Host
Best advice I ever got in security.
Becca Harness
Go. Best advice I ever got was years ago from Alan Paller. He said the most important thing is that people trust you. So job number one when you start a new job is just establish that trust with the board, the executive team, your peers, anyone and everyone. That was absolutely true.
Host
It's time to begin the CISO Series podcast.
David Spark
Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the CISO Series and joining me is my co-host, one of your favorites, better be. It's Andy Ellis, principal of Duha. Andy, say hello to the audience.
Andy Ellis
Hello to the audience.
David Spark
Ah, it's like the walk this way
Andy Ellis
gag, you know, got to try something a little bit new from time to time.
David Spark
By the way, that gag, which is so old either, you know, repeating. What do they say? Say hello to the audience. Hello to the audience. Or say your name. Say your name. That joke is so old, although it repeated itself. It was just thinking, say your name is from Animal House. They say, yes, I state your name
Andy Ellis
because it's just a funny joke.
David Spark
It's a funny. But it's been said a bazillion times. Anyways, classics sometimes never go away. We're available at cisoseries.com where you can check out all of our wonderful programming. Our sponsor for today's episode is Strike48. Strike48 unifies your logs and agentic AI. We're going to be talking about that just a little bit later in the show. In fact, they are a brand new sponsor and a brand new company. Pretty spectacular. Now, Andy, first thing I have to do though on today's episode is say happy birthday. Because I understand today you're celebrating your birthday by recording an episode with us, correct?
Andy Ellis
I am, because I just wasn't fast enough to block today before you managed to schedule something. So it's the only work I'm doing professionally. I got other work I have to do. There might be a little bit of snow I'm dealing with. I know this is airing not on my birthday, so hopefully there's no snow today in March.
David Spark
Yes, let's hope not. Now, I don't want to know about today, but I want to know what was the most spectacular birthday you've ever had?
Andy Ellis
The most spectacular birthday I've ever had. That's. That's got to be a really hard one. I don't think. I know I've got a. I mean,
David Spark
or a surprise gift. You'd never.
Andy Ellis
Well, actually got a. I got a really great surprise gift today for this birthday. We were visiting some friends, and they gave me a shirt that says, of course I talk to myself. Sometimes I need expert advice.
David Spark
There you go. That's good. So that's. That's the best you can think of?
Andy Ellis
You know, I just enjoy, like, living in the moment and enjoying sort of what's happening as what's going on. Because here's the important thing. Growing old is something that happens to you. Growing up is a choice.
David Spark
That is true. I will say the thing that for my wife and I, we don't actually buy each other gifts. We essentially plan an entire day for the other person.
Andy Ellis
Oh, that's awesome.
David Spark
So my wife's name is Joy. I'm David. So the idea is we create what is called Joy Day or David Day, and it's a whole day of activities, and we do not tell the person what's going to happen. They just come along.
Andy Ellis
I love that.
David Spark
And it's always fun. The big joke in the family is that I've done, like, too much in a day where I've brought my wife to tears.
Andy Ellis
Oh, my goodness. See, that was the problem that we would have, which is if I was going to schedule a day around my wife, I'd just be like, okay, great, we'll do, like, a spa day, like, because easy to schedule. I don't have to think about it. Whereas my wife is an amazing planner, and she'd have, like, so many activities, and I'd be like, I just want to sit and do nothing. Like, hop on a plane and go somewhere it's sunny would actually be a highlight. Instead, my birthday's in the winter, and I live in New England, so my days often revolve around snow.
David Spark
For example, my wife, who grew up in Reno, and as a snowboarder, I thought she would also be into ice skating, did not realize this. Now, this didn't bring her to tears, but I took her ice skating on her birthday once.
Andy Ellis
Oh, my goodness.
David Spark
She was beyond miserable. Beyond. Like, I have video of her just being miserable on ice skates.
Andy Ellis
Yeah, like ice skating. If you don't actually know how to skate on ice, that is a brutal sport that looks nothing like any other snow sport that's out there.
David Spark
Yeah, well, she was not happy. I thought, ah, you're into snowboarding. Well, you must be into all winter sports. I was wrong. All right, enough of this nonsense. Let's bring in our guest who we've had on before. I'm thrilled to have her back on again. And in fact, we have something in common. Both owners of aquariums, although technically I don't own one yet because mine had a leak and I ordered a new one. But I always appreciate people who are aquarium owners and owners of fish anyways. But that is not her claim to fame for this episode. Rather she's a CISO, the CISO for Deltec, none other than Becca Harness. Becca, thank you so much for joining us.
