Podcast - The New CISO Podcast Episode 101: What About Third-Party Risk? A CISO’s Questions for the SEC - Exabeam

Podcast – The New CISO Podcast Episode 101: What About Third-Party Risk? A CISO’s Questions for the SEC

Podcast Transcript | Air Date October 5, 2023

Listen to the Podcast

Listen to Steve and Dan discuss how reporting protects shareholders and the new stakes for CISOs:

Meet Dan (1:30)

Today’s guest, Dan Creed, is the CISO for Allegiant, a travel company.

Dan discovered how to take over his school’s television channel in high school, which stemmed from his friend getting dumped. Dan and his friend used the cable TV channel to post some unflattering messages about his friend’s ex.

Although Dan was rightfully punished at the time, he was allowed to take over the school’s computer lab, and his career journey began.

Maintaining Excitement (7:02)

Dan maintains his excitement for technology by keeping up with all the changes in the industry, like changes in coding. If you love learning and learn fast, you will have a rewarding and lasting career in cyber security.

An Important Role (13:23)

Steve presses Dan on the importance of Absec. Dan reveals that Absec is related to code and that the most essential security aspect is code.

If you are in a customer-facing role, you need to be able to install software on other people’s machines and make sure their vulnerabilities are shielded.

Coping Mechanisms (16:45)

Dan copes with workplace and personal stress by understanding that humans are imperfect and make mistakes. There’s risk in everything we do, so keeping a balanced perspective is critical when mitigating potential cybersecurity issues. 

Ultimately, the stress in the security industry is building as the stakes grow, so finding ways to cope is necessary.

SOAR Review (19:27)

Steve asks Dan about his opinion on the automation software SOAR. He thinks it has its place, but finding people who can automate themselves is better. People need to use the right tool for the job.

Building a Response Playbook (21:58)

Dan shares the first thing to automate when building a response playbook for the first time. First things first, make sure you can monitor strange behavior. Starting there allows you to work on the more complex procedures.

His Driving Force (26:16)

Dan reflects on his reasons for finishing his degree later in life. He wanted to learn how to “speak business,” in addition to his computer skills, which drove him to complete his undergraduate degree and MBA.

Choosing One (31:02)

Steve presses Dan on which one to choose if you could only pick one: storytelling or culture. Dan says it depends on the person and what they are good at.

If you look at what’s more important, it would be building work culture first and seeing how your team reacts to phishing and annual security training.

What is Material? (33:23)

Dan and Steve discuss how reports influence the stakeholders and what they invest in. Dan is critical of how the SEC changed the cyber security guidelines, partly because they are poorly organized and confusing.

There are good things, but more context is needed to determine materiality. These guidelines also do not factor in how to deal with third-party risk and supply-chain issues. 

Reporting Issues (41:23)

The SEC has intended to help shareholders with these guidelines so that they can protect the share price. Although Steve applauds their efforts, Steve questions if this reporting should be used for something else.

Dan believes these guidelines will not be as helpful to business leaders as believed.

The New CISO (49:24)

To Dan, being a new CISO means keeping up with the times and evolving. It’s essential to speak to the business side in addition to knowing your skills.

Quote: “I don’t have an issue with it being reported, but like you said, then what are they doing with that data? What is it really accomplishing? It’s not really protecting the share price. It’s not really protecting the shareholder and telling, oh, well, I don’t know if I should invest in this company because they got breached or not. As any company can be breached, we’ve been shown that time and time again, and the government can be breached. They should know this. They have been breached.”

Links mentioned:


Listen to the Podcast