
All links and images for this episode can be found on . This week’s episode is hosted by me, (), producer of CISO Series and (), partner, . Joining us is , Vice President & Chief Information Security Officer, . In this episode: Minding the...
A
What I love about cybersecurity.
B
I love cybersecurity because there isn't a blueprint to follow. Every day you're waking up and seeing the dynamic threat landscape, responding to new technologies, and it's really, really energizing for me to be able to do that. The level of innovation and creativity really kind of gets me going.
A
It's time to begin the CISO Series Podcast.
C
Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my co-host is Andy Ellis, a partner with YL Ventures. Andy, say hello to the nice audience.
D
Good evening, folks. Or depending on where you are in the world, good night, good morning, or good afternoon.
C
Or maybe they're just listening to us as they're sleeping and they're hearing us in their dreams.
D
It totally possibly could be. In which case, sweet dreams.
C
Sweet dreams. There you go. We're available at cisoseries.com, where you can find lots of our wonderful programming out there. And our sponsor for today's episode is Entro Security, the non-human identity and secrets security platform. NHI: non-human identities. This is what they deal with. More about exactly that a little bit later in the show. Now, Andy, I'm going to bring our guest in right now because you did something that made me think that Deneen deals with this all the time. Now, our guest for today's show is the VP CISO of United Airlines, Deneen DeFiore. Deneen, welcome to the show.
B
Hi. Thanks for having me.
C
All right, so here's my question. And Andy said, everyone flies, or most everyone flies. Once you tell someone you work with United Airlines and everyone's got opinions, everyone lays it onto you. They go, oh, I love this. I hate this. Yada, yada. And how annoying does it get after a while?
B
No, it never gets annoying. I'm always, I love to hear, but.
C
Like, you become this customer service representative wherever you go.
B
Yes, I do, I do, I do. And people seek me out for that. Not only people I know. People I don't know on LinkedIn and Twitter or X, whatever it's called now, they find me and talk to me about it as well, too. But always open to feedback and happy to help.
C
But if you go to like a cocktail party, you're out there with friends, you. They ask what you do, you let them know you work for United Airlines. Do you then get an earful?
B
Yes, I do. I do. I become either the customer service agent or the travel agent, either one.
C
So and so you're cool. You're saying this with all. With a smile on your face because I like to think is as Andy was peppering you with, with his travel things, and he wasn't specifically attacking you, he was just sort of blaming the entire industry in general and then listing off a series of other airlines. You went along with the whole thing. It seems like you're cool with it.
B
I am. I am. And I love the industry. Right. There's always positives, there's always negatives, there's always room to improve. But I love aviation. I've been in it forever, so I'm here to stay. I'll take the feedback.
D
When I was doing work with Orca, I gotta say, Deneen and the whole United crew were fantastic because I would take Orky Orca, the stuffed animal, with me and take pictures in the lounges, on the planes, et cetera, and everybody was engaging. It was amazing.
B
Yes. We loved it.
C
It's just a small stuffed animal. It was no big deal. It wasn't like you were bringing an actual orca onto the plane.
D
No, but it was like, right as people are coming out of COVID, there's not a lot of flyers. And so having somebody out there, I provided very direct commentary on the food selection in every single club.
B
Yes, yes. It was good engagement. Great engagement.
C
We appreciate being a good sport.
A
Can't we all just get along?
C
Quote: Despite the belief that cyber regulations are helping the organization, there is a significant difference between CEO and CISO confidence in their ability to comply with these regulations. Now, that finding came from PwC's 2025 Global Digital Trust Insights report. And there are some pretty big gaps. So less than 2% of executives have implemented cyber resilience across the organization. Less than 50% of CISOs have CISOs involved with strategic planning. And CISOs aren't nearly as optimistic about complying with cybersecurity regulations, particularly around AI. And only 15% of CEOs measure the financial impact of cyber risk. So this is like eating an elephant. You just start by taking one bite at a time. Andy, where should CISOs begin chewing to start closing these massive gaps?
D
So let me start by throwing some shade at this report.
C
Okay.
D
Like first of all, the 2% headline number is only 2% have implemented across the organization in all areas. Everything. Like, I am surprised you find 2% of the people who are willing to say yes, we have implemented every possible cyber process across every part of our organization.
C
It could be 2% are liars too.
