Host/Announcer
Best advice for a CISO, go.
Russ Harris
First of all, don't be a CISO. It's a rough job, and you've got to have better options. There are many things that you could do that probably, as a ratio of risk versus reward, are definitely better areas for you to invest your time. But if you must, then you probably want to make sure that you focus on explicit gaps, not trends. I definitely think the issues that we've had over the CISO world are kind of breaking apart people into a hype cycle of tools and those of us that are fundamental. And so I would say try to focus on the fundamentals.
Host/Announcer
It's time to begin the CISO Series podcast.
David Spark
Welcome to the CISO Series Podcast. My name is David Spark. I'm the producer of the CISO Series. And joining me, it's the principal of Duha, none other than Andy Ellis. Andy, say hello to the audience.
Andy Ellis
(In Italian) Good afternoon. Or, depending on where in the world you are, good morning. Good evening or good night.
David Spark
A little Italian.
Andy Ellis
I've never done Italian, so I figured I'd give it a shot.
David Spark
For our Italian listeners or those who know Italian, tell us how well his pronunciation was.
Andy Ellis
No, I'm pretty sure I butchered that one, so let's not.
David Spark
By the way, any chance our audience can make fun of Andy, I want to hear it. Yes, very much so. Go for it, please. We are available at cisoseries.com. If you are not going there 2, 3, 12 times a day, I don't know what you're doing with your life. To tell you the honest truth, our sponsor for today's episode is Strike 48, the agentic log platform without blind spots. Ooh, that sounds interesting. Well, guess what? You're going to hear more about it a little bit later in the show. Andy, before we begin, I want to tell you about the wonderful world of trying to cancel services. Not the easiest thing in the world to do.
Andy Ellis
No, it's not.
David Spark
I'll tell you a funny story. So I wonderfully have fiber now at the home. It's fast, it's wonderful. I got a gig up and a gig down. It's spectacular. So I was canceling my cable, not nearly as fast. And I called, by the way, you can't cancel online. You must call.
Andy Ellis
Right?
David Spark
So I call the number, I get the woman on the phone, and I say, hi, I'm here to cancel my service. I know you have a playbook. I would like to cancel this as quickly as possible. She goes, okay. And her first question is, how many devices do you have connected to the Internet?
Andy Ellis
Right?
David Spark
And I said, I don't want to answer that question. I think I told you I want to cancel as quickly as possible. Okay, are you using this for work or for personal use?
Andy Ellis
Man, she had even the wrong playbook. That's the best part.
David Spark
And I said, Dina, I know you have a playbook. I go, please. And she goes, sir, I don't have a playbook. If you're going to be insulting to me, you just go to sir. And I go, I'm not being insulting. I just want to cancel this. She goes, okay. She goes, do you do a lot of gaming? I'm like, oh, my God.
Andy Ellis
So the answer is, when you have somebody who's running a playbook on you, you say, here's what I would like, or I can speak to your supervisor.
David Spark
Oh, that's a good line. There you go.
Andy Ellis
Right. So you basically say, I need out of the playbook. Either you can get me out of the playbook or I just want to talk to your supervisor. And sometimes the answer is supervisor has to do it anyway. So great, let's go there. But if not, it might get them to pay attention. Be like, okay, how do I get you off the phone without you going to my supervisor?
Russ Harris
Yeah, or can I press 0? I'm pressing 0 to get to the operator, please. Thank you.
David Spark
By the way, that is the voice of our guest who was laughing all the way through this, couldn't stop himself. But that is the CISO of the Principal Financial Group, Russ Harris. Russ, thank you so much for joining us.
Russ Harris
Thank you very much for having me. Always great to see you guys and.
Andy Ellis
I loved your cold open, Russ, that was fantastic. If you could see yourself doing anything but a CISO, please do it. Reminds me of advice my mother-in-law gives. She just recently retired as a professor and people would say, well, should I go get a PhD? And her answer was, if you can envision doing anything else with your life, then don't get a PhD.
David Spark
That's right.
Russ Harris
That's right. It's not for the faint of heart, is it?
Andy Ellis
Yes. It's for people who have no other choices.
Host/Announcer
Can this be measured?
David Spark
"The board is fatigued. Board members are increasingly questioning if that capital is distributed effectively. But the CISO responds with this highly technical set of metrics they neither care for nor understand," end quote. That was the dilemma laid out by Deb Radcliffe in a recent CSO Online piece. The situation is changing. Some security leaders are breaking through by translating cyber risk into financial exposure, with one cited in the piece showing a 40% reduction in total cyber loss exposure over six months. They're calculating potential financial losses against risk appetite and showing ROI on specific security investments. Simple to understand for the business. No cyber knowledge needed. So now Andy is laughing here because I know you may not fully agree with this, but let me throw this out there. Doesn't have to be financially motivated. I'm interested to know what metrics are the non-cybersecurity people in the C-suite, in the boardroom, most responsive to?
