
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST. Welcome to Cybersecurity Today on the weekend. I'm your host, Jim Love, and I have with me today David Shipley, my co-host. David does the Monday and Wednesday shows and if you still miss me on those days, you can catch I do the daily News on trending with daily tech news stories five days a week. David only works two days a week. Welcome, David.
B
Thanks, Jim. Thanks for having me.
A
Yeah, he has other things he does in his spare time and one of those things is David has been covering RSAC, the RSA Conference, one of the world's largest annual cybersecurity events in San Francisco focused on security, technology, policy, industry trends, all that sort of stuff. In 2026, I guess they did every presentation on trust. That must have been it, David.
B
So as I joked about in Wednesday's episode, if you are sick and tired of zero trust for everything by every vendor, I have good news. They have dropped it. It's dead. And it's not just like marketing, metaphorically dead. As we get into the conversation about what the new hotness is, which feels a lot like Zoolander, you're going to find out that not only have they abandoned as a term, they are absolutely going in all in on trust on something else, which, you know, on something else,
A
I'm going to do my prediction thing. I'm betting it's agentic AI and security for that.
B
Yes. And I feel Buzz Lightyear from Toy Story and it's agentic AI everywhere. And honest to God, there were some vendors, I think, who were having a competition. And as a cybersecurity vendor, I understand this to see how many times they could put AI in different ways on the same booth, but agentic SOC was the number one term and the number one product announcement from a number of people. And if you're following the agentic story, there's a lot of promise and potential. And Jim's probably going to die of shock. Yes, this idea of systems acting in more autonomous ways, faster, at speed, offers a lot of interest and intrigue. It unleashes the potential of the Star Trek-like computer. And we're fascinated by that. But it also can go wrong, as we have covered in hilariously bad ways. And so the industry is all in. It wasn't a Vegas conference. That's Black Hat. This is supposed to be more staid suited professional cybersecurity conference here, not a hacker con. But they are gambling like it's the big table and it's the strip.
A
I'm amazed actually, because Agentic has been with us long enough for marketing people to predict it. But the OpenClaw and all of the things that have happened in the basically the autonomous Agentic movement and the security reaction to that has been relatively recent. There must have been a whole pile of marketing people just getting stuff reprinted like mad and presentations updated so that they could talk about OpenClaw. But aside from that, because there's the hype part of it, what did you find that was really impressive from the show?
B
It's interesting because there's this market moment. Normally we focus on the tech side of things, but I think it's going to be relevant to our listeners in terms of implications for product availability, cost and other things. And what a lot of listeners may not know is that for the last 10 years, 15 at the longest, cybersecurity has been the coolest kid at SaaS high school. So it was the kid that everyone wanted to hang out with. It was the easiest to raise money, it got great exit multiples, it had fantastic IPOs and it was the party that never seemed like it was going to end. And then 2022 happens, the big AI surge happens. And this is the first RSAC where you're starting to see the implications. Because on the edge of this conference are a lot of investor meetings, a lot of VC meetings, a lot of things. It's not just a sales thing, it's you're selling shares in your startup, your equity backed company, you're selling to customers, et cetera. It's quite the show. And in the background the whispers are starting to get louder about what AI is doing to cybersecurity company valuations. And that's going to have huge implications for how much money is going to keep getting poured into this industry to advance. And the tap, I think is about to get closed quite a bit as money shifts towards these AI things at exactly the ironic moment where we're going to need more security than ever before. And so what happened at the show early in the week was Anthropic unveiled its official version of OpenClaw. The immediate impact was some cybersecurity stocks dropped 5 to 8% because of that.
