Your Lips Say “No,” But I’m Not Listening
There is a long history of security professionals complaining about the insecurity of new technologies. When new technologies take off, they rarely have lots of great security built in. The populace never comes around and says, "Security is right. We should stop using this thing we love." The popular technology ALWAYS wins.
This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Rinki Sethi (@rinkisethi), vp and CISO, BILL.
Got feedback? Join the conversation on LinkedIn.
[Voiceover] What I hate about cyber security, go!
[Rinki Sethi] What I hate about cyber security is that the gender diversity in the field doesn't represent the gender diversity in the world. And the reason that's frustrating is because we have some of the toughest challenges that we need to go and solve, and we need different ways to go and solve the cyber security challenges. And the only way we’re going to do that is if we have that kind of diversity.
[Voiceover] It's time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost, you’ve heard him before, it's Andy Ellis. He's the operating partner over at YL Ventures. Andy, say hello to the nice audience.
[Andy Ellis] Hello to the nice audience.
[David Spark] We’re available at cisoseries.com where you can see all of our other programming. We have tons of shows. We drop eight to ten episodes a week depending on what's in season, what's happening that week. But lots going on. Our sponsor for today's episode is OffSec, elevating cyber workforce and professional development. Yes, they actually have this amazing education platform for growing your own security professionals. You’re going to want to hear what we have to say a little bit later in the show. Stay tuned for that. But first, Andy, we are just a few weeks when we’re recording this from going to RSA. I want to know… You’ve given some great tips. What is the big thing that for you signifies, "I personally successfully pulled off RSA well." What is it for you?
[Andy Ellis] That's a really hard one. And I think I won't actually know until I get home. Because it's really two things. One is am I still healthy. And there's a lot of different ways why you do that.
[David Spark] I got COVID last year at RSA.
[Andy Ellis] Okay, that's definitely not the way to do it. But there are times that I burn myself out. I run myself ragged. And then really for me, it's how many follow ups do I have that I look forward to. There's a lot of things you follow up on that you’re like, "Oh, I have to send this person an email just because I said I would, but I’m not excited about it." But it's like, "Oh, I met this really cool person. And I get to send them an email, and now we’re going to have a conversation because we said we would do that." That's what I’m really looking forward to is being able to assess and say, "I had some great conversations while I was at RSA, and I’m looking forward to the next step."
[David Spark] That is very good. My frustration with the follow up is the high level of interest at RSA and how low it becomes when one leaves RSA. [Laughs]
[Andy Ellis] Absolutely. There's a lot of people who pretend to be excited to follow up with you, but they’re not.
[David Spark] Yeah. Well, for me, I’m going to be meeting with a lot of sponsors and potential sponsors, which is great. And also meeting up with guests and potential guests as well. So, that's always… Just the networking alone is just huge for me as well. We have a guest on, our return champion guest. We had her on before when she was the CISO over at Twitter. And now we get her, now that she is the CISO of BILL. It is none other than Rinki Sethi. Rinki, thank you so much for joining us again.
[Rinki Sethi] Thanks for having me.
3:21.887
[David Spark] In a recent appearance in New York City, CISA Director Jen Easterly said, "CEOs and board members have to embrace corporate cyber responsibility as a matter of good governance, not as something the IT people worry about." Now, Andy, I want to flip the tables here. What do board members and C-suite executives do to make your job mitigating risk easier? Andy, you said CISOs can't be the only ones to educate because the C-suite/board make risk decisions based on previous knowledge. So… And this is the part that I’m trying to uncover here. If the C-suite is elevated to understand cyber risk, how do they operate better?
