Transcript
Narrator:
Welcome to Cyber 909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and Cyber Aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions and analysis you won't get anywhere else. Join us for Cyber 909, episode 15 with Jake Bernardes.
Den:
Hey everybody, welcome to another episode of Cyber 909, our adventure into the world of podcasting. And each episode I try and dig up some exciting guests and I've got Jake Bernardes, he is one of my friends from our CISO Society group. There's a lot of CISOs hiding out in there and also, though, he is the host of the Risking It All podcast and he's a seasoned multi-CISO. So Jake, welcome to the show, and why don't you introduce yourself so I don't screw it up any more.
Jake:
Thanks Den. Thanks for having me. Hi everybody. I host a podcast myself, Risking It All, in asset life, which is similar, I suppose, to this one, but focused more around the people and topics that underpin people rather than anything security or leadership related. We often talk about diversity, neurodiversity, what leadership means, that kind of stuff. I am the CISO at anecdotes, which is a GRC automation platform specific to enterprises. Prior to that I've been at a number of places. I also hold a few advisory and fractional CISO roles and try and keep my hand in as many different places as possible. Our industry has got so broad that it's the only way to really stay on top of being somewhat relevant.
Den:
Yeah, it sounds like you're a busy guy. I mean, we will put your LinkedIn profile in the show notes, and having run through that myself I was like, I don't know what this guy hasn't done, really. Now, I can see behind you that's not a virtual background. That is a real live room and it's dark outside. So Jake, where are you based? Because
Jake:
Sunny
Den:
For me.
Jake:
Yeah, I'm based in the north of the UK in quintessential England. I live near Chatsworth House, which is the house from Pride and Prejudice for those who are literary fans, in quintessential kind of rolling chocolate-box thatched cottages and black-and-white architecture and that kind of stuff. But I've lived here and worked in the US for well over a decade now. Also lived and worked in the Far East and China, in the Middle East and Jordan, we lived and worked in the US as well for a while. So been around, I think I've seen most continents. I haven't gone out to the Arctic and got very cold yet. But yeah, otherwise definitely don't have the standard sunshine in the background. It's really cold here right now.
Den:
Yeah. So yeah, for those that don't know, I'm in sunny California. At the time of recording it is just after nine in the morning for me. That means it's just after 5:00 PM for you, and it's January, which means for me it's nice and sunny. And for you it's shedding cold and dark. It's dark and miserable early on, right?
Jake:
It got dark about 3:45 I think today. So I have the double-edged sword of working for an Israeli entity with a strong US presence as a CISO. As every CISO knows, half support the go-to-market motion, half support the product. So I have early morning in Tel Aviv and late night in San Francisco, so it's kind of inescapable at times. The middle of my day is most people's evenings, weirdly.
Den:
Yeah. Well, let's dig into that shortly. I'd love, so from an origin story, why don't you share with people a little bit about the background of Jake, what got you into cyber and technology, what was that inspiration? And I'm guessing that was probably a few years ago. You look like you're still 12, which is a blessing, I guess.
Jake:
I did shave today, but I'm nearly 40. Look, I don't think any CISO or cybersecurity lead has a normal or a standardized story. I don't think it exists. And I think for me it's normally abnormal. So I grew up around computers. My dad was big into them. We grew up building our own PCs and I remember having an Amstrad where you could flick from the Mega Drive to the PC, which was Windows 3.1 for those who are as old or older than myself. I remember playing with the ZX Spectrum and playing Dizzy the Egg and turning over the cassette. And I remember those days, not just building stuff but wanting to break stuff. I always inherently wanted to try and cheat, not because I found the games too hard, but because I just wanted to try and do stuff that it wasn't supposed to do. And I think if you find people who are in our industry, that's somehow inbuilt into our nature, we want to find a way to break stuff and rebuild it.
We want a Lego kit and to build the stuff that's not on the picture. So I grew up very much in that mold. I actually ended up at university studying Chinese, so a completely different thing. And then worked in technology at IBM, then onto KPMG where I spent a lot of time in commercial-type technology roles, consulting, deal advisory, kind of that kind of stuff. And then ended up going back into pen testing. I was offered a position that said, do you want to try and see if you can do this Hack The Box, because we're trying to look for people to cross over. Did it and found I actually had a talent for it. As I said, growing up around computers, Linux wasn't foreign to me, I was able to utilize Kali and able to demonstrate how to do this stuff. Went into pen testing, followed pen testing to consulting.
