The CISO's Gambit

Brent Deterding, CISO of Afni, knows focusing on empathy yields benefits for his personal and professional life. Whether raising foster children, meeting with vendors, or analyzing cyber attacks, his policy of treating others with dignity opens new doors and creates opportunities. Learn how being transparent in conversations helps him avoid costly mistakes, discover solutions, and maximize discussions.

What is The CISO's Gambit?

The CISO's Gambit podcast is a pragmatic cyber risk dialogue between cyber security leaders from leading organizations, like Zscaler. Topics span technical and non-technical aspects of cyber risk, cybersecurity, privacy, transformational change management, and the evolving role of the CISO as a thought leader and change agent. The podcast covers current risks, what's on the horizon, and how CISOs can help deliver business value that lowers risks, flattens the total cost of controls, and reduces security friction on user experience and business velocity.
You can subscribe to the podcast feed on Apple Podcasts and Spotify.

Speaker 1:

Being a CISO is like waging a never ending chess game against players you don't know, can't see, and attack without warning. On this podcast, cybersecurity

Speaker 2:

Today, we are joined by Brent Deterding, chief information security officer at Afni, an outsourcing and offshoring firm based in the Midwest. Brent is a passionate security professional with an open and honest, what-you-see-is-what-you-get mindset. His drive for excellence and goodness extends into many parts of his personal life, such as adoption and foster care. Buckle up for this memorable discussion with a 25-year industry veteran, who in his own words, is a student of cybersecurity, people, culture, and leads from the front with empathy to advance a positive culture and promote resiliency in our industry. Brent, thank you for joining us on The CISO's Gambit today.

Speaker 2:

It's a pleasure to chat with you.

Speaker 1:

Thank you.

Speaker 2:

When I was talking about how we wanted to get the year kicked off, I was sharing with my colleagues, Chris and Dan, the opening that you gave during Evanta Chicago. It was a moving and powerful message that I took away, and I know a couple of our peers had a similar reaction. In your discussion, you were sharing the things that motivate you and you're passionate about. One of the things you're passionate about is our industry, our space, and our role in the larger cybersecurity realm. And what I've said for a while is that this kind of passion, it doesn't come from nothing.

Speaker 2:

It comes from something else. And when you began sharing your experiences as a leader, as a husband, as a father, that's when I started getting a small peek behind the curtain. I would love to hear how you came to the space. What drove you into it? I know you come from a very deep technical background, and something that was quite disarming was you're like, hey.

Speaker 2:

I'm kind of new into the role, and I think I'm doing pretty good. It was very it was very vulnerable. Like, it was very vulnerable, and that you don't hear that too often.

Speaker 1:

Yeah. Sure. So, this is it. So I'll tell you a funny story that is that is indicative. So I am 44 years old.

Speaker 1:

I was born in 1979. So in 1986, here in the US, there was a little baby, fell down a well in Indiana, baby Jessica. K? And I'm sitting there at 6 or 7 years old, however old I was, and it was not this was one of the first, like, major news coverages, in the US. And I looked at my parents.

Speaker 1:

I'm an older child. I looked at my parents and I said, why don't they just shoot her? What? Parents for death. Like, how do you Wait.

Speaker 1:

Like like, shoot her? Yes. Like, shoot her down the well. I was like, can't miss. And then and my parents were like, what the what in the no.

Speaker 1:

You can't do that. And I was like, it's not looking too good for her. Put her out of her misery. I am, by nature, an incredibly unempathetic person. I don't empathy is not is not a thing.

Speaker 1:

Like, I was 6 or 7. You don't make this up. Right? I had to work on developing my empathy, and I worked on that. My faith I'm a Christian.

Speaker 1:

My faith is a very big deal to me. I'm Lutheran. LCMS Lutheran. And I I prayed for a level of empathy. And I wanted to be an empathetic person, and I knew that I was not.

Speaker 1:

Now this also, looking back, it limited me in my career because what people told me was the golden rule. Right? Treat other people how you would want to be treated, And that's a bunch of crap because how I wanted to be treated is not how anyone else in the world wants to be treated. Right? With myself, like, I wanted to be dealt with, which was very harsh and blunt and not very kind.

Speaker 1:

Right? So when I learned, other people how they wanted to be how they wanted to be treated, my career really took off and do very well. I was looking back. So I'm praying for throughout the sympathy, and it took a while. Right?

