Why does it seem that the only time we hear about a company’s concern about security and privacy is after they’re compromised. It is only at that moment they feel compelled to let us know that they’re taking this situation very seriously because as we’ve ll heard before “security and privacy are very important to us.”
[Voiceover] Best advice I ever got in security. Go!
[Andrea Bergamini] Enjoy the journey, both for myself and the teams. Security is like a marathon of sprints. It’s never really done. I think it’s important to celebrate successes along the way and bond with your teams. You’ll definitely need that when a bad day comes.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my co-host for this very episode, you’ve heard him before, and whether you like it or not, you’re going to hear him again. It’s Andy Ellis, he’s operating partner for YL Ventures.
Andy, say hello to the audience.
[Andy Ellis] Hello to the audience.
[David Spark] I said whether they like it or not. Do you think there’s times they go, “Ah. We got Andy this time”?
[Andy Ellis] I hope that they don’t start that way but I suspect there are days, especially when the “What’s Worse?” comes around, that somebody’s like, “Oh, God. Andy’s going to pick this one to pieces again, isn’t he?”
[David Spark] Mm-hmm, yeah. Well, we’ll see what happens on today’s “What’s Worse?”
[Andy Ellis] Yeah.
[David Spark] It’s coming up again. We’re available at CISOseries.com. If you have not been to our website, drop everything. If you’re driving, pull over to the side of the road and go to CISOseries.com and check out all our other programming. Now, once you’re done with that, turn the ignition back on and continue driving.
Our sponsor for today’s episode is Varonis, and I don’t know if you’re aware of this but Varonis was named a leader in the Forrester Wave Data Security Platforms for Q1 of 2023. They’ve been a phenomenal sponsor of the CISO Series and we’re going to hear more from Varonis a little bit later in the show.
But first, Andy, we have been on a string of doing live shows. We got a lot more live shows coming up and the day this episode is going to drop is going to be a week after we did a recording in Denver at RMISC which is the Rocky Mountain…
[Andy Ellis] Wait. You’re going to be at RMISC too?
[David Spark] You’re going to be at RMISC?
[Andy Ellis] I’m going to be at RMISC. Can I be your guest host there?
[David Spark] I didn’t realize that. [Laughter] I literally just booked it. Seriously? I had no idea you were going to be there.
[Andy Ellis] Seriously, yeah, I’m speaking at RMISC.
[David Spark] Well, my apologies.
[Andy Ellis] I spoke at RMISC I guess by the time that this is on.
[David Spark] Seriously, had we spoken about this two days ago, I literally booked it yesterday.
[Andy Ellis] Okay.
[David Spark] Well, my apologies. Don’t be upset with me.
[Andy Ellis] I’ll be in the audience heckling instead.
[David Spark] Well, I appreciate you being there. Now I know that you’re going to be at RMISC, we just discovered this now, but I believe today, the episode that this is dropping, a mutual friend of ours, Mr. Jake Kouns, is doing a show in Virginia. What is that?
[Andy Ellis] It is RVAsec and I will actually be keynoting tomorrow morning, the conference is two days. So, I think you’ll be able to find me today. Hopefully, I’m doing a book signing tonight and I’ll probably be doing one after my keynote tomorrow morning, but I’ll be talking about leadership and how you can improve your security outcomes through better leadership.
[David Spark] Good to know. I swear, I really would have liked to know because it was very, very to book…difficult to book.
[Andy Ellis] Yeah, sounds like it. That’s really funny. Well, I can be your backup in case whoever you’ve got…
[David Spark] If something happens, yes. I appreciate that. All right. Let’s bring on our guest. Very excited to have our guest on today. He is the CISO of Orbia, it is Andrea Bergamini. Andrea, thank you so much for joining us today.
[Andrea Bergamini] Thanks for having me here.
Look at this. Another company got breached.
[David Spark] “Every executive really needs to be a student of crisis,” said Julia Houston of Equifax in an article on McKinsey & Co. Now, Equifax had a massive breach in 2017 exposing lots of personal data, and it’s important to be telling your company’s story before you have a breach, said Houston.
My feeling is it comes off better than after the breach when every single victim feels required to say, “Security and privacy are very important to us,” and barely anyone ever believes them. So, other great advice from Houston around managing a crisis, “When a crisis occurs, decide who’s in charge and then empower that person to make decisions.