Went from KPMG to NCC Group, which was a massive player in the UK and Europe at the time. Sent me all over the world, all over Europe. And then, famously, I took a phone call, two kids, my daughter had just been born, and I got a phone call saying, can you do a project? And I said, yeah, sure, where is it? And they said, Amman. And I said, fine. Got off the phone, spoke to my wife, went, I dunno where Amman is. And I'd just agreed to a one-year seconded project in Amman, Jordan in the Middle East. So ended up going there and spending, gosh, quite a while with my wife and two kids living in a suite on the Dead Sea, which was nice. And then got straight away sent to the US, firstly to a company in Irvine. So without giving away, a credit checking agency, which isn't hard to Google and work out.
And then spent a while in Salt Lake also doing consulting. And I got really into the startup world there. So I became a vCISO, going into early-stage startups in Silicon Valley, Milpitas, Bay Area type places, Mountain View, helping them build security and compliance programs, trust centers before they existed. And then hiring them their first security people. And then I did that a number of times. I then did a test on a company called SQL MemSQL, now called SingleStore, hacked the company, sat in the CEO's chair and said, you should probably hire someone to fix your security. I literally picked up a backpack from Starbucks and walked through the door and tailgated, sat down and said, you should fix this. And they said, yeah, do you want to do it? And that was it. I left consulting, took a head of security role and from there have transitioned between companies doing that over and over again. And in the meantime I, I suppose I do a lot of speaking and podcasting mainly. I'm probably like yourself, you realize that being opinionated is an art. Having opinions on things is more relevant than not, and I like to tell stories. So yeah, here I am.
Den:
And that's a journey. So I picked up on the learning Chinese at university. What got you into, of all the languages in the world, because in Europe, right, normally we'd learn French and German in schools. So what got you into Chinese?
Jake:
Yeah, it's another random story. We're going on a religious tangent here, I'm afraid. So I'm a member of the Church of Jesus Christ of Latter-day Saints, otherwise nicknamed the Mormons. And I actually served a voluntary mission in Germany when I was 20, spent a couple of years there and learned German almost by accident. That's kind of what you do. You learn it as you live there. And I thought I was horrendous at languages at school, absolutely awful, failed them, and then found, actually, I quite liked the learning-a-language thing, got quite good at it and thought I'll go and just do the one that sounds the hardest. So that literally is the honest answer to why I ended up learning Chinese. I picked the hardest language I could think of and decided that would be a good test. I think that translates through, I'm on a tangent already, but that's probably my arc. It's a personality trait I think you find in tech and particularly in cyber again, this desire just to find something that's a harder problem that seems unsolvable and try and solve it. If that's not the way that we're built and the way that we think as security practitioners then I think we're in the wrong space. Our lives are pretty much orientated around problems that probably aren't our problems, that just became our problems, and trying to solve them.
Den:
As I was building my career, I'd quite often get assigned the things that people had failed to deliver before, and it was like, give it to Den, he'll do it. And not that I was, because I tell you what, I would never regard myself as a technically gifted engineer as I was growing up, but I had the ability to find the right people, come up with the right plan and quite often break the rules. For me, getting shit done sometimes just meant that I'm not following the same rule playbook as everybody else. I remember once Adobe asked me to lead service management and I hated service management, I thought it was bullshit. So for me, I'd love to get, I know a little bit of your opinion, I've watched some of your pods, so we'll get into the whole compliance equals security or not thing shortly, but for me I was like, service management is just someone years and years and years ago, especially when we were doing Sarbanes-Oxley in the early two thousands, it was almost like they're reading the book and they're implementing what's in the book rather than, we're running a business.
What applies from this book that makes sense for us? And when I took it over, I love marketing actually, it's funny. I'd say I'm very creative. I've got gear behind me that might suggest I am, but not famously creative because I'm doing this job and I'm not playing gigs and flying around the world in my helicopter and private jet. So my music's not that good. But the one thing for me, I look at the kind of curiosity that is vitally important in our gig. I also think that being a little bit of a rule breaker, like you said, you're gaming, right? It's like when you're tinkering with computers and you're seeing a game, you're like, okay, how can I break this? How can I circumvent this? How can I do something it's not meant to do? Social engineering, I love DEF CON and the social engineering village. I think for me that's always an inspiring place to go and sit for a few hours.
