CISO Series: What We Lack In Security We’ll Make Up in School Spirit

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Dave Stirling, CISO, Zions Bancorporation.

Full transcript

[Voiceover] Ten-second security tip, go!

[Dave Stirling] How do you know your managers are being thoughtful about certifying their users’ access rather than just rubber-stamping the recertification request? So, you can address this by putting a canary in the certification workflow. It’s an item something like, “For quality control purposes, mark this privilege as revoked,” and that’ll help you identify and train those rubber-stampers who routinely click “Recertify All” when they’re certifying their people’s access.

[Voiceover] It’s time to begin the CISO/Security Vendor Relationship Podcast.

[David Spark] Welcome to the CISO/Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO Series and my co-host for this very episode is Andy Ellis. He’s also known as the Operating Partner over at YL Ventures. Andy! Regale us with the sound of your voice.

[Andy Ellis] The sound of my voice is the sound it sometimes has.

[David Spark] Let’s hope it keeps sounding like that. By the way, he was doing a much squeakier version of his [Laughter] voice earlier.

[Andy Ellis] My voice sometimes sounds like this!

[David Spark] No, it never sounds like that, it never sounds like that. We’re available at If you haven’t been there, check it out. Our sponsor for today’s episode, and I am so thrilled that they continue to sponsor us and are phenomenal supporters of CISO Series, it is Varonis! And Varonis has so many wonderful things. We’ve talked about ransomware, dealing with ransomware with them, but we’ll hear what more they have to say in the middle of the show so stay tuned for that. But first – Andy, you were referencing something that our guest said in our opening tease, referenced the classic brown M&M situation. And for those people who don’t know what the brown M&M and Van Halen have to do together, please explain.

[Andy Ellis] Yeah. So, Van Halen had this rider in their contract that said you had to have M&Ms without brown M&Ms. You had to take them all out in the Green Room so that when they came that’s what they could have. And it became this urban legend about, “Oh, my God! Look how entitled they are!”

[David Spark] Yes. By the way, that is the version I heard all through growing up, right.

[Andy Ellis] But the real story is Van Halen was like the first band to play at sort of second tier venues and their attitude was, “Look. If we’re driving across country to go from one major city to another, we’re happy to put on a show every night as we’re driving across country, but we need to make sure that we’re not going to ruin your venue because maybe we’re going to be playing at a high school or something. And if your high school stage can’t handle the weight of our equipment, you’re going to be very upset with us.”

So, their rider included all these requirements for the stage, but then it also just had this one thing that said, “M&Ms without the brown ones in it.” And they would walk in, go look and see if you’d correctly dealt with the M&Ms, and if you had then they could be fairly confident that they could just do a normal tech check. But if there were M&Ms with brown ones in them, or no M&Ms, that told them that you had not read the rider and before they set up their equipment, they should make very sure that they were not about to have a very bad day.

[David Spark] That is the best explanation of that story I think I’ve heard. On the money. That was the case. So, that was their sort of canary in the coal mine, if you will, as our guest has explained. And by the way, let me introduce our guest. So thrilled to have him here. He, by the way, has the same initials as I and the same first name too, by the way.

[Andy Ellis] Very good initials.

[David Spark] But he is a CISO which I am not. He’s the CISO of Zions Bancorporation, Dave Stirling. Dave, thank you so much for joining us.

[Dave Stirling] Very glad to be here, David. Thank you.

Hey, you’re a CISO. What’s your take?


[David Spark] Should the CISO position be seen as an organization in itself? Or as Yael Nagler of Yass Partners calls it, “Office of the CISO.” And she lays out a framework for such an office which includes the three pillars of… Pillar number one being Strategy, Governance, and Oversight; number two being Talking and Partnering; and three being Operations. Now, we’ve discussed all of these on our show, but I really like how Yael calls out some unique CISO problems that calls for the need to develop an Office of the CISO. Issues such as having a difficult executive relationship, the need to quickly on-demand deliver security metric reports, and fear of getting executive approval for a tool you know you need. So, I’ll start with you, Andy. Have you thought of creating a framework around the CISO role and actually doling out responsibilities accordingly?

