
David Spark
Ten second security tip, go.
Danny Jenkins
Simply block remote desktop client from being able to reach out to the Internet because attackers are using it to connect to remote servers and exfil data.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO series. And joining me since the very first episode, it's none other than Mike Johnson, the CISO of Rivian. Mike, say hello to the audience.
Mike Johnson
Hello, audience. Good to be with you again.
David Spark
You will hear that voice periodically, multiple times all throughout this show. We're available over at cisoseries.com, you can hear all of our programming over there. Watch it, read it, anything you want to do. Lots of ways to consume this programming, but don't go anywhere now. Stay with the show. Our sponsor for today's episode is ThreatLocker. Meet the world's leading zero trust platform. And in fact, we're going to be talking about just that. In fact, their core principle of Default Deny, that's coming up later in the show. But we're going to be talking with actually the head honcho of ThreatLocker in just a moment. But first, Mike, we are now in December.
Mike Johnson
Yes.
David Spark
And here's something I've run into year over year over year in just business in general.
Mike Johnson
Ready to do it again, too.
David Spark
Great in December is everyone seems to think that business comes to a screeching halt.
Mike Johnson
Wait, it doesn't.
David Spark
Unless you're in retail. Retail is a whole different story. Yes, but it's like the number of conversations I've had with people in December that says, oh, let's talk about it at the end of the year, as if nothing can happen in the month of December. And I used to take it personally and now I realize this is just the way people behave. That's their mode of operation. All right, I won't take it personally. We'll just wait till January. And so 1/12 of the year, people seem to not be able to do any work. Now, I know in cyber you can get plenty of attacks during the holidays. Yes.
Mike Johnson
I mean, it can happen immediately. What was it, Log4j occurred over.
David Spark
Christmas, was it in December? Log4j.
Mike Johnson
Yeah, it occurred over the Christmas break one year. So yeah, it can be really, really bad.
David Spark
But isn't that kind of classic? Like, so many of the tactics used by the malicious hackers are to use the holidays against us?
Mike Johnson
Oh, quite frequently. Yes. And I think that is one of the challenges that we in cyber face is if there is an incident over the holidays quite often the teams that we depend on might be off on vacation. So even though we're minding the shop, the teams that we need help from might not be. And so maybe the tip for folks here, make sure you've got your pager rotations set up for those teams that you depend on so you know how to get in touch with them while they're not there.
David Spark
That is an extremely good point. We only think about our own team, not everyone else we're going to have to engage with. Yep, that is a phenomenal tip. All right, let's get to our guest at hand. By the way, ThreatLocker has been an absolutely phenomenal supporter of the CISO Series and we adore working with them. We're actually fully supportive of their philosophy and we're going to be talking a lot more about that here on the show and couldn't be happier to have the head honcho, who we've had on multiple times on the show, our sponsor guest, the CEO of ThreatLocker, Danny Jenkins. Danny, thank you so much for joining us.
Danny Jenkins
David, thank you for having me here today.
David Spark
What about this AI security challenge?
Noise from lab-based AI attack research is drowning out the actual risk to enterprises, said Calendly CISO Yasser Abusulam on LinkedIn, pouring some cold water on security leaders who were wringing their hands over real-world low-risk AI threats. His hit list of what not to worry about includes, and this has to do with AI, data poisoning, model theft and model inversion. Instead, he says, focus on prompt injection, supply chain compromise, weak access controls and over-privileged agents. All right, this is some harsh talk. Mike, do you agree with these listed AI non-concerns versus concerns? Why or why not? And if so, what's at the top of your AI concern list?
Mike Johnson
I really think Yasser's meta point here is don't follow the crowd. Like, don't just read everything that you see in the headlines and assume that is your threat or your risk. You really need to think about what matters to you and your company. As you said, not everybody is building or training their own models. Some are, like, just because you're not a frontier lab doesn't mean you're not training your own models. But you do need to think about what makes sense to you. I'll go even further to say not everybody actually needs to be worried about prompt injections, even though that's on his list. A lot of companies do, but not everybody does. So it's a good list and I agree with it. I mean, for me, prompt injections, hallucinations, access controls, over-privileged agents. These are all at the top of my list. But it really depends on the use case. That doesn't apply to everyone in particular.
