Andy Ellis (1:57)

Like, there's memorabilia and things that you will keep for a long time. Like, we have pictures and art our kids did when they were kids. And we're like. Like once a decade, we'll open that.

David Spark (2:05)

Hold on. Why are you holding onto that?

Andy Ellis (2:07)

Because once a decade, it's fun to open it up, look through it, and then pack it back up again. It's memories.

David Spark (2:12)

Yeah, that's true. All right, well, the purge, by the way, I usually around December time, we do heavy purges, right?

Andy Ellis (2:19)

But I have an X10 control system. Like literally my family owned an inn 30 odd years ago. We have the X10 control system for controlling all of the candles that we lights into windows.

David Spark (2:31)

I found out through Ancestry.com because my sister did research that I have ancestors who owned two hotels in Harlem actually.

Andy Ellis (2:40)

Wow.

David Spark (2:41)

Yeah, pretty cool. Anyways, if you have not delved into Ancestry.com or a member of your family, does you really only need one family member?

Andy Ellis (2:48)

Well, I have, I have the book. You've made the book on my, on my father's side of the house, we've traced lineage over a thousand years.

David Spark (2:55)

Holy moly.

Andy Ellis (2:56)

And so we have a book. There's like two. There's three different stages of the book. There's the one in England, there's the one for Canada, and then there's the one for the US folks since coming here from Canada.

David Spark (3:06)

And you don't quote that one nearly as your 1% leadership book.

Andy Ellis (3:09)

It's kind of boring. It's just literally a list of names and a lot of lists of deaths.

David Spark (3:13)

Like, well, that's usually what it is.

Andy Ellis (3:16)

A lot of kids died very, very young not that long ago.

David Spark (3:20)

All right, let's jump into this. I want to bring our guest on. He's been very, very patient. I'm so, so thrilled that he's on board. It is the CISO for the Commonwealth Care alliance, none other than Tim Jacobs. Tim, thank you so much for joining us.

Tim Jacobs (3:33)

Good to be here. Thanks for having me.

Narrator (3:37)

There's gotta be a better way to handle this.

David Spark (3:43)

How do you start having a conversation about security when your organization is starting from rock bottom? That came up in a recent cybersecurity subreddit thread where someone working in a large dental service organization asks, quote, how screwed is my company when all they use is Windows Defender and a shared login for everyone to access cloud based system records. Now, commenters suggested showing leadership a list of HIPAA fines. I thought this was wise and that the largest fines are reserved for authorized users abusing access. Others suggested appealing to the legal team, which there may not be one, but an offering to assist in putting controls in place to support policy. So Andy, answer this poster's question. How screwed is his company and where would you start to improve a situation like this?

Andy Ellis (4:36)

So one of the things that I do like about this scenario is there's nothing wrong to undo except potentially that shared password. But even that is better than what a lot of companies have with like, there's a bazillion different passwords and all written down and they're hard coded in a lot of places. You actually have a fertile field, I would say, trying to bring up HIPAA fines and put that in front of your business. It's probably not gonna make you any friends. It's sort of the classic career limiting move.

David Spark (5:01)

Well, but no hold up, but just saying, look, you guys don't want this, nobody wants this. It's not to.

Andy Ellis (5:07)

It comes across as a threat.

David Spark (5:09)

Well, I think you can do it in a way that's not a threat.

Andy Ellis (5:11)

If you're a security person and you walk in and you said if HHS found out what we were doing, these would be our fines. What every executive will hear is, and I am going to go blow the whistle if you don't do what I say.

David Spark (5:23)

I think there's a way. This is actually a question I have for an audience. What's the way to bring up something scary that doesn't come off as a threat or fud?

Andy Ellis (5:32)

So what I would do is, first of all, it depends on what your role is in the company. I don't know if this is the ciso, if this is some random IT person, who this is, but obviously you have to figure out who you're going to appeal to. And honestly, bringing in an outside authority is often much better. So I would look at engaging with a managed service provider, probably somebody who focuses in the Microsoft world because it sounds like you're an entirely Microsoft shop. And basically you can get some pretty quick and dirty services that are just, hey, let's assume we had a breach. What would you recommend? I just want the template so we've got something to start from so that I can go and take that to my organization. Especially because they'll probably need an MSP to go implement all of the security and architectural changes you're going to need. So they might just look at it as a way to sort of get in good with you.

