https://cisoseries.com/why-cisos-avoid-the-dreaded-request-a-demo-button/
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Jim Routh (@jmrouth1), former CISO for MassMutual and CVS/Aetna.
Full transcription
[Voiceover] Biggest mistake I ever made in security. Go!
[Jim Routh] The biggest mistake in security was actually following and meeting stakeholder expectations. Specifically the board and the senior leadership team. The natural thing for a CISO to do is be a subject matter expert and say, “These are the top risks. We have to manage the top risks. We have to do these things.” That causes the board or the senior leaders to default to what I’m presenting. What I should be doing is facilitating. Facilitators have to demonstrate neutrality to get to consensus. Consensus has resiliency all over it. If you don’t have consensus, your decisions fragment. Biggest mistake I ever made as a CISO, and nobody ever told me about this, David. Andy wasn’t around to tell me this.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. Yes, it’s our new name. Get used to it people. You’ve had it for about a good month by now. I’m David Spark. I’m the producer of the CISO Series. Joining me, my cohost is Andy Ellis, who’s the operating partner over at YL Ventures. Andy, what does your voice sound like?
[Andy Ellis] Today it sounds a little cloudy with no hints of snow.
[David Spark] That’s good. Oh, I know you got dumped on over there.
[Andy Ellis] We did, and they’re talking maybe we get it again on Friday.
[David Spark] Oh, that’s a lot of no fun. I am, by the way, in San Diego. No snow. Very much enjoying that. We’re available at CISOseries.com. We have other programs on our channel if you want to check them out. Go look there. Our sponsor for today’s episode is Buchanan Technologies. Reinventing the way managed services are provided and delivered. And they have a slew of solutions, so if you need some help you’ll be interested in what they have to say later in the show. But, Andy, all this week… We record our shows a good month to two months ahead of this, and we’re desperately trying to get our production sort of ahead of ourselves. As a result, we made a big, old oops. We recorded something talking about, “Well, next week is RSA.” And I forgot to go back and re-record that. Because we actually did that on another episode, and that episode went out. And we’re fearing that people actually went to RSA only to find out there was no RSA there.
[Andy Ellis] God, I could imagine going to San Francisco right now for a conference that doesn’t happen, and you’re in both San Francisco where you can’t go anywhere without like 85 pieces of paperwork and 12 masks, and there’s nothing else for you to do.
[David Spark] Well, the advantage of going to San Francisco now not during RSA is I’m sure the hotel rooms are not nearly as expensive.
[Andy Ellis] That’s a really good point.
[David Spark] Yes. [Laughs]
[Andy Ellis] But I’d prefer Miami right about now. Oh, wait. I was in Miami last week. It was fantastic.
[David Spark] San Diego ain’t so bad either. All right, let’s bring our guest in. You heard his voice at the very beginning of the show, and I finally got a chance to meet him in person. Both of us saw him when we did our live show in Rhode Island, which was a phenomenal show. Loved that. He is the former CISO over at MassMutual and CVS/Aetna, Jim Routh. Jim, thank you so much for joining us.
[Jim Routh] Hey, David. Great to be here.
Here’s a brand new vendor marketing tactic.
3:27.812
[David Spark] So, I truly hate it when vendors post a “request a demo” button on their site and don’t actually offer a demo. So, my attitude is if you’re capable of actually conducting a demo, just record it, post it, and let interested buyers watch. Now, I just discovered a brand new annoyance, and that is gating an actual demo video. So, viewers must provide their name and email address in order to watch a video that is selling their company. Now I know why both of these happen. It’s because marketing and sales say, “We need metrics and need to follow up with who’s watching.” But they are figuratively shooting themselves in the foot when they do this. I have talked to so many CISOs about this, and there are so many interested potential buyers who are bailing when they see this. I posted this on LinkedIn to a flurry of responses. Andy, I’ll start with you. Wouldn’t vendors be a lot more successful if they just posted a demo video and let people watch on their own?