[Andy Ellis] I think they stop being tactical. One of the challenges that I see in a lot of companies and talking to a lot of CISOs is they’re bringing on a new board member, and this is the board member who understands cyber. They immediately dive into the nitty gritty. They’re like, "Oh, can I see your controls aligned against the CSF? Or let's talk about specific details." And really it's kind of like foreign exchange. I actually like to use foreign exchange risk as a way to talk about cyber risk. Everybody who works in a multinational company at the executive level has a basic understanding of how foreign exchange risk affects their business. They’re going to rely on the CFO to get them teasers like, "Oh, hey, we’re maybe a little over leveraged between our revenue and our Great Britain subsidiary and the US dollar." But they know the basics and how it fits together. And that's what we need to elevate. Like CISOs don't need to tell their C-suite, "Oh, we need to be worried about this specific name of a trojan." But if they don't basically understand how ransomware works… and by "how it works" I’m talking like a three sentence description… Gets on a machine, moves laterally, steals all of our data. Boom, that's their description. So that when something comes up, they have a clear framework that they’re thinking about, "How would this affect our business?"
[David Spark] Good point. Rinki, I throw this to you. Have you worked with sort of the varying degrees of cyber aware board/C-suites versus not so much? How have you seen the two groups just operate differently, and how does that make your job easier one way or the other?
[Rinki Sethi] Yeah, I think it's interesting because I sit on a board as a CISO, and then I’ve reported to boards as a CISO as well.
[David Spark] So you’ve seen it from both sides.
[Rinki Sethi] Yeah, a couple different perspectives on that. One, I think when a CISO presents their material, there's a lot of metrics, and there's a lot of data. And a lot of times, the board members have asked for that data and said, "Oh, we’ve read some stuff, and this is what you should be presenting on." So, you go and gather that. But is that what's keeping me up at night as a CISO? I think that's the important conversation on are you getting the support you need from leadership. What are the key risks that keep you up at night? Are there the right investments in those areas? Whether that's in the board room or if it's with the board members one on one and having those dialogues to get the right kind of support I think is actually the most critical thing.
[David Spark] And does support just translate to money? I mean what is support? Can you dig down a level deeper?
[Rinki Sethi] No, not necessarily money. I think it's understanding the risks, understanding if you haven't made the investments that there is a good, "Okay, this is the right decision for the business and where we’re going." Or if it's, "I don't think this is a gap that we should take, let's make the right investments." Whether that's money or whatever that might be. And I think that's really important. I’ve seen board members go and take classes on cyber security as well, and I think some of that… I’ve seen some of the material, and it's a little outdated. I think they would be better served talking to a CISO instead. The other thing I’ve seen companies do which I… And this is a new thing that I’ve seen, and I think it's actually pretty cool. That they’re starting to create CISO advisory boards that advise the board. And so you get a diverse perspective of CISOs coming and kind of sharing their knowledge. You’re not just hearing it from one CISO that might be sitting on a board. So, I think there's interesting ways to say that, "Look, we’re not aware as a board, so we need to get educated. But that might take time. And so let's get other folks to come and help us." And I’m seeing more and more boards do that.
[David Spark] Andy, I want to ask just one of the same questions I asked Rinki is what does support from the board mean to you.
[Andy Ellis] So, support means… I think when the board is asking, "Do you have the right support," they’re asking, "When you say something is important, do your peers listen to you?" Because if every initiative that you need to get done requires you to get the CEO to approve it then you don't have support. Support is that you’re part of the business. And when you say, "Hey, we need to go get this done," within reason and the same way that if HR showed up and said, "Hey, you need to get this done…" People don't generally push back on everything HR asks for. We do push back on a lot of it. But if you’re experiencing nothing but pushback, you don't have support.
8:39.144
[David Spark] @myracoonhands on Twitter… Not their real name. By the way, they also go by the name AKA Infosecsie. Asked if…
[Andy Ellis] I like the glottal stop you put in there.
