What can you do when your data keeps passing through different third party applications? Your data is being accessed and manipulated by more people, more applications, and more security policies that may not be aligned with your security policies. It seems once it leaves your environment, it’s out of your control.
This week’s episode is hosted by David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Elliot Lewis (@ElliotDLewis), CEO, Keyavi.
[Voiceover] Best advice for a CISO. Go!
[Elliot Lewis] When you’re going into the board of directors meetings and reporting on the situation to the company, you need to answer three basic questions. First, are we secure, and how do you know. Two, are you going to be secure based on the business plans that have people in this room, and how do you know. And three, do you have enough time, money, and resource to accomplish those goals, and how do you know.
[Voiceover] It’s time to begin the CISO Series podcast.
[David Spark] Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the very CISO Series you’re listening to. And my cohost for this very episode is Andy Ellis. He’s also known as the operating partner over at YL Ventures. They’re a VC firm based in Tel Aviv. Andy, you’re not in Tel Aviv, are you?
[Andy Ellis] No, I’m not. And when you’re listening to this I am probably in Boston for re:Inforce.
[David Spark] I’m also originally a Bostonian myself. We are available at CISOseries.com. That’s where you can find this show and all of our shows on the CISO Series. Even our newest show, Capture the CISO. Our sponsor for today’s very episode is Keyavi, a phenomenal sponsor of the CISO Series, supporting us since day one when they were called something else. [Laughs] We won’t even mention what it used to be called. And they are responsible also for bringing our guest, who’s been here many times before, and we love having him on. But first, Andy, I’ve got something to brag about.
[Andy Ellis] Oh, what do you have to brag about?
[David Spark] Here’s what I’m going to brag about. You see what this is here?
[Andy Ellis] It looks like a shiny, reflective something or other.
[David Spark] No, this is my mini golf score.
[Andy Ellis] Oh, it’s a mini golf score.
[David Spark] Yes, and best mini golf I’ve ever done.
[Andy Ellis] So, the audience knows I couldn’t read his score, so he’s going to say some things about what he did. I have no way to tell you if it’s true or not.
[David Spark] Here’s all you need to know – my best min golf score ever…
[Andy Ellis] Yeah?
[David Spark] I did two rounds, so 36 holes total.
[Andy Ellis] Did you at least get under par?
[David Spark] Got one over par the first time, two under par on the second 18. And here’s the most amazing thing, five holes in one.
[Andy Ellis] Wow. You do know that you’re supposed to start at the beginning of each hole’s green, not just go and drop your ball next to the hole.
[David Spark] Yes, I’m well aware of that, Andy. [Laughs]
[Elliot Lewis] He’s also supposed to be using a club, which is questionable in all this, too.
[David Spark] I did use a club. I am quite amazed with my mini golf scores.
[Elliot Lewis] Did you use New Jersey rules and use the club on the ball or something else?
[David Spark] I did not call a mulligan on any hole whatsoever.
[Andy Ellis] David, I am very, very proud of you. This is a lifetime accomplishment to be under par at mini golf.
[David Spark] I’m very proud of myself, too.
[Elliot Lewis] I’m very proud of him, too. Next time take the kids with you. That’s great.
[David Spark] I did take a child with me.
[David Spark] We actually had a bet, and I beat my son. My 11-year-old son. I’m very proud of that.
[Andy Ellis] Oh, absolutely. Never take it easy on your kids when playing mini golf.
[Elliot Lewis] Never.
[Andy Ellis] Make them earn their victory so they know their victory is actually earned because they will beat you.
[Elliot Lewis] Thus my point about the New Jersey rules and the club. You got to play the right way.
[David Spark] My kids actually do… We don’t hold back at all, and my kids are good sports all the way through. Very good about that.
[Elliot Lewis] Very nice.
[Andy Ellis] And when my daughter finally beat me at mini golf, man, was she celebrating for like three days.
