December 6, 2024

Episode 9: Ask us Anything with Aaron Wurthmann

The podcast promises to deliver unique insights into cybersecurity through guests, stories, opinions, predictions, and analysis. This episode features an "ask us anything" session with Den Jones and Aaron Wurthmann, advisory CISO for 909Cyber.

About our guest

Aaron Wurthmann

Aaron Wurthmann brings over 25 years of expertise in information technology and cybersecurity, with leadership roles spanning startups to Fortune 50 companies. His experience in securing customer data and payment information allows him to blend tactical and strategic knowledge into executable visions.

As Head of Digital and Data Security at Albertsons Companies, Aaron safeguarded customer data, pharmacy information, and eCommerce platforms, increasing software delivery while maintaining security. Later, as CIO and CSO at Cision, he reduced cyber insurance premiums and expanded the company's addressable market through critical security certifications.


Transcript

Narrator:

Welcome to Cyber909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and Cyber Aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for Cyber909, episode nine with Den Jones and Aaron Wurthmann.

Den:

Yeah, so we can check LinkedIn. LinkedIn's all good. Mr. Wurthmann, thank you for joining and happy Monday everybody. I'm Den Jones, founder and CEO of 909Cyber, and we thought in our marvelous wisdom that we'd throw an ask us anything session together and we plan to do these more frequently because we got so many questions. We think we can do a lot of these sessions. So Mr. Wurthmann, why don't you introduce yourself?

Aaron:

Aaron Wurthmann, advisory CISO for 909Cyber.

Den:

Excellent. Now, do you want to talk a little bit about the questions in the format for today's show?

Aaron:

So first and foremost, thank you to those that submitted legit questions. There were certainly a lot of illegitimate questions and certainly a lot of requests that you call your mom, Den.

Den:

Yeah, I've done that actually once you've told me about that.

Aaron:

Alright, so what we did was we consolidated all the questions that we got using AI down to about 50, did some normalization on those questions. Then we put them into a spinner, so spin the wheel. So we'll use that off camera to spin the wheel and then pick from those questions. If any questions come up during the live event for those that have joined, we'll add that to the wheel alone and we'll spin those. Any questions that we don't answer this time around, we'll get to the next time that we do this.

Den:

Excellent. That sounds great. So why don't you, yeah, why don't you just spin the damn wheel. Aaron, let's get spin the wheel show on the road, man. Come on.

Aaron:

All right, all, here we go. Here we go. I'm afraid.

Den:

Don't be afraid.

Aaron:

What lessons from leadership experiences would you share with CEOs and CTOs who are just starting to prioritize security? Man, right off the bat,

Den:

I'd rather start with an easier one. Why don't you jump in with your 2 cents?

Aaron:

I think overall what I would share with, I'm going to say founders, I'm going to revise this question a little bit and say founders, is that security does need to start in the beginning and the inception of the company. And it doesn't need to be a big scary thing. It doesn't need to be an expensive thing. There are things that you can do early on built into your culture. Nobody is going to take your company more seriously than the two of you, the CEO and the CTO. And so if you are building in that security mindset, that security culture early on, it's going to pay itself back. So you are securing your future. And so if you treat security as such, it's going to be helpful for the rest of the company.

Den:

And I think a couple of things. One is don't fall into the trap of buying all these tools if you suddenly find yourself. So I'm assuming right now they haven't got a leader and they haven't brought in people like us either as a consultant or virtual ciso, ongoing capacity. So if they're winging it themselves. So I agree with what you were saying there, but I would add to that and just say, look, don't jump online or go to conferences and see everybody's whizzbang magic and believe the Kool-Aid that you need to buy all their shit. I think most of the times what we see in the people we speak to is we tend to speak to people who are down their journey and they've already made the mistake of spending a lot of money on tools and technology that doesn't actually reduce the risk that they intended. So I'd be mindful of that.

I had be very aware that when you do start to bring in security leaders, look at your budget and look to see what you can afford. And the concerning thing is right now is the CSO market. I think there's a lot of great CSOs out there, but a great CSO with, and by great, I mean they have good, great experience, diverse experience. They know how to build security in a company and that culture, they're more expensive. So if you're trying to low ball that price, then you're going to get what you pay for. And ultimately, I think you're going to get someone that isn't necessarily going to know how to leverage your budget or to build that culture successfully.

Aaron:

All right. Spinning the wheel. One of my favorite questions, we get asked this a lot, where did the name 909Cyber come from? Is it an area code?

