
David Spark
10 second security tip.
Go.
Johan Balaguer
Think of your entire cybersecurity program as the foundation of your house. A poor foundation makes your whole house susceptible to breaking and falling apart. Always ensure your cybersecurity program is built with a strong foundation that bakes in effective basic cybersecurity controls. I always say go back to the basics.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series podcast. My name is David Spark. I'm the producer of said CISO series. Joining me as my co host, it's none other than Mike Johnson, now the CISO of Rivian. Mike, say hello to the audience.
Mike Johnson
Hello audience. It is great to be heard again, I guess. Yes, I would like to see you.
David Spark
But you know, I just want to mention that you've been on one podcast in the seven plus years, seven and a half years, but you've been CISO three times during this time.
Mike Johnson
I like to say that it's experience, opportunities, changes of scenery.
David Spark
You know, I'm glad you haven't jumped to three different podcasts. Yes, you stay with one podcast.
Mike Johnson
Stay with one podcast.
David Spark
I appreciate it. We're available at cisoseries.com. If you haven't checked out all of our other wonderful programming, please do. Our sponsor for today's episode, brand new sponsor, it's GuardSquare Mobile Application Protection. Multilayered protection unified with automated security testing. Detect threats in real time and trust that it's your app interacting with your APIs. More about just that later on the show. Mike, this episode is going to be dropping the end of January and that is usually the time that companies have sales kickoff meetings. I have attended a few of these because I do a fun workshop called Business Networking Pickup Lines where I actually train people to do different in person networking activities. It's kind of fun. I should be pitching this earlier, not at the time that everyone's doing it, because it's useless now that you're hearing it.
Mike Johnson
Might want to work on that timing.
David Spark
David, I know the timing's off. You know the Steve Martin joke. You know what the most important part of comedy is? Timing. No, timing. It's timing. Have you actually witnessed a sales kickoff meeting yourself?
Mike Johnson
Oh, sure. I've been part of them before myself and I think they're an interesting opportunity for a CISO to actually talk to your own sales team, to kind of be able to share. Here's what you would expect your customers to be thinking about. And it's also an opportunity for you as a CISO to hear what is going to be important and what are going to be the themes that the sales organization is going to have in the year coming forward. So it really is a great opportunity.
David Spark
What I was impressed because I've been witness to a bunch of them and there's two major things that come together. One is the whole sales staff comes together and they get to see each other and they all have sort of boots on the ground experience. So they all trade boots on the ground experience. Like, what are you hearing? What are you hearing? You know, kind of stuff. And they talk about how do you deal with this common either rejection or question or oh, well, I don't know about you, because these competitors like this, like, and they trade that kind of information. And I think that's what it's sort of monstrously valuable for.
Mike Johnson
Yeah, that opportunity to say, hey, this message is resonating. This message is not. And to share amongst each other. Because they might not have had that opportunity, they might not have had that situation that resulted in them needing to have that interaction.
David Spark
And we hear the same thing about CISOs listening to our shows. We have such a variety of CISOs listen and variety that are on the show and they have just sort of their limited experience and by listening to the show, they get to hear experiences of other CISOs. And that's a perfect segue to our guest who I got a chance to meet over in Florida because he lives in Miami. He is the global CISO for the Hard Rock hotels and casinos, none other than Johan Balaguer. Johan, thank you so much for joining us.
Johan Balaguer
Thank you for having me.
David Spark
As a CISO.
What do you think about this quote? "The real pivot is learning to speak risk, not ransomware. Once you can tie patch delay to revenue risk, execs actually listen." Now, that was one nugget of wisdom dropped in a cybersecurity subreddit post where an experienced technical security professional asked for advice on becoming a CISO. Multiple commenters hammered home that being a CISO isn't about being the most technical person in the room. It's about GRC, budgets, board presentations, and enabling the business, rather than being the person of "no." One commenter even put it in Star Trek terms: "I'd rather be Riker than Picard. The pay is almost as good and the work life balance is so much better." So I'll start with you, Mike. When someone comes to you and says they want to be a CISO, which I'm sure you've heard before, what is your advice, and should you ask them why they want the role before telling them how to get there?
Mike Johnson
I love the Riker and Picard comment because that really is where I start with. Not so much Riker and Picard, but why? Why do you want to be a CISO? Sometimes it's just, I want to make more money. Like, okay, but is that really a good reason? That's not necessarily going to go well for you. If that is the main reason, you're going to end up in situations that aren't going to work out well for you.