A
I've been looking at what Anthropic's doing and we'll do a little bit of it and just across promote, I'll probably talk about it on our AI show this weekend, which is Project Synapse, because they are sophisticated about this. When generative AI hit, a lot of people built a lot of products that they could just slap on top of it. And they were really cute and they sold and they could raise money. And there was a whole. There was a whole gold rush in that. And now the same thing's happening with agentic AI. There's a whole pile of companies that are slapping this stuff together, getting it out to market. It does this. It'll protect you here. And what happened to a lot of the companies that introduce things is OpenAI just absorbed them. They just took all that stuff inside. That's replaying with Anthropic. Like they've built OpenClaw and a model of it. From best I can see, that does about 90% of what OpenClaw does leaves. I think it leaves me leave out the unsafe stuff. I'm not sure. I haven't really run it down totally. But now they've also built some security, sandboxing and things inside. So they were out front and center there.
B
So they weren't out front and center at the conference, but they were having an outsized impact at the conference. And so what's happening is cybersecurity is adjusting to the reality they're no longer the coolest kid, which means they're not going to get all the money and all the attention and all the things. So we have hit, I think, peak cybersecurity in terms of new companies and certainly the ease of which money will fuel innovation. Now they're going to have to get a lot more serious about business fundamentals. So they're going to have to become profitable. They're going to have to. So we're going to see industry, the industry consolidation that's been threatened for the last five years, maybe 10 years, it's going to be all platformed, etc. No, but you're going to see a great leaning out of cybersecurity companies. And that may not always be the worst thing because there are. I think Robert Steinen does such good work in this space, but there are at least 4,000 cybersecurity companies and then an exponential of that, more products. So like we're drowning in products. So right-sizing this is probably not a bad thing. But the downside for CISOs and IT managers and MSPs listening is that when choice decreases like this, when supply decreases and demand is about to increase significantly and those that are remaining on the supply side have to charge more rents or prices. Cost for cybersecurity is about to increase significantly. And I think that's my biggest takeaway from RSAC, because even if all of those forces weren't at play, and I genuinely believe they are at play, the bill for all of this agentic SOC is going to be huge. These require a lot of compute. And so it only works if these things are destroying jobs, entry level SOC jobs, et cetera. But the bills that these providers are going to get from the frontier models, from the data centers and other things, they're going to get passed on. And the economics, I think are going to get a little harder to understand.
A
This is already happening and it's been part of the story in AI and it has been happening in security as people are reducing staff in advance of anticipated AI benefits. And the last part of that sentence is important. In advance of anticipated AI benefits. I've seen, we've done, I've watched the layoffs carefully for all the shows that I do. And we're, that we're actually people are dropping cybersecurity people. They're no longer hiring as many of them. This is not a good thing. No.
B
And I think one of the things that I've become increasingly convinced on is AI. Generative AI tooling disproportionately by orders of magnitude favors attackers. This is not neutral. It's not 50/50 equal benefit for attackers and defenders. That's not to say there's not a benefit of AI for defenders. That's not the argument you're making. We're talking about the total balance of power in this. I think it's closer to 80/20. And why? Because attackers have no penalties for adoption. There's. They are massive risk takers. They can adopt at speed, they can do things at speed. Failure doesn't have consequences. They don't have to work through corporate environments. And if they can steal access to these tools. And I got to tell you, Tammy Harper just gave me a demo earlier today of a brand new phishing as a service platform, Tammy from Flare. And it's able to tap into every single one of these latest models, which I got lots of questions about whether or not they need to be culpable for some of the abuse that they're now accelerating on teams. It is making AI an imperative on the defensive side because you're not going to be able to survive without trying to keep the speed. And I'm not saying AI only benefits attackers. I'm saying the benefits are much larger for attack than defense.
A
Yeah, I would say that. I would argue with you if you said it with the technical difference, because I don't think there is. But in terms of attackers, absolutely. When you've got a job to do and regular day to day stuff to do and things to watch, you don't have the time to focus on only one thing, hacking a system. You're dealing with people who have only one thing to do and that's find ways into your systems. And in fairness, they're doing it on. And I've said this before, and I will take all the criticism and I will argue with anyone what I think is the fundamentally the most insecure architecture we've ever introduced. And I'm back from the days when we didn't have passwords.
B
And it's interesting.
