Michelle Wilson (2:35)

Okay.

David Spark (2:35)

What's the risk?

David Spark (2:40)

The key to building a company culture that can handle risk effectively is daily practice, not annual slides, argued Maman Ibrahim and Gabriel Schneider in a CSO online piece. An effective risk culture should be based around four questions. Do people notice risk early? Do they name it clearly? Do they know who can decide? Do they act without fear? The key is that the conversation about risk is commonplace, even when risk signals are weak. I'm going to Start with you, Michelle, on this one. How do you have conversations about risk with your team? And more importantly, how do they bring it up with you?

Michelle Wilson (3:21)

I'm actually talking about risk almost all the time with my team. There's very rare occasions that I have a conversation with anyone that I work with that risk doesn't come into play. So I'd say that they're tired of hearing me talk about risk, but they definitely know that it's one of the things I'm most interested in. They do tend to bring it to me.

David Spark (3:41)

How do they bring it to you? Like, give me an example of something you would get.

Michelle Wilson (3:44)

Last week, I got one. We had a developer that noticed that they didn't follow some certain process and wanted to make sure we had it on our risk register, and we're tracking it, too.

David Spark (3:53)

All right, that's a good way of putting it. All right, Rob, you deal with risk. Threat Locker deals with risk. How do you discuss it with your team, and how do they bring it up with you?

Rob Allen (4:06)

I'd like to say we reduce risk. It's one of the things that as a platform, as a product, as a company, we help organizations do. I mean, I just want to say, first of all, that I reject the premise of this question. The fact that there's. I mean, it mentions four questions. There's actually six questions here. I'm not entirely sure which one I should answer.

David Spark (4:23)

The ways they bring up risk, like noticing it, naming it, who decides about it, can you act on it?

Rob Allen (4:31)

I'm just being difficult, Dave.

David Spark (4:32)

Oh, I know. That's what you do.

Michelle Wilson (4:35)

Yeah.

Rob Allen (4:35)

I mean, open, clear communication is extremely important.

David Spark (4:39)

But risk conversations is different than having conversations about security. And so. Well, I mean, yes, they go hand in hand, but the question is, how is that conversation happening in your environment?

Rob Allen (4:53)

We're human beings. We talk. Somebody sees something, recognizes something, realizes something, discovers something. We're human beings, we communicate, and it's open. Clear communication is key to having.

David Spark (5:09)

And is there, like, a risk register? Are you managing it? You're looking at things, Things that need to be taken off the register. I mean, like, how's that going back and forth?

Rob Allen (5:17)

Yeah, I mean, we do roundtables quite regularly, basically. And you would be surprised at some of the conclusions that are come when we have these.

David Spark (5:25)

Let's give an example.

Rob Allen (5:28)

So one of the things that we're extremely conscious about is insider threat, insider risk. If someone was to go rogue, what could they do? And I won't get into specifics, but we had a enlightening risk Roundtable recently where it became apparent that someone with the appropriate levels of access within the environment, and there's not many of them, but there are some of them, but somebody with the appropriate level of access could cause a tremendous amount of damage and a tremendous amount of downtime. Now, when that was discussed, when we thought through it, then we realized it was a fairly simple solution to it and it was again to even more reduce the things that people were able to do. But it's an example of where something was thought of, discussed and dealt with in a pretty systematic way. Yeah, absolutely, absolutely.

David Spark (6:23)

Michelle, close this out. What is there a systematic process beyond like what you described with the Register?

Michelle Wilson (6:30)

So monthly meetings to discuss any new risks in the environment. We get risks sent to us from the teams throughout the month. We don't wait for a meeting to discuss those and evaluate those, put them in our register, track them until they're gone, or until they're gone enough.

David Spark (6:49)

Do you trust this LLM?

David Spark (6:55)

Openclaw is a locally run AI agent that acts as a proactive personal assistant. That sounds like something I could use. But wait, to get its benefit, it must be running on your primary computer, which gives OpenClaw access to your shell email files, calendar and browser. Guess what? Many people did that. Have people gone mad? Questioned Casio Goldschmidt of Reflex Security. That data is now everywhere. The story gets worse with the introduction of another tool called Multbook, a social network for AI bots which began prompt injecting their AI buddies to steal API keys and to rewrite identity. So autonomous systems with access to personal data are talking to other autonomous systems with personal data and it's doing it at machine speed. Rob, I'm going to start with you. Is there a way to rein this in so we get value and not have a privacy and identity nightmare, which is what it looks like.

