes attractive, like you say, SaaS based services. I'm going to throw this to you Andy, is it's operational expenditures without the capital expenditure, which is you're saying everything's operational. So if I can do operational without capital, even better. Yes, Andy.
Andy Ellis
So I think the expenditure type doesn't really matter because you expend it capex like you buy a thing, you amortize it across the years, you've turned it into an operational expense through bookkeeping. So while that does matter somewhat, I think what matters far more is are you stuck with the device? Right? That's the key thing of capital is do I have a thing I'm stuck with that I can't afford to pivot. So when we think about operational expenses, don't worry as much about the bookkeeping and more of the do I have a sunk cost that I can't do something with?
David Spark
What works, what's not working?
Podcast Producer
What's the process for setting up a pen test? Someone on the cybersecurity subreddit shared an experience of reporting a pen tester to building security who eventually was detained by the police. Now the employee did what they were supposed to do, report someone suspicious on site. But shouldn't the pen test account for something like that? How can we make sure these tests are effective without getting the police involved? Or do pen testers need to make sure they have their story straight just to be safe? And have you ever run into this, by the way, Danny?
Danny Jenkins
Actually, very, very recently we ran into this, and I'm not sure pen test is the correct word, but we decided to drop a Wi-Fi Pineapple onto the roof and take over the ThreatLocker Wi-Fi. Traditionally we've done this before. We did it last year with a drone and we accidentally crashed the drone into the window. So I was explicitly told by the powers that be, no drones this year. So we used a chopper instead.
Podcast Producer
Oh, really?
Danny Jenkins
And apparently when you drop a Wi-Fi Pineapple onto the roof from a chopper, it causes chaos with the police force because someone thought it was a bomb. So a little bit more extreme.
Podcast Producer
Oh my God.
Danny Jenkins
We recently had a visit from the police into our office because they thought someone dropped a bomb on our roof from a helicopter. And we didn't have a story prepared because we didn't expect someone to call the police. But I think I've never even thought about it until recently. And.
Podcast Producer
And by the way, who was that person who called? Not an employee of ThreatLocker. Someone else.
Danny Jenkins
Not an employee. We are directly across from a sports center. So apparently the police were not happy because multiple calls came into 911 about a suspicious attack package, potentially a bomb, being dropped on our roof. And there were videos from the gym across the road where people obviously saw this chopper coming around. And now that wasn't really a very subtle pen test anyway, but it was really about a point. I can do it without a drone.
Podcast Producer
So just something much larger. But okay, if you were to do that, let's just say if you were to do that again, I'm assuming you would call the police and say, how can we do this ahead of time so, you know, things don't happen like this.
Danny Jenkins
Yes, yes, we have the police number. They asked us to make sure that if we're doing this again that we notify them ahead of time so they don't get completely freaked out by a helicopter circling a building with something hanging out of it. But I've never thought about it and I've done a lot of pen testing and I've walked into places and dropped rubber duckies and OMG cables into the back of computers. And I've never been caught. With their permission, of course, but I've never been caught. But I never thought once, oh, I could get caught and get arrested. Yeah, well, they should probably have the engagement contract in their hand.
Podcast Producer
Right? This is a good thing. Alert the police before you do a pen test that this could happen.
Andy Ellis
I would just stop there. Alert the police, before you do a pen test. Like, if you're doing any physical pen test and you have not engaged with the police, like, the police love you, you call them, you say, hey, by the way, we've engaged to do this pen test. Or we're engaged. What you really want is the owner of the building to have contacted the police. Like, the person that they know is going to be making the call or that they're going to be calling to say, hey, by the way, we're coming to your building. You should have this. I guess I'm lucky because the first pen test I did involved M16s. So, yes, we made very, very sure that the security forces on the base knew who was doing the pen test, what was going on, and that there were like seven letters covering the person because we were afraid they were going to get shot.
Danny Jenkins
Yeah, you don't want to do that. That's worse than calling the police.
Andy Ellis
Yeah.
Podcast Producer
So, first of all, I know in general, the police love that you do security testing as well. So is there more involvement with the police beyond, like, you're alerting them, letting them know that should someone contact you, you're aware that this was a test?
