Howard Holton
From the CISO Series, it's Cybersecurity Headlines.
Host (possibly David Spark)
Qantas penalizes executives for cyber attack. SonicWall suffers from password rotation blues. And Cyber Command and NSA to remain under single leadership. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're gonna get some insight, we're gonna get some opinion, we're gonna get some hot takes and indeed, some expertise from our guests. Yes, plural. We have Rob Thiel, the CTO at Oklahoma Department of Commerce, and Howard Holton, the newly minted CEO of GigaOm. He still has that new CEO smell. Gentlemen, thank you so much for being on the show. Thank you for checking on that, Howard. Looking forward to a little bit of conversation today. Thank you so much for making the time.
Howard Holton
Thanks for having us.
Rob Thiel
Thank you.
Host (possibly David Spark)
Also thanks to our sponsor for today, Vanta, a new way to GRC. If you're listening to the show as a podcast, remember that next time you can join us live. Get into the YouTube experience. Just follow the CISO Series on YouTube and you can watch the live stream. Get involved in the chat. Or if navigating YouTube is not your bag, and it is very few people's bag, go to cisoseries.com and look for the events dropdown and that will take you directly to it. Click on it. You can join us and have some fun. If you're here right now, contribute in the chat. We've got multiple guests, we've got multiple people looking at the chat. CCL, Happy Friday to you as well, CCL, one of our chat regulars here. Always great to see you there. And if none of those sound good to you, feedback@cisoseries.com is the electronic mail that will send a missive to our inbox. We will read it and be, I assume, delighted. Unless it's savage criticism, in which case I'll be devastated. We've got about 20 minutes, so let's get started. Just a quick reminder that these are Rob and Howard's opinions, not necessarily those of their employers, of their entire company or anything along those lines. So before we jump into some specific news stories, Howard, I am going to start with you. What was your just overall biggest story of cybersecurity in the past week?
Howard Holton
That would be the SAP high sev vulnerabilities. They have multiple products with multiple issues, about 200. The highest one is a 10, like 10 out of 10.
Host (possibly David Spark)
So for the layman, that would be bad. That would be somewhere between ouch and Boeing. Right. That's where.
Howard Holton
Incoming.
Host (possibly David Spark)
So you're saying patch all the things is the order of the day for SAP in this case?
Howard Holton
I mean, yeah, I think it actually opens up a bigger question ultimately. Right. The big question ultimately is when are we going to accept that all of this stuff is a shared responsibility model, that we have responsibility, but also the vendors do. The vendor's responsibility isn't really the fixing of the things, but to take a proactive attitude that builds trust. And I think that's where they are failing. Building trust is more than just, oh, we released a software patch that you don't know about, that we didn't properly explain, that eventually someone's going to find a vulnerability that requires this thing. It's really taking a stance of, if my job is to create trust, what are all of the things I do that include patching? That include creating software fixes to make you trust me more? But then also, you know, we have a shared responsibility as the users, as the people that run it, to prioritize these things correctly, to give them the airspace, to make sure that we are connected, to make sure we're taking the proper steps, but also that we're surrounding these things in layers of security so that these aren't actually sev 10s by the time we calculate them within...
Host (possibly David Spark)
...our organization, within the context of our organization. Yeah, it is a 10, but we have the proper sandboxing or firewalling or whatever you want to say in place. Rob, I'm curious from you. Do you think that that kind of scale is possible for a company of the scale of SAP? Is that kind of trust building, and Howard, I'm in agreement with you, is that practical for a company of that size, do you think? I'm curious.
Rob Thiel
I do think it's practical, but it has to be enforced through culture. So it's one of those things where you can have rules, but culture is the thing that wins, because then people are actually owning what they're supposed to be doing. There's accountability at every level within the teams. And so when you have something like this that happens, now, sometimes, in fact, it is a technical failure or someone just forgot to check a box. But when you have multiple failures like this, it's always insight into culture and what's happening behind the scenes. So that would be something I'd be looking at. If you think it's possible, I do think you can have great processes like that that win every time, but they start to fail when people lose interest in ownership. And there's a much bigger conversation around what that looks like. But I do think it's possible.