Speaker 1:

But there's very little that me and God can't do. Alright? And in this time frame, kind of in there, my wife and I, had been married for 5 years and wanted to start having kids. And we were unable to, and we dealt with infertility for 5 years. And if one thing will make you appreciate that everyone is going through something some time and have some empathy.

Speaker 1:

Infertility did that for me in in spades. Right? And so I learned that everyone is kind of going through something all the time, and I became what I think is a relatively empathetic person. Now I still am who I am, but, God has been able to work on me to develop some level of empathy. Now throughout we had my oldest child.

Speaker 1:

He's 11 now. Had him through advanced robotics technologies, and adoption or foster care was never on our hearts, right, until it was. And then all of a sudden it was. And not only did we adopt domestically, we adopted transracially as well, which is a whole another ball of wax. Right?

Speaker 1:

And there again, like, you have a choice in for example, how you look at birth mothers and how and the choices they make. I love my son's birth mother. Right? I love her because she made 3 outstanding choices. Right?

Speaker 1:

Despite any other life choices, she made a choice for life. She made a choice to make an adoption plan, and she made a choice for us, for my wife and I. And I think that was a good idea, so go figure. Right? And then that also led us to, foster care because we can all say any number of things that we want about politics, religion, people, blah blah, whatever.

Speaker 1:

But if you wanna if you wanna put your money where your mouth is, then okay. But then, like, I've I've been there and done that. Right? And we're part of an organization, and this is the organization that I introduced at that event called Called to Care out by out by us in the cornfields west of Chicago. And it is an outstanding organization because we are not all called to be foster parents.

Speaker 1:

I promise you it drives a bomb in your life. Right? But we are all called to care. And loving on kids in nasty situations is something that just about everyone in the world can agree is a good thing. So it's a very practical way.

Speaker 1:

And one thing that has been so satisfying for me is our ability to kind of inspire other people to be part of. And I talked about it at that event. We have CASA, which is court appointed special advocates. My wife is one. We have friends who are one.

Speaker 1:

We have you have to learn a little bit of vulnerability, as you mentioned, yourself because we have things that we could do on our own. But if we say, hey, guys. I need help with a crib mattress because ours, like, the elastic is done. Can someone go buy me a crib mattress? Then that gives people the ability to say yes.

Speaker 1:

That whole event at Evanta was filling duffle bags with some stuff for kids in foster care. It gave people an ability to do something, to do and express their care and concern, and that's outstanding. I love those kind of events.

Speaker 2:

It was cool because not only was it tied to something that you're very passionate about and is important to you, but to be able to share that with the rest of the executive community is not something we often get to do outside of our friends.

Speaker 1:

Yeah. And it's cool to be able to do that because people are thankful for the opportunity, because in general, people want to help. People want they are willing to help, and they want to, but they don't necessarily know how. And all too often, all you have to do is invite them. And if you invite and you give the opportunity people do that.

Speaker 1:

Sometimes it's once, sometimes I've had people that came to me and saw a post I wrote and was like, dude I'm in. And they became CASAs and they're helping kids all over the place. And you're like, that's freaking outstanding. Like, that's way more, like, I I just like talking about this stuff. I like it, and I like having other people, recognize that some of these things exist so they can go do whatever, and that's outstanding.

Speaker 1:

So to to, every now and again, see, like, I planted a seed, and and it grew, and people did all this awesome stuff. You're like, That's that blows blows me away. It's awesome. So I I I love that kind of stuff.

Speaker 2:

In your description and and what you were sharing, where there's so much of our profession where that's not always celebrated or encouraged, where perhaps that 6 year old version of you that was a little more cold hearted, pragmatic, In certain circles, that's kind of how you get on, but I've always fundamentally believed that the best cybersecurity folks are not only the most optimistic people, but are also the ones that are not okay with status quo.

Speaker 1:

Right.

Speaker 2:

And you've probably seen this in your career back, you know, and you bring an interesting point of view because you've been on the solution provider side. I'm curious about from your point of view as a professional and as your words, not mine, that you're still, quote, unquote, fairly new. You don't act that way. I've been around a lot of executives that are still struggling to to really share much about themselves as as a professional or as a human being. Right?

Speaker 2:

It could be pretty scary.

Speaker 1:

I met a random person at a bar one time. My wife was receiving an award for teaching, and I'm sitting at the bar. And I started talking to this lady, and she started talking to me. She said, you know, my kids say that I'm aggressively extroverted. I was like, I am going to use that word the rest of my life, that term.

