
Narrator
What I hate about cybersecurity. Go.
Mike Mello
I think that we've ultimately normalized looking secure instead of actually being secure in the industry. And what I really mean by that is how organizations are really good at passing audits, checking boxes and showing fantastic dashboards. But if you actually simulate a real attack path, a lot of that is going to fall apart really quickly.
Narrator
It's time to begin the CISO Series Podcast.
David Spark
Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO series and joining me as my co host, he's one of your favorites. It is Mike Johnson, the CISO of Rivian. Mike, say hello to the audience.
Mike Johnson
Hello, audience. Great to be here with you today.
David Spark
He really means it.
Mike Johnson
I mean it. Just like I am one of your favorite in that there's only like three of us.
David Spark
One of your favorite. He's the original. Yes, he's the original. By the way, we're available at cisoseries.com if you do not spend all your time there.
Mike Johnson
Yeah. What are you doing then?
David Spark
Hopefully you're getting your work done though. But hopefully you're spending a good amount of your time there. And we have other programs. We got four other programs, plus we produce lots of content, by the way. Follow us CISO series on LinkedIn. If you're not already doing that as well, let me mention our sponsor, a phenomenal sponsor of the CISO series and that would be Vanta. Automate Compliance, Manage Risk and Accelerate Trust with AI. That is Vanta. We will talk more about that a little bit later in the show. But first, Mike, I want to talk about something that has been driving me crazy.
Mike Johnson
Oh, the target. Okay, great.
David Spark
And I'm just a journalist, but you are the target of this. And that is these research reports that vendors commission that simply validate their existence.
Mike Johnson
Yeah.
David Spark
And you know what I'm talking. And it's the. Do you know that 3/4 of CISOs are concerned about this type of attack?
Mike Johnson
It's amazing. Whatever that is, whatever that is.
David Spark
I'm sure you've seen a few of these. I just, I keep receiving these reports. I received some from. They go, we're about to release a report under embargo that's going to mention this and a lot more. And I go, that's not news.
Mike Johnson
Don't tell anybody.
David Spark
That is not news. But, but the thing is, is that this still plays into the good old fashioned world of FUD.
Mike Mello
Yes.
David Spark
Fear, uncertainty and doubt. And I go, that in no way does that help a security professional build a security program. But I just want to, a, I want to know what is your reaction to those? My guess is it's like window dressing. You don't see it. But second, and we've talked about this before, there are reports that do help you. Correct?
Mike Johnson
Yeah. The ones that you're describing, I'm numb to them. I don't even notice them anymore. I understand why vendors do these and I understand why that there are CISOs out there who enjoy them. They use them to validate their own investments.
David Spark
Yes.
Mike Johnson
This is proof that I did the right thing or that we're doing the right thing.
David Spark
Good point.
Mike Johnson
The types of reports that are useful are the ones that are by independent labs or they are by non security vendors.
David Spark
Let me qualify. You have said that you're a big fan of the Verizon data breach investigation report.
Mike Johnson
Exactly. That is an example of one that is impartial. And that's really where I was headed is the best ones are the ones that are impartial. They don't have an agenda other than to share the information or to share the research that they've spent a lot of time on. The Verizon data breach investigations report is really one of my favorite for that reason. And it's been consistent, gosh, for decades now.
David Spark
Yeah. And the thing is, it comes out once a year and it means so much to the industry.
Mike Johnson
It's the equivalent of in the futures markets where there's like the annual farms report or the annual futures for mining. Those things are very heavily watched out for.
David Spark
It's for CISOs to grow their cyber crops.
Mike Johnson
Yes, Grow our cyber crops.
David Spark
All right, let's bring in our guest. Very thrilled. First time this guest's been on the show. He has an enormous collection of guitars behind him. It is a CISO for the TMX group, Mike Melo. Mike, what is behind you? Are those basses or guitars?
Mike Mello
These are all electric guitars.
