In this episode of Cyber 909, host Den Jones introduces a special "Ask Us Anything" segment featuring guest Aaron Wurthmann. The episode promises to deliver unique insights, stories, and analysis on cybersecurity topics, with a focus on cyber leadership.
Aaron Wurthmann brings over 25 years of expertise in information technology and cybersecurity, with leadership roles spanning startups to Fortune 50 companies. His experience in securing customer data and payment information allows him to blend tactical and strategic knowledge into executable visions.
As Head of Digital and Data Security at Albertsons Companies, Aaron safeguarded customer data, pharmacy information, and eCommerce platforms, increasing software delivery while maintaining security. Later, as CIO and CSO at Cision, he reduced cyber insurance premiums and expanded the company's addressable market through critical security certifications.
Narrator:
Welcome to Cyber 909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for this special Ask Us Anything episode with Aaron Wurthmann.
Den:
Well, everybody, welcome to another of our monthly episodes of our 909 Cyber webinars, and I've got Mr. Wurthmann joining me again. Thank you, Aaron. And this is our second of the Ask Us Anything, and I'd like to prefix that with not anything really, but let's keep it cyber leadership. And I realized my cake baking questions and answers and Aaron's astronaut skills, we're not quite there yet. So Mr. Wurthmann, why don't we just jump in and you just start with the whole, well, why don't you introduce yourself for anyone who doesn't know you, and then we can jump from there.
Aaron:
Aaron Wurthmann, advisory CISO here at 909 Cyber, career CISO and career CIO. And then quick plug for part one of this series. Right? So go back to November of Ask Us Anything. And if your question wasn't asked in this podcast today, it may have been asked in November, so please go back and watch that one.
Den:
Yeah, and if you go to the podcast website, I think we release that as the podcast episode nine.
Aaron:
Yes, that's correct. Yeah.
Den:
Yeah, apparently we thought that'd be cool of our 909 reference. I guess
Aaron:
We just liked doing that. Launched our podcast on September 9th, 9/9, or 909 day. We're very clever then
Den:
Creative, creative, we
Aaron:
Tell ourselves that
Den:
Creative, creative thinking. And on the 909cyber.com website, you'll see that there. You'll see this on the Cyber 909, we're also creative with naming the lines of business. We're wonderful there. So you've got a little spinny wheel. Do you want to explain to everybody what this spinning wheel of joy is?
Aaron:
Right, so what we did was we took all the questions that came in through the email address or things that people are shooting at us. We did some normalization on that, a lot of overlap. We put that into some AI which normalized it, and then we put it into a spinning wheel to sort of randomize it as it comes in. Beautiful. So if there's any new questions that pop up in today's live, we'll throw those into the wheel as well just to give everybody a fair shake on what's answered.
Den:
Brilliant. And I'll need to make sure we're checking that. So I'm going to jump into the LinkedIn session while we're here too. Why don't you spin the wheel.
Aaron:
All right. Spin that wheel occasionally. By the way, the wheel does come up with an ad, so we'll have to pause for that. But
Den:
Are you meant to read the ad out though and give a shameless plug to some random
Aaron:
No, we don't do that. If you pay us, we'll happily read out that ad. So give us a call. Love it. Again, this is random, but I do like that it started off with this one. It's very apropos. What is your number one 2025 prediction? So both you and I have posted these for those paying attention, but we can hit number one.
Den:
Do you want me to
Aaron:
Go first
Den:
Or do you want to go first?
Aaron:
I think we probably have the same one so we can just riff off one another, but go ahead.
Den:
Okay. So AI obviously is, it is funny, right? So the last couple of years, zero trust got all the fame and glory, and then last year the AI bandwagon started to roll down that hill real fast. And I would think that, so I was at a conference a couple of years ago and a CDW in Toronto and I said there that one of the big AI players is going to be hacked within two years. So now we're on the second year, so I'm going to stick with that one. I think this year you're going to see a breach in the news of one of these AI players and everybody that marvelously shares their company's intellectual property up in these AI platforms. I think some shit's going to hit that fan.
Aaron:
And I'm going to stick with AI. I'm going to take a different approach and I'm going to say that as defenders, we now have to have AI as a defense mechanism in order to keep pace with the attackers because the attackers are obviously using AI. There's plenty of free AI tools out there for attackers. And so as a defender, we now must use AI as a defensive tool and I think that trend is really going to come to fruition this year.