David Spark
And saying that there are other positions that. That are very similarly paid too.
Mike Johnson
Absolutely. There are senior individual contributor roles that pay as well or better. It really comes down to what is the impact that the person is having. And a CISO role at one company might actually pay less than a distinguished engineer role at another company. In fact, it probably does. So it really does start with, why do you want to do this? And then we can get into the what are your strengths? What are your weaknesses? Once we understand where you want to go and why you want to do that, that's when we can start laying out what is the groundwork? What is the path, the map, as it were, to get there. But you have to start with the why.
David Spark
Let me ask you the question. Why did you want to become a CISO, Mike?
Mike Johnson
For me, it was an opportunity to really lead the full breadth of a program. My focus had been detection and response my entire career. I wanted to bring what I had learned doing that to a whole program and figure out how I can leverage those capabilities, those skills, into areas like product security or application security. Where I was, had been previously so focused on detection and response.
David Spark
All right, I take this to you, Johan. Same questions. Do people come up to you and ask about how to become a CISO, and do you give them advice, or do you go down the road of, well, why the heck do you want this job?
Johan Balaguer
I ask them why, and it's because you have to understand where they're coming from. As Mike said, you have to understand, are they just trying to become an authority figure or are they trying to do something that's good? And this, to me, is a passion. I think this is a very exciting and fulfilling position, but it comes with a lot of stress, a lot of anxiety. And I think at the end of the day, what you're trying to do is really defend not only the organization, but protect the intellectual property of that organization and the customers' data. So you have to come at it from a perspective where you really understand the business, and you come in from a business enablement perspective versus an authority figure. So understanding why they want to be in this position, I think, is going to help them and help me provide them with the information that could really help them down that career path.
David Spark
I'll ask the same question I asked Mike. Why did you want to become a CISO?
Johan Balaguer
So for me, I started off at the help desk and worked my way up. I started off in my career when cybersecurity really wasn't a thing. It was more of IT and becoming a system administrator, trying to obtain those Microsoft certifications. And then I had the opportunity to join one of the initial IT security teams, where I really started to be in that defender's seat. And it was kind of exciting because you're after the bad guys, you're protecting the organization, you're really trying to stop them. It's kind of a cat and mouse game, but at the end of the day, it's very fulfilling. It's very rewarding to understand that you're really trying to help not only an organization, but you're becoming that enabler for them. You're allowing them to safely run the business and operationalize it in a safe and secure manner. So instead of just a mundane task that's traditionally in IT, it's one that's very rewarding, because every day is different. Every single day, there's a different threat, there's a different risk that we're up against. And you're continuously learning. So this is something where you're just not doing repetitive tasks every day. You're learning every single day how to protect that organization and enable it.
David Spark
What about this AI security challenge?
It's one thing to understand the risks of deepfakes; it's another to experience them. Now, Howard Holton, who's the CEO of Giggo and a good friend of the show, got a wake up call after creating an AI voice clone so convincing it fooled his own family. And we've all heard these. They're incredible. His message to employees: demand in writing that your company will not create, maintain or use your AI identity after your employment ends. Quote: "If they won't put it in writing, you have your answer about what they plan to do with your digital self." Now, for security leaders, you need explicit policies yesterday stating employee AI identities are personal IP, non-transferable to the organization. Ever. As a security leader, how are you treating the Pandora's box of digital twins? I'll start with you, Johan. Is Howard right that we should already have policies for this? I didn't even think about that. But I think he's right. What do you think?
Johan Balaguer
It's very interesting. I kind of put myself in a musician's position. They record music. Their voice is out there continuously being replayed. And I feel like I need to start collecting royalties if this is the case. But definitely I think there should be policies in place, governance over this. Because at the end of the day, while anything you produce for an organization will always live with that organization.
David Spark
That's fine. But it's the creation of something new with your likeness.
Johan Balaguer
Correct. And that's the thing is they're reusing you. Right. Even if you leave that organization, it's of saying that they still have the right to your intellectual self. So going back to maybe I should be getting royalties for it and getting paid for it even after I left that organization.
David Spark
Well, you. You should have negotiated that up front.
Johan Balaguer
Now we. Now. Now we need to start to think about that right in our employment agreements. But this is an interesting case. Organizations continuously have to battle with AI and the deep fakes. At the end of the day, it's very difficult to protect against. Because it's so much better each and every day.