D
I'm surprised that only 2% are lying. Flip it to the other side of this one. It seems like that one should be more. Let's start with that. Let's not get scared by that 2% number. Let's also note that compliance for its own sake and recognize this is coming out of one of the big four firms. They want you to implement lots of process, pay them lots of money to do it. I really want a risk based model and I think they aim for this, go where your risk is. But they're focused on risk quantification. And I think every reader here and listener here knows that I am the person who thinks that cyber risk quantification is snake oil. Like, people shouldn't be doing this. It's useful as a way to sort of get your brain in order. But this is not like, since we've got Deneen here, it's not like trying to quantify fuel loss. Like, there are some really easy quantifiable things that you say, oh, look, if we fly into stiff headwinds, it costs us, it is many more dollars. But there's a reason that when you. The system safety world, which is what good security people learn from, really learns a lot from the airline industry in which you talk about unacceptable losses, not about dollar losses, but there's a reason that when a plane goes down, airlines stop saying passengers and start saying souls. Right. To basically say, we're not going to quantify a loss here. This is just unacceptable. And if you're trying to do quantification with unacceptable losses, you've already missed the boat.
C
Well, and that changes industry to industry. Okay, so there's a cyber resilience. And the resilience that you have at United Airlines is probably very, very different than many other organizations too.
B
Sure.
C
So you are probably in this low percentage that has a cyber resilience across your organization. You don't have to speak to your own specifics for any matter. But whether this is true or not, how do we close gaps in this sort of both CISO and CEO thinking?
B
Right. Well, I think the first bite of the elephant really is to get that alignment between your CEO and your senior leadership. Because if they don't see the CISO as an integral part of the leadership team, the strategic planning, we have to make them see that. Right. We have to advocate for our roles, that we're enablers of digital trust, not just defenders of threats. And that means ensuring operational resilience. Right. If there is an outage related to a cyber incident and we can't fly planes, that's a real impact on the business. Right. Flights get delayed, flights get canceled. If we don't meet our customer trust obligations and people don't trust our brand because of whatever digital interaction, then that's a real impact on the business and the bottom line. So really getting that alignment and establishing the impact you can make as a leader is really, really important from a cybersecurity perspective.
C
Because I'm in 1000% agreement here. But can you give me sort of a little like brass tacks, feet on the pavement of how does a security leader say, hey, I don't think we're on the same page here. How do we get there? Like, how does that actually happen? Because, I mean, think about this. Even in a marriage, couples have to get an alignment of how they raise the kids. Like, you know, that's tough too.
B
Yeah, I mean, it is really that constant communication and I'll say alignment to the business objectives. You have to be in the operating rhythms that your operations and your business leaders are. You can't be separate than that. So you need to be in the daily start the airline call. Right. Or start the operations call. And you have to understand how to connect those dots to say, oh, okay, what we're doing makes a difference. And I need to understand this risk and I need to communicate now to that operations leader about XYZ. And it's different for every business, but you really have to make sure that you are proactively embedding yourself in the operating mechanisms of your business, not just sitting off to the side doing your cyber risk reviews or your incident reviews or whatever. It's the operational pieces that really make the difference. I always say, like, I know we have to protect data and that's what we do. But given the state of data protection as it is now versus 20 years ago, that's not the table stakes anymore. Protecting the operation and enabling your business outcome is the table stakes for the cybersecurity leader. It's not did you have data loss? Okay. It's, you know, we don't want that to happen, but it's really about, did you enable the operations to make the money, to enable the service to deliver the goods right within a timely and safe and quality manner? And if there's something that happened, can you get it back to normal operations really quickly?
A
Is AI going to help us or hurt us?
C
When we think about AI risk, a lot of times we focus on the models themselves. The more fanciful will invoke, sort of, a Skynet apocalypse. The more banal concern is leaking company data, but what are the actual risks the output of these models can create? Sean Waterman at Compiler argued that these can create lazy code, with tools like GitHub Copilot being fantastic resources for seasoned developers, but can introduce risk in less experienced hands. Now, as companies see these tools as productivity superchargers, there's increasing pressure to use them to ship code more quickly than ever. And on the threat actor side, we're seeing these tools being used to simply extend traditional cyber attacks, just potentially with more skill. So, Andy, I'll start with you here. When it comes to the risk these AI models introduce, what's your focus like? Where do you truly see the real risk?
