The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

7. Michael Brooks, vCISO and Director of Cyber Risk Services at Trava

Welcome to the Security Podcast of Silicon Valley. I am here today with a very special guest, Michael Brooks, who is a VCSO at Trava, which actually is itself a security company. But he actually started his career at the NSA, the National Security Agency, as director of IT operations. From there, he moved forward to the National Guard Bureau, where he was an IT audit and compliance senior manager.

After that, he spent a good chunk of time at the White House Communication Agency as a presidential response officer to help him facilitate communication between White House and military. And you're the CIO, CISO, commanding officer at the United States Air Force Central Command. That's awesome. And the CISO senior advisor for global program manager at USSOCOM.

What does that stand for, Mike? That's United States Special Operations Command here in Tampa, McDill Air Force Base. Gotcha. All right.

So that's when you moved to Florida? Yeah, that's when we moved to Florida, yeah. Yep, very nice. And then after that, you were a director of cyber defense portfolios at PWC and Amgen, senior manager of global cyber defense, followed by VCSO.

Looks like your first virtual CISO role and senior vice president of RevOps at Abacode. Thank you. Which lands you now at Trava. So you've had a rich and interesting career across both military and private industry.

So welcome to the show, Mike. It's great to have you. Yeah, thanks. It's good to be here with you, John, and I appreciate it.

You know, yeah, my background is primarily military. You know, I did start it off my IT career in the military. I actually started it off on the help desk and then just kind of progressed from there. Started to get into the security roles.

You started to continue to get promoted and into jobs with higher and higher levels of responsibility. And I had a great time. I had a wonderful time. And, you know, it's, I think the military and the DOD sometimes looks at information much more differently than the business world does in terms of its criticality and importance.

And so, yeah, looking forward to talking with you today. Awesome. Super happy to have you on. One of the things that really drive who we are often comes from our childhood, right?

And maybe there's a couple events or some inspirational moments from your childhood that you'd be willing to share. What was it that sparked your passion? You joined the Air Force and had all of that great service under your belt. And then, you know, you stuck with security all the way through.

Is there something that happened or that connected you to the security world from your childhood? Yeah, that's a great question. And, you know, thinking about that, you know, I'm a twin. So, you know, I started off my life with a buddy before I even entered the world.

I'm an identical twin. I'm actually what's called a hidden twin. My mom didn't know she was having twins. So I was a bit of a surprise when I came out.

And that theme kind of stuck with me throughout my life. I've been in some unexpected places and done some unexpected things. I come from a big family. I had five brothers growing up.

So it was always about more feeling part of a pack or feeling part of a clan. You know, so that was really, really important to me. I played sports my whole life. So always part of teams, right?

Always progressing towards a goal, working hard to achieve something, getting better and better. And my dad was actually a police officer growing up as a kid. So there was a, you know, very strong respect for authority growing up as a kid. And I think all of that really shaped kind of me and, you know, my life path.

And I don't, I didn't realize that kind of as I, as I was doing it, but looking back, I can see how all those things did play a big role in my life choices. My decision to join the military strictly was just to get some money for college. You know, I was played football in a small division two school and wasn't really going anywhere there. And so then he said, oh, maybe if I joined the military, I can just get money for college.

And I wanted to, to join the FBI. That was my kind of goal coming out of, out of high school. Right. And maybe my dad influenced that with his police service.

And so the military seemed like a really good fit. And so, you know, as I joined the military, I fit right in. It seemed well. I enjoyed kind of the camaraderie and the, you know, being part of a unit, being part of a mission and having kind of a higher purpose.

And, you know, just continued on from there. Oh, that's great. And then eventually after that, that service, you ended up in the NSA, which same boat as the FBI kind of floats in too, you know, national service. So you're actually a VCSO.

And I'm not sure that all of our listeners know exactly what that V stands for, or maybe even how a CISO is different from a CSO. Maybe you could share with us exactly how you see your role as a VCSO. Yeah, absolutely. So essentially it's a, you know, it's a market term.

