A
Go back and listen to part one of this, the anonymous CISO. And it's anonymous because the truth that you're going to hear, the honesty that we're going to hear, is something that we don't normally get from this position.
B
Hector Monsegur was responsible for some of the most notorious hacks ever committed.
C
Special Agent Chris Tarbell, FBI informants participated
B
in some of the world's most infamous hacks that caused up to $50 million in damages.
C
A life in the shadows, cyber attacks on the rise.
A
Welcome to Hacker and the Fed. I'm Chris Tarbell, former FBI special agent, working my entire career in cybersecurity. And I'm joined, as always, by my buddy, my friend, my podcast co-host, Hector Monsegur. Hi, Hector.
C
Hi.
A
Hector's a former black hat hacker who once faced 125 years in prison for his many years of hacking under the code name Sabu. Our stories collide in June. Oh, boy. Heck, this is a rough one already. Our stories collided in June 2011 when I arrested him and then convinced him to work with me at the FBI. Hector's a red teamer, researcher, cybersecurity expert, and co-founder of SafeHill. Hey, buddy.
C
Hey. What's going on? Hector, that intro is always crazy.
A
I know it always. Every time.
C
I get used to it.
A
But we are also joined by our anonymous CEO for part 2. The audience demanded it, Hector, and so we're bringing it to them. Because they wanted it. They've got so many questions, so much to go through. I'm going to say this is going to be what you call a thick, with three Cs, episode.
C
It might be a four Cs, but a quick one: the anonymous CISO, not CEO.
A
Oh, sorry.
B
Yeah, yeah, sorry. You promoted me. I don't think that was intentional.
C
No, it wasn't.
A
It wasn't. That was a slip of the tongue. But still, they want. Oh, sorry, this. They wanted a CEO, so. Sorry, this. This is not going to be a thick show.
C
Yeah, well, at least if it had three Cs, then.
A
All right, three Cs. CISO's here. CISO, how has it been since the last Hacker and the Fed episode?
B
It's been interesting. Globally, I should say that so many
A
cybers have broken off lately.
B
There are many cybers. There's a lot of development on the dark side. Take your pick as to which side that reference is.
A
Are you telling me that geopolitical stuff really affects your job?
B
It should. More than it has. We've all been on alert for it. There's been a few attacks, some of which, like Striker, I think are coincidental more than anything else. But just about every CISO is on high or elevated alert, and it seems reminiscent of All Quiet on the
A
Western Front. Just to reset with the audience, just so you guys know: if you missed part one, go back and listen to part one of this, the anonymous CISO.
B
And.
A
And it's anonymous because the truth that you're going to hear, the honesty that we're going to hear, is something that we don't normally get from this position. And so we're keeping our CISO anonymous and going to answer questions that are, you know, hard to answer. I don't think a boardroom wants these answers out there sometimes. Or maybe they do. Maybe we're not being honest with ourselves. You know, I was telling Heck and our CISO right before the show started how sexy honesty is and how much I love having honesty in my life. It makes things so much easier. And so I'm hoping that for the audience, you know, hearing some of this inside information is really kind of what you're looking for too. And from the response from part one, I think it's going to get that. So, Heck, you ready to dive into this and see what's going on, really, what's happening in the CISO world?
C
Yeah, no, I'm definitely excited. I think that I've given a lot of thought to our last conversation, and I just want to touch on one thing that our anonymous CISO has said here, which is that I'm actually more... I'm surprised as well about the number of attacks that we've seen over the last three weeks and how a few of them are actually related geopolitically. Like we saw the Striker one. That was a tough one. That was a hard one. Chris and I have discussed the Saudi Aramco hack of 2010ish, 11ish, whatever that was. That was absolutely political. It was an activist operation that went rogue.
B
Absolutely right. Yeah. It also led to massive impact in the commercial sector, I think, inadvertently, with a run on things like memory and computer boards.
C
Absolutely. It had a ton of different effects, cascading effects. And so we saw that happen recently with this company. We saw some small operations. There was a leak of an email that we're going to talk about a little bit, of an email account for somebody in the government. But I've seen more supply chain attacks and more ransomware attacks than politically aligned attacks. And I would love to hear your perspective on that. Is it that I'm asking this from the adversarial side? Hacktivism isn't as big as it was during my era. I think today,
B
or maybe it has shifted form. We saw with the outbreak of the Ukraine-Russia war that much of the ransomware was hosted in Russia in particular, but in countries that were aligned one way or the other, much of it was privatized or co-opted. And many of the independent hackers, if you will, the hacktivists, were likewise affiliated with those groups. And many of them didn't have a choice but to line up on one side or to get conscripted. And I would say that those who are out hacking didn't have much margin, they didn't have much extra resource to apply. I'm more surprised because in the case of the invasion of Iran, it would imply that there's more strategic depth, that even in asymmetry, there is a waiting and a pause and thought about a long game rather than just a short game. That is perhaps the most disturbing thing about the conflict. For instance, look at the saturation of missiles targeting opposing forces to Iran. That's right, in the Gulf and Israel, and you see missiles flying through the air in constant waves, not in one large orgiastic wave. That says there's either a conservation of resources, continuous manufacturing capability and logistics, or something else is going on.
C
Well, with that we'll probably have to shift over to cybers or more.
B
Oh, and it applies there too, doesn't it?
C
No, it does, absolutely. And I think the problem that, at least from my side, what I'm seeing is that a lot of these bad actors are probably getting access or have access to certain things that they're probably sitting on to cause the most, I would say, disturbance as possible. We saw what happened during COVID. Without mentioning company names, there were some companies that were compromised and it affected the supply chain here in the United States. And so the reality there is, okay, well, are these guys, are these teams, no matter where they're located, is that what they're doing? They're infiltrating and then waiting for, you know, some organized, coordinated effort to cause as much damage and panic as possible, at least here in the United States. I'm not sure about anyone.
B
Before we take the perspective of any given CISO or security department or citizens or any national interest, we have to try to take the perspective of the opponent. And so we say, what are their objectives, what are their goals? We know what the goals are in the Strait of Hormuz, that's pretty straightforward. But online, what are their goals? And absent an actual objective, simply assuming that they aren't intelligent or that they're out just to flail and cause harm doesn't really serve their ends. At the moment they're gaining sympathy throughout most of the non-US Western world, they're gaining sympathy as the perceived victim of U.S. aggression. And why would they affect that? So what a leader always wants is what's called optionality. They want to turn to their ministers, to their leaders of the military, and that includes a cyber arm, and say, give me choices. But the question is, choices to achieve what? It's far more interesting to look at what they want to achieve and then see what they're doing. Now let's flip it around, let's see what they are not doing. They aren't launching massive full-scale attacks. They haven't really changed the cadence of attacks one way or the other. Which means they're not really after a strategic objective from a cyber perspective. That capability has either gone away, which is incredibly doubtful because it's not all based in Iran, or it hasn't come into play yet. Now we say, what does the CISO care about? Well, they care about confidentiality, integrity, availability of their products, their supply chain, their vendors, their customers. And they're looking at this going, wait, when will the other shoe fall? And they can't know yet.
C
That's right. And good callout to the CIA triad. It was a good one for the audience.
B
Non repudiation sometimes and authenticity too.
C
But yeah, there you go, that works. All right.
A
So recently there was sort of a, you know, I-told-you-so moment for you. You came on the show and you talked about GRC, and you didn't talk about it in the most positive of ways. And then we've talked about on the show, since you've been on, there's a thing called Delve. It was sort of a SOC 2 certificate manufacturing, pump-and-dump type scheme. What are your thoughts on this? Have you been following this in the news, and does it make you feel better because you were able to call this on the last episode? It doesn't make me feel better. I don't feel better about this whole situation. I think it's a block behind cybersecurity.