[David Spark] Just for you. If you’re in a leadership position, how do you handle failure? Specifically within your staff. And what do you think of the phrase, "Failure is not an option." So, I want to just quote three of my favorite responses here. Sean Mollett said, "Failure is not making a mistake. Failure is not recognizing and correcting a mistake." @CyndyL44 said, "I work in software product management. And if failure wasn't an option, we’d never build anything. I think it's outdated sales-ish motivational nonsense." And Karsten Hahn of G DATA said, "Failure is not avoidable and is an opportunity to learn and make things better in the future. It should be used to improve processes instead of seeing it as a personal failure. Most of the time it is not caused by a person but by the process." So, Rinki, I’m going to throw this to you, but I’m going to add a little bit of backstory on the phrase, "Failure is not an option." It's actually a phrase attributed to NASA flight director, Gene Kranz, and the Apollo 13 moon landing mission. But he never said it. It was only said in the 1995 movie, "Apollo 13." So, I’m going to ask you, Rinki, how do you handle failure with your staff? And what do you think of that phrase, "Failure is not an option." Is it a line you’ve uttered yourself?
[Rinki Sethi] I don't think I’ve uttered that line myself. Isn't our job to find failures in things as cyber security people? That's what we thrive on. So when I think about failure, I think about mistakes. And I agree with some of the quotes that you provided on… I think making mistakes is how you learn, how you grow, how you innovate. It's when you keep making the same mistakes again and again, or the intent is bad. That's when I think it's no longer even a mistake. You’re talking about something totally different. But I think you’re going to fail if you’re going to grow. And learning from that… And that's what defines success. So, I don't think that failure is not an option. That doesn't resonate with me.
[David Spark] Andy, how do you handle failure on your team?
[Andy Ellis] So, I just went looking in my book… Sorry, I have to reference the book. And of my 54 chapters, 6 of them are about failure.
[David Spark] Did you fail at writing them?
[Andy Ellis] [Laughs] I failed at writing some of the other chapters. There used to be 55 chapters until my editor got to the book, and now there's only 54.
[David Spark] [Laughs] Hold on, I want to know, which one got cut?
[Andy Ellis] The one that had the title "It doesn't matter how good your football team is, if you put them on a hockey rink, they’re doomed to failure."
[David Spark] Yeah, I like that. That's a good one.
[Andy Ellis] Which actually I liked, but it overlapped with two of the nearby chapters. So, anyway. First of all, failure is how people grow. Like every time you want someone to grow, you have to expose them to the risk of failure. Now, you should do it in a controlled way. You should make it safe. You shouldn't just be like, "Oh, so you want to get ready for the next job level? Well, let me just send you off to do that unprepared." A piece of failure is also being prepared to apologize for failure within a corporate setting. Which is when you fail, you own it. You just say, "Yep, we failed. Here's what we did wrong. Here's what I as a leader will do differently."
And you work with your team, and you say, "Here's how I failed you, by not quite catching you in time." But also it's really important to fail at projects. If you aren't regularly failing, you’re not making enough bets. Everything you do… Nothing is a sure thing. And so if everything you do succeeds, it means you were way too conservative on your investments. Whether that's a product organization or even a security project. The number of projects that my team started but never finished because we’d get part way through them and we’d see that the winds had shifted, this was no longer necessary… And we were willing to concede failure early and fail fast rather than stay committed because failure was not an option.
[David Spark] Rinki, what do you do with your team to, A, let them push themselves to possibly break a few things and allow them to learn from that? Is there something you do to get to that point?
[Rinki Sethi] Yeah, I think it's empowering them to make mistakes, make educated risks. Right? And so I couldn't agree with some of the things that Andy said more. But when you think about just red teaming with a company, you’re going to break things. And if the team is too afraid that I might take something down… a server may come down… you are not going to take the risks to find the things that you need to find. And so empowering them to say, "Look, be smart. But it's okay. If you screw up, I’m going to be there. I’ll be there to defend you, and we’ll learn from that and make sure we don't do that again." But at the same time, that's how we’re going to find the issues that we need to find. And so there have been times…
And I can give you two situations in the past that have happened, one, when it's been a red team or they take something down and they share that. And then we learn from it, and we either… Or we find a gap that we need to fix. There's been another where they cover it up. And to me, that is not the type of behavior you want. But if you scare people and you create an environment where you’re not going to allow failure, that is one of the things that may happen. So, I think just empowering folks, knowing that, "Hey, it's okay to make mistakes. I’ve made mistakes, too. And even when I do mistakes, I still make mistakes. And sharing that that was the wrong decision, or that was the wrong thing to do. Let's pivot." So, I think that's how you show… role model that mistakes are okay.