David Spark
Danny, I've been to many conferences. There's a lot of fear around AI security issues. And I think what it is is kind of a free-floating anxiety, because people don't really know exactly what to be afraid of. What are your thoughts on this list of concerns versus non-concerns?
Danny Jenkins
Okay, so I actually think the biggest concern is the obsession with building AI security tools.
David Spark
Really? Okay.
Danny Jenkins
I can think of one particular case where a CISO came to me and said, we have to deliver AI security immediately. This is our biggest priority. How can you help us deliver AI security? Not from AI attacks, but to implement AI to stop attacks. And I said the first thing you need to do is figure out what you want to defend. And if AI is a good tool to defend against that, then implement it. There's no way in the world you should go into a problem with a solution. It's crazy. And it's almost like the board are so scared about falling behind, they're putting pressure on CISOs and the C-suite. What are we doing to drive AI forward? How are we using AI in our company? Whereas what they should be saying is, what problems do we have and could AI help us solve those problems? And I think that's the biggest risk right now. And everyone's closing their eyes or blindly putting blinkers on to say let's focus on AI and not focusing on the bigger issue. And of course we do have AI issues. We have 4 billion people that can now write malware that had no intention of doing it before and no ability to do it before. We have phishing emails that look better than they ever did in history. But you shouldn't be going into any problem with a solution without understanding the problem first.
David Spark
So I like that. So the biggest threat is no intention around AI usage, like just AI for AI's sake?
Danny Jenkins
Yes, absolutely. But to the point where people are actually not looking at the other things they should be looking at in their business. The number one priority is let's deploy AI. Let's deploy AI to solve our security solutions, let's deploy AI to solve our IT problems, let's deploy AI to solve our staff problems. Let's deploy AI, and the solution is being made. And then they're trying to find problems to match the solution, rather than saying these are the biggest problems we have in business right now, this is the biggest security concern we have, how can we deal with that? And if AI happens to be the solution, great. If it doesn't, let's implement the real solution.
David Spark
Mike, I'm sure you feel consistent on that.
Mike Johnson
No, I think it's a very good point of use the right tool to solve the problem. Don't just fall for the shiny. Like, AI is shiny right now, which.
David Spark
By the way, this is a chronic problem security falls into. AI didn't introduce it.
Mike Johnson
Absolutely. And AI didn't introduce it, but I think it amplified it for sure. I think Danny's point is a good one in that people are being pressured. How can we use AI to solve our problems? And so now they've got this hammer that they're being told to go solve problems with. It's not necessarily the right solution for all things. Not for most things.
David Spark
And going back to you, Danny, I can hear the way you described this security professional. It was not that person coming up with this idea. It was clear there was some outside pressure telling them to do this.
Danny Jenkins
Absolutely. And I think that's what we're seeing consistently. And this was Gartner in Barcelona, so there was a lot of presence from the Middle East there. There was a lot of presence from Europe there, and there's a little bit more control from the board than there is in the US. Security seems to be given a bit more freedom in the US, whereas in the Middle East, it's very much, we're scared about falling behind, let's do this.
David Spark
What's the ROI?
"This is the bane of every CISO," end quote. Now, that's how Steve Zalewski, our familiar Defense in Depth co-host, described demonstrating ROI for cybersecurity initiatives. This is what he talked about in our recent cybersecurity subreddit AMA, calling it a dark art, essentially, trying to figure out ROI on cybersecurity. And by the way, if you don't know, every month we do an AMA on the cybersecurity subreddit. The CISO Series does. So after decades as a discipline, we still can't agree on how to prove our worth, meaning cybersecurity's worth. Some swear by financial risk modeling and the FAIR methodology. Others struggle to move beyond maturity models. But everyone agrees companies are no longer satisfied with security as a, quote, unquote, continuous improvement exercise. It turns out the business responds to demonstrable business value. Danny, is ROI even the right metric for something about preventing losses rather than generating revenue? And again, some argue that you can show security generating revenue.
