We’ve heard a lot of talk about the security risks with emerging AI technologies. A lot of these center around employees using large language models. But what about the potential benefits of this technology for cybersecurity? Could we eventually see a de facto AI CISO on the job?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Rob Duhart, deputy CISO, Walmart. Joining us is our special guest, Aaron Hughes, CISO, Albertsons Companies.
This episode was recorded in front of a live audience at the Watergate Hotel in Washington, DC. We were the opening entertainment for the Convene conference hosted by the National Cybersecurity Alliance.
Huge thanks to our sponsor, KnowBe4
[Voiceover] Best advice I ever got in security. Go!
[Aaron Hughes] Hire people smarter than you. This goes for security, banking, retail, doesn’t matter. Hire people smarter than you. A CISO needs to be great at context switching, doesn’t necessarily need to be a domain expert in every discipline, so always have smarter people around you.
[Voiceover] You’re listening to CISO Series Podcast recorded in front of a live audience in Washington DC.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. My co-host, my guest co-host for this very episode, it’s Rob Duhart. He’s the deputy CISO over at Walmart. Say hello to the nice audience.
[Rob Duhart] Nice to meet everybody. I’ll be pretending to be Geoff today.
[David Spark] Actually Geoff hosts the other show. He doesn’t host this show.
[Rob Duhart] Ah.
[David Spark] But you did do that show.
[Rob Duhart] I did.
[David Spark] We are available at CISOseries.com where you can find this show, Defense in Depth, which is the show that Geoff hosts as well. And I do want to mention our sponsor for today’s episode and that’s KnowBe4. Actually for those of you here in the room can see that their logo’s on the side, KnowBe4 – Human error.
Conquered. More about that a little bit later in the show. But I do want to mention that we are live here at the Convene Conference at the Watergate Hotel in Washington DC. This is all thanks to the National Cybersecurity Alliance, so thank you so much. I think it’s kind of impossible to do a show here at the Watergate, Rob, without acknowledging – holy crap, we’re at the Watergate Hotel.
[Rob Duhart] Literally. Literally.
[David Spark] [Laughter] Yeah. And I also think about the fact that the gate, the last syllable, has become synonymous with scandal, right?
[Rob Duhart] Absolutely.
[David Spark] By the way, I had looked this up, there’s a ton of scandals. There’s InflateGate, there’s Gamergate. Can you think of any other gates?
[Rob Duhart] Oh, my goodness. Bradygate, what is that?
[David Spark] Yeah, that goes back a way.
[Rob Duhart] InflateGate, Deflategate.
[David Spark] That’s Deflategate, the same thing, but they just added it to a different word. So, I just think about how great it was that they chose this hotel for everything to go down and not a La Quinta Inn because that would have sucked.
[Rob Duhart] La Quintagate. No, that wouldn’t have worked.
[David Spark] That would not have worked at all. I don’t think it would have taken off. So, kudos to Watergate for just having that great-sounding last syllable that all our scandals could be based on.
[Rob Duhart] Beautiful view though, still.
[David Spark] Yes. It’s fantastic here. All right. Well, let’s bring on our guest here who’s going to help us through this entire show today. I believe it’s you introduced me to him. He’s sitting to your left, my far left, and that is Aaron Hughes who’s the CISO of Albertsons Companies. Let’s hear it for Aaron!
[Aaron Hughes] Thank you very much. Great to be here. Maybe this is your grocery episode, right?
[David Spark] Oh, could be.
Why are we still struggling with cybersecurity hiring?
[David Spark] “As CISOs, we cannot continue to lament the woes of the talent shortage in our industry while being unwilling to look at underrepresented demographics,” said Shaun Marion who’s a former McDonald’s CISO in a recent LinkedIn post about the need to hire neurodiversity. We often refer to this as just diversity, but the reality is you want diversity in thought, right?
So, we hear it again and again from our CISO guests that thinking differently improves a security program. So to attract neurodiverse candidates, you can’t hire the same way. You must look at other avenues to remove barriers from all stages. So the job posts, the assessments, and the interview process.
Easier said than done, I know. It takes a lot more work than that. All right. So, Rob, I’m going to start with you, two questions. First is just explain how does neurodiversity actually improve awareness in a security program. And two, what is one significant change you have made that others may not be aware of that’s actually helped you find and attract these types of candidates?
[Rob Duhart] I love the question and grateful for Shaun for kind of getting this conversation started on LinkedIn. Thanks for the quote. Look, at Walmart, we have two million plus associates, right? And out of those two million, what percentage do we think are neurodiverse? Higher than you’d imagine, right?
That’s a large number of people. So, for us, this really came down to understanding where are geniuses, what do they look like, and how do we attract them to us? Even if they’re inside the company.
What we found is is our department was full of amazing neurodiverse people and all we had to do was ask, “Hey, what would make this an amazing place for you to be? What could we be doing different that might inspire you and maybe inspire others to want to be a part of us?” And it was a quarter-turn.