[Andy Ellis] So, I actually had an Office of the CISO at my last gig when I was at Akamai and basically what Yael lays out is how we approached it. We looked at the Office of the CISO as having those different pillars. One was just help run the team. Like if I said, “Hey, we want to get X done,” and everybody agreed that we wanted to get X done, I don’t want to have to program manage that, somebody in the Office of the CISO to be paying attention to that. When we’re thinking about what metrics we might want to start evangelizing outward and how do we operationalize that. So, sort of all of this work of being a CISO that you can’t delegate into a specific organization, they basically become an extension of the CISO. So, your CISO becomes 12 people or 4 people or however many you’ve got in it, depending on the size of your organization.

So, I think it’s a brilliant plan and I think more CISOs should have an Office of the CISO. You should probably have in it a program manager at least, potentially an architect or researcher so you can have them go research things you need to know about. Like, “Hey! There’s this new vulnerability that just dropped,” you have an architect who can go learn all about it and come back and tell you what you need to know, rather than relying on trying to do that yourself while at the same time as you’re briefing executives.

[David Spark] It speaks to how ludicrously complicated the job is and it really is not a job for one person.

[Andy Ellis] It isn’t. And if you look across almost every C-level executive, they all have something equivalent to that. Maybe they call it “Revenue Operations” or HR has a different title for it, but almost everybody has this idea that there’s a staff function to the C-level executive who helps them do their job.

[David Spark] All right, I’m tossing this one to you, Dave. Dave, the Office of CISO, do you have something like that set up? And if so, what do you do or do you have something similar?

[Dave Stirling] Yeah. The genesis of this with the way that we have our team set up is about thinking about those persistent elements that we should be thinking about all the time rather than reacting to them. A board member has a metric request for a third party something. So, we scramble for a couple hours and we kind of throw something together, it’s like, “Boy, I don’t want to do that again.” Let’s get this on a cadence where we have somebody thinking about this all the time. And you need to periodically correct, to go back in and say, “Are these the priorities for our senior…” We call it our Senior Cybersecurity Leadership Team, we don’t actually use the term Office of CISO. But it’s the same basic function where we delegate it out.

And I think that the challenge in evolution with some of our leadership team was, and what I liked about Yael’s article was it wasn’t actually… Operations was just one element out of many, and it’s very tempting to think operations is 90% of the job of stopping the bad guys. And then these other things we kind of shoehorn in about metrics or reporting or dealing with the really challenging relationships. But you need people thinking about those things full-time, and if you don’t then you’re going to be scrambling on your own and it’ll just be a drain on your resources.

[David Spark] And by the way, just this whole concept alone, it just seems like a great training ground for cyber leadership, yes?

[Dave Stirling] Absolutely.

[Andy Ellis] Yes.

[Dave Stirling] Yep. The one thing that I think Yael glossed over, she touches on it in one paragraph, but it’s culture. I think she talks about recruiting, onboarding, and promotion, so she’s thinking about the operations piece of it. But every InfoSec team is different and you might have compliance and architecture and AppSec and operations. You might have very divergent functions, and one thing you can also use your Office of the CISO for is to help you actually run a coherent team. Make sure that your organization thinks of itself as one organization, not as multiple organizations.

Is this the best solution?


[David Spark] Is the rigid behavior of data loss prevention or DLP an outdated model? Common complaints of DLP are it puts pressure on the endpoints, can dramatically slow down operations as people try to do their job, and it takes a lot of management. On the Gartner blog, Mark Wonham believed Data Access Governance was a better model, “Using tools that work on the same basis as DLP, but instead of quarantining, encrypting, and deleting data, instead provide large amounts of information about the data structure, access, and use, as well as sensitivity and therefore some idea of risk.” So, Dave, I’m throwing to you first. Would security professionals be better off with an information control that explains a level of risk than the active control of DLP?