Jake:
So that was my specialty, I was a social engineer as a pen tester, I was never really into infra testing. I became quite good at manipulating people, at reading and understanding what the situation was, whether that's from getting a colleague who's female to have a pregnant belly and walk through a room, everyone opens the door for them. So I've done live stuff before at various security conferences where we've hacked people on stage based on their social media, done all that kind of stuff. I find that's a fascinating one because tech is tech. Anything is breachable with time, but the real interest and elegance is how can you break people? I think that's where it becomes a really interesting point.
Den:
And most people, I say this all the time, most people have a desire to be helpful, to do the right thing, and then there's also the, when under duress and stress, then how do people behave and what will they do? Because sometimes that's the,
Jake:
Yeah, we've done some terrible things in my time, but we've internally phished the CEO who had a pregnant wife and I, like, faked the hospital that his wife happened to be visiting to say she's being rushed into emergency care. Just to see, if you put in that point of inflection, how malleable do individuals become? I mean, when you really think about this, it's pretty dark, but that's the reality of the criminal world that we actually face off against, is that they don't have those ethical dilemmas that we often do.
Den:
Well, maybe at some point we get you back on the pod and we just dig into the darker side of life. I think that could be a fascinating conversation.
Jake:
I'd love to. As I said, the human psyche and how to manipulate it is something which really fascinates me.
Den:
Oh, and I realized this morning, I was like, shit, if we had an Irish person on the show today, that would be cool because I grew up learning all these jokes, which were like Englishman, Irishman and Scotsman jokes. I don't know about you, but I always got those jokes. I'm like, fuck, that would've been a great little pod we could just come up with. We could just share a couple of these jokes every now and again that we grew up learning. Probably half of them are not politically correct any longer, actually.
Jake:
I think they'd be canceled. I'll be honest.
Den:
We'd be canceled in the first half hour. So one thing, you've shared a few things in pods and on LinkedIn and stuff, so let's talk about the governance. You do work for a governance company. So actually, why don't you share a little bit, what does anecdotes do? What's their MO?
Jake:
Anecdotes is GRC automation. So this isn't new. You've got well-known brands in the SME space, like your Drata, Vanta, Secureframe, who kind of allow you to connect applications and systems to a single point, in this case the application, which then translates those into how they meet with SOC 2 or ISO 27000 or one of various compliance frameworks. Get rid of this problem that you have where you have to go and take a screenshot and show how you do something, or you answer a question. It's automating the process. What anecdotes has done is taken a concept like that but designed it for enterprise. So where most of those struggle to go upmarket because of various security requirements, whether that's around flexibility or customization of the platform, or securely written APIs. So all our APIs are custom, they're not open APIs, or around the fact of how you actually take that data and actually present it as real data.
So rather than just a green tick, here's the data, here's the JSON. It shows that evidence, which then allows us to go point to point. So from, let's say, your auditor is a Schellman or a Weaver, just because they're both integrated with the platform, you can take it straight from your application, from AWS, GCP, whatever it might be, Wiz, all the way through into their audit portal, which will be AuditSource or Fieldguide in this instance, straight through to the audit, meaning you never had to do that whole painful thing of answering 250 questions and grabbing the screenshots. It's about automating that process, but then it's about going deeper than that. So where a lot of people stop there, anecdotes says, well actually we've now got this data, this raw data that shows how we comply with these requirements. What else can we learn from that? How can we use that to understand deeper what we are doing as a business, what we're doing from a security, compliance and GRC stance, and actually mature on that, build customer requirements, build customer approaches, like interrogate the data in a way that other people don't. I mean, I was a customer first a couple of times, so it was always of interest to me. I think the space is fascinating, but it's a different twist and angle on it, a different philosophy, and I always find that an interesting place
Den:
To be. And having been a customer, what do you think, I'm sure they pull you in. You mentioned this about the go-to-market and we can get into that shortly, but what would you see as an ideal customer? What makes a good customer for anecdotes?
