The New CISO Podcast Episode 63: Managing Your First Zero-Day Attack

Podcast Transcript | Air Date December 23, 2021

Steve: From Exabeam, this is The New CISO, a show about the people who lead IT security teams, the challenges they face, and how they overcome them. If you like what you hear, please rate, review and subscribe to hear our new episodes first.

Steve: Chris, you are a returning guest. Some of you listeners will know who I’m about to announce, but Chris Walski is back again. For those that don’t know who you are, Chris, do us the honor of letting us know who you are and where you work.

Chris: My name’s Chris Walski. I’m the chief information security officer for the Port of Houston. The last time I was here, I was unemployed, and ended up landing a sweet gig in Houston, Texas.

Steve: Yeah. Well, that’s part of what we’ll cover. There’s kind of a couple chapters to this I think that we’ll get into. So you have been a guest before. It was actually a fantastic show because it went through something that hasn’t happened to us, we’ve probably all thought about, where the conditions that you sort of mentioned is you believed in that position that things were going well, until they weren’t, until you had someone in your office on a Friday saying, “Hey, this isn’t working well.” I don’t want to spend too much time on that, but I think that makes what we’re going to go through here that much sweeter. And it’s evident that there’s been growth and reflection since then for sure, from my perspective. Chris, how long have you been now with Port of Houston?

Chris: Since first week of March last year, the week before everything shut down.

Steve: Okay. So the position with Port of Houston took a little bit of work to get into, I think like any job would. But this one I think was a little unique. You were unemployed, looking for a CISO position. What was the duration from the time that you started to find what you thought were good opportunities to the time that you got hired?

Chris: Well, basically, it was almost nine months from the time that I was let go to the time that I started back working again.

Steve: Got it.

Chris: So the whole interview process, and a spreadsheet of tracking all the interviews and everything else was a couple of hundred lines long, so a lot of work.

Steve: I think that is important for all of us to reflect on, where you had hundreds of opportunities, things into which you applied or at least sought additional information. And the window of unemployment being nine months, I think there’s a lot of people out there, maybe they’re not CISOs, maybe they haven’t had to go through this, but don’t realize that it takes that long.

Chris: Yeah. It does, especially if you’re just the, admittedly, I’m not a rock star, and so I don’t have all the lights and the name that comes with rock stars typically generate, especially even within information security. If you’re well known and you’re a well sought after thought leader, information security realm, may not take as long to get a new position. But when you’re a guy that’s just getting it done, or gal that’s just getting it done, it may take longer.

Steve: I think humility certainly comes through in your statements, but I think it’s also dangerous when we undervalue ourselves a little bit. I do think it’s, now that you mention it, bringing up sort of this rock star persona that we have sometimes in security. It does exist. Some of the rock stars I think can be actual rock stars, and there’s many others who sort of pretend that they are, and sometimes still get the halo effect of telling everyone they’re an expert enough, and then everyone will believe them. I think there are some that might not take nine months, but I know many people who have applied for great positions, and to make it through the C-suite and get an interview taken care of, and get negotiations done and all the rest can take many months.

Steve: I think that for the purposes of this show, you’ve always been super open and honest, and just sharing that I think is really valuable because there’s not a lot of places to go get this information unless you just have to do it yourself. Right? And so this is … I really appreciate you sharing this. And while I think it’s … I want to go back to the rock star thing, there’s a lot of rock stars, Chris, that I know, that spend their time out getting awards and having a spotlight on them, while members of their team are the ones actually doing the work back home. And so even though that might look cool to be fancy and be the rock star, that’s kind of the Hollywood CISO, is what I refer that as. And so I guess I just bring that up for the listener, and I guess for you as well, that sometimes being in the spotlight is not all what it seems. We need people to go out there and get the job done.

Steve: One of the things I think I want to bring up too, I don’t glad hand on this topic, when we met just a week or so again, just the conversation we had, you sounded better. And obviously, having a job versus not having a job will make you sound better, make you feel better. I think the confidence that you had and the clarity of your message had vastly improved. And one of the reasons I think is the new job, and some of what you’ve got to work on. How does that strike you?

