Narrator
Biggest mistake I ever made in security.
David Spark
Go.
Richard Rushing
Thinking that malware and ransomware works the same way today as it is going to work tomorrow. And the controls that work today are going to be effective as tomorrow's controls as well. So the mistake I made was assuming that this system was totally compromised. Shut it down, get rid of it. And that was the only infection. In fact, we had file systems that were in the process of being ransomwared up due to their connectivity to their original machine.
Narrator
It's time to begin the CISO Series podcast.
David Spark
Welcome to the CISO Series podcast. My name is David Spark. I'm the producer of the CISO Series, and joining me as my co-host, you love him. It's Andy Ellis. He's a principal over at Duha. Andy, say hello to the audience.
Andy Ellis
Good afternoon, folks. Or depending on when you are in the world, good morning, good evening, or good night.
David Spark
You're covering all your bases.
Andy Ellis
Gotta cover all the bases. And when somebody leaves the world and heads to Mars, I gotta think a little differently about how I do that.
David Spark
There you go.
Andy Ellis
Good soul or something.
David Spark
We are available at cisoseries.com. There's lots of other wonderful programs you can check out there as well. Our sponsor for today's episode, a phenomenal sponsor of the CISO Series, ThreatLocker. And they have got a brand new tool that's pretty darn cool. I haven't really seen many others do this. It's called Defense Against Configurations. You're going to hear more about that a little bit later in the show. Now, Andy, we are recording this during the Jewish New Year. And this is also the time that we go to our friends that we feel that we have wronged, try to ask for forgiveness. Now, there is something a friend of mine used to do. I'm not asking you for it, if you thought that's where this was going.
Andy Ellis
Oh, no. Oh, come on, David, you cannot lead with that and then not.
David Spark
No. I'm going to tell you something funnier than that.
Andy Ellis
Okay.
David Spark
I had a friend, every year he would send a mass email out, said, if I have wronged you, give me a call. Let's work it out. Or he would try to absolve himself via a mass email. He would say, please, my apologies for anything I may have done and wronged you over the past year. And I thought that was so wonderful.
Andy Ellis
He sort of, it's funny, did a.
David Spark
Mass email to deal with his, you.
Andy Ellis
Know, does it match the kavanah of the moment? Probably not, no.
David Spark
But anyways, I've confronted him on that, you know, personally, because I kind of. I'm humored and annoyed by that email you sent out every year.
Andy Ellis
Yeah, I'd say it was funny. It's a funny once.
David Spark
Well, he says, actually some people do respond. He goes, yeah, well, there was a time that you did such and such, and it sort of opens up a conversation that they are able to resolve. So it does have some value here.
Andy Ellis
Yeah, I can see that.
David Spark
Now. Do people come to you to talk about the things that they have done wrong to you, or have you done the same, reached out?
Andy Ellis
So probably I get about, like, one every five years.
David Spark
One every five years. Okay.
Andy Ellis
Every five years, somebody will give me an apology.
David Spark
How many do you give out? Every.
Andy Ellis
Very rare. I mean, I would have to make mistakes.
David Spark
You would have to be. Yes. It's hard when you're perfect. Right.
Andy Ellis
But, David, I would like to apologize because I think sometimes I make a little bit too much fun of your pinball enjoyment.
David Spark
That's fine by me. That's nothing to apologize for.
Andy Ellis
And to our listeners who sometimes aren't part of how close David and I are and so sometimes see us sniping at each other, don't recognize that it's in good fun.
David Spark
In fact, I will say one of our.
Andy Ellis
And that's not on you, that's on us.
David Spark
One of our direct competitors, Smashing Security, actually has a name for this type of bantering going back and forth. They refer to it as. And I love it. And I'm totally copying them here. They call it Bickertainment.
Andy Ellis
Bickertainment. I love it.
David Spark
It's a great name. It's a great name. Bickertainment.
Andy Ellis
Yes.
David Spark
So it's our form of bickertainment, if you will.
Andy Ellis
There we go.
David Spark
But, yes, there's no ill will whatsoever at all.
Andy Ellis
Yeah. And to everybody who I've butchered their mother tongue, when I'm doing the greeting at the beginning, my apologies. My effort is sincere, even if it is not always good.
David Spark
All right, no more apologizing for today's show. We're done.