Jake:
Ideal customer: cloud first, utilizing a solid and normalized tech stack, like I say. So when you've got vendors that everyone's heard of, the GCPs, the cloud security platforms, whether it's Tenable or Snyk, stuff that people know, Okta, JumpCloud. I think people who already have compliance requirements, so they have to follow SOC, ISO, whatever it might be, PCI, FedRAMP, HIPAA, but they also have a desire to get more deep into that. It's not just a checkbox exercise, it's a how do we become better. I think that's where anecdotes really plays. It's have the right tech stack, have the right requirements and have the right mindset. And then size-wise, really, like I said, mid-market enterprise. So anything from a thousand on the very bottom end, our sweet spot is probably around 5,000 people with a decent-size security GRC team, then we tend to always make people's lives better.
Den:
Yeah, it's an interesting market. I've got some friends that have their own companies that are playing in the GRC space. It is a fascinating market. It's a congested market though. I mean, I look at it, there's a lot of players, and as a buyer I think it's pretty hard for buyers to digest and understand which one of the myriad of options out there makes sense for 'em. Now in your role, I was the CSO at Banyan Security, then they were acquired by SonicWall. So I was the CSO there for a little stint and I actually really enjoyed, I mean, it was a really small company. I'd just gone from Cisco with a team of 300, a huge budget, all the way down to this little dinky startup and as you know in this world it's like you're grabbing for resources here and there and you're kind of making things work, but you're doing, I ran security, I ran IT, but then I was also part of that go-to-market. I was also advising the executives on the strategy for how to sell to CISOs as well. So what is it that you like the most in this role? Is it the speaking with customers and prospects and getting out and about and doing the go-to-market stuff, or is it the trying to make sure you're not getting the 3 AM phone call on a Friday?
Jake:
I think I've spent enough time in SaaS security that it's hard for me not to answer the former. Look, I get out of bed to build security and compliance functions that work, but I get out of bed to build ones that automate themselves, not just by technology but by people as well, that scale and work and function and can test and can survive the resilience tests. But what excites me is definitely the strategic stuff, that go-to-market, but it's both sides of that coin. It's the conversation around now and AI. What do we build, what do people really want? And if you look at the conversation we've had a lot recently, you look at SolarWinds and Tim Brown, who I've met a couple of times, he is still standing up in front of the SEC for the fact that he has parts of a security policy that was public that he can't prove that he was keeping, or they can prove he wasn't.
So I said, well look, let's take policies and let's dump 'em in anecdotes and be able to show in an automated fashion where we are complying with each control in that, and then advise on what people should do or what they should remove from their policy. That's interesting stuff, where I'm able to be involved in the strategic vision of what the product becomes. And the second side, of course I enjoy, there's a stress and a pain in sales, but I think there's something also quite enjoyable about it, in seeing that firstly you can portray and convey a message in a way that resonates and that people grab onto, but also to see that process through to the point that actually they go, you know what? We bought the product, it works. It actually solves the problem. There's something in that process end to end which is somewhat addictive. And so I think, yeah, I've definitely, I love the go-to-market stuff and being involved in that. It's definitely a part of what brings me into these companies.
Den:
I'm kind of similar. I mean, I look at it like the whole let's-run-the-security stuff. I mean, I love that automation building. I think a lot of people think if they automate themselves out of a job then they don't have a job. Whereas I'm the absolute opposite. I'm like, if you automate yourself out of a job, then you tend to be given more, bigger, better jobs.
Jake:
I think there's two parts to that. I think firstly I agree wholeheartedly and I've always told my team, look, I pay you on what you do. If you do it in 12 hours or two hours, I don't care. I pay you on what you do. So solve the problem in a smarter way and go snowboard, I couldn't care less, or we'll find something better for you to tackle or something more interesting. But also there's this fear which people just don't understand. It's like, AI is going to get rid of us all. The complexities of AI implementations are not going to get rid of us all. They're going to just drive software engineers into more API-focused development. The reality is we both come from a small island, which at some point had massive power over huge parts of the globe. Now we've also seen multiple industrial revolutions happen inside of the UK.
