Host/Announcer
Best advice for a CISO. Go.
David Nolan
You definitely have to obsess over the business you serve. My advice is get out there, get your hands dirty, get on the front lines where revenue is actually made, and get to know what that success looks like. Talk to your executives and your business peers and help them achieve what their goals are, but do it in a secure way. The cool thing is, not only does that help you to translate your risk in their business terms, but it helps you identify potential impacts and those opportunities that your strategy on security may cause.
Host/Announcer
It's time to begin the CISO Series podcast.
David Spark
Welcome to the CISO Series podcast. My name is David Spark. I am the producer of said CISO Series, and joining me is my co-host, one of your favorites. It's Andy Ellis, the principal over at Duha. Andy, say hello to the nice audience. That one was in Hebrew. That one I picked up.
Andy Ellis
Excellent. David actually recognized the language for once.
David Spark
Well, I don't speak it. My wife speaks it. And I did recognize a handful of the words there. So there you go. We are available at CISOseries.com, where you can find all of our other wonderful programming and our sponsor for today's episode, a spectacular sponsor for years now and continuing to be a great sponsor of the CISO Series. That would be ThreatLocker. Allow what you need, block everything else by default, including ransomware and rogue code. We're going to be talking about that and a lot more a little bit later in the show. Thank you, ThreatLocker. But first, Andy, I'm bringing our guest in right now. Okay. So I'm going to announce it, but there's a reason I'm bringing him in. And this is to drive you crazy, just so you know. It'll drive you crazy.
Andy Ellis
Like, I'm already there. It's a short drive.
David Spark
He is, by the way, the former CISO over at Asurion, none other than David Nolan. David, welcome to the show.
David Nolan
Thank you. Glad to be here.
David Spark
All right, here's something David and I discovered just very recently.
Andy Ellis
That you're both named David.
David Nolan
Yes.
David Spark
That is one thing we do have in common. Yes. But that's not the thing I was going to bring up that would drive you nuts.
Andy Ellis
And you have five letter last names.
David Spark
Yes, that was the other thing that was gonna come up. But we are both massive pinball nerds.
Andy Ellis
Oh, no, no.
David Spark
I knew it. I knew it. Okay, let me give you an idea. First of all, one of the machines. We own the same machine. We both own a few machines, but we own the same machine. And he took a photo of his score, because he broke a billion points on Godzilla, which is a big deal.
Andy Ellis
Please tell me it was higher than your score.
David Spark
It was higher than my score, yeah.
David Nolan
Lifetime achievement.
Andy Ellis
Because you're gonna obsess over beating that now.
David Spark
My high on that is about 870 million. He broke a billion, which is a big deal on that machine. And he knew I would appreciate it, and I did. And I actually showed it to my wife and kids, who also know it's a big deal to break a billion on that machine.
Andy Ellis
Congratulations, David. Well done.
David Nolan
Life goals achieved right there, right behind my kid's birth.
David Spark
This is one of the things is I think I get more enjoyment out of a pinball achievement than any professional achievement.
Andy Ellis
That's okay. Just to be clear, like, everybody has their thing. Like, you make fun of people who like football. I'll make fun. I only make fun of pinball because it trolls you right back. I'm glad you have a thing that brings you that much joy.
David Spark
Well, like, for example, I finally placed in a tournament. I got third in a tournament, which was huge for me.
Andy Ellis
Wait, I just need to check just to be sure. How many people were in the tournament?
David Spark
24. I came in third.
Andy Ellis
Okay, that's still pretty good. My mother-in-law does this because she'll come in and she'll be like, oh, I took first place in my age group. Well, how many people were in your age group? One.
David Spark
Typically, I ran a foot race and I came in third in my age group. And there were five in my age group.
Andy Ellis
Yeah. I mean, that said, my mother-in-law is in her 70s and places in cross-country skiing races. So I don't care how few people there were in her age group. She showed up and she finished.
David Spark
Oh, she showed up and finished. Forget it. That's a win right there.
Andy Ellis
That's a win.
David Spark
But so here's the thing. On that pinball competition, I made a whopping $14.
Andy Ellis
But what'd it cost you to enter?
David Spark
There you go.
David Nolan
Hold on.
David Spark
Because I paid for myself, my wife and my two kids. All of us were totally into it and the cost to actually play each game. So we dropped about $50, but I won 14.
Andy Ellis
So $50. And four of you entered out of the 24 who were in. And you placed third. This story gets better and better. Who else was in this tournament?
David Spark
Well, other very good pinball players were in it.
Andy Ellis
It'll turn out I was playing in the pinball tournament.
David Spark
My oldest son, of the machines I own, I have four machines. He has a high score on three out of four of them. The darn Godzilla is the only one I'm holding onto right now.
David Nolan
Ah.
Andy Ellis
And the student surpasses the master.
David Spark
Yeah. Yeah. Well, he's really good. My oldest son's very good.
Andy Ellis
This is what we should all aim for, that when we're developing our teams, whether we have to grow them ourselves or get to hire them, that they should surpass us.
David Spark
That's. I am very happy that he's a great pinball player. It aggravates me, though, that I'm not better than him sometimes. Here's the thing. First of all, I had the high score on all four machines at one time. No longer.
Andy Ellis
That's what the reset button is for.
David Nolan
I feel like pinball's like darts and shuffleboard. You can't really apply it anywhere else if you're good. So I always hesitate to get good at it.
