Rick Howard (11:34)

Foreign cyber threats are more sophisticated than ever.

Dave Bittner (11:45)

Passwords.

Rick Howard (11:45)

They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door. The login Yubico believes the future is passwordless. Yubikeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com N2K to unlock this deal. That's Yubico. Say no to modern cyber threats Upgrade your security today. Foreign do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. It is always my pleasure to welcome.

Dave Bittner (13:49)

Back to the show Rick Howard. Rick, welcome back. Hey Dave, I have to admit today's a little bittersweet because part of what.

Rick Howard (13:56)

We'Re doing today is sending you on your way.

Dave Bittner (14:01)

You have made the very smart decision.

Rick Howard (14:04)

To.

Dave Bittner (14:07)

Take yourself out to pasture, retire.

Kim Jones (14:11)

Before somebody does it.

Unknown (14:12)

For me, that's a good thanks.

Rick Howard (14:14)

I think a preemptive move on your.

Dave Bittner (14:16)

Part, Rick, which is very smart. But one of the things that I know our listeners are gonna be bummed about is you will no longer be making CSO perspectives.

Kim Jones (14:27)

It is very sad that I don't get to do that, Dave. And you know, I've had the great honor and privilege of being able to work on that show for almost five years and it feels like it's another limb on my body. And to let it go is, like you said, bittersweet. But, yeah, that's where we are. I'm leaving the show and turning it over to better hands.

Rick Howard (14:48)

Well, speaking of better hands, joining us on the line here is Kim Jones.

Dave Bittner (14:53)

Rick, I'm going to let you do the introductions here.

Kim Jones (14:56)

Sure. Ladies and gentlemen, let me introduce you to, to my new friend, Kim Jones. And you know, when we started looking around for my replacement, you know, my big ego said, there's no way that they can find someone who can replace me. Come on.

Dave Bittner (15:11)

And the rest of us said, how hard could it be? So true.

Kim Jones (15:17)

And immediately they found my replacement, like, you know, in a minute. Right. And what's amazing to me is Kim has had almost the same experiences that I've had military career, teacher, educator, serial ciso. And so, yes, we're having a better person come in and take my place on CSO perspective.

Unknown (15:38)

So I won't go that far, but.

Kim Jones (15:41)

Well, thank you for doing this. It's going to be in good hands. As I go out the door.

Unknown (15:46)

I can't tell you how excited I am, Rick, not to see you go out the door, but I'm excited.

Kim Jones (15:50)

Wait, you can't take that back.

Dave Bittner (15:52)

That's the rest of us. Yeah, yeah. Well, Kim, tell us a little bit about yourself. Give us the short version of what.

Rick Howard (16:00)

Your background is and what led you.

Dave Bittner (16:01)

To where you are today.

Unknown (16:03)

Oh, sure. So let's see. As Rick mentioned, I cut my teeth in the military. I spent 10 years as a military intelligence officer. The dirty little secret is that Rick and I both went to the same finishing school for the military just a.

Kim Jones (16:17)

Few years apart, where I learned to dance.

Unknown (16:20)

Absolutely.

Rick Howard (16:22)

Learn how to fold napkins and stuff.

Unknown (16:24)

Yeah. Bounce quarters off of beds. Yes, yes. We both went to west point. I spent 11 years in. I was army intel as opposed to signal like Rick got out in the late 90s, 1998 in the D.C. area and went to work as a consultant for various firms. 2003, I took my first in house job as CISO. And I was a converged CISO. I had to tell people I ran the guns and the geeks for a financial. For a financial services firm, credit card processing firm. My first civilian boss in that role, a wonderful human being named Clyde Thomas, has in later years dubbed me as a smoke jumping ciso. I'm the guy who you have let go the first ciso and the second one is gone, running away kicking and screaming after three months. So I'm the guy who gets to jump in and try and fix things. And I did that for various firms for about a dozen years. I left corporate for what I thought was the last time in 2018 and went into academia and built a cyber degree program for Arizona State University trying to merge both halves of the cyber problem. Stop me if you've heard this before, Rick. We either get great geeks who have a hard time communicating and are terrible at governance and compliance, or we get great governance and risk and compliance folks who don't know the tech and have a terrible time communicating. And did I mention they all have a terrible time communicating.

Kim Jones (17:55)

I don't know what you're talking about. I've never run into that shock.

Unknown (17:58)

Shocked I am. So I tried to build a program that brought those three components there. I did that for a couple years, went out on my own and started consulting, doing risk advisory and fractional CISO work and was lured back into corporate by some friends of mine and went to work For Intuit, the TurboTax, QuickBooks Credit Karma company on CISO staff. They're reporting to the CISO. They're doing various things. Spent most of my time there running security operations. Operations left there in a position called performance acceleration. Focused on strategic issues around how we attract, train, integrate, retain the best talent as well as how we forward look at the security problem going forward. Left there in September and have been back on my own doing teaching training, evangelizing. I'm also a SANS instructor. I teach leader 514 for SANS. I still adjunct at a couple of universities, universities here locally and I'm a lecturer in UC Berkeley's master's program. Other than that, I'm just bored. So, you know.

Dave Bittner (19:07)

Well, let me just. I don't want to put too fine a point on it, Rick, but I.

Rick Howard (19:10)

Think it's worth noting that we're bringing in someone whose core competency is cleaning up the messes that other people leave behind. I don't know what that means, but.

Kim Jones (19:21)

Except for this last time is what you meant. Except for this one.

Unknown (19:25)

This is the first one right here.

Dave Bittner (19:27)

I don't want to say that was at the top of his resume, but.