Den:
Perfect. Perfect, perfect. Go for it. And yeah, folks, if you're watching live, I see some people watching live, feel free to throw some questions in the chat window. We're here.
Aaron:
Another great question, love this question. One of my favorite topics as well. What metrics should managers use to measure the effectiveness of a security program? You want me to start that one? I'll start that one.
Den:
Yeah, I'll put a little thought in.
Aaron:
So metrics are my absolute favorite topic because I am a believer that absolutely everybody in the company should have a metric assigned to them, at least one metric assigned to them in particular from which their role is measured. And then on top of that, every system, every program, every initiative should also have a metric. And then every effort should have a metric. Just being a results based company or results based culture lets you know how it is you can improve and the health of what it is that you're doing. With that being said, I'm not entirely sure what this question is getting at. It says manager, I don't know if that means people. I don't know if that means program. I'm not entirely sure. So I'm going to go with security program and I'm going to go with early stages security program.
So I think when you're at the early stages of a security program, you are measuring two things. You're measuring, do you know all the assets that you're protecting? Do you have a clear understanding of those assets? Those assets are obviously people, they are things like computers, compute in the cloud, otherwise data repos, code, networks, et cetera. And then the ability to respond and recover and the time it takes for you to do those things. So those measurements and those metrics at the beginning I think are key. And then as the program starts to mature, you start to work towards the ability to detect an adversary that may be in the environment.
Den:
I'll try and give a succinct answer on this one for me. You start off with a risk assessment. You do a risk assessment and yeah, I'll roll back a minute. I will answer this in the context of I'm a CISO, I've maybe just started the role as a CSO. I have been a CSO many times before and I need to basically level set and get grounded on what it is the company needs to protect. So as you said, know what you have, but for me it'll start with we're going to understand the business, we're going to do a risk assessment against the business and what's important to that business, and then we're going to look at the gaps and then we're going to understand and put together a roadmap to remediate or reduce the risk and then we're going to measure our progress against that remediation. And I think for me personally, that's an exercise that you do ideally once a year or every six months. And the reporting of the progress is obviously more of a weekly, monthly, quarterly situation and ideally something that you're reading out to the board quarterly or, depending on your company, whenever makes sense.
Aaron:
You know what, that's actually a great segue into this next question here. What insights can you share about bridging communication gaps between technical teams and the executive suite?
Den:
Oh, I like this one. I like this one for a couple of reasons. One is in IT security. I think the industry being full of technical wizards and geniuses, communication and marketing is sometimes not the strongest suit there. So I look at it like you've got to figure out first of all who your audience is you're communicating to. Communication in general is always an audience thing. So with that in mind, understand who the executives are and their background and their acumen, their technical acumen, understand what motivates and drives or concerns them. And then make sure, in some cases, I had a previous leader who was reporting to the board and rather than reporting dashboards, it was a one page document and literally it had bullet points and narrative to say, this is what the risk is, this is how we've been addressing it, this is what's remaining and a little traffic light for is it going good or bad or indifferent?
And I think from a communication perspective, you've got to understand some people, they're not risk, they're not security, they're not that kind of background. But you do get more and more board members or executives that have been around the block and they've been in situations where the company they were at has been breached. So I think more people now understand what a breach is like, and they have that concern about being breached and therefore they're more attuned to the security conversation. So it really depends whether you're twisting this as how we benefit the business as in can we drive revenue or could it be a, we're going to help reduce risk while not impacting the revenue situation.
Aaron:
Yeah, I really like what you said there. Neil deGrasse Tyson has a little phrase that I like, which is meet the audience where they're at, otherwise you're lecturing to them and nobody likes to be lectured to. And that really resonated with me during
Den:
That
Aaron:
One of those masterclasses that I took. The other thing that I like to remind technical folks, as they're coming up, maybe they're coming into an executive path or whatever it is, is to say less. It's something that I struggle with, say less. Your audience has fewer cycles to digest what it is that you're saying. We as technologists, we think that giving more details makes us more authentic. Oftentimes it has the reverse effect on a board member, on a C-level executive. So say less, but be prepared to go deep when you need to.
Den:
And you just hit on Mr. Jones's continual life struggle of say less, which I learned years ago. I had a great coach and she turned around and shared with our team. She was a communications coach, Victoria, and she shared with us, she was like, imagine you're at a buffet and you're going to explain to someone what a buffet is. You start off at the really top level just by saying, Hey, we're going to go to a buffet. And then someone's like, well, what's that? And then you're like, oh, it's a restaurant that has a lot of food already prepared and they're continually preparing food, but there's seven different stations of different types of food. And then if they want to ask more, they'll ask another question and then you dig in more. So like you say, if you can start off by just giving that here's a 5,000 foot view and then allow them to jump in.