[David Spark] As she should. All right, with that said, the other voice you’ve been hearing here commenting about the New Jersey rules… You spent some time in New Jersey. You’re from there originally, yes?
[Elliot Lewis] I’m born and raised New York, New Jersey. And I went to school in Boston and Northeastern, so I spent many years in Boston as well.
[David Spark] He knows the whole east coast.
[Andy Ellis] Is he from like Weehawken?
[Elliot Lewis] No, thank you very much. I am not. [Laughs]
[Andy Ellis] Wow, I found something that could offend somebody from New Jersey.
[Elliot Lewis] You could have said I was from the Oranges. That would have made it worse.
[David Spark] If you haven’t heard this voice before, this is Elliot Lewis. He’s the CEO of Keyavi. He’s our sponsor guest for this episode. And I just want to say very briefly that Elliot has been an absolutely phenomenal supporter of the CISO Series. Personally literally reading things I wrote to make sure it was technically accurate.
[Andy Ellis] That’s a hard job, Elliot. I appreciate you doing that.
[David Spark] And I greatly appreciate that.
[Elliot Lewis] It was a lot of heavy work, but I’m glad we got to where we are at. It’s very good now.
Could this possibly work?
[David Spark] Can the US government through regulations shift the tide of never ending cyber security failures? This appears to be the theme of an article by Patrick Howell O’Neil in the MIT Technology Review. Some argue that regulations calling for mandatory minimum requirements could cause more harm than good if they’re inflexible and inaccurate. And government has a poor track record of keeping pace with the technology sector, or in this case cyber criminals. One redditor suggested the government red team companies. And if they’re compromised, they’re fined. Could this work, or do companies just need more regulation? If just the companies were the ones suffering we could let the market decide, but innocent bystanders also get hurt in these attacks. Andy, I’m starting with you. Someone needs to protect the individuals. What, if anything, should the government do to step in or not?
[Andy Ellis] I’m just surprised we didn’t start out with, “Someone needs to think of the children.” Because that’s always the way that we justify crazy and outlandish things.
[David Spark] [Laughs]
[Andy Ellis] Is just think of the children. But let’s think about this red team idea.
[David Spark] Again, this was a redditor’s advice, which got a lot of play.
[Andy Ellis] You, the redditor who hopefully is listening here, is asking for the government to execute no knock warrants in the digital infrastructure in violation of fourth amendment principles. That seems to me to be an unreasonable search and seizure, to have the government break into my facility to try to tell me, “Oh, hey, you didn’t have good locks.”
[David Spark] The idea was to disclose the vulnerability. Again, I’m playing the defense of the redditor. Was to have the white hack team disclose the vulnerability and show them the error of their way.
[Andy Ellis] Without my permission it’s a crime. If I broke into your system to disclose it… We have very careful rules around things like coordinated vulnerability disclosure, specifically because breaking into somebody’s system, actual read teaming.
[David Spark] Well, what if it was set up like a normal red team situation, not a clandestine one?
[Andy Ellis] Why would I ever agree to it if I’m a company?
[David Spark] Because if you don’t I’ll fine you anyways, but if you do then you could avoid the fine.
[Andy Ellis] Then you’re telling me that you are compelling me through government force to accept a search.
[David Spark] This is a regulation.
[Andy Ellis] That’s a fourth amendment violation.
[Elliot Lewis] There’s a lot of ways to tear this town. This kind of all boils down to an old axiom – the beatings will continue until morale improves.