David Spark
All electric guitars. It's quite a collection. How many are there? I think I only see part of them.
Mike Mello
Yeah, there's 55 in this room, if you could believe it.
Mike Johnson
Oh, my gosh, 55.
David Spark
And how many hands do you have?
Mike Mello
I still only have two, but I make it work.
David Spark
All right, thank you for joining us, Mike.
Mike Mello
Thanks for having me.
Narrator
It comes down to the fundamentals.
David Spark
Quote, every point of friction has a cost. If it doesn't earn its place, it shouldn't exist. End quote. This is Brett Conlan, CTO over at American Century Investment, and he frames it as deceptively simple. Friction doesn't just slow teams down, it changes their behavior. Extra approvals, redundant tools, processes that exist just in case. These all feel defensible in isolation. But collectively, they push people off the intended path and onto workarounds that introduce the exact risks the controls were meant to prevent. The real tell is that controls get added faster than they're removed. Most security programs never ask if an existing process meaningfully reduces risk or improves outcomes. Is it, I'm going to ask you, Mike Johnson, as simple as asking that for your controls and processes? I mean, can you just ask this question, and if so, how much extra process baggage are we all sort of holding onto?
Mike Johnson
I think the most interesting point in here is about the introspection of your current controls.
David Spark
I mean, I got to imagine not a lot of people do this.
Mike Johnson
You don't do it because it's too easy to leave that which is in place, leave it there. Inertia is a powerful force, and so people tend to leave those controls in place. And there's also, as security professionals, we are also risk management professionals. There's an element of risk involved in removing an existing control. If you remove that and then there's a incident, it's not going to look very good. You know, why did you do that? So I think people are very hesitant to look at those controls because if you're not going to remove them, then why are you spending the time even looking at them? But in terms of dealing with it, there are natural opportunities that occur all the time. Like if you get a new team member, just ask them, hey, what do you think of our controls?
David Spark
New eyes definitely help.
Mike Johnson
The new eyes really do help. And that's one of the opportunities that you have. There could be some other business shift, a new technology shift, like, I don't know, AI. That's a really good opportunity to take a look at your existing controls and then say, you know what? These aren't holding their weight anymore. Let's get rid of them and let's either replace them with something else or just genuinely eliminate them because they're not bringing any value.
David Spark
All right, Mike, I'm going to throw this to you. Have you done this exercise? And I'm interested. Have you actually removed a control?
Mike Mello
Yeah, great question. Answer is yes and yes.
David Spark
Okay. And let me trust the process that went into it, too.
Mike Mello
Yeah. So I think again, like, great callouts by Brett and Mike, heavily echo everything that you're saying here. Right. Like, it's. I think companies have what I would call these legacy controls just as, like, they have legacy tech. And instead of tech debt, it's really control debt. Right. And what I think we've created is this culture where adding controls is safe and then removing them is risky, as you were alluding to there, Mike. Right. And so I think that what we're seeing is we see controls accumulate, right? The workarounds are increasing because the easiest path forward is always the path the end user or anyone will take. Right. And so we have to make security extremely simple. And the easiest path forward, if it's not, will have workarounds and user behavior just won't adopt what we're implementing. I actually have instilled a mindset behavioral shift with all of my teams. Anytime I'm at, from my previous companies or current company, really, I ask my team to always be mindful of three questions. Those three questions are: do we absolutely have to be doing what we're doing? If we are, is this the most efficient and best way to do it? And third, the third one being, are we getting the value or output that we expect of that object or widget? And so when we look at this from a control landscape, this is very much this mindset of challenging the norm or how we've always done things. And I'd say that one of the biggest things in making that determination or decision around removing a risk is that it has to be a measured decision. Right. And not like a career risk, as Mike was alluding to, because we can sometimes want to remove things. But I think there's also, you have to have the evidence behind it to really assist with the acceptance of the risk removal. And you kind of have to quantitate why and whether it's not working or it could be better. It needs to be tweaked. We do this a lot in SOC anyways, right? When we're tweaking use cases and so forth.