Andy Ellis
None of them.
David Spark
None.
Andy Ellis
No, no. I'm actually very, very serious. I think people have over-fixated on metrics that have never sat in a boardroom. But before I go there, let me just say that if you think you can quantify cyber risk and talk about loss exposure, et cetera, you are almost certainly wrong. I do recommend my recently published free ebook on this, How to CISO, Volume 2: Risk. Like, go read that. At least talk about risk. But the challenge is, is that first of all, nobody believes your numbers. But the second is there are very few metrics for measuring pieces of the business aside from total outcomes. Go look at everybody else's board report. The CRO is the only one that has a metric of themself that everybody believes, right? They walk in and they are like, here is how many deals we closed last quarter. Everybody believes that. Here's what we're gonna close next quarter. Nobody believes it. They look at it, they write the number down. Maybe if they're smart. I've been a director. The boards I was on, I was the only one who wrote down the CRO's projection and then checked them the next quarter to be like, oh, you didn't meet your projection? And they're like, well, we revised the projection. The CMO walks in and tries to talk about MQLs. Nobody believes in MQLs. Like, board members just sort of nod their head and they're like, wait, are you telling a story? The reality is you have to tell a good story. What are you actually doing in a believable way that lets the managers of the business, the other C-suite executives and the board members believe that you are deploying capital the right way and that it is better spent giving you budget than doing a stock buyback? Like, that is your comparison. Am I doing more for the business than buying stock back would do?
David Spark
All right, I'll throw this to you now. Do you agree on the theory that the metrics don't work anywhere, like Andy says, Russ?
Russ Harris
I wouldn't say they don't work anywhere. I would just say most places. The frame I would probably add, it definitely would be a yes. And to what Andy was describing is that when I see people describe metrics, the visuals that they represent often don't tie to a decision. And that's your first clue that something's wrong. If you're just giving them an integer value of something that doesn't tie to a business reality they could choose, that's not really useful context. That's just trivia. You know, you're just saying, here's the number of vulnerabilities. The number is 10,000. And then a board member might say, well, that's great. So is that good or is that bad? How do I buy that down? There are all kinds of questions that should come from that. So I agree with most everything that Andy was describing. You've got to be able to tell a story as it relates to those metrics. And then if you think about what is the metric value, that leads us into a better dialogue. And I agree. You got to get to the point where you're talking about, am I spending money in the right place? If you can do that, then whatever you used, if it was a metric, if it was a purple banana, whatever it took to get them to the point that you're dialoguing about the useful deployment of capital, you're in the right zone. If the only thing that you do is you say your number and then you look out across the audience and you just have blank stares looking at their phones, whatever, the distraction points are probably not useful.
David Spark
So no matter how attractive the number sounds, if there's no story to back it, it's meaningless.
Russ Harris
And I would say, what's the choice you're giving them? By showing them that number, are you helping lead them to a dialogue about whether they choose A or B? If you are, then I think you're on the right track with whatever you're doing. And if you aren't, then you probably need to step back a bit and say, what am I actually asking for oversight on? Or am I just trying to drown them in information? Or you're proud of the number and so you want to talk about it. Yeah, have your pride, that's great. But don't bog down a conversation of the limited time you have in front of the board to give them info they don't want, and check to make sure your metrics are not perverse.
Andy Ellis
There are metrics that you think are great. But the first time when you show it to somebody, the first thing you have to say is, well, it looks like a good chart, but it actually means the exact opposite. Never do that. If somebody glances at your chart, thinks it's a good story, but it's a bad story, you've already lost the storytelling war.
Russ Harris
Yeah. I think if you go back to what should we be doing instead of what we're currently doing, that's a better frame for you as the CISO to have a conversation with the board because you could say this is on the right trend, this is going in the right direction. I feel good about it. This is not going in the right direction. We need to modify.
Host/Announcer
How is AI going to solve this problem?