For a virtual chief information security officer, you can think of it as a fractional chief information security officer for those companies that either have a very specific need for some on-mediation from a security leader or somebody with some security expertise, or a company that's in a position where they don't have a need for a full-time resource, an executive level security resource. So it fits very well into kind of a fractional or virtual model to where it's on-demand support, as needed support. And really, a chief information security officer, in my mind, and from the experience and the things that I've done, it's all about risk management, right?

So it's who can bring some experience and expertise into the organization from a cyber perspective so that we can look at cyber risk to the organization, much the same way we would look at financial risk or health risk. And it just provides that expertise so that we can start solutioning things appropriately to make sure that the data is protected. So, all right, no, that makes perfect sense. And so it's almost like a contract.

You could contract and you're on-demand kind of helping navigate that complex risk space, help smaller organizations that maybe can't afford or don't have a need for the full-time CISO on board yet. So could you actually be a CISO for more than one company at the same time? Yeah, actually, actually can, and we do do that. You know, at Trova, we've got a very specific programmatic approach to that.

And I would say that, you know, that's where it is important to be able to kind of structure this in a program so that that advisory support is being done and put in place and executed in the bounds of an actual program with defined end goals. And, you know, it's based on best practices, right, which is really where we start from a security perspective. So we've got to make sure that the foundational things are in place and we can build from there. So typically the process is we'll do some sort of risk assessment, right?

We'll do a baseline risk assessment and say, okay, where is there risk in any organization? And then it really becomes a management decision from there in terms of, okay, how are we going to deal with this risk, this digital risk or this cyber risk? Are we going to accept it? Are we going to mitigate it some way?

What are those strategies? Are we going to, you know, monitor it, transfer it? And so we really help companies kind of through that process. And again, by going through that process, we actually, you know, are building effective security programs inside of the business and providing advice on security solutions and mitigation efforts and, you know, all of those things because unfortunately in today's digital world, nobody has an unlimited amount of resources and funding.

So it's always a priority game. So, yeah. Of course, of course. So I mean, I also imagine that part of that role is, okay, you have to prepare and build the fundamentals up.

But if there is a security event, you might be front and center to help navigate the ins and outs, play-by-play, mission-critical recovery sort of mode on a security event. Have you ever had two companies at the same time need your services? Or it's been pretty smooth sailing so far. You haven't had been pulled in too many directions all at once.

Yeah, that's a great question. You know, there are always issues, right, especially in this space. So, yeah, I mean, I've had to deal with multiple issues, you know, across companies. And again, I think the way that, you know, the way to approach this is really proactively, right?

So it's like as long as we can have the conversations up front and we can start making some smart decisions and start understanding security capabilities. And again, at that foundational level. So do we know where all the data is? Do we know who has access to everything?

Do we know what we would do if an event did occur? Do we know what an event even looks like? Do we know what one smells like? Have we seen them before?

Can we even respond to such a thing, right? And so I can tell you from experience, you don't want to be making this stuff up, you know, once something happens. So the work that I do mostly is really in that kind of proactive sense to make sure that, you know, notification procedures are in place and understood, that security controls are in place and working, that, you know, inventories are being done. And again, from a foundational security perspective, and just kind of managing that going forward.

And then it's an eventuality that a breach is going to occur. I mean, I think, you know, a SIM breach, yeah, it's going to happen, right? So when it does happen, how ready are we? And what's our plan?

And, you know, much like doing fire drills in school, it makes a lot of sense to talk about that before the event. Exactly. No, it reminds me of that cute little saying, fail to prepare, then prepare to fail. Exactly.

Exactly. And having a plan in place, I'm sure, helps make those tense moments at least a little bit smoother, not making anything up as you go. So, I mean, in terms of everyone that you get to work with, then, are there certain qualities or, you know, do you pick favorites? times or maybe qualities that help make those sorts of relationships better or that you would prefer to work with those types of clients or customers more than some of the others?