Becca Harness
Thanks for having me here.
Host
Is AI going to help us or hurt us?
David Spark
Quote, 95% of AI pilot projects fail to make it to production. End quote. Now that stat is from MIT, and was recently highlighted by Enrico Signoretti of Cubbit to show the pressure CISOs are under when it comes to AI strategy. Executives are hearing about competitive advantages, seeing competitors announce AI initiatives and wondering why you're not already deploying your own chatbots and automated threat detection. But in the rush to go AI-first, organizations are skipping the data-first step that makes AI work. For Enrico, without data that's organized, secured, cataloged and accessible, AI projects become expensive hobbies, not production systems. So when your CEO asks what the company's doing with AI, how are you framing that conversation, Andy, and how do you balance exploring legitimate opportunities against managing expectations about what's achievable? This seems like something everyone's dealing with.
Andy Ellis
So it absolutely is. But I just want to start out by challenging the underlying premise here, like 95% of your pilot programs, and we could talk about pilot in a moment, failing is a great statistic. This is not a bad statistic. I see way too many companies that basically say, look, once we decide to try something, of course it will make it to production. You've set the bar too high for getting into pilot. The whole point of a pilot is to figure things out in live production, not just on paper. So I'm actually happy to see 95% are actually not making it to production and are failing. Because that might mean, doesn't necessarily mean, but might mean that companies are iterating and saying, oh, hey, this didn't work, let's try something again. And now maybe if you want to call it something, that's like a pre-pilot, but most companies just don't have language for, hey, we're playing around. Because that's what companies are doing today. You're playing around with AI to see what might work. And if it works, then you're running with it. Now what they're not going to do, which we all wish they would do, is once something works, go back and clean up the deployment model, because you probably cut a lot of corners like you should when you're playing around. And so that's going to be the real challenge, is the AI projects that stick will not be ones that you actually did all this diligence work on. Like he wants people to organize, secure, catalog, and make accessible all of your data. That's an impossible barrier. No project that starts that way will ever make it to pilot, let alone to production. So the things that make it to production are all going to need that work done retrospectively. And that's been the challenge of our career field for basically my whole life. So I don't expect anything different out of AI.
David Spark
But I see this as okay. If 95% of AI pilot projects fail, that means the answer to your executives is, we're trying things out, and a lot of things are failing. Right now.
Andy Ellis
We are experimenting rapidly to identify the synergies that will provide the most value to the business and to quickly spot the places where AI will not provide sufficient value to justify further investment. You don't say we're failing because you're succeeding.
David Spark
That is a fantastic way to get rid of your executives, isn't it?
Andy Ellis
You have to learn their language. Like, 95% not make it to production is not 95% failed. It's 95%. We learned enough to realize that was a bad path to continue down, and we went somewhere else. Learning is success.
David Spark
All right, glass half full. Rebecca, I throw this to you. Do you see this the same way as Andy?
Becca Harness
Yeah, pretty much. I mean, what was it like in Web 2.0? All of us were championing fail fast. Right. So going to try an awful lot of things. Don't go too far down the rabbit hole before saying, okay, that's not working. Let's try something different. But for us, the goal was get AI in the hands of all of our people. Let's not have a culture of haves and have-nots. Get it in the hands of everyone and figure out who succeeds, figure out where the logical use cases are. And that's been really successful for us over the last year.
David Spark
And so is everyone kind of on the same page then? Like, have you had this? You know, Absolutely not. Oh, okay. All right.
Andy Ellis
Lots of pages.
Becca Harness
Yeah, there's lots of pages.
David Spark
But the thing is, I'm sure that the executives, those not in security, are trying to push AI initiatives everywhere just because they're reading it and they realize it's some kind of competitive advantage, but they don't know exactly where.
Becca Harness
Yeah, certainly every executive and probably every industry knows they have to have an AI story for the board: How are we leveraging it? How are we using it to reduce costs, to move faster, to be more competitive, equip our customers with AI tooling, with enterprise. That's true in every organization today. And I think downstream of that, it's looking for those pragmatic, practical implementations of AI where you get it in the hands of people that are experts in their field and let them figure out how to use it best and then tell that story upline with probably a lot of marketing included in there.
Host
How is the CISO role evolving?
David Spark
Andy, a little while ago you wrote a piece for CSO Online proclaiming the death of the CIO, arguing that quote, as most of the traditional IT based application support activities are handled by SaaS vendors, the primary need for SaaS support is security support. And it'll be wasteful for companies to have both a CIO and CISO providing that support separately. So, Becca, you took that idea, the very one that Andy was saying. It's amazing, Andy. People listen to you and they take action. I'm shocked. Let me go on.
