Episode 13: Insider Threats, the CISO's Role, and Reporting Lines
All right. Welcome to Distilled Security Podcast. My name is Justin. I'm joined with Rick and Joe. Welcome to episode 13 here.
Justin:We got a pretty good lineup here and some good drinks that is excellent. We've already kind of sampled it. But wanted to jump into a topic that actually a few of us use this service here. Do you use this service? I do.
Justin:I use Coinbase. Coinbase? No, Coinbase. Okay. So Coinbase had a recent breach just in the past week or so, week and a half.
Justin:And I thought it is interesting. We don't often we don't cover all the breaches. Obviously, you know, that's not what this podcast is about here. But some of the attack paths were interesting. Joe, you want to dive down into that?
Justin:Do you have the notes right in front?
Joe:Yeah. So I think it was just a few weeks ago that they announced this, but the breach dates back to late December 2024 and then went a few months until they figured it out. But the high level is that they had personal and financial information stolen over the course of those months. And it was because they had insiders, an insider threat problem. What they had was people were going after some of their contracted and offshored employees, convinced them to give away data.
Joe:Yeah. That would be For little
Justin:reward on the side and everything.
Joe:A little bit of a payoff
Justin:on the Exactly.
Joe:What it came down to is that stolen data was being siphoned out. And then, you know, they discovered it when the attackers gave them a $20,000,000 ransom demand. Yeah. And then what did they do with that?
Justin:Yeah. So then they turned around, they made it public and put a bounty basically on the hackers for $20,000,000 and refused to pay it out, you know, and everything, which I thought was also very cool, you know, of Coinbase actually. I did like that, right? But, one of the things that I thought was interesting about this is as security professionals, we're always so in the weeds about the technical controls and just securing everything up that we can, always assessing the perimeter, the inside, all the stacks and everything like that. And oftentimes we know the end user is susceptible.
Justin:I mean, we do phishing attacks and everything like that, but from an actual bribe perspective, it's often not on our radar. So I'm kind of curious, from a response to this, if you were kind of CSO of Coinbase, like how do you modify your program to, you know, shore up with this or just your own program? Because you know like Coinbase is a target. Obviously they have billions go through their exchange, so obviously they're a big you know target into this, but that's not immune to people just looking on LinkedIn and see who often your lower paid employees are because that would be easier to bribe than a CEO. You would need a bigger check.
Joe:We're already going to struggle with this. One of the things that they had to do was file a report with the Maine Attorney General's Office.
Justin:And
Joe:that was described as insider wrongdoing. And so what is insider wrongdoing? There's a lot of things that could be there. So overall, I really think I loved a lot of the response that was done. It was very transparent and very forward from how they notified as soon as they figured out what was going on.
Joe:They let their customers know. They told their customers they are going to make them whole and stuff like that. So I think they did a good job from that approach and being very forthcoming. On
Justin:the What? 20 some odd million that they reported was lost through this some of this activity?
Joe:Yeah, I'm not sure exactly how much, but the yeah, there was a There
Justin:were people that experienced loss. Yeah. Right. And mainly the attack vector was, from what I heard, is that they're basically taking this money and going after and phishing the individual on
Joe:Social engineering them.
Justin:Saying, I don't know what the actual attack path was, but it could be like, hey, we're from Coinbase. Right. You know, we have all your information. Here, we'll confirm it with you. Yeah, validate your customer number right now.
Joe:And now,
Justin:give us your encrypted key.
Joe:And but from the inside, so your question was, what can you do? And really comes back to what do you typically do for managing an inside or building an insider threat program? So it's and we were talking about this earlier. I don't think there's just one thing you can do. No, no silver bullet to be able to stop some employee who wants who succumbs to being bribed to give up information.
Joe:But then it's much like when you have, say, hospital personnel and systems and famous people who are in the medical record system. And then somebody hears that so and so is at the hospital. Well, somebody goes and looks them up. Well, should they be accessing that record? Are there tools in place to detect people who aren't authorized to access?
Joe:They're authorized. Their account will let them look at a record. Right. But do they have a need to actually look at that record? And so could somebody like Coinbase or an org that has that kind of a structure put things in place to say, oh, well, you should access your the customers you're responsible for, but nobody else.
Joe:Unless maybe there's some kind of path to to gain that access.
Justin:Yeah. Yeah. And I I think it's interesting. Like, I worked it was a while ago, probably in the late 2000s with a convenience store that had a pharmacy attached to it. And they got pegged by the HHS.
Justin:I forget if it was HHS, the same as, but they're essentially the same organization. They got pegged by them because their employees, their nationwide company, they had employees looking up like Brad Pitt or something like that. And they some stuff in there that was interesting. They had like kind of a blacklist, you know, of like they just populated with celebrity names and all that stuff that would be, you know, common red flags into They also put like a region, like if, you know, say Brad Pitt had a place down in wherever he lived in Los Angeles or something like that, they had a mile radius around The geolocking. You know, of thing that'd be like maybe alright.
Justin:But if it was like back in Minnesota or Maine doing that, okay, a red flag for an investigation. That doesn't mean that it's not legit because we go on vacation, get a prescription refill, maybe, you know, type of thing. But yeah, they put in some stuff to basically be investigated into that. And they got fined for some of the stuff with it because they didn't have enough protections according to HHS at that time there and everything.
Rick:Interesting. Yeah, I think a lot of it from an insider threat program. I mean when I think about insider threats I go okay, what are we actually stopping here? And there's two sides, right? It's like people intentionally doing bad stuff but then also like accidents, right?
Rick:It's easily overlooked as security people are like, Oh, bad people are doing bad things. I need to stop them. But mistakes, I mean, a privacy perspective as a for instance, right? You misforward an email that has personal information and now you have an issue.
Joe:Now, that non malicious and
Rick:stuff like Not malicious at all, right? So when I think about these programs, the They banner on it, right? Right, yeah. The top one and the bottom one. It's like, hey, this came from outside and
Justin:then hey, you're not on the lookout if you're not supposed But
Rick:I think the thing I keep coming back to is understanding what normal looks like, which is a super hard question. But a thing that I keep kicking around in my head is because I love leveraging things that already exist to enhance the security program. So the thing I keep kicking around in my head is, well, what if job descriptions weren't just like these static documents that don't intentionally necessarily always reflect reality and all that stuff? And you could use them to define what normal actually looks like to an extent. And then tie various alerts around what normal looks like or doesn't look like to those documents.
Rick:I mean, in theory, you should always you should already have a lot of that. Right. In practice, I've seen a lot of organizations where there's a giant delta between the hiring paperwork and what the person actually ends up But
Justin:this goes down to like, we talk about behavior and everything like that, but most tooling that we're talking about is like homegrown or party and they don't build that into the tooling there. They're more like bells and whistles. You click this button, it does something. Now you're building into rules that is more behavioral based. I don't find a lot of companies at the normal level will actually have that even functionality built into I'm
Rick:not suggesting it's normal. I guess I'm thinking though that I think I'm not suggesting that it's normal for companies to have a good insider threat program.
Justin:No, right.
Rick:I think a lot of programs but when I think about it, it's like, okay, well what are the systems that are typically used to watch behavior and alert if something weird's happening? Okay, it's like some SOC stuff. So in my mind, if you have some particularly sensitive data or some particularly sensitive areas of the infrastructure, whatever that looks like. I mean, we already build alerts to be like, Oh, someone's messing around with that high security zone and they shouldn't be or whatever. This is just kind of like moving that, I don't know what you would call it, a layer up or a layer down, but to more the application layer, the business data layer.
Joe:Well, I think you just invented something new. A little bit ago, I just heard you say we need JDAC. Job description as code. Yeah.
Rick:I mean, I think there might be something to that. I mean, obviously, there's a lot of job descriptions to clean up. But knowing what normal looks like and people do all sorts of stuff with statistical measurement and baselines and activity monitoring and stuff like that. And I always think every time I do that, I think that's cool. But what if the threat was there before I put it?
Rick:What if the bad thing was there before I put in the baselining? I'm like, Oh, well, bad is the normal. So it remains bad and that's still normal. It's like, that's not great.