Andy Ellis
Yeah, like, if you like. I work on security with our synagogue, and we talk to the police all the time. Like, when there's an event, we're just like, hey, by the way, we've got an event. Here's what's going on. You should expect unusual activity. When we've had a security consultant come in, we tell the police, like, you just build this relationship with your local police force partly so they know who you are and they care a little bit more about your building. Cause you're a great, upstanding citizen who likes to tell them things.
Podcast Producer
So the guy who's essentially the manager of our synagogue, actually, he did it as a more ongoing process where he had regular meetings with the police about, here's what we're doing, here's what we're setting up, engaging with them. So everyone was in sync all the time. Let me go back to you, Danny. Have you done anything sort of either for yourselves, for clients, like, where you're sort of constantly in sync with authorities of any sort of.
Danny Jenkins
So we work very closely. Not so much the police, actually. I mean, we work with the police, but the FBI more so. So we work very closely with the FBI, where the FBI will actually come to us and say, hey, there's a new malware. We're trying to understand it better. Can we give it to you? Can you run it in your environment? And we'll constantly have meetings like that. The police tend to have, especially in Orlando, Florida, they're not the most tech savvy cybersecurity unit, so we don't do too much with the local police, more so FBI. The police stuff is more just normal community stuff, like an offer out, when the whole world got blue screened, to any law enforcement or schools and things like that, that we will send staff on site to help recover computers if they were affected by that incident.
Podcast Producer
Before I go on any further, I do want to tell you about our absolutely spectacular sponsor, and that is ThreatLocker. So cybersecurity really isn't just about fighting fires. Sure, it's an important part of it, but it's really about making sure they never start in the first place. That's a really good security program, and that's where ThreatLocker comes in. With ThreatLocker's deny by default approach, nothing runs on your network unless you say so. It's like having a digital bouncer guarding your organization, keeping out ransomware, zero day exploits and sneaky supply chain attacks. Plus you get a full audit trail of every action, because visibility is power. ThreatLocker's US based support team makes setup seamless so you can stop worrying about vulnerabilities and start focusing on what matters most. That's why thousands of companies trust ThreatLocker to keep their business running and secure. Take control of your business's cybersecurity today. Visit threatlocker.com to learn more.
David Spark
What's Worse?
Podcast Producer
All right, it is time to play What's Worse. All right, Danny, I know you know how to play this game because you played it before. We're gonna play it again. Andy answers first. I love it when you disagree with Andy. Not required, but I love it when you do. Now I'm gonna say this one comes from ChatGPT. We've been actually leaning on ChatGPT to help generate some What's Worse scenarios. And this is a pretty good one, I think. It's just we just can't tag ChatGPT on LinkedIn when we. Because I always like to acknowledge the person. All right, so ChatGPT gives us two scenarios. Scenario number one, discovering a data breach three months after the fact affecting sensitive customer information. You're going to have to do so.
Andy Ellis
Normal for discovering data breaches. Three months, that's fast normal.
Podcast Producer
Now you're going to have to do an audit. You're going to have to do an audit to see what's been taken. You have no idea. All right, so it's just. It's still normal.
Andy Ellis
But how do I know that there was a data breach if I have no idea what was taken? Like, ChatGPT, you got to work on these a little bit better.
Podcast Producer
Let's play along here in that, you know, something happened, but you don't know to the degree what's happened. It could be a little. It could be a lot. And you do know that it does affect sensitive customer data. All right, scenario B. Okay. You're detecting a live, ongoing breach where the attacker is actively exfiltrating intellectual property. All right? So it's coming out right now. It's going on right now.
Andy Ellis
But it's IP, not customer data.
Podcast Producer
Correct. Okay, which situation is worse?
Andy Ellis
The first.
Podcast Producer
Okay.
Andy Ellis
Oh, this one's easy. I like when I get easy ones. Danny may disagree with me. First of all, I got a shot of shutting down the thing that's going on right now. I certainly, from a PR and messaging perspective, like, yes, we got breached, but we caught it as it was happening is a lot better than we discovered it three months later. I would always rather lose my IP than lose my customer data.
