Episode 34 General Full Transcript

(Security) Perception is Everything with Douglas Marzano

Douglas Marzano  ·  July 9, 2024

Speakers: Joe Patti (Host), Adam Roth (Host), Douglas Marzano (Guest)
Joe Patti00:05

Welcome to the Security Cocktail Hour. I'm Joe Patti.

Adam Roth00:09

I'm not Joe Patti. I'm Adam Roth. You are Adam Roth. How are you doing today, Adam? As I was saying right before we recorded, I had to wake up very early in the morning and then I went to sleep and then I woke up to a woodpecker making a lot of noise.

Joe Patti00:29

Well, that's what happens when you're in Staten Island. At least it wasn't the turkeys this time. This time we got a woodpecker, though. That's much more annoying. Turkeys, foxes, hawks, whatever. All sorts of stuff. Okay. Well, we're not doing a nature show here. We have another fabulous guest, a veteran CISO who, I don't know, maybe he's a vet on the side, but I don't think so. Someone I've known for a long time. Doug Marzano. Doug, how are you doing?

Douglas Marzano00:55

Doing very good. Thanks for having me, Joe and Adam. Really appreciate the opportunity to be on your podcast.

Joe Patti01:02

No, we're glad you could make it. And I'm glad you wore black. You're definitely fitting in the spirit of things here. So well, well done.

Adam Roth01:08

It just shows we're like all like, like in phase or whatever. So that's cool. Give me, give me a second. I'll come right back. I'm going to put on a tank top.

Joe Patti01:17

Please, literally, please keep your shirt on. Okay. Okay. All right. Um, so Doug, why don't you tell us a little bit about yourself?

Douglas Marzano01:26

So I'm an information security lifer. My first job was literally resetting passwords. Over the course of my career, I've worked my way up every information security role that you can imagine, except forensics. I was eventually the deputy CISO of a large French bank. And then for 11 years, I was the CISO of a large FinTech firm. Yeah, so I have tons of experience. I got into cyber security after I saw a movie in 1983 called War Games with Matthew Broderick. He was the geeky kid who hacked into the Pentagon, got the pretty girl. I said, this is something that I'm definitely interested in, and the next day I took over my sister's Commodore 64, and I installed a program called ToneLoc, which would war dial and look for modems that offered a command prompt, and then I would do password guessing, and I started that way, and I never lost interest.

Adam Roth02:43

Hey, Doug, have you hacked the Pentagon yet?

Douglas Marzano02:46

No, I did not have the guts for that. Probably smart. Not knowingly.

Joe Patti02:55

Yeah, you know, we talked in the past about, you know, famous hacker movies and stuff. And we, you know, have told people it's like, you know, like war games. OK, you know, Broderick, pretty, pretty dorky back then. But like, you know, don't don't think you're going to look like Hugh Jackman and have a, you know, Halle Berry chasing after you like in Swordfish.

Adam Roth03:13

That's not very realistic. What are you talking about? That's so true. Well, except for you, Adam.

Joe Patti03:19

Oh, yeah. I know you got women chasing you all the time, but the rest of us live in the, you know, chasing because they owe the money. All right. So yes, Doug, you are quite the seasoned CISO, the Chief Information Security Officer, which is, you know, we've talked about that before. It seems to be a job that some people aspire to as the pinnacle of their career in security and others run screaming from. But it seems like you're running right into the burning building of the CISO position for most of your career.

Douglas Marzano04:00

Yeah, absolutely. I think, um, when you've been in every role in cybersecurity or information security or data security, what it was first called, uh, when I was, when I joined, I think it's just a natural progression. Um, and I don't think that you fear the role. I think it's interesting how, you know, we were once the lab rats in the back of the room typing on our computer and now we have, um, time with the board of directors, and there's a lot of pressure on us, as you've seen in the newspaper, if you don't do the right thing, you can literally get prosecuted.

Joe Patti04:39

Wow. You're so relaxed. You're so chill. Did you start drinking before this? I mean, you know, I was going to introduce the cocktail, but man, wow.

Adam Roth04:49

You've got like a real Zen quality to you. That's awesome. No, there's a new law. You're required to take some kind of anti-anxiety meds. If your title is CISO now, it's actually a law.

Joe Patti05:01

Here's our anti-anxiety med for this episode. So what have we got? It's always guest choice.

Douglas Marzano05:07

So I chose the Moscow Mule. And if you go to, I think it's my wife got this at Home Goods, I believe. It's a pre-done mix. You pour some alcohol in it, you know, vodka, and then you add some water to dilute it a bit, and you have a perfect Moscow Mule.

Joe Patti05:28

All right, well, I guess you did the, I don't know, the easy thing. I tried to be high tech and ask Jack GPT, how do you make a Moscow mule? As I was walking into the liquor store to get prepped for the episode and do the shopping for this. But in any case, cheers everyone. Salute.

Adam Roth05:47

I feel I should have total disclosure. I'm one of those guys that didn't follow the rules and I got blue nectar tequila. And I know we're doing two podcasts today, so I'm rolling straight through. I'm drinking from now until then.

Joe Patti06:04

Well, just be careful because, you know, the cocktail for the next show is actually going to be margaritas. So don't don't run out of tequila. That's all you got for two shows. You know, you don't want to insult our next guest.