[Andy Ellis] Well, I think it’s a yes and a no. So, it’s a caveat. So, I went, and I have the benefit of working with a lot of startups, and so I went and talked to some marketers, one of the ones I work with very heavily. And just got a look into what they’re doing. And for this one, what they do is they have a short demo, completely ungated. Anybody can go look at it. Then there’s a lightly gated longer demo. It’s like ten minutes, shows you the whole product. And that one you have to put in a name and an email address. There’s some light sanity checking to make sure that the email address looks somewhat legitimate. But that’s it. It’s not like they’re verifying that’s really you. You want to put in mickey@disney.com, great. We’ll follow up with the mouse later. Then if you want a one on one demo, have somebody walk you through the tool, look into your specific things… So, that’s the right way to do it, I think, is to have this sort of three-tiered model that lets people easily just check and say, “Hey, is this interesting?” Yes, you do want to collect that data partly because you’re trying to build nurturing campaigns. You’re trying to move people from the top of your marketing funnel to the middle of your marketing funnel, and so you want to know who’s been interested and maybe who’s seen a demo.
[David Spark] All right. By the way, we do have some gating for our video chats. We gate them. But actually we do have some opt ins for some of that stuff. Jim, what do you think about this in gating a demo video? And by the way, let me go back, Andy… Well, I’ll come back to you, Andy, on this. But I’ll ask you, Jim – have you ever bailed on a video because it was asking you for your information?
[Jim Routh] Yes, several times. And interesting now, I use my personal email for things. I don’t use my company email. And a lot of them have filters that if you don’t put in your company email you can’t get whatever white paper or everything that’s being requested. I have another bit of a gripe, which is if I ask for two white papers, I’m the same person. I don’t need to do the verification or put my email address in twice. That kind of makes no sense. But I think there’s some mislabeling going on here because that button that you said if you’re interested in the white paper, that should say, “Click this for automatic spam.” That would be more accurate, don’t you think? Because that’s essentially the output that you’re getting by doing that. But far be it for me to design web pages. What I can tell you is this – there aren’t many positive things that came out of COVID. There are a few.
There are a few silver linings that came – the whole work from home thing. Here’s one of the silver linings from a professional perspective. Many of the vendors put more resources into higher quality video content to host in virtual summits. And then a lot of the platforms have this automatic chat feature that basically said, “Hi, I’m the salesperson that’s normally chasing you around the trade room floor. But now I’m just online. Let me know if I can help you or do anything.” In the meantime, you can take a look at the high quality content, get a much better understanding of what the product capabilities are. And if you’re looking for the best product for your needs in a category where you’re looking at six or seven different vendors, you can do this in maybe 30 minutes. Really much more affective. You walk on a trade show floor and you get accosted by aggressive salespeople, and you really don’t have that same efficiency. So, I think Andy’s point is spot on. I think the video quality and content really can be a game changing experience, and that’s what the website is supposed to do to differentiate the product. And so I think there’s an opportunity there. And I prefer viewing online versus trudging around a tradeshow floor where it’s hit or miss that I actually…
[David Spark] And also it’s the uncomfortable thing of, “I’ve seen enough. I want to walk away now.” [Laughs] I know that feeling. Andy, so, A, have you had that feeling on a tradeshow floor of like, “Oh, I’ve seen enough. I don’t want to see anymore.” How do you walk away?
[Andy Ellis] So, I’ve just learned to be very up front and honest about it. My belief is that all vendors really want is honesty. And so if you say, “Look, I’m just not interested. I’m walking away,” most of them…not all but most of them will be like, “Okay, fine. You’ve told me a very clear no.” The problem is when you try to say, “Well, maybe later.” Now it’s like, “Oh, I’ve got a hook in you,” when your maybe later really meant no, and they want it to be yes.