David Spark
But you don't ever play in tournaments, do you, David?
David Nolan
I generally haven't. I mean, just maybe at the local place, but.
David Spark
Yeah. Well, I mean, that's the thing. This was a kind of a local tournament. We have them all the time. No, I've done the really big ones, too. Those are pretty rough.
David Nolan
Yeah, we've got a national champion and many state champions in our local place, so it's tough.
Andy Ellis
It's challenging. Yeah. Yeah.
David Spark
All right, enough of the pinball talk. Let's get to the show.
Host/Announcer
How is the CISO role evolving?
David Spark
Quote, I'm not here to brief risk. I'm here to get a decision so we can move, end quote. That line from Jeff Hancock, CISO over at UniCast, is part of his argument that executive presence for security leaders isn't about polish or gravitas. It's about controlling three things in the room: the narrative, the tempo, and the decision itself. CISOs need to stop bringing problems and start bringing decision packages. Stay calm when everyone else panics. Lead with business impact, not security context. But is this framework about executive presence, or is it really about CISOs orchestrating decision making when they're accountable but often not empowered? So I'll start with you, Andy. When you walk into that room, what role are you playing? The advisor, the translator, the decision architect, or something else entirely? And does the calm, clarity, movement model work when you're dealing with executives who want certainty you just can't provide?
Andy Ellis
So I think you're playing all of those roles. There's not just, like one thing that you're doing, and it also depends on the circumstance. Right. You walk in, and as an advisor. The first thing that you're doing is you're making a decision about the direction you want this conversation to go. And that direction might be to say, let's stop worrying about this thing. Because you might have executives who are stressing about something they shouldn't, in which case this is actually about your executive presence, that you're controlling the narrative. You're not worried, you're calm. Here's why we've got this under control. Tone it down. Go worry about something else. Right? And maybe the way in which you do that is by letting them vent and stress and get that out of their system, and then task you with something. Even if what they tell you to do doesn't matter, you're like, great, I'll go take care of that. Get it off your plate. Go away. Other times, you're bringing in a problem or a problem that's already there, and you're trying to drive towards a decision. Now, a key piece of the narrative shaping that Jeff leaves out is you want to get to a point where there are no bad decisions you do not want to present. Here is a great choice, and here is an awful choice, because the awful choice might be what the company goes with. So what you want to do is provide two measured choices that are both ways of dealing with something. Maybe a big one, maybe a little one, but so that if the company says, look, we can't afford to go invest $5 million in solving this problem, that you didn't say, well, invest 5 million, or I'm going to go publish all of our secrets out in Times Square. Like, this cannot be the. Like I'm going to hold you hostage to this great decision. Maybe there is a great decision and the next one is just tolerable, but it's got to at least be tolerable. So you're sort of playing that decision architecture role. But they are trusting you. 
And an important thing is that they should trust that you'd never play Chicken Little. I had an executive who would always answer the phone when I called him. It did not matter what meeting he was in if I called. Even if he was in a customer meeting, I was the only person. He would recuse himself from a customer meeting, and he would say, I have to take this, because if I called him on his cell phone, it was always important and always urgent, and he always valued that conversation. That's really the most important thing, is that they know that you will never waste their time and their ability to make choices with silly arguments and silly choices.
David Spark
All right, that's very good. And by the way, that reminds me, if anyone is a good Connect 4 player, that to play that game well, you find two ways to win.
Andy Ellis
You have to. If you don't have two ways to win, then if you happen to win, it's because you were playing against somebody who doesn't know the rules of the game.
David Spark
Yes, but this also sounds a little bit, David, like what a magician does who makes you think you're picking the card you want, but you're forcing the card you're doing. Are you being a little bit of a magician here?
David Nolan
Yeah. I mean, you definitely are. I absolutely love what you said there, Andy, about basically making him have an out, if you will. The great versus awful idea. David, to your question, I think we've got to serve as a risk advisor, but it's a trusted risk advisor. And how you're going to establish trust is bring them realistic options. Right? Not the invest $10 billion or I'm going to the street type of thing or I told you so. So building that trust is a big part of it. And you got to bring it to them with the proper business context, not the classic fear, uncertainty and doubt. Something they're going to understand, something with mitigations and really something that you're going to bring. Say, hey, here's what I suggest, but here's the other alternatives that we've considered as part of that. The only thing that gives me pause in that is the word control. We can't control the decision. I mean, ultimately we have a risk if we approach it with that mindset of the old thou shalt and office of no and everything, but you can control the environment.
David Spark
Like what you were saying, Andy?
David Nolan
I'd say influence is the word I would use.
Andy Ellis
But you can shape the narrative and shape the conversation, but you can't control the players there. But you. You can manipulate them a little bit.
David Nolan
Yeah, yeah, for sure.
Andy Ellis
I once worked for a boss who would never accept any choices we brought to him. If we brought him two choices, he had to tamper with them. So I would just reverse engineer his tampering and bring him a choice near what I wanted him to do. And he would say, well, instead of that, how about if we do this? And I'm like, do we really have to? And inside I'm like, absolutely. That's what I wanted to do, but I couldn't tell you that.
David Nolan
Yeah, I think why I have a visceral reaction to that is some of the faux pas that some CISOs out there make is if they bring something and an executive has a higher risk tolerance and they don't follow that exactly, there's this, like, they get offended and get upset. Right. But the reality is we're a partner and we're going to work together to find what that right decision is.