Justin:Yeah, I guess. I mean, so what you bring up like with a SOC and everything, that's going from unauthorized to authorized, you know? And there's a clear gate you're monitoring for. Yeah, absolutely. Some of that stuff.
Justin:But in these oftentimes insider threats, you're authorized to authorize, you know? Well, it's just that particular use case that they're, you know, not looking it up and there's not like a good tie from the call center or, you know, like, Hey, I got a customer right in front of me. Do I have to swipe their ID to basically get authorized to the record? Like, That's not usually how the systems work.
Rick:Yeah. I don't know that the SOC stuff is necessarily like a full stop on a gate.
Justin:I get that. But when we're talking about an insider threat, it's usually about abusing the permissions that they already have for legitimate purposes. Whereas, you know, other times it's easy to look at, you know, from an unauthorized perspective trying to get access, you know.
Rick:Right. Exploits, like exploiting technology, make it do something it shouldn't do is definitely a different threat vector than doing something technology allows you to do but you're still misusing your authority to do it.
Justin:Right. Exactly.
Rick:And you have to watch them both kind of differently. Misusing authority you have. I mean I've set up elements of infrastructure before from a monitoring perspective where like, okay, well, the HR team needs access to this very specific folder because it has board of director information in it. But like, obviously there's IT administrators that can get to it. All right.
Rick:Well, what are we going to do about that? Well, if anyone ever looks at it, who's not part of the specific HR team or if permissions ever change, we're telling the right people in HR about it. Right? So it's like, do you like completely say no to it or whatever? No, but you can probably set up some alerts and alarms and things like But what's normal look like I think is a hard question.
Rick:And I just keep kicking around in my head. It's like, I think a job description should start to get close to that. And I'm sure there's a way to leverage that. All right. I believe there's a way to leverage that.
Rick:The only other thing that I have from an insider threat perspective that's okay, but not like amazing is I think of it like the sign in the convenience store that's like you're being watched. Right? And so this is internally advertising and maybe sometimes being slightly, potentially even being more aggressive about it than you actually are in reality. But advertising, hey, we're doing audits. We're watching what's normal.
Rick:Hey, if you do something that's not normal, there's very little tolerance for it if it's intentional. Mistakes are mistakes. And by the way, we're going to try and help you not make mistakes too. But I think making sure that you're broadcasting internally with some level of frequency, hey, we're doing audits.
Joe:Hey, we're Your suggestion should be part of your awareness program.
Rick:Your comms program. Exactly right.
Justin:So, when you say audits, what do you mean by that?
Rick:Well, reviews of activity.
Justin:Okay. Gotcha. You're not actively trying to bribe somebody to see if they fall for it?
Rick:Oh, no. I mean, that's interesting. Yeah. I think there could be some ethically ambiguous interesting tests to do there.
Justin:But but I haven't done. We're not not quite. I don't We're we're stepping into lawyer territory. Yeah.
Joe:Well, you know, actually, I've had some I haven't done it. I've heard stories of other people who run other kinds of security companies that deliberately go out and do stuff like that. A story was high level exec CEO said, I wonder how vulnerable I am to my whatever COO or whoever to disclose something or do something. And so long story short, I think from what I remember is a long time ago, the person, the security person who was hired ended up hiring a woman to go out with this person and get information and then get that information in a way that allowed the security person to use the creds of that person, that COO, to break into the company and do stuff. And when we reported back, it was man, I thought I could trust my high level execs, but apparently, I couldn't.
Joe:And that story didn't end.
Justin:Exec gave his credentials to a woman he just met? I don't even give my wife my credentials. I
Rick:could see. I don't know explicitly of, but I could see certain government organizations or positions like that doing some sort of fraud pressure testing in terms of how susceptible are they to money? How susceptible
Joe:are I wouldn't
Justin:say it was just the
Joe:time they met, but it was probably curated and it was a large amount of, you know, this the security person was paid a large amount of money, but a lot of that money went to hiring people to
Rick:Pretty intense.
Justin:I was just curious. I mean, if she got access to his house and then to the laptop, whether she could like take his credentials, you know, off of that.
Joe:Yeah. Don't have the specifics how she got it and how it was used. But yeah, it
Justin:I would find it odd that they would just disclose that. It probably not like red flags.
Joe:It probably wasn't that clear.
Justin:The dinner date in Sneakers. Have you ever watched that? Oh, yeah. He's like, you know what word I love for you to say? Passport.
Justin:Passport. Great. We're done.
Rick:That's so bad.
Joe:Exactly. So well, another part of this whole story that I found interesting and it comes back to what's the real value of dealing with these breaches? How's it going to impact your company? So did you check out the stock price? Well, the day that it was announced, their stock dropped 7%.
Joe:But within a couple of days, it was right back up. And so Coinbase got a twenty four hour time out from Wall Street for the breach. But they were joining. So the idea is the day that they announced it, the next day the announcement was they were joining the S&P 500 on May 28. And so what that brought around was the stock jumped right back up.
Joe:And a lot of it was that investors, when you join the S&P, there's all these funds that have to invest in an equal amount of money. And so tons of money went into Coinbase the day after the announcement. So with that, I mean, how many times have we seen a breach? The stock goes down and then you look back a month later and you're like, it's recovered. So there's no
Justin:There was a talk years, years ago that I saw at ShmooCon that it was like, breaches are good for you. And he basically did a full analysis on a lot of the big breaches. And back in the day, I think it's a quicker recovery time now than it was back then. But you look at a year and over 90% of them were over what they were before the breach occurred and everything. And then he made an argument that their security is probably better than some of their competitors now because they basically were forced into maturing into that through either regulators or just public pressure and all that. It was an interesting argument.
Rick:I saw a number that the Coinbase estimate on recovery stuff. And some of this is like paying back money that was lost and stuff like that. But general recovery stuff was between like $180,000,000 and $200,000,000. And I'm like, wow, well I can't imagine that's all lost funds that they're paying back, right? So in terms of like never letting a good crisis go to waste, I do think there's some truth there, right? You're saying, hey, well, if there's ever a time to invest so you don't feel that pain again, it's top of mind and you typically can do some good stuff.
Joe:Yeah. And oh, my mistake, I said May 28, that's today. But May 16 is the day that they
Rick:Oh, that they went.
Joe:Went on to S&P. Gotcha. Yeah. Yeah. Another thing I thought was interesting is, you know, they had to do the 8-K filing for the breach.
Joe:And I was reading a different article where they were scrutinized. Like it was a super concise report and you see these all the time, you said. They're never super Yeah,
Justin:actually there's a service. Maybe I'll post it up in the show notes and everything like that. But you can actually subscribe for free and you get an email anytime somebody files an 8-K for some type of breach or mishandling or something like that. Yeah. Go ahead.
Joe:Yeah. It was always just that they were criticized for being thin and late, even though they were really hitting in some of the timelines. And I think the DOJ was going to be looking into some stuff.
Rick:Yeah. I mean, I think overall, it seems like a pretty good response. Like the 8-Ks thing doesn't necessarily Whether a lawyer is writing it directly or very closely working with the CISO to
Justin:write it. And oftentimes, if you look at the Change Healthcare and like some of the stuff that they were posting up into that, like I don't know how long it's limited to the 8-K, but they're all paragraphs long. Like a paragraph, two paragraphs. So they don't go into in-depth. And they oftentimes, if they do have some breach, they're posting up at some public site to give more information, whether it be as simple as a blog post that goes into it or they dedicate a whole section of their web page. There's a different public response.
Justin:Exactly. You know, into that. Like, yeah, given the 8-K, I've seen criticisms before and all that stuff. I think the direction is basically like you need to give enough details at any, what is that reasonable A reasonable person. Yeah.
Justin:A reasonable investor would want to know. Right. You know, and it's like so you give like that detail and like, what does that mean? You know, type of thing. Yeah.
Joe:And so, you know, I'm just looking at some notes. They did disclose it within the four day rule, but they waited six days to tell their customers their personal data was stolen. So, you know, is the gap that they're really important, you know, December of 2024 till just a few weeks ago that this bad thing was happening. Then they just realized it. They put their report out, but then they even waited a few more days till they So which gap really mattered there?