[David Spark] Let me tell you something about that. So, you’ve seen me on the tradeshow floor with my camera and shooting my little man on the street videos and stuff. I’m just stopping random people and saying, “Hey, man. Hey, can I ask you a quick question? A random question.” And either I get a yes or a no, and that’s fine. But often many times people will say to me, “Oh, I’ll come around later.” And here’s what I tell to everybody who says that to me. I go, “I’ve shot 200 of these man on the street videos. I’ve interviewed literally thousands of people, and I’ve heard that line before. You know how many people come around later? Zero. You can…” And I say to them, “Guess what? You can actually say no to me. I can take it.” [Laughs]
[Andy Ellis] Yeah, I think my favorite vendor experience…totally unrelated…was at RSA. A vendor was giving out little Lego mini figs. I’m not going to name who they were because I don’t actually totally remember. And I walked up, and they wanted to scan badges. I hate people scanning my badge. I said, “Tell you what – I’ll stand here for five minutes. Give me your product pitch in exchange for the little Lego.” He said, “No, I have to have your badge.” And I’m like, “Okay, fine.” And I walked away.
[David Spark] Wow, what a mistake.
[Andy Ellis] Talk about… Because you were measuring impressions, you lost the opportunity to do a top of funnel brand awareness.
Pay attention. It’s security awareness training time.
10:06.326
[David Spark] On the r/cybersecurity subreddit, a Redditor asked for suggestions to increase cyber security awareness for a large organization. Redditor wants to improve culture and make it more interesting. There was some basic advice but then some really creative ideas that make people discover security issues on their own like using a haveibeenpwned password strength tester or showing how a small gift like a cup of coffee can be used to siphon a lot of personal information and dropping USB sticks. Have either of you…? And I’ll start with you, Jim. Done any cyber security awareness efforts where people get to sort of experience what a compromise is like firsthand and thereby realize the security issue on their own rather than being told, “This is a security issue. You do this yourself.” Jim?
[Jim Routh] The answer is yes, I’ve done all of those things because I’ve spent 20 years promoting different security awareness campaigns. Here’s major message number one – I don’t believe in cyber security awareness training any longer. Why is that? I actually think the New York Times does a pretty damn good job. And if that doesn’t, and you want video content, go to 60 Minutes. Look, we all know cyber security. We interact with digital assets all day long. We understand that there’s something called cyber security. What we need awareness of isn’t that there is cyber security. What we need awareness of is the specific techniques to manage risk for the task that we’re doing at that point in time. That’s what all digital consumers need. That’s what employees need. So, we have to branch… It’s no longer security awareness. It’s security education just in time. And just in time means embedded in specific functions that we’re asking people to do and say, “Hey, you got some choices here. Do this option or this option. This option is less risky. This option is more risky. Go have at it. Good luck.”
[David Spark] Good point. Andy, what sort of either training or like just in time education where people get to essentially discover and learn it on their own?
[Andy Ellis] So, I think you have to be really careful because some of the ways this question was phrased sounded like they get to discover and learn it was you did it to them.
[David Spark] Yes.
[Andy Ellis] And that, I think, is really dangerous.
[David Spark] Yes, okay.
[Andy Ellis] You should never instantiate a compromise under a ploy and then say, “Aw, training moment.” What you should do is find the training moments. My favorite one… This is what I used to do back at Akamai was… I hate this thing that almost companies have, which is when you get phished or socially engineered, sent mail to the security team who is going to completely ignore it for five days. Maybe they’ll send out an alert, and they’ll send you some form letter that says, “Oh, if you need more training, here’s where to go.” Instead what we did was we created a mailing list called social engineering alert. It had a slightly different acronym. Don’t try to send email to that. Which we automatically put on everybody who had a publicly listed phone number. Every executive assistant, and we made it optional for almost everybody else. So, it’s like everybody in customer care, all the EAs, all the office managers, they’re all on the list. And we said if you ever get attacked, like somebody calls you and asks for a phone number, and you say yes or no… We don’t care if you give out. We don’t want you to. But if you give it out, you’re not going to get in trouble if you send mail here.
And if the person claimed to be somebody else, CC that person, too, just in case. And what’s fantastic was it let them experience this moment of learning and see it happening to their peers. So, their peers would be like, “Oh, I just got this phone call. It claimed to be from the CEO asking for so and so’s cell phone number. I said no.” And they would CC the CEO. And the CEO would invariably respond with, “Yeah, that wasn’t me. Good job.” Right? And every once in a while, somebody had failed and given out an email address or phone number, and everybody said, “Yeah. Hey, it’s okay. It happens. We’ll learn from the mistake.” My favorite was the day somebody sent one, and it absolutely looked like a phish. And the person who it was pretending to be follows up and says, “Oh, no, that was me. I was trying to get a phone number because I had lost everything.” And I followed up with that… It was a sales rep, and I said, “Just so you know, you can’t call a random person and ask for help. At that point, call somebody you know.”