Andy Ellis
Yeah. If you find somebody who has a higher risk tolerance than you do, you got to learn to run with it.
David Nolan
That's okay. I mean, risk is a business decision. At the end of the day, some companies are going to have a high risk tolerance, some aren't. Your job as a CISO and as a business leader ultimately is to figure that out and to meet those goals within that risk tolerance.
David Spark
Hold it. Have either of you worked at a business where they accepted a ton of risk and they really rolled the dice? Yes.
Andy Ellis
Yes. Yeah.
David Nolan
Of course.
Andy Ellis
If you work for a company that ends up with revenue over $1 billion, there was a lot of dice rolling involved to get there.
David Spark
Really?
Andy Ellis
Yes. So here's one of the perceptions that I run into a lot, which is people think that the riskiest executives are the ones that end up failing. And while some of them do, all of the ones who succeed rolled the dice a lot. Because if you didn't roll the dice, your competitors who did beat you 100%.
David Nolan
Yeah. And I think you've got to have the framework where you can fail quickly. Right. Like the companies that are taking risk are not doing transformational-level risk that is going to cost the company billions of dollars. It's A/B testing different marketing concepts, it's trying this new technology, et cetera. So it's not big bang risk, it's small risk that's tolerable. I think the last thing, David, that you asked was about executives that want certainty. I have encountered so many board meetings and executives say, like, can you tell me we won't get hacked? And as we know, that's super dangerous to promise things. So we gotta be really careful there and be transparent that there's no sure things. But immediately pivot that conversation to how we're managing that risk to give them that comfort. Right. To really enable that business goal that they're trying to do and achieve that right balance. But certainty, always a risk. I'm sure Andy would agree on that.
Andy Ellis
Absolutely.
Host/Announcer
What's broken about cybersecurity hiring?
David Spark
You aren't struggling to find entry-level candidates. You're struggling to find the mid-level candidates that are willing to take entry-level pay. That's how one Redditor responded to a hiring manager's frustration about trying to fill SOC analyst roles. The manager claimed most candidates lacked basic fundamentals: no Active Directory knowledge, no cloud platform experience, no scripting abilities. The two hires who worked out had gone beyond their degrees. They did capture the flag participation, GitHub projects, self-driven learning. But if someone graduates with a cybersecurity degree and a Sec+, what do they need to demonstrate to be, quote, SOC ready? Is it hands-on Active Directory management, or building a home lab with detection tools, or contributing to open source security projects? I mean, David, I'll start with you. When you're hiring for a junior SOC analyst, what's the minimum viable skill set that proves someone can operate, like, just on day one and come in? And whose job is it to build that bridge between graduation and being ready to enter the SOC? I would just say I run the San Diego cyber group and there are a ton of young people who've got tons of education. They're eager, eager for that first SOC job. What's your advice?
David Nolan
Yeah, so first off, we've joked about it here, the last time I was on, but posting an entry-level role with 10 years of AI experience, that's just, that's a thing that happens and it's the running joke. So assuming that we can squash that one, specifically for junior roles when I'm hiring, you've got to be a realistic hiring manager about it, right? We can't have tons and tons of experience expectations. What I'm looking for is someone who shows initiative, that can show us examples of that continual willingness to learn. That can be formal, that can be through different organizations. It could be home labs or things like that. But ultimately, and I'm sure not all leaders are this way, but I've got countless examples throughout my career where we've grown employees that come in as maybe a project manager or help desk or salespeople from security tools, but they show that right initiative and that willingness to learn and they really quickly can even come into a SOC role and be willing to kick butt. However, it's a really big ocean right now and there's a lot of, especially folks coming out of college, and you got to differentiate yourself. So how are you going to do that? I think that's the core of the question here that you're getting from your San Diego group. So lots of options there, minor cost or no cost. We always talked about home security labs as being a thing, but those are becoming cheaper with all of the AWS and Azure free instances you can do. We mentioned AI. You can start Open WebUI instances at home for fun, to play around with, contribute to open source projects, Hack The Box. I mean, overall, if you show initiative and you're willing to tinker, play, try and you can articulate that, I want that person in my camp and they're going to be ready for SOC activity.
David Spark
That's a great tip. What would you add to that, Andy? And again, what I'm looking for. And I'm going to echo this because tomorrow we're having our meetup in San Diego and there's going to be a bunch of young people. In fact, many of them are my volunteers. I love it. So what advice can I give them? As echoed by Andy Ellis.
Andy Ellis
Yeah. So first I want to start. There's a bunch of soapboxes here. I'm going to play some quick parkour. If you have a cybersecurity degree and a certification and you don't think you have the right skills, I hate to tell you, but you kind of got ripped off on your degree. I just got to say this. I know a lot of cybersecurity degrees out there that are not really worth the paper they're printed on. Fortunately, that's not unique. That's the case for many degrees. Second thing I'm going to tell you, if you're starting right now, there are no entry-level SOC positions. In four years they won't exist. There will only be mid-level SOC positions.
David Spark
Because those are all going to be eaten up by AI.