David Spark (6:18)

All right, I'm throwing this to you, Tim. Tim, you work in healthcare and I'm sure you've seen small medical offices, hospitals that are just a little behind and not up to par. What do you do to not scare the bejesus out of them for something that could be as egregious as this?

Tim Jacobs (6:35)

Well, I think the hippophynes are interesting, but. And this would scare the bejesus out of them, but just going and unplugging the computer and say, okay, do your job. You're basically operating in an environment where the likelihood of a ransomware attack to completely cripple your ability to do business is very high. You need to take actions to defend against that because that breaks your business. The fine aspect of it is part of it, but people always assume that's for the really bad, egregious actors and don't really think about what happens if I can't do work.

David Spark (7:09)

But isn't the whole point of the HIPAA thing is to show even before the ransomware is an if, the HIPAA thing could be, oh, this is definitely happening.

Tim Jacobs (7:19)

Correct. But the HIPAA thing is you're operating in an environment that's you're not doing due care to make sure those sort of things happen. And likely in that environment, you haven't thought of, you don't have cyber liability insurance, you don't have that sort of get out of jail, somebody's gonna come and help me out switch. Either you're operating in an environment where something breaks, it's going to be very detrimental to the business.

David Spark (7:41)

So do they respond well to the unplug the computers now run a business kind of response?

Tim Jacobs (7:47)

It depends on who you're talking to.

David Spark (7:49)

Well, my feeling is this is two crappy ways to deal with it on two different sides of the coin. Unplugging the computers run your business versus which sounds like it's a metaphorical thing you do, or scaring them about HIPAA things. You gotta start with one. Which one do you start with?

Andy Ellis (8:04)

Andy, go get advice from a peer executive in the company. Go find somebody who is successful and respected in the business and ask them this question. Say, look, I think what we're doing is unconscionable. Maybe I'm wrong, convince me I might be wrong, or give me some advice on how we should broach this topic. Because I don't wanna walk in and say we have to spend a billion dollars fixing security cause nobody will wanna do it. What's the way in this organization that successfully gets things done? And honestly ask every peer executive who gets to weigh in on the decision so that each of them feels like your trusted confidant who's going to support the proposal that ends up coming forward.

David Spark (8:43)

All right, close this one out. Tim, agree with this?

Tim Jacobs (8:47)

No, I think that makes sense. You're crowdsourcing to get disparate views, gain consensus, and ultimately force a business decision in terms of. In this case, this is the options that we have available to us. Let's make a decision and we can manage risk based off of that.

Narrator (9:05)

Attention, CISOs, your expert opinion is needed.

David Spark (9:10)

Quote, successful crisis management does not begin when the crisis hits. Yes, it starts well before any incident occurs. I think we can all agree with that. So planning a robust policy framework and a security culture built on readiness are key to crisis management. But as Andrew Akin of Doc Drew pointed out, leaders need to have some key traits to take advantage of all these tools when the crisis is happening. These include a proactive vision, adaptability, empathy, and accountability. But the one that stood out to me is decisiveness. And this is. This is just what I want to focus on right here. Tim, that one seems the hardest to define as a timely Decision by 1 CISO can be seen as rash or arbitrary. So I'm interested to know what. And hopefully we can kind of walk through this in the heat of the moment. What questions do you ask yourself before making a critical decision? Because you have to make a series of them. What do you ask yourself?

Tim Jacobs (10:12)

I first start by asking myself what is known versus unknown. Do we have the right people working on the right issue? And then are the right people communicating with each other as information unfolds so that we can have an effective response and not just end up all sitting on a conference call trying to figure out what's going on while the situation is getting worse? So what practical information do I have? And you would have had to have practiced that in advance, have prepared for this in advance. That helps to make it easier for other people to. To be decisive, to know what their roles are and to help recover.

David Spark (10:49)

And what I'm hearing here, and correct me if I'm wrong, you very focused on the continuous communications of people working on it. That and also information known and unknown, that even if you do make a decision and all of a sudden information comes in and points out, oh, no, that's a wrong decision. The fact that the communication channels are open, you could potentially shift. I'm assuming that's the point of this.