Like, you look at near me, the cotton, when the cotton mills were mechanized, everyone thought no one would be able to work and that would be the end of industry and the whole of the north of England would starve to death. It didn't happen. What they did is actually found new roles and new positions and new industries for those people to leverage into. The same happened when coal collapsed. The same happened when factories mechanized the first time. The same happened when the internet came, or you keep going through these, but the reality is that survival is not about forcing or proving your relevance. Survival is about finding the next thing that demonstrates your value. Well, I say, and that's the same way I found it as a CISO, yeah, I can build and secure parts of the total organization, but when I want a pay rise or I want to prove or evidence my value, I'm going to talk about the sales cycles I sped up, the pipeline I brought in, the customers I helped retain, the ARR I helped deliver. Those are things that you find that you can identify, where can I show value regardless of what my role is or what else is enforced. Like, security is getting more automated, but it doesn't mean that we don't have a relevance as a role.
Den:
And I mean, I do a lot of coaching and we have similar conversations. There's two things. One is how did you help the business move faster, and how did you help the business make money?
And when companies are selling to these businesses, I always try and tell the salespeople, stop trying to tell them about how your stuff is better than the other stuff. Start to share with them how you can save money, because the features and functions, you might want to check that they meet your minimum requirement, but at the end of the day, these features and functions across 10 different vendors could be quite similar. If you go in there with a conversation and you're like, hey, if you partner with us, first of all use words like partner, if you partner with us, we can help save you money here, here and here. We can help with this consolidation. We can help reduce these operational costs, and at the same time we happen to reduce your risk, and a good CISO who knows how to be a good buyer will understand the importance of that stuff.
Jake:
I mean, that's always the question, right? If I'm buying a product, my question is what problem are you helping me solve and how are you helping me solve it? And if the answer is technology, this is just cooler, it's because it's better, bigger, faster, stronger, I want to know, are you helping me free up people's time to do something else? Are you helping me to basically automate? Are you helping me to increase our efficacy or impact on the wider business by integrating with more parts or processes across the business? What are you doing for me and my team? And I think you're right. If a good buyer doesn't have that skillset, then they're just buying based off what the latest fad is, and at that point you end up with a ton of tools that aren't properly implemented and aren't really doing anything.
Den:
Yeah, no, exactly. Now I wanted to dig into this compliance equaling security or not equaling security. What's your take on that little debate?
Jake:
They're different things. They're totally different things and they always will be. For me, I don't think either one is less or more important than the other. That's the part where I'm strong and I think people disagree with me frequently and tell me security is what matters and compliance, the reality, that's just not true. I think compliance is Babel, right? The translation thing that you can speak into, it gives the language. I think compliance is, to a degree, Babel for security to speak to buyers or investors or the stakeholders, and let me give that context. Compliance is sales enablement. That's the truth and it's for every business, not just for security companies. You have to say we're SOC 2 certified, everyone does. You want to sell services to healthcare, you need to be HIPAA certified. You want to sell to the US government, you need to be FedRAMP certified. You want to sell payment services, you need to be PCI certified. And outside of tech completely, there's ISO 9001 for quality standards. There's so many
Compliance standards. What it does is demonstrate that you've done crap, you've done stuff that people can understand in a single document that they can take and ingest and go yes, box ticked, whatever the hell you want to say. It's sales enablement. That's what compliance is. Compliance and security are different things. Security is about how do I stop me getting hacked? How do I protect the business to make sure that the cyber insurance policy I just signed, that I stand up to what I said I'm going to sign up to? How do I protect the people, the process and the technology of this business that I'm responsible for? Compliance is how do I help sales, in any business, not just tech and not security. How do I help 'em go to market? How do I make sales cycles faster and more efficient? They're different things. You look at a trust center. A trust center, which is probably the epitome of compliance. Yes, it's a representation of your security posture, but its purpose, it's nothing to do with security. Its purpose is to enable procurement. We have to be able to understand that, and so many CISOs get tangled in knots with this whole thing. The reality is they are both different. They are both important. Yes, there is some integration, some intertwining, but they have completely different purposes.
Den:
Yeah, and totally agree. Do you see, so I think of compliance as exactly as you said it. It's really to build confidence, it's to let people know that you're doing certain things which are depended upon. I also know a lot of programs where they get the SOC 2, but literally the quality of the auditor isn't that great.