Howard Holton
Yeah, I think that's actually why it has to start at the C level and why it's trust, not technology, that solves the problem. Right. I think if we allow it to be technology that solves the problem, then the CEO gets an escape: I'm not a technologist. The CFO gets to escape: I'm not a technologist. The board gets to escape: I'm not a technologist. But if "build trust" is the job, well, I don't care who you are, that is your job. Right. You build trust from your customers, then every single thing you do builds trust. That becomes our company culture. And then this stuff, actually, you get all of the support all the way through. And every time the CEO stands on stage, the CEO is talking about what's being done to build trust. And it comes from that perspective, it's 100% reinforced.
Host (possibly David Spark)
If we could license it, I would license the Prince song "Trust" right now. I would do a little Batdance and we would have a lot of fun. Rob, I'm going to throw to you. What was your biggest story in cybersecurity this past week?
Rob Thiel
You know, it was the Qantas CISO getting nailed with this fine. When we look at, just like what Howard was saying about shared responsibility when it comes to the C-suite, right, it's supposed to be one team, one fight. And too often you have people that end up taking the blame for something that is really everyone's responsibility. And so that really catches my attention, and it makes me think about risk at the C-suite, power, managing it, how we're managing our relationship with the board or our stakeholders, whatever that might be. In government, it's the governor and the governor's cabinet, but in corporations, it's the board. And all these things are about accountability and also being one team, one fight, where we're together in this. We're in this together. And I want the CFO to succeed, and he should want the CISO to succeed, and I want the CTO to succeed. And we're working together side by side on making that happen. We're looking out for each other.
Host (possibly David Spark)
And let me just jump in here just to kind of set the preliminaries here, right? In case someone's not catching up on the situation with Qantas here, they cut annual bonuses for senior leaders by 15% after a July cyber attack that impacted 5.7 million people. They reported a $1.5 million profit for the past fiscal year, but said the penalty reflects accountability for the incident. And we're seeing the CEO also seeing a pay reduction of 250, or $250,000, as part of that decision. But, Rob, I think your point is well made. And I think when we were talking about that CISO, you know, if we want to say the CISO is accountable, we talk... Like, to me, that just means, like, people don't understand actually what a CISO's job is at all or where they're positioned in corporate structure. Like, am I totally off here, Howard?
Howard Holton
No, I think that's a big piece of the problem. Right. The CISO is not typically a director of the company. They have a C level title, but they don't actually have a C level seat at the table. Additionally, all the CISO is, is an advisor to the CEO and the board. That's it. Right. They have no control over what gets done and what's a priority. That being said, they are hired to be the smartest security business person in the room, very specifically, not technical, business. Right. And so it is incumbent upon them to make sure that the CEO, the CFO, the board, the CIO, CTO, the rest of the directors are properly informed as to what needs to be done, what the risk of inaction is, and what's required to actually execute. Failure to do that? Sure. There should be a penalty. Should it be criminal or civil charges? No, it absolutely should not be. Right. Should it be for the CEO? It absolutely should be, absolutely, unequivocally, like, I'm not...
Host (possibly David Spark)
Buck stops here. Yeah, like that. You are literally the person that needs to be making the decision. You should be being informed by the CISO so that you can choose to act on the risk that the CISO is letting you know is out there. Right?
Howard Holton
Sure. And it's really easy to go, like, my CISO is not informing me and increasing risk for the company and for me. Fire the CISO and get another one. Why do we need criminal or civil penalties for the CISO, who has no control over the execution, and not the CEO, who has all control over that execution?
