
We don’t go a week without hearing a story about a data breach caused by a third party. We’re increasingly realizing the risk posed by the parties we have the least control over. Some extremely large organizations can exert pressure to raise standards for third-party security, but what can the rest of us do to contain these risks better?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Rob Allen, chief product officer, ThreatLocker.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full Transcript

Intro

0:00.000

[Voiceover] What I love about security vendors. Go.

[Rob Allen] What I love about security vendors is their flagrant use of AI in everything. I feel sometimes if you don’t have AI somewhere festooned on your booth or your product or your web page, you’re basically left out, so I love that.

[Voiceover] It’s time to begin the CISO series podcast.

[David Spark] Welcome to the CISO series podcast. My name is David Spark. I am the producer of said CISO series. And joining me as my co-host for this episode, it’s none other than Mike Johnson, the CISO of Rivian. Mike, say hello to the audience.

[Mike Johnson] Hello, audience. Great to be here with you today.

[David Spark] He likes you. I like you.

[Mike Johnson] I do.

[David Spark] We hope you like us back. We’re available at CISOseries.com where you can check out all our wonderful programming. There are four other shows on this very podcast network. Our sponsor for today’s episode, absolutely spectacular sponsor of the CISO series. We love, love, love their support. It’s none other than ThreatLocker, Zero Trust Endpoint Protection Platform. More about them and their cool new solutions a little bit later in the show.

But first, Mike, we are recording this episode just a week after RSA. And I just published an article, which I used to do at a lot of conferences, called The Cool and Not So Cool about whatever event I was at. And it did well, and there were things that…

Something we talked about was agentic AI before, but one of the things that I mentioned was the plague of “vendorsplaining,” which is the thing where a vendor would say to you, Mike, a seasoned security professional, “Is cybersecurity important to you?” or, “Did you know that the number one vector that people attack networks is through identities?” Like, “Really?” What do you do… And I’m sure you’ve been “vendorsplained” before, yes?

[Mike Johnson] Yes. That is one of the things that I love about vendors, much like Rob in our opening here.

[David Spark] So Rob’s very sarcastic beginning which you… Kind of leaning into that as well.

[Mike Johnson] Yes.

[David Spark] So what I said is you can really just skip that part completely.

[Mike Johnson] You really can. And I think that goes back to some of the earlier guidance that we’ve shared with vendors of like, “Just cut to the chase. Assume that your audience has a certain level of knowledge, and don’t waste their time. It’s a combination of it can be insulting, some people can absolutely be insulted by it, but it’s also just a waste of time. Your time, their time, everyone’s time, just skip all that and just cut to the chase.”

[David Spark] Well, I think also the reason I think they do it is they’re like, “You’ve got to explain the problem, prove the problem,” so there’s always the, “Do you know that’s a big deal? Report X, Y, Z says X percentage [Inaudible 00:03:15],” to validate why their company even exists.

But if you’re in security, you kind of know all this stuff already. You can literally cut all of that out. You just say, “Hey, we’ve got an identity management product,” or whatever the heck it is you’re selling, “And this is what’s unique and different about us.” Could you just start there?

[Mike Johnson] Absolutely. Although, I do think I’m going to start opening up every conversation… When a vendor is explaining to me, I’m going to be very excited to learn this new fact.

[David Spark] Or you could say to the vendor, “Did you know that the number one way vendors make money is selling their product?”

[Laughter]

[Mike Johnson] Great way to start a conversation.

[David Spark] There you go. “Really? I didn’t know that.” Shocked. All right. Let’s bring in our guests. This is a frequent sponsor guest we’ve had on the show. I did a live show with him in Orlando, Florida at their event. He is very entertaining. He may go after me a little bit during the show, but we love him regardless. It is the Chief Product Officer over at ThreatLocker, our sponsored guest, Rob Allen.

[Rob Allen] Hey, David.

[David Spark] Good to see you… That’s it? “Hey, David”? Nothing caustic?