[Dave Stirling] Yeah, David, thank you for that question. I think that you need both. You can’t kind of forsake the baseline of making sure that really obvious or blatant losses in your system, you make sure those are accounted for. But it has to be accompanied with that governance and that identification of knowing what the data is and involving users in the decision. The CISO can’t be the person who unilaterally decides this rule or this vendor’s best practice out of the box is adequate. So involving other people is essential, and the way you do that is getting information about the data you have and the risk of that data, and governing that and putting in a classification standard that can really drive a lot of behaviors that will improve your overall risk behavior beyond just kind of waiting for that technical control to kick in and block something.

[David Spark] If you’re doing this sort of “dual mode” as you’re kind of describing, are you then loosening the controls on DLP to sort of prevent sort of the restricted behavior, or no? What are you doing at that point?

[Dave Stirling] We’ve had to do that of necessity because many of our business activities involve sending very sensitive data and the rules were just tripping us up and people were always finding ways around them. And so we still have a very solid baseline, kind of “all hazards” type approach. But we are embarking on and have embarked on in certain fields a ability to really have that conversation about what the data is and who’s going to be aware that it’s going out and how we try our users about it. And we still have kind of the safety net, email endpoint, proxy-type controls, but we’ve less of kind of micromanaging those and more about understanding the business processes that drive it and classifying it so we know what data’s involved in a business process that’s helped us to categorize the risk.

[David Spark] All right. Andy, I throw this to you. Do you like Dave’s model of sort of the dual-purpose DLP with some type of sort of essentially this data access governance of the monitoring, knowing the behavior?

[Andy Ellis] I think it’s a step in the right direction. It’s certainly better than the native DLP all on its own. Because I’ll be honest, I think anything is better than that. Outside of some very narrow use cases, I don’t think it’s a highly effective approach. The thing I think most of us need to deal with, and look, Dave’s in his own space because he literally is like a bank and banks have special problems, so do hospitals.

[David Spark] Very, very different.

[Andy Ellis] Very, very different. But for many, many enterprises, you look at how many people just have access to data. Like, it’s just sitting in these databases and it’s being copied all over the place, and you’re like, “Why is the data so widespread that now you try to tack on DLP at the end?” To say, “Oh, look. We let our developers have a database with everybody’s PII in it,” and then we try to do DLP to keep the developer from sharing the PII. Why did the developer have access to PII? Why isn’t that isolated? Why is it being copied everywhere? And I think we need to rethink how we think about data. I like to think of data as fuel. Like, highly toxic in some ways, but you have an engine that really needs it to be able to do business and so you have to protect it. But you don’t just drive a vehicle with fuel poured all over it and many people I think run their enterprises that way. The fuel is all over the vehicle and no wonder you have problems.

[David Spark] Going back to you, Dave, what Andy said at the beginning. Your issues being a bank are way more unique, so you got to do a lot of monitoring and fine-tuning than essentially anyone who’s not a bank or I would say also health organization.

[Dave Stirling] And I think, David, it starts with your crown jewels. I mean, if you’re an aerospace supplier, you’re going to be really careful about that intellectual property. And if you’re a bank, obviously there’s regulations governing the protection of customer data and protecting things from fraud. And so those use cases is where you start. I really liked Andy’s comment that you don’t stop at the end and think it’s going to be a really great preventive control that allows you to do business as usual. You have to think about how you’re using the data. It’s almost like least privilege for access control. What is the least amount of data I need to do this work? And redesign your processes around that and then you can get to a point where the controls can be less onerous and more effective.

[David Spark] Right. How many banks – like when I dial in, I talk to the customer service rep – if the person could look at my Social Security number right there. Why? Until it’s needed for something, they shouldn’t have a wall full of data, they should have the data they need. Now, look, I recognize I just hand-waved and said, “Just redesign all of your processes to do least privilege,” that’s about as much hand-waving as Dave did. But that’s the sort of thing we need to think about, is how do you make sure people have all the data they need but nothing else.

Sponsor – Varonis


[Steve Prentice] The best defense has always been a strong offense, and Matt Radolec, Senior Director of Incidence Response and Cloud Operations at Varonis, says, “This includes adopting a breach mentality which means you know bad things are going to happen.”