[David Spark] Now, Andy wants to reference his book yet again. Go ahead, Andy.
[Andy Ellis] So, an apology budget is what allows your team to take risks. And so to tweak slightly just so people hear it differently. Rinki said, "If you screw up, I’ll be there to defend you." It's actually a little bit different. It's, "I’ll be there to apologize for you." Like it's on me as the CISO that you did this thing, and we hurt the business. And we need to apologize for the business while at the same time defending that this was a necessary risk to take. But I will be there, not having your back, but I’ll be there with you and hopefully replacing you when people are like, "I need to yell at somebody." "Great, I’m here. Yell at me. I’m sorry. It was my team that did this at my instigation." Now, in the back end, I might say, "You’ve used up the apology budget for the year. I need you to take a little bit less risk and let your peers take a little bit more risk." I have had that conversation with people before. But that's what they really need to know. Not that you will go down fighting with them but that you will take the heat of being the one to deliver an apology when you break the company in some way.
[Rinki Sethi] I like the way that you said that. That's exactly it. That's exactly it.
15:43.021
[David Spark] Before we go on any further, I do want to talk about our sponsor, OffSec. So, this is pretty cool. Listen to this. OffSec, the cyber security learning and skills development company behind the well-known OSCP certification and Kali Linux distro, they have now a new solution created specifically for the unique needs of the enterprise. It's called Learn Enterprise. Aw, that's simple to understand, right? With a Learn Enterprise plan, your employees get unlimited access to the OffSec learning library which includes over 1,500 videos, 2,000 practical exercises, and more than 800 hands on labs. The library is updated regularly with defensive and offensive job-role-specific content from foundational to advanced. Even better, plan holders get exclusive access to the new OffSec cyber range to practice their skills in a real world environment. Google, VMware, Microsoft just to name a few all trust OffSec for their team development needs. You can learn more about OffSec's new offering, Learn Enterprise, by just going to their website. It's offsec.com. Let me spell that for you. OffSec.com. OffSec.com, head there now.
It's time to play, "What's worse?"
[David Spark] Rinki, I know you know how to play this because you’ve played it before. We’re going to play it again. And this one comes from… I’m going to tell you, it's our blue ribbon submitter of "what's worse" scenarios. The problem is this person is anonymous but goes by the pseudonym Osman Young [Phonetic 00:17:36]. All right? So, this is Osman's scenario. It is a little long, so hang tight as I get through this.
[Andy Ellis] Osman gets a little more complex each time I’ve noticed.
[David Spark] Yes, this one is pretty darn complex. I will say that.
[Andy Ellis] I’m waiting for a simple, "Heads or tails. Which one is worse?"