It's a very similar type of construct, but it does take time to go through, quantitate what you're seeing, and then put it into effect.
Narrator
How can we align different departments' objectives?
David Spark
Quote, one innocent prompt has led to the spread of customer financial data into multiple exposed, unsanctioned locations. Pranava Aduri of Bedrock Data sees most data security tools working like X-rays. They see patterns like credit card numbers in an S3 bucket, but miss the soft tissue of lineage, entitlement and business context. An MRI sees a whole organism. Not just what data exists, but who touched it, where it came from, and whether that access made sense given policy. Right now, legal writes a policy, the business holds the context, security manages with controls. None of them are looking at the same picture. So if X-ray tooling can't see what AI workloads are doing with the permissions they've been granted, how does any compliance obligation get enforced? And I mean, do you believe this premise, Mike Mello, that these three groups are working in silos and they're sort of having different viewpoints on the environment?
Mike Mello
Absolutely. I think this has been a challenge even back in the data governance layer of an organization and having strong data governance posture. And so I've been a strong advocate of data security programs, especially at the dawn of the DSPM revolution, say, like almost four years ago now. And Pranava is definitely on point here. I think his core points are very accurate. I would say that data inventory, data lineage, these are all fantastic things, but there is this fragmentation between the different business groups, and similar to how we're looking at governing AI with this shared accountability and responsibility, I think the same needs to be applied to data security.
David Spark
Right.
Mike Mello
Everybody needs to have an understanding of, you know, what is this data, why is it here, where does it come from, and what do we do with it to be able to govern it? And especially as we start looking at getting into agentic AI, if you do not have the foundations and fundamentals at play in your data security program, it's going to reap an exorbitant amount of havoc in your organization.
David Spark
Yeah. And by the way, that's a good way of saying it's going to be havoc in your organization, not just for the security and privacy, but like, well, privacy over to the legal department, but with everybody else trying to make sense of it, it's just going to go out of control.
Mike Mello
Absolutely.
David Spark
All right, I'm going to throw this to you, Mike. Mike, do you agree with the sort of the analogy of X-rays and MRIs that Pranava put forth here?
Mike Johnson
I'm a little lost with the analogy, but conceptually the.
David Spark
Well, you're not a doctor, Mike, and
Mike Johnson
I don't even play one on TV, but I recently stayed at a Holiday Inn Express. Anyway, I think the concept and really what they're trying to get across, and as Mike was mentioning, you need to think in terms of systems. It can't just be these individual components; all of these fit together.
David Spark
Well, a body is a system, and I think that's what he's also talking about.
Mike Johnson
Exactly. And I think that's fundamentally what the attempt, the analogy, was: to really talk about an enterprise or a set of environments as a system, rather than just their disparate components. And I think that is something that's very much long been needed. And it's all the more so in this world of AI where these systems are using data in ways that we don't expect. They're not deterministic systems, and so we can't say, well, it always uses this data in this way. Knowing what you have, where it comes from and how it moves through your environment, Mike was referring to data lineage, that is really critical so that you know what, right? What are the correct controls to put in place so that you're not just adding unnecessary friction, that you're actually bringing value with those controls. And ultimately the goal is to enable the business to move faster. Like, that's always what we're after. Everyone is very much like, oh, there's always a little bit of fear of AI. But if you know what your data is, where it comes from and how it's going to be used, there's a lot more freedom that you can give to the business to go faster.