[Elliot Lewis] It doesn’t work. It hasn’t worked on Wall Street with regulations in a lot of ways. Now, there’s regulatory reasons for Wall Street. Some of them are excellent. You want to make sure the trading is fair, accurate, controllable, sustainable, so on and so forth. But the problem is that the government is not able to keep up with technology. Technology evolves every six to nine months. Cyber security follows that by about a year. And this is an ever changing capability. So, regulatory compliance is something that has to be passed by congress, passed by committees, passed every four years. You’re never going to be on the forefront of it. You’re always going to be behind. So, enforcing regulations that are already out of date by years by the time you get them ratified is just not even making any sense. And going after people and red teaming them to see if they kept up with old standards doesn’t make any sense either. You’re using a stick where you’re not even trying to use a carrot. So, what you need to do is give people the ability to have the right kind of controls in a subjective way that shows they are doing their best efforts and meeting standards without having the Sword of Damoclesstanding over their head and beating them over something that’s already out of date. Regulations only work if the regulations are up to date first. And we’ve seen that across all of the standards today. You take a look at ISO. You take a look in NIST. You take a look at all the standards that are available today that people are supposed to be following. They’re all out of date by years.
[David Spark] Can the government provide any assistance in this respect? Andy? And again, I’m not looking for a grand solution, a ten percent tip.
[Andy Ellis] So, I think the ten percent tip is a place the government has pivoted to over the last ten years. Ten years ago the government’s attitude was if you get breached, not only are we going to tell you not to deal with it because we want to watch the bad guys to learn more about them, but we’re not going to tell anybody else in the industry either. And so the government does have a great role. They have a bully pulpit to be able to say, “Here are some good things to do.” I actually really like the recent executive order for sort of standing up and saying, “Here’s some specific things around multifactor authentication, around S bombs,” as much as I’m not a big fan of S bombs as a panacea for everything. To at least talk about you should know every piece of software you run. Absolutely. I think that’s a fantastic… Places for the government to sort of lead and to be an initial buyer. Prove out these technologies. Let the government buy them so that the rest of us can then buy them if they actually work.
Look at this. Another company got breached.
[David Spark] Your network was just hit with ransomware. What do you do in your environment? That question was asked on the cyber security subreddit to get some feedback as how others would handle this tabletop simulation. The most popular response came from an incident responder at an MSSP who said, “Ransomware is usually mass deployed after the attackers gain access to end point management of some kind. It is important to investigate how the attackers gained initial access and if they maintain persistent access. I saw people skipping this step and got ransomwared again right after they restored their backup.” Oh, boy, have we heard that story. So, first Andy, and then I’m going to go to you, Elliot. Andy, running a tabletop exercise. You’ve been hit with ransomware. What do you do?
[Andy Ellis] So, I want to actually take the one thing this one redditor said and dig in on it. The incident responder who said, “Oh, you’re just going to get popped against because you didn’t clean up your endpoint system you got breached through.” Let’s just pause for a moment and recognize that the biggest avenue of the breach is the security system in this venue or the IT systems management one. So, maybe the first thing we need to do is stop trusting centralized services like our endpoint management system or our endpoint agents.
[David Spark] Well, he was more saying does the person have persistent access.
[Andy Ellis] Right, but the persistent access through the system that has persistent access to everything. I just want to highlight that because I think this is one of the places that we don’t pay enough attention, which is to our supply chain of IT tools. So, that said, first thing that I want to do is I want to make sure my resume is over on Google Drive and didn’t get popped by the ransomware. Sorry, tongue in cheek humor there. Absolutely first questin though is are we going to actually have to pay for this, or is the business just done.
[David Spark] Kind of like that college that had to go under.
[Andy Ellis] Right. And so the thing to pay attention, too… Because you hear about this a lot – a doctor’s office that goes under, a small college that goes under – is were those businesses on the edge of solvency already and just the dealing with one ransomware incident is enough to knock them out of business. So, if you’re a small business and you get hit with ransomware, it’s much like dealing with any major event. If you barely break even, maybe your first question is, “Do we just close our doors?” And it’s an ugly question to have to really challenge. But I think you need to question whether or not you still have a survivable business on the other side of this.
[David Spark] All right, Elliot, I know you have two answers to this – the answer of everyone listening and then the answer of if people are using your product, Keyavi. Because I know there is a key solution angle with Keyavi if that is installed. So, please feel free to give us both answers.