Andy Ellis
Wow.
David Spark
You took that idea, Becca, and you ran with it, floating the idea to your executive team that your organization should close the open CIO position and shift to a new operating model with most of IT reporting to you as CISO. Six months in, you now have 150 people reporting to you with IT infrastructure and support services under your leadership. We talked about this theory on the show before, but now we have an actual in-the-wild example. All right, so Becca, walk us through that Jerry Maguire moment. What was it like, how did you make the case? Because I'm envisioning this whole movie scene that played out. Oh yeah, what's working six months in, and where are the friction points? Let's hear the story.
Becca Harness
So where this really started was this is my third run as CISO, having been CISO at St. Louis University and Quickbase and now Deltec. And you know one thing that's followed me at each spot, I don't know if I'm the death knell for CIOs, but at St. Louis University, six months in, we had a changeover in CIO. Quickbase, I think it was nine months in, we had a changeover in CIO. Here at Deltec, same thing. We had a CIO exit and they started looking for a new CIO. Every single time it's kind of been the same story where, okay, we're going to bring someone else in. Then I got to develop that relationship, develop that trust. We got to figure out how to work together. And then hopefully make some progress towards whatever we're trying to accomplish. And this time I was just like, okay, third time's the charm here. We got to figure out a different way to go about this because it takes too long, it interrupts progress. And we're also at a point in the industry, like we talked about, every organization is trying to do this transition over to AI and such. I happen to be in a position where I spent a good part of my career in IT services and support and IT engineering. So I had the right background there. I've been in security since around 2012, so I've got maybe the right foundation to take on something like this. So when I was at Quickbase, the CTO that I reported to had come from Amazon. He was a big believer in the Amazon 6-pager and the PR/FAQs that come out of the Amazon culture. So I sat down and rather than kind of build a slide deck, I wrote a 15-page Amazon 6-pager with references, including Andy's article, which is really kind of the first one that I ran across when I started looking at doing something like this, and kind of made that point of, let's think about this in a different way. Maybe rather than bring in a CIO and have everything report up to the CIO, why not move the IT engineering and IT support, which I've got a good background in.
Let me take leadership on that and focus on bringing in an executive that's solely focused on transformation, digital transformation, the transformation towards AI, those big bucket things. Because inevitably what happens is you bring in a CIO or whatever you want to call them, and in our case they're executive positions but not called CIO. They're looking to make a name for themselves. They're of course going to focus on innovation and transformation, that sort of thing, and IT services and support, security, it's kind of a best-effort type of thing. Bringing IT into the security organization allowed me to merge the teams together. So our IT and security teams are really tightly blended together. My SOC manager now also leads network operations. Our security engineering team is part of the network engineering team. There's really great synergies across the stack. So it worked really well. I wrote the paper, I sent it to all of our executive team and then I kind of went one by one and met one on one with them and they poked and prodded on it. And I think what it really came down to was they had seen what I had done with security over the last year and I'd done some really great stuff. Taken a very pragmatic approach. They trusted me and I was really telling the story from their perspective of, we know we got to do these big bucket things. Okay, give me the things that are kind of noisy, so to speak. Let me take that and manage that, and then other folks can focus on the big transformation activities and such. So six months later, I think it's worked really well. The teams have picked up on it. I think one of the biggest friction points was it used to be very project focused, which tends to slow things down, takes longer to run large project cycles. So I'm a big believer in Agile methodology, Kanban plus Scrum. So we've been migrating to that; that's how we manage work and how we implement stuff. I think that's kind of been the biggest thing so far.
David Spark
All right, Andy, so you hear real world example. Had you heard others? What's your take on Becca's story?
