A
You're listening to the Cyberwire Network, powered by N2K.
B
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
A
You should be part of that entire process from the beginning. Like, okay, let's really define what we're trying to solve here. Let's look at the technologies that are out there and really ensure that we're going to get the value that we're looking to get. And then the security team's ensuring that it doesn't put us at, you know, such an increased amount of risk. It's just being part of the conversation early on and being, you know, having a seat at that table and always approaching it from, we're here to enable this business, so we're going to figure that part out, but we're here to enable it securely.
B
Today I'm speaking with Joey Smith, Vice President and Chief Information Security Officer at Schnucks Markets. Joey is a seasoned cybersecurity executive with a deep background in incident response, computer forensics and risk-based security strategy. With experience leading global incident response at MasterCard and shaping PCI compliance standards, he has built a career on the front lines of retail cybersecurity at Schnucks. He's not only strengthened the organization's overall security posture, but he's also helped drive operational efficiency through cloud collaboration and strategic oversight across IT infrastructure, security and compliance. Joey, talk to me a little bit about your journey from hands-on work in data recovery and incident response and then shaping cybersecurity at an enterprise level. What's been the most transformative along the way?
A
Yeah, so, yeah, my career started at a small data recovery company and what we did there was we fixed broken hard drives, you know, long enough to get the data off of them and get it back to the customers that had, you know, lost whatever data they really needed. And, you know, that was a really cool job. But the main focus of that business was data recovery and fixing these hard drives. But they had another side of that business that was computer forensics. And so customers would call in and they might need forensic support for, you know, a lot of it, you know, sadly was, I'm curious what my wife or my husband is doing. And you know, there's a lot you can tell from a hard drive. And I pursued and was able to get a computer forensic certification and, you know, we would represent various lawyers that would hire us for those services. And that's what really kind of probably got me into the information security arena. Ultimately that opened the door for me to get into MasterCard, the payment card brand. There's a big technologies headquarters here in St. Louis and they were looking for computer forensics expertise and also incident response. And I was able to move into that position and I, you know, spent seven or eight years at MasterCard. That was also a super cool job and got me a lot of exposure to much bigger global type things that we were dealing with. You know, thinking back to the big breaches of that time, it was like, you know, what do all of these transactions or all these complaints have in common? Well, every single last one of these cardholders all shopped at Target, was the big one back then. And we also had one where all these payment card holders, they all shopped at Schnucks. And so Schnucks was also a victim of a payment card breach. And so, you know, the sad part was, now this is back in 2012, 2011, was that list of breached merchants was just, you know, miles long.
You could take that file and you could just scroll down forever. You know, it was a really bad problem. We would take all the transactions that happened at that merchant and deduplicate them. And we knew, you know, all the payment cards that were at risk, so to speak.
B
Yeah. So you're able to like figure out what the commonality was and the dates that there was a set of problems.
A
Yeah, yeah, yeah, that's right. So you take all that information and, and you send it back to the issuing institutions, which are the ones that have the relationship with the cardholders, you and I, and we would let them know, hey, you know, this batch of cards we believe is at risk and you know, they might reissue the plastic, send you a new card, and randomly you might get a new card in the mail. You might not even know why, or they would just put some additional fraud controls on, some additional monitoring. You know, they might not do anything. But it was at that point where it was between, you know, the issuers had a choice to say, hey, look, we've got this fraud alert from the payment card brands that this group of cards is at risk. Right. And now we can make a decision what we want to do. So, so that that job ultimately led me to where I've been now for the last 11 and a half years or so.
B
Compliance does not equal security. Why do so many organizations still treat Compliance as the finish line rather than the floor.