[David Spark] No, no, no. Well, Osman is very creative. As I have said, Osman could have a really good career in fiction writing, too, with these. All right, a company has no CISO, and infosec is a thing IT operates and handles theoretically sometimes when they feel like it. So, breaches waiting to happen are sprinkled throughout the environment. All right, scenario one. And I’m going to stress you’re really not going to like either one of these. You have a DMZ web server hosting a mission critical application with lots of regulated PII in a local SQL database. The NIC, Network Interface Controller, is directly exposed to the internet with no network or host based firewall. But it's running Windows 2022, and it gets patched within 24 hours of a patch on Patch Tuesday. SQL and all other application middleware are kept completely up to date as well. The SQL database is full of European customer personal information, regulated by the GDPR. So, you got name, address, phone, email, date of birth, income, and sales history. The server has advanced antimalware software from a reputable vendor, an EDR client, an advanced configuration lockdown solution, well configured logging, and feeds out to a well-tuned SIEM. And advanced operating system configuration hardening based on industry standard recommendations except for the firewall. That's the big thing missing. Scenario number two, you got a Windows XP workstation with no antimalware and no other security controls. It's sitting on your internal network. You have no internal network segmentation. It's running a web browser that hasn't been updated since 2016. The interns use it on their lunch break to browse the internet. The Windows XP workstation itself has no sensitive info, but it will get infected with something that will allow an attacker to use it as a jump off point or gather recon on the rest of the network and launch other attacks. All right, Andy, which one is worse?
[Andy Ellis] Can I assume for the second scenario that I have equivalent valuable data somewhere in my network?
[David Spark] Yes. Yes. Yes.
[Andy Ellis] Okay, I just wanted to make sure that I’m not…like the second scenario is I get to work in a company that has no data whatsoever, which might actually be a pretty good one.
[David Spark] Literally it's like a dummy computer that's just… It's like a porthole to the rest of the internet.
[Andy Ellis] It's a dummy computer inside a very sensitive environment. Oh, then this one is easy for me. I’m totally going with number two is the worst scenario.
[David Spark] Yeah, but the thing is you could have great security everywhere else. It's just this thing is…
[Andy Ellis] You said it could be used as a jumping off point, which suggests that I do not have great security everywhere else, or you would have mentioned that.
[David Spark] No, but this particular shop took the hard outer shell approach to network security. Internally there is no network monitoring, logging, or controls. So, once an attacker… Well, you’re right. The XP box there can move around freely inside the network.
[Andy Ellis] Yeah, so number two is definitely the worst one. And I’ve got two reasons why, and I’ll give both of them. And I suspect Rinki is going to agree with me, so I’m going to win this time. Which is first of all, what we see modern adversaries do is all multi-step attack paths. So, this idea that if the sensitive data is not on the machine that's their first entry point, I’m safe just needs to go away. You have to think of the entire network as actually what they’re attacking, and now you’ve given them an entry point. So, that's reason one. The reason I’m not actually… I actually kind of like scenario number one. I don't think it's that bad. Because what you have posited is that for that machine, everything on it is done right.
Which actually means I don't need a firewall, and that's going to be very controversial to a lot of people. I’m a big fan of compensating controls. But a firewall is a compensating control for the impossibility of doing perfect security. But it's this scenario, and Osman Young has given me perfect security on that box. That means there are no ports open to the internet except for the services that we are exposing to the internet. Which a firewall would be exposing to the internet. The only real risk I have here if I have no network layer defenses is DDoS. That would be a problem. And in fact if I couldn't come up with a better solution, my answer was going to be I’ll take scenario one as my favorite, and then I will DDoS the heck out of my server so I can never have a data breach. But I’m not even having to go that far. I’m just going to say number one is actually not a bad scenario and better than where most companies are. So, number two is absolutely the worst.
[David Spark] All right. Good answer. All right, Rinki, I’m going to assume you’re agreeing. Are you agreeing on this? Because I saw a lot of head nodding.
[Rinki Sethi] 100%. Number two is terrible. The reason that you have all the perimeter security network security is because you assume that someone will be social engineered. You don't have the perfect security, and there's a lack of patches and things like that that then will be used to go and get into your most sensitive data. So, the fact that these folks are practicing 100% security, Andy nailed it, it's DDoS is the thing that I would worry about. But even in that case, it's not going to lead to a breach, a data breach. It's going to lead to an availability issue. So, definitely scenario number two is bad.
[David Spark] All right.
[Andy Ellis] There's a reason I built zero trust services at my last company, was to stop scenario number two.
