Episode 107

CISO Insights & Managing Risks with Brent Deterding

EPISODE SUMMARY

In this episode, join us as Brent Deterding, a cybersecurity professional with 19 years of experience, unveils his top strategies for managing stress, prioritizing risks, and building resilience in the high-stakes world of cybersecurity. Discover how Brent's focus on controllable factors and his calm, composed approach—drawn from emergency medicine—can transform your risk management practices. Dive into his expert insights on the critical role of a CISO, effective third-party risk management, and the power of compelling storytelling to win stakeholder support. Plus, learn why Brent champions risk reduction over compliance and how Estonia's cutting-edge cybersecurity methods can inspire seamless, secure interactions.


Joseph Carson:

Hello everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm Joe Carson, host of the show, and it's a pleasure to have you back on and listening to some of our thought leadership sessions. And I'm really joined with an awesome guest today. Some of you have known him for quite a long time and have watched some of his webinars and sessions in the past, and it's such a pleasure to have you on. So Brent, welcome to the podcast and show. If you can give the audience a little bit of background about who you are, what you do, and some fun things about yourself.

Brent Deterding:

Sure. So my name is Brent Deterding and I'm a CISO and I've been that way for two years, but I'm a little bit unique. I spent 19 years on the vendor side and I've carried a quota, junk like that, and I talked to a lot of vendors. I love my job. I'm not burned out at all. The stress is serious. It is there, I mean, you report to a CEO, there's stress, but that's not a burden and my satisfaction is through the roof. So I love all this. I love podcasts, I love talking to people. It's all fun. Great. So good conversation in store today. I'm looking forward to it.

Joseph Carson:

Fantastic. What was your journey like to being a CISO? I mean, what were some of the things that built you up? What were some of those important skills that you learned over the years that really help you in your day job?

Brent Deterding:

Yeah, so honestly one of them is I worked in an operations center, ran an operations center for 15 years, and back then it wasn't ransomware, but it was like, oh my God, the firewall's down and

Joseph Carson:

Everything. The attacks.

Brent Deterding:

Yeah. But what you realize is that you are talking to people on a semi-regular basis who are having the worst day of their year or maybe their career, and we are doing it without video, all this. And so you come in and you're essentially the incident commander, is the role that I found myself functioning in. One of the big lessons that taught me, that I was forced to learn, is to focus on things that I control, don't focus on big and don't experience trust over things that I do not control. So as a CISO, the likelihood of some dude in China ruining my year is zero. That's not going to happen. And that has nothing to do with what happens or doesn't. It's all to do it. Not going to ruin my year because I don't control that. Now the things I do control, yeah, I worry about those just fine. But giving that focus I think makes me a way better CISO, and I learned that on call with firewall issues in 2003, 4, 5, stuff like that. So I think that was a very critical thing that I developed over a 20 plus year career.

Joseph Carson:

Absolutely. I think that's really important, is that when you've worked in very stressful situations in the past, you always find that you learn to deal with it. You become very aware of how to apply that in other situations in the future. I always remember when I was doing different positions in my past, one of the things was I remember going into an interview one time and I was going into this position, I was working in a SOC and it was all about managing foreign exchange money markets. And the person who was interviewing me said to me, Joe, he's like, this is a very stressful environment. We are dealing with more money every day than goes through the stock exchange. There's millions and millions of dollars of deals that go through each system. Can you tell us how you would deal with the stress in such an environment?

And I was thinking, well, the job that I was coming from at the time, I was working in the ambulance service, and when my systems weren't working, people died. And that stress, when you think about the impact that IT systems and technology have, is that you start really understanding that when things don't work, there are bad things and consequences. You learn to adjust, you learn to focus on the things that you can actually manage, you can change. I think that was always the thing, is when you work in those types of situations, it really prepares you for a lot of different situations in the future and you start getting that real kind of understanding about how to prioritize things much easier.

Brent Deterding:

Absolutely. So a long time ago, 2003 or four or something like that. So both my parents worked in the medical field in some form or fashion back in '03, '04. I went with a friend of mine who was a volunteer paramedic down in Myrtle Beach, South Carolina, and I went on a run with him in the ammos and I loved it. I called my wife and I was like, Hey, let's be thankful that I found cybersecurity before I found emergency medicine. I really, really like this a lot and I have a knack for it. I'm really good for it. And it's specifically because of that kind of just attitude of calm. My mom had some health emergency issues when I was a teenager and I get calm and focused. So some of that is natural, I suppose, how I'm wired. I'm wired pretty well to be an incident commander, things like that, but I don't get flustered. My heart rate doesn't go up. I just get focused.

Joseph Carson:

I think it's one important, yeah.

Brent Deterding:

Oh, it's partially. It's that I've developed that on purpose over time and it's very useful. It's the CSO because it allows you to be happy.

Joseph Carson:

So tell me a little bit about the CISO role itself and how do you prioritize your day, and are you really focusing on the day-to-day stuff or do you have a strategy? How far does your strategy go? I've heard some CISOs that might be looking at an 18 month runway. I've heard some that have a five year plan. What does your strategy look like?