[Matt Radolec] Once you accept that assumed breach mentality or it’s not a matter of “if” but “when,” is really thinking about how can you move the detection to earlier in the kill chain. A lot of organizations, when you start to talk about ransomware, focus on the detective controls that they have for what I call “the moment of detonation” or “the moment of exploitation.” As in this is the exact second that the attackers are unleashing the ransomware and files are starting to be encrypted.

And from my standpoint, detecting that, that’s your minimum. You have to be able to identify, detect, and respond, hopefully automatically, or block the moment that the ransomware gets unleashed. When accounts are being targeted, when lateral movement is happening, when they’re going after service accounts, or putting attacks in on Active Directory to be able to establish higher-level privileges, often referred to as privilege escalation and lateral movement. When they’re compromising those initial users and taking control of them and starting to access and exfiltrate information, these are the early warning indicators of today’s modern cybercriminals, and if you can identify and stop that, you won’t have to rely on that last line of defense, that detective control around the detonation and exploitation of ransomware.

[Steve Prentice] For more information, visit

It’s time to play “What’s Worse?!”


[David Spark] All right. It’s now time to play What’s Worse. Dave Stirling, you are familiar with this game, correct?

[Dave Stirling] Yeah, I’ve heard it before.

[David Spark] Excellent. Well, we’ve got a good one. I always make Andy answer first and I always like it when our guest disagrees with the co-host.

[Andy Ellis] I like it when you don’t disagree with me, just to be very clear. Like, only one of us gets to win this game.

[David Spark] All right. This is a good one. We haven’t had one like this at all, I think, before. This comes from Mike Toole of Blumira and here are the two scenarios. You find out, Andy, several months later, that only 10% of the logs you thought were being sent to a SIEM ever actually made it there, okay?

[Andy Ellis] Ninety percent reduction in my attack footprint for Log4j, I like it, okay.

[David Spark] [Laughter] Or you find out several months later that your log forwarders are configured to send in plain text over the internet to your SIEM. So, your logs are being either sent in plain text and you only find out months later, to your SIEM, or you’re only getting about 10% of your logs. So you get them all but they’re all exposed, or you only get a fraction of them. What’s worse?

[Andy Ellis] So, normally, we say, “Well, I can’t change things going forward.”

[David Spark] Right. But that’s the way it is.

[Andy Ellis] But I think this one becomes a, like, “I have this open problem and now I’m going to change it going forward.” I get to fix both of them. Agh! It’s going to depend on what my logs are, I’ll be really honest.

[David Spark] Of course! [Laughter]

[Andy Ellis] Like, what it really is is like there are some logs that I’m like, “Yeah, I’d rather have all of them at the cost of not having them encrypted,” and then there’s other logs that it’s like, “Heck, no.” So, I really…

[David Spark] But the thing is you’re sending a lot of different logs to your SIEM so there are…

[Andy Ellis] Right.

[David Spark] I would assume there’s both going in, correct?

[Andy Ellis] I mean, it depends. I had a SIEM that was saying only stuff that…like it wasn’t the end of the world if it got leaked, depends on which… Say it’s my Uber SIEM. I got my new XDR system in here and it’s getting everything. Ooh. I think I… Agh!

[David Spark] First of all, kudos to Mike Toole of Blimera. I’ve not heard you stumble so long…

[Andy Ellis] Yeah.

[David Spark] …on a What’s Worse scenario.

[Andy Ellis] I’m going to assume that I’m using my SIEM. Easy answer is, “Look. We’re ignoring what’s in the SIEM anyway, so I’d rather have only encrypted data.” That’s the degenerate answer, I’m not going to take it. I’m going to assume I’m actively using my SIEM.

[David Spark] Yes, you are actively…

[Andy Ellis] I will take the risk of unencrypted logs to have full visibility.

[David Spark] Unencrypted logs to have full visibility. All right. Oh, I’m sorry. That’s the better scenario?

[Andy Ellis] So, therefore what’s worse is only having 10%.

