David Spark
Who should be listening to the CISO Series podcast? Go.
Ryan Bachmann
Anybody who's aspiring for a career in cybersecurity. Anybody who's trying to understand more about the challenges and topics that CISOs are facing. It's a dynamic field. So therefore I could see anybody from members of boards of directors to other C Suite members, all the way to people that are venturing into this field or the technology field and want to learn more.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series Podcast. My name is David Spark. I'm the producer of the CISO series and joining me, as we like to call them, friend of the show, Eddie Contreras, the CISO over at Frost Bank. Eddie, say hello to the audience.
Eddie Contreras
Hello, audience.
David Spark
So Eddie was supposed to join me at a live show. The whole live event got canceled. Not just us, but the whole show got canceled. And obviously our guests were brought on as well. And they said, well, we can't be at the live show, but let's do a virtual show. What do you say? So thank you, Eddie, for joining us. We're available at audience@cisoseries.com. You can check out this show and all of our other shows. We have five shows on our network. We drop 11 episodes every week. Now, it is quite extensive what we have on the CISO Series. Our sponsor for today's episode is Doppel. Defend what's real. Disrupt what's not. Doppel. We'll talk more about exactly that a little bit later in the show. All right, Eddie, I want to bring up something, and this is going to be kind of a little bit of a PSA to our fellow cybersecurity professionals. You are very savvy in cybersecurity. Our guest is very savvy, who I'll introduce in a moment, and the people listening. But I'm sure you have family and friends who are not, Eddie. Yes, absolutely. Yes. All right. So sadly, someone very close to me got swindled out of a lot of money. And it was one of these things where I was like, if I just. And I thought to myself, if I just sent an email out to everyone saying, hey, here's a heads up on some of these latest scams that are going on. This could have been prevented had I just sent that. And I was like, I should do this. And so I wrote up an email listing off common scams, how they're done, and then kind of a list of ways to protect. And I didn't do one of these things like, oh, here's an article, go check it out kind of a thing, because nobody does. But I just sent it to the immediate family and immediate friends, including in-laws and things like that. And I'm hoping this will stop this kind of thing happening again. Have you done something like this before? And my advice is to everyone, please do this for your own family and immediate friends.
Eddie Contreras
You know, David, I could be optimistic here and say, absolutely, I've done that. I'm a realist. And what I'm finding out now is that the more that I interact with my kids, trying to give them advice, the less they listen. I can send them a text message, a video, an email, memes, you name it. And I'm the last message that my kids actually will look at. So sometimes I'll send messages through others and my intent is that might work. They're going to finally read the message, they're going to look and see, and they're going to come to me and tell me, did you know? And then I will just say, really? Where did you get that from?
David Spark
Thank you for enlightening me.
Eddie Contreras
But yeah, I've thought about that. But, yeah, I think the reality is dads are the last messages you want to hear from.
David Spark
First of all, okay, your dad and your kids, but I'm talking about extended relatives that YouTube, like, I'm sure you have the people who could fall for these kinds of things in your family.
Eddie Contreras
Yes, I do. And I think it's very similar across the board. It's like, okay, so my.
David Spark
So the thing was. But the thing was after it happened, I'm like, ah, I bet you I could have stopped this if I had just sent an email like this. Anyways, so this is my big PSA for everyone listening. Please write up an email like this and just send it to all your extended family and any very close friends. It pained me what happened, and it's been pretty rough. And so I think this would be a good way to sort of help prevent it. If we can just do our part and just send it out once in a while when you see a new kind of scam coming up or a reminder. But again, an email from you personally. Again, not to your kids. I totally get that, Eddie, but. But to the extended family. Trust me, my kids, I don't think they would even read something like that. All right, let's bring on our guest who we were all supposed to do something live in person. Again, another friend of the show. Two friends of the show on one show. Pretty darn exciting. He is the EVP and global CISO over at GM Financial, Ryan Bachmann. Ryan, thank you so much for joining us.
Ryan Bachmann
Thanks for having me, David. Glad to be a friend of the show.
David Spark
Once again, we've got identity issues.
It seems like new vendors in the identity space have coalesced into three different categories. These boil down to visibility and hygiene, governance and posture, and identity threat detection and response. This is all according to Francis Odom of Software Analysis, Cybersecurity Research. Odom envisions consolidation across these categories and more, plus AI stepping in to do what AI does. Now, we just recorded an episode of Super Cyber Friday discussing the fragmentation of identity. I'll start with you, Eddie. Are users demanding consolidation in identity? Because it seems like there's a lot of tools you need to get this right.
Eddie Contreras
I think consolidation is a preference. Maybe a utopia? Simplification probably is the more obtainable goal here.
David Spark
That's a good way of putting it.
Eddie Contreras
Yeah. One of the things that I look at is.
David Spark
Let me just clarify. Vendors want consolidation. Users just want simplification.