Andy Ellis
We still got like eight more days in the days of awe here.
David Spark
Let's go on and bring on our guest who I just saw in Santa Monica at a conference where we were doing a live show. So thrilled that he's back. He is the CISO for Motorola, by the way. Longtime CISO at Motorola, kind of. He might be vying for your tenure when you were over at Akamai, too. It is none other than Richard Rushing. Richard, thank you so much for joining us.
Richard Rushing
Thank You, David, for having me. It's great to be back and it's good to see everyone again.
Narrator
What's a CISO to do?
David Spark
We found the difference for great CISOs is not about budget or technology. It's about mindset, strategy and ownership, said Phil Venables, who's the host of the Google Cloud podcast. He put together a framework of good CISO, bad CISO based on this idea. Okay, sometimes when people leave bait this juicy, we've got to bite. I mean, this was a perfect title for this show. There's a lot of examples here. I'm just going to give out a few here for you, Andy. Good CISOs are business executives who manage technology risk. Bad CISOs are IT managers who manage security tools. Good CISOs manage their behavior, software and partner supply chains. Bad CISOs just buy more security products. Good CISOs have deep technical foundations, but use them for empathy. Bad CISOs either lack technical depth or wield it like a club. Good CISOs play long-term games with long-term people. Bad CISOs are transactional. I agree with them. What would you add to this list, Andy?
Andy Ellis
So I'm going to throw Phil under a bus. I so rarely get the opportunity to do this.
David Spark
So this is, oh, what better time, when you're trying to repent.
Andy Ellis
So Phil, I think I might need to apologize for what I'm about to say. So I'll probably send you a text message in a few minutes and you'll be like, what are you talking about, Andy? And I'll be like, wait till November to hear this one. So first preface. If you are a marketing professional, especially in the content world, I want you to go to the link and read Phil Venables' post, the whole thing. Because here's the good CISO, bad CISO, good marketing CISO, bad marketing CISO. Good marketing CISOs write consumable content that they have the same level of excitement for the whole thing. Bad CISOs are trying to check a box of, oh, I have to have 10 pairs of good CISO, bad CISO. But I clearly got bored around pair number six. And so my statements got shorter and shorter as I got to the end. And this is a common content marketing problem. People have a really great idea and they want to repeat this cadence. Good CISO. Bad CISO. And execution is really hard. The first four are like, oh, I've got it. And then you're like, oh, fine, I'll just fill these out. And it really sort of felt that way as I was reading Phil's list.
David Spark
Hold on. But now, have you done one of these listicles? And you're like, oh, God, I really need 20, and I'm only up to 12. And I'm like, hey, can anyone help me out? I need like eight more.
Andy Ellis
Right? And the correct answer is no, stop at 12. If you're only excited about 12, stop at 12. Because your excitement carries through in the same way that you're building out your security program, you're writing your policy. You're like, I need six key principles, and I'm excited about my first four. You have four principles.
David Spark
So the attack here isn't on the advice of good CISO or bad CISO. The attack is on the content marketing effort that Phil did.
Andy Ellis
It's on the execution on Phil. All right, all of them are pretty decent. None of them are bad. But the content marketing of it made it really feel like he got bored after the first six or so.
David Spark
I don't know if this was the time to say that during the days of atonement.
Andy Ellis
So now I will text Phil an apology.
David Spark
All right, Richard, I am Phil, throwing this to you. What was your take on this? Because it was a lot of good stuff in. It maybe petered out, per Andy's opinion. What's your thoughts?
Richard Rushing
No, I think it's good and I think it's the same area. It could be affected by company culture as parts of that as what's good. Or that could be whether you were appointed the job through the company or organization or you got hired in on some of that. Sometimes there's that. I always get in discussions about the difference between having leadership and being a manager, vastly different on different directions. And there's also the same thing. Yeah, you could add stuff to this of looking towards outcomes versus checking checkboxes and things around that. And I think it's one of the things that we go back to in a lot of these. I didn't see AI as part of this. So that's a good thing from the content marketing side that we left that out. But it's one of the things of show your work. It's no longer black boxes. And the security organizations for a long time were, hey, a black box, stuff comes out, stuff goes in. We don't know really what happens, but there, now you have a way as you elevated the position up in the org, more responsibility came with that. And I think that's why these sometimes hit at certain levels but miss at other levels, depending on the organization size and reporting structure for the CISO as well.