B
No, it doesn't make me feel good. I think it's a blanket on cybersecurity as well. The reason is this: GRC is a bucket. It's a bucket where we put the things that we didn't have a label for before. And it has also become the home of people that like to chase spreadsheets. And frankly, it is security theater. It has been for a long time, and I'm happy to dive into this. I would rather be proved wrong, by the way. But what we've got here is, plain and simple, con men, or what appears to be con men, because of course they haven't been taken to a court. But the evidence is looking pretty damning. And it says a company is enabling people, for what looks like absolutely awful, corrupt behavior on the part of this company, turning to their customers and saying, for a small fee, you can go through security theater to an even greater degree than normal and you can pass this off, and we'll just keep the charade going. So let's define a few things, but first of all, imagine you're a startup and you're doing something innovative. You've got two squads of developers, maybe you're headed towards an A round, and you know you want to sell to a Fortune 500. You know you want to do that. Maybe even the Global 2000, maybe even just an enterprise up the street. And you know they're going to ask you, are you doing security right? If you're doing security right, even at a base level, you probably need about six people working for two years. And you might, if you aim towards it, get a certification. So that would mean not 20 people plus some management. That would mean 30 people plus some management for two years. Can't do it, can you? Most startups can't. So they have to really work hard, over-invest, slow down innovation. Eventually they struggle through a year of doing it on an accelerated path, get good enough, and if they're honest, they begin the process and they bend over backwards and they get it. 
And it gets worse if they hit the IPO because they have to demonstrate an even higher level. We've seen that. So along comes a company and says, hey, we can help you. We've got a process that uses AI and all sorts of advanced techniques. We can take hundreds of hours of work. In the attestation phase, we can give you all sorts of tips and tricks on how to get there faster. And for a mere $15,000, we can make this all go away.
C
Well, I want to give an example here. For this specific story, they were charging as low as 6,000 or 8,000.
B
Well, that was after negotiation. But if you look at it, let's talk about those definitions. You could be uncertified, you could be doing security, you could be doing it well. You could be certified and doing it poorly. Certified and doing it well. And then you could have a con man come in and give you a false report, and you might be doing it poorly, and you might be doing it well. The certification, in other words, is usually not related to how well you're doing security. There's some correlation, but it's loose. And that, Chris, was why I was so bent out of shape over GRC, at least the C part of it.
A
But so in this scenario, this specific scenario, I've got three bad guys and I want your thought on all three bad guys. I got this company that's coming in and saying, for a very low fee, I can make all your problems go away. Pretty obvious why that guy's a bad guy. We got companies that are saying, hey, I need help with this. I need to get certified, I need SOC 2 certification. And they come back and say, you're now SOC 2 certified as a company. You know, you didn't do shit, you didn't change anything, you didn't improve anything. So you're a bad guy. You know, you just got this fake certificate. You haven't done anything to earn it. Number three, the industry that is requiring these startups, two years, 10 extra guys in your example, to get to this point to be acquired and all that, somewhat a hurdle that can't be jumped across. You know, you're setting a bar too high. Where do you land on all three of these bad guys? Is one of them not a bad guy? Am I misstating the first one?
B
Yeah, there are some. You can have someone come in and they can say, I'll help you. They roll up their sleeves. They've got people who've been through it before, they can help you shave some time off, and people off. They've got canned policies. They'll verify what you do or don't do and help you with the difference and all that stuff. There are ways to do that. There's even a better form of that, if somebody's actually done the work and has some innovation and some tools that are going to help you close the gap. There's some possibility that some products and tools are going to help you; especially LLMs seem like a pretty good idea for how to do that. Let's find out how you really do things and where the evidence exists. But you know what, most of those guys are also startups, and most of those guys are still building out those tools. So you've really got to be able to... Here's the thing, you know the Dunning-Kruger effect, right? Which is you have to actually have the same degree of competence to know somebody is dumb as you do to know they're intelligent, right? So you gotta know what good looks like in order to know it's good. That's the problem. Most of these people are brand new at the game. You've got one person in it, or a developer who's never done this before, who's being told, don't worry, I got this. Is the person on the other side of the table one of your bad guys, your first case? Or is it a case of a good guy who can actually help? So you turn for references, and that's what these people did. They kept showing other people. In fact, that's mostly what they showed, or they showed demos that made it look easy. Now your second case, that one is actually more likely to be two different cases. The first one is honest people got engaged and partway through the process went, oh my God, there's nothing here. Now what do we do? We dropped money, we're in sales cycles. I mean, I'm going to lose my job, we're all going to get fired. And they're in a moment of: do I come clean and cost the company millions in revenue, maybe go out of existence, or do I just go along with it and try to fix it later, maybe? Or do I just shut up and move along and not care? Now you're the bad guy. Yeah, it's pretty ugly.
A
What about the industry? Do you ever put any fault in the industry of setting a hurdle that these startups can't get over?
B
Well, I prefer myself, when I'm dealing with startups, to talk to them. I actually tell companies, I don't expect you to be in compliance with these standards. I want to see that you're on a process, that you're making progress towards it, and you enter into a dialogue with me. I don't care if you haven't done a pen test. Tell me you're gonna. I don't care if your patching is slow. Show me that you mean to change it sometime in the next couple of years. I'll work with you. Show me your roadmap. Oh, you haven't got one. Let's work on one. Show me you mean it. I will spend time with the startup if my business needs the product, but I'll also tell them if my business doesn't. And okay, in my case, I have a risk register, four or five things at the top, and if they're innovative enough to help me there, I will spend time with them. Because, remember, business is about acceptable risk for acceptable return. And customers can be lazy, too. So as a customer, I have a process where I've got dozens of vendors coming in, and if they're above a certain size, they better have it right. I consider it a bare minimum because it is a checkbox. Let's get it right. You're proving that you have enough people to do this, really. But if you're a small company and you turn up and you go, hey, look, we're 20, 30 people, but we've got a person on it, we've got a VC, so we're working on a program. This is the date we're going to hit it. We don't have everything yet. I'll say, okay, let's set up a monthly meeting. I'll even help the person. I do that. I know some of my colleagues do that, because we're not a lazy vendor and we're not a lazy customer.
A
Do you find that to be the norm in the industry?
B
No, it's not. No, it's not. But you know what? A lot of this stuff, I'm hoping there are CISOs listening to your podcast who go, hey, I could do that. If I can't do that, maybe my deputy CISO can. If he or she can't do that, maybe the head of my GRC program can. They should be worth something, after all.
C
Yeah, they have to earn that salary somehow.
B
But you see, many people in GRC seem to... They don't realize the checkbox isn't binary. Some checkboxes matter more than others.
C
The way you said that reminded me of Animal Farm at the end, you know?
B
Yeah, not all equal is the same.
C
Yeah, exactly right. Same, same, but different.
A
You talk about checkboxes. Do you actually read the SOC 2 reports coming out of these vendors?
B
Well, most of it's a marketing document.
A
All right?
B
If you have a SOC 2 report that has a finding in it, there's a scramble in the company until they fix it and get it out of there.
A
So you don't see them.
B
So.
A
No, they're all.
B
Because everybody looks at it the same way. It's all the same format. And you look at the findings column. The things you look for are: when did you do your last pen test? Then you follow up and you say, show me your pen test. How are you dealing with things? But most of that is also security theater. Security is in how you do it. It's not a snapshot. What's a SOC 2 report? It is a very carefully choreographed photograph with everybody standing in the right position, and then the flash goes and they blow on the picture a little bit and they frame it and they ship it to you. That's what it is. It doesn't tell you what it's like in motion. I learn far more in a one-hour conversation with a security leader and his or her lieutenants than I do with anyone else or anything else.
A
Heck, do you want to say something about SafeHill here, or no?
C
No, these conversations are great for me, because as someone that's running a startup with a 20-man team, as you outlined before, that was not
B
intentional, by the way.
