
All links and images can be found on This week’s episode is hosted by , producer of CISO Series and , CISO, . Joining them is , global CISO and CIO, . In this episode: We can't promise safe, but we can promise ready Are we accidentally...
David Spark
What I love about cybersecurity go well.
Pavi Ramamurthy
I love playing chess. But when you play chess in cybersecurity, it's like the pieces are on fire, the board is upside down and the business is yelling, move faster.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series podcast. My name is David Spark, producer of the CISO Series, and joining me is my co-host. If you've listened to the show at all, you know he's been co-host since day one. It's Mike Johnson, CISO over at Rivian. Mike, say hello to the audience.
Mike Johnson
Hello, audience. It is great to be with you again.
David Spark
He loves being with you, as do I. I do, by the way. I just want to echo, and I was saying this to Andy, another co-host who also does this show: we get lots of compliments, and I know I've brought this up with you before. Just want to say I'm not shy about them. I still enjoy them. And I also enjoy giving them out too. I like to give them out as well for people who do very, very well. Do you give out compliments to your team, Mike? Oh, absolutely.
Mike Johnson
I think it is very critical to give someone a, hey, great job and let others know.
David Spark
Let others see.
Mike Johnson
Absolutely. Celebrate the wins. Yeah, celebrate the wins. As Pavi mentioned, this is a difficult job that we have and anything that can make people feel like their work is recognized and is having impact, they love to hear it.
David Spark
Our sponsor for today's episode is Adaptive Security, OpenAI's investment for AI cyber threats. Yes, next-generation security awareness training. It's built for AI email phishing, vishing, smishing and deepfakes. More about just that a little bit later in the show. Now, Mike, I went to a business meetup yesterday and I ran into somebody who I met at the same business meetup a few months ago, and he was pitching his business to me, but in the sense of, well, he was kind of speaking in his own language of his tool, not sort of speaking to someone who didn't know anything about it. And like, what would someone who's never heard this before understand? And when I saw him again, he was talking about it again. And I will just say I'm going to give him a thumbs up for improving his pitch. Still not good. But it definitely went from. He had his own lingo for it. Well, what you want to do is you want to create a widget. He had some word for it, a widget. And then if you have a widget, then it can do this, this and this, and then I'm like, what the. And why would I. And who. What. There was a lot of, like, back it up. Like, what the heck are we talking about? But I refer to this problem, and I've seen it called the curse of knowledge, where someone is so severely in their own head, they can't be there for the person who's starting at ground zero. I'm sure you've seen this before. Yes.
Mike Johnson
It's one of the things that we talk about a lot in security, that you need to meet people where they are, not where you are. And I think another way to think about it is on Reddit, there's a whole subreddit for "Explain Like I'm Five."
David Spark
Right, Right.
Mike Johnson
And that's essentially what that's meaning is. I. I want to understand. I'm giving you the opportunity to explain it to me. I've got no idea what the heck you're talking about.
David Spark
And by the way, I have to admit, I've made this mistake before. In fact, I made this comment yesterday at this meetup. I send out, you know, for our sponsors, we send out a sponsorship package, and repeatedly, people had the same exact questions time and time again. Stupid me had to get 50 swift kicks in the butt for me to realize, oh, if I'm hearing the same questions again and again and again, maybe I should listen and change something. Which I finally did. But it did take about 50 swift kicks in the butt for me to.
Mike Johnson
Realize that, yes, sometimes we do get very caught up in our way of thinking of things, and we need maybe 50 reminders to say, yeah, my hope.
David Spark
Is next time it won't take 50. I'll do it a little quicker if.
Mike Johnson
You get to 40. Like, that's incremental improvement.
David Spark
That's improvement.
Mike Johnson
Yes, that's improvement.
David Spark
All right. I'm thrilled we're going to have our guest on, somebody you know very well, somebody who I met also when we did a live show in the Bay Area. It is the global CISO and CIO. By the way, I don't know if you know this, Mike. If you get the title CISO and CIO, they pay you double. I believe that's the case.
Mike Johnson
Pretty sure that's how that works.
David Spark
She's shaking her head that I'm completely wrong.
Mike Johnson
Does that also mean you work 80 hours a week, too?