Podcast Producer
Okay. Now, the thing is, it's going on also. You don't know the degree of scenario A. Actually, what am I saying? You don't know the degree of either.
Andy Ellis
I don't know the degree on either one of them, realistically. Like, who knows? But I have to treat scenario A like it's, you know, all my customer data got breached. Until I can prove otherwise, we're no longer in the world where you get to put your head in the sand and say, we don't know what data was breached, therefore we had to pretend nothing was breached. Like, now you're in a world where if you think customer data was accessed and was stolen, you have to treat it as if it was. Unless you kind of have proof on the other side of it. Like, if you're a responsible CISO, like, that first one's pretty bad.
Podcast Producer
Let me ask you, if the situation was different, like, say you were a Lockheed Martin.
Andy Ellis
Yep.
Podcast Producer
And it was the intellectual property of Lockheed Martin that went out the door versus the customer, would you still feel the same way?
Andy Ellis
I mean, it might, but the question is, like, which intellectual property? Like, the design schematics of all of their planes, certainly all the commercial planes they're shipping out anyway. Like, because you have to ensure that when a plane lands somewhere, if it needs repair, that the schematics for that plane are being delivered to that airport. Because every plane is different. Now, obviously, if it's a jet, I don't remember which one. Lockheed Martin, I think they're the F-16, but somebody will correct me. That might matter a little bit more, but that's different than just being intellectual property. So I'm gonna go with. From almost every circumstance, I think A is worse, of just a data breach in the past that I've only discovered, but I don't know how bad it is. Like, I'd always rather catch the bad guy in the act.
Podcast Producer
All right, I throw this one to you, Danny. Same thing. Do you agree or disagree? And if you agree, do you agree for the same reasons or different reasons?
Danny Jenkins
Pretty much. This is pretty boring. I'm afraid I agree for the same reasons. The only time I could think it would be worse is, like I said, if we were actively at war with someone and they got all our weapons stuff and that's. But that could change the trajectory of the war, then maybe that would be a different scenario. But in 99% of scenarios, losing the data is always worse.
Podcast Producer
Customer data.
Danny Jenkins
Customer data is almost worse. And not to mention, we're a security company. What we do isn't super secretive. Everyone. Everyone knows what we do. Everyone knows how it works. And you have to be pretty transparent on how it works anyway, so I think losing customer data is the worst scenario all the time.
Podcast Producer
All right, that's good answers, both of you. I will talk to ChatGPT to do a better job next time.
Andy Ellis
Yeah, yeah, really train that thing. Try Grok next time. Let's see how it does. We could try every week a different AI.
Podcast Producer
AI tool. Okay, but I'd rather have submissions from our audience. And that's a call out for you, audience. Send in some more submissions.
David Spark
Please.
Andy Ellis
Enough.
David Spark
No more.
Podcast Producer
So if you ask cybersecurity professionals about user training, you'll either hear that it's the linchpin of a successful cybersecurity strategy or that humans are the weakest link and a lost cause in cyber. So there are a lot of strong feelings on both sides, Andy, though, I'm going to start with you. What have you heard enough about with regards to user training? And what would you like to hear a lot more?
Andy Ellis
Well, I've almost heard everything I would like to learn about user training. I'm tired of almost every argument I've seen in this space because they come down to refusing to admit that your security system is weak, and you're going to blame the user and say, oh, they need to be better at spotting a phishing attempt. Not, oh, we need to make sure phishing attempts just don't work because clicking a link doesn't matter. What I'd love to hear more about is user training that is actually focused on giving them skills to do their job. Normally, not that's focused on awareness. Like, that should be a side benefit. But how are we getting better at helping humans to do their jobs safely but effectively?
Podcast Producer
That's a very interesting take. I like that. All right, Danny, I throw this to you. Both questions I ask, what have you heard enough about with user training? And what would you like to hear a lot more?
Danny Jenkins
So I've heard enough about user training, period.
Podcast Producer
Like Andy.
Danny Jenkins
And I would like to see in terms of user training, I would like to see a lot less training. And I will tell you why this is so important.
Podcast Producer
This is interesting.