[David Spark] So, Jim, did you in any of the sort of previous CISO roles you had…you had a sort of like if you see something report it policy?
[Jim Routh] We did. I used to have a website just for reporting security incidents that anybody can go to any time and report a security incident across a 100,000 employee base. And we actually learned a lot from getting that response. It was a little bit old school in terms of being delayed, but we did learn a lot.
Sponsor – Buchanan Technologies
[Steve Prentice] Buchanan Technologies is a managed service provider that provides a managed security services division specifically focused on cyber security. But RJ Friedman, who is Buchanan’s chief information security officer as well as the lead for the managed security services division says today’s customers need more than that. They also need managed operations.
[RJ Friedman] Unlike many MSSPs, we handle a lot more than just a 24/7 SOC. So, of course we have that, and we have managed detection response. We have extended detection and response. But in addition, we also do managed operations. We help companies with everything from working with their email security tools to their security awareness training tools, doing data loss prevention, implementations, and ongoing support. And of course virtual CISO work.
[Steve Prentice] Things are becoming so complicated that a holistic approach has become essential.
[RJ Friedman] A lot of the clients that we work with ranging in size from small to the Fortune 500 needed help with more than just 24/7 monitoring. We’re finding that a lot of organizations out there need help with everything from strategy, to managing their tools and the tickets that come in around people not being able to access through multifactor authentication for example, to the nitty gritty of making sure that people are doing their security awareness training. We’re there through all aspects and are taking that holistic approach to security because all of our customers need to take a holistic approach to security as well.
[Steve Prentice] For more information, visit Buchanan.com.
It’s time to play, “What’s worse?”
16:26.851
[David Spark] Jim, I know you know how this is played because you said us do this live. Andy has played this many times. I always make Andy answer first. You can either agree or disagree with him. This is a doozy. By the way, I’m going to caveat. Every time I say this is a doozy, Andy or Mike, who’s the other cohost, will say, “Oh, this one is easy. I can handle this.” So, I’m interested to know how you handle this because I struggled with this myself. So, again, it’s what’s worse. They both stink. We’re going to agree that they both stink. The question is which is more damaging. This comes from Jonathan Waldrop from Insight Global. So, you’re a brand new CISO. And during your very first week of onboarding, you, Andy, fall victim to a well crafted phish resulting in ransomware at the company. That’s number one. So, you are the dupe. You fall for it. Option two – you’ve been a CISO for several years at this organization, and actually you’ve been bragging on your incident free security team strategy. Then your organization falls victim to a successful ransomware event, but it wasn’t specifically you who fell for it. Which one is worse?
[Andy Ellis] Oh, I’m going to totally go with the second one because I was an idiot. The first one is look, I showed up. First week I fell for a well crafted phish. You know what that well crafted phish was? It was email from finance that said, “Click here to set up your payroll so that you can get paid.” Let’s just be very clear because oh, it’s a third party vendor. I had to do this in the last year with multiple companies. So, yeah. No, for me, I’m going to go back to this one is a straight up like yep. And now I get to say, “Hey, let’s fix the problems in our environment that a brand new employee who had not had any special permissions given to them was able to be the vector for taking out the whole company.” Because if it was just my machine that got ransomware, that’s not a big deal. I assume it’s like the whole company, which means we have a serious architectural defect, and I have just demonstrated exactly how bad it is. And either I or the next guy gets to fix it.
[David Spark] So, you’re spinning it wasn’t you who made the mistake, but it was the architecture of this company, and that’s why they needed me.
[Andy Ellis] And I’m on record saying that everywhere.
[David Spark] Because it’s so good it can even get the CISO.