David Spark
No, but this is not so much about the protection issue, but it's just your identity, your voice, your likeness. Will they use that after you leave? And I didn't even think about it, but it's something. Yeah, you should actually consider because it's. Usually the situation is when you work at a company, the material you create while working there is. Is ownership of the company. That's pretty standard. But it should be clear that that ends when you leave too.
Johan Balaguer
100% agree.
David Spark
Like there's no more that you can create with my likeness, voice and all that.
Johan Balaguer
I 100% agree. And if we write that into an employment contract, I would expect royalties.
David Spark
Well, there you go. But yeah, if they start doing it, or you can sue them, for that matter. All right.
Johan Balaguer
Correct.
David Spark
Mike, I throw this to you. Has this, by the way, has this ever come up? Because Howard's mentioning is the first I've heard of it.
Mike Johnson
I don't think I've seen it come up for companies, you know, as Johan was mentioning, it's something that is very common amongst artists. Yes, either voice artists is a big one. I don't disagree with Howard's points that such a policy is necessary. I don't see this as a security problem, though, like the ownership of intellectual property.
David Spark
Well, a personal employment problem. Not a security problem, but a personal employment problem.
Mike Johnson
Exactly. And so this is not something I'm putting a whole lot of effort into.
David Spark
But if you were hiring someone and they requested this, would you put it in the agreement?
Mike Johnson
I would defer to company policies. Like, this is not. This is not something that for me as a CISO, that I'm going to.
David Spark
Decide, yeah, it falls under HR in the business.
Mike Johnson
Falls under HR, also falls under intellectual property, that legal aspect. They're the ones who should be weighing in. But one of the things I'll point out is we already have this happening pretty regularly. If you join a company, you're going to go through all sorts of new hire orientation and there's going to be recordings of, like, "I'm so and so, and I think this policy is very important." I challenge you to look at how many people are still with the company when you're watching those videos. Like, that is already a thing where an employee's likeness is continuing to be used after they've left a company. So I think it is novel that it's something new, but at the same time I really do think that it's something that companies should be thinking about. But this isn't a security issue. No.
David Spark
And not so much CISOs.
Mike Johnson
No.
David Spark
We should have never brought this subject up is what you're saying.
Mike Johnson
I have better things to do, David.
David Spark
So.
Mike Johnson
Yes, yes, indeed.
David Spark
Moving on. This is a warning, though, to the listeners. This is something to concern yourself with. Make sure it's in your agreement. Before I go on any further, I do want to tell you about our spectacular sponsor, and that would be GuardSquare. Now, mobile apps today have become, as we know, an inescapable part of life, ranging from financial services to healthcare, retail and entertainment. Users trust mobile apps with their sensitive personal data. But a recent survey showed that 72% of organizations experienced a mobile application security incident last year. And 92% of the respondents report rising threat levels over the last two years. Meanwhile, attackers who want your users' personal data are constantly finding new ways to attack your mobile app. They reverse engineer it, they repackage it, and distribute this modified app via phishing campaigns, sideloading and third party app stores. By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users. That is where GuardSquare comes in. GuardSquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps, combined with mobile application security testing to find vulnerabilities in real time and threat monitoring to gain insight into attacks. You can actually discover more about how GuardSquare provides industry leading security for your mobile apps at their website, and it's easy to find. It's GuardSquare.com, that's Guard, G-U-A-R-D, Square, S-Q-U-A-R-E, dot com. And when you go, let them know you heard about them from the CISO Series.
It's time to play "What's Worse?"
Johan, you know how this game is played, right?
Johan Balaguer
Yes, I do.