Danny Jenkins
We're a security company, so under X number of compliance requirements, our users go through more training than you can possibly imagine. And by the way, it does no good if your user is going to click on that link. You can reduce the risk a little bit by training them, but not a significant amount. It's smarter to put dual factor authentication and stop untrusted software running and do sensible things like that. I think every employee that starts at ThreatLocker, or 30% of employees that start at ThreatLocker, receive a text message on their personal number from someone pretending to be me asking them to buy Best Buy gift cards. They get emails from a Gmail account with my name asking them to do something. They're very, very common attacks. I think we should focus on one page of data that are most likely to happen to that employee and train them on that, because then they'll remember it. When you give someone five things to do, they'll do them. When you give them 500 things to do or 500 things to learn, they won't learn any of them, or they'll learn five that you don't have control over. So pick five things, train them on those, and accept the rest have to be dealt with by good IT systems and processes.
Podcast Producer
All right. I love this challenge you have right here. And I want to go back and forth on this. All right, Andy, we're going to do this the five things you want. And I know this can be different for different people in different roles. What was the very first thing you would train someone on?
Andy Ellis
So what I love is I love this idea of five things. And the training should not come from the security team, it should come from the CEO, because the five things are: I, the CEO, will never email you and ask you to do something unusual.
Podcast Producer
That's good.
Andy Ellis
You shouldn't expect to hear an instruction from me unless you're my admin or one of my direct reports. So if you get something, go ask your boss. Boom, there's number one. Number two, I am never gonna ask you for a gift card. If you get a text message that claims to be from me, I want you to send it to me in email because I'm gonna make fun about it and use it as a reminder for everybody else. And you'll get a kudos for bringing it up. Like, those are like my top two right there is if I'm the CEO and I'm reaching out to you, it isn't me. I don't even know what my next three would be. Cause I would just like those two.
Podcast Producer
But hold it. I just wanted one I wanna go hit. Then hold it. Okay, I'm coming back to you. Danny, what would be on this top five list? I love this idea of a top five list.
Danny Jenkins
So you want me to. Obviously two of them have already been.
Podcast Producer
Answered, but do you agree those are good ones? Those are good ones, Yep.
Andy Ellis
So take number three.
Danny Jenkins
They're good ones. The only thing I would say is I'm never that polite in emails as a CEO. So if I send you a polite email. So I agree with those two. I think if I had one thing to say, I would say, do not wire somebody money over X amount unless you have called the public number of record and spoken to the department to confirm the bank details. I don't care if you got an email from them. I don't care anything about it. That's probably one of the top things I would do to anyone in finance who wires money, only people who wire money.
Podcast Producer
Yeah, yeah.
Andy Ellis
In fact, I would just be like. And you can't change banking details just to tweak that one. Like, any change to how we will send someone money, including starting one, needs to have that very clear authentication of who that human was.
Danny Jenkins
We were getting investments once, it was about $20 million. So they email me and say, can you send me your number so I can call you to confirm your bank details? So I sent them my number and they called me and they said, can you confirm your bank details? So I did. And I said, you know, this was a completely pointless exercise. So what do you mean? I said, well, if either mine or your email had been compromised, you don't know my voice, you don't know my phone number. Yeah, like the number could have been switched out. And she said, well, what am I supposed to do? I said, ask the person I've been working with. My phone number. Find it on Google.
Andy Ellis
Yeah, I recently had that. I decided not to tell them because I just wanted to get the money.
Danny Jenkins
But no, she already had the details. She was just confirming them, so. Right. But. And then she wired me the $20 million.
Podcast Producer
That's a great case of procedure gone wrong. It's like they just don't know the procedure. All right, hold on. We've sort of wrapped up this sort of element of how the CEO communicates and the transfer of money. What would also be on this top five list?
Andy Ellis
So I'm going to add in now. I could do this because of where I worked at the time, but you will never type your password into anything. I want you to go passwordless with phish-proof multi-factor and certs on devices, and you're never going to type in a password.
Podcast Producer
That's a huge leap. That's a much bigger leap than the other two.
Andy Ellis
Right. Because when you. And if you're asked to type in your password, you should tell me the CISO so I can go hunt down that system owner and get them into our passwordless environment.