A
AI is fundamentally a problem.
B
And it's interesting. My favorite booth of the entire conference was not one of the million dollar plus booths. And Jim, honest to God, like, one of the reasons why I know this industry is jumping the shark a bit is the ungodly amount we're paying into marketing, some of which clever, some not. But it's like, when did we stop being able to show the value of the product? And that being the most compelling thing. And I do feel bad for the vendors in this space because it's an. It's an attention arms race. And so I'm not faulting them for doing it. You pay a million dollars, you better make sure you're getting lots of leads and you're going to get ROI from that. So this is not a slam at the clever marketing that goes in there. There was a giant booth, Jim, that was a castle with a giant dragon above it. There was a western theme booth. There was a 50s diner, neon lights AI booth. There was a hilarious. And I'm gonna give them full props, whoever at Commvault decided to go all in on audacity and attention grabbing you, you did it. They had a wrestling ring with a luchador. Yeah, no kidding you not. And there was a full show. And you know what, Jim? They got lots of attention. I felt bad for the booths around them because it was great. But that's what we're trying to. We're using spectacle as an industry and I think that's a warning sign. And whether that spectacle is calling everything AI, even when it probably isn't actually agentic, isn't say it isn't.
A
So that's never happened in marketing.
B
But my favorite booth, because this speaks to what you just talked about in terms of the state of security. So I met this guy, Aaron Portnoy. I found this smaller booth off to the side in these two giant halls. And this booth was a 90s themed kind of college dorm room. So I just want you to picture this. And it's got a Neuromancer poster and it's got an old school CRT monitor. Even an older school, like, monochrome monitor. It's like I'm Gen X. It hit me right in the nostalgia feels. Let's not kid ourselves. They did their homework about buyers and who CISOs are in our age group and everything else. Good for them. But the broader theme of why they did a 90s thing is this is an AI security company helping deal with security issues around AI models, et cetera. And Aaron Portnoy says, because we are at right now with AI where we were in the late 1990s with cyber security. And we got to realize that we are that far behind at this moment. And I thought, you know what, that was clever. That was attention grabbing. That was a great people listening to the show. You're shocked. Dave Shipley loves a really good metaphor. Yeah, I did. And they nailed it because it was so true to me. That was like, if I could go around giving the science fair badges, that would have been my science fair badge. Because I thought, you guys, you get it? And they use the metaphor in a really powerful way. So this is the product. So it's an AI security tool. It's the company's called Mindgard. And I've heard Aaron actually on a few podcasts, so it seems like a sharp guy. Good team. I'll give points. And Jim's looking at me. You're going to give top marks to an AI security company? Yeah, yeah, because. Yeah, I know. I ate a salad on this trip too. And my team is still just dying of shock when it's seen my expenses.
A
Yeah. So anyway, you invite David for dinner and you offer him a salad. He says, that's not dinner, that's what dinner eats.
B
You got me nailed. Anyway. But besides that, it was interesting. There were some. There's some great talks there. One of the cool things I got to do is RSAC provides a service where you can book an actual studio with a crew and interview folks. And so I got to interview the chief security officer for Commvault. Again, the most clever and audacious one in terms of the. The wrestling ring. But they had some really interesting things to say.
A
So tell me about this interview.
B
So I had the chance at RSAC to chat with Bill O'Connell who's the chief security officer for Commvault. And their specialty, of course, is in the backup side of things. But we had a chance to talk about RSAC, how the role of the CISO is more important than ever before, particularly with all the agentic SOC everyone was talking about. And we had a chance to also talk about the need to celebrate the CISO. So really excited. He was a wealth of knowledge. It was just a fun conversation to have with somebody there who's got experience not just as a vendor, but as an actual practitioner. It was definitely one of my highlights of the week. I had the chance to cover some great talks. We had that on technewsday.com and on the show. And obviously we've covered cruising through the floor and all the things the vendors were doing. But this was a great way just to actually have a really good human conversation about the role of security and the top leader of security in 2026.