Joe:I think it might have been the gap between the time that they knew and they didn't inform the customers while
Justin:they
Justin:could be getting
Joe:Everybody
Justin:follows the 8-K, you know, filings. Weird.
Joe:Yeah. Well, they did. They actually did follow the 8-K filing,
Rick:but yeah.
Joe:They just waited a few more days
Justin:until they're done. Yeah. Like, not all our customers follow that.
Rick:I mean, big breaches I know have, particularly with respect to personal information, I think it may, have like timelines associated with from like a privacy perspective. Like, hey, you got to tell people about these things this time. Like, That's one of
Justin:the crazy things about it. Like everybody's so different in their times. I think we're kind of settling into a three to four day window, but I've seen customers demand twenty four hours. I've seen it's all over the place. You know, I wish we would have an industry standard.
Justin:Yeah. I'll just be like, here's the timeline.
Joe:Well, that three to four days is the four day SEC is after you realize it's material. Right. Which how long is it? Which long could you say it takes to understand like what the actual breach is if you're
Justin:have Whatever you want. As long as you have good lawyers, I'm sure you could argue. Right. But that was just
Rick:the one thing. That extra two days of like disclosure for like telling your customers and stuff like, well, it could very easily still be within whatever those rules are because it's not necessarily governed by the same thing. It could even be early. I just don't know.
Justin:And quite honestly, I mean, even though it's an additional six days, you even mentioned they're covering all their customers. So from an impact, like between those six days, were there any customers actually impacted in those six days? Maybe, maybe not type of thing. But they're still covering them whole. So what's the damages?
Justin:Well, there's
Rick:different legal obligations to customers as there are to shareholders. It's just different things. It's a different type of customer,
Justin:I suppose. But yeah.
Joe:Yeah. There was one other part of this which I was reading about, and that's the makeup of audit committees and the board of directors. And one of the things that Coinbase got knocked on for a little bit is that their audit committee is the one that's chartered to hold the responsibility for cybersecurity. Yet there's nobody on the board or the audit committee that has direct cybersecurity expertise. Yeah, that was the same thing.
Rick:That's what I was going to say. Although it'd be good often if they did, I suppose, to some extent. Like one, if the report's flowing upward in the way that it should, typically it shouldn't be terribly necessary to have like deep cybersecurity experience. You should know enough to not get snowed at the board level. But I agree with what you said too.
Rick:But the vast majority of organizations I know, even on the audit committees, the cybersecurity knowledge is cursory at best.
Joe:Right. Well, one of the things that I was reading about and it's I wanted to see what you guys thought, but what do you think about the board of directors having a separate from the audit committee, cyber and risk committee and having security be on that committee instead of it being handled as part of the audit committee?
Justin:I like that idea.
Rick:Yeah. I've seen that before. And I actually think it works pretty well because one's more the Operationalized. Yes. Operationally.
Joe:I think I had trouble with that last Yeah.
Rick:Well, I'm doing it now. Man, this stuff. It is good. But, you know, the execution of security, whereas whereas the other one's the audit side of things.
Justin:Well, and I think the way I think of it, one's kind of looking backwards, like where we're at standing and one's looking forward. Exactly. Yeah.
Rick:I do like that as a thing. I don't know how standard it is yet, but I've seen it Oh,
Joe:don't think it's standard much at Well,
Justin:it's not required, so it's definitely Yeah. Not standard and everything. So yeah, you'll see a lot of audit committees have their hand in a lot of the security stuff and everything. But yeah, it's here and there. I don't know.
Justin:Most boards I've interacted with don't have a great grasp of security. You give a presentation a whole bunch of risks and stuff and more often I've seen just crickets. They're like, okay, you know, maybe a couple of questions here and there and that's
Joe:about So
Justin:we're good? Yeah, yeah. So we're good. They're like, no breaches, right? You got us from a breach standpoint.
Justin:Well, you know. But yeah, the ones that actually have direct cybersecurity is usually within the industry. Like if it's a SaaS tool involved with security or something like that, you'll see people with security because they're in the industry moreover than their security experience. But
Joe:it's a growing trend, I think, to start getting cyber expertise on the board. Even some of the NACD and the Digital Directors Network, so the National Association of Corporate Directors and DDN, they're both pro getting more insight to And I believe some of the what were you going to say?
Justin:Yeah, I just to what end? You like you have your execution team doing that. You're hiring staff among people.
Joe:You might be, but not all companies. So the idea is that the board needs to make sure the organization's being directed the right way and looking at these things. And If you don't have somebody on the board who understands how to talk to that person and understand what they're saying, it becomes less effective. They're trying to increase effectiveness by having somebody on the board who can actually have that conversation.
Justin:You're looking at somebody to challenge a CISO. Or to partner with the CISO to give them Yeah. Guess just be that kind of check Conduit.
Rick:To understand if something's wrong.
Justin:Right. Exactly. Yeah, yeah. Maybe not a challenge, yeah, need that kind of sounding board off to make sure that they're not just blowing smoke. Yeah.
Rick:But I do like that as I do think it's a trend that hopefully continues. I think it's good to have that expertise, but I don't think it's common right now.
Joe:No, it's not. So I would say that if a CISO and you're looking to think about what your next moves are gonna be, think about how you might get involved with a public board. I think they are paid positions and they're looking for that kind of expertise. So it's definitely something that's growing in demand.
Rick:Yeah. Definitely a good one there.
Justin:Any other thoughts on that? Think we've done pretty good not really. Going to introduce our next topic, Sami Yeah,
Joe:the next topic is about Speaking of CISOs. Yeah, Safeguarding CISO communications from legal liabilities is something I was reading, you know, in an article we were discussing a little bit. And, you know, as a contrast from Coinbase maybe being a little reserved on the stuff they put out there, some CSOs may take it a different direction. And is that always a good idea to not be reserved in some of your comments? Or how can over talking and maybe exaggerating how bad a situation is or how good your controls are put you in a good or bad situation?
Justin:So I often think, off, the CISOs should probably not be setting the tempo on this. They can be an influencer into it. I tend to agree with how just for example, Coinbase, I like to share more when it's not directly hurting whatever the investigation is or anything like Nowadays I think people are just kind of overwhelmed with information and the more you give, the more trust you build back quickly.
Joe:But should the CISO be given that or?
Justin:No. No. Right. That should come from the CEO, from the direction of we should share more, not less type of thing. I think actually Brian Armstrong is the CEO of Coinbase.
Justin:He does a good job of being very transparent in a lot of that type of stuff. But if you're a CISO, that's not your call a lot of the times. Honestly, I don't think CISOs get paid enough to actually put their neck on the line from a legal perspective or from an executive perspective there. But they can say, hey, I think this is what we should do into these situations here to help build back trust. But if you get shut down, there's not a lot you could do into that.
Joe:Right. Well, part of what I was reading was an article where they were talking about the SEC cracking down on, and we talked about this before, SolarWinds.
Justin:And
Joe:part of it was their CISO made some statements public speaking, talking about implying how good the security was, things like that. And then later, they had a breach. And at that point, instead of being very factual, choosing words wisely and using precise but neutral language, not saying, Oh, this program is a mess or, Wow, we're really locked down here. And then making that become like the public idea of what has happened, I think can become a problem if you're not reserved and cautious on the words you use and even where you write them and how you where it's being recorded.
Justin:Yeah. And I think, I mean, goes like I mean, this goes to forget about CISOs. This goes to anybody doing public speaking on behalf of the organization. Like, I think if you're doing any public speaking from a company perspective, you should almost go through training. Your corporation should put you through here's what to say, what to not to say type of thing.
Justin:Be careful of promising the world and all that stuff. Because, yeah, SolarWinds got in trouble because they're like, we have perfect security. They're like, well, no, it didn't look like it, you know, type of thing. So, if they did words like, hey, we're really serious about security. Are we perfect?
Justin:No. Are we always trying to improve? Yes. You know, like, type of thing. And I think if they did more verbiage like that, they wouldn't be as into that trouble there, you know, as a kind of a, we're always improving type of thing.