Brent Deterding:

Sure. So I think of things, I've got to give credit. The first time I heard of this was Andy Ellis, the former CSO, Akamai, Orca Security, all that. And he has the pyramid of pain, is what he called it. And it's simplifying the categorization of risk very, very quickly. Is this a tier zero, one? And really it's how surprising would it be if it happened and how bad would it be? So if it's repeating and happening right now and it's devastatingly bad, that's the dumpster fire. You don't need to talk about it, just go fix it, right? Same thing with things like, oh, well this could happen tomorrow and it would be really bad. None of our users have MFA? Guess. That's the dumpster fire. Go fix it. And then we get into tier two, which is like, okay, I'd be a little bit surprised if this happened and it'd be, yeah, it'd be kind of bad.

And then you get like, oh man, I'd be super surprised if this happened. And even if it did, it wouldn't be that bad. So I put it in those tiers and then those are the tiers that I talk to, we're a currently held company, to my executive team about. And the zero and one are material risks. Those are dramatically bad. Tier two is like, Hey, yeah, we need to take care of it. And really where I am is tier three. Some things like, it's worth talking about. It's worth doing something about it. It's not worth a whole lot of money. It's not worth a whole ton of time and attention. But that's kind of the quick way that I think about risks. And I find that that works very well for cyber and also non-cyber risks. I can look and say like, Hey, guess what?

The effect of exchange rates, we're a global company. The effect of exchange rates on our company could be a big, big, big deal. The effect of having TikTok on someone's personal mobile device isn't nearly as big of a deal. Maybe we want to talk about both, but big deal, little deal kind of thing in very basic terms, because the categorization doesn't matter nearly as much as what you're going to do about it. And I kind of go back to significant risk reduction is simple, easy and cheap. And so I tend to focus a lot more on the protection side of things and on, we might call it protection, I call it resilience, we might call it whatever you want to. I focus a lot more on that than I do on the possible of what might happen, because what I find is that if I focus on protection and resilience, then that addresses most anything that can happen. Not every possible thing, but my overall design criteria is mitigate material risk aside from nation states and make nation states really, really hard to work for.

Joseph Carson:

I mean, ultimately what you want is to make the attack scenarios as costly as possible for the attacker, because I will say that the more time and the more resources and the more money they spend in trying to attack you, they've got to be a dedicated focused attack rather than the traditional opportunistic, which most attackers are. They're looking for that, basically that low hanging fruit. They want to do it quick, they want to do it fast, they want to do it as cheap as possible. And the more you put on them,

Brent Deterding:

Lock, make it now, for most of us, us are luggage lock, make the other guy more attractive. Now, I would feel 100% differently if I was Boeing and depending the state secrets or militaries there, hardcore in intellectual property. I mean, so different environments require different focus, which is pretty obvious. But at the end of the day, I remember a story from way back in the operation center where messed up, whatever happened, messed up and the firewall went down for a few minutes in the middle of the day and I called the client, I called the guy and I was like, Hey man, we screwed this up. And the firewall bounced. It shouldn't have been down for more than a minute, something like that, but it's good. He was like, I don't care man. We make whatever they made. So when the internet goes down, the owner likes it because productivity goes up. I was like, huh, right now, in the meantime, I managed thousands of firewalls, hundreds of environments, and I'm like, how about that outside? And they're like, no, we make money by making things. So okay, business do this five. So a little

Joseph Carson:

Bit different. Internet then was a luxury, it wasn't digital business, it was probably more the traditional physical kinetic.

Brent Deterding:

Always have to kind of say what moves the needle? What is the big deal for your company? And if you're manufacturing, it's probably availability, but intellectual property comes in there, and if you're banking, it's more integrity or confidentiality, whatever the case is, where do you make money? That's also the lens that I have to give mine whenever I'm talking to my exec team or when I'm talking to vendors or my team or whatever, it's like, okay, is this a big deal? And is it a big deal to what part of the company? To the company overall? Like, oh, hey, this thing, yeah, it's an issue, but it's 1% of the revenue. Okay, does it also have carry-on domino effects or would it be absolute? Is it

Joseph Carson:

Yeah, being isolated so that it doesn't spread across the organization? That's one thing I always enjoyed. I remember years ago when we all used to talk about software-defined networks and everything, and I went to the Estonian government one time, we were like, oh, you've got to implement software-defined networks. That's the way to go. It's all about the software. And they were going, you're way behind. And it was one of those realizations, they looked at it from a service-defined network, and the services were the business lines or the services they were providing to citizens. And then each of those services had a business risk and a financial impact applied. And for that it was a realization, to your point, that you've got to look at what the impact to the business is. Is that service's outage almost the domino effect, and does it spread to other services? And for me that was a realization. Absolutely. You have to have an understanding about, to your point, the example is the internet access, because it was time people became productive, because it meant people were not wasting their time surfing the web, they were actually doing their job. So really finding that fundamental, the risk itself from a business perspective, is critical because then it allows you to make sure that whichever your focus, your SSIS and olis that you need to have in place.

I think I really like one of the things that Gartner referred to as protection level agreements. I like that definition because it really defines, okay, when we have the business risk, what's the protection you've agreed with the board to cover that?