Host (possibly David Spark)
Yeah. I mean, I think there's some nuance in this discussion in terms of, like, you know, your job is effectively to be a communicator, right? To connect what's happening in cybersecurity to a way that the business can understand. Right. I mean, we talk about this all the time on the CISO Series podcast. Right. If this was a solved problem, we would have to reformat the show. Right. But the idea being, like, sure, we can grade that. We can put that in a gradient of how effective that communication is. Right. Did you run through a PowerPoint that was, you know, a bunch of meaningless stats, where you're not effectively showing the C-suite what the actual risk is in terms that they will appreciate? Sure, we can say that. But yeah, to your point about bringing in civil liability for that, and I know we were waiting to kind of hear the latest on Tim Brown, former CISO of SolarWinds. I just checked. I have not seen anything in terms of a ruling in that lawsuit and that kind of stuff. But we know that that's in the wind and we'll be reporting on that soon. Rob, any other thoughts before we get out of here and kind of move on to the next story?
Rob Thiel
No, other than, you know, I'm really interested in what the board's methodologies are for determining the penalties. And so that'll be a very interesting conversation. On what kind of scale are they using? Obviously, depending on what business you're in, you have different risk. Aviation, obviously, is huge because the risk can be very, very high. And you can think of other businesses that would be high risk, so their models might look different. And one of the things we do as C leaders is we manage risk every day. So I'd be very interested to see more on what the risk models are, or just have more of a discussion around what the risk models might look like for a board. It's saying, hey, we're going to hold them accountable. But how? And what do we consider success and not success? We know there's going to be an incident. Are we grading them on how they respond to the incident, or are we just saying if there is an incident, you're getting dinged?
Howard Holton
Yeah.
Host (possibly David Spark)
And as our producer Steve Prentice pointed out in our chat here, money is chump change that we're discussing with Qantas in this particular instance. Right. This might get paid back with stock options next quarter. Right, Steve?
Steve Prentice
That's the thing, is it's not putting the money back into the actual people who are doing the work of cybersecurity. This is like a professional hockey player has to sit out one game because of doing something bad on the ice. I would prefer to see something that, again, reinvests in the people who are doing the defense in depth, rather than simply what looks like a slap on the wrist when people are making seven- or eight-figure salaries as the heads of airlines and other companies.
Howard Holton
Like that, I would agree. Right. I actually think it would have tremendously better optics. Oh, cool. So you took money away, you're just going to give it to the shareholders. The money has to go somewhere. It's unbudgeted now, so it goes to the shareholders. If instead the press release was all executives' pay is cut by 15% plus blah, blah, blah, that money is going directly into the cybersecurity program in Qantas. Now all of a sudden, now it's real. You should have invested the money. You didn't invest the money. Had you invested 10%, this would have been fine. Now we're taking substantially more and dumping it into a cyber program that you are specifically paid to maintain. The CEO's job, in addition to being a face, is to pay attention to and reduce risk of the actions taken by the company. If they had stolen $1,000 from every customer, like they came up with a new product, the new product is free baggage for life, and they had 100,000 people sign up and pay $1,000 apiece and they walked away from that, they just walked away with it, they would go to jail. They lose your Social Security number? Nothing happens. I'm sorry. A $1,000 loss is a one-time loss event for everyone. Social Security, that is my life. You just gave away my life forever. Every single Social Security number, it impacts me forever. Why is that less than if you do financial fraud? Like, the impact of cyber today is so much greater, and yet the penalties are effectively nonexistent in comparison.
Host (possibly David Spark)
Don't worry. No, no, no, don't worry. Howard, I gave you two years of credit monitoring, so that'll cover your entire rest of your life, right?
Howard Holton
Two years monitoring company owned by the credit agency that exposed his flaw to begin with. Yeah.
Host (possibly David Spark)
I can't believe. How dare you be Senator. How d. Oh, good gravy. You know what? I'm not cynical about our sponsor for this week. A huge thank you to our sponsor Vanta for supporting the show. Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get your security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines.
Howard Holton
All right, I have to say, Rich, I literally had someone ask me about GRC this morning.