[Elliot Lewis] Well, let’s start off with the overlying answer here. I don’t want to focus on the Keyavi solution just yet because we got to talk about the real heart of the problem here. The redditor and the incident responder was on the right track but not looking broadly enough. I think that Andy brought in some excellent points here, too. The way you have to look at this is that these attackers came in, and they may not have compromised anything you’re thinking about. They may have gotten access to identity. They may have gotten access through regular means or an authorized ID that they compromised. They may have found a vulnerability in some of your systems. It may not have been the security systems. You may not have had one of your vectors properly shored up, and monitored, and controlled. There are multiple ways. When you look at ransomware, there’s really three phases. The second and third phase is all about them stealing your data as well as encrypting and then offering to sell it at a price. And then the third phase is selling the data anyway whether you pay them not to or not. And that’s where the majority of the money is in ransomware control. Let’s talk about the first phase for a moment because that’s what this incident responder is talking about. When they get into your system, they start going into the systems, looking at your email, looking at your insurance, looking at your data, finding out where your IP is, looking where the value is, how much cyber insurance you can pay, what the ransom can be. They’re doing reconnaissance. Usually for a very long and very succinct amount of time. The last thing they do is start making themselves known by encrypting systems. You can say…
[David Spark] That’s what this redditor said, yeah.
[Elliot Lewis] Yeah, but to focus just on the end point management is myopic in my mind. It can be from multiple vectors. These guys are going in and [Inaudible 00:14:03]systems, operating systems, everything else. And to just focus on one attack vector is probably a mistake because they’ve gone through, and they’ve been there a while, and they’ve been compromising a lot of systems. Now, that being said, when you look at what our solution does… Let’s go to that point, too.
[David Spark] Yeah, please.
[Elliot Lewis] When you have all of these different things you have to monitor, control, and manage to keep ransomware or any kind of attacker out, what is the one common denominator they’re after? The data itself. And what has been the problem in cyber security to date? The fact that data cannot protect itself, and it was vulnerable to attack, stealing, compromise, and relocation. Keyavi enables data itself at the data layer and all data to make itself aware of who, what, when, where, and how it’s being used and be able to protect itself no matter where it goes, no matter who took it, no matter what place it’s taken to because it works in perpetuity. And your security goes wrapped into the data itself. Your data is self-intelligent this way. If you go to the one common denominator and make data protect itself and make it work in perpetuity in real time no matter where it goes, you can completely compromise everything including ransomware. Because when you look at ransomware and they steal your data, the worst thing they can do is try to access it. Because the data is going to say, “I don’t know who you are or how I got here. I’m going to self-delete myself right after sending your physical address to the authorities.” Because the data is that smart. And if we can do that, you just turn the entire threat model on its face.
It’s time to play, “What’s worse?”
[David Spark] All right, this one comes from Nir Rothenberg, who’s the CISO over at Rapid, and he has supplied many a, “What’s worse?” scenarios, and he’s been a guest on the show before, too, as well. Okay, I make Andy answer first, and here’s the scenario – what’s worse, being a CISO of a two-million employee company with a team of five-thousand security specialists or being the CISO of a three-hundred person company which is fast and agile, but you only got a team of five? And I should mention the pay is exactly the same in both scenarios.
[Andy Ellis] I would much prefer to be the CISO of that smaller organization, especially if the pay is the same. So, I’m trying to figure out what I’m missing.
[David Spark] Now, let me qualify it because I was thinking that would be the case, so I’m going to modify this a little bit. I’m going to say the pay is a little bit more. It’s more if you work with the larger company.