Andy Ellis
Right. Because what entry level actually means is an alert fires and there's a procedure I need you to go follow. That's all going to get replaced by AI, because the procedure gets followed by automation and it's kicking up to somebody to make a decision. You need context for that decision. So there's two soapboxes for you there. Yeah, a lot of people post entry level because they want to pay entry level even though they need somebody with a lot of skills. How do you go get those skills? The best way to get into security is to start in IT. And I know you're going to say there's no IT jobs left out there. You are almost all part of some community group, whether it's your church, your synagogue, your mosque, whether it's some nonprofit, whether it's a meetup group. Offer to do the IT support. Like our synagogue is deploying, you know, network, we're deploying cameras, access control, all of the things a small business has to do. And what's fascinating to me is all of the people who are working with it are all very senior professionals, long time in their career. We've got no junior people working on it. I'm trying to figure out, like, how do we pull in people?
David Spark
That's a great way to learn from the senior people.
Andy Ellis
To be like, you want to learn how to do identity management? Well, you got to do identity management for our access control system. And right now it's like me and a senior researcher out of Harvard who literally, like, we're the IT guys. That's wrong. And yet that's what we're doing. So go find those roles. Get practical, hands-on experience. Because once you're doing it, there's nobody doing security, so you can do it as well. Look, I'm a big fan of all the hands-on, like, go do CTFs, build your own home lab. But it's much easier if you're actually doing it in support of a business, in a mission. And there's a lot of folks who need the support and cannot pay because they're nonprofits. So you need the experience, you don't need the pay right now.
David Spark
Good advice.
David Nolan
So true. I think it's so easy too, to find a nonprofit that wants help. You just gotta find something you're passionate about. And generally they don't have the money to do it. I mean, we all say we want a job we could be passionate about. I started internships in high school, working it out, and it was all about passion and finding that right thing. And so again, it goes back to initiative, though. Like, if you're just waiting for that job to fall in your lap, you're never gonna get it.
Andy Ellis
Yeah. Or honestly, go do it for your parents. Like, I'm also the IT for my parents. And like, oh, cutting the cord and figuring out how to do TV tuning over the air, over the network. Like, that's interesting.
David Spark
Yeah. But there's no one gonna help you with that. The advantage of doing it at an organization where there are senior people currently doing it is you'll learn from them.
Andy Ellis
Right. They'll teach you. Well, you can learn a lot from the Internet. I will tell you the number of times I have turned to an AI and said, this isn't the piece of software I'm using. How do I install it? And it'll point me at very useful references.
David Nolan
So, Andy, in conclusion, support your mother's Azure instance.
Andy Ellis
Yes.
David Spark
Support your mother-in-law's. Because I've done this with my wife. My wife is tech support for my mom and I'm tech support for her mom. It makes everyone a lot happier. Before I go any further, let me tell you about our spectacular sponsor, ThreatLocker. And you may have heard me talk about this before, but they got some cool stuff to let you know about that you may not already know. So first, let's start with something you do know. CISOs don't lose sleep over the malware they see. They can handle that if they know where it is, right? They lose sleep over the things they trusted that they really shouldn't have. Because that's how modern breaches happen. Not through zero days, through everyday tools doing things no one realized they could do. And that's exactly the problem ThreatLocker eliminates. ThreatLocker enforces default deny at the point of execution, so if it's not approved, it doesn't run, period. Your attack surface collapses from everything on the endpoint to only what you say is allowed. And the real power: ThreatLocker controls how trusted tools behave. PowerShell can't start scraping credentials. Chrome can't start launching scripts. Your remote monitoring and management, RMM, can't suddenly turn into an attacker's remote access platform. CISOs, they say the same thing. Quote, this is the first time I've felt actual control instead of alert fatigue. So if you want to shut down entire categories of attacks, not just react to them, ThreatLocker built a resource hub just for security leaders. Start there. This is easy. This is really easy for you. Go to threatlocker.com/CISO. Remember, it's threatlocker.com/CISO. If you want fewer surprises, start there. And it's the easiest way to let them know that you heard about them through the CISO Series.
Host/Announcer
It's time to play What's Worse.
David Spark
All right, before we went on the air, David Nolan made it very clear that he wants to disagree with Andy.
Andy Ellis
So I'm really hoping this is a lopsided What's Worse with one easy one and one stupid one, so I can back David into a corner.
David Nolan
So afraid.
David Spark
Look, I see you could take the ball and run it with either one of these. Okay, that's good.
Andy Ellis
That means we have disagreement just for the sake of it.
David Spark
And they're very short, by the way, these two. This is very short.
Andy Ellis
Oh, two short ones.
David Spark
Okay. From Joseph Carson of Segura. Here we go. Here are your two scenarios.
Andy Ellis
Okay?
David Spark
You got thousands of stale accounts. That's one scenario. Or one very active account nobody recognizes, I think.
Andy Ellis
So I'm trying to figure out what nobody recognizes means, because that could be...
David Nolan
I think a service account that nobody knows, right?
Andy Ellis
It could be a service account that actually is a service account being used correctly as a service account, but we all forgot it existed. Or it could be it has been taken over by an adversary.
David Spark
Right. But also, these thousand stale accounts could just be stale accounts that nobody's touching.
David Nolan
Right?
Andy Ellis
Well, they're stale, so nobody's touching them.
David Spark
But this could be two benign things and it could be two horrible things.
Andy Ellis
It could be two horrible things. Oh, this is a fascinating one. Cause like, this is not clear.
David Spark
All right, David just literally rubbed his hands. He's excited to jump on.
Andy Ellis
I know. He's so excited because he's like, which way is Andy gonna go?
David Spark
Whatever one it is here.