Rob Allen (8:00)

This specifically, probably not fun fact or story? Very good friend of mine, actually my best man from back home called me about two weeks ago and he said, look, I want you to set up or help me with setting up openclaw. And I flat out refused. I said, are you absolutely insane? I am not going to be responsible for doing something that means your crypto accounts get wiped out, your bank account gets emptied, everything gets stolen. And we have had a lot of customers of ours panicking about this. They want to know, where is OpenClaw running in our environment? And it's actually a really simple thing because default deny takes care of it. So it's not running unless you explicitly allow it to Run. And the same applies to other agentic AI tools. But the bigger thing that's approaching us, and all of us, I believe, is organizations are going to want to run agentic AI, but they're going to want to run it safely. And that's a much bigger question. I mean, as I said, default denied takes care of open flaw. It's not going to run unless you allow it to run. The bigger question is when everybody from the md, the CEO downwards wants to run a Gentek AI, it is unbelievably important that they be set up in such a way that they can be run safely.

David Spark (9:24)

All right, I throw this to you, Michelle. I mean, this seems like the cat's out of the bag. I mean, it's gone haywire for that matter. But let's divorce all the privacy and security issues. It does sound darn cool. But wow, it is a nightmare, isn't it?

Michelle Wilson (9:41)

It really is. It's not. Just again, you've got default Deny for your corporate environment, that's wonderful. But if you're talking to any other human, they're using it on their personal environment, right? And that still makes them a target and makes them susceptible to having their, their information taken and used outside of your environment.

David Spark (10:02)

So this, actually, this was a discussion that we brought up on another one of our shows about like, how do you make agentic AI run in a, in a safe way? And there's an eagerness for this and there's a fear for this all at the same time. And I know you're probably getting plenty of pressure.

Rob Allen (10:20)

Yes, it's by a considerable distance. The most common question that I've been asked, not only from customers, big customers, small customers, prospects, massive organizations, everybody has this in their mind. We're going to need to allow these things to run. How do we allow them to run safely? And phenomenal thing from our perspective is we already have the technology, we have the concept of ring fencing, which is allow this thing run but don't let it access my files. Don't let it reach out in the Internet. So there is a solution, a ready made solution there already. Now we're going to need to tweak it, adjust it somewhat to match the behavior of these tools. But as I said, there is a solution there right now it's called ring fencing. Don't let it access data you don't want it to access. Don't let it call things you don't want to let it call. And don't let it go places you don't want to let it go. And that effectively solves this problem. It means you're not depending on decisions, you're not trying to figure out if Claude Code is going rogue, you're just placing guardrails around it.

David Spark (11:28)

Right. But, but also there's certain actions it's going to need to take. So if you do allow it, you're going to need kind of some other level. And by the way, one of the things that's that we found from our community, two things came up is, quote, guardrails, which is a vague term, and ring fencing is a version of that. But another one was how quickly and easily can I reverse the situation as well? Some things you can't quickly and easily reverse. First of all, have, have you tried any agentic efforts in your environment?

Michelle Wilson (12:02)

We have some pilots going at this point.

David Spark (12:04)

And what have you discovered?

Michelle Wilson (12:06)

We had to build a kill switch to be able to turn it off if it was doing something that we didn't want in the environment. So that's part of our incident response plan now.

David Spark (12:16)

And did it behave well? Did you have to hit the kill switch?

Michelle Wilson (12:21)

It actually behaved fine. We just wanted to make sure we had that ready.

David Spark (12:25)

Right. Understandably.

David Spark (12:29)

Who's our sponsor this week?