Brent Deterding:

Yeah. One thing I find is that my quick and nerdy risk categorization also works, and my focus on resilience and protection works well outside cyber as well. So when I go and establish a framework a little bit about surprising and impact, kind of short, to other areas of the business, then it encourages them to think in similar ways that isn't bogged down by lots of terms that we can

Joseph Carson:

Acronyms and technical terms that they lose it.

Brent Deterding:

Just talk about vulnerability, the term vulnerability or the term risk or the term threat or threat appetite or risk capacity, risk tolerance, all these terms. We can get into incredibly long pedantic debates about what they mean.

And don't get me wrong, it is good to have a good firm understanding about what portfolio building means. It's actually complicated, just kind of an involved thing and requires a whole lot of stuff. But if I can quickly get my VP of finance to proactively think about and say, you know what, Brent told me about what deepfake technology is, and I know that our resilient, our processes are fairly resilient, they're fairly robust, but there's this one thing and I'm going to think about that. And then when I talk to him next quarter and I'm like, Hey, have you thought about how any of your processes could be manipulated? And he's like, I was thinking we talk. So what I'm doing is I'm teaching other areas of the business how do you think in risk terms? And I'm doing it with a very simple, their eyes don't glaze over with all these pedantic arguments about vulnerability and risk tolerance and risk capacity and all that. But I can teach them a little bit about a framework and they go, oh, well this, I'm like big deal, little deal. Oh well, kind of a medium. Okay, so what can we do about it? Because what we do about it is the biggest thing.

And that's really my issue with a lot of third party risk management things. I don't care about the scans or the SOC 2 Type 2 or what. I care about is are they janky? Is our data at risk? And if so, let me go talk to the business owner or the owner of that service or their product and be like, Hey, from my perspective, this is a little janky. They're like, well, what do you mean by that? And then we'll get into the conversation and everybody's like, oh, well, okay, big deal again, big deal, little deal. Is this something that requires a larger discussion? And as a CISO I can say, we need to talk about this more, or I can also be like security. I

Joseph Carson:

Absolutely, I remember doing, I took the SABRE approach, it was quite a few years ago, it was a pen test and working with the CIO in order to get an increase in their security budget and to be able to achieve all the things they wanted to do. And we went with the fear approach and the CEO and CFO didn't, it spurred them, but they were very pragmatic and thinking about, well, they were looking at how they measure things differently. And ultimately it came down to that the CEO said, show me the tangible value. And that was a big, always the quantifiable value of what doing it helps the business. And so the CFO made a big realization. I always remember when he said the cost of doing something versus not. His simple math was that, show me, I don't want to spend more to protect something that's got less value than what you're actually spending on.

Brent Deterding:

Is this a $10 solution to my $5 problem? Just because for that organization it's a problem doesn't mean I don't care. To me it's a $5 problem and that's a $10 solution. I assume that every product on the market is an elegant solution to a real problem. My challenge is to quickly and easily say, is this a $10 solution to my $5 problem? And how I do that is when I look at how I spend my time or my team, how they spend their income, or a vendor or every line item on my budget, it's the same basic question. There's several different ways to ask this, but this is a little bit more convoluted but a little bit clearer at the same time. And that is, tell me a plausible story about how not spending this time, not spending this money, costs my company a lot of money.

Because if I can't tell that story like that, I'd better think about it now. And frankly, there's a lot of things out there that I can't tell that story for my organization. Now, maybe I could for a different work, that's fine, but my job isn't to defend them, it's to defend this one. So that one question I emphasize to vendors all the time, do that. If you tell that story, if you tell a story that is plausible, specific to that organization, where they're going to cost a lot of money, the CSO will take that and they will sell it to the CEO and the CFO. And when I sold, I worked for SecureWorks for 19 years and I had a CISO ask me and say, Hey, I'm sold. I like it. How do I sell to my CFO? I said, oh, that's easy. And which is not exactly what you want to tell a CISO.

Like, oh yeah, that's easy, but he let me get away with it. And I said, so here's how I would sell it. And I went through it, boom boom, it's just 30 seconds. And he is like, that's awesome. That just didn't work. I said, I think it will, I'm seeing it work. Beware though, if you do that for this, your CFO is going to say, that's cool, deal, for every single thing that you spend money on. And he is like, well, that's probably not a bad thing. I'm like, it's not a bad thing. As a CISO, as anyone, as any executive owning my budget, I should be able to defend any of my budget items. But yeah, this is a quick and easy story about why we're doing this. And sometimes the answer is, well, we must be compliant to operate as a business with whatever.

And that compliance thing says, thou shalt, so I shall. I don't have a choice, it doesn't matter. It's like paying taxes, whether you want to or not. It doesn't matter, you're doing it. But then there are a lot of other things where it's like, well, I know that this reduces risk and I can tell a story like that. So do that. And what you notice is, if you tie back to the pyramid of pain idea, is that those are the things that are knocking out material risk. And then it's like, well, should I spend $480,000 to do this thing? That doesn't really matter. I can tell a story, but it involves four levels of theoretical James Bond scenarios. Probably not.