David Spark
She's very much shaking her head on that one. Global CISO and CIO over at Blackhawk Network, none other than Pavi Ramamurthy. Pavi, thank you so much for joining us.
Pavi Ramamurthy
It's an absolute honor to be here. And no, I don't get paid double.
David Spark
I would love to, by the end of this episode, convince your boss to do just that. Yes, that is the goal of this episode.
What's the future for a CISO?
"Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security," said Eckhard Meller, CISO over at GIZ, and he recently highlighted this quote from a mathematician, John Allen Paulos. Now, yet most CISOs communicate risk with things like heat maps, scoring models and diagrams in an effort to show how in control and locked down they have everything. But Meller argues that security leaders need to shift from trying to be quants to strategic interpreters. When you get the dreaded "Are we safe?" question from the board, they're not asking for a number, but rather confidence and strategic framing. I mean, that's kind of the job: make it clear you know what you're doing. So the ability to speak confidently about ambiguity is now a core leadership competency. I want to know if you believe that to be true, Mike. So how do you start this process to frame uncertainty without sounding indecisive? Is this ultimately about building trust with the rest of the business?
Mike Johnson
One of our jobs is to help the business navigate ambiguity. We live in a world where we don't have a whole lot of absolutes. We have a few, but we don't have a whole lot of absolutes. But we do have ranges. And I disagree somewhat with Eckhart on the idea of getting rid of heat maps. I'm not saying, hey, heat maps are the best thing ever, but it at least helps frame the conversation.
David Spark
But heat maps have a range in them. That's kind of the point of the heat map.
Mike Johnson
Exactly. And that's why I disagree with him a bit where he seems to be saying, hey, we should get rid of heat maps. They're not perfect, but again, they help you frame a conversation. And that's what is critical in communicating with the business, to be able to confidently say, I can scope the problem and we can have a conversation about that. I do like the idea. I do think we can get to a quantitative model. It was kind of funny, right? When I was reading this particular post, I had just finished reading another one from someone who is strongly advocating for quantitative risk management.
David Spark
Yes. And by the way, there are many of our sponsors, vendors out there that do that. But do you think, I mean, I want to go back to this one line here. The ability to speak confidently about ambiguity is a core leadership competency. Do you agree with that?
Mike Johnson
Well, absolutely. And again, I think for any senior leader or even senior individual contributors, thriving in ambiguity is critical. And so, yes, absolutely. It's a leadership expectation because you have to be able to lead your team through it as well as working with the other stakeholders in the business.
David Spark
All right, I throw this to you, Pavi. What's your take on this? And do you agree that this sort of making people comfortable with ambiguity and not knowing the hard facts is kind of a core job of a CISO?
Pavi Ramamurthy
I'm still learning how to do this, David and Mike, to be very honest, because organizations are different, management teams are different, the culture is different, and the expectations are different. Asking "Are we safe?" is like asking, is a submarine 100% dry? Is a piñata safe at a toddler's party? It's unreasonable. But the ambiguity: you are confident in portraying your approach to addressing the ambiguity. Right. We don't want to say we are 100% safe. That's a lawsuit. That's a lie, that's a regret. That's waiting to happen. Here's a 50-slide deck with heat maps. Right. The attention span is gone. So if you have 15 minutes with your management team or the board, what do you want them to walk away with? It also depends on your definition of safe. We can't promise safe. At least as a CISO, I can't promise safe, but I can promise ready. Right.
David Spark
Ready is a good point. Like, if this were to happen, this would be the sequence. We'd manage it.
Pavi Ramamurthy
Correct. We are prepared. We've locked the doors, we've turned on the alarm, the guard dog is by the door, but we are still checking for critters in the attic. That's what I would say. It's turning that uncertainty into we are prepared. We continue to evolve, but we can never be 100% safe.
David Spark
Do you trust this LLM?