David Spark
What's the one thing in business that's spreading as fast as AI? It's AI risk. Yeah. Every new tool your team signs up for, every vendor that turns on AI features, every new integration, each one is an opportunity for something to go wrong. And most security programs weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform used by over 16,000 fast moving companies like Ramp, Cursor and Harvey to ensure they're always audit ready. And now Vanta is helping companies like yours watch for the risks that show up between audits across your vendors, your AI tools and your whole environment. How? Well, the Vanta agent works like a 24/7 GRC engineer in the background, finding issues, drafting fixes for you and cutting vendor assessment time by up to 50%. Whether you're a fast growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and improve trust. Why not get started today at vanta.com/CISO. That's V-A-N-T-A dot com slash CISO. CISO. Remember, add that CISO at the end. Easiest way to let Vanta know that you heard about them from the CISO Series.
Narrator
It's time to play What's Worse.
David Spark
Mike Mello. I know Mike Johnson knows this. Mike Mello, are you familiar with the game What's Worse?
Mike Mello
Yes.
David Spark
All right, so you know how this works: two bad scenarios. Both stink. You have to tell us, from a risk management exercise, which one is worse. I'm going to have Mike Johnson answer first, and you can agree or disagree with him, but either way you have to give your explanation whether you agree or disagree. All right, this comes from Neil Saltman of Ahead. He has sent us lots of wonderful What's Worse scenarios. And here, I like this one. Get ready, Mike Johnson.
Mike Johnson
Great.
David Spark
What's worse? Hiring an employee who seemed qualified but proves to be clueless once they start working for you, or a lazy employee who's capable but not getting the job done?
Mike Johnson
Okay, so you've got somebody who you thought was great and they're just not delivering.
David Spark
Right. So you've kind of blew it on that respect.
Mike Johnson
Right. Versus somebody who is capable but is
David Spark
unmotivated, but they're being lazy and they're not. So I kind of see that it's, it's also both failures on you as a manager too.
Mike Johnson
That's actually kind of where I was going to go on this. And, and the one which one can be dealt with tolerated is.
David Spark
Which, also remember, this is What's Worse. It's also a risk management exercise. Like, which one's going to create more risk for you too?
Mike Johnson
You know, the reality is I think there's not enough in the scenario to say one's more risky than the other.
David Spark
Yeah, yeah. I think they're essentially equal in that respect.
Mike Johnson
So like we'll cancel out the risk and really think about what is the. What's more bearable, what's more problematic for the rest of your team. Like what is going to drag down the rest of your team. What is more.
David Spark
There you go. So we have clueless and lazy. Those are two bad ones.
Mike Johnson
And I guess bringing it back, the. There is an element of risk here that the clueless one is generally going to be the one that's riskier because they don't know when they're about to make a mistake or that they've just done something really bad versus in some respects.
David Spark
Well, the lazy one could just.
Mike Johnson
They're just not gonna do anything.
David Spark
Ignore mistakes like just.
Mike Johnson
They're just not gonna do anything.
David Spark
And so that means there'll still be mistakes happening.
Mike Johnson
Well, maybe the reality is they just don't do anything at all. And so that means they don't harm any.
David Spark
This is a Sophie's Choice.
Mike Johnson
It really is. And so honestly, I think I'm just gonna go with the one that's clueless is worse. Is worse. Because at least the one that's lazy, they probably have some self awareness, but the one who's clueless doesn't. Yeah, the
David Spark
lazy employee is capable.
Mike Johnson
Yes.
David Spark
So that actually. There you go. All right, Mike Mello, throwing it to you. Which one do you think is worse?
Mike Mello
Yeah, I think it's actually the. Yeah, the lazy employee. Right. Because. And I think it.
David Spark
Who's capable of not getting the job done.
Mike Mello
Yeah. And I think it also matters on what your next decision is. Right. Because both of them, as you guys said, is a management problem. Like, you've obviously hired somebody and weren't able to sift through maybe some signals or the capability side. And then on the other side, you have an issue where turns into, like, lack of ownership or there's a signal. Right. From. From just you're not managing that person well. So I think you can act really quickly and like. Yeah, you sink a bunch of time into getting rid of the bad hire.
David Spark
Well, no, no. First of all, the way the. What's worse is you can't change the scenario. This is it. This is what you got.