[Andy Ellis] Yeah, because I started as that CISO of the smaller company, and then we became the larger company. We never quite made it to two million employees, thank goodness. But actually I think I would… And this is for me because your style might change. If you want to run a really large team, like 5,000 people, a huge company, I suspect you’re probably also doing physical security, or maybe you’re not. Maybe you’re just the IT. But I think you’re focused on a lot of tactical IT problems in that world. And for some people that’s great. There’s a lot of maintenance in that job. That 300-person company, there’s only 5 of us, first of all that’s a great ratio. I’m better than one percent. That’s my normal cutoff for how well am I set up. I’ll take that 5-person team because I think when I had a 5-person team our company was 1,500. Then I had to lay off half of my team because we went down from 1,500 to much, much smaller numbers. Then growing back up, it came back to five. But we were near a thousand people by the time I had five.
[David Spark] All right, so you prefer the much smaller. Even if the pay is more for the larger company?
[Andy Ellis] Yeah, if it’s peanuts to millions I might change my mind here, but if they’re both paying competitively or what that job is…
[David Spark] Well, yeah, so you’re getting more if you’re at the larger company.
[Andy Ellis] And at the right point in my career.
[David Spark] All right, Elliot, what’s worse?
[Elliot Lewis] Well, I can speak from experience here. When I was running stuff on Wall Street, we had a quarter million people including traders and everything else, and bankers, and all that such. I had 300 people. It was the right ratio. It was spread out across the planet. It was well organized. It was designed and done for structure. And as far as paying a little bit more or above market, the question isn’t what’s worse to the security practitioner – what’s worth it is what they have to think about. Do you really want to take on that kind of sprawl? Because is it worth it for you to be working that hard that much with that kind of confusion? It sounds to me with someone putting in 5,000 people you’re throwing heads at a problem when you should be throwing strategy. And it’s just a red flag on anything I’ve ever done in 30 years. You have that many people, you’re not managing it right. You should be able to do it with less with more efficiency and more strategy rather than just throwing heads at something. It’s a major red flag to have that many people.
[David Spark] So, worst is the larger team.
[Elliot Lewis] Absolutely. It’s frankly mismanagement and lack of strategy.
[David Spark] So, what would be the right size team for a two-million person company, and would you ever want to work for that company?
[Andy Ellis] It’s going to depend on the type of company it is. Like if you are a warehousing company, your IT footprint is probably pretty small, and you don’t need to have nearly that number. But how many of those people like security admins doing things like password resets because you’re a hospital system, and the doctors coming in can’t be bothered to be remember their passwords.
[Elliot Lewis] Well, there’s that plus the fact that technology has advanced enough that a lot of that is automation anyway. So, again, if you’re throwing physical heads at it you’re doing it wrong in this day and age. But a two-million person company, what percentage of those people are actually users touching data as opposed to warehouse workers, or drivers, or whatever else it may be? A two-million person company I would say you got to look at the percentage of real data users and then look at the percentage of people access to critical data rather than just visual, and then appropriately right-size your management staff to control things with the right kind of technology. If you have that many people with that many users, again, I think you’re not doing it right.
[David Spark] Just playing devil’s advocate, I would argue if you have a team of 5,000 then you’ve got a lot of sort of senior management under you that is going to handle a lot of the work that you don’t have to deal with.
[Elliot Lewis] I would say in my experience if you have 5,000 people protecting 2 million you’ve got a lot of drama, and you’ve got a lot of feifism going on.
[David Spark] Oh, that’s for sure, too.
[Andy Ellis] Yeah, there’s a very good chance you’ve got to… Look at, here’s the bright side – the reason why you might want to take that job, plenty of opportunity for reinventing the security program.
[Elliot Lewis] Yes, but then you have to look at your opportunity to reinvent with a battleship that’s going that far, that…
[David Spark] That ain’t going to turn agilely. That’s going to take a long time to turn.
[Andy Ellis] Toss an anchor down.
[Elliot Lewis] I have had offers to take on that kind of a role, and I turned it down simply because when I interviewed them it was a feifimized drama shop, and there’s no way to protect companies that don’t want to be protected if they’re just not willing to get their head wrapped around it.