C
No, it's just... But it correlates. Yeah, no, yeah. There's a lot of startups, similar profiles, and so these conversations are great for me personally. I'm sure for some of the audience members who are in the same position where, you know, I could look at how I deal with that vendor onboarding process. And I'm hopeful that I find CISOs like yourself that are like, hey, let's go through, you know, what your pen testing methodology might look like. What's the last time you engaged one? You know, what's the frequency of that? You know, I would love that, but honestly, we don't get that from anybody. Even like Fortune 500 companies. I don't get that. Even before I had my own startup, made my own business, and I worked as, you know, I would help out with sales with previous companies. They would just sell a pen test or product or whatever. And the onboarding process was, hey, yeah, check all these different spreadsheet checkboxes, then that's it. And so from my perspective, and moving forward, and now that we are in the geopolitical tension and space that we're in, turmoil. The turmoil. Right. It does raise concern for me that this is all, you know, a house of cards in a way, because not only does the GRC space have these kinds of gaps, but pretty much everywhere else within the cybersecurity industry. And as someone that's very, you know, patriotic, I love the country, I love my country, et cetera, it makes me wonder where else, or how far, does this spread across the United States? It is concerning. Sure.
B
Please, let's bring some operational rigor to this. I define a problem very specifically as three things: a target, a miss and a trend. The trend is the key part. I define success as hitting a target and a trend. Is it getting better? Is it getting worse? Now, if you take that perspective, what does a SOC 2 report tell you? It tells you at some point in time you hit a target, and that's it. It doesn't tell you before, it doesn't tell you after. It doesn't tell you trends. What I care about is seeing the graph as it moves along. Now, from what I understand of your product and your company, the word continuous appears in a lot of places. I care about continuity. I care about, is it stochastic, meaning seemingly random? Is it going up? Is it going down? Is it getting better? Is it getting worse? And I care about discontinuities, big jumps. I care about disruptors like AI, or back in the day, I cared about cloud, sure. I care about war. I care about things that change from a technology perspective or a climate perspective outside. And so I would say what you need to do is to find the people that think that way and help more people think that way. Influencers, maybe get some thought leadership out there. You'll find them. Because we're all sitting here worried that we're staring at greenwashed dashboards. I don't like green. I try to reward, in my organization, people who bring me red, because with red I can do something. With green I'm useless. I actually get calm when things go bad, because now I know who the enemy is. It's real simple. And that is the sign, I hope, of a good CISO or good security person. That's what I look for: people who are hunting the red, not putting their heels up and putting their hands behind their head when it's all green, because that is scary. They should be leaning forward for the red. So when everything is green, you should be talking to customers and saying, is everything green? Do you really believe that? 
Do you think, in an age of AI, when the next AI bot that comes out will be a pen testing bot, how long till it gets weaponized? What's it going to do to your networks when it finds a mountain of tech debt? When was the last time you went back and checked five-year-old code for critical vulns? Do you have any five-year-old code on your network? Of course not.
C
Right.
B
Should you maybe be looking continuously for stuff? The word continuous, for me, and continuity and trend, those are important words.
C
Well, I gotta say something before I continue. I'm sorry, Chris, but the way you put that out there, brother, it may be even more concerning, to be honest with you. Yes, it kind of freaks me out a little bit, because I, as, you know, as a red teamer and even as an adversary, I have legitimately... This is not, you know, fucking gloating here, but I've legitimately compromised hundreds of networks and thousands of servers, and it just keeps going. And now, as a professional, right, doing red teams and all that good stuff,
B
how many of them had green reports?
C
Almost none. Almost none.
B
They would have all had green reports from their GRC team, from their SOC 2 report.
C
After the fact. No, but before.
B
Yeah, they delve very far.
C
I like what you did there. But even to this day, 2026, what are we seeing? We are seeing networks that lack segmentation of any sort. Like you said, tech debt, old software, old internal web apps, zero monitoring, action research, anything going on with set-it-and-forget-it deployments. For healthcare specifically, I can tell you how many times, and it's probably over 50% of the time I do a healthcare engagement of any sort, mostly internal networks, where 14 years ago they bought a healthcare product, and in those 14 years the parent company was acquired or went bankrupt and insolvent. And so there's no more support for the product.
B
But the original HITRUST certification.
C
Right, that's exactly right. That's exactly right. He got the old school HITRUST. But here's the thing.
B
But I didn't touch it after.
C
No, and not only that, you know, they purchased that product for 10, 15, $20 million. Healthcare, it's expensive. They can't justify replacing it, because that's a lot of money they invested in 14 years ago. So they have this machine on a network, and you know what they're telling me on an engagement? Hey, can you exclude that from auditing? Because we know it's Swiss cheese. Why?
B
But we cannot just heal thyself. Yeah. Can you tell me how healthy I am? Just don't scan the heart. Been around for a while.
C
Well, yeah, and the concern always is like, yeah, we know where it lies. It's risky, but it's an accepted risk. That's one. But two, we can't afford for you to crash it with your scans, because we've done an nmap scan before and it crashed. You know what I mean?
B
So an nmap scan brought it down
C
because it's a fingerprint, you know, it has like 3,000 fingerprinting modules.
B
I tickled the patient and he had a heart attack.
A
I don't know.
B
Just be careful.
C
I think if you tickle Chris, he might do something else.
A
Well, I know what I will do. Yes. I don't like that accusation, but yes, I will do that. But just to wrap up the Delve thing, what do you see as the ripple effects in the community about this?
B
Everybody who hears this, at the very least, should be looking at their TPRM, right? They should be asking their vendors, do you use Delve? If so, for what and when? Because at this point I would, let's say, in the court of law, you're guilty until proven innocent. In the court of risk, I don't have that luxury.
A
Do you see this going to a court of law? Do you see any sort of regulatory
B
bodies coming to you? It doesn't matter worth shit. It may or may not, based on the evidence and what some DA somewhere says or whatever. It doesn't matter what the glib bastards in the corner office over there can say and convince people of, or not. All I care about is the R in GRC, and that tells me that if somebody is using them, I need to make sure the claims are true. That's it.
C
For a CISO in your position, without going into details, but massive infrastructure, massive things going on, how do you deal with this now? Because now you have to audit all of your vendors.
B
We have a TPRM solution, and it's not urgent in the sense that an exploit is imminent. If this was about, let's say, something like Log4j and it's being actively exploited in real time, I need netsuite right now. But this is not. This is about generally bad practices among a class of vendors, and I need to identify that class of vendors because the risk has gone up. But the likelihood is roughly the same as it was yesterday. In the case of a Log4j incident, you could see that likelihood spike. Risk is likelihood and damage. So it's not... It is important. And the importance of it just went up, it's now on my radar. But it didn't just spike in the urgency category, very much so. Don't get a "please answer within 72 hours" or a week or something like that. I don't want to telegraph too much who I am.
C
Well, and I would say for the audience here, because remember we have a broad mix of audience members, people that are technical, non-technical, a bunch of CISOs, a bunch of...
B
I can explain a bit or you can.
C
Yeah, I was just going to say that when our guest says TPRM, they're referring to third-party risk management.
B
It's basically a portal. Go out and ask questions and get answers back from those who supply me.
C
But here's the fucked up part, pardon my French, but what if your TPRM is in the Delve space
B
where I'm waiting to see that response.
C
How can you be so sure that the TPRM is telling you the information that you actually need? That's the one.
B
Well, if it outright lies and there's a problem, I already know roughly the subset of vendors that it might be. But then we get back to Chris's earlier question. Are they bad guys, or are they good guys that were forced into a corner? So this is one of those things where, if they matter to me as a vendor, then I may offer an amnesty to work with me until they get this stuff straight. If not, fuck you. Yeah,
C
in the original, kind of like whistleblower leak, the Substack article with regards to Delve. We're going to move on from this because, you know, one, I would like for more conversations and discourse around this topic.
B
There's gonna be more of these.
C
Yeah, well, on Twitter, it's all the rage. Motherfuckers going crazy on Twitter.
B
But Twitter's also a little crazy. But yeah, it's.