Andy Ellis (11:12)

Yes, correct.

Tim Jacobs (11:13)

And it's also defining in advance. Ideally, this is when we're going to give you the updates so that the teams who can help respond from a technical perspective, a communications perspective, a legal perspective, have time to go and do work, as opposed to everybody just getting in and trying to figure it out on the fly. So being able to make good decisions as the information comes in and changes.

David Spark (11:36)

That'S a really good setup. All right, Andy, what would you add to that? Because I very much like Tim's answer here.

Andy Ellis (11:42)

Yeah, no, I love the answer. A key piece I'd add is that you have to understand the cost of your decisions. When I was at Akamai, we often discussed this as, like, what size credit card do you have? And your credit card is measured in incidents. So if you're in a severity one incident, the highest level, your credit card has severity two incidents on it. You can go create severity two incidents to fix a severity one incident. That's okay. You can't go create another severity one incident willy nilly because you're just moving laterally. So once you start understanding the cost, like, yeah, I'm gonna go create a severity three incident, I'm getting out of severity one incident. If it cost me 30 SEV3s, that's okay, we'll go clean that up later. But by examining the cost, it also lets you say, what are the bad outcomes that could happen? Because what you do wanna look for is not just the good, like, oh yes, we fixed this. Oh, we broke something, we didn't make anything better, let's fix what we broke. That's what Tim talked about. The communications, that's important. But you have to sort of say, it's like taking a medicine. Some medicines have bad side effects. You want to know what the bad side effects might be so that you can look for them. Because remember, you're not in a static system. You might have other bad side effects showing up from other incidents. So you need to know which ones to pay attention to and which ones don't really matter.

David Spark (12:59)

Now my next question for you, Tim, is, and this is something that doesn't, wouldn't wait till the actual incident. But how do you make it clear to your team that you have thought it out in like the way you've described it to me here?

Andy Ellis (13:14)

Sure.

Tim Jacobs (13:16)

So first thing is to have a breach response plan defined with the right people, decision making authority, responsibilities in advance. Practice IT routinely at an executive level. At minimum once a year, your IT teams practice it more frequently from a technical perspective. But a key part of that is also asking the question, if what we identify to be the risk is so significant that we need to sever connectivity from the company to the Internet, does the leadership understand what that will mean if we need to take those actions to save the business? So instead you could run into a situation where the livelihood of the company is at stake. If you fail to make a good decision quickly or to make the right decision quickly, people are often a little bit more risk aversive. It says, well, wait, we can't ship to customers, we can't service patients. This is where business continuity comes into it. And making sure that the key decision makers understand that in advance and can account for that. If we do have to go offline. Gives you license to say, listen, trust me. I'll let you know when it's time to break glass. And I'll give you the information to make that decision. But we can't sit there and debate it for six hours.

David Spark (14:33)

I've got big news in cybersecurity. Threat Locker just dropped a powerhouse of new solutions and enhancements, making their zero trust endpoint protection even more seamless, even easier to manage and and even faster to deploy. First, the new Threat Locker insights taps into millions of data points globally, giving you real time intel to make smart security decisions fast. And let's talk patching instead of spending time researching and deciding on every pending patch. ThreatLocker patch management handles the what, when and how for you. Cloud control shields your Windows 365 tenant from phishing attacks. That and token theft. Two of the biggest Microsoft 365 security gaps. Then there is the new user store. Users get instant access to pre approved applications. No waiting for approvals. Easy for it, seamless for users. And those pesky websites no one should access through your business network. ThreatLocker web control lets you block them with an agile pre categorized database. No extra integrations, just seamless protection. Now what hasn't changed? Well, the gold standard US based Cyber Hero support team answering calls in about 60 seconds 24, 7 with unlimited support. That's service you can count on. Over 50,000 companies worldwide choose ThreatLocker. For more visit their website. It's threatlocker.com, spelled just the way it sounds. Go there to learn more about their suite of zero trust solutions.

Narrator (16:16)

It's time to play what's Worse.

David Spark (16:21)

All right, Tim, are you familiar with this game?