It’s almost impossible to try to make a decision by committee. You simply don’t have time.” “Culture is the thing that separates good security from great security.” I like that line. And also, she talked about don’t expect everyone to fall in line automatically with every single change. Change management with people is something you have to do.
So, Andy, I’ll start with you. These are lessons most learn after a massive breach, as did Equifax. So, how do you get things going before you have a massive breach? And essentially the advice that Julia put here. Oh, he’s holding up his book! 1% Leadership!
[Andy Ellis] I’m literally holding up my book because I have chapters.
[David Spark] And he’s about to read from it because he can’t think of anything off the top of his own head. [Laughter]
[Andy Ellis] I have two chapters on this. They’re actually pretty relevant. One is literally if you spend all your time fixing current crises, you aren’t averting future crises. And one of the things that people often get into is not only the like, “We just fix and move on.” You fix what just happened, and you don’t really do this retrospective all of the root causes.
You’re not going to fix all of them, but you should understand them and you should recognize that one of the harms of a crisis is the actual crisis. Like, not whatever happened underneath it, but you just had a crisis, it now hurts you with your customers, with the public, with your investors, with your employees, and you have to think about how you’re going to sort of interact with that.
So, to get started, I’m a big fan on this one of actually doing tabletops. And not the tabletops specific to how do we manage the crisis itself, but just how do you do crisis management and crisis communications. And here’s the lesson I like to give everybody, which is you put a timer on every communication.
When you say, “We need to notify the world that we just had a data breach,” you say, “Great. We’re sending out that message in three hours,” not “We’re sending it out when it’s perfect.”
[David Spark] Right. And I love this, that you have this advice you’ve given before, I’m going to echo it again. That write it up even before the decision’s made.
[Andy Ellis] Right. You write it up and then you start editing it. And I believe – and I have another chapter which is you need to keep your hand on the wheel to stay in your lane – a lot of people write communications and then they send it out into the world of their company. So, it goes to legal for their review and edit, then it goes to marketing, then it goes to product management.
And by the time it gets out to your customers, it says nothing. Whoever writes the initial communication needs to shepherd it through the whole process. They’re the only one allowed to edit it. If legal has concerns, legal tells you what they are and you edit it to make sure it’s still good communication.
[David Spark] Editing by committee I think almost never works. In any situation.
[Andy Ellis] Right. One person who edits with input from everybody. And after a time you’ll develop a rapport and there are some people whose edits you’ll just take because you know they make good suggestions because you’re teaching them at the same time they’re teaching you. The lawyers are right to say, “Look.
You can’t say those words. Those expose us to liability.” But if they’re editing without you around, they’re just removing content rather than tailoring it.
[David Spark] By the way, I’ll give you two perfect examples of exactly this, and then Andrea, I want your take, and this doesn’t have to do around crisis communication. I would produce these man-on-the-street videos for a lot of big companies. One very, very large company everyone knows here sent my video out to get committee answers, and I got a long list of edits.
Had I actually agreed to those edits that were in that video that came back, the two-and-a-half-minute video would have been a 30-second video and it would have been literally nothing. To which I always say whenever I go and a client that goes, I get one or two people give me edit notes. Absolutely no more.
Nothing more than that. Just one or two.
And then similarly when I used to write for Second City out of Chicago, I had a situation where I worked for a very big phone company and wrote a very funny script for them and yet every division in the company was paying for this so they all felt they’ve got to edit it. And I had all these jokes in and what they did is they had to put in all this descriptor stuff between the setup and the punch line of all the jokes.
[Andy Ellis] Oh, my God.
[David Spark] It was a disaster. And the guy I was working with at Second City, he had the best line of it, he goes, “Yeah, it’s called a humorectomy.” Took it all out. All right. Nothing to do with… Okay, let’s get back on track though. This is going a little long and I have not yet even heard from Andrea.
Andrea, how do you get people on track of preparing for a breach without ever having a breach? Because people when they have a breach do get on track for the next one.
[Andrea Bergamini] Absolutely. On one side I think right now it’s so much in the news cycle that in terms of awareness, people get it, right? So, when I talk to leadership now, they don’t need to be understanding the why anymore. They absolutely understand. I’m with Andy on the fact that tabletops, actually we do cyber ranges that are kind of a fancy version of a tabletop.
I’m actually flying to Boston next week to do a cyber range with Orbia. And I agree. It helps with establishing roles and responsibility, lines of chain of command, decision making, some of the points that we heard in the article.