David Spark
All right, I'm going to make Mike answer first, but then you will answer as well. This comes from Louis Zhang of AIA Australia. And we have two scenarios, and I'll just sort of briefly say the first is on the cloud, the second is on prem. All right, here you go. Scenario number one, on cloud: good logs, no budget. You're the CISO of a small to medium enterprise. A ransomware attack hits; you have no choice but to pay the ransom to survive. Good news: your cloud logs tell the full story of how the attackers got in and what they took. Thanks to your past self for configuring them correctly. Pat yourself on the back. Here's the bad news. After paying the ransom, the legal fees, the cloud bills, you've got zero budget left to improve security. Now you must rebuild your defenses using only your existing tools and team, so you are spent. Okay, no more money. Okay, scenario number two, it's on prem. You've got bad logs and very little budget. But you have budget. Same company, same ransomware hit. And yes, you're the CISO again. This time you're on prem with no usable logs. You pay the ransom, but you have no clue how they got in. The board gives you a small budget, enough for one new tool, one extra full time employee, one project or limited consultancy, with one clear message: make sure it never happens again. You're unsure where to start; you're completely blind. But at least you've got some money, a couple of vendors to lean on, and the freedom, also the pressure, to decide and act. Will the attackers come back, and when? Only luck will tell. Mike, which one's worse?
Mike Johnson
So I'm trying to remember, with the first one, did you actually make changes as part of your cleanup?
David Spark
No, no changes have been made. But you have really good logs and you know the full story of what happened.
Mike Johnson
Okay. For me, from my experience, I always want to know what happened. I always want to have that visibility into. Here's exactly what happened. Because even if I can't go and spend new money, I can move existing money around. And if I know exactly what didn't work as expected, I can now go fix that. I can concentrate on that area without necessarily bringing in new resources to do this. The solution for ransomware isn't buying a new tool. That's never the answer. The answer is always understanding what happened.
David Spark
I think many vendors might want to argue with you on that.
Mike Johnson
I would be happy to have that conversation with them. The real issue is knowing what happened and being able to effectively change your controls to prevent that from happening again. If you don't know what happened and all you do is go and bolt on another tool, it's going to happen again and you're going to have egg on your face at best that you were given money and that you didn't stop it from happening again.
David Spark
Well, you didn't know what the heck was going on. All right, Johan, do you agree or disagree with Mike with these two scenarios?
Johan Balaguer
I think I agree. It's like what they say, you can't protect what you don't know. So having the logs, fully understanding what happened, and having that staff that you currently have helps you rebuild. Right. Helps you enhance defenses, enhance all those controls. I'd rather know what happened, how they got in, so I can plug those gaps in, secure and protect that house better than I did before. Because at the end of the day, if you don't know exactly what happened, you may be protecting the wrong thing, or you might be trying to close a door that really didn't need extra protecting.
David Spark
That's a good point. Yeah. So it's wonderful. The second scenario, you got more budget, but you may be just spending it blindly on the wrong things.
Would this person be a good fit for the job?
Quote: "Jobs are sports contracts instead of marriages," said Doug Mayer, CISO at WCG, who shared a post about developing staff not just for the current role, but to help them grow and eventually make a difference elsewhere. He republished a post from Jessica Neal, Netflix's former chief talent officer, who argued we've turned professional transitions into personal betrayals. Doug pointed out that "quit and stay" employees who mentally check out are far more damaging than someone who honestly says they're ready to move on. What does good career development actually look like in cybersecurity? How do you create an environment where people can have honest conversations about their future without killing their present? This is a really good, sensitive subject, because I'm sure, Mike, you have a lot of talented people you want to keep. But, you know, people's lives move on. They change, they evolve. And you've seen these posts on LinkedIn where people say it's bittersweet that I'm leaving company XYZ. I had such a wonderful time, but now I'm moving on. It's not that they don't like it. It's just sort of a life change, and we all have them.
Mike Johnson
There could be any number of reasons why somebody's leaving a company. Some of them are very personal. Something a manager years ago told me that's always stuck with me is my priority is to try and make you happy and successful in your current role. If that doesn't work, I'll go and help you find something else in another team within the cybersecurity org. If that's not working, I'll help you find something else within the company. If that doesn't work, I'll help you find something outside of the company. And that's really stuck with me because it is recognizing that growth means different things for different people. And it is also that you're investing in a person. And that payoff might not necessarily be in their current role, but it might be. I've had boomerangs, and those are amazing. Where you have someone who leaves your team, goes and does something else, adds more skills that didn't necessarily have the opportunity to gain in their current role or even in their current company, and they come back and they've got some amazing new skill that you can now go and apply. And that's because of the investment in helping that person be successful wherever they are.
David Spark
That's a really good point. And yes, that is a strong skill for a manager to have to be able to support an employee who wants to leave. Even though you both very much like each other and you both appreciate your talent. Johan, have you seen this happen? Has it happened to you? Have you done it to somebody else? What's been your experience?