[Rob Allen] I do all the caustic stuff beforehand. I keep the nice stuff for now, so people think I’m a nice guy.

[David Spark] Smart move.

[Mike Johnson] I’m convinced.

Is this partnership feasible?

4:34.981

[David Spark] Quote, “We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their provider’s vulnerabilities. We need sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems. The most effective way to begin change is to reject these integration models without better solutions.”

Now, that statement of intent came from an open letter from JP Morgan to third-party providers. JP Morgan has some weight to throw around in this regard, but is one giant company enough to raise the tide to lift all boats? Because the stick they seem prepared to swing is not using third parties that aren’t proving security.

So Mike, I’m starting with you. Have you seen similar big players throw their weight around to positively impact security? I know this is for startups who want to work with big enterprise companies. What works for third parties and what has fallen flat historically? Mike?

[Mike Johnson] Any SaaS provider is going to listen to this, and have had to deal with it many times. When I was at Salesforce, JPMC was actually a customer, and they would very much inject security requirements into the product. That then became part of the message that Salesforce would use to their other customers of, “We’re satisfying JPMC’s security requirements, we can satisfy yours. You’re gaining the benefit of using a platform that someone like JPMC trusts.”

So JPMC is kind of turning that around and making that more of an open statement for everyone. We do see this quite often. Again, SaaS providers see it all the time. Where I think this runs into challenges is the long tail. And when I was first reading this, I really kind of went on a journey of trying to pull myself back from my absolutism of, “There’s always going to be vendors out there who can’t do this. There’s going to be this vendor that is the only one who solves your need. They’re not going to satisfy your security requirements. Are you really not going to use them?”

And then I stepped back and said, “Well, you know what? If this actually improves security for 80% of your vendors or 80% of my vendors, I’m in a much better place.” So it’s one of those where I’m not sure where this is going to go. I appreciate them putting the statement out there. But even today, single sign-on, just that one control, getting single sign-on for all of our applications is approaching impossible. And that’s just one security feature. So I’m optimistic. We’ll see how it goes.

[David Spark] All right. Rob, part of your business at ThreatLocker is dealing with third-party program solutions that may or may not be causing problems in your environment. So, this is very much top of mind with you. Can just a big player like JP Morgan get people to shake in their boots and go, “All right, I’m going to wise up.” Or do you think there’s just more people who are on board saying, “Yay.”

[Rob Allen] [Laughs] No, well, first and foremost, I think what they’re saying makes perfect sense. I mean, they’re talking about sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems. I mean, that is as close to a no-brainer as I could possibly think.

[David Spark] Yeah. I mean, nobody’s against this.

[Rob Allen] No. Absolutely not. And if somebody like JPMorgan is throwing their weight around saying, “You should be doing this,” then as Mike said, then a lot of companies will actually do it. So I see nothing wrong with either the statement itself or the ideas behind it. I mean, it’s just common sense.

And again, as you said, we do deal with… I mean, one of the… I suppose, the beauty of the approach that we take with default deny and everything else is you’re kind of insuring yourself against those supply chain attacks, those upstream attacks, those things that come from outside of your environment through partners, vendors, whoever else it may be. So as I said, I’m fully on board. And again, particularly the proactive and reactive measures combined, I mean, that is layered defense.

As a CISO, what do you think about this?

9:23.685

[David Spark] Quote, “Your expertise is borrowed authority. Real leadership is helping others build their own.” Now that’s the core message of Taha Hussain’s reflection on why so many engineering leaders fail. They lead with answers instead of enabling their teams to grow.

It’s a dynamic that shows up in cybersecurity too, where technical mastery can quietly morph into control, bottlenecks, and mistrust. Leaders who solve everything themselves may feel indispensable, but they’re often just in the way. So, Rob, do you just tell engineering leaders to do this as in, “Show other people how to lead,” or is there another way?