And I think also it does one more thing in my opinion is that it makes the executive think about what it is that we don’t have ready yet. I’ll give an example. Doing a cyber range, somebody can say, “Well, let’s trigger our continuity plan for that facility,” or “Let’s issue the statement to the press.” These are things that may come up in an exercise.
And then I’m like, after the debrief, we go through that and it’s like, “Well, you don’t have any of those. The continuity plan you talked about? It’s not there. The statement you want to have provided? It’s not written.” So, many of the things that you really rely upon during a crisis, you realize through the exercise that you really, really don’t have them and it triggers a flurry of work to actually do preparation.
It’s almost like the crisis command helps you be ready, but the boat is still going down unless you do something before.
Walk a mile in this CISO’s shoes.
[David Spark] We did an episode of Defense in Depth with Mark Bruns who’s the CISO of FirstBank who posted a question on LinkedIn as to what you would do when building a greenfield security program. Now, rarely do security professionals get a chance to build a greenfield security program, but from the 160+ comments it’s pretty clear they wish they did.
So, I want to revisit this discussion because everyone’s list of first five actions were very different. Some began putting controls in place right away, others felt they needed to talk to the business first, and others felt they needed to get an understanding of their environment with asset management, and there was plenty more.
So, all are important, I’m not negating anything here, but my question is how important are those first steps in a greenfield security program, Andrea? Can you make a wrong move with any of these? Will it cost you in terms of time, money, and security if you don’t choose one path over another?
[Andrea Bergamini] I’m a first-time CISO, by the way, and I’m doing a greenfield. Well, it was two years ago, so hopefully it’s not a greenfield now.
[David Spark] So, you went through this experience yourself?
[Andrea Bergamini] Absolutely. That’s the one I’m going through right now. So, I do tend to agree the first steps are important. But I’m not referring to technical steps per se, you know, choosing one technical control over another, but the way you approach, the way you understand the company, and the way you set the stage.
The one thing I’d like to say is that we have two ears and one mouth and that’s for a reason, right? We should listen way more than we speak, especially in the early stages. So, in my case, I can say, right, I spend time, get to know the company, get to know how the company makes money, what do they care about, and then spend time with my stakeholders to do co-creation.
Imagine, I probably already knew 80% of what needed to be done, but the step of co-creation and getting the stakeholder alignment early on, it’s not something I would take for granted and it helps along the way later on and you only get to do it once, the beginning.
[David Spark] Excellent point. Andy, I throw this to you. First of all, have you ever had a greenfield situation?
[Andy Ellis] Absolutely. When I was at Akamai, that was literally a greenfield situation.
[David Spark] That’s what I kind of assumed.
[Andy Ellis] Yeah, 21 years. I actually think it’s really fascinating because often when you’re in a greenfield situation, you were brought in to solve a specific problem, not to build a security program. And I think a lot of people assume that this is going to be glorious, that they show up and they already have all the business buy-in and they want a big security program and you get to build it from scratch.
And the reality is, like someone said, “Oh, my God. We need to have a security program because.” Okay, what was the “because” because that’s the first thing you’re doing, whether it was on your list or not, and you’re going to build outward from that. That’s the technical there but as Andrea said, the first thing you have to do is understand your business.
And hopefully sometime around now I’ve got an eBook that’s going to drop called How to CISO the First 91 Days. Which is literally like you show up and you’re now in charge of a program. Maybe it existed, maybe it didn’t. And the first things you do have nothing to do with implementing a control, like MFA is not in the list.
Of course, that’s the first thing anybody’s going to do from a technical implementation, but the first thing you have to do is understand your business because there’s a good chance that you have risk areas that you’ve never encountered before in your career that you have to learn about.
Maybe you just moved into retail and you’ve never worked retail before and so you now have to think about fraud in a way that you didn’t, and you need to learn the language of the business and what matters. What are the unacceptable losses to your company? Because everything has to be tied back to that.
Whatever you do from security needs to be tied back to the risks that the rest of the business already understands. Before you start telling them, “Oh, we’re going to go implement EDR on the desktop,” and they’re probably sitting here going, “Like, 90% of our employees don’t have desktops. Why is that your first priority when we’re trying to deal with fraud and shoplifting?” You’re like, “Oh, let me think about inventory management, ” because that’s actually a bigger issue.
How do we make sure stuff gets shipped to the right place? So, my first five steps are learn the business, learn the attacks common to your business, learn the hazards that you have, and then you can start thinking about what you need to change and implement. And that’s where you can then take the list that everybody’s suggested in that LinkedIn post and apply it and say, “Okay.