Den:

It's not an area code. It's an

Aaron:

Area code. It's an area code.

Den:

Well, it's an area code, but it's not our bloody area code in the 408 business. But park the word cyber to the side because I'm hoping that they're not confused on that one. 909, I'm a musician. I think if everybody sees all this shit behind me, they'll recognize that off the bat that I have a huge passion for music. And the first record I ever released, which is the one in the middle, the black and white one, 1994, the drum machine that we used, my favorite drum machine, which I owned back then, was called a Roland TR-909. So when trying to come up with a name, that was the best I got was something I wanted something. First of all, that was easy for people to remember, easy for people to say, unless you've got a Scottish accent, and the domain names and the social medias were available because when you're picking your company, I don't want people to confuse us or go to the wrong website.

Aaron:

All right.

Den:

That was an easy one. Geez, I love an easy one.

Aaron:

Where did you two meet

Den:

The band, U2? I am not sure. They were in Dublin. I think actually they still live there. Why don't you answer? Oh, they mean you and me.

Aaron:

They mean you and I. Yeah.

Den:

Oh yeah. Oh, you and I, not you and me.

Aaron:

Yeah.

Den:

Oh shit. Well, why don't you answer that one because you tell it better.

Aaron:

Well, we met on the apps, that's where we met, which was extremely awkward because the next day we showed up to work together at Marketo and Adobe.

Den:

Yeah, yeah, yeah. You don't want to swipe right for any old fool. Yeah. And when we met my team was we had just deployed Zero Trust at Adobe. We called it ZEN, Zero Trust Enterprise Network. And we figured with two M&As in the hopper for Adobe, and you guys were the first one to hit the street. And I think it was the whole thing of let's onboard your team, give them access to all of our apps and services, but without connecting the networks together. And my team was with the end user support guys and working with your team. And you and I were trying to help. I think you're technically more gifted than I am, so they maybe allowed you to touch more laptops than me, but they were like, Den, what are you doing? Stop touching shit.

Aaron:

Yeah. For me, I think it was more of a pride thing. They did not want me touching laptops. They felt like it was something that they did wrong. If I had to touch laptops, that was,

Den:

Yeah. I mean, look, if you and I were getting involved in touching shit that usually would signify something bad was going on,

Aaron:

Love that coffee mug.

Den:

So this is the thing is a good marketing person will tell you the logo shouldn't be here, but someone who can adapt to life and culture can easily put a sticker there.

Aaron:

Yep. All right. Spinning the wheel. How can leaders effectively build a security-conscious company culture? Well, I think I touched on this in that last question. Apologies for not consolidating this too. The AI must have not picked up on that, but it starts from the top. So it starts from the top. It starts from the people who care and own and they own the company or care the most or effect like we all should, but starts with everybody. Security is everybody's job. It's not just the security department's job.

Den:

Yeah. I mean, look, I think there's a lot of security practitioners out there that sit in ivory towers and they do security for security sake. I'll give a great example. So annual security awareness training, and that is required for compliance, but they don't get too prescriptive in what needs to be in the training. They say you need to do it. They don't say what it should comprise of. And everybody's so busy talking about corporate, corporate, corporate that what results is your employees go through that training while they're doing something else. So they don't really focus on the training boring and bullshit. And I think that if your security team pushed down things to people that they think are bureaucratic, that they think are cumbersome or disruptive to the business productivity, they're going to find ways to work around it. And that's a great example of that training not really being as effective.

One of the things that we talk about with our clients is swapping that training, reducing that training, and really focus more on protecting your family, your personal, your online, your bank account and all those things. Because if you know those things, you tend to remember that more because it's emotionally connecting. And then secondly, you will bring that back to the office. So I kind of look at that culture is top down, but culture is also important that security teams don't create this friction and this bureaucratic bullshit that people just don't want to deal with because then their reputation and brand gets impacted and people ignore all the other security stuff. You're no longer, you're no longer all in it together. It's an us vs. them, and you don't want to build that culture.

Aaron:

Absolutely. You're going to hear that theme throughout our talk. Some of these other questions come up with these adversarial relationships. They have to go, what are the most common security missteps you've observed in startups? And how can VCs proactively address 'em?

Den:

Why don't you go first on this one?