Adam Roth06:15

OK, look, my my role is to insult the guest and your role is to But, you know, it's funny, we bring up the issue with, you know, now CISOs can be held accountable for malfeasance and other things. You know, laws are constantly popping up now, whether they're local like New York state laws or federal. And some actually are part of the, and obviously can't be prosecuted for framework, but some of them pop up now for frameworks. Like if you don't do this, you can be not, part of a membership if you don't adhere to this and only adhere to that. But stockholders are holding people accountable and so are bodies of government. If you don't do the right thing, if you didn't take certain steps to protect the data or a breach, you can be prosecuted, like you said, Douglas.

Douglas Marzano07:15

Yeah, it's, you know, I know we're jumping into a good topic right away. You know, I think it's very important, you know, when you are a CISO and your company is publicly traded, you are signing off on the 10-K. You are saying, hey, to our investors, we are a secure company. Now, every CISO knows that you run a vulnerability assessment and you have 10 million vulnerabilities across your environment. How do you articulate that to investors in a way that's completely transparent and completely honest, but not alarming? Because as a CISO, you know if the risk is valid, perceived, or real. And I think in some of the cases that I read about, the 10-K did not specify that. And there were audit reports and scuttlebutt between the employees, you know, talking. Hey, our infosec program stinks, or some more colorful words there. And when the regulators got a hold of that, they said, hey, CISO, how can you sign off on a 10-K knowing that you do have these risks? And by the way, you also sold some stock right before a breach, so...

Joe Patti08:45

Well, selling the stock right before, that's a tough one to get out of. But otherwise, you know, I mean, it's so difficult because, and you know, knowing some of these cases also, how to separate the things where there really were a lot of problems from what there weren't. Because the truth is, you know, we do risk management. Everybody has vulnerabilities. Everyone has issues. And everyone has people in their company, and especially on the security staff, particularly the younger and inexperienced people who say, oh, we have this. It's terrible. We have that. It's terrible. There's always stuff to fix. And that's what really worries me about this liability stuff, because of the nature of security and risk management. There's always something you can point to that you said should have been fixed. There was a risk. You know, the 10-K or the disclosures and everything. Yeah, did you, in the three lines you were allotted, really express what the true state of things was, where you are on the scale of lack of perfection?

Douglas Marzano09:50

You know, I think it's really something to the effect, and legal always approves it, of: just like every organization, we do have our share of risks that we effectively manage through several different committees. I think it's stated that way. But going back to, Joe, what you mentioned about every organization has X number of vulnerabilities, and I mentioned that as well, I think it's really important for a CISO, and this is not easy, to articulate to maybe junior staff, but also non-technical risk teams, the difference between perceived risk and real risk. So you could run that vulnerability assessment. It could come out with 10,000 vulnerabilities, but you know that you're only really exposed to a very, very small percentage of those. And then even the ones that you are exposed to, you have so many layers of defense in front of it that the risk is really, really low. However, they are still looking at a report that says you have 10,000 vulnerabilities, and then taking that and articulating it in a way that people feel comfortable with. And if you don't do that, you spend more time mitigating perceived risk than real risk. So you could wind up actually being compliant and doing their perceived right thing, but being less secure because of it.

Adam Roth11:31

I think it would be good to kind of discuss what a perceived risk is for our audience versus a real risk. And before we get into that, I mean, I agree with you, but I don't think a CISO's job is to resolve every risk. I think a CISO's job is to identify the risks and let the board of directors or the other C-level staff say, hey, do we want to spend this much money in order to protect against this? The reality is it might be 10% of a risk or 100% of a risk or 50% of a risk. And then the other question is, how do we defend against the unknown unknowns, the zero days? We could put in so many layers of security that might help protect against it. But how far do you go? So that's why it's important, I guess, to understand perceived risk versus real risk.

Douglas Marzano12:27

Okay, I think that's a really good point. So first, I'll go into perceived risk. A lot of times when you're running a vulnerability assessment, you will have an agent on a particular host that will actually enumerate everything that's on that particular host and then come back and tell you this is vulnerable, that's vulnerable. And the reason why you have an agent on the host is because you'll get the most accurate data as opposed to doing it a different way. It will come back and tell you, hey, you're running a vulnerable version of Apache on that particular host. But you know that that service is actually not running. Or if it is running, you're not letting it through the firewall. And then even if you're letting it through the firewall, you have a really good endpoint detection product that's totally up to date, so you're really not worried about that at all. So you have really a perceived risk there, versus a real risk as if the Apache server was running, the Apache server was internet facing, it was hosting a critical business component, as opposed to not. And the majority, from what I've seen across my career, is the opposite. You are going to have controls or mitigations across them. And yes, there is the process where you could go through and suppress lots of different vulnerabilities, but cyber teams are overworked. It's really difficult for a cyber team to go in and suppress, we'll call them false positives, if you will, but not really false positives, because it's true, there is a vulnerability there. But how do you suppress all of these items and effectively manage it? You can't, in my experience. We're getting better now with APIs and whatnot, but it's not something that's easily done. Now, you mentioned something else, Adam, which I think is a good point. Zero days, right? Everyone can get breached, right? We've seen Microsoft get breached. We've seen the federal government get breached.
We've seen FireEye or Mandiant get breached, I believe, at certain points over the last few years. So what I went in and told the board risk committee is that we're not as smart as those organizations. You know, we don't have 8,000 people working on cyber, and they did, and they still had an incident. So we're going to migrate to an assumed breach model. Our model now is we assume that we will be breached. We're gonna do everything we can to prevent it. However, it's not guaranteed by any stretch of the imagination. So what does that mean? That means if someone does get in your environment, your goal is to limit them from moving around and putting enough bells and whistles around where you could detect them if they're there, to minimize the amount of time that they are in your environment. So I think as a good CISO, you really want to not be afraid. You know, it's a tough thing where you're going to walk in to a bunch of directors and say, I can't protect you as well as I would like. We have an assumed breach.