Where is MFA going on my rollout structure?”
[Andrea Bergamini] I just wanted to comment that 100%, right? On that’s exactly, to be honest, what I did in the first four to five months on the job here. The only thing I would add to this is that in parallel to that I also did what I like to call no-regret moves. So, there are some things that they are too much on fire not to look at right away.
So, there are situations, again, fully alignment with that, but there are things where you just look at that and you’re like… Well, they had a number, just to give an idea, there can be a number of different projects or plans going on or things that are lost or you just needed to tidy up the house a bit and help put out those fires.
So there are some no-regret moves where you say, “Well, let’s just do it regardless of whether the direction has been set or not.”
[Andy Ellis] And your peers probably told you what most of those were because your first conversations… I always love asking very simple questions like, “What is the thing you’re most worried about? What security control does it flabbergast you that we haven’t implemented? And what security control is implemented that you hate?” Like, the answers to those three questions basically give you all of the quick amazing wins that everybody’s like, “Yes! This person understands our business.” Because you literally solved the things that were giving pain and stress right now.
[Andrea Bergamini] Yes. In some cases it’s almost like you need to think more about what can you do for them first before what they can do for you. Especially when you’re new, that is something that you need to think about rather than just sucking in energy. You want to provide solutions sooner than later.
Sponsor – Varonis
[David Spark] Before I go on any further, I do want to talk about our sponsor Varonis. As I mentioned at the beginning, Varonis was named a leader in the Forrester Wave Data Security Platforms for Q1 of 2023. So, so many security incidents are caused by attackers finding and exploiting excessive permissions.
Oh, boy, have we talked about that on this show. So, all it takes is one exposed folder, bucket, or API to cause a data breach crisis. Now, the average organization has tens of millions of unique permissions and sharing links. As you might imagine, tracking that ain’t easy. Even if you could visualize your cloud data exposure, it would take an army of admins to right-size privileges with how quickly data is created and shared.
Well, it would be like painting the Golden Gate Bridge or any large sculpture you don’t want to paint.
So Varonis reduces data exposure while you sleep with the industry’s first fully autonomous data remediation. Varonis continually and intelligently removes unnecessary permissions, sharing links, and fixes misconfigurations without any human intervention. Ah, that sounds nice. Now, because Varonis monitors who uses data, their free IR team, that’s their incident response team, will watch for alerts and call you if they see abnormal behavior like insider threats or compromised service accounts.
Now, to see how Varonis can reduce risk while removing work from your plate – sounds nice – head on over to their site varonis.com/cisoseries and start your free trial today. They also have a great way that they will scan your environment to see what your situation’s like, purely SaaS-based, so take them up on that as well.
It’s time to play “What’s Worse?”
[David Spark] Andrea, are you familiar with how this game is played?
[Andrea Bergamini] Yes, I am. I need to disagree with somebody, I think.
[David Spark] You do. You’re going to need to disagree with Andy.
[Andy Ellis] Your goal is to agree with me.
[David Spark] No. Your goal is to disagree with him. But this one might be easy for a disagreement because I think you could go any way on this one, I think. Now, with my other co-host Mike Johnson, he talks about the brilliant jerk, his least favorite thing. We’ve always tried to figure out a “What’s Worse?” scenario where he will choose something other than the brilliant jerk because he always consistently answers the brilliant jerk.
But I am going to give you something where there’s no way you can win on this one, Andy. And it comes from Mathew Biby who is the CISO over at Satcom Direct, and he asks you what’s worse. You have one brilliant jerk. That brilliant jerk is on the board, that brilliant jerk is the CFO, that brilliant jerk is the head of HR, that brilliant jerk is legal counsel, or the brilliant jerk is the CIO.
Which one is the worst brilliant jerk?
[Andy Ellis] Ooh, that’s fascinating. So, I’ve got the CIO, the head of HR, the CFO, the board member, and there’s a fifth one.
[David Spark] And legal counsel.
[Andy Ellis] Legal counsel.
[David Spark] Which one is the most miserable experience with a brilliant jerk?
[Andy Ellis] Wow. This one is actually really hard because I’ve been very blessed. I haven’t had that many brilliant jerks at that senior level, but I’ve had a few of them. Actually, I think I’m going to go with the board.
[David Spark] That’s the worse one to have?