Joseph Carson:

Some of the challenges that many CISOs and organizations have is sometimes also letting go of the past. So that's always the thing, is that if you're going to do something more, does that fundamentally allow you to get some of the old legacy stuff away? It's always a challenge. Where's that confidence level, once you've got to be able to take some of it away?

Brent Deterding:

So here's the other thing, and this always fascinated me in sales and still today: if I stop doing something, but it was me who made the decision to do that in the first place, does that compromise me? Well, I thought this was a good idea three years ago, but now I don't think it's a good idea. Am I going to look bad? Now me, I have no problem saying I made the wrong call or technology changes or the threat landscape changes or whatever. But when you are selling something and you want someone to replace something that they already have, you're asking them to emotionally go against their own position. And by the same token, on the sales side, it is never a good idea to call someone's baby ugly.

And our program is our baby. So if you say, oh, well you shouldn't do this, it's like leg roll, slow down. I made that decision and if that decision involved a lot of money, I have to then say I made a wrong call. And that may be hard and a lot of people may not emotionally or politically or whatever be able to do that. I have no such qualms. But I think my observation, being from the sales side, is that it's extremely common that people do not, people actually get very defensive of their mess. It's like a baby sitting in a really full diaper, like Ah, it's full of crap, but it's warm and it's mine. People get very defensive.

Joseph Carson:

They are very, very protective, not just defensive. But I remember years ago I was in that awkward situation, years ago I was working for HP and I was over infrastructure tools for all the data centers and HP had just acquired Compaq and they acquired all their data centers. And what was really awkward was I was an HP employee, so I was HP in a Compaq data center and my job was to map what Compaq was using in their data centers over to HP's technology. And that was such an awkward situation because you're in that situation where you've got Unicenter architects and you've got TNG and Tivoli and they're all used to using these tools in the data center, and now you're telling them over time they're going away, and it was very awkward and it was always a difficult situation, but you're trying to show them that change is good, that it's a new skill, you're going to become much more enriched with knowledge, but you always had to approach it very, very balanced and safe, that you're not taking something away. You're adding something to the

Brent Deterding:

M&A, M&A can 100% be like this, right? And another approach that, I won't say I've seen this, but I'd be really, really tempted to do it. And that is to rip the band-aid off and just do it really harsh all at once. Be like, listen, this is the way it's going to be. We're doing this, this, this and this. Get your feelings hurt about it. We'll have a beer on Friday and just rip the band-aid off, get through it all at once, because I found that those culture things can drag on for many, many years and can be a real anchor as well. And it works out, but it takes a long time and at some point you kind of have to be like, should we just rip the band-aid off quick?

Joseph Carson:

At some point you deal with the pain quickly rather than prolong it.

Brent Deterding:

Yes. And especially on things like what tools people use, it's like, I mean all of this though, whether it is a CISO, whether it's just a person in a critical role in an M&A, whether it is sales, whether it's just being a person, is empathy, understanding that people respond to their incentives. So we have the ability to care about what this is, and honestly giving a damn is really important. And if people know that you give a damn and you just call some things out, I find that works really well, because at the end of the day, a CISO reports to a CEO, my job is partially, sometimes I've got to make decisions that my team may or may not agree with for whatever reason, I have decisions that I may or may not agree with and that doesn't matter. So at some point you've got to empathize with people and be like, listen, I know that you did not agree with this, but this is the way it's going to be. Now it's time to get all on the same page, one team, one dream, let's get it done. And that applies to a lot of things. Just giving a damn makes a big difference. Caring what other people feel and think makes a big difference as well.

Joseph Carson:

Absolutely. One thing, I want to go back on something we covered a little bit earlier, but we talked a little bit about things like third party risk and supply chains and stuff. So what's your strategy? Is that a major risk that you see, and what's your strategy to minimize or to mitigate from a third party perspective? Because, as seen in the last year or two, a lot of the compromises, a lot of data breaches have been some type of API data sharing, have been third parties that can access or something. So what's your strategy around that side?

Brent Deterding:

So I get to go back and be like, so I talk to a lot of CISOs and some of them, I heard a friend of mine said, yeah, we found out on Tuesday that we bought a company three years ago I never knew about, and I was like, oh, that sounds terrible. But I mean when you're doing dozens or even hundreds of M&A a year, then that happens. I don't have to deal with that. So I have to protect my environment, not someone else's environment. And this is not something that causes a significant amount of stress or time waste for us. I tend to focus on having a lot of conversations. So I'll take a given vendor or a third party and I'll think about it and I'll talk to my team about it, and then I'll also go and I'll talk to the owner of that process or that function or whatever and I'll talk to them and I'm like, okay.