C
Yeah, but in terms of like the media, we haven't really seen much on this in the media. I don't think they really understand the consequences of what this is. But going back to Chris's categorizations, I think it's fantastic. His second one, and then you split that from the first guy to the second guy. The second one, to be right, is the guy or company that signed up for the service, they got the certification, they're like, I didn't do anything. So this is legitimate, I guess, or whatever. No, it's not legitimate, and I recognize that. But I'm still going to post the SOC 2 certified certificate because I have to. Because. Exactly. Right. So from there, from the guy's perspective, the author's perspective, he said, I knew that it was wrong, but I just rambled it anyway. Because we paid for it. Yeah, they paid for it. And I'm assuming the guy's a startup, right? That's one, and two, we paid for it and we kind of need it now to close jobs and businesses. Right. We can't generate revenue if this thing is false. We've got to go back to Drata or something else. So when I read the Substack I was like, wow, this is a hell of a whistleblower story. Great. But then I'm looking at the author, like, dude, they were honest, but how many of those actually exist out there?
B
He was honest in the end.
C
At the end, after everything. Yeah.
B
So this is... I used this analogy with you the other day, Heck. I said, this is the equivalent for shareholders as it would be for citizens if they were told their overpasses were made with bad cement. The person mixing it knew it was bad, said, you know what, I kind of got to mix it anyway. Later I'll come out and tell people that the cement is bad. There's still trucks going over it. That's the problem. Now, if the person at the time had gone to their management and the management said, we're going to do the brave thing, we've talked to our investors, there's consequences, but we don't want you to do this. We want you to take the longer path. We want you to start over. If they had said that and they'd taken consequences and risk for that decision, which they had to begin with, by the way, when they contracted with Delve, then that would be laudatory. That would be something. I'd be like, well done. I would even be behind you. Now, admittedly, not everybody would be. Many, many people would be like, well, too bad you're not there. But that's the kind of society we have to get to. Not, I mixed the bad cement and built bad overpasses, and now I feel bad, however long later it is, while people are driving their families over and there's trucks full of propane going over it.
C
That is so true. Yeah, that is. That's a tough one.
B
Oh, he was honest in the end. Okay, so what?
A
Yeah, only honest when caught.
B
Yeah. And by the way, it's still anonymous. That's not whistleblowing.
C
That is true.
B
Tooting at your butt,
C
by the way.
B
Very articulate and well written, FYI.
C
Yeah, I think it was structured very well. It told the story very well. Sometimes I, I, I guess I'm getting older. I can't read the big walls of text anymore that some people do. But that article, I read it from beginning to end. I was like, okay, this is good.
B
But here's, here's the other thing that there were several of them alluded to in that article that we're talking and working together collectively, they have some strength. I would recommend, if they're listening to this, that I have some respect for what you did, in spite of how I just said it. However, you can do more collectively. Much is expected of those to whom much is given. You've wrestled something, use it
C
well with that.
A
Yeah. So I think we need to move on. Let's move on more into the life of a CISO. I know after our first interview, both Heck and I got a lot of feedback from different CISOs, including one who talked to Heck about drug use in the job. Pretty heavy drug use. And that supposedly is a common.
B
He was looking for a plug, right?
A
He was looking for a plug, maybe. But I mean, we're seeing, you know, this.
B
I don't know if we can talk about that.
A
Former Fed. Former Fed. So naturally. But you know, there's burnout, personal liability, you know, impossible expectations. You know, there, there's a lot of stuff out there saying 75% of CISOs are considering leaving their job. The average tenure, 18 to 26 months. You're putting in, you know, 50, 60, 70 hours a week in this job. It's, it's on call. I mean, shit happens on a Friday afternoon, on a, on a Friday before a three day weekend, every time, every time, whenever. But you're going to, you know, the wife wants you going out for Labor Day weekend and Friday afternoon. That's when shit breaks off.
B
Which, which wife you talking about?
A
Your wife, your girlfriend, Both of them want you. You know, you're getting, that's another stress. You know, how do you deal with all. How, how, how is this a job that you want? How do young people aspire to this job? How do you deal with it? Like what is.
B
You don't.
A
Dark secrets.
B
You don't. Many don't. The, the average tells a horrible story. There's one of obesity, it's one of drug use, it's one of alcohol abuse, it's one of sadness. The few that make it through have to lean on each other and share. What you'll find is that when we go to RSA Conference or Black Hat or any of the, the Gurkha and the ShmooCons, if you go to the smaller conferences, what we're really doing is we're together as a community and friends. Sure. The same thing is true at BSides. Same thing is true at any gathering, even the ones for the big brands like Gartner or what have you. And that's because friendship is about the only thing that will get you through this. And I don't know a CISO who isn't suffering from at least chronic depression, bipolar disorder, something like that. It takes a toll. Now some of it may be genetic, maybe we get pulled to it. Most of us by the way, have psychological issues in that we like to protect people and that usually comes from some form of trauma. And so maybe it's traumatic entering. We'd have to look at the psychology of it. There's some studies that have been done. But the bottom line is the human cost is terrible. And one of the things we have to be especially careful of is to provide safe psychological environments for those who are coming into the job, coming up the stack and they see us suffering, they feel it with us and for us. You'll find some of the kindest people in the world that I know in it are cyber people, senior cyber people who've been absolutely traumatized. And you see it every convention you go to. You see the self abuse. You hear people make fat jokes about themselves and they call themselves ugly and they're hurting and it is perpetual. I'm not saying that as a victim, I'm not saying that as a way to get sympathy. It is just a fact and the numbers show it. And so being not taken seriously as a business person is a hard thing because we're seen as cyber people, cyber.
Our own cyber team sometimes sees us as having to compromise with the business on things that should never be compromised. The mission is what we have as a comfort. And many, many of us have failed marriages and failed relationships as a result. It's really hard to have a relationship when you are in an incident for 30 days straight without going home and going to bed.
A
Can you say something? Can you get out and get help? I mean, as a former FBI agent, if I was to say something, I mean, I've watched videos because of cases I'm working on of infants having sex with grown men and that bothered me. It really got to me. Oh yeah, but you can't say something, otherwise they give you a rubber gun and you lose your security clearance. If you want to say I need help, you can't. If you raise your hand, guess what, you just lose. The thing is it's the same.
B
You lose your clearance, you can't get certain types of help because that's part of your background check. And now you're considered compromisable, blackmailable and so on. There have been times in the last two years when I checked myself into a hospital and didn't tell my colleagues the cause because it would have affected my ability to hold onto the job. Not because I couldn't do it, because of how I would have been perceived.
A
So why, why do it?
B
Because somebody has to. And because we are protectors at heart. In my case, it's because of childhood trauma. I am. I can't be anything but a protector. It's also my trade in my craft. It's how I identify.
C
Wow. You know what's crazy you say that is that I suffer from that as well. You know, I would say. I know.
B
I can see it in you.
A
Yeah.
C
No, I have the same traits. And it probably goes back psychologically to, you know, when my mother abandoned me as a child. Maybe I have abandonment issues and so. But I never. I never.
B
I know you, and I've known you a long time. And so do I. Yeah. Yes. And you either go one way or you go the other, or you go one way and then you go the other.
C
It makes a lot of sense why you and I are in this space. I tell you, because we feel like we have to be protectors at one point. I was the adversary. I was the offender.
B
Yeah, when you were the offender, you still justified it in your head, even if you had no moral guidance from a mentor, let's say, or even if you didn't have the context to put it in, as you gained that look at the path you steered with Chris.
C
No, that 100%.
B
And by the way, it's a continuous journey. Heck, for you, it just looks to the outside of the world like there was a discontinuity.
C
I gotta say, man, this is a great therapy session. Send me an invoice after this, brother. It's definitely worth it. And by the way, for the audience's sake, out of the three men on this call here, there's only one man on this call that actually had their hands on me and, you know, checked me for weapons. It's your boy Chris. You know, but I still do that.
A
That's just for fun.
B
It's not for a loaded weapon.
C
No, no. He said I had a snub nose and that really offended me.
A
Well, I'll tell you this. I'll tell you this. If you've never been searched by a law enforcement officer, an FBI agent, or a cop or anything, it's a fear boner. It's the opposite. It. It goes in.
C
Oh, yeah.
A
I've never. I've never come across anyone that's any. He's got any sort of excitement out of it or anything like that. It always retract anything, sir.
B
I see you did. Yes.