Quote: "Once you start mixing and matching tools yourself, there's nothing those vendors can do to protect you." End quote. Simon Willison recently warned about a "lethal trifecta" on his blog that sits at the heart of the Model Context Protocol. MCP is an open protocol that looks to standardize how applications provide context to LLMs. Sounds great, right? Well, but MCP opens the door to agents with three significant abilities: they can access private data, communicate to the outside world, and are exposed to untrusted content. Easy enough to understand the risk. But here is the rub. As teams rapidly adopt AI tools and connect them to existing systems, how do you even know when you're exposed to this trifecta of doom? So I'm going to start with you, Pavi. When developers are spinning up AI integrations faster than security teams can inventory them, how can you maintain visibility? And how do you sound warning alarms? I mean, like, my feeling is when this comes together, it's unclear when it will happen, and you just don't want it to happen. Or do you? I mean, or is it not a big deal? What do you think, Pavi?
Pavi Ramamurthy
If we CISOs are thinking that we are not exposed, we are very wrong, okay? We already are. Developers love shiny toys. The quick test script that I as an engineer spun up over the weekend, guess what? That's now in production. And they are spinning up LLM integrations faster than we can say, can we get a review done. There is no magic AI firewall yet. And the truth of the matter is, if the MCP connects to an LLM, it can also probably connect to your HR database. It can connect to your GitHub, it can connect to your IoT device. Right? But we don't want to say that this is an existential risk to our ecosystem, but what I can say with awareness and training is, oh, by the way, we may have accidentally built a chatbot, right, that can read our payroll, that can send emails and tweet as your intern, right? That's an HR incident. That's DLP. If you combine secrets, untrusted input, outbound access, you're building something with baggage which you don't want, right? So AI tools with no guardrails, and this is something that we see, so we talk about it all the time, that we can probably say the same thing in our sleep. AI tools with no guardrails are very convincing chaos engines. Right? And our job is to not govern every single one. Our job is to find the ones detrimental to the company if it leaks. So are we accidentally building a security nightmare? Is the question that I would ask.
David Spark
Ah. And make the developers aware of that. Are you building a security nightmare? Yeah, that's a good point. All right, Mike, I throw this to you. How do you know if your developers are building a security nightmare?
Mike Johnson
So we're still figuring this out, right? We're very early on the journey of understanding how we secured an environment that we can still enable the speed at which companies want to move when it comes to AI. I keep saying that we did this with cloud. We had the same problem then. It took us a long time to catch up. And actually, cloud adoption moved slower than LLM.
Pavi Ramamurthy
Exactly.
Mike Johnson
So we have some model there, but we actually didn't do such a great job with it.
David Spark
Right, and you had way more time on that too.
Mike Johnson
Yes.
David Spark
And also it's more than just time. The change rate in AI is mind blowing.
Mike Johnson
I'll give you an example. So. So, audience, we're recording this in July and this is airing when. David?
David Spark
September.
Mike Johnson
September. Is MCP still around in September? Yes, that is how quickly things are moving and that really makes this very difficult to deal with. So we do have to have a concept of governance. We do have to educate folks on what they should be mindful of. And I do think we have some amount of ability to look at our data stores and understand what is accessing the data stores, how frequently are they doing it, what are they pulling down, what are the accesses and the privileges. In some respects this is an identity problem. I'm oversimplifying. But if we're able to understand what these agents, what these LLMs are accessing, that actually does give us a head start on how we can implement some amount of controls to keep that really bad day from happening.
Pavi Ramamurthy
But Mike, that's accessing the data stores, which 100% agreed with you. But what would you say for approved AI tools where developers, engineers, the broader employee population are uploading sensitive files that we can't quite govern because it's happening so fast and also has regulatory implications? Right. When you have PII, PCI data that is inadvertently uploaded to these approved engines.
Mike Johnson
That's where we do have. We actually do have some control there. We just have to decide if we want to leverage it with endpoint controls.
Pavi Ramamurthy
Correct.
Mike Johnson
DLP is a great example. Detect that they're trying to upload that sensitive file to an LLM full stop and just block it.
Pavi Ramamurthy
Exactly.
Mike Johnson
Again, oversimplifying, but I do think it's the inputs and the outputs is where we have the opportunities for controls. And so that's where we need to look and see what we can do.