Tim Jacobs (16:23)

I am.

David Spark (16:24)

All right. Two crappy scenarios. You got to pick one that you think I. I think this one is balanced, Andy. This is what I say. I think it is.

Andy Ellis (16:34)

Those are like, that's like a red flag. That's like the death flag in an MMO when you're like, I think we're prepared.

David Spark (16:41)

All right, well, these are both bad. Comes from Neil Saltman of a head he's given us.

Andy Ellis (16:46)

Okay. It came from Neil and then fast. It's going to be at least entertaining.

David Spark (16:49)

Well, this one's kind of straight up.

Andy Ellis (16:51)

Okay.

David Spark (16:51)

All right. He's always given us lots of good what's worse scenarios. Here we go. By the way, Tim, I always make and answer first and you can agree or disagree with him. My hope is you'll disagree.

Andy Ellis (17:02)

You should always agree with me.

David Spark (17:04)

Don't listen to him. All Right. Which one is worst for a Zero trust architecture? This is what Neil asks, which one's worse? Is it weak authentication methods or a poorly deployed segmentation with way too many policy exceptions being allowed? Andy.

Andy Ellis (17:20)

Oh, this one's easy. Sorry.

David Spark (17:22)

First one I thought you would lean on that one.

Andy Ellis (17:25)

Root of zero trust is identity.

David Spark (17:26)

Yes.

Andy Ellis (17:27)

If you don't have identity, you don't have Zero trust. Like I know everyone wants to put micro segmentation into the Zero Trust framework. I will say that there are basically three different parents of Zero Trust. Right. There's the one everybody knows which is David.

David Spark (17:40)

Tell me the parents of Zero Trust.

Andy Ellis (17:43)

Who's the father who gets called the father of Zero trust?

David Spark (17:45)

We're talking about Chase Cunningham.

Andy Ellis (17:47)

Yeah, Chase.

David Spark (17:48)

Chase Cunningham, right. Who I ran into at ThreatLocker Zero Trust World Conference. He was there.

Andy Ellis (17:54)

Right, Right. So you've got that.

David Spark (17:55)

He gave a great presentation, by the way.

Andy Ellis (17:57)

But you also. Most importantly, the true parent of Zero trust is Heather Adkins at Google. It is Heather who broke the Operation Aurora and who basically is the architect behind Google Beyond Corp. And it's me who's the architect of Akamai Zero Trust, which actually came to market as the first commercial one. And I will tell you, micro segmentation is the least important thing in Zero Trust. Identity over everything. Because you don't need micro segmentation. If you actually do identity based verification of every single connection you functionally get. App level micro segmentation, you don't need to do it in the network. So not having micro segmentation that work, as long as you can connect to things, which it sounds like you can, great. If you have identity. If you don't have identity, I don't care how good you've done your micro segmentation.

David Spark (18:43)

It's not that no identity, it's just weak identity.

Andy Ellis (18:46)

Weak authentication that's weak identity is functionally no identity.

David Spark (18:50)

Okay, all right. Andy thinks this is easy and he's leaning on the weak authentication model.

Andy Ellis (18:57)

I'm leaning on my own expertise. I'm literally giving a talk on where Zero trust went wrong. Yeah, well, I already did given when this one did. I just did one a month ago.

David Spark (19:06)

Tim, as I understand, is doing the rebuttal to your talk correct?

Tim Jacobs (19:11)

Tim, I would love to do point counterpoint and rebut this just viciously. I can't. I gotta agree with Andy on this one. I'm sorry.

Andy Ellis (19:20)

My favorite thing is how many of our guests say, I would love to disagree with Andy, but I just can't.

David Spark (19:25)

They want to. Well, the thing is, I had the Feeling that you would go with the weak authentication models. But I was hoping this poorly deployed segmentation with too many policy exceptions would kind of lean itself too much, but it's not leaning enough.

Andy Ellis (19:37)

No, I don't need segmentation at all in my zero trust planning.

David Spark (19:42)

So. Okay, Tim, you agree. Why do you agree with Andy here?

Tim Jacobs (19:45)

The authentication is key. We're talking zero trust. If you don't have that, if it's just a matter of poorly designed segmentation, then certainly people can go into can traverse in areas that they shouldn't, but if they shouldn't have access in the first place, I mean, the blast radius is more contained there.