Chris: It’s very true. I do think that I do feel better, even though I’m still probably getting less sleep now than when I didn’t have a job. But when you have focus, a mission, and you get to build something that you get to call your own, or you’re leaving a legacy, it definitely, it gives you kind of that desire to want to keep going and to push forward and do something good.

Steve: Absolutely, absolutely. And I want to go back a bit to your interviewing. After you began to zero in on Port of Houston, now you didn’t have any maritime, or didn’t have any, didn’t have much maritime experience in terms of the vertical related to what is the Port of Houston and the sort of specific risks and the business of. How much experience did you have there?

Chris: I had a little bit, but a lot of it was based on my days being in the Navy. And I had a little bit at a previous employer, where I was leading their information security program, and they had one pier on the Chesapeake Bay. So I didn’t have all of the large pieces of experience needed to help the number six sized port in the United States, keep cargo moving and containers moving, and import and export. So there’s a lot to learn there.

Steve: It’s orders of magnitude larger than what you had experience with, but it’s something that didn’t keep you from applying and pursuing the opportunity, which again I think is for the listener, for maybe the more junior person, or maybe the more senior, I think it’s important to press on. And how did you press on? How did you get familiar in this process to learn enough so you could go in and have some level of confidence in the interview process?

Chris: I was fortunate. I had contacts that I had made. One of the things that we as information security leaders tend to do is we tend to socialize. We have different events and we gather together to talk about what being a CISO, what it means to be a CISO, et cetera. Well, fortunately, I had one contact that was a CISO for the Port of San Diego, I got to know real well. I had another contact that was the CISO of Port Long Beach. And I expanded my network out to include other cybersecurity professionals or information security professionals within the maritime industry. And LinkedIn helped out a lot. And being able to just set up a time with them, ask them, “Hey, if I was working for you, what would you expect from me, or your organization? What kind of experiences are you seeing with regards to information security? How is it applied in the port?” I learned a lot.

Chris: One of the things I didn’t really have much information about was Maritime Transportation Security Act, so I did a lot of research there. So basically, I did my homework, reached out, talked to people, and researched everything that was related to maritime security.

Steve: So you effectively interviewed, in a way, the CISOs at San Diego and Long Beach, meaning not interviewed like you’re interviewing for a job, but you’re interviewing them kind of about their career and their expectations, and what their daily life is like. Is that accurate?

Chris: Yeah. That’s pretty much it. It’s sitting there getting an understanding of what they see on a daily basis as far as threats, and the handling of the day to day business expected of CISOs to be able to sit there and keep the port commissions happy, and keeping the regulators happy, all that goes into a good program.

Steve: And I would imagine this was happening in a time where there’s extra stress on everyone, so getting their time might’ve even taken some more persuasion because there’s cargo that’s sitting out in the port that hasn’t been, or in the harbor that hasn’t been unloaded. Right? We’re in the middle of a pandemic, and so this is … So you had to really persuade them maybe. They may have just been great folks, and you mentioned them, and it sounds like you’ve become friends. So applaud them for helping you, that says good things about our community. But I just think that’s making connections in the vertical I think is an important thing, and I’m glad to hear you did it, that it went well. Is there anything else that, anything you picked up in that process that would be a curiosity or a tip? I know you kept pretty detailed records of your interviewing process. Anything else you’d recommend to those doing something similar?

Chris: Really, it’s about doing your homework. I applied for jobs in everything from finance to manufacturing, to now here in the maritime industry, doing the homework so that when you have that first interview with the actual person that’s doing the hiring, that way you sound knowledgeable, you have the background, the understanding of the industry and the vertical goes a long ways. And I can’t stress that enough that when you’re in a leadership position, coming in cold and not having any knowledge, it’s going to be an upstream battle the entire time, so get ahead of the game.