Speaker 1:

I am aggressively extroverted. And but it's also that I'm very transparent. I'm very vulnerable. In fact, one of my favorite sayings is that I am consistently good at a couple things in life. Other than that, I pretty much suck at life, and I've seen me do it.

Speaker 1:

And and it's funny because when, like, my friends will see me do something, and I'm like, boy, you kind of screwed that one up. And I was like, this doesn't surprise me. Like, if it surprises you, I don't know why. I'm good at a couple of things. Other than that, not so much.

Speaker 1:

But that authenticity and that transparency and that vulnerability forms relationships quickly. And at the end of the day, relationships matter in immense amount. And honestly, I don't have time for drama. So I'm the same person at home, at church, at work, wherever. Like, what you see is what you get.

Speaker 1:

And that isn't all good, and it's not all bad. Right? I mean, I'm like, I bring something to the table. I mean, I have some level of skill somewhere. Right?

Speaker 1:

But it what it also does is it encourages other people to be vulnerable. So way before adoption and foster care, I was like, I would say, like, I'm not afraid to say about my faith. I'm not afraid to say that my wife and I struggled with infertility. You have no idea how many people quote come out of the woodwork just say, oh, man. My wife and I are, you know, like, working to get some testing.

Speaker 1:

And I'm like, yeah. I know all about it. Right? And we'll talk about that in a transparent, forthright manner. Or how many people have I had come and say, you know what?

Speaker 1:

I I grew up in this system. And I was like, really? And you talk and you talk about how adoption affected them later in life or how foster care affected them and how that is meant. And then I can be a more empathetic. I can be a better foster parent.

Speaker 1:

I can be a better parent. Like, when I talk to a ton of vendors, I benefit from their experience, expertise, and wisdom. When I talk to, when I'm transparent and people talk, it validates me and it it makes them know that they're not alone. You have no idea how many cyber security professionals I've talked about. Fertility test for men.

Speaker 1:

I mean, that's not a normal topic of conversation, but you talk about that, and you're vulnerable. And that is what has created some of my longer lasting friendships in the industry because, like, we may we're like they were doing offensive security whatever, and I was doing catch the bad guy early, or they were doing product management or whatever. But you talk about that, and all of a sudden, like, I talk to them once a quarter. I know their wife's names. I know the kids.

Speaker 1:

I ask about them. I do all that. Like, that's cool. And at the end of the day, like, I love cyber cybersecurity, but, like, I like people. I mean, I like people.

Speaker 1:

I like relationships, and I've benefited, and I hope they've benefited too. So it it works out for all involved.

Speaker 2:

You shared something before, we started the recording that you've put a level of rigor around communication within LinkedIn and also giving back in some way to to the community. Can you help me understand a little bit more about that? You mentioned that it benefits others, and it also benefits me. Is that kind of falling in that same realm Yeah. Of how you're looking at it?

Speaker 1:

Yeah. So, one thing that I recognized long ago was I was in the operation center, and, we had extremely good margins and crazy levels of what we call Net Promoter Score. Right? So, acceptance by our clients. Like, it was in the seventies, which is, like, drink the Kool Aid Cult kinda thing.

Speaker 1:

Like, I've had tons and tons of clients invite me to their kids' birthday parties. Right? That doesn't normally happen in a professional environment. So when I when I did that and and figured that out, I was like, why is that? Why did we succeed like that?

Speaker 1:

And it was culture. And then, you're talking to hundreds of clients per year, and you can smell culture. You can smell good culture. You can smell bad culture. And partially because of that, then when I was out of operations and I'm in a sales role, and I would, I was in a global sales overlay sales engineering kinda role.

Speaker 1:

And I would come out of some meetings, and I'd be like, they're owned. Like, they're they're completely owned. They don't know it yet, but they're owned. And the seller would be, like, why? And the SEO would be, like, yeah.

Speaker 1:

I didn't hear them say anything. Like, you can smell it. Like, they just they are. And then it shows up, then they're they're 3 months later, they hit the IR hotline, and you're like, well, I told you. Right?

Speaker 1:

But it's the breadth of experience with hundreds of environments that gave me that spidey sense. And really what that is is it turned experience and expertise into wisdom. And so I love talking to vendors because, one, I like to think that they benefit, but, also, I benefit from their vast experience. I know a lot about catching the bad guy early in the kill chain. That's what SecureWorks did.

Speaker 1:

We kicked butt at it. We still do. It's a good they do. It's it's great. Right?