Jake:
Oh, right. We're in a different conversation then and we could go for a long time. So I possibly did a post recently and I will continue to. So saying that I think SOC 2 is now too wide. It should be more expensive and harder to get because it's become completely meaningless. There are vendors who don't, they're telling, if you look at the world that we've drifted to, the SOC in a box, if you've seen my post and comments about it, this idea that you can now get a platform and a vendor to do a SOC for like 10 grand, it's killing our industry, because that person has such little time and such little value to make profitability as an auditor that they're giving junior people minimal hours to check stuff which they don't really understand. And you'll then gain no value, that SOC 2 is meaningless. So then people are devaluing the SOC 2 and saying it matters for nothing. Well, it does matter, but the reality is that the person that tested it and the things they've tested mean that now that one specifically doesn't matter. We need to try and change this. I think it's happening, but it's taking time.
Den:
And I think that's interesting because, I mean, we do this, right, help companies achieve their SOC or their ISO or whatever they're chasing, but the price point for us to make it worth our time to do it, we'll do our piece of the puzzle, but we're acting on the client's behalf. We're still bringing in the auditor, we're still going to bring in the pen tester if you need to do a pen test, we're still helping them. If they need to fix things in their security program in order to achieve it, I think there's different players in the game, they'll do a different quality job, but at the end of the day, people just want to get SOC 2 at the lowest price. A lot of vendors, they don't care if the SOC 2 quality was brilliant, they just want the badge. I agree, I think. But I think a lot of this compliance stuff, I mean, in the industry, this is where checkbox compliance or checkbox security for me is kind of ruining the game a little bit. Now you mentioned something that got me thinking, so insurance, cyber insurance. I mean, in your experience, do you have any guidance for people that are looking to obtain cyber insurance? What's your take there?
Jake:
Gosh, look, I'm known for opinions and I'm not going to back down from them. I think cyber insurance isn't worth the paper it's written on. You have to have it because, if you can't, it's the cost of doing business. You can't go and sell to a KPMG or a ServiceNow or a major tier-one bank if you don't have cyber insurance, right? You've got no chance. But the reality is I don't know anyone who's ever successfully claimed against cyber insurance, because every time something happens, somehow there's always something you didn't do, right? Look at, like, let's go back to SolarWinds, Tim Brown, SEC, or let's go to Joe Sullivan, Uber, two really famous people I've had interactions with recently. Both of them got caught for a single instance of a voluminous procedure, but you can't have everything right all the time. It's not possible. And cyber insurance will always find that one time that you didn't do it and therefore it's void. So yes, you have to have it, and yes, you have to answer their questions to get it and you have to demonstrate security posture. And is it helpful to be able to do that in a specific certain way? Yes, but the reality is cyber insurance is probably like any other type of insurance. They will fight tooth and nail to not pay you a dime and they're pretty good at it.
Den:
Yeah, I lump that in with your car insurance, like your house insurance, like any insurance. And then I actually lump that in with a lot of founders and CEOs don't want to spend the money on cybersecurity and IT. So sometimes the role of a CISO I think is getting a little more concerning these days because, and I've had this conversation with CEOs about the role of a CISO, and actually Tyler, another CISO Society member, a friend of mine, he'd done an article recently and we had the conversation in the podcast about just the role of the CEOs, and well, the role of the CISOs and how the CEOs aren't really enabling CISOs to do their job. So where do you see, I mean, CISO, you're a virtual CISO or fractional CISO, where do you see the evolution of our role in the industry in the next five years?
Jake:
I think there's two parts to that. So I think there's a lot of noise right now about the fact that CISOs will die out. I think that's nonsense. I think there's always going to need to be someone in that chair. I think maybe the role and scope of it changes. Maybe it becomes someone who becomes an internal advisor, almost like a legal counsel to the business in terms of what you should do and how you should approach things as security gets interwoven throughout the business. But I've worked at a lot of startups. I've had conversations in the last few days, as I do every January, but this year we've got to do more with less. Targets are higher, budgets are down every time, and it's not just me, it comes across the business. So I think that you can throw your toys out of the pram and start to say, look, I don't get the money to do what I need to do.