David Spark
Before I go any further, I do want to tell you about our spectacular sponsor. And that would be Adaptive Security, OpenAI's first cybersecurity investment. Yeah, you heard that right. That means a lot. So let me point out what we all know right now. AI-powered social engineering threats like deepfake voice calls and GenAI phishing attacks are evolving fast. Adaptive helps security leaders get ahead with an AI-native platform that simulates realistic GenAI attacks and delivers expert-vetted security awareness training. It does it all in one unified solution. And now with Adaptive's AI content creator, security teams can instantly transform breaking threat intel or updated policy docs into interactive, multilingual training. No instructional design needed. That means faster compliance, better engagement, and less risk. Adaptive is trusted by the Fortune 500 and backed by Andreessen Horowitz and the OpenAI Startup Fund. Adaptive is helping security teams prepare for the next generation of cyber threats. You need to learn more. You need to go check them out. Go to adaptivesecurity.com. It is spelled just the way it sounds. A-D-A-P-T-I-V-E security.com, adaptivesecurity.com, go check them out. And when you do, take a look at them, and if you want to learn more, let them know that the CISO Series sent you there. That's how you found out about them.
It's time to play What's Worse.
All right, I'm going to be honest, Mike and Pavi, I had a completely different What's Worse planned.
Pavi Ramamurthy
Oh, okay.
David Spark
But given the discussion in the first segment, I've pulled an audible and I've swapped in a completely different one, because it refers to a discussion we had in the first segment.
Mike Johnson
I thought you were going to say that you'd had AI write a what's worse for us.
David Spark
I've had that happen. I've let that happen before. I do want you to know that I've let that happen. But this was not written by AI. Although. Although I can kind of tell sometimes when our submitters have it, have them do that. But this one definitely is. And in fact I edited it with the person who submitted, someone who submitted many, and that's Jay Dance of StubHub. And here you go. It's very quick. Here it is. And by the way, Pavi, I make Mike answer first and then you will agree or disagree.
Pavi Ramamurthy
Yes.
David Spark
Who is it worst to hear the following from? The following being, "I want perfect security." End quote. Is it worse to hear it from your CIO, your CEO, or your CFO? Now, by the way, I think I know who it's the best to hear it from, but I want to know who you think it's the worst to hear it from.
Mike Johnson
It's funny the way that you said it. The first thing I thought was like your child. I thought that was going to be one of the answers.
David Spark
CIO, CEO, CFO.
Mike Johnson
The screaming fit. So CIO, CEO, CFO.
David Spark
Yeah. Which one is that? Is it worse to hear that line from because of the cascading crap that will result from that? And by the way, you can't negotiate with them. Now, you go, you don't want perfect security. No, this is just what they feel. But I want it.
Mike Johnson
Yeah, I know the rules, which is you can't negotiate with the problem here.
David Spark
Essentially, you can't calm them down. You can't bring them down from the ledge. They're on the ledge. They're staying on the ledge. They may jump.
Mike Johnson
Yeah. So in the CEO case, they have the opportunity to help you make that happen. So ultimately, if they need to change a business priority, or if they need to change. Move money around, if they need to change staffing, like a CEO can do all of that.
David Spark
Well, couldn't a CFO do that, too? Or.
Mike Johnson
No, to a slightly lesser extent. So the CFO, they can move money around, they can move people, they can help you move people and budgets around, but they can't change the company's priorities. The CIO can influence the priorities of their org, move things around a little bit within their org, but they have a much smaller scope of what is under control that they can change to help you meet that "I want perfect security." So I think of these three, and this is definitely a case of, I've talked myself into an answer as I've worked through it. I do think it's the CIO because they have the least amount of these three folks' ability to influence and make the change that you would need in order to deliver on what they're asking.
David Spark
All right, very good. Now we go to Pavi. Now, just want to point out yet again, Pavi is both a CISO and a CIO.
Pavi Ramamurthy
No, I was going to say that. That my CIO will never disagree with me.
David Spark
Right, exactly. But maybe you have a split personality and you can actually have an argument with yourself. That would be fascinating.
Pavi Ramamurthy
Please, I have enough problems in my life as it is.
David Spark
Please come back on the show and do that for us. That would. All right, Pavi, agree or disagree?
Pavi Ramamurthy
So, Mike, what did you say? You said it'll be worse here.
David Spark
The CIO is the worst to hear that worse.