David Spark
Well, why does it take a full-time employee to tune a SaaS product? Frank Wang of Surge AI argues that cybersecurity has over-specialized into tool babysitting. We've devolved into experts in configuring specific vendor dashboards with not enough people who can do broader work like trace business logic and find root causes. He makes the case that AI will flip this dynamic. Let the AI be the expert in the specific product and let the human focus on intent. The vision is leaner. Teams trained to think broadly about architecture and attack paths, using specialists sparingly, like outside legal counsel for complex cases. This is an interesting take, but doesn't this risk trading one specialist for another? And if you are on board, how do you make this transition? I'm starting with you, Russ, on this. Do you believe this whole concept? Would you buy in? What's your thoughts?
Russ Harris
Yeah, maybe, partially. I would say so. I think he's onto something. Tool babysitting is definitely an issue. And so what I think he probably got right about that is that we have created a cottage industry of people who have tied their identity to being able to execute queries against a SIEM. You know, they know the query language inside and out or they know how to get into the console of an EDR tool. And what I would pull back on a little bit there, or maybe have a risk of oversimplifying, is that that person's experience, regardless of what the tool is they're executing, applies to other tools. So getting that person sort of out of the minutia of an individual tool, that's good. But I'd probably go back to, on your opener, we probably need more bilingual folks. Right? We need people that can speak multiple languages, the language of the tool and also the language of AI, so that you can add in the appropriate business context for the specific situation. And if what we're trying to do in the future is say we're just going to have generalists that don't know anything about the tool and I just ask AI to run everything that does the specifics, that's gross oversimplification. It is so much more complex. Especially when things go wrong. You're going to need some number of people that can go deep and jump in and solve problems and some number of people that are more business architecture focused that can give the additional context of the business.
David Spark
Andy, how heartily do you feel that AI could take over these specific tools cases, that we could leave that problem up to the AI world and us as the savvy security people not have to learn specific tools?
Andy Ellis
So I think there's two different questions in here. One is, there's an awful lot of SaaS tools that are just badly written and so you are buying from your vendors tools that are not complete and you're spending a lot of time configuring the tools. Sometimes the tools don't even have the capabilities you need. Like, there's the SaaS security control framework people are now talking about of, like, if you're a SaaS vendor, here's sort of minimum standards we expect that your interface should provide. And then yes, we obviously do have to set things up and that should be the realm of AI. Let's just be very clear. And when I say AI, I actually mean the vendor's AI. The vendor should have an AI, where we would call it the wizard in the old days, that would set this up for you. And then I think there's a separate question of ecosystems are now SaaS native. Like, if you are a company doing business today with more than two or three employees, like, you have an entire SaaS ecosystem that is more complex than the data center ecosystem your equivalent company had 30 years ago. And you don't know what's happening in there. I think that there's a team which is humans and AIs to understand what's in that ecosystem. So you can do good design and good security practice. Understand where your data is moving inside SaaS. Because we have to get away from the world of SaaS is a thing we have to configure to SaaS is our native ecosystem. That's where we operate. If we don't understand where all of our data is, what are we doing?
David Spark
Let me throw this out and throw a complete red herring here. One thing that I've heard from a lot of security leaders is I've stopped looking at point solutions because I don't have the bandwidth and my team does not have the bandwidth to learn 12, 20 different tools. I'm looking at platform plays. If this were to be true, that AI could configure and manage this and reduce the need for knowledge for each of these tools, could this all of a sudden swing the pendulum back to the point solutions, that they be bigger players again and have a fighting chance against the larger ones? Russ, what's your take? I mean this is a far reaching thought, but if this were to come true, maybe. What do you think?
Russ Harris
Well, I think there is a possibility in that zone. There's also another possibility, which is it makes it easier for companies of a certain size to be able to build smaller solutions than having to buy an entire platform play. So yes, it does make it easier for us to do some things. I think the struggle though is, look at the outages that we've had recently across all the providers, the interdependency and complexity of all these solutions. Yes, you could maybe at some point get AI to do that, but it takes somebody with such experience and skill set to be able to design a good flowing solution through that path. I just don't know that you can flick a switch and it's going to happen either overnight or.
David Spark
No, no. And we're not seeing AI happen overnight either. I mean, that's a good point. Andy, your final take on this.
Andy Ellis
So I think we always just see this iterative life cycle of point solution to platform to point solution to platform that just goes on and on and.
David Spark
Often it's because the point solutions end up on the platform because they get bought, right?
Andy Ellis
The point solutions either get brought into the platform or they become a new platform. Like think about SaaS as an example. The SaaS security world right now is entirely point solutions.
Russ Harris
That's right.