D
So I think this is in the right direction. The risk really is around do we trust the output and are we learning from that process? And the best article I have yet read about this was written in 2002 by Joel Spolsky, who writes an article blog post called The Law of Leaky Abstractions. And he's really talking about Java at the time. He basically says, look, there's a lot of things that live under an abstraction barrier that if you understand what's going on there, you then can see what's happening above it. When you see your code behave in a certain way, you might be like, oh, I probably have a memory leak or I'm not running on big enough hardware, whatever it is. And when you lose that understanding of the knowledge of complexity of what's going on underneath it, you sort of don't have the ability to reason about what's happening. And if you let AI write your code, you just think of AI as basically being like Visual Basic or Java or something else that's an abstraction barrier between your prompt engineering and some other level of code, which then has more abstraction barriers below it. You're basically living in the penthouse apartment, but you have no idea what the I-beams are that are supporting you.
C
All right, I throw this to Deneen. Do you agree with essentially what was suggested here by Sean Waterman as essentially it's the code it's producing and the lazy or the inexperienced people having hands on it?
B
Yeah, I mean, I definitely think there's a risk to that, but I definitely agree with Andy that the focus is not just on securing AI itself, but managing the downstream risks of those outputs. Right. That requires a shift in mindset. And it's like you said, that abstraction layer, not viewing AI as a black box, but treating it as that system whose outputs need rigor, testing, governance, all that kind of stuff. Right. It's been around for a while. GenAI is newer. It's still code, right? It's still code. And we still have to do the same things that we do now that we've done all before, right? But we do have to look at the outputs, and that systemic digital risk is really important, specifically with AI.
C
Before I go any further, I do want to mention our fantastic sponsor, and that is Entro Security. So here's a stat that might surprise you. 62% of all secrets are duplicated and stored in multiple locations without most organizations even knowing. Now this duplication creates an even bigger attack surface, leaving you vulnerable to leaks, breaches and unauthorized access. When it comes to protecting non-human identities and secrets, knowing where your sensitive data is stored is half the battle. We know this. You can't protect anything that you don't know where it is. This is the classic assessment of what you have. So that's why Entro Security has developed powerful discovery and inventory capabilities. With just one click, Entro seamlessly integrates with all your systems, mapping historical context of every place where secrets can be stored or potentially exposed. We're talking about vaults, code repositories, and even collaboration tools. Entro Security's discovery and inventory tool identifies these overlaps and gives you complete visibility into where all your secrets live. With this level of insight, you can finally clean up, secure and control your data in a way that's never been easier or more efficient. Simplify your security with Entro Security and stay ahead of your non-human identities. Just go to their website. Simple as that.
A
It's time to play What's Worse.
C
It is time for What's Worse. I know you know how to play this game because you've played it before, Deneen.
B
I have.
C
All right, so just so you know, I make Andy answer first and then you can agree or disagree with me.
D
Then you get to agree with me.
C
You can agree or disagree with him, but I'm gonna set this.
D
David hates it when you agree with me.
C
Well, first of all, you get the first crack at it too. So if it's.
D
Oh, it's totally unfair. Like I get the first crack, I get to shape it. If these were perfectly balanced, I would already get a 50% agreement rate.
C
But it's hard to get a perfectly balanced one.
D
But it's hard to get. I've had like, I think we've had two in the last five years that I thought were like complete toss ups.
C
Well, they, they are tough. And the way Mike Johnson does it is he goes, when he gets one that's perfectly balanced, he doesn't know which one to go with. He goes, I'm just going to pick one and go with it. Like, I'm just going to pick it and argue it, and that's the direction I'm going. All right, so there's a business aspect to these two What's Worse scenarios, and there's a human aspect to it, too.
D
Oh, I like this already.
C
So I'm going to ask you to sort of answer in both ways, because there's. There's a big impact in both directions.
D
Oh. So I can pick each one for a different category. I love this.
C
Possibly. Possibly. But I'm interested. This is actually from Jay Dance of StubHub. He's the one who's actually submitted many great What's Worse scenarios.
D
Oh, yeah, he does fantastic ones.
C
So he submitted this. All right, situation number one, Andy. One of your employees has had a really tough time over the past few months that has worn down their mental health. They're so frazzled that their actions directly lead to allowing a threat actor to steal three months' worth of payroll from your business. Okay.
