In this episode of The Great Security Debate, Dan, Brian and Erik invent (and copyright) the idea of a Fantasy Hacker League then dig into more serious discussions on deception technology, asset discovery challenges, and resource management. The conversation also delves into the impact of budget constraints on security projects, the mental toll on cybersecurity professionals, and the evolving role of CISOs in digital transformation. Issues such as job stress, burnout, and role mismatches among security leaders are addressed, alongside strategic insights on integrating security within broader business operations.
00:00 Introduction to the Great Security Debate
00:39 Humorous Take on Hacker Recruitment
03:16 Fantasy Hacker League Concept
09:18 Microsoft’s Honeypot Strategy
22:58 Challenges in Security Budgets and Resources
31:03 The Reality of Full-Time Positions
31:31 Introverts vs. Extroverts in Leadership
32:06 The Challenges of Being a CISO
33:53 Work-Life Balance and Stress
37:04 The Role of Security in Business
39:36 The Future of Security Leadership
41:00 Adapting to Economic Constraints
59:28 The Importance of Enjoying Your Work
01:00:26 Conclusion and Farewell
Transcript
Welcome to the Great Security Debate.
Host: This show has experts taking sides to help broaden understanding of a topic.
Host: Therefore, it's safe to say that the views expressed are not necessarily those of...
Speaker B: ...the people we work with or for.
Host: Heck, they may not even represent our own views, as we take a position for the sake of the debate.
Host: Our website is greatsecuritydebate.net, and you can contact us via email at feedback@greatsecuritydebate.net, or on Twitter, ecuritydebate.
Host: Now let's join the debate, already in progress.
Speaker B: So would that be the equivalent of us having a Russian or Mandarin welcome message in our system?
Speaker B: So when somebody breaks in and sees it, they're like, oh, well, this is a local, I'm not going to attack this.
Speaker C: Exactly.
Host: Yeah, but that goes back to the idea.
Host: Remember the old idea of the message that says, hi, you've come to this system.
Host: Illegal use is not permitted.
Host: Remember the build splash screens?
Host: I don't think that worked at all.
Speaker C: But what did work was someone that was like, hey, great work on getting into our system.
Host: Would you like a job?
Speaker C: Just like to say, like, if you kindly wouldn't mind leaving.
Speaker C: Greatly appreciate it.
Speaker C: But this was awesome.
Host: So there was an article about that.
Host: There was an article about this. I think it did not relate to institutional hacking.
Host: You know, those that were rooted in organized crime or state sponsored, but others that found those kinds of messages. Apparently there's some percentage, and I wasn't planning on this so I don't have the reference ready, but I'll put it in the show...
Speaker C: ...notes. Before, via text, or find it.
Host: But there was a massive drop in the number of times the person would see that and would then just stop, or not do the final extortion, because they were there just to play.
Host: But seeing that confirmation, that affirmation, apparently was quite well received.
Host: So is that going to be the new robots.txt or security.txt?
Host: Thank you.
Host: You found a great thing.
Host: We really appreciate it.
Speaker C: Would you like $5? AI algorithm, right.
Speaker C: Get that embedded in the AI: be nice, treat the attacker with some respect, some level of glorification, and then kindly ask them to leave.
Speaker C: Yeah, what could go wrong?
Host: What could go wrong?
Host: Yeah, really?
Speaker B: As you guys are walking through the institutionalized hacking groups, nation states, and then the criminals, I begin to wonder, is that like a minor league?
Speaker B: Do they start bringing them up at some point? Hey, now we're moving you up to the pros.
Speaker B: You got to.
Speaker B: Maybe.
Speaker B: Maybe we could start doing this.
Speaker B: The hacker draft.
Host: There you go.
Host: You've been drafted by the Milwaukee...
Host: By the Milwaukee...
Host: The Chicago...
Host: I can't even think of a good word.
Host: B or C.
Host: The Chicago Crackers.
Speaker C: You could create a fantasy hacker league, right?
Speaker C: Like, drafted Sandworm, first round.
Speaker C: Booyah.
Speaker C: Getting into that IoT, baby, right?
Speaker C: Like, ooh, who'd you pick up?
Speaker C: Right?
Speaker C: Like, oh, I went after that Nigerian prince that does, like, those...
Speaker C: That phone scamming stuff, right?
Speaker C: Try to pick up some low-hanging-fruit points, right?
Speaker C: Maybe on a late Sunday game.
Host: And then it could all be like the Yankees.
Host: But there's an ethical problem here.
Host: Most... you'd have to, like, agree to follow the rules, that you would only use the assets that you've acquired and not go after others.
Host: So it...
Host: Otherwise, it'd be like the Yankees, who just break the luxury tax every year.
Speaker B: Screw it.
Host: We're buying everything.
Host: We'll pay the extra money.
Speaker B: I mean, if we're doing this fantasy, I think you could pick up a defense that's on the blue team as well.
Speaker B: Like, you could pick companies to see, and if they aren't in the...
Speaker B: You know, in the...
Speaker B: In the news for a breach for a time period, you're picking up some points.
Speaker C: This could be, you know, like, football season.
Speaker C: Like, I did fantasy football again this year.
Speaker C: Gonna admit I got back in.
Speaker C: I kind of been removed from some leagues.
Speaker C: Not forcibly removed, no.
Speaker C: But, like, a previous company I worked at, so...
Speaker C: And I can say when I was at Aisin... I no longer work at Aisin, but I was so close with those people, I still consider them family, right?
Speaker C: I was still part of their league for, like, another year or two.
Speaker C: And when, like, I came in second or first, like, two years after I'm not there, they're like, James, we're probably gonna have to remove you.
Speaker C: A lot of new people here, and they really want to be part of the league.
Speaker C: And we had to tell them they couldn't.
Speaker C: And then some guy from outside the company wins.
Speaker C: I'm like, totally get it.
Speaker C: Right?
Speaker C: Like, breakup.
Speaker B: It's not...
Speaker B: It's not you, it's me.
Speaker C: It's...
Host: Oh, no, it's me.
Host: It's you.
Speaker C: So, like, now I joined my current company's league, GTS's, and I find myself now doing that.
Speaker C: Am I doing the audiobook in the car?
Speaker C: Do I get a little bit of that fantasy sports check?
Speaker C: Should I be picking somebody up?
Speaker C: Next thing you know, I'm, like, an hour into listening, and I'm like, I just wasted an hour of my life.
Speaker C: This was pointless.
Speaker C: Because no matter what they say, like, last week, they told me to play Calvin Ridley.