David Spark (12:34)

Surprise. Our sponsor is throughout. You all know them, but let me tell you a little about them. If you don't know all this. CISOs don't lose sleep over the malware they see. They lose sleep over the things they trusted that they shouldn't have. Because that's how modern breaches happen. Not through zero days, through everyday tools, doing things no one realized they could do. And that's exactly the problem. ThreatLocker eliminates threat locker, enforces default Deny, as was just mentioned at the point of execution, if it's not approved, it doesn't run, period. Your attack surface collapses from everything on the endpoint, end quote, to only what you say is allowed. And the real power, Threat Locker controls how trusted tools behave. PowerShell can't start scraping credentials, Chrome can't start launching scripts, and your remote monitoring and management or RMM can't stop suddenly turn into an attacker's remote access platform. CISO say the same thing. Quote this is the first time I felt actual control instead of alert fatigue. If you want to shut down entire categories of attacks, not react to them, threatlocker built a resource hub just for security leaders like our audience Tonight, go to threatlocker.com CISO Add that CISO threatlocker.com CISO if you want fewer surprises, start there.

David Spark (14:03)

It's time to play what's worse.

David Spark (14:10)

All right, this is how this game is played. We've been playing it since the very beginning of the CISO series. I'm going to give you two horrible scenarios. I'm going to make Michelle answer. First, you have to determine from a risk management perspective which one is worse. All right. I pulled up an audible. I had one set up, but I said, you know what? That's not the one I want to do. I want to do this one. So this one comes from Jared Mendenhall, who is the CISO over at Armature Systems. And here are your two scenarios. Michelle, remember, you're up first. Scenario number one, your company is in the middle of a crisis where a phishing attack caused a massive breach due to user error. Your next phishing campaign is accidentally triggered sending similar looking phishing messages to the community, causing a company wide panic. Not good. Scenario number two, and by the way, audience, be prepared. I'm going to look for your vote as well. Here it's open enrollment time for hr. You send a phishing campaign telling users that their benefits have been canceled. You do not notify HR beforehand and HR is flooded with angry messages. HR and all the departments hate you. Security, it's questionable if they will ever regain trust. All right, Michelle. Or if you will ever regain trust. The security department. Which one is worse?

Michelle Wilson (15:40)

Okay, so my options are note the

David Spark (15:43)

first case, you were actually in a breach, Right?

Michelle Wilson (15:46)

You're in a breach in the breach, and then accident send out a phishing campaign. Second option is we phish too close to open enrollment and upset hr.

David Spark (15:58)

Yes. And you cause a company wide panic too.

Michelle Wilson (16:00)

Okay.

David Spark (16:01)

Actually cause a company wide panic in both scenarios too, for that matter.

Michelle Wilson (16:04)

That's fair.

David Spark (16:05)

And also you have this lasting hatred of.

Michelle Wilson (16:08)

Of hr.

David Spark (16:09)

Well, lasting hatred of pretty much the entire company, not just hr. Okay, but hr, probably. It's the king of the mountain.

Michelle Wilson (16:17)

Well, in both scenarios, I'm hated. So we're gonna go with the breach scenario being the worst case.

David Spark (16:23)

The worst?

Michelle Wilson (16:24)

Yes.

David Spark (16:24)

Because you're actually in a breach.

Michelle Wilson (16:25)

I'm in a breach. It's much worse than just being hated.

David Spark (16:28)

The lasting pain of this. Of second scenario. That's better.

Michelle Wilson (16:33)

I can rewin trust.

David Spark (16:36)

No, no, no. It's questionable.

Michelle Wilson (16:38)

It's forever.

David Spark (16:38)

Yeah, this is gonna be forever. You can't rewrite the scenario.

Michelle Wilson (16:41)

I'd still rather not have the breach.

David Spark (16:42)

Well, I know it's bad, but I don't know if. So you could. You'd rather be continuously hated.

Michelle Wilson (16:47)

Absolutely.

David Spark (16:48)

Than have a breach?

Michelle Wilson (16:49)

Absolutely.

David Spark (16:49)

Okay, that's Good. All right, let's hear it, Rob. Same thing here.

Rob Allen (16:53)

Can I just say, first of all, this isn't on my piece of paper, right?

David Spark (16:56)

No, it's not supposed to be.

Rob Allen (16:57)

My least favorite thing about this particular game is that I actually have to listen to David for a good 40 seconds. I have to concentrate, focus, listen to him explaining these scenarios.

David Spark (17:09)

Rob has been a very frequent guest on our shows, and we love having Rob on the show. You love Rob, right? That was the weakest applause I've ever heard for you, Rob. Excuse me.

Rob Allen (17:22)

It was more than you got when you came out on the stage.

