
Announcer
Biggest mistake I ever made in security. Go.
Ryan Barras
Okay. That might have started with taking the job. Besides that, I think maybe assuming that people actually understood the distinction between cybersecurity, the role, and IT in general. In addition to that, probably, you know, making assumptions that when you accept the job, there was a clear understanding of what budget you had allowed for hiring and for specific spending amounts.
Announcer
You're listening to CISO Series Podcast recorded in front of a live audience in Florida.
David Spark
Welcome to the CISO Series podcast. Yes, we are live in Boca Raton, Florida, at the Boca Raton Innovation Center for the South Florida ISSA Chili Cook-Off event, the 25th anniversary event. Let's hear it for this phenomenal group. My name is David Spark. I'm the producer of the CISO Series. And to my immediate left is my guest co-host for this episode. It is Brett Conlon, the CISO of American Century Investments. Let's hear it for Brett. Say hello to the audience.
Brett Conlon
How are you, everyone? Good to be here.
David Spark
All right, I also want to mention our sponsor. It is Dropzone AI. AI SOC analysts that never sleep. That's very attractive. We're going to talk a little bit more about that later in the show, but first I want to talk about where we are. We are at the Boca Raton Innovation Center. And what's really cool about this, Brett, is the very first IBM PCs were made here. I guess 1981 is when that happened. Do you remember your very first computer?
Brett Conlon
I do. Okay, so what was it? The HP Pavilion. And I think it had a CD player on it. Not a DVD player, but it did have a CD player on it.
David Spark
Was it like a 286?
Brett Conlon
386, I would say. I think the 386 was more expensive. So it was the least expensive one.
David Spark
Well, I'm going to one-up you because I'm going to date you in a big, big way. And I'm wondering where all the gray hairs are here. But mine was a TI-99/4A. And that is an old, old computer that we used to load applications via cassette tape. Have you ever seen that?
Brett Conlon
I have not. Not the cassette tape.
David Spark
No cassette. Literally, you would load it and you would wait minutes for the program to load.
Brett Conlon
I don't think I touched a computer before. The floppy drive, right? Then the floppy drive came out.
David Spark
This thing had, like, a cartridge for, like, video games, too. But if you wanted to do your own programming in BASIC, you had to load it via cassette tapes. Anyways, this place, it's pretty cool. The history here. And they have kind of like a mini museum all throughout. All right, let's get to introducing our guest, who's to your left and my left. He is the CISO for the Mount Sinai Medical Center, Ryan Barras. Let's hear it for Ryan.
Ryan Barras
Welcome, South Florida. Thank you. Thank you for having me.
Announcer
I tell ya, CISOs get no respect.
David Spark
Quote, A CISO does everything related to cybersecurity that nobody else in the company wants to do. End quote. Now, that's how our frequent co-host Andy Ellis defines the CISO role in a recent piece for CSO Online. And it captures why this is still the sentiment even 30 years after the first CISO was named at Citicorp. Quote, this relatively latecomer leadership role remains largely misunderstood. So by the nature of the title, CISOs are in the C-suite. But as, unfortunately, I think you guys know, they often lack any real organizational power, and responsibilities vary drastically between organizations. So some are seen as C-suite, some are not. But ultimately, here's what I want to know, and I'm going to start with you, Brett. Why is it important for people to understand what a CISO does?
Brett Conlon
So in my opinion, there's probably no greater threat to a company than a cyber threat at this point. If you look at the amount of loss, the amount of disruption, and what kind of damage it can cause, both internal and external to your customers, it is probably the greatest responsibility that exists inside of an organization. So to me, I think that sometimes we forget what we're actually trying to articulate to the leadership. And then also, we forget a lot that our job is to develop relationships. The higher you go up, your job is to develop those relationships, create those relationships, create that network, and have them understand why what you're doing is important to the organization. We naturally, as CISOs and cybersecurity professionals, jump into action and we just start doing because we want to get things done, but we don't take the time to look at what's the relationship I'm trying to build and what am I trying to solve here. If you take your job and try to explain it to your kids or your parents, they'll glaze over. So try to look at them as your audience and say, what can I do to explain this so it makes sense and build that relationship?
David Spark
Ryan, I'm going to throw this to you. That's a really interesting point, that a good portion of your job is relationship building. Would you agree?
Ryan Barras
Yeah, no, absolutely. I mean, we're facilitators, right? I mean, I think a lot of organizations make the mistake of seeing the CISO as the police officer of the organization. You know, more often than not, I'm trying to convey the message to folks that, look, we're basically security as a service, right, to the organization. Now, sometimes you come with a stick, right? We're a mandatory service, but for the most part, we're a service to the organization. We're trying to add value from my perspective, and it's a slightly different angle than most CISOs. I mean, I spent the first half of my career on the economic development and business development side, and then I slowly transitioned into IT and IT security. What I found is, and I give presentations in front of students a lot, and I usually tell them, look, if you're the type of person that likes to take things apart and figure out how they work and put them back together, you have the right mindset. You've got to be inquisitive as a security professional. Because ultimately, as a CISO or someone in security, you often need to understand the organization better than the folks that are actually doing the work. You know, we have to understand the culture, we have to understand the breadth of the business, we have to understand the risks, we have to understand IT. We have to understand the vendors. There are very few disciplines that I believe exist out there that are as broad as IT security.