Pavi Ramamurthy
Okay. Yeah. So that's not applicable to me. For me, coming from the CFO would be worse, because if it came from the CEO, then I can use that as leverage to get the funding approved from the CFO. Whereas when the CFO says it, then I need to justify, get the business justification, which I anyway have to do. But it's a harder sell to the CEO than it is to the CFO.
David Spark
But the net result is you're going to lose no matter what, because no one's going to have perfect security, and it's eventually going to result that you're not going to have it, and they'll think that you failed. Right.
Pavi Ramamurthy
So that was a trick question.
David Spark
Exactly. It's a Kobayashi Maru situation. You're going to lose no matter what.
Mike Johnson
They're all trick questions. Exactly. And it's like all of these. It's not great to hear that from any of them. No, by any stretch.
David Spark
The point is, which one is worst? Hence the game.
Mike Johnson
Yes.
David Spark
You think it's the CFO, because I thought the CFO would be good because of the ability to move some money. But as you pointed out, only to a limited extent.
Pavi Ramamurthy
It's a buy-in that you automatically get when the CEO says, I want perfect security, and then you use it to say, great, let me try as best as I can with the following investments and support. And then the CEO is going to say, CFO, can you make that happen?
David Spark
My other feeling about the CIO saying it is, shouldn't the CIO know better than to ask a stupid question like that?
Mike Johnson
Again, we're playing within the realm of the model here.
David Spark
No, I understand, but that's really showing the ignorance of the CIO in such a situation.
Mike Johnson
It's entirely possible that they're passing down what they heard from the CEO and.
David Spark
Right. Oh, so essentially the idea the CIO has to be the bearer of bad news.
Mike Johnson
That's certainly a possibility. Can't rule that out.
David Spark
Good point there.
Pavi Ramamurthy
That's a good point. Yeah.
David Spark
Why are CISOs leaving the profession?
What makes CISOs walk away from the role? We talk about specific CISO frustrations all the time, like a lack of alignment with the business or regulatory changes. But Rinky Sethi, who's now CSO at Upwind Security, nails the underlying reason: being held accountable for things you had no say in. I know many of our listeners have felt the brunt of exactly that. She's seen incredible CISOs leave not because they were incapable, but because the environment was fundamentally broken. No budget, no trust, no alignment, and no real chance of success. Is this situation getting better? And is there a way for someone coming into a CISO role to spot these issues before they accept a role? Or does everything look good and then there's a shift?
Pavi Ramamurthy
Pavi, this is a little bit of a tough one, right? I can answer the first part of the question. Is the situation getting better? I guess it depends on your organization's leadership team, right?
David Spark
Every organization treats the security department differently. And by the way, this is something you should look to during the interview process.
Pavi Ramamurthy
Exactly.
David Spark
But I mean, things could look great when you were interviewing and then things shift when you're there.
Pavi Ramamurthy
I mean, it can happen and things shift. So what makes a CISO leave? I would say burnout. Constantly trying to get to a level of maturity which is beyond reach to assure your management and your board. Right. You're never going to be good enough because the attack surface is constantly evolving. So you're always playing catch-up. So I personally think that CISOs are in a can't-win-this-battle business. Right. CISOs also really don't know until they have been in the job for at least a couple of years. You need at least a couple of years. You can't really make a judgment call on, hey, it's been six months, I don't think this is working. Although there are some signals, right, where you know that the program is crappy and you get no budget. Those are warning signals that you probably didn't see when you were interviewing. But you quickly see the ecosystem and then you say, okay, I'm not going to be successful. I'm not going to make the company successful. This is a great reason for me to walk away. So no budget, no trust, no alignment, and no chance of success. And all of this you should be able to glean within the first year. And you also owe it to them to try and change the culture. Right? So it's really on you. If you really did this the right way, you would be asking these questions during the interview process. Why did the last CISO leave? What kind of budget would I get? What is important to you? How many hats am I wearing? Right.
David Spark
All good questions.
Pavi Ramamurthy
Do I have the freedom to make any changes? And then you'll have to be the cynic behind those, you know, interpreting those responses and trying to read between the lines saying, if I have the freedom to make all these changes, then am I going to be blink? It's a situation where I think CSOs or I can tell you that I have become very cynical. There is no guarantee that all of the right resources that are being given to you will still make you a successful leader. It is adapting to the culture. The first question that you ask on quantitative or heat maps, sending the right message to the management team, doing a great risk assessment. All of this takes the first year for the CISO to determine whether they are going to be successful in that role. And if not, I think walking out earlier is better both for the CISO and for the company. So they bring in the right candidate to carry on the job.