Adam Roth16:01

When I worked for Joe, and Joe doesn't like to talk about the fact that I worked for Joe. And by the way, like he said before, he inherited me. He didn't hire me. That being said, I've gotten thrown out of Joe's office at least twice for saying, Joe, I always assume we're breached. He goes, stop it, Adam. Not that he didn't take it seriously, but he's like, oh my God, you're giving me palpitations. You know, one of the things that Joe and I did put in place was deception technology. So that if somebody did breach us, there was a decent chance of them setting off bells and whistles by using passwords and usernames that were not real, that were triggered, that were connected. And I've seen other EDR products out there that also have the same kind of features these days. They call it IDP, Identity Detection and Protection. And the other thing I wanted to add to that is we had one CEO on here, and she was great, right? And her product does predictive analysis for vulnerabilities, kind of like we could predict the future. And it's a very interesting product, specifically for CISOs. So there's a lot of stuff out there these days.

Joe Patti17:23

Yeah, well there's a lot of stuff we can get into here, but I've got to put Adam in his place first and deal with that. Look, assume breach is a technique, it's an approach to building a program where you assume that you're going to be breached. You plan on it, you plan that your defenses will get beaten, and then you figure out, okay, you're planning in the future that we'll have to do things after this, and not just incident response. Like Doug was saying, you know, it's like we need ways to slow them down, we need ways to detect them inside, we need ways to make them more detectable once they're inside. You know, a lot of people think it's like, oh, you got a ransomware attack, you got the blue screen with the message and done, you're finished. It's not like that. Yeah, so it's an approach. Adam used to come into my office and say, Joe,

Adam Roth18:17

No, no, no, no, no, no, no. That we've been breached, meaning that somebody's there. They don't have to say anything. They're sitting in the closet in the corner and they're keeping quiet. I never saw the results of somebody being breached. I never had said, oh my God, they did this or did that. But I did say, yeah, guess what, Joe? I've been breached, I'm sure. And he was like, get out of here.

Joe Patti19:02

No, no, but here's the thing. And here's why I got so uptight about that is, you know, when you're in charge, you need to walk a very fine line with this stuff, seriously, because it's like, you know, someone said, and this is totally, Doug, you're right, this is totally perception. You know, I don't want to sit at the green table, or have to do a deposition, or something, and say, gee, have any of your employees ever told you that they thought, or given you any indication whatsoever that you might possibly have been breached, yes or no? Well, then I have to answer yes to that. And it's a bullshit question.

Adam Roth19:41

And I would have said no. I would have said no because it was more theatrical effect.

Joe Patti19:46

But I mean, the thing is, and this is what worries me about the liability and the notification. There is only someone saying that the sky is falling, without context. There are always... That was me, without context.

Adam Roth20:00

I had nothing to prove it. I just did it for effect. I know that's why I threw you out.

Joe Patti20:05

Yeah, you did it for effect. You're trying to try to yank my chain and it worked. Congratulations. You're welcome. So I think these things become very serious, you know, especially now. Doug is going to be the referee here between us. That's right. That's why we have guests.

Douglas Marzano20:25

I think if you look at it from a cyber point of view, every time there's something in the news, as a CISO, you will have people come into your office and say, are we protected against the same type of thing? Now that's, once again, taking away from the plan and proving that we're not. I think another point of the perceived risk, and I think I got this analogy from, maybe it's a Gartner report, but don't quote me on that, I believe it is. And the analogy, and forgive me if this analogy upsets people, the analogy that I told everyone is: assume you have a soldier on a battlefield. Try to enumerate all the ways that that soldier is going to be hurt. It's impossible. You'll never be able to enumerate all of the different ways that particular soldier may be hurt. What you can do is provide as much protection as you can, and then make sure you have the ability to get that soldier well again and continue your mission as quickly as possible. So it's difficult to spend all of your time enumerating threats. You do as best you can, but it's unlimited. You'll never know. However, cyber resilience is the key to assume breach.

Adam Roth22:00

So let's talk about a use case, right? And you're exactly right, right? You have a server that's already been sunset. It's a Microsoft server, no longer supported, no longer patchable. What do you do? You have a proprietary application you need to run in order for the business to continue. What can you do, right? Okay, you can do micro-segmentation. Of course, right? Because you know there's nothing you can do to enumerate every single thing, because there's already an infinite amount of possibilities. So you do micro-segmentation, only allowing source to destination based on all the ports. And you did some discovery and you're trying to figure it out. Then you have the access control list on your router and switch that protects anybody getting to that subnet. Then you have an EDR solution on there that might see anomalies. Then you have, you know, SIEM use cases: that much data has been moved. So you can do five, six of the top things to prevent 95% of all the issues. But you're right, you can't protect against everything. But as long as you are a CISO, directing your teams, your subordinates in the best possible fashion, using, you know, whatever you can within the budget to protect against it, then you've done your job. You cannot protect against everything.