Host (possibly David Spark)
I just texted them, Vanta, hey, we're bringing people together. I mean, it is a new way to GRC, let's face it. Next up here, SonicWall suffers from password rotation blues. SonicWall always has a place in my heart as the blocker that was on my school computers when I was at Benedictine Senior High School. So thank you, SonicWall, for being around. And their appliances have had their share of heartache when I was trying to visit all sorts of websites or AOL Instant Messenger. But in this case, SonicWall has confirmed that recent attacks on its firewalls involved a year-old security flaw with a CVSS score of 9.3. I guess SAP would call that rookie business, where local user passwords were carried over during the migration and not reset. It's tough enough for organizations to keep pace with threat actors, but when we hear about weaknesses that are based, I guess in large part, on just, like, human inertia, forgetting to change passwords or close down accounts for departed employees. Howard, how does that make you feel?
Howard Holton
I mean, this is basic stuff, right? Like, this is 101 entry level stuff, but this happens so often it's not even funny, right? And it gets executed poorly just as often. Even if it's policy, even if it's core of a policy, right? The number of times people have thought about what is the impact of this thing, how do we mitigate that impact, how do we reduce the blast radius, again, right? All the kind of basic hygiene stuff. And then politics gets involved on top of that. This happens constantly, continuously. The number of places that I've been where they had a security-first policy around account deactivation is effectively zero. The number of places I've been where they're like, no, we need to retain the data, we need to retain, blah, blah, blah, blah, and they actually execute quickly, like within minutes, is fewer. And you want to maintain someone's email account, you want to maintain the lines of communication, but you need to develop your policies in a way that removes everything else. That account should not need access to file shares, right? You should be able to assign someone the ability to read the mailbox. Great, that should be the extent of what you actually need. Everything else should be cut off. You can always add it back later, guys. You can always go, hey, you know that file we can't open? We need to impersonate this user. Great, we'll go add that back in.
Host (possibly David Spark)
I mean, Rob, is this your experience too, right? No security policy survives first contact with politics. Is that just constant, right?
Rob Thiel
It is. And I will tell you, this is all kinds of layers of problems. It really, to me, is an implementation problem. Because anytime you have an ITSM, one of the first things you should do is have onboarding and offboarding as part of that. How that's missed is beyond me. How you can even have an ITSM without having proper offboarding. So where that's getting missed, I don't know if it's a project management problem where they're just not finishing the project, but it just goes to show you the power of poor implementation when you don't have that, because it's such a basic 101 thing. Like Howard was saying, you should have it where you're 100% sure that they're offboarded. It's a mathematical equation. And how you can get to these numbers where they're not being disabled, I've seen it up into the ten thousands.
Host (possibly David Spark)
Oh my God.
Howard Holton
I have to agree with Rob. Right. I'd even be willing to double down a little bit and say offboarding should be the very first thing you do for ITSM, right? Not the second, not the third. If you get offboarding correct, then you know you're ready to move on to other ITSM workflows. And then onboarding is probably the second most valuable. Remember, offboarding is how you protect your organization from the thing you least like to do, which is let employees go. Onboarding is the way you show someone that they're valuable.
Host (possibly David Spark)
So, like, my question is, like, how? This seems so blindingly basic. And again, SonicWall is not a startup, right? Where they're just like, we're moving fast. They're SonicWall, right? They're like an institution. Is that the problem? Is it just like, you're going to use SonicWall anyway, we don't care? Again, not to pick on SonicWall, how does this happen in organizations?
Howard Holton
No, I understand. Because it's political. So you can track almost every single problem to the org chart. So literally just draw where you're at, where the person is to solve the problem. Now draw a circle of the scope. And if the circle of that scope goes beyond one C level executive, you're done. You're done. Now the number of people that are required to get in the room so that you have consensus on what needs to be done and how it needs to be done is so great. What ends up happening is someone goes, this is really important, we should do this. Sends the message, and then the crickets start, and then a tumbleweed blows by, and they go, well, I've got 273 other things I need to do, so I'm going to do the things I can actually do. Right? So almost universally, right, if you just track the org chart, you can see, like, every time you ask a question, how did this happen? Why did this happen? You look at the org chart, and you just go, bang. Oh, yeah. Like, there's seven layers here. Okay? That's like 28 to 72 people that have to be in a room to make a decision at that level.