[Andy Ellis] I think that’s the worst one to have.
[David Spark] But you have the least amount of communication with that person.
[Andy Ellis] So, the challenge is the board is mostly not awfully disruptive until they’re painfully disruptive, and that’s where brilliant jerk can cause problems. Because normally the board’s job is corporate governance – making sure the corporation is well-run and ensuring that the CEO has a succession plan.
That’s it. That’s their two jobs. We keep tacking stuff on but at the core, that’s it. The CEO’s often trying to manage the board and show them a beautiful picture of the company, he says, “Hey. We are well-managed, keep your mouths shut, show up for your quarterly meeting, we’ll fly you out to wherever it is, and take your options and run.” When you get a brilliant jerk on the board, they’re not going to accept that and so they’re going to become disruptive.
They’re going to want to learn information that the CEO does not want to expose to all the other board members, but they’re going to demand it. Like, they’re going to say, “Hey, tell me every security problem you have.” Boards don’t need to know.
[David Spark] You just brought everything to a screeching halt.
[Andy Ellis] Right. Worse, the CEO expects you the CISO to manage that brilliant jerk. Like, your job is to manage them and get them to be quiet, which you’re never going to succeed at. And at the end of the day, I know more CISOs who have lost their job because of the tension between the CISO, the CEO, and someone on the board.
That’s your career ender right there is the brilliant jerk on the board. The brilliant jerk everywhere else, like, you can work around them, you can accommodate them, build insulative barriers to the rest of your organization so they don’t have to work with the brilliant jerk. The board member’s the one person you can’t avoid, even though you start with the least exposure to them.
[David Spark] Really, really good explanation, all right. Andrea, are you going to agree or disagree with Andy here?
[Andrea Bergamini] See, the thing is I had an answer in mind that was in perfect disagreement with Andy but by the time he was done, he almost convinced me.
[David Spark] Ah, well…
[Andrea Bergamini] But I’ll stick to my choices, I’ll…
[David Spark] Okay.
[Andrea Bergamini] Although I have to say, Andy, you made a brilliant case.
[Andy Ellis] Thank you.
[Andrea Bergamini] Brilliant, no pun intended. I was actually going for legal in my case, and the reason I thought of that is because in some companies, especially greenfields, once again, where the CISO did not exist, right? There was no CISO before me. The situation is that other functions like legal have a very strong standing in that organization.
They’re respected, they’re well-known, they have a very clear mandate. And as a result, you can’t put a lot of barriers and trips and falls, especially in many joint programs when it comes to data security and privacy or many other related matters that come to mind. So, I just felt very practically that as the new kid on the block, I guess, in my company, if that was a brilliant jerk it could really jeopardize the launch and continuation and sustainability of the program.
So for me, that’s what came to mind. But I have to say again, you made an excellent case, Andy.
[Andy Ellis] My second worst was going to be general counsel, so I think we’re in some relative agreement here. Partly because there’s an entitlement that can come with that role.
[David Spark] Andy, no. You can’t claim agreement…
[Andy Ellis] I’m not changing it.
[David Spark] …because he chose something and that was your second choice.
[Andy Ellis] Well, you gave us choices and we agree on the top two.
[David Spark] All right, I’ll give you that.
[Andrea Bergamini] Yeah, does that work?
[David Spark] That’s good but usually there’s only two options. I gave you multiple options on this one too. So, the same top two on most of these would be everything.
[Andy Ellis] Yes. If top two out of two would not qualify.
[David Spark] No, it would not.
If you’re not paranoid yet, here’s your chance.
[David Spark] Do we fully understand the security implications of ChatGPT? Rachael Greaves of Castlepoint Systems posted on LinkedIn that data extraction attacks are possible where an attacker can get the system to recall sensitive information it has been given. So, on Dark Reading, Rob Lemos reports that more than 4% of users have tried to give it sensitive information.
Now, here are a [Laughter] couple examples. An executive cut and pasted the firm’s 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor inputted the patient’s name and their medical condition and asked ChatGPT to craft a letter to the patient’s insurance company.
Ouch! But the fact that they can poll this is unbelievable. So, is it important for security professionals to understand how people and attackers are using this tool, or is this just another exterior threat that needs to be managed through the security defenses we already have in place? Andy, what if anything would need to change with our security programs with this, like, tool that people seem to be using, knowingly and unknowingly?