[Rob Allen] I kind of agree with the sentiment behind the statement, but I also don’t. And there’s a very personal reason for that, which is… And you’ve met our CEO, Danny, at Zero Trust World. And Danny is, in most circumstances, the cleverest person in the room.

Danny is very much a “fix things” person. I mean, it’s kind of gone a little bit beyond the “he knows every line of code” at this stage, but I mean, he did fundamentally build the product at the beginning, and is now very actively involved with helping fix things, improving things, etc. Others, maybe not so much.

I mean, I’m very much not the “knows every line of code” type, and I’m much more inclined to lean on others’ knowledge and expertise and advice. Both approaches have value as far as I’m concerned. I wouldn’t say that one is infinitely better than the other or one is preferable to the other. I think both approaches have value. I mean fundamentally different people are structured and built in different ways. Danny is a doer.

[David Spark] But is there a way to bestow authority on other people? Or you just say, “Hey, everybody, pay attention to this person too”?

[Rob Allen] No. I mean, realistically, I think as leaders, our job is to get out of people’s way and to enable them to do what they can do. But as I said, that doesn’t mean that there isn’t equally value in somebody who is fundamentally a doer. I think both can contribute to a successful organization.

[David Spark] Mike, I know you have said this, and I’ve heard it from others, that people when they move up to a more leadership position, they kind of miss the days of coding, miss the days of actually working with the technology hands-on. You yourself have moved up to a leadership position, and I know that you have helped others as well. Maybe you have a history of what’s worked and what hasn’t worked.

[Mike Johnson] It’s one of those things where you have to stop yourself from your own habits. If you are the person who’s doing all the work, and you’re always doing the whole work yourself, you’re never going to scale that. You’re never going to be able to distribute that workload, and you’re limited to the number of hours that are in the day from a productivity perspective.

So once you stop to realize that, “Hey, I can’t do everything,” you then have to look at, “Well, how do I decide what I can and can’t do?” And then, “How do I empower others,” to Rob’s point, “to do what they can do best?” In terms of what does and doesn’t work, I don’t think you can just go and tell someone, “Hey, you need to change how you’ve always been doing things.” You need to show them what is wrong, what they’re missing out on, what is their impact.

And when you’re talking with engineering leaders, talking about scalability is a great way to have a conversation, and say, “Hey, look, wouldn’t you like to have more output? Wouldn’t you like your org to get more done? If you would, then you need to start distributing some of these tasks more. You need to start delegating. And in the beginning, it’s going to feel painful. You’re going to give someone a task that you know you can do in five minutes and it might take them half a day, but they’re then empowered going forward to be able to handle that.”

And if you’re then able to explain simply, “Here’s what’s going on. Here’s the advantage that you could have, and here’s how you get there,” that’s what people will listen to. Telling them to change, that’s not going to have any impact.

Sponsor – ThreatLocker

14:01.267

[David Spark] Before I go any further. I do want to talk about our fantastic sponsor, and that’s Rob’s company, and that’s ThreatLocker. So in cybersecurity, seconds matter. We all know this. Precision also matters. And that’s why ThreatLocker is up in the game again. The company just launched a new set of solutions built for teams who need to move fast without compromising security. It’s zero trust, but without complexity.

So here are a bunch of cool new solutions they’ve got. First, with ThreatLocker insights, you get real-time intelligence from millions of endpoints worldwide to empower you to make the best swift cybersecurity decisions on what applications to allow and what controls to put in place in your environment.

Patch Management? Well, instead of chasing updates and manually approving patches at 2:00 a.m., ThreatLocker takes care of it for you with the rigorous research and testing you need to stay compliant and secure. Cloud Control? It adds an essential layer of defense, further closing the gaps that phishing and token theft campaigns love to exploit.

They’re also making life easier for IT and security teams with the new User Store, a smart way to give users instant access to pre-approved software while maintaining the strong security of your environment. And for web threats, well, Web Control lets you block sites you don’t trust or users should not access from the workplace. It blocks unapproved content by category, not URL by URL.