Aaron:
Yep. Perfect. I love that by the way. Thanks for sharing that.
Den:
I it too. I try to apply that many times over the years since.
Aaron:
Alright. How does 909 Cyber's consultancy philosophy minimize friction while improving security outcomes? Let's just go with the first part of that. Yeah. How do we minimize? Yeah, go ahead.
Den:
I mean, yeah, I think that's a brilliant question. It reminds me of the work that my teams have done at Adobe, my teams have done at Cisco, and a principle and philosophy that we live by today, which is I think there's a lot of bureaucracy in the security landscape, a lot of checkbox stuff. And I think a lot of that is driven by just how the industry has evolved over the years and the lack of confidence in companies spending money efficiently to secure themselves. So what I look at is how do we reduce security, the friction that you put in front of users. A good example was removing passwords. We'd done that in 2017, 2018 at Adobe. So replacing passwords with C, you do a posture check on the device and the user and if the posture check's skewed. So that whole zero trust principle for us, we got into that in 2017 and I've been involved in that ever since.
And the reality is depending on how you apply these things, you have the ability to make security more of a background thing. So you're using the data in the background, you're using background posture checks, and that means that you're inflicting the pain on your users a lot less. And if you could do stuff like that, we removed the need to change passwords every 90 days, so from a user experience, it's huge. From a service desk perspective that reduces tickets related to password changes by about, for us it was about 60 to 80% depending on the company that we've worked with. And that's huge because password related service desk tickets are usually in the top 10 of service desk tickets overall from a number perspective. It's a huge savings.
Aaron:
The other part of our philosophy that I like to talk about too is tool bloat. I mean, part of our philosophy is that we like tools. We both love tools, but you don't need every tool under the sun. And I don't think any security team enjoys having every tool. I think most security teams want to have the right tools and we advocate for the right tools. We don't advocate for every tool, and that's part of our philosophy as well. There's definitely a lot of friction around having to administrate more tools than you need.
Den:
And then at 909 we coined the phrase pragmatic security. We talk about that a lot, which for me is removing the bureaucracy and bullshit and also doubling down on deploying fewer tools exceptionally well rather than many tools or, I mean, I think at the end of it, we've seen a lot of environments where people spend so much money on tools, they have more tools than they have staff, and at that point you think you're protected because you've got these tools, but you're missing the boat.
Aaron:
Yeah, you forgot the permissions of the tool that you configured and maybe it has god-like permissions and that makes you less secure if you forgot that you gave it god-like permissions and shelved it.
Den:
Yeah, complexity for me, complexity also makes security harder. The more simple your environment, the easier it is to know what you've got and secure it.
Aaron:
How does 909 Cyber help organizations align security strategies with business growth objectives?
Den:
That's an interesting one. Do you want to go first on that?
Aaron:
Yeah, I think I read that one to mean that someone, whoever maybe wrote that, is maybe at the early stages of a company, maybe post seed, and they're trying to understand how it is that we would help them grow their company or stay in line with the growth of their company. That's the way, at least, I'm reading it. If I read that wrong, please feel free to email me. My email address should be obvious to you. You tell me how wrong I am. But here's how we do that. We match your risk. We have a conversation with you on what it is that you want to protect. Again, we're talking about those assets that you want to protect and we match your risk at the time that we're having that conversation with you. And then we have a conversation about what's it going to look like six months from now, a year from now, three years from now, five years from now. And we match your security posture to risk levels at those time periods. We're not going to come in and try to pitch you an enterprise solution while you're an early stage company. That's not who we are. That's not what we recommend. We don't think that's best for you. So the way that we help growth is matching a security solution and a risk solution to your business at the maturity level of your business at that time.
Den:
So there's the startup landscape and then there's the you're already up and running landscape, and let's imagine, so you've addressed the startup, I'll cover the you're up and running landscape. I always bring this back to, you've got to, as an executive in security, really understand and have your business hat on. Take your technologist hat off for a minute, put your business hat on and understand the business strategy and then your goal. I see it. I think our goals have evolved over the years, right? Years ago it'd be like, I'm going to deploy CyberArk, I'm going to deploy this, and you'd measure your success on did you deploy the technology or not, which is very shortsighted. I think what's really important is any investment that you make, you obviously have to reduce the risk, but you've got to also understand the business and what the business is trying to achieve and understand will that investment we make help accelerate that goal of the business.