Andy Ellis
Yeah, so this is absolutely not the first I've heard of it. In fact, I did not write this cold and be like, oh, I have this great idea. I wrote it because I was already starting to observe it. And in fact, I've been observing something fascinating. And it may just be availability bias. I've noticed a gender skew here, which is I'm more likely to see a woman who is doing both jobs than I am a man who's doing both jobs. And certainly the early cases, I actually pitched a panel to RSA and I went and I tried to find everybody who'd been both CIO and CISO, and the first 10 people I could come up with were all women. It wasn't even like a little bit of a split. I could not find any men who had done this several years ago. So to me, that's just fascinating. I don't have an explanation for it, that's just observational data. But I think exactly what Becca sort of closed with is, I think, a key thing, which is there's different cadences that organizations operate at, and IT is traditionally a very operational role, like, things have to move fast. But it evolved into this project role of, oh, we want to do big things. Big organizations like that don't move fast. They become sort of these engineering change, leadership, change management. And that affects the operational teams because more and more of your leadership doesn't know how to work in an operational role. And you also. I've seen some really weird dynamics and I can't wait to see. Actually, I hope Becca doesn't run into this, which is there's a boom-and-bust cycle of headcount, right? It's like, oh, let's get more headcount. Oh, we have to take away headcount. And what I've seen in a lot of IT organizations is when they get a boom, they apply all of the boom into the big projects. It's like, oh, let's put all of this bonus headcount we've got into digital transformation. And then a year later, when they're told, oh, cut 10% of your heads, they protect digital transformation.
And the 10% cut isn't just the 10% of the ops team. It's the 10% from digital transformation applied to ops. So your ops team keeps getting cut even more and more. And so separating them out. I love as an idea, just to protect the budget lines as well, like, hey, here's our operational support team. They're not carrying this, I don't want to say dead weight, but this weight of these big transformation activities that you should invest in or disinvest in as a whole. Not partially.
Becca Harness
You know, one way we mitigate some of that is through monthly metrics meetings. I'm like, I'm a big metrics nerd. And we're constantly doing trending data. And every team tells a very tight story of what they're delivering for the organization and what they're doing in the name of continuous improvement. That's one way we avoid that, is we make sure that we tell our story very, very well upline so that everybody understands the value that we bring the organization.
David Spark
Before I go any further, I want to tell you about our fantastic new sponsor, and that is Strike48. As we know, everyone is talking about AI for security. Copilots, assistants, chatbots, the list goes on. But how much time is AI really saving you? I mean really, does it have access to the data it needs or is it just isolated in silos? And can you trust it to do real, reliable security work? Enter Strike48. This is the first agentic log intelligence platform that gives AI agents the visibility they need to take a load off of your team. Now, it's no secret that AI is only as effective as the data it can access. So if your SIEM costs force you to drop logs or put them in cold storage, any existing AI you deploy will have blind spots. Don't worry about that anymore. You can now maximize log visibility without maximizing costs. Plus, the platform connects to your logs wherever they live, so you can keep the technology you already have. With Strike48, you can deploy pre-built agent clusters or build your own agents and workflows covering phishing, threat intel, alert triage, SOC and more. You can try Strike48 for free. Yeah, just go to strike48.com, spelled exactly as it sounds, the word strike and then four eight, strike48.com/security, and start deploying log intelligence agents today. Remember, strike48.com/security. You heard about it from the CISO Series.
Host
It's time to play what's Worse.
David Spark
Becca, you remember how this game is played. Two crappy scenarios. You have to decide which one is worse from a risk management perspective. I will make Andy answer first. You can agree or disagree. This again comes from Ryan Renee Rosado of RSM. She has put together an interesting combination on each side of the what's worse scenario. So again, it's kind of apples and oranges on each side, but you will see what I mean. All right.
Andy Ellis
But I loved this one, last one. We did like this. Even though I thought it was somewhat easier, it really made us think.
David Spark
Well, this one will make you think as well. All right.
Andy Ellis
Okay.
David Spark
A huge data breach that will lead to fines and SEC scrutiny with a material weakness. And this is all on one side here.
Andy Ellis
Yep. While that's happening, you go to a
David Spark
huge data breach that can lead to fines and SEC scrutiny with material weakness, and a wildfire is heading towards your area. Okay.
Andy Ellis
Oh, this is a California problem.
David Spark
Okay.
Andy Ellis
If I got wildfires heading towards my area, we got serious issues.
David Spark
It could be, just go anywhere up and down the West Coast.
Andy Ellis
This could be.
David Spark
Or there's dry areas in the Midwest too.
Andy Ellis
Okay. So actually, honestly, I've been really close to this one before. Had serious issues with a wildfire headed for the engineering team that needed to deal with the issues.
David Spark
Okay. All right. Or you have an insider threat stealing proprietary information when your mistress is pregnant and your wife just found out.
Becca Harness
Well, if my mistress is pregnant, that's going to be a really difficult thing.
Andy Ellis
Yeah, that's.
Becca Harness
That'd be a miracle.
Andy Ellis
It would be a miracle. Becca.
David Spark
Look, things can happen. Things can happen. Let me just say things can happen. All right. But Andy's going to answer first. What's your take on this?