[David Spark] Quoting my friend, Patrick Flaherty, he said, “You know what the most efficient company is? The one that has one employee.”
[Elliot Lewis] You know the best way to protect systems? Unplug them. How far do you want to go, right?
[Andy Ellis] Sledgehammer argument. I can protect your data by taking the sledgehammer to it.
Please. Enough. No. more.
[David Spark] Today’s topic is protecting data in the supply chain. This was a really hot topic for everyone, but I’m thinking in particular the CISOs that we’ve had from MGM and Fox who were generating mass media content and need to protect all forms of data through the entire life cycle of production. The content must go through many hands such as contractors. They thought of very creative ways to deal with this concern like delivering lower quality versions and only distributing portions of content. Andy, I’m going to start with you. What have you heard enough about with protecting data in the supply chain, and what would you like to hear a lot more?
[Andy Ellis] So, I’d like to hear more about how do you do it well at high performance. I’m reminded of like for the academy awards, the selectors are shipped little Sony disk players with the DVD glued in so you can’t open it. So, it basically because single use. Your headphones are glued in, the whole thing. I don’t know if they still do that. That’s what they did years ago. They had approached us when I was at Ocomide [Phonetic 00:22:23]to come up with a better way to do this over the internet, and I’m like, “If you are so worried that the person you’re delivering the movie to is your threat model, there’s nothing I can do over the internet.” Because they can just record their screen as it is playing, and there’s nothing you can do at that point. So, I’d like to hear more about when you really need to push that content out. How do you do it in a way that minimizes your risks rather than tries to eliminate them entirely?
[Elliot Lewis] This use case you just described, this is directly in line to the discussions we’re having with content providers and media providers at Keyavi. Because when you look at all these pieces, what does it come down to? You’ve got to figure out all these ways to give… You take a standard Disney or Marvel movie and how much money they put into fake contracts or face plots, or even have to mask what the plot reading is because someone is going to play a part for the thing and try to interview for the part. And the amount of money they have to spend on just creating the protections around anything before the media is even created.
[David Spark] So, you’re saying they’re generating a bunch of bogus information and storylines to throw off people who are stealing their stuff.
[Elliot Lewis] Absolutely. There’s an entire cottage industry around this. And so when you look at this, what does it really come down to. And Andy hit it on part, but I’m going to expand upon what he just said. In the supply chain… And this goes for any kind of business beyond media, your intellectual property that is valuable to you, it all comes down to the data level. Once it’s gone, you can’t control it. And I would say that’s not true anymore because Keyavi actually controls it. You have complete control and visibility and perpetual control of your data. You can see who’s accessing it or trying to. You can make sure it only works where you want to, how you want to. That’s the point of making data self-intelligent. It changes the entire paradigm here for the supply chain.
Oh, geez. Not again.
[David Spark] On Twitter I asked, “What’s the biggest security flaw you’ve ever seen in every environment you’ve ever worked?” Now some of the answers that were posted included people. That’s a security flaw I’ve seen everywhere. Backups in the same domain and putting off tomorrow what should be fixed today. So, Andy, I’m going to ask… And I mean everywhere. What’s the same flaw you’ve seen everywhere?
[Andy Ellis] Oh, excessive permissions for administrators. People are not the problem. Anybody who answered people, please come find me so that I can beat…I mean so that I can tell you…
[Elliot Lewis] Jersey rules. See? I told you.
[Andy Ellis] No, it’s really just we trust the administrators. I don’t mean as humans. I mean we trust their systems to be able to do everything, and it’s this persistent problem. Until you stop having root access to all of your endpoints from somewhere, you are not getting rid of ransomware. It’s that clean. It’s that simple.
[David Spark] All right, Elliot, the same problem you’ve seen absolutely everywhere.