[David Spark] The What’s Worse is 10%. All right. Dave, do you agree or disagree?

[Dave Stirling] I have a contrasting perspective which is if you have an obligation, like thinking of regulatory, right? Knowing what goes through my SIEM, do I have to go back and do privacy event analysis on the basis of any customer data that I know has been accessed through like a storage blob that’s been set with global read permissions, right? So, if I’m in that boat, I have to do that quantification exercise and that, actually, might be worse because then I know that I have let my customers down.

[Andy Ellis] Yeah. But since we’re not allowed to fix it, one of the premises was…

[David Spark] You’re not allowed to fix it, yeah.

[Andy Ellis] What’s worse is we’re not allowed to fix the problem and I assert that’s a fix.

[Dave Stirling] So, at an academic level, I agree with you. The visibility is the greater good, but I think for folks realizing what they may have…maybe going out the door and being cognizant of that, that’s something to really be very aware of.

[Andy Ellis] Yeah. No, I’m with you. The practical level is nobody’s actually using their SIEM well enough that the privacy breach is worth it. But given that we’re in the fantasy world anyway, that’s why I flipped the other way.

[David Spark] Sorry, I’m not catching you, Dave. Which one do you think is worse then?

[Dave Stirling] Given the caveat that you can’t correct it, right?

[David Spark] Right.

[Dave Stirling] You’re stuck with the… The visibility is the better play.

[Andy Ellis] So, he agrees with me, the 10% is worse.

[David Spark] You agree with Andy. All right.

[Andy Ellis] I win.

[David Spark] No, I think Mike Toole wins here with one of the best What’s Worse.

[Andy Ellis] Mike Toole does win and, Mike, that one is fantastic so shout out to you for that.

What’s the return on investment?


[David Spark] “The number one mistake organizations make when using an MSSP is thinking that managed security services is outsourcing,” says Jeff Pollard, an analyst at Forrester in an article on CSO Online by Jaikumar Vijayan. The author claims it’s more about augmenting your existing security environment. But the real question asked in the article is how do security teams explain the value of bringing in an MSSP and how does an MSSP show its value. How do companies show the value of MSSPs and what needs to change on both sides to come to a more understandable equation, Andy?

[Andy Ellis] Value confirmation. The biggest challenge with MSSPs is that they’re treated like outsourcers. You basically say, “Look, just deal with this task for me,” and they’re going to go deal with the task and you basically assume it works.

[David Spark] And by the way, let me pause. Why is it wrong? Because I’d like a good explanation. Why do you think it’s wrong to look at MSSPs as outsourcing?

[Andy Ellis] Well, because outsourcing doesn’t work for most security cases, so why would you use an MSSP as an outsourcer? Security is about managing risk in an ongoing fashion. There is no binary like, “I have this taken care of and no longer need to worry about it.” It’s, “I worry less about it because it’s well-managed and every so often I check in.” And if you treat your MSSP like an outsourcer, “Look, I bought this thing and they just handle it,” then you aren’t learning and adapting as you go forward. They’re not learning and adapting. They’re just bringing whatever their processes are, whether they’re appropriate to your environment or not. And so you have this mismatch that’s just going to grow over time. And that’s basically treating your MSSP like an outsourcer. I see it happen a lot.

And then you hear about this story about this multibillion dollar deal that’s going to run 10 years and then 3 years later, they’re trying to unwind it and get out because they’ve discovered that they don’t have good customer support, they don’t understand what they were trying to do in the first place, and it becomes a disaster. Good MSSP relationships don’t look like that at all. The MSSP is part of your organization. Do they report to your Office of the CISO? Are they telling the Office of the CISO, “Hey, here’s what we learned this month,” so that we can adapt to it? If that line of communication isn’t happening, you’re in for a world of hurt.

[David Spark] All right. Dave, what’s your take on this? Sort of trying to present to others the value of the MSSP.