David Spark (17:24)

How dare you. All right. Rob has a gentle, fun way of chronically abusing me when we're off microphone. And he's doing it now live for your enjoyment right now.

Rob Allen (17:36)

I'm not. I'm just saying I resent the fact that I have to pay attention to you.

David Spark (17:40)

Yes. There are certain things, like in most games, you don't know the questions beforehand.

Rob Allen (17:45)

I mean, it's pretty obvious. The one where you're actually breached is worse.

David Spark (17:51)

Well, but hold on. That is bad. But like I asked Michelle, you're okay with being universally hated, and this is going to essentially. Really.

Rob Allen (17:59)

No, no, you weren't universally hated. You were hated by hr. I think if you.

David Spark (18:03)

In the second scenario, you're going to be universally hated.

Rob Allen (18:05)

I thought you were hated by hr. Okay, I have a tangent.

David Spark (18:09)

HR and all the departments hate you.

Rob Allen (18:12)

Oh, and all security.

David Spark (18:14)

You may never have a security culture again.

Rob Allen (18:16)

Yeah, I'd still rather not be breached, thank you very much.

David Spark (18:18)

Okay, you don't want to be breached. I'm throwing this to the audience. Scenario number one, you're breached. You accidentally send a phishing to. Campaigns cause panic, but they do not hate you. But second scenario, open enrollment. A really nasty fish. Everyone hates you by applause. How many Think again. It's. You're choosing the worst. How many people think the first scenario is worse? What they chose by applause. Don't raise your hand. Okay, all right. A lot of. A lot for that. All right. All right. By the way, by applause, how many people do not want to be universally hated and do not want their security culture ruined forever? Which one thinks that's worse? All right. A smattering. A smattering, if you will.

Rob Allen (19:00)

David.

David Spark (19:00)

Yes.

Rob Allen (19:01)

I think what they're saying is we were right and you were wrong.

David Spark (19:04)

I'm not saying wrong. It's a game. You have to choose which side you want.

Rob Allen (19:08)

And we chose correctly.

David Spark (19:13)

It's time to play fantasy ciso.

David Spark (19:19)

All right, let Me explain how this is going to work. This is a new game we've been playing. In this game, each of you are going to choose your team of controls. Now, once a control is chosen, like picking a player on any kind of team in a fantasy sport, it's no longer available to the other player. Once you each have your roster, we're going to review and then we're going to give you a random attack. And it's up to each of you to argue why your environment of controls is better situated to hit that random attack that you were hit with. All right, Michelle, you are up first. There are eight controls there. Pick one of the controls that will be the first member of your team.

Michelle Wilson (19:57)

I'll take Access Control Management.

David Spark (20:00)

Access Control Management will be the first one for Michelle. All right, now we have seven left. Rob, what do you want to choose?

Rob Allen (20:06)

I will go with network segmentation and micro segmentation.

David Spark (20:12)

All right, that's for Rob. You're back up, Michelle.

Michelle Wilson (20:16)

EDR please.

David Spark (20:18)

EDR for Michelle. Rob.

Rob Allen (20:21)

Data recovery capabilities first one Data recovery.

David Spark (20:26)

All right, what would you like?

Michelle Wilson (20:27)

Incident response management.

David Spark (20:29)

Incident response. Rob.

Rob Allen (20:33)

Application software security.

David Spark (20:36)

Okay, two left.

Michelle Wilson (20:39)

Well, we'll go with controlled use of admin Privilege.

David Spark (20:42)

Controlled use of admin. And Rob gets pen testing here. All right, don't hit the revealed attack yet. Let's review what we have here. Michelle, on your team you've got access control management, EDR incident response management and controlled use of privileges. And Rob, you've got network segmentation, data recovery capabilities and application software security. And you've got pen testing as well. All right, you're going to go first, Michelle. We're going to reveal the tac and you're going to explain why your team is better situated to handle the attack than Rob. Go ahead, reveal the attack. Ah, a nation state attacker physically infiltrates an air gap secured network. Geez, I don't know if any of this is going to work. What do you think?

Michelle Wilson (21:26)

In this one, I think my, my best savior there is my incident Response management. So if you have a good plan, you can, you can address most things.