Speaker C: Zero catches, complete die.
Speaker C: No, look at, this is like, if it was a year-long league.
Speaker C: Like, this is only so many weeks, right?
Speaker C: But if you had a year-long fantasy hacker league, right?
Speaker C: What defense do you pick up that you hold all year in the hopes that they don't end up in the news or on the dark web?
Speaker C: You know?
Speaker C: How many people... like, I'm sitting there listening to fantasy sports.
Speaker C: How many more people would log in to be like, man, I wonder if there's anything on the dark web?
Speaker C: I'm gonna totally poop on Eric this week, right?
Speaker C: He's gone down, right?
Speaker C: Like, people would actually probably be more diligent.
Speaker B: Like, you're not even gonna believe it.
Speaker C: Zero day, I thought it was.
Host: And this becomes much more...
Host: This becomes much more possible now with SEC disclosures.
Host: So you can actually take your rate...
Host: You can take your results based on the 10-K and 8-K filings.
Speaker B: This is interesting.
Speaker B: I think we're onto something.
Speaker B: And maybe if you don't want to pick individual companies, you could pick the...
Speaker B: What are the codes called that define the different verticals that people are in? The business codes.
Host: Oh, the SIC code.
Host: Go by SIC code.
Speaker C: Like, if you got stuck with healthcare right now, right?
Speaker C: It'd be like, oh, my God, I can't believe I'm picking 12th.
Speaker C: I'm totally getting pooped on with healthcare, right?
Speaker C: Like, you know, you're putting up zero points, all right, on a monthly basis, just saying, like.
Speaker B: But you can have a multiplier on that.
Speaker B: If a week goes by where healthcare isn't in the news for a breach, there's a multiplier.
Speaker B: Right.
Speaker B: Because you took a high-risk category.
Speaker C: Yeah.
Speaker C: So maybe you get 4x, right?
Speaker C: Or if it ends up as a tie, it's like that money back that they're...
Speaker C: I listen to the radio and they're like, you know, you can bet on blah, blah, blah.
Speaker C: And if your team doesn't win, but you tie at this, you get your money.
Speaker C: It's like, we don't want you to be upset.
Speaker C: We just want you to bet more.
Host: That's right.
Host: Or we're going to give you five...
Host: We're going to get...
Host: For every bet you make, we're going to give you five more dollars that you have to spend here.
Host: It's like Kohl's Cash or these other goofy-ass mechanisms to try and just get you back into the store, Dickie.
Speaker C: And think about the different parlays you could do.
Speaker C: Because I hear those too, where they're like, you know which one I really like right now?
Speaker C: I really like the idea of, you know... I forget it.
Speaker C: The Sam Darnold over on his passing yards, right?
Speaker C: Be like, sweet.
Speaker C: Whoever gets hacked this month, I'm taking the over that they go ahead and pay the ransom.
Speaker C: I'm betting 10K over on Bitcoin.
Host: Should we now talk about manipulation of the results?
Host: Oh, I'm going to bet heavy.
Host: I'm going to bet heavy on Cisco getting breached, and then I'm going to deploy my own hacking team to breach Cisco in that week.
Host: And then I'm going to make a ton from both.
Speaker B: We're not responsible for any actions taken from the information or game that we may purport here.
Host: Is that legal? None of this is real, and none of the...
Host: None of the names that we've named are actually on our list to hack.
Speaker B: I won't.
Speaker B: I actually think that would be a ton of fun.
Speaker C: Like, it would be one of those things, like, hey.
Speaker C: Like, oh, it could be part...
Speaker C: No, I shouldn't even say that.
Speaker C: I did not just say that.
Speaker C: Like, you're doing your security meetup once a month, where it's like, we're just doing a quick check-in.
Speaker C: Just let you know where the leaderboard stands right now.
Speaker C: Danny Ayla really riding high at the top.
Speaker C: Drafted really well.
Speaker C: Got a little sleeper there, right, with his flex play.
Host: He did lose...
Host: He did lose 30 points because he got called by the FBI for the accuracy of his choices.
Speaker C: Dan was thinking long term. Got to give the guy a lot of credit, going into the playoffs knowing that there was a presidential race on the line and Fancy Bear might pick up their game.
Speaker C: Bam.
Speaker C: He nailed it big.
Speaker C: Give it all to Dan.
Speaker B: Team name: Tariffs for You.
Speaker C: Did you guys read the article about Microsoft creating the fake Azure tenants to pull phishers into their honeypots, and all the things that they saw?
Host: No, I didn't.
Host: Soup is pretty.
Speaker C: This was really cool.
Speaker C: I'm gonna...
Speaker C: I'm gonna pull this up here, right?
Speaker C: Because, like, now, again, going to the fantasy side, I don't know that anybody would be picking up a Microsoft, right, as, like, a sleeper pick for doing something this crazy cool, right?
Speaker C: But again, low dollar value idea, fantasy line.
Speaker C: Boom.
Speaker C: Microsoft comes in, drops in some fake Azure tenants.
Host: And...
Speaker C: And if I read this...
Speaker C: So Microsoft was using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure to lure cybercriminals in, to collect intelligence about...
Speaker B: But who did they charge for the E5 licenses?
Host: You.
Speaker C: We all know those aren't free. But with that collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify... What was cool, though, and I'll have to go through it...
Speaker C: I'm not going to read the entire thing right now, but when I was looking at it last night, like, they were catching... like, some of the information they got, this wasn't just, like, a nation state.
Speaker C: They were getting information from everybody.
Speaker C: Right?
Speaker C: Like, nation state.
Speaker C: The 17-year-old, the 13-year-old that was just over in Europe, or some guy over here, that literally ended up in that honeypot.
Speaker B: Nice.
Host: Interesting.
Host: Really interesting.
Speaker B: Good on that.
Speaker C: A lot of cool information there.
Speaker B: That's creative, because, I mean, for the longest time, the Microsoft stack, and not unique to Microsoft, AWS is also at fault for this as well, right?
Speaker B: That if you look at the amount of attacks that have come out of low-cost or free tenants, email and stuff, that have been able to be spun up there. We actually were having a conversation with our email provider.
Speaker B: So, not naming who they are, but they were like, hey, we see that you put a hard block on anything that was coming from an onmicrosoft.com domain.
Speaker B: Yeah.
Speaker B: Because I think there's a lot of providers out there that don't understand what that actually stands for.
Speaker B: Right.
Speaker B: That anything net new...
Speaker B: Your tenant is something.onmicrosoft.com.