Host (possibly David Spark)
That's good for a dip, not for an org chart. Yeah, we have this next story. We've got to get into it here. This was a hot button a couple months ago when this initial announcement was made, and we're following up on it now. Cyber Command and NSA to remain under single leadership. We were covering that they were going to split it up. So get your hat puns ready here, folks, because the White House has announced that there won't be any splitting up of the dual leadership of U.S. Cyber Command and the NSA, citing the complexity and multi-year timeline. Who could have known? So senior officials say maintaining the dual hat structure allows for faster and more unified operations. Army Lt. Gen. William Hartman, acting head of both agencies, is expected to be confirmed permanently. Just in general, Rob, big deal, not a big deal in terms of them rolling this back? Is this something they should investigate over time? Is this job too big? You know, can you fit two hats on this one head?
Howard Holton
Well, wait, wait. I don't think Rob's equipped to answer this. He doesn't know anything about the military or the government.
Host (possibly David Spark)
Sorry.
Howard Holton
Rob and I know each other really well. What is your rank, Rob? Your current rank?
Rob Thiel
I'm an officer. That's all I'll say.
Host (possibly David Spark)
Okay. And a gentleman, I will point out.
Howard Holton
Thank you.
Rob Thiel
But I will say this is a tricky thing, right? This balance between sharing information, which is really necessary if you want to win, particularly when you have foreign actors that are trying to get to the United States and our assets here. Then you have to be unified. It has to be a unified command. So I'm 100% for that. Where the tension happens is when you start talking about domestic situations and the Constitution. So it's a tricky business. You want them to be able to share as much as possible. It's the only way we're going to win. But then there's this counterbalance that says we still have privacy as Americans. You're not supposed to be spying on people unless you have a warrant. And the list just goes on and on. So there's this balance of power, and the oversight is my biggest concern when it comes to these agencies. Just like we want oversight for corporations, we also should have oversight in government, and especially when it comes to our nation's secrets and stopping some of our worst enemies that are trying to attack us and take down the United States. So there's a balance there, and it's a larger conversation overall to figure out what we want that balance to be. Who is going to be the group that holds it accountable? When one group only holds power, then you always are going to have abuses of that, which we've seen. Right. It's not like there's an unknown thing there with Snowden and everyone that whistleblew on the abuses. So that brings up a lot of concerns as American citizens and the Bill of Rights. But when it comes to foreign enemies, absolutely, 1,000% it should be a unified command. It's the only way we're going to win.
Host (possibly David Spark)
I mean, Howard, from your perspective, was this always going to get rolled back? I mean, was this just optics for them to think they were going to split this up? What's your take on this?
Howard Holton
That might be my favorite question I've got in the last two weeks, honestly. Okay, that is a super nuanced question. Right. Because all of this changed on 9/11. We're talking about it here on 9/12. 9/11 caused this change. The Patriot Act is the biggest rollback of US resident privacy. Remember, the Constitution applies to everyone who lives here, who, like, is physically present here. If you are visiting from another country, the Constitution likely applies to you in most cases. So when we put the Patriot Act into effect and started to roll these things back and signal this change, this is a massive change. Now, I do think, without a doubt, having the head of Cyber Command and the head of the agency most concerned with cybersecurity as a job be the same person has tremendous value. But it only has value from a policy standpoint. It should not be a data sharing standpoint. Right. If we have the same cyber programs, that should absolutely be a top-down decision. Federating cybersecurity is awful, right? Having kind of semi-central command with local execution is awful. Having distributed decisions is like not having cybersecurity at all. You know what I mean?
Rob Thiel
Yeah, yeah, great point.
Howard Holton
Terrible. So having one decision point that says this is the framework we are going to follow, these are the decisions we are going to use, this is the common language we're going to use in cybersecurity, I stand behind that 100%. However, there should be no data sharing at all. I find a lot of what's been happening lately really disconcerting. The FBI is not local law enforcement. The CIA is not law enforcement in any way, shape or form. Right. Each of these organizations has a very specific charter. And the more blurry we make that, every single time, the more we say the rights of the citizens are less important, the rights of the residents are less important. And look, it's not a political conversation. It doesn't matter which side of the fence this comes from. It's always worse, because that protection is now gone. Even if not executed, it's gone. Today you may not be a victim, tomorrow you absolutely may be. And the way we stop that is by saying, no, it's absolutely not going to happen. We need clear missions, we need clear directives, and we need an absolute, unequivocal, as in it is treason to violate them.