We didn’t have to do much, right? Good to great quarter-turn. Then we actually found that there were some people in our department whose productivity went up three, four, five times simply because we made a couple of changes. At Walmart we have a principle we call respect for the individual, right? It really means, hey, everybody in this room is unique and provides something that makes us special.
How do we find a way to bring that special out and find a way to make it safe and welcoming to them?
[David Spark] And was this just truly just like an internal philosophy? Once you started thinking that way, just everything changed as a result?
[Rob Duhart] A million percent. I actually have someone on my team specifically, I won’t give names, but just a genius, right? Been in our department for 20+ years. And once we started to structure around the strengths of neurodiverse people, we saw our productivity just really skyrocket.
[David Spark] And I know this is usually just a very small thing but can you admit to like, “We kind of screwed up this way, but once we made this tiny change, it was amazing how that little thing for, again, certain people who may be on the spectrum or something that may not socialize appropriately or in the same way that many of us do,” that that was all it really took?
[Rob Duhart] Can I pick on the crowd real quick?
[David Spark] Please do.
[Rob Duhart] It might not go well for the podcast.
[David Spark] That’s fine.
[Rob Duhart] So, how many people here think cyber folks are nerdy and kind of awkward at times? Put your hands up, come on.
[David Spark] By the way, don’t raise your hand. Applaud. They can’t hear hands raised.
[David Spark] By the way, I just want to note, from every live audience, I always have to explain that you got to applaud because they can’t see your hands raising on the podcast.
[Rob Duhart] [Laughter] This is a good point. I should know that.
[David Spark] By the way, I do this on every show. You’re definitely not unique in that way. Go ahead.
[Rob Duhart] A majority of cyber people in our industry fit the description, and I think many of us are on the spectrum. I myself am somewhat neurodivergent as well. So taking the time to think about where our people are and creating an environment that they want to be a part of, this is a no-brainer.
This is not really hard to think about. Now we struggled at first – two million people. We both used to work for the government, right? One size fits all, let’s create an environment everybody can apply. No, it takes something special and unique. And when we did that, we really saw some unlocks that made a difference in our space.
[David Spark] All right. Aaron, I want you to jump in on this. Now either it can be something that you’ve done or something you’ve seen someone else do that you were really impressed by in terms of hiring techniques or dealing with unique characters like Rob described.
[Aaron Hughes] Yeah. I mean, I think first is – again, I love the characterization to start, whether that diversity is neurodiversity, whether it’s other aspects of diversity – but first breaking the mold that we all have to think the same way to solve the same problem. I think getting that different perspective, analytical thinkers, folks that come from nontraditional backgrounds is just incredibly important to solve the problems in security.
Look, a simple thing that I’ve advocated for or seen in my companies and my peers have done, most basic thing is let’s eliminate the four-year degree requirement, right? Because there’s a lot of people that have been self-taught, whether that’s…
[David Spark] That’s been the first thing I think I’ve seen a lot of people do.
[Rob Duhart] Absolutely.
[David Spark] Yeah.
[Aaron Hughes] Yeah. So, that first and foremost. In terms of like explicit hiring practices, I mean, I think there’s different ways that you can facilitate interviews, facilitate discussions, provide case structures. As a CISO when I’m interviewing something, I’m looking for behaviors. I’m going to assume that someone else is running the blocking and tackling on the technical acumen of a candidate, but can you solve problems?
And so presenting cases that help us approach problem solving and seeing problem solving in different ways I think helps candidates stand out more. I’m much less concerned with academic credentials or certifications and the like. So, I think really just looking at the holistic elements of your hiring criteria is a key factor for a more diverse workforce.
[Rob Duhart] And Aaron, when we think about neurodivergence, right, some of the skills that maybe don’t align with someone who is neurodivergent – social skills, other things – we can kind of teach that, right? There’s ways for us to encourage that in our teams. What you just described – analytical thinking, critical thought, all those things – that isn’t really something we teach much.
[Aaron Hughes] Yeah, absolutely. I think security’s made up of a bunch of intractable problems that in combination really can cause issues for corporations.
Could this possibly work?
[David Spark] What is suspicious to one is actually standard procedure for another. And when you “report,” there are often tones of tattling or betrayal. While there are behaviors you want of your staff, “report suspicious behavior,” Rob Snyder of Microsoft Datacenters argues you should use less weighted words, such as “unusual” and “share.” “So, share something you saw unusual.” I’ll start with you, Aaron, on this.
Do you fear that with all the great training you’re doing that you could be figuratively shooting yourself in the foot by using loaded terminology such as “suspicious” and “report?” Could such a language shift change the narrative and make people feel more comfortable participating in the process of securing the organization?
[Aaron Hughes] Absolutely. Look, I don’t want to say that I even knew you were going to ask this question before we prepped, but my company has already indexed in this way, and I’ve had a forum in front of all 40,000 of our corporate employees where we were intentional in talking about no retribution for bad behavior and sharing and partnership and unusual, and we don’t talk about malicious, nefarious, HR’s going to come after you if you tell me something.