David Spark
All right, I throw this to you, Mike. You've seen CISOs come and go, and also I know you're part of many Slack groups where you express concern, and I'm sure these issues have come up. Are there trends you've seen, either through your colleagues or yourself? We don't need to name names or anything like that, but just interested to know the trends.
Mike Johnson
One of the trends I was actually talking with someone about recently is we are seeing more and more earlier-stage companies bring in CISOs. Quite often it is a one-person show. They need someone to come in and build a program and they're giving them the title CISO and they have expectations. What's interesting about those environments is they've never had a CISO before, they've never had a security leader, so they don't know what to expect. And there's positives and negatives to that.
David Spark
By the way, we've discovered this on this show, especially our first few years. Remember, there's a lot of people we interviewed that were the first CISO at that company they were at.
Mike Johnson
And I think from there you can shape the opinion of how the company thinks about security, about CISOs, or maybe not. And again, to Pavi's point, you may not find out very quickly, but again, the trend that we're seeing is it's not just big companies or even medium-sized companies that are hiring CISOs these days. And that makes it a little bit more difficult to understand what the trends are. A lot of those companies that are hiring CISOs actually shouldn't; they just don't know any different. And years ago I had talked with several companies and said, you don't need a CISO. Go and hire a good security engineering leader, have them work closely with the rest of the engineering team and come back in a couple years. And some of them did, some of them didn't. And some of the CISOs they hired didn't hang out very long because they were struggling to implement the change or implement the improvements that they thought were necessary. So all this is a long way of saying our field is still very undefined, our profession as CISOs even more so. This will continue to be ambiguous for quite some time. And the best advice that I would give to folks is put yourself first, take care of yourself. If you're in an environment that is overstressing you, go do something else. And that's the single most important piece of advice.
Pavi Ramamurthy
So you need to stalk all these CISOs who left and then see their LinkedIn profiles to see what they are doing and if they're doing something completely different than what their security profession is, you know the reason. Yes, I'm a beekeeper now.
David Spark
How would you handle this situation?
"There are too many things, too many solutions, too many complexities, too many standards and too many vendors," said Mike Prevett of Return on Security in a recent TechTarget piece. And honestly, he's not wrong. With over 3,200 security vendors, I think that's what's mentioned here. But I should mention, from another research firm that I highly respect, they estimate between 4,500 to 5,500 security vendors crammed into around 75 product categories. Most look eerily similar. You've got the same support offerings, same third-party certifications, same claims about being, quote, "the best." I've heard that a lot, or "the first." This is compounded when most organizations lack the in-house expertise to evaluate vendors. Everyone's got the same playbook: slick demos, impressive case studies, competitive pricing. But when you strip away all the standard evaluation criteria, what actually made you choose one vendor over another? And so I'm going to start with you, Mike, and just think about, and don't mention the vendors, but like, what were the triggers that made you choose a vendor? That's what I want to know. Was there a moment during the sales process when someone, quote, "just got it" or showed you how to solve your specific problem? You're like, I know I want this. I'm very interested to know that aha moment where you said, oh yeah, we're pulling the trigger.
Mike Johnson
I used to be a bit more, I guess, vibe-oriented when looking at solutions. It was, how does it feel? And since arriving at Rivian, we have a very specific way that we go about buying things across the board. And a key really is to set up standard evaluation criteria. You should be looking at all of the vendors the same way. Come up with your lists of must-haves and nice-to-haves, send that as a spreadsheet to everyone that you want to talk to and get those answers back. And that actually goes a long way. You can very quickly eyeball, hey, they're able to do what I want them to, they're able to do what I need them to. And then you actually start looking at cost. What does it cost to purchase a thing, but also what is the total cost of ownership? It might be very cheap, but you've got a whole lot of engineering effort that you've got to do to maintain it. It might be very expensive and it's very easy to drop in, but cost is part of it. But then you start moving into the things that are difficult to measure. Do they seem like they are a good partner? I value innovation. Is this a company that is really coming up with novel ways to solve problems? I look for that, and then the one that I think is most important is, do they have a solid set of reference customers? Can I go and talk to some of their existing customers, learn from them, learn their experiences, and from there.