23:00.114
[David Spark] On LinkedIn, Matthew Sullivan of Instacart said, "Security folks are welcome to push back against OpenAI, ChatGPT, Copilot as much as y'all want. But just remember that we’ve already gone through this with BYOD, DevOps, Cloud, and Library Proliferation. The tech always wins. Your job isn't to fight it. Your job is to become the absolute expert on it and advise your people and products to successful outcomes." So, I’m realizing there's a long history of security professionals complaining about the insecurity of new technologies. And honestly, when new technologies take off, they rarely have lots of great security built in. The populace never comes around and says, "Security is right. We should stop using this thing we love." So, the popular tool always wins. Rinki, does security always have to throw up their hands in defeat when poorly secured tools become popular? Must they just become experts regardless? Or maybe is there some middle ground? What do you think?
[Rinki Sethi] I don't think that you throw your hands up. It was funny, I was just reading an article about five characteristics that make a bad CISO, and one of them talks exactly about this. I think it was CSO Online or something that I read that article on. But it was one of them was that the CISO comes in and says, "You can't use any of these tools because they are insecure. We don't know yet how they’re processing data." And so folks find workarounds. They’re going to use the tools anyway, and then the CISO becomes the bad person in the organization. And so I think that you have to figure out what the risk is to your organization and how you can educate people on what good uses and bad uses of these things are. I think it's when you don't take a business perspective and you don't understand why and how folks might be using this, and you try to lock things down so tight. That then creates a bigger vulnerability than actually using the tool itself. And in some scenarios and in some risk environments, you just may not accept the risk of using something like a ChatGPT, or Grammarly, or whatever it may be. But I think really understanding what your organization's risks are, how much you can monitor and enforce, and how much you can educate users. And so if that's your mindset, you’re not going to feel defeat necessarily. So, I think it's really about how you think about that and how you’re taking into account the risk versus kind of the business value is really important.
[David Spark] Let me ask you a question. Have you had a situation in any role that you’ve had where something like the business loved, and you as a security professional were like, "Oh my God, what the heck?" And you just told your whole team, "We got to figure this out because we can't fight this. This is going to be used. What is it we’re going to do here?" Have you been in that position?
[Rinki Sethi] All the time. [Laughs]
[David Spark] Okay.
[Rinki Sethi] All the time. Especially when there's tools that they have an enterprise version, and you’re like, "Hey, we don't have the budget to get the enterprise version that might be more secure." Or in the case where there is no enterprise version and to your exact point, and we have to figure out how are we going to allow this, or are we going to block it? Or are there alternatives? And what are those alternatives? I think that's something that we have to talk about all the time. There's new tech in this space that's coming out all the time and having those discussions, understanding the risk and what you’re able to accept or not, I think that's… every day, that's what we do.
[David Spark] Andy?
[Andy Ellis] So, Rinki hinted at the solution for 99% of these, which is contracts. Like people worry about the, "Oh, well, what if we leak sensitive data to OpenAI?" Well, that's why you probably shouldn't be using the free version. You should be using the paid for version and have a contract that makes them an actual vendor. And so you can audit and understand what they’re doing, up to you decide if OpenAI is going to let you do that. My worry on ChatGPT is completely different, and I think that most security professionals are forgetting that the bigger risk is actually reputational. Which is ChatGPT lies.
[David Spark] It's a good liar, by the way.
[Andy Ellis] It's a great liar. It's like that [Beep] at a cocktail party who just makes stuff up that sounds good. And if you have people in your company that are relying on it and are just copying and pasting and publishing that data, that's a bigger risk to your company for most CISOs than the risk that sensitive data will be disclosed. Now, you should still try to manage the sensitive data risk but don't get bikeshedded by that and go focus down this rabbit hole when the real problem is you have people who don't know enough to qualify the answers that ChatGPT is giving them using ChatGPT. And they need to be educated on how to validate that what ChatGPT just told you is correct. And for those of you who think ChatGPT is amazing, I love it. I use it all the time. And to remind myself before almost every stretch, I ask it to write a bio of me and send it back to me. And it's amazing what it thinks I have done in my life. It's wrong.