David Spark
But let me ask, because the question is really important of why people need to understand what you're doing, and part of them understanding is you being able to communicate it well. But we always talk about, well, you really need to speak the language of the CFO, speak the language of that. But there isn't that feeling that comes back. I would just ask, what would you want your C-suite to know about your role? If they knew this about my role and looked at me this way, everything would run smoother.
Brett Conlon
Yeah, I go back to what I said earlier, which is they need to understand that we're here to protect them from what is the greatest risk out there to their company and how that impacts not only their computers, but the operations that they run on and the trust that they've built with their customers. And I think once they understand that, and they understand that as you're telling them and not using any technical jargon, and part of that is also showing them that you do understand the business, that you do understand what you're protecting and what drives revenue and where their customers come from. So they can see that you've taken time to learn their business, and then they start listening, and now they know what you're actually protecting them from.
David Spark
Well, I mean, it sounds like you just want to be brought into, and correct me if I'm wrong, Ryan, every risk conversation there is. Yes?
Ryan Barras
I don't know if it would have to be every risk conversation. But I think the bottom line is, what a CEO wants to know is, what is the business impact? How is it going to impact the bottom line? When you can speak in those terms, when you can explain them in layman's terms so that they understand what the immediate impact of the work that you're doing actually is, I think that's where you're going to be successful. That is not always easy to do. How do you translate hundreds, sometimes thousands of vulnerabilities that you're trying to address into business impact? Right. Necessarily resonate. How do you even explain the concept of vulnerabilities in IT systems to someone that's maybe technology agnostic? Right. That's a challenge. But I think really conveying what that business impact is and what we're doing to ensure business continuity and revenue continuity.
Brett Conlon
So let me just add to that real quick. I'm just going to say, because I've used this example quite a bit when we talk to our board and stuff, but we talk about vulnerabilities, and that's what we typically hear about. Here are the vulnerabilities, here's what you need to address, here's that. But if you have a conversation, so let's say you're talking to the Starbucks CEO and you let them know that there's a high probability that your point of sale systems are going to go out, will be disrupted for two days, you won't be able to sell any of your product, and the mobile application will be down. So that's going to equate to X amount of dollars in revenue. Now he wants to know, well, how would that happen? And that's what the conversation needs to lead with. That's what they care about.
David Spark
Wait for our What's Worse scenario coming up soon.
Announcer
What's it going to take to get them motivated?
David Spark
Quote, definitely one of the biggest challenges in our industry is figuring out incentives for the critical stuff that aren't business problems, end quote. That was said by Ross Haleliuk of Venture in Security, who was actually quoting Adrian Sanabria of the Defenders Initiative. Haleliuk goes on to say, quote, industry problems are serious technical, philosophical and operational challenges, citing examples such as memory corruption, vulnerabilities in different protocols, insecure Bluetooth pairing, and formal verification of code. So a good telltale sign that it's an industry problem is you'll hear someone say, quote, there needs to be. You know, you've heard this line before, which essentially means somebody else should figure this out because it's holding me back and I see no financial incentive to fix it myself. So I'm going to start with you, Ryan, on this. How do you check if you're worrying about a business problem or an industry problem? And if it is an industry problem, what are the possible motivations to get the industry to move in the right direction? I'm going to say it's either new regulations or even more regulations. What do you think?
Ryan Barras
So that's a great question and there's no easy answer to that question. So let me kind of unpack that a little bit. So if we go back to determining if this is a business or an industry problem, it really depends on the problem itself. Right? So let me give you an example. Actually, I could even ask for a show of hands here. Who's here has heard of the year 2038 problem? Okay.
David Spark
Actually six hands went up.
Ryan Barras
Yeah, yeah, that's actually more than I expected. So believe it or not, guys, we're about to relive Y2K all over again in the year 2038. Now, most of us don't know about this, right? I would say that this is probably an industry problem, right? And I won't go into too many details here, but essentially it's very similar to the Y2K problem with 32-bit-based systems. Now, how do we address that if it's an industry-based problem, looking for a solution? I think forums like this, right, we go to the associations like ISSA or ISACA or ISC2, or we basically push for conversations, we push for presentations, we have open dialogue, and we decide, okay, as a group, how do we move this forward? I don't think regulation factors into this item at all, this specific item. Now having said that, my background is, I was raised in a European country that was very regulatory, and I have to admit my bias is towards regulation because I've seen it work. Having said that, I also don't believe in overregulation, but I think there's a place for regulation, but it's not going to fix all of our problems. Like, you know, this Y2038 problem, hopefully AI solves it. But AI is another example of a problem that, yeah, it's specific to my organization, but also to the industry. So I know that's a bit of a broad answer. I'm not sure if it's entirely what you're looking for.