And in some cases, you need to enable the business to move faster in a secure way. You need to remember that no is not the answer. And you need to remember policies you put in place that slow the business down are policies that people are going to try to circumvent. So you got to be really thoughtful. We had this whole thing when we were running enterprise security at Adobe where we reviewed all the policies that we'd inherited. And the goal of that review was to kind of understand what was bullshit and what was common sense. And then ultimately in engaging with some of our audience, we'd try and understand from them what did they think was nonsense and bureaucratic and how would we try and improve that? Because at the end of it, if you start to see your customer base, as in your employees of your company, circumvent, avoid and dodge security or policies or all those other things, you've got to try and figure out how can I make that easier and how can I make it palatable so that they can follow policy without having to have a degree in shitty IT and security policies.
Aaron:
And now they got AI at their disposal too. They can just ask Claude how to circumvent something and
Den:
That's brilliant.
Aaron:
Sure, Claude and ChatGPT will tell them. The other part I'd add to that too is we do see ourselves as cyber risk, where cyber risk avoidance and in some cases enablement, we will enable cyber, right? We'll enable you to do something, or business enablement. So think of your risk posture like that. We want to enable you to do something and help you avoid risk. All right. Spinning wheel. What are some emerging trends in cybersecurity that peers in similar roles should be prepared for? This is a layup for AI, if ever I heard one,
Den:
Well, actually I'll jump on the zero trust bandwagon to allow you to jump on the AI bandwagon just so that it's not all AI. I still come across people struggling to deploy two factor authentication or deploy it broadly. And that just reminds me that some companies, some peers of ours, they're still way behind in the sense of their company's culture, the acceptance and tolerance for more advanced, and MFA is no longer an advanced thing for me, it's table stakes. But I think when I think of something like zero trust, I really believe there's still many years of people being able to push out zero trust type architecture. I'm a firm believer and a shameless plug for, we're about to publish one of our case studies, but I'm a firm believer in the fact that when you take something like a zero trust architecture, you get to overlay, again, your business problems, your business strategies and then determine what from that architecture makes sense based on your resources, based on your current investments, based on the direction you're going. So I look at ZT as being something that still has a lot of runway. Yeah, but let's overlay some AI on that, shall we?
Aaron:
Well, go down before I jump on that bandwagon. You know what, I'm still seeing, you and I haven't talked about this, but I had this conversation with somebody about how they would not go, they just absolutely refuse to go passwordless, did not believe in the concept, and I wouldn't even consider passwordless to be an emerging technology at this point, just like you wouldn't consider 2FA to be an emerging technology at this point. I hope the person that I had this conversation with does take a look at our case studies that you're working on right now because you did it, your team did it back at Adobe. These things can be done. And I mean we're not approaching the 10 year mark from when you did it, but we're not far off from the 10 year mark.
Den:
Yeah, shit that
Aaron:
You did them,
Den:
Man. I had this conversation with someone just the other week. So at Adobe in 2017 we started that journey. I was at Cisco in 2020 and our enterprise security team there, a hundred thousand people. And then when I was at Banyan as the CSO there, we had many customers deploying Banyan technology, which instantly brought you, and I mean Adobe became a customer of Banyan in 2019. So they had passwordless back in 2019 before Okta Indu and Microsoft and all those guys were pushing that to their clients. So passwordless has been around for quite a while and yeah, I'm over six or seven years on this shit. I mean, man, it feels like I've been talking about it for a long time.
Aaron:
Yeah, so now I'll jump on the AI bandwagon.
Den:
Oh please.
Aaron:
Yeah. Earlier this week I was meeting with someone who still hadn't opened up ChatGPT. I don't want to call them out in particular. They're not alone. There are some folks that just don't, and on a regular basis. They either don't have the time or don't see the value. And what I'd say to everybody is we're now at the point where AI is going to start taking our jobs, and by that I mean either you're using it as a tool to make your own efficiency better, stronger, faster, or you're going to be using it as a tool to make your tools better, stronger, faster. We're going to start using AI to see whether or not our permissions are correct. We're going to start using AI to make sure our firewall rules are correct or our ACLs are correct and so on and so on and so on. If you're not doing that already, and many are, a lot of people are already using tools in that way, this year I think the heat's really going to turn up on the folks that aren't. So if you're not doing those things already, take a few minutes, YouTube's readily available for you to learn, just ChatGPT's got a free tier, Claude's got a free tier, they all have free tiers, go get in there, mess around with it a little bit.