Danny Jenkins
So I think in some cases it's very easy to say security is lowering costs where we haven't had any breaches. Especially if you're going from a case where you had X number of malware attacks a year, X number of phishing attacks a year, it's very easy to show ROI. I kind of disagree. I think in many cases the CISO overstresses the need to show ROI because it does get asked. But I think every CEO, I'm a CEO, so we spend lots of money every month. And of course, if marketing come to me and say I want to spend $1 million on something, and they say I'm going to get this many leads and get this many sales, it's really, really, really easy. If security comes to me and says this is a potential risk, this is what's going to happen, I'm not thinking about show me ROI. And I think we shouldn't be talking about ROI. We should be talking about risk. We should be saying this is a risk. We buy insurance, we have building security, none of which provide ROI unless something happens, and then they provide lots of ROI. And I think we should be changing it to we're talking about risk and we're talking about taking away that risk. And if we don't take away the risk, then we'll be having a conversation next year about how can we get return on investment and not get breached again.
David Spark
Mike, this is so interesting. This ROI discussion comes up again and again. But it's interesting. There are a lot of other things we spend money on in businesses, like the receptionist, the front desk, or the cleaning crew. Who the heck. Lots of just random things, and we don't ask for the ROI on those things. So why does security get this sort of special behavior?
Mike Johnson
I don't think we're actually being asked ROI. I think some folks in the security industry are trying to push that or.
David Spark
Maybe just prove our worth.
Mike Johnson
And maybe that's what folks are going for. But it's like you said, there are many other functions that aren't being asked to show their ROI. The finance org, for instance, doesn't generate revenue for a company. They manage costs. And to Danny's point, there's a lot of value in that. But they're not a profit center. The legal team, very much the same. And so I think I very much agree with Danny. We need to stop talking about ROI. We're kind of shooting ourselves in the foot by continuing to talk about ROI where we're never going to be able to show it. We are a cost center. That's okay. There are plenty of cost centers in a business. There are plenty of places that we are not generating profit, not generating revenue, but they're absolutely needed for the company. So I love the idea of talk more about risk, talk more about risk reduction, and that's really where we need to get.
David Spark
I mean, it just, it's sort of, it's analogous, risk reduction to ROI. But just to say ROI is just missing the point. Danny?
Danny Jenkins
Yes, it is completely missing the point. And to your point, the finance department is just a pure cost center and nobody questions it, and, well, probably because they write the checks. But we are missing the point that this is a risk. We have to address the risk. Security isn't optional in a business. If you don't do it, you will eventually have massive financial consequences or potential business consequences where you don't exist anymore. I think most business owners, most board members understand that. I think CISOs sometimes want to make this an ROI play to make themselves feel more valuable. When you get into a digital transformation world, you get into ERP systems and order taking systems, you can start showing worth. But security is a cost center, but it's a risk reduction and potentially a business saving cost center. And we don't ever question any other cost center in the business. And we shouldn't be trying to compare ourselves to a marketing department.
Mike Johnson
Yeah, I think the one thing that we're trying to solve for is what is the right amount of security. And we haven't figured that out yet. And so there's absolutely. It is critical, it is required, but how much is enough? And that's why I think people keep trying to push for ROI.
David Spark
Before I go any further, let me talk about ThreatLocker, a phenomenal sponsor of the CISO Series. So let's be real. Most cybersecurity tools only act after the damage is done. Detection is reactive. We know this. Prevention is what actually changes the game at multiple levels. And that's exactly where ThreatLocker comes in. Instead of chasing threats, ThreatLocker helps organizations stop them at the source before they ever even run. Only approved applications, scripts and executables are allowed. Everything else is denied by default. That is a core philosophy of ThreatLocker. It's the control CISOs have been asking for. Protection enforced right at the execution layer, and even trusted tools stay in their lane. Ringfencing keeps PowerShell and browsers from being misused, while storage control and elevation control tighten how data and privileges are handled across the enterprise. It's zero trust made practical and scalable for modern environments. Now, if you're tired of alert fatigue and endless detection noise, who isn't? It's time to shift the model from Detect and Respond to Deny and Verify. So you can learn more if you go to their website, threatlocker.com/ciso, and do me a favor, you go to threatlocker.com, add the /ciso. It's the easiest way to let them know that you heard about ThreatLocker from the CISO Series. And if you go to threatlocker.com/ciso you'll see how Default Deny can finally give you real control over your environment.
It's time to play What's Worse.