Steve: Well, yeah. And I think it’s a way also to you can sort of acknowledge your weakness in a way, in the interview process. They may say, “Chris, you don’t have hardly any experience in this. Why would you make a good CISO?” And you say, “You know what, that’s an accurate statement. However, I have spent my time researching these acts, reaching out to peers in industry, actually interviewing them.” I think you can begin to make a pretty compelling argument for yourself. Now that still may not be good enough. There might be somebody who comes in with a ton of experience over the top of you. But it’s sort of the best fight you can make.

Chris: Definitely, exactly. It’s like you said at the beginning, it’s about coming in. It’s a humble slice of pie, and acknowledging your weak areas and how you’re trying to improve to make them a strength.

Steve: So Chris, back to the Port of Houston, were you the first CISO or security leader there?

Chris: Yes, I am. I was actually the first cybersecurity hire the port has had. Prior to my arrival, I mean, it was at that port, cybersecurity wasn’t going on at the Port of Houston. It was collateral duty for somebody within IT, or a couple of people within IT. So it’s not that it wasn’t being done, it just wasn’t focused. And now it’s got somebody to focus on it.

Steve: So this is both a good thing and a bit of a curse when you’re the first one through the door because in many cases, you are introducing these concepts to people that have never had to think about this stuff much before. Right? There’s a dedicated framework now, and there’s a figurehead, there’s a center head of an officer that’s in charge. That really starts in the interview process. I mean, while you were getting educated up on maritime, maritime industry, and all the rest of the port, you had to also begin to teach them about security starting day zero. How did that go?

Chris: It’s been a challenge. People there, for them, everything’s worked, has always worked. And why do we need to change it? Port of Houston has been around for a long time. And for them, tradition and the way things are done has always helped in getting cargo moved. And for something to come in, to change, and in some ways, they’ll feel like it’s impeding. It’s a difficult thing to tackle. The chief operating officer, not chief operating, chief port officer, what he does, he’s like, “I don’t care what you do for information security, just don’t impact my cargo moving.” And I’m like, “Okay. Got it. Noted.” So when I come back, I’m like, “Well, everything I’m doing is going to improve your cargo movement, so I’m helping.”

Steve: Right, right, right. Well, I mean, from their perspective, they don’t want a roadblock anymore, whether it’s a physical or a virtual one, and security is a bit of a new concept for some verticals and some organizations. But what typically happens, what typically happens is there’s an event at some point that then requires the organization to become educated. I have lived this, and you have as well. And the event is usually some sort of big incident, maybe a breach, that then sort of wakes everyone up. And that’s, as I understand, a little bit of the taste of what the port had. And fortunate enough, you were there.

Chris: Yeah, recently, we had a cyber attack that utilized the zero-day, that true zero-day fashion, there was nothing out there that said, “Hey, your software was vulnerable.” And to add to it, from what we’ve been told, we’re probably the first, if not one of the very first ones to actually have the attack used against the port, so kind of gives me shivers because I wouldn’t think that the port would be such a target. I know that we are a target for nation states. We’re definitely a target for criminals. But to have a zero-day to be used against us was kind of eye opening for myself, as well as for the leadership. And working through an incident like that, where the potential for shutting the port down could’ve been there, the potential for having to do disclosures, breach disclosures, was all there.

Chris: So fortunately, my background was in incident response, and came up as an analyst. I was able to sit there, we had a good incident response plan that we practiced. And fortunately, we were able to go from within two, less than three hours, we had gone from the attack beginning to actually having it contained, and within 10 hours, actually fully remediated. So we were told this was an APT, that again, APT could be anything, but this was actually truly an APT that conducted an attack against us. And we’re kind of feeling like dodging a bullet and that we caught this one so quickly. So that did raise a lot of eyes that APTs are willing to attack a port like the Port of Houston.