Eddie Contreras
Exactly. Yeah. Vendors absolutely want to have market cap. Right. And they want to be able to say, we've sold you our entire SKU of offerings here. And so the reality is simplification should be the goal. But you know what I often tell people is things are just not as easy as a term or a phrase. And I'll tell you what I mean by that. If every CISO just said all we have to do is adopt NIST and MITRE and we're going to be secure, well, then that would be an easy role to have and it'd be an easy goal to obtain. Apply the business now. Okay, every business is different. Well, what do you mean you can't have 15 character passwords because you have a mainframe? What do you mean that you can't apply an EDR agent to an AIX operating system? There's so many variables there. So the goal really should be about simplification and saying, okay, let me see how I can simplify the process to make the most sense for what my business needs, as opposed to that single pane of glass or unification or just all out, let's get one vendor to run everything. The goal really is about simplification.
David Spark
So it's interesting you mentioned that about simplification, because I remember talking to some other CISOs who worked at companies where they didn't have like a huge engineering staff. And they actually live in the world of looking toward consolidated environments because their attitude is, I can't train my staff on 20 different tools, and to them, that's a huge variable in simplification. Ryan, what's your take on this? Is there a great demand for consolidation, or is it really a great demand for simplification?
Ryan Bachmann
I think the easy answer is both. But on the consolidation side, I agree with Eddie quite a bit. Each vendor wants to capture a bigger part of that market share. Right. So you'll see that with Microsoft, for example, they'll come to the table and say, now you can get rid of all these other tools because we have a tool that can do it for you. On the user side, you certainly want simplification. But I think what this really underscores is a bigger issue, which is there's no one single solution or solution set that's going to take care of the challenges that CISOs and their teams and organizations face. That's number one. And number two, I think that it also underscores that there's a reason that these companies are emerging with capabilities in these little niche spaces. It's because they realize there's opportunity where other companies aren't doing it very well. So I think the problem is complex enough that it creates opportunity for new companies to come out and say, hey, here's a problem we know nobody has been able to solve yet, so here's our best volley trying to solve it.
David Spark
I want to double down on something you said there, and I want to know the reality of a phrase where you said, well, Microsoft will come to us and they'll say, hey, we got the complete solution for this and you can get rid of all these other solutions. Let's just say that someone did come to the table and said, we've got this thing that can get rid of these five, six products. Say you were fully on board with whatever the heck Vendor XYZ said. How easy and possible would it be to just eliminate 5, 6 products from your environment like that? Is that even possible like that?
Ryan Bachmann
I mean, that's one of the main things that we look into. Right. So we look at risk reduction, we look at overall costs, and we look at ease of implementation or integration.
David Spark
Sure.
Ryan Bachmann
And so if you look at some of these companies that have been out there in acquisition mode, and I don't want to pick on anyone in particular, but you've got Google that's just acquired Wiz, you've got Palo Alto that's regularly acquiring other companies. I mean, CrowdStrike acquiring other companies. But the challenge comes in integration. The challenge comes with being able to integrate that entire technology stack even when it's under one umbrella like one of those large tech companies.
David Spark
All true. But could you all of a sudden dump five, six products like that? Like how tough a lift would that be?
Ryan Bachmann
Yeah, no, you'd have to make sure that it obviously operates and works the way that you want it to, and that's going to go beyond the confines of a POV or a POC. And then once it's proven out, then you could potentially walk away from it. Right, but that takes time.
David Spark
Eddie, how realistic is that claim? Like in your environment, like again, you agree 100%. I think it is an amazing product. I think it can do all this. But in my environment, can I get rid of these five, six products?
Eddie Contreras
It's complex. Right? And I think Ryan said it absolutely perfectly. There's good aspirations here to be able to do something like that. And I think the challenge is realizing, once you're in the product itself, what was the original intent of your business case? Can you actually solve for those business cases with the unification tool? And I don't know in Microsoft. Like I said, I love the example of Microsoft because I think that's something that everybody's accustomed to. If you were to have the money in your budget and you were to buy the E5 license, so much comes with that E5 license. It opens up the possibility of what you just said, David: all of that is now to be discussed. You have to evaluate it. But then you realize the cost of a SIEM, the Microsoft version of it versus maybe your on-prem Splunk, varies quite a bit depending on how you're using it. So yes, the opportunity's there, but the reality is you do have to do it like a case by case analysis as to what's up for evaluation and retirement. And does it really make sense to do that?
David Spark
I'm going to throw one quick question. I just want a quick answer because you realize from the vendor's viewpoint we simply bought these five, six identity products, so it should be able to replace use. Wouldn't it be better if they asked the question what would it take for us to shut down these six products in your environment? Am I right on that?
Eddie Contreras
Yeah, absolutely right. But it's rarely something that's discussed at the beginning. And maybe it's what can I shut down versus what are the use cases that you simply do not want anymore that we can help address?