Den:
And even the paid subscriptions are pretty basic entry level.
Aaron:
I mean, I don't want to pick on the platform for which we are doing this live, but I pay more to LinkedIn than I do to either one of those two AI platforms. Right?
Den:
Yeah.
Aaron:
Alright, lemme make sure. I think I deleted that question. So for those who didn't watch part one, I have a bad habit of not deleting the question out of the spinner and then we get asked the question twice. We'll see whether or not I remember to delete that one. Spinning. Can you share some examples of how 909 Cyber's approach has transformed organizations without increasing complexity? Yeah, I think this is very similar to that previous question to be honest with you.
Den:
Yeah, I was going to say, I think we covered something along that line of eliminating passwords and reducing service desk tickets and well, we didn't add eliminating the need for VPN, reducing network segments. We published, actually I linked to on our website, a blog post that I wrote while I was at Banyan about turning your office network into a guest network, which is part of the fight to eliminate lateral movement. So I think there's things like that that we've helped our clients simplify. And there's two things, right? There's simplify the experience for the users and then there's simplify the backend and the cost of operation and the complexity, which will help you with reducing risk. The funny joke I always had, and maybe it's not a joke, it's too much reality, is if you've got firewall rules and VPN rules and ACLs and stuff, these things historically have been IP tables. So when you're looking at an IP table and you're trying to understand what user groups have access to what apps, that's a gnarly thing to figure out and then
Aaron:
ChatGPT, my friend,
Den:
But then you're going to upload all your company's into ChatGPT, what
Narrator:
Can go
Den:
Wrong? Well, going back to someone's going to get breached this year, if it's them, if that prediction comes right? So I look at it like as an example, our ZT implementations move away from IP tables and revert back to using directory groups and user ACLs. And that does two things. One is that simplifies the operational cost. If I add you to the group in the directory, which I would do anyway, so you've got application level access, I don't need to now add you to the VPN level access or the network level access or the firewall. So your complexity is reduced. The ease of understanding who has access to what is improved, it's a lot simpler. And then at the end of it, you don't have to have two different teams managing access to apps and services, one at the directory and one at the network. It's just a directory.
Aaron:
The other thing I would add to that, there's all those technical controls, love all that. Love network isolation, network segmentation, especially using the guest network for that. Brilliant. The other thing I would add to that is rescoping your compliance requirements. We've had some success with that. So not everybody needs all the controls in say a SOC 2 or an ISO 27001. We've had some success in sculpting those controls to match the company's risk level at the time in which we're at that engagement and doing risk assessments that lead to a company changing an existing security program or an existing security initiative, which removes complexity. So we've had success with both of those. Spinning the wheel, oh, this is an experience question. Love this one. How does your experience working with startups and Fortune 50 companies influence your approach to supporting early stage ventures?
Den:
Why didn't you start with that one?
Aaron:
Yeah, so lemme make sure I delete this question first. Actually I'll come back. I'll remember to delete it this time. I promise everybody. All right. So I actually started my career at startups and I had worked probably, I don't know, half a dozen before I had worked at any Fortune 50 company, maybe more, maybe a dozen before I worked at any Fortune 50. So for me it's a little bit in reverse. So I had learned quick and nimble ways of doing things before I had the Fortune 50 experience. So the Fortune 50 experience, what it taught me was that stakes can be bigger. It taught me that there are more things to protect. It taught me that scale is important, that you are going to eventually get to this level. So you need policies and procedures in place. You need policies and procedures that match the maturity level that you're at when you're there.
Agreed. You don't need to overly develop those at a startup. I'm not advocating for that, but I'm just saying that you need to match them for the maturity level that you're at. There is value in policies and procedures and the way of doing things. I just mean to say that you need to match them for the stage of the company. That's what Fortune 50 taught me. And I had already developed that in my startup career because we were doing SOC and going IPO at some of the startups. But what I carried with me from Fortune 50 back to startups, flip flopped back and forth, is that discipline.
Den:
Yeah. So I'm the opposite. I've spent most of my career at larger companies from manufacturing with production environments to banks and then software. The bureaucracy in a larger company I think is outstandingly annoying sometimes. So I always like to run my organizations like a startup. We were a mini startup within. And the most important thing was how do we build credibility regardless of the size of the company? So regardless of the size, you still need to execute, you want to execute quick, you want to measure your deployment of things and the business seeing value in those deployments in days and weeks, not months or years. And when I say months and years, obviously you do something, I had this joke, right? I dunno if anyone finds it funny. Netflix did not call me for the special yet, so clearly it's not the best joke. But I like to get involved in projects that are shorter than it takes to make a baby.