Speaker 1:

I don't know anything about like, when I first became a CISO, I knew very little about PAM, for example, or any number of things. And so if I get on a call with the vendor, and I'm like, hey, guys. I have this great background doing all this stuff, but, like, you need to break out the crayons for me and explain this. Cool? And then they would.

Speaker 1:

And then I go, okay. Well, based on lessons that I learned in my career, in 2005, I learned that thou shall not change the minimum segment size of network. And if you do, you need to stop because that's a bad idea in almost all cases. Right?

Speaker 2:

Do you mean from a from an IP segmentation layer 3, layer 4 point of view?

Speaker 1:

Yeah. I mean, you people attempted to do it with weird VPN configs and MPLS and all that. But but right. Yeah. Exactly.

Speaker 1:

Well, but you take that technical lesson, and what that does is it it in your soul, you understand square pegs and round holes don't go together. Right? So then you take that, and you look at and you look you hear you have a a vendor break out the crayons and explain something to you, and you say, okay. Well, based on my experience, I know that square pegs and round holes sound good together. And I believe that in my soul, because I felt that.

Speaker 1:

I've been burned by that. I understand it. So I believe x because a, b, and c. Now do you know why because of d, e, and f? Because if you do, you didn't tell me about it.

Speaker 1:

Right? And so I benefit from their experience, expertise, and wisdom. And even if they don't have the wisdom, I can ask the questions that get me that wisdom. So it's a way to level myself up as a a CISO, like really, really fast. Right?

Speaker 1:

Because I benefit from all this experience that all these people have, and then I, like, I am completely and totally willing to benefit from other people's fortune or misfortune. If someone screws it up really really bad, I don't I'm not going to be a vulture, but I want to see it. Like I want to learn and be like, oh, that looks like it hurt. I don't want to do that. So what do I need to do?

Speaker 1:

And to some degree, we all do that. I just like to, like, I view vendors as a fantastic way to level myself up on and I'd like to think that they've benefited and quite honestly, I'm aggressively extroverted and up here to quota, and I kinda like salespeople. So

Speaker 2:

Yeah. It's it's fascinating you share this, point of view, because there was a point in my career where I was one of many cybersecurity leaders that just assumed the vendor is the enemy.

Speaker 1:

Mhmm.

Speaker 2:

And it wasn't until my COO, who was my boss, really sat me down and explained to me how business works and the importance of partnership and the importance of, getting to the same place. And, he said to me one time, he goes, Well, do you work for free? And I said, Well, of course not. And he goes, So why do you think they were

Speaker 1:

right?

Speaker 2:

And I was like, oh, I get it.

Speaker 1:

And I mean, there's So there's plenty of bad behavior on on vendors. Right? I mean, whatever. Sure. But there's so much good.

Speaker 1:

Like, I can rattle I had a post the other day, and I rattle. I'm like, here. Call people out. You it got 25,000 impressions in, like, a day. It was awesome because we were like, they're awesome.

Speaker 1:

They're awesome. They're awesome. They're awesome. And I'm like, yeah. I can rattle off all sorts of people from big dogs to first little startups to vendors to, event planners to coaches to all every possible company.

Speaker 1:

I am someone that I'm like, oh, they're doing it well. They're doing it well. They're doing it well. And at the end of the day, a lot of those companies that I I have 2 companies I ran into this week that I will absolutely recommend to people in a heartbeat that I have no intention of ever doing business with. It's not for me.

Speaker 1:

But I don't have to defend environments that it's appropriate for. I have to defend my environment, and I don't need it. So I'm not mad, but I'm good. Right? So whether we do business or not doesn't mean that we can't be civil.

Speaker 1:

Right? I mean, people matter. Don't be an asshole. And it that's really a lot of it, honestly, is treat me like a person. Oh, yeah.

Speaker 1:

Right? Normal human interaction. Treat people like people. Don't lie to them. Don't waste their time.

Speaker 1:

Internalize. Don't be an asshole in your soul, and you'll be fine.

Speaker 2:

So with your perspective on vendors, I can only imagine the influx of cold emails that you're getting, cold calls either to your staff or to yourself directly around the latest and greatest AI or ML or Gen AI, LLMs, you name it.

Speaker 1:

Yeah.