Ryan Bachmann
I agree with what Eddie said. The reality is a lot of times in security we're racing to the next problem. We're racing to the next thing that we've got to address. And sometimes we're guilty of not reflecting on the solutions that we've put in place in the past and whether or not they're still providing the value that they should. So a lot of times I think CISOs have to stop and reflect on the technologies they have in place, see if they're still as effective as they were when you first put them in place, see if they're still delivering on that value proposition, and then also see if there's other technologies that have been brought into the fold that could potentially do some of those things for you. I know a lot of people felt that way around user behavioral analytics. They felt like they could get other competency out of other solution sets versus a true UBA player. So a lot of them have walked away from that UBA stack or UBA space because they can get value from the other tools and technologies they have, and that allows them to divest and put those resources someplace else.
David Spark
Would this person be a good fit for the job?
Part of the conversation about entry level jobs in cybersecurity has been the claim that the whole role has been poisoned by online influencers. Now there are the people telling you online that you can get a few certs and start working for six figures. But as Ira Winkler, CISO over at CYE, pointed out on LinkedIn, entry level doesn't mean no experience required. He names real entry level cybersecurity roles involving programming, networking, help desk, project management and compliance. Ira maintained that he doesn't know a senior cybersecurity practitioner that began their career in cybersecurity. Agree? And if so, and I'm going to start with you, Ryan, on this, where are the real entry level fields before you start in cyber? What do you think?
Ryan Bachmann
Well, I think it's somewhat self evident that the cybersecurity field probably hasn't been around as long as some other fields in technology. So it's sort of a foregone conclusion that if you started in cybersecurity maybe with a cybersecurity degree or something along those lines, which have only been around in and of themselves for 10 years or so, maybe 15 at most, it stands to reason you might not have reached senior cybersecurity leadership positions just yet. But I'm of the belief that there's not necessarily one particular discipline that leads to good cybersecurity introductory level positions. I think that obviously there's the computer science background or things like that, but really I've seen people springboard very effectively from help desk and other areas in IT support.
David Spark
Help desk, by the way, we keep hearing again and again, it's like one of the best places to start.
Ryan Bachmann
Yes, sure. I mean, it's troubleshooting, right? I mean, at the end of the day, if somebody starts from help desk and then maybe ends up in a SOC or a CSIRT type position, really what they're doing is they're troubleshooting alerts, chasing down alerts to find out what's going on in the environment. Not unlike they would do that from a troubleshooting or problem solving perspective. So I think there's a whole lot of different avenues into cyber. I mean, we've taken people from other areas of traditional IT, we've taken people from engineering backgrounds, you name it. It's really, I feel that a lot of people who are successful coming into introductory roles within cyber are typically people who've done a fair amount of self study and then can augment that with some level of prior experience. I mean, we've had tremendous success hiring people in from what I would call big box retail stores that self studied and became very interested in cyber, and they were very successful.
David Spark
All right, I'll ask the same question to you, Eddie. Where do you think the real entry level fields are before you start in cyber? Yeah.
Eddie Contreras
And I think it may not be a popular answer, but I disagree.
David Spark
Let's hear it. By the way, you're not the first person to disagree with Ira Winkler. Go ahead, Ira.
Eddie Contreras
I like the concept, but I think it's a dated concept and I think Ryan really said it perfectly. Which is context, right? Context matters. Right. Before the industry was here, you had to come from somewhere. And so of course the statement makes sense in context. You entered the field because before this field was there, you were in another field. But there are entry level positions. We hire them. That's what intern programs are for. We have an amazing graduate program where we hire people that are in their undergraduate or their graduate program and we're the first job they've ever had. And if you're studying the information in college, you can absolutely get a role in the industry at an entry level. So think of application security. You're learning how to code, you're learning how to scan, you're looking for quality assurance and quality checking. Those are things that you can be taught conceptually and you can apply it within a junior role so long as you have peer reviews, so long as you have somebody overlooking and giving you guidance. So I can look across all the departments in my area and we have interns that have come through each one of them and are being successful, and it's their first job ever. So yeah, I think Ryan said it accurately: that view of you came from somewhere was applicable. But you can absolutely start in an entry level position.
Ryan Bachmann
You know, just one more thing, David. We've actually, to Eddie's point, with college internships, we've actually had success with high school internships in certain cases. So younger, 16, 17, 18 year olds, juniors, seniors in high school that intern for us and then we see go on to college, then come back and intern for us during college and then come on board after they graduate. So that's actually been something that we've had a lot of success with.