David Spark
And just closing this out so you can actually say something legitimate about Phil's article here. Andy, off of what Richard just said is a lot of this stuff really varies depending on the context of your environment, the size of your environment, things like that.
Andy Ellis
Yes, I mean, absolutely. But like, Phil's things are mostly just principles. Like, he's like, good CISOs ensure bad news travels fast. Bad CISOs are the last to know. I actually completely agree with that. Like, that is fantastic. But like, he's got like seven lines about travel fast and like two sentences on being the last to know. So it's like that was sort of the inflection point where it's like, oh, very clearly got bored on the execution here.
David Spark
Maybe. Maybe he wasn't bored. Maybe he's like, there's not much more to say. That's all you need to say.
Andy Ellis
Then you go back and make them all equally crisp. I did want to say that as I was reading this, this felt like Goofus and Gallant as CISOs, and somebody should go license from Highlights that. I like Goofus.
David Spark
And by the way, that's an old deep cut reference of Highlights.
Andy Ellis
Yeah, yeah, like, that's what this felt like. I think you did. Just to be clear, I don't have any issues with what's on the list. These are actually pretty good. But I had to make fun of execution, partly because you're gonna ask me to add to a list of 20 things. Clearly, Phil ran out of things to add.
David Spark
Phil, we're going to get some nasty letters from Phil.
Andy Ellis
I already emailed him an apology.
David Spark
So.
Andy Ellis
It's like Kol Nidre, I'm already in advance on my apology.
David Spark
Sorry for robbing your store. Here's an apology note.
Andy Ellis
Yeah.
Narrator
How would you handle this situation?
David Spark
How do you define security hygiene versus finding actual vulnerabilities? Now, this came up on the cybersecurity subreddit with a post that was frustrated by pen tests flagging flaws as mediums when they didn't impact risk. On the subreddit, they laid out this rubric. A vulnerability means there's a threat which goes to an exploit path which goes to a business impact. If you can't show that line, it's hygiene, not a vulnerability. Now, not all commenters agree with that, with some pointing out that compliance requires including things like fairly low CVSS scores, and that while issues around security protocols, SSL and TLS, shouldn't be on that report, low and medium issues are often chained to exploit systems. All right, Richard, is there a functional difference between security hygiene and vulnerabilities, or does it more depend on your company culture?
Richard Rushing
I think it depends a little bit on the company culture, but I also think it depends then on what's defined as a vulnerability. And I think there are two parts of vulnerability pieces. You have the vulnerabilities, which a lot of people patch software code for. Then there is the other part, which is configurations. This is the TLS world. This is some of the other sides of it. You've not set up the right cipher specs. We've all seen this before. And the issue is that's the configuration. And you can classify it and say, okay, it can lead to problems, it can lead to issues and vulnerabilities and things around that. But there is the software patching aspect and the configuration. They need to live in your vulnerability management program, period, on that. Otherwise, what are you trying to get better at? That's the goal, is I'm fixing things and doing something that's there. I think you can classify the cyber hygiene as a very larger area, surface area, to look at, rather than nuances that are around that and saying, hey, there's a different cyber hygiene score than your vulnerability side of it that's there. At the end of the day, these pose risks that are defined. And if you're willing to accept the risk, well, you're willing to accept the risk. Can't do anything about that. But in most cases, accepting the risk usually leads to bad results at the end of the day.
David Spark
All right, Andy, your feelings on whether it's hygiene or a vulnerability, your thoughts?
Andy Ellis
So I dislike the language. They're onto something. But they're conflating language about risk with projects around solving risk. First of all, vulnerability is kind of a term of art that they're misusing here, right? A vulnerability is a hazard in a system, generally tied to a software defect. That's it. It's a class of hazards. When they say threat to exploit path to business impact, the exploit path is that collection of hazards. What they're calling a vulnerability here is a scenario, a way in which a set of hazards are exploitable by an adversary to cause a problem. That's just me. I've got to put my soapbox here. Got to be very careful about language, because if you start redefining vulnerability to mean something different, you're going to confuse everybody. The really interesting point here is that when we think about these hazards and these scenarios, we really have four different problem areas, depending on how bad they are in terms of impact and how bad they are, or likely they are, in terms of probability, or how surprised we'd be if they happen. And what they talk about as hygiene here is what I call litter cleanup. The low probability, low impact things, the things that are very low CVSS, it's not worth the energy to go figure out a scenario. Think of it like litter on the street. If you come out of a nightclub at 3 in the morning or out of your hotel at 6 a.m. when it's over a nightclub. Anybody who visits Tel Aviv is probably familiar with this scenario. The street is covered in litter. It's all really annoying, it's all really dirty. And you would be foolish to try to do the work to figure out how bad each piece of litter is. In the same way that a configuration mistake that we just found that seems minor, like it's not worth going and figuring out how bad it could be or how likely it could be, you should just have a hygiene project to clean it up, right?