Johan Balaguer
I've seen it happen. Not just me or two others. I fully support it. I think career development is extremely important, especially in our field. I always tell my entire team, I said, if you feel at any time that you're bored or look around, go look at the other teams, raise your hand, offer help, or ask if you can work on a special project. I want you to grow. I want you to learn. I want you to continue to develop. If you end up leaving the organization or my team, I welcome that. I hope that our paths would cross again. Maybe I leave the organization, I join another organization, and I know that this person was a fantastic employee that I can go ahead and recruit myself. So, you know, at the end of the day, I think it's very rewarding. I think it speaks volumes about the leader that you are and the one that you, you know, you project yourself not to your team, but also to the organization that you're continuously building highly skilled personnel that are regarded very highly, not just in the organization, but across the industry. I think it also goes into that you want to start thinking about succession planning, right? Because at the end of the day, I always want to, you know, I want to train up and who's going to replace me eventually. So I'm all about it. I think it's great. I think someone who does not allow that is not really being a good leader.
David Spark
I had a conversation with a young woman who had her boss, the CEO of the company, make her feel guilty about wanting to leave. And it was. And like she was telling me the story, it was clear she really liked the CEO. I know you're shaking your head. Hold on, hear me out, hear me out. And I was shaking my head when she was telling the story too. I'm like, oh my God. It was so clear. She really liked this guy who was the CEO of the company. And yet he was making her feel guilty. And what it sounded like he was a first time CEO. He was scared about losing her because she was very talented and his reaction to it was essentially a very bad one. And instead of realizing that he made her feel guilty and she did things she shouldn't have had to do to appease him, not look out for herself. And when I kept saying, oh my God, he shouldn't have done that, that was so wrong. She goes, oh, but no, no, he was really, he's really. I go, I get it, you really like him. I'm sure he was a really nice guy, but he was scared and he made a mistake. I'm sure you've seen this, Mike.
Mike Johnson
Yes, I have absolutely seen it. And it was something that you mentioned earlier, that young managers, they have a fear of losing someone. And the reality is they just need to get used to it. This is something that happens in business, and quite often we talk about in security, it's not that the incident happened, it's how you handle it. This is the same thing. Like, how you handle an employee departure says potentially a lot more than the work that you do to try and keep someone, because they could have any number of reasons that they do need to leave. We've had people relocate, we've had people who've had changes in their family. Those things you just can't change or help as a business.
David Spark
You got to support as much as possible.
Mike Johnson
You have to support it and you have to have the mechanisms to support it.
David Spark
Just because you got visibility in your exposure management program doesn't necessarily mean you understand how attackers can exploit your environment. We got that coming up next.
This week's security tip is brought to you by Tenable, the exposure management company.
Visibility alone does not equal security. Dashboards can tell you what's exposed, but they can't always tell you what will actually be exploited. To understand the real maturity of an exposure management program, security teams need to go one step further and simulate attacks, not just detect vulnerabilities. Breach and attack simulation, as a tactical component of a continuous threat exposure management (CTEM) program, lets teams safely test how an attacker would move through their environment using known exposures. These simulations are commonly mapped to the MITRE ATT&CK framework, the industry standard for modeling real adversary techniques, so teams are validating defenses against how attacks actually happen. Now, this creates closed loop validation, confirming that prioritization reflects real world attack behavior, not just theoretical severity. Like a numeric "this is a 10, that's a 2," whatever. Without simulation, teams risk fixing what looks severe on paper while missing exposures that are quietly exploitable. And while breach and attack simulation isn't a complete solution on its own, it helps answer the harder question: if an attacker got in today, where could they actually go? By integrating breach and attack simulation into a continuous threat exposure management program, CISOs gain confidence that remediation is reducing real risk and not just improving metrics.
This has been your weekly security tip. To learn more about exposure management, go to tenable.com.
Protecting critical infrastructure from attackers: where to start.
Quote: "Critical infrastructure isn't just the power grid and water supply anymore," end quote. That's how Ross Haleliuk of Venture in Security framed a recent public cloud outage. When AWS, Google, Microsoft, Stripe, Cloudflare, Okta, or any number of other platforms go down, hospitals, banks, logistical networks and national services can be disrupted, often more severely than if a local utility failed. We're still looking at the world like it's 1990, but these cloud providers and SaaS platforms have become a backbone on which modern businesses and governments depend. So I'm going to start with you, Johan, on this. As a CISO, how do you build resilience when your critical infrastructure is a stack of third party apps you don't control? Should we be treating these vendors with the same scrutiny we give to traditional critical infrastructure? If so, it's going to take a lot more work and money, as you know, Johan. I mean, do you accept and recognize these tools as kind of critical infrastructure?
