Redefining CyberSecurity

The State of the CISO: Breaking Silos and Navigating Responsibilities | A Conversation With Sue Bergamo | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity, host Sean Martin engages with guest Sue Bergamo to explore the dynamics and responsibilities of cybersecurity leadership, comparing and contrasting the roles of the CISO, CIO, and CTO within organizations.

Episode Notes

Guest: Sue Bergamo, Executive Advisor/CISO/CIO at BTE Partners, LLC

On Linkedin | https://www.linkedin.com/in/suebergamo/

On Twitter | https://www.twitter.com/@suebergamo

On YouTube | https://www.youtube.com/@suebergamo

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of Redefining CyberSecurity, host Sean Martin engages in a conversation with guest Sue Bergamo about the dynamics and responsibilities of cybersecurity leadership. They discuss, compare, and contrast the roles of the CISO, CIO, and CTO in an organization and the handoff of tasks and responsibilities between them.

Sue emphasizes the need for a holistic approach to security, with the CISO responsible for protecting the inner workings of the company and its data. They explore the challenges of hiring in the cybersecurity field and the impact of the current economic climate. Sue cautions against a siloed approach to security and advocates for a well-rounded security program. They discuss the importance of consistency and structure in change control and release management processes to prevent issues and vulnerabilities. They also emphasize the role of the CISO as a trusted advisor, communicator, and educator within the organization. 

They touch on the maturity level of cybersecurity programs and the need for organizations to embrace business-level conversations to reduce risk and exposure. Sue addresses the current state of the industry, highlighting the challenges faced by CISOs and security teams. She suggests that a calm and collected approach is a sign of a well-functioning security program. This, however, could leave the rest of the organization questioning their investment in cybersecurity. To this end, they discuss the importance of implementing controls and processes to create structure, improve security posture, and demonstrate this to the business leaders and key stakeholders.

Overall, the episode provides valuable insights into the evolving role of the CISO and the importance of a holistic approach to cybersecurity. The conversation is informative, thoughtful, and thought-provoking, without sensationalizing the content or adopting a journalistic tone.

Listeners can expect to gain insights into the complex dynamics of cybersecurity leadership and the challenges faced by organizations in the current landscape. Have a listen!

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

Resources

Short-Takes (podcast): https://www.youtube.com/@suebergamo

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________
 

[00:00:00] Sean Martin: And hello everybody, you're very welcome to a new episode of Redefining CyberSecurity here on ITSPmagazine. This is Sean Martin, where I get to chat with all the cool people from around the industry and beyond to talk about tech and how it impacts business and security and risk and how we need to bake that in to enable the business to succeed, not block them from growth and revenue generation.
 

And, uh, there's a lot. In that all in itself. But then if you, if you look inward as a security professional and even, even more so with, with scrutiny from others as a CISO in a role, uh, there is even so much more to consider, uh, personally, uh, how do you deal with it? Um, are you able, what attributes do you need to have? 
 

What skills do you need to have? What teams do you need to build? What tech do you need to use? And then there's also the, the, uh, the stress that comes with that and perhaps the liabilities as well. So we're going to talk a little bit about some of that in the context of the current state of the CISO.
 

And we're going to look at, uh, the CTO role and the CIO role and how CISO fits in there and what some of the gaps are as well. Uh, of course, not having been a CISO, I know nothing. So, that's where our guest, our good guest, Sue Bergamo, comes in. How are you, Sue?  
 

[00:01:25] Sue Bergamo: I'm good, Sean. How are you today?  
 

[00:01:27] Sean Martin: Thanks for coming. 
 

It's exciting. I'm glad to have met you the other day and thrilled to have you on the show. Hopefully, I didn't butcher your last name.  
 

[00:01:35] Sue Bergamo: No, actually, you said it correctly. You're like one of just a few. And going back to Italy, there's this nice little town in northern Italy called Bergamo, Italy. So, there you go. 
 

It is the polenta capital of the world. Ooh.  
 