Speaker B: If you see any email from there, that should be a dead giveaway that somebody's screwing around with you.
Host: Yeah, that's funny, because I thought the M's on your shirt and hat there stood for Microsoft.
Speaker C: Oh, well, I thought that was Microsoft Field behind you.
Host: Eric lives in Windows 95.
Speaker C: For those of you that were watching the video while listening, I said that comment while Eric was taking a big swig of water, and he literally just...
Speaker B: Almost, like, yeah, almost had to protect my tech here recording it.
Speaker B: It was like a Gallagher event.
Host: Well, the idea of honeypots like that is, you know, obviously not new, but being able to extend it that way is good.
Host: I think we need to do more of that.
Host: It's hard to find the time inside your organization to actually spin up those kinds of things unless you have a really big, really mature organization like Microsoft resurgence now.
Speaker B: Right.
Speaker B: Because I obviously talked about Microsoft doing it.
Speaker B: As we look at... we've started... I mean, under the coin of, like, the deception vertical, you saw Attivo come up, get acquired by SentinelOne.
Speaker B: Pretty cool stuff they're doing, and it's not unique to them in that space.
Speaker B: This is the new wave. For the longest time we've acknowledged somebody's going to get in, but if we can now start feeding them some crap data and get them to jump for one of these things, we can start to pick up earlier on what they're after, what they're doing.
Speaker C: Preston.
Speaker C: See, I did think that was... not beating anybody up here either, but I thought Attivo's deception technology was some of the better technology in the market.
Speaker C: The acquisition, though.
Speaker C: So, like, at that same time, when you had CrowdStrike buy Preempt and then SentinelOne bought Attivo, everybody was looking at it not necessarily for Attivo's deception technology, but more on some of the stuff they were doing around identity.
Speaker C: And everyone's like, yep, we just bought an identity solution.
Speaker C: We're going to integrate one agent, still one agent, right.
Speaker C: And at the end of the day, like, after a set period of time, when X number of engineers, or I'll just call them, like, the overlays, are no longer there anymore, I don't know that there was a core understanding of how to position the deception technology of Attivo, and it was really good stuff.
Speaker C: And it was like all that momentum that they had talking about it.
Speaker C: And I'm not going to say that I know stuff that I don't know, but when you have a lot of salespeople or engineers that all leave...
Speaker C: And then you have the rest of the company that's trying to work on the identity piece, it was like the deception technology kind of almost got left behind in the story.
Speaker B: Yeah.
Speaker B: So this is a conversation I've had with a couple tech CEOs recently, that I think certain technologies, they have to start recognizing that their position is not only a market position and where they fit from a technology stack perspective, but also from a maturity roadmap and the companies that they're targeting. And I don't think they often get that certain companies are further along, that, hey, I've got a lot of legacy tech debt.
Speaker B: I've got to pay it down.
Speaker B: I've got to fix the architecture. Now that we've got that, that's where we're going to spend our time.
Speaker B: Now we can start bolting on some of the cooler technologies and start to take advantage of that.
Host: But if you don't buy the new cool tool now, your company will die.
Speaker C: That's where some of the pen testing... I shouldn't call it pen testing as a service.
Speaker C: The SaaS PTaaS solutions and breach and attack solutions.
Speaker C: So I'm talking like...
Speaker C: And if we're going to name names, like the Penteras, the Horizon3s, the on defense, etcetera. What I thought was cool is some of them, or at least one in particular, is now working in the honeypot piece.
Speaker C: So it's almost like working in tripwires.
Speaker C: So, like, as you're doing your...
Speaker C: Your Patch Tuesdays and then your breach and attack Wednesdays, to confirm that all the patches were done correctly, appropriately, or if you deployed a new this, that it was configured correctly. And then they're leaving behind, as they're doing those simulations, leaving little things behind, right, when they find gaps or this or that, for whoever comes next to hit the bell.
Speaker B: Interesting.
Speaker C: I'm like, that's actually pretty cool tech.
Speaker C: So instead of just giving me, like, I do a pen test once a year, twice a year, right?
Speaker C: I put this in.
Speaker C: Yeah, I get the breach and attack simulation part.
Speaker C: You can scan way more IPs really, really, really fast.
Speaker C: But then I got a lot of work to do.
Speaker C: If you leave something behind that rings a bell, right now it's like, sweet.
Speaker C: Now it's that honeypot-y.
Speaker C: Sorry, go ahead, Eric.
Speaker B: No, I was just going to say, I think that's a perfect example of an evolution that's super cool, but still predicated on the earlier tenets.
Speaker B: And, you know, I'll pick on the CIS 18, right.
Speaker B: That until you know what assets you have, where those assets are, deploying something like that, you're doing a shotgun approach of thinking that you understand where it's being deployed and what you're protecting, when actually some of your biggest risks probably fall outside of that known container of assets you have.
Speaker C: Knowing both you and Dan, though, I mean, you guys would sign a document if your bot management came to you and said, Dan, do you know where 100% of all of our assets are?
Speaker C: Sign this document that...
Speaker C: Yes, you do.
Host: No, no.
Speaker C: Right?
Speaker C: Like, now, there are things out there from an asset discovery standpoint, et cetera.
Speaker C: But again, you get into that, like, what are we capable of doing on our own, right, from a maturity standpoint?
Speaker C: And then what would we invest in to help us figure that out faster?
Speaker C: And if you're one of these companies that, I'll say, like, let's say Fortune 500, right?
Speaker C: Like, if you're this big today and you've been around that long and have so many legacy old assets out there, deception technology would be really cool to put in there, right?
Speaker C: Because I don't even know where everything is.
Speaker C: Right.
Speaker C: But if I could get some stuff at different gates, right.
Speaker C: To be alarmed or get stuck in.
Speaker C: Sweet.
Speaker C: And maybe I'm investing in some type of asset discovery solution.
Host: But...
Host: But a very large but.
Host: Um.
Host: The idea of putting...
Host: Yes, I have the large but, um.
Host: But putting things in...
Host: Into an environment where you don't understand the environment.
Host: Not even...
Host: Let's not even say fully, let's call it 80, 90%. Throwing a mechanism in there, and then you end up spending a lot of time chasing against things that may or may not be true.
Host: That, to me, is a resource strain, combined with spending whatever it was on the tool that you're only getting 20% of usefulness out of in the first place.
Host: I am so fundamentally "stay at basics until you are at a maturity point where you can make small, measurable steps forward."
Host: That throwing that stuff in...
Host: In an environment, unless you know it, you're wasting both your own money and your resources' money.