A
Yeah, yeah. I've said compliance does not equal security, but security does equal compliance. And that's something I've learned over my career and just sort of better understanding everyone else's perspective of their information security posture. And my thought on that has a lot to do with my time at MasterCard. And we were investigating all of these merchants that were breached, and we would have this list that would go on for, you know, it seemed like miles, you could just scroll down this list, and every line was another merchant that we were very confident was having some sort of breach issue because there was all this fraud on all of the cards that happened to go through their point of sale system. And every single person that we worked with, every single company that we worked with that was breached had a PCI compliance program. Every single one of them was compliant. So we'd get in there and we'd work with them, and, you know, we would be very curious, like, you know, we know this is happening. And they were like, this can't be happening to us. We have our PCI compliance stamp, right? We have our report on compliance. I just had a QSA in my environment, and they went and they did all of the things that they do, and they told me I'm compliant. So how is it even possible that we have a breach event right now? And that's where, you know, the stars kind of started to align in my head. We're like, obviously, compliance isn't good enough, because they weren't wrong. You know, we could see their report, they'd send it over to us, and we'd look like, well, sure enough, you're compliant. But, you know, we can find one thing here or there that, you know, your auditor may have missed. And now, you know, you're in a breach situation.
B
So.
A
So the issue that I always had with just kind of ruling your program through the lens of compliance is good enough, is that it gave this, you know, this false sense of security to the people that were not in the IT teams or the people that were not, you know, thinking about cybersecurity all the time. The CEO or the executive team would get this report and go, okay, cool, I don't need to continue to invest here. Right, we're good. And they would then be able to, you know, redirect what could have been or should have been investments into hardening their infrastructure or doing some of the more basic security things. They'd be able to move that money towards other strategies that they had instead because again, they have this compliance report. And that was really, I believe, the way that the retail industry was, you know, going back 10 or 15 years: they'd get this report and everyone would think they're good and they'd move on and they'd be able to do other things with that money. And I think, you know, around 2012, 2013, there was this huge spike in payment card breaches across the United States. And at that time, Europe had already moved to EMV transactions, which is that chip and PIN that is now very common. But, you know, the United States was slow to adopt that. So that's where all the attackers were looking: at United States businesses and, you know, breaching that payment card data. And, you know, more and more merchants and companies were recognizing that, even though I've got this compliance report, I've got some pretty big problems that I still got to figure out.
B
So you've read a lot of the breach reports. You know, you have that experience of understanding that being compliant doesn't mean that you're secure or that you've controlled the risk. What do you recommend to other security leaders to help those executive teams avoid that false sense of security when they get a clean audit report?
A
Yeah, you know, so much of it comes down to relationship and having a rapport with the executive team so that they know you, they trust you. It's great. And it's always great to, you know, continue to sort of forward and let them know of what's going on in the industry and some of the events that are happening. But at the end of the day, if you don't have that relationship and that rapport with the executive team, you're just, you know, you're another, you're another person doing a great job. But they might not be giving you the focus that you really need or the attention you really need to make. You know that those risk mitigating type decisions and you, you know, it's harder to get the support behind it.
B
So what are some of the things that you've seen successful security leaders do or you yourself have experience to build those relationship? Is it language that resonates? It's a cadence of a conversation. Talk to me a little bit about that.
A
Yeah, it's definitely all of those things and just trying to show up and be human to them. But it's also like our jobs as security leaders is to sort of Simplify what is really, really hard concepts to understand. It's hard to wrap your head around the real cyber risks that we're dealing with. And so trying to, trying to simplify the best you can, like what my program's here for, and also being like, very, very candid in that, you know, there's no silver bullet, just, you know, recognizing that at the end of the day, I cannot guarantee something won't happen. But what I, what I do say is I can guarantee that if something does happen, we're going to know about it, we're going to be in a position to respond to it. So, you know, just simplifying. Like, I look at my program and I sort of try to. Everything we do sort of falls into one of three buckets. And it's, you know, if we're doing one of these three things, we're doing what the organization needs for us. And it's as simple as we want to complicate unauthorized access, right? Any unauthorized access, make it harder for that person to have that access. It's unauthorized, so it shouldn't be happening. So complicating unauthorized access, minimizing the attack surface. So don't have this giant, huge, you know, obvious humongous target that everyone can start hitting, and eventually they get to just make that as small as possible. So minimizing that and then. And last but certainly not least is actively respond and contain to the incidents when they happen, and if they happen, it's when they happen. Right. So I try to simplify everything that we do in my cybersecurity program to those three things. Complicate unauthorized access, minimize your attack surface and actively respond and recover and contain incidents when they happen. And sort of boiling those three, you know, kind of concepts down into a program. You can get more and more detailed under each one of those things. But that's a pretty high level. 