Danny, you have played this before. You know how it goes. Two crappy situations. You have to decide from a risk analysis, not an ROI viewpoint, which one is worse. All right, Mike, we've done variations of this one before, but I like the simplicity of this one. This one comes from Anna Liv Christensen of Compliance Partner, and she asks the following. Scenario number one, you inherit a security team of highly skilled professionals with no interpersonal skills. So they're very good at their job, but their ability to communicate to others is a big zero. Now, you know where this is going. We got the flip side.
Mike Johnson
Oh, I think I know exactly where this is going.
David Spark
You inherit a security team that communicates very well and builds trust but lacks deep technical experience, and you will never be able to train them. I have a feeling I know where you're going to go on this, but I will ask you which one is worse?
Mike Johnson
Yeah, so the first one is the brilliant jerk scenario. Like, you've got a team of brilliant jerks.
David Spark
Well, hold it. No, it doesn't. I take that.
Mike Johnson
That doesn't mean no interpersonal skills.
Danny Jenkins
Nerds is a nicer word, but no.
David Spark
But it doesn't mean they're brilliant jerks. They could just be buffoons that just don't. You know, the incredibly shy person that just doesn't know how to talk to the girl at the dance. That could be your security team. Not necessarily brilliant jerks. I don't want you to pigeonhole them as brilliant jerks.
Mike Johnson
Well, that was how I interpreted it. So if that's not what we're saying, it's really just.
David Spark
They're not. No, they're definitely not brilliant jerks. I didn't say that.
Mike Johnson
That's just not their skill. Like, their skill is not communication. Their skill is security.
David Spark
They get tongue tied, they screw up, they just don't know how to do it.
Mike Johnson
Yeah, so if I reframe it, the first is people who are very good at security and not very good at interpersonal relationships.
David Spark
Correct. Doesn't make them bad. Doesn't make them mean or rude.
Mike Johnson
Yeah. The second one is they're great at interpersonal relationships. And so. So in security, just.
David Spark
They struggle to configure a single tool.
Mike Johnson
Yeah. So if that's kind of where we're at, this one actually is pretty tough.
David Spark
It is.
Mike Johnson
Because what you've got is people who can actually meaningfully move security forward for the company in a silo versus people who can't effectively move security forward, but they're not doing this by themselves. I think if we break it down into that, like it again, always, these both suck. At least in the first one, you're moving security forward, and it sucks that you're doing that alone, but at least you're making improvements. So for these two, I think the one that you're not making any progress on security, that actually feels like the worst scenario for me.
David Spark
So that would be scenario number two.
Mike Johnson
Yeah.
David Spark
Okay. All right. And I have other arguments why I think that's interesting. Danny, I want your thoughts on this.
Danny Jenkins
So scenario one is the nerds that are really bad at communicating. But one question I'd like to ask. Are the nerds. Are you inheriting it? As in me? As in charge of the nerds? The CISO, essentially.
David Spark
Right, Right. It's like you just joined a company. This is your team. You get team A or you get.
Danny Jenkins
Team B. I will always take the.
David Spark
Nerds, the nerds that can't talk.
Danny Jenkins
And I'll tell you why. Because.
David Spark
Because actually, because you could talk.
Danny Jenkins
That's. As a CISO, your job is to go to the board. And one of the things that we do very well at ThreatLocker is a very technical interview where we make sure people have good understanding and good ability in their role. And we. What we found is people who can talk, who can't do, often make people feel falsely confident.
David Spark
Good point.
Danny Jenkins
And that is much, much worse. I would rather people who make me feel scared than people make me feel really, really confident and go home every night thinking, we're great. We're gonna. We're going to do really fine. So I think I'm always going to choose the nerds. And as the CISO in this. In this role, that's my job to communicate with the business and my job to communicate with the nerds and figure out how we build a team.
David Spark
Right. And I've heard that a lot, that a really good CISO essentially speaks the language of nerdville, the cybersecurity professionals who fall into that camp. Not saying all of them, but also, you know, and we've said multiple times that they can speak the language of all the other departments. Another point I'd like to throw out in scenario number two, where they lack the technical expertise, that means you've spent all this money on tools that nobody seems to be able to operate or configure. So you're just wasting money in that second scenario.
Mike Johnson
Got a lot of shelfware.
David Spark
Yeah. It would be like having a great tool like ThreatLocker and nobody configuring anything.