Speaker C: And that's why they named it a honeypot.
Speaker C: So, honey on the glycemic index, very, very, very low.
Speaker C: So when you look at fructose versus glucose and that process, from a diabetic standpoint, it is way healthier for you, regardless of how much of it you eat or where it spills.
Speaker C: Right.
Speaker C: Like, that's why they call that a honeypot.
Host: Yeah, but I'm out $100,000, and I sent seven people running after stuff that doesn't matter.
Speaker B: Yeah, that's not Brian.
Speaker B: Hashtag cyberpubear.
Speaker C: Well, you tell the board, like, yeah, but, guys, it's super low on the glycemic index.
Speaker C: Like, this is way healthier for us.
Host: But I bought a honeypot.
Host: Are we using it?
Host: Well, no, but we bought it right now.
Speaker B: Hopefully you're not running it on VMware.
Speaker B: And it now just went up 10x, 20x in cost.
Speaker B: Oh, two, actually.
Speaker C: I got a great how-to to pull that together.
Speaker C: You're correct, Daniel.
Speaker C: I will agree with you.
Speaker C: Because outside of being low on the glycemic index, the idea of honey and where honey comes from: if you're buying honey at the grocery store, mass-produced, coming in a jar from God knows where...
Speaker C: Yes.
Speaker C: You're getting the good sugar.
Speaker B: Tell us something.
Speaker B: Is that a Michigan cup that Dan was just drinking from?
Host: Yes.
Speaker C: Oh, my gosh.
Speaker C: It is. Hold that back up.
Speaker C: There it is.
Speaker B: Okay.
Speaker B: All right.
Speaker B: Just wanted to call that out.
Host: Yes.
Host: Because I...
Host: I reuse and do not throw away...
Host: It's from the game.
Host: From the Wisconsin-Michigan basketball game I went to.
Speaker C: But if you're worried about your security, your posture, right, the idea that maybe we have some allergies in there, things start to flare up in the spring or during, you know, election season, et cetera.
Speaker C: It's the local honey, right.
Speaker C: In your environment, that is best for you.
Speaker C: That's the stuff that they give a little bit of in your cereals, your tea, etcetera, to your children.
Speaker C: It's like giving yourself a little bit of that sting of every plant in the environment in very low-dose amounts, with the sugar and other things in there, right.
Speaker C: So that your body ends up building up immunity to the pollens, right.
Speaker C: And thus reducing down those seasonal allergies.
Speaker C: So, Dan, to your point, totally agree.
Speaker C: If you're just throwing random honey in there, it ain't going to work.
Speaker C: You got to figure out your local environment and go get a honeypot...
Speaker C: That makes sense for the allergies in there, right?
Speaker C: Like, come on, guys, local honey.
Speaker B: What?
Speaker B: And now, what if we just start becoming... what if we get local cyber bees?
Speaker B: Can we just... better, because they're, they...
Speaker C: Understand your environment even better.
Speaker C: Like, what happens when you have all these almond orchards and everything else that are bringing bees from Michigan out there, and then those bees hang out, but they don't really know the environment.
Speaker C: Hang out with a bee they shouldn't have, come back with a little something-something, and boom, beehive dead.
Speaker C: Right.
Speaker C: Like, you got to know the local environment.
Speaker C: Absolutely agree with you there, too, Eric.
Speaker C: Great point.
Host: Are you advocating for a cyber bee in every port?
Speaker B: It is actually kind of funny that you bring this up, because I was talking to somebody last night.
Speaker B: We were grabbing some beers and talking about how their sales org is structured differently from a company they were previously at.
Speaker B: And the kind of national marketing and push for sales versus being able to create regional pockets that start to understand organizations and where they are.
Speaker B: And just the vast difference between the coasts, Midwest, and the speed at which companies are moving, what they're actually looking at.
Speaker B: But if you try to take that holistic approach, just like bees and honey, right.
Speaker B: You got to have that local touch.
Speaker C: Yeah.
Host: Yeah.
Host: You really do.
Host: I want to flip to something else, though, in that discussion.
Host: And it's about resources and budgets.
Host: The fact that throwing money at tools, throwing resources at tools, was, you know, a lot easier in a day in which we were seeing information security budgets stay or grow.
Host: I think we're starting to see the... well, now I think we can all agree we've seen the end of the unfettered growth of security and security budgets.
Host: There's just... I guess we're having to do more with less for the first time in a very long time.
Host: And as a result, we started to hear more from people about, I guess, overwork, unhappiness in work, doing things they don't want to do.
Host: I mean, I'll be very frank with you.
Host: If I have to fill out one more security questionnaire, I'll probably throw something, which, by the way, my afternoon is filling out security questionnaires.
Host: But there's all sorts of this going around in organizations.
Speaker B: Real quick, what I'm hearing, Brian, is GTS should actually send Dan a questionnaire about his involvement in the upcoming Michigan-Michigan State tailgate to understand the controls that he has around the environment, what's being brought.
Host: My controls were all thrown out the door when they made it a late game, and that has now completely made me unable to go.
Host: Just the idea here that we're starting to see real pull on this environment.
Host: I think organically, this... and our field has already been one that's very taxing mentally because of the topic area, because of continuous bombardment, because of continuous threats.
Host: There's never a downtime, there's never a good day to take a vacation day.
Host: All of those kinds of things that come in just naturally in the infosec field, but then layered onto it, we need you to do even more.
Host: We need to take the existing people and use them in more ways, despite the fact that the outside threats are growing and we can't buy the tools we need to, and we need to, um...
Host: Or we can buy the tools, but we can't really get the people to run them.
Host: I guess I'm really curious about impacts.
Host: I'm really curious about the experiences you guys have had and seen with people, you know, people you work with, obviously keep names out of it.
Host: But, you know, how this is starting to play out, and what can we do about it as a field?
Speaker C: I'll say... go ahead, Eric, if you want.
Speaker C: I was going to say I've seen a massive...
Speaker C: How do I say this?
Speaker C: Almost everyone that I work with on a personal basis, from my job standpoint and what I do in terms of companies I work with, I would say one out of ten is okay or content where they're at; the others are not.
Speaker C: And then across that entire ecosystem, I have, like... I guess I got to take this, like, with a grain of salt.
Speaker C: But I have never in my life seen as many security projects pushed, punted, or kicked as in the last six months.
Speaker C: Even going back to, like, when security companies, vendors, were worried in, like, 2022 because of budget and getting money, etcetera.
Speaker C: And I'm, like, really, really surprised.
Speaker CEven companies that have gone through situations, I'll refer to them as incidents.