And I'm talking about a human baby and the nine month thing. And someone then said, that's not the making part, it's the growing part. So the nine month thing is important, and here's why. Because when you're in a larger company, and this really multiplies to large companies, when you're in a large company dynamic, you're trying to convince those around you, the executives on your funding and your, give them confidence in your ability to deliver what they're already funding, the strategies that you've already put in place. If you take longer than nine months, assuming that you start that endeavor, when you get your money and your funding, you need to be done within three or six months of the sprints that you talked about. So you build the credibility up. So when you go and ask for additional funding or funding for another initiative that you've got the credibility that you can deploy something. If your project takes more than nine months, the likelihood is you miss the next funding cycle. So you're going to get to the year end planning and you'll not have finished a thing that you started at the beginning of the year. So how the hell are you going to convince anybody to give you more money?
I wrap it around that joke. But really there's a serious element to this, which is called credibility, execution and the enablement of the conversation to get more funding for the thing you're doing next. Now, in a startup, you don't have nine months. In a startup, your strategy might be an annual strategy, none of this three to five years nonsense. So you might be sitting there going, we're not worrying too much about strategy, here's a north star. But it's all about the business moving fast. How do I enable the business to move fast and in the background sprinkle in signs and elements of a program. Now in a startup, if you turn around to any CEO in a startup and you say, let me build your security program, they will probably shipwrecks because they'll sit there thinking the thing you're talking about sounds expensive. It sounds like it's going to take a long time. I just want to log in and have the team be able to build some software. But what you are talking about as a security person sounds, gives me the feeling of something which is large and expensive and may not materialize. So for us at 909, again going back to the pragmatic security approach, is let's not make it a big program. Let's make it something that fits your business where you're at.
Perfect. I don't know about perfect, but it is what it is.
Aaron:
By the way. I like that. You're the one who called Fortune 50 companies bureaucratic and I did not
Den:
Oh, yeah, yeah, yeah. That's called experience, Mr. Wurthman.
Aaron:
All right. How can security leaders ensure their initiatives align with broader business objectives such as revenue growth or customer satisfaction? We've touched on this, but I think the topic deserves a deeper dive.
Den:
Read that to me again.
Aaron:
How can security leaders ensure their initiatives align with broader business objectives such as revenue growth or customer satisfaction?
Den:
One of the things, yeah, actually, yeah. Why don't you go first? I'm noodling here.
Aaron:
Yeah, I think this starts with relationships, relationships, relationships and partnerships, right? Security leaders should never see themselves as living in this silo, and all we do is security. You need to get out of that silo, get out of your office, virtual or otherwise, whether you live in a void like I do or an actual office, and go meet the CRO, go meet the sales team, go meet the customer team. I know it might sound weird to meet either team, but you want to know what the end customer's experience is, whoever that end customer is, and you want to take those lessons back to know whether or not you can change that experience. For the sales team in particular, you may as security leader actually be in front of customers, and so you are going to want to know what's important to customers. You may be in front of customers or even post-sales. So either one of those two relationships are important for you to know and understand. You want to know what those end customers, what's important to them.
Den:
Yeah, I'll do this in two ways. One is small company, big company, right? So small company one's easier. Quite often if you're in a company that's selling a product to their clients, if it is a sales process, which is not consumer, so it's B2B, then you're in a situation where quite often they want to engage with the security organization to understand your security controls, your posture. They want to understand where the security team is in the sense of protecting the customer data. They want to understand the security team's angle on the products and the security of the products that the businesses are going to buy from your company. So I think that's a great way to support the business. I also, I love the idea of the security organizations in these companies being public and even on social media with blogs and other posts about the brilliant work that they're doing that helps build confidence.
The important thing, if a client's going to buy some software, they're going to have three or four different products that they're looking at at the same time. And so what's the difference between these products? Is it feature, is it price? And then is it confidence in the company? I think you have the ability to play a role there. When we were in a larger and larger company, Cisco and Adobe, but Cisco, we were selling a zero trust product, and my team had deployed zero trust to a hundred thousand people. So what better way than to be in front of clients? So the leader Josephina, who ran that team, her and the team, they were in front of a hundred clients in one year. I mean, that's a lot of business to support. And the more we can share how our enterprise security team at Cisco deployed, supported, maintained the security products that we used, that we also built, I think that's goodness.