[Andy Ellis] No, don’t blame the user. No, it’s not so good it can even get the CISO. Email is an awful infrastructure, and I think I say that all the time. So, this isn’t me adjusting to get out of jail. No, no. The worse one is me, the idiot, saying, “Oh, I’m so great. I’ve never had an incident.” No, we have incidents all the dang time.
[David Spark] All right, Jim. It looks like you’re agreeing. You’re nodding your head all throughout.
[Jim Routh] I have to agree with Andy on this. There’s no question about it. Because the first one there’s actually a recovery method. The recovery method is you say, “Security incidents are a wonderful opportunity to learn and learn what behaviors to adjust in the future.” I’ve certainly learned from this experience. And even though I’m new at the company, now I get a chance to put better practices in place so we all learn from this security incident. There’s an easy way…
[Crosstalk 00:19:32]
[David Spark] Let me just say – the two of you have spun a beautiful glass half full.
[Andy Ellis] And if anybody else ever gets breached, like they’re the trigger for it coming in, I can say to them with good faith, “Look, you won’t get fired if you just fess up.” And by the way, I want to just leave a note for our producer that says I would like an extract of Jim saying, “I have to agree with Andy on this one.”
[Jim Routh] [Laughter]
[Crosstalk 00:19:54]
[Jim Routh] Oh, man. He’s going to sell that back to me for big dollars. I’ll tell you that. David, one thing you said, this should be well understood – every CISO cringed when you described a CISO standing up and saying, “We never have any cyber security vulnerabilities.” Everybody cringed.
[David Spark] I know. I know. I know. I know. I know. I know. I know. That’s the pompous jackass version of a CISO. I know that. Yeah, I know that’s not something that you would do. But again, this was the scenario that was put up.
[Jim Routh] It was a good one.
[David Spark] All right. Thank you, Jonathan Waldrop.
[Jim Routh] Or a bad one.
[David Spark] Well, a good bad one.
[Andy Ellis] It was definitely entertaining. Enjoyed talking about it. I think it brought out some interesting things or motivators for CISOs.
If you haven’t made this mistake, you’re not in security.
20:35.039
[David Spark] The process of investing, developing, and selling security products is horribly broken said both Haroon Meer and Adrian Sanabria of Thinkst Canary in a presentation from 2019. They had a lot of concerns, but I’ll boil down the three big ones. One is products are made unnecessarily complex. Two, it’s difficult if not impossible to tell if a product is any good. And three, vendors create misleading marketing. So, I’m going to start with you, Jim, on this. What pains you the most about the vendor ecosystem? And I’m including the vendors. I’m including the buyers, and I’m also including the investors as well. All three.
[Jim Routh] First of all, I think the results here are spot on. So, I think we have a lot of problems with the ecosystem. I think the root cause for a number of these challenges but not exclusively…but a number of them are the investor appetite that is interested in dominating a market. This is particularly challenging for early stage companies. Early stage companies need nurturing and an opportunity to work with design partners to learn what expectations are being met, what expectations aren’t being met. The latter is probably more important. And how to adjust their product to fit into a need in the marketplace. That’s a hugely important time. Investors typically looking at a new capability say, “Is this a feature, or is this a platform?” And if it’s a platform, is it a platform in an existing market that’s defined by the analyst, or is it a small niche that may emerge to be a market in the future.
They want to hit big, and they encourage essentially their companies to hit big and go big. And that drives a lot of misleading marketing pitches that make it more difficult for the consumer in the enterprise, the CISO, to determine whether this is actually something that’s a critical need or not. So, I don’t mean… Andy will take a different perspective I’m sure in terms of the investor perspective because, look, the world doesn’t work without investors. So, we need them. They’re essential. But as a CISO, I was more comfortable with the early stage companies where I was dealing with the cofounders versus later on when I’m dealing with the marketing professionals simply because it was more difficult to answer a simple question – what problem does this platform feature, function, solve.
[David Spark] We’ve talked about this earlier on our shows, Jim, and talking about working with startup companies and the eagerness to do that because they’re so eager to get big wins early on that they’ll trip over themselves to deliver over the top customer service, and you get that sort of front line employees like the founders working with you on that at the time. So, I’ve talked to many CISOs that really, really appreciate that. Andy, what’s your take on where you think the greatest broken parts in the ecosystem are?