Like, certainly anybody should be able to understand those types of three things. And so, you know, working through that with your executive team, I think you get a lot of the different light bulbs, of course, with all the breaches that happen, the ransomware, let's go, that, that's been happening and the like, you know, hopefully, given your, the relationships that you're working on, though, they are at that point listening to you and going, okay, like, we should ensure that, that this team is getting the funding they need to, to do those three things successfully.
B
I like that. It's not oversimplifying it, but it's putting it in clean buckets that somebody can track like if we complicate that access, then that slows down the ability of the attacker to get in and to exfil, which means that we have more time to, you know, stop them. It makes it so that the size of the exfil is smaller if they're not able to get as much access. And downstream that means that we have maintained more trust with our customers or our partners. And I think that that's the last piece that I was just talking with one of our researchers about a massive cloud breach. And it wasn't that it was 90,000 credentials that were lost. That's the problem. It's the knock on effects after that of what ends up impacting your business. And to make that transfer over to the business impact, whether it's reputational risk or you're no longer allowed to operate as a business cause you're locked up, those are the things that I think any executive or board can understand. And sometimes the technical details of what does this control do aren't really illuminating for them what the risk is that they're facing or they're accepting by not funding what you're asking for. So I like the idea of bucketing it and then being able to tell good stories that, that resonate with those leaders.
A
And at the end of the day, I think it's important that the security teams our, our real job is to enable the business. And I think that's been sort of a change over, over the last 15 years as well, where security departments can no longer go in and, and just be what we used to call the department of no. Like no, you can't do it. No, you can't get to that website. No, you can't use this this way to send data. No, you can't do all these things. But you know, trying to flip that on its head and being a business enabler saying no, you can't do that, but you can do it this way. Here's the right way to do it. Let me lead you to the way that is a safe way to transfer this data or you know, use your computer or ultimately get your job done. We have to be business enablers and think through that lens so that our executive teams aren't just figuring, oh, we're the guys that just make it hard to do everything right. Like I don't want to complicate your access. As another teammate of mine and a trusted employee of this organization, I want to complicate the unauthorized access. You know, yours is authorized. So how do I make it easy on you as a Business enabler, so you can do your job better, faster, more efficiently, all those types of things, and leverage technology to do those things. But at the same time, put yourself in a position of better security posture. So you're. You're protecting the organization at the same time, you're enabling it to do whatever it is that they. That they do best.
B
Yeah. I was recently talking to another CISO, Nigel Hedges, and one of the things he talked about with a board conversation was, here are the things that I want to do. Here are the things that aren't funded, and this is the risk that you're accepting. If we don't put these controls in place, if the business is okay with that, we'll move forward. Right. Like, my job isn't to tell you you can't take the risk. My job is to make sure you understand the risk you are taking. And I like that reframing. You know, he said in some cases, the business wouldn't accept the risk or the board wouldn't accept the risk, and so they'd go back and figure out how to fund it.
A
But.
B
But it, to me, was that clear moment of, I now understand what I'm exposed to if we don't do this. And that was a little bit of a shift. And like you, he wants the business to move forward and not be that blocker, that department of no. So I think that those storytelling and reframing what I'm asking for leaders like yourself that are able to do that really well, I think it helps businesses move forward in a way that allows them to grow and to maintain their trust with their customers and their partners.
A
Yeah, 100%. And that's, that's what it's all about is just, you know, you're. You're articulating that risk in a way that we can make a business decision about what we want to do with it. You know, do we want to fund a technology to mitigate it? Maybe not. A lot of times the answer might be no. It could be just let's change the process instead. It could be, let's, you know, pick up some additional insurance to help mitigate it from an insurance perspective. But ultimately, you know, if the business said yes to every single thing your security teams wanted, you'd probably end up putting your business out of business because nothing would work.
B
You would be the risk that they couldn't accept. Right. So it was perfectly secure.