Speaker 2:

From your point of view as being on all sides of the house effectively, what are you seeing that is exciting to you about where we're moving directionally, as an industry in adopting machine learning Yeah. AI. So And where where does it have you kinda going like, yo, pump the brakes. Like

Speaker 1:

Well, so I I'm I'm working through this. Full disclosure. I am working through I might feel differently about this tomorrow. Right? But where I am right now is, I'm actually gonna this is the bones of the speech I'm giving in 3, 4 weeks.

Speaker 1:

I think that as an industry, like, for all of us, not for one individual, but as an industry, the bad guys are going to leverage AI more completely, more efficiently, and way faster than we will. And I also don't think that time changes that. Like, I don't think that we flip the script in 12 months as an industry. Right? So even things like code generation, for example.

Speaker 1:

I am not confident that AI is able to write secure code because I don't think that we are asking it to do the right things. So I think the I think the problem statements that we are asking AI and machine learning to solve are too broad, and we're way far away from generalized AI. As a now that's all fine and good. That that's fine and philosophy and whatever else. And people can agree or disagree.

Speaker 1:

Whatever. That's fine. The more practical question is, what the hell am I gonna do about it, right, for my organization? Right? And I have a couple of answers for that.

Speaker 1:

One is that, embracing AI is a good thing because it's gonna happen. Right? So embrace it for your users and all this. Like, don't stand in the way of the train. Right?

Speaker 1:

That's that's easy. Right? The other thing is where we might wanna pump the brakes is using that Spidey Sense, that BS detector to say, like, that's a good problem statement for AI. That is not. Because and I understand this touches emotionally differently and psychologically differently, but is there a difference between a $1,000,000 breach and wasting a $1,000,000 on something that isn't used?

Speaker 1:

Either way, it's a $1,000,000 loss to the company. Right? I understand the psychology of it and all that. So part of this whole AI thing is preventing our companies, preventing our organizations from doing things that are dumb. Now it may be dumb from a security perspective, but just in general dumb.

Speaker 1:

Like, that's not gonna work well. Problem is a lot of us might not necessarily know which is a good use case and which is not. And so we're there's gonna be some educational time in there. Now can we also, like, so that's incumbent upon us to learn a little bit. And there's gonna be, like, the standard hype cycle, right, where there's gonna be a lot of people who start doing stuff, and a lot of all that is gonna fall away soon.

Speaker 1:

So one of the determining factors for me because a lot of this is not AI that we are doing. It's what our vendors are doing. Right? So a big deal to me is how are the vendors using AI, and how are they positioning it? So I can tell you that if your lead into me is, oh, we're an AI company doing blah blah blah blah blah, That is not very appealing.

Speaker 1:

What is appealing to me is, hey. Here's the problem that we're solving. AI happens to be useful to do that or to do part of that. That's great. When I worked for SecureWorks, I was like, hey.

Speaker 1:

We've been doing AI machine learning, people learning stuff for appropriate problems, and you have to recognize a couple things. One thing that you have to recognize is you have to define a problem that AI is well suited for. 2, you have to realize that the vast majority of what you try is gonna fail. And 3, you have to realize that for some problem statements, 2% efficacy is rockstar. Like, if you get 2% efficacy out of some things, you're doing good.

Speaker 1:

Right? So take that world and apply it to code generation. Okay? Or fixing code. Now, I believe, because I've talked to some people who know a lot about this and our starting company is doing this, I believe that AI can be used to fix crappy code and make it secure really well, like 90, 95 percent efficacy.

Speaker 1:

If you give it very well defined things, Like, oh, we're gonna do these things in these languages. We're gonna solve this problem in these languages, and we're gonna scan a boatload of code, and we're gonna suggest fixes that a human has to evaluate. Okay. I believe that. So as an industry, can we all do that?

Speaker 1:

No. As an individual company and organization, can we leverage AI to do those very specific things? Heck yes. And we should. And that may look like catching bad guys, like risky sign on behavior is a great example for AI and machine learning stuff.

Speaker 1:

Right? Good. Cool. Use that. That's good.

Speaker 1:

Now I'd be remiss to not back up and say that I like to avoid the problem in the first place. So for example

Speaker 2:

Sure. Yeah.

Speaker 1:

People are worried about phishing. Right? So how do companies lose money? They lose money via ransomware and business email compromise. Those are the two two main ones.

Speaker 1:

What are the vectors for that? Phishing, stolen credentials, and external vulnerabilities here and there. Right? Okay. If you have a 100% of your users, have strong MFA, and you do not allow BYOD, are you worried about that?

Speaker 1:

Not really. I have a 100% coverage on YubiKeys. How much do I care about phishing? Not really. How much do I care about AI doing really, really good phishing?