[Andy Ellis] So, I think Jim is actually onto something about it sort of being in that late stage, the growth stage companies. Actually I’m a huge fan of aiming for the platform, but you aim for the platform by building and dominating a future. You sell a product that really works, and then you start adding things onto it. Maybe going back in my history. Maybe it’s a CDM. Like you just deliver bids. And then you’re like, “Oh, hey, we can do security on top of this. Oh, hey, we can do a WAF on top of this.” You just keep adding things until you’re a platform. But I see one challenge is people are trying to box out competitors that are nearby by claiming to have neutralizing features. “Oh, I can do that, too. Oh, I can do that, too.” And so the problem is they do like 17 things, and none of them well. And they’re not really well integrated, and they don’t really have a thesis for who they are. That results in a lot of the things that we’re looking at. Now, it may be that some of that is driven by their investors. I’m really fortunate at YL. I think we’re a really good investment team. Early stage. Our goal is we wanted to help our companies really… We do want them to dominate, but we want them to dominate what they do and not try to do 17 things at once even if we see that potential for them in the long run.
[David Spark] Let me ask you guys about the marketing thing. One of the things that Haroon and Adrian did in this video… Which by the way, I highly recommend everyone watch. It’s truly fascinating. One of the things they did is they created a fictional person in a fictional company, and they went to these cyber security awards organizations. And as you know, you can pay for these things. They paid for them. And this fictional person from the fictional company won a series of awards really proving the bogus nature of these awards.
[Andy Ellis] Right. Well, that’s a completely separate issue.
[David Spark] Yeah, but it’s part of the ecosystem though. I wanted to point it out.
[Andy Ellis] There’s an ecosystem that some of it’s in the press where people just want to get their name out there, and so they create these award programs, or they create the list of the top 100 influencers. And all of a sudden they’re like, “Oh, we’re going to tweet out the top 100 influencers and hope we get retweeted.” And they’re not experts in any fashion. They’re just some marketing person who was told, “Hey, great content.”
[David Spark] By the way, I have done these lists myself. You know how they’re created? You look at the last person who created a list, pull from that list, and then say, “Hey, do you happen to know the name of any other CISOs?” “Oh, yeah. I know this guy, Andy Ellis, and this other guy, Jim Routh.” “Okay, I’ll add those to the list.” “Does anyone know of a name?” This is honest to God… Someone thinks there’s some great criteria that’s created. No, that’s how it’s created.
[Andy Ellis] No, and it’s funny because I’ll often be like… I’ll see a list, and I’m not on it. And then I’ll see another list that comes out two months later from a different company, and I’m not on it. And I’m like, “But it’s the same people who are on this one.” So, totally just, “Oh, yeah.” Copied from a list I was never on.
[Jim Routh] Hey, David. There’s one more item that actually Andy identified, which is the list of features. That list of features often corresponds with a marketing person’s desire to check a box and say, “Yes, we do those 15 things.” So, if there’s a web search on any of those 15 things, it’s going to bring it back to our domain because we do those things. Now, whether the software actually does that is totally irrelevant. It’s purely a process to get through the RFP process with some success. And I’m not saying it’s good or bad. I’m just saying that it has nothing to do with the actual software functionality that’s underneath it.
[Andy Ellis] Yeah, I think look at how may zero trust vendors have…
[Crosstalk 00:27:31]
[David Spark] That’s what I was just going to say.
[Laughter]
[Crosstalk 00:27:33]
[Andy Ellis] No, but everyone went to zero trust. Then all the people who did zero trust network access are now doing SASE because SASE is the new buzzword. And it’s like 18 different features that they have to claim to have.
[David Spark] In six months’ time there will be a brand new one.
[Andy Ellis] Yep.
What’s a CISO to do?