[00:01:48] Sean Martin: I'm gonna have to go visit that now and check it out and then taste, of course, but, uh, we can talk about food on another episode on another show. We're going to focus on, on cyber today. I'm sure I'll, I'll bring in a food analogy. It's, uh, that's what I do. But, uh, before we get into the, the, all of those nits, uh, and bits, uh, Sue, a few words about what you've been up to, what you're currently doing, and, uh, and why this topic?
 

[00:02:18] Sue Bergamo: Well, actually, I, I've been talking about this topic for the better part of a year. So by trade, I'm a pattern watcher because I have to be. Um, and, uh, I've been seeing some things that are a little disconcerting in the industry and just. Uh, trying to call them to attention, but my background is CIO, uh, uh, CIO for 12 years. 
 

And then, uh, I went over to security, uh, about eight years ago, which still do CIO work, still do tech work. Um, I think there's a misconception that you can separate the two, but they go hand in hand. Uh, no matter if you're, you know, dealing with the engineering team or, you know, the IT team, but security really gets their hands into everything, including the business, right? 
 

HR and finance and marketing and sales and customer support. So we're not just a one shop or one topic, you know, role where we're all over the place and we should be.  
 

[00:03:17] Sean Martin: That might be a good place to start, actually. I know we want to touch on some of the gaps between CIO and CTO, but given your experiences in, in the roles that you've had and, and the trends that you're watching, the things that you're spotting.
 

Do you feel that we have, I don't know who even we is, the greater we, do we have a good understanding of how the CISO role fits in, in relation to the CIO and the CTO and I don't know, I guess every company does have, does build stuff pretty much at this point. So there is. There's a technology officer or product officers as well, uh, bringing, bringing apps to, to play internally or externally. 
 

So do we have a good, good grasp of CISO, CSO versus the other roles? And have we done a good job over the years kind of drawing lines where they need to be, keeping them removed where they shouldn't be there?
 

[00:04:17] Sue Bergamo: See, I think that's part of the gap that I'm seeing. So I think that the, the CISO role was well intended when it first came out. 
 

And, and I speak from experience because as a long time CIO, I always had security in my shop, but I have to be honest with you, not to the level that I did when I became a CISO. It's a whole different dynamic and I really believe that CIOs asked for the help because they understood it was a whole other full time job and they were already wearing many, many hats.
 

The, the CTO, in more, I'm going to say, mature companies, have understood that, you know, if they're developing products, they have to be cognizant of the security around those products. But, you know, I do think that there's a little bit of a gap right now, um, in understanding that the CISO really is there, not just to secure the perimeter, which I think is what everyone thought in the beginning, like just go after the network and we're fine.
 

But it, um, we're there to find, identify, detect, and then respond to gap areas. And I think that's where some of the rub comes in right now because, um, you know, if we're doing our jobs correctly, we're partnering with CIOs, we're not just poking them in the nose when we find a gap. But face it, when you're really busy and you're, you've got all these priorities, you know, uh, on your plate as it is.
 

And then we come in and we're like, Whoa, you got all these exposures and look at all this, you know, you know, these vulnerabilities and these defects and, you know, all these exploits. And, you know, we're just adding to the burden on these folks plates. And I think that's where some of the conflict comes in. 
 

[00:06:06] Sean Martin: Yeah. And I can't help, uh, myself, but to look back on some of my own experiences when I was building products at Symantec, so different than a security program, but still a program in that you have a problem you're trying to solve or something you're trying to build over to achieve some objective. And I can't tell you the number of times that the organization reorganized how products were brought to market.
 

Sometimes they'd place a business head at the top. Sometimes they'd place a tech head at the top. Sometimes they'd place a program head at the top. Depending on... either, well, oftentimes kind of what the company thought was needed for the company at the time, but then also I presume sometimes down at the product, at the delivery level, to say this is a high risk or this is a very technical or this is a very time sensitive, depending on what some of the core attributes of the challenges were, they might organize a team a certain way or an organization a certain way.
 

