CISO Series Podcast: "Fix it? Let’s Just Get Rid of It."

Date: February 18, 2025
Hosts: David Spark, Andy Ellis, Mike Johnson
Guest: Danny Jenkins (CEO, ThreatLocker)
Sponsor: ThreatLocker

Episode Overview

This episode dives into the pros and cons of traditional "fix it" security approaches versus simply retiring problematic systems and processes. Security leaders—David Spark, Andy Ellis, and guest Danny Jenkins—unpack recent real-world events and emerging security philosophies. Expect practical advice for trade shows, perspectives on rip-and-replace responses to vulnerabilities, operational versus capital expenses in security, improved pen test communication, the role of user training, and a look ahead at the potential for social sciences in infosec.

Key Discussion Points & Insights

1. Trade Show Tactics That Work

• Unique Swag as Engagement:
  • Andy Ellis advocates for memorable booth mascots:

    "Bring a stuffed animal... something that's unique and personal and relatable for your brand." [02:41]

  • Physical mascots (e.g., George the Penguin for Akamai) help brands stand out and increase engagement.
• Big Ticket Giveaways (in the right context):
  • Danny Jenkins shares outsized ROI from giving away Hummer EVs at MSP-focused events:

    "We tripled our ROI on the show with one Hummer EV giveaway each time... But it won't work at a show like Black Hat because you can't give away a Hummer to a CISO because they become conflicted." [03:56–04:11]

2. When 'Fix It' Fails: The Reality of Forced Upgrades

• Barracuda Case—Rip and Replace Instead of Patch:
  • Discussion centers on the Barracuda Networks incident where a zero-day rendered hardware obsolete.
  • Andy Ellis:

    "First of all, we do have to accept that sometimes you just have to end of life a device... The challenge is when it has to get ripped out, not on a schedule you control because there's a vulnerability tied to the hardware." [05:22–05:29]

  • People are unprepared for unscheduled, forced hardware retirements—underscoring the need for flexibility.
• Move Toward SaaS and Subscription Models:
  • Danny Jenkins:

    "We're in a world of subscription based security now... your only solution is to get a new piece of hardware. Where possible, use software based services or SaaS based services even better." [06:48–07:46]

  • SaaS models protect both customer investment and vendor innovation.

3. Pen Testing Gone Wild (and How to Avoid Chaos)

• Pen Testing Mishaps:
  • Danny recounts an incident where a WiFi Pineapple was dropped onto his company's roof via helicopter—only for police to think it's a bomb:

    "When you drop a wifi pineapple onto the roof from a chopper, it causes chaos with the police force because someone thought it was a bomb." [10:22]

  • Main lesson: Always alert authorities before physical security testing.
• Building Positive Law Enforcement Relationships:
  • Andy Ellis:

    "Alert the police, before you do a pen test. ...The owner of the building should have contacted the police." [12:10] "You just build this relationship with your local police force partly so they know who you are and they care a little bit more about your building." [13:13]

  • Discussed regular engagement with the police, especially for critical infrastructure and community buildings.

4. What’s Worse? Game: Delayed Data Breach vs. Active IP Exfiltration

• Scenario A: Discovering a data breach three months later, with sensitive customer data involved.
• Scenario B: Detecting a live attack exfiltrating intellectual property.
• Both Andy and Danny prefer scenario B; immediate detection is key, and customer data loss is generally worse than some IP theft.
  • Andy Ellis:

    "I would always rather lose my IP than lose my customer data." [17:47] "If you think customer data was accessed and was stolen, you have to treat it as if it was." [18:14]

  • Danny Jenkins:

    "Customer data is almost always worse... what we do isn't super secretive... I think losing customer data is the worst scenario all the time." [20:11]

5. The Problem with User Training

• Overload and Ineffectiveness:
  • Most user training is seen as excessive and largely ineffective.
  • Andy Ellis:

    "I'm tired of almost every argument... because they come down to refusing to admit that your security system is weak and you're going to blame the user." [21:21] "What I'd love to hear more about is user training that is actually focused on giving them skills to do their job, not that's focused on awareness." [21:58]