And I lead the discussion about what would happen if, and largely determine, try to determine, is this something that we need to really talk about with the broader group, or is this something that it's like, okay, so for example, if X vendor thing were to go away for an hour, would we know this? What about a week? What about a week? And if the answer is like, oh, okay, well at a week we've got to start talking about different, okay, well what would we do? Oh, well we would do this. Okay, that's probably sufficient for that. Whereas other things, it's like, alright, what if they went down for an hour? It's like, oh good god, that's a bad day. It's like what? We probably need to talk about that one more now we, so again, it is about prioritizing the risk not only from a cyber perspective, but from a downtime availability perspective, data breach, what of our data do they have? And if so, I don't want to be too callous about this, but who has how much liability? Well, okay, well, and also if that happened, is anyone going to worry about our data? So if Microsoft or Google or whomever were breached and every email that they had was accessible to China,

What number on the list are we that they care about? And I mean it's not the end all be all, but it's a reasonable question to ask. If I am Boeing or Bank of America, well, okay, if I'm critical infrastructure, if I'm me, I mean we're not number one. So there again, quick and dirty categorization, because the important part is to drive the discussion to say what the hell do we do about it?

Joseph Carson:

I think it gets into the discussion whether you're a primary victim or a secondary pass-by victim, and that scenario is that if you're a primary victim, they're going to be really the first thing they're going to look after. If you're a secondary, they may never even get to it. It may be something that they just, it's just collateral damage as part of the overall split.

Brent Deterding:

It also goes back to what do I control or do I not control? If I don't control that thing, then I mean I'll call it out, we can talk about it, but I can't do anything about it. Just like I cannot do anything. We have significant operations in the Philippines. I can't do anything if a tsunami hits Manila, I don't control that. Now there's a whole lot of stuff that we do control and there's a whole other lot of stuff that we do and that's funny, but do I control it? Do I not control it? That's a big focus, whatever.

Joseph Carson:

What things have we done in those side of things? A lot of companies went through and they've done compliance in order to identify those risks and try to look at offsetting them, whether it be on the financial side with PCI, just ISO standards, and also organizations have also been down the path to cyber insurance and also for the financial safety net. What's your approach on those sides, whether for compliance or cyber insurance?

Brent Deterding:

So I'll talk about cyber insurance a little bit. So we renewed our cyber insurance after I had been here nine or 10 months and our premiums went down by a third, the following year they went down by another quarter. So over a two year timeframe, I cut our premiums in half for slightly better coverage and it's still big, well-known firms and all that. And I did it because I know what moves the needle on risk, and I had this last one, I had 26 underwriters on the phone and I sold my program in two slides and 10 minutes and got a reduction. Now how much of this is me and my program or whatever doesn't matter, but I never mentioned a framework. I mentioned the five things that we do to substantially knock down risk. And then I literally had a slide with a big table full of all the stuff. I'm like, yes, we have policies, yes, we have backups. Yes, yes, yes, of course. In then out with three or four clearly check the box. They're like, can you clarify? Yes, of course. That kind of stuff. Do you encrypt data at rest? Yes, of course, right?

All this stuff, and that made a difference, and someone who's going to regulate you, right? Yep. There's always a regulator and it can come in the form of the law, it can come in the form of regulation, it can come in the form of compliance, it can come in the form of cyber insurance. It can come in the form of bad guys, and the cheapest, nicest way is to self-regulate. So my approach is very much I'm going to do the right things that knock down material risk to my company and then we'll do the paperwork and figure out whatever else we get to do. And that appealed to cyber insurance, that appeals like that way. My answer to anything, do we comply with, I'm like almost assuredly, yes, we may not have done the paperwork for it, but yes, we're doing all the right things that anyone could expect or demand and we can fill out all day. That's not a problem.

With some caveat, the caveat here is like, okay, well if you want to start doing a significant relative business in the EU with GDPR, we've got to talk because I don't deal with that, right? So now could we? Yeah, I'm sure we could, but that's a big enough thing. Or federal, all government fed go, there'd be dragons there. We've got to talk about that. We've got to think about it. But in general, I am very much a do the risk reduction things that are simple, easy and cheap and then figure out the paperwork from the backend. And I find that that works and I find that cyber insurance responded very well to that.

Joseph Carson:

I think it's one of the things, I did a previous podcast on Risk, Governance and Compliance, and it's really interesting that the recommendation from the auditor was to make compliance and risk a part of your cybersecurity program. Many organizations do it the reverse. They have security basically doing the checkbox of the program itself from a compliance program. And it's their own way, because what you're doing is you're doing security for the sake of meeting the paperwork. And to your point, absolutely, if you do security best practices, it's typically going to be the foundation for multiple pieces of paperwork or compliance and checkbox,

Brent Deterding:

But consider. So in my world, if we are not compliant, that is the material risk to the business. We don't get to operate. So there's a whole lot of stuff that I have to do and I have to pay and I've got to do because I've got to ensure the compliance, lack of compliance is, which, funny thing, that also means that the compliance framework or whatever, that's the thing that is enabling the business. I'm really not. I'm just, but to that point, if it's stuff that I have to do, I want to spend as little time and effort on it as possible. I want to spend time and effort on things that are moving the needle to reduce risk, which I have strong opinions about that apparently cyber insurance agrees with,

Joseph Carson:

Which I completely agree because cyber insurance has really taken that a lot of basically the frameworks and done a lot of copy paste in order to basically saying that these are the things the frameworks are looking for, so they must be the right things. But if you take it from a program, a security approach to what things are the most effective, you're typically going to automatically meet a lot of the check boxes. But there's probably a few things that you have to do in a certain way or you have to show evidence of auditability and the controls are in place and that's the paperwork pieces. That's typically making sure that what you've already done is you're doing it in a process that checks the box off of the paperwork piece, which I think is the more effective way and it's more cost effective way as well.