Speaker CRight.
Speaker COr even breaches for that matter, from a budget standpoint, be very, not just conservative, but as like, just kind of like, hey, we're cutting a.
Speaker CWe're cutting, we're cutting.
Speaker BYeah.
Speaker BFrom my perspective, I begin to wonder if we're all right.
Speaker BSo I think we can agree the days are gone of money being thrown after an issue without questions and justification.
Speaker BRight.
Speaker BI think that was the boom that we saw in security.
Speaker BSo as the money dries up, that is just being thrown around forces you into a position that you have to be better at justifying.
Speaker BWhy?
Speaker BWhy should I invest in this?
Speaker BWhat do I get as an organization?
Speaker BWhat's my risk offset to be able to make that, that investment?
Speaker BAnd I think we're starting, this is going to shed a new light that we have not evolved enough as security leaders being able to tell that story that we cannot continue down this path of bolt on technology after bolt on technology just for the sake of, oh, this is super cool, it does something new, right.
Speaker BThat I think that we need to start looking through the lens that as we think about all these different tools.
Speaker BAnd I think it's fascinating now that if you look at a lot of the different security technology, not as much the ups, the kind of new starts that are coming in and disrupting some of the industry, but we're starting to see the acquisition palos buying them, checkpoints buying them and starting to.
Speaker BNot that I'm advocating that we go back to an era of platforms because we've done that on an episode, I think everybody refer back to that, you know exactly where we stand.
Speaker CBut you're starting, unless it's a fantasy hacker season, it will be on a platform.
Speaker BBut you're starting to see this Venn diagram now with so much overlap on what is offered from these different platforms.
Speaker BAnd I think that now more than ever, we are in a heightened level of tool scrutiny that we need to be able to not only try to seek out net new spend, but take the hard path and starting to repurpose spend that were constantly having to start looking at some of your partners that you already have in the ecosystem and sort of like, was yesterdays decision the right decision today?
Speaker BOr can I take that spend and maybe find somebody that's almost as good in the space that I bought them for, but also adds this, this and this feature to give us a broader perspective.
Speaker BAnd I think this just, this is where we had to be to start working harder and understanding and rationalizing what we're doing.
Host: Yeah, there's probably... Dan, if I could.
Speaker C: I was gonna say, if I could interject there, too. Eric, I really do agree with you. But I also think, to the point of that, like, I look back, not because I planned any of this, but, like, 16 years in automotive working for the same company. Even at the end of ten years, it was very hard to understand the entire business that Aishin did, right. 16 years did give me a very, like... That's why I always revert back to automotive, from, like, a large supply chain: the idea of quality control, production control, et cetera. It's very easy for me to go back to that because I was in it so long. But when people change from vertical to vertical to vertical, every company two to three years, if you're a good extrovert and you can understand business well and you can tell that story, great. But the number of people that were in security, that were introverts, that just got promoted because they were the security guy and understood that security environment... I see a paradigm shift in two things. One is there is not a limited budget. There never was. But throwing money at stuff just doesn't happen anymore. So you really got to be able to explain it, right? It used to be like quality problems in manufacturing. That was our number one line, right? So as things happened, you just threw money at it, right? But at some point you're like, why don't we just go back and rebuild the entire line on the next generation vehicle and remove all this added bolt-on crap that we were doing? Second thing there is that help that you were getting. You had... the people working in security today, the CISOs, the directors, the admins, et cetera, are working longer hours than they have for a long time. I can say that just sitting in my position and having it on the phone at some of the hours I do, where some of these analysts are like, when I was contract, I was done at 8 hours. At 9 hours, I'm working more hours for less pay. Like, I'm not even sure why I wanted the full-time position, because I don't see a road at the end of the tunnel, because I've been passed up two times already, because there's no budget to promote me, right. And I'm like, that is a very disheartening thing to hear.
Speaker B: Sure. So I'm gonna go tangential for a bit. I think, if we start to boil this down to introvert versus extrovert, that's a crutch.
Host: Yeah, right. Totally agree.
Speaker B: It's way more nuanced than this. I just had this conversation with one of my peers, having come out of leading a two-day strategy session. I mentioned to him at the end, I go, as an introvert, I go, this is going to suck. That I had to lead it because it was the right thing to do, and it made sense to do it from a security focus and just the lens that I was coming from. But you pay for it at the end; the next day, just completely drained. With that in mind, I go back to something Earl Dubie said at one of the talks back at CSA. He was doing a fireside, and he looks at everybody. He goes, you think you want to be a CISO? You don't want to be a CISO, right. That everybody looks at it, that, oh, it's the title, it's the control, it's all of these things. But there needs to be a retrospect that you can be an introvert, but you still have to find those opportunities, because that's part of the job, to be able to connect in with people. If you go in purely tech-focused and go, I'm just going to do the typical gremlin, no lights, not going to talk to anybody, that's not the right role for you. And yes, you are going to add a ton of stress to yourself in doing that. But I look at it as you're talking about the amount of time that has to be spent. And I'm going to preface this: I'm not advocating that you leave your companies in a precarious position, but I have had conversations with a number of people that put in way, way, way too many hours, and what they end up doing is, but if I don't put in the hours, then this is going to fall apart, the metrics are going to look bad. I go, yeah, but you're actually masking an underlying issue because you're doing that. That if somebody looks at your metrics, pick on a help desk, right, that if I look at abandoned calls or how long first-time resolution takes, stuff like that, you're making it look like nothing's wrong. And this is, it's counterintuitive. But if you don't step back and put healthy boundaries in place to protect yourself, to protect your team, that is going to continue and it's going to get worse.