Andy Ellis
And at some point there will be a platformization and there will be a small handful of these that do a little bit of everything, and then there will be point solutions that will come in either to improve them and get bought by those platforms or to sit on top of them. Like, a great case in point here is look at the CDN world, because Russ sort of brought up, by allusion, a recent CDN outage. CDNs started as point solutions, have become platforms, and now what we're starting to see again, and we've seen waves of this in the past, is the multi-CDN approaches to say, hey, you have these platforms but you're so dependent on them, you need point solutions just to manage the platforms. So you see, like, companies like IO River that are now out dealing with that problem, and so will that become a new platform of its own, get incorporated in, who knows. But I don't think it's as simple as saying, well, I don't have enough time to do any point solutions, so nobody should innovate in point solutions.
David Spark
Before I go any further, let me tell you about our spectacular sponsor. And that would be Strike 48. Now you know everyone's talking about AI for security, even your C-suite. Geez. Copilots, assistants, chatbots, the list goes on. No need to list them all. Because you have to ask yourself, how much time is AI really saving? I mean, does it have access to the data it needs or just isolated silos? I mean, can you trust it to do real reliable security work? This is exactly where Strike 48 enters. The first agentic log intelligence platform that gives AI agents the visibility they need to take a load off your team. Now, it's no secret that AI is only as effective as the data it can access. We know this. I mean, if your SIEM costs force you to drop logs or put them in cold storage, then any existing AI you deploy is inevitably going to have blind spots. I mean, that's just going to be the case. No data, nothing to scan. Not anymore. Now you can maximize log visibility without maximizing costs. Plus the platform connects to your logs wherever they live, so you can keep the technology you already have. With Strike 48 you can deploy pre-built agent clusters or build your own agents and workflows covering phishing, threat intel, alert triage, SOC and more. Here's the best part. You can try Strike 48 for free at strike48.com security. You're going to have to go there if you want to try it for free. So give it a whirl. See how this works: strike48.com security and start deploying log intelligence agents today. Remember that, strike48.com security, go check it out.
Host/Announcer
It's time to play what's Worse.
David Spark
Russ, you know how this game is played? Yep. Two horrible scenarios. They both stink. But you have to decide which one is worse. I will make Andy answer first and you can agree or disagree with him. This comes from Oscar Morales from Klin IT and some cyber solutions. And here are your two scenarios. Just setting it up. It's a deepfake attack or zero-day exploit. Pretty much. Let me sum it up for you.
Andy Ellis
I'm just going to guess zero day is the one I'm going to pick as the worst. But let's go for it.
David Spark
My guess is you might go with that. But let's see. We'll see what happens.
Andy Ellis
Yeah.
David Spark
Bad actors have leveraged AI to launch a deepfake attack campaign using your company's likeness and brand or impersonating your executives to spread false information to the media. So it's a big PR disaster. And not only maybe money's moving. Who knows? Because major deepfake campaign, or having to defend against bad actors who have used AI to find and exploit zero days that are in your environment, which one is worse?
Andy Ellis
Okay, so first of all, I do want to criticize this one because we've talked about the vector and not actually talked about the consequences. Really hard to make a choice when I don't know how bad the outcome is.
David Spark
Well, no, but I don't know. I totally get it. I hear you. And I was looking at it for the same reason, but I was like, you know what? If you just know the vector and you don't know the consequences because those could attack. I don't know what's gonna happen.
Andy Ellis
Yeah. But then I get to pick what I think it is.
David Spark
What's the most common thing that happens from a deepfake? What's the most common thing that happens from a...
Andy Ellis
Yeah, but I've had zero days that ended up going nowhere because the adversary didn't know enough to move past the zero day.
David Spark
And the same thing with a deepfake could happen.
Andy Ellis
Right.
David Spark
These could both be nothing burgers.
Andy Ellis
These could. But then really, what's worse? Because worse is a scenario, not a vector.
David Spark
By the way, you attacked Oscar Morales, who, by the way, is a dedicated listener.
Andy Ellis
Thank you, Oscar, by the way, for submitting one.
David Spark
Dedicated listener.
Andy Ellis
But for the future, give us consequences.
David Spark
I like this kind where they don't tell you the outcome. You have to guess how bad the outcome could be. Because it could be a multitude of things.
Andy Ellis
Right. And the reason David likes it is after I answer, he will then change the scenario. Violating the rules about scenario changing.
David Spark
No scenario changes here. You have to presuppose what the attack could be.