Brent Deterding:

It is easily. Self-regulation and doing things that move the needle on risk are easily the cheapest, most efficient way to go about doing this.

Joseph Carson:

So

Brent Deterding:

When I say simple, easy, cheap, people can get a little frazzled by that. Simple is a technology statement, cheap is cheap, easy is the people process part. And for that, you can get better at that. You can get more persuasive, you can get better language, you can get a better ledge, you can get that, it is a trainable skill. And just me saying, oh, we should do this doesn't mean that we're going to go do that, but if I can build a coalition around things like getting rid of on-prem AD or not having anything legacy around, or no BYOD or everyone, no questions, has a YubiKey, things like that, I can make that argument not in one big grand like, oh, here's my case, but in a million different conversations with a big coalition and then we get a lot of people going, yeah, yeah, a hundred percent, a hundred percent, yeah, agree. That's a good thing. And so I have not found a significant challenge in my experience getting things done that are fairly well self-evident, and things like strong MFA is pretty much, I think I can explain that because it's faster, easier, cheaper, dramatically more secure, and you don't have to be the best salesperson in the world to sell faster, easier, cheaper, and more secure.

I always attribute this back to if you ask 100 people, are you an above average or below average driver, 90 something percent of them will say that they're an above average driver, which means that 40 something of them are not, right? If you ask a hundred CISOs, can you get 99 point something percent of your users using strong MFA? A lot of them will be like, no, not in my environment. I'm not saying you're wrong. There are environments where it would be extremely challenging. No doubt.

Joseph Carson:

I live in Estonia and we are a country that the entire country uses MFA, but

Brent Deterding:

I'm using that. It's true and I'm going to use it

Joseph Carson:

The point where, but one of the things is, I remember I listened to a talk last year from the former president, president ve, and he did a talk. He says the important part of making that successful was the preparation and planning and education beforehand. And that was what was critical. He said before they were able to get that stage is they had to make sure that the citizens were aware of what was coming, how to deal with it and add value to them as well. So not only do they actually get it for during the one thing that it protects them, that actually enables for much more things. I remember even doing a training course, it was a risk assessment for a large transportation company. The same thing is that they realized that if they're going to basically want to protect their employees, they actually started realizing that how do we add more value?

How do we get, and they realized that actually let's give free versions for all of their family members, let's expand it to their home. They realize that actually security doesn't start at the office. It doesn't start with the employee, it starts with the social sphere. And they realize that if I can not only protect the employee and actually expand that to giving licenses for their kids devices, their siblings and their family and everything else, and you protect that home, what you're doing is you're protecting a target or that landscape or attackers go after and you're making it more difficult for them. In many cases it's at a very low cost as well for me. But that point is that yes, I think that every company around the world, every employee, every person can get to MFA, but it's the journey to get them there beforehand is sometimes the most critical part.

Brent Deterding:

And yes, so to put it this way, 100% of my users have a YubiKey, yay, go me, right?

Joseph Carson:

That is one of the fundamentals, one of the best protections if you can get to that point, where it really mitigates a lot of the attacks out there. It's not a hundred percent protection, but it's one of the most difficult for attackers to abuse.

Brent Deterding:

And this includes costing our agents in opinions. My new example is the entire country of Estonia has MFA and you can't do it for your fast person company. Come on now. And truly, I mean some environments really, really are difficult, but so a hundred percent of my users have YubiKeys, and I even see it in the employee surveys that we do. People are like, oh, YubiKey is awesome. It's great. I have people walking through. People are like, I love my YubiKey. I don't even know my password anymore. I'm like, yeah, good.

Joseph Carson:

And then your point as well is that you're not only putting MFA in place, but we're also moving passwords into the background and that's one of the biggest pains, is that getting that balance is about you're giving them something that they might have, there's a learning curve to be able to understand how I can apply it, but at the same time, I'm taking away one of your biggest pains, which is having to choose, remember and enter passwords. It's a win-win.

Brent Deterding:

It is. And if not, it is cheaper because if you do that, then you don't necessarily have to spend a lot. Your $25 problems became $15 problems or $5 problems. And so then you can look and be like, okay, we're not going to do this. We're going to go in with eyes quite open and I think we can do without this, fine. And even things that would be dramatically necessary in a lot of environments, you like, I dunno. So that's fantastic. But when you can, how I dealt with that lead up, that preparation, is I'm a big fan of storytelling. I'm a big fan of like, hey, bad guys don't break in. They log in, right? Now I can say that because I'm a cybersecurity expert. I've been doing this for a long time. People believe me, I'm a credible statement when I say that. And because of that, the only way that you can log on is to physically touch that key, meaning that even if a bad guy had your username and password, they can't do that. That's logical. It makes sense. People understand that. I'm like, okay. I'm like, and this is the cost. I was like, oh, stop. Exactly. You're

Joseph Carson:

Completely minimizing it down back to the physical side, is that they have to basically hold that person hostage and get them to do what you want them to do. And that minimizes it significantly, the likeliness of that happening. Or to your point, I really like the term you use, is it surprising? I like that better than the likeliness scenario because it is more relative.