We have 100% tried to make an open environment. Now, the security ops team that has to triage things that come in, it spikes really high. The counterpoint of that is you get some level of noise but I’d much prefer that higher level of noise than people feeling like there was going to be some retribution because they clicked on a link or went to a website and they don’t want to tell someone.
That can get everyone…
[David Spark] No. Because you feel like a buffoon when you do something like this. I have found that one of the best ways to show that you don’t feel like a buffoon is admitting to your own mistakes.
[Aaron Hughes] Absolutely.
[David Spark] Have you done this, Rob?
[Rob Duhart] Yes. All the time, right? We call it a cybersecurity rock star model. And we even thought about the word rock star. We’re like, “Eh. Do we think that is a little bit biasing?” We landed on no. The human element is so important and words matter. So, yes, admitting in the room that we’re not perfect.
Admitting in the room that we’ve been fooled before, right?
[David Spark] All right. Can you admit to a story right now of something you screwed up?
[Rob Duhart] Absolutely.
[David Spark] Let’s hear it.
[Rob Duhart] I was getting on a plane one day and in my Gmail, I got an email from Doug McMillon saying I needed help. Now let’s think about this. My Gmail account, I’m getting a note from the CEO of the largest company in the world. That doesn’t make any sense. So my first response was, “This is crap.” So I screenshotted it, forwarded it over to our ops team, and they said, “Rob, you’re an idiot.” And I said, “Thank you, I appreciate it.” And then the second response was I actually started emailing the guy back.
And it was actually kind of fun because I was about to take off, I said, “Hey, how are you? What’s the weather in Russia?” Right? I was just asking random questions.
[Aaron Hughes] How much is the gift card that you want me to buy?
[Rob Duhart] Literally. I have tons of them, right? You want gift cards? So, look, we all get caught. I think there’s an answer. How do we humanize InfoSec? Right? How do we let people know that all of us are a part of the solution and that we can’t succeed without you and without your engagement? And there are a lot of folks here talking about that at this conference.
[Aaron Hughes] And there’s not a technical solution for every bit of human fallacy.
[Rob Duhart] Amen.
[Aaron Hughes] We need the humans to partner with us.
[David Spark] That’s a really good point. There is not a technical solution for every human fallacy, and we get back to that line, we’ve heard it before and everyone in this room has heard it, the line of people are the weakest link. Which it’s no, people are actually not machines. So people act like people and they make mistakes and the people who say people are the weakest links, guess what?
They make mistakes too.
[Rob Duhart] They do.
[David Spark] Like us all. So, acknowledging that. I mean, funny story, and I’ve mentioned this on the show before, is I was going to record a show with my co-host Mike Johnson and at the time the CISO of Atlassian. Literally a second before I hit the Record button, my sister calls and I was about to say, “Oh, I’m about to record,” and she goes, “I screwed something up.
I clicked a link [Inaudible 00:13:30].” I go, “Good news. I happen to have two CISOs here for you.” And I put her on speakerphone and essentially what they advised is probably what you would advise is call your Help Desk or your Tech Support right away and tell them what’s happened.
[Rob Duhart] Exactly.
[David Spark] Yeah.
[Rob Duhart] We reset proactively millions of credentials, not just of customers but of associates a day. Because mistakes happen. People reuse passwords, please don’t do that. And so we have to intervene and help them.
[David Spark] So, you’re nodding your head, Aaron.
[Aaron Hughes] Maybe not millions.
[Aaron Hughes] FTC, if you’re listening, Albertson’s is much smaller than Walmart. Inside joke there for those following the news here. But yes, absolutely. We have to do things proactively and humanize, make connections, and make sure folks feel comfortable talking to the department.
Sponsor – KnowBe4
[David Spark] So, before I go on any further, I do want to tell you about our sponsor KnowBe4. I’m so thrilled that they’re sponsoring. They sponsored us last time we were here at the Convene Conference. I want to talk about the attacker’s advantage controversy, and you’ve all heard this before. But our sponsor KnowBe4 has a very interesting take on this.
But let’s first address why do we hear this all the time. Why do experts think this is so? It’s not like it’s a military operation. We’re actually the defender, thought to have most of the advantages. In cyber space, the attacker can just keep trying and probing at very low risk and low cost, and as we know, the attacker only has to be successful once.
And as KnowBe4 points out, email filters designed to keep malicious spam out have a failure rate of about 7 to 10%. So, if your technical defenses are failing 1 out of 10 times, ew, you’re going to be out of luck and you very conceivably could be out of business. So, your best last line of defense is actually your human firewall.
You can test that firewall with KnowBe4’s free phishing test, which you can order up at knowbe4.com/phishtest. Go check it out.
It’s time to play “What’s Worse?!”
[David Spark] All right. For those of you who listened to this show before, you know that this a game of risk management, of which pretty much all of cybersecurity is risk management. And this scenario that I have for both of you I think is going to be truly, I mean, we’ve had variations of it before, but it’s truly going to be the most science fiction scenarios that we’ve ever had before.