David Spark
But you brought up a really good issue. So what do you think? Industry problems, how do you spot them? And I mean, how can we move the industry so we're not all held back from it?
Brett Conlon
Yeah, I want to agree, actually. I don't think regulation is going to help. And I'll cite health care as a great example. Heavily regulated industry. Look at how many breaches they have. Right. And so now you have an industry problem. Why aren't they able to do something? And then, since we have silenced most of the vendors, I'll pick on the vendors a little bit. The industries have certain needs, but the vendors don't always look at what the need of the industry is. It's more around, look at what my product does, and I want to sell that to you. So they think that they've captured a need in the market. And sometimes they have. But if you look at industry problems as a whole, you're going to find out that what a manufacturing company has to address versus what a healthcare company has to address versus what a financial company has to address differ. All regulated; manufacturing, maybe not so much, but definitely health care, definitely finance. The vendors don't really tailor their solutions by the industry, and if they do, they're going to go after what's the most profitable industry. So to me, what would be great is to find a way to sort of almost reverse a conference like this, where the vendors are here to listen to the industry's problems, where they're struggling, and then see if they can take that back and where they can help. I think that would actually be probably one of the most beneficial things that we could do.
David Spark
I like that.
Announcer
Who's our sponsor this week?
David Spark
Here's a scenario every SOC manager knows. A credential theft alert fires at midnight. Your skeleton crew is juggling 15 other investigations. That alert sits untouched until morning, giving attackers hours to establish persistence. Now, what if that changed? Dropzone's AI SOC analyst works like having your best analyst on duty 24/7. The moment an alert hits, it starts investigating. Pulling user activity, checking authentication patterns, analyzing file access, building the complete story. No playbooks to maintain, no custom rules to break when attackers change tactics. It learns what's normal in your environment. Now, while your team sleeps, Dropzone handles routine investigations and delivers detailed reports by morning. Real threats get escalated immediately. False positives get closed automatically. Your team wakes up to actionable intelligence, not an overwhelming backlog. So are you ready to stop playing catch-up with attackers? You gotta go visit Dropzone. Go to dropzone.ai and see for yourself. That's Dropzone spelled like it sounds: D-R-O-P-Z-O-N-E dot A-I. And when you go there, let them know that you heard about them from the CISO Series.
Announcer
It's time to play What's Worse.
David Spark
So we have been playing this game What's Worse since we started the show over seven years ago, and it is our most popular game, What's Worse. And it pretty much plays the way it sounds. I'll give you two scenarios. These are sent in by our audience members. I'm going to give you two scenarios and you're going to have to tell me which one's worse. And there was a little bit of a tease to this in something you said, Brett, earlier in the show, because you kind of alluded to what the What's Worse scenario is, even though you don't know what it is. Okay, all right. They don't know what it is. These are all a surprise. All right, this comes from Azran Bogovac of Generic. And let me set up the overall scenario first. It's Black Friday. You run a major e-commerce platform. The site is up, orders are pouring in, and revenue is at its peak. You're in a change freeze for the next few weeks, and the business is focused on stability above all else. Your security team detects a critical vulnerability in your stack. It's starting to gain attention on X and in security circles. You investigate and confirm that the vulnerability is being exploited in your environment. A small number of fraudulent orders have been placed, and less than 1% of customers may have had their PII or PCI data accessed. Your team puts a WAF rule in place to slow the activity based on available signals, but it is far from full mitigation. All right, here are your two scenarios. Scenario one: you break the freeze, you take the site offline, and you patch the issue. That stops the attack. But in just those 10 minutes that you needed to do that, millions in revenue is lost for the business, and you actually cause major friction with the business. That's scenario number one. Now, scenario two: you keep the site running to protect revenue and stay within policy, but you knowingly allow the attacker to continue limited exfiltration of customer data. Which one is worse?
Brett Conlon
So I'm going to say hypothetically, I would say taking the site down would be worse.
David Spark
Okay, why is that?
Brett Conlon
Well, I think you have to look at it.
David Spark
I like how you stress hypothetically. This is not my thing hypothetically.
Brett Conlon
And I'm going to put a CEO's hat on. I think you have to look at what's the overall revenue damage, right? Because remember, your revenue is powering not just your site and the money you're making off customers, but this is what drives your business, your employees, their benefit, all that stuff. So to me, I think you have to look at it from the perspective of we might have a few people that have their identities compromised and we're going to help them out with that. But overall, we want to keep the revenue going so that we can make sure our business is operating and we can pay all these employees who are working very hard.
David Spark
All right, so focusing on the business, do you agree or disagree? Scenario number one, where you take the site offline, lose a lot of money, and you got friction with the business, is that the worst scenario or not?
Ryan Barras
Actually, I actually go for the other scenario. I think the other scenario is worse just simply because you don't know what you don't know, and the attack is still ongoing. And you not only have to think about the actual damage that you might be incurring at that moment, but also the fallout. You know, think of legal, think of the ramifications after the fact. You don't know the extent of what that means and what the fallout's going to be on that end. And that could, you know, that could far exceed the revenue that you're losing in scenario one.