  • Danny Jenkins:

    "I've heard enough about user training, period. ...It's smarter to put dual factor authentication and stop untrusted software running and do sensible things like that." [22:08]

• The 'Top Five Things' Approach:
  • Favor targeted, memorable training over comprehensive, generic mandates.
  • Example (from both Andy and Danny):
    1. CEO will never ask for something unusual via email/text.
    2. CEO will never ask for gift cards; report such attempts.
    3. For finance: Never wire large sums without independent, validated confirmation.
    4. Encourage user reporting when procedural anomalies appear.
    5. Move towards passwordless systems and strong IT process enforcement.
  • Andy Ellis:

    "The training should not come from the security team, it should come from the CEO... If you get something, go ask your boss." [24:01] "For any control that you think you have implemented across the enterprise, you tell the employees that if they ever see a deviation, that they should come tattle on the system owner." [27:13]

  • Danny Jenkins:

    "Pick five things, train them on those, and accept the rest have to be dealt with by good IT systems and processes." [23:31]

6. Future Cyber Roles: Social Science and Beyond

• Behavioral Psychology and Economics in Cybersecurity:
  • Discussion on whether roles like "cybersecurity behaviorist" or "cybersecurity economist" will become mainstream.
  • Andy Ellis:

    "I think of this as a skill rather than a role... the people who are engaged in talking to other humans... should understand behavioral psychology." [31:27] "Everybody needs to understand how human psychology works, how people react, how they're making decisions. It can't just be one person on your team." [32:53]

  • Danny Jenkins:

    "I don’t think it’s a role. I think it’s a skill, full stop." [33:05] "Stop trying to use magic and deliver tangible security and secure systems." [33:42]

  • Both emphasize that social science knowledge should be a security team skill, not a dedicated job.

Notable Quotes & Memorable Moments

• Danny Jenkins (on hardware obsolescence):

  "When you buy hardware, you tie yourself into a fixed life of that hardware, and upgrading it becomes very problematic." [06:48]

• Andy Ellis (on user training):

  "I'm tired of almost every argument I've seen in this space because they come down to refusing to admit that your security system is weak..." [21:21]

• Danny Jenkins (on phishing):

  "I would say, do not wire somebody money over X amount unless you have called the public number of record and spoken to the department to confirm the bank details." [24:50]

• Andy Ellis (on psychology in security):

  "Why do we tell you about a risk? Because we want you to believe that you have a higher risk profile than you currently do because risk homeostasis will cause you to take some action to reduce risk." [31:27]

• Danny Jenkins (on tangible security):

  "There is no magic to this.... stop trying to use magic and deliver tangible security and secure systems." [33:42]

• Danny Jenkins (closing):

  "ThreatLocker offers a lot of security in our platform, the most important of which is block untrusted software. Allow what you need, nothing else. Period." [35:47]

Key Segment Timestamps

• Trade Show Advice: [02:41–04:39]
• Rip-and-Replace Security (Barracuda): [04:44–09:16]
• Pen Test & Police Coordination: [09:22–14:48]
• What’s Worse Segment: [16:11–20:28]
• User Training (Top Five Things): [20:57–29:54]
• Role of Behavior, Social Science in Cyber: [30:32–34:38]

Summary

This episode champions security leadership that focuses on pragmatic, business-aligned solutions. The hosts and guest debunk the illusion that legacy systems can be fixed indefinitely, instead urging a shift toward flexible, updatable SaaS and software-based security. User training should be concise, tailored, and directly tied to business-critical risks—supplemented by robust IT controls, not replaced by user vigilance alone. Finally, the team points to behavioral insight as an imperative skill—but not a standalone job—within the modern security organization.

For security leaders: Focus on what would cripple your business, simplify your security messaging, keep your controls tangible, and always pre-notify authorities before going “Red Team” on your own property.

For More

Visit cisoseries.com or ThreatLocker at threatlocker.com.