C
Well, which leads me to a question then, my friend. So we know that after many conversations and a lot of CISOs that I've met, it makes sense why conferences are a big deal for CISOs and executives in the space. And you kind of touched on something I wanted to ask you about, which is when you go to a boardroom and you have a CIO there and you have the CEO and CFO and all these people, you know, is the CISO getting the same level of respect as some of these other colleagues? I feel like the CISO's looked at as less, you know, as important as a CIO. This is my opinion. This is not my opinion. I mean a fucking opinion. This is what I'm seeing from the outside. Okay, so from the board members' perspective, is the CISO an executive like a CEO or a CIO in terms of importance? And then put on the flip side, you know, how are security teams looking at the CISO? Like, is that my homie or is that my. Oh, that's my executive boss, the guy in a suit. Right? So you're stuck in the. You're stuck in the middle of two different, completely different crowds. That's, you know, that's what I'm saying.
B
I think it's. We should flip that around and say every new CISO is being looked at as an outsider. How it goes from there is up to the CISO. And the most important thing the CISO can do is to realize their job is no longer to be the smartest security person in the room. That is just the fact. They just are. Don't worry about it. Stop proving your competence anymore. Your job now is to let your team be smarter than you. Stay in touch with what they're doing, set them up for success. You're a logistics person. You're a leader, not a manager anymore. Make sure you've got good people. I had a boss who once said, you are now responsible for operational excellence, for being an agent for change in the organization, and for being a voice of technology. Pick one, and if you're really good, pick none. That was incredible advice because now your job is largely social. It is tying your stack to the company and being a business person first, which means your best friend should be the CFO or the general counsel. They are risk stacks like yours, not the CIO. If all you're talking to is the CIO, you are failing.
C
You're a bad guy.
B
What do you mean? Get out of tech. Get out of tech and talk to. Go and see customers with the head of sales. I guarantee every company, no matter what kind of company it is, has got customers going, What are you doing about privacy? What are you doing about security? Where's the data? What about data sovereignty? What happens with the information? What happens as you go down? How do you stay up? What are you doing about AI? What are you doing about privacy and AI? All those questions are coming up. If you bring a CISO to the. To that sales meeting with the Chief Revenue Officer for the company, you're bringing a gun to a knife fight, they will love you. And what's more is having customer contact is the secret weapon in the boardroom. It's the secret weapon. When you go and ask for budget for something, you can say, you know what? I went and saw bank one, a Fortune one company, a Fortune two company, a Fortune three company, and this is what they wanted. Everyone's leaning forward. Not because you came forward and said, oh, I had 50 viruses last month. Nobody cares. Nobody cares. So you are tying yourself to the business. Your best friends are CFO and general counsel, and you should be tied at the hip with your Chief Revenue Officer. If you're not doing that, Heck, I know the answer to your question, and so do you. And if you are doing that, you also know the answer to your question.
C
That is such a valuable insight. You know, these are. These. Okay, these are the kind of conversations you have in the background. And I'm not sure the audience realizes that hearing this.
B
Some CISOs will recognize me by some of the things I'm saying right now, and they know me well enough to keep confidence. But that's okay.
C
Yeah, no, this is. This is fantastic incident I do have. And, Chris, I know that we have a structure here, but I know we wanted to touch on AI a little bit.
A
There's no structure, just conversation. Just a conversation.
C
Having a conversation.
B
Ask me anything. Okay, this is.
C
This is a good one. And I'll start off. I know Chris has a billion questions, but I'm gonna start it off with this pretty straightforward. How has the game changed for the average CISO now that AI is a thing, governance is a problem, and this. I know. I know people that they're trying to understand how to build a policy around this, including the White House, they just released a guidance or framework for AI policy moving forward. They have seven pillars. Seven pillars on how to deal with that. We could talk about that later, but, Frederic, what are they doing?
B
Hey. Things that rhyme sound right. Things that come in threes sound good. And when you're really in trouble, things that come in fives or even sevens. Just how human brains work, right? Seven's a sacred number. It's also a prime number. That's why now when it comes to policy, the problem right now isn't controls. There's a lot of controls. Sure there are, especially administrative controls. That's where the trouble is. So the problem is policy. How do you want it to operate? And a lot of the problem is mimetic. It is in the thinking space. So some people in corner offices are enamored of the idea that innovation happens with small people who just start working over a weekend and come up with an app. And guess what? Anyone can. Now sales wants to build a new quoting tool that can do it with the Claude IDE, right? Maybe HR wants to build a new benefit tool. Maybe your legal department wants to build something that will answer questions about the stock program. Everybody wants to be a front end developer, but who's doing the backend work and verifying it? Who's making sure that you're not incurring more tech debt or that it can stand up under stress? And when that person leaves the company, how many of them did they create? What's the inventory of that stuff? What permissions did that stuff have? That's all administrative policy. And so the most important thing I'd say here is the rate of change of the art of the possible with this caliber of tools is such you should be meeting on this probably every two weeks. You should consider your policy a living document. And you should be working cross functionally with the other departments of no, that means legal, that means finance, that means the CIO, and that means security. They have to be tight and you've got to be working hard because every other department, including those ones, want to use these tools.
The problem is not what can you do or even what technical controls exist, it's how do you want it to work in your company. You need a life cycle. If you don't have a life cycle, you're doomed. And you need to understand your security model and your identity model. And there's so many other issues we could talk on, like what are machine IDs all about right now? And what are the authorization and authenticity models in the future going to be like? But that's probably a bridge too far today.
C
Yeah, we cover that in episode four, honestly.
B
Yeah, yeah, we'll do that.
C
There was, there was a story that we covered recently. It was a very old company. They had an incident where they had onboarded AI early on and you know, they had like nine-to-one agents to employees, Chris. I don't know if the numbers are off there, but it was ridiculous. I think they had like 20 some thousand employees or whatever and they had like double or triple that in agents running.
B
If that's actually truly well constructed agents, not just desktop running agents, then their OPEX is going to be off the chart with runtime costs.
C
Oh yeah, well, for that organization they had a problem and the problem is that they had some sort of chatbots and the researchers were able to jailbreak that or break out of it or prompt break it or whatever you want to call it. And they were able to get access to everything, right? The entire thing, terabytes or petabytes worth of information, ip everything you can imagine was available to them. And of course they did a public disclosure.
B
So they're pedophiles.
C
Haha, no, no, no, we don't know that. But allegedly. But yeah. So for that organization that suffered that massive breach, because that is, that is a breach regardless, right?
B
Unauthorized access, technically, yeah.
C
And the researchers, I think they, this is what I told Chris, I said, Chris, you know, they should have just spoke to the company and did like, you know, maybe a little bug bounty and then the company should have probably hired them to help them deal with securing the, securing the perimeter of that chatbot.
B
There's no reason you can't put a little financial incentive behind helping to close stuff off.
C
Yeah, and I'm for that. But in this case it didn't turn out that way. In this case they just, they did a public disclosure, you know, so
A
following
C
that profile, how does a CISO or the executive team or security team deal with something like that, that where you have internal AI being able to access or being accessible from the external side. You know, I can't imagine, obviously the engineering effort involved just did not take this into account that hey, maybe someone
B
breakdown and failure heads need to roll and you need to shut things down and you need to do a tabula rasa approach. That's my opinion. Look, if, and what's if this was anything else? If someone had said, oh my goodness, there's people out selling secrets on the, on Route 280 through San Francisco or 101, if somebody had said they're out there selling this stuff, there's nothing we can do. Yes, there are things you can do. You can have them arrested. Right. What you do is you take drastic measures. But it's not just external people to lose their job.
A
Yeah, it's not just external though. I mean you give your LLM access to all your data. If you want a full picture, the LLMs pretty much got to have access to everything. Your internal engineers now have access to everything. How do you limit your engineers from even accessing, like you know, comp models, you know, what people are getting paid and other benefits. Like how do we set limitations on it?