David Spark
Before I go on any further, I do want to tell you about our actually spectacular brand new sponsor, and that is Doppel. So Doppel is the first social engineering defense platform purpose built to dismantle impersonation threats before they cause harm. And I was talking about the importance of educating your family about this. Well, this is a sort of critical issue as well. I was talking to my family about this very issue, about the fact that the AI's ability to impersonate voice and video is incredible now. Now, while legacy tools focus on detection and alerting, Doppel goes further, using AI and infrastructure correlation to link phishing emails, fake demands, deepfakes and impersonation campaigns across channels, from executive protection to brand impersonation takedowns. Doppel doesn't just flag threats, it disrupts them from the source. Every attack fuels their shared threat grid, giving every customer the benefit of collective intelligence. The result: faster disruption, stronger resilience and fewer opportunities for adversaries to profit. Doppel makes digital deception unprofitable, protecting your people, your reputation and your revenue in a world where social engineering is now the biggest threat to enterprise security. For more, go check out their site. It's doppledopel.com.
It's time to play What's Worse.
All right. It is time to play What's Worse. You've both been on the show, you know how this game is played. But since you are playing the part of our guest co-host, Mr. Eddie Contreras, I would like you to answer this first. All right, so I'm going to set you up. This comes from Oscar Morales from Callion IT and Cyber Solutions. And the setup is it's a nation state cyber attack versus a disinformation campaign. Here are the two scenarios. Remember, you're picking the one that is the worst of the two. So scenario number one, you're working for an organization who does business with a country who is being attacked by a nation state actor, thus making you a victim caught in the crossfire. And because of it, your systems and environment are being targeted and disrupted. Pretty awful. Would you agree with that, Eddie?
Eddie Contreras
I would completely agree with that. Sounds bad.
David Spark
Okay, this next one also stinks. Or you're dealing with false information and narratives being circulated and communicated about your company. So this is specifically targeted to you and it is impacting your stock price and losing user confidence in your business. Now I can't tell you the variance of how bad or worse each of those scenarios is, but in general, being associated with someone who's getting attacked by nation state actors, so it's affecting you, or a direct disinformation campaign that's really affecting the financials and your customer confidence. Which of these two is worse?
Eddie Contreras
So, David, I'm going to channel my inner Andy and I'm going to do a thesis on each one for 25 minutes before I get to my conclusion. I will not do that. And hopefully Andy understands the details just there. So I think the latter is worse, and here's why. Disinformation, whether coming from a credible source or it's coming from a nation state or whether it's coming from a, what are they, script kiddies? If you don't know, you don't know what to believe. And that's really challenging. At least with the nation state there's tactics that you can understand, who your adversary is. There is kind of a profile. You're probably going to get a lot of information, so at least you know what you're up against. When it comes to disinformation, you have to kind of discount certain things or you have to essentially account for everything. And that is so disruptive. And the fact that, you know, there's pressure, your stock price is being impacted, your executive team is kind of looking at you and you have to assume all is correct or assume all is incorrect could be a really challenging scenario there. So I do think that's worse.
David Spark
So the second one puts you more in an imbalance, would I say, like you're so out of balance, out of whack and you don't know where to go next. All right. By the way, I have an argument against it. I'll throw it at you, but I want to hear from Ryan first. Which one's worse of these two? Do you agree or disagree with Eddie?
Ryan Bachmann
I agree. Disinformation. Disinformation has no symmetrical response. In other words.
David Spark
Yes, good.
Ryan Bachmann
There's really no playbook there. You're going to have to bring to bear all kinds of different resources within your company to try to battle it.
David Spark
Well, you bring crisis management teams in, don't you?
Ryan Bachmann
Yeah, yeah, no, for sure. But it's very much a cross disciplinary approach. Whereas as a CISO, I kind of know how to handle more symmetrical cyber attacks and things like that. There's better information sharing about the adversaries and better ways to potentially foil those tactics. Plus you're not necessarily dealing with it out in the public sphere as much.
David Spark
All right, now here's my argument against it, saying it's not as bad. People have short memories. I've seen many a disinformation campaign or just many bad news campaigns go away over time. Would you rather wait it out rather than having the associated nation state attack? I'm going for that because I have the theory that with most of this stuff, people have short memories and it moves on. So the dip in stock price could be just temporary. What do you think?
Eddie Contreras
Yeah, I mean, I think that's the reality, right. If you look at Target when they got breached, their stock recovered, and we get that.
David Spark
And I think, by the way, not just Target. In fact, the Verizon Data Breach Investigations Report showed this just happens time and time again.
Eddie Contreras
It does. And I think the assumption here is you can outlive that. Right. As a CISO. Right. So yes, the company will recover, but will the CISO get through that process?
David Spark
So this is more self preservation at this point.
Eddie Contreras
There's time to live and you have to have some type of longevity. But even with that complexity there, you know, I think that's less of a concern just because you're right, most companies, especially larger companies, are going to be able to survive the attack. But disinformation just, I mean, if you think about that within a security program, can you trust your own logs? Can you trust the information coming to you where you're supposed to focus your investigation on? And so if they're providing disinformation to the public about your company, you should assume there's disinformation already within your environment. And so, you know, where does it end? You're kind of like in that Inception movie where, you know, how deep do you go? I'd love to hear Ryan on this.