D
Okay.
C
Employee. It's just a mess. And now you've lost a significant amount of money or another bad situation for an individual.
D
And I just want to clarify that we directly believe that it's because of their mental exhaustion that this.
C
Something happened. Yeah. And they accept it to, like, I'm sorry, I just.
D
Just want to set the set. The.
C
They recognize it. They're a mess.
D
Yeah. I don't want Deneen to yell at me.
C
They're upset. All right. Now, one of your employees is sextorted. The sextortionist terrorizes your employee into installing the means on your business network for threat actors to then steal intellectual property. Now, it hasn't actually happened yet, but the means is there, and it can be done. All right, so in this situation, Andy, which one's worse?
D
Okay, so the human aspect. This is easy. The second one is worse.
C
Okay.
D
Straight up. No, I got no. No doubts about that one. Obviously, there's that. Let's talk about the effect on the company perspective. You know something? This one. This one's challenging. So I just want to talk about the manager problem here as well, because the first one that we talked about, that employee who was frazzled. We have a culture problem.
C
Right.
D
That nobody noticed and said, hey, let's do what we can for this employee. And here's a really important thing for managers. Don't go talk to HR at this point. Like, if you have somebody who's mentally worn down and just needs a little break, as a manager, you can basically pay them to not show up to work as long as you don't tell HR.
C
By the way, can you say that you mentioned a policy that you had that any employee is allowed to let another employee go?
D
Yeah, any employee can. Like we used to have this when I was at Akamai. Like anybody on my team could send anybody else home. They could just be like, you should not be in the building, either emotional or physical. Like, you're sneezing, get out of the building. Or you're crying, get out of the building. Unless you're crying to stay away from.
C
Somebody outside the building.
D
Obviously be sensitive to that problem. But we didn't do the right thing by employee number one. Let's just be very clear, this is a self-inflicted wound on our part that we put an employee in a spot. First of all, we had bad systems. I don't need to know what the breach is. But if a human who's frazzled can leave a breach open, that means our systems failed. Not the human. So why they failed is less interesting to me. The second problem is I've got somebody who's actively gone and installed stuff. Let's ignore why they did it for a moment. That's awful. I actually think that's even worse because now I have functionally a malicious insider. I mean, they're temporarily malicious. For those of you who want to think about this, go download the Microsoft Guidelines for Inclusive Design, which have nothing to do with security, everything to do with disability. But it talks about how some people are permanently disabled: I only have one arm. Versus temporarily disabled: I broke an arm and so I only have one arm. Or like my dad just had his shoulder replaced. Or situationally disabled: I'm carrying a child, so I only have one arm. You can think of adversaries the same way. A malicious insider might hate you, they might be frustrated with you, or they might be compromised by an outside person. They still have sort of the same powers. So I think I'm gonna go with the second one. The sextorted employee. Absolutely gonna be the worst one. Even though I suspect for many people who are within the security management, they're like, oh, I would prefer to have that situation because it gives me a very clear, like, I can feel righteous, 'cause we're gonna go after whoever this adversary is, 'cause they were an evil, awful person. It's sort of cleaner to manage, but it's a worse situation.
C
All right.
D
But it's not going to actually be clean. To manage. You just think it's going to be all right.
C
Deneen, what do you think is worse here?
B
So, like, I didn't want to agree with Andy, but I'm going to agree with Andy again. He gets just like, come on. I thought he was going in a different direction, but I do think the second scenario is a little bit worse. In the first scenario, even though a great culture problem, you have an employee that wasn't mentally there to be able to do their job, and that's an issue that you have to take care of. But if you lose money, you can get that back, right? You can. You can recover the financial loss, and we know how to do that. If you're talking about the second situation, there's a bunch of dimensions there, right? It's the. A person who is coerced that didn't feel that they could speak up. Potential malware on your system that could potentially evade your detection mechanisms. Whatever, your IP is potentially gone. Who knows if it. It is not harder to recover from that type of incident or even potential incident than the first scenario. So I definitely think the last one is the worst one.
C
And both in. And what Andy said in. Both in the human and the business aspect.
B
Yeah, yeah, I agree.
A
They're young, eager, and want in on cybersecurity.