So do you? My question from that experience is, Do you think we define the CISO role in a way that's malleable enough to fit different types of organizations and different types of scenarios, maturity levels, size, industries? 
 

[00:07:39] Sue Bergamo: I wish I could say it was totally defined. So let me start by saying that in the MBA programs, no one teaches tech and security. It's sales, marketing, and finance. So that's the first gap, right? And then, and, and again, you know, I've had a long career in, in security. So, you know, these aren't, these aren't rubs. 
 

These are just facts. Um, then you get to the board level and again, it's mostly, you know, investors, CEOs, right? Again, marketing, sales, and finance. Tech and security are typically not a part of the board. Now, if you're in a really big company, you may find, uh, those individuals, you know, sitting at the board level, but for the most part, they're not there.
 

So you have a whole bunch of business people, either if they're sitting on top of product, or if they're sitting on top of a company, not CIO. 
 

Or the CISO should be doing. CTO is very clear. They're there to get product out the door. But these other, um, uh, roles, you know, just like what the CIO went through 20 years ago, they went through a lot of pain, try to figure out what it was that they should be doing. And at the end of the day, They kind of got pushed into the back corner, and now they're just internal applications, which, by the way, is an important role to have, and there's a lot of work that needs to be done in order to maintain internal applications. 
 

So, the CISO... you know, sort of came out of that as an, okay, well, we're going to protect all the internal corporate affairs, you know, the, the network, the internal applications, the employees, and then some CISOs got to participate and venture over into product, which is a great thing to have happen. But again, you know, we, we were coming in sort of, you know, at the end of the tail, right?
 

The tail's already wagged and we're coming in at the end and we're saying, but you forgot, but right, what about, but, and, and people are going, wait a minute, we have been functioning all this time without you. And, you know, like you're coming in here, like, sort of like a little bit of a wet blanket saying, well, you're not doing things correctly. 
 

And so, you know, again, if we're doing our jobs right, we're not just identifying, uh, gaps in, in these other areas, we're working to help resolve them. And that's really what we should be doing. And it, a lot of it starts, I hate to say this, it just sounds so simplistic, but it's true, with access privileges.
 

If we get access privileges right, it's not that it takes cyber off the menu, but it at least gives you some foundation, some basis to then start building a program on top of, hopefully, role based security and access privileges. Cause as I like to say to, you know, board of directors, when I get a chance to talk to them, why would you give customer success access to sales numbers or HR access to finance numbers, right?
 

Like, you know, people should have the data that they need to do their jobs. And really no more than that, right? It's, it's the privilege of least. That's what we, we abide by, meaning if you don't need to see it, you don't have access to it. And that's a good thing. And you know, especially lots of folks say to me, well, you should have access to everything because you're the CISO. 
 

And the, uh, the answer is, oh dear God, no. Like I'm the last person you want to give full access to, or the CEO or the CMO, because we're the most sought after person in the organization to be attacked. The CEO is the most, um, you know, uh, attacked person in any organization, but if we get compromised and we have high access privileges, it's game over for the company. 
 

So there's a lot to be done, and honestly, it starts at IAM.  
 

[00:11:51] Sean Martin: Yeah, yeah, it makes sense, and uh, I cannot but think that, uh, as part of that, uh, access to information, but also the system. So therefore, uh, the networks and segmentation, for me, fall underneath that. That may, may start to make things complex again, but, but, uh, nonetheless, yeah. 
 

[00:12:12] Sue Bergamo: And not to bring this up, but it just continues. Like, so I, there's themes every week and this week's theme is API security, right? And connections and service accounts. I love to go into companies and say, when's the last time you guys rotated, you know, tokens, you know, your, your secret keys and, and your passwords on those service account IDs?
 

And people look at me like, what are you talking about? And it's like, it's just like a user ID. You should be rotating them minimally at, at an annual basis at a minimum, but. A lot of companies don't even know where the assets are located, let alone how to go about and rotate those keys. Exactly. You're laughing. 
 

It's true.  
 