David Spark
All right. Okay, Ryan. So my take is that this disinformation will go away over time.
Ryan Bachmann
Yeah, there's others that might disagree. I mean, I think there's companies that have struggled with massive PR related issues due to some of the decisions they've made and somebody out in the media sphere not liking it and then running with it, and then they just become a constant sort of recycled topic in the headlines, and it does a lot of damage to the company. So again, I'm still going to go with disinformation being a much more difficult one.
David Spark
All right. Regardless, I think it was a good topic.
Eddie Contreras
Yeah, you've got to do a poll on that one next time.
David Spark
All right, before we leave this, we do want to hear from the audience. Tell us which is worse: being essentially associated with someone getting attacked by a nation state, or a disinformation campaign against you. Which one's worse? We want to hear from you. Let us know.
How is the CISO role evolving?
It's never an easy time to be a CISO. Would you agree, gentlemen? Yes, absolutely. You never go, wow, today was a breeze. Has that ever happened? No.
Eddie Contreras
There's a lot of wine back here for those days.
David Spark
Yeah, it's never an easy time to be a CISO, but the last few years have been a doozy. There are increasing regulatory requirements being heaped on the role at the same time as we're seeing an ever expanding roster of threat actors and attack surfaces. Rather than splitting the role up between two functions, the role could evolve into something like an architect of business resilience. This is what was suggested by Randolph Barr in a Dark Reading piece. He likens this to an enterprise architect that sits between IT and senior management while overseeing technical architecture and roadmaps. The CISO role has always been about managing risk. But could reframing it around building business resilience help make the job more manageable? I'll start with you, Ryan. It's like this idea of you're just focusing on that and then you have other team members to deal with the other aspects of your business. What do you think if the job changed into that?
Ryan Bachmann
Well, I think it already has a little bit.
David Spark
Yeah. I mean, I do envision it like that. But the idea is you could push a lot of stuff off and you just focus on that. Like the whole security program is not under your auspices. I guess that would be the idea.
Ryan Bachmann
Yeah, no, I don't think that's the right answer. I think what it honestly comes down to is there's an operations and engineering side to cyber that I think makes sense, just from a conflict of interest perspective and a lot of other reasons, to be under the CISO's domain and continue to be. But I think what we're talking about is growth. It doesn't have to be broken into pieces and spread out. I think what you're talking about is the ascension of a role and the more critical importance of a role. And I think this question around operational sustainability and enterprise resilience is at the forefront of everything because it's not just about protecting data, it's about protecting the enterprise. So it's natural that we're having those types of discussions and that we're being pulled in those directions. But I don't think that calls for a, I guess, bifurcating of a typical CISO organization and breaking it off into pieces. I'm not sure that really makes a whole lot of sense.
David Spark
Let me ask you, Eddie, whether it makes sense or not, do you think this could be pulled off? Say some greenfield organization saying, we're not going to have a CISO, we're going to have an architect of business resilience and the other functions are going to be handled by other people. Could that be done? Would that be seen as a giant mistake?
Eddie Contreras
I think it could be done. It's an intriguing concept. And Gartner tried this, I think, about two years ago, where they tried to introduce the next level of CISO, which was going to be the Chief Resilience Officer.
David Spark
Yes.
Eddie Contreras
Where their role would be exactly what you said, the continuity of business. And believe it or not, I actually know Randy Barr. He and I are actually childhood friends. Really. So the fact that we both ended up in this industry is amazing. But I get what he's getting at. Right. It's really about understanding what is a priority. Is it availability, continued revenue generation, or is it security and ensuring that the company can withstand whatever it needs to withstand? So, you know, I'm agreeing with Ryan here that, you know, it's probably not the best practice to do something like that. I'm assuming there will be companies that try this. What I really like about the financial sector is we go by regulatory guidance and expectations. There was an update to our regulatory guidance a few years ago where it says the CISO cannot report into operations because of the conflict of interest that it poses there. Right. So there is actually a mandate now that says there has to be a separation between information security, and the executive or the leader over information security, versus those making decisions around availability and revenue, and I think that's a good thing. So I know in the financial sector it'll be a little more complex and maybe not as easy and straightforward, but I'm sure companies will try it and we'll see what the results are. But it'd be interesting to see how that turns out.
David Spark
Managing security changes for business optimization.
We just talked about the security role being complicated, but a lot of that comes down from the reality that cybersecurity is extremely complicated. Is there any way to simplify things? We talked about this at the very beginning of the show. So maybe we can turn to Occam's razor, the idea that, quote, entities should not be multiplied beyond necessity, as suggested by J.J. Davey of Planet Now. A sound principle, but where can that be effective in cybersecurity? And where are the areas that we can't simplify no matter how hard we apply Occam's razor? So really it's just a simple question of what can be simplified in cyber, Eddie, and what just can't. It's going to always be that complicated. What do you think?