A
Yeah. I've joked with our CEO before, like, if you really want me to 100% secure this company, like, you know, we'll unplug everything from network altogether. We will bury all of our servers in concrete, unplug it all, and we'll be secure. But, you know, we'll probably be out of business in about one day. So I know that's not what you want, right? So obviously we have to operate with some risk. There's, you know, there's no, you know, making money or, or serving customers or doing, you know, doing whatever your organization does without operating at some risk. So you're right.
B
Requires some risk, right?
A
Yeah, yeah. Otherwise, everybody would want to be able to do anything. So it's just. Yeah, I think you said it right. You got to, you know, have those relationships and work through, you know, here's the risk, here's a couple of things that we can do to mitigate it, or are we good with living with it, or, you know, what do you want to do about it so we can continue to thrive but operate at a tolerance that we're okay with?
B
You know, you've talked about when you're evaluating new technologies that you want to run proof-of-concept battles with really strict criteria. Why is that approach so critical in today's vendor landscape?
A
Yeah, there's just so many vendors out there, so many solutions that we're constantly being, you know, that are hitting our inbox or different outings that, you see, there's just this landscape of technology. It's hard to figure out which one's the best, but, you know, that's going to be different for every organization. So if we know we have a need, if we know there's a particular risk that we want to, you know, tackle, there's definitely multiple options as far as technology to, to look at. And so, you know, I like to take, you know, my top two, three, probably no more than four options and do that, do exactly a proof of concept and say, okay, if you, if you're really going to help me with this before I buy your, your thing, that's going to help me. I want to prove that it actually works. And so, you know, putting them up against each other really validates, you know, what's going to work for your organization and, you know, helps them also recognize that they just don't default in the business. They've got to win it over their competitors as well. You know, I got it. There's.
B
We.
A
I did a session once where we talked with a group of CISOs at a conference about how do you sell to a CISO? Because we're all just so inundated with the salespeople, what is it that actually works? And shout out to my friend Andrew Riley, Andrew Wilder, who's over at Vector, he's the CSO of Vector. He came up with, like, this is if I'm interested in buying something. He's like, these are the four things that need to be there: number one, I have a known issue, I've budgeted for it, my funds have been approved, and I can start POCing all these options. Number two, is there some sort of new regulatory requirement that says, you know, you need to do this type of protection with this type of data? Number three, an incident actually happened and now we essentially have an open checkbook to respond or start putting some controls in place. Or lastly, my peers in my community are talking about it and we're recommending it to each other. And it's like, if one of those four things is happening, then we're interested in said technology and we can start to move towards the PoC. But it's just very hard. The vendor landscape is loud, it's very aggressive. And I think you got to put them up against each other to ensure that they're going to provide that risk mitigation that they say that they can.
B
So you just mentioned your peers saying something as an influencer and earlier you talked about having that relationship with your executive team and the board. You've been this proponent of CISO communities and peer collaboration. Talk to me about why that network is so essential in the environment that you operate in today.
A
Yeah, it's one of those things where I jump on. We have monthly CISO calls and it's a variety of different industries, but we're all battling the same challenges. And if nothing else, it's just a group of security leaders that can sort of look at each other and be like, yep, yeah, I've got that problem, too. And, you know, these are the things that keep me up at night. So, you know, we're not alone. So there's some strength in just having, like, others that are understanding the battles we're fighting. But at the same time, you know, you start to recognize or you can tell stories between each other about what's working, what's not working, strategies around. You know, there's certain companies, and I've had some really good conversations in those meetings where it's like, this particular company is looking to move all of their renewals to an OpEx model. So that's going to happen to us. So be cautious if you're trying to continue to keep this as a CapEx model. Maybe you want to do your renewal now, before it becomes an operational expense for you. So just, you know, we're all in this battle together and it's just sharing that information. I don't consider anybody in the world that's in cyber my competitor. Right. Like, I could be working with the CISO of another grocery store that directly competes with my organization, but when it comes to cyber, that person's not my competitor. Like, let's fight it out in the aisles of our stores, who can better serve their customers and the like. But at the end of the day, within the security industry, we're fighting the same adversaries, and, you know, may the best business win. But ultimately we're all in this together and we got to recognize that our adversaries are working together. You know, they largely outfund us. Their teams are, you know, largely more motivated. You know, they don't take the weekend off.