[00:12:54] Sean Martin: No, I know. I can, I can sadly picture a few myself that I'm thinking, Oh yeah. The good thing is I remember some that I've set up that I can follow this advice for, but to your other point, there were probably others.  
 

[00:13:09] Sue Bergamo: And hopefully you didn't hard code any of them, right?  
 

[00:13:12] Sean Martin: Didn't use them, yeah. 
 

Exactly. And I didn't put them in GitHub, the keys as well. That's another, another point. But let's, this is all fun as well. Um, but I want to talk about, I, I think what you just described clearly. Well, I don't know, maybe not clearly. I want to talk about responsibility. You talked about CIO and CTO and, and then the bringing of security in. 
 

And there's. There's handing off activities, there's handing off requirements and jobs and things like that. And then there's the responsibility part. And I'm wondering your thoughts on what from the CIO or the CTO were handed off as Tasks, what things were handed off as responsibilities. And I guess I'm asking a bit of kind of an, uh, an organizational structure who sits at the top and who maintains the responsibility. 
 

We haven't talked about risk managers or risk officers yet as a, as a label. But somehow they fit in there as well. If the organization is big enough. So I don't know if you can paint a picture of the different roles and where the difference between activities and responsibilities might, might lie. 
 

[00:14:40] Sue Bergamo: Personally, I see them as. You know, the CIO and the CISO. Because they are, they are all at the C level, and they are all peers. It doesn't matter if they're focused on technology or not. They each have a different focus. One is product, one is internal. And the other one is security overall for not just a platform, but it's the company, it's employees and customer data. 
 

So while the other two are getting, you know, busy getting product out the door and, and applications out the door, the CISO is protecting those, you know, inner workings of, of those environments. Um, and it's, it's just as big a job as the other two roles are. So, you know, if you look at some of the job descriptions that are out there today, it's like a laundry list and, and a CISO does have a laundry list of responsibilities, you know, on them and, and that's okay. 
 

So they could be responsible for data privacy or GRC, you know, governance, risk, and compliance programs. They could be responsible for development or infrastructure or physical security. And of course, uh, security operations. They could also be responsible for fraud related activities, right? Depending on the type of company that you're in.
 

So there's, CISO is supposed to be doing. Some CISOs are very focused on one thing, you'll see job descriptions out there for, you know, application security or just infrastructure security. And those are very, um, siloed approaches. And, you know, I say to companies, I do a lot of advisory work for companies and I say all the time, if you're only focused on one pillar,
 

Then what are you doing with the rest of the company? So, you know, if you're, let's say, only focused on platform security, well, who's watching HR and finance, right? You're basically saying that it's not important, or, you know, a lot of times those departments are left to sort of fend for themselves and they're not trained in security. 
 

They're trained in their job functions. So, you know, I always get a little suspect when I see the siloed security, um, role.
 

[00:17:04] Sean Martin: Let's talk about, um, that you mentioned job description and laundry lists. And I don't know if we can kind of put under, under the big, bigger bucket of the state of the CISO conversation. What, what are you seeing as you're engaging with organizations? Do they feel they have certain areas covered? Are they struggling to, to cover some of the other pillars, using that term, as you mentioned? Um, is hiring going well?
 

Are teams strong and robust? Um, what's kind of the general sense of things?  
 

[00:17:45] Sue Bergamo: I wish I could paint a really rosy picture right now, but I can't, so I know more CISOs that have been let go from their jobs. I know more team members that have been let go from their jobs and honestly, I wish I could tell you it was role specific or gender or age or race or geographic area or some pattern, but it's not. 
 

It's across the board and it's at all levels. Um, Unfortunately, what's happening right now, which is great for the SecOps manager, they're being elevated. Um, and I'm again, no disrespect to SecOps because they work hard and they do a lot, but they're getting elevated to what I'm, I'm calling a band aid, uh, which is companies are faced in an economic downturn with high inflation and probably a lot lower ARR. 
 