Andy Ellis
So first, let's go with the professional piece of it because I love that these are a professional and a sort of a personal one.
David Spark
Yes.
Andy Ellis
Which is obviously the first one is worse. Like the breach with fines is worse than the insider threat. That to me, that would just be a no-brainer if it was just those. And so the question is the wildfire headed to you versus you are engaged in an extramarital affair and that partner got pregnant, and your spouse is about to find out about it.
David Spark
By the way, this happened to a neighbor of one of ours, actually.
Andy Ellis
That actually is really, really fascinating. And I have to decide, how bad is this wildfire to really sort of compare with that one.
David Spark
But that second one, I mean, you want out of that scenario at all costs. I think that's pretty bad.
Andy Ellis
Well, the problem is you got into that scenario because you weren't thinking about the cost. I gotta say, this is a good one. But I generally try to put the professional hat on when I'm answering these from sort of a risk perspective.
David Spark
Yes.
Andy Ellis
And I gotta say, you did this. The second one. You did this to yourself. You have a mistress. Like, this is on. I know, but again, versus wildfire coming to your house.
David Spark
Yes, that's true.
Andy Ellis
Yeah. Wow.
David Spark
By the way, this is the longest I've ever seen Andy debating something.
Andy Ellis
Well, because if I just. If I put on my professional hat, like, how do I feel as a professional? I would have to say the first one is worse.
David Spark
Yes.
Andy Ellis
Especially because the wildfire impacts your ability to deal and your whole team's ability. You can't even delegate.
David Spark
Oh, yeah. Just the number of people this affects is the first one.
Andy Ellis
Cause the wildfire is headed towards your headquarters. Like the number of people being affected.
David Spark
But that second one, oh, man, does that get you.
Andy Ellis
But that second one, from a very personal perspective, this is like. Like, how do I go up to my wife after recording this and saying, well, I just said that, you know, if hypothetically I was in an affair and got her pregnant, that's not that bad. There's just no way to walk off with that one. I gotta say, this is a really good one. But I'm gonna stick to my guns and say the first one is worse.
David Spark
Okay.
Andy Ellis
Simply because the amount of effect on your life, your company's life, all of your employees' lives, is much more massive in every realm of it. Whereas the second one, the risk is all just concentrated on, you were an idiot. And so I have a hard time saying that it's worse. Even if personally, that would be really awful.
David Spark
Now, Becca, same story for you. You got your mistress pregnant. I don't know how you did it, but you pulled it off.
Andy Ellis
Good job. You make a lot of money repeating that experiment.
David Spark
There you go. I bet, right?
Becca Harness
The book deal alone would be great.
Andy Ellis
The book deal is fantastic.
David Spark
So which one are you going to agree or disagree with Andy again? You see how it's sort of this is weighted.
Becca Harness
Well, I mean, selfishly, I would say that the second one is actually worse because that's going to follow you for the rest of your life. Whereas the first example is temporary pain. Like it's going to suck for six months, then it's going to go away. And in modern society, like living through that as CISO, like that's a resume-building activity. You know, that's.
Andy Ellis
Although your house could have been in the Pacific Palisades and when it gets burnt down, the state won't let you rebuild it because they want to, you know, seize your house for some other purpose. Who knows.
Becca Harness
But you get all new stuff. So, you know,
Andy Ellis
you get all new stuff.
Becca Harness
I'm a silver lining type of person. So.
David Spark
So anyway, so you're leaning on the second one being worse because. Great example. It has a longer lifespan. The rest of your life. Exactly.
Andy Ellis
Yeah.
David Spark
All right. Well, I think Rebecca wins on this one. Andy.
Andy Ellis
Well, I think that Ryan Renee wins on this one for getting Becca and I to disagree because it's been a while since a guest has disagreed with me.
David Spark
That is true. Thank you very much, Becca. Thank you, Ryan. Thank you, Andy.
Host
What works? What's not working?
David Spark
Quote, We've all implemented controls that looked solid in design reviews, then caused unexpected friction once real users and workflows got involved. End quote. Now, this comes from a recent cybersecurity subreddit discussion that looked at what security controls look good on paper but create too much friction. The responses ran the gamut. USB drive lockdowns triggered massive pushback because people felt untrusted rather than protected. Removing local admin privileges exposed how many shadow tools employees were using. DLP policies blocked accounting teams from establishing customer relationships. HTTPS inspection broke Microsoft 365 traffic when misconfigured. So when you implement a control that causes unexpected operational friction, and it happens, how do you diagnose whether the problem is the control itself, poor change management, or something deeper about trust and culture? Becca, what can be adapted and what needs to be abandoned with controls?