Mike Johnson
You're stuck with these people.
Mike Mello
No, no, no. Yeah, that's what. That's. Oh, you're completely stuck with these people.
David Spark
Yeah, yeah, they're stuck. They're the CEO's son and daughter, and they stay with you forever.
Mike Mello
Oh, geez. Then it's the. It's the. Probably the clueless one.
David Spark
Oh, so now you're switching.
Mike Mello
Actually, no, actually, you know, you know what? I'm gonna stick with. With my original, because I think the clueless one, I can educate and train, whereas changing behavior is a lot harder to change than educating.
David Spark
I think that's.
Mike Johnson
That's fair.
David Spark
Yeah. I mean, they're going to stay pretty much clueless, but that's a good point. And also, lazy is an attitude problem.
Mike Mello
Yeah.
David Spark
And you're not going to change attitude. No. So now. Now. Now, the most important thing is we want to know. So you disagree on this, which is great. Have you hired these people before and are they currently working for you?
Mike Johnson
I have.
Mike Mello
And no, they're not currently working for me. I think everyone's kind of experienced that.
David Spark
Which, by the way, have you. Have you hired both scenarios? I'm sorry, Mike Mello, have you hired both scenarios?
Mike Mello
I've hired one that was clueless, yes. Early in my career.
David Spark
Okay, well, so you. Look, you were clueless in hiring.
Mike Mello
Obviously, I didn't have to live with it, though, so I was thankful for that. No, I haven't really been stuck with someone who's lazy.
David Spark
All right, Mike Johnson, have you hired either one of these people? Hired or been brought on and got stuck with?
Mike Johnson
Had to work with for sure.
David Spark
Yeah. Okay.
Mike Johnson
In both scenarios. And no, I'm not working with either of these archetypes, so.
David Spark
But you can't tell anybody. Obviously. You could probably tell me their names of these people. Yes.
Mike Johnson
I'm not going to do that on air. Jeez, David, were you trying to trick me into. Just like.
David Spark
That was the whole. I was just like. Why don't you say it calmly enough?
Mike Johnson
It was David.
David Spark
And then Mike all of a sudden will blurt out the name.
Mike Johnson
Yeah, it was David. He was both.
David Spark
But that would be pretty bad if you have both.
Mike Johnson
That's awful.
David Spark
But by the way, have you ever had a nepotism situation where you had to work with somebody or.
Mike Johnson
No, I have not.
David Spark
Have you, Mike Mello?
Mike Mello
No, I have not.
Mike Johnson
That sounds terrible. I know.
Narrator
There's gotta be a better way to handle this.
David Spark
There are now 68 different vendors out there selling an AI SOC solution. Now, this comes from Richard Stiennon of IT Harvest. I got the number from him. They all have knowledge of your environment. But is that the same as the institutional knowledge a senior SOC analyst has baked into the system? Can that be made available to AI? That's the wisdom-led SOC. And Ross Young of CISO Tradecraft challenges the handover to AI. So he challenges all these sort of AI SOCs that are out there. How do you test it against the CPR model? And he calls it C for confidence: can you see why a decision was made? Precision: can it fix the problem, for example a malicious file, rather than taking out a system like a domain controller? And reversibility, the R in CPR: is there an undo button when it makes a mistake? So I will start with you, Mike Johnson. How do you build that into your testing and continuous auditing of an AI SOC? And I mean, is AI coming into your SOC? Let me ask you that.
Mike Johnson
First, I want to point out that it was 68 at the time of recording.
David Spark
Yes.
Mike Johnson
I'm curious to know if it is, how much more it is by the time we air.
David Spark
No, no. Actually, no. So here it is. It was 54 originally.
Mike Johnson
Oh.
David Spark
But then, because I had written something about this and Richard Stiennon, because Richard Stiennon was the one who said 54, he goes, the number went up, it's now 68.
Mike Johnson
Yeah.