Host: Yep. A hundred, a hundred percent. And the way to effect change is to be in there. What causes the pearl? It's the sand, it's the agitation. What causes change in an organization is the pain. And I use that term lightly, but sometimes you have to have... the organization needs to understand that there's pain, or there's no impetus to change it. Right now, none of this is negligence. None of this is, you know, abandoning it all. But in cases where the catalyst becomes, we clearly know, we clearly see we have a need for this because something's not getting done, things are taking too long, we're not meeting SLAs, all of these kinds of things are the inputs that generate the necessary kind of change and help understand in the bigger priority. Guess what, security leaders: this is exactly what happens in the rest of the organization. The people who aren't in guardian fields, in protector fields, who don't feel this ethical, heartfelt need to solve all the problems and make sure that the breeze will never hit their faces, those kinds of things. And we got to change some of that. Everything that I just heard, yeah, was correct. But I think there's also some other elements here. I think it less has to do with... I think you guys are both talking about things at a personality level, but I think there's something a little more about: we need to take it up one more level and look at the type of role that's involved, the type of CISO role, the type of security function that's there. And then that helps to dictate the kind of person that can go into that role, you know. As it happens, two of the show's friends, Jess Byrne and Jeff Pollard from Forrester, have just finished a new update to their Future of the CISO research, in which there are six archetypes of CISOs. It's really good research. It's paid research, so if you're a Forrester client, go to it. I'll put the podcast version of this, the public podcast, into the show notes. But go take a look at the research. And as it happens, in December, they asked me to come out and do a panel at their Security and Risk Summit, in which we're going to talk exactly about this, about the archetypes. And I think the archetypes, like the post-breach CISO, like the policy and risk CISO, like the transformational CISO, like all these kinds of things, dictate different personality types, different needs, and they're in different focuses. Like, there's one that's more of an operational CISO, like the run-the-bank kind of person, which I have no interest in. Like, as soon as it gets to running, it's boring to me and I'm out, and I fall into different categories. I think that has less to do with, you know... what has a lot to do with my character traits. But I think it's important to understand the nature of the job you're stepping into in the organization, and look at the characteristics you bring. So I don't think it's the introvert/extrovert thing; you know, the run-the-bank one, the operational one, can very easily be done by an introvert, because it's just crank, or the policy one, the policy wonk one, absolutely could be done by an introvert.
Speaker B: I agree with you. And I think in a lot of cases, sometimes it takes time for somebody to figure out what it is they really want. Right. If I look back to early in my career, I had a conversation with a recruiter, and one of the comments I made at the time is, I don't want to go into an organization and build up a security program again. Now that I look back at that, boy, was I wrong, because I started to recognize the same thing, Dan. I have no interest in just being there to run, to keep the lights on.
Host: Steady state bores the crap out of me.
Speaker B: But at the same time, I also recognize that if we almost think about this in the context of Crossing the Chasm, right, the early adopters and stuff, that as you look at a company that does not have a security program today, while there should be only a few of them, I'm probably not the right fit for that as well. Because I see there are those CISOs out there that are much better at having... much better on a personal level, that are connecting with people and being able to help them understand why there's a need to start investing in this whole new area that we've really never paid attention to before, or that just falls as an add-on hat to somebody else. There's others out there. Not to say I can't do it, but there's others out there that do it way better. But once that need is realized, to be able to come in and then build out a program, a hundred percent, like that's... That's what I see as my sweet spot.
Host: Yeah. But I think the mismatch is a lot of what's causing people's challenges too. Don't get me wrong: organizational constraints, environmental constraints, economic constraints, customer constraints, where people aren't buying this. It has to do with this across all... this is not just... In fact, I'm going to specifically exclude security software. That's a byproduct, it's the trickle-down portion. But if you look at just revenues in general, people buying things in the B2C world, things costing more so you can buy less, salaries not necessarily going up in association with that. In the B2B world, everyone is contracting their budget, so everything is cutting. So there's outside forces that we can't avoid, no matter whether I'm in the right role, the right role archetype, for my personality or my characteristics or not. So then you have, and I shared this with both of you, and I'll put this into the show notes, BlackFog had some research recently on cybersecurity; Leaders Under Pressure is the title of it. 24% of CISOs are looking to leave their role, but 55% are open to new opportunities. The 24% are actively looking to leave, which I guess in a 10% churn world isn't too much higher than a normal churn life. But 54%, over half, would take something if it showed up. But here's the part that's really interesting: 93% say stress and job demands are driving their decision to leave. The stress of the job. So, you know, it's fine to say, I'll put on my best chief people officer hat for just a minute and say, look, you know, it's fine. We can always hire another one. There's a lot of people out there. No, there's not, says the narrator. But any kind of churn like that in a role that's become so business specific, so, sorry, so business important, it's part of selling, it's part of go-to-market, it's part of internal operations, anything like that causes a ripple.
Speaker C: It's...
Host: It's... It's almost like when you change a CFO, or almost like when you change, you know, a COO. I dare say we're not quite at the same level yet, but I think a level of impact or level of ripple... I think it definitely is getting there. So this is pretty big: this number of churn, this amount of overstress, this amount of job demands and environmental. So what can we do about it? How can we fix it? Short of hiring more people and working less hours?
Speaker B: Saw the light bulb over Brian's head go on.
Host: No, that's just because Kelly turned on...
Speaker C: ...turned on the lights. The article also highlighted the number of hours that somebody's working today versus when they... versus having somebody that was staffed, not a staff employee but staff augmentation, somebody that was a contract employee. And the people were like, man, I'm literally working 10, 18, 20 hours more than when I was through a staffing firm. Like, but I'm being paid the same amount of money. Like, this just isn't worth it. My stress level is higher. I also look, I think in the last year or two, especially with companies being breached, this is going to go to culture. And it's not just my personal opinion, but, like, what I sit and witness now in my chair, working with companies across North America. In Japanese culture, working at Aishin, if somebody screwed up the launch of a vehicle, they didn't get fired. They had something that they referred to as a window seat, right? And, like, in American culture, you'd be like, so you're telling me if I screw something up, you're going to give me a window seat on a high floor? Dude, that sounds awesome. But the reality is, there you get a window seat on a high floor to look over the world, right? It's reflection as the world goes by. But you're kept there to understand the problems that were faced. Like, they don't get rid of you; they're going to build you up to become better. There's not a single CISO alive that I think would say, yeah, I'm working for a large company, and I know if we get breached, they're going to keep me on to make sure that I get better. No. And with what I've seen in the last six months, like, the feelings that people have gone through when there's been something bad that happened... think about when you have true fear: you resort to self-preservation. You start to make decisions just to protect yourself. I have witnessed some very startling stuff where it's like, I tried to do everything I could. Now I'm fearing for my job. Now I'm fearing for my, not life, but I'm fearing for my job and my well-being, right? And I'm working so many crazy hours, I don't know if I even have time to go find something, right? And they're not happy. And there's a personal... like, that impacts your family. Dan, that presentation you sat on with Christy Fosi.
Host: Oh, yeah.
Speaker C: When she talked about, like, what changed from COVID till now. The ability to work more hours is what changed. Right. When you're not in the office. Although...
Host: Although, to be fair, that's been the case for remote workers since well before COVID.
Speaker C: But now you have, like, as in that stressful executive leadership position, that 30-minute drive home to go pick your kids up was a time to kind of... And now, I totally agreed with her, I am still on a call as I'm picking up my kids, right. And when they're getting into the car, I haven't even had a moment, 30 minutes to unwind, to get ready to be that parent. I'm like, guys, guys, I got five more. Yeah, right.