Eddie Contreras
I'd love to give you a use case, and I'll tell you the use case here in a second. But when you look at the cost of a control, the cost of the control cannot outweigh the risk that you're trying to protect against. And so when you're talking about simplification and you're saying, I'm about to spend a million dollars on this control, but the problem you're solving is only a hundred thousand dollar problem, well then is it really worth the investment to simplify that control? I love what NIST did around the password and around what authentication requirements are still needed for the password. If every company is trying to eliminate the password eventually and NIST is now saying, well, now it's a variation of letters, numbers from 8 to 15, it's no longer mandating the longer control. You can actually simplify that control with the delivery of invisible controls or transparent controls. So you can essentially minimize the impact on the users by simplifying the control. But it has to be cost effective to do that. So if you're bringing in some very costly controls to be able to just get rid of passwords, is it really worth it at the end of the day? But I do think, you know, you have to understand the cost, you have to understand the user impact before you actually apply the simplification process.
David Spark
Ryan, before you jump in, Andy Ellis, who's one of the co-hosts of this show, one of the things he does when he comes into a new role, and what he suggests to others, is ask the staff, what is the one thing we're doing here that's insane, that we're still doing in that way? Which to me seems like a really great way to begin the simplification process. My feeling is that knowledge of simplification sits in the minds of your entire staff.
Ryan Bachmann
Yes, the knowledge of simplification, absolutely. They're the ones who are closest to having to do the actual work every single day. So they're going to live the pain that we later hear about. And so trusting them and giving them the opportunity to say, these are opportunities where we could make things a lot more efficient, improve processes, improve technologies, whatever it may be. Andy's not wrong. That should be one of the first places you start. One thing I want to say really quick, though, is, David, you're sitting here asking CISOs in our profession, what can we do to simplify our profession? Well, look at a CFO and think about all the things that a CFO has to deal with relative to tax, relative to financial reporting, all the different countries they work in, all these different aspects of a CFO's role. I think that certain things are just going to maintain complexity and are going to have to have that level of leadership and have that level of priority within a company. And I think security is very similar. It is complex, and it's going to be driven by your regulatory components that Eddie was speaking to. It's going to be driven by your operating footprint, of where you operate, by your technology footprint, by what your company wants to do. And as long as companies are wanting to do different things to differentiate their products and services, security is going to be, I think, a challenging and increasingly complex thing to have to be able to apply to those companies.
David Spark
So if I'm getting this right, you're blaming the business on having aspirations. Yes.
Ryan Bachmann
No. What I'm doing is I am aligning to the business and what their aspirations are and trying to figure out how to help them succeed and operate and be protected. So.
David Spark
Right. But, but, but that makes a really, really good point. Look, if your business is just providing one product.
Ryan Bachmann
Exactly.
David Spark
Very simply, security is going to be pretty easy.
Ryan Bachmann
Relatively.
David Spark
Sure. But once you start offering 100 products to lots of different customers, it starts to get a little complicated.
Ryan Bachmann
Sure. And I mean, every company looks for a way to differentiate itself against its competitors, to differentiate itself within its industry. And with that comes the complexity that follows. And with that comes the security to secure that complex web of systems and data and everything else. So I think we're not driving complexity into the business. We're responding to that complexity. And companies have to increasingly, in a more competitive environment, figure out ways to differentiate, figure out ways to create new revenue streams, and it's our job to come up with ways to protect it.
David Spark
Now, while you gave the glass half full response, I'll give the glass half empty response and saying we're blaming the business for making security complicated. But I support your response as long.
Ryan Bachmann
As it's clear that I didn't say that because I do value my job and my employment.
David Spark
Just giving you a hard time, right? No, but that's a really good answer to this. Eddie, what were you going to say?
Eddie Contreras
I would say there's a good use case here. If you think about a publicly traded company versus a non publicly traded company, there are times where user attestation you have to do because it's a regulatory requirement, SOX. In a non publicly traded company, you may not have to do it in the way that the SOX program does. Sometimes you have to inform the business this control is present to be compliant with our regulatory environment. And there's other times where you can say, you know what, I agree. Let me take that feedback. Just like Andy said, let me take the feedback. Let me understand. And because we're not publicly traded, maybe we can retire a control like that and use automation or technology to help ease the burden of management. But, you know, when you look at that, it's like, okay, there's reason and rationale why controls are present, and sometimes it is, maybe to Ryan's point, educating the business on why it's here. So that way there is not too much pushback when they're executing that control.
David Spark
Thank you very much, Eddie Contreras. Thank you very much, Ryan Bachmann, and thank you to our audience. We greatly appreciate you listening to the show. Hold it. Let me ask you, both of you, a quick question. We like to let our audience know. Eddie, Ryan, are you hiring at your respective companies?