[Dave Stirling] Yeah. It’s a tough one, right, because you’re asking often for a lot of money to stand something up and your goal is to prove a negative, that you don’t get hacked. But we haven’t had any events [Phonetic 00:22:49] or really kind of worthless metrics for the business value because you don’t know what goes into that metric. So, when you look at an MSSP decision, I think there’s a couple of things to look at. Number one is how is life going to be different in six months than it is today versus my internal team or my current provider or whatever. What is going to be different? And what are the specific gaps I have? Some of those gaps might not be solved by bringing in a provider. They may be changing something else in your program that is a better way to address those gaps.

But if you have a clear picture of that, you can actually make that case to your firm, that, “This is the problems I’m going to solve and here’s how much it’s going to cost us to solve it.” And in order to do that, the second piece is what does “good” look like. Like Andy was talking about, this really proactive, “Hey, we found this kind of thing kicking around on your endpoints. We suggest that you do something about it.” Rather than, “Oh, we didn’t even see it.” Right? And so a couple things you could do is really establish those clear metrics, not just the performance metrics of, “We didn’t have a breach,” or whatever you’re looking at there, but what are the metrics of how the tickets they’re working are… The visibility you could show they’re actually doing their work is auditability built into the contract, so you can see that they’re actually engaging. And there should be a dozen touchpoints at your organization or more. There shouldn’t just be, “Here’s the ticket, handoff workflow,” for this type of event that the MSSP is working. It’s all about supply chain and business resilience and change management. All those things have to be touchpoints and that’s beyond you as a CISO. That’s your relationship in the organization so you treat them as part of your organization.

[David Spark] And let me ask both of you. Are most engagements with MSSPs around managing a SOC? Is that predominantly the reason you lean on them?

[Andy Ellis] I’ve seen managing a SOC, I’ve seen managing devices, but not really like in a SOC fashion but almost more like just an IT support function like, “Oh, keep my firewalls up to date. You make sure my WAF gets the latest and greatest rules.” So, you can sometimes split the management from the operations and it’s really just more about the just ongoing make sure it still works and maybe there’s some mild SOC functionality in there. But I’ve definitely seen ones where they’re not really your SOC.

[Dave Stirling] As much as they market to that, right, “We can do everything for you,” I think you need to keep some key people even if you are maybe looking for some help with 24/7 coverage or whatever. I wouldn’t ever envision a world where you say, “This is my primary and main go-to for security operations, it’s completely running through this one firm.”

[David Spark] Yeah. But going back to the earlier comment is it’s an augmentation, which I think both of you support, yes?

[Andy Ellis] It’s an augment, it’s part of your org, you have to manage just like you would manage if it was actually people who worked for you. But yeah. Everybody that I know that has either inherited or been told to outsource the entire SOC to an MSSP, within a few years they’re like, “Oh, my God. How do I bring this back in-house?”

There’s got to be a better way to handle this.


[David Spark] What should a student do if they see that their school has devastatingly horrible security practices? Now, a redditor who appears to be a high school student, although possibly college, detailed out the really bad procedures that their school had, like the use of sequential integers for usernames which are also passwords. Ouch! This made it extraordinarily easy to look up a student’s account information and see the sensitive information such as parent phone numbers, addresses, fees, student grades, etc. There were a lot more issues and he was asking the reddit community for some advice. Many acknowledge the fear that…may be seen as a malicious hacker if it was actually presented, but the most voted-up advice was to document everything with screenshots and get the redditor’s parents involved. Have them set up the meeting with the school. So, I’ll ask the two of you, I don’t know how tech-inclined you were in your high school days, had you seen something this sort of violently wrong and off, how would you have addressed it? Andy?

[Andy Ellis] Well, there’s how I would have and there’s how I should have. Let’s just say that I would have not done something that was very helpful if I go back at the time. And let’s put the benefit of hindsight. We all know the story of The Emperor’s New Clothes. And let’s just be very honest. If it was a story about reality, when the little boy shouts out that the Emperor is naked, the Emperor’s guards will walk over and kill him. Like, this does not end in a good way for the little one who shouts and in many school environments, even just coming in and saying you have a problem will be problematic for the student and the family.

[David Spark] But by the way, just I’ll pause here, is that smart for this student to realize that just announcing it is going to cause problems.