David Spark
So it is growing. Like, I got to imagine at least half of them are in the past year, at least.
Mike Johnson
And so by the time this airs, odds are the number is not 68
David Spark
anymore, although some may fall away.
Mike Johnson
So I'm very much in the build camp when it comes to AI SOC.
David Spark
Right, I know. And that has been your model as a CISO and you've had.
Mike Johnson
That's where I live.
David Spark
Yeah.
Mike Johnson
But I do believe that AI is something that can really empower SOCs. It can really help them get through just the flood of alerts that come in. It can help them design their detection capabilities. It can even allow them to be more tolerant of false positives, because it's not going to be spending the time of a human to go and look at that thing. So I genuinely think there's a lot of value here. The trick is, how do you bring that knowledge that your SOC already has into one of those systems? Odds are you have playbooks. So you can bring those playbooks and you can use that to educate the AI: how should it deal with this situation? You should absolutely have metrics and measures and know, are things getting better or worse as a result of your usage of AI? And those are things that I think that people may not really think about when they're thinking of moving to AI SOC. It's like, oh, I'm just going to be able to go so much faster, or I can scale my capabilities so much more. But there's groundwork that you have to put in place first. You have to have those metrics, you have to have playbooks, otherwise you're just going to waste a whole lot of money, a lot of time and probably end up in a worse place than a better one.
David Spark
All right. Giving the sort of the guidance, the help to an AI SOC, which seems to be the trend these days, what's your sort of. In this CPR model that Ross Young put out, Mike Mello, is this, I mean, is this a good way of testing it? I guess is my question.
Mike Mello
Yeah, I think so.
David Spark
And just to remind everybody, the three, it's confidence, precision and reversibility, are the three of CPR. Go ahead, Mike Mello.
Mike Mello
Yeah, I'm pretty bullish on AI SOC and more so agentic. Right. I think as a guiding principle, I'm seeing this as machines need to meet machines on the battleground. Right. And if you think you have alert fatigue now, just wait until you start loading up a bunch of different generative AI or agentic in your ecosystem, let alone an adversarial agentic attack. Like, there's no way to keep up with this. Now, I do think when we look at the confidence, precision, reversibility, CPR model, this is where we're going to struggle. Right. Because there is a lack of context with these agents in the AI SOC model, and unless your company is extremely well documented and mature in that regard, it's going to lose a lot of context that you would have from a senior analyst. And so what that really requires to be this wisdom-led model is feedback loops. And we have seen managed SOCs decay over time because we don't give, well, feedback loops to our managed SOCs and we don't treat them very well as, like, extensions to our team. And that is how we're going to have to treat AI SOC, as an extension of our team, and provide this feedback, right, on analyst decisions, near misses, and feed all of that back into the system. I think on the reversibility side, I look at this as having almost like an agent moderator. So we're going to need an accompanying agentic fleet to be able to engage with agents on our side from a defensive perspective in a lot of different ways based on our enterprise architecture, or an agent for change management and risk evaluation on what that agent is going to do. Because as humans we can't possibly be expected to stay in that loop. There is obviously going to need to be an escalation point and so forth. But I think for reversibility, I look at it as almost like a trading market, that we need a circuit breaker. Right. So if your agent starts, I would say, operating outside of the norms of the archetype, then it needs to have a circuit breaker and halt it. Right.
I think that the reversibility is going to be tricky, but I'd say a preventative control around disaster is something that we could really look into as a real possibility.
Narrator
What's a CISO to do?
David Spark
If your program only works when you sit high enough in the hierarchy, it was fragile to begin with. For Brian Blakely of Bellini Capital, the perpetual reporting line debate is a distraction. Security is a horizontal function in a vertical world. You don't control engineering, HR, operations or sales. Regardless of who you report to, you get things done through influence, credibility and risk communication that lands with operators and executives alike. That's a lateral game, and no org chart position plays it for you. Quote, if I only reported to the CISO, end quote, isn't a structural critique, it's an excuse. So I'm going to start with you, Mike Mello, on this. How should security leaders build cross functional credibility before they have the positional authority to demand it? So I mean literally, this is actually for someone who could be nowhere near the CISO position. I'd like to know what they could do. What do you think?