B
Chris, you're right. This is the problem. I hinted at it earlier and Heck mentioned segmentation. There isn't fine enough authorization and access control fine grained enough. In most organizations when you build something, the credentials that you pass to it have the same access rights as you. Your copilot, if you haven't done limiting and scoping access, has exactly the same rights you do. And it doesn't have the nuances or laziness of a, of a carbon based organism. It goes and exploits them all fully and equally and completely. And so it's time for companies to start taking the access control game much more seriously. It's time to actually do, if not zero trust, a heck of a lot closer to zero and least privilege.
C
Yeah, well how about less privilege?
B
How about we just start there?
A
It doesn't have to be zero yet.
B
Yeah, I'm not even talking about any vendor. I'm not talking about. I'm like, how about we do some RBAC? How about we do some MAC? How about we limit admin? I mean this is not rocket science. It's not, it's incredible laziness over years and decades. And if you're not ready for it, if you're not ready for it, get ready. Hire people who are willing to do the awful thing of saying no.
C
Yeah, I mean we've been talking about this.
B
We're in a world where you have to say no. You have to. There's no, there's no way you're going to get through the AI era without saying no to something. Good luck.
C
Well, that's the problem, right? You know, even, even on this, on the human, psychological. When you look at it from the psychological, the human has a problem signal by default. You have to train yourself to get to that point. Shit. I'm one of those people, when someone calls me like, hey buddy, I need a dollar. And I'm analyzing him. My boy looks messed up and he's homeless. You give that dollar, but then he hops in a BMW and drives away. And I'm sitting there like a buffoon, like, oh, okay, cool, I fell for that one.
B
He didn't ask me for a hundred.
C
Yeah, I'm not in a position to give that away, but I've given as much as $20 because it's hard for me to say no when I'm looking at the conditions. You should just at least, oh, did you know I'm learning glare, right? Yeah. Well, if I say that, it might be a fucking undercover ICE agent to deport my ass somewhere, you know, I'm not trying to deal with that right now, you know, but all jokes aside, all jokes aside, right? If us as humans have a problem psychologically, this is well documented in all sorts of different studies, with saying no, how can we implement that into something that we've designed like AI unless we have built in guardrails, which we don't. All right, I think that that's what. That's the highlighted point here with this company that has been breached. You know, obviously there were zero guardrails or the guardrails weren't validated and tested.
B
Well, see, this is why you need to go tabula rasa. If the people didn't say no to get to this point, they won't say no from this point. And maybe they will, but you don't have time for that. You're bringing in people whose job is from this point to say no. Culture is the hardest thing to change. And so if you haven't set up a culture where people have to ask for yes and then you got to make sure you're not just robo stamping it, you've got to measure the right things, you've got to set up the right policies, and then you got to verify. And this is why Delve is so insidious. Because the whole purpose of doing audits is to keep it separate from the people who designed it and implemented it. Otherwise you're self checking your homework. Of course I got 100.
C
That's right.
A
It never worked out in high school when the teachers let us grade our own test. Never.
B
No, I didn't learn.
A
I didn't learn anything in chemistry because of that. That was the policy, i.e. you grade your own test.
C
Well, brother, I'll tell you, and this is something that you know, I do want to have. I know kind of time is running out. I want to ask a couple of quick questions, lightning questions.
B
But before you do, before you do, maybe touching on this subject and the burnout factor. We need to rely on each other more.
C
That's right.
B
I think it's lateral friendships and birds of a feather and community that can help us. Now go to your lightning wind if you want.
A
Let me just add to that. I don't think it's just cybersecurity. I think that's the world. I think we don't rely on each other enough. I think the biggest aspect of life is friendships and family. And if you don't cherish those friendships and you don't work on them and you don't do things, you know, it's. It's. It's the only thing you look back at a career, and it's great. We've all had big careers and titles and all that, and things are wonderful. But it's the friendships you leave behind and the friendships you have is really the meaning of this. And I've only learned this as an old man as I gotten older. It's. The only thing important to me is honesty and honesty with friends.
B
Yep. That's the ripple. You.
C
Oh, yeah. And this is why, you know, I appreciate Chris and my other friends. I have a ton of really good friends that I love and trust and support because, you know, when I had to go through, you know, deal with the consequences of my actions, you know, back in the days, it was very easy to feel lonely. I felt completely. It didn't fucking help that my face was in front of the New York Times and Fox News. And that did not help me at all, trust me. But I got to see who real friends were and. And I'll tell you about that offline. But there's one thing that before we kind of move into the other. The other part is there's a lot of AI concepts that folks are not even aware of. They are a thing. And you brought up something there that made a lot of sense. I want to kind of make the connection, which is sycophancy. These AI models, or LLM models, are trained to always want to give you the answer you want to hear and. Or give you an answer that it thinks you want to hear.
B
It's so drippy.
A
Yeah,
C
I've heard that before. You know what I mean?
B
Oh, it's like. It's like the wormy character next to the monarch in a Disney movie. Or like, oh, just stop. Yeah, it's Gríma Wormtongue.
C
Stop it.
A
Heck, here's it. Oh, it's big enough, Hector. Yeah, yeah.
C
No, but it's, it's, it's. It's a difficult thing because when, you know, ChatGPT, when it first came out, it was more accessible to people. One of the big takeaways was, oh, my God. It's kind of giving me. It's, it's speaking to me authoritatively. It's giving me answers that it thinks are correct. But I'm going to call this hallucinations. You could. You could call it that. Right. But you know what I think it was? I think it was sycophancy. I think the agent, the model, was just trying to give you an answer that it thinks that you needed, that you wanted.
B
And so, no, no, that's the answer it wants. And by that, I mean the establishment that created it. I'm a little tired of a few things. One, the treacly sweet, like, saccharine verging on diabetic responses that it gives you to make you feel all sugary and nice, to the nanny responses. I can get better answers from Google, please. It drives me crazy how the answers get less and less useful. The lack of concision, the lack of variety in style of response. I'm done. I actually write faster than I can write the prompt to ask it to give me something I don't want in a way I don't need. I'm done.
C
That is so true.
A
LLM burnout already? Wow.
B
Oh, no. I was like, oh, this is pretty neat the first time. And I'm like, oh. I asked it to give me some thought leadership on something. And I said, here's the four points. Don't use these four points that are used by everyone else. It used the four points used by everyone else. I go, you're useless. Then I asked it for just a motherhood-and-apple-pie piece. I said, try to use a variety of sentences. It didn't. I said, give me an answer that's just three bullets, please. It couldn't. And by the way, I'm not just doing old man screams at sky and clouds. Like, I've tried to use this many, many, many times. The output is formulaic and predictable. It puts em dashes in everything. Every sentence is a simple sentence. It's vomit worthy. And you get better answers from a search engine when it's not using AI mode.
A
Yeah. Even looking for stories for Hacker and the Fed. Like, I'll do like five stories and I'll be like, oh, what are the top five stories for cybersecurity news this week? And it'll give me the five fucking stories that I've already written up.
B
I have a friend who had Pinterest tell them, if you need help, there's people that can help with suicide. Okay, well, that's a little bit forward because she likes darker things. All right. When asking questions about terrorism, I get answers that it can't tell me, even though it knows that I'm a CISO.
C
That's right.
B
I'm sorry, what? Cyber terrorism's a thing.
C
I've run into that problem as well, and I'm debating the model. Like, hey, dude, I am in the cybersecurity space. I need to ask these questions.
B
And every version gets worse. And let's talk about tokens for a moment. You know that paying for tokens model, they may be getting slightly more efficient. Did you know we used to have this model and it completely failed once. It was called MIPS. Million instructions per second. People used to buy MIPS. They used to stockpile MIPS like credits until they became worthless because CPU costs less over time. So people are going to prepay them. It's sort of like channel stuffing. It's like stockpiling inventory for worthless cards in your back room. It's like buying a collector's item that won't be a collector's item next month. The token economy is bullshit.
C
I think so, FYI.
A
Can we short it? Is there a way of shorting it?
B
There will be a derivative market in it, but it won't last very long because we're getting more efficient. Just like Moore's Law at use of compute, it failed to apply to bandwidth with Gilder's Law, but it applied to everything else since, including storage. It's going to happen here, too.
C
Yeah.