[Elliot Lewis] I think one of the most common things I’ve seen everywhere where I’ve done consulting, where I’ve been the executive, where I’ve been the architect, everything else is that when the business and the CISOs make too many security exemptions and take it too lightly as to what they’re trying to accomplish with the business and not taking the risk seriously. When you make bad choices and you create your own holes and you create your own environment issues, it doesn’t matter how good you train your problem. It doesn’t matter how well you’ve made your policies and control systems succinct. When you do a security exemption that is not properly thought out and threat modeled, you’re making your own problem, and it will get used by the hackers.
[David Spark] So, the idea of, “I don’t want to deal with this now. Let’s just make a security exception.” That is the person is going to put it off tomorrow what he should be fixing today.
[Andy Ellis] I actually sort of agree, but I think it’s a different problem. The problem is not the exemption. The problem is it’s a policy that didn’t work.
[Elliot Lewis] Yes, well said.
[Andy Ellis] You wrote a policy because someone told you, “You need to have a policy that is shaped like this.” And so you wrote it. You published it, and now you have to do nothing but exemptions. If you want a new policy, slowly push people towards it until you have a majority is over the line. Then write the policy and stop giving exceptions.
[Elliot Lewis] It’s kind of like when you’re working…in the technology when you’re working on the patent. It’s not enough to claim something. You have to make something that’s actually executable, that’s actually creatable in real life. And when you do a policy, as Andy is saying, that’s just never going to be able to fully be accomplished, monitored, controlled, and executed, now you’ve laid a goal that you can never meet which leads to exemptions, which leads to holes that are never going to get fixed. It starts there. You have to understand your environment. You have to understand how to protect it and not make light of the issues that you know are there.
[David Spark] All right, I want to get one quick answer from both of you on this. You see something like this happening. You see excessive exemptions happening. What do you do to start slowing this process down? I’ll start with Andy first.
[Andy Ellis] I think first you go look at why do you have these exemptions, what is wrong with your policy and how it is mismatched to the business. Then you need to figure out what needs to flex. If it’s going to be the business needs to flex then you have to have all the business leaders on board with why they need to do that. But more likely it’s retract your policy, try again, making incremental changes to drive the business forward.
[David Spark] Would you add to that? Yes?
[Elliot Lewis] I would because I think there’s even an even more fundamental problem you have to look at first. The culture that created this environment, and are they willing to change and willing to accept they were doing this in an incorrect way or not a properly done way. If the culture is going to sit there and fight you and say, “We just do it this way, and you’re just going to have to live with it in this kind of constraint and do a loose security posture,” you’re probably not going to be very affective no matter what you do. It starts with culture.
[David Spark] Yeah. Well, that’s a sign to get the heck out of there.
[Elliot Lewis] That’s a sign not to even start.
[Andy Ellis] Just to be clear, the culture problem might be on the security team side.
[Elliot Lewis] Absolutely.
[Andy Ellis] It might be this is not an appropriate policy for this organization, not that the organization is lackadaisical.
[Elliot Lewis] Absolutely.
[Andy Ellis] And you need to understand which one.
[Elliot Lewis] It’s not only the business. It could be the security team. It could be the IT team. It could be the customers. You have no idea where the policy starts, but you got to get your culture down first.
[David Spark] I love it when you find the problem everywhere. That’s always [Inaudible 00:28:56]
[Andy Ellis] Yep.
[Elliot Lewis] Yeah.
[David Spark] All right, with that said, we’ve come to the end of our show. Thank you very much. Elliot was here in studio with us. I don’t know if I mentioned that in the beginning, but he was in the studio with us for this entire recording. So, that was a thrill.
[Andy Ellis] He was in the studio with you, not with me. Just to be very clear. Unless that was the royal us.
[Elliot Lewis] [Laughs]
[David Spark] Andy was in studio with himself. Elliot, I’ll let you have the very last word here of which you can make a plug for Keyavi, of which we’ve heard lots about, which is awesome. But also let us know if you’re hiring, which I do already know you are hiring.