Yeah, I'm going to dig on my own tribe here for just a little bit. You know, there's a lot of ego in the cybersecurity space, right? And so I like to work with folks with companies that realize they need the help and truly want the help, right? That to me is a huge, a huge qualifier, right, to find it, okay, where, where we know we need help, right?

We know we're not as good as we could be. We know we're exposed, you know, and they're truly looking to get better. And that could be because of a business opportunity, right? Maybe they've got an enterprise business opportunity now that's in front of them that they didn't have before.

So security matters a little bit more than it did before. Maybe it's a compliance requirement, right? Maybe it's just maybe it's an investment requirement. Maybe it's a board desire.

You know, got to kind of dig into that to find out. But to me, it's like working with the right people is a lot about relationships and trust, right? And just understanding that, hey, you know, you don't have all the answers. I don't have all the answers, right?

But together we can come up with the best answer. That's the best fit for you, best fit for your company. You keep you safe and we can do everything that we can do, right? Control what we can control and know how we're going to react to the rest of it.

And that to me is, those are the best folks to work for. And I get the most traction and the most reward with working with people like that that are, you know, open and honest and truly looking to, you know, to take a critical look at how they're doing things, understand the importance of it, and are ready and willing to kind of do what's necessary to improve their security posture. Yeah, definitely. I like how it goes back to people and relationships and a sense of humility almost, you know, which is very refreshing, especially in the security space, because you're right, sometimes we do bump into some egos here and there.

Yeah, it's interesting. I mean, the cybersecurity space, you know, and I'll dig on myself here too. I mean, it seems like there's a lot of experts, but there's also a lot of issues, right? So for an industry that's full of experts, we seem to have an awful lot of issues.

And a lot of opportunities too. I mean, look at the number of data breaches out there. And I feel a great deal of responsibility to put a real dent in that actual problem that everyone faces, right? Right.

And then, you know, people say it all the time, but it is true. I mean, a lot of this risk literally gets mitigated to a very acceptable level if you do implement the basic blocking and tackling of cybersecurity, right? So if you brush your teeth and you wash your face, those things go a long, long way to effective security for your business. Yes, I couldn't agree more.

And you know, in some sense, it does take a lot of guts to be a CISO because they will tend to get blamed for things when stuff goes sideways. Because of that hesitation about, you know, wanting that type of exposure, that type of, you know, pressure. But clearly you've taken the leap and it sounds like you're very comfortable in that space. So maybe you'd be willing to share a truth that you see about the world or a piece of inspiration that helped push you over that line and took up the mantle without hesitation.

Maybe there was hesitation. I don't know. Yeah, not really. You know, when I started my career, it wasn't in cybersecurity, right?

I was in IT and you learn very early on in the military as you're getting access to data and access to information, that data has a classification attached to it. And when you start getting access to things like top secret information, right, and you read the description of what that means, and it can cause exceptionally grave harm and damage, right? You really quickly realize that it's about protecting the information. And then, you know, when you're in that world, you realize it's your responsibility to make sure that those protections are in place, right, from an electronic and a digital standpoint.

So I think you've got to have an appreciation for the value of the data. And I think once you do that, then you can really start to really make sure that it's protected okay, right, and making sure that we're taking the appropriate measures to protect it. And when we're not, you've got to speak up to the business. And it's a business decision at the end of the day, right?

Risk ignorance is a form of risk acceptance, right? But if you know about the risk and you willingly accept the risk, that's a different story. That's a kind business decision. Yeah, and I think, you know, what I've got to do or, you know, what we've got to do as security leaders and security professionals is we've got to bring that to you in a way that makes sense, right?

We've got to speak your language. I can't come to you with things that don't make sense and you can't make a decision based around it. And I think that's where the CISOs can really start to get, you know, maybe a little bit of a bad name in terms of, you know, the value that they're bringing. I think it's way underappreciated.

I have friends of mine, you know, I was talking to a good friend of mine who's a enterprise CISO, Fortune 500 company, and, you know, sharing with me, I'm I'm exhausted, mate. I'm exhausted. You know, the threats are pervasive. They're everywhere.