Aaron:

Wow. All right. So proactively address them. I think this is a hard one, I think for a VC to tackle, because the VC has to walk that line of trying to ensure that the company's risk profile doesn't get in the way of innovation. And that's always a dicey, dicey thing to tackle with a young company. But I always feel like risk is present and needs to be talked about at whatever level it's at. So I think a VC, having that conversation with early founders and saying, look, risk is ever present. Build it into your security. Build it into your culture. Build a security aware culture that's going to carry you into the future that's going to secure your company into the future. And that's going to pay dividends is extremely helpful. The missteps I see in this or that that's not talked about. And then you have to, a security practitioner comes in around, I don't know, I'll call it series C, a full-time security practitioner comes in sometime around series C, sometimes series B, and then has to build security practices or security controls into the company at that late stage. And a lot of the time that person is then breaking innovation. I think that there's a way of doing innovation and security at the same time if you catch it early enough.

Den:

And I think for the context of this question, we'll assume the VC and the startup concern is not a security company. As you and I know, and we talked to a lot of founders and CEOs, the ones who are a security company, they're like, we know this shit. We've been doing this shit our whole career, dah, dah, dah. We're security people, so on and so forth. So I worry less about them, although the question still applies because sometimes those people do get complacent. And or most importantly is these CEOs, founders and boards, they're in the business of trying to get logos and make a profit and make money. And sometimes the whole security thing is an expense. IT and security are an expense that they don't see having business game changing outcomes. So they don't see it as part of the ability to grow the business. So I think there's a couple of things. One is recognize they don't want to be in the news, but also recognize they don't want to spend an extra dime on this shit unless they have to. And ultimately, for me, I've seen a lot of founders and startups, they will do the minimum security or they will actually do no security until they think they have a product worthy to secure.

And that's just the dilemma. I mean, shit, man. For us, we see a lot of security companies talk about building programs and programs with startups from the ground up at the inception. And you mentioned that earlier. Is that a good thing to do? Something like that. But we recognize that when you say the word program, let's talk about a little sprinkling of a program just to identify and reduce the risk that is largest, the one that you're facing the most, and not try and do this big behemoth thing. So I get concerned when people say the word program, they think of this over cumbersome, expensive thing. And I don't think anybody who uses that term for startups necessarily isn't inferring that. I hope not. Anyway,

Aaron:

So that question might come back up. I forgot to delete it.

Den:

Oh, geez, man. Well, if it does, just spin the wheel again. I know you're a professional wheel spinner, so I mean,

Aaron:

Well, we need a producer. We need to get a producer up in here soon, so

Den:

Oh yeah, we can have somebody behind us later are spinning an actual wheel.

Aaron:

Alright, this question, Aaron, what was your tagger name? So for those that aren't aware or they're watching us for the first time or any podcasts with me, there's a few things that always come up. And one of 'em was that in the nineties I was a graffiti artist and I was a tagger. So Aaron, what was your tagger name? Can't tell. You won't tell. The reason why I won't tell you, at least publicly, is recently I was downtown San Jose and there was still some artwork that I had done 30 years ago. There I am. I'm unaware of what the statute of limitations is in the state of California for these sort of things. And so I just feel like I'm just not going to tell you, how about that.

Den:

I mean for legal reasons, obviously that was a commissioned piece of artwork, Mr.

Aaron:

Obviously that was a commissioned piece of artwork.

Den:

Yeah, I mean, shit, you would not break the law in any way,

Aaron:

Nor would I advocate for such a thing.

Den:

One of the things I've seen with a lot of downtowns in cities around the world is they do actually start to commission more people to do that kind of artwork. And I love seeing that when it's done Right.

Aaron:

Agreed. Agreed. My views on this topic 30 years later obviously aren't what they were when I was a teenager. So my wife has to put up this a lot where I'll drive by some graffiti and I'll be like, those damn kids look at him ing up the walls. But what was I doing?

Den:

Hold on. But we are in a community where there's a lot of people in our industry that like to tinker and hack and break into shit and figure out and are curious. And I think that's the one thing. There's a level of rebelliousness in our nature. Fuck it, man.

Aaron:

So funny you say that.

Den:

Go for it.

Aaron:

I was teaching when I was teaching a class over the summer. I shared with my class that this is what I did in my youth, and I thought I was going to surprise my TA with this information. He was not surprised at all. He was like, Nope. That tracks, because of the timeline in which you became, we'll call it a gray hat hacker because of the timeline that you became a gray hat hacker. This is in line with the rebellious nature. So I'm not surprised to hear that you were a tagger.

Den:

That's brilliant. Yeah, yeah. Came

Aaron:

Out, let me make sure to delete this actual question this time around. All right. Spinning the wheel.