Host: Yeah. No, I get it. As somebody who commuted, I took a train every day, and it was 45 minutes of the best time of my day, because I'd get up in the morning, it was early in the morning, and you get up and you'd read. I'd read the Financial Times, then I read the Wall Street Journal, and I read the Tribune. And then I'd listen to 20 minutes of music. And then I'd get there. And then on the way home, same kind of thing. It was the ability to, like, really put compartmentalization between your life. This is also before BlackBerry, but this is also before BlackBerries.
Speaker C: Wall Street Journal, for me: can you summarize this? Right. So instead of, oh, I got it.
Host: Such a cop-out. Unpopular opinion: AI is a cop-out.
Speaker B: At the expense of sounding unempathetic, though, to that, I get it. There is a real fear around job loss and what's going on. At the end of the day, we knew this going in. This isn't anything new.
Host: Right.
Speaker B: Like, I came into the current role that I'm in knowing that if something happened at some point, I'm going to be finding something else. Now, if we put the lens back, I think if we go all the way back to TJX and Target, some of the bigger original breaches, right, then a lot of us at that time would have said, all right, it's a death sentence. Right? I went through a breach. Now I'm not going to be able to find another job. That's not the case anymore.
Host: Right.
Speaker B: There's almost an element that it's a badge of honor. I've heard of CISOs, those that are trying to break into the CISO ranks, that were shut out because they've never gone through an incident or a breach, because they don't have that experience. And I'm sure, and Dan, hashtag truth.
Speaker C: I literally had someone reach out to me and say, hey, we're looking for somebody. This guy's gone. And we're looking for somebody that has experience of going through a breach. Literally, like, that was requirement A. And then came B, C, D.
Speaker B: I mean, it's no different than some of the other executive ranks that are out there. And I think in a lot of cases we would agree, in a CEO role, especially in bigger companies, that you could screw things up terribly, get a wonderful parachute, and then go do it again somewhere else.
Host: Sure.
Speaker B: I don't think CISOs have risen to those ranks. Just my personal view, just throwing that out there. CISOs haven't risen to those lengths yet, but I am starting to see some of that grow now. And knowing certain people that, in their current contracts, had built-in language there: what happens if I get let go because of some type of event? So I think we're growing in that direction, and that comes with the territory of holding bigger roles, making bigger decisions. And, I mean, look, for the longest time, we've been asking, we want a seat at the table. We want a seat at the table. All right, you got a seat at the table. And now we start to look back and go, well, I'm afraid of the risk of what happens with that. You asked for it.
Host: Yeah. And I don't think... this comes back to two things. A theme that we've... we think we've all, both you and I, have said a lot, Eric, and I think, Brian, you agree with: being the CISO is not for everyone. And in the podcast, the Forrester podcast, I think Jeff said it perfectly, and I texted him right afterward, because he said it, it was a quote: you don't want to be the CISO. And it really... you really don't. 99% of people, security practitioners, et cetera, don't. You really don't. And if you do, you probably don't understand the role. And then there's the 1% that do, because we are gluttons. We have the right personalities, we have the right interests, et cetera. But it's not a role for everyone. It is not the next bigger role. And I think this is really important as people do career planning. It is not the next bigger role for a networks director, or it's not necessarily the next bigger role, and it shouldn't be seen as that, because guess what? It's a business job. It is not a technical job anymore. And if it is still, in your organization, a technical job, you're doing it wrong.
Speaker C: Like, hopefully there's not a ton of CTOs that listen to this. But I'm going to go out there and say, like, I hope there are.
Host: Because that means we're getting good, good viewership.
Speaker C: Even CIOs maybe don't want to be in that position anymore. But to be the CTO working with the CIO and the CISO, it's like, yeah, I used the word digital transformation in my interview. I used the word AI in my interview, and I know that I can pull in and get massive budget because I'm the chief technology officer. I need to change things and get all this new tech. That's what technology does, right? Like, I'm saying that half jokingly. I'm not... also look at it when I see the amount of money spent on the data storage, all the weird data analytics, the amount of money being spent on consultants to come in to consult on AI right now, and I'm talking to your same security team and they literally just told me, like, yeah, we're going to push that again.
Speaker B: But this is...
Speaker C: Yep, we know we need that. We're going to push that.
Speaker B: This is where we have to start being creative. So I think the one thing that I see, and maybe it's just because, being in the industry, I want to see it this way, I think security is uniquely positioned in having purview across the entire organization. We have to understand purview is in...
Speaker C: The Microsoft product Purview, or purview as...
Host: ...in you're not licensed to say that word.
Speaker C: Yeah, Microsoft, no purview.
Speaker B: Thanks. Not a sales pitch.
Host: I have no idea what it actually means, because they keep changing the names, and so I just gave it up.
Speaker B: I don't get it. Yeah, when they mention it now, I'm sorry, what tools did I originally know that you collapsed in there, that you're now asking me to pay another license for? Okay, off the...
Host: But I do want you to come back to this.
Speaker C: I'm going with the think.
Speaker B: I think we're uniquely positioned to see across the organization. And if we only use the lens of our propeller hat and look at it from our own security perspective, we've missed the opportunity. There are opportunities to fix inefficiencies, to drive innovation across the organization. And this goes back to a conversation I was having with a vendor that plays in the OT space, protecting the plant floor. And as I was talking to them, I go, you guys have not hit economies of scale yet; your install base isn't big enough that your cost structure is now going down. And what that means is that to try to purely position yourselves as a security organization, a security play, the cost is so high you're not going to gain traction. But if you find the right maturity level and the CISO that actually views themselves as part of the overall business organization, you can start to reposition it. That, hey, I can now use this technology to get better data off of my machinery. I can aggregate it, I can use it to make decisions that directly have a business impact, and, by the way, it's way more secure with that put in there, which is an added benefit. That's... we need to be the...