The data is always at risk. People don't understand how important it is. You know, we're not that far away from a very, very bad day. And, you know, there's not much I can do to protect it.

You know, it just, it wears on me, you know, after, you know, a month, a year, five years, 10 years, you know, it's just because again, it's an eventuality. It is going to happen. It will happen eventually. Just like driving a car, you'll have in a car accident eventually.

You just keep driving. Exactly. You do all the steps to avoid it, but statistically, you know. I would give a lot of credit to all the security professionals that are out there each day, you know, protecting the networks and protecting the data.

Because if you look at the importance and the significance of the work that these folks are doing, you know, it boils down to a simple question in my mind, right? What can your business do today without access to secure data and systems? Right. So there's not a lot you can do in today's business world without data and without access to systems.

Right. So it's that critically important that that stuff is secure, that it's available, and then it's, you know, only accessed by the people who need it. And that's what the security folks are doing. So they're doing a great job.

It's not an easy job. Technology is advancing rapidly and everybody wants to leverage it for the maximum amount of productivity. So that's always going to be a challenge and we're always going to have those trade-offs. That's so true.

And such an inspirational message. Thank you for sharing that. I'm sure all of our listeners really appreciate that, the shout out. So tell me about the best day that you've had on your journey as a CISO.

Yeah, you know, every day is a good day. You know, I think every day is a good day, especially when you're helping folks and you're making an impact, right? I think some of the days get called out a little bit more than others, right? I think some of my more rewarding days are seeing clients that I'm working with obtain a very, you know, high level industry certification like an ISO 27001, right?

And the reason that that's so important is because there's so much business and opportunity on the other side of that certification. And the path to getting that certification was, you know, grueling and it was a lot of work and, you know, a lot of effort went into it. And, you know, the auditors came in and we went through all of the processes and we wrote all the documentation and we can demonstrate that, you know, the business is actually providing, you know, effective security and somebody comes in and puts a stamp on that, right? Because of that stamp, you know, you know, you're validated and a lot more folks want to do business with you.

You know, that's rewarding. Open up that top-end growth for that small business. That can be really special. Almost life-changing, right?

Yeah, it can, you know, it can move them into the enterprise. It can move them, you know, from being a mid-market company into an enterprise company. The other thing is pointing out areas of significant risk, right, that are, that can be fixed and can be mitigated, right? So working through that and then seeing the lights kind of go on that, oh, okay, you mean if we do this and we do that, then, you know, all of this kind of risk gets minimized down to an acceptable level.

It's like, absolutely, you know, let's, and let's keep that under management. Let's, let's make sure we're staying engaged and we're staying proactive, you know. So I think just the opportunity to work with, with the clients and help them make good decisions, right, and improve their security posture, especially in today's world where you see, you know, single ransomware events impacting, you know, the U. S.

economy at large. I mean, this is a, this is going to be a significant problem going forward that we're all going to have to work hard at together to get, to get better at. Absolutely. No, I'm excited to see the new technologies coming out that can help mitigate all of those new threats and those new risks.

But I love the, the best day for you is like helping companies open up and hit those goals, open up the top-end growth because I think a lot of times security gets put pigeonholed into this place of like, oh, this is just risk management. This is overhead. This is, you know, if we do security right, we're just going to stay out of the news and that's, that's it. And that's really not the case at all.

You can open up your top-end growth with, you know, dotting your, your I's and crossing your T's. Yeah, absolutely. I mean, you have to look at it like a business capability. You know, that's the way I do it.

Like how well are you, how well are you at doing this thing, right? Just like production is a, is a business capability, right? Distribution is a business capability. You know, security and IT is the same way.

It is, it is there to be an enabler. You know, people say it provides competitive advantage, right? That's a bit of a buzzword, but it's true. It can put you into markets or get you to do business with folks that, that are interested in doing business with you because it provides that level of trust and assurance that, you know, I'm at least performing to a defined standard and I can show you that.