Steve: I have no superior knowledge or experience with this particular incident, but I will make some I guess analytical leaps on this one. I think on one hand, they probably researched the environment a little bit. They probably figured that you wouldn’t catch it, that they wanted to test this zero-day in this vulnerability within the password management platform, this password keeper. I think that’s an excellent thing to try to attack. Certainly, the theft of credentials is something we see often, often difficult to detect. But it’s interesting that this happened and that you caught it and were able to kind of clean it up.

Steve: You said something that I think is important to call out. You don’t have to name who you were working with, but it sounds like you were getting some information on the actor or actors. That’s an important thing I think to engage outside help, government help early, no matter what vertical you’re in. You said you had an IR plan. Was that part of it? Or did that happen just because you had done IR before?

Chris: That was one of the first things I put together upon my arrival. The other thing I’ve done in the past is I was a firefighter. And I know the value of a good plan when you’re going in to fight a fire. We do pre-planning of different buildings, and write these down in a book. So if you’re sitting in the front seat, doesn’t make a difference who’s sitting in the front seat of the fire engine. They’re able to go through and actually execute the plan based on the knowledge that we already have. So we had a plan. We had it practiced, so people were not unfamiliar with how the whole thing worked.

Steve: So the other thing I think is fascinating, again, you’re in a pandemic. There’s logistical problems. You have a zero-day that’s being exploited and then caught. And it’s related to shipping. I find that interesting. And from your conversation, I think you said it was number six port in size, but number one in bulk cargo. So my mind goes a little bit wild to think, “Well, is it an organization that is interested in criminal behavior? Are they interested to know our capabilities related to the movement and transportation or transition from on a ship to freight on a truck? Are they looking to disrupt this, knowing that we’re already kind of our backs against the wall?” We don’t need to explore that here, but I think your organization got educated on all that very quickly.

Chris: Yeah, we did.

Steve: That benefits you though. Right? I mean, so you now have to sort of stand on top of that story. Right? And people have to be saying, “Oh, shit. Listen to this.” And a little bit of you has to be saying, “I told you so,” or, “Yes, this could happen.” I mean, am I accurate? Or am I off?

Chris: You’re accurate. I mean because one of the things that we do within information security leadership is that we gen up our risk matrix. Right? What is our risk and everything else? So interestingly enough, back in February, March, I had updated our risk matrix. And this style or type of event was one of those items in my risk matrix. And they’re like, “It could never happen.” Like you said, I so wanted to say, “I told you so,” but I just kept my lips closed and just say, “Well, we can chalk this one up as being legitimate.”

Steve: Yeah. I mean, having documentation like that, that you can reference, having something that you can point to that says, “I told you so,” is worth so much. And for those that listen that know me, why I’m emphasizing this so much, but we’ll keep it on Chris, it can … You never want anyone to ever question. Well, if something bad happens, was your leader ignorant? Did they warn you, and you just did nothing? Or were they ignorant and they didn’t know any better, and they were just sort of inert and did nothing? You need to document every way possible, whether it’s an incident, or a risk matrix, in this example, and have that out there because you don’t want someone to come back on your program and say, “Well, you know what, they were just inert. They just weren’t any good.”

Steve: But if it’s documented, and you’ve sent it in an email, now it’s discoverable. And that’s where you want it to be. It’s got to be put together in the right way. And your lawyers might not like it, but that’s honestly, if you’re doing good work and you have real concerns, document it and send it out. So that’s my public service announcement for the day. But it does feel good, it’s a bit vain, but it does feel good to say, “I told you so.”

Chris: You’re right. And just coming away from that and that day, and then talking to the organization’s chief risk officer, who was like, “Yeah, you were right,” and then have leadership say, “Oh, maybe this guy actually knows what he’s talking about.” It’s always an extra feather in the cap, and that helps with the credibility, especially when you’re starting to move forward and address other areas that are a risk.