A
Let's check it out.
D
I'm the chief security officer at Commvault. I should also say my name first. Bill O'Connell.
C
Tell me a little bit about Commvault for folks who are listening or watching who may not have heard of your company.
D
Yeah, it's interesting. They hadn't really thought much about it until they approached me about the role, but for years, 27 years, they've been doing backup, and so that was a good business to be in. And then they got a new CEO several years ago who realized, hey, there's going to be a really important time when companies need that backup and be able to recover and trust in that recovery.
C
Yep.
D
And so that was the piece that, as a security guy, said, ah, okay, there's something interesting here. So that's what they do is we call it cyber resilience. Everything has to sound cool. But, yeah, it's about helping companies figure out what are their most important workloads and make sure that they can be resilient.
C
Awesome. And you're here at RSAC and you had an important message around the role of the CISO. Can you tell me a little bit about that?
D
Yeah. It's interesting walking around Moscone here. I've been in security for 20 years, and I've seen this physical event evolve so much. And I think that really speaks to the change in the role itself. Where, you know, there were companies I worked at where you could physically see how removed security was because everybody was in this building over here, and then you had to walk across a field and get to a small building. Where there were other businesses and like a mechanic on the first floor. And that's where the security team was. Fast forward 20 years later and this event takes over the city and has grown in size. And that's again analogous to the role itself, that the CISO role has become so important now. You see so many companies where it reports to the CEO. They're talking to the board. I'm talking to the board and the audit committee regularly. That's very different. So it's been fun, a fun journey to see how this has evolved in 20 years.
C
And you've been doing security not just in the vendor space, but you've been working as a practitioner as well.
D
Plenty of battle scars from doing it. Yeah, started off in consulting, where I had worked at a consulting group, and they said, oh, we're, we're interested in starting a practice around this whole information security thing. Are you interested? And so quickly dove in, did my CISSP, all those things, then worked in several different roles running different areas of security, ran pretty much every function at least once or twice. And so now what I thought was most compelling, and on a personal note, was run the enterprise security. Also, we make and sell software and SaaS solutions in the cloud. So be responsible for that product security and have that kind of customer focus and then also help set the direction and craft for what we do. How would a CISO use this product? Yeah, it's been an interesting, interesting journey. But, yep, I've done all the hard stuff. Got plenty of battle scars along the way.
C
It's a tough job. It can be you sometimes.
D
Thank you for saying that.
C
It is. You have to sometimes give very busy people news they don't want to hear about. Hey, we're gonna have to spend some money on this. We're gonna have to slow down on that. And sometimes it can be a challenge to influence those others. Even if we might be in the same building now. Do we always speak the same language?
D
I think that's the most important thing. Security people are paid to be paranoid. Sometimes that's not a fun headspace to live in. And for other people, that can be a tough goal. And so, yeah, making sure. How do I translate that in the right way, where I'm not downplaying the risk at all, but I'm making that connection. Quick little example, years ago, I got sent overseas to do some work. And working with that business, I really had the opportunity to sit with the person that led that business and say, okay, they know nothing about technology. How do I talk about SQL injection? Where I don't have an hour to show them on the whiteboard. Right. And so what are things that I could do to raise it up to a level to say, okay, I've got five software products here. This one's an A, this one's a B, this one's a C. Here's why I want to spend more time here. You've got this many customers on this and it makes us this much revenue. And I want to get it to the point where it's at least a B, that's a 60 second conversation. Whereas if I get in the weeds on our aging on our software vulnerabilities is below what our standards say. And I'm worried about our input validation errors over here. Like, it's. I can sum it up in a way that matters, and I think that's part of the CISO job, is to be able to handle all the technical things, but then also figure out, okay, if I'm not dealing with a technical leader, yep, how can I make that connection?
C
And do you think that the missing link here is the risk conversation? Setting the context for risk, not the nitty gritty details. But what risks are you prepared to accept? What risk do we think we need to mitigate?