Eddie Contreras
The answer is yes, Ryan.
Ryan Bachmann
Absolutely. Yes.
David Spark
And I'm assuming there are job boards on Frost Bank and GM Financial, correct?
Eddie Contreras
Yes. Please visit the website.
David Spark
Go. And can people contact you directly if they're interested once they find the job?
Eddie Contreras
Yes, absolutely. If they come and say we, we heard about this on David's show on.
David Spark
The CISO series podcast, that will give you a gold star.
Ryan Bachmann
Yes, absolutely. Puts you right at the top of the applicant pool, as far as I'm.
David Spark
Concerned, David, this is what we love to hear. Awesome. That's great. Awesome. All right, well, thank you very much. Go check them out. GM Financial and also Frost Bank. Work with two great security leaders. Man, anyone would be thrilled to work with both of you guys. We love having you on the show. Friends of the show, both of them. I want to thank our sponsor. That's Doppel. Remember, defend what's real, disrupt what's not. Go check out what they're doing over at doppel.com, d-o-p-p-e-l dot com. Any other last plugs you gentlemen would like to make about what we talked about? Anything for your company, security, working with you guys, let me know. Eddie, Ryan, happy to be here.
Eddie Contreras
I'm glad I'm a friend of the show.
Ryan Bachmann
And yeah, absolutely.
Eddie Contreras
If you're looking for a job in Texas, you know, look on our website.
David Spark
Yes. Ryan, any last words?
Ryan Bachmann
gmfinancial.com/careers. We're hiring in cybersecurity at a number of different levels.
David Spark
That's awesome.
Ryan Bachmann
Love to have you come be a part of our team, learn about what we're doing.
David Spark
And you both hire entry level. I love hearing that, because this is the major aggravation, that nobody's hiring entry level. That's great. Great that you're doing that. Awesome. Thank you very much. Thank you, everybody. We greatly appreciate your contributions. And for listening to the CISO Series Podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.
CISO Series Podcast: "We Can Either Build Resilience or Just Always Be Perfect"
Release Date: June 24, 2025
Hosts: David Spark, Mike Johnson, Andy Ellis
Guests: Eddie Contreras (CISO at Frost Bank), Ryan Bachmann (EVP and Global CISO at GM Financial)
Sponsor: Doppel
The episode opens with David Spark introducing the CISO Series Podcast and its purpose: to engage security practitioners and vendors in discussions aimed at enhancing collective security measures. Eddie Contreras, the CISO at Frost Bank, joins virtually due to a canceled live event. David emphasizes the breadth of the CISO Series network, mentioning five shows and eleven weekly episodes available at audience@cisoseries.com.
Notable Quote:
"Anybody who's aspiring for a career in cybersecurity... to people that are venturing into this field or the technology field and want to learn more." — Ryan Bachmann [00:04]
David shares a personal story about a family member falling victim to financial scams, emphasizing the importance of proactively educating loved ones. He urges listeners to send informative emails about the latest scams to their extended family and friends to prevent similar incidents.
Notable Quote:
"Please write up an email like this and just send it to all your extended family and any very close friends." — David Spark [02:52]
Eddie's Response: Eddie cynically notes the challenges of communicating effectively with younger family members, particularly his own children, who often disregard his messages.
"Sometimes I'll send messages through others and my intent is that might work." — Eddie Contreras [03:29]
The hosts delve into the fragmentation of the identity management space, referencing Francis Odom's categorization of identity tools into visibility and hygiene, governance and posture, and threat detection and response. They explore whether the cybersecurity community desires consolidation of these tools or favors simplification.
Notable Quotes:
"Vendors absolutely want to have market cap. Right. And they want to be able to say, we've sold you our entire skew of offerings here." — Eddie Contreras [06:05]
"There's no one single solution or solution set that's going to take care of the challenges that CISOs... face." — Ryan Bachmann [07:40]
The conversation shifts to the misconceptions surrounding entry-level positions in cybersecurity. Ira Winkler's LinkedIn perspective is discussed, emphasizing that entry-level roles typically require foundational experience in programming, networking, help desk support, project management, or compliance.
Notable Quotes:
"Entry level doesn't mean no experience required." — Ira Winkler (Referenced)
"We've taken people from other areas of traditional IT, we've taken people from engineering backgrounds." — Ryan Bachmann [14:38]
Eddie's Perspective: Contrary to Winkler's stance, Eddie argues that entry-level positions do exist for newcomers without prior experience, particularly through internship and graduate programs.
"We have an amazing graduate program where we hire people that are in their undergraduate or their graduate program and we're the first job they've ever had." — Eddie Contreras [15:50]
Ryan's Addition: He highlights the success of high school internships as a pipeline for future cybersecurity professionals.