Justin:Like we're not perfect, but
Rick:we're I think that's right. Part of the thing is like knowing where you're communicating and communicating appropriately for that venue, right? So yeah, if you're doing board disclosures or financial disclosures or your board reports or whatever, like you should be extremely precise in that language, right? I've seen some things with respect to like the SolarWinds stuff is like, oh, some internal communications were then deposed and they didn't connect or they didn't reflect or align that well with the things that were publicly disclosed by SolarWinds. And that's the allegation, right?
Rick:Like, hey, you didn't tell the full truth to the public through your financial reporting. And we know that you didn't really feel that way because you had these internal communications that say that. And so I've seen some things that sort of suggest, oh, well, yes, you need to be more guarded in your internal communication, stuff like that. I actually think that's taking the wrong lesson completely from the situation. I think if you start to treat every email like a contract and every Slack message as though it's gonna be under deposition, that is a surefire way to have completely inauthentic communications with your teams.
Rick:Although you don't have to be like fully imprecise or blow things out of proportion or whatever, I think you will lose people completely as a leader extremely quickly. And if you're inauthentic as a leader, they're gonna be ineffective as a team.
Justin:And that's just, I've seen it over and over, right?
Rick:Good leaders are authentic and people trust them and that's bidirectional. So I think it's actually okay to say what you actually think in internal communications. The lesson I think you need to take is, and again, I'm not exactly this did or did not happen. This is the allegation. But I think the lesson is if you are in a position that's responsible or partially responsible for reporting the state of the company from a security perspective in these official documents like financial filings, and you're getting pressure to make things sound better than your internal communications reflect they are, you need to square that circle,
Justin:Right? So lean more toward legal writing it than marketing?
Rick:Well, to some extent or you need to be fully upfront with legal. Or if legal and your CEO are pushing like you need to have something on record internally that's like, Hey, you know, I disagree, but ultimately this isn't my call, Right? If you guys want to write it this way, okey dokey. Right? How long are
Justin:you going to last at an organization when that's a conversation though?
Joe:Agreed. How long do you want to last at that organization? That's what
Justin:I'm saying. And I think that's Whether forced or voluntary.
Rick:But I think that's the key. Like it takes a lot of courage to go against the grain if like financially people are demanding, No, we can't say a bad thing about security or else our stock will look like XYZ. But you're in that seat because you should have the courage to do that. I think the lesson is your internal communications. They don't have to directly reflect exactly what you say in the financial reports.
Rick:But I think if there's a giant gulf between those two things, there's a problem. And I think you need to figure that out.
Joe:Well, totally agree with you. What I think everybody needs to be aware of is while you're being very transparent and straightforward with your communications, you need to realize that maybe not everything you say should be on a recorded video.
Justin:I think that's absolutely
Joe:true. Not everything you say should be totally typed up in the No, because I'm not disclosing. Okay. Gotcha. Soon, I'll get Rick to disclose some stuff.
Justin:Yeah. Yeah. Yeah. Good. Good.
Joe:But and and sensitive topics, you know, you probably don't wanna put everything in in Teams or Slack either, but there's a right time to have a conversation with everybody in a medium that's not being recorded and therefore not being the discoverable piece, especially while you're trying to figure things out and talking through it.
Rick:And that also goes for M and A discussions and specific HR actions and things like that. Like you don't just write down and record literally everything.
Justin:Well, this goes back into we had that previous conversation with like AI and some of the meeting notes like how easy it is like, yeah, let's just jump on a Zoom call, which typically is not recorded, but then somebody summarizes the notes and everything. Now it is. And
Joe:when the notes are wrong and they misconstrued what somebody said, then and you don't correct that, that actually becomes a record. And now you have to argue and defend that that record was wrong.
Rick:Well, you're totally right. And that's like new fear unlocked that I have to, like, review everybody's summarized notes from every meeting now. No, but not. Well, I was just talking to you, but your privacy would just argue in AI
Justin:is so bad now that it didn't understand me.
Rick:But even a human, even a human is
Justin:still type still, you have to go through that extra
Joe:stress I was talking to a head of privacy who may or may not watch this and had mentioned that they have to be very careful when they work with their customers and things are recorded because if there's a dispute later about how the contracts worked and who's written the right or wrong and there's recording and that recording was on the customers, they don't have any access to it. Yeah. And that recording and and we all know that when you're making an argument, the more history you have written down becomes the more true history regardless.
Justin:They're talking about the recording would trump the contract or Well, it's a record.
Joe:Say the contract said, Oh, you shouldn't do this thing or we're going to do this in a certain way. And then something didn't exactly go that way.
Justin:And they agreed to something different on the call. Or even if disagree But it never made it back in the contract.
Joe:No, no. Not the contract set. Happened months ago. Doesn't matter. Now you have verbal agreement
Justin:post contract to modify What
Joe:are we doing? What happened? What are we going to do this thing by? We set the date, something like that. And then it's totally missed.
Joe:And they're like, Well, you said you would hit this date, and I have a record of it that you'd hit this date. And the recording may have misinterpreted January for a different month than June.
Rick:Yeah. Well, and so much of what I'm seeing in those proceedings is even a bit more insidious than that. It's, everyone agreed on the language. It's the interpretation of the language. Oh, okay.
Rick:So what did you mean when you said that? Well, I meant this. Well, how do I know you meant this? Oh, well, I have this recording where I said this. What's your record?
Rick:Right.
Justin:Right. But even though that, I mean, there's arguments on that meaning all the time because definitions aren't They're like put into there. So when we say that you've got to report a critical incident, it's like, well, what's critical? That's not defined in the contract, you know. So that's subjective to It is.
Rick:But if you're going after someone for not doing a thing that you thought was critical and they didn't, and there's a recording somewhere on your system where you define what you think critical is, and it's not defined anywhere else,
Joe:nope. Have a record of this
Justin:is what we agreed to during the Yeah, it could be.
Joe:But back to something you were saying earlier and going back to being transparent with your team. Yeah. I think that's true. I also would imagine that you would think sticking the facts and not speculation are also things you'd want to do in that conversation. Like you wouldn't want to wouldn't want to be the person who's trying to be transparent and telling the team everything but not giving them accurate data.
Joe:I think that's true.
Rick:But like also, if you only speak in fact and never opinion, again, I think that's fairly inauthentic. And I think teams sniff that out and understand. Like, again, if you just treat everything like you're about to be deposed on it based on, like, your internal communications, then that's a problem. Now, again, excuse me, you should be as accurate as possible with your team, but that could be about the facts and also your feelings and interpretation of those facts. I don't think there's anything that wrong with that.
Rick:I actually think that's probably a good thing. And as long as what you're saying to the public in like forums where you're supposed to be very truthful doesn't materially cut against the stuff that you've said in private, then you're fine. And also places have culture and communication patterns are part of that culture. And I think if someone's like, you said this thing once out of context, it doesn't take a complete rockstar lawyer internal to you that has all the internal records and be like, yeah, but he said this same thing a thousand times and this is what he meant every other time. So like, why would you interpret it different this way?
Rick:Is it another thing you have to deal with in a court of law and like the more you're explaining, the more you're losing? Sure. But it doesn't feel like fully indefensible. I think it's important to like be honest and accurate with facts, but also like thoughts and opinions.
Joe:Right. Yeah. My advice is don't record the meetings that have a lot of opinions that aren't going to be a I think that's fair. And then if you do want to make a summary of the notes, be very pointed and factual without having a lot of bias in your written summary.
Rick:That's absolutely correct.
Justin:I totally agree with that. Now, what about like we talk a lot about that communication and everything with like CISOs. What about like protection? Like I've heard of some CISOs getting their own insurance from the company and everything like that for coverage like the SolarWinds or things of that nature or Uber or something.
Joe:Yeah, heard that there's advice out there for CISOs to make sure you're getting covered. You know, try try to see what we can do. Figure out what your like, if you have a C in your title Yeah. Can you be covered under The
Rick:D and O.
Joe:The D and yep.
Justin:Yeah. Yeah.