[Andy Ellis] Yes. So, my recommendation would be begin with the documentation. This is a great write-up of, “Hey, let’s figure out what’s going on, make sure we understand all of the issues.” Basically, almost treat yourself like a third party consultant who’s come in to do an audit. That’s great practice. You can learn some cybersecurity skills by documenting this. Now, you go with your parents and you figure out what do you want to do. Do you think you’re going to be able to fix it while you’re in the school? Because if not, maybe you’re better off waiting until you graduate and then dropping this on them when they cease to have any power over you. Like, once your transcripts make it to your college, then it’s like, “Hey! Guess what? Let me tell you all about the problems this school district has.” Maybe you have administrators who are prone to listening to family, parents, student concerns, in which case you can bring it up to them. But I think it really does all depend on that atmosphere within the school.

[David Spark] Dave, what’s your advice to this student?

[Dave Stirling] Yeah. Well, they have a right to be worried. I mean, you look what happened recently with a journalist trying to help and a state government kind of coming after them and saying, “You’re hacking.” Where many of us would consider, myself included, that just being responsible journalism and the way it was handled wasn’t very well. And this isn’t a journalist, this is a student. Right? And so a couple of things I think to consider. Even sometimes parents may not be in a position of power. We have to recognize in our society there’s a lot of variables that come into play and it could go poorly, right? And so a student may be a position if they have some of these skills, maybe they’re in a school where there is an instructor a teacher that has a little bit of influence that they can work with to say, “Hey, here’s what I found. We were learning about arrays and enumeration in class the other day and look what I found,” right? And kind of bring it up that way. And then bringing another kind of trusted adult into the circle may be an option for a student who maybe just doesn’t feel like if they went up with their parents to their principal that it’s going to do any good.

[David Spark] It sounds from both of you there is no kind of “one size fits all” here. You got to kind of know the attitude of the school and are they open to hearing criticism from their own students, I guess.

[Andy Ellis] Yep.

[Dave Stirling] Yeah.



[David Spark] Well, that brings us to the end of this very show. This was great. Thank you so much, Dave Stirling and Andy Ellis. Dave, I’m going to let you have the very last word in the question that we always ask our guests – are you hiring? So, make sure you have an answer to that question. Our sponsor for today’s episode – I also want to thank Varonis who keeps supporting us and we love that. So, thank you again, Varonis, for your phenomenal continued sponsorship of the CISO Series. Andy, any last words? And are you hiring? I’m assuming YL Ventures through the portfolio companies is hiring like crazy.

[Andy Ellis] We are always hiring, so, we aggregate the whole portfolio right there.

[David Spark] All right. And hopefully, by then… In fact, today I actually put up a job position for CISO Series, we’re looking for an associate producer. Hopefully by the time this airs, we will have hired that person. Who knows? We’ll see. Dave, I throw this to you. Any last thoughts on the topic? If you’re hiring, let us know. And if so – please, please promote and how one person of interest could get in contact with you.

[Dave Stirling] Well, thank you, David, it’s been a great opportunity today. These are really important topics we’ve covered and I appreciate the time. At our corporate website,, we have a number of cybersecurity careers always open, particularly right now and even probably into the future for a while, in threat intelligence and identity and access. So, if you have those skills in your portfolio or any other related skills,, click on the Careers link, and we’d love to… We do hire nationally even though we’re based in Utah. We hire across the country so looking forward to anybody who is interested in exploring our opportunities.

[David Spark] That’s excellent. Well, thank you very much, Dave. Thank you very much, Andy. And thank you to our audience. As always, we greatly appreciate your contributions. And you know what I could use? A lot more What’s Worse scenarios. If you could send one maybe of the level of what Mike Toole sent in, that would be awesome. I loved watching Andy struggle. It was pretty awesome.

[Andy Ellis] David wants some more in his toolbox.

[David Spark] Yes, I do. So, thank you very much. Please send those contributions in. Thank you for continuing to contribute and listening to the CISO/Security Vendor Relationship Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”