Andy Ellis
So I'm going to stick with my first inclination, which is zero day. And here's why. The zero day is my fault. At the end of the day, I got a vulnerability in my systems. I'm accountable for those. I've had those before. If anybody wants to have fun, go, like, Google Fluffy Bunny. That was, what was that, like, 2000, a vulnerability I had to deal with where we near-missed. Like, somebody almost took control of Akamai's global network and did not. But it was like a very tight miss. We caught them. The fact that they didn't manage to take the second step was pure luck. It could have been a really, really bad day. We were part of Operation Aurora when, you know, the Chinese infiltrated all of our systems. Not all of our systems. They got our production, they got our back end. They got a bunch of data out. Like, really bad day. That's on me. Deepfake, not on me. Like, at the end of the day, this comes down to the same thing that I talk about when people say identity theft. BS. Identity theft is not the crime. The crime is whoever believed the identity. They were defrauded. My identity was never stolen. Same thing with deepfake. If a media entity believes a deepfake, that's not my fault. That's the media entity's fault. They're the one with a problem. I could turn this into a positive PR thing. Yes. Maybe I take a short-term stock hit. Short term, though. Maybe it's an opportunity for us to do one of our stock buybacks. Our CFO might see this as a good opportunity, but it is not my fault that somebody else fell for a deepfake. I might choose to turn it into a good customer service event.
David Spark
So you're looking at this as what protects me personally, like, me and my brand. Yeah, you and your brand. So the Andy Ellis brand. So you're looking out for number one, yourself, here.
Andy Ellis
No, my employer as well. No, no. Like, if my employer that has zero days, like, that is our fault. Like, there's no way we get to say, well, we should have known. We couldn't have done anything better. Yes, we could have. But if you deep fake us to the media, like, I get to go and say, hey, like, this was not us.
David Spark
Okay, but I'm gonna throw a twist on that.
Andy Ellis
No, you're changing the scenario. You're not allowed to do that.
David Spark
To the general consuming public. They can see that you are being fooled.
Andy Ellis
I'm not being fooled. You are.
David Spark
Hold on. That you're being fooled by the deepfake.
Andy Ellis
No, I'm not being fooled by the deepfake. That was not the scenario. The scenario was that others.
David Spark
No, no, no. But that's what the whole thing with the Deepfake is. Someone's gonna get fooled.
Andy Ellis
Right, but someone is not me. Like, if my company got deepfaked, I consider that in the zero day category of you deepfaked my executives who took some action. Yes, that's a different problem. If you pretended to be my executives and deepfaked a media entity who went and ran an article that was BS, like, first of all, I have a lawsuit. This will be fun, because I just got defamed by that media entity. Like, we can go do whatever we want to do. I'll let my lawyers decide how we're going to pursue it. But I would rather have that any day than zero days in my environment that got exploited.
David Spark
All right, Russ, this is a lot of back and forth, and you've been eager to jump in, so jump in.
Russ Harris
Okay, so first of all, this is like the Kobayashi Maru test. He's just looking for a way to try and make sure he's not going to be in the difficult challenge space. And I sync with that. I want to change the test myself. So that's what I would love to do. However, staying within the parameters, I would say yes, deepfake. It has a much quicker decay rate than a zero day might. So if I just did them on absolute terms, I don't know what the outcome might be from the zero day. They could continue to do other work than I thought initially when they came in. They could do persistence, they could do lateral movement, all kinds of things. Whereas on the deepfake side, there's probably going to be that initial flush of information. And then if I get my own campaign out, I've got a good PR team, I've got some folks that can help me drive this to a better conclusion or outcome, then the decay rate kicks in, and now it's not going to be as big a deal seven days from now. Totally. The reverse could be in the zero day situation.
David Spark
All right, so you got consensus here. You got consensus.
Andy Ellis
Yeah, but I do have, for any of our reporters who are listening, since we had media in this one: if you fell for a deepfake and you and your editors ran an article that was negative about a company based on PR outreach you believed you'd had, that included a video conference with an executive, and it turns out you had been fooled, what would you do?
David Spark
That is actually a very good question.
Russ Harris
Great question.
Andy Ellis
Yep. Because now it's on you. You're the one who fell for the deepfake. It's not my fault, it's yours.
Host/Announcer
Are we making the situation better or worse?
David Spark
"The real challenge is not designing better interfaces. It's designing organizations, policies and processes that can maintain care over time, even when they are under pressure." And this is what Ron Bronson of the University of Michigan said. Cybersecurity is a design discipline at heart. But Bronson argues that systems fail slowly and it's not designers who fix them, it's the people living inside of those systems. The caseworker bypassing broken eligibility software, the IT contractor fixing the same permission matrix every week. He argues AI has made this maintenance work even more visible. What happens is we automate without understanding and create more repair work, not less. And this echoes something that Anton Chuvakin of the Google Cloud podcast said. He pointed out that automation, quote, faithfully and beautifully executes the underlying brokenness of a process. Now, he warns against treating design as just the surface layer with better dashboards while the underlying logic remains broken, and calls for designing systems worthy of the care by the people maintaining them. So I will start with you, Russ. What are the design choices in your processes, not your interfaces, that have actually reduced friction and maintained care under pressure?