Rick:I think it's a good thing. I think it's probably a luxury. A lot of people that are like directors trying to become a CISO for the time don't necessarily have the luxury of But
Justin:I feel like seasoned CISOs, so that might even give you a leg up. If you're asking about stuff of that nature, you're going to look at more experience.
Rick:I think that's true, actually.
Justin:And a lot of people, you go into a company, a lot of people are afraid to negotiate. I don't think that's a bad thing. Talking
Rick:Have the conversation.
Justin:Yeah, have the conversation.
Rick:It doesn't have
Justin:to be an ultimatum. I'm here to help you never have a bad incident, but that's not realistic. You know, we will have something probably maybe, you know, type of thing. But hopefully with the stuff we put in place it'll be minimized, it'll be controlled, it'll be well rehearsed by the time we get there, hopefully, you know, type of thing. But if I have to go in front of Congress, whatever the company is, and all this stuff like, I want to make sure you have my back at the end of the day, you know, like with this.
Justin:And I'm not going to be personally sued or liable. Like that was crazy when what was it the SEC went after the Uber guy for that? And there was a lot of I won't rehash all this stuff and everything, but I thought it was really interesting that when he put the ransom under the Bug Bounty program, he had like a five minute call with the CEO, but they didn't record it. But he got banged over the head for doing
Joe:Yeah, no, that was
Justin:an interesting I wonder what they talked about, you know? Well,
Rick:that was
Joe:an interesting case too because not only was a CISO, he was also an attorney who other attorneys who were coming after him said he knew better even in the way that it was structured. That's like one of those edge cases, I would say.
Rick:Yes. Yeah. But I actually think it's potentially good advice to CISOs to be thinking about it, but to companies in general to be thinking about it because I think it's probably bad typically for organizations in general if a CISO becomes personally liable for a thing and is now looking for escape paths or places to place blame internally, right, to the rest of the organization. Like if company themselves is protecting that executive, then they're gonna frankly be probably more aligned with the rest of the company.
Justin:Which is crazy to me because the security department for the most part, does not have operational ability over anything. They can't even patch systems, for the most
Rick:part. Yeah, it depends on how it's set up and exactly. Yeah, but right.
Justin:And we'll talk about reporting in a here. But generally speaking, you don't have security people applying patches to They're not remediating issues that are being discovered. So how is the CISO responsible if they get breached into that and you've done your due diligence on reporting everything out into that.
Joe:Well, that's why I like to think about the CISO's role. And you mentioned what their role might be a little bit ago. I think it's maybe a little bit different. It's to manage information security risk and help the organization to make risk based decisions. In which case, you're more of an advisor to the decision makers who own the budget that can actually make things happen about here's the consequence.
Joe:Here's how we manage risk. Here's how we think about risk appetite. Here's where our risk tolerance lies based on everything I've collected from the organization and based on knowing the organization's appetite for risk, their tolerance for risk, how it will be applied. Now they can make informed decisions when they're going and saying, you know, we have this risk, we have this control in place. If this control is violated, well, that's not a risk anymore.
Joe:It's a nonconformity. And when we have a
Justin:Which in turn raises your risk.
Joe:Exactly. Yeah. I've been having a ton of conversations where I'm enlightening people around that through some of the AEEs I've been on. And we talk about how when a process breaks or control breaks, your risk scenario is gonna increase until you can bring that back under control. So there's not just one effector, but they're both affected and it's interrelated.
Justin:And I'm in full agreement with you on that role in the CISO. I guess I'm looking at it as like the CISO gets blamed because they get breached, you know. And that's an unfair Totally unfair. That's fair. Because if you're educating the risk but some level of business unit isn't implementing the remediation or doesn't, again, that might be their call depending on your organization and the risk appetite that you're setting up into that.
Justin:But if they get breached, why is the CISOs to blame?
Joe:It happens all the time too, doesn't it? I'm very uncertain.
Rick:100%. I think they can be in limited circumstances. I think the two cardinal sins are if you're negligent in your analysis Oh, yeah. Or if you lie about the results.
Justin:Yeah. We're not saying like because there is a layer where they have, you know, responsibility.
Rick:But if you're not negligent in your analysis and you're not lying about the results.
Justin:Right. I absolutely agree. Then you're getting scapegoated, right?
Rick:Right.
Joe:Exactly what happens. So how do you approach that? So this is the problem. We're all afraid of this problem, but Get
Justin:a golden parachute in your contract. Think the way
Joe:we approach it is by being very transparent. Go into these meetings, sit down with the leadership and make it very clear that never go in and say we're not gonna have a breach, right? Nobody would ever say that. But we need to go in and say there's a bad thing will eventually happen. Our goal collectively is to figure out where investments are gonna go to help minimize that risk.
Justin:Right.
Joe:And I'm going to, as the CISO, put in front of you choices you can make. One of those choices that is on you is you just want to accept it. And that's totally okay. I may not be able to continue working here if you accept that risk. That's the decision.
Joe:That's the power I have.
Justin:I'm going help you realize the full consequence of accepting that risk at the end of the day. That was one thing when I was at gift cards and everything. I reported straight to the owner of the company. I always told him this story. I was like, if you wanted to throw gift cards out in the middle of the street, that's your prerogative.
Justin:I am here to help you understand what are the consequences of that. But it still would be your decision. Now I might not work here tomorrow because I don't want to deal with the ramifications of that type of thing. But again, that's your decision.
Rick:But to answer your question, I think the answer to that to a large extent does lie in meeting minutes and accountability around risk acceptance or formal How we're creating meetings again.
Justin:I'm
Rick:all in favor of good minutes. Listen, document your disagreements. Hey man, this is why I think this is a bad decision. You have a different scope of visibility than I do and a different remit than I do. Think it's okay to do it.
Rick:All right. Just want to make sure that
Justin:everybody And I actually kind of agree with that because I've seen so many organizations that they'll have a laundry list of vulnerabilities. Like we talked a little bit about vulnerability management in a previous episode. They'll have thousands of criticals out there for months and months and months.
Joe:Well beyond their standard for remediation.
Justin:Yeah, yeah. Just sitting there and they have the meetings with the teams like, when are you going to fix these? Like, when are you going to fix these? When are you going to fix these? You know, they're like, Oh, we're busy with other priorities, blah, blah, blah.
Justin:That's perfect for a meeting minute.
Rick:Yeah, but that's okay.
Justin:Exhibit A when CISO gets held up. I told them.
Rick:Do you as a CISO think it's a risk? If so, have you escalated and educated appropriately? And if so, did the resources to fix the thing change
Joe:or not? Right. Let's walk that through. So at this point, we've been talking about it as you're the CISO who wants to be there with your company. And at this point, something bad happens.
Joe:Well, you might be deposed. And at that point, you're probably no longer wanting to be in alignment and loyal to that company anymore because you've sat down, you said, look, this is how it we need to do this, we need to fix these problems, otherwise this bad thing is going to happen. Somebody else is the one that you want to be in the shoes of. They're the ones that have made the wrong decision, not you, the CISO, who's brought all the right things. You were very ethical, very upfront. You said, I think we should fix this. We can't fix it.
Joe:Well, let's let's document your decision that we're not gonna invest in fixing that, and the bad thing happens. You're deposed. You have records that say you did the right thing. You push this forward. Those are the kind of records I think that a CISO would have.
Rick:They protect you. They also protect the company if the decisions are made reasonably. Risk acceptance is a very normal thing. As long as it's not negligent, people can be like, why did this bad thing happen? Were you not even paying attention?
Rick:You say, no, we were paying attention. We
Justin:just made this Yeah, we're gonna get beat over the head with it. An incident
Rick:If you're calling the court If an
Justin:happened that you accepted around what you accepted and an incident happened, you're still gonna get hit over the head.
Rick:Yeah, but again, I agree with you on the premise.
Justin:Agree
Rick:you premise.
Justin:You know, that type of thing. But if a serious incident happened where you accepted that risk, you're gonna get hit
Joe:over that. Well, a CISO shouldn't be accepting a risk.
Justin:That's what I'm saying. 100%, yeah.