Steve: No doubt because then it’s like, “Hey, this was … ” And this was on the tip of the spear. This is a zero-day. Now you still have to have the capabilities to identify the intrusion and respond, whether it’s a zero-day or not. But it’s still a zero-day, and that is on the more extreme realm of what you’re likely to face. And so if this can happen, so can a lot of other things, I think is sort of the message. I’ve got to ask you, Chris. Was there anyone … This is kind of an unfair question, but I really want to ask it. It falls into one of my own, kind of my thesis around these types of problems. Was there anyone in the company that you met because of the incident, that you hadn’t met before?

Chris: Yeah. I mean, I actually got to meet the … Well, part of it was always been kind of locked down. But this kind of sped up me meeting with executive director and the chief operating officer, and then also on top of that, outside of the company, the Coast Guard and everything else. So this really quickly elevated me with not only within my organization, but with the maritime industry here in the Houston area.

Steve: People are probably tired of hearing me say this stuff, Chris. But one of my other things I often say is, “You never want to make an introduction in a crisis.” Now it’s better than no introduction, but meeting someone that’s very high up and important, and there’s now a security crisis, making that your introduction is hard. You have their attention, you just can’t screw up. You’re under … There’s higher stakes. Do you have a perspective, or maybe just a point of levity on that related to your own experience?

Chris: I guess I’m kind of fortunate in that all this went down, and it was done and over with quickly. Two hours, right? That’s when I knew something was wrong, and then we were fully recovered or ready to be recovered within 10 hours. So this wasn’t something that was long and dragged out. I was at lunch when all this kicked off, and done by 10:00 at night. So I was able to go to sleep that night, but in the back of my mind, I’m still kind of doing the analysis of the event, but always going back and playing the what ifs and everything else. But the good thing was, it did help raise the awareness that Port of Houston, within my organization, the Port of Houston is subject to cyber attack by somebody that has money that can sit there and put together a zero-day because these attackers are just like businesses. They have to have a return on investment. And if they figure that they’re going to get something out of the Port of Houston, or some way … They weren’t necessarily looking for our credentials. They were looking for something else.

Chris: And so the password manager, or reset manager was just the doorway for them to get in. We stopped them at the reconnaissance phase. They never got anywhere. So it’s that whole thing is we blew their entire return on investment within two hours. And within two weeks, having the rest of the world notified of all the indicators, and having the software patched by the manufacturer. It’s definitely something that you don’t get to see much of and hear much of. And part of it I think is because organizations are afraid to be out there in the limelight. And to be honest with you, I didn’t want to be in the limelight. All this was supposed to be anonymous. We’re providing all this information anonymously, until somebody decided they wanted to make a statement that wasn’t even related to my organization and made a statement about it. And so my point of view is, well, since somebody has decided to give us some lemons, we’ll go ahead and make some lemonade and turn this into a good news story.

Steve: Well, I think one of my biggest complaints about our industry is we don’t share the right information enough. And specifically, that means we’re often happy to share boatloads of indicators and things. But the narrative around the failure or success is often left out. And it doesn’t happen because generally, lawyers or government officials are involved to, typically lawyers, to keep it quiet. So even if you’re in a spot where you can share, as soon as you have a big enough incident, that all goes away. You’re not sharing anymore. And I see it all the time.

Steve: So then the very best learning exercises are sort of frozen. And then you might hear about it 10 years later, and that’s way too late. And that’s, if we don’t educate ourselves on these things, we’re just going to continue to fail. And I don’t know if you’ve got a perspective on the sharing of this. I mean, I know this was supposed to kind of been quiet, and other things happened we won’t go into.

Chris: My perspective is, yeah, I agree. We need to be sharing. We need to be sharing the lessons learned and how to make things … We’re not going to get better if we don’t do this in a collaborative environment. Part about being anonymous, that’s a good thing about the TLP system and everything else. The information was out there, everything from how it happened, to the lessons learned. All that was out there at a level that was releasable to just about everybody. The only thing that wasn’t out there was my name. So basically, it was almost like a … It was supposed to be redacted, and it wasn’t.