And I can prove to you that, you know, I can protect your data. And why is that important? Well, you know, third-party risk is first-party risk in a connected world. I mean, that's the way to think about it.

In an interconnected world, everything is dependent on everything. Everything else. And so, you know, when you pull in another dependency, you're pulling in all of the risks associated with it too. Yeah, you can see that with these supply chain attacks, you know, you can see that there's unintended consequences all the way up and down the supply chain in terms of one vulnerability was exploited and then, oh no, wait a minute, now it's 10 people that are affected, or no, wait a minute, now that's the drinking water, so it's everybody, you know.

SolarWinds was a good example of that. It's like, how widespread is this? It's like, well, we don't even know. We won't know.

It's going to take a long time to figure it out. Patch your systems. That's what you need to do, right? That's what you can do right now.

So, you know, not losing sight of that, I think, is important. You know, just keep in focus on, you know, what are we here to do? And it's enable the business, right? It's to protect the systems, but not in a disruptive way where it's like, we're going to shut everything down and lock everything down.

It enables the business to actually function more securely, more efficiently, more effectively. Yeah, it's a partnership. You know, absolutely right. That's a great word and a great way to say it.

It's a complete partnership, and it should be viewed that way. So what about the worst day that you've had as a CISO? What can you share about that day? Yeah, it's just, I mean, you know, when things happen, it's just, it's unfortunate, right?

And when preventable things happen, it's really unfortunate. So, you know, getting called into a situation after the event has already occurred and starting to figure out, okay, what happened? How did it happen? Why did it happen?

And then more importantly, how do we continue very quickly? You know, how do we move to restoration and getting the business back on its feet? Right. And it's extraordinarily difficult when you start to work with folks that didn't realize the value of having a backup application or having restore procedures or, oh, well, we got ransomware and there's really no way for us to get that data back.

So what do we do now? It's like, you're out of options. I mean, it's like, yeah, your options are, you know, start over or pay the ransom. It can be very, very damaging, especially when you're working with business owners who have spent the last five or 10 years of their life building this company, building it from an idea in their heads to, you know, a $10, $15, $20, $50 million company.

And now it's on its knees because of a security failure where a certain critical business system wasn't being backed up and that data is now gone. And, you know, it's like losing that research paper that you typed up, you know, for three hours, only much, much worse. And it's that real. I know those experiences can be very painful, but I'm sure that they're glad to have someone like you to help them navigate all of that if it does happen.

Yeah, I don't like those things, but again, yeah, what it, and it will, and it will, right? That's where we come back to, you know, the approach. I think the approach has got to be right. It's got to be proactive approach.

You have to look at risk management as a discipline. You have to see security and technology as a business capability. You have to view the data as valuable and you have to make sure that all of those things are being put in place in a programmatic way so that you can, you know, manage it and monitor it going forward. So to include the insurance piece, which is, you know, another interesting conversation on the cyber side is cyber insurance now is getting tougher and tougher to get, you know.

Isn't it? The rates are way up. The underwriting is reacting to what's going on out there in the cybercriminal space, right? So.

Yeah, you know, and there's a lot of loss there. And so, you know, I mean, you know, it's a plus or a minus in the world and the insurance companies, and they're starting to see minuses. And I can tell you, you know, I live in Florida. There's a couple of large home insurers that basically came out and did the analysis from the last year and said, you know what?

That's too expensive for us. We're not insuring homes in Florida anymore. So there's like 50, 000, you know, homes that are now, you know, I need to find a new insurance provider because of the risk. And again, it's a risk decision.

So cyber insurance, I think, is going to be one of those areas going forward that is potentially going to drive security improvements simply from the, you know, I'll call it from the back end. I mean, from the insurance side to say, hey, look, the minimal acceptable level of risk here is this. And these are the things that you need to be doing from a due diligence perspective just to be eligible, right? So it's like, you got to wear your seatbelt.

You got to follow the speed limit. You got to do all these things, right? Right. And then if something happens, okay, now let's talk about it.