Rick:That's what I'm saying. And so if you say I educated, a different decision was made, right? Then you can have all these conversations. But I think the key there is you're walking into the room with the lawyers on your team and saying, look, here's the records I have. Here's the decisions we made.
Rick:Here's why they were made. Did I agree with them?
Justin:No. But am I the CEO? Also no. Saying no in that situation opens them up to a whole bunch of lawsuits though. Internal counsel?
Justin:No. No, no, I'm talking about if you're saying like
Rick:I'm gonna say get on listen, when you're on the stand, right, you need to navigate those waters based on a series of factors, including what the lawyers that are on your team are suggesting for you based on the course of action and things you have before. But what I am saying is those records, right, that you have if there are disagreements and they don't have to be ultimatums, they can be very amicable. Had lots of times where I'm like, hey, I think we should do this. And the business as a whole says, nah, we can't do that right now. We don't have the money or we don't have the tolerance or we're do that or we're gonna put it off or whatever.
Rick:Go, okay, well, I think we should do it now. You sure? They go, yeah, we're sure. And I go, all right. I disagree, but okay.
Rick:Like, that's
Justin:Or how about we do this one thing for now? You know, like Well,
Rick:I want to say that too exactly. Because it is rarely is it like does someone just accept risk. It's like, okay, well what can we do to mitigate it? And I think that's a big part of the conversation as well. Well, didn't do this so we had to do this and this and this.
Rick:Did that end up being sufficient? No. Did we hope it was good enough for a period of time? Yes. Like, these are long drawn out conversations.
Rick:But ultimately, I think documenting your disagreements is my point.
Justin:You still have Windows 2003 living in our environment. Do we like it? No. Does it have to be there because somebody has to print something weird and that's the only place that does that? What did we do about it?
Rick:Were we negligent in our analysis? No. Did we lie about our analysis? No. Well,
Joe:I like we're
Rick:doing Yes.
Joe:With all that part because this is where I think IT leaders and security leaders need to get better as they approach the role of becoming a CISO. You have a lot of less experience. I want to say inexperienced, but less experienced security leaders who will look at that single instance of a I like the idea of the out of date, out of service And they're saying this is a risk. But what they're not doing is turning that risk instance into a business risk scenario. Exactly.
Joe:And it's more about it's less about the point that we have a single server that's out of support. But the risk scenario is because we have as an organization out of date servers that can't be patched, we have an increased risk of an exposure or an outage due to that system becoming corrupt or compromised.
Rick:And also flip it to the positive. Think about, okay, what aren't you execute? What features aren't you executing on those systems that maybe the business could use? I think there's a lot of CISOs that focus quite a bit on the potential for technical exploits and the risks in the negative, but missed opportunities or not being able to capitalize on features that exist that you can't leverage because you have an old version of an app on an old piece of software, that's legitimate too, right? And I think you'll get a lot.
Rick:I've seen instances where learning a little bit more about I'm probably stealing future thunder, I apologize. But you learn a little bit more about the business and where and how you could be not only mitigating the negative risks, but doing that in a way that enables positive movement forward. That if you presented it in that way and flipped it around a little bit, you could get a lot more backing behind it because now all of a sudden it's not just, oh, this costs money because bad things could happen. I'm paying for insurance. It's, oh, there's an element of investment here as well.
Joe:A return on investment. If we were to take that outdated system, replace it with this one, stop paying the outdated the extra support money for it. And in the future, we'll reduce our risk of having an outage because of this thing. By the way, the new system actually If we pay for that, we're actually going to be able to get rid of this other software we use. Is that what you're saying?
Rick:Yeah. So get allies in the business that that'll benefit from the things that
Justin:we're Yeah. This is the thing, like oftentimes us from security, we look at like the single pain point, but then it opens up that the business isn't even looking at long term technology stack, you know, and the procurement of what's the strategic involvement going. Because a lot of times, they're like, buyers are well, if it ain't broke, don't fix it. It's like, Okay, that's not good with the rate of change that's going on because we'll be stuck behind and then we won't have any support and then the support we get is going to be super expensive
Rick:type of thing. But the alternate is also true in terms of like, but if we upgrade this thing we can put the new version of the app on and then you'll get this feature. And I guess you didn't know about that but wouldn't that be cool? Then people Oh, that would change my life. You go, Okay, great.
Justin:We're try to But a lot of leaders don't look at the full picture. Agreed. Fully agreed. It's like, All right, here's all our old stuff. What are we doing?
Justin:Are we just going to bite the bullet and pay double the support
Joe:costs right now
Rick:if it even is available. Extended support is a nightmare.
Justin:Yeah. But that's the thing. More and more I see that's not a sit down conversation that people look at and build into their plan. Agreed. It's always like future, like what are the features and buttons and, you know, stuff that we can deliver.
Justin:It's not like, what do we do with the old stuff? Exactly. Like, how do we So use the new stuff
Rick:to fix the old stuff.
Justin:That could be part of the strategy. Absolutely.
Joe:Yeah. So we covered a lot here. We we talked about good communications, appropriate communications, maybe what not to say and when not to say it, at least what venues to be careful. But also, I like how you brought this around to some good risk management conversations, being able to actually use your risk conversation to drive better change. And I always look at the risk conversation to drive action.
Joe:What's the action we're going to take that makes the whole place better?
Rick:Yeah, definitely agree.
Joe:Now, any other final wrap ups on that one? Suggestions for people as they're thinking about doing their job better?
Justin:One thing I had a thought into this with companies that don't really care about security all that much. You mentioned about you get less experienced security people that won't do certain stuff. I almost feel like that's a self fulfilling prophecy. Well, they won't get the expensive CISO. And a lot of CISOs, they'll see the red flags when they do an interview or something like that.
Justin:It's like, hey, this culture isn't really serious about security. I might not get the budget. I won't get the support, whatever it is. So you're left with the brand new CISO for a buck, buck 10, you know, or something like that that has, you know, seven years of experience total in the industry. And it's almost self fulfilling at that point.
Joe:My advice to that person, everybody
Justin:Do virtual CISO.
Joe:What's that?
Justin:Do virtual CISO. Yeah, exactly. Listen to this podcast. Yeah, yeah.
Joe:None of that, really. Those are all good pieces of advice. Do virtual CISO, do the things that we all sell. Anyway, see, here's what I hear a lot. It's how do I get that CISO role?
Joe:Maybe you don't want that CISO role. Maybe you're not qualified to have that CISO role. If you have that C title, that comes with some accountability that may not be there with the director title.
Justin:Exactly right.
Joe:And you may not want to be upset that you just got the director title and not the CISO title. Because if they're not gonna put you on the directors and officers insurance and put you on some of the other safeguards that they're protected by, you may not want that. I like where you took that.
Rick:Yeah. That's absolutely true. Officers are not exactly the same as employees from a liability perspective.
Joe:Yeah. Sometimes they're just unlucky.
Rick:That's true too.
Joe:Speaking of unlucky,
Justin:what are we drinking here? Oh, we're drinking something lucky.
Rick:Are we? Great segue.
Justin:All right. Yeah. So today what we're drinking, we went back to the Widow Jane with that. If you recall in previous episode, we had the Black Opal, which was
Joe:good stuff.
Justin:It was delicious and everything, but we can't do that every episode. So with this one, we're doing the Widow Jane Lucky 13 in honor of our episode. It's aged for thirteen years. I saw 13, 14, depending on the website you're looking at.
Rick:It
Justin:is delicious. A lot of the Widow Janes, they put a lot of emphasis into the quality of the product. Everything is aged quite a number of years and everything like This one I get a lot of sweetness at the front, but kind of a nutty toffee flavor coming off the tongue and everything, it's very smooth. We're often like, whether ice or not into this
Joe:No, was going say that.
Justin:All of us are no ice into here. I'm never ice, but some of the other gadgets I'm often a little.
Joe:Sometimes I like a round chip in order to cut it up.
Justin:Thing. But, yeah, this is this is one that
Rick:It's also a decently high proof for how smooth it is.
Justin:What is it? 46. So a little over 93 proof.
Rick:Yeah.
Justin:So, yeah, it's it's it's not that high.