Becca Harness
Yeah, you know, I do want to say, like removing local admin permissions. I've done that at several organizations so far and I've never really run into a lot of challenges there, but I've always had an EPM tool to assist with that. And so that's one where I haven't actually had a lot of friction. You would expect it to be. And every single organization, they're like, the developers are going to hate this. They can't stomach this. And we always seem to make our way through that. So I've never had a problem there. The one that's always, always, always a problem is that migration to zero trust network access. Anytime you're changing out networking, firewalls, routers, that type of thing, it just seems like we're unwinding decades of stratified goo when it comes to network rules and trying to translate that into modern stacks, modern tooling. Always going to run into challenges. And I think that's the difference. You're going to find out really quick, do I have a good networking team or do I have a great team? Because if I have a great networking team, I think there's always going to be impact, but it's going to be relatively minor. You're going to get through it. A day or two of pain and you'll be okay. If you have a good networking team, that pain is going to last a while, and things are just going to bubble up again and again for months. But that's the one tool that I think is extremely necessary. But I've never seen it go super smoothly.
David Spark
All right, Andy, I throw this to you.
Andy Ellis
I'm just laughing because if you asked me to pick what thing I've deployed that went smoothly and what thing I tried to deploy that failed, I'd say what went smoothly was ZTNA. And what failed was removing local admin access.
David Spark
You see, you're disagreeing on everything with Becca, although Becca's the one who followed your advice, too, about the whole CISO model.
Andy Ellis
But we're not disagreeing about why. The why is in which place did you truly understand what your users were doing in advance and be prepared to support them? And almost every time that I see something like this, where it's like, oh, this looks solid in a design review, like, did anybody ever ask how people use the system? Did you think about change management as part of design, or did you just assume that nobody would do something like that? By the way, most dangerous phrase in security: "Nobody would ever do that." Believe me. You have employees and customers doing exactly the thing you think nobody would ever do. That's not on them. That's on your failure of imagination. So if you don't start your rollout by saying, how will it fail? Do pre-mortems. What could go wrong? Let people tell you and listen. Yes, it took us nine years to build and roll out ZTNA, but we were the first people to do it. There was no roadmap. So we built, we went very slowly, and by the end of it, we had people begging us to go faster. They were like, why are you doing this so slowly? Just give everybody this right now. It works. And often we would do, we'd be like, oh, look, here's the system, here's the VPN. We're not turning off the VPN yet, but if you just use this, you don't have to ever use the VPN again. And that was amazing because we didn't take away what they trusted. We just gave them what was a better option and they started using it. And we're like, oh, hey, this works. Or they would, like, let the person next to them, like, Mikey likes it, let him try it. They would let somebody next to them try it. And when it worked. And the biggest fight that I had was with the IT department that they wanted to control the rollout. They wanted to say, you can't use this new system until we approve you for it. And I'm like, no, approve everybody for it, but let them opt in as to when they want to do it and just be prepared for that.
And once you do that, if your system works, people will jump. And if this doesn't work, they'll tell you early, but they're not disrupting your roadmap because you let them self select back out.
David Spark
I would assume these kinds of changes really boil down to the culture that you create and kind of what you describe. Do you have a good or a great team? Becca, you got to make changes. It's how your team and also all the users respond to it and what they know or expect from them. So I guess maybe my question is for both of you, and let's get quick answers here, is what do you communicate about your culture to everybody about, hey, changes are coming, this is going to happen. We might have some friction. How does that roll itself out? I'm just making something up. Becca, what do you say? What do you do?
Becca Harness
Yeah, well, I mean, in my first example, we were trying to convert a university at the beginning of COVID to enable everybody, including students, to work remotely. So there's a ton of challenges there, but everybody got it, right? I mean, it was just going to be difficult. I'd say the more relevant recent example is, we have a global workforce working 24/7. So for us, like, that culture aspect was really, look, let's get rid of tooling, let's get rid of that decision point. Do I connect to the VPN? Do I not connect to the VPN? Like, hey, it just works. It's always on. It's there in the background and we're slimming down the number of tools on your laptops. Being a product company, developers like one less security tool. Great, I'm in. So I think that really helps buy some patience as you work through all the rules and such.
David Spark
All right, Andy.