David Spark (21:35)

Yeah. Is your EDR is not helping here. I don't think. No, I don't think your admin privileges possibly your access control. Possibly, but no, probably not. I think you're, you're instant response. Now you can also argue why Rob is not situated at all.

Michelle Wilson (21:54)

I could see how he might be. Okay, but again, you want to win.

Rob Allen (21:58)

Thank you.

Michelle Wilson (21:59)

I want to win.

David Spark (22:00)

So. All right. You got an instant response plan?

Michelle Wilson (22:02)

I do. And he's sitting There trying to figure out how to recover something.

David Spark (22:05)

All right, Rob, what are you. Why are you better situated?

Rob Allen (22:09)

Oh, I thought I got a different attack. It's the same attack.

David Spark (22:12)

No, it's the same attack.

Rob Allen (22:13)

Oh. Well, I was going to say if it's those guys and that's all we have available to us, then we're both screwed.

David Spark (22:20)

Yeah, it's a. It's a pretty bad.

Rob Allen (22:22)

It's not a great selection of controls and tools. So, yeah, I think we're both.

David Spark (22:27)

Although, I mean, maybe data recovery capabilities.

Rob Allen (22:32)

No, because nation state are not interested in causing damage.

David Spark (22:37)

So you're pretty much saying you're hosed. You got no defense here.

Rob Allen (22:42)

It's not a lot of great options you've given us here. Now if you said application control, if you said allow listing, if you said ring fencing, if you said all of those things, I would have said you've nothing to worry about. Well, you've not as much to worry about. But that set of options available.

David Spark (22:59)

Yeah.

Rob Allen (22:59)

Your host, unfortunately, your host.

David Spark (23:01)

Well, this was. Again, it was oriented that particular attack.

Rob Allen (23:03)

Now if you'd given us a different attack, then I.

David Spark (23:06)

All right, let's do it. Click new attack. Let's see what we got. All right. Cybercriminals convincing deepfake audio and video of the CEO demanding secret financial transactions within the company. I think you're equally hosed possibly here. What do you think?

Rob Allen (23:20)

I think she wins.

Michelle Wilson (23:21)

Yeah, I'm doing okay.

David Spark (23:23)

Yeah. All right. By applause. How many people here think Michelle wins by applause in both cases? Anyone think Rob's gonna win here by applause? Rob, your host.

Rob Allen (23:36)

Okay, can we just have one that involves ransomware, please?

David Spark (23:38)

All right, click a new attack again. Let's see if we get a ransomware one. I have no idea. A disgruntled employee steals censor data company. You're hosed.

Rob Allen (23:48)

I reject the premise of this game.

David Spark (23:53)

That might not have been the best decision.

David Spark (23:58)

All right, a door with a combination lock whose code is printed on it is no longer locked. David Travis, city of Auburn, posted a photo of the offending door lock to mock it and show how the blast radius expands when someone bypasses the control. And it was just, it was just a photo of a lock and literally had the, you know, the four digit code printed right above the lock. Now that's the knee jerk reaction, though, what David Travis said of a security professional and understandable. You know, at one time that door did need to be locked, but it's possible systems have changed. That door doesn't need to be locked. Anymore. If that's the case, honestly, it's far easier and cheaper to just post the code on top of the lock than finding a locksmith to remove the no longer needed lock. So system design requires security professionals to walk in users footsteps. When do you ask and I'll start with you, Rob, here. Why is this control here and what risk is mitigated by having this control? I mean, is this the regular process you go through to audit your security controls or do you do something else? How do you handle it?

Rob Allen (25:08)

That was a really long winded way of getting around to a question about reviewing controls.

David Spark (25:14)

I'm trying to set it up with a colorful picture.

Rob Allen (25:17)

I was going to say you were painting a picture.

David Spark (25:19)

I could have started segment. How do you. How do you review controls? Painted a picture.

Rob Allen (25:24)

We didn't need a Mona Lisa to get to the. How do you review controls? Or do you review controls? Yeah, quick short answer. Yes, you should review controls. You should review controls regularly.

David Spark (25:35)

I mean like, what are the questions you like here's a control. What are we doing? Like why is this there? Are we even noticing that the control is there? Like what is the conversation you're having?

Rob Allen (25:47)

Well, one might argue that you would be better having a control, even if it is no longer necessary or perceived as no longer necessary than not having a control.