Joe Patti23:22

There's one more thing you have to do that, in a sense, is the most important thing of all, is that if you have that out-of-date server, it can't be patched, which, you know, from a security standpoint, it's essentially radioactive. You want desperately to get rid of this piece of shit, but someone has told you, no, you got to keep it. We need it for the business. The world is going to end if we, but whatever, you can't get rid of it. That's where you need to invoke, I mean, that's where risk management comes from. I mean, that needs to be there on your risk register, where have you put it, and communicate it up to all the right people. I had a CIO once who called the risk acceptance the auditor's kryptonite. It's not quite that simple, but it is incredibly important to make sure that the people who need to be aware of it are aware of it. And you see, that's part of the thing that worries me too, is that that ain't making it to your 10-K. You know what I mean?

Douglas Marzano24:19

It's not, but you have that, you know, that note that I said, that every organization has risks and they're escalated and mitigated appropriately. Now I was reading an article, six steps to manage cyber risk, from Gartner. And one of the things that they stressed, and I found it very, very useful, it's kind of weird: you could talk to five people, say the same exact thing, but if you put a different frame on it, it has a totally different meaning, depending on the sunglasses you're giving the person to wear to look at it. Now, instead of saying something like, you're going to risk accept this. You're the business. You're requiring me to have this server. Therefore, I can't protect against it. Therefore, it's your risk to accept. You know, right away that doesn't feel collaborative, in my personal view. It feels like, this is what it's going to be. So, you know, what I got from that...

Joe Patti25:28

Don't put it to him like that. I mean, your job's not always good. You got to romance him a little bit.

Adam Roth25:34

Come on, you know. Douglas, we're not here to make friends, if we're going to say so. We're here to give the bitter reality of what it is. And if they don't like it, they can't accept it. It doesn't mean you have to be everybody's friend, but you can work collaboratively with them to resolve the issues if they're going to accept it. Hey, we'll accept it for today, but this is the plan I have to fix it in the future.

Douglas Marzano25:56

No, totally agree. The glasses that I put on it is really, this is the protection level agreement we're talking about. So it's no longer, hey, we have this risk because your developers or whatnot have not migrated to a modern solution, so we have to run this antiquated operating system. Our protection level agreement is this. I can't patch it. I can't do anything with it. That's the agreement now that we have collectively. And now you hear the term protection level agreement, almost like an SLA, which people could really start to relate to. It says, okay, this is the protection level that we have. Are we okay with that? Yeah, you're nice. Same exact thing, it's exactly what you're saying, Joe. But now just the wording around that, I personally found there's a lot more acceptance, if you will, to it. If you look at the risk acceptance, how do you calculate risk, right? Probability times impact, I think, equals severity. It's impossible to predict probability. Probability is one of these things where people will tell you, OK, we have this server out there. What's the probability it's going to get hacked? You've never gotten hacked there before. You've never seen any activity on it. That doesn't mean anything. What's that probability? You probably don't have enough metrics anyway to really determine accurately what's the probability. No, that risk calculation, I don't agree with it.

Adam Roth27:51

I'm going to disagree with that. I'll tell you why. As time progresses, historically, you can get more and more of an idea of what's the likelihood that you're going to get popped. Now, I understand there are other factors of getting popped. For example, if you're running, you know, something, if you're running a firewall that has not been patched and is highly vulnerable to something that over the last three years they said, out of 8,000 machines running this, because they know the statistics, 3,000 of them got popped, then there's a closer chance you're going to get popped, right? But it doesn't mean there's a... Yeah, but Evan, that's an easy one.

Joe Patti28:36

It is easy. Most of them are the tough ones, and I totally agree with you. If you've got something like, okay, we have a system here. It comes up with a vulnerability. It's a medium risk. It's not that serious, and we're not quite sure what someone could do with it. But if we're going to carry it, what's the risk that this could cause a compromise? I would be willing to bet you a couple of bucks that when people put that risk down, they're making it up.

Adam Roth29:05

I agree.

Joe Patti29:05

There are no numbers behind it. That's why the cyber insurance business is a mess, because they don't have the statistics, you know?

Douglas Marzano29:15

You hit it on the head. Because when you work for a finance company, right, and they're looking at some type of security and they're trying to predict what that security price is going to be six months from now, there's math behind that, right? You have to have at least metrics, 12 different data points. And if your data points are precisely accurate, you can only go 50% beyond the data points. So if you have a year's worth of data points and they're perfect, you could only predict another six months. So you could go 50%. And now that's only if your data points are precise. Typically they're not, so then you can only really go three minutes.

Joe Patti29:58

That's right. What about when you've got nothing?

Douglas Marzano30:00

You do not have, as you said, Joe, you do not have those statistics to even remotely calculate what's the probability of that happening. And then from a CISO point of view, if there's going to be a risk, what's the benefit of us saying it's not a high probability? There is none.

Joe Patti30:22

Okay, that's another really important practicality. If it's not high risk, it gets ignored.

Adam Roth30:27

Well, there is a benefit to saying a high possibility or whatever, from an emotional standpoint. You're saying, look, to me, there's a high vulnerability, meaning I'm going to address this. This is my high priority. It doesn't mean that there's any real statistics or math behind it. But for example, Joe and I can have a conversation and say, hey, there's a file server that's sitting behind two firewalls and only three people access it. And they have to VPN in to get to it. And there's no other ACLs. Then there's a very low probability that's going to get popped, even if it has exposure. But if you have an Apache server with Struts issues facing the internet, you know, that's another whole story, right?