Den:

Oh, and while we're waiting, so folks online if you want to post questions, I think in LinkedIn there is a place to add comments or ask questions. Being our first time doing LinkedIn live, then we're not quite sure in those logistics. But please post questions if you see that chat box. This

Aaron:

Is a fun question. What role does 909Cyber play in supporting security leaders during board level discussions or executive decision making?

Den:

Oh, good, good, good. Let me start. I guess a couple of things. One is a lot of executives, they'll go in a board meeting and it's just sometimes helpful to have a third party in there with you or prepare slides or a document for you based on our review of your security posture, your risk, and things of that nature. So some of the execs we work with, they find value in that one. And then I think the other one is if you're the founder or CEO and you don't have a security leader, you might bring us in to work with your IT team. I'm assuming you have an IT team, but you're not big enough to really have a security team. So IT people are doing a lot of security type stuff, or at least the execution of it. It's good for us to come in and be at the board meeting with you and we would represent your security, your IT, or any of those risk areas you want to add to that one.

Aaron:

Yeah. The only thing you covered exactly it. I think the only thing I would add to that would be mentorship or conversation. If you wanted to bounce ideas off of us. I've served on boards, Den served on boards, we would love to hear what you want to present and we could give you feedback. Right. That's about the only I would add to. Yeah,

Den:

I mean, look, I think the board meetings are highly dependent on who you have on your board and their background and their level of experience from a security perspective, because some boards absolutely lack that. And then other boards, they have one or two people that have a little depth. And it's even better if people on the board have actually been part of or experienced a breach. Because when a board member has been in a company before or involved in a company that's gone through a breach, then they actually understand and believe that it could happen to anyone as opposed to a lot of people who think it'll never happen to them. So I think that's a bit of a differentiator there.

Aaron:

Alright. Another commonly asked question, and you almost answered it earlier, and I was like, if he answers this question earlier, it's making my job a little bit harder to go fix this spinner. But thankfully you did. Thank you. What was the title of the first record you released?

Den:

Oh yeah, I got close to that. The band name was called Future Nation. The song was called I'm for Real. And it's still available on iTunes, Amazon. Yeah, some of those Spotify, you can find it there. So yeah, it's still available. Oh, and on vinyl you can still on the secondhand market though, I think you're paying between 50 to a hundred dollars for that vinyl in good quality.

Aaron:

How much money do you make off of each stream?

Den:

Nothing. I mean, yeah, it's really funny. I mean, we could do a whole show on how messed up the record industry is from that perspective, but the reality is the record deal that we'd done in 1994 was long before streaming existed. So there was no language in there for streaming or payment based on streaming. And actually the record label owner, he passed away about five or six years ago and somebody in his family I think took it over. But there's no, yeah, there's no money coming from that direction.

Aaron:

Wow. All right. We touched on this, but we can touch on it one more time. How do you approach the balance between innovation and security at fast growing startups?

Den:

Why don't you start that one?

Aaron:

Yeah. So we touched on already, and it's finding that risk profile that makes sense for that particular company and that particular market at that particular time. So you never want to step on innovation, you want to keep that innovation going. You don't want to burden them with policies or too many policies. You don't want to burden them with too many hoops to jump through for security. So how do you find that balance? Well, I mean, you start with culture. You start with what is necessary to secure the company and the assets of the company, and you don't go much further beyond what's necessary unless there's a significant risk. Right? Yeah,

Den:

That's brilliant. So you covered everything. I think that's important. I think the one thing I would add to that is, excuse me, that's a difference between a seasoned leader in security and someone who's not. Because someone who's not, they may jump in and there be like, you brought me into secure the company and goddammit, I'm going to do that. And then they'll jump in, they'll want to buy tools, they'll want to put process, and they'll add friction and they'll start to grind the company to a halt.

And I think a more seasoned, and this is why you pay for the experience. And I think that's where we would come in, is we understand that dynamic and we're looking for ways to reduce your risk. But I think in a way that's collaborative with the business. So if you're working with the engineering organization and those leaders, then you want to have great conversation, great communication with them, and figure out ways to protect that data and that source and IP. So yeah, so I think that that's the only difference. The only thing I'd add, sorry.

Aaron:

All right. How important are internships or apprenticeships in building a successful career in cybersecurity?

Den:

I, man, I dunno. For me, after 30 years of being in this stuff, interns, I'll say interns for me are the little gift that keeps giving. The ability to bring in an intern while they're at school is great. When they go back to school, I try and keep the good ones. And so instead of them working at Starbucks or McDonald's, they're working for us at the weekends. And then provided you create and give them a good experience, then when they graduate, you're ideally their first choice for a real job. So I think the ability to take someone who's keen, enthusiastic and looking to learn and hungry and has that desire, I think is brilliant. At Adobe and Cisco, we were heavy in the intern space. I always wanted our leaders in my organization to bring in interns and as much budget as I could get for interns, we'd get as many as we could.