Um, and they're, they're trying to fix a problem that they have perceived they're having. So if they don't want to pay for a high price CISO, they just need to make sure that security operations is being taken care of. So they're elevating the SecOps manager to head of security. And again, no disrespect to SecOps because they do work hard, but there, unless you get somebody who's been, um, you know, involved in a broad range of activities, mostly their, uh, their goal and their, their skill and expertise is in alert management and understanding what to do when a company's under attack.
 

So it's, in my personal opinion and in my level of expertise at this point in my career, I keep saying it's the wrong picture. It's the wrong way to go about solving security. Yes, we do need to solve alerts and attacks and figure out what's a false positive and what isn't, but security is so much more than an alert.
 

It's so much more than just a technology. It's the triumphant or the triad as we call it, um, of people, process, and tech. And the real triad that CISOs solve is availability, integrity, and confidentiality, right? CIA. So, if we're not focused on, on the triad, um, we're missing something. And then the ability to identify and detect and respond, um, becomes a little bit harder to do.
 

Leaving companies vulnerable to attack.  
 

[00:20:19] Sean Martin: Yeah. And I, I have a, uh... I don't know, multi-layered, rosy-colored set of glasses that I often look through when, when I'm on the show, cause it's easy to get, get down into things are challenging. We don't get the support we need. We don't have the budget we need, but then I often ask my guests, well, if we think about it this way, is there, is there a way we can change the way the business operates, is defined, architected, built, deployed, managed, whatever, in a different way.
 

That reduces exposure, reduces risk, thereby reducing the need for some of the other downstream detection, monitoring, response, constant patching, fixing roles that get misused and abused. And I feel that over the last few years, those conversations have grown. It seemed that companies and people that I've spoken to find a level of maturity. 
 

Uh, or yeah, basically some, some level of maturity is taking place. What I'm hearing from you now though, is perhaps we might be not yet quite taking a step back, but certainly not pressing forward on that if we are not keeping CISOs on and, and embracing and encouraging business level conversations by putting others that are more tech oriented into positions where they now need to know the business. 
 

And the exposure, the grander exposure that, that it has. So I don't know, any, any thoughts on, on the maturity level of programs, given what you just said? Are we, are we, is it still possible to mature that way with some of the things you're seeing?  
 

[00:22:17] Sue Bergamo: It is. And, and please don't take the message that I'm sending today as doom and gloom. 
 

I live in a world of sunshine and rainbows. I have taken companies from nothing to something because I love transformation. I love the challenge. It's why I'm in this role. But right now I think we've hit a pause and I'm still trying to figure out why. And the only thing I can put my finger on is that it's the economy, right?
 

And, uh, you know, there's just a lot of people out there, um, that are unemployed that are trying to do the right things and, um, and this role people are looking at, and they're kind of shaking their head and they're saying, do we need it? Why do we need it? You know, and, and I've been saying this for quite a few months now. 
 

Um, and hopefully this will resonate with some of your audience members. If we're doing our jobs correctly, then nobody really should be hearing from the CISO, like things are calm, cool, and collected, right? If we're doing our jobs correctly, it's almost like we're doing ourselves a disservice and we should be running around with our hair on fire, which give me a moment to explain this. 
 

Personally, my measurement, my internal measurement is if my team and myself are running around and our hair is on fire, then we're all doing something wrong. But if it's calm and cool, then we're doing something right, but no one really notices us because, well, what are they doing back there? Right? It's all quiet.
 

This security thing's working out just fine. Look it, we're not getting breached. But what we don't do and shouldn't do is put the real metrics in front of the C level. First, their heads would explode. Second, it would lead to a whole bunch of questions that we just don't want to, you know, have them go down that rabbit hole. 
 

But most organizations are being attacked millions of times a month. The bigger ones probably millions of times a day. And it's the one that gets through that gets all the attention, which it should. The ones that aren't getting through, it's just calm, cool, and collected. So the CISO needs to be, you know, the relationship builder, the partner, the communicator, the educator, you know, like I could bring all these adjectives into what we should be doing.
 