Andy Ellis
I don't know. I don't know. Right. So I think there's three different ways I could look at this one. I'm gonna spend a little bit walking through it just to annoy the heck out of both Davids. So there's the: this is all benign, like stale accounts. Yeah. We should probably clear them.
David Spark
There literally could be zero to this, by the way. I think it's the first time where one of the options is this could be nothing across the board.
Andy Ellis
And the same thing for the service account. I'm going to call it the service account. The unrecognized account could just be a service account that is doing a whole bunch of stuff, really active. Because all of our automation is on a service account rather than on user accounts. Like, this is actually a good thing. So this is one possible set of scenarios. There's another one which is we've got some weird things going on. Not necessarily malice, but we need to do investigating. Do I want to be investigating on a thousand stale accounts? Who the heck knows? Or on this one hyperactive account that's doing a million things, all but one of which might be legitimate, but I got to go figure it out. Or this could be. I've got to go find an adversary. Where am I looking? Oh, look, the account. Nobody knows what it is that seems to be doing everything. Or these thousand accounts that we can't go through.
David Nolan
So did you make a choice?
Andy Ellis
No, I made a choice. Cause I haven't convinced myself. This is a good one.
David Spark
By the way, this is exactly what Mike Johnson does. He reiterates it. Although you are going through all the variances. This could be.
Andy Ellis
I'm going through the variants because I'm trying to decide. In each variant, I have a different one I would pick. Which makes this much harder. Because I'm trying to decide would I rather be able to focus all my efforts on one hard problem or do I want this? Oh, I've got a long tail. And I think I just answered that, which is, I actually don't want to deal with the long tail. I would rather have that one service account or unknown account. Because now I can focus my effort in one place. If I've got these thousands of stale accounts, I know I'm never going to be able to clean them all up because we're going to get distracted by something else. And that's not a problem I can wrap my brain around. So I'm going to go with the one active account that we have no idea is what I want. I don't want thousands of stale accounts.
David Nolan
All right, so, David, Andy, I'm gonna disagree with you here.
David Spark
Good.
Andy Ellis
What a surprise for people keeping score. This does not count as disagreement. Cause I flipped my answer at the last second. So now he agrees.
David Spark
Yes, it does. It totally counts as disagreement.
David Nolan
Yeah. 1,000. Stale. You said stale. Right. So I'm gonna do the old school approach and we're gonna take them in batches and just start turning them off.
Andy Ellis
Turn them all off. Unplug the network. One at a time.
David Nolan
Unplug the network. I think that very active account.
Andy Ellis
Yeah. All your backups will die in 91 days.
David Nolan
But they're stale. They're stale. I mean, this sounds like a hygiene thing to me.
Andy Ellis
But we did not define what stale meant. And I know a lot of things that use hasn't been active in 14 days as stale. So.
David Nolan
Yeah, that's fair. That's fair.
Andy Ellis
Any automation might just be broken.
David Nolan
This very active, unknown, crazy account just worries me because that screams malicious, so.
Andy Ellis
Oh, it totally does. But at least I only have to pay attention to one account. But it might be that it's an account shared by like 75 services and I gotta clean them up one at a time. And I'm in the same boat.
David Nolan
So, yeah, I just say I've done a million hygiene initiatives. We'll preview, we'll talk about it in a minute, I'm sure.
Andy Ellis
Yeah. Like neither one of these. So, Joseph, I hate you, by the way. You came up with this one. This is the best What's Worse in my, I don't know how many years I've been doing this.
David Spark
Really, this is the best What's Worse?
Andy Ellis
Really, this is the best one because it totally sucks.
David Spark
That is high praise for Joseph Carson.
Andy Ellis
Yes. Because I cannot disagree with David disagreeing with me. Like, he came in wanting to disagree, but I'm 50/50 on this one. I'm flipping a coin on which one I pick. They both suck. They're not awful. This isn't like career ending.
David Spark
It's a weird environment because they could both be a big nothing.
Andy Ellis
Right? They could be big nothing. They could both be disasters. Either one could get hit by the, like this hygiene problem of trying to clean up. Like, I can see how it hits both of them. Like this one. Actually, it's almost. It's just two different ways of looking at the same problem. And both of them suck.
David Nolan
Yeah.
Andy Ellis
So, Joseph, you're fired. I don't want any more What's Worses from you.
David Spark
So the winner here is Joseph.
David Nolan
Kudos.
David Spark
He wins.
Andy Ellis
You know something? I don't think I've ever said this, David. So I'm gonna exercise co-host privilege and say, Joseph, you just won a fleece.
David Spark
Whoa.
Andy Ellis
So reach out to David. David will send you a fleece.
David Spark
I'll get. You know what? I'll send him a code. I will do that. I will send Joseph Carson a code.
Andy Ellis
You absolutely deserve one for this. This is the best What's Worse yet.
David Spark
All right. Although I sent a fleece to... he hasn't sent me one in a while. The guy who used to send me. He uses a pseudonym. Who sent me all those creative ones a while ago.
Andy Ellis
Right. Yeah. We had that wave for a while. I'm glad he got one. But like Joseph, I think this is the first time Joseph has submitted one. Potentially.
David Spark
Yeah.
Andy Ellis
By the way, I don't recognize his name.
David Spark
So just so you know, he submitted like seven or eight of these. So we got more from Joseph coming up.
David Nolan
Oh, jeez.
Andy Ellis
Go delete the rest of them.
David Nolan
Do not envy you, Andy.