Danny Jenkins
Danny, I think that's a difficult.
Podcast Producer
I would love that to be the case, but that's a tough leap.
Andy Ellis
But I think. Let me then make it more generic so Danny can agree with this. For any control that you think you have implemented across the enterprise, you tell the employees that if they ever see a deviation, that they should come tattle on the system owner and tell you so you can hunt down the system owner to do the right thing.
Danny Jenkins
We do it for limited systems and I think about how many accounts we have. Bear in mind we have accounts with nearly every other software vendor in the world, because that's what we do. And we run on their systems. But we have systems. We have our CRM system, which is proprietary. We have our invoicing system. We have our active directory. There are certain things that we have very strict procedures in. I think if you focus on the ones that are going to end your business when they go wrong, rather than trying to focus on the 500. Because again, if you tell the user never, then they'll say, but I have to enter my password into Netflix, which we play in the conference room.
Andy Ellis
No, no, but your company password doesn't get entered anywhere. It's what you type to log into your laptop and then you never type it anywhere else over the network.
Danny Jenkins
Okay, but it's all a different system. So the company password, yes, you type in, but your Active Directory or your Intune, or not Intune, whatever it's called now, they keep renaming your AD, the new version of it.
Andy Ellis
Oh, whatever.
Danny Jenkins
Yeah, the password, yes, that is what we should never type in. But in general, I think the problem is I spoke to a user recently and I said to them, why did you click Enable Macros? And they said, well, why wouldn't I? And I said, well, it's giving you a warning. And then they pointed out to me, look, when I download this from the Internet, it gives me a warning, and I'm supposed to click on that. And when I download this, it gives me a warning, I'm supposed to click on that. How do I know which warnings I'm supposed to click on? And I think when you talk to someone who isn't IT savvy, and you say this is your company password, they actually don't know the difference between their Active Directory password and the iCloud password.
Podcast Producer
That's a very good point right there.
Andy Ellis
Right, let me hold it. Right, so that should be your North Star as an IT system is how do you get to a point where your employees are not doing over the network passwords for authentication?
Danny Jenkins
They need second factor. Anyway.
Podcast Producer
All right, I want to call back one thing you said, Danny, though, which I kind of liked. And I think it's actually. Correct me if I'm wrong, I think this is a strong philosophy of threat locker in that maybe. I'm sorry, take that back. I think, Andy, you said this was don't do anything that will cripple the business. Were you the one who said that?
Andy Ellis
Yep.
Podcast Producer
Okay. But I'm taking this to Danny because I think this is very much true in that this whole concept of the way you look at zero trust, the idea of deny by default, in that let's do this in reverse. What are we going to train them? Well, let's first think about what will cripple the business, and then let's train from that aspect. I mean, that's gotta be your philosophy here. Yes, Danny.
Danny Jenkins
Yeah. I mean, that's our philosophy in general, but it's that for security, we always start with what will cripple the business. And you'll notice I said over a certain amount with the wires too, because sometimes it's not worth the validation. We'll lose $5,000. We're not going out of business from it. It's not worth someone spending two hours trying to validate bank details. But I think start with what's crippling the business. And that's what we do because we're about blocking untrusted software because we know that the users can't identify what's good and bad. Leave it to the IT professionals.
David Spark
What's the future for a CISO?
Podcast Producer
Let's gaze into our crystal ball and think about the future. So Ross Haleliuk was thinking about what new cybersecurity roles will take off in the next decade. One that stood out was a role focused on behavioral psychology with a cybersecurity-specific focus. The idea being if we can better understand how people make decisions, we can use that to guide better security outcomes. This is kind of a tip of the hat to what we were just talking about. So the other standout was a cybersecurity economist using a blend of game theory, statistics and value evaluation to give us a new lens to look at this industry, again, something we were talking about. So I'm going to start with you, Andy. Will the social sciences be the hottest field for new cybersecurity roles? And are you already seeing people effectively filling these roles right now, or have you seen another new trend? What do you think on this?
Andy Ellis
So I think of this as a skill rather than a role. And just to be very clear, I've been on this for over a decade. So I think this is, you know, Ross is late.