Aaron:

Ditto on all that. The only thing I would add to that, and I mean I don't mean it as a contrasting point, but what I'll say is that there is no single path to success in this career or in life. Not to get too deep here, but there is no single path. You just need to want it.

Speaker 4:

Yeah.

Aaron:

Oh, all right. Is the unicorn really Scotland's national animal?

Den:

Yeah. So the answer is yes. And the unicorn for us, when I was at Banyan Security, the CSO there, a lot of my time was spent on the road at conferences and I would do this talk and as part of the talk, I'd reference the unicorn. But I would do it in such a way, because obviously for me, conference talks can be dull, boring, and just bullshit. I like to make it more, I think of it more like a standup comedy show where I'm going to entertain, but yet educate. So one of the jokes is all along the line of a unicorn. And what I'd say is when you go to a conference, I used to always tell my team, you got to learn at least one thing and I'm going to give you the one thing. And then I talk about the national animal of Scotland being a unicorn. And some people raise their hand as if, because they knew that already. And I tell those people, well, they need to stay and still learn something else at the conference, but the rest of the people after this talk, they can go home. And then I make the joke about, can you imagine how drunk the Scottish elders were hundreds of years ago coming up with a national animal? And they end up so drunk, they get this fictional creature that doesn't exist.

It's a fun one, it's a great icebreaker. It's something to get the crowd laughing a little bit. And for me, any conference talk and any advice I'd give to anybody doing a talk, you got to not read the slides. You got to talk about stories, you got to educate, you got to give examples. A lot of these shows are pay to play, which means the vendors are selling their Kool-Aid. And at Banyan, I didn't do that. I didn't want to do that, and I refused to do that. I wasn't asked though because they liked my idea of I'm going to talk strategy, we're going to talk practitioner to practitioner and build up the credibility. And I think that worked really well.

Aaron:

Nice. I have nothing to add there. I don't know anything about that.

Den:

You dunno much about unicorns in your life, huh?

Aaron:

I mean, my only add there, I saw that question and my response to that was like, let me Google that for you.

Den:

You googled it and realized it was true.

Aaron:

I probably googled it the first time. I heard you say it years ago. How do you approach the balance between, oh, this is that question that I forgot to delete.

Den:

Okay. Yeah, let's skip that one.

Aaron:

Everybody. Sorry, sorry, sorry. I deleted it that time, spinning again. See, that's proof that in fact these things are random and they're on a spinning wheel because I forgot to delete that one. Now I'm pre-reading the question just to make sure this isn't a question that I forgot to delete. What role does 909Cyber play in preparing startups for compliance and regulatory audits that might impact their funding rounds?

Den:

Is the funding round the twist in the question? I mean,

Aaron:

Yeah, this feels like some very personal question to somebody who's spot ready to get a funding round and they're like, I'm ready to get a funding round. I got to have that SOC 2 Type 2 or SOC 2 before I get that funding round. So

Den:

Yeah. So I think it's an easy answer. So first of all, you need to know which compliance you're going after, if you're going after SOC 2, ISO 27001 or something else. The easy one for us is look, we grab the SOC 2 template and the questions, and we'll go through that exact workflow, everything from who are the named people, where have you quantified your risks, and then going through the controls. And it's funny because a lot of these, the controls and how you address the control, some of that, there's flexibility there. So I look at it like you're going to go through that, and we're pretty much going to do the equivalent of an internal audit.

I look at when we talk about doing a security assessment like that as well, if I'm going to do a security assessment, then why wouldn't I leverage that or some other framework. But ultimately it's whether you're going for a round of funding or whether you've got customers that won't sign and become, or prospects that don't want to sign or become a customer because you don't have it. I mean, a lot of people lose business or they're not in the running because they don't have their SOC 2, especially these days. So for us, it is pretty straightforward.

Aaron:

The other thing I'll add to that too is a lot of times what I see people do is just go straight to external audit or external engagement. And then what they'll do is there'll be some findings along the way, some ancillary findings. With us, there's collaboration, there's a roadmap to address those things. So connecting with somebody like us is going to be in your best interest versus just going straight to some sort of external party that's more like an auditor. And then a gap analysis, right?