If you don't have street sweepers cleaning the litter off of your streets in your nightclub district, that's the actual problem is the lack of street sweepers, not the fact that there are either 1,000 or 5,000 pieces of trash on the street. It doesn't really matter how many you've got. And so I think that is a very key component is we should stop using the language of high severity or high frequency events to talk about hygiene problems. And we should say this is hygiene. The problem is not any given one of them. It's the fact that there are so many that there might be some needles sitting there and people are going to step on druggies needles and that creates a hygiene problem or a health problem for the city. We don't have to count to find the one needle, we should just clean everything.
David Spark
Who's our sponsor this week? Well, it's our fantastic sponsor, ThreatLocker, and you're going to want to listen to this brand new tool that they've got. ThreatLocker Defense Against Configurations delivers clear visibility into system risk by continuously scanning endpoints. Built directly into the ThreatLocker agent, it identifies misconfigurations, weak firewall rules, risky USB permissions and default Windows settings that weaken your defenses so you can address them before they're exploited. Findings are also mapped against compliance frameworks including NIST, CIS, HIPAA and ISO 27001, with actionable remediation guidance to simplify security hardening and audit preparation. The platform updates daily, providing administrators with the most current view of their environment without added performance impact, additional agents or complex integrations. By consolidating configuration risks into a single dashboard, ThreatLocker Defense Against Configurations streamlines compliance, reduces attack surfaces and strengthens overall security posture. See how ThreatLocker makes it easier to secure and maintain a compliant environment. Just go to threatlocker.com, and if you want to let them know that we sent you there, go to threatlocker.com CISO, easiest way to let them know that you heard about them from the CISO Series.
Narrator
It's time to play what's Worse.
David Spark
Richard, I know you're familiar with this game. This is how it's going to work. I'm going to read the two crappy scenarios to Andy. He is going to pick one that he believes is worse and you are going to agree or disagree. If you want to be my favorite, you will disagree with Andy. If you want to be Andy's favorite, you will agree with Andy. Got it?
Richard Rushing
Got it.
Andy Ellis
I think you should do what feels appropriate, Richard, which is always agree with Andy.
David Spark
Yeah, there we go. All right, here we go, from Eric Block of Illumio. He asks what's worse. Andy, your AI-powered automation platform auto-remediates issues based on detection confidence. But once a week it kills a critical business process.
Andy Ellis
Awesome.
David Spark
Just randomly kills one.
Andy Ellis
Well, that's already a shortlist contender for worst possible. But let's see what could be worse than that.
David Spark
Here we go. You don't use AI auto remediation at all.
Andy Ellis
And.
David Spark
And even a minor issue becomes a ticket that sits in a queue for a week before anyone looks at it. So all issues sit and nothing gets done for at least a week. Which one's worse?
Andy Ellis
Okay, so the way this one is phrased gives me an easy out. The first one is clearly the worst one, and the reason for that. And this is for everybody who's going to submit what's worse in the future. And I hate to pick on a specific one. The second one, the only impact being demonstrated is an impact to my security organization, not to my employer. Ah, the first one, we're killing critical business processes. Once a week the company is having bad days. The second one, there's no assertion that the company has anything bad happen to it.
David Spark
Well, but it's like a reverse, Andy. Hold on, Wait, hold on. It's a reverse bad things are happening to it and security's doing little to nothing about it.
Andy Ellis
But you have to lay out what the outcome is.
David Spark
Yes.
Andy Ellis
Right. So since I don't have an outcome there, it's easy for me to say, well, shooting the business in the foot once a week is worse. Than not shooting the business in the foot once a week. So I'm gonna go with the first one is worse.