Brent Deterding:

And the reason I don't like the zero to 20, 20, 40% likelihood or whatever is because that tends to make people think that it's not just a wild ass guess. Whereas just using the emotional term, surprising, it's not great, but it works. Because again, I want this to take 15 seconds, right? We'll talk about it, that's fine, but let's have this take no time at all and focus on what the hell are we going to do about it? Because then you can go, oh, well, don't care, don't care, don't care, don't care. In a school feed of all of us, I have 80 to a hundred things a day that I look at and I'm like, don't care, don't care, don't care, don't care, don't care. And I get to do that because of some of these other things that I did. But it all goes back to you got to lay the groundwork, tell a story, talk to the people, because at the end of the day, as much as people might not like it, massive amounts of decisions in life are emotional decisions.

And the currency of cybersecurity is trust and confidence. When I've talked to underwriters for cyber insurance, when I talked to my fellow exec team, when I talk to my team, when I talk to whatever, trust and confidence has to come through because no one is convinced based off head knowledge, oh, here's our SOC 2 Type 2 or here's our PCI. It doesn't do it, right? What does it is that makes sense to me. That makes sense to me. And I see internal and external validation that what Brent says, what the CISO says, is accurate. I get external validation, but hey, we faced a named threat group. We faced Scattered Spider throughout all of '22. Competitors are getting chewed up. We're not. Hey, our cyber insurance went down by 50%. Hey, the CIO who's been here 24 years, he says good things. Everyone is saying good things. That helps. As the CISO, it helps because then I get credibility and I get credibility to protect our business. My job is to, this is a slight thing I heard, I love it though, is my job to secure the company or to protect the business? My job is to protect the business. And

Joseph Carson:

That is, I always remember it's about understanding risk. That's our job. But we are risk professionals and ultimately to protect the business and the revenue and also become enablers. And how they can actually look at, when they decide to take on new digital services, is how quick can they do that in a safe way.

Brent Deterding:

And to do enough. I mean, that's the fundamental question. Security is a feeling, right? You can be in grave danger and feel just fine, feel safe, and you can feel incredibly unsafe and be just fine. So that feeling matters and that feeling matters. It's a little bit different for everyone as to what instills confidence, what instills trust. So, which is why I care a lot about protection, but I also have to care about the feeling of trust and confidence in me as CISO, in my team, in our company and all of that. And for me, we're a privately held company, so that means the owner, but how the owner feels makes a big difference because guess what? He's my boss. Protection also matters. And protection informs my confidence. It doesn't necessarily translate to anyone who hasn't been doing cybersecurity for 20 years. So I'm comfortable for a whole lot of different reasons. You can tell me a hundred percent YubiKey. It's like, okay, I'll be alright. Give me any environment that is a hundred percent YubiKey and I'll be okay. It'll be okay. I think it's something I can work with. Now, I'm pretty sure,

But when I say a hundred percent YubiKeys to underwriters, they know. When I say it to other CISOs, they're like, damn it. Awesome. When I say it to a CEO, it's like, and

Joseph Carson:

What have you actually from a business financial side, what have we done, right?

Brent Deterding:

And so that at the end of the day we're talking about education, which is head knowledge, but we're also talking about emotion, trust, confidence, credibility, all of these things. And some of that only happens over time. I don't care who you are. If you encounter someone brand new in your life and they tell you X and you believe Y,

Joseph Carson:

It has to be earned.

Brent Deterding:

You're overcoming cognitive dissonance.

Joseph Carson:

You have the internet or you have defined mutual areas where actually that can be shared. So trust is either earned or it's shared. And this

Brent Deterding:

Is all sales. This is all sales. We can call it borrowing credibility. I can tell you as a brand new CISO coming into an organization, you need, with very rare exceptions, if you're some sort of crazy, highly recommended or something, in most cases you really need head nods from other people. You need to borrow credibility from other people. If other people kinda head nod and go, yeah, what he's saying, it makes sense.

Joseph Carson:

It's credibility. It's a credibility question. What are the resources that Ryan do that help you? Education or knowledge, or is there conferences you go to or books that you read? What's the thing that you do in order to keep making sure, because the industry is always changing and we need to stay up to date. So what are the resources you use to keep you up to date? So

Brent Deterding:

Head knowledge is generally not a problem. I don't have a hard time encountering the knowledge that I need to know. What I do focus a lot on is, I focus a lot on frankly sales. Sales. Like things like persuasion, not manipulation, but persuasion. What makes the compelling environment, understanding different types of people. I have thousands, thousands of data points on fundamentally technical people. I've been interacting with CIOs, CISOs, security, cybersecurity, IT people for 25 years. I got that. I run arguments by my wife, who's incredibly intelligent, but not at all a cybersecurity person, and be like, if I say this, does that make sense to you? Yes. Why are you talking out of me? I'm like, I'm not, but that helps me. Or if I can take any given concept, again, that cognitive dissonance thing is a big deal. So if you believe X, and I tell you Y, depending on who you are as a person, that's going to take between five minutes and five months to overcome. But we got to start that timing. It could be on religion, politics, whatever. Take your nastiest issue that people get really emotionally fired up about and do that and figure out how to talk to people. How to get them to engage, how to get them

Joseph Carson:

To engage, how do you find the balance that allows it to be a discussion and not an argument?