They, you know, don't enjoy the Fourth of July holiday with their family. You know, in the case of nation states, they're getting significantly more funding to do their programs and do their things than we are. So it's, you know, the least we can do is start to collaborate with one another to say, hey, look, we're outnumbered, but we can work together to do what we can to mitigate these threats that we're seeing all the time.
B
Yeah, I, I used to sit in on a board of advisors and there were direct competitors, insurance company, medical company, you know, they always had a counterpart or there. And it was so inspiring to me that just like you said, let's let the grocery stores beat each other as businesses or attract customers as businesses in the aisle. They were looking at it the same way of, like, it doesn't really work if one of us goes out of business because we had a cyber weakness or a cyber breach that caused us to be harmed as a business. And I think that that's one of the best things about our industry. And if you're coming up and you're listening to the pod, I think reaching out and finding that mentorship, finding those folks that'll have those conversations with you, maybe even just letting off a little steam to somebody who fully understands what you're talking about. It's the release valve that we need, and it's where I think you can find Those insights and innovations that maybe aren't really obvious right away.
A
Yeah, right. It's, it's just having a room of, you know, a group of peers that are all in this together. You know, it's, it's, it is, it's that deep sigh of relief that, hey, I'm not the only one trying to figure this out. Maybe collectively, you know, more brains are smarter than just one brain. So, yeah, it's, it's, it's hugely important.
B
Joey, you drew this interesting parallel between the rise of artificial intelligence and the early days of the Internet where connecting everything without securing it seemed like a great idea. Are we making the same mistake again?
A
I don't want to be like doomsday, but it does scare me because, you know, I just got back from an industry conference that was more focused on compute, storage and infrastructure stuff. Not like a cybersecurity conference. And AI, you know, like it is everywhere, buzzword AI, we do it with AI, AI is going to fix everything. And, you know, I battle with that even internally at Schnucks now where, like, we want to leverage AI to be a differentiator for our customers. We want to figure out these tasks that we can automate through AI so that we can better focus our associates on serving our customers' needs and getting rid of just the busy work type stuff. And everyone's really excited about it. And it just reminds me of, you know, the early Internet where we started connecting as, you know, as a species. We started connecting systems and computers together. We saw all this value in, you know, being able to work smarter and work faster and work better. And this is just, you know, the early advent of, you know, basic networks. And, you know, all these people, I think, got these dollar signs in their eyeballs and said, oh, you know, we can bring in these things, like, we can make money online now and we can do banking online now, and let's connect it all. And paid, you know, paid to the cyber risk that that introduced, subsequently, you know, birthing an entire cybersecurity industry as a result of an, you know, arguably poorly built Internet. I just think, like us as humans, we're marching down a scary path that sounds very similar with AI, right? Like, oh, AI, AI, we can make so much money with AI, we can do all these things. And again, not to sound like doomsday, but, you know, where are the regulatory controls around this?
Or is anybody, you know, thinking about the risk that this poses to my organization or all the bad things that can happen as a result? And so I, you know, I challenge and I'm still looking, even as, you know, a CISO, these are the risks that we're thinking about. I'm still looking for the technologies out there that can identify malicious AI and things. And I, you know, it's a huge opportunity for companies like Palo Alto and others to, you know, solve some of these problems that we're now dealing with because I do fear that we are putting the excitement and all the positive things about AI in front of thinking about all the negative things. And so, yeah, it's going to be very interesting how this all goes the next couple of years. But it does concern me, it really does concern me that as humans, we're more excited about all the cool things AI can do and we're not really focusing yet on the negative side of it.