David Spark (25:57)

You think it's better to have one than even if it's no longer necessary?

Rob Allen (26:02)

Maybe it's going to be necessary again tomorrow. Maybe it's necessary, but we don't know it's necessary. Maybe it's necessary, but we think it's not necessary. More controls are better than no controls or less controls.

David Spark (26:14)

But hold on, now we have the business that we're dealing with right now.

Rob Allen (26:17)

Screw those guys.

David Spark (26:18)

Oh, sorry.

Rob Allen (26:22)

But hold on, we didn't say that the control was stopping business. I mean a door having a lock is not stopping business. Again, your metaphors are killing me, David.

David Spark (26:32)

So for example, people need to get into this room to this session. If we had a lock on the door, then it would be quite difficult for people to get in here.

Rob Allen (26:41)

Yeah, but they've got a code posted on the top of the lock.

David Spark (26:44)

No, not in this case. They didn't have a code post. But what I'm saying is when do we need to make things slow down for a control and when do we need to remove it? Or when do we need to keep it strong? Is everyone confused? Michelle? I'm gonna let Michelle take over.

Rob Allen (27:02)

Michelle's gonna tear this entire thing up.

Michelle Wilson (27:04)

I'm gonna argue with you you about having more controls is better.

David Spark (27:08)

All right, good. Thank you for being on my side.

Michelle Wilson (27:10)

I'm not on your side, but I'm going to argue with him.

David Spark (27:12)

Okay, bring it on.

Michelle Wilson (27:15)

Well, so I've always had to operate with a very lean team. So if I have a lean team and I have a lot of controls that they're having to manage, update, keep working, keep functioning, I find that either reducing or collapsing controls into something that's more uniform so that they can work with one tool that maybe does multiple things, rather than having lots of controls that maybe aren't doing something very successfully. It's an efficiency thing that I'm talking about.

Rob Allen (27:49)

So I'm a gentleman, so I'm not going to disagree with you. I'm not going to tell you you're wrong, but you're wrong. Controls can help and facilitate teams. Being lean controls are not necessarily something that require constant management upkeep. Yes, they should be reviewed from time to time. But equally, I mean, very simple example is the difference between proactive, what we do, basically application, control, allow listing, etc. And detection and response. Detection and response involves alerts. Alerts. Fatigue is a real problem. It's a massive issue in cybersecurity that entire whack a mole or boy who cried wolf, where you better hope to hell that your security teams check everything out, hope they don't miss the one thing that's really important versus proactive, basically blocking everything by default and working backwards from there. One's a control, one's a response. And I would argue that the control requires far less management and far less work for a lean team like you have.

Michelle Wilson (29:12)

I would agree when you're defining it in that way, but only when you define it that way.

Rob Allen (29:18)

I did define it in that way.

Michelle Wilson (29:19)

There you go. All right, look at me. I concede. No, I don't.

David Spark (29:27)

What we've got here is failure to communicate.

David Spark (29:32)

The words we choose build the reality we operate in now. Phil Venables, who's the host of the Google Cloud Security podcast, recently explored how cybersecurity metaphors shape our decisions. He started with a Stanford study that gave people identical crime reports, with one key difference whether the crime was described as a wild beast preying on the city or a virus infecting the city. Those who read about the beast suggested enforcement, capture, punishment and caging. Those who read about the virus were more likely to suggest systemic root cause solutions. Venables then dissected our field security's most common metaphors. Cyber war pushes us into reactive tool Obsessed mindsets and diverts focus from foundational work like managing vulnerabilities and governing access. Castle and Moat fosters false security and overinvests in perimeters while leaving the interior vulnerable. Cyber hygiene can place a burden solely on users, leading to a blame culture. Instead of building robust architecture, he argues the wrong metaphor leads to the wrong investments and false security, while the right one aligns the organization on a shared understanding. I'm going to start with you, Michelle. What metaphors resonate with you to build the right solutions?

Michelle Wilson (30:57)

One of my favorite metaphors is talking about how the business likes to go fast. So they have the race car metaphor. They want to use a Lamborghini. I need to make sure the road is not. Not full of potholes. So we need to make sure that we've got our foundations set and effective so that that nice Lamborghini doesn't end up in a pothole and lose a tire in the first five minutes.