David Spark
All right, we have a split decision here. I'm going to send this to the audience right now. I want to know from the audience, which one do you think is worse? By applause. Just applaud, again, for worse. Not the one you like, not the one you choose, but the one that would end up being the worst scenario. Scenario number one is you break the freeze, take the site offline, lose millions, and the business is annoyed with you. By applause, how many think that's the worst scenario? Only about five or six. Not a lot of people are with you on this. All right, but scenario number two, keeping the site running to protect revenue and stay within policy, but knowingly letting the attacker go out with the data. How many people think that's a worse scenario? And I will just say, and I can look at the entire back, some of them are not playing the game. They did not applaud for either one of them.
Brett Conlon
Well, I noticed that too. And I saw a lot of people back there that just raised their hands in support of me. They just didn't want to clap. See, there you go. Yeah, so I win.
Announcer
It's time to play a brand new game.
David Spark
All right, I'm very excited. You are all in luck because we have yet to play this game in front of an audience. It's such a brand new game, we don't even have a name for it yet. But I'm going to describe what it is, and it's a fun game, and you're all going to get to play along as well. We went to RSA and we asked a bunch of security professionals a number of questions. We're going to play four rounds of this. What you're going to hear is three different voices answering the same question. So you're just going to hear the answers. What you have to do, and essentially wait till the clip finishes, what you have to do is try to guess what was the question they were asked that they're answering. If you can't get it, we throw it to the audience. All right, here comes the first one. Remember, it's three voices. Wait till all three answer and then jump in if you think you know the answer. Communication, understanding what the team is going through and being able to balance or socialize that with leadership, empathy, innovation, and a really broad understanding of the business.
Ryan Barras
Determination, perseverance, and thick skin.
David Spark
What was the question?
Brett Conlon
What makes a good cybersecurity professional?
David Spark
Kudos. Good job on that. I'm impressed. All right, you jumped in. You got it. All right, let's go to the next one. It's cybersecurity's department of no. It is the end-all, be-all. Once everything's in place, you're good to go. It's the user's fault. More data equals better security. All right, you want to guess what this is? Ryan, you think you know what the question was?
Ryan Barras
I'm drawing a blank. I'm not really sure of this one right now.
David Spark
Brett, you think you know what it is? I'm going to go to the audience. If you can't get this one, what.
Brett Conlon
Is the reason that the breach occurred?
David Spark
Anyone think they know what the answer is? Yell it out. What do you think? What are some misconceptions of cybersecurity? That is correct. Yes, sir. All right, very good. All right, round three. Okay, so right now we've got one for Brett, zero for Ryan, one for the audience. Here we go. Next one.
Brett Conlon
My job is to help keep you safe in a digital world.
Ryan Barras
I try to help so that bad.
David Spark
Guys don't take what is yours.
Ryan Barras
I'm always picking up somebody else's money. Mess.
David Spark
I help protect organizations against bad guys.
Ryan Barras
What does a cybersecurity professional do?
Brett Conlon
What do they sound like?
David Spark
Hold it. That is half correct. I'm going to make you. There is. I'm going to just say, who is the audience?
Brett Conlon
God, I hope it's not the board.
David Spark
No.
Brett Conlon
You're trying to explain it to kids.
David Spark
Yes. Correct. Yes. Explaining to a kindergartner. Very good. All right, good job. Two for Brett. All right, this is last one. Here we go. One of those slippy things that you.
Brett Conlon
Grab and they slip out of your hand immediately.
David Spark
Stuff that you have to carry through TSA. Electronic gizmos that look like they're a bomb or something like that.
Ryan Barras
PAM spray cans for a privileged access management vendor.
David Spark
What do you think that is?
Brett Conlon
Networking after having a lot of drinks at a social event?
Ryan Barras
No. Ryan, what are the available solutions cybersecurity works with?
David Spark
No. Anyone? Anyone think they know this one? Stuff? No.
Brett Conlon
Is this swag you get from vendors?
David Spark
Okay, yes, swag you get from vendors. But one little element at DEF CON. Well, no, swag you get from vendors. But listen to how they were talking in that clip. Here, I'm gonna play it one more time. One of those slippy things that you.
Brett Conlon
Grab and they slip out of your hand immediately.
David Spark
Stuff that you have to carry through TSA. Electronic gizmos that look like they're a bomb or something like that.
Ryan Barras
PAM spray cans for a privileged access management vendor.
David Spark
Who said worst? Yes, worst swag from vendors. There you go. Good job, audience. So it's a tie for high score between Brett and the audience. Good job for both of you.
Announcer
You couldn't have done better than that.
David Spark
All right. I have witnessed many poor panel sessions, and I've complained a lot about this on the show. My biggest pet peeve, and I hate to say I saw it happening today, is moderators who ask the panel to introduce themselves. And before you ask me why that is so horrible, please name one talk show host, radio or TV, that has ever done it. There's a reason they don't do it. It's not that professional. So that's my pet peeve, and I'm going to throw this first to you, Ryan. I'm eager to hear from you as to what's a red flag warning that you're about to watch a really bad panel session? And conversely, I'd like to know, what have you seen that makes a panel session really fantastic?