A
So while we're on the topic of AI and where are things going? Everything's going local. Everyone now's been going to buy a $10,000 Dell machine to sit on their desk to run their local LLM.
B
This is the private cloud phase.
A
Yeah. Is that going to be part of killing tokens? Are we just going localized with everything, or is this. Just have the.
B
If they let us have the models that are not. First of all, the access to the data to train them is going to be important. And if you notice how every model comes out and it's even more nannified with even more Nerf gloves on it. And I mean, it's like trying to. It's like trying to milk a goat with boxing gloves on. Good luck.
C
Yeah. Have you ever tried that? Milking a goat with boxing gloves? That sounds.
B
Something tells me you like that.
A
Something I jerked off once in boxing gloves, but I used an overhand grip, so it felt good.
B
So, yeah, you also. You also need good lube. Don't use the hot sauce.
A
No, I go raw. Raw dog every time.
C
That's too much. You gotta. You gotta at least rock some Cholula sauce on that, brother. You know what I mean?
A
All right. Heck, we've been over an hour now. We gotta get in some questions. The users wrote in some questions. I've got user Questions that can be quick, quick answers you got. You said you had a couple. You want to wrap up for your
B
answer, then it's up to you. If you slow down.
A
Nope.
C
Up to both.
A
I'll go. I'll go. What's the big example of, quote, cybersecurity theater you've seen in a large organization that everyone knows doesn't actually improve security, but leadership still pushes forward anyways?
B
Mobile security.
A
How do you handle boardroom politics? When executives want quick checkbox security solutions instead of real risk reduction, do you
B
push back and how get the job done anyway? You obviously push back as much as you can, but then you have to self fund it and you have to make sure it happens because risk falls on you whether or not you get approval.
A
Why do CISOs so often end up as the fall guy after a major breach, even when the problem started years before they were hired?
B
Because everyone looks around the boardroom and says, who's my buddy? And if you're not in that list, you're the. You're the one who's going out. And by the way, if you don't get the job done and you have to go to the board to ask for money, you're doing it wrong. The board and the top level C level of a company are not the place you go to get funding.
A
Where do you go?
B
You do it. You have a budget.
A
How do you get your budget increased if not going?
B
You prioritize. You prioritize and you put it in your annual cycle.
C
But you also leverage that buddy system. Because there have been there, there's been situations where a company wants to bring me in to do like an internal presentation or something.
B
But sometimes you have to do things out of cycle and then you've got to ask, but you know what, if you haven't done the work of getting the social, doing the sneaker wear and getting the social work done ahead of time, you'll never get anything. And if you have, I have CFOs I've worked with who will write any check if I come and ask. Because I only come and ask when it's dire. What's the next question?
A
If you could tell your CEO one thing about cybersecurity that they probably don't want to hear, what would it be?
B
One thing they don't want to hear. AI is not the answer.
A
No, I thought it would be, I'm leaving.
B
Well, actually, yeah, but I don't want to say that yet. Otherwise I would have.
A
What's the most frustrating gap between what security teams know they need to be done and what the business actually allows them to do.
B
They spend far too much time on meetings and emails and trivia.
A
What about pre-meetings? I always know that I'm with a shithead.
B
Meetings about meetings?
C
Yeah.
B
No time.
A
I'm with a shithead. I will not work with you.
B
If you call a pre-meeting yourself, you should always be asking yourself, why not now?
A
Yeah, yeah. I worked with a guy who would always have a meeting before the meeting. He would call us in and we'd have the meeting, and then he'd get on the phone with the client or whatever and say all the questions that we had at the pre-meeting, and then look at us and say, you guys got any more questions? Any questions? And we're like, no, you asked all of ours at the pre-meeting.
C
It's a fact.
A
I hate those people.
B
There's someone who, if you got rid of them, life would get easier. Those people, don't invite them.
A
How do you balance being transparent about risk and not scaring the board or executives into paralysis?
B
Work with your general counsel.
A
In your experience, what's the biggest cultural organizational change that would actually make companies more secure?
C
Cultural.
B
It depends on the culture of the company. The number one thing that comes to mind for me is object and then commit. But generally speaking, it all has to do with where authority comes from. So does it come from hierarchy? Does it come from consensus? Does it come from expertise? Or does it come from the sort of, there's one in the Toyota Way, there's one that has to do with cultivating the next generation. That's actually a corporate culture. It happens at places like Danaher and Toyota, as examples. You've got to identify that and you've got to go right to the authority. If it's the consensus, you've got to know how to win that over. If it's the subject matter expert, you've got to go to those people. If it's the hierarchy, you go to the top. That's how it works. You know it in your company. If you're interested, there's a book by Schmidt called The Reengineering Alternative.
A
Have you ever had to say yes to a risky business decision for political reasons, knowing that it could blow up later? And how did you sleep at night?
B
The answer is I've had to say yes to risky things, but not for political reasons.
A
Well, not like geopolitical, but even political inside your company.
B
No, I know what they mean. So I've had to say yes to risky things all the time. Business is about acceptable risk for acceptable return. When it comes to political things, you have to remember authority is inherited through a very specific system: shareholders to the board, the board to the CEO, the CEO to the organization. Your job is to accept risk as that hierarchy dictates. Your job is to highlight it. Now, if you find it transgresses ethically or you disagree with it, you can vote with your feet and leave. And I have done that twice. I said, I disagree, I'm out. Wow, I've done that.
A
Was it a threat, or had you already determined your mother?
B
No, no. On one occasion I actually said I disagreed with the CEO, and I said, this is the choice you have. The question is whether you're doing it before or after I leave, because I disagree with what you've done and I'm resigning. You now still have the same choice, and I'm informing you of the correct decision; it's still your choice. Now, in the event that this happens and I disagree, but ethically it's okay, then I sleep very well at night knowing that the decision was up to somebody above me in pay grade. So I accept critical vulnerabilities, for instance, if it's for the right business initiative. My job's not to get rid of all risk. My job is to accept the correct risks.
C
That's a good point.
A
With the rise of the.
B
One of my interview questions is when I hire someone, I say, can you give me an instance of when you've accepted a higher critical risk and why you did it? That's actually an interview question that I give to new hires.
C
That's a tough one. That's a tough freaking question.
B
Absolutely. But if you want to be a director or VP on my team, you'd better have an answer.
C
Sure.
A
How has the rise of ransomware and supply chain attacks changed the day-to-day reality of being a CISO compared to 5 or 10 years ago?
B
I think what it's done is, it has changed processes and the relationship of cyber insurance to most companies. I think it's changed the relationship of external counsel and counsel with the security department, which in some strange ways has helped. But if people are still wrestling with this, oh, it's that shit has ailed. I don't care how prevalent it is. You should be ready for this to hit you. You should be like, okay, it might be horrible and I might hate it, and I might have sleepless nights and a long pain ahead of me, but I know the extent of the damage. I know the likelihood that it will hit. I have things that are triggered when it happens. I was talking publicly the other day and someone said, how do you know your incident response plan will work? Is it because you tabletop? I'm like, no, you use it every day. You use it all the time. You use it for the small stuff, you use it for the medium stuff, you use it for the big stuff. This is a used and well-worn mat, not something you roll out like a red carpet.
A
Yeah. I mean, it makes good sense that you shouldn't have to practice something if you're doing it on a daily basis or multiple times per day.
B
Yeah.
A
If a young security professional wants to eventually become a CISO (and after this conversation, I don't know how the fuck they would do that), what's one piece of advice that you'd give them that they probably wouldn't hear in certifications or in trainings?
B
Don't do it through certifications. Apprentice yourself to somebody you respect. I give the exact same advice to CISOs now. In a world of AI, my generation, we were autodidacts. We taught ourselves. That option doesn't exist for the current generation, and that's sad. There are some areas where it still does, like AI assessments, for instance. The way that the younger generation gets in is by intense memorization and certification, with very little chance to see real human beings dealing with a crisis and very little opportunity to actually learn hands-on the higher-order stuff. They're going to be shocked when they get up to the CISO level. But the most important thing is networking, seeing how people handle crisis, seeing how they handle those tough ethical decisions in the moment. Apprenticeship is the way. And you know what? It also helps with the question you asked me about earlier, which is how do you handle burnout? When you are responsible for shaping the young minds around you and they are looking up to you, you don't want them to see you doing a bump. You don't want them to see you drunk at a conference. You don't want them to see you getting behind the wheel of a car in bad shape, or breathing badly because you're having a heart attack. It works both ways.