Danny Jenkins
And that's a big problem in any security tool, actually, where people buy the tools and do not configure them because they don't have the technical skill sets. I use the saying quite often. I've heard it quite a few times. IT people have friends. Security people don't necessarily.
David Spark
Let me ask you this, and I'm sure you've had this complaint, if you will, and I know, by the way, just supporting ThreatLocker, you guys have an amazing support staff and you're hyper, hyper responsive. But I'm sure you've heard the complaint from somebody who did not configure the tool correctly and blamed it on ThreatLocker.
Danny Jenkins
Yes, oh, of course. All the time. Actually, we released an entire feature that just deals with that and sends email reports over and over again saying, all.
David Spark
Right, this is the DAC tool. Yes, yes. Defense against configurations. It's very effective.
Danny Jenkins
Otherwise known as dumbass configurations.
David Spark
Please, enough. No more.
Today's topic is cybersecurity complaints. Complexity versus simplicity. Okay, because we've heard that it's too complex or, no, we can make it simple. But I'm going to start with you, Mike. What have we heard enough about? What would we like to hear a lot more of on this topic? Or in essence, what are we making unnecessarily complicated in cybersecurity? Where can we simplify here?
Mike Johnson
You know what, now that you mention that, I've actually heard "complexity is the enemy of security" too much.
David Spark
Yes.
Mike Johnson
Like, it's a throwaway phrase that has no meaning. And the reality is we live in a world of complex systems. We need to embrace that. We need to understand that. And I really think the opportunity here is to make security simple. Golden paths, paved roads, whatever you want to call it. It's really complicated to make something simple. And that's really our opportunity here is we should make security simple for others. We ourselves should embrace the complexity, recognize it's there, but put the work into hiding the complexity from others.
David Spark
Very good philosophy. All right, I'm throwing this to you, Danny, and I know one of your core philosophies is Default Deny, which, that single sort of philosophy and action that you do greatly reduces the complexity of cybersecurity. So what are your thoughts on what you've heard enough about, and what would you like to hear a lot more of?
Danny Jenkins
I've heard enough of AI, maybe not to go down that route right now.
I think one of the things I've heard enough about is the sophisticated attack. And everyone's going to have some cyber incident in their life, whether someone's email account gets compromised or someone's phone gets stolen. But when you hear about these massive companies that have just been hit by a major cyber attack and there's 30, 40,000 endpoints down or 5,000 endpoints down, and they hear words like it was a sophisticated attack, most of the time it is not. It's a fundamental flaw in basic configurations. A VPN was poorly secured, an RDP server was left open, remote untrusted software was run. These guys aren't getting in John Travolta style from Swordfish, where they're pounding on the keyboard and everyone thinks it's some kind of magic code. They're literally just doing basic things to get into systems, and fundamental basic security measures could have stopped them. So I think that's what I've heard too much of, is the words sophisticated attack. It's very, very seldom a sophisticated attack. We need to stop talking about that and start talking about basics.
David Spark
Not only that, Danny, I can't remember the last time I truly saw a sophisticated attack.
Danny Jenkins
I would say the closest thing I've seen to one. And again, not a sophisticated attack at its root, but a sophisticated attack by the time it got there, was SolarWinds Orion, in that they got into SolarWinds' source code. Again, not sophisticated, but the long-term plan of getting to a vendor, getting into source code, and then getting down.
David Spark
I would put quotes around sophisticated for the ones that have the long game, essentially for the attack that is, quote, in a way, sophisticated.
Danny Jenkins
Yes, but many times that long game gets stopped by a simple control. Day one.
David Spark
Yes, exactly. So what would you like to hear a lot more of, and explain sort of your philosophy at ThreatLocker?