Ryan Barras
So I think the answer to that is really knowing your audience, right? Do the panelists understand, do they speak the language of the audience? Are they going to stand up there and speak at a technological level that doesn't resonate with the audience? Are they going to stand up there with a bunch of dry spreadsheets? How are they going to engage the listeners? I think that's really the key to successful panelists. Probably the worst one I've seen is where I attended a panel where one of the panelists was insulting the people in the audience. People started walking away.
David Spark
I want to know the details. Walk me through that. What happened?
Ryan Barras
It was a discussion, actually, it's somewhat political. It was back in the Netherlands. We had a panelist who basically was insulting folks that were immigrating into the Netherlands. And people were walking out, and they left.
David Spark
By the way, I've watched Larry Ellison, the CEO of Oracle, do that. I've watched him insult the audience.
Ryan Barras
Well, believe it or not, he can.
David Spark
Get away with that.
Ryan Barras
I think this particular panelist was actually assassinated a few years later in the Netherlands. It was quite shocking, but he was a very confrontational type of personality. So that kind of took a left turn to that question. But, yeah, that was definitely a panel that went wrong.
David Spark
Well, yeah. Well, yeah, try not to insult the audience, but. Okay. So what are pet peeves you have for panel discussions, and what sort of excites you? What is a panel session when it does really well?
Brett Conlon
Gosh. So a pet peeve of mine is when the moderator, so the moderator's there to facilitate the conversation. So if you're having good conversation, then let it go. But when the moderator basically takes all the questions and then starts answering them before they've asked the panel, that makes it tough. And then I would say I really enjoy panels where either they know each other or they've done it before. And then they obviously are very comfortable with each other on the stage. I think those are some of the most fun panels, where everyone sort of lets their guard down. They trust the other person that's on that panel, and you can have a good time with that.
David Spark
Well, and you bring up a really good point right there. What I think is really good for a moderator is they make it clear, you know, welcome to the David Show. I brought Brett and Ryan here. I'm glad that they're here. And this is why I don't like the introductions, because it makes it clear to the audience you barely know who these humans are. If you know who somebody is, you introduce them. You know, that's kind of how we operate in life. And so it's always good to. It makes a person feel good about being up on stage. And it's always better for me to introduce Brett than for him to say, you know, his resume on stage or whatever it is. I mean, it just comes off better and makes the person feel good and sets a good tone as well. What about other things that you've seen, like, you know, the closing for the show or how they get the audience more involved in a panel session? What do you. What is kind of exciting?
Ryan Barras
I think the engagement, I mean, like you just did a moment ago, you involved the crowd with some of these questions, with the game. I mean, you know, the activity and, you know, again, just the true engagement and participation of the audience is generally what I've seen is the most successful formula for a panel discussion.
Brett Conlon
Yeah, I'll double down on that. We were in a panel overseas, and it was the whole day of just us coming up and talking at the audience. And they were from all different industries, from all different countries within the European areas and the Asia areas. And they all have different needs. They're all at different technologically advanced stages in cybersecurity. And so we went back to the moderator and said, well, if you want us to come back next year, we want to do like an ask me anything. We'll sit up there and they can ask anything they want and we'll take the questions. It was so popular. We filled up a room this size. It went over time. They gave us another slot and they came back. And to me, whenever you have that good back and forth dialogue, then now you have people who are actually getting their questions answered. And then what happens is someone actually asks a question that the other person really wanted to know about, but they felt embarrassed to ask. And everything just gets better from there.
David Spark
By the way, a sort of twist on that technique that I like to do, and I've seen others do, is they don't wait till the end of the session to take questions. The reason being, sometimes things come up in the middle of the session like, no, I gotta ask the question now because of something Ryan just said. And so I always like, you know, hey, if you've got a question, raise your hand at any time during the session.
Announcer
What's a CISO to do?
David Spark
CEOs should be asking their CISOs. Remember when I said, what do the others need to know about you? But CEOs should be asking their CISOs, quote, tell me what I don't know and should be doing, and, quote, make me look good. And this was the advice Nick Ryan, who's the BISO at RSM, suggested. So an ideal CEO-CISO relationship means the head of the company is looking to you, the CISO, as a risk advisor. We talked about this earlier, so I'll start with you, Brett. How can a CISO best address these two questions from a CEO? I think these are two good questions, and I'll say them again. Tell me what I don't know and should be doing. This is what the CEO is asking. And make me look good. How can the CISO make the CEO look good?
Brett Conlon
Yeah, so I'm going to answer this also from the perspective of most of you here probably not reporting to the CEO. So I'm going to also give you things not to do, which is, this is not your moment to go say, here are all the things that you need to know about that aren't getting escalated up or that I want you to know about. Right. That's not what he's asking or she's asking. What the CEO is asking is really to understand the landscape and how it affects their industry. Give them a good sound bite for something related to maybe even their business and what you're doing about it. And that is really what they want to know at that point in time. So again, if you're not reporting to the CEO, now is not your time on that question to say, here are the things that are going on. But if you do have a good relationship with them, it really should just be an ongoing reiteration of, here are the things that exist in our industry, here are the things that exist within our company, and here's what we're doing about it. And then if there are any innovative areas, or areas that you feel you're groundbreaking in or that you're really leaning in on, that would do well for that company and the position it's in for the industry, then let them know about that.