Brent Deterding:

Yeah, yeah, exactly. It doesn't help if we're yelling, right? We don't have to agree. But if we understand the issue, because guess what, I don't necessarily care to get my way, and that's part of who I am as a person. I don't need to get my way. What I do need as a person is to be heard and respected. So if I'm heard and respected, because the CIO has a different perspective, the CEO, the CFO, et cetera, and frankly, they may have a perspective with knowledge that I don't have, nor should I necessarily have. So my goal is to make sure that we make informed decisions, and I know when do I need to pound the table and make a big stinking deal about something and when it is like, okay, again, big deal, little deal. So I tend to read a lot about emotional intelligence, persuasion, sales mindset, different types

Joseph Carson:

Of people. The psychology side of, I guess it's really understanding how people make decisions, it comes down to it, which I think is quite impressive. I remember reading the ABCs of cybersecurity, which is a great book because it's all about moving from taking small steps to getting it into your behavior and then ultimately making cybersecurity part of the organization culture. And I think that's the approach, because it really means what you're doing is you're making people think about it as habits, as a day-to-day thing, rather than just something that they have because it's part of a policy, is that it becomes much more native to them.

Brent Deterding:

If you understand who people are, what their real view is, then that can really inform a lot of a cybersecurity roadmap, for example. So if I understand that my privately held company, I understand how conservative they are with risk or aggressive or whatever, then that helps inform me about who I'm working with. And really, because at the end of the day, for a privately held company, how you define material is whatever the owner cares about, right? I mean, that's it, right? Because some of those things can get into somewhat sensitive topics. If I say, okay, are you willing to lose $5? Yep, absolutely. Kind of need enough. How much is this in the wallet? Are you willing to lose five bucks and you got 10 bucks in the wallet? That's, way, that's pretty aggressive. If you have $5,000 in the wallet and you're like, five bucks was okay, 10 bucks too much, whoa, you're super conservative.

So that informs, I mean, they get to make that call. They don't, the company, it gets a little bit more interesting about what does a reasonable investor think when we're talking about SEC. But even that, I think that we can work around that, but understanding that it is not just a financial number, but it is worldview, how people approach the world, how they think about the world. And you get all those indications from talking to them about whatever. I learned, I learned a lot about people talking about their kids, traffic, weather, roads, whatever. Normal chitchat tells you a lot. So part of what I do is I have a ton of one-on-ones with people around my company just to, people

Joseph Carson:

Find the pulse. It's like getting that temperature of the people, understanding how important it is and what things you can do. Brent, it's been amazing and awesome having you on the show. You've been completely so valuable. Lots of great insights, lots of great approaches and strategies. And for me, even I learned a lot. That's one of the things I enjoy about these conversations, is sharing experiences, sharing ideas and strategies, and then really bringing it to the next level. And I think that's really the more we get our ideas and thoughts into the industry and more people to hear them. Ultimately, my hope is that through these podcasts and having you on as a guest, is that we're making the world a safer place, not just for organizations and business, but ultimately for everyone. Any final thoughts or words of wisdom you would like to leave the audience?

Brent Deterding:

No, not specifically. Great talk. Great talking to you. It is enjoyable talking to you. One of my takeaways is the country of Estonia has problem with that

Joseph Carson:

For everyone to the point where I think it's around, it's like 1.3 plus million people and it's a citizen ID that everyone from birth gets, and it comes with basically two PKI, and you've got an authentication PIN and an authorization PIN. So the authentication is for viewing and the authorization is always to make changes. And they use it for voting, for tax returns, for banking, for everything. Vending machines to parking and loyalty cards. Is

Brent Deterding:

It a physical card?

Joseph Carson:

We have multiple. You have the physical card, which changes every five years. Most of them use it for passport. It's actually more secure and more reliable than passports. And then that enables you to then sign child certificates, for example, on your SIM card and your phone. And then you can use your phone as a primary method. And then the card is the master. From a society perspective, it makes life and interaction with the government, and even companies that use it as well, much more seamless and enjoyable, to be honest. That's

Brent Deterding:

Awesome to know.

Joseph Carson:

That's cool. Fantastic. Well,

Brent Deterding:

Hey, thank you very much for having me on. I really, really enjoyed the talk.

Joseph Carson:

Absolutely. So for everyone, Brent, many thanks for joining me. For everyone, this is the 401 Access Denied podcast, really bringing you ideas, strategies, thoughts, and really for you to bring back to your businesses and apply them, and hopefully it'll enhance your career. And also, at the same time, help you put things in place to help your organizations. Tune in every two weeks and look forward to speaking with you and seeing you in future talks. All the best, and take care everyone.