Steve: Chris, there is a value though, I think at a human level, at a leadership level, and it’s not necessarily just your name. It is going out and sharing. It’s both a failure and a success. It’s both that you don’t want to have any incidents, but you’re going to have them. And this is a rare story. I think it’s a positive thing for the Port of Houston. I think as a leader, it’s a positive thing for you, both as individual experience, and also sort of having to represent it, to tell the story, to get up and to give a perspective. It’s super valuable. It leads to development in many, many ways, and so I’m glad you’re sharing this. I think more people need to. An anonymized TLP notice is great. But when you get up and tell it from your perspective, it’s different. It carries more weight at a round table, or in this scenario. One thing I will say, and I’m envious of this, is that yeah, you found it and got to go to bed that night.

Chris: Yeah.

Steve: That’s a pretty rare, or a fairly rare thing when a zero-day’s involved, and all the rest. But you’ve been there 18 months. How many times did you have to sort of put your time into this problem after that day? Meaning you’re explaining it to someone, you’re dealing with an issue, there’s a meeting to talk to a regulator. What’s the long tail of that, even though this was a 10 hour event?

Chris: For Port of Houston, we’re like I said, regulated on the Maritime Transportation Security Act. And so that meant Coast Guard got involved, and they were here, a lot of questions. But the good thing is, they came not to be like regulators. They came to be more like search and rescue, and came out to see, “Hey, how can we help? What can we do?” I had FBI here, same thing. I think part of it was because it was such an odd event … I mean, initially this looked like potentially another SolarWinds style attack. So we’re thinking, “Oh, no. We’re at the forefront of another supply chain attack.” And so that’s what got FBI involved and CISA involved, so they came out and they were all offering assistance and providing us with the help that we needed to sit there, because with two people for an information security program, it’s been a real small program. So we definitely don’t have the resources internally to be able to handle the amount of lift that was necessary to be able to get all this information together.

Steve: I think my personal interaction and what you’ve described, especially the FBI, has actually been pretty good, the hands on help. There’s one area in particular where they helped what we were working on a long time ago, where there’s sort of a blind spot. They can sometimes put together things that you wouldn’t be able to if you didn’t have the access that they do. They were very helpful. It’s still the reality can be kind of a pain in the rear end too, but I would encourage everyone to reach out. I’d encourage everyone to have a relationship with your local field agent before you have a crisis is what I really recommend.

Chris: Definitely. Yeah, fortunately for me, I was part of the InfraGard, so I have a local agent that I would be able to reach out to and talk to.

Steve: Is that who you called?

Chris: Yeah. Well, not first, but yeah, I did call that agent, who put me in charge, in touch with another agent that more specialized in cyber. So the particular agents, typically like InfraGard, that’s a good portion of what they do, is just the InfraGard piece of it. So they’ll put you over to somebody that knows the cyber side a lot better.

Steve: Chris, a point you made, and I really like this, it’s a little bit … It sounds silly, but I think it’s very true. You kind of fight two battles. You fight one against the adversary, and these are my words, but I think we talked a bit about this. You fight against the adversary and you fight against what I call organizational indifference.

Chris: Yes.

Steve: You had an event that helped with the second one. What’s the relationship between those two things? Or how would you describe this battle or this insider threat category, the indifference of the insiders? Just advice to someone who’s out there, who’s struggling, who’s maybe a new CISO, or new director. How do you break those two down? And do you need to have a major incident before the second one gets better?

Chris: So yeah, like you mentioned, there’s always that struggle. You’re not always just fighting the battle against your cyber actors that are out there trying to cause a headache for you in your day to day job. You also have the internal battles that you have to have. And it’s politics within the organization, and it’s people and they’re protecting their portion of the organization. And I kind of mentioned it earlier, like how the two port officers like, “Do not do anything that’s going to break us moving cargo.” So part of it is, it’s fear. They don’t know. And we kind of talked about that a little bit earlier.