David Spark
But it could. Well, yes, but I could also say.
Andy Ellis
But we're not allowed to modify. That's the Nir rule.
David Spark
The business may be shooting itself in the foot more than once a week and you're not doing squat about it.
Andy Ellis
But we don't know. And the Nir Rothenberg rule is we don't get to modify the scenario.
David Spark
Correct. We're not modifying. Yes, there is a lot of unknown here.
Andy Ellis
Right. But we have to run with the unknown as it is.
David Spark
Yes. Wow. See the thing is once a week kills a critical business process. Worse could be happening. On the other hand, we don't know.
Andy Ellis
Quite could be, but we didn't say it is.
David Spark
Richard, agree or disagree with Andy here.
Richard Rushing
I'm going to have to go with the disagree now.
David Spark
Now we're talking, Richard. All right, go ahead.
Andy Ellis
You're killing a critical business process once a week.
Richard Rushing
Killing the critical business process. I hate to see your metrics on that side of it there. Or your partners are going to be after you. Especially if it's not the same business critical process, but. And they can track it back to the AI system. So the evidence is pretty much you're the one that's responsible. Because a lot of times systems critically die and whoops. Trying to do root cause analysis, never really get all the answers that are there. But I think from this one, having an unknown idea of not knowing what's going on in the world of queues today, given the current cybercrime exploitation zero-day fiestas that are going on in this.
David Spark
Mm.
Richard Rushing
It's gonna be waiting a week's worth of time. It will destroy the entire business, not just one system that's there that's critical.
Andy Ellis
I think we're reading a lot into this. So basically. But no, the argument Richard's making.
David Spark
No, I think Richard's got something going on here.
Andy Ellis
Is that the absence of AI powered cybersecurity prioritization and auto remediation is destroying every business there is. We have lots of evidence that's not true. So I think he's really rewritten this scenario just to be disagreeable.
David Spark
Really.
Andy Ellis
I'm gonna challenge on this one. Plus if we get to rewrite the scenario that little bit.
David Spark
No, but he makes a really good point. Like first of all, issues come up all the time, right?
Andy Ellis
Yep.
David Spark
Every now and then an issue comes up that is maybe decimating the company. And if you don't deal with it that hour that day that week there might not be a company.
Andy Ellis
But we're in the world of mights. If we're in that world of mights, here's my counter proposal. How long do you get to run your AI-powered cyber auto-remediation system?
David Spark
Killing a business, system killing a critical.
Andy Ellis
Business process every week. I give you eight days.
David Spark
But I think that's an interesting thing. But I think there's a situation where there's this culmination point, like enough of these things happening that you don't sit on for a while. Enough business processes being killed. There's gonna be a point where they meet in terms of they destroy the business.
Andy Ellis
Oh, no, right, absolutely. These are both bad situations. But the problem I have with this one is one of them. The second one describes the status quo for most companies. Like this is the world that most companies operate in. You aren't doing AI powered auto remediation.
David Spark
They don't get around to screen squat.
Andy Ellis
Like you're weird if you do that. So that's normal. That's not a bad scenario. That's just every day. The other one, kill a critical business process once a week. Like you're not surviving that as a CISO if you let that run for three weeks.
Richard Rushing
Yeah. Take your SAP system or take your ERP system, the business is dead. I agree with Andy that, hey, if you're looking at the badness of this, but I also, I've gone through zero day Fridays for the last couple of sides of it that everybody's gotta go, hey, we got a Cisco one running around. If that was in the queue. Oh, it's come in. It talked to our router and it's like, I don't think you're gonna be here next Thursday in a structured manner. That's part of that.
David Spark
I think there's a situation where these two sides are going to hit a meeting point and it's literally a race. Who's going to crush the business first?
Richard Rushing
Who's going to crush the business the first. Is it going to be outside or is it going to be. You're either going to prevent it or you're going to be responsible for it. I think that's the issue that you get into.
David Spark
And I understand that you might think it's worse. It's worse that I'm responsible for ending the business.
Andy Ellis
Right.
David Spark
Directly responsible.
Andy Ellis
So I want to appeal to the audience. So we're do something new. We've never done this before, which is. I want to appeal to the audience because I think these two are really off base and disagreeing with me, but I might be really off base.