Johan Balaguer
You do, but unfortunately our hands are kind of tied when it comes to some of these big names out there. So I think you have to go, like I said, you have to go back to the basics. You have to really understand what are your critical applications, some of the infrastructure, and you have to bake in those resiliency controls. Sometimes it's just going back and pulling out that pen and paper and writing things down. We've seen a lot of these outages where it's brought down major organizations, a lot of third parties, fourth parties. So at the end of the day, if you understand those dependencies, you understand kind of the infrastructure and the architectures that are running behind them, you can start to really, as part of your resiliency program and your plan to start to bake in what happens if they go down? Right. What are the processes that we're going to follow? How do we kind of fail over and still allow our business to continue to function and run without dependency of these major critical infrastructure components?
David Spark
Yeah, I mean, you have to play worst case scenarios, don't you?
Johan Balaguer
All the time.
David Spark
All right, Mike, it just sounds like what Johan said. Well, we don't have control over AWS. They deliver. That's one of our suppliers. So we just have to build redundancy should something happen that's out of our control. Yes?
Mike Johnson
I've worked for cloud providers in the past. A couple of them fit the definition of critical infrastructure. In Europe they actually have definitions of critical infrastructure that include Internet services. We don't have that in the U.S., but that does exist elsewhere. And these companies do take that responsibility seriously. But there is a shared responsibility. They can only do so much. They can heavily invest, build in redundancy, resiliency, rapid failover. But sometimes your application needs to be architected to take advantage of it. You know, US East 1 going down. If your application can't fail over to US West, you're kind of stuck.
David Spark
Sponsor. And that is GuardSquare. Remember, G-U-A-R-D-S-Q-U-A-R-E, guardsquare.com, for mobile application protection. Any number of things: multi layer protection, unified automated security testing, detect threats in real time or something that might actually come through, and interacting with your API data center.
Mike Johnson
You have to think about is that something that you can tolerate? Can you tolerate the time that it takes to fail over? And if you can, then maybe it's okay that your applications are down for a few hours. The world didn't end when US East 1 went down. And I think that's something that folks really aren't paying enough attention to here is it certainly was a bad day for a lot of people, but things did go on and maybe a lot of companies learned their risk tolerance that day.
David Spark
I should also mention that this also is very dependent on your business. A casino is essentially a financial institution. You have a lot more concerns than other businesses that don't all the time have to have money flowing. Johan, you look at this differently. I don't even know. Where were you before Hard Rock?
Johan Balaguer
Human Capital Management Organization. And if we think about it, it's the same thing, but we were the cloud provider.
David Spark
Okay?
Johan Balaguer
Right. So we had to make sure that we were continuously not only maintaining our systems, but making sure that we had all the resiliency baked in because if not, people wouldn't get paid. Right. So it's very important to go back to: what's the worst case scenario? Always thinking about, like you said, you know, I live here in South Florida. We're very prone to hurricanes, and guess what? Some of our data centers were here. So we always think about, okay, if a hurricane was to pass through this state, where would we fail over to? How would we move not only some of our infrastructure components, but the people that support it? Right. We have to get people on planes. And sometimes, especially during a hurricane, that means you're also taking their families with them. Because it's going to be a while until power is restored and all the critical components are back up and running. So going back to accounting for all that, making sure that you even have paper copies of playbooks, right? Because if the systems and the power are down, you can't get those digital copies. So we're going back to the basics. We joke around, and you think about how we used to transact credit card transactions with those little papers and taking imprints of credit cards. Maybe you need to start doing that too. So you have to think of every single which way that you can continue to operate the business and ensure that we can maintain the minimum standards to operate effectively.
David Spark
And you make a good point because I've had conversations and really it takes individuals, consultants, sometimes to just keep asking questions. What about this? What about this? What about this? Because oftentimes the reason you fail at this is you don't even know the questions to ask. Yes, Johan, of course.
Johan Balaguer
And it's not only that, it's asking different people because sometimes you don't understand the true dependencies or interdependencies between one thing or the other. So it's making sure that you're relying on multiple stakeholders really digging into how the business operates those processes.