A
I don't believe what you just said to be an honest assessment of the industry. I don't believe most CISOs... I think you might be unique. No, no, as being... looking at yourself as being responsible for shaping the young generation.
B
Because I do.
A
I think that's unique. I think Hector and I, going out and talking, we're out in the country talking to all these different people, and none of them see themselves as having to shape the industry like we talk about. You have young people asking, how do I get in? How do I get in? And I blame, I mean, we were at a conference in Atlanta just last week and I said, it's the heads of the companies that aren't letting you in there. They expect 10 years of experience, you know, for entry-level positions.
B
They do. The rung is getting higher.
A
And that's bullshit. You have to have a PhD in computer science in order to get in. Interesting.
B
It's happening. Yes, but we can change it. I can change it. And by the way, if I wasn't anonymous right now, I would be saying the exact same thing. And I'm hoping every CISO who hears this goes, holy fuck, I can do that. I can pick a young person that I see in an audience who contacts me, or somebody who's older and changing career, and if they come to me and say, I want to be an apprentice, I want to learn from you, it's not ass kissing. Give them the chance, because I have had apprentices. One of them just published a book. Some of them are now CISOs, and they started at zero. I'm proud of them. Not me, them.
C
That's right.
B
But I can say that because I'm anonymous right now. There's no ego.
C
Chris asked you some amazing questions. He did. I just.
A
Those are the listeners. Those aren't mine. Those are the listeners.
C
Shout out to the listeners. Big shout out to them, then more.
B
I'll come back.
C
Yeah, well, I do have one question.
B
Oh, I disagree with them. People should say they disagree if they want. Like, solicit that.
C
Yeah. So the question I have for you is, let's say that right now you get a phone call from the President of the United States, and he says, look, I've heard about you. I've looked into you, and I've come to the conclusion that you would be the person to help me deal with national security from the perspective of cybersecurity. Can you help me with everything that you know, your knowledge base? Can you help me come up with one rule, one guideline, one something that would drastically improve cybersecurity and then inherently improve national security? From that perspective, is there something that you could think of that you would tell the President?
B
New phone, who dis? No. No.
C
You can hit him with a meme. I got you.
B
The answer is not to do one thing. It never is. I think it's about the dialogue around it. But I also think there are far too many lobbyists already. I think there are too many people trying to sell a product or a service with that kind of leverage. Instead, I would encourage the industry to self-organize more. Look, if the answer for us personally is community, I think the answer for us collectively is also community. And so I'd love to see more on that front. One of the things this president did in the first administration was he had roundtables of people in industry. Why not have some CISO roundtables and collectively get the answers from a group of us? I would also ask for some time to go away and think about it, because I wouldn't want a flip answer, even with him on the phone at one time. I'd want to come back with my request. You don't ask. If you ask, you tell the genie, give me a few minutes.
C
Sure.
A
I think the current genie should wait a few minutes, though.
B
The problem, also, I think we all need to meet at Heck's house to talk about it.
C
So yeah, I'm with it. We'll have one.
A
Oh, Heck, get your part while he's there.
C
Well, you know, the thing is this. I always tell Chris, I wish that the current administration would have brought in more advisors within the administration that have experience in the space, or are thought leaders in the space, or are really good at getting the right people together. For example, I always joke with Chris, I say, dude, you should have been the director of the FBI, right? He says, oh, I would never take that job. I would never do that job.
B
That's why you're probably qualified for it.
A
I do. I'm an email hacked. There's some crazy shit in my email.
C
But I joke with Chris like, hey man, you should have been a director, because you could have easily taken that job on and taken the FBI to where it needs to be. But I understand his answer. I get his answer, right? And I'm sure that you're probably gonna say the same thing: I wouldn't take that job, I wouldn't be director of CISA, for example, because of X, Y and Z. But the P. And you brought up a good point, right? Now maybe the reason why he's qualified is because he has the self-awareness to realize that maybe I don't want to do it. The problem is that we end up with people that are not qualified, for real. For real. And you know, they're just not doing shit. You know, I love.
B
I think people need to recognize the validity of experience and knowledge and wisdom that some people have. But there is actually a national cybersecurity strategy that just came out, and it's not bad. Yeah, I mean, it talks about shaping adversary behavior. It talks about doing common-sense regulations and trying to simplify them. That sounds pretty smart, doesn't it? It talks about modernizing networks.
C
That's right.
B
Somehow that came out. And you're right, I wouldn't want to be in some of these positions. But people are doing their duty when they do it, and I have respect for that.
C
Sure. 1,000%. And I think that Chris and I, we've talked about this a lot. I know a lot of people don't really like this person, but Pete Hegseth has been doing a lot of great stuff when it comes to, like, cyber, especially after the whole Microsoft incident a while back with the proxies or escorts or whatever that was called in China. But then also more recently with the SEC blocking the import of Chinese-made routers, which has been a problem in the United States. So there's some traction there. In my personal opinion, it might be a little bit too late. We're in the middle of a war at this point, or a special military operation, whatever you want to call it. And I feel like Striker is the beginning, and we're probably gonna see a whole bunch of crazy happening soon. I'm just not sure we're ready for that.
B
You know, it's never too late to take responsibility for your actions. Yeah, I say that to everybody who thinks they're too far gone. And look at what the gangs try to do when they indoctrinate someone. They try to get you to kill someone so you feel like you're too far in. You're never too far in. You can always decide you're going to do the right thing. Take your delve person. Maybe they should have behaved differently early on, but they did the right thing in the end. Whether they whistle-blow or whistle-toot or whatever.
C
Sure.
A
All right. Heck, this episode's super thick. I think you're right, it ended up being 4 C's. 4 C's. Anonymous CISO, thank you so much. I'm sure we'll get a lot more feedback. People are going to love this episode. They loved the first one. They're going to blow their heads on the second one.
B
Let's get more questions and let's see
A
what they think, let's do it. Get feedback. And like you said, pushback. If anybody wants to call bullshit on you, I'd love to hear from you. So it's a different perspective. So that's an honest conversation. So, Heck, had a great time. Love and respect you, brother. Anonymous CISO, I can't wait till we do the next one.
B
Already looking forward to it.
A
All right, guys, have a good one.
B
Later, buddy.
Release Date: April 2, 2026
Hosts: Chris Tarbell & Hector Monsegur
Guest: Anonymous CISO (Part 2)
In this candid and deeply insightful episode, Chris Tarbell and Hector Monsegur welcome back their anonymous Chief Information Security Officer (CISO) guest for a highly anticipated second part. Celebrated for the rare honesty and vulnerability he brings, the anonymous CISO shares what truly keeps security leaders awake at night, navigating a landscape shaken by geopolitical tensions, supply chain attacks, AI disruption, regulatory failures, and the immense personal toll of the role. The conversation explores the realities behind cybersecurity industry standards, certification scams, AI risks, burnout, and the often-overlooked human cost of protecting organizations in a world where the threats are multiplying and evolving faster than defenses.
Timestamps: 02:06 – 09:21
Timestamps: 09:32 – 34:42
Timestamps: 35:11 – 44:12
Timestamps: 44:12 – 49:01
Timestamps: 46:00 – 63:16
Timestamps: 63:36 – 69:53
Timestamps: 71:05 – end
This episode pulls back the curtain on what CISOs are honestly worried about in 2026: not just the deluge of external threats, but the internal realities of burnout, broken industry incentives, and the need for radical honesty. It’s a call to action—for CISOs to build real peer and mentor networks, for organizations to focus on progress rather than certificates, and for the industry at large to recognize, support, and sustain the people on the front lines.
For feedback, pushback, and more, listeners are encouraged by the hosts and the anonymous CISO to write in—and to keep the community conversation going.