Of course, you still get ThreatLocker’s 24/7 U.S.-based Cyber Hero support. No scripts, no waiting hours for answers. They deliver world-class, swift support, responding in about 60 seconds. It’s no accident that over 50,000 companies now trust ThreatLocker to help them harden their environments against modern threats. If you’re serious about tightening your defenses and getting a platform that doesn’t slow you down, check out ThreatLocker.com to learn more. It’s spelled just the way it sounds: ThreatLocker.com.

It’s time to play “What’s Worse?”

16:14.759

[David Spark] Rob, I know you know this game. You’ve played it. I will make Mike answer first. This is a contribution we got from Rajitha Marur, and it’s Rogue AI versus Rogue HR. These are going to be the two scenarios. I’m going to spell them out for you. So here’s the situation you have. This is for both scenarios. Company ABC hasn’t implemented any controls to block AI apps or data loss.

All right. First scenario. Mike, employees have been using intrusive AI apps for meeting notes, which the security head accidentally found out about while attending a town hall. As there is no AI policy or systematic restriction on external apps, there are multiple apps being used. No vetting has been done, so all kinds of company information has leaked into the outside world. There is no way to identify who is using these AI apps or determine how bad the percolation is, okay?

So pretty much everyone’s meeting is now public info, it sounds like. Second scenario. The security head discovered the HR managers, with privileged access to employee and potential employee/job applicant information, have been downloading the data from Workday onto their personal machines to build and present reports.

They do not like the company-approved BI app, Business Intelligence app, so they went ahead and acquired a one-off solution and used their machine as a server for a report generation. There is no way of tracing how far back this practice goes as the company has grown through a series of acquisitions. All right, Mike, you’re up first. Which one is worse?

[Mike Johnson] The second one really feels like somebody has lived that experience.

[David Spark] It’s very possible. [Laughs]

[Mike Johnson] It’s very specific. Yeah. That one just feels like, “What did you have to deal with in the past?” and I’m so sorry. And the first one is what pretty much every company is going through right now.

[David Spark] Well, the first one is the fact that all their meetings have been exposed publicly.

[Mike Johnson] There are so many companies that are using AI tools that they have no idea that they’re using…

[David Spark] Yes, this is true.

[Mike Johnson] …that who knows what they’re doing, and there’s presumptions of what they’re doing and what those systems are doing.

[David Spark] Well, in this first scenario, it’s very clear that this data has gotten out, the [Inaudible 00:18:53] the meeting notes have gone out.

[Mike Johnson] So my take on it, though, is the meeting notes are then sitting in some random LLM somewhere, which is very different than public.

[David Spark] Well, it’s not so much… The thing is, once you have the meeting notes, it creates a document for you. So it’s no longer just an LLM, it’s an actual document.

[Mike Johnson] Sure. But it’s not like it’s being posted into Twitter.

[David Spark] That is true. But it’s just the information has leaked into the outside world.

[Mike Johnson] Sure. Again, that is LLMs training off of your company data. Which again, that is what everybody is living right now and trying to figure out how they direct that appropriately so that they know at least which LLMs are involved.

[David Spark] Right. So it does describe this. So I’m getting the sense that you’re going to say scenario number two is worse just because we’re all living scenario number one right now.

[Mike Johnson] Scenario number one is the transition that we’re all going through right now and have been going through for the past two years, and does have an end. We know where that’s going. The other one, and one of the challenges of the second one, is that is personal information. And there are regulations specifically around handling of personal information. And there’s contractual obligations and privacy statements that you’ve made to your employees.

[David Spark] So we know for sure the second scenario, we got sensitive data.

[Mike Johnson] The second one is absolutely sensitive data, and it is absolutely lawsuit material.