David Spark
You.
Mike Johnson
Can get a better feel for some of those things that are difficult to measure.
David Spark
All right, Pavi, same question for you. Interested to know, and you can think of specific cases or generally, are you vibe-oriented like what Mike said, or do you have a more regimented structure?
Pavi Ramamurthy
I am more of a referral-oriented structure. So Mike was talking about, you were asking Mike about the CISO channel that I'm also part of. And so for me it's extremely simple. Hey, I'm thinking of evaluating this vendor for this problem. Has anyone tried it? What are your thoughts? Same thing, like Mike said, these are like customer referrals. Right. And it's a close, safe space. So we openly talk about issues with these vendors, by the way.
David Spark
But if you were to mention, and do you sometimes leave that question open when you're asking this question among your community of CISOs on the Slack channel, do you ever say, I'm looking at this one vendor to solve this problem. Has anyone worked with them, or possibly somebody else that can solve this? Do you ever kind of keep it open, like I'm open to looking at others?
Pavi Ramamurthy
Yeah, I feel very comfortable asking any question in the CISO channel, which has been an incredible source of knowledge for me. But having said that, how many of us are evaluating newer solutions today? We already have solutions in place.
David Spark
So this is. Let me pause you for a second. This is something that Alan Alford, who used to be the co host of Defense in Depth, brought up multiple times and it bears repeating again. If you don't actively look at new solutions and what you're describing is the way a lot of CISOs discover new solutions, what you get is an echo chamber. And it's very difficult for new solutions to enter. You need someone to physically go out, discover them and bring that information back. And if you're not doing it, you're just hoping others do. And that's not a good strategy.
Pavi Ramamurthy
I mean, it's exhausting to replace an existing solution with a new solution. Unless your differentiator is 10x, there is absolutely no reason to. It's everything from the data migration to retraining, to recalibrating your metrics. I wouldn't even go there.
David Spark
So it takes a lot to rip and replace.
Pavi Ramamurthy
Yeah. It's almost like mission impossible. I was going to say mission reasonable, but no, it takes a lot, and you need to have a solid reason for doing that. There's always bubble costs involved because you can't just rip something out and replace it. You need to have them both work parallel for at least a period of six months. And not all CISOs have the budget to be able to do that. And they need to really ask the question, do I really need the five extra features, or am I better off asking my current vendor to implement those in an upcoming roadmap?
David Spark
Good point. Two things came up here. One is they're referring to it as being a safe space. We are hearing that a lot, because a lot of CISOs, the reason they don't click that schedule a demo button is because they don't want to be trapped in the sales and marketing funnel. I mean, we've heard this multiple times that they actively avoid it, which is why we strongly recommend that everyone have a video demo on their site. But some say that's kind of their secret sauce and they don't like to expose it so much. That's another issue altogether. But this whole concept of the safe space. And let me throw this out. Have you seen any vendors really, really good at showing how good their migration is, so that rip and replace could be less painful? Mike, you're smiling.
Mike Johnson
The reason why I'm smiling is I literally had a conversation today with a founder who was talking about how important that was.
David Spark
The ease of migration.
Mike Johnson
Yes. That was something that he was designing in from the beginning because he knew that was the only way that he could break in.
David Spark
Did he get 50 swift kicks in the ass before?
Mike Johnson
You know, he's a prior founder to what he's doing now, so it's entirely possible that he got a whole bunch of swift kicks when he started his previous company.
David Spark
My feeling is that's what happened. No one comes to that conclusion on day one. No one does.
Pavi Ramamurthy
The vendors are getting smarter, though, because some vendors, at least, don't just come with their pitch decks. They have done their homework, understood your problem statement, and actually come with very specific data on how they can make it better for you.
David Spark
Yeah, that's great to hear.
Pavi Ramamurthy
I appreciate those vendors. Rather than saying, let me show you my product, they say, let me solve your problem.
Mike Johnson
I think vendors should recognize that there are essentially three meta competitors that they have. They have the do nothing. That's competition. They have build it yourself, or open source, whatever you call it. And then they have other vendors. And they really need to make sure that they're addressing all of those.