Andy Ellis (20:04)

Right.

Tim Jacobs (20:04)

But if you don't authenticate properly up front, you've sort of missed the whole point.

Andy Ellis (20:08)

And just to be clear, if I've got a micro segmentation advocate or vendor listing, this is not me saying micro segmentation isn't important, but it is not part of zero trust. It solves a different problem, which is you have environments that cannot do zero trust because they cannot do identity based authentication. Think like hospitals. Since we've had Tim here, I suspect he doesn't want to talk about the fact that he's got a lot of equipment that is basically limping along on ancient versions of Microsoft that we won't even mention what they're running because that's all that is supported by the vendor of some healthcare IoT that is making a fortune for a hospital. And all that you can do is micro segment that to keep everything else away from it.

Tim Jacobs (20:52)

As long as we feed the gerbil that's running in the back of the computer to keep the operating system going, everything's good.

David Spark (20:57)

Yeah, I think. Doesn't the gerbil have a longer lifespan than a Microsoft operating system?

Andy Ellis (21:04)

You would be really surprised at how ancient some of the early Microsoft operating systems now are. And they're still running.

David Spark (21:10)

Oh, I know. I've talked to a lot of people in healthcare. It's creepy scary.

Andy Ellis (21:16)

Yeah, yeah, I think I will after this move. I will not have any boxes older than some of Tim's Microsoft deployments. But I cannot say that is true right now.

Tim Jacobs (21:26)

That's an admirable goal, by the way.

David Spark (21:28)

Tim is wisely staying silent here.

Narrator (21:34)

Let's look under the hood.

David Spark (21:39)

Effective threat modeling requires an accurate understanding of asset value. That seems obvious, but what framework are organizations using to value their assets? This might be easier for your most valuable assets. We call them crown jewels for a reason. But outside of that, how much clarity do we actually have into asset value? Within our threat surface. So, Derek Fisher, who's the director of Cyber Defense and Information Assurance Program at Temple University, pointed to various asset valuation approaches, current market value replacement costs, or by the revenue generated over time. And I'm going to start with you, Tim, but are we missing an opportunity with our security controls and if we don't have a clear idea of asset value? Because again, this goes into the whole crown jewels thing. But just saying, I guess we're defining the value in different ways here, so. And Tim, I mean, do you go this far to determine it?

Tim Jacobs (22:38)

Again, I wouldn't focus too much of the value of the physical asset itself. It's more the role of the asset in processing critical data that supports the company that's key. And how it's configured, how it's connected.

Andy Ellis (22:51)

But.

Tim Jacobs (22:52)

But the relative cost of the asset itself is important, but not as key.

David Spark (22:58)

Okay, so where does that importance lie? Like, I mean, my feeling is, well, first, let's start with this. How difficult is just to find the crown jewels? Let's start with that.

Tim Jacobs (23:08)

It's difficult, it's iterative, based on talking to your business stakeholders. And it's just as difficult to be able to do a good updated mapping of where the data flows throughout your environment. There's a new proposal for a revision to the HIPAA rule. If it goes into effect this month, it's going to require that organizations have a clear understanding of where data flows throughout their environment. That they did a risk assessment and evaluation based off of that. That's a lot easier said than done.

David Spark (23:39)

But it's also very hard for people to describe what they are. Andy, I'm going to throw this to you. You don't just say, hey, what are your crown jewels? And they go, oh, here they are, and hand you a spreadsheet. It never works like that.

Andy Ellis (23:51)

Asset valuation is an output of risk modeling, not an input. This is where I think almost everybody gets it wrong. You don't know what your assets are actually worth until you have done risk modeling. And great. Risk modeling does not talk about asset value, except in the case of liquid assets. Like, yes, if you're a bank and you have a stockpile of money, or you're Fort Knox and maybe you do or don't have gold. That's an asset that you can easily. It has a fixed value, irrespective of me. Like, it's sort of intrinsic from an economic perspective that you can value. Everything else has no value until you do risk modeling. I'm a huge fan of Levison's work Everybody who listens has heard me mention Nancy's name at least a dozen times by now. You do not talk about asset value. You talk about unacceptable losses to the business. Right. And I'm going to put Tim on the spot here. Sorry, Tim, but I've done this to the airline folks. What is the worst thing that can happen to your business? What's the worst incident you've got?