D
Yeah, absolutely. I think it, for me, it's all about risk. And I'm sure a lot of people around the building here have had that tough challenge of, I'm really worried about this thing. But am I being your own devil's advocate? How much of this is just me being worried? Or is this a real issue trying to block out the FUD factor and really keep the organization focused? And also making sure that the organization understands the impacts of the choices they make. And so putting that responsibility at the right level, I think that's a huge part of the job.
C
Now, speaking of risk, and it's interesting because it's both a risk and a possible reward. AI is everywhere here. I think I've seen a competition between booths to see who can put the most AI on things. Is the CISO still relevant in the age of all this talk of agentic AI, AI SOCs, AI this?
D
I love it. I'm picturing a walk through the vendor booths downstairs and yeah, everybody, it's a prerequisite. You have to mention AI. I think it's an interesting time. I think it shows that it's like a good analogy for the space in general. There are things that we don't know. Naturally. Part of us as a security person needs to be worried about it a little bit. But Also there's opportunity there. And yeah, the way you said I think is great that, that there's benefits to uncertainty sometimes. Right. This could be an amazing thing for a business. So for years people have been saying don't be the person that says no. Like you're being able to say yes. And, and for me that, that's what I think when I think of AI, that we don't know all of the uses. So first let's level set on terminology. When people say AI, what do we mean? Do we mean ChatGPT or any other organization like that or do we mean agentic? Like how are you talking about AI? Is everybody using the same lexicon so that we know what we're talking about when. And then secondly peeling it back to say, okay, what are the typical controls that I would need to have in place for any non human identity? Should things have access to this system or this data? How can I control it? How can I log and monitor to see after the fact what things were done? And those are things that the security team. That's a natural playbook for us. But I do think, I think more than is it relevant, I think it's super relevant now that the AI is only going to be as good as the people using it. So you need to make sure that you've done that awareness piece. I know you and I are both passionate about awareness to help the organization understand what use cases are acceptable and what use cases can lead to that great productivity gain that everybody is expecting.
C
Have you ever seen the TV show Silicon Valley? Of course. So there's this famous episode where Son of Anton, an AI comes in and it deletes everything in prod because it was given the mandate eliminate all bugs. And of course there's this very tense scene between the founders, like what did your software do? Well, it found the most logical choice to eliminate all bugs was eliminate all software. So with that in mind, like what is the role for good backups when we're running around running and gunning with agentic AI?
D
Yeah, I think it's a great. Everybody in software right now is feeling this real serious crunch that people are thinking, oh, AI is everything and software is dead. And I think that's a little bit misguided. I think, I love that. I'm remembering that episode very well now. And yeah, I think that's a great example where it's dramatic for television, but we're seeing real world cases where AI is. We're not people are using it and not realizing what the implications could be. So, like any tool, let's make sure that we know how to use it and use it the right way so that when that sort of disruption happens in that scenario or any others, you can get back to where you were. And I think whether AI or in general, to me that's good practice. I think smart CISOs know it's not just about building the wall higher. You think like the NIST framework or the CIA triad, recovery, availability, these are key parts to the playbook. But for the past maybe 10 years or so, I've seen people so heavily over index on defense and prevention. Yep. And I don't see as much emphasis placed on how am I going to make sure that I can bring the business back up if any of those things happen.
C
And we're seeing the impacts of a huge event in the US healthcare industry two weeks ago where their entire productivity environment was wiped out using reportedly some of the tools that they had. And so the ability to recover at speed. And that's not the only example, obviously, the Irish national healthcare system and the stresses they were under recovery. We've seen this with the ransomware story writ large. But I think this issue of as we're learning and we're walking and crawling, it's getting our knees with AI systems. We're gonna need backups more than we've really thought of. You're not just worried about the threat actors anymore. You're also worried about speed of some of these tools.