[David Spark] Right. But it doesn’t look like it’s gone public yet. Though in people’s eyes…

[Mike Johnson] So that’s where we’re arguing about the definition of public. Just because it’s sitting in an LLM doesn’t make it public.

[David Spark] But we don’t see the… It just said “leaked to the outside world.” We don’t know. It could be public, could be the published reports of the meetings here.

[Mike Johnson] I am taking that to mean how LLMs actually work versus the hypothetical.

[David Spark] Yeah. But hold it. I’m going to argue with you.

[Mike Johnson] Sure.

[David Spark] These meeting notes applications, it immediately turns it into a document. You have a meeting… Zoom does this. You have a meeting, all of a sudden you have a document of what everybody said. So that’s not LLM there. That’s an actual document. That could be shared and go anywhere.

[Mike Johnson] It absolutely could be shared and go anywhere. But again, I have no idea what to make from this particular scenario.

[David Spark] Correct. We know in the second… But it doesn’t look like it’s gone everywhere. It looks like just some random yahoos have been taking this information, which sounds like a regulatory nightmare.

[Mike Johnson] That’s the problem with that. That second one is absolutely a regulatory nightmare. The first one is just terrifying.

[David Spark] Okay. [Laughs] So terrifying versus regulatory nightmare.

[Mike Johnson] It’s really, “Who’s going to punch you in the face sooner?” And the regulatory nightmare is the one that’s going to punch you in the face sooner. Yeah.

[David Spark] All right. So you’re saying scenario number two is worse. All right. Rob, walk me through it. Which one do you think is worse here?

[Rob Allen] I think Mike has already done a really good job of walking us through it. I mean, look, they’re both not good. As he said though, I mean, look, we don’t want our meetings going out into LLMs, or anything along those lines. But again, there’s a difference between information going to LLMs and being learned from, and data or information being out there.

I mean, I don’t know. Maybe if I ask ChatGPT if it knows anything about internal company discussions about X, Y, and Z. I mean, realistically, I don’t think it does. It’s just going into the greater LLM learning pool.

Again, the regulatory one is not great, but again, did data really get out? I mean, yes, some yahoo downloaded documentation onto their computer. Was it their home computer? Was it protected? There’s not really that much information there other than some yahoo downloaded a load of documents onto the machine, and were using something on the machine.

Again, does that constitute a data leak? Was that machine in the building? Was it at home? There’s not really enough information there to say whether it’s really, really bad. But can we just all agree that both are pretty bad and leave it at that? Does one have to be worse than the other?

[David Spark] Yes, hence the name of the game. It’s called “What’s worse?”

[Mike Johnson] What’s worse? Which one’s worse, Rob?

[Rob Allen] It is literally called “Which is Worse?” isn’t it?

[David Spark] [Laughs] Yeah.

[Rob Allen] On the assumption that that information has not gone anywhere other than some yahoo’s work computer, let’s go one being worse then.

[David Spark] So you think one is worse, and Mike thinks two is worse. I like it. I like when we get a split decision.

[Rob Allen] But there’s a lot of buts there.

[David Spark] There’s a lot of unknowns here. A lot. Yes.

[Rob Allen] A lot of unknowns.

[David Spark] By the way, can we just clarify? Like anything in security, nobody knows clearly what’s happened right away, right, Mike?

[Mike Johnson] There’s always a finding of information, gathering of facts, assembling opinions as a result, for sure.

[David Spark] How soon, when you have an incident, does someone yell at you and goes, “What have we lost?” And you’re like, “Don’t know yet.” [Laughs]

[Mike Johnson] Sometimes you actually do know very quickly because you…

[David Spark] Do you?

[Mike Johnson] Because, not speaking for myself, but someone might be finding out about an incident because it’s been posted publicly. And then all you need to do is go download that file and you find out exactly what’s been taken.

Please, enough! No, more!

24:21.517

[David Spark] So today’s topic is EDR, Endpoint Detection and Response. Okay, Mike, I’m actually surprised. I don’t think we’ve ever done EDR in this segment. I don’t think we have in all the years we’ve done this.