Den:

Yeah. I mean, from a cost perspective, if you have never worked with an auditor before, so there's two things here. One is have you got experience working with an auditor and knowing how they operate? If you don't, then you don't want that first time to be as you're going through this because you're going to end up tripping up, and then that'll cost you more money in the long run. And then, yeah, if you've not prepared, if you've not done that internal retrospective first, then yeah, you're going to end up spending more money. So our goal is let's save you money in the long run. I mean, you will pay for our services, but we can accelerate and get you through that SOC 2 quicker than you're going to do that on your own.

Aaron:

Yep. All right. Next question. What skills do you believe are critical for entry level professionals in cybersecurity today? I got mine.

Den:

Yeah, you go first. I'm pondering on this one.

Aaron:

Yeah, I say this a lot, a lot, a lot, a lot. A lot. Problem solving. So problem solving, problem solving, problem solving. And that for me, at the end of the day, if I have a problem that I haven't solved, it sticks with me. I'm in a bad mood at the end of the day going into dinner or whatever, going into drinks or whatever it is. So it's specific to me, but I think it's also very specific to this lifestyle. So if you, beyond technical skills, beyond interpersonal skills, if you like problem solving or if you want to build up your problem solving skillset, do that. Learn to solve problems. Want to solve problems.

Den:

Yeah. I mean, I would add, I want to see people who are hungry. They're curious. They're hungry. They don't think they know it all. I guess anybody who's watching this, who knows the Den Jones from 20 years ago will call bullshit. Yeah. Will call bullshit on my answer there. But I think with maturity and experience, don't do what I've done is probably the answer.

Aaron:

Yeah. One of the questions that didn't make this 50 something question cut was something like looking back 20 years ago, what would you tell yourself? Or something like that. So stay tuned for next time. Questions like that will the wheel. But there's a lot of those reflecting questions that I would love for us to get to. And what would you tell yourself 20 years ago? Not that we would listen, I wouldn't have listened. I would've been like, whatever, dude, get out of here.

Den:

Well, I'll tell you, one of my old bosses and mentors, he told me many times, I need to be more empathetic. I'm like, yeah, I'll do that. And I don't think I'd done that for years. In fact, I know I didn't do it for years or probably a decade or two.

Aaron:

Yeah. One of the things I remember that stuck with me that I wish I would've listened to back then, that's very, very simple. And one of the things that I push nowadays, and you'll know this too, Den, is metrics. So back then, a leader, I want to say close to 20 years ago, was telling me that I need to track metrics for success on my systems, on my people and all of these things. And what do those look like? How do those improve over time? And I was just so cocky at the time. I was like, nah, whatever. I know what success looks like. I don't need to track anything. Apparently back then I had a deeper voice, so ignored. But now I will stand on this soapbox and tell you that absolutely everybody has a metric they should be tracked by. Obviously systems have metrics that they should be tracked by too.

Den:

Yeah, spin the wheel man, spin the wheel,

Speaker 4:

Spin the wheel.

Aaron:

How do you balance short-term security wins with long-term strategic goals for an organization?

Den:

So I always think of it like you've got strategy, then tactics and execution and stuff, and it's really important. I think that you can build a strategic roadmap that's going to show three years out. Some people talk five years. I sometimes even just talk one year depending on the size of the company, because while that's maybe not the most strategic view of the world, some companies move so fast that a 12 month view is as strategic as you're going to get. I think it's important for the culture and the team that you're building within your organization for people to understand how those tie to the business objectives. And I think it's important when you're talking to your founders or CEO, that you recognize where the business is going and how you are helping, as an organization, the business achieve their goals. And then as you back that up into short-term roadmaps and execution of the tactics, then you're getting to a position where you can say, these are going to be our short term wins. Because I think of it for us, we're only as good as our last gig or last contract, and everyone's got to be impeccable. But when you're inside the company, so if we were brought into a company, we'd still need to turn around and say, okay, we've done a strategy that's been based on our reviews and our assessments. And then from there, we've backed that off into monthly outcomes. And I kind of say that if you don't deliver something that the business visibly sees every month as a benefit to them, then they're going to lose confidence or they're going to not give you funding or you're not going to be credible. Credibility is a great way to get funding. And if you can improve how the business operates, then that for me is gold dust. Saying you deployed CyberArk, nobody gives a shit, but saying that you protected a thousand accounts because you'd done that, and in doing so, you reduced the time for engineers or platform owners to go do X, Y, and Z. That's more important. So I think the outcomes need to be business related outcomes that are regularly, regularly visible. And if you don't deliver that, then you've lost it.