David Spark
Let me ask you a follow up question. Have you ever had a CEO relationship and you don't have to tell me present or past, but where you kind of had that communication and then you watched them communicate security issues to somebody else. Have you ever seen that?
Brett Conlon
Not directly. Not where they were trying to act as if they played my role per se.
David Spark
No, but like give a high. Like, you know how sometimes you will introduce someone and give a high level explanation. Like, you know, Brett explained to me this, this and this about security. Brett, you could continue on like they can sort of give the Cliff notes version.
Brett Conlon
Yes, 100%, that's right.
David Spark
And you've seen and they do it effectively.
Brett Conlon
Yeah, I would think so. I mean, as long as it's not too lengthy and it's pretty short and concise, they do a very good job. Yeah.
David Spark
Okay, so that means great between you and the CEO. Great. All right, I'll take this to you, Ryan. Again, the two questions are: tell me what I don't know and should be doing. That's the CEO asking the CISO. And make me look good.
Ryan Barras
So let me start by answering the second question first. I think first of all, it's my job to ensure that the CEO does look good in the same way that I feel it's also my job to make sure that my team looks good. If my team looks good, I look good by default. If I'm making my CEO look good, then I'm doing a good job in my role. I think the best way to answer the first question, tell me what I don't know, is to take a holistic approach to the question. Right. Because a lot of times as CISOs or even CIOs, we find ourselves really pegged in a specific corner that we're thinking purely along the lines of technology and IT. Right. But a lot of the problems and a lot of the, I would say even processes that we deal with are often embedded in larger organizational processes and a CEO, to make the CEO look good, you basically need to answer that question, addressing issues that exist within the context of those larger problems of the organization. So give you a simple example. Who here deals with TPRM? Third-party risk management, everyone. Right? Right. And I think we all know that, you know, there's no silver bullet for that process, but really the TPRM process really rolls up into a piece of a procurement process, which should be an organization-wide approach. Right. You should have a centralized procurement process of which security is just a part of it. So in answering that question to this, to the CEO, you need to be addressing these issues from an organization-wide approach while you're highlighting the issues that you're trying to correct on your end. That's my take.
David Spark
All right. Similar to all this, and I'm sure you have heard this before, and I'm interested to know how you answer this. When a CEO comes to you and says, are we secure? How do you answer that question? Brett?
Brett Conlon
Yeah, I think that you have to be honest with them on where you stand and just sort of bring it back to here's where we're doing really, really well, and here's where we're focused on in the areas that we're improving.
David Spark
They want a yes to that question. I mean, you can't give that to them.
Brett Conlon
So hopefully what you should be able to say is, I feel really good about the position we're in. Or you should be able to say something of, you know, I do have some concerns and we're addressing them and here's how we're doing it. Just, just remember, and I can't stress this enough, even if you're reporting to the CEO, it comes back to the relationships. But as any leader, even yourself, you're not looking for someone to come bring a bunch of problems to you. So it's not the opportunity to come and say, here are all the problems.
David Spark
Right.
Brett Conlon
It's more around. The question is, are we secure? You have to be honest with them. But you can say, you know, yes, we are, or we feel really good about the position we're in and we have investments here, here, and here. Or you could say, we're definitely playing some catch up in these areas, but we're making as much progress as we can. And then let them bring the conversation further than that.
Announcer
It's time for the audience question. Speed round.
David Spark
All right, this is our last segment and I have in my hand a series of index cards. I have had conversations with many of you today, and I asked you for questions for my guests up here. They have not seen these, so these are all going to be surprises. Give me quick answers so we can get through as many of these as possible in the little time that we have left. All right, this one I thought was interesting. So this actually, Donnie Stromf of Good at Marketing has actually done this. So he wants to know this question for people who are vibe coding and have created spectacular apps of. Donnie is, like, really impressed what he's created, but he is now realizing he is now a sitting duck with no security. What would you suggest their first step be? To put some security on this spectacular app that they created even though they have no development experience. Ryan.
Ryan Barras
So, and this is a. This is an outside vendor that, that.
David Spark
This is just someone who's created an app.
Ryan Barras
Oh, created an app?
David Spark
Yeah. They haven't necessarily connected to you or anything like that, but just I've got this great app and I vibe coded and I have no development experience. I'm a sitting duck waiting to get attacked. What do you suggest? First step?
Ryan Barras
So the first step, I would subject it to a scripting review. Right. Essentially you'll review the code, understand what the application does.
David Spark
Who should he go to for something like that? Because he's no he just did this by himself.
Ryan Barras
I would defer to an outside party.
David Spark
So you got to look for a consultant at this point.