Andy Ellis
Man, now that David's going to save them all for me. Like, he's not even giving the mic.
David Spark
They're all loaded up.
Host/Announcer
Could this possibly work?
David Spark
Quote, best practices assume a level of maturity most organizations simply don't have and most likely will never get to. End quote. Ross Haleliuk of Venture in Security argues the security industry is too obsessed with idealized frameworks built for greenfield environments. But it's not reality for 99.9% of organizations. Instead, he says we should obsess over basic practices, the baseline everyone should implement and master before anything else. MFA is the perfect example. It's unsexy. Won't land you a keynote at a security conference, but it's what makes the difference. What are. And I'm going to start with you, David Nolan. What are the biggest best practice offenders? The ones everyone talks about but no one actually achieves. By the way, this is the classic. I'm just going to throw this out as a red herring for a second. My wife and I used to work together, and the number of articles I read about spouses working together, and one of the big pieces of advice is never bring the work home with you. That's impossible, impossible, impossible. So I want to know, these are the kinds of things I want. People say you can do it, but you don't. So as a CISO, is it hard to defend focusing on basics without looking like you're settling for mediocrity? David Nolan.
David Nolan
Yeah, thanks, Ross. I mean this. I definitely agree with this and I love this. I like using the term best approaches because it is impossible to hit perfection with a lot of these frameworks. Right. And especially for companies with lower budgets and maybe smaller companies, I think trying to achieve perfection without focusing on the basics is a recipe for disaster. And ultimately the approach is different for every company. We talked about risk tolerance. Everything like that is going to be different for every company. So it's a different approach. It doesn't have to be the exact same framework for everything. You have to obsess over the table stakes. We actually talked about this in a CISO roundtable a few weeks ago that I led. And it's not sexy. I mean, you talk about it, David, like it's. It's not the cool new tool and it's not the new logo and things like that, but the amount of companies that have been burned for not patching a legacy or an end of life server is most.
David Spark
Yeah.
David Nolan
And so we talk about some of the things that companies get wrong. You have to be continual on your patching. You have to be wholesome. You can't have these scotomas, these dark areas that you just say, oh, those are the systems we don't patch. Right. Or those are the production systems we're scared of touching. So Ross mentioned IAM hygiene, but it goes more than just the MFA and all the controls. We talked about cleanup. So is it worse? You've got potentially tens of thousands of stale accounts. You've got service accounts, you don't know what they are. You've got over-privileged accounts that you should be running BloodHound on. These are all, to me, almost all the hygiene basics and things. Especially as a CISO coming new into a company, you need to be finding all these skeletons, all these end of life, where's the end of life? And my favorite thing to do on that example, and I'm wondering if Andy has done this. Find all of your end of life and your legacy. And don't steal that budget. Get the budget for IT for them to go replace those and upgrade those. That is the best security budget you can spend, is reducing risk when it's not part of your budget.
Andy Ellis
Oh, absolutely. Yeah. I've gotten budget for IT and engineering teams before to go do work I needed them to do that they had been able to budget. Best thing to go do. I just want to disagree with Ross slightly. I mostly agree with him, but I will point out that he says MFA is unsexy and won't land you a keynote at a security conference. Seven years ago I keynoted RSA talking about how I've used MFA to put all of our intranet applications publicly on the Internet, not behind firewalls, no VPN. That was an RSA keynote only seven years ago. And a key piece of it was the MFA that we had put onto every device so that we had certificates and push off to get access to all of our stuff. So the answer is it can be sexy.
David Nolan
Andy, are you the godfather of MFA and Zero Trust?
Andy Ellis
No, I'm the godfather of ZTNA. ZTNA, Zero Trust. Like you've got some analyst whose name I don't need to mention running around claiming to be the father of Zero Trust. I will point out that, yeah, Zero Trust was innovated at Google is who you can actually point out for. Like, who really was the core for it. But we were the first people to market with Zero Trust. So yeah, and I built that internally for us. So here's actually the reality. When people talk about these frameworks, they're trying to create this perfect model of thinking about a problem rather than tackling parts of the problem. And until you have tackled enough of the problem that you can't just glance around and go, oh, I should fix that. Like, as long as there's good work to be done that you can just glance at and say, we should go do that now. You shouldn't be bothering with some perfect framework of how to categorize all the work you're doing. Go do the good work that's in front of you.
Host/Announcer
Do you trust this?
David Spark
LLM development has been the use case that's paying dividends for LLMs. But Keith Townsend, the CTO advisor, is skeptical if we're about to replace developers, saying, AI does not own outcomes, it does not bear responsibility when an assumption turns out to be wrong. It does not understand the difference between confidence and correctness, only how to simulate both convincingly. AI can argue its case fluently, citing plausible metrics and familiar frameworks. But the moment you ask it basic questions, that confidence outpaced the evidence. Not because it was lying, but because it was presenting claims with no accountable owner. For him, until AI closes that gap, it's an accelerator, not a replacement. So, Andy, how should security leaders manage AI generated code? How do you build a governance model for code that arrives with confidence but no owner?