Rick:Well, I guess, for some reason, thought it's a little higher than that.
Justin:Yeah. But That's the bottle number.
Rick:But yeah. No.
Justin:That's great. Yeah. Delicious and everything, and to the episode?
Joe:Cheers. No. I don't have to have any PTSD from, like, having an explosion happening to this one. That was just the last one. You didn't reach back behind
Justin:you and grab There's always You never know. You
Rick:never know what's gonna happen.
Justin:There's probably still some of that confetti left. I
Joe:still think there's some in this glass.
Justin:I was cleaning it a couple of days after. And then, like, I got everything cleaned up. And then I bumped, like, one
Rick:of the lights. And,
Justin:like and then it just, like, dumped a whole new thing. I'm like, oh,
Joe:come on. That is great.
Rick:That is very good.
Justin:So, yeah. So, I hear there's something coming up July 11.
Joe:July 11. We hit it in the last couple episodes as well. Yeah. BSides Pittsburgh. So, last I checked, we have over 600 tickets sold.
Joe:So what I think is working is the progressive pricing because it started out at what, 20 and around tax time, it went You're saying
Justin:that this time, last time it wasn't that many that you were
Joe:No, we were only about 400 or less than 400 tickets sold thirty days. And now we're a little over just under a month and a half away.
Justin:Right?
Joe:And so we have over 600 tickets sold. So we're ahead of what we were last year. You say you get most tickets sold? Traditionally, we've gotten most tickets sold like the last three to four weeks. So in order to prevent that or at least mitigate that a little bit is we created this progressive pricing.
Joe:Tickets, you can't get them for $20 anymore, but that ended mid-April and until June 13. So on June 14, they go up from the current $35 to $75.
Justin:That's a big jump.
Rick:That's a big jump.
Joe:But that big jump really will hopefully help curb a bunch of problems that we've had in the past. One is not really a problem for us until we get the complaints, but a problem for the people who are showing up want the t shirt that we have awesome t shirts. They have the greatest designs, awesome design people who make these things, and everybody's super disappointed if they don't get a t shirt. But how would we know to order these t shirts in advance if you didn't buy your ticket in advance? Because we need like a month in order to get them.
Justin:The order Are you saying they would get a t shirt with the 75? No. They won't. Thought you were saying that mitigated Right. It's more money and less stuff.
Justin:Who would
Rick:do that?
Joe:Get your ticket out
Justin:of the gate.
Joe:Pay your ticket now. So what I'm trying to do is get you to buy your ticket sooner than later by making it even more expensive to wait. So why wait? The food now.
Rick:Right? I mean The food.
Joe:Oh, we get the best food the casino will offer, the best buffets. And I'll tell you, to get that meal like that anywhere else, it'll cost you more than $35. And we're only charging $35 for the whole day with all the foods
Justin:and all the drink tickets. Never understood that people have waited. Well, so I look forward to all of the events and everything like that. But especially when it was like $20, it was like, okay, I'm planning on this. If something really comes up and I have to miss it, it's $20. It's not that big a deal.
Justin:But I'm going to plan on it and put it in my calendar so I don't get meetings over it, you know, and all that stuff and everything.
Rick:So, get your tickets. Tell your friends.
Joe:Yep. Register by June 13 for $35 so that we can, you know, we won't guarantee a t-shirt after that time. And we still have a few sponsor tables left. Yeah. But they've been surprisingly, we're still getting new emails asking about sponsorship.
Joe:We have
Rick:a handful left. So if you were thinking about sponsoring and you haven't yet, reach out. Well, I'd also say a handful of new one, new sponsors this year, which means if you've sponsored in previous years and you want to sponsor again, haven't got on that yet, please do so because, you know, there's a decent number of tables, but it's not unlimited tables.
Joe:No. And the person who probably is sponsoring is your competitor. So get out there and make sure that you're at least there too.
Justin:Yeah.
Joe:So But yeah, I can't wait for the day. Oh, and by the time this is released, the talks should be out on the
Rick:That's right. All selected, schedules figured out, and we just got to get
Joe:that thing posted. Three tracks. And I think one of the things that happened over the last couple of days is we figured out how to add a few more talks in by Normally, we wouldn't schedule talks over lunch, but we thought getting talks over lunch is probably a little bit more important than leaving that open. More opportunities to go see people.
Rick:Sounds like fun. It will be. It's exciting.
Justin:All right. Yeah. Last topic here. We actually touched about this a little bit and this is something I'm actually pretty passionate about. So, lines.
Justin:Where should the security organization live within the company?
Rick:Are you asking me?
Justin:Sure.
Rick:The right place. It depends. It does. I'm the ultimate consultant. It definitely always does.
Justin:Good idea everybody does.
Rick:Yeah. So my thinking on this, I'll sum it up by saying a thing that a gentleman named Alex, who we both know very well, has said a bunch of times in the past, is like at the end of the day, I think the CISO is a risk role. And we've touched on this earlier, and ultimately it should be a business risk role, as all risk is business risk, right? It's not just technology risk, it's not just security risk. So I think if the CISO is naturally equipped by personality and training to speak the language of the business, they can report anywhere.
Rick:It's fine. If the CISO Well, not anywhere might be a bit strong, but any reasonable place. My lawyer came out right there.
Justin:Fair, fair, fair, fair, fair.
Rick:Guys, this is Don't depose me on this conversation. Anywhere, anywhere. But I think, honestly, I've seen All
Justin:right, reports to the janitor.
Rick:So I mean it could be chief risk officer, it could be a direct report if it's to the CE, if it's a technology organization. It could be to the CIO if, again, they're naturally equipped to speak business. It could be the CFO. I've seen it in legal teams and compliance teams, all sorts of places, right? I think the key though is the CISOs that in my opinion have the worst time of it in terms of actually getting a seat at the table are the CISOs that grew up as deep technologists and never made the pivot from technology stuff to business risk advisement.
Joe:I agree with that. And if you're reporting to the CIO, you're more likely, not always, but more likely to be caught up in not being able to do that business speak.
Rick:Yeah, you might be allowed to nerd out
Joe:all the Yeah, being forced to do it. So the article that kind of spawned me to think about this as a topic that suggests is there's been a growing trend of people potentially reporting to the CFO over the CIO. And why is that maybe advantageous? And so some of the things that we were thinking about and talking about is, well, the CFO naturally goes through their work understanding business risk budget controls. And they need to put They're probably a little bit more likely than the CIO or maybe even the CRO to be the ones who are talking at the board meeting and preparing board materials.
Joe:So if you wanted to almost be forced into changing your paradigm from the way that you're thinking about risk and turning into business risk, if you were reporting to a CFO instead of a CIO, you're naturally going to be pushed by that person who only knows how to speak in those ways.
Rick:Because your manager is going to set a different tone.
Joe:Exactly.
Justin:And a lot of CFOs, I mean, they're naturally drawn to the risk, you know, like Absolutely. How much are we putting on hold? How much are we putting in an investment and a treasury? You know, like, what are we putting where to execute the right strategy?
Rick:You know? It's the same thing we talk about. If I only have $10 to put somewhere, where am I putting it? And it's the exact same thing we talk about in security. If I only have $10 or ten hours or whatever, how do I make it go the furthest?
Joe:And it's easier to get a budget when your boss is the one who controls the budget.
Rick:That's not untrue. Yeah.
Justin:So yeah, and I don't think that's bad. I think it's better than the CIO a lot of the times. Where I'll disagree with you on the Anywhere thing, so I think of it a lot of times as an institutional type control. So when you're actually putting in segregation of duties and the oversight into certain functions of the business, you might have a great CIO that really incorporates security, puts priority on it, gets the right budget, everything like that. But you get a new CIO and that won't be the same case type of thing.
Justin:So in that circumstance, you want security to be outside to put some checks and balances into it and say, okay, you're making poor decisions. You're not patching. That one of those 2003 boxes is still hot in the open. Now if I report to the CIO and he's making the decision, like, Yeah, we're just keeping it there type of thing. All of a sudden, I have a conflict of interest.