B
Yeah, I think it's a combination of being naive, being excited about the opportunity, the dollar signs. It's weird. As you were talking about it, my son introduced me to two gaming platforms. He's a teenager and he started playing Roblox, he started doing Minecraft and a lot of fun. Lots of different things that you can do in those. They're different in some ways. Same in some ways. And the thing that was really surprising to me was the rampant fraud and the attacks and the different things that are going on in this sort of like micro environment of platform gaming. And I'm going like, wait a minute, we already know all these lessons. How is it that, oh yeah, they wanted to grow fast, they wanted to innovate, they didn't necessarily have the knowledge and the information that they needed. And then I see a parallel as we're screaming towards a, you know, an AI infused future. And a lot of folks are looking at the things that are cool, the things that you can, you can build. And as a, I don't know, a positive person and a former designer, I feel that urge. But as somebody who's had a foot in the security side for almost a decade now, I'm going, hold up, there's some risk here and somebody's going to figure out how to take something from you that you value using this technology or using your blindness, whether it's being naive or greedy to put you in a compromise. And we know better. And yet I don't feel us putting enough as a tech industry, just a little tap of the brakes right and.
A
It goes back to what I said earlier. Our job is to articulate exactly what you just said. And while we still want to enable the business like we have to leverage AI, there's so many positive things we can do it, we have to leverage it securely though. So educating the business with everything you and I just said while still enabling them to use it. But let's put these, some of these guardrails around how we use it, why we use it, what are we really trying to achieve here and let's, you know, flesh that entirely out so that we can be using it to drive the business, but using it in a safe way that doesn't put us more at risk than, than we want to be.
B
Do you have any recommendations or thoughts on how to insert security or some of these conversations into the drive for innovation? You know, so that you're not necessarily labeled as a blocker, but you're helping the companies and those teams understand that a little bit of that prevention or a little bit of that thought allows them to scale and achieve speed later when they don't hit that, you know, whether it's a speed bump or a full on breach from a cyber risk.
A
Yeah, it's, you know, I think the answer is a lot of just, you gotta be part of that team. You can't just be this siloed information security program and it's just part of the other, you know. You know, hopefully at least companies are looking at their information security teams to, you know, to at least do some reviews and checks. But that, you know, you should be part of that entire process from the beginning. Like, okay, let's really define what we're trying to solve here. Let's look at the technologies that are out there and really ensure that we're going to get the value that we're looking to get. And then the security teams ensuring that it doesn't put us at, you know, such an increased amount of risk. It's just being part of the conversation early on and being, you know, having a seat at that table and always approaching it from. We're here to enable this business so we're going to figure that part out. But we're here to enable it securely. And so it just, it's so important to have those relationships with the business side so that you do have a seat at the table and you're not just perceived again as that department that if we bring them in, they're just gonna, they're just gonna throw the whole thing out.
B
Joey, thanks for this awesome conversation today. I really appreciate you sharing your insights on security leadership strategy, you know, telling me your stories of coming up from the, you know, the hard drive side in forensics and through the retail side of MasterCard and into what you're doing today. And then, you know, even offering some of your thoughts on maybe some of the mistakes we're making as we rush for new technologies like AI.
A
Well, it's great to be here, David. I appreciate the conversation and I know we, you know, just scratched the surface of so many things. And I appreciate what you're doing on this podcast to bring, you know, like-minded people together to just sort of, you know, have a voice and have a seat at the table like we talked about. So thanks for having me.
B
That's it for today. If you like what you heard, please leave us a review on Apple Podcasts or Spotify. Those reviews really do help me understand what you want to hear about. Or you can reach out to me directly about the show at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Bincourt and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.
Episode: The High Cost of Chasing Compliance, Not Security
Release Date: October 2, 2025
Host: David Moulton (Palo Alto Networks)
Guest: Joey Smith, VP & CISO, Chinook Markets
Theme:
This episode explores why treating compliance as the endpoint, rather than true security, puts organizations at risk. Host David Moulton interviews Joey Smith (CISO, Chinook Markets), who shares insights from his career responding to major breaches, building security strategies in the retail sector, and driving security innovation that goes beyond the checkbox mentality. They discuss the pitfalls of compliance-focused security, the importance of building business-aligned security programs, constructive board relations, and current AI risks.