Mike Johnson
Right.
Johan Balaguer
Those procedures. Because sometimes someone stood up a system that they integrated and no one knows about it and it's a critical application or function that supports the entire organization.
David Spark
Very good point. Well, that brings us to the tail end of our show. Thank you very much, Johan. Thank you very much, Mike. I want to thank our sponsor and that would be Guard Square. Remember, go to their site guardsquare.com for mobile application protection. Multi layered protection unified with automated security testing. Detect threats in real time and trust that it's your app interacting with your APIs. That is Guard square.com Johan, thank you so much for coming today. Are you hiring at the Hard Rock?
Johan Balaguer
Thank you for having me, and yes, we are always hiring. Please look at our career site, and we would welcome you to join our team.
David Spark
And I'm assuming if they have heard this on the show they can contact you via LinkedIn.
Johan Balaguer
Yes, yes, always available on LinkedIn.
David Spark
All right, so look at the job site. Is there something appropriate for you? Contact Johan. We will link to his LinkedIn page from the blog post for this very episode. Mike, as always, thank you so much, and thank you to our audience. We greatly appreciate your contributions and for listening to the CISO Series podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Date: January 27, 2026
Hosts: David Spark, Mike Johnson (CISO of Rivian)
Guest: Johan Balaguer (Global CISO, Hard Rock Hotels & Casinos)
This episode dives deep into the evolving landscape of cybersecurity leadership, the real-life challenges of AI identity risks, managing career development in security teams, and the daunting task of building resilience amid increasing reliance on third-party cloud providers. Through candid discussions and practical advice, hosts David Spark and Mike Johnson, joined by guest CISO Johan Balaguer, explore what it means to lead in cybersecurity today—balancing technical know-how, organizational risk, and people management.
“A poor foundation makes your whole house susceptible to breaking and falling apart. Always ensure your cybersecurity program is built with a strong foundation that bakes in effective basic cybersecurity controls. I always say go back to the basics.”
“The real pivot is learning to speak risk, not ransomware. Once you can tie patch delay to revenue, risk execs actually listen.”
On career motivation:
“Sometimes it’s just, I want to make more money. ... There are senior individual contributor roles that pay as well or better. ... You have to start with the why.”
“…You have to understand, are they just trying to become an authority figure or are they trying to do something that’s good? … I think this is a very exciting and fulfilling position, but it comes with a lot of stress, a lot of anxiety.”
On AI identity rights:
“…I think there should be policies in place, governance over this. … [But] if we write that into an employment contract, I would expect royalties.”
“I don’t see this as a security problem … it falls under HR and legal … but it is novel that it’s something new.”
On incident response priorities:
“…from my experience, I always want to know what happened. … If I know exactly what didn’t work as expected, I can now go fix that. The solution for ransomware isn’t buying a new tool.”
“You can’t protect what you don’t know. … Having the logs, fully understanding what happened … helps you rebuild.”
On handling team departures:
“Growth means different things for different people. … I’ve had boomerangs, and those are amazing.”
“…if you end up leaving the organization or my team, I welcome that. … You want to start thinking about succession planning, right? Because at the end of the day, who’s going to replace me eventually?”
“How you handle an employee departure says potentially a lot more than the work that you do to try and keep someone … You have to support it and you have to have the mechanisms to support it.”
“Critical infrastructure isn’t just the power grid and water supply anymore.”
“…unfortunately our hands are kind of tied … you have to go back to basics. … If you understand those dependencies … you can start to bake in what happens if they go down.”
“Always thinking about, like you said, I live here in South Florida. We're very prone to hurricanes… So, going back to accounting for all that, making sure that you even have paper copies of playbooks...”
“There is a shared responsibility. … Your application needs to be architected to take advantage of [cloud] resiliency… Maybe a lot of companies learned their risk tolerance that day.”
“…it's asking different people because sometimes you don't understand the dependencies … making sure that you're relying on multiple stakeholders…”
The conversation is practical, open, and laced with dry humor and camaraderie. Johan brings firsthand insight from leading security at globally recognized enterprises. Mike balances technical depth with leadership wisdom, and David drives discussion with curiosity and frequent references to real industry scenarios.
This summary delivers the key themes, practical advice, and real voices from the episode—perfect for CISOs, aspiring security leaders, and anyone navigating today’s cyber risk landscape.