Russ Harris
Yeah, and this totally resonates with me. I think we've talked about before, I'm a recovering engineer, right. That's why I came up through the ranks. And that faithfully executing the underlying brokenness hits a little too close to home for me because I'm sure I've done it myself. And what I see happening over and over again is we have a process that doesn't work or the outcome isn't well understood, and then when we go to implement the automation of that problem, we've now got scale to our brokenness. So I agree with all the premise of those things. But I think part of the solution of that design element is right in the front of what we just talked about, what we were discussing before about AI and humans being involved. It had a subtlety that we didn't comment on. And that is if you have a human that doesn't understand the problem, they're going to implement the wrong solution. And as a systems thinker and proponent myself, if I don't fully understand the problem I'm trying to solve, then chances are I'm not going to make a good solution for it, whether I automate it or if it's manual. So the design pattern that generally works is start with the outcome. Get a systems design book if you don't know what it is. Understand what you're trying to achieve as your outputs, and then stand on that. Because if I was giving advice to somebody about the mistakes that I've made in this space of automating things, I should. I don't think it's so much, can we automate something? It's really, should we automate something? And then the best automation is often not executing that process at all. I can think myself of having automated wonderful access reviews where I generated thousands and thousands of reports on a monthly basis and then upped the frequency to weekly because we thought that's what the issue was, when that was never the problem.
The developers didn't need to know again week after week that there were problems they had to go take a look at or access reviews they needed to solve. They knew it the first time. I needed to make it easier for them to do the work. So I think the best pattern to follow is really get to the root of the shortest distance to implement whatever the work is, get rid of all your wait states, don't put any queues in place, and that's probably going to get your best automation.
David Spark
All right, Andy, your take on this of the design crafting one must do of your processes, not the actual interfaces.
Andy Ellis
Oh, absolutely. Too many people don't understand processes as control systems.
David Spark
Good point.
Andy Ellis
Where you actually say, like, the process that you want to automate is self-enforcing. And I'm going to use, like, as an example, you probably have a process or a control, and I put air quotes around that. There's, like, every code change is reviewed by somebody, right? And the way that you enforce it is in your ticketing system for your pull request there's a mark that says so-and-so reviewed it. Did they really? Is that really enforced? And now you probably have an automation system that looks for a pull request that was accepted where there isn't that tag and now you go chase it down. Which means you didn't have a control system, because a control system would not allow that to go out without somebody else looking at it. But now you have to actually look and say, is somebody really looking at it? Are they really doing what I want? Because there is some evidence that says if I take responsibility and I split it among two people, what I actually get is less care because each person assumes the other one will provide care. And so if I'm writing code and I know, oh, David's going to look over my code, then I'm like, yeah, I can be sloppy and David will check it. When David goes to look at it, he's like, eh, Andy did a good job. Why would I bother investing hard in this one? I once did data entry for a defense contractor many years ago. I was a Kelly girl, for those who know about Kelly, many years ago.
David Spark
This wasn't last week.
Andy Ellis
This was not last week. No, this was in a prior millennium, and the way that we did two-person control on data entry was two people entered the same data and the computer system flagged it if you entered different data, and now somebody had to go look and say.
David Spark
Oh, so you literally all had to duplicate the exact same work.
Andy Ellis
Yes, it was faster because everybody is a touch typist. When I was doing numeric keypad, I was like 110 words per minute. And so I'm sitting here entering time cards and if I'm the first person who puts it in, I just get to sprint through. It's fast. If I'm the second person, as soon as I make a different entry, the computer says, hey, whoa, wait a second. You entered something different than the previous person did. Now look carefully and tell us exactly what is happening.
David Spark
Were there ever cases where you both made the same mistake? I know that's low probability.
Andy Ellis
I mean, probably, but we never got told about those. I suspect there were cases where people had handwriting that was sloppy enough that we both misread it the same way. So it's not a perfect system, but it's a really good system that beats most of the like one person enters it, now somebody's trying to eyeball, is there a mistake here? So always ask yourself when you're designing systems, what value is my human adding? Right? How do I keep them engaged if I'm asking them to be a control? Because humans make really bad controls. If you make them do the same thing over and over again because they get bored, we're evolutionary optimized to not think. If you make us do the same task multiple times, the decay rate on.