C
Quote: What happens is they get the promise of great riches if you get a certification that costs 10 to $12,000, and then they get it and can't get a job. That comment came up on a cybersecurity subreddit post, pointing out people are often sold a trendy career in cybersecurity by social media influencers, only to be met with an aggressive job market and no real idea of what it means to work in the field. Now I want to just jump in. I had this exact conversation with somebody at our. We do a monthly meetup in San Diego, and a young man goes, oh, I'm thinking about doing this cybersecurity program. It's going to cost me $10,000. And we were all like, no, no, don't do it. You're. You're. You're being. You're being lured into something. And then we talked to him, and he said, oh, no, you can do this, this, and this, and there are other opportunities anyways. So let me go on and say this lack of proper expectations for getting a job in cybersecurity is the point of frustration. And we just were recording another episode about this. So, Deneen, I'll ask you, is there something specific about cybersecurity that seems to attract more, quote, clueless prospects, or does this just happen in any tech field? I mean, I think it's, if someone's an influencer and knowledgeable, you just kind of assume, well, they know what they're talking about, they have an audience, so why would they be wrong? Where do you think what's happening here? And by the way, do you agree with this premise I'm throwing out?
B
Well, I don't think this is unique to cybersecurity, but it happens in other tech fields as well too. But I think cybersecurity has unique characteristics that maybe amplify the issue. We have an ever-present dynamic threat landscape that really creates a sense of urgency and a perception of endless job demand. Right. Like there's whatever, the latest, greatest number of billions of cybersecurity jobs that are open, and then the complexity and specialization of some of the roles that we have also make it hard to understand what the actual job really entails. We've got, like you said, the certification ecosystem and marketing, with really aggressive marketing that is really saying that this is the pathway into a career. And many of the entry-level certifications, like Security+, for example, that everyone gets, suggest that anyone with determination. Right. Can get started. And while that's partially true, it really doesn't provide the depth needed for actual roles. Right. So I think the frustration is both on the job seeker side as well as the employer side.
C
Job seeker and employer. But I'm throwing in this third audience here, which is the ones providing the education and selling them the belief that if you spend 10 to 12k on this certification, you know, you have this very affluent job.
B
Right, right. And I, you know, while certifications are a good way to get an understanding of the basics and the concepts, really the practical experience is really what matters. Right. And we at United have started a program, it's called Innovate. And it's three or four pathways into cybersecurity and technology. So we provide a way for folks that are interested in cybersecurity, whether you're mid-career, maybe you're a flight attendant or a ramp agent, right, and you want to get into cybersecurity, you know the airline, but you can come in, we'll train you and we'll give you the experience to learn the different domains and skill sets for cybersecurity and maybe you can transition off into a role. We have the same for early-career students coming out of college as well too. So we're trying to make sure that the experiences and the pathways are there, because there's not a realistic expectation where you go and you spend $10,000 in three weeks or six weeks, whatever, in a boot camp, and then you're qualified to do what we need you to do to manage cybersecurity risk, to get the hands-on experience. So I really do think that the marketing, the, I'll say, the hype around cybersecurity, you see something happening every day, creates this Dr. and mystique and allure, and some of those companies feed off that. But we as leaders really have to change that narrative and start to provide, I'll say, pathways into the career and really start to hire on potential, provide the training and experiences to get qualified candidates.
C
All right, Andy, I know you have maybe one, possibly two opinions on this topic.
D
I have a lot of opinions. Several of them agree completely with Deneen's, so I'm not going to repeat those. But I like to think of a lot of security jobs as being insertion-level jobs, which is. It's not. Not an entry. But you need to have some set of skills already that we can now reuse. And so I love, especially when very large companies, United Airlines obviously is not a tiny company, you have the ability to say, look, we have a whole candidate pool that already works for us that we don't have to teach them our business. And in fact, they're going to bring business knowledge to us. There's things that a gate agent knows that I think Deneen wishes every one of her staff knew.
B
Right, exactly.
D
So like a gate agent coming on board, it's fantastic. You're like, great. How important is it that every channel for communication has the same departure time in it? Very important. Because your passengers get really confused when different numbers are there. A gate agent knows that intuitively, whereas somebody else coming off the street doesn't.
B
Exactly.
D
I want to point out this 10 to $12,000 number, which is not crazy in this industry, except that's Ivy League education number. Just to be very clear, these are people who are claiming to give you an Ivy League education in cybersecurity.