Um, but we really need to be there as a calm. This is just my opinion, calm, silent advisor, trusted advisor that anyone can come to at any time and say, I think there's something wrong. I've noticed I've done right. You want to have that kind of relationship with individuals. So they're confident to call you as well as with the C level. 
 

I can't tell you how many times a CEO has called me to say, I need to talk to you about something, because we need to be the steel trap. But then we go into the organization and we work everywhere across the enterprise. And we say things like, you know, we're trying to put together a program and we do assessments based on a compliance framework.
 

Even if you're not certifying in a specific framework like a SOC 2. SOC 2 is not a certification, but if you're not going for SOC 2 report or doing ISO 27001, the CISO should still be implementing that level of control because when we implement controls, and by the way, controls is not a dirty word. Nor is process. 
 

We create some kind of structure in a non bureaucratic way that gives us a positive outcome, right? And that positiveness in that outcome leads to a better security posture and more maturity. So let me use change control as a for instance: if you have no clue who's putting items, you know, release packages into your CI/CD pipeline.
 

You have no idea if there's any collisions. You have no idea of the timing. You have no idea if there's integration work that needs to continue from one team to the other. You have no idea who tested the code for any defect or vulnerability that may be impacting a customer. And all of a sudden the thing goes out into release. 
 

It's the middle of the night. Platform goes down and there's no support personnel. Who looks bad? Is it the CISO that should be getting blamed for that? Or is it somebody else in the organization? So when you have consistency in change and release management, everybody's lined up, everybody knows a release is coming, everybody knows who should be supporting it, you should know what's going into production because it should have been tested in dev and test and figured out, you know, from a configuration standpoint in pre prod. 
 

And it's consistent and it goes out and everybody's happy, right? Along with release notes. Don't forget release notes. So that consistency, that routineness leads to a limited amount of defects and vulnerabilities if done correctly. Otherwise it's a crapshoot. You don't know what you're getting. And it goes from being calm, cool, and collected to your hair's on fire.
 

[00:27:40] Sean Martin: So are there, are there anything that teams can do, assuming budgets are frozen or, or reducing and, and let's just say the team stays intact, the CEO is not gone, our CISO is not gone. Um, are there things they can do to remain calm, cool, collected, kind of like baseline actions or documentation or meetings or ways to communicate that keep things, keep a, what I'm trying to get to is kind of like a sense of culture for a good security posture, even if things get shaken up.
 

[00:28:25] Sue Bergamo: Yeah, I think first that every engineer should know the OWASP top 10 vulnerabilities, hands down, right? Just even if your company doesn't have a program, just learn them. Because honestly, every pen test that I've ever done, it's always, Oh, it's never the network. IT out a long time ago, but it's always the OWASP top 10.
 

So every engineer in a CTO's organization, just learn OWASP top 10, take, take all those defects and vulnerabilities off the table. And then let's look at things like, you know, um, champions, security champions, right? If you don't have the staff or the budget, there's always ways that you can be creative. Have, I don't want to say a steering committee, but have a group of individuals that meet, that want to be there, that can help you champion sending messages down and through the organization, right?
 

And have a security mindset. And that's not just a buzzword. It's, it's true. If people start recognizing how to identify, uh, threats, um, you can actually, you know, solve some of those problems before they start, you know, if you can't afford, um, you know, a vendor to do phishing simulations or a fancy software package. 
 

Just send out information, right? If it's through Slack, email, um, get again, get people in a group, go visit with teams. You can show people, it's as simple as a PowerPoint slide, right? Just, just go and get, um, you know, examples of, uh, of email phishing campaigns and show them to people. Right? It's that easy, you know, and, um, you know, and constantly send out messages around, um, what to look for. 
 

So every week, every day, you know, brings about another threat. Let people know what the threat is and make sure that they have that information before it lands in their inbox. And they're told to click, you know, you know, urgently on the, on the following link, you know, upend it before it happens.  
 

[00:30:31] Sean Martin: Yeah, that's also might be a good way to partner.
 

You call them champions, but part, perhaps partner with HR and Marketing, right? Maybe, maybe somebody there has an interest, and those teams have an interest in security and might be able to help.
 