Host (possibly David Spark)
That is a... No uncertain terms there.
Howard Holton
No, look, seriously, back to that CISO conversation. If an advisor that gets ignored can be held civilly liable, violating the rights of the globe should be treason.
Host (possibly David Spark)
Well, speaking of violating rights, we've got to get on to our last story here, and that's US-based investors in spyware firms nearly tripled in 2024. We don't know where the economy's going at any given time. I'm not an economist, I don't pretend to play one on TV. But I'm glad spyware companies are doing well. This comes from a new report from the Atlantic Council. That think tank says that 31 American firms were found to be backing the manufacturers of spyware. That's compared to 11 in 2023. So tripled. There we go. It makes the US the largest investor into the spyware market. I think the whole of the EU also has 31 investors. Israel has high 20s, I want to say. And this includes owning and investing in companies like Graphite and Candiru. Apologies to spyware vendors if I'm mispronouncing your name here. The argument is often one that revolves around the proactive benefits of spying on certain individuals versus the dangers of privacy concerns. And of course, war in all its forms is highly profitable. I'm curious, Rob, what do we take from this other than the market for spyware is hot, it seems?
Rob Thiel
Well, you know, I would say this is one of those things that hits two levels, right? It hits you at the corporate level because everyone's bringing their own devices now, you know, and so you have to have all these attack surface layers to protect you against the spyware that's on their compute, on their personal phones, when they're in your enterprise environment. But then it's also annoying as a consumer. Really, really annoying, because we're constantly trying to be private and exercise security so people don't get Howard's Social Security number. And so to know that they're investing in... I mean, obviously they have a right to invest in whatever they want, but it certainly seems like a massive conflict of interest. And this actually begs the question, it's everyone's responsibility to be secure, right? If you are willy-nilly with your own personal security plans, don't depend on the enterprise security posture of your business to make you a secure individual. You should have a plan for yourself that goes way beyond what company you're working for. And so the more that we can do this as individuals and basically take back all the privacy that we lose through convenience, I would highly recommend it. There's lots of things that you can do as an individual to keep that from happening to you. And there's all kinds of data tools now. It's really, really neat what some people are doing. DEF CON. I went there a couple of years ago. They had all kinds of really great tools that you could use to be private and secure. Howard just recently had a great experience at DEF CON.
Howard Holton
Oh, it was awesome. My highest trending LinkedIn post, I think, ever. Or second highest trending LinkedIn post. I was so mad. It's amazing when I go on a rant, people seem to listen and at least have an opinion on how wrong Howard is. Let's put that.
Host (possibly David Spark)
Listen. You're getting people talking, Howard.
Howard Holton
Yeah, so, like, at some point shouldn't we declare spyware tools of crime? Like, under what guise is spyware legitimate? And if it's legitimate, are we properly calling it spyware? Is it not a corporate monitoring tool at that point, that could be used for the very... Like, I think the headline's a little sensational to begin with, right? I think that's a huge problem. And frankly, that's just kind of the fourth estate in the 21st century.
Host (possibly David Spark)
Got me to click.
Howard Holton
Sure. That's a big problem. At the same time, if it is actually spyware, it needs to be classified as malicious software. It needs to be illegal. Like, why are we wasting time with other laws when that is so obvious? And the organizations building malware need to be referred to as criminal organizations. Then this is easy. If it's not, then...
Host (possibly David Spark)
But Howard, to your point, and I've got to shout out TechCrunch for having this in their reporting, one of the companies that received investments from a US firm is on the US Entity List, right? Sure. So...