Danny Jenkins
Look, my philosophy is very, very simple. There's very few ways that somebody gets into a system. It's really open ports, untrusted software being run, bad credentials or bad dual factor turned on. So I think we should be focusing on this idea of controls. Let's think about what controls we can put in place, tangible things we can do. And that means we have to accept that a user's gonna click on an email link and download something they shouldn't. We have to accept that it's not. We can't train it out of them, it's like impossible. So if we put basic controls in place, it doesn't have to be hard. People think it's incredibly complex, where we say, this user, 500 users in my company are salespeople. They run Zoom, they run Office, they run Chrome. Only allow that to run. I would like to see more controls like that, more dual factor controls, more closing network ports where they're not necessary to be open. Most companies will go and install a server. The whole network, the whole LAN, can see the server. Why is it not configured to only allow the group of users that need to see it? If we think about controls, that's what I'd like to see more of. And I think even when we think about detection, we should be thinking about it in response of control. So, for example, quite often right now we rely on a detection, an indicator of compromise, going to a SOC who is expected to make a decision. Somebody's run an IP scan on our network. Should we shut down this server and take us offline in minutes? Today, because I've seen cyber attacks go from initial access to impact within minutes, we can be thinking about controls in response to detection. So one of the things I like to do is, if an indicator of compromise is triggered, it might be an IT guy running an IP scan. But what I'd like to do instead is send an alert to the SOC, but also disable all admin tools automatically until the SOC has responded, to slow down an attacker.
And these are real tangible things you can do to stop attackers to begin with, by blocking untrusted software, closing ports, but even when they gain access, making their life miserable.
David Spark
Mike, I know this has been a philosophy of yours in that the goal is just make the process of attacking us as difficult as possible. And I'm going to assume, and maybe this is something you can visually show and sort of describe how you show it, or you can see it numerically through any metrics, but when you create essentially walls of, well, you shouldn't have access to that, you shouldn't have access to that. It should be super clear that you should see these vectors dramatically decrease.
Mike Johnson
Yeah, a lot of what we focus on these days is we always call it reducing the attack surface or reducing the blast radius or what have you.
David Spark
Right.
Mike Johnson
And that is where you see that manifest is there are limited ways that somebody can get in and then there's limited damage that they can do when they get in. And I think I was listening to Danny. What I really liked was there's a lot of focus on prevention. But he's also describing rapid response to detections. And I think that's something that we also need to think more about, is there might be things that we can't just block, we can't just prevent because it will slow down the business or block a normal process. But if we see a detection like something triggers, maybe we actually do, then take the automated action to slow the business down until we're sure. And I think that's an interesting thing. And I just wanted to highlight what Danny had said there because I do think it's another way of thinking about controls. They don't have to be just preventative.
Danny Jenkins
I think that is really good. And I want to give another example of this. In the world of zero trust, you give access where access is required. It's not about no. It's about where access is required. So my marketing team need access to USB drives because they copy PowerPoints onto USBs, video files onto USBs, to go to booths at trade shows and things like that. What we're able to do, and again, it's implementing controls as needed rather than blocking USB all the time, we've put a policy that said they can copy X number of files per hour to a USB drive. And if it exceeds that, we now revoke the policy. So again, their computer still works, they're still able to operate, but they can no longer copy those files. The SOC will then respond, decide, was it a false positive or were they exfiltrating data? Did they decide to copy all of our files to a USB drive? And these are the type of automated controls that aren't necessarily black or white, allowed or not allowed. Allowed under normal circumstances, but if the circumstance changes, we're going to revoke that access.
David Spark
Today's security tip has to do with patch fatigue. Yes, this is not just vulnerability management, but the humans that are dealing with it. That's coming up right now.
This week's security tip is brought to you by Tenable, the exposure management company.
Even the most advanced exposure management platforms can't protect you if your teams are overwhelmed. Patch fatigue is real. And when remediation velocity slows down, your exposure widens, no matter how good your visibility is. Pay attention not only to vulnerability counts, but to process capacity. How many patches can your team realistically apply in a week? How many configuration changes can they implement without burning out? If the workload consistently exceeds that capacity, you're not dealing with a tooling issue, you're dealing with a human exposure problem. Automated patching can clear out routine, repetitive remediation tasks, those low-complexity updates that eat up most of your team's time. That frees your experts to focus on the high-risk items, the actively exploited vulnerabilities, the misconfigurations that form attack paths, and the issues that require context and judgment. So by managing workload as deliberately as you manage vulnerabilities, you create a sustainable exposure management rhythm, hedging yourself against the risk of tired teams missing things.
This has been your weekly security tip. To learn more about exposure management, go to tenable.com.
Will we really ever achieve zero trust?