And I’ve got three scenarios here and it’s quite long so stay with me on this. And audience, I’m going to want your opinion on this as well.
[Rob Duhart] I got to take notes.
[David Spark] Please feel free to take notes. And this comes from actually a pseudonym, this is somebody who’s submitted lots and lots of great “What’s Worse?!” scenarios. It is Osmon Young of Setec Astronomy. If you’ve ever seen Sneakers, that’s the company, Setec Astronomy, and this is the character.
So it’s not a real person, it’s a pseudonym. So, get ready for this. You are the CISO of a pharmaceutical giant and you have just been called into an emergency meeting with the CEO. Also in the room is the VP of R&D and one of the research scientists. They have – get ready for this – accidentally discovered a treatment that reverses the aging process and would effectively make a human immortal.
[Rob Duhart] Will it grow my hair back?
[David Spark] It will not grow your hair back, no. However… Immortality is not enough for you?
[Rob Duhart] Not enough.
[Aaron Hughes] You need hair.
[Rob Duhart] I need hair.
[David Spark] However, due to the circumstances of the discovery, the scientist will need to spend weeks reverse engineering the process to recreate the formula. In the meantime, you have been engaged to maintain the absolute secrecy of this product development. Here are the three scenarios, and I need to know which of these three are worst.
I can’t stress this enough – these might be the worst three I’ve ever read on this show ever. Again, we’re talking science fiction, this is kind of Doomsday, all of them. All right.
After two months, the scientist recreates the formula, the company patents it, and you all become fantastically wealthy. The drug is priced at – get ready for this – $100 million per dose and the ultra-wealthy begin lining up for their shot to live forever. However, as you might imagine, this creates a new class of inequality such as the world has never seen and the 99.999-whatever percent who cannot afford the shot become intensely angry.
Looks like there’s going to be very public, positively violent revolt. Sounds bad, wait for number two.
After two months, the scientist recreates the formula, but before the patent can be filed, you steal the information and leak it to the public. Within months, shots are developed and distributed to anyone who wants it. Worldwide, the death rate plummets, and the life span extends indefinitely; however, the human population quickly swells to a number completely unsustainable.
The third one. Before the engineer can recreate the formula, you pull the fire alarm. You wait for the building to evacuate and then proceed with burning the entire facility to the ground. All on-site data on the formula is permanently lost and you purge all off-site backups as well. You are criminally responsible for this loss and you will pay the price.
All right, that’s a doozy. What’s worse? You go first, Rob. They’re pretty horrible.
[Rob Duhart] Yeah, all three are pretty terrible. I think number two and number three means I’m committing a crime.
[David Spark] Yes.
[Rob Duhart] I used to work for the FBI so I don’t think I want that to be the case. I think I could live with number one.
[David Spark] You could live with number one with the violent revolt?
[Rob Duhart] Because I would be a part of the 99%.
[David Spark] You have $100 million sitting in your account? Oh, you’re going to be part of the 99%.
[Rob Duhart] Yeah, I’d be the 99%.
[David Spark] You don’t have the 100 million.
[Rob Duhart] I don’t have 100 million.
[David Spark] So, then which of two and three is worse?
[Rob Duhart] Which is worse? Of all three of these, which one’s worse?
[Aaron Hughes] Rob’s not following directions.
[Rob Duhart] Yeah, Rob’s not following the directions. I’m choosing which one I like.
[Aaron Hughes] Rob’s off on the directions.
[David Spark] No, no.
[Rob Duhart] Not which one’s worse.
[David Spark] So, the one you like is one, so I need to know of two or three, which one’s worse?
[Rob Duhart] By far the worst is number three in my opinion.
[David Spark] Because you go to jail.
[Rob Duhart] Because I go to jail.
[David Spark] Okay, all right. Number three is worse. Aaron, what do you think?
[Aaron Hughes] I’m glad we can disagree because I’m definitely going number two is worse because it sort of ends humanity.
[David Spark] Yeah, it does end humanity.
[Aaron Hughes] If we grow unbounded, that just says sort of zombie apocalypse to me.
[David Spark] We have had this situation happen before where one guest is very self-serving, “I don’t want to go to jail.”
[David Spark] And the other one is looking out for the common good.
[Rob Duhart] It’s good for a CISO, right?
[David Spark] Okay. So, number two is the worst, yes?
[Aaron Hughes] Yes.
[David Spark] You say?
[Aaron Hughes] Yes.
[David Spark] It’s because it’s going to pretty much end humanity because…
[Aaron Hughes] End humanity.
[Rob Duhart] We don’t want to end humanity.
[Aaron Hughes] We don’t want to do that.
[Rob Duhart] We don’t. That’s true.
[David Spark] You don’t. We’re against ending humanity, okay.
[Aaron Hughes] Yes.
[David Spark] Then which of one or three is the second worse then?
[Aaron Hughes] Oh, man. I think the class warfare, number one, would be pretty bad.
[David Spark] Okay. So, the best of the three scenarios…
[Aaron Hughes] Yeah, number three, that it’s the status quo.
[David Spark] …is that you go to prison.