Andy Ellis
Okay, before I even answer that question, I would just like to posit that this was set up to say AI does these things that developers don't do. And the things that AI does that apparently developers don't do is not own outcomes, not bear responsibility for assumptions being wrong, not understanding the difference between confidence and correctness, but can simulate them convincingly. That sounds like a developer to me. No offense. I've known a lot of developers that that describes very, very accurately. I actually do agree that AI is not about to replace developers. What AI is doing is turning everybody into. Are giving everybody the capability to be a very basic developer. Let's go vibe code an app to solve a problem that a developer would never try to solve for you so you can get something done more quickly. It's really democratizing doing systems integration. I actually think of it not necessarily as development, but more. I used to think of it as shell coding. Those of us who would sit down and we didn't really write software, but we could take a shell and we could write a bunch of calls out to different pieces of software and different applications and it would get something different done. That was a hard skill. That now is a. That's what vibe coding is. Like somebody walks down and says, oh, hey, make a call to here, a call to there. Put these two pieces of data together. Like, AI is absolutely knocking that out of the park. That is not replacing Salesforce. Right? You're not going to vibe code Salesforce tomorrow, but you can totally vibe code almost every shell script that I have written in my career in a weekend, if you wanted to. Like, I'm totally not that great of a developer. I'm not replaced by AI. But AI means all of the people who aren't developers at all get access to that. So I just want to start with that, that we're going to get a lot more integration code than we've ever had before, and it will mostly be written by AI.
So I think as a security leader, that's what you have to recognize is that the person behind the AI has never had to manage code before, and now they're a software development manager who's got an AI that wrote the code, but they themselves do not know what software development management looks like. And this is basically going to be the exact same problem we had when we went to cloud. And you're all going to be like, in what way? Or is it just connecting two dots? And when we went to cloud, what happened was all of the application owners who had never been IT managers for their own applications, they just got to throw them into a data center and they inherited all of this IT infrastructure to support them, security, networking, backups, you name it. Now they were able to write their application, throw it into the cloud, and there was nobody doing IT support for them and they had to learn how to do it despite never having done it before. That's the exact same challenge we're going to have with AI written code is the people who are writing the code are not professional software development managers. It's not that they're not professional software developers.
David Spark
All right, David, your take.
David Nolan
Well said. Andy, you've got a decent amount of experience in this space. I think what you said about everybody is now a basic developer. Absolutely love that because I've definitely seen that being the case where it increases the speed to MVP. So it has the classic. Back in the day we wanted IT or the development or product teams to build this new thing for me and I didn't have enough time or it wasn't prioritized. This at least allows non-development teams to prototype and prove a concept before they then have to scale it, et cetera. And then my vote is you have to put a point where, to your point, they prove something out and then it gets prioritized and traditionally scaled, developed, et cetera.
Andy Ellis
Right. And somebody else takes it over.
David Nolan
We hope somebody else takes it over.
Andy Ellis
But the history of engineering organizations is that engineers never want to take over what somebody else wrote.
David Nolan
Exactly. I don't think it's going to replace the developers right away. I've seen some cases where companies try to do that, but it's definitely an accelerator of the. I did 10 plus years of development back in the day and I use it right now. And it definitely accelerates the basic work I do as well. I think the interesting thing is people hear AI and they automatically think it's special. But when you ask how are security leaders supposed to think about AI generated code? There's a lot of basic controls that should be applied whether it's AI or human generated. Right. So like AI generated code could have the same weaknesses as human code. So the middle ground may be the same CI/CD pipeline as human generated code. It should have code scanning, secret detection, software composition analysis. Like all this stuff that we should have anyhow. But we do, and I love your point, Andy, need to consider where it's different. So if you're considering fully agentic development, we should consider human in the loop if it makes sense, when those risks necessitate it. AI generated meta tagging may be a thing. So if someone's going back and looking at code later, they know who has the accountability for it. Or AI had the accountability for it. Or tie it back to the product.
Andy Ellis
Yeah.
David Nolan
If a product owner is going to be using AI, make them be accountable for that code regardless of whether it's AI or not. The thing that I find interesting though in the AppSec or the product sec world is SBOM analysis and SCA and all that stuff becomes very important because we don't know where this code is being taken from or where it's being motivated and inspired from. So that can be very important. But at the end of the day, the company's got to decide what their risk tolerance is. Some companies may choose to ban AI code from specific databases and specific intellectual property, or some companies may open it wide open because they see the business value in it. But I think only the last thing to think about, and Mike Johnson and I talked about this last time on the show, is if it's code. The cool thing about it is you can also do security as code. So we can do quality, risk, compliance, all that. You can use AI against AI, so why not have a trained AI security bot that's going to check all the AI work and use it against itself? Right. There's a lot of potential value here.
David Spark
Excellent. Well, great advice both of you. Excellent job during the what's worse, and kudos to all these sort of unwitting contributions for our show.
Andy Ellis
And the one witting contribution that was also very good.
David Spark
Yes, and one witting contribution. Huge thanks to our sponsor. That'd be ThreatLocker. Remember, allow what you need, block everything else by default, including ransomware and rogue code. Go check them out at threatlocker.com/CISO. Do me a favor, that's the simplest, easiest way to let them know you heard about them from the CISO Series. You don't have to do anything more. You go to threatlocker.com/CISO, they know you heard about them from us, and they're awesome, and so go check them out. David Nolan, any last thoughts? Great job on today's show.
David Nolan
This is always fun. Andy, I appreciate the banter, and let's do more of these fun What's Worses.
Andy Ellis
Absolutely. And everybody, don't forget to file your taxes tomorrow.
David Spark
File your taxes tomorrow if you haven't already done it.
Andy Ellis
If you're an American. If you're outside, I don't know what your date is. Good luck with that.