Podcast Producer
I think at this point I would agree with that. But it'd be interesting if it evolved into that further down.
Andy Ellis
No, I actually don't want it to be a separate role, except maybe as an educator within the team. And here's why. And so I did a keynote on this at RSA, like 12 years ago at this point, managing risk with psychology instead of brute force. And what you want to have is that the people who are engaged in talking to other humans, which is your whole security team, should understand behavioral psychology. They should understand, oh, the reason that we tell you about a risk is actually not so that you will fix this risk. This is an amazing thing that most people don't realize. Why do we tell you about a risk? Because we want you to believe that you have a higher risk profile than you currently do, because risk homeostasis will cause you to take some action to reduce risk. It might be this one, it might be something else. But you have to believe about the risk. If I tell you about a risk and you don't believe it, then you say, oh, Andy's always over the top. I can ignore everything he tells me because my risk is listening to Andy, not paying attention to Andy. And so, like, everybody needs to understand how human psychology works, how people react, how they're making decisions. It can't just be one person on your team.
Podcast Producer
All right, I throw this to you, Danny. Same thoughts about these sort of two takes on the roles. Is it going to be a role or just a new skill that you're going to see attached to roles? And if so, what roles?
Danny Jenkins
I don't think it's a role. I think it's a skill, full stop. And I don't think just about that. I think all positions in business should be focused on, I'm trying to solve a problem. How do I solve that problem? Is there a person that can solve it? Do I need to get someone into help? And that's just general business, not just security. I think we're kind of trying to use magic and intangibles to solve tangible issues. And it's completely bullshit.
Podcast Producer
By the way, those not watching Andy is loving what Danny's saying right now. Go on, Danny.
Andy Ellis
Yes, Danny, keep going.
Danny Jenkins
Yeah. There is no magic to this. There are things we don't know about in security, and we should always assume we don't know stuff. The reality is we just got to put proper security controls in place. We've got to put proper processes, proper checkpoints, proper speed bumps without stopping the business from running, and stop trying to use magic and deliver tangible security and secure systems.
Andy Ellis
Yeah, and I think the key point on that is the magic is important in understanding how to put in those controls. The magic doesn't replace those controls. You should understand human psychology so that when you put in place a control that doesn't work and gets in the way, you're not surprised when people go around the control and do something else because they're trying to get their job done. What you don't do is say, well, we don't have a control, but let's try to manipulate people into believing we have one.
Danny Jenkins
Yeah, you can't manipulate people. They're always going to get around something that stops them doing their job.
Podcast Producer
All right, well, that brings us to the tail end of this show. And this was a great show and, by the way, unintended, but there was an interesting thread that kind of went through all of our segments today. And essentially I like the idea of boiling it down to simplicity, looking at what would cripple the business and understanding the logic of how we would get to the point of crippling the business and how we can come back and stop that from happening earlier on. And again, also I think this feeds into the philosophy of ThreatLocker too, which is a sort of deny by default, which prevents sort of the bad crap from happening further on if you sort of deal with it at earlier stages. Huge thanks to Danny for sponsoring this episode. ThreatLocker, remember, Zero Trust Endpoint Protection Platform. You can find them at threatlocker.com, it's spelled the way it sounds right there. Danny, I'm going to let you have the very last word here. Any thoughts? I'm almost positive you're still hiring at ThreatLocker. Correct?
Danny Jenkins
We had 40 something people start last week.
Podcast Producer
Oh my God.
Danny Jenkins
So a lot.
Podcast Producer
So yes. And so any last words for our audience about ThreatLocker? Anything else?
Danny Jenkins
I would just say ThreatLocker offers a lot of security in our platform, the most important of which is block untrusted software. Allow what you need, nothing else. Period.
Podcast Producer
I love it. Thank you so much for supporting the CISO Series. Thank you very much, Andy. And thank you to our audience as well. We greatly appreciate your contributions. And for listening to the CISO Series Podcast.