[Aaron Hughes] The best scenario, number three, we live as we live now but Aaron Hughes is in jail, I think that’s the best scenario.
[David Spark] That’s the best scenario, [Laughter] yes.
[David Spark] Okay, all right, all right. I now need to get audience response. Number one scenario, only the ultra-wealthy get the shot, and there’s a revolt. By applause, how many people think that’s the worst?
[David Spark] One person thinks it the worst.
[David Spark] Okay, number two, the human population swells to a number completely unsustainable because everyone gets the shot. Who thinks that’s the worst, by applause?
[David Spark] All right. That’s pretty good, that seems like most of the audience here.
[Rob Duhart] Yeah, it does, it does.
[David Spark] But they don’t seem to applaud enthusiastically for the end of humanity. I don’t know.
[Rob Duhart] This is true, this is true.
[David Spark] Okay. And the third formula where you, individual, I’m not going to say Aaron goes to jail because you’re making the call on this. You go to prison probably for the rest of your life for this. Who thinks that’s the worst by applause?
[David Spark] Wow. Nobody agrees with you, Rob.
[Rob Duhart] No other CISOs in the crowd, I don’t think.
[David Spark] No.
[Rob Duhart] Because we think about going to jail all the time.
[David Spark] All right.
[Rob Duhart] I kid.
[David Spark] I’ve got another scenario for you. Here we go. This one comes from Todd Luther, this one’s far shorter and simpler here.
[Rob Duhart] I’ll follow instructions this time.
[David Spark] Being a CISO, scenario number one, being a CISO that isn’t supported by senior executives, told you’re only here because of audit and regulatory requirements, but you can plan on having no budget and most of your much-needed positions are now canceled. Pretty bad. All right. Scenario number two, similar to getting canned, you are told by board members that if we have a breach or ransom attack, you won’t have to worry about the 2:00 in the morning call because, “We will probably have you terminated on the spot and bring some third party in to clean it up.”
[Rob Duhart] And it’s which is worse.
[David Spark] Which is worse of those two?
[Rob Duhart] To me, number one is the worst.
[David Spark] Number one. So not getting canned. I mean, getting canned is…
[Rob Duhart] Getting canned is a part of the job expectation. [Laughter]
[Aaron Hughes] I think we actually have to agree on this one. Just being sort of a neutered CISO and only being here for audit and regulatory and not having a budget, you’re not going to get [Inaudible 00:23:02], that would definitely be the worst. No intellectual stimulation or anything.
[Rob Duhart] And you’re guaranteed to have issues.
[Aaron Hughes] Yes, absolutely the worst.
[David Spark] So, we’re saying that essentially you can’t do your job in the first scenario, and the second scenario you’re just always on edge and ultimately one day you’re going to get canned.
[Rob Duhart] Yeah.
[Aaron Hughes] Yeah.
[David Spark] Not that you can live with that but that’s the least painful of the two.
[Aaron Hughes] And number two is, like for less sophisticated boards, less sophisticated CEOs, that’s the outcome that they just expect.
[Rob Duhart] Right.
[David Spark] Yeah. [Laughter]
[Aaron Hughes] So, there’s some level of whether or not – that’s certainly not right – but that is more normalized, number two.
[David Spark] All right.
[Rob Duhart] Aaron and I don’t have to worry about that but a lot of people do.
Why has this topic suddenly become the center of attention?
[David Spark] “Humans are prone to over-assign positive qualities to AI as a game-changer for almost any task,” noted Christopher Whyte on CSO Online. Now we have been told for years that AI will replace jobs. The reality was quite opposite. Just a couple of years ago, to implement AI you actually needed more staff and more expertise.
But in the past year, the value has shot up and the skill needed to see that value has greatly decreased. AI is not replacing a CISO but acting as a partner. The article’s author, this was this piece in CSO Online, Whyte, names benefits like being able to respond to decision-making rulesets faster than any human can and helping to make risk-based value judgments.
So, I’ll start with you, Rob, on this one. Where have you taken advantage of AI for your security program? And specifically so you can do your job better as a CISO, where does AI actually deliver opportunities?
[Rob Duhart] So, where there’s big sets of data and the need for rapid response – easy. In our incident response space, we see, let me get this number right, I think it’s 7 trillion signals a year. And so of that 7 trillion, what is valuable and what isn’t? Does it make sense for a human to sift through that?
[David Spark] I don’t know if there’s enough humans to sift through that.
[Rob Duhart] Absolutely. So, for us, we don’t look at it as a replacement for humans. We look at it as the ability to enable humans to do more.
[Aaron Hughes] Make humans be more efficient.
[Rob Duhart] Yeah, make them better, right? And help humans focus on what humans should be focusing on instead of what a machine can be focusing on.
[David Spark] One of the things that I’ve noticed about AI is it’s doing things that were either cost- or time-prohibitive before.
[Rob Duhart] Mm-hmm.
[David Spark] And what have you seen in this aspect, Aaron?