Russ Harris
A human is tragic. It is tragic.
Andy Ellis
No, it's not tragic. It's amazing. It's why we're the dominant species on the planet.
Russ Harris
Totally. It is great for ruling a planet. It is terrible for checking a time card.
Andy Ellis
Exactly.
Host/Announcer
What's the starting point for a CISO?
David Spark
How often do you talk to your CISO? Now that was a question that came up in the cybersecurity subreddit and the answer spanned the organizational gamut. Some talk daily over lunch, others see their CISO once a year at town halls. One standout example, a CISO at a 50,000 person company who talks directly with managers, at least weekly, uses security tools personally, and has the entire team willing to, quote, fall on their sword, end quote for him. Another runs random weekly breakfast with staff asking, quote, tell me something you think I may not know. It's a way to surface issues that get filtered out as they move up the chain. If you're a CISO being pulled in multiple directions from everything from vendor meetings to departmental meetings to incident response, how do you actually stay connected to your own team? I will start with you, Andy. You lived this for many, many years. And in fact, your book 1% Leadership refers to a lot of this. A lot. Giving you a plug for your book. What's your approach to keeping your fingers on the pulse of your security team? And I know, read my book, you answer this a lot. But, yeah, give us your thoughts.
Andy Ellis
No, I'll go straight to the point. Where is your team talking and are you there? Like, we used Zulip, which is not Slack, not Discord. It's actually better than both of them, but for a lot of folks, wouldn't have been sort of the right approach. Way better than Cisco Webex Teams, which is what the company was trying to standardize on at the time. If you are not in the place that your team is communicating, you have a problem as a CISO because you want people to ask you questions and more importantly, for you to be able to ask them. One of my favorite things is I'd walk into a meeting and somebody would say, hey, I want to talk to you about Project Zulu. And I would just drop into my team chat. I'd say, hey, who can give me a quick briefing on Project Zulu?
David Spark
We.
Andy Ellis
While I've got some VP who's trying to give me some pitch, I would have an architect saying, oh, yeah, I got briefed on Project Zulu. Here's the five big risks about it. You're probably going to get an escalation at some point because somebody doesn't want to do what they need to do. Here's what they need to do. Boom. I look like a genius. Because before this VP was done trying to smooth talk me about this project and why could we get expedited security review? I'd be like, hey, this is the person who I want you to go talk to. Who's the architect on my team responsible for that? And I could see the look on their faces like, damn, we're already talking to that person. We were just trying to end run around them. Like, you will be more efficient and effective if you can build a hive mind through communication so that everybody can talk to everyone. When I see things like, oh, I only see my CISO twice a year. Who are you and what are you doing? Like, if you're one of the FAANGs, I can get that. Yes, you have hundreds of thousands of employees everywhere, but if you are a technology focused company that is in any fashion like one organization, everybody should know who the CISO is, and certainly everybody in their organization should have regular conversations with them. But CISO, you need to be out and about and have people like, happy to take your calls because you never waste their time.
David Spark
All right, Russ, I know there's plenty of people who would like to talk with you. How are you keeping in touch with your team when there's a demand on your time?
Russ Harris
So I'd agree with everything that was covered before. I'll add a few points maybe of techniques you can use if you're not set up the way that you want today. Number one, I do weekly one on ones with all my directs that I don't miss. I defer just about everything else in relationship to those. I also do something that I see as a challenge today that would probably help, and that is I don't multitask. I don't look at my phone. I don't have a laptop when that person's talking. I don't do anything else. When I get to the point of the second week. So that would be week to week. I'm doing one on ones the second week. Then I'm trying to rope in their directs. So that's at least a couple of levels in the organization. The third part I would say focus on is once a quarter. I'm trying to do focus groups between groups that don't include the managers. So it gets close to the point of we were just talking. I need raw, unfiltered, unvarnished information that usually comes from getting people out of the context of wondering what their boss is going to think if they say something slightly out of sorts. And then the final part, I would say is just be genuine when you're interacting with someone. Don't make it forced. Try to understand what is a connected point with them. You know, for me, I love cooking, I love woodworking, bike riding, all those things. You're probably going to find somebody in your teams that likes similar things as you try to find something that you can resonate with so that it makes you want to talk with them, they want to talk with you. And at least in my experience, that's made a spiderweb effect of the people that would want to talk to you organically. And that makes it so much easier to come back and talk about Project Zulu because they see you in the hall again. They had talked to you about this issue. Here in Iowa, where I am now, there's a fantastic brewery up the street. Somebody just heard that I didn't drink beer. Told me about it. I went there. It is fantastic. So now we have that connection. And they asked me about a problem that I would have never heard about two days later. So I would encourage people to try and get your own mind right. You do need those connections. You do need to set some type of webbing between all of your team members to come give you information you can't get in other sources. And meeting them where they are is a fantastic place to start. And then I would say making sure that you genuinely show up is a great place to land.