C
I'm sorry, Ivy League costs a lot more than 10 to 12k.
D
It does, but you're not done in six weeks. So they're basically saying, oh, we're going to give you six weeks of an Ivy League education. That's the pricing.
C
What? No, they're pricing it at ROI levels. Like we charge this because we think you're going to make more.
D
Right. But they failed to do that. And in fact, I recently saw some discussion in a forum about one of these that said that people who'd come to their program should list it on their resume as an internship.
C
Really?
D
That you were a cybersecurity intern, not going to this class. And I'm like, that just tells me how unethical some of these players are. Many of them are not. Just to be very clear, let's not throw this whole industry under the bus. A lot of folks have really positive. They're really trying to help and say, hey, let's give you some basics.
C
By the way, the educa. This is the one I want to separate. I think the education they're doing is solid because I haven't had arguments about the education, but it's more the selling of the education.
D
Well, there's the selling of the education, but I don't actually think the education is the right thing yet. I'm not saying that it's bad, but I'm saying that it's sort of an academic. Like, we're gonna teach you how to use these tools, how to do these things. But if you don't have that in the context of a specific job, what does pen testing matter? Like, everybody who's ever done a pen test or a vulnerability scan or whatever it is, the first time you do it in a production environment, then you try to hand the results to an engineer and say, fix all of this. It's eye opening. And so teaching somebody how to do one without the other, I'm not actually convinced that's a solid education.
A
Attention, CISOs. Your expert opinion is needed.
C
Is cyber insurance feasible for smaller businesses? Zia Mohammad and Jeremy Straub argued that while insurance is a piece of the risk management toolkit, the cost puts it out of reach for SMBs. The National Association of Insurance Commissioners saw cyber insurance premiums up 50% on the year in 2022. And that's the last year we have figures from them. So that issue is getting more acute. They suggest regulatory action could help in two ways. The most direct path could see the government subsidize insurance premiums for smaller businesses. But the other would be making it clearer what an insurance policy actually covers, with similar nutrition labels we've seen on everything from appliances to broadband service. So my question is, I'll start with you, Deneen. Is the cyber insurance market changing so quickly that SMBs don't have the resources to keep up with changes in policy requirements and coverage, even if they could afford it? So that's an interesting thing because it is changing very fast.
B
Yes. Yeah. I mean, every. Every year, right? Cyber insurance policies and reviews, applications get more and more complicated and they get more in depth. And I've heard some of my peers talk where it used to be 200 questions that they would answer. Now it's four days of eight-hour meetings, talking to and reviewing things.
C
Geez, really?
B
Yeah, yeah.
C
That makes, that's the 200 questionnaires. That's a walk in the park now. Right.
D
With underwriters from like seven different firms in the room. Like it's not you one on one, you have your broker who brought in the underwriters and you have to talk.
B
To all of them, all the towers. Yeah, yeah. So that's kind of the way we're going. And at a large company, people can handle that. At a small, medium-sized business, there's no way they can handle that. Right. And the expectations around, I'll say, hygiene to have. Yes. Okay, well, everybody needs MFA. Okay, everybody needs MFA, but there's no, like, small medium-sized business. There's not a hundred percent, you know, there's not 98 to 100 coverage of every single control. So I don't think, the way we have set it up, it's realistic that small medium-sized businesses are able to manage, afford, and then even if they do get cyber insurance, they're not insured to the level that they need to be. Large businesses are not insured to the level that they need to be. When you have a cybersecurity incident, the result of that incident is not just the disruption to your business or the valuation of the data. It is years and years of dealing with the output and fallout: litigation, external legal fees, orders from different regulatory agencies that you have to comply with. All those things that add up over time. So, long answer to your question, I just don't think the model is feasible for small medium-sized businesses at this point.
C
Let me throw this out to both of you, and I'll have you, Andy, start first. My argument with cyber insurance in general is, first of all, I don't understand how they price anything, because they don't have the decades of actuarial tables that other parts of the insurance industry have. And even if they did, cyber, and essentially the attack surface and the attackers, are changing so drastically. Like, literally, could you compare what happened three, four years ago with what's happening today?