[Aaron Hughes] Well, first, the reason why it’s center of attention because companies like Nvidia are now $2 trillion of market caps, right? There’s a lot of money, a lot of investment, and a lot of smart people thinking about this. In terms of how we’re leveraging, right now the benefit is a lot of the vendors that we leverage, that Walmart leverages, that Albertsons Companies leverage, that our peer groups leverage are baking in the capability so that we don’t have to spend the time, effort, and attention to build our own sort of bespoke layers of analytics on top.
So, to Rob’s point about operations, right, how is our SIEM discerning these signals more efficiently, how are we doing better routing, to even the basic things of how we’re training new associates and how do we develop training curriculum for different job functions, to how do we evaluate our contract language to make sure our contracts are efficient so I can get my lawyer’s time to do more effective things for me.
I think those are some of the force amplifiers to make humans more effective that we’re seeing right now.
[David Spark] So, where have you applied, Rob? I mean, maybe you’ve just kind of toyed with it. Have there been certain things that you’ve toyed with a little bit in AI that have gotten you kind of excited? And specifically this article’s addressing to make your job easier. I’m sure there’s AI tools that your staff is using, but to make your life easier.
[Aaron Hughes] I think to make any CISO’s job easier is the ability to apply your next security dollar somewhere more effective, and if it can be not having to hire the next human to do a job, or if it’s to hire a more astute human to do something differently, like that’s the big force amplifier for CISOs.
It’s like how we can spread our money spend because we’re more effective or efficient at a certain task.
[Rob Duhart] Aaron said it perfectly, right? We think about bots a lot, particularly when we’re selling high volume items on ecommerce, and so we have to be ahead of the threat actor. And so what Aaron talks about, our ability to buy, the ability to manage the today to buy time for tomorrow, it’s extremely valuable because now instead of thinking about how we’re blocking a bot today, I can have my team thinking about how are bots going to respond tomorrow.
And AI helps us cover down on the today.
It’s time to measure the risk.
[David Spark] So, when your home gets robbed, the financial loss is of concern, but more unnerving is the violation of your private space. The feeling of being a target initiates a long period of ongoing fear and stress. This same phenomenon of victim depression appears to also happen in cyber, this was what Stephen Cobb noted in a piece for Dark Reading.
So, with an average of $750 lost per cyber scam incident, victims are self-reporting worse general health and higher levels of anxiety according to the “Scams and Subjective Wellbeing” study by the UK Consumers Association. Now I haven’t heard of any organizations having a mental health program for employees suffering a breach, but anecdotally have you ever seen this happen?
Could be with employees, could be with friends, whatnot. And have you seen employees’ work behavior suffer as a result? If you did, how did you handle it? Rob, I’ll start with you.
[Rob Duhart] Yeah, I love the question. I actually haven’t heard specifically of firms doing that either, but it’s something that should be a part of the playbook.
[David Spark] Yeah, I’m thinking this should be coming up soon.
[Rob Duhart] And absolutely. I have a buddy who lived through NotPetya.
[Aaron Hughes] Oh, wow.
[Rob Duhart] And I won’t go through describing what NotPetya is but it was not fun.
[Aaron Hughes] No, not fun.
[Rob Duhart] And he talks about the hardest…
[David Spark] Yes. It’s a good way to describe it.
[Rob Duhart] Yeah, he said the hardest part about it, obviously responding was hard, but taking care of the people. Because overnight, he had leaders who were sleeping in their offices because they lost billions of dollars of technology in 24 hours or less. And so these people who had kids and spouses and lives outside of work now all of a sudden had to move to this 24/7 crisis mode.
And so something we do is we’ve increased the number of healthcare visits, mental healthcare visits we’ve enabled our people to take advantage of. Not just inside global tech but even beyond all of Walmart, I think we went from 10 to 20. And so how do we put our money where our mouth is and actually invest in people being able to have access to mental health resources?
Not specific to a breach but specific to having a healthy program and a healthy culture – critical.
[Aaron Hughes] Not directly related to what you’re saying here where you’re having an individual’s data get breached and there’s maybe something posted publicly that you don’t like or you lost money, but where I have seen this, and I’ve indexed on this personally in a variety of roles, is how you can overcome the perception of when a corporation has a breach, that it is the individual security department’s fault or an individual analyst’s fault for missing an alert.
Over index on having the CEO of the company, the CIO of the company, the board of the company address the security department or address a group of individuals and say how thankful they are for the efforts that they’ve put into the recovery of the company. Like, you could see how that motivation or trigger in an employee base that was, “Oh, am I going to get fired tomorrow?
Is this my fault?” Because there has been the perception of the negativity around a failure in a security program or team led to a breach, right?
[David Spark] Yeah. I mean, this concern, it’s not just security awareness for the general populace but it’s making the cyber team feel like they can keep doing their job.
[Aaron Hughes] Absolutely.
[Rob Duhart] I mean, David, a part of – and Aaron, I think you’d agree with this – a part of our teams, they come into cybersecurity because they’re very dutiful. They like the idea of protecting people, getting things right, kind of being that officer, the protector.