I don't have enough, and therefore it's all your fault, Mr. CEO, you're an idiot, blah, blah, blah. Right? The reality is that that just can't be true. Part of the conversation we started having is you have to be smarter in trying to find creative solutions to problems. And if you have less budget, your question to the CEO should be, how much do I have? Okay, fine, it's X, whatever that is, less or more than you expected. What are your priorities for it? Security, compliance, GRC, and what do you expect from me? If I fulfil those three things, I've fulfilled my requirement. Those were documented, hopefully, and that conversation: this is what I'm supposed to do, I did it. The second part of this problem is the fact that CISOs have an ego issue right now. So there weren't CISOs really 10 years ago. The first one, you're talking about mid noughties, and we've grown up from being managers to being C-level executives like this.
You look at the common route for a CRO, how many rungs of a ladder are they going to go through? A CMO, a CTO, a CPO? These all come through strategically well-known paths. You do this role, then this one, then this one, blah, blah, blah, right? CISOs just seem to appear, and I don't think we have the eloquence or the elegance to sit at the ELT a lot of the time. A lot of the time we sit there and we can't speak business. To your point, we've had it already. We should be able to say, this is why I give the business, this is how I enable revenue. This is how I protect against customer churn. This is how I help us develop strategic offerings. This is how I'm helping the business grow and go forward, whatever that growth looks like, whether it's tech or not. But most of the time you're a CISO saying to finance, this is the hypothetical risk I protected you against. This is the money I need to be able to protect against this future hypothetical risk. It's very hard as a CEO to say, I'm going to give you a hundred thousand dollars protecting against a risk that may never happen, and then I'll pat you on the back for protecting me against the risk which didn't happen.
We've got CISOs who just aren't good. Often they don't deserve their seat. And I say that myself, I've had to learn business. Most lessons I've learned, I've spent in the go-to-market functions, as a field CISO and in go-to-market, understanding how business really works. So I can sit at the table and speak about strategy, which isn't just protect, deny and stop, because that's generally what CISOs have as a word in the boardroom, and that can't be what we speak about. Otherwise we're completely pointless. Why are we there?
Den:
Yeah. Yeah. And that's the thing, is it really, I agree. I mean, it's a transformation of, it's really a business role as opposed to a technologist role. You're the leader of a business unit within an organization, like any leader. If you want to be on the ELT or report to the CEO or in some way have input into the strategy of the business, then you're going to have to elevate your conversation. And like you, I learned traveling around, speaking to a lot of customers and prospects, speaking at events and interacting with a lot of CEOs and other CISOs.
If you're trying to benefit the business, you don't have a choice. You actually have to learn what it means for that business to be successful and what their strategy is. And then you're overlaying, okay, how do I spend the money? The one thing I'd always say as well is being really transparent on what you're able to do for the budget you have and what you're not able to get to, and allow that conversation to take place with your leader or with other executives and sponsors in the business. Because ultimately what I think might be important, or want to get to and reduce risk, is great, but it could be that it's a little bit less on that and a little bit more over here, and that one shift is enough to propel the business further forward. And you may not have known that unless you'd had the business-level conversation.
I love to talk about strategy with people because I think, and it depends on the organization, the size of the organization and stuff, but I think a lot of enterprise organizations get the strategy wrong because they're so focused on spending money in all these different program areas. They've done a SANS course to learn about the top 10, and then they're like, okay, I need to spin up a program about this, and that shit at the end of it is just me seeing people throw money down the pan. They end up with more tools. So tool sprawl for me was another one. I'm like, companies spend so much money on tools, they don't deploy them properly, then they don't reduce the risk, and all they're doing is throwing money down the pan.
Jake:
And I think that's one of the blessings and curses of spending a lot of time in startup and growth companies, as I have, is you don't have crazy budgets for tools. I can submit it every year, but I'm guaranteeing it's getting halved by the time it actually gets agreed and signed off. So it's more about thinking, how do I actually focus on building a security-centric culture? How do I focus on building processes that work, and how do I focus on making robust strategy decisions? So what am I going to do that's going to get me to what the CEO's priority is, or what good looks like, in the most simple and cost-efficient way? It might be the most elegant, it might be the most high tech, but it'll get us there. And that's always where it comes back to. And in different companies, we have different priorities.