Aaron:

Yeah, I really like what you said there, which is like there are these big projects that everybody's aware of on your roadmap or whatever. So boom, there's this timeline, like a Gantt chart, that big project, but there's all these little things that are going on that are actually making improvements that, maybe even if the big project gets canceled because things get moved, those little projects actually are what move the dial. So I think what I would say that's complementary to what you said, I wouldn't contrast it at all, I'd say you have to have these little projects that move the dial. Don't just concentrate on the big projects, because the big projects can and will get shifted around as the company moves based on just the ebb and flow of a company.

Den:

And it's very specific and dependent to the company, the size of the company and the dynamics and stuff. At Cisco, we deployed our zero trust internally to 110,000 people, and we've done that in five months. We leverage products that Cisco create and deliver, so that makes it a little bit easier. And Adobe, we've done it in seven months and we glued and hodgepodged some shit together. Now, let me give you another little fun, entertaining fact, Mr. Wurthmann. When I'm on stage, one of the other jokes I tell people is I never like to get it. I get bored really quick. So if this shit's not moving fast, if we're not delivering stuff quick, I get bored and I tell people, there's no prizes for just deploying the thing or building the thing or delivering the thing. You don't go on stage and say, Hey, we deployed some Okta. No, anyone can do that. When we go on stage and we're like, oh, we deployed Okta to 300 apps in six weeks, now you've got someone's attention. So the ability to do something quick. So the thing I say on stage is I get bored that quick and never want to get involved with or lead any project where it takes longer to deliver that project than it does to make a baby. Pause for a second, I need to clarify, a human baby. And then someone said to me in the team at Banyan, they said, I think I got it wrong. It's not the making part, the making part that could be three minutes. It's the growing inside part. That's nine months. So I tell people this for a reason, nine months. If you take nine months or more to deliver value to the business, what happens from an executive perspective is you've not delivered visible value to the business. And what that means is when you start to ask for more funding for the next thing, they don't have the confidence.

Now, if you deliver something in five months or six months or three months, ideally three, and you're like, Hey, we've done our version one of this in three months, and now what you notice is no more passwords, no more VPN, some benefit to the business. We'd like to refine this more, and as we refine it more, we need some more investment. Well, you've already delivered some magic. Within three or five months, people now trust that you can deliver more, and they're willing to put their money in your gamble, right? Your bets. So while the joke is a little fun and entertaining and it gets the attention because you're saying something that's a little bizarre, the reality is you've got to think of how you're getting the funding. You've got to think of, are you building credibility? I have heard people say about IT teams across the world being too slow and too expensive. Okay, counterbalance that shit, try and do stuff that people visibly see as beneficial to the business and do it quick.

Aaron:

Yeah, absolutely agree. I really like the way that you nailed on that timeline too, because that's exactly the budget cycle too.

Den:

Yeah. Yeah. It's all based on money. I mean, you've got to prove that you're worthy of those dollars. You can have your CEO or CFO cut your budget every year, or you can play to their emotions and play to what's important to them.

Aaron:

Yep. All right. One more. Two more?

Den:

Yeah, go. Yeah, we got 10 minutes.

Aaron:

All right. How did you both transition into cybersecurity, and what advice would you give someone just starting out? I have my story, but let's go. You want to do yours?

Den:

Yeah, yeah, yeah. So I've been in the identity and access management game since the early nineties, so about '92. I ran basically the whole infrastructure and operations for a manufacturing plant as an engineer, a small company really. And then when I joined Adobe in 2013, they had what I'll say is a very famous event. And before then, security was dispersed. People that were doing security roles were all embedded within different teams. So there was no centralized team and no centralized strategy. So after that event, one of the things Adobe done was they put a leader under the CIO, so the equivalent of a CSO kind of leader, dotted line to someone who became the CSO. And ultimately, I was grabbed to move into that team, and then I took over teams that I had run before, which was the identity and access management stuff, all of the privileged identity stuff.

And then just continued from there. And at some point, my boss retired, Paulette, she retired, and they made me the leader of enterprise security. And that covered, I mean, shit, that covered engineering security, that covered labs, that covered source code, that covered code signing, endpoint, network, firewall, I mean just all of it, everything to M&A security, which is kind of then how we met, security strategy for high risk countries. And the CEO's airplane, which I learned it was 19 apps to run an airplane. But if you've got your CEO's passport details in these apps or some of these apps, then you're going to have to secure that shit. So yeah, it was a fun journey.