[Aaron Hughes] Very mission centric.
[Rob Duhart] Yeah.
[David Spark] A lot of security people I’ve spoken to like to have this idea of being sort of the cyber superhero, they like that.
[Rob Duhart] Yeah.
[David Spark] It’s fun for them.
[Rob Duhart] But you also have to take the pressure off of them and say we’re all human and it’s okay to be human. We expect there to be challenges, we expect there to be mistakes, how do we compensate for them and get better from them and learn from them?
[David Spark] I will highly recommend that everyone listen, we just interviewed Tim Brown who I met here at Convene, the last one in January in Clearwater, and Tim Brown is the CISO of SolarWinds who dealt with a doozie. Just the story though, we talked about dealing with intense stress, it’s most recent episode of Defense in Depth from this recording.
But one of the things that Tim talked about that I thought was fascinating is a cyber attack, when you get something of that level, it’s affecting not just you, your staff, senior management, it also affects everybody’s family as well on top of it. It trickles down everywhere. And so you’ve got to work with dealing with all of that and understand that.
[Aaron Hughes] Yeah. Again, maybe I was going to pivot off the team and more to the individual, there are absolutely examples that I’ve seen in sort of a less professional context, more of a friend context, where there’s been victim shaming or depression as a result of being scammed in some way, shape, or form.
Somehow they feel, as opposed to call the law enforcement, that the CISO’s the first call, like I have some magic erase the internet button. But certainly mental health plays a big role and I would love to see organizations call this out more explicitly in corporate policy.
[David Spark] By the way, others look at you sometimes as a superhero too. Do people think, “Hey, can you get that stupid thing I did off and have the magic erase buttons?” Rob?
[Rob Duhart] Geeze, yeah.
[David Spark] Aaron deals with this, right?
[Aaron Hughes] Do you know how to trace this bitcoin wallet?
[Aaron Hughes] Lots of stuff.
[Rob Duhart] No, that’s gone, I’m sorry.
It’s time for the audience question speed round.
[David Spark] I hold in my hand questions from you, the audience. We greatly appreciate you, the audience. Thank you very much. These are people I chatted with before earlier today. I’m going to get through as many of these questions as I can with the little time that we have left. Actually, we’ve got a good amount of time.
So, I’ll just ask these questions, I’m just looking for quick takes from both of you on it. This comes from Ashley Jones of CISA, and I thought this was an interesting question. Does cyber insurance incentivize better risk management or as we have heard, these cyber attackers look to see if you have cyber insurance and then ask for the amount of money that your insurance program pays out, or does having cyber insurance make you a bigger target?
What do you think? Good question. You’re smiling. Aaron?
[Aaron Hughes] No, really good question. I mean, I think I look at it from sort of the shareholder standpoint as well. I think if it came to light that you did not maintain some semblance of cyber insurance, I think that could lead to more litigation down the road. Certainly matters the size of the corporation, the amount of liability coverage you’re willing to have.
I think it’s sort of commonplace for large Co’s to have it.
[David Spark] Are there some maybe new ways you can obfuscate what your insurance is so the ability to infiltrate it and find that information out? You’re nodding your head, is there a way to do that?
[Aaron Hughes] I don’t know that it is ever publicly disclosed.
[David Spark] Well, it’s not publicly disclosed, let’s hope not. Then it makes it really easy for the attackers, “Oh, they’ve got a $10 million policy. We know what we’re going for.” [Laughter]
[Rob Duhart] I think paying ransomware actors, whether it’s through insurance or not through insurance, creates an unhealthy vicious cycle. It drives the business model.
[David Spark] Right. And the US government’s policy is do not pay it because it encourages more behavior. But sometimes, and we’ve talked about this on the show before, it’s never so cut and dry. It could literally be business survival or not that you have to pay the ransomware.
[Aaron Hughes] And it could be more costly to recover without paying than paying.
[David Spark] Yeah.
[Aaron Hughes] I think that’s the calculus that’s happening on the board really frequently is if I can pay just my $1 million retainer to my insurance as opposed to months and months of recovery and tens of thousands of hours to recover, that’s a no-brainer.
[David Spark] Yeah. As much as we would like to say don’t negotiate with them, it’s never that cut and dry. Is it, Rob?
[Rob Duhart] It’s not. And then the other question is we’ve seen this, insurers not wanting to pay, right? And having limitations to what they’re willing to pay for. Not saying that’s a problem we have but do we really trust that at the end of the day that’s going to help us? I don’t know. It’s an interesting question.
[David Spark] And I should actually – by the way, I said don’t negotiate – actually negotiation has actually been something that people have been called in to help with negotiation.
[Aaron Hughes] There’s a whole industry around Dark Web negotiation.
[David Spark] What I mean is don’t pay but negotiation has become quite a good industry.
[Rob Duhart] How much time can you buy, all these other things.
[David Spark] All right. Let’s go to the next one. Where does CISO autonomy fall short? This comes from… Oh, I’m not going to, that’s Ashley again, I’m going to give somebody else, I’ll come back. All right. Do you have a different strategy with domestic and international threats? So, after you deal with a threat, do you deal with it differently afterwards?