David Spark
That's a good point. Those are three levels of competition.
Mike Johnson
Yes. Because I've seen some of those similar pitch decks to what you're talking about, Pavi, which they just go all in on, like, here's how we're better than all these others. And I'm sitting here thinking, I don't need this. This is not a problem that I have. So you're actually competing against not doing it at all. And sometimes they don't remember that.
David Spark
That is excellent. We're going to close on that. I'm hoping vendors heard this great advice. You don't need 50 kicks in the butt to make this work. Thank you very much. Pavi, I'm going to let you have the last word, but first I want to thank our sponsor, Adaptive Security, OpenAI's investment for AI cyber threats. They're the ones giving you next generation security awareness training built for AI email phishing, vishing, smishing and deepfakes. Go check them out at Adaptivesecurity.com. And when you check them out and you learn more about them, let them know that you learned about them listening to the CISO Series. All right, Mike, any last thoughts from you?
Mike Johnson
So, Pavi, thank you for joining us.
Pavi Ramamurthy
Thank you.
Mike Johnson
We've known each other for a while now, so it was great to sit down and have this conversation with you and let folks learn from you and your experience. I did want to return to something you said specifically at the beginning, which was can't promise safe, but can promise ready. I really think that's something that folks should strive toward. That was a really good tip. So, folks, think about that. Can't promise safe, but can promise ready. That's an excellent goal.
David Spark
And essentially build your security team to deliver ready.
Pavi Ramamurthy
Yes, exactly. Exactly. Thank you. Thank you so much, both of you for having me on this show. Mike. Yes. We've known each other for a while now. I actually put in my Rivian order only because of you. I'm waiting for that.
David Spark
And by the way, if you have a problem with it, call Mike directly. He will do tech support for you also.
Mike Johnson
True. Yes, yes.
David Spark
In fact, all our listeners who have a Rivian, call Mike directly. Yes, please.
Pavi Ramamurthy
This is a thankless job. This is a hard job, but I wouldn't do this if not for the community, for the security community. And I genuinely mean it, because they've been there to not just offer guidance about vendors or best practices, but they've been there when CISOs get burnt out. And they are a safe haven for me. So I really appreciate that.
David Spark
Excellent. And let me ask you one last question, Pavi. Are you hiring over at Blackhawk Network?
Pavi Ramamurthy
I am hiring. I will always hire good talent, so please hit me up.
David Spark
By the way, will it help if they say, I heard you on the CISO Series podcast?
Pavi Ramamurthy
They have to have heard every single minute of it because I will ask them a question.
David Spark
Oh, yeah. Well, you know what? We do have transcriptions, and they could look things up.
Pavi Ramamurthy
Okay.
David Spark
AI? Well, actually, we hired him. I'm sure they're using AI, but one of the advantages of our transcriptions is we spell people's names correctly, which is something AI does not do, because for everybody we quote on this show, we actually deliver the names so they know the spelling of everybody's name. So you can actually find if you've been quoted on our show, because we will spell your name correctly. All right, thank you very much, Pavi. Thank you very much, Mike. And thank you to our audience. We greatly appreciate your contributions, and for listening to the CISO Series Podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series podcast.
Hosts: David Spark, Mike Johnson, and Andy Ellis
Guest: Pavi Ramamurthy, Global CISO & CIO, Blackhawk Network
Date: September 30, 2025
This episode dives into the perennial challenges CISOs face when selecting security vendors in an overcrowded and confusing marketplace. The hosts and guest explore how to navigate vendor selection, communicate ambiguity in cybersecurity risk to boards and executives, handle the rapid rise of AI-driven threats, and recognize why so many CISOs are leaving the profession. The discussion is candid and practical, focusing on real-world experience, decision-making frameworks, and the criticality of trusted peer networks.
Key themes: Resilience and Readiness; Community as Essential Infrastructure; Vendor Selection Realities; Final Call to Action.
This episode offers candid, actionable insight for CISOs and aspiring security leaders facing today's complex vendor ecosystem and organizational challenges. The frank talk between peers provides both tactical advice and empathetic support for those holding the line in enterprise cybersecurity.