Speaker 1:

Who cares?

Speaker 2:

It's about the same.

Speaker 1:

I can publish over YouTube and password to him on the Internet and really not care. I'm not doing that, but Yeah. It's a good theory. Right? So

Speaker 2:

Yeah. Yeah.

Speaker 1:

I like side stepping the problem, and that allows me to sit there and watch and be like, hey. Sucks for you, bro. But that also allows me to define the problems, because if I'm not worried about that stuff, then I can focus effort on other things that enable the business to work better, more securely, avoid cost, enable sales, more efficiency, ensure compliance, all that kind of stuff. And I like focusing on more interesting, more important problems, and I do not like I don't like doing work without progress, basically. So that's a long rant on AI, but there you go.

Speaker 1:

That's the of the talk I'm giving in 3 weeks.

Speaker 2:

Well, I I it's interesting because there have been a variety of perspectives. Some of them that are really far into the future. Hey. The industry is going to disappear the way we currently know it Yeah. To Mhmm.

Speaker 2:

Which is like, okay. Sure. I'll bite. Let's have the conversation. I think it's an a fun, intellectual exercise.

Speaker 2:

Then you have the others, where, you know, actually, Sam Curry was on the show. He's he's done a lot of AI research in the past, and, we were talking a lot about, and it goes back to what you were saying about secure coding. Right? About data poisoning, which is, should we not believe that there are bad actors right now purposely feeding bad data to these LLMs? And the answer to that is, of course, they are.

Speaker 1:

Of course they are.

Speaker 2:

Of course they are. And you likely also have people with good intentions doing a similar kind of thing as well, whether they realize it or not. In terms of your business where you're currently at right now, and, it's pronounced Anfi. Right?

Speaker 1:

Afni Afni.

Speaker 2:

And seeing where some of these tools might be beneficial, not just from a security perspective, but also from enabling better customer outcomes, better client outcomes, how was the organization looking at it? And, are they looking to you to say, hey. Guardrail this thing, or are they telling you put it back in the box or none of the above?

Speaker 1:

Oh, no. No. It it it so it is, a lit a little bit cautious, but very much how can we leverage this. How can we leverage it to improve our outcomes for our clients? Right?

Speaker 1:

And we partner we partner closer with our clients to do exactly that. Now will we use it also for our own, you know, resource management? I mean, we run call centers. Right? Yes.

Speaker 1:

A big, big chunk of our business is front of call centers. So can we leverage AI to figure some stuff out? And can our business intelligence guys, can they use it? Absolutely. Right?

Speaker 1:

Can we also use it to improve the experience of my clients' customers, that we're interacting with? Yes. Absolutely. And we are absolutely doing that. That is in the, like, building our own models kind of thing based on our own training data.

Speaker 1:

Then there's also the normal I shouldn't say normal. The very common aspect of, like, Bing Chat Enterprise and and junk like that. And yes. Now do we instantly go, oh, and have no concern about it? No.

Speaker 1:

But we're moving quickly because what would you rather have? Would you rather have people using OpenAI for whatever the hell they want? Or would you rather say, hey. Here's Bing Chat Enterprise, and here's how you can use it. I'd rather give them I would rather give them the alternative that I would like them to use.

Speaker 1:

Right? And I would rather help them use that. Now when we get to Copilot, okay, but there's some cost involved there. So there's a business case to make there. But then there's also some let's think about this a little bit.

Speaker 1:

Right? And now I am in the position where if I were Boeing or if I had crazy amounts of intellectual property around, I feel a little bit differently. But I don't have to defend Boeing. I have to defend Afni, and that's a great place to be. So my organization, where we make money, how we make money, what our risk is, whether we're public or private, IP, all this stuff matters.

Speaker 1:

Business context matters. And so for my environment, I am I'm I'm generally okay with it. I mean, we still talk in guardrails in our life, but I'm not standing in the way of this. I am heavily involved in the process to make sure that we're able to do things in a way that is reasonable risk for the company and that enables the business. Right?

Speaker 1:

And I think that's the only real way that you can go about doing it. Like, I mean, like, do for example, let's say there's some piece of information on the Internet that you don't want to exist on the Internet. How easy do you think it's gonna be to get that off the Internet? Impossible. Right?

Speaker 1:

Like, you can go at like, you can waste your effort and time doing that, or you can just embrace it and say, hey. This is the way things are gonna work, and work with it. And that's the process that we've taken. And I believe that we can do that in a safe and secure manner for my organization. That may not be the case for everyone else.