David Spark
Do whatever. Thank you everybody. We greatly appreciate your contributions and for listening to the CISO Series podcast.
Host/Announcer
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Date: April 14, 2026
Hosts: David Spark, Andy Ellis
Guest: David Nolan (former CISO, Asurion)
This episode spotlights security leadership’s everyday realities: the gap between theoretical security frameworks and what organizations actually achieve, the evolution of the CISO role, the practicalities of cybersecurity hiring, and the latest dynamics in AI-driven development. More than just policy and process, the show brims with practical advice, candid debates, and witty banter, giving listeners authentic insights from seasoned CISOs.
(Starts ~06:05)
Notable Moment:
Andy Ellis [09:27]:
“They should trust you’d never play Chicken Little … he would always answer the phone when I called … because if I called him on his cell phone, it was always important and always urgent, and he always valued that conversation.”
David Nolan [10:53]:
“We can't control the decision ... but you can control the environment. Influence is the word I would use, but you can shape the narrative and shape the conversation.”
Organizations differ widely in risk appetite—CISOs need to appropriately calibrate.
Successful companies, especially large ones, often got ahead by taking plenty of calculated risks, failing quickly, and recovering.
David Nolan [12:41]:
“You have to have the framework where you can fail quickly ... It's not big bang risk, it's small risk that's tolerable.”
When executives ask for certainty (“Can you tell me we won’t get hacked?”), CISOs must candidly explain the impossibility of total guarantees while demonstrating measured, risk-driven security plans.
(Starts ~13:34)
The Complaint: The real hiring problem is a shortage of mid-level talent, not entry-level—the industry wants experienced candidates at starter salaries.
David Nolan [14:56]:
“Hosting an entry level role with 10 years of AI experience … that's a thing that happens and it's the running joke.”
Initiative matters most. Demonstrated continual learning (home labs, open source contributions, CTFs) outweighs formal credentials.
Entry-level SOC roles may be vanishing—automation and AI will eradicate tier-one jobs; soon only “mid-level” roles will exist.
Andy Ellis [17:24]:
“What entry level actually means is, an alert fires and there’s a procedure to follow. That’s all going to get replaced by AI … you need context for that decision.”
Best advice: get hands-on experience via nonprofit volunteering or small business IT support—learn by doing, not just by formal education.
Andy Ellis [18:32]:
“Go find those roles. Get practical, hands-on experience. Because once you’re doing it … you can do it as well.”
(Game starts ~22:27)
Scenario 1: Thousands of stale accounts.
Scenario 2: One very active account that nobody recognizes.
Andy Ellis [25:17]:
After much deliberation, initially leans toward focusing on one unknown active account (“I would rather have that one service account … focus my effort in one place”), seeing it as more manageable compared to countless stale accounts.
David Nolan [26:15]:
Disagrees: “1,000 stale … I’m going to take the old school approach and turn them off in batches.” He worries more about an active, mysterious account, which “just worries me because it screams malicious.”
Host verdict: The best “What’s Worse?” scenario yet—both are potentially benign or disastrous, sparking genuine debate.
(Starts ~29:17)
Ross Haleliuk argues security leadership is distracted by idealized frameworks but fails at implementing basic measures.
David Nolan [30:49]:
“Best practice assumes a level of maturity most organizations will never get to … you have to obsess over the table stakes.”
Patching, identity hygiene, and legacy remediation remain pervasive issues—real risk rarely comes from cutting-edge threats but from overlooked basics.
Getting IT budget for reducing technical debt (legacy/unsupported systems) is “the best security budget you can spend,” freeing up risk reduction without direct security cost.
Andy Ellis [33:29]:
“When people talk about frameworks, they’re trying to create a perfect model rather than tackling parts of the problem. Until you have tackled enough that you can’t just glance around and go, ‘oh, I should fix that,’ you shouldn’t be bothering with some perfect framework.”
(Starts ~34:27)
Despite their eloquence, LLMs/AIs lack true accountability—“AI does not own outcomes … only how to simulate confidence.”
AI is more an “accelerator” than a replacement for developers, democratizing basic coding/integration skills.
Andy Ellis [35:28]:
“The person behind the AI has never had to manage code before, and now they're a software development manager who's got an AI that wrote the code, but they themselves do not know what software development management looks like.”
This mirrors the cloud revolution—new responsibilities land on users without traditional training or oversight.
Maintain solid SDLC, code scanning, secret detection, and provenance for AI-generated code—don’t invent “special” rules for AI output alone, but tag and govern its use.
David Nolan [40:21]:
“There’s a lot of basic controls that should be applied whether it’s AI or human generated … but we do need to consider where it's different. AI-generated meta-tagging may be a thing … tie it back to the product—make the product owner accountable for that code regardless of whether it’s AI or not.”
Use AI not just to create, but to check and secure: “why not have a trained AI security bot that's going to check all the AI work and use it against itself?” (David Nolan, [41:25])
David Nolan [02:12]:
“Life goals achieved right there, right behind my kid’s birth.” (On his high pinball score)
Andy Ellis [08:31]:
“You want to get to a point where there are no bad decisions … because the awful choice might be what the company goes with.”
David Nolan [11:29]:
“The reality is we're a partner and we're going to work together to find what that right decision is.”
Andy Ellis [33:29]:
“The answer is: it can be sexy.” (On making MFA the centerpiece of a security keynote.)
Listen to the full episode for deeper context and more insights directly from security’s front lines.