Andy Ellis
I think the most important thing is to communicate to IT and security that we work for the user. If the user needs a thing, the answer is not, let's run that through the process. The answer is yes in real time. You need to get to yes as fast as you possibly can. Even if you think that might be the wrong decision, because we can come back and revisit it. But if at 3am a user's like, I need to install this thing on my platform, unless there's a really good reason you're saying no, like, that's malware, let's not do that. But if you just want to say, well, we haven't approved it. No, you approve it, you let it go. And then in the morning let's sit down and figure out, was that the choice we want to make going forward? But don't get in the user's way. And that's the biggest challenge I see in so many security teams is they think they get to say no to a user. You don't. The person who's going to say no to that user is their boss. If you don't like the tool that a user thinks they want, then you go to their boss and say, hey, they can't have the tool. Let the boss deliver that message. Your job is just to enforce the rules of the organization and to make it seamless and fast.
Becca Harness
Championing employee enablement will build a lot of trust quickly.
Andy Ellis
Exactly.
David Spark
Coming up next, don't weigh down security with all vulnerability management. Exposure ownership belongs with the control owners.
Host
Today's exposure management tip is sponsored by Qualys.
David Spark
In some past multiple identity related breaches, excessive privileges were known issues, but remediation stalled because security lacked the authority to change access models. Application teams shouldered the responsibility of making the changes, but accountability sat with business executives to approve those changes. Security was then left holding the bag. This resulted in months of delay and it ended with eventual exploitation. The lesson wasn't to deploy better tooling, but simply to align exposure ownership with control ownership. Exposure management breaks down when everything is owned by security. The most effective programs push ownership to the teams that can actually control the risk, such as identity teams that own privilege sprawl, cloud teams that own misconfigurations, and network teams that own segmentation gaps. Security then becomes the orchestrator, not the bottleneck. This model also shortens remediation cycles dramatically because fixes happen where decisions are made. More importantly, it invents exposure awareness into daily operations instead of treating it as an external audit function. That's where exposure management becomes sustainable at scale.
Host
Want to go beyond exposure visibility and actually reduce risk? Find out how by visiting qualys.com roc. Here's a brand new vendor marketing tactic.
David Spark
Quote, "Your company is vulnerable. We found 1223 security issues," end quote. That was the subject line of something CISO Nick Ryan of Ryan Leadership found in his inbox from a pen testing company demanding $15,000 to reveal what they supposedly found. Nick's response was direct. Quote, "Send me the list and I'll pay you. Otherwise, stop scanning our infrastructure without permission," end quote. He never heard back. Because they didn't find anything, they likely sent the same email to hundreds of companies hoping someone would panic and pay. As Nick puts it, quote, "this is what desperation looks like in security sales." So how do you quickly distinguish between legitimate security vendors and companies running scams with an LLC? What are the red flags you watch for in vendor outreach? Besides obviously this one? And is this the shadiest sales tactic you've ever come across? Or are there worse?
Andy Ellis
Okay, so I see this from legitimate vendors. So this is not just a signal of a shady vendor. My least favorite was actually all of the various file share and instant communications platforms that would send us CISOs the "You have 75 employees in your organization using our platform, but you're not an enterprise customer. Talk to us and let us know." And I've always been like, look, if you actually think that I care, which I actually did. And I'm like, look, if one of my customers wants to use Dropbox for us to share with, fine. An employee's gonna set up a Dropbox account to share there. That's not the end of the world. But if you think I would care, what I don't care is the list of 75 is what you're trying to tell me. What you want to sell to me is like your enterprise tool where I can manage the 75. So send me the list. Like, send me the list and say, hey, here's what I've found. I've already got it. I'm giving it to you as good faith and I can sell you value on top of it. Because the answer is, outside very small niches, discovery is not something that CISOs want to pay for long term. That's a one-time activity. So if what you have is, I discovered some things, give the things you have discovered. Turn this from shady to, now I'm doing good work. I found these things. I'm going to tell you about these things. By the way, I have a related tool so you can manage, because that's what you're probably selling. So this is shady. What is actually shadier is anything that involves going over my head. The number of vendors I've had who have reached out to another C-level executive to try to get a call doing something like this. Your CISO is ignoring this. That's honestly even worse, because even if you're right, I do not want to do business with you.
David Spark
No, that's. And hopefully you have a good enough relationship with your CEO. They know that that's shady sales.
Andy Ellis
Oh, yeah, they just forward it to you. They just say, hey, this is a vendor. And you just reply and say, yeah, it's one of the scummy sales tactics. And they never follow up to say, what were the 23?
David Spark
All right, Becca, do you get these kind of weaselly sales techniques? And have you seen worse than this?