Mike Mello
Yeah, absolutely. I love this question. Right. Because it's the commonly debated question on who the CISO should report to, or hierarchy being a hurdle from you being able to execute or be successful. And I think what you can really do is, again, we have to elevate ourselves outside of technology, speak the language of the business, but what that really means is also understanding the business. Right. You really need to understand what makes them tick, what are their driving forces, and you need to be able to make risk actionable and ultimately reduce friction. Right. We can't be the beat cops always beating people down here.
David Spark
And everything you're saying, correct me if I'm wrong, is something anybody can talk about in security. It doesn't have to be the CISO. Correct?
Mike Mello
Absolutely. And I think that's really where we start compounding credibility. Right. And I think that how people need to start showing up to the business is consistently and honestly solve a real problem that that business cares about. Right. Be that person that shows up, they follow through. You don't create a bunch of noise, because once people start to see you as someone who helps them succeed, influence will just show up naturally. And I think the irony of all of this is by the time you get the title, you shouldn't need it anymore.
David Spark
That's a great line. Oh, that's a quote we're keeping right there. All right, Mike Johnson, try to beat that.
Mike Johnson
I don't think I can. I think that's a. That's a very wise way of thinking about it, in that if you're relying on the title, either yours or your direct supervisor, your direct manager, your boss, whatever term you want to use, you've already lost, you're not going to be successful.
David Spark
Good point. Yeah. So the people who do that are either making excuses or waiting for something so they can do something which you shouldn't have to.
Mike Johnson
I think excuse is the right way to put it. It is making an excuse for not being successful, for not enabling the kind of security program that a company needs and saying, oh, well, gosh, if only I had X, where X could be more money, more people who you report to, all of these. Right. And I think that that's really the failing of this perspective, is you need to build your own influence, and you can do that without having to say, hey, I report to the CEO. You have to listen to me. Like, if you're falling back on, you have to listen to me. Then again, you failed.
David Spark
But okay, but I want to go back to the question I asked Mike Mello. Your advice for someone even at the lowest levels in security: how they build this level of trust with others, so that people will look to them even though they don't hold any specific title.
Mike Johnson
A lot of that is meeting people where they are and helping them. Like Mike mentioned it, how can you support them? How can you make them successful? And how can you do that in a way that maybe it's invisible that you're doing that, but this person is aware and they're going to come to you and look for help. They're going to come to you and look for how do I solve this problem over and over and over again. And the next thing you know, they're now depending on you. And you can then implement the capabilities that the, that the company needs. And you're doing so with the context of the other folks in the business knowing what they need and how to support them. And context is king these days in so many different ways. And this is one of those.
David Spark
Well, that brings us to the end of the show and this was a fantastic episode. Just packed with amazing advice. Thanks to the two mics on the two mics.
Mike Johnson
So many mics.
David Spark
We were talking about this earlier and the 55 guitars. Mike Mello, is that how many?
Mike Mello
Yeah, 55. And growing.
David Spark
Of course it's growing. You can just stop. Let me ask you, what does the 56th guitar need to have that the previous 55 don't have?
Mike Mello
Honestly, it's. It's how I feel in the moment.
Mike Johnson
That's fair.
David Spark
So you can't answer now. It's just gonna be no, you're gonna walk. So is it. First of all, do you buy these all in person or are you looking online or what is. How do they get purchased?
Mike Mello
I source them all over the world. So sometimes when I'm on my travels, sometimes online through different marketplaces. But yeah, usually I go for more boutique, unique, kind of collectible side. But I also play them so they're hanging wall art that I get to enjoy.