Douglas Marzano31:14

I think that's what Joe was saying, though. The easy versus the hard ones. You know, some of them are like, you know, the ones that you're articulating now are relatively easy. You see Log4j, you know, everyone's going ballistic. You know, hey, obviously there's a high probability that someone's going to discover it. It's easy. But other than those, in my personal view, I think it's really difficult to accurately calculate the probability to complete the risk formula to get to the actual overall severity level. That's why I sort of scratch that. And I say, hey, this is the protection level we could provide. We can't patch this device. We're not patching this device. Typically, that's what we do. The protection level is here. Most organizations, according to these stats, patch every three months, once a month. We're not going to be able to patch this for six months. That's what we're saying here.

Adam Roth32:18

That's it. Well, like the time Joe told me, hey, can you take care of that issue? I see that on the NAC. There's a PlayStation trying to connect, and I don't think we could put an EDR on it. So can you get that off the network, Adam?

Joe Patti32:33

Yeah, but again, that's an easy one. And you know, one of the things that I find, I find a lot of things frustrating about risk management, as you can tell. One part is the quantification. It's extremely difficult. Now, the other practicality I mentioned was, you know, unless something is a high risk, it's very unlikely to get fixed. But, you know, another thing that's very tough is just what you're talking about there, Doug. It's like, you know, you may say, we'll go back to the case of the machine that's out of date, can't be patched. It doesn't have anything wrong with it right this second, but you know, we know we want to get rid of this, it's a bad practice, yada yada yada. There's kind of no half measure for it. You know, we can do a lot of standard things to wrap it, but it's either got to be retired and replaced or not. It's not like we can say, oh well, look, if it ends up it's a low risk, we're going to do this light little thing, and if it's a medium risk, we're going to do more. It's like, no, it's really a binary thing, and in a lot of cases you don't have a tremendous amount of flexibility in it. And, you know, it's kind of frustrating, but that's often the reality.

Douglas Marzano33:44

No, and I think, you know, as you see observability platforms starting to mature with AI and having all of this different aggregation, as well as industry data, I think we're getting, I would predict, I will predict with no real stats behind it, that within 12 to 18 months, you will see organizations being able to do a better job of potentially predicting these types of things. However, that hasn't been proven. It's not there yet. And I think we really just have to articulate again, what's the protection level that we're able to provide? What's the SLA?

Joe Patti34:35

Well, I'll tell you that I think that's not quite as bold a prediction, because the truth is the job that we're doing now qualifies as absolutely shitty. It is so, so hard to figure out what the effect of the impact or the real risk of one thing is, because of the chain of all other things. There are systems that do it. They're very expensive. They take a lot of maintenance. Hopefully AI will help with that, because it's just, it's tough now.

Adam Roth35:05

It's really tough. We do have a product out there that does predictive analysis, right? We spoke about that with the CISO, a CEO, and she uses AI and she just released the latest version of that. So I wonder. We should probably bring her back on with Douglas and we could have a conversation, but you know.

Joe Patti35:23

And if you mention her again, we're going to need a sponsorship. That's all I'm saying.

Douglas Marzano35:27

I think one of the things that, you know, one of the goals, the original goal, is really to talk about, hey, how do you start a cyber program?

Adam Roth35:39

Oh, sorry.

Douglas Marzano35:40

I think, you know, that was probably Adam's sort of... Is that our first discussion point?

Adam Roth35:45

Yeah, well, you know... 35 minutes in, we just figured that out. Sorry.

Joe Patti35:49

That's right. Let's start the podcast now. Okay, here we go. Okay, let's go. Doug, how do you start a security firm?

Douglas Marzano35:56

We'll see how good the editor is now. So I think, you know, one of the things I believe we want to talk about is everything that we articulated here is part of that. If you're a CISO, there's typically three ways that you're going to go into an organization that has no cyber program. One, it's a security startup. They know they need a CISO from day one. Two, it's a startup that they're getting ready to have an IPO. And they want to make sure that their investors and everyone for their first 10-K are comfortable. Three, it's an existing organization that for whatever reason, they never spent a lot of time dedicating someone to that role. And they had an audit, and the audit said, you need a CISO. Typically, I've seen those are the three areas where you're going to go into a company without an established program and be the first person on there, you know, with the mandate to develop a cyber program. How do you do that? You know, that's a significant challenge. And I think one of the first things that you have to do, and I feel like Adam's going to agree with this, I don't know why, and I think Joe, you probably will too, is you have to let the teams know who are actually going to do the work. Right? We don't patch. We tell someone to patch. They're the ones who have to work the weekend. You don't. You have to show them that you're on their side immediately, and then you could talk the language. Now, I always felt that, you know, when you join an organization, you have to figure out a way. In my past organization, when I first started, it was, I installed the SIEM. I had all these logs, every log you could imagine going in. All of the infrastructure team, all of the developers, they were going to spend the weekend there, rolling out the latest version of the application. No security at all. But I said, hey, fellas, I'm going to stay with you this particular weekend, because now I have all the logs. And if you run into a problem, I could probably find a few a lot quicker than if you were on your own. And then, you know, I think that's the first step when you, to develop credibility in an organization. So when you do the normal stuff, you get your risk assessment, you go through all the audit reports, you know, you figure out what the threats are. That's, you know, that's easy stuff that, you know, you read any, you check GPT, hey, I'm a new CISO, what do I do? You know, right away it's going to say, hey, you should run these different risk assessments and whatnot. But how do you build that relationship with the teams? I think one, you have to be able to speak their language, whatever technology that they're speaking. You know, if they tell you something and you give them a crap answer, they're going to ignore you. This guy doesn't really know a lot about X, Y, Z. But I think once they feel that you're one of them, you're on the team. I think, you know, that's that first level that you want to get to when you first join an organization. Again, forget about the normal stuff that you could get off ChatGPT. I think that first level is, hey, let's let the teams know that are going to be doing the work, that you're there with them. And more importantly than anything else, this is not a gotcha exercise. I could find out that you did the most ridiculous thing. You fired up an old version of the operating system, you know, an image that was supposed to be deleted five years ago. You didn't delete it. You brought it up in the DMZ, and now this is coming out. So what? You know, I'm with you. We're going to figure out this together, why it happened, before you bring it to anyone else's attention, unless obviously you need to. They see that you have a plan with them, that you're working together, and it's not a gotcha exercise. So you go from this, I'm gonna help you, whether I need to or not, because I'm with you, I understand that you help me all the time. And if something comes up, I'm not here to say, gotcha.