D
Yeah. This resilience gap is huge for me. I, I think of a boxer whose strategy is never get punched in the face. You're not going to be very successful. And I feel like some CISOs, it's almost like a badge of honor. Oh well, never happen on our watch. And I know plenty of good CISOs that have unfortunately had some sort of disruptions and I know it's not their fault.
A
Right.
D
Like you can't control everything. You can't control what every user decides to do. So why people are so reluctant to. Just don't want these things to happen.
B
Yep.
D
But you still have to be prepared. Right. So that when you get that punch to the face, can you take the hit? Can you get back up? To me, that's, that's part of the job. And again, it's funny that it's part of the playbook, but I think people have just been so worried recently that they just want to be on, on defense, protect, protect. But for years the. Everybody's talking about resilience, but how do you make sure that you turn that from A buzzword into practice. Right. Into good practice in the organization. I run marathons and imagine somebody says, oh, let's go run a marathon. No, you should have been practicing. You should be ready for that. You don't want to figure that out. The morning of this, like our tag word for res ops, when I first heard it, I was like, that's genius to me that this needs to be a discipline. This needs to be something you practice.
C
So you said something using res ops. Let's just. I'm going to assume this means resiliency operations.
D
Yeah, absolutely.
C
So this goes along with DevOps and SecOps and now you've got resiliency ops.
D
Yeah, at the highest level thing that. How can I expect to be good at something if I've never practiced it? And again, BCP has been around for a long time. When I see BCP, I see people. Lots of paperwork. Yep. Lots of questions. Oh, we've got a BCP plan for everything in the organization. Great. Some of the incidents you mentioned, some of those disruptions, I bet if you talk to the CISO or the CIO at the time, they're not pulling up those documents and saying, okay, step one, like, it's hectic, it's chaotic. People have lived through incidents, know time is not on your side. You need to be ready to act quick and have a very short list of what's the first thing I'm going to do. Second thing I'm going to do. If I'm a healthcare from a hospital, let's say how do I bring back my life support systems? Right. If I'm a payroll provider, how do I run payroll for the customers that I have? The hospital probably isn't. Payroll might be down the list, but for the payroll provider, that's number one on the site. So every organization needs to figure out what's first, what's second. Great that you have a BCP plan for everything but desert island style, what am I going to do first? You need that and you need to have that practice.
C
And I'm a former soldier. And when you're tired, when you're stressed, the fact that you've got muscle memory, you've practiced something, you're not trying to think through it the first time this starts to matter. I've chatted with CISOs over the years and it's been shame to listen to them talk about after it all happened. And I can only imagine that marathon analogy. Everyone thinks it's the first mile. And by thinking runners have this, that point the hump. Right. And you're just trying to get over that. And once you're past that psychological point, you get there. And I think, I wonder from your running experience if it's having that resiliency ops helps you get past that hump. Like you can see the light at the end of the tunnel. Okay, we've practiced this. I know how to do this.
D
Absolutely. I think it's critical that within the team, within the organization as a whole, leadership, is this now something that they're used to. Again, you don't want to be figuring that out in real time. You need to bring it forward and create that operating model for what I think is the inevitable.
C
Right.
D
Some disruption will happen. Spoiler alert to all the CSOs here who think it's never going to happen. If you're in the game long enough, it's going to happen. Are you built for it? Are you ready? Is your team ready? Are the leadership different key people in leadership, are they ready? Have you practiced it? I think it's critical.
C
And you mentioned before we started, we talked a little bit about the role of the CISO and the importance of the CISO and they're now more important. If you had to give one piece of advice to someone starting as a CISO and this is the first thing they've listened to, what would your advice be?
D
That's a good one.
A
I don't.
D
First I'd make sure that they are okay with the stress.
B
Yep.