Then the insurance starts to kick in. Right. Just to help make it the economics viable, right? So everyone can enjoy a little bit of that sense of security that insurance does provide without ruining it, I guess, for everybody.

Yeah, and we do, you know, we do a fair amount of work there too. And I've done a lot more work here recently in the insurance space, just doing evaluations of policies and making sure that, you know, folks understand what those minimum requirements are in terms of due diligence. It's like, hey, look, if you're going to submit a claim here, we've got to really make sure that you're doing these eight or nine things because it's critically important. They're going to want to know.

Do you think insurance companies are going to look for those certifications, the ISO 27001, or the, or I don't know, even like FedRAMP or FIPS certifications or common criteria or any, anything to help them, you know, get a rubber stamp that says, okay, this organization is operationally more mature and we can accept doing business with them? Yeah, I think there's going to be some, there's going to be some industry standard scoring, right, that's going to get applied, FICO score-ish. I don't know if that's going to be it, but, and that's some of the work that we're doing as well. There's going to be a data model that's going to be produced.

There's going to be actuarial tables. Maybe they already exist, but they're going to be produced in a very clear way to say, what is the cyber risk of this entity? And, you know, it's not just you again, in this connected world, it's who are you dealing with, right? Who's the upstream, downstream folks that you're connected with and talking to?

And this is where zero trust, I think, is going to really start to emerge as a very viable technology going forward. And, you know, I think, hopefully, we can get to a state pretty soon of, you know, self-healing IT, right, where it's like, if there's a vulnerability and it patches itself, it heals itself. If the data is lost or damaged, it destroys itself, you know, and it's like, we can get moved towards, you know, where we're leveraging a lot of this promise of technology to keep ourselves more secure. But I think you're still going to need the humans in the loop there, right, to kind of guide and provide that decision-making oversight.

Yeah, definitely. I think you're on to like at least two or three different, you know, startup companies, like, bubbling around in there. I'm going to stay focused right now, because right now, you know, that's the way I view it. You know, I'm kind of pulling again.

I think if you, I think if, you know, you can do the modeling on the financial side, you can do the modeling and simulation on the health side, you know, again, this is just risk at the end of the day. So the factors are a little bit different, but how we go about it and delivering success to me is the same. And, you know, look at all of the great advances we've had because of technology, right? I think it would be a tragedy of our age to say, we had this wonderful thing called technology and we just couldn't figure out how to use it and secure it.

So we lost all of this promise. You know, I think to me, that's really the tragedy that potentially comes out of all of this. That's definitely, you know, part of that tragedy or the risk that we face, like moving forward into a future, if we don't know, like how to utilize all of this great technology because of the risk that it poses from a security perspective, then we're going to lose out on so much, so much, right? In the bigger picture.

Absolutely. And you see this, I mean, you see this on the global stage, right, where some countries are advancing their cyber capabilities, right? And they're really, they're kind of going all in on cyber and what does that mean? And how can I reposition myself from a cyber perspective, right, economically, globally, politically?

And then, you know, same, same for businesses. That's all going to trickle down to businesses, right? So, you know, as we kind of already talked about, what does having good cybersecurity mean for me as a business? What does it mean for those folks that I do business with?

You know, it's going to start to mean more and more as these, as these attacks and business disruptions, you know, continue to exacerbate. So it sounds like you, you know, you don't think CISO will ever be replaced by just a fully automated system. Maybe that role will be enhanced with all of this upcoming technology. I think we're going to continue to get more and more connected.

I think there's going to continue to be more and more reliance on technology. I mean, I can tell you my own personal life, sometimes it's just so frustrating, the reliance on technology that we do have. You know, I always find myself in the airport struggling to get the faucet, the water faucet turned on because I can't get the sensor underneath the thing to realize my hands. And it's like, can I just turn the faucet on?

It seems like it'd be a lot easier that way. Right. I'm with you on that one. But they never work.