Becca Harness
Yeah, I get them all the time. That is kind of the worst of the worst, is I've got this thing and demanding payment upfront. So one, I think it's important to have a responsible disclosure program. So when we get things like that, depending on the source, if it looks quasi-legitimate, I'll respond back and just say, hey, here's a link to our responsible disclosure program. We really appreciate your partnership and cooperation. I don't mention payment or anything like that. They want to submit it, great. If they don't, they don't. I will say, like, one thing I had at a prior organization is I think it was just a lot of misapplied youthful enthusiasm, young pen testers trying to make a name for themselves. They don't think about, like, I should ask for permission, I should try and work with you. They just go do a bunch of stuff and they're trying to get you to say that, oh, you found this thing, and you know, they want to make a headline. They want to be in an article or something like that. Kind of to Andy's point, the big issue that I see all the time is just vendors being over-aggressive on sales, or they created a problem, you know, basically allowing all these free signups with corporate accounts and then, oh, you know, now we want you to buy an enterprise license for it. Just don't engage with that. And I do want to reinforce, like, again, if you've got good trust amongst your executive team, because vendors will absolutely climb up that ladder, but they'll also go downstream, too. You know, they'll reach out to your security engineers, your security analysts, and say, oh, I found these things. And then they get them all spun up and distracted from what they're supposed to be working on. So a lot of challenges in that space, I think.
Andy Ellis
Yeah, I've actually, I have two shadier ones that I've thought of, David. So I've got to share these. So one was a researcher who wanted to collaborate with us and worked with somebody on my team, like, hey, I want to do some data analytics. You have access to some cool data. So our person went through legal and got the, like, oh, we'll share this with an academic researcher. Academic researcher did the analytics and then sent us a bill. There was no contract. Like, they just sent us a bill for analytics. We thought we were doing nice, like, oh, we'll let you have access to cool data to do research. And another one. And a company I can't name, because they have been a sponsor of ours in the past, said, oh, here's what we're telling our customers about you. You should pay us money for us to stop saying that, and things. And I said, well, I will just go tell all of my customers not to do business with you.
David Spark
That is pretty bad. Well, I'll find out off mic what the heck sponsor that was. By the way, everyone has, all good companies have rogue employees. It does happen.
Andy Ellis
Yep, it does happen.
David Spark
With that, we're going to close this show to our listeners who are not rogue listeners or employees. I know that those people wouldn't be listening to this show, the ones that are rogue. Thank you very much for listening to this very episode. Let me thank our sponsor for today's episode. That was Strike 48. They unify your logs and agentic AI. Remember, you can go check them out at strike48.com. When you go, let them know that you heard about them from the CISO Series. All right, Becca, any last words you'd like to say on today's episode or about your company or anything?
Becca Harness
Always a delight being here. So thank you very much for having me. And secondly, I'd just like to say this is a delightful industry to be in. I fell backwards into it back in, like, 2010, 2012. And I really hope that anybody listening to this, if you're a young person, maybe early career, these types of stories are the things you'll think about, you know, for your whole career and can really help develop your career. So I highly advise paying attention to the voices that come before you.
David Spark
So, and would you support an outreach from someone debating whether they're going to get into cyber, and you'll give them a convincing argument?
Becca Harness
Yeah, absolutely.
David Spark
So reach out. Yeah, we'll have a link to her LinkedIn profile on the post for this very episode. Andy, thank you as always. Becca, thank you as well. And audience, we greatly appreciate your contributions, and for listening to the CISO Series podcast.
Host
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
Podcast: CISO Series Podcast
Episode Title: They're Less "Best Practices" and More "Sounds Good on LinkedIn"
Date: March 17, 2026
Hosts: David Spark, Andy Ellis
Guest: Becca Harness, CISO at Deltec
Main Theme: Real-world insights and debates on the evolving role of the CISO, the realities of AI adoption, navigating risky controls vs. best practices, and the perils of questionable security vendor outreach.
This episode explores how so-called "best practices" in security often sound good on LinkedIn but become complicated in practice. The hosts and guest dive into the challenges of implementing AI, shifting the CISO’s responsibilities, experimenting with controls, and recognizing vendor marketing tactics that cross the line into scammery. Through candid discussion and humor, they highlight the difference between what looks good on paper and what genuinely improves security in today’s dynamic environments.
This summary distills the episode’s candid insights and memorable debates, providing listeners and non-listeners with a full sense of both the complex topics discussed and the personalities shaping the conversation.