Speaker 1:

Right? But for my organization, hey that's fine. If I'm, again, if I'm designing fighter jets, we're gonna have a different conversation, but I'm not. I'm running call centers. I'm good.

Speaker 1:

Right?

Speaker 2:

The point of view that you shared is something that always makes me chuckle, also get a little concerned. The number of times I've heard organizations say, well, how do we compare to our peers?

Speaker 1:

Uh-huh. Who

Speaker 2:

cares? That's what I always think.

Speaker 1:

Yes. It's like,

Speaker 2:

well, let's see what let's see what data we've got, but you would really wanna play keeping up with the Joneses

Speaker 1:

I like perhaps. But also, like, normal sucks. So I don't I don't wanna be normal. Yeah. I don't wanna be like a.

Speaker 1:

Like yeah. That damn. I that's fine. I get that question and we're known again. I might ask that question and we're known again, but, like, I don't know.

Speaker 1:

I don't care. Like, I I I care about what makes sense for my organization. Right? And what makes sense for my organization may be dramatically different than other people or other organizations. Right?

Speaker 1:

And and that's and that's fine. And, honestly, like, I there's value in being different.

Speaker 2:

There absolutely is. Something that you shared about your your previous experience having worked across and advised so many other leading companies before you went to Afni was the diversity of perspectives that you could get. And what I'd like to know from your point of view, what are two things that you feel that the industry is still self inflicting wounds on themselves? And on the inverse, what would you say might be three things that you feel are moving in a very positive direction industry wide?

Speaker 1:

Sure. This is like the magic wand question. Like, if you had a magic wand, you had to fix 2 things, what would it be? I think one of them one of them would be that we have a matching problem in cybersecurity in general. That is we have we have plenty of we have plenty of jobs.

Speaker 1:

We have plenty of people, and they're just the matching is all jacked up. Right? And I you know, I'd I'll give you an example. Right? Job recs say, we want someone who has 10 years of experience in this particular vertical to do this role.

Speaker 1:

You know what? Okay. So you just limited your scope, like, dramatically. Conversely, why don't you say, this is the skills that we need to do this role. Because I have interviewed many, many hundreds of technical practitioners back in the day.

Speaker 1:

Right? I'm staffed operation center. In fact, when I worked at at SecureWorks, I I was like a a bar raiser kinda guy. Like, I I went around interviewing people for other portions of the company because I was pretty good at interviewing, and I had a pretty good spidey sense of people. And what I really cared about was not head knowledge.

Speaker 1:

I can cram knowledge and brains. That's not a problem. What I cared about was coachability, grit, and resilience, primarily. Right? And there's a bunch of different ways you can get that, but largely, it's it's a gut feel.

Speaker 1:

You you can smell it. Right? That kind of stuff. So that's one issue is the the matching the matching issue. And another one I'm not sure that this is, like, the most important, but it's one that comes to mind because it kind of grinds my gears a little bit.

Speaker 1:

And I haven't talked about it in a long time, but that is learned helplessness. Right? So I like, your circumstance, whatever your circumstance may be, is the result of your decisions. And if your life if you're burned out and you hate life and it sucks, maybe you have a toxic environment. I don't know.

Speaker 1:

You don't have to work there. Maybe you feel compelled to especially, I'm I'm not talking for all people for all roles, for all time. But I'm talking about CISOs a lot. White collar workers in in first world countries.

Speaker 2:

Alright?

Speaker 1:

And there's all this, like, language that people use that might be accurate. Like, oh, it's not a matter of if but when. Okay. True. Right?

Speaker 1:

But when you weaponize that, it irritates me, because it's like, I'm not a victim. I'm not a my stress is not a burden, and my satisfaction is through the freaking roof. I love what I do. I love every moment of what I do, and I'm not a victim. And I've chosen a lot of things and I choose how I respond to things, and that is adult behavior stuff.

Speaker 1:

And so I'm not calling anyone wrong. I'm just, like, I I don't know. I'm not a therapist. I'm not a psychologist. That ain't my gig.

Speaker 1:

That's not I'm not calling anyone out. I'm not saying that. But it just seems like we have a lot of people who are burned out and feel as if they're victims and they're they're helpless to change their their circumstances. And I don't believe that to be true, but I also don't know how to fix it, per se, but this was a magic wand question, so that's why. Boom, fixed it.