This comes from Larry Young of the Carolina Cyber Center.
[Rob Duhart] Yeah, I’ll take that one if you don’t mind.
[David Spark] Yeah.
[Rob Duhart] Jurisdictional controls and legality changes regardless of where you are. We are in South Africa, we are in Chile, Argentina, a bunch of places in the world. It’s different in Mexico than it is here. Doesn’t mean it’s bad. And so yeah, it absolutely does change what we look at. Attribution is extremely hard.
Whether they’re attacking one of our properties overseas or not, I think the approach changes, I think the legality changes, I think the involvement of our GC is pretty equal. But we do think differently depending on the locale that we’re in. And we have great law enforcement partners all across the globe that help us manage this, but it is definitely a consideration.
[David Spark] All right. With a merger, how do you blend two companies’ cyber culture? So, there’s a lot of issues with mergers and stuff, but just focusing on the culture issue. Company X has this culture, Company Y has this culture, how do you deal with that?
[Rob Duhart] Is it safer for me to handle this?
[Aaron Hughes] You’ll ensure this is a safe space, my lawyers aren’t listening.
[David Spark] Right, and we’re not recording this, as I see that red light is on.
[Rob Duhart] Big red light.
[Aaron Hughes] From a culture standpoint, this is the great thing about security industry. The skills and people and dynamic is so permeable whether or not you’re in financial services, Retail Company A, Retail Company B, you’re all trying to protect company assets and the hope is that there’s a mission-first dynamic, so I sort of have no reservations about sort of leading through a merged entity.
[Rob Duhart] We’re more alike than we are different.
[Aaron Hughes] Yeah.
[Rob Duhart] In many ways.
[David Spark] That came from, I don’t know if I mentioned, that was from Beth Nicholson of CommonSpirit Health gave us that one, Beth. Oh, this is good. This comes from Anne Roberts of Christian Brothers College High School. What cyber tech trends outside of soft skills should we be guiding our youth towards?
So, the youngest. What techniques, trends, what should they be learning? What do you think? And for say the average person and to the person who wants to go into cyber.
[Aaron Hughes] Look, I think foundational skills around computer programming, you can never go wrong with that. Sort of scripting helps in a lot of analytical jobs that are more cyber bespoke and helps a ton in software engineering and it gives you a concept of how you introduce vulnerabilities into a piece of software that you’ve written.
So, I would always say start with being sort of a computer programmer.
[Rob Duhart] I’m going to quote Aaron back because he said this earlier – critical thinking. Sadly, that’s something that I think we don’t see as much, but how do you look at a problem and solve it critically is huge. Whether it’s technological or not, it’s the essence of cyber.
[Aaron Hughes] And I know that the question said to discount soft skills but you can’t.
[David Spark] Well, looking for other things outside of soft skills.
[Aaron Hughes] Learn programming languages.
[Rob Duhart] Would you even call soft skills soft skills anymore?
[Aaron Hughes] No.
[Rob Duhart] I just call them skills.
[Aaron Hughes] They’re required skills.
[Rob Duhart] Yeah, critical skills.
[David Spark] All right, let’s close with this one. This comes from Ava Woods of Raytheon. What specific investment in people have you seen to be the most effective? And we’ve talked a lot about this on the show. Which one had the biggest impact?
[Rob Duhart] I’ll say wellness and that’s not just mental health, we talked about mental health, but also physical wellness as well. When you take care of the people, they take care of the team and the company. I think we as information security professionals sometimes are selfless and we like to think of others more than ourselves.
Absolutely critical to teach our teams to think about themselves in the right ways and to take care of themselves and their families.
[Aaron Hughes] Yeah, absolutely. I mean, I think a combination of, these are more corporate things, but just flexible time off and being able to step away from the workplace and know that you’ll be able to cover down on responsibilities while out.
[David Spark] Excellent.
[David Spark] Well, that brings us to the very end of the show! Thank you very much, audience!
[David Spark] We greatly appreciate you! And let’s hear it for my two guests. Rob Duhart who’s deputy CISO over at Walmart, and Aaron Hughes, CISO over at Albertsons Companies. I want to also thank our sponsor for that matter. That would be KnowBe4 – Human Error. Conquered. Remember – they are the social engineering experts and the pioneers of new-school security awareness training.
Be sure to take advantage of their free phishing test which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Now, I’ll let the two of you have the last words. Any last words you want to say on this? Are you hiring? Both of you, please tell us and our audience as well.
[Aaron Hughes] Security programs are always hiring. We always want incredible talent and thank you for allowing me to be a guest today.
[David Spark] You were awesome, thank you.
[Rob Duhart] Grateful to be here. We are also hiring, consider both. Aaron is amazing. Belonging matters. Everyone wants to talk about DEI, I’m not against it, belonging is just as important. Let’s stay focused on that.
[David Spark] Awesome! Let’s hear it for them!
[David Spark] Thank you! We greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.