D
Because not like you said, it's not an easy job. And I think, I think the most important advice I would give is to make sure you understand your business well. In I've been in three very different industries. You spoke a lot about the kind of medical side doing security for medical device manufacturer. There's a lot of difference there than doing it in a less regulated organization or doing it in a place where you make and sell software and make and sell SaaS solutions for customers. So really understanding for me that's high level. What does our company do? How do we make money? And then even getting deeper, I encourage my team to listen to our earnings reports. Yep. Here. How does the CFO talk about the company? How does the CEO think? I've had the fortune now for several years of being part of that executive team. So I sit in the room with the CFO, the head of sales, head of marketing, CIO and I get to see what are they trying to do. And now I filter everything that I'm worried about in my head through those lenses to say, okay, what about the CISO job matters to the CFO? How do we spend less money or how do we use our investment wisely? So every dollar I get, I'm thinking, okay, with the CFO, how do I make sure I use benchmarking that they're not overspending? Here's what companies our size and industry spend so that they feel comfortable knowing this budget that I'm constantly nagging them for is a good investment.
C
Yep.
D
The head of sales, they have a quota they want to meet. Is there anything I can do? Answer those pesky third party risk questionnaires faster and meet with customers and create good documentation to explain all the security that we have in an easy to consume format. Because again, I want them to. Their job is close more deals faster. So how do I align with them? So that would be my advice, is to really understand what the organization does at that highest level and what each of those key groups are doing so that you can show how you're looking at the same problem side by side and saying, I want to tackle that too.
C
Now, the CSO is often the first to face the fury of whatever breach, et cetera. If we have to change the narrative, if we had to, should we be
B
celebrating the CISO and the role that they play and good CISOs.
C
And I think you guys are doing something cool about trying to shift the narrative of the chief scapegoat to actually the chief business enabler safely.
D
Absolutely. I, when I first heard that Time magazine wanted to do CISO of the year, I. I literally did a double take. I was like, this is amazing. What an amazing accomplishment. Again, I've been in the space 20 years. That's not. If you asked me to guess if this was ever going to be on the radar, no chance I would have put money on this. But I think it's such a strong statement that they recognize executives of the year. But to say, hey, this job is worthy of its own kind of focus I think is key and I'm so glad that we get to be a part of it. That the focus for me, again, this point around resilience, that they're looking for CISOs who also understand the resilience aspect, that it's about all the domains, what NIST or any framework you use, it's about identifying, understanding, defending, and also how do I bring this business back. And I think it's a great celebration, like you said of the people that, you know, have been in the trenches, started off in the trenches, in the shadows, are starting to get more and more attention. And then when you think about anybody walking down the street here in their daily life. Everything we do is digital.
C
Yep.
D
And there is a person and a team of people, whether it's at that hospital or at your bank or anywhere that you do everything you do trying to keep you safe. When I was in the medical space, our mantra was we have to do the security that regulators require, customers expect and patients deserve. And I always thought, like, how there's some customer out there, like an end user, your grandma, your child, somebody that's counting on you to keep this safe. And I think that's what CISOs do is they. For whatever company you're representing, they're having a lot of sleepless nights, probably dealing with a lot of stress. And here comes Time magazine to say it's time that we celebrate them.
C
So all the CISOs out there, last thing. Do you think it's worth it, the job?
D
Yeah, it's. It's a lot of stress. But as a kid, I always. Sports have been a big part of my life, and I always played defense. And I find that so funny to see myself now move into security where there were other people out there that would take the shots and score the goals. For me, that sense of I want to be a part of protecting something. And so if that speaks to somebody out there, I think that it's absolutely worth it. Other people, they. When I was a kid, my dad was a CIO, and so on Saturdays, I'd come in and watch him change the tapes in the tape room. And. And then as. As I was growing up, back in the 1900s was a different time. Back then. He used to run network cable in offices and upgrade people to Windows 95. Cutting edge stuff. And so for me and others, also, seeing this great technology and seeing how it's really empowered everybody to do so many new cool things, that's the other lens too, is that with that great technology and that great advancement for society, somebody's got to make sure it works. So. Yeah. So I think it's worth it if you care about those two things. Thanks.
C
Almost like with great power comes great responsibility. Thank you so much for your time. Dave, this has been such a pleasure. I'm so glad to meet you and really grateful to RSAC for the chance
B
to have this conversation.