D
Well, in fact, that's why the premiums went up so much in 2022: 2021 was the year in which there was a preference cascade in which companies said, oh, disclosing a breach isn't such a bad thing, I'll go tell my insurance carrier about it. Because so many people got hit with ransomware, everybody was filing claims for ransomware breaches, whereas in 2020 and before, people weren't really filing claims. Companies were basically self-insured, with this external insurance agency partially as a backstop. Partially, like, I had to tell Deneen that I had cyber insurance so that she would pay me money for other services. So I had to go get insurance even though I didn't use it, because it was just an expectation. Like, that's the large business world, and that's what drives that top-end number. But let's also pay attention to the low-end number here, which is that small and medium businesses are not going through this massive "oh, I gotta go talk to all the underwriters." And their cyber risk is not something insurance can really help them with. 'Cause what does insurance help you do? Right? It pays for some of your losses, pays for system recovery, notification, et cetera. But I remember a bunch of cases. There was one small medical practice that shut its doors: got hit with ransomware and, being down for three days, they were already basically living on break-even and they were debating closing anyway. Like, okay, at what point do we get out of this business? It sucks. Oh, I don't have any systems anymore. It's not worth the hassle to come back. That's the real resilience challenge: the lack of economic resilience in the small and medium business market to survive a multi-day cyber issue.
C
So, Deneen, I'll let you close this out. Do you think the fact that SMBs can't keep up is something they should actually be happy about, in a way?
B
Yeah. I mean, some of the burden and the kind of administrative minutiae that comes with it, right, they don't have to deal with that. I do think, though, that some of the benefits around just having an understanding of what that baseline is are important for everybody to get on board with. Right. If there's an expectation that we all have phishing-resistant MFA right now, because regular MFA is not going to cut it, or hasn't cut it for years, right, that should be kind of a good outcome of this whole discussion. Right. But I don't know that that's going to happen.
C
Well, that brings us to the very, very end of this episode. And I want to thank Deneen and Andy for helping on the show. I'm gonna let you, Deneen, have the very last word here. But I do want to thank our sponsor, and that'd be Entro Security. Remember, go to their website, entro.security, and look at what they're offering for their non-human identity and secrets security platform. Your non-human identities are growing at a much higher rate than your humans are. They actually multiply a lot faster. Even if we had a baby boom, it wouldn't grow at the rate that the non-human identities are growing. So that is happening in your environment. Go take a look at what they're doing at Entro Security. Andy, thank you as always. And Deneen, the question I always like to ask our guests is, if you are hiring, are you hiring at United?
B
Yeah, we're absolutely hiring in cybersecurity, digital technology, data analytics. You can check out our careers.united.com site, and there are listings for over 100 jobs right now, so definitely check it out.
C
Oh wow. Lots and lots of positions. Would it help if they contacted you via LinkedIn and said, "I heard you on the CISO Series"? Would it help at all whatsoever?
B
It depends.
C
Very, very good political answer there.
B
It depends.
D
Take a picture with the United logo behind you. You get better engagement that way.
B
Yes. Yeah, yeah, yeah, yeah, yeah, yeah.
C
The United logo with the CISO series logo together. There you go.
B
Hey, that could work. I like that.
C
Thank you again, Deneen. Thank you very much, Andy. And thank you, audience. We greatly appreciate your contributions. Send in more "What's Worse" scenarios and keep listening to the CISO Series Podcast.
A
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.
Date: February 4, 2025
Host(s): David Spark, Andy Ellis
Guest: Deneen DeFiore, VP CISO, United Airlines
Sponsor: Entro Security
This episode of the CISO Series Podcast centers on bridging gaps between CISOs and executive leadership on cyber risk, navigating the impact of generative AI and LLMs on development and security risk, ethical challenges in cybersecurity training and hiring, and the shifting landscape of cyber insurance. With first-hand experiences from Deneen DeFiore of United Airlines, the panel delivers practical insights for security leaders, discusses industry reports, and tackles tough "what’s worse" scenarios.
(04:05 – 10:09)
(10:09 – 13:16)
(14:50 – 21:20)
(21:25 – 28:51)
(28:51 – 34:43)
The conversation is candid, humorous, and packed with practical wisdom. Andy brings sharp skepticism and playful jabs, while Deneen is constructive, optimistic, and solution-oriented. David Spark keeps the discussion fast-paced and grounded in real-world stakes.
For more episodes and ways to participate: cisoseries.com