Now, regardless of the organization, the pulse of the organization, so if you support 50 people in your company or a hundred thousand, you got to figure ways, and you mentioned this, how do you get the pulse of the organization? How do you get in front of your sponsors, your stakeholders? Do you build focus groups? Do you walk the hallways and have conversations? Do you meet, I mean, I was lucky at Adobe, I had a lot of friends there and we'd have lunch together and we'd talk about it. Or the other thing was what's the sentiment of people complaining and griping about how many times do they log in a day or they're just staying for VPN. So there's many ways, but you got to keep your communication and ears to the ground and listen to what's going on in the company and also try and if it makes sense, meet customers, like external customers. Yeah.
Aaron:
You know what? Good point. External customers as well as internal customers. I don't think you would've got your passwordless or password change policies in place had you not met with internal customers and understood that people were sick and tired of changing the passwords every 30, 60, 90 days, right?
Den:
Well, I mean we were Well, right? I not got
Aaron:
That feedback, right?
Den:
Yeah, but I mean, yeah, look, you've got a team. So whether you've got a team of, I mean at Adobe we had a team of 75 people and enterprise security alone, so we're just doing our skip level and all that stuff, or team meetings, you could hear where people were frustrated. And so I look at it, we know ourselves. And the other thing was we ran the identity platforms at these companies. So I never ever had to go to some customer like employee and be like, Hey, would you like to log in less? No, I've never heard anybody ask that question. Would you like to log in less? Would you like to change your password less? You don't ask that. So you just naturally know one of the things as a service provider is how do you improve the service you're providing? So that was easy.
Aaron:
Yeah, that is one of the things that when I inherit a new team, it's one of the things I task them with is, what is your service catalog? How well do you deliver that service? Go find your customers and get their feedback on how well, alright, moving on. How much we got time left. Alright, could you share examples of your most rewarding projects or milestones in your careers?
Den:
Yeah, well, so the ZT stuff, obviously, I mean when you remove the need to enter passwords or VPN or change passwords, that's a huge thing. But I'm actually going to jump way back to the year 2004. Well actually 2001, 2002, all the way that span, I was a little engineer and in the directory stroke server team. And the thing that I realized when I moved to the US at Adobe was people really struggled to get access to data and apps and services. And quite literally, they put a service desk ticket in and then the team would look at an Excel sheet and then they'd look at all the file shares that they'd have written down in this Excel sheet, and then they'd be like, okay, who's the owner? Let me go ask them. So I go with this guy, esh, who was a Lotus Notes developer at the time, and he wrote a front end on Lotus Notes. I wrote the backend using batch files and we literally created a self-service mechanism where every file share and folder that went two or three levels down in the file share would give the owner of the folder the ability to approve a request via a webpage. And literally we automated and made it all. So I think at one point we moved from Lotus Notes to a better professionally built platform and in three years we'd done over a quarter of a million. We avoided a quarter of a million tickets in three years,
And by the time we went to the third generation of that, we called it E manager. And it would allow you to change your password, it would allow you to get access to file shares. Eventually we bolted on things like a front end for SailPoint and CyberArk, the front end for Okta. I mean we had all of the front end and then I think the fourth or fifth generation, it was all API driven with the web front end also interacting with the APIs, but then we could go to teams, like engineers or whatever, if they wanted to build any apps or publish apps, we could have themselves servingly, Okta enable their own applications via a p. I mean it was a simple workflow. So by the time I left Adobe, we had over 2000 apps on Okta and over 70% were all self-service and not within IT. Yeah, it was a couple of million transactions a month going through this thing. It was crazy. So for me, that legacy, because they still use that today and you can't go and buy that off the shelf. That for me was brilliant. The ZT stuff obviously has been I think groundbreaking as well, but I love that. And here's the thing, when I first started it, people were pissed off because some of the server admins were like, you're going to work us out of a job.
The other thing that happened is one of my Scottish friends, a Unix admin at the time, he turned around and he said, but why are you doing this? People are just going to give you shit for it. Some people are thinking you're going to work them out of a job and then nobody asked you to do it. And I was like, yeah, nobody asked me to do it. But I just knew what we were doing was inefficient as a user experience went. It used to take weeks to give people permissions to file shares, and we cut that down to minutes, like 20, 30 minutes.
Aaron:
It
Den:
Was brilliant.