Speaker 1:

As far as, like, three things that I think we are doing well, I am extremely optimistic because we have, at least my experience is that we have rock star levels of community that we do really, really well supporting one another. And that's my experience and has been for 20 years, twenty plus years. Right? So I like that a lot. I am also eager because although we might complain a little bit about things like SEC regulations and lawsuits and liability and all those, we're kinda getting taken seriously.

Speaker 1:

Now whether we're up to attack I mean, to some degree, this might be like the dog catching the truck. It's like, oh, shit. What do I do now? We're gonna have to figure that out. But in general, I like that.

Speaker 1:

Like, that's a truck. Yeah. In general, I like that because it is forcing us to earn our seat at executive tables. And I think that that is sometimes painful, but a very good growth opportunity for us as an industry. And

Speaker 2:

Yep.

Speaker 1:

Another thing that I like is I see a lot of people talking about sales, marketing, clients, relationship stuff, there are a lot of people out there saying very similar things to what I do. You know, I mean, Danny Wolf, Clark Bander. Like, there's a lot of people saying really good stuff. Right? About this whole vendor thing.

Speaker 1:

And I'm hopeful and I'm eager to see, that makes the impact absorb into the the VC firms and the chief revenue officers and all that kind of stuff where they start not driving the metrics that drive the the crappy behavior that checks us all off and that we're able to partner better and emphasize relationships more. So I think those are those are some of the things I think that we're doing very well and that also some things that if I had a magic wand, I go, poof. We're not doing that anymore.

Speaker 2:

So, Brent, I I'm very grateful for you, coming on the show, sharing your enthusiasm and your point of view, which I think is really needed from the point of view of positivity and that optimism because as you mentioned earlier, it's so easy to get caught into the negative cycle, whether you it's the learned helplessness or it's the world is against me, this kind of mentality, which, you know, I think all executives have to deal with that in one way, shape, or form, irrespective of the cybersecurity discipline. But it is a it is an important point that you really call out that, you know, there are some really big positive things that are happening. If somebody would like to, learn more about the content that you're putting out Yeah. What would be the best way for them to follow you? Would that be LinkedIn?

Speaker 1:

Yeah. Link LinkedIn is it. I put out about 3 right now, about 3 pieces of content a week. Everyone does this differently. I wrote, like, all my content over, like, Christmas break each year, and then I use Buffer, a little $6 a month tool, to schedule that out.

Speaker 1:

So it just it it I wrote it, and it just it goes. Right? And some resonate, some don't. Whatever. Like, I don't really, like, have a purpose to it.

Speaker 1:

I'm not, like, selling anything. I just figured that having a good strong network is never going to be a weakness. So and and I like it. It makes me better. I I hope it makes other people think.

Speaker 1:

Like, the biggest compliment to me is you made me think. You can agree with me or not. That's fine. But if I made you think, then I feel good about that, so it it's worth it to me. It's not some time, but LinkedIn LinkedIn is it.

Speaker 1:

Hit me up. I tell I actually answer cold calls, at least some of the time. And I was telling them, like, yeah. This is 2024 work. Phone calls.

Speaker 1:

Not okay, especially 5:30 in the evening when I'm trying to get my kid to wrestling practice. But hit me on LinkedIn. I will read what you write. Now my little story. I posted something just a couple days ago about bad outreach and bad lead gen.

Speaker 1:

Did this. Someone liked my post, sent me a connection request on LinkedIn, and promptly sent me a cold email. I was like, come on, man. Really? Like, you read the post that said don't do this, and then you did it.

Speaker 1:

Right then, in, like, 2 minutes. I was like, come on. Really? So you I still deal with that, but I deal with so many good, authentic outreach things. And I give I give I give time, and I enjoy it because we all benefit from it.

Speaker 1:

So hit me on my LinkedIn. We'll talk. You may agree. You may disagree. That's fine.

Speaker 1:

As long as you engage, you're good to go.

Speaker 2:

Brent, thank you again for coming on the show.

Speaker 1:

Yeah. Thank you.

Speaker 2:

You've been listening to the CISO's Gambit. I'm your host, Sean Corinto. Thank you for tuning in. If you enjoyed this show, please leave a comment and subscribe.

Speaker 1:

Content on this podcast may contain forward looking statements that are current as of the date of recording and subject to change. These statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. Full legal disclaimers are available at revolutionaries.zscaler.com.

Speaker 2:

Copyright 2022.