"Zero trust is like dating in high school. Everyone's talking about it, not many are doing it, and almost no one is doing it correctly." I love that quote. That gem dropped in a recent cybersecurity subreddit thread, with one commenter noting they had, quote, zero trust in zero trust marketing. While vendors slap zero trust on everything, actual practitioners are struggling with the realities of implementation, from micro-segmentation resistance to legacy system nightmares. One commenter pointed out the cultural change is harder than the tech, while another argued it's just repackaged defense in depth for the identity era. Okay, now this is in no way attacking you, Danny, but I know that this is a part of your philosophy and part of your marketing. So if zero trust is really a mindset shift rather than a product, why are we still letting vendors define what it means? But you're a vendor. You're not, I don't think, defining what it means. I think you're kind of leaning into it, aren't you?
Danny Jenkins
Absolutely. And actually, if you look back on the Wayback Machine at our messaging on our website, when everybody else was saying zero trust, we didn't actually even say it, because it became white noise and we had EDR saying "we're a zero trust endpoint." Every booth at RSA and Black Hat said zero trust, just like every booth says AI on it right now. And we didn't put the wording on our website because I would rather transition to the wording of block untrusted software, limit what applications can do, stop access, take away admin privileges, because an IT practitioner or security practitioner can understand that messaging, whereas if you just put generic terms, they can't. And then if we want to use zero trust, where I personally focus on using zero trust is I'm going to tie everything back to it. So blocking untrusted software is a zero trust approach. So I think the messaging... I'm not really big on any security messaging, and I think it comes down to marketing people creating messaging and not practitioners and not security people. However, do we... can we achieve it? I don't think we achieve it, yes or no. I think we achieve a zero trust mindset in certain areas. And right down to... if we go back 20 years ago, companies would say nobody can access the payroll folder except the payroll staff, and that's zero trust when it comes to payroll. I think we expand from just payroll to a much larger part of the business, and we start talking about untrusted software and who can access what files and who can upload data and who can use USB drives. I just think we get more secure by implementing more controls that follow that philosophy than we did 20 years ago when it was just a payroll folder.
David Spark
Yeah, Mike, honestly, it's impossible to truly have zero trust. I think what we're really talking about is chronically minimizing trust or minimizing access, which achieves, sort of... we're getting to a point of ever closer to zero trust while never actually achieving it. Yes. Am I correct in this way of describing it?
Mike Johnson
Well, it's one of those things where you remember the thing years ago of like, what color is this dress? I think zero trust is exactly that. It means so many different things to different people. I agree with Danny. It's noise. And I think we've reached a point with it that I would kind of like to see the term go away because it's absolutely meaningless at this point.
David Spark
I don't know if it's meaningless.
Mike Johnson
It is.
David Spark
I mean, meaningless means zero. But I think everyone, look, the government is embracing it. Like the government embraced the term zero trust. And people generally understand the philosophy of least privilege. Don't give persistent access. Yes, Danny.
Mike Johnson
I think Danny just nailed it. It's least privilege, and it's a term that we've had forever.
David Spark
Right.
Danny Jenkins
We also used to call the cloud hosting.
Mike Johnson
Also fair.
Danny Jenkins
And marketeers come up with new buzzwords to reinvent hosting to make it sound sexier and call it the cloud. I think it was SaaS somewhere in the middle, too. And maybe it's SaaS sometimes now, but I think zero trust is the new word for least privilege.
David Spark
Yes.
Danny Jenkins
I think as a CEO, I'm incredibly careful to make sure all of our banners, all of our messaging, includes the tangible things we're actually doing.
David Spark
Good point.
Danny Jenkins
As opposed to just zero trust. And we can use that zero trust as a bottom tagline, but everything in between has to be stop untrusted software, ring fence applications, stop PowerShell from eating your lunch. These are more meaningful to a practitioner than the word zero trust.
David Spark
And by the way, we have this game that we started playing with our audience called Slogans Run, where we essentially put up a slogan from a company and you have to guess which company's slogan it is. And like what we've been talking about, with the overuse of zero trust, the overuse of a lot of these terms, it's quite difficult. And companies keep changing their slogans, for that matter, because it's quite difficult to describe something that is not tangible. It's tough.
Danny Jenkins
Our mission statement in 2017 is exactly as it is today, which is to change the paradigm of security from default allow to default deny. And I think we'll lean into budgets, especially when companies get budgets for things like zero trust. But ultimately that's what it means to us. Change security from that default allow to default deny, which is...