David Spark
All right. Yeah. Okay, that's good.
Andy Ellis
So, audience specific question. Is Andy really off base here? I don't need you to judge the other two. Like, maybe it's a legitimate disagreement, but am I just really wrong here and I'm not thinking correctly about it? That's what I'm asking for. So give us an answer in LinkedIn. Email me wherever.
David Spark
In fact, we have an email, feedback@cisoseries.com. Just email us at feedback@cisoseries.com. Yeah, the problem is.
Andy Ellis
That I might not ever see it, but I need to see the answers.
David Spark
I will forward it to you. Don't worry. You'll see it.
Andy Ellis
Okay, forward them all to me.
Richard Rushing
There's a poll.
David Spark
Andy will see it.
Andy Ellis
There's the poll right here.
David Spark
Andy will. And in fact, let us know if we can publish it. And we'll clip this and we'll put the best responses to it online. Yeah, all right, sounds good.
Andy Ellis
Because I feel really strong that this one's easy and I got two people disagreeing with me. So somebody's worldview is broken. I want to make sure it's not mine. Okay.
Narrator
How have you actually pulled this off?
David Spark
Quote, if a single impulsive click can cascade into the compromise of your entire identity, then the real issue isn't the human, it's the bad system design, said Joshua Copeland of Crescendo. And by the way, Joshua, you can't see this, but Andy's literally dancing to your quote. He argues, Joshua, that, quote, human error isn't a vulnerability to be patched. It's the default operating mode of being human. I think we can all agree with that.
Andy Ellis
I don't like that phrasing.
David Spark
But, yes, unlike tools or apps you can tune and configure, humans operate on motivations and threats. They're tired, stressed, trusting, and fallible. We keep designing security that assumes perfect behavior, then blame users when they inevitably remain true to their nature. But if one click brings down the house of cards, maybe it's time to stop trying to configure humans and start building systems that work with how people actually behave. All right, since, Andy, you were doing the dancing. Richard was not, but I'm sure mentally he was dancing. I'm going to go to you first. What are some good security design elements that demonstrate that you are building a program for humans to be fallible?
Andy Ellis
So let me start by disagreeing with the framing of humans are fallible here.
David Spark
Okay.
Andy Ellis
Right. Humans are doing what the human is supposed to do. Like, click a link is actually a thing humans are supposed to do. We're supposed to click stuff when we're interacting with our email, with our messaging. That's what the messaging exists for. So let's even move further past. And Joshua, I completely agree with where you're headed. I just want to move it further. Human error is a symptom of a system in need of redesign. If you blame human error, it's because your system's at fault. So I think we agree on that. I just don't think that's human error. I think that's, why did you expect the human to do differently? Like, I get DocuSigns in my email all the time, especially when I was on five boards. Let me tell you the number of times I was doing DocuSigns. The fact that DocuSign spam is showing up in my inbox, like, people trying to phish me, like, that's a failure of my mail server. Like, why are you delivering things that are so obviously trying to screw me over? Like, that's not acceptable. So let's start from that. When you think about this, the systems you need, you need to. And I hate to use the phrase zero trust, except I love zero trust. Like, this is the whole model of zero trust, was to say, like, everything needs to be validated. I need to validate that you're still the user. That's why I want MFA, and I want phish-proof MFA. But the problem we have right now is we expect people to use passwords that get passed around over the Internet. No. Like, if anything can emulate my computer, that's a problem, ever. So the fact that, like, I have to prove my identity to some server and now the server gets to be me, instead of, it's no, me and my computer and my phone, they are me. You can't phish me. If I click a link on here, there's nothing to get. That's where we need to be, is this model that it always requires me and my phone to do a thing. And stop worrying about making it so easy to bootstrap losing your phone. That should be the hard moment.
It should not be that reading every piece of email is a hard thing.
David Spark
All right, Richard, I throw it to you. Do you agree with Andy's setup of the reference that Joshua Copeland said here that humans are fallible? That's the standard operating procedure or not?