Tim Jacobs (24:50)

The worst incident is that we can't deliver care to our patients and people could die or suffer very serious health outcomes. Yes, right.

Andy Ellis (24:59)

Right there. Like he's got human life. Someone dying is the worst thing. Tim, what is the value of a patient's life to you? Right. The laugh is the right answer. It has no value. You don't value it. You don't put a price tag on it. You just say, this is the unacceptable loss. It's like someone dies on my watch, they're not an asset. I don't put them on my balance sheet. That's my unacceptable loss. And I work backwards from it. Now, out of that, you'll discover that you have, like, critical systems, that if this system is not available, I can't deliver care to a patient and I increase the possibility of someone dying. Now, you understand that that's a valuable asset. That's why I say asset valuation is an output of the risk model, not an input to it.

David Spark (25:38)

So this can't be used at all.

Andy Ellis (25:40)

Are you saying I have never seen anybody who started from a let me value all of my assets and then do risk modeling, end up with a usable risk model? I'm sure there's somebody who's done it. I've just never seen it.

David Spark (25:52)

No, but these are reasonable questions, like, what does this data make for the business?

Andy Ellis (25:58)

But you're coming at it backwards. What you're really doing is saying, what is the unacceptable loss to my business? Oh, I lose a product line. Okay, well, if I lose the product line, that tells me that product was valuable. So what is involved in doing it? That's what I say. You work backwards from the business impact of losses, not forwards from the asset. Because you will also find assets you didn't know about when you worked backwards. You say, this is what I deliver. I deliver this form of patient care. And now as I start working backwards, well, what's involved in delivering patient care? What systems do we rely on at each stage? People who are embedded in that can tell you, oh, I need the seven things. Like a nurse will tell you, these are the critical systems to me. But if you started from listing Your critical systems, you might only get six of those. 7 Work yourself backwards from the business.

David Spark (26:48)

All right.

Tim Jacobs (26:49)

And those outputs certainly help as you do threat modeling on continued basis going forward and can be used by the business for other purposes. But agree, it's not necessarily the start.

Narrator (27:02)

Managing security changes for business optimization.

Andy Ellis (27:08)

One.

David Spark (27:08)

Of the often overlooked and underappreciated benefits of a security focus within an organization is that because security is by nature an in the weeds, discipline, attention paid in this area invariably uncovers other unrelated benefits. All right. The security versus convenience spectrum is often cited for cybersecurity. That is taken as a given. But while security enhancements may add overhead, they can also uncover valuable things you might not otherwise find. This was pointed out by Rob Black of Fractional ciso. He points out internal audits can reduce license fees for departed users, code reviews that can improve functionality, not just security problems, and vendor reviews that can show where you can consolidate services between departments. All right, I'll start with you, Andy. Are there any other outright business improvements you've seen from added security measures, aside from keeping the business open in the first place?

Andy Ellis (28:08)

Oh, absolutely. And it's usually getting rid of assets that are unused.

David Spark (28:12)

Yeah, well, they get that lower your.

Andy Ellis (28:13)

Risk because most of the business is kind of afraid to. They're like. And they just move on. Actually, I remember at Akamai we had like networks tied to services. The first time a network was actually deprovisioned completely all the way, so it's no longer referred to in any system. Was actually done by somebody on my security team because she just sort of ran into this like, we have 14 machines left in the network because everybody's afraid to turn them off, but had mapped the safety of what it took to turn off a network and so just went and did it. Like that was really cool that I had somebody who actually would engage in doing that. I see places in the cloud where people do cost optimization because they discover there's a whole bunch of assets that just aren't in use. Oh, let's get rid of those rather than trying to secure them, is certainly a great approach. So to me, I see this all the time in just reducing your overhead and your cost by finding things that are easier to deprovision than to secure.

David Spark (29:08)

Tim, what have you seen from your security that's helped in other places?