[Mike Johnson] This long, we’ve never done EDR? Okay. Great.

[David Spark] So I’m going to ask you, what have you heard enough about with EDR? And what would you like to hear a lot more?

[Mike Johnson] I think we’ve reached a point where endpoint detection and response has become a commodity. It’s table stakes at this point.

[David Spark] It’s like locks on the door.

[Mike Johnson] Exactly. We’re so caught up on the detect-and-respond side though. I’d like to hear more about prevention. How do we move this further to the left of a kill chain, or whatever metaphor you want to use, rather than where we have been thus far of, “Great, we’ll detect it and we’ll respond really quickly, but really wish we could have prevented it in the first place”?

[David Spark] All right. Very good response there. All right. I throw this to you, Rob. What have you heard enough about EDR? What would you like to hear a lot more?

[Rob Allen] Look, detection has a time and a place. Detection is important. I think Mike’s point is probably more important, which is there are layers to this. Wouldn’t it be much better if you could stop these things at source? Wouldn’t it be much better if you could be proactive rather than reactive?

Because fundamentally, that’s what EDRs are, is they’re reactive. They’re waiting for something bad to happen or indications of something bad happening to respond. I mean, the hint is in the name—it’s detect and respond. Wouldn’t we be far better off stopping the things from happening in the first place and not having to respond to them at all?

Again, the other way to describe it is that detection and response does have a time and a place, but it should be in addition to other layers which will be proactive and will, as I said, stop these things from happening. So, you want to know about things that are trying to happen, but failing rather than knowing about things that have already happened.

[David Spark] So explain to me… Because I know this is kind of your mantra at ThreatLocker. I mean, you’re dealing with security on multiple sides, but let’s stop the problem before it happens. You have a very much zero trust philosophy. What has been your approach with EDR?

[Rob Allen] So we see it as complementary to other layers of security. So allowlisting and ring-fencing and network control and all that other fun stuff. So it’s complementary to those other layers rather than being what it is in most environments and most circumstances, which is the whole ball game.

Because the fundamental problem with any sort of detection is that to detect everything, you need to know everything. You need to be able to recognize everything. You need to be able to make millions of decisions a day about, “Is this thing good?” or “Is this thing bad?” And the fact is, if you get one of those decisions wrong, it could be game over.

So rather than depending on decisions, as I said, millions of decisions a day, all of which have to be 100% right, why don’t you have the detection as complementary to other layers of protection or other layers of control?

[David Spark] By the way, haven’t we heard this story where someone says, “Well, they had an EDR in place and they still got popped”? We’ve heard this so many times. So it is kind of like a lock on a door. It’s like a lock on a door, it works to a degree to the person who doesn’t really want to get in. But yeah, it ain’t going to really protect you, is it, Rob?

[Rob Allen] As I said, there is a value to it. There is a reason for its existence. It should be realistically part of any well-balanced security stack, but it shouldn’t be the entirety of a well-balanced security stack because if that is all you’re doing, if all you’re waiting is for something bad to run or for something bad to happen, it’s only a matter of time before something that is not known about, whether it be a zero-day, or a new piece of malware, or whatever the case may be, comes along and gets you.

[Mike Johnson] David, really just to adjust your metaphor a bit. Think of it as the difference between cameras and cops around the corner, like they’re ready to pounce as soon as the camera detects somebody, and a lock. The lock is actually the preventative control. The cameras and the rapid response team is the EDR. And there’s a lot of nuance to EDR these days, but fundamentally, I’d really like to have that lock.

[Rob Allen] Mike, I could not have put it better myself. I mean, it is an analogy that we actually use. I mean, it’s big locks on your door versus an alarm. I mean, I’ve got an alarm in my house. I also have big locks on my doors. One being a control, the other being detection. They work well together. Would I just have an alarm and leave my doors wide open? Probably not. Would I just have big locks and not have an alarm? Probably not. So both approaches have value in combination.