Richard Rushing
I agree on the side, definitely with Andy, that if something is bad and it's presented to the user, or the user is in the middle of the transaction, it's a problem. Your tools are not configured, you don't have the right tools, you're getting stuck. One of the big issues around a lot of that is those are not metrics we go track and show in a lot of places. So the executives and everything else, they'll complain about why I have to re-enter passwords, why I have to do this, why. But at the end of the day, these passwordless, other functionalities, you've got to make sure that, to Andy's point, it's not phishable, it makes sense. It works in environments, it works for the user, on the network, off the network, somewhere else. And I think those are the ideas that we constrained ourselves, and a lot of our designs for our security principles are still in the world of this was before remote work. This was VPN access with hard clients that were there that we had, until this world where things are outside the world, things are all parts of that. And I think from that perspective, you have to think as the user in their ability to use things. We've unified the messaging to browsers and functionality. Instead of fat clients, we used a unified client which just goes to the other side. We simplified single sign-on, and all those implementations probably need a very, very good relook at, and go back to the idea that your authentication, if it's providing sessions, how long are the sessions? Hey, you can get kicked off of most organizations. You know what, your Outlook still works if they didn't boot you off the server that's there. And it'll work for like 72 hours if they haven't changed the configuration. So three days. So I think there's one of the things to think about and look at from a human perspective of those sides, and maybe go to something different. We went with session cookies for the simple fact that it was browser initiatives that's there.
Maybe we need some level of additional kinds of authentication compliance, moving back and forth, identification of not only the user, the machine that's actually connecting as well.
Narrator
It's time for this week's security tip. This week's AI-infused security operations tip is sponsored by Anvilogic.
David Spark
How would your SOC respond to a convincing deepfake of your CEO or an AI-crafted social engineering attack that perfectly mimics an employee's tone? These aren't futuristic hypotheticals anymore. As we all know, generative AI has made it easy for attackers to clone voices, reproduce writing styles and fabricate entire identities with frightening precision. The result is a new definition of trust, one in which your team must learn to question what looks and sounds real. AI-infused security operations offer the countermeasure. Advanced models can analyze subtle digital signatures such as timing patterns, metadata and linguistic cues to detect when content has been synthetically generated. SOCs must integrate these AI systems into their workflows for heightened vigilance and accuracy, but most importantly, teaching analysts to treat authenticity as a new dimension of risk.
Narrator
To learn more about saving costs and optimizing analyst capacity with a hybrid SIEM and data lake, go to anvilogic.com. What's the ROI?
David Spark
People don't change under pressure from a PowerPoint. They change through conversations, pressure from peers, and accountability from someone they respect. That's mentoring, said Maman Ibrahim of Eugene Zonda. Mentoring can be the force that drives positive metrics, not the negative metrics, which are often the definition of the metrics reported by security. Implementing mentoring isn't the real challenge, it's knowing how to report it and tell the story in ways that connect with executives. How have you, I'll start with you, Richard, proved that mentoring moves a security program and therefore can move budgets?
Richard Rushing
I think it's coming back to use this training perspective is a good example when mentoring is that we can buy content and show what content is, but it's a whole accumulation. We went with the death by PowerPoint training once a year. We're moving into at-risk training and things around that. All those elements that you fought in. It's like to the point of we're not psychologists, we're not behavioral science, we are not HR. But I think it's one of those areas where you need that response. You need to get those feedbacks to understand motivation and people or how they're doing. And training is one of the key areas, what's effective and what sucks. And you can use people that do training on a regular basis. You can have your folks of going look at what generates this and I think it's from the mentoring side of it is how do I find those in the organization. A digital supply chain is another side of it in your supply chain organization. I don't know that world. I should in those areas in a lot of cases. And the only way to do that is to ask for help and let me understand what this is all about. All the interconnects and a factory operation and things around those sides of it. We shied away from that a lot of times. But in most cases that was something that was definitely necessary to say hey, reach out to those folks in those business roles and ask what you want to show as how we move something there. These projects don't have to be security projects. That's why they're projects. You scale them up to include other people and organizations to come back to you to help you. And that's the whole thing is I have not that many hands in my organization. No one does. So how do I get that to come back even further on that side of it? That's there.
David Spark
Excellent. Andy, your thoughts on the mentoring being the leader of essentially pushing the security program forward.