Aaron:
I used to have this saying, which was that I'm going to automate myself out of existence and just nobody's going to, when I was an SRE, that's what I would do. I would grab tickets, had automation, I would grab the ticket and then just go through a script and fulfill the ticket and I would just create more and more automation. I would do these things, but obviously I never achieved my goal. But again, the year of AI, maybe soon, we don't have much time left, so I'll try to make this quick. I'm also going to pick one from way back, Marketo. So at Marketo we were doing this, we were at this hypergrowth period where we were moving our phone system, back when people used to put phones on desks. And we were moving away from hosted Exchange into Office 365.
And for whatever reason, all the timing for these projects all ended up falling within one quarter. So we did all of this against some adversity. We lost a project manager somewhere in between that was organizing all of this. So it fell back to the technical team to actually manage the project. We did all of this, that's not what stands out for me. We did all of that and then the business actually recognized all of our hard work. So at the next All Hands, Phil Fernandez actually invited me on the stage to give rewards to everybody in my team that participated in either one of these two projects. So I got to hand out reward plaques as well as RSUs to anybody who participated in those projects. So as you can imagine, 20-something IT engineers having to get on stage in front of roughly a thousand people, how nervous they were. It was great.
Den:
I was just taking notes there. I think we should, I dunno what made me think of this in that last conversation, but a webinar on leadership mistakes and lessons learned. If you just think of over the years, and we'll maybe grab a couple of our other leader friends to join in that and make it more of a panel, but I think that would be a great one because if you think of just that story there, it's like, well, what mistakes? It's like having all these things fly at the same time. Having the team under that much pressure all at the same time when you could just simply have staggered it a little bit. It's like,
Aaron:
Yeah, yeah, yeah.
Den:
It's a great nugget for someone who's listening right now.
Aaron:
Yeah, absolutely. We got four minutes left. You want to try to fit one more in?
Den:
Yeah, let's squeeze one more in.
Aaron:
All right. Spinning the wheel. What we got here, we asked that one already. It's my bad for not deleting it. Geez, man. Geez.
Den:
Just can't
Aaron:
Get, it was bound to happen. It's bound to
Den:
Happen. You just can't get the quality staff.
Aaron:
What are the most effective ways to reduce cyber insurance premiums while strengthening security?
Den:
Oh geez, you left this one to last, spinny wheel.
Aaron:
I mean, we've hit on this throughout this conversation though. This should not be a surprise to anybody listening. Yeah,
Den:
I mean, I think quickly is you've got to get, so first of all, understand the relationship with your cyber insurance companies. I think that's an important piece. And then you want to get to a situation where you can demonstrate, I would say a few more advanced techniques and things that you've implemented. And I'm not going to say show them you got a SOC 2, and that's going to help reduce your premium. I don't think that does shit these days, does not. But I think you got to look at what is the insurance company's most concerned about and then directly address those concerns and demonstrate that you have that covered.
Aaron:
Yeah, exactly that. I think you hit the nail on the head too, around having a good relationship with your insurance company. If for whatever reason you have an insurance company that doesn't want to have a good relationship, replace them.
Den:
Yeah, shop around,
Aaron:
Shop around. You can shop around, you should shop around. And then we touched on already, but identity is big for insurance companies. They want to make sure the right people are logging in, right people and things. So your non-human accounts as well. Make sure that your non-human accounts are being monitored. They want to make sure that those are, and then your time to recover and that you have enough controls in place to be able to recover. Ransomware is still prevalent in the world. And so those are the big things that insurance companies are going to be looking at. But you should absolutely have a conversation with your particular insurance company.
Den:
Yeah. Excellent, excellent. Well folks, we are definitely up on time. Aaron, thank you for your time and helping curate and take the questions in and throw them in a wheel of spinning fortune. That is brilliant. That helps me doing any work at all really, and I don't like to work hard. Folks, we will be back next month with another webinar, and you could follow us on LinkedIn or on social media. We're on LinkedIn, we're on Facebook, we're on Blue Sky, we are on Instagram. We are all over the place really. And then we have recorded this episode, so like and subscribe. And this will be published on both our podcast website as well as our 9 0 9 cyber website. So Aaron, thank you very much, sir. Appreciate your time as always, and any questions folks, we'd love your feedback. Reach out.
Narrator:
Thanks for listening to Cyber 9 0 9. Subscribe wherever you get your podcasts, and don't miss an episode of your source for wit and wisdom in cybersecurity.