"We've actually had success with high school internships in certain cases." — Ryan Bachmann [17:03]
In an engaging segment, the hosts and guests debate which scenario poses a greater threat:
Key Points:
Eddie's Stand: Prefers disinformation campaigns as they are more insidious, harder to track, and continuously disrupt trust and operational integrity.
"With disinformation, you have to essentially account for everything. ... it's going to be very disruptive." — Eddie Contreras [21:35]
Ryan's Agreement: Aligns with Eddie, emphasizing the lack of a playbook for disinformation and its multifaceted impact on various company facets.
"Disinformation has no symmetrical response. ... you have to bring to bear all kinds of different resources within your company to try to battle it." — Ryan Bachmann [21:50]
David's Counterpoint: Suggests that disinformation might be temporary as public attention shifts, potentially making nation state attacks more sustainable in the long term.
"Wouldn't it be better if they asked the question what would it take for us to shut down these six products in your environment?" — David Spark [24:14]
Eddie's Rebuttal: Argues that disinformation can deeply undermine internal trust and operational processes, making it a more persistent threat.
"If you think about that within a security program, can you trust your own logs? ... where does it end?" — Eddie Contreras [23:27]
Conclusion: Both Eddie Contreras and Ryan Bachmann agree that disinformation campaigns present a more complex and enduring challenge compared to direct nation state cyber attacks.
The discussion explores whether the CISO role should transition from traditional risk management to a broader focus on business resilience, aligning security with overall enterprise continuity and strategic objectives.
Key Points:
Randolph Barr's Proposition: Suggests redefining the CISO as an architect of business resilience, bridging IT and senior management.
Ryan's Perspective: Acknowledges the evolving complexity but argues against splitting the CISO role, emphasizing the need for holistic security leadership.
"Security is very similar. It is complex, and it's going to be driven by your regulatory components that Eddie was speaking to." — Ryan Bachmann [26:27]
Eddie's Insights: Notes regulatory mandates, particularly in the financial sector, that separate information security from operational leadership to mitigate conflicts of interest.
"There's an update to our regulatory guidance... there's a separation between information security and the executive." — Eddie Contreras [28:04]
Conclusion: While the CISO role is naturally expanding to encompass broader business resilience, the consensus is that maintaining security as a distinct, integrated function remains essential, especially under regulatory frameworks.
The hosts examine the applicability of Occam's Razor—preferring simpler solutions—to the inherently complex field of cybersecurity. They discuss areas where simplification is feasible and acknowledge aspects that must retain complexity.
Key Points:
Eddie's Example: Discusses cost-effective control implementations, such as NIST's authentication guidelines, which aim to simplify user requirements without compromising security.
"The cost of a control cannot outweigh the risk that you're trying to protect." — Eddie Contreras [30:16]
Ryan's Input: Advocates for leveraging team insights to identify inefficiencies and potential simplifications within security operations.
"Trusting them and giving them the opportunity to say, these are opportunities where we could make things a lot more efficient." — Ryan Bachmann [31:55]
Business Alignment: Emphasizes that business aspirations and diversification inherently add complexity to security measures, which must be managed rather than simplified away.
"Companies have to increasingly, in a more competitive environment, have to figure out ways to differentiate... And it's our job to come up with ways to protect it." — Ryan Bachmann [34:19]
Conclusion: While simplification is achievable in specific areas, the dynamic and multifaceted nature of cybersecurity demands a balance between streamlined processes and the necessary complexity to address diverse threats and business needs.
Wrapping up, Eddie Contreras and Ryan Bachmann announce that their respective organizations, Frost Bank and GM Financial, are actively hiring for various cybersecurity roles, including entry-level positions. They encourage listeners to visit their company websites and mention that referrals from the podcast can give applicants an advantage.
Notable Quotes:
"If they come and say we heard about this on David's show... That will give you a gold star." — Eddie Contreras [36:07]
"We're hiring in cybersecurity at a number of different levels." — Ryan Bachmann [37:04]
David thanks the guests and listeners, reiterates the availability of multiple shows on the CISO Series network, and promotes the sponsor, Doppel—a social engineering defense platform designed to disrupt impersonation threats.
Sponsor Highlight:
"Doppel is the first social engineering defense platform purpose built to dismantle impersonation threats before they cause harm... Doppel makes digital deception unprofitable, protecting your people, your reputation, and your revenue."
— David Spark [18:58]
Call to Action: Listeners are encouraged to subscribe to the podcast, participate via the website, and consider sponsorship opportunities.
Overall Insights: This episode of the CISO Series Podcast navigates through pivotal topics in cybersecurity, from the intricacies of identity management and career pathways to the evolving responsibilities of CISOs in building resilient enterprises. The engaging discussions underscore the balance between simplification and necessary complexity in security operations, while also addressing real-world challenges like disinformation and the importance of proactive education against cyber scams. The collaborative dialogue between industry leaders provides valuable perspectives for both seasoned professionals and those aspiring to enter the field.