Adam Roth40:35

Do you want the grenade there, or you don't want the grenade?

Douglas Marzano40:38

No grenade.

Adam Roth40:39

Ah, dog ear. So you use a grenade. It works when the reporting mechanisms work. It works, and I'll explain what I mean. It works when the corporate culture is there. So yes, as we on the cybersecurity side, we on the information security side, we're seen as cops. We're seen as detectives. We're seen as, don't you dare do it because we're going to arrest you. The sysadmins that do the patching and usually those groups, they don't report into the cybersecurity group. In some organizations, the culture is great. We all work together, we have fun, we understand each other, we get along. Sometimes the pillars, the two different groups, there's a lot of friction between the bosses at the top. And when that happens, that boils down even if the people that are parallel on the lower level, the subordinates, are great friends. Sometimes there's an animosity at the higher level because the stakeholders don't have the same thoughts. That money was for my budget. That money was for this budget. So I don't care if they help me or not, because I don't really care. I don't like it. I'm going to do it the way I want to do it. You can't tell me what to do. I don't want your help.

Douglas Marzano42:04

No, I think, you know, that's always the, that's part of the challenges. And I think that's why a security person, I think, right, you have to be, what makes a good security person? You have to be, I think you have to be smart and you have to be curious, right? But what they don't talk about is you have to be a chameleon. You have to be able to talk to the help desk guy like you're buddies. You have to be able to talk to the developer person like you're, hey, I know this technically. You have to be able to talk to the one level of management and then the board. And you might have to do that all in one day. So I think you have to be smart. You have to be curious. That's what makes us who we are. And then you have to be able to be a chameleon. So Adam, I think what you're saying is 100% accurate. To me personally, I think to be successful, probably being a Staten Island guy, you do well with this. You know, you have to be a chameleon. You know, you have to be able to go to the deli, talk to all the fellas who, you know, never, never matured. And they're still hanging out at that corner and be able to talk to them. And then you'd be able to go home, be the family man, and then, you know, talk to your, your business partners all in one day and be able to be a chameleon.

Joe Patti43:25

I was just going to say, that's, that's very true. And I would say, you not only need to be a chameleon in terms of, you know, dealing with those people in those different roles, but knowing how to deal with specific people. It was interesting when you talked about the scenario where someone does something wrong and you say, I'm here to help you. That works for some people. For other people, you need to use a little different approach, which sometimes is, it's okay this time. There are people who respond to that. It depends. And I think all that kind of gets to the thing of where you're, absolutely right, you need to establish credibility, you need to say I'm here to help, do all this stuff. Coming into an organization as the first security person, or also in cases where you're coming in where your predecessor was a very weak security person, it is extraordinarily difficult and it takes a tremendous amount of time, not very often, and, you know, because very often you're coming into a place where, yes, you are perceived as giving people more and more, and it doesn't matter how committed people may say they are to security, that can be a tough hurdle to get over.

Adam Roth44:40

So one of the people that I admire, or not people, but roles in my life, I admire more than anything else, you're going to find this funny, is a hostage negotiator. And the reason why I admire a hostage negotiator is that they have come to a really good point where they know how to have conversations with people and to help people or to try to calm things down. And you're right, right? We need to be chameleons, but I'll put it one better. We need to be diplomats or ambassadors. We need to know how to interact with our respective audiences in such a way that they do trust us. I'm not saying to wrongfully trust us, because we want to be trustful. We want people to believe that we are capable of giving them real information. And you're right. You have to know how to work different situations. So while some people don't like Kevin Mitnick, I always was kind of impressed with Kevin Mitnick's social capabilities. Though in person he really wasn't a sociable person, he knew how to put on the social charm when he tried to get information. And there are other books like how to schmooze, how to get yourself into any venue for free. Those are amazing people. And I'm not saying to be deceptive, but I'm saying people who know how to walk the walk and talk the talk and being able to get things out of people, that's a great thing if you know how to use it for good things.

Joe Patti46:17

Yeah, but people who do that go into sales, not security.

Adam Roth46:22

Well, I guess I'm in the wrong place then. I think, like, I could sell myself. That's going to get me in trouble.