[Andy Ellis] So, I use ChatGPT, I love it. And every time I go to use it, I stage whatever I’m going to cut and paste into ChatGPT into a separate document and I go through and I redact it multiple times, and I suspect most people aren’t doing that.
[David Spark] No. Hence the case of the doctor.
[Andy Ellis] That’s the case. But how many people have been told what to do? Like, they just think of ChatGPT as, “Oh, it’s this system I’ve got that does this thing,” and they’re not conscious of the fact. And ChatGPT just straight up tells you. OpenAI is like, “We might look at your questions and answers to improve the service.” Like why is it that people aren’t already out ahead of this?
Because just to be very clear, if your company isn’t using a large language model today, they will be, so your security program needs to provide advice and guidance and tooling. Maybe you need an API to ChatGPT that’s connected into a DLP system, much as I hate many DLP systems, like, “Here. Write down your question and we will scan it for you and be like, ‘Huh.
You mentioned a person’s name in here. That needs to be reviewed before it can be sent out.’” Like, we need new defenses because they don’t really exist.
[David Spark] But ChatGPT has some like I can’t say, “Give me your opinion on Andy Ellis.” It actually has that kind of protection. I think ChatGPT maybe needs some work.
[Andy Ellis] Oh, no. You can go ask ChatGPT for its opinion on me.
[David Spark] When I first used it, it wouldn’t. It specifically said, “We will not give opinions on individuals.”
[Andy Ellis] Okay. Maybe it’s you have to phrase it differently.
[David Spark] It’s possible. It’ll give me a, “Can you give me a bio of Andy Ellis?” It would do something like that.
[Andy Ellis] Yeah, you say tell me about a person.
[David Spark] Like I will say, “Give me an opinion about him.” By the way, people can email me and say, “Give me your opinion of Andy Ellis,” and I’ll do that. You don’t have to ask ChatGPT.
[Andy Ellis] Ooh. Actually, everybody should do that and I want to hear what David says about me.
[David Spark] Andrea, what’s your feeling? Is ChatGPT something where we need to build something else into our security program or do our existing defenses operate sufficiently?
[Andrea Bergamini] I don’t think it’s a new risk per se, right? It’s just another vector for it. I was just thinking back when I was reflecting on the question that we have people today that use WhatsApp right now, or for example, there are people copy/pasting documents in Google Translate to get a translation.
And again, it’s just sensitive documents going to Google. So it’s not new. So, I think in some way…
[David Spark] Do we know of cases… Actually, I didn’t even think about that. Do we know cases of hackers extracting data from Google Translate?
[Andrea Bergamini] I’m not sure that I’ve heard one but, I mean, it’s still not a good idea to copy/paste your corporate data into. I mean, unless you’re customers of Google, I guess. I wouldn’t recommend it still. All of this to say that there are controls already in place today that can help with this.
By the way, as we are talking, I think Andy’s basically asking ChatGPT an opinion about himself. I don’t think that’s allowed.
[Andy Ellis] Now I’m asking about David Spark and seeing what it says.
[David Spark] Is it just giving a bio?
[Andy Ellis] It did a bio and then it said, “Some may appreciate his journalism and thought leadership in the tech industry while others may have different opinions.”
[David Spark] [Laughter] Some may have different! Yes. You could say that. This is like going to see a tarot card reader.
[Andy Ellis] Oh, absolutely.
[Andrea Bergamini] One thing I wanted to offer is that however there’s an opportunity now with AI to… We’ve been through this with the IoT world, right? Where they were being built very insecurely, right? They were being thrown out there for anything and then they were easily exploitable. I think now regulation is coming to help, I think it’s called the Cyber Resiliency Act, for example.
I’m just thinking that… I think rather recently that there is an open letter on this. I think it was done by Elon Musk and a few others, where they’re pushing for a pause and to do this responsibly basically. I think there is an opportunity now to do this differently potentially and put more responsibility also on the service provider to do something rather than just relying on the companies to put controls in place and blocks, right?
Again, I use the analogy with IoT because that’s not what happened, right? In IoT, they were just pushing stuff out and then we were dealing with the most vulnerable devices out there. Maybe for AI we can do something different.
[David Spark] One of the things I’ll say about ChatGPT that I’m impressed by is it hasn’t been abused to the speed and level that other ones. Like, think about Microsoft Tay, that bot that Microsoft put on Twitter that they immediately got saying racist and anti-Semitic things as quickly as possible.
ChatGPT did put some controls when it put it out.