Howard Holton
So then why isn't that firm, like... Then the FBI shows up, Department of Justice shows up, SEC shows up, they lose their investment license, like, classification. Right. Like, you get classified as an investor. If it's an investment firm, that is a classification and has certain rules that are associated with being an investment firm. You can't invest in Walter White Incorporated. Right. So why would you be able to invest in these companies? We need some enforcement, right? Capitalism is dead. We need some freaking enforcement. This is ridiculous.
Host (possibly David Spark)
Capitalism is dead. Long live. Yeah.
Howard Holton
Good.
Host (possibly David Spark)
Before we get out of here, was there. This seems like there was a lot of facepalming today. I'm not gonna lie. Was there any bright spot in the news for you? I'm gonna maybe turn this around. Maybe we're not gonna ask for a face palm, but is there anything in the news, a conversation you saw, a vibe that you had that was positive? Any kind of positive note we can leave our audience on? I always like to try and find these out. Rob, is there any. Is there any. Is any positive news or kind of sentiment out there that you'd like to share?
Rob Thiel
Sure. There's always some good sentiment to spread around. I certainly would. Like I said, every day I get a little bit of personal joy out of making sure that my systems are as secure as I can make them. Doesn't mean I'm foolproof. But that's a daily thing, right? You have to be vigilant every day. My advice to everyone listening would be to stay vigilant and take it. Take it as seriously as you could possibly take it when it comes to securing yourself and others around you and being a good citizen in your enterprise and for your own personal use. But that's kind of a vibe I have every day, and I nerd out on security things, so it's hard to be. Not be positive. When you, when you're you, you have a discipline of trying to do the right thing when it comes to securing yourself and others around you.
Host (possibly David Spark)
That's like, I'm like vibing on that. That seems like a very pleasant way to wake up every day and think and approach the job like that. That's awesome, Rob. Thank you. Howard, leave us with a word of hope.
Howard Holton
Does it have to be cybersecurity related?
Host (possibly David Spark)
Vaguely. Try, try. Let me see what you got. Maybe I'll stretch it. Here we go.
Howard Holton
Ooh. I think overall, I feel like the dialogue has changed within cyber. I think we're having more open dialogue overall. And in the same way we review bomb companies to treat their customers extremely poorly in, like, the retail space, it seems as though we're starting to do much more of the same in companies that screw their users over, don't declare, bury their cyber stuff. Like, I'm seeing more of this not just here within our group that works in cyber, but I'm really seeing overall an awful lot more kind of conversation around cyber security and what this means and, and far more people are curious. My mother, my. I don't know how I, I hate to say this. I don't know how old my mom is. My whole life, my mom has said it's her 36th birthday, even when I was no longer under 36, so I could do the math in my head.
Host (possibly David Spark)
She kept her story straight regardless.
Howard Holton
Right. If you add 20 years to whatever I look like in your head, that's close enough. Like, my mother's asking the question and that's a. That. That is an awesome change to see within society. I really am hopeful that we are going in the right direction. Look, this stuff is wicked complex. There's no level of complexity. Cyber security will never be solved. It will never be a finished problem ever. Right. There's too much money to be made in, in. In the attack side, which means there's an equal amount or greater in the defense side. Like, there's too much money here. But the fact that we're all keeping this front of mind, that we're all having open dialogues, that we're all really digging in and not playing protect your feelings means there is actually hope for all of this.
Host (possibly David Spark)
I think those are. That's. That's the way to walk away today. I think I'm feeling good. I'm going to be happy going into the weekend. Brown paper bag. Kudos on the username there in our chat. Is very curious what you had in mind initially there, Howard. So I will say, you know, you have to subscribe to Howard's Patreon if you want to find that. No, I'm just kidding. Yeah, dial 1900, Howard. Yeah, Howard's big idea.
Howard Holton
It's 1-900-major nerd.
Host (possibly David Spark)
Yeah. Please, please, dear God, don't dial any of those numbers, please. I cannot.
Howard Holton
That's not, that's not actually my number.