[David Spark] Does it make you sound better than you are?
[Andy Ellis] Different at least. My favorite is it gave me a set of industry awards that were almost but not exactly the industry awards that I had. And I’m like, "Well, this other Andy won six awards in years one year or near when I actually won something by a similar publication." It was very strange. So, that's my bigger worry is you’re going to be so busy fighting this battle about whether or not people should use ChatGPT that you aren't having the conversation about what is the process to use ChatGPT in a way that will actually help the business.
28:41.374
[David Spark] On Dark Reading, Steve Shelton of Green Shoe Consulting outlines a fictional scenario of a CISO who has an upset CEO because he hasn't been able to send or receive emails for hours. The CISO has risen through the ranks, taking on more responsibility and pressure. The CISO is proud of his accomplishments but fears an incident is going to come crashing down and ruin his reputation. Lastly, and this is the one I question, leadership expects 100% protection against malicious threats and perfect performance, which the security team realizes is an unrealistic and unreasonable expectation. Now, this scenario was published February 2023. My question is how realistic is this scenario, especially the last part. And where can a CISO facing any of these issues right the ship? What are…? And I’m going to ask you, Rinki, first. What are the expectations of performance of the CISO and their security team?
[Rinki Sethi] It's interesting because I feel that it's my job to set the expectations and communicate them, and communicate them broadly. And what I mean by that is understanding it's not just my job to understand and carry all the risks on my shoulders, but it's when something goes down where folks expected that, "Hey, why would this kind of thing ever happen, and how come these risks were never communicated to me or to the company? Why was there no transparency?" That's when it feels like you’re not doing your job. But instead, if you’re proactive and coming and saying, "Here's what the lay of the land looks like…" And this kind of ties nicely back to our board communications and executive communications on, "Here's our assessment. Here's what we’re doing really well and what you can expect from me in these areas because we made good investments as a company. But here's the areas where we’re lacking the right investments or the right capabilities.
Or we’ve made some decisions together as a leadership team on what we’re going to accept risks on." Then when something happens, it's not just the CISO. It's, "Hey, how do…? If this was so important, maybe we need to go back and make the right investments." And so I stress two things. I think the CISO role has changed and become a communication, education, understand the business, communicate risks. It's so, so important to do that and not just keep it to yourself. And that there's alignment on that. And if you’re doing that on a continuous basis, I think you’re okay. You don't run into this kind of situation. Hopefully. And I stress the word continuous because risks change, and there may be something that you say, "I think this is a massive risk, and we need to do something about it. And so it's my job to raise…" Because I’m the one that's paranoid and thinking about these things constantly, it's my job to raise my hand and go and tell the appropriate folks and then get alignment around how we want to deal with it.
[David Spark] Mike Johnson, our other cohost, has said if your CEO or board member is asking the classic unanswerable question of, "How secure are we?" then you as a CISO have not educated the board appropriately. So, I want quick answers from both of you. Andy, what is it you do to make sure that that question is not asked in that way, and they should be asking…?
[Andy Ellis] Often what Mike says is, "Where is our security program? Like where are we?" So, I actually love that question because you can turn it into an invitation for a deeper conversation. It is okay to say, "Look, that's a really complex question." And I have humorous ways to deflect it if I need to. I actually joke about the military and like if you're asked to secure a building, secure means very different things to different branches of the building. Everything from getting a lease when you're in the Air Force to just blowing it up when you're in the Marines, so be careful what you ask for.