27:47.794
[David Spark] What are some really bad cyber security practices that need to be corrected right away? Now, the Cyber Security and Infrastructure Security Academy or CSIA put out a list of three items that need to be dealt with immediately, especially if you’re supporting critical infrastructure. They are using unsupported or end of life software, using known fix or default passwords, and using single factor authentication. All issues we’ve talked about in the past on this show. So, we hear it on the show all the time, deal with the fundamentals, but it seems all organizations at some level are still struggling with some if not all of these issues. Just looking at these issues, how do you make sure your company doesn’t have these issues specifically for critical infrastructure. And Jim, where would you begin to say, “Okay, we just got to deal with these three first right away.” How would you begin that sort of search and dealing with that?
[Jim Routh] These three things are examples of IT hygiene. Every company I’ve worked for uses economic incentives for qualitative and inefficiency across the enterprise. IT hygiene should be no different. The accountability for efficiency and for economic benefit is actually the system administrator that puts technology into production and changes technology and production. Those two reprocesses need to have a disciplined approach to capture defects, identify the defects and the root cause in the process, change and improve that process, measure the output and results, and tie that to economic benefit. Because productivity increases and operating costs decrease by simply doing good IT hygiene practices. And because our economic incentives drive typically the right behavior, we just need to connect the right behavior to those incentives for IT hygiene across the enterprise. It deals with all three of these things and many other things around – asset management, configuration management, and vulnerability management. And frankly it does drive peoples’ behaviors in large organizations. That’s what we need to do.
[David Spark] Andy?
[Andy Ellis] I just got to say I loved Jim’s answer. But I want to come back to these three. And I think one of these is easy. One of these is hard, and one of these is weird. So, the easy one is single factor auth. Well past time. Get rid of single factor auth, preferably channel based MFA. Lots of different ways to do it. We could spend hours on how to do that. But you want enterprise level not just multi factor auth, but you really want something near single sign on since you have better control over everything. That one is easy. Hardest is, “Oh, get rid of unsupported or end of life software.” And especially with the caveat especially for critical infrastructure when it’s often the critical infrastructure interfaces. Whether it’s medical or power. There is nothing that is current…
[Crosstalk 00:30:53]
[David Spark] Right, and you have this multi million dollar piece of hardware that runs on this antiquated software. You don’t get rid of the hardware.
[Andy Ellis] Right, and the process of qualification is hard and challenging. So, I do think in general, yes, you should figure out how do you deal with your software and get as much of it into support. I think the bigger challenge that many companies have is not that critical infrastructure. It’s there’s some component that is really dang useful that some developer or customer care rep wrote on their spare time because there wasn’t a good business process. So, they wrote something, and it just works. And it’s been abandoned, but it still works. And it’s been there for years. Maybe decades even. And nobody understands it. Like go find those, and I don’t care that your IT or your software development team doesn’t think that that’s the cool, sexy feature. It’s probably the most useful piece of software in your company, and it is both unsupported and well past its end of life. So, fix it, and support it, and make it good. The weird one is the known fix default passwords. I hate these, but often this is like you’re stuck with them. Like you bought software or inherited software, so yeah, you’ve got to figure out how do you move past that. But I don’t think it’s as easy as just, “Oh, just knuckle down and put in some elbow grease and get rid of those,” the way it is for single factor authentication for your users.
[David Spark] So, this goes back to the thing that we say again and again – you need to do the fundamentals. But sadly the fundamentals are not easy.
[Andy Ellis] They’re not easy, but I think you don’t have to look at that and be like, “So I shouldn’t start.” What you should recognize is the 80/20 rule completely is going to apply here. 80% of this gets done with 20% of the effort, and the last 20% takes 80% of the effort. So, do that first 80% and then reevaluate where you are to figure out what your next steps are. Like if you haven’t even started moving to single sign on or supporting MFA at the enterprise level then you’re not into a world where you can worry about getting rid of the last single factor auth application. Don’t borrow trouble. That’s going to be years now.
[David Spark] Jim, you have the final word on this going specifically to the using unsupported or end of life software. When it seems so daunting and difficult, and also should point out that when you have a security team that’s eager to work on the latest, newest thing and you’re telling them, “Go work on the thing that nobody gives a rats ass about…” [Laughs] How do you get someone eager and excited about doing that, or how do you manage sort of the need to do it with the sort of maintaining the culture of like, “We’re all in this together,” kind of attitude.