David Spark
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Date: February 18, 2025
Hosts: David Spark, Andy Ellis
Guest: Danny Jenkins (CEO, ThreatLocker)
Sponsor: ThreatLocker
This episode dives into the pros and cons of traditional "fix it" security approaches versus simply retiring problematic systems and processes. Security leaders—David Spark, Andy Ellis, and guest Danny Jenkins—unpack recent real-world events and emerging security philosophies. Expect practical advice for trade shows, perspectives on rip-and-replace responses to vulnerabilities, operational versus capital expenses in security, improved pen test communication, the role of user training, and a look ahead at the potential for social sciences in infosec.
"Bring a stuffed animal... something that's unique and personal and relatable for your brand." [02:41]
"We tripled our ROI on the show with one Hummer EV giveaway each time... But it won't work at a show like Black Hat because you can't give away a Hummer to a CISO because they become conflicted." [03:56–04:11]
"First of all, we do have to accept that sometimes you just have to end of life a device... The challenge is when it has to get ripped out, not on a schedule you control because there's a vulnerability tied to the hardware." [05:22–05:29]
"We're in a world of subscription based security now... your only solution is to get a new piece of hardware. Where possible, use software based services or SaaS based services even better." [06:48–07:46]
"When you drop a Wi-Fi Pineapple onto the roof from a chopper, it causes chaos with the police force because someone thought it was a bomb." [10:22]
"Alert the police, before you do a pen test. ...The owner of the building should have contacted the police." [12:10] "You just build this relationship with your local police force partly so they know who you are and they care a little bit more about your building." [13:13]
"I would always rather lose my IP than lose my customer data." [17:47] "If you think customer data was accessed and was stolen, you have to treat it as if it was." [18:14]
"Customer data is almost always worse... what we do isn't super secretive... I think losing customer data is the worst scenario all the time." [20:11]
"I'm tired of almost every argument... because they come down to refusing to admit that your security system is weak and you're going to blame the user." [21:21] "What I'd love to hear more about is user training that is actually focused on giving them skills to do their job, not that's focused on awareness." [21:58]
"I've heard enough about user training, period. ...It's smarter to put dual factor authentication and stop untrusted software running and do sensible things like that." [22:08]
"The training should not come from the security team, it should come from the CEO... If you get something, go ask your boss." [24:01] "For any control that you think you have implemented across the enterprise, you tell the employees that if they ever see a deviation, that they should come tattle on the system owner." [27:13]
"Pick five things, train them on those, and accept the rest have to be dealt with by good IT systems and processes." [23:31]
"I think of this as a skill rather than a role... the people who are engaged in talking to other humans... should understand behavioral psychology." [31:27] "Everybody needs to understand how human psychology works, how people react, how they're making decisions. It can't just be one person on your team." [32:53]
"I don’t think it’s a role. I think it’s a skill, full stop." [33:05] "Stop trying to use magic and deliver tangible security and secure systems." [33:42]
"When you buy hardware, you tie yourself into a fixed life of that hardware, and upgrading it becomes very problematic." [06:48]
"I'm tired of almost every argument I've seen in this space because they come down to refusing to admit that your security system is weak..." [21:21]
"I would say, do not wire somebody money over X amount unless you have called the public number of record and spoken to the department to confirm the bank details." [24:50]
"Why do we tell you about a risk? Because we want you to believe that you have a higher risk profile than you currently do because risk homeostasis will cause you to take some action to reduce risk." [31:27]
"There is no magic to this.... stop trying to use magic and deliver tangible security and secure systems." [33:42]
"ThreatLocker offers a lot of security in our platform, the most important of which is block untrusted software. Allow what you need, nothing else. Period." [35:47]
This episode champions security leadership that focuses on pragmatic, business-aligned solutions. The hosts and guest debunk the illusion that legacy systems can be fixed indefinitely, instead urging a shift toward flexible, updatable SaaS and software-based security. User training should be concise, tailored, and directly tied to business-critical risks—supplemented by robust IT controls, not replaced by user vigilance alone. Finally, the team points to behavioral insight as an imperative skill—but not a standalone job—within the modern security organization.
For security leaders: Focus on what would cripple your business, simplify your security messaging, keep your controls tangible, and always pre-notify authorities before going “Red Team” on your own property.
Visit cisoseries.com or ThreatLocker at threatlocker.com.