[Elliot Lewis] Yes, we are hiring.
[David Spark] Andy, any last words? I know you’ve got a book coming out next year.
[Andy Ellis] I do.
[David Spark] Which I know you’re always up for plugging.
[Andy Ellis] And by the time this comes out there will be only eight and a half months left until publication date. But as of the time we’re doing this, I have four chapters left to edit and get it to my publisher. I personally have about two weeks to do that, and I’m spending one week of that in Jamaica. So, I have one week to be done, and I’m really excited about it. I think the book has come together fantastically, and you will all love it.
[David Spark] Here’s my favorite part about editing is when you go back to edit you think to yourself, “I really wrote that?” That’s my favorite moment of editing. [Laughs]
[Andy Ellis] Yeah, I had one chapter that I went back to, and I read it, and I’m like I vaguely know what I was trying to say, and I missed the mark by a mile. And I don’t usually have that problem. Usually I’ll read something, and I’m like, “Yeah, this isn’t well written.” This was just awful, and everything around it was good. This one chapter just jumped out at me, so I had to rewrite it like three times until I realized that I actually didn’t understand what I was trying to say.
[David Spark] But nothing is correct the first draft ever. Nothing is.
[Andy Ellis] I had some good first drafts.
[Elliot Lewis] When I was writing books back in my career, my editor told me the secret to being a good editor with a great author. The first thing you need to do is get that author through all of the pain of writing the book. The second thing they have to do is make that author forget about all the pain of writing a book so they’ll write another one.
[Andy Ellis] No, I’ve enjoyed this process. Writing the book has been a blast for me. It’s been very cathartic because I don’t belabor points. A lot of management and leadership books are just one idea repeated for 400 pages. My goal here was to have one idea that took one to two pages to cover, and that was it. And then 55 of those strung together, so the book isn’t going to be super long. Management books rarely are. But it’s not the same point over and over again. This is 55 practical lessons that you can use in leading yourself, your team, and your organization.
[David Spark] I’m sure this is not the last time we’re going to hear a plug for that book. All right…
[Andy Ellis] No.
[David Spark] Elliot, any last words about Keyavi? By the way, audience, it’s spelled Keyavi. And if you were to add a .com on it, and you typed into a Webber address, guess what? You’d land on his website.
[Andy Ellis] Webber?
[Andy Ellis] I was like, “Does Webber now make a browser?”
[Andy Ellis] Like I can grill and web browse at the same time?
[David Spark] I meant to say web URL, but I just sort of… It kind of blurred all together.
[Elliot Lewis] You went to a grill.
[David Spark] Yeah, something like that. I went to a grill, exactly.
[Andy Ellis] We’re going to grill you over this one now.
[David Spark] If you put that on your grill, grill it for six minutes on each side, it’ll taste delicious. Elliot, you are hiring, correct?
[Elliot Lewis] We are absolutely hiring.
[David Spark] Are your jobs listed on your site?
[Elliot Lewis] They are listed on our site. They’re also listed on LinkedIn. If you go onto LinkedIn, you will see all the areas and positions we’re hiring for at Keyavi.
[David Spark] All right. And if someone wants to see Keyavi in action, what should they do?
[Elliot Lewis] Just go to our website, fill in the form. Let us know what you’re interested in, and we’ll be happy to set something up. My team can provide a full demonstration and get you running in the labs. You get to experience self-protecting, self-intelligent data.
[David Spark] Thank you very much, Elliot Lewis, who is the CEO of Keyavi. Thank you very much, Andy Ellis, who is the operating partner over at YL Ventures. And thank you to the audience. I would mention all your titles and companies if I knew you all. I know many of you, but I can’t say that right now. And it would make this long podcast even longer. Thank you, everybody, for your participation and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, Our Virtual Meetup, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series podcast.