What’s the motivation to do this?

29:36.485

[David Spark] When is it time to take a break in your career? That came up on the cybersecurity subreddit with someone running a security engineering team where, quote, “The problems were trivial to address, and the root cause was obvious, but politics and leverage was most important.”

And commenters were quick to caution that the job market may be pretty unpredictable when that person returns to work. Others shared similar experiences, taking the time to sharpen skills, sidestep into adjacent careers, or start a consulting business.

Now, there are obvious stresses in any job, even satisfying ones, but I’ll start with you, Mike. When do you know it’s time to take a break? And what can you do to communicate you’re approaching that point with the business? And maybe you’ve had an employee do this with you, too.

[Mike Johnson] Oh, gosh. I mean, this is such a personal decision. As you said, there’s stress in every job. There’s always going to be stress. That’s just part of being human. But if you can’t find the good in your job, if there’s no upsides, if all you’re there for is to collect a paycheck, then yeah, it’s probably time to start thinking about what your options are and reconsider.

I don’t think you communicate with the business because I fundamentally think you own your own career. So if you’re approaching this, figure out what you can change. What are the variables? What are the things you can change?

Talk to your boss, talk to your peers, talk to your team, look at other options maybe even within the company, different responsibilities. All of those are things that you can take control of yourself. And frankly, start with a vacation. Vacations can go a long way. Take a week, take two weeks off, reset, come back, have that new perspective.

[David Spark] Well, I will argue that some people have said, “Well, that’s for the individual,” just echoing something we’ve talked about in a previous segment. That if you have a messed up culture, this is a different story, and the person’s stressed out, which kind of teases the beginning of this discussion, they’re just going to come back to the [Laughs] same messed up culture when they come back from vacation.

[Mike Johnson] Sure, but they’ll also have a more clear mind.

[David Spark] Yes.

[Mike Johnson] And they’ll be able to come back and try and separate what are the things that they can control? What are the things within that culture that they can deal with? And what can they not change? And if it’s something that they can’t change, then it’s time to look for another opportunity or to take that break.

[David Spark] All right. Rob, I throw this to you. Have you or any of your staff members said, “I got to step away”? And is it more of a take a vacation or truly like, “I got to leave the job”?

[Rob Allen] As Mike said, it really is a personal decision. There’s so many different variables, there’s so many different circumstances. I mean, realistically, if it ain’t making you happy, and as you said, if you’re just doing it for a paycheck, maybe it’s time to look at something else.

I mean, I’m a really bad example, or I’m a really bad one to talk about this because I’ve worked for nearly 20 years for one company, frustrated or not. And actually, interestingly enough, I had one of our younger team members here, a 21-year-old yesterday, talking about career advice and where their career was going.

Now, that made me think back to when I was 21, when the last thing on my mind was a career. It was mainly girls, to be perfectly honest, and a bit of sport. That’s basically it. So careers didn’t even come into it at that point. It was literally just a job.

But I mean, fundamentally, and this advice I give anyone, if you can find something you love, something that you want to do, something… I mean, what I do, I would do it as a hobby. It’s a really nice benefit that I actually get paid for it as well. And if you can find something like that, it is the perfect situation.

So, I mean, I’m not saying everybody should look for that. I’m not saying everybody will find it. It may be a unicorn job. But the fact of the matter is what I’m doing for a living, I would happily do as a hobby. And it is just a really nice benefit that I actually get paid for it as well.

[David Spark] Are there any hobbyists that work for ThreatLocker?

[Rob Allen] Are there any hobbyists? Yeah. I mean, we’ve got all sorts of people that work for ThreatLocker. I mean, we’ve got… One of my…

[David Spark] Wait, what’s the most unusual hobby of any employee at ThreatLocker? What’s the most unique unusual hobby you’ve seen?