Rick Howard (19:31)

Certainly bumped him up to the top of the list.

Unknown (19:34)

Dude, I see you. I see the finishing school helped, man. Have you reread Carnegie's how to Win Friends and Influence People? Or you just go retire now, not worry about it?

Rick Howard (19:43)

That's right. It's just going to go cackling off into the distance.

Dave Bittner (19:47)

Well, Kim, on the one hand, I don't envy the situation that you're in.

Rick Howard (19:52)

Here because so many people have enjoyed.

Dave Bittner (19:54)

What Rick has put together here. But at the same time, you do walk in here with a preexisting audience and the ability to make this your own. What do you have in mind going forward?

Unknown (20:04)

Well, it's a great question and I could give the flippant answer. Wow, I really have no idea. But that's not quite true. One of the things I've admired about CISO Perspectives is Rick's ability to take some of the tractable issues we have out there, that when you're sitting the chair and Rick, you know this as well, you don't necessarily have the time to deep dive, get your hands around them in a data driven manner so that you can move things forward. We're all in the business of firefighting. And what I love about Rick's podcast is it says, let's step back for a second, think strategically and think about the problem holistically and look at the next level. I want to continue that for the audience as we go forth. You know, I will tell you that one of the first things that I want to tackle is a passion point of mine, and I don't know if I'm doing an early reveal or not, because we're still in the process of figuring out what the next season is going to be about. But one of my big pet peeves is what I would call affectionately the cyber talent ecosystem, similar to what I was working on at Intuit. And what I like to tell people is if you ask six CISOs, what are the skills that you need to get into cyber, what is the path that you need to get into cyber, and what is the problem we need to fix in Cyber, you'll get 47 different answers, and most of those answers will center around personal preference or personal journey and whether or not you believe there are a million jobs out there or not. And I'm not sure I believe there are a million jobs out there or not. But there is still a need for us to try and figure out how this profession moves forward and how we make what I truly call one of the few true meritocracies that should exist within technology more accessible, more attainable, and self sustaining. We've got to come up with some consistency regarding those answers. And as someone who's played in this from all sides, as a hiring manager, someone focused on looking at it strategically from an academician, from someone who mentors people within the environment, it's terrible. We don't have a straight answer. And one of the things that I genuinely want to do with our audience is to say, look, I don't really care what the answer is, but. But damn it, we probably ought to come up with one because, you know, I'm not as old an old fart as Rick, but I'm not that far behind.

Kim Jones (22:31)

And there's a whole can really make that point.

Unknown (22:33)

Yeah, there we go. But there's a whole lot of us who are these first generation cyber guys that are getting ready to step away from the chair, take a look at what we're leaving behind in terms of pathing and progress, and as you can hear, is truly a passion point of mine. And I want to have some detailed discussions about that from all avenues and all angles. So that's one of the things that I'm working with your Rick's awesome team to try and say, how do we do this? Does this make sense to do this? And how do we make it interesting so we can truly bring the conversation up to the surface as opposed to how most of us talk about this, which are at conferences, in passing over a beer, say, yep, that's a problem. We probably ought to fix it.

Dave Bittner (23:18)

All right, well, Rick, we bid you a fond farewell and all the best in retirement.

Rick Howard (23:23)

I mean, in all seriousness, we hate.

Dave Bittner (23:25)

To see you go, but we're excited.

Rick Howard (23:27)

For you to enter your next stage of life here.

Dave Bittner (23:31)

And Kim, we couldn't be more excited.

Rick Howard (23:32)

To have you join us here. Looking forward to what you're going to bring to CSO perspectives. So, gentlemen, both of you, thanks so much for joining us here today.

Kim Jones (23:40)

Thank you.

Unknown (23:41)

Fantastic, but an honor and a privilege. Thanks.

Dave Bittner (23:58)

Hey, everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data.

Rick Howard (24:08)

Brokers, so I decided to try Deleteme. I have to say, deleteme is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing.

Dave Bittner (24:23)

My data privacy is protected.

Rick Howard (24:26)

Deleteme's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life life private by signing up for Deleteme now at a special discount for our listeners today. Get 20% off your delete me plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.comN2K and enter code N2K at checkout, that's JoinDeleteMe.com N2k code N2K.

Dave Bittner (25:15)

And finally, as regular listeners of our Caveat Law and Policy podcast are well aware, for years stingray devices or cell site simulators have been the nosy eavesdroppers of the digital age, lurking in the shadows and pretending to be legitimate cell towers, tricking phones into spilling their secrets. Law enforcement loves em, privacy advocates hate em, and the rest of us just wonder if our phones are snitching on us. Enter Ray Hunter, the EFF's new open source watchdog, designed to sniff out these pesky imposters. Running on a cheap $20 mobile hotspot, RayHunter detects suspicious cell tower behavior, like forced downgrades to insecure networks or unusual imsi requests. No PhD in hacking required. If something fishy happens, RayHunter turns red, letting users know it's time to shut down or alert the community. The EFF says the goal is real data on stingray use, not just paranoia. With enough users worldwide, we might finally expose how, when and where these digital spies operate. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com be sure to check out this weekend's Research Saturday and my conversation with Jim Walter from Sentinel Labs. The research is titled Hellcat and two brands, one payload as ransomware affiliates drop identical code. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Heltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

Rick Howard (28:16)

And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools, It's time to rethink your security. Zscaler 0Trust AI stops attackers by hiding your attack surface making apps and IPs invisible eliminating lateral movement Connecting users only to specific apps, not the entire network Continuously verifying every request based on identity and context Simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@Zscaler.com Security.