David Spark
Now people are describing zero trust, but you were ahead of the game, just with different terminology.
Danny Jenkins
Correct.
David Spark
Excellent, Danny, let's wrap it up right there. I want to thank you, Danny Jenkins, who's the CEO of ThreatLocker. And ThreatLocker is a phenomenal sponsor of the CISO Series. Remember, go to threatlocker.com CISO, just throw the CISO in there. It's an easy way to let them know you heard about them from the CISO Series. Their tagline currently is the world's leading Zero Trust platform. Throw default deny in there, or deny by default. Just throw it in there. Mike, thank you so much as always. Any last words?
Mike Johnson
Danny, thank you for joining us. You know, David made a comment along the way that this is a good episode. And that's really because of your thoughts, your perspectives, your philosophies, and really being able to kind of go all over the place, like down into the details, but also give our audience some perspective of what a CEO thinks about. So I really appreciate you being able to share all across the spectrum. So thank you.
Danny Jenkins
Well, thank you for inviting me today.
David Spark
And then, Danny, I'm going to just say it. You're always hiring, correct?
Danny Jenkins
We're always hiring. I think we had 40 people last month.
David Spark
Wow, that's unbelievable.
Danny Jenkins
We just, we're expanding to other offices and we're probably going to add 50 people.
David Spark
Oh, so you're not just Orlando, right?
Danny Jenkins
So we have offices in Orlando. We have a second building now in Orlando coming up.
David Spark
Congrats.
Danny Jenkins
And we have offices in Dublin, Dubai, Brisbane, and then we've got staff in, I think, 10 or 15 different countries at this point. I can't even keep track of it.
David Spark
Well, congratulations. If you're looking for positions, please go to threatlocker.com; they've got positions open there as well. Huge thanks to you, Danny. Thank you again to ThreatLocker for supporting CISO Series. Thank you, Mike, and our audience. I don't say this lightly: we truly appreciate your contributions. Send me more What's Worse scenarios, please. And thank you for listening to the CISO Series Podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows: Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series Podcast.
Episode: I'm Worried That We're Not Worried About the Right Worries With AI
Date: December 9, 2025
Hosts: David Spark, Mike Johnson, Andy Ellis
Guest: Danny Jenkins (CEO, ThreatLocker)
This episode centers on the nuanced worries security leaders should – and shouldn't – have about AI in the enterprise. The panel dissects common misconceptions, influencer-driven panic, and the AI “solution in search of a problem” phenomenon permeating boards and security teams. Along the way, the hosts and guest Danny Jenkins from ThreatLocker drill into broader topics like complexity versus simplicity in security, the meaning (or lack thereof) of Zero Trust, and perennial challenges like proving ROI in security.
The conversation is lively, direct, and laced with wry humor about overhyped buzzwords and the realities of working under pressure in security. Both Jenkins and the hosts are frank about challenges, keen to pull back from hype, and push for clarity and first-principles thinking over marketing or fear-based narratives.
| Topic | Key Takeaways | Notable Quote / Timestamp |
|---|---|---|
| December Security Risks | Cyberattacks don't pause for holidays; plan on-call rotations | Mike: "Make sure you've got your pager rotations..." [02:41] |
| AI Security Worries | Ignore lab-theory panic; focus on real threats & business context | Mike: "Don't follow the crowd..." [04:47] |
| ROI vs. Risk | Security is about risk reduction, not profit-generating ROI | Danny: "We shouldn't be talking about ROI..." [13:19] |
| Skills vs. Communication | Technical skills matter more; CISOs can bridge communication gaps | Danny: "I'd always take the nerds..." [19:40] |
| Simplicity vs. Complexity | Embrace complexity internally, make security simple for users | Mike: "Complexity is the enemy..." [22:30] |
| Sophisticated Attacks Myth | Most breaches are due to basic missteps, not advanced attackers | Danny: "Most of the time not sophisticated..." [23:33] |
| Zero Trust Philosophy | It's a mindset/least privilege, not a product; marketers have muddied the term | Danny: "Zero trust is just... least privilege" [35:47] |
For further insights, visit the CISO Series Podcast page and explore additional episodes for ongoing debates, tips, and real-world stories from practitioners and vendors alike.