Tim Jacobs (29:13)

So one area would be business email compromise. So through shining a light on the way that the company operates, through being able to identify potential phishing incidents, you can identify things like, do we have employees who are communicating Back and forth with an adversary in our accounts payable department, are they transferring money? The typical, like wire fraud transfer that you don't think is ever going to happen is sometimes your security program can identify those communications are happening and then you realize that the business has no control within their accounts payable department to be able to validate when somebody asks you to change the routing information to actually check and do that. So it's a basic control that you would expect to exist in the business that nobody knew was missing until through security. You identify different patterns of behavior and then start to shine a light on it and say, well, why are we doing this?

David Spark (30:08)

So let me ask you, this also goes to sort of a greater issue here in that we see this also for, let's say, efforts for environmental issues. I'm just throwing something completely out. It's very hard to get someone to jump on something just because it'll be environmentally better. And I get the sense that security may have that same problem sometimes that hey, this is gonna make us more secure. But yes, it does reduce risk, makes things wonderful. So are there cases, Andy, where you have led with the not security reason to do something?

Andy Ellis (30:42)

Oh, absolutely. Or actually I've done the opposite as well, where I've used the security reason to give the push to the other thing that was needed. Like how do you get to an agile deployment model? Like, your engineers all want to be agile and they really want to have a CI cd, but if you're a legacy company, there's a good chance you don't have one. But you can go play the security horn and say, oh, I need you to be on agile because it means that we can deploy patches faster. And the reality is you're really pushing on. We need to be able to deploy software faster because you keep not deploying my patches because it's too expensive for you to do software updates. So let's get to fast software updates. That's the easiest thing to do, is tie yourself to the speed of the business because getting your engineers and your IT organization to be faster is always better. So just push for that one.

David Spark (31:28)

What about you, Tim? Have you done something like that where you push the non security reason to get something through somewhat?

Tim Jacobs (31:35)

It would be if we're talking about code validation checks through a SDLC process and using the analogy of just product defects. Take security out of it. But if we're not looking for these checks up front and we're delivering bad code, bad products, you would never deliver a car through an assembly line that hadn't had the right checks, why are we waiting until we've already delivered something to fix it after the fact? More costly, more risk. We need to rework the way we work so we can be faster and more efficient.

David Spark (32:05)

Very good point. Well, that brings us to the very end of our episode. I want to thank our sponsor. That would be Threatlocker. Huge thanks to Threat Locker. Remember, just go to their website, threatlocker.com check them out. They've got an unbelievable suite of Zero Trust Solutions. Tim Jacobs, who is the CISO over at Commonwealth Care Alliance. Thank you so much for joining us. Tim, are you hiring over at Commonwealth Care Alliance?

Tim Jacobs (32:28)

Thanks for having me. And not currently hiring, but always looking to meet people who are interested in security. Cause when there's a need, you never know. Having that network of people to tap on, it always helps.

David Spark (32:39)

And have you tapped on that network in the past?

Andy Ellis (32:41)

I have, yeah.

David Spark (32:43)

So, yeah. I mean, we ask if people have positions open, but it's always a good time to network. There's never not a good time to network, Andy.

Tim Jacobs (32:51)

Absolutely.

David Spark (32:52)

Is there ever not a good time.

Andy Ellis (32:54)

To network while you're sleeping?

David Spark (32:56)

Sleeping, yes. So sleeping is a bad time.

Andy Ellis (33:00)

Sleeping is a bad time. But in general, and the way you should think about networking is networking is about just connecting with somebody and giving to them so that when you need from them later, there's a connection. Most people think of networking as, oh, I'm looking for a job, let me go network.

David Spark (33:16)

Oh, I know.

Andy Ellis (33:17)

A little too late then. That's when you want to exploit your network.

David Spark (33:20)

I know. That's the number of times I've heard that people who don't network, it goes, oh, I got to all of a sudden start networking so I can get a job. And so it's like, hey, yep, good luck. That's what I say. All right. Thank you so much, Tim Jacobs. Thank you so much, Andy Ellis. And thank you to our audience. We greatly appreciate your contributions and for listening to the CISO series podcast that.

Narrator (33:40)

Wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and cybersecurity Headlines Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com thank you for listening to the CISO Series podcast.