Douglas Marzano46:27

I think it goes back to... I guess, Adam, you sort of made my point before where I was talking about rose-colored glasses. Right. So putting the risk acceptance versus protection level agreement is sort of exactly what, you know, you were sort of saying. So how do you speak that person's language to make them feel comfortable, be a diplomat about it, or be a chameleon about it, and get your point across, get everything done in the correct way? You know, Joe, I know I've definitely had people in my career who've, you know, made that same mistake. And, you know, first, second time I'll send them that GIF that says, you're killing me, Smalls, from The Sandlot movie. And then the third time, like you said, it could be a more serious conversation. But my signature, and again, I do a lot of research and reading. I don't want to just say things. It was from a book, Managing Risk and Information Security by a guy named Malcolm Harkins. He came up with the concept Protect to Enable. And I used to have that as my tagline. And I used to do that to start getting the business behind me. Look, there's the evolution of the CISO. CISOs are no longer IT people. Information security, cybersecurity, whatever you want to call it, is no longer an IT risk. It's a business risk. Plain and simple. There's certain extinction-level events that will wipe out a company. Pure and simple. But I think once you start getting the businesses that you're adding value, Adam, the people at different levels also start to see, hey, I don't care. I know this dude, you know, this dude is getting that level of respect. He's the CISO. He has elevated. He is where he is. He's coming down to talk to me. My language is kind of awesome. You know, I'm gonna, you know, I'm going to work with him. But how do you really protect to enable? What does that mean for a CISO? Personally, I feel that it's our job to understand the company's business plan. And I think it's our job to become friends with, you know, maybe it's the global management team or the global management team minus one. And quick example, that's easy. If you find out that they're looking to go into an emerging market, when they get there, they should not have to come to you and say, Doug, are we compliant with those regulations? You should know that they're going there and that when they come to you, be like, yeah, we're just like this close. I might need an extra couple of funds to go there, but we are ready to go there. And then all of a sudden they're like, oh, what made you do that? Even if they haven't told you, articulated, had you in those meetings when they were deciding whether they were gonna go to the emerging market. I read this. I saw what you had on the corporate business plan. I got it. We're done.

Adam Roth49:50

That goes back to knowledge instills confidence, right? If you are knowledgeable, if you practice your trade and you do the homework and somebody asks you a question, then you build up confidence with them, which builds up respect, which goes from, and almost every relationship that you have in life, and the severity differs, right? It goes from storming, right? You might not have the best relationship in the beginning. They're not sure of you. Maybe you're okay. Maybe you're all right. And then, you know, then it might become, you know, forming. Okay, I see they're okay. Maybe they're, it could be a little bit better. And then it goes to like norming, right? Yeah, that person's not so bad. I actually believe everything they're saying. It can go the other opposite way. Like this guy doesn't know what they're doing at all.

Douglas Marzano50:39

You know, that goes to, um, I remember when I was doing vulnerability management. I went to a Linux guy and I said, you know, this came out of, I'll just say a free one, Nessus. You know, this came out of Nessus and you have these 80,000 vulnerabilities. He looked at me like I was totally no respect. And I said, okay, what's going on here? I went back and at the time, I'm sure we all had it, those thick O'Reilly books. I went back, started going through that O'Reilly book, cover to cover, installed Linux at home, started playing with everything. And then next time I went back to him, I said, okay, I got you. I understand now, there's no such thing as groups or really permissions in Linux. It's really what's the permission of the file. There's root and then there's everything else. And I totally get, you can't go through 8 zillion files and look at all these ones that are, you know, writable and have execute permissions, which that initial report said. But it's so important, right, Adam, you have to be able to gain their respect in a program that's just starting out. You know, if you have people working under you who are, you know, that's their specialty, awesome. But when you're first starting out and building up that program, it is what it is. You have to be able to talk the language, and that's kind of the hard part of being a CISO, right? You know, it's hard, but that's, you have to know enough, of course, everything.

Joe Patti52:15

Well, yeah, well, some of this stuff also, some of the scenarios you talk about aren't necessarily restricted to security or to CISOs. You're coming into a new organization, you're going somewhere, you need to build credibility. So what do you do? You need to realize, well, you can't do everything at once. You can't even make your plan at once. You got to see what's there, who's there, build credibility, get some wins for yourself and for others too, for your allies. Do some favors. When I have a new job, I'll tell you, I buy a lot of beers. I help out with a lot of stuff.

Adam Roth52:57

I kind of do that now, right? When people go out of their way to help me, or I really respect them, and it's not a lot of money, I send a $10 gift card. It could be any coffee place. Even when it's remote, I send them a gift card, because I really do respect, and I think that does go a long way. While the value is not a lot, it's the thought that counts, and it shows a lot of respect.

Douglas Marzano53:20

Yeah, nice Starbucks gift card. You know, Adam, you're 100% correct. Now, look, I'm talking here like I'm pontificating. Hey, this is how you build a program. Where did I stink? You know, what lesson did I learn? What was a weakness of mine? When I first joined, I was, my wife hears me say this out loud, she's going to say, you know, don't tell people all your weaknesses. It's not a good thing. But I, I was, I didn't trust my gut. And I defaulted to people who were there longer than me, where I didn't feel enough confidence to say, no, you cannot do it this way. This is going to tilt our building forever. And that's something that I regret. I think when you first join an organization, if you're the SME, be the SME. You know, you know, brought out your shoulders and say, we want to do it this way. Like you said, Adam, I don't agree with it. This is why. And if everyone decides to go the different way, who cares that this way, you know, you don't take it personal. We should give you a point of view. But at the beginning, I wouldn't even give my point of view. Because it was just like, oh, everyone in the room feels this way. How am I going to say this? I'm just starting out. I'm just building this program. And then I zipped it. And I regret that. That's one of the things that it's hard. That's where I screwed up.