Yeah, they don't seem to ever work. But, you know, I also don't think we're headed to, you know, if you've ever seen The Office, you know, Dwight is a character in that show and he thinks that, you know, robots and technology are going to, you know, turn on us. I don't think we're headed to that point. So no Skynet.

I don't think so. But I think, I think we are going to, we are going to, again, continue to see, it's up to us how we apply and use the technology, right? And so that's, that's what we need to control is how are we applying this technology? How are we using it?

And security's got to be a part of that equation, right? Otherwise, we're going to always be lagging in that area. And it's, it's, as we know, it's extraordinarily difficult to go back and bolt it on after the fact. That is so true.

Well, I'm very optimistic about that, that future. And it's, it's, you know, it's like the world is what we make of it. It's so true. And computers, they're just these tools.

They do exactly what we tell them to do. There's engineers, there's programmers, they write code. It's these machines, they're at our service entirely, 100%. They can't do, they can't think for themselves.

They're just doing what they're programmed to do. And I think you're right. Security has to be a part of that story as we move forward into this future. So if there's any listeners out there that are considering going down the CISO path or inspiring to become CISOs themselves, would you have any advice to share with them?

Oh, yeah, I would tell them to go for it. You know, I mean, I think, again, working in technology is exciting, and it's very exciting. You know, I would say my advice that I give to folks that I mentor and talk to all the time is, you know, don't lose sight of the main thing, right? In this world, as a security professional, the main thing is the data, right?

That is truly what is of value that needs to be protected. We say things like confidentiality, integrity, and availability, right? And to us, that means things, but really, it's all about the data, who has access to the data, is it there when it needs to be there, and is it accurate, you know? And I use the bank example a lot because I think it's relevant.

It's like, you know, you get on your phone and you log into your bank and you look at your bank account and everything's good. And then you do that again tomorrow, maybe, and then you check it again in a couple of days. And you always assume that it's going to be there, and you always assume that it's going to be correct. What if it's not there?

You know, maybe for an hour, that would be, oh, okay, I'll check back. They must be doing something. It's okay. Well, what if it's a day now?

What if we're going into three days? What if we're going into a week? You know, that's the work that. .

. It starts to get scary. That's the work that security folks are doing. So, you know, I think if you're interested in that, you know, and you should absolutely, you know, go into it, but you should go into it realizing that that's the job, is protecting the data and the availability of the data and making sure that it's there, you know, not creating policies to disrupt the business or, you know, hold people back from doing their jobs.

Yeah. I love the focus on the data. I couldn't agree more. It is all about data.

And even when you were rattling off those access control or authorization or authentication, that's all just to help control and secure the data. At the end of the day, that is what matters. Like these programs that we have and they're running on these machines, they're nothing. If you can't trust the data, if you can't trust the input that they're taking and computing, then the outputs don't mean anything either.

So, yep. Well, thank you so much, Mike, for jumping on the show with us today. This has been a really interesting discussion. Do you have any final thoughts for our listeners?

No, I really enjoyed it, John. You know, I like coming on and doing these things. I love talking about this stuff. I have a lot of conversations with folks.

I think it's fascinating, you know, and we're living in a wonderful time. I mean, if you think about the time that we're living in now, what's possible and, you know, how much opportunity we have in our lives to do things that have never been done before or just live to a much fuller degree. I think technology is wonderful. We just have to use it correctly.

We have to stay in control of it. We have to make sure it's secure. Those would be my parting thoughts. And I would also, you know, I'll steal a line from my football coach's mantra.

Don't get beat on blocking you tackling, right? Do the basics right. Make sure your foundational security practices are in place, right? Make sure you're starting from a good place.

Make sure you can get the basics down and then, you know, you can advance from there. So I really enjoyed it. Thanks again for having me, John. Mike, no, thanks for joining us.

And thank you to all of our listeners who have tuned in for this show and stay tuned for our next one.

‹ 8. Fredrick Lee, CSO of Gusto: Why is authentic diversity essential for epic security teams?

6. Prakash Darji, General Manager of Digital Experience at Pure Storage: The Next Frontier of Storage and Security ›