Aaron:

That's an interesting factoid.

Den:

I know a couple,

Aaron:

How did I get my start? So born and raised in Silicon Valley. My dad was a system operator before me, computers were around the house. From an early age, I didn't really think about tech as a career, it was just something I was around all the time. So I actually started as a graphic artist. I went to school for graphic design, and I was an office manager at a startup. The office manager job at a startup entailed the identity portion. So getting people set up in N, which is an old identity service on Unix, as well as getting 'em set up on the Windows identity service at the time, which at the time was Windows NT. So did all of those things at the startup, didn't really see going into security or IT as a career path, because again, I was doing graphic design as a side job.

And then at some point, one of the recruiters reached out and said, Hey, why don't you go and do the IT job, which entails all of these things at the startup, and I really wasn't interested in it. For me, there was a lot of autonomy in the office manager job. The receptionist reported to me and I got to build all the computers, so why would I want to go do the IT job? Full-time just wasn't interesting. And then she explained that there'd be more autonomy, there'd be more computer and tech stuff, which I was already familiar with. And then she explained the salary gap between the office manager and the IT manager role. And again, I was already doing the role. So for me, there was this, what's fair? So I was already doing the role, but I wasn't getting paid for the role, so why don't I just go get paid for the role that I was already doing?

So I went and did that, and that's how I actually got started as a technical person at that company. That was everything. That was network, that was IT, that was security. That was absolutely everything. And that's what I did throughout my career, as I would be at these startups where you had absolutely everything there was for the technical operations for the company. Every now and then, those companies would get acquired by larger companies, and those things would get split off from me. So security might be with some whole org, and then I would have just networking or I'd have just IT, or I would be in the networking org, or I'd be in the security org of the company and I wouldn't have IT, or I'd be a software developer at the company, and I wouldn't have any of those things. So as those things got split off, I developed skill sets in each one of those areas, and I developed opinions on how it is I felt like the interworkings between those areas should work. And I built this mindset that I just didn't feel like we had to have adversaries within the company, within the company against these areas. So security at most of those large organizations had this very adversarial mindset. They oftentimes would just treat people like the department of no and slow. At companies where I had security, or at companies where the CISO reported to me or I was the CISO, that wasn't part of the way I ramp.

Den:

And that's the thing is I think in our careers, because of the journey and the path we had, our opinion on what good security programs or good culture looks like, or good security leadership looks like, is actually based on us doing both of those jobs, either being on the receiving end of security, or bad security sometimes, and then also moving into leading these teams. I think that's part of what you pay for when you bring in an experienced leader. I mean, you've got to expect that you're bringing in someone who has that diversity of experience. So I know we're kind of up on time, Mr. Wurthmann. So

Aaron:

The second part of that question is advice. So I'd say build your experience, build your diverse experience.

Den:

Yeah. Look, it's interesting. You see a lot of people that talk about tenure. I've been doing this for 30 years, 30 plus years, which I have. But I think what's more important is the quality of the experiences. And I would say someone who's been at some companies for five years maybe has more diverse or challenging experiences than another company for 10 or 15. So let's keep that in mind. So Mr. Wurthmann, let's wrap this show up. Any parting comments? I mean, we said we're going to do this again, so we haven't figured out the frequency, certainly we don't have the time to do it weekly, busy bees, but I think maybe monthly we'll jump on this one. So over to you to close us up.

Aaron:

Yeah. Well, first thank you for those that were able to join live. Thank you for those that submitted questions. For those that weren't able to join live, obviously this is recorded, so it'll get reposted on our various outlets. 909Cyber, Cyber909. Those names are familiar, or those names are similar on purpose, Den?

Den:

Yep. Yeah, I guess it's called Lack of Creativity.

Aaron:

For those whose questions didn't get answered, again, they're on the wheel. They will get answered. We do appreciate you submitting the question. Like I said, there were 50 something questions and they just spun around on that wheel.

Den:

Okay, thank you. Well, hey, look, Aaron, thank you for your time. Audience, we appreciate you and your time. For those of you watching, please, oh, let me do this. Oh, like share, click whatever that nonsense, and yeah, spread the word. If you found this valuable, please share that with your friends or colleagues, and hopefully they do too. Aaron, thank you very much, sir. We will catch up with each other, I guess, shortly this week. Yeah, and thank you everybody, once again,

Narrator:

Thank you. Thanks for listening to Cyber909. Subscribe wherever you get your podcasts, and don't miss an episode of your source for wit and wisdom in cybersecurity.