Andy Ellis
So I think we've built so many compliance-driven activities that we've taken away the energy left for mentoring. Just think about like security awareness training and how much it costs so many companies to do like these very bulk programs. Like everybody's got to sit through a one-hour video when you can probably replace the compliance aspect of that with a like here's a click this link, coming back to our don't click this link conversation earlier, to just like read the security awareness program. Click, move on, five minutes. And now let's save mentoring for actually having conversations and say hey, we're seeing a problem in your organization. Let me go mentor a VP rather than trying to get them to tell people to take training. That's worthless. What the real mentoring value is. Everything he writes in the article is great, by the way, but the real value is building the relationship that people will then let you talk to them.
David Spark
Very good. Well, that brings us to the very tail end of this episode. Huge thanks to you, Andy. Thank you so much, and to you, Richard, as well. I want to also thank our sponsor and that would be ThreatLocker. Remember their new tool, Defense Against Configurations. We have configuration drift. It happens. Tools change over time. Find out what the status of yours is, where they are, how are they treating your environment? Go check them out at threatlocker.com/ciso. Easiest way to let them know that you heard about them from the CISO Series. Richard, thank you so much for being on the show. Are you hiring over at Motorola Mobility?
Richard Rushing
We're always looking for good people. You can find us at Motorola Careers.
David Spark
Excellent. And if they find an interesting job, can they contact you directly through LinkedIn? Yes. Yes. And we will have a link to your profile on the blog post for this very episode. Thank you very much, Richard. Thank you very much, Andy. And to our audience, as I always say and truly mean it, we greatly appreciate your contributions. Send more what's worse and arrows. Send us an email, feedback@cisoseries.com, if you think Andy is off base in his rationalizing the what's worse scenario, or if.
Andy Ellis
You think I'm off base about anything in general, I'll happily take feedback about anything at all.
David Spark
Or you wanted him to apologize to you during the Days of Atonement?
Andy Ellis
Yeah.
David Spark
Thank you for listening to the CISO Series Podcast.
Narrator
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series podcast.
CISO Series Podcast
Episode: Why Architect for Human Error When We Can Make People Feel Really Bad About It?
Date: November 25, 2025
Hosts: David Spark, Andy Ellis
Guest: Richard Rushing (CISO, Motorola Mobility)
This episode explores how security practitioners balance technical controls and human fallibility, challenging the mindset of blaming people for mistakes rather than designing resilient systems. The hosts, joined by Motorola’s CISO Richard Rushing, also discuss what separates great CISOs from mediocre ones, the distinction between cyber hygiene and vulnerabilities, the realities of automation, and the cultural power of mentoring in changing organizational security behaviors.
“Humans are doing what the human is supposed to do… If you blame human error, it’s because your system’s at fault.”
Timestamp: [25:59–31:57]
Prompted by Phil Venables’ “Good CISO, Bad CISO” List
Highlights from Discussion:
“Good CISOs write consumable content… Bad CISOs… got bored around pair number six.”
Notable Banter:
Timestamp: [05:01–11:10]
“I dislike the language… [they’re] conflating language about risk with projects around solving risk.”
Timestamp: [11:15–16:24]
“Shooting the business in the foot once a week is worse than not shooting the business in the foot.”
“Am I just really wrong here and I’m not thinking correctly about it?”
Timestamp: [18:01–25:15]
“We’ve built so many compliance-driven activities that we’ve taken away the energy left for mentoring.”
Timestamp: [33:34–37:14]
On CISO effectiveness:
Andy Ellis (06:02):
“The [CISO] list felt like Goofus and Gallant… All of them are pretty decent, none are bad, but the content marketing of it made it really feel like he got bored after the first six or so.”
On “hygiene” vs. “vulnerability” language:
Andy Ellis (13:51):
“If you start redefining vulnerability to mean something different, you’re going to confuse everybody.”
On security design for humans:
Joshua Copeland (25:59):
“If a single impulsive click can cascade into the compromise of your entire identity, then the real issue isn’t the human, it’s the bad system design.”
Banter, apologies, and “Bickertainment”:
The episode forcefully advocates for security programs that work with, not against, human nature. The hosts and guest urge practitioners to expect and design for mistakes, focus on structural controls, and invest energy in relationship-driven mentoring over rote compliance. The recurring message: real security leadership, like real organizational improvement, comes from context-driven empathy and strategic ownership—not just new tools or punitive processes.
For audience participation, feedback, and debate, listeners are encouraged to contact the show at feedback@cisoseries.com or find the hosts on LinkedIn.