Mike Johnson
Nice, right?
David Spark
Well, I would hope you'd play them. So how long you been playing guitar?
Mike Mello
I'd say probably like seven or eight years in total. Actually. In my spare time, I moonlight as a student at Berklee College of Music in the guitar performance majors program.
David Spark
Excellent. Well, thank you very much for joining us and we would love to get you back again. I want to thank our sponsor and that would be Vanta. Remember, automate compliance, manage risk and accelerate trust with AI. Go to their website vanta.com and do me a favor, go to vanta.com CISO just a super simple way to let them know. Hey, we heard you on The CISO series. This is how you'll know that. We heard you. We're going to type in vanta.com CISO so thank you for doing that. Mike, any last words? I'm going to say Mike Johnson first. Any last words?
Mike Johnson
Thanks for joining us, Mike. What I really appreciated and the thing, one of the things that you'd said was machines need to meet machines on the battleground. And I think that's something that folks really need to keep in mind. That's the world that we live in today.
David Spark
That is a good point.
Mike Johnson
And is only going to be more and more important. And so you really need to step up your machine game because there's machines out there that are coming after you.
David Spark
Yeah, like you. Yeah, you can poo poo AI all you want, but it's just like, well, the machines are going to be the ones attacking.
Mike Johnson
So, yeah, poo poo AI all you want. It's here. So thank you very much for that, Mike. But, you know, in general, thank you for sharing your insights with our audience today. It was great chatting with you and
David Spark
Mike Mello, you get the very last word here.
Mike Mello
Yeah, thanks for having me, guys. This was a blast. I really had a great time. It was great chatting with both of you, getting your insights as well. Again, I think it's all about just sharing and building a community together. Together. And I do share quite a bit on LinkedIn here. I try to get a little nerdy and guitarist sometimes with my hot take Tuesdays. But, yeah, I think we just need to level up how we're viewing things and honestly start thinking a lot differently.
David Spark
I'm in agreement. So when we say think differently, that means don't tell us that X percentage of your colleagues are worried about some kind of a threat.
Mike Mello
Exactly.
David Spark
All right, thank you very much, Mike. And Mike, and thank you to our audience as well. We greatly appreciate your contributions. In fact, let me say this again, I need a lot more what's worse scenarios. Make them creative, make them challenging, make them equal. They could be equal really bad or equal slightly bad. Either way, that's fine by me. And we love fun, creative stories around them. Send them to me. Always need more what's worse scenarios. Thank you very much everyone for your contributions and listening to the CISO series podcast.
Narrator
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series podcast.
Podcast: CISO Series Podcast
Episode: Our Data Security Policy Is Transparent in That It Doesn't Exist
Date: June 2, 2026
Hosts: David Spark, Mike Johnson, Andy Ellis
Guest: Mike Mello, CISO of TMX Group
This episode dives into the realities of modern cybersecurity practices—what’s working, what isn’t, and how teams can move beyond “security theater” toward real risk reduction. From vendor-circulated FUD (Fear, Uncertainty, and Doubt) to legacy controls, aligning business and security, and the actual adoption of AI in Security Operations Centers, the group pulls back the curtain with candid debate, practical tips, and a bit of humor.
On Inertia and Control Debt:
Mike Johnson (06:18):
"People are very hesitant to look at those controls because if you're not going to remove them, then why are you spending the time even looking at them?"
On Data Security in AI World:
Mike Mello (12:04):
"If you do not have the foundations and fundamentals at play in your data security program, it's going to reap an exorbitant amount of havoc in your organization."
On Building Influence:
Mike Mello (31:04):
"The irony of all of this is by the time you get the title, you shouldn't need it anymore."
On AI and SOCs:
Mike Mello (26:05):
"Machines need to meet machines on the battleground... let alone an adversarial agentic attack—there's no way to keep up with this [without AI]."
For more resources, shows, and to join the conversation, visit cisoseries.com.