Joe Patti55:03

Also, don't beat yourself up too much about that, because that also changes with experience, career experience. Now, you go into a lot of those situations and you hear some of these things, whatever. I walk into a situation, I see stuff. It's probably not like I think that's wrong. It's like, I have seen people fail repeatedly doing what you're suggesting. That's why you hired me for this experience. You're right. Let me help you. That's a really good approach. Or they're wrong, they don't, or they need to do extra work or change, you know, it's really tough.

Adam Roth55:40

I'm gonna say two things about that, right? One, I'm not a baseball fan, I don't know much about baseball, but I do know if you're batting .333, you're doing pretty well, which means, you know, one out of three times you hit, right? So if we put that same thing kind of in, you know, perspective or perspective to, you know, being a CISO, you know, it'd be nice to bat .333, right? So the other two times you're wrong and the one time you're right, but we can't be perfect. We make mistakes and people have to accept that there are mistakes made and sometimes you can do nothing about that. That's life. But you want to be, you want to err more on being right than wrong. And the second thing is I had a person hire me once. And they said, and it's not Joe. And that's true. And the person said, the first week I worked for them, I want you to fire this person. And I looked at him like, why? And they said, blah, blah, blah, blah, blah. I said, you're not even giving me time to evaluate the person. Ironically, I didn't fire the person and they outlasted me and the other person in the organization. You should have fired him.

Joe Patti56:49

He might have kept your job.

Adam Roth56:51

That's true, right? So the point I'm getting at is that I think I made the right decision. This person was a wealth of knowledge, was really good, and even after I left that organization, that C-level person still didn't fire that person after I left, after they wanted me to fire him in the first week, and he was already there a couple of years. So the point I'm making is sometimes in any level, in any position, and by the way, full disclosure, I've never been a CISO. I wanna be one day when I grow up, but in my leadership position, I thought I was gonna get fired for not firing the person and I made the best decision ever. Okay, so I made one good decision, probably five other bad decisions, but you can't second-guess your gut sometimes. The only decision that's bad is a decision that you're not making.

Douglas Marzano57:54

No, I agree, but I think it's important for people who are looking to become a CISO, once you have that level of experience, is don't be afraid to say, I know this based on my knowledge. And do not get personally insulted when everyone collectively says, we don't agree. Cool. My job is to just advise, articulate, be an advocate. But at the end of the day, if the organization says no, not only do you say, okay, but I'm going to 100% support you and do everything I can to make your decision the best one.

Adam Roth58:45

It sounds like the line from Crimson Tide. We're not here to practice democracy. We're here to preserve it.

Joe Patti58:54

Oh boy, that's a can of worms. Okay.

Adam Roth58:58

I'm not trying to get political. In other words, I'm saying to you, at the end, when you're in a leadership position, sometimes you have to make that decision, even though it's a hard one, even though the majority of the people might feel a certain way, it doesn't mean that you have to go with them. If you think you're right, then you should take that leap and do it. But make sure you have all the information before you take that leap. Don't just do it. You know, sometimes you gotta go against the grain and do what's right.

Joe Patti59:31

Okay, and that thought takes us to last call. And Doug, I'm afraid to ask you for your final thoughts because I can tell we could probably go on for about two or three more hours. You have a wealth of interesting thoughts on this stuff. And we're glad you've been able to join us. But what are your final thoughts?

Douglas Marzano59:53

My final thoughts are when you want to become a CISO, don't be afraid. When someone asks you what keeps you up at night, your answer should be nothing. I sleep like a baby because I know I'm doing everything I can to keep the environment as secure as possible. And nothing keeps me up, honestly. You always get that auditor who's going to come in, sit in your office and say, OK, what keeps you up at night? Zero. Nothing. I sleep like a baby. If you're a CISO and you're going to worry all of the time, you're gonna have a heart attack and die. It's, I'm doing my job. I told everyone it's an assumed breach model already. I'm good. I think that's, don't be afraid. You trust your gut. Put on, be a chameleon, right? And I think, yeah, that's it. I think you want to make sure you engage with the business. Read those business plans.

Joe Patti01:01:04

Doug, that is an absolutely great thought. A great one to end on. I think everyone should listen to that who's in security, and that may very well end up being the title of this episode. Don't be afraid. You really shouldn't be. If you're doing a good job as a CISO, you're not afraid. You're comfortable with your program and what you're doing. So well said.

Adam Roth01:01:24

I was going to say the title should be Douglas Marzano Sleeps Like a Baby. Because we do have another episode. It's called What Keeps Monty Fabriani Up at Night?

Joe Patti01:01:39

That's true, we did do that, yeah.

Adam Roth01:01:41

So this is the mirror episode to that, like, so Monty's staying up, Douglas is going to sleep. That's it. Yeah. Or I was going to call this episode, Be the Ambassador.

Joe Patti01:01:54

Be the Ambassador. All right. Okay, then, Doug, thanks again for joining. This has been a lot of fun. My pleasure. Adam.

Douglas Marzano01:02:01

Love to be on again. Always fun.

Joe Patti01:02:13

Take care.