[00:30:49] Sue Bergamo: And they usually have a learning management system. So, you know, honestly, if you have no budget, it's, it's as quirky as get a couple of your, you know, team members, um, in front of a camera and put together, you know, a quick video segment on some security topic. 
 

It doesn't need to be more than five or 10 minutes long and post them on the LMS, right, for people to take, or even push them out to your employees. Like one of the things that I always do when I do, um, annual training, which should be done more than annually, um, I make sure it's a hundred percent, including the CEO, right?
 

Everybody gets to take annual training. It's something simple and easy to do that people will sometimes go, "Oh, wow, I didn't realize that that was a problem." Change your password every 90 days, right? Go to a digital footprint, you know, use MFA. I know MFA is getting a lot of fanfare these days, but it's one more layer that you can install. A VPN, another one, right. 
 

That everybody is sort of on fire about, but you know, if you're working from home, you should be on a VPN. Especially if you're in the financial services arena, you know, don't shortcut those things.  
 

[00:32:08] Sean Martin: And as we come to the end, I don't think we're going to get to some of the, we touched on responsibility a little bit. 
 

I don't think we're going to get to the liabilities part. So maybe we can have another chat on that in the future, but I want to use this last moment, maybe, to highlight some areas where you think security teams kind of need to brace themselves, because you talk about changes in the business environment, right? 
 

The economy is changing. Business is changing. If we're letting certain team members go, we're also likely making changes in how we build products, how we interact with our customers, how we manage operations, and pick your favorite part of the business. Everything's kind of impacted at some point, right? 
 

The first thing that comes to mind is shortcuts, using that word you just mentioned a minute ago. What are some shortcuts that might be happening? What are some other areas where decisions being made on how things are done could impact security? And are there ways to kind of head that off at the pass? 
 

At least be aware so you can look for the signs that something is coming.  
 

[00:33:31] Sue Bergamo: Yeah, I think that's a great question. So as people are getting let go, that means that the people that remain are taking on more work, which means they are going to look for shortcuts, which means, you know, they may not be looking at access and identity management the way that they should be. 
 

They may be forgetting to terminate employees at the end of the business day. You know, I've heard stories of employees being let go, and then the CISO is not involved, right? I've also heard things where people are getting let go, but they have all day to remain on their operating environment, right? 
 

Nobody's the wiser because nobody's been told. There's a lot of this going on out in the industry. That's a gap, right? So they could be taking, I'm not saying everybody does it, but some people could be taking data, right? Like we all know salespeople have a different contact list than the one that's in Salesforce. 
 

So again, my opinion, every cybersecurity opening on the job, I think the last count in April was like 3.5 million. That's 3.5 million exposures across the landscape of corporate America that's ripe for takeover. So I just think that whoever remains in security has to be more diligent about 
 

identifying where the threats exist and helping those business people that remain try to plug them up as best as possible. And the use of technology will help in that regard.  
 

[00:35:12] Sean Martin: Excellent point. So it all comes back to IAM again, making sure access is robust. Well, Sue, I feel we barely scratched the surface here, but a lot of interesting and fun things to talk about and consider. 
 

An absolute pleasure chatting with you. So I'm glad you joined me on the show, and I'm always interested in chatting with you more. I know you're doing a podcast as well, so hopefully folks can listen to some of the things you're working on, and we'll include links to your profiles as well. 
 

So folks can connect to you there. And if you have any resources that you think are relevant to this conversation, we can share those as well. So I'll put those in the show notes for everybody.  
 

[00:36:02] Sue Bergamo: Thank you. Thank you for having me. And I'm happy to come back at any time and talk about various topics. 
 

[00:36:08] Sean Martin: Perfect. Perfect. And thanks, everybody, for listening to this episode. Hopefully you enjoyed the conversation as much as I did. It certainly made me think, and hopefully it did the same for you. And of course, stay tuned, subscribe, share with your friends and enemies alike, and we'll see you on the next one. 
 

Thanks again, Sue. Thank you.