[Andy Ellis] Well, they did. They made it so that it can’t learn from context and carry that context forward, so you get very limited interaction space with the language model and it’s not really learning in the way that Tay was, right? They put Tay out, and Tay was a learning model which meant they distributed the teaching.
Now that said, you can get ChatGPT to say crazy and outlandish things and make stuff up if you carefully word what you’re saying, but you can’t quite push it to the direction that Tay went.
Should you hire this person?
[David Spark] On Twitter, Matt Johansen of Reddit – you following me there? Matt Johansen works for Reddit but he posted something on Twitter.
[Andy Ellis] Works for Reddit but was actually using Twitter even though… I don’t know what he’s up to there.
[David Spark] So, Matt asked this question, “What is your favorite question to ask someone when interviewing them for a job in infosec?” And here are a few of them. What do you want to work on, and more importantly what from your resume/experience do you not want to do anymore? Another one is do you have a home lab and if so tell me about it.
Another one is what is infosec to you? And as simple as it sounds, it’ll tell you a whole lot about what they’ve experienced so far. And two more questions is describe a conflictual situation that you found yourself in, how did you handle it, and what did you specifically do to solve it? By the way, we get variations of that one a lot.
And lastly, you have all the money and resources in the world, how do you fix security? And then ask the flip side of that. You got no money; how do you fix security? So, I will start with you, Andy, on this one. Do you have a favorite of these? And I’m sure you’ve got some great questions that you have asked over the years in all the people you’ve interviewed.
What is the one that you find is the most revealing?
[Andy Ellis] Yep. So, I have one I like. I’m actually going to give my least favorite of these, which is the question about the home lab. Don’t ask that question anymore because that one has a lot of interesting bias around it. Like you’re assuming the person has enough wealth to have a home lab, so be careful with a question like that.
The question I like to answer which is sort of related, is I say – it’s a two-parter – what is a technology you have experienced in your life that is just revolutionary and amazing and you love? And it can be anything – a microwave, it could be a security tool, you could talk about an amazing security tool, it can be whatever you want.
But then the second part of the question is now, think adversarially about that technology. How can it be abused and what are problems that it has? Because if I’m hiring you, especially for an architecture role, I need to know that you can think adversarially. So, first I’m going to tell you to give me something that you know a lot about because you love it, you interact with it.
Now tell me what’s wrong with it because there’s something wrong with every technology, and that gives me a lot of insight into how their brain works.
[David Spark] Very good, I like that. Andrea, your favorite and why.
[Andrea Bergamini] I do ask a very different type of question. I do like to interview, by the way, everybody who joins the team, no matter what their level is. I think it’s important to get a good feel for anybody joining. I give it more like as a scenario. So, the way I phrase it is that I basically tell them, “You joined our team,” assume you joined, “Welcome.
Congratulations. You’re here now. It’s been three months; it’s been six months since you joined us and now you think, ‘Man, what a mistake I made joining this company and this team.’” And then I ask the candidate, “Okay, what happened? Why do you feel that way?” So, the reason I ask it like this is that I want to get a feeling for…
And just so you know, I get all kinds of answers. Some people answer technically, some people tell me, “Well, there’s something wrong with you as a manager,” there’s something wrong with the team, something wrong with the company, something wrong with my pay, something wrong with the location, my computer, something.
So, it gives a varied spectrum of answers. But it gives you a good feeling of what they value and what makes them frustrated in a job. And since I know the company, I know where we’re at, and I know the reality of what they would have to deal with, it gives me a good sense of whether or not they’ll succeed, they’ll do well, they’ll feel well.
Because again, it’s very difficult to get talent, we definitely want to try to retain it, and that’s my question to try to gauge how likely it is that that person will stay with us.
[David Spark] Interesting that you picked your least favorite, and I agree to a level that you do make a good point. Is there a common question that you think that others are asking that they should just completely take off their plate?
[Andy Ellis] So, I think there’s a lot of them and it’s really about changing the “why” than necessarily changing the question. Like, people like to ask the conflictual situation, like “Tell me about a problem you experienced in your career.” And I actually love when people ask me that question because I get to take that question wherever I want to.
And what most people are really looking for is they’re looking for like, “How did you solve the problem?” What I think gets missed is that what you’re really asking for is similar to what Andrea just talked about, which is how does this person perceive the workplace that they’re in.