[Jim Routh] I think Andy hit the nail on the head. This one is hard. It’s hard to do in every organization because there’s always legacy environments that don’t get attention. However, legacy environments that don’t get attention, specifically dollars to support the systems, they’re often legacy business processes that are changing and evolving, and the need for that legacy environment is actually diminishing over time. The entire organization needs discipline around architecture that says, “You know what? Instead of pouring money into that asset which is so difficult to operate and maintain and breaks all the time when we try to make changes, we need to invest in a new solution. And if there’s a business owner that’s standing by and saying, “I want my legacy environment. I don’t want anything else,” that business owner should be targeted by saying, “You know what? We’re going to throw a little nest money your way because over three years we’re going to spend less than we’re spending now with this archaic architecture that’s cranky and breaks all the time. So, let’s build a new application on contemporary stack technology. It’s going to require a little bit more investment, but it’ll be less than what we’re spending today to maintain this old thing that’s growing in obsolescence.” There’s nothing that I’ve just described that is easy. This is hard. But it all comes to the economics. We have to make an argument from an economic perspective to do this.
Closing
34:57.262
[David Spark] And that’s where we’re going to close it, right there. Thank you so much, Jim Routh, who by the way if you aren’t following his career, he’s the former CISO of MassMutual and CVS/Aetna. Thank you very much, Andy. By the way, Jim, I’m going to let you have the very last word. But first I want to thank our sponsor, Buchanan Technologies, for sponsoring this very episode of the show. Their website is Buchanan.com. Check it out, and you can see the incredible slew of services that they offer. Thank you very much, Buchanan Technologies, for sponsoring this episode of the podcast. Andy, any last words for our audience?
[Andy Ellis] Well, by the time this one drops hopefully the weather will be turning. Hopefully that’s not going to be cancelled and rescheduled. Hopefully we won’t have snow in Boston. But if you’ve spent the last several months indoors, and you’re feeling a little bit cranky, go schedule some time to get out of your house and do something else.
[David Spark] I’m actually meeting with a local security professional. I’m trying to meet up with more. By the way, if you’re a security professional in the San Diego area, I want to know you because we’re trying to amass sort of a small meet up group in this area. Jim, any last words for our audience?
[Jim Routh] One last bad practice that I’d like to just point out – traditional HR practices are you post a job when you need the role, and you write a job description that’s a walk on water job description that has every certification known to mankind. And you have six weeks while it’s posting to find such a candidate. The market conditions do not allow that today. There is a scarce supply, and that supply is getting scarcer. We as cyber security professionals have to fundamentally change HR practices in this regard. You hire when you find people, not when you need people. You never, ever, never, ever do a hiring freeze. Never. Recruiting never stops. It’s a continuous process. When you interview candidates, you ask them what they want to learn, not what you’d like them to learn. You ask them what they want to learn. You don’t create roles and fit people into them. You find talent, and you modify roles to fit what they want to learn. These are nontraditional HR practices. You still have to partner with your HR team, but you cannot follow traditional HR practices and be successful under the current market conditions.
[David Spark] I think this sings to you, Andy, yes?
[Andy Ellis] Oh, absolutely. I think most companies don’t actually recognize how much candidates talk. It’s possible to slow down your hiring and being like, “Okay, we’re not going to hire as many people this quarter.” But never, ever freeze a candidate. You have a candidate you’re about to make an offer to, and you’re like, “Oh, I don’t know if we have budget anymore because we’re renegotiating,” your company has just screwed something up royally the moment you ghost that candidate that you wanted to hire. It means you thought they were great, which means they probably know great people. And they’re going to go tell all the great people, “Don’t bother applying at that company because they’ll just ghost you.”
[David Spark] Excellent advice. Thank you very much, Jim Routh. Thank you very much, Andy Ellis. Thank you to our sponsor, PlexTrac. And thank you to our audience. We greatly appreciate your great contributions, your “what’s worse” scenarios. Send me more of those. And for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.