Andy Ellis
I want to add one thing. For all of the managers and CISOs out there. If you have an open door policy, you need to practice hearing things that you don't agree with and saying, huh, I need to think about that. I'm listening, but I'm not reacting because I need to understand more. Figure out what you're gonna say in that moment. Because the biggest way to get people to think you're not connected is when they walk in and they tell you something and you're like, that can't possibly be true. Boom. Your open door doesn't exist anymore.
Russ Harris
Yeah, I wanna come on top of that as well. The thing that we are describing is critical to being able to make sure the other person is heard. So if you don't do that, you will not get great responses the next time. So I totally agree. You got to definitely practice it, because especially as a CISO, where you're supposed to be deciding things quickly, you're assessing that, and you're like, nope, doesn't sound right. Thanks. Next.
Andy Ellis
Hey, doesn't sound right. Move on. No, no, it's. It's one of the things that's like we call them in Judaism, we call them liturgical responses. Like, there's. When a thing happens, there's just this liturgical response that you just, you know, the right words to say and so you don't have to think about it. Right. And so you create your own liturgy as a CISO of, oh, somebody tells me a thing that I don't believe, I say, huh, I need to look into that to know more. And just to be very clear of, every time I've used that, I would say, like, seven out of 10 times, the person was flat out wrong. Like, what they were escalating to me was not an issue, but I needed to go look to make sure. Was there something I hadn't learned? But three out of 10, those were real issues that I would have shut down had I just gone with my first gut instinct.
David Spark
Well, that brings us to the tail end of the show. I want to thank our sponsor. And that would be Strike 48, the agentic log platform without blind spots. Go ahead, try it out for yourself. Just go to strike48.com security. That's strike48.com security and start to pull intelligence agents. Today. I want to thank our guest, Russ Ayers, who is the CISO over at the Principal Financial Group. And Russ, are you hiring over there at Principal Financial Group?
Russ Harris
Indeed we are. I'd love to hear from you.
David Spark
All right. And Ken, we'll have a link to your LinkedIn profile. If people find a job on their job board and they're interested, can they reach out to you?
Russ Harris
Of course they can.
David Spark
Awesome. Andy, as always, thank you so much for being very wise on the microphone. And let me also give another plug for your book. There were things that Russ said that were exactly in your book.
Andy Ellis
Exactly.
David Spark
I remember.
Andy Ellis
Yeah.
David Spark
Have you read his book yet, Russ?
Russ Harris
I haven't, but I will.
David Spark
It's great. I'm telling you, it's great.
Andy Ellis
And if you need me to come out to Iowa and grab a beer with you and talk to your team, I'm down for it.
Russ Harris
Oh, we're going to do that 100%.
David Spark
1% leadership by Andy Ellis. We want photos for that Iowa meeting. We'd like to see it. And I want to thank our audience. As always, we greatly appreciate your contributions. And for listening to the CISO series.
Host/Announcer
Podcast that wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series podcast.
Date: February 10, 2026
Hosts: David Spark, Mike Johnson, Andy Ellis
Guest: Russ Harris (CISO, Principal Financial Group)
This episode dives into the realities of the CISO role, focusing on the challenges of demonstrating value to the board, the pitfalls of over-relying on metrics, the promises and myths around AI in cybersecurity, and the critical human aspects of leadership and organizational design. Russ Harris joins as a guest, bringing in-the-trenches experience as a sitting CISO. The hosts also debate classic dilemmas in security, share process improvement advice, and discuss strategies for staying connected with large security teams.
Memorable Quote:
“So no matter how attractive the number sounds, if there’s no story to back it, it’s meaningless.” — David Spark [08:49]
Notable Quote:
“If you’re just giving them an integer value of something that doesn’t tie to a business reality, they could choose, that’s not really useful context. That’s just trivia.” — Russ Harris [07:14]
For more engaging discussions and practical insights, subscribe to the CISO Series Podcast and check out Andy Ellis’ book “1% Leadership” (and maybe visit Russ Harris for a beverage in Iowa).