PCI Compliance Isn’t Breach-Proof: Joey recalls his years investigating breaches at MasterCard, revealing that most breached merchants were compliant at the time of incident (05:46–07:30).
“Every single company that we worked with that was breached had a PCI compliance program…Sure enough, you’re compliant. But, you know, we can find one thing here or there that your auditor may have missed. And now—you’re in a breach situation.”
— Joey Smith [06:21]
“Finish Line” Mentality: Many executives wrongly see compliance reports as ‘insurance’ and pull back on investments in actual controls.
“They’d be able to move that money towards other strategies that they had instead, because again, they have this compliance report…everyone would think they're good and they'd move on.”
— Joey Smith [08:09]
False Sense of Security: This attitude encourages underinvestment and ignores emerging threats. Smith says security must be treated as an ongoing commitment, not a certification event.
Security as Simplification, Not Obstruction:
“Our jobs as security leaders is to simplify what is really, really hard concepts to understand.”
— Joey Smith [10:35]
Three Program Buckets:
Smith frames every security action under these pillars, making the message digestible for non-technical leaders (11:40–12:56).
Active Business Enablement:
“We have to be business enablers... I don’t want to complicate your access…I want to complicate the unauthorized access. Yours is authorized. So how do I make it easy for you as a business enabler?”
— Joey Smith [14:47]
Means Building Trust & Rapport:
“If you don’t have that relationship and that rapport with the executive team, you’re just another person doing a great job. But they might not be giving you the focus that you really need.”
— Joey Smith [09:41]
Risk Communication as Empowerment: Security leaders should present clear options and their consequences, enabling business-driven risk decisions (16:24–18:13).
“My job isn’t to tell you you can’t take the risk. My job is to make sure you understand the risk you are taking.”
— David Moulton paraphrasing Nigel Hedges [16:59]
Flexibility in Controls: Sometimes, non-tech mitigations (process changes, insurance) are best. If security ‘gets everything it wants,’ the business may grind to a halt:
“If you really want me to 100% secure this company…we’ll unplug everything from network altogether. We will bury all of our servers in concrete…we’ll probably be out of business in about one day.”
— Joey Smith [18:15]
Proof-of-Concept Battles: Test vendor solutions head-to-head, with strict criteria based on real risks, to ensure fit and effectiveness (19:17–22:09).
Signals for Procurement:
Value in CISO Networks:
“Between the security industry, we’re fighting the same adversaries...we can work together to do what we can to mitigate these threats.”
— Joey Smith [23:56]
No Silos Among Competitors: Direct business competitors can—and should—share cyber learnings, because cybercriminals certainly collaborate (22:30–25:53).
AI Parallels the Early Internet:
“It just reminds me of…the early Internet...We saw all this value in being able to work smarter and work faster and work better...People got dollar signs in their eyeballs...and paid [no] attention to the cyber risk that, that introduced—subsequently birthing an entire cybersecurity industry as a result of a...poorly built Internet.”
— Joey Smith [27:00]
Alarm at AI Hype Outpacing Security:
“We are putting the excitement and the, all the positive things about AI in front of thinking about all the negative things...It does concern me that as humans, we’re more excited about all the cool things AI can do and we’re not really focusing yet on the negative side of it.”
— Joey Smith [28:50]
Early, Embedded Security: It's crucial to join innovation efforts from the start to guide secure adoption rather than bolt on controls later (32:03–33:19).
“You should be part of that entire process from the beginning…we’re here to enable this business, so we’re going to figure that part out, but we’re here to enable it securely.”
— Joey Smith [32:23]
On business alignment:
“Ultimately, if the business said yes to every single thing your security teams wanted, you’d probably end up putting your business out of business because nothing would work.”
— Joey Smith [17:32]
On collective learning:
“Maybe collectively, more brains are smarter than just one brain.”
— Joey Smith [25:53]
On enabling with security:
“We have to leverage AI…We have to leverage it securely though.”
— Joey Smith [30:57]
For security leaders:
Joey Smith’s approach—distilling programs into simple, business-relevant buckets, building board relationships, and prioritizing enablement—offers a practical blueprint for moving beyond compliance and building resilient organizations.