[Rob Allen] Okay. Very quick aside, I play with drones from time to time. I took a drone out at our company sort of meeting, get-together thing about a year ago, and I was doing some really cool pictures [Inaudible 00:34:31]. And we have a lake outside of our office. I was flying over the lake, I lost control of the drone, and the drone very slowly and very sadly sank into the lake, or landed in the lake.

One of our guys, he was in our applications team, he’s now in our infrastructure team, decided that it was his mission to get my drone back.

[Mike Johnson] [Laughs]

[David Spark] He dove for it?

[Rob Allen] Okay? He went out in waders, first of all. So he waded out about six or eight feet, and then discovered that it got really deep, really quickly. So that was plan A. Plan B was he actually took a boat out and fished for the drone, like net fishing, trying to get the drone out. Now, I don’t know if that truly counts as a hobby, but I mean, it really showed a level of dedication that I did…

[Crosstalk 00:35:17]

[David Spark] Did he get the drone back?

[Rob Allen] No.

[Crosstalk 00:35:20]

[Mike Johnson] [Laughs]

[David Spark] I wanted to see that picture of the drone coming out of the net.

[Rob Allen] I actually do have a picture of him in the boat on the lake, so I will find that and I will send it to you, David.

[David Spark] Well, bless his heart for looking. Who knows if that thing would work taking it out of the water, though?

[Rob Allen] As I said, he was more interested in recovering my drone than I was. I just called up DJI, who I got it from, and they sent me out a new one.

[David Spark] That was nice.

[Mike Johnson] Insurance.

[Rob Allen] Yeah. No, I did have insurance on it. [Laughs]

[David Spark] Good. You know some people are not good pilots as Rob has just proven.

[Rob Allen] Excuse me. There was nothing wrong with my piloting. It was a fault in the drone as far as I was concerned.

[David Spark] We are going to leave it at that as long as DJI wants to know. It was a fault in the drone, not Rob’s piloting skills.

Closing

[36:00.609]

[David Spark] Well, that brings us to the very end of this show. I want a huge thanks to our sponsor, and that would be ThreatLocker. Remember, it’s ThreatLocker. Remember ThreatLocker, Zero Trust Endpoint Protection Platform. They have a slew of different products. I’m sure there’s one that you’re going to like. Go check it out at ThreatLocker.com.

Thank you, Mike, as always for your great participation since day one on the CISO series. And Rob, you’re always hiring there over at ThreatLocker. And any special offer, anything you want to mention about ThreatLocker at the end of the show?

[Rob Allen] Yes, David, we are always hiring, ThreatLocker.com/careers, if I’m not much mistaken. Anything interesting new? I mean, you’ve spoken about the new stuff already. That’s kind of the icing on the cake, really. The cake itself is all the controls that we didn’t really get into in terms of allowlisting and ring-fencing and network control and all that fun stuff.

So yeah, check us out on ThreatLocker.com. We have YouTubes. We have LinkedIns. We’re on all the socials. We’re actually starting a new series of webinars very soon, which is going to be 100 days of how to harden and secure your environments. So we’re going to do weekly webinars for 100 days, giving people practical and useful and solid advice as to how they can harden and secure their environments. That’ll be on YouTube, maybe.

[David Spark] It’ll be somewhere. I’m sure you can find out on ThreatLocker.com.

[Rob Allen] Correct.

[David Spark] By the way, many of the products that he mentioned are also a part of our new show, Security You Should Know, where our other host, Rich Stroffolino, is interviewing Rob along with two CISOs or security leaders interviewing Rob about the product. So check that out. It’s pretty darn cool. Just 15 minutes to learn about each individual product. And so if there’s one that interests you, go listen to the episode. And also, not only that, Rob does a demo for me of that very product.

All right. That is the end of our show. I want to thank Rob Allen. I want to thank Mike Johnson, and I want to thank ThreatLocker. Thank you so much to our audience as well for your contributions and for listening to the CISO series podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review.

This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series podcast.