D
Absolutely. It's great speaking with you.
C
Awesome.
B
Thank you so much.
D
Thanks.
C
Take care.
A
That's fantastic. David.
B
I had a little bit of fun
C
with Bill in terms of asking him,
B
like, is the job worth it? It. And I think we got some really great insights from that it is worth it. It's stressful, but it is impactful. And I think that means a lot from a guy that. Whose past history includes protecting a medical device manufacturer. I loved his analogy about the marathon and being a marathon runner and how that applies to life in security. No, I think it was great. And I love the idea of celebrating the CISO and this idea of Time magazine doing a CISO of the year. And I think that's great. Interesting, because you've got DevOps, you got security operations. And I like this idea of making a distinction between security and resiliency. But when Bill was talking, he's got experience in being a CISO, not just for a vendor, but in the medical space and other things. And we were talking about the importance of celebrating resiliency. And I think we have to. We have to stop using it as the chief scapegoat, information security officer and actually be about no CISOs that do a good job, that are persevere under horrible circumstances. I think the. The CISO at Stryker is probably going to be a fascinating conversation once they emerge from all that and lessons learned and how they were able to help the organization recover. It's about shifting to culture. We treat CISOs like the dark Knight Returns, the Christopher Nolan mid movie in that series where someone turns to him and says, you either die a hero or live long enough to become the villain. And isn't that the story of the CISO right now, where careers are 18 to 24 months, the stress levels are high, 50% want to quit, and they either die the hero or they become the villain. And I think putting a flag in the ground of it's worth celebrating. This is great.
A
We'd love to have comments from the audience on this. So you can go check us out at technewsday.com or .ca, take your pick. You'll get to the same place, get the contact and send us a note. Or if you're watching this on YouTube, you can just put a comment under the video. We read them all and try to answer them all. David, it's been a great week. I'm sure you're ready for some sleep, but you've got your trip to Korea, so you the. So you may be ready for sleep, but you're not going to get any. But. But I'm thrilled. I'll be thrilled to see you back. I'll be watching for your show on Monday morning to find out what you're handling the trip to Korea as well.
C
Yeah, it's exciting.
B
It's a Team Canada trade mission. I'll be back to my regular day job as the CEO of Beauceron Security. And I'm really looking forward to it. It's my first time heading to Asia and it's the second longest flight of my life. Longest has been from Europe to Cape Town, South Africa. So this is, this is going to be the second longest one. And I think the way back when I fly into Toronto will officially be the longest I've ever been stuck in an airplane in my life.
A
Something to celebrate and we'll see you on Monday morning. And that's our show. We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo at meter.com CST. That's M E T E R.com CST. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Co-host: David Shipley
Guest: Bill O'Connell, Chief Security Officer, Commvault
Date: March 28, 2026
This episode features a lively debrief from the RSA Conference (RSAC) 2026, centering on the shift from "zero trust" to "agentic AI" as the new industry buzzword. Jim Love and David Shipley dissect the hype, reality, and fallout of AI trends in cybersecurity, market economics, and the fundamental changes within the industry. The episode also features an in-depth interview with Bill O'Connell, Commvault’s CISO, exploring cyber resilience, the evolving role of CISOs, and the critical importance of backups and “resiliency operations” in the age of increasingly autonomous AI.
The episode captures a snapshot of a cybersecurity world rocked by agentic AI’s rapid rise. It emphasizes the changing economics, mounting pressures on the defender community, and the new market realities compelling consolidation and higher costs. The interview with Bill O’Connell provides a grounded practitioner’s perspective on leadership, risk, effective communication, and the critical role of backup and recovery — positioning the modern CISO not only as a risk manager but also as an essential business enabler and leader worthy of recognition and respect.
Listener Prompt:
Got thoughts on the CISO journey or the rise of agentic AI? Share your comments with the show at technewsday.com or chime in on YouTube.