Ryan Barras
That's probably what I'd say, but probably want to better understand the ins and outs of the app.
David Spark
All right. Your advice?
Brett Conlon
Yeah. I mean, if you're really trying to launch something that's going to consumers, then.
David Spark
You got to have someone take a look at it.
Brett Conlon
You do. If you are just sort of messing around with something, use AI. See what happens.
David Spark
All right, this one comes from Tyler Peters of Lynx Security. I'm just interested to know what type of cybersecurity marketing do you actually respond to? Is there a kind of cyber marketing you have a positive response to?
Brett Conlon
For me personally, I would just appreciate someone coming in if they want to introduce themselves to me as a person, not a vendor, that would be great. You don't have to sell me on anything. You're just developing that relationship and you're creating the relationship. Same thing goes with VARs coming in and saying, here's what you know about me and here's what you know about the business and here's how you can help me. Yeah, I'll just tune it out.
David Spark
All right. Is there a type of marketing?
Ryan Barras
No. I actually agree 100% with that. In fact, I recently had a discussion with a vendor where we spent about 45 minutes an hour during lunch talking about everything but the application and the offering. And we got to know one another, and it was. It was a really intriguing conversation.
David Spark
This sounds more like sales than marketing, though.
Ryan Barras
Right? Right. But it was more than that. It was relationship building. Right. And the thing is, from a vendor perspective, we only have this amount of time. Right. And that time you need to use effectively. And you can only spend that time looking at items that solve a solution that you're working with at that moment that fit within the budget, that fit within the needs of the organization, and that will not, more than likely not happen overnight.
Brett Conlon
Right.
Ryan Barras
I mean, it's a lengthy process, unfortunately. I always have to tell our vendors. It's. It's. It's a marathon, not a sprint.
David Spark
All right, you are both wrong. The correct answer is valuable research reports. All right, what is from Castor Morales? What is AI going to do to your staff?
Brett Conlon
I think we're in the hype cycle of AI, but I think it will augment my staff. So I think it's definitely going to help the staff out, and I think it will get certain things that are time consuming and tedious, and it will help speed those up.
David Spark
Okay, I agree.
Ryan Barras
And I think it's going to level up the skill set.
David Spark
All right. From George Antonio of Lean University. This is great. You're in health and also in finance over here. How do you keep up with regulations in your specific industry and also, tagged to that, like regulations tied to IoT, how do you keep up with them?
Ryan Barras
For us, it's really a number of different ways. I mean, there's reliance on partners, there's reliance on industry insiders, there's reliance on sometimes on associations and co workers and colleagues in the industry. Keeping up with it. If we're talking about just staying abreast of what's taking place, then that's the answer we're talking about. Actually the actual execution of it. That's a whole different discussion. I mean, that's a resource allocation issue and that's a more difficult question to answer.
Brett Conlon
Yeah. I think you have certain industries, the ISACs are all there and they'll help you keep up with regulation. In finance, you have outside counsel that's responsible for helping you keep up with the regulations. It expands. I mean, there's so much regulation out there now. There's so much regulation in the US alone. The states have different regulations. And you go over to the globe and you've got European Union, Hasbro regulations. Right. EMEA has their own regulations, the Asia.
David Spark
Right. So how you're keeping up with it, you're leaning on others to do it for you?
Brett Conlon
Yeah, we lean on outside counsel. We lean on some industry experts that come and sort of talk to us about what those regulations are, the changing. And then the governing bodies of those will usually send out alerts, and we'll read those alerts and figure out what we have to do. And agree with what Ryan said, that the solving for it is very different than keeping up with it.
David Spark
All right, so last question. This comes from Ronnie Calix of Halion. Give me your top strategy to recruit top talent.
Brett Conlon
So we do have strong college partnerships. And so that's sort of how we bring them in. We do the internship pipeline and then really.
David Spark
And it doesn't, by the way, the question doesn't have to be specifically for green people too, just any top talent.
Brett Conlon
Yeah. So I will say I don't know how you would determine if they're top talent when they're out there, but we tell our team all the time that we want to create an environment where they enjoy working there and they like the environment and like what they're doing. And that's sort of how we bring in and recruit the top talent when they need to come in. So that's how I do it.
Ryan Barras
So for me, bringing in and, more importantly, retaining the talent, I believe is all about being vested in your staff. Right. And relationship building. And so I'll give you an example. Just yesterday, my team, the ones that are focused on forensics and e-discovery, they were looking to learn how to better their skill set. And so I reached out to my former team at my former organization, with which I maintain great relations, and they were willing to educate my current team. I thought that was a win that moment, right. To be able to reach out to folks that I've worked with in the past that were willing to educate my current team and bring them up to speed. And so I do try to create that environment where people are happy, enjoy their job. There's so much pressure in the IT security field. I mean, I try to mix it a little bit with humor. You know, on Monday mornings, the first order of business is asking the Gen Z guys on my team, okay, guys, what's the Gen Z word of the week? Right. That's how we start the week, right? You know, teach me something.