Because I actually did ask this question once many, many years ago, and I still remember the candidate who basically talked about how everything was somebody else’s fault. And basically, they lost the interview, not just on this question, but then they kept going like every challenge was in the light of, “I couldn’t succeed because of somebody.” And then so all the successes were theirs and all of the failures were the other executives in their company.
And it really revealed something to me, which was this person’s going to approach everything with a victim complex, and they’re never going to be on a self-improvement journey. And I think we miss asking that question. Like, “What did you learn?” is more important than, “What did you do to solve it?” Like how are you a different person because of what happened there.
Not just what happened there.
[David Spark] Andy, you got one last one for us?
[Andy Ellis] Yep. So, I hate Fermi problems. For those of you who aren’t aware of Fermi problems, it’s when you ask somebody a question that they can’t possibly know the answer to, like how many piano tuners are there in New York City, and they’re supposed to reason and say, “Well, there’s so many people and I guess there might be so many pianos per person and so many tuners per piano,” and they do the math and they come up with an estimate.
Right? And you’re specifically asking somebody to string a bunch of estimates together and hopefully the ways in which they’re wrong round out. They’re known as Fermi problems. And stop asking those questions because you’re asking if somebody knows a specific technique but you’re pretending that there’s some deeper meaning here.
[David Spark] Yeah. This is like what’s your favorite animal or what car would you drive, I hate these, they’re idiotic.
[Andy Ellis] Or where you’re trying to get one specific thing. And my favorite answer, a story about this, was Megan McArdle who’s written for a lot of places – journalist at the Atlantic, elsewhere. She got asked the question once how many gas stations are there in Lower Manhattan, and they expected her to solve it as a Fermi problem.
Her father was a limo driver in Manhattan, so she grew up driving around Manhattan, especially going to all the gas stations. She knew where they all were so she counted them and gave the answer and was told that was the wrong approach. Because people are often seeking a specific approach rather than saying freeform, “I want to see if you can solve problems.” So, be really careful about puzzles.
[David Spark] Yeah. These out-of-the-box-type questions, I think they’re trying to, the person who’s interviewing is trying to show how hip and on top of it [Inaudible 00:37:12] sort of wild questions.
[Andy Ellis] Right. But you’re really trying to show off and that’s not what you want to do. Your coolness comes at the expense of the coolness of your candidate which is not the goal of an interview.
[David Spark] Yeah. Your goal of the interview is to see if the person’s going to fit in with your culture and do the job.
[Andy Ellis] Right.
[Andrea Bergamini] Yeah. I think those kind of questions, yeah, it was Management Consulting 101, I think, I don’t know, if it was in the ’90s and it kept getting through, right?
[Andy Ellis] Yes. Kept going.
[David Spark] Yeah.
[Andrea Bergamini] Yeah.
[David Spark] All right. Well, that brings us to the end of this very episode. I’m not going to ask you any Fermi questions at all, and I had never heard that term Fermi. So now I know the category of them because I have never really liked them, to tell the honest truth. Andrea, thank you so much for joining us.
I’m going to let you have the very last word here. I first though want to mention our sponsor Varonis. Remember, they were named leader in the Forrester Wave Data Security Platforms, Q1 of 2023. You should check them out at varonis.com/cisoseries to start a free trial, but you could also just go to their site and scan your environment and see what your environment looks like.
And it’s quite easy to do. Take them up on this because knowing is better than not knowing. Andrea, are you hiring over at Orbia as you are building out your greenfield program?
[Andrea Bergamini] Yeah, absolutely. We have plenty of roles out there, so if you are interested, absolutely reach out.
[David Spark] All right. So, I’m assuming there’s a job board there or they can reach you directly via LinkedIn, yes?
[Andrea Bergamini] Yeah, absolutely. The job board, actually, I think tacked to my profile on LinkedIn, and you can see the ones that are open right now.
[David Spark] So, if you want to be jumping on year two of a greenfield security program, talk to Andrea as well. Any last words for today’s discussion?
[Andrea Bergamini] No, thanks very much for having me here. It’s been a lot of fun, first time for me.
[David Spark] All right. Andy, I’m going to apologize again for not realizing you were at RMISC because it would have made life a hell of a lot easier.
[Andy Ellis] It would have.
[David Spark] I’m thrilled, by the way, with the guest that I did get. Thank you very much. I’m thrilled to have you on stage with me and I will see you in Colorado a week before this episode drops. Thank you very much to our audience as well. We greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet-up, and Cybersecurity Headlines Week in Review. This show thrives on your input.