But you can have that conversation because what you really want to be able to talk about with the board is say, "Hey, here are the unacceptable losses that we worry about. These are the worst possible things. Here's what we're doing to control for them. And we think that that is reasonable given our size of a company and the risks that we face." And at some point they have to trust you. Because at the end of the day, that's what they are doing is they are trusting that you're their advisor, and you're telling them whether the current program is reasonable. And their governance is just based on that. Now, you might try to communicate with it a number. "Oh, we're a 75 on the Spark scale." Or, "We're a red epsilon on the Ellis scale," or whatever crazy things you and I might come up with. But at the end of the day, that's what your goal is is just to be able to clearly communicate. And you're going to have bad days. What I found fascinating about this question, the scenario was this was somebody in the middle of an incident who was worried about their job after the incident, which actually tells me there's a problem. Because during an incident, you're focused on, "How do we fix the incident? How do we communicate?"
[David Spark] Well, it's obvious in this scenario that there is not a good relationship with the upper management and the CISO.
[Andy Ellis] There might not be, but there might not actually be a good incident model. In a healthy organization, you have incidents on a regular basis. Most of them don't have really bad outcomes. But they're at least visible so that the management gets this understanding that you are capable of managing incidents. Because that's what I read between the lines. And maybe that's just my own biases. But like this is down, and you fix things for me. Why isn't it back yet? Why does the CEO not understand how incidents work? Haven't you taught them in all the years of fixing things that you don't fix things instantly?
[David Spark] It's possible that the writer of this piece needs some fiction writing education from Osman Young.
[Andy Ellis] I think that's a great idea.
[David Spark] Yeah. Yeah, that's what I think. All right, Rinki, I want you to wrap this up for us. What do you do if you’re confronted with the how secure are we question?
[Rinki Sethi] I think Andy nailed it. I think if it's… Hopefully I've painted them a picture to show them already what our security program is. There's no answer to how secure are we. It's more about, "Here's what our security program is, and here's where our risks lie." And I'd like for them to walk out and say, "I understand really well where we've made investments and where we lack investments in security. Or what risks we've taken and we're good with and which ones we haven't." And that, I think, is their answer to how secure are we. We do get those kinds of questions. "Give me one number that defines it." And it's like there is no such thing that exists, and that means there's a lack of broad understanding around this. And to Andy's point, then that means I haven't done my job in really clearly defining what security is.
[David Spark] Excellent point. Well, that brings us to the very end of this show. Thank you very much, Rinki, who… That was Rinki Sethi, who is the CISO of BILL. Just BILL. But you can find them at bill.com. And huge thanks to our sponsor, OffSec, for supporting this episode. Brand new sponsor of the CISO Series. Remember, their website is offsec.com. And if you want to scale up your staff, which I'm assuming you do because everyone needs an even wiser staff, please check them out at offsec.com. Rinki, are you hiring at this point?
[Rinki Sethi] We absolutely are hiring. And if you're looking, we'd love to have you on the team. BILL is focused on how do we automate financial operations for small and medium-sized businesses. And we're a vendor also that can be trusted. We have an amazing team here of cyber security professionals that really cares about our customers and our customer data.
[David Spark] Awesome. Very good. So, I’m assuming check the BILL's site out. And can they contact you through LinkedIn? Yes?
[Rinki Sethi] Absolutely.
[David Spark] Awesome. Andy, any last words?
[Andy Ellis] Oh, always I love last words. But in this case, if Rinki decides not to hire you, our portfolio is always hiring. You can go to jobs.ylventures.com.
[David Spark] So, you’re telling everyone to stop by bill.com first.
[Andy Ellis] Absolutely. I’ve wanted to work for Rinki my entire career and just never managed to pull it off, so I could live vicariously through our listeners.
[David Spark] Aw. If you do get a job… By the way, drop our name when you contact them. Who knows what’ll happen? I have no control over that. But do, just drop our name whenever you can. Thank you very much, Rinki. Thank you very much, Andy. And thank you to our audience. We greatly appreciate your contributions and for listening to CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday and Cyber Security Headlines – Week in Review. This show thrives on your input. We're always looking for more discussions, questions, and "what's worse" scenarios. If you're interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on cisoseries.com. And/or contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.