Host (possibly David Spark)
But a big, big, big thank you to both of you. Rob Thiel, CTO over at Oklahoma Department of Commerce, and Howard, CEO of GigaOM. If you haven't congratulated Howard on the new role on LinkedIn, do so. You can find both of them there. Am I correct in assuming LinkedIn is the way to connect with both of you? Absolutely. So we will have links to those in our show notes. Thank you both so much for making the time, for making me laugh, making me think, and having a good time on a Friday afternoon. All right, thanks also to our sponsor for today, Vanta A New Way to grc. And a big thank you to our audience today. We know we, we can't always get every comment up on the screen, but we love seeing the questions, the comments helping us know what our audience is thinking kind of in real time. That's awesome. That's like a very unique opportunity and I don't take it for granted. And a big thank you to producer Steve for popping on. He's going to be showing up more often on the Social. Thank you so much, Steve Prentice for diving into the show and being a more active presence here. Thank you as always. Remember, if you have any feedback for us, feedbackisoseries.com is the way to get in touch with us. We read every single one. Please remember to join us next week. First we have Super Cyber Friday where our topic will be Hacking Critical Infrastructure. An hour of critical thinking about thoughtful modernization for the things that can't fail. That starts at 1pm Eastern. And then we'll have a week in review with kind of this new format. Let us know what you think of this new format. By the way, feedbackisoseries.com we've got two more guests lined up. I don't have them in front of me. I probably should have so I can plug them. Too late. You'll have to find them on LinkedIn when we promote it there as well. And find info for all those events. CISoseries.com events. In the meantime, you can still get your daily news fix through cybersecurity headlines. 
Give us about six minutes, we'll get you all caught up. For myself for Howard for Rob, for Steve. For all of us here in the CISO series organization, here's wishing you and yours to have a super sparkly day.
Howard Holton
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
This episode, hosted by the CISO Series (possibly David Spark), assembles cyber leaders Howard Holton (CEO, GigaOM) and Rob Thiel (CTO, Oklahoma Department of Commerce) to unpack the week's most impactful security stories. Key topics include Qantas penalizing leadership after a massive breach, SAP's critical vulnerabilities, human and organizational failures behind SonicWall VPN flaws, the NSA/Cyber Command leadership model, and the rapid growth in US spyware investment. The hosts dig into the nuances of organizational responsibility, risk models, and the persistent gap between policy and practice, concluding with thoughts on positive industry shifts and vigilance.
Trust Over Technology:
“If it’s technology that solves the problem, then the CEO gets an escape… But if it’s build trust is the job, that is your job. Right.”
– Howard Holton [04:56]
On Superficial Penalties:
“This is like a professional hockey player has to sit out one game because of doing something bad on the ice.”
– Steve Prentice [11:29]
Data as Lifelong Risk:
“They lose your Social Security number. Nothing happens. I’m sorry. $1,000 loss is a one time loss event for everyone. Social Security, that is my life. You just gave away my life forever.”
– Howard Holton [12:50]
Basic Hygiene Still Challenging:
“Offboarding should be the very first thing you do for ITSM… If you get offboarding correct, then you know you’re ready to move on to other ITSM workflows.”
– Howard Holton [17:57]
| Time | Segment/Discussion |
|-------|--------------------|
| 02:10 | SAP’s critical vulnerabilities, trust, and shared responsibility |
| 05:51 | Qantas penalizes execs; accountability and the CISO’s role |
| 11:29 | Are monetary penalties meaningful? |
| 14:32 | SonicWall VPN flaws and org failures in basic security hygiene |
| 19:56 | NSA & Cyber Command dual leadership decision unpacked |
| 26:12 | Tripling of US investment in spyware vendors; legal and ethical debate |
| 31:44 | Positive closing thoughts and hope for the industry |
This episode dives into the intersection of technical, cultural, and political challenges in cybersecurity today, with frank, actionable insights for practitioners and executives alike. The hosts urge a shift from purely technical fixes to trust-based approaches, more meaningful executive accountability, and stronger enforcement and legal clarity—while closing with a reminder of the progress made in industry discourse and individual resilience. If you missed the episode, this summary delivers all the essential takeaways and food for thought.