David Spark (31:19)

Yeah, and I think actually the race car metaphor has been used many, many times and it is very apropos. What about you, Rob? Do you have a favorite metaphor?

Rob Allen (31:29)

I have lots of favorite metaphors. I think metaphors are really useful.

David Spark (31:32)

Okay.

Rob Allen (31:33)

I think an important part of what we do is explaining complex things in a simple way that, yes, anybody can understand. Probably my. Well, my go to for what we do if a normal person was to say, what's threat locker all about? You use the analogy of your house and a lock on the door and how a lock on the door is a control or a lock on your windows as a control. They're all controls. You could talk about how detection and response is like an alarm. It's a motion sensor. It's something that is reactive. The control is stopping people from getting in, but the reactive is in case somebody does manage to get in. And you can take that to the nth degree because we have people who will go so far as to say ring fencing is. Is about allowing people into your house through the lock, but then saying they can't go to particular rooms within the house so they're allowed to come so far and no more.

David Spark (32:36)

That actually it's a better version of what the candy bar metaphor through just classic firewalls, you know, hard on the outside, chewy on the inside. You address that with the ring fencing

Rob Allen (32:48)

and you can take it to the nth degree. You can go really far with that. But just in very simple terms, it is. And it was. I actually. I don't know if you caught Danny's intro on Wednesday. He Described his threat locker being a bank vault and the ed, or portion of it being a motion sensor with laser beams, which I thought was interesting way of describing it, but it's fundamentally the same idea, which is we build locks, we build controls around environments. In some cases with like, ring fencing, you let things in and you. You let them do certain things, but no more. But I think that is a useful metaphor for describing to people who don't understand what proactive security looks like is.

David Spark (33:34)

Okay, do you add any more metaphors? You just gave us the racecar one. Any others that you sort of lean into? And is this what you describe to others within the organization?

Michelle Wilson (33:45)

I don't actually use metaphors that often.

David Spark (33:47)

Sorry, so you don't.

Michelle Wilson (33:48)

Yeah, I just try and explain in English what it is we're trying to do.

David Spark (33:52)

Sounds good.

David Spark (33:56)

It's time for the audience question. Speed round.

David Spark (34:02)

All right. With the time that we had left, we have a little bit of time left. I've got questions in my hand from our audience. All right. You have not seen these. Like you didn't see the games. You haven't seen these. I'm just looking for your answers to these. This comes from Amar. Amar, first name and last name are exactly the same. From the University of Tennessee Health Science Center. And Amar asks what security defenses are going to fail from AI attacks at scale. So this is, you know, we're concerned about how attackers are using AI doing the attacks they're doing now, but at scale. So what security defenses do we have now are just simply going to fail at that?

Michelle Wilson (34:41)

Anything you think security awareness training is not going to be able to help us as much as we've always come to rely on it.

David Spark (34:48)

Security awareness training.

Rob Allen (34:49)

What do you think, Rob anything that involves detection and response when you're trying to detect and respond to 560,000 new pieces of malware every single day, when you're trying to recognize them, when 40% of them are AI generated or AI enhanced or AI iterated, you're guaranteed to fail at some stage. You won't fail all the time, but trying to detect, recognize every one of them is doomed to failure. I'm sorry to tell everyone.

David Spark (35:21)

All right, let's go to the next question from Stefan Yell of Silicon Valley Services. MSPs. He's an MSP, wants to say yes to every client. Say yes. You want to do this? Yes. Yes. Yes, yes. They don't operate as a department of. No. But what should we as security professionals, even though we do not want to be known as the department of no. What should we be saying no to?

Michelle Wilson (35:43)

I don't say no. I say yes. And so the answer is, yes, we can do that. And we need to do these 82 other things to do that.

David Spark (35:51)

Okay, but maybe would they also balk? Like, all right, but I don't think I want to do those 82 things. So they say no to themselves. Yes, that's a smart way of doing it. Throw it in their hands. What should we be saying no to? Rob?

Rob Allen (36:06)

Anybody who will not take your advice on security. I mean, fundamentally, anybody who doesn't recognize, understand, believe you telling them they need better security or more security. I've been that soldier. I've spent 18 years as an MSP. And I know from painful experience that the customers who say no to wanting something else or better or different from a security perspective are the very same ones who will blame you when they get hit, when they get breached. So be mindful of and wary of customers like that who, who don't take your best advice because fundamentally, you are the expert. Have confidence in your own advice. Have confidence that you are giving this advice honestly and to the best of your ability. And if they choose not to take it, be aware that they are probably the ones that are going to get hit and they are probably the ones that are going to blame you when they do.