We have to demonstrate different things. If you look at, like now I'm in a GRC company, so right now we have to demonstrate best-in-class GRC, right? We can't sell a product and be crap at our own business. I came from W, which is a vendor risk management tool; we had to demonstrate best-in-class vendor risk. Whereas at anecdotes that's less important. We just need to make sure we do enough in vendor risk; at W, we needed to do enough in GRC to sell. So where you are, and the emphasis upon where you focus your resource and the strategic decisions you make, depends on what you're trying to achieve and who you are trying to be ideologically as a business and as a function.
Den:
And yeah, I think most CISOs, if they're not already, they should be thinking about their role in the sales cycle, being how do they demonstrate, certainly if they're a product company, but mostly, so as I know, like their team, and we would do this at Adobe and Cisco. We'd have our people at conferences doing talks on the cool shit that we're doing internally at Cisco. I mean, when we deploy Cisco's own technology, we're sharing with customers and prospects how we deploy the technology, how we automate, how we integrate, what does that internal team do. And then a startup like you and I is the same, but I think the stakes are higher. You've got to be, you're being your customer zero. We ran the customer zero program at Banyan, so it was great for us to show people how we deployed the technology internally, how we leveraged it as part of audit and compliance work, because we used that for a lot of the evidence.
We automated a lot of it. So I think that kind of ability to show the internal workings of your team is fun. I mean, I enjoy it. I think a lot of CISOs, they don't like talking, a lot of them that are really tech heavy. They don't like talking to a lot of people, and I've worked a lot with them and hats off to them for their tech genius and shit. But the reality for me personally, I enjoy going out there and meeting other CISOs. I enjoy that network and I enjoy hearing how they're successful and sharing the successes or the lessons learned. Now we're kind of up on time. Jake, if you're going to leave the audience with one little takeaway, one lesson you think they should learn from all your years of wisdom, what would that be?
Jake:
Well, it's one of those things where you should prepare in advance and think of something insightful. But I think, look, it's a bit of a cliched phrase on t-shirts, but let me give you some context. I think it's being uncomfortable and being happy. People say get comfortable being uncomfortable, but I think it's more than that. I think it's be happy being uncomfortable. I think if you want to succeed, particularly in tech and in cyber, our role gets broader and broader and broader every year and our knowledge can't get deeper and deeper and wider and wider. So you have to get not just comfortable, but happy, being uncomfortable, and then find ways to be creative and solve problems. I think that's the key. If people are willing to kind of put themselves in places that feel completely out of their depth and flourish there, not survive but thrive, then I think that's the biggest lesson you have: make yourself, or develop that skill, so that I can say I'm comfortable looking at something I don't understand, that looks horrendous, and just working through it step by step and solving that problem to deliver whatever that business outcome is at the end.
Den:
That's excellent. Thanks Jake. And look, I really appreciate you staying up. Well, not staying up late, it's not too late.
Jake:
Not quite bedtime yet.
Den:
It's not even six o'clock yet, but I mean, God, man, go back to how dark it is outside. It looks late. But yeah, I truly appreciate your time. Thank you very much, sir. Can't wait to see you in person one day in the future. Hopefully you're back stateside at some point soon, maybe at some security conference, I'm sure.
Jake:
Whereabouts are you based specifically in California?
Den:
Oh yeah, San Jose.
Jake:
Okay. I'm back for RSA, probably. I'm in LA in February, but that's a bit far south.
Den:
Oh yeah. Well, I was meant to be in LA next week, and now we're going to be there in March due to the fires and stuff. So it's crazy what's going on down there at the moment. Definitely. Yeah. Alright. DEF CON, Black Hat, all the usual places with the usual suspects, so hopefully we can catch up. Thank you, sir. I appreciate it. Folks, if you like the show, please like, subscribe, and also, yeah, a plug for Jake's show, because I've been listening to this one, so the Risking It All podcast. We'll put the link to that in the show notes as well. Jake, thank you very much. Thanks for having me.
Jake:
Been a pleasure. Thanks.
Narrator:
Thanks for listening to Cyber 909. Subscribe wherever you get your podcasts and don't miss an episode of your source for wit and wisdom in cybersecurity.