Justin:Am I getting the right raise? If I'm too loud, will I be kind of ostracized in the organization? There's institutional conflict that you build up building
Rick:a bad I don't disagree. I think there's the opportunity to have a bad boss anywhere though because I mean, could report
Justin:to the CFO and they go, Yeah, but no, we have these rates in this So
Rick:we're giving you $0. And like, it just, you know,
Joe:Well, one of the So I have a couple of different arguments and they actually are counter to each other. With the separation You
Justin:argue with yourself.
Joe:Yeah, I do that a lot. The CIO, they want speed, and the CISO. You know, their job is to, like, safety of the organization from a risk perspective. And so, you know, reporting to that CFO lets you raise that red flag without having to jeopardize your potential reporting, conflict. However, on the other side, why would it be better to report into the IT department?
Joe:So we know how IT departments work. And we know that when you're part of the IT department and you're sitting there and you're able to have those conversations, you're probably going to understand a little bit more about what's technically going on, what's happening. Whereas if you're only occasionally you're in all the meetings. You're in all the team meetings if you're part of the IT department. If you're outside the IT department and you're occasionally meeting on maybe every two weeks or monthly basis and you're getting those updates for what IT wants you to know, you're a little bit less in tune.
Joe:So how does somebody who reports outside of IT stay as in touch with the goings-on inside of IT?
Justin:You need the right triggers in place. I think that's a poor argument into that to say like, I just need to be in all the meetings just in case to hear something. While you might be right factually, that's a lot of sunk time for the just in case, which means you don't have good triggers in place. So when a new IT project kicks up, there should be triggers in place that security is aware. You get the PMO involved.
Justin:You get finance. There should be triggers in certain areas of procurement. Security should be a player into that that says, what is this new vendor we're bringing in? What is this new software we're bringing in? We need to make sure that it fits within our security posture and doesn't degrade it.
Justin:Really good points. But sitting in all the meetings just to catch an occasional, and we're bringing on this vendor here. I'm like, what? Well, I'm not saying sitting over the meeting. Yeah.
Justin:But if you're I'm thinking like you're But
Joe:if you're part of IT leadership, you're in the right amount of IT leadership meetings where they're making decisions.
Justin:But I think different decisions like
Rick:Yeah.
Justin:But I think then you're Because you could be in that room without being in like the organization, you know, to be But nothing preventing that. But it's
Rick:the same mechanics. I think you're basically saying very similar things, right? Because you asked, hey, what should you do if you're not there? And you're saying, here's some of the things that are important, right? So, I think that's kind of thing.
Rick:But you're right. It's the triggers and then the relationships. And that's no matter where you report. If you as an executive officer aren't building triggers and relationships with your partner orgs or you don't understand who they are, you're not doing your job. And that's if you're a CSO or a CIO or a CFO or whatever your role is, if you're an officer, one of the things that one of my mentors told me that has always resonated was the higher up in the org you go, the less time you should be spending with your direct team and the more time you should be facilitating with other teams.
Joe:Yes, absolutely. You're to be working outside your department more so than inside. Yeah.
Rick:But I agree. Like on a mechanics perspective, it's going to be all triggers with other departments and recurring relationships, whether it's just
Justin:to say hi and check in or say, hey, what's your department doing? And ideally both. Yeah, yeah. And bribes are okay in this department. I've actually given the Defined advice.
Justin:You mean donuts and lunch? Right. I mean building relationships type of thing. I've actually like there's a lot of things that you can do to give little gifts. If somebody's a bourbon lover, give them a bottle.
Justin:If somebody like I've had people that I knew were like out sick, I'd send them a soup basket type of Absolutely right. This is outside of my immediate organization. You break down so many walls and no matter what, when you're calling next, they will pick up a phone. Whether they do something for you or not, it's another thing, but they will absolutely pick up the phone for you.
Rick:I agree with that so much. Some of the best things I've ever done from a relationship building perspective, and this is more like manager, senior manager level is I had a couple buckets of different candies on my desk and they typically tried to reflect things that I knew were popular, right, by different people. And so if someone had an issue or something bad happened, come to me and I'll give you candy to tell me,
Justin:right? You're the creepy guy in the van.
Rick:Yeah. Probably I could phrase that better,
Justin:but yes. Children and free candy. No, but
Rick:seriously, it's a conversation, sorry, all that stuff. I mean people make relationships over food, but if you're also super busy like maybe that shouldn't be a full meal every time someone wants
Justin:to cook you and it's just like
Rick:a little snack.
Justin:You have to use discretion on how you like exercise that and everything.
Rick:But I'll also say like but also if you're not located in an office but you work with a lot of people in that office, send them something. Send something for the office. And there are stories people will tell about a candy that I really liked that nobody else apparently liked. And I sent them a couple of things and it became a joke, right? Like, oh, are you gonna give me like the Reese's cups?
Rick:No, like little ginger chew
Justin:or something. I think they're awesome and delicious, but
Rick:I really like ginger. So, is this a conversation where I have to eat do I get to eat a Reese's cup or I have to get a ginger those
Justin:pink and purple things that used to be like oh, no. There are some random candies out there and everything. But this is type of stuff
Rick:you can talk about. It's relationship building. That's
Joe:my I was going to say that. Yep, absolutely. Relationship building trumps reporting lines 100%.
Justin:Yes. And I agree. I guess, again, I look at it more institutional, like protecting against the next person. You can have a phenomenal boss in any situation and that'd be great. But this is the whole argument against a monarch.
Justin:You can have a great king and then you can have a terrible king because his son's an idiot and it's just set up all that
Rick:I would argue though that strong relationships actually end up trumping that.
Justin:Like if you report That's not historically accurate. I've seen a
Rick:lot of organizations where a CISO reports to a CIO that reports to whomever else, right? CEO or CFO or whatever that chain is. But if the CISO has great relationships with internal audit, legal, finance, CEO, all that stuff, the right stuff happens even if there are amicable disagreements.
Joe:Oh, so what I'm hearing is if you're the CISO who's sitting in your office or in your home office and you're just looking at reports and reading articles and you're not making phone calls and getting on conversations, you need to fix that immediately. Yes. Start figuring out who your allies are. Start figuring out who the people who aren't your allies are and make them your allies.
Rick:Right.
Joe:And get out and actually talk to people. If there is an office and you don't go to it, you may be in a better schedule a trip. And maybe your company won't pay for it, but think about the long term. How much would it actually cost you to get to your office? And would that be worth you meeting your goals for the year or not?
Justin:Yeah. Yeah. It's actually really shocking. Like, the people that are at the office, there's so many decisions that are made behind your back going out for a meal or was one company I was part of that they just love going out for cigars. We go out from a leadership and the people that weren't there were out of the conversation type of thing.
Justin:It's just a fact of life. Absolutely right. Like if you're not around that conversation when it happens, you're already going to be behind the eight ball to catch up and try to include yourself in.
Joe:It may not be fair, but it's just how
Justin:It's just how it is. Understand it. Yeah.
Rick:Yeah. But I think that's absolutely right. If you're not building those relationships intentionally and regularly, you should really think about that.
Joe:Yeah. Yeah. Well, I like how the conversation today went from, you know, what's happening with Coinbase to talking about, you know, whether they disclosed fast enough or told enough, to what the right things are you should talk about. And when you're trying to get support for what you should talk about, where you should report. This kind of brings it all around to lots of things I think aspiring CISOs could think about when they're looking for the next position and even have a chance to mold a position.
Joe:What do they want that to look like?
Justin:Yeah. I think that's right. Yeah. This is a good episode for a CISO talk and everything.
Rick:Yeah. And a great drink to have it with.
Justin:Yeah, exactly. All right. A wrap?
Joe:Think so. All right.
Justin:Yeah. Thank you everybody for joining us. Don't forget to like, comment, and subscribe up to it. It really helps our numbers to see with that who's subscribing up. You'll get instant notification when we post up new stuff.
Justin:And stay tuned for next one, episode 14. We got a pretty good topic that we talked about today. I don't want to say it yet but we'll disclose it here and I think it will actually be a very popular topic. So, stay tuned and have a good one.
Rick:Cheers.
Justin:Bye, all. Cheers.