David Spark (37:17)

All right, Dan Powers over at Full Sail University asked this question, and I'll start with you. Rob someone right out of school with some cybersecurity training or certificates. What could they also do? They have that, but what could they do? Because there's so many young people have those experience. What could they also do to really impress you?

Rob Allen (37:37)

I met a young man last night who I hope I will see again today. If he's in the room, by the way, do come and talk to me. At some stage, this young man, fresh out of college, paid for his own ticket to come here to Zero Trust World. Not an insubstantial or unsubstantial amount of money for a young person not in the workplace yet, but he paid for himself to come here. That's incredibly impressive. He wants to learn, he wants to meet people, he wants to understand the industry. And that's the kind of thing that, I mean, I'm not going to say he's definitely the only just fresh out of college student that's here, but I wouldn't be surprised if he's the only fresh out of college student that's here, but somebody like that who will go the extra mile, who will try to learn to improve themselves, to meet people, to network, from my perspective, is incredibly impressive.

David Spark (38:34)

That's very good. All right, what about you? What can impress you, Michelle?

Michelle Wilson (38:38)

It's actually a pretty similar answer. Getting involved in the local community, getting to know people in the industry. Most cities have some sort of group that a new person could join for reasonable amount of money to meet people and then in their free time, learn more. Like demonstrate that you've got curiosity and demonstrate that you're willing to learn. You never stop learning in this field.

David Spark (39:03)

So what do you want to add, Rob?

Rob Allen (39:06)

I just wanted to add one other thing. When I had this conversation with this young man, I was dressed as Barf.

David Spark (39:12)

From Spaceballs.

Rob Allen (39:13)

From Spaceballs. So it was quite difficult to have a serious conversation with him, much as I might have wanted to. So, yeah, it was a little bit tricky. But as I said, if that young man is in the room, come talk to me at some stage. We will organize a refund for you for your ticket for the event.

David Spark (39:29)

Oh, that's very kind. Very kind. All right, last question. Let's wrap this up. From TJ Williams of MMI Technologies. How do you convince people whose knee jerk reaction is to want to hide that they made a mistake? So, like a fish, a real fish, or a fishing test their knee jerk reaction to that they made a mistake, they got phished, but they need to report it, but they want to hide it. It's a positive thing to do. How do you convince them that's what they should be doing?

Michelle Wilson (40:02)

Michelle, you do try and build a culture that does not reflect punishment for letting you know, especially if they let you know and celebrate when they do let you know. We actually give out awards when people let us know that they did something or that they saw something. We prefer to give them awards for noticing something and not clicking on it. But building that culture is important to get people to work with your teams.

Rob Allen (40:29)

Rob, everything that Michelle just said, you need a culture where somebody can be honest, somebody can admit to making a mistake or even thinking they made a mistake. If you have a culture where somebody is terrified to admit such a thing, they're not going to come forward. They're not going to fess up. They're going to try and hide it. So it is all about the culture. It's all about making as leaders, making ourselves available and listening and people knowing you're not going to chew them out of it just because they made a mistake.

David Spark (41:01)

We are now at the end of the show. Thank you very much, everybody. Thank you. I want to thank threatlocker for bringing us out here. Threatlocker.com CISO allow what you need. Block everything else by default, including ransomware and rogue code. And I want to thank my guest right here to my left, Michelle Wilson, the CISO of Movement Mortgage. Rob, you are always hiring a threat locker, is that correct?

Rob Allen (41:32)

Yes, very much so. We now have room for people. So, yes, we are ramping up hiring. All right, so, yeah, come live in Orlando. It's really nice. It's warm.

David Spark (41:41)

All right, well, thank you very, very much, Rob. Thank you very much, Michelle. And thank you to ThreatLocker and to our audience. We greatly appreciate your contributions. And for listening to the CISO Series podcast, You guys,

David Spark (42:02)

that wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and cybersecurity headlines. Week in review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com thank you for listening to the CISO Series podcast.