David Spark
All right, hold it. Teach us what has been the last Gen Z word of the week?
Ryan Barras
I think it was slay.
David Spark
Slay. And can you tell us what that means?
Ryan Barras
I think it means very cool. I did the job, you know, I'm slaying the job.
David Spark
You don't use that in normal conversation, do you?
Ryan Barras
No, no, certainly not in business conversation.
Brett Conlon
You could use it with the CEO. You tell them they're slang.
David Spark
Yeah, that would work.
Ryan Barras
Be worth a try.
David Spark
All right, that brings us to the end of this show. Let's hear it for my guests here. Brett Conlon over at American Century Investments and also Ryan Barras with the Mount Sinai Medical System. Correct?
Ryan Barras
Thank you, David.
David Spark
Yes. Both CISOs at their organizations. And also let's hear it for our sponsor, Dropzone AI. Remember, for 24/7 SOC analysts that will do the work for you, go check out what they're doing at Dropzone AI. D R O P Z O N E AI. Let them know you heard about them from the CISO Series. A huge thanks to the South Florida ISSA for bringing us out, and to Yosi for bringing us out as well. We greatly, greatly appreciate it. And to this amazing audience, this has been a phenomenal show. This is a two-day event. There's a whole other day of this which is going to be a hackathon. So I hope all of you come back for that. Thank you very much. Let's hear it once again.
Announcer
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website csoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series podcast.
Episode: How Much Risk Would a CISO Risk if a CISO Could Risk Risk? (LIVE in Boca Raton)
Date: December 16, 2025
Hosts: David Spark, Brett Conlon (CISO, American Century Investments), Ryan Barras (CISO, Mount Sinai Medical Center)
Sponsor: Dropzone AI
Location: Boca Raton Innovation Center, recorded in front of a live audience at the South Florida ISSA Chili Cookoff 25th Anniversary Event
This live episode gathers seasoned CISOs and security professionals to candidly discuss the misunderstood role of the CISO, business versus industry risk, bridging communication gaps between security and leadership, real-world decision-making, best (and worst) practices for panels, relationships with vendors, and strategies for talent and security challenges in an evolving landscape. Engaging segments include scenario games, practical advice, and lively audience participation.
The CISO's Job Is Broad and Often Misunderstood
“A CISO does everything related to cybersecurity that nobody else in the company wants to do.”
Building Relationships Is Critical
“The higher you go up, your job is to develop those relationships, create those relationships, create that network and, and have them understand why what you're doing is important to the organization.”
“We're facilitators... we're basically security as a service, right, to the organization.”
Leaders often don’t reciprocate efforts to “speak security”, so CISOs must always frame issues in business terms.
Brett (07:01):
“If you do understand what you're protecting and what drives revenue... they start listening.”
Ryan (07:50): CISOs shouldn’t necessarily insert themselves into every risk conversation, but they must always tie security posture back to business continuity, revenue, and risk in terms the executive team grasps.
Concrete Example (Starbucks analogy, 08:41):
“...let them know there’s a high probability your point of sale systems are going to go out... Now he wants to know, well, how would that happen? And that's what the conversation needs to lead with.”
“We're about to relive Y2K all over again in the year 2038... I would say this is probably an industry problem.”
Forums, professional associations, and collaboration—not overregulation—are vital for industry-wide risk.
“Heavily regulated industry. Look at how many breaches they have. Right. And so now you have an industry problem...”
Criticizes misalignment between vendor solutions and actual industry needs, hoping for more listening from vendors.
Brett (17:31): Hypothetically, losing revenue and taking the site offline is worse due to business continuity.
Ryan (18:26): Allowing an ongoing, uncontrolled attack is worse, given legal, financial, and reputational unknowns.
Audience (19:41): Majority agreed with Ryan: ongoing attack/data loss is the bigger risk.
Red Flags:
What Works:
Notable Practical Questions & Answers:
First step for coding hobbyist worried about app security?
Most effective marketing from cybersecurity vendors?
Impact of AI on cyber staff?
Keeping up with regulations in health/finance/IoT:
Best strategy for recruiting top cyber talent?
Brett (40:44): Strong college partnerships and fostering an enjoyable, valued work environment.
Ryan (41:17): “Being vested in your staff,” maintaining and leveraging relationships, making the job enjoyable (“Monday: teach me the Gen Z word of the week!” 42:13).
Gen Z word example: “Slay” = doing a great job or being cool (42:18).
On assumptions and mistakes:
“That might have started with taking the job... assuming that people actually understood the distinction between cybersecurity, the role, and IT in general.”
On the CISO role’s breadth:
“...you need to better understand the organization often than the folks that are actually doing the work.”
On vendor relationships:
“I would just appreciate someone coming in if they want to introduce themselves to me as a person, not a vendor... You’re just developing that relationship.”
On humor and team retention:
"Monday mornings... the first order of business is asking the Gen Z guys on my team, 'What's the Gen Z word of the week?'"
This episode provides both pragmatic advice and a “peek behind the curtain” at real-life decisions, challenges, and lighter moments in the security leadership world.