Host: So I don't... Brian, I need to come in on this one. Yeah, I need... There's so much about what you just said that needs to be... I want to repeat it. Information security, and I'm purposely not using the term cybersecurity, because this is above that, this is about information, it's about data flow, it's a broader topic, is so well positioned to be the new enterprise architect for the organization. I just finished about five months' worth of data mapping activities, and some of this is related to the privacy portion of my role. But it's also equally the "if you don't know what you've got and where it's moving, how can you protect it?" portion of my job. And I can argue, and this is across 15 brands, I could argue that I am one of a very small handful, count them on one, maybe slightly into two hands, of people that has a true understanding of the whole organization. And I don't say that to be glib. I don't say that to be bragging. I say that because we, through the nature of what we do, in order to protect it, you've got to understand it, and you've got to understand how we sell it. You've got to understand how people buy it. You've got to understand where it sits. All of the above. And I think that that then lends to a change in information security leadership, which changes to be much more advisory. And this comes back, Brian, to your CTO question, your CTO comment, that the CTO then becomes an extension and enabler to execute that. The CISO says, here's how we're going to do it. We'll advise you, we'll give you the information, we'll bring back the things that you're doing, and we will help give you the risks. It really becomes a risk advisor, and a policy one a little bit, and a little bit of organization. But also, I mean, I find myself advising on how to sell. I find myself advising on how customers will want to buy this. And it's a role that I never thought that the CISO, or in my case, chief security and trust officer... And I think that's really important. This is the evolution from CISO to trust, that isn't quite as broad or widespread. That's what I wanted to say. Go ahead, Brian.
Speaker C: Wholeheartedly, 100% agree. Network security, infrastructure, what you just said there, like, CTO, mapping out where all your data is, right? Mapping out where all your data is coming from, understanding your network and how it was set up and why it was set up. When it comes time to go through a change, or the network team or infrastructure teams are working on this, if you have that security background to say, hey, guys, this is how we've been doing things, this is who we've been working with, but there's a better way, right? Let's look at how we could either, A, simplify this without having to bolt on security tools later, right? Like, I look at some of the network-as-a-service companies. You could do that yourself if you were going through a big transition or a big change. Even my daughter agrees, right? She's throwing the brush out, like, dad's going through a transition with his beard. We could brush it right now, same thing. And then, like, even when we were just talking about the secure web browser, right? At the end of the day, like, is that a security budget, or is that something that would be useful for so many other groups within the company, for other problems that it solves, and efficiencies and everything else, instead of making security try to sell it as a security tool, right?
Host: Like, as a group, we stop thinking about it as a security budget. We think about it as an enterprise budget with security components to it. It democratizes security into everything. It is not security versus everybody. It is not us versus them.
Speaker B: It is, everything has a security budget. Comment about creative and using it, at the expense of becoming Matthew McConaughey, Wolf of Wall Street, and chest-thumping here. Going into this year and looking at the economics, there was no way that we weren't going to have some type of business impact, right? Consumer spending is linked to interest rates. Interest rates were out of control. When that gets out of control, people don't want to spend on discretionary goods. Right. I'm going to pull back. So what does that do? That hurts an organization. So knowing that going in, we were flat on our budget, which was actually a great opportunity to show throughout the course of the year that we repositioned our spend in different tools, to find where we could take that money, be neutral, but reapply it to something, gain features without having any additional impact to the financials of the organization, and yet come out in a way better risk position.
Host: Yeah. It also breeds an organizational philosophy of mutual benefit rather than fiefdoms, and my budget, my tools, my world, and swim lanes and that kind of stuff. And I know there's some organizations that really revel in that, you know, stay-in-your-lane stuff, but I think the more we do blended, where we are embedded advisors across all units, we're trusted advisors. This comes back to the trust piece.
Speaker C: It's not just customers. Talking about asset discovery tools earlier, right, and why that could be important. We were talking, who's like, where could security help a team? Like, what team is responsible for purchasing all these said assets and keeping track of all of them? Sorry, guys, your budget; I'll help you figure out what the best solution or tool is with your budget. Right. And you over there, IT team that does the patching and everything else, did you know there's tools that help integrate into this Salesforce solution that you guys bought, into ServiceNow? Here's one to take a look at versus this piece of turd that you were about to go buy.
Host: Did you know that my buddy down...
Speaker C: ...the street told you you liked it, and his cousin makes good daiquiris.
Host: Did you know that my SIEM takes in all the logs from the entire enterprise? You know what, you don't need to buy an additional APM. You don't need to buy an additional logging solution. Just tap your... your developers put API tools, use the APIs and build something cool to query it. It's all there. We don't need to buy twice. Yeah, same kind of things.
Speaker B: And it's not... this isn't unique to technology as well. No. You could use this in the context of headcount and stuff. I mean, there's been times where I've taken headcount out for our team, because as you start to look at others around you, knowing full well that if they don't get key positions, what happens? Things roll... I don't want to say downhill, because it makes it sound like security's sitting at the bottom of the hill taking everything else. But when we need to action something, we need to move the needle, the resources that we would typically try to influence outside aren't going to be there. And therefore it puts us in a position: we have to do all of the work ourselves. You've got to be a strategic part of a much broader team, and I totally agree with Dan that if we continue to sit there in just this myopic lens, my budget, my people, my tools, don't touch, everything that we've gained as a security community is going to start to devolve. We're going to lose that seat and...
Host: Dirty little secret to close out the show. If you're enjoying what you do, if you're doing broad work like this that's meaningful, you're not going to notice the extra time you're spending quite as much. You're not going to feel it. It's not going to feel quite so pained. And the reality is we do need to do more with less in this world. We can't just say, I hit my 37.5 hours, I'm done for the week. It just doesn't work that way. So finding ways to keep it enjoyable, to keep it meaningful, to not get knocked down in the drudgery and not let that take over helps with the burnout. It helps with keeping motivated and keeping our organizations motivated. It's really important. And that's what helps keep the organizations that we serve as safe as they can be, and helps us be part of the broader business that we sell. We are the business. We've said this time and time again: it is not security and the business. We are the business. And on that note, we're out of time. Thanks again for joining us. We love having you as listeners and as viewers. If you're listening to us on a podcast, hop over to the YouTube channel, YouTube.com little security debate. And if you're watching us on YouTube, go to your favorite podcast app and find a way to commute to work and listen to us in the car on your way back and forth, as part of the segregation between home and work. You can find us by searching "The Great Security Debate" in your favorite podcast application. Eric, Brian, thanks again for another great debate. You can find us on our website. We're part of Distilling Security. Distillingsecurity.com securitydebate. You can find all of our episodes. You can find us on YouTube at Great Security Debate. You can find us on LinkedIn, Great Security Debate, search for that, but also as part of Distilling Security. And you can email us at security debate at distillingsecurity, and we'll get back to you. And if you've hung on this long, go to YouTube, find this video, go to the bottom and write "I made it till the end" in the comments. We'll look for them and we'll give you a shout-out. Thanks for being here. We'll see you again on the next Great Security Debate.