Chris: It’s the fear of what they don’t know about cybersecurity, being the first one to come in the door. But even when you’re not the first one to come in the door, you still have to be able to speak in a language that they understand. In my case, the port is very well versed on physical security. It’s something that they know. Safety is something that they know. And so you put in parallel descriptions of what I want to do for cybersecurity, and how it is similar to what they already know within physical realm. It’s drawing those parallels that may ease their apprehension towards making changes.

Chris: So it’s really about putting them at ease. If you can do that, the battles will go down. And then we get a little bit clearer of what your vision is, because when you come in there and you start talking cyber, they’re going to be like eyes rolled into the back of the heads. And they’re looking for the next pot of coffee and the glazed donut. And they’re just going to let you keep talking. And then when you’re done talking, they say, “Thank you very much.” And that’s as far as it gets. So you’ve got to be able to put it in terms they know.

Steve: And I would imagine, I don’t know much about this vertical, but I would imagine a lot of it is still certainly very mechanical and not networked. But it’s probably becoming more so networked and IoT devices, and different monitoring that’s done, whether it’s everything from RFID, to who knows what. I don’t know what I don’t know. But there’s more of that that’s living in your environment every day. And if it doesn’t go managed, it’s going to go bad fast. If there’s not good hygiene and visibility and some sort of way to analyze all of this, it’s going to slide sideways.

Chris: Very true. And it grows every day. I mean, it’s already there, and it’s huge. It’s like any large manufacturing organization, if you go to Ford, where you have robots making cars, or Toyota, or any of these auto manufacturers, things like that, that’s happening at the port. Maybe not so much robotic wise, but every crane, every device out there has some sort of chips in it. I remember working in one of the other organizations, we had pallet lift trucks, the kind that just sit there and you pump up by hand. Those had computers in them. Those were IoT. Oh, yeah. And the reason being was that’s how they detect when the person driving that actually ran that carton of whatever into a wall, or a pole, or something like that, and it recorded all that, so it’s all over the place now.

Steve: So I think we should, you might not like this, but I think we should give thanks to your colleagues at San Diego, and you said Long Beach was the other port. Were those the two? Am I correct there?

Chris: Yep. Robert Renzulli and Eddie Galang, they both did a lot to help me out in getting prepared for this position.

Steve: My thanks goes out to them as well, if maybe they listen. And then in that vein, mentioning your friends that helped you with this, prepare for this new position. I wanted to also state that I learned you also have a podcast. I believe it’s a video show from what I saw from the link you sent. I want to give that a shout out. What’s that called?

Chris: Maritime Security Talk. It’s five of us in the Houston area that get together periodically and sit down and have a censored, but not so censored talk. I mean, we’re sitting there, we’re drinking, we’re having bourbon. A couple of us might be smoking cigars while we’re talking. And we’re just talking maritime security. Could be physical, could be cyber. It’s whatever the topic of the day is. And we try to get together every couple of weeks and talk shop.

Steve: So for those in the vertical, those that are interested in learning more or connecting with Chris, I’ll put that in the show notes, and we’ll link to that. Or you can search for it. That will be out there for you as well. Chris, I want to thank you again for being on the show. And I’m going to close on a question that you’ve already been asked last time you were on the show. But you’ve got a new perspective now. And that is pursuant to the name of the show. Chris, what does being a new, new CISO mean to you?

Chris: Doing your homework, get to know those that you’re working with, whether they’re working for you, or are your peers, or those senior to you, get to know them. And be willing to educate, especially if you’re going into an organization that does not have somebody to lead their information security program. And do that, I think you’ll be on the road to success, being a successful CISO at that organization.

Steve: And have a good IR plan.

Chris: That too. Always helps.

Steve: Chris, thank you so much for your time. Have a great one, bud.

Chris: Thank you. Appreciate coming back.

Steve: That’s it for this episode of The New CISO. Thank you for listening. Check out more episodes on exabeam.com/podcast, and remember to rate, review, and subscribe to get brand new episodes first.