Show 141: Bruce Potter discusses ShmooCon, DevOps, and the CISO role

Bruce Potter is CISO at Expel, where he is responsible for cyber risk and ensuring the secure operation of Expel’s services. Previously, Bruce co-founded Ponte Technologies (sold to KeyW Corporation). He then served as CTO at KeyW for 2 years. Before that, Bruce was a security consultant at Cigital. In a seemingly previous life, Bruce founded the Shmoo Group. To this day, he helps run the annual hacker conference ShmooCon. He has co-authored several books, including “802.11 Security,” “Aggressive Network Self-Defense,” and “Host Integrity Monitoring.” Bruce regularly speaks at DEF CON, Black Hat, and O’Reilly Security conferences. He lives in Maryland with his family.

Listen as Gary and Bruce discuss ShmooCon, the state of software security books, network security trends, hacking back, the relationship between preventative security engineering and operational security, DevOps, the CISO role, and more.

Transcript

Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is co-sponsored by Synopsys and IEEE Security and Privacy Magazine. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 141st in a series of interviews with security gurus, and I’m super pleased to have with me today Bruce Potter. Hi, Bruce.

Bruce Potter: Howdy.

Gary: Bruce Potter is CISO at Expel, where he’s responsible for cyber risk and ensuring the secure operation of Expel’s services. Previously, Bruce co-founded Ponte Technologies, which was sold to KeyW Corporation. Bruce served as CTO at KeyW for 2 years. Well before that, Bruce was a security consultant at Cigital at least twice. In another life, Bruce founded the Shmoo Group and to this day helps run the yearly hacker conference ShmooCon. Bruce has co-authored several books, including “802.11 Security,” “Aggressive Network Self-Defense,” and “Host Integrity Monitoring.” He regularly speaks at DEF CON, Black Hat, and O’Reilly Security. He lives in Maryland with his wife, Heidi, and their three boys.

So when you and Heidi founded ShmooCon, did you think it would become what it’s become?

Bruce: Well, no. It’s certainly grown over the years, and actually it was one of the other Shmoo members who founded it. We had a…we were sitting around at a conference out in Las Vegas—I don’t know if it was Black Hat or DEF CON—and thinking through the talks that we were seeing and the types of things that the audience was ingesting. And there was a lot of stuff coming from the stage that the audience was taking in that was just not really…well, let’s say “true.” And nobody was really…

Gary: I can’t imagine.

Bruce: Yeah, surprisingly so. And nobody was really willing to call people out on it. So, we were kind of sitting there in the audience, and Beetle [Don Bailey]—the guy I was with—was like, “Man, this is terrible. We should do something about it.” I’m like, “Yeah.” He’s like, “We should run a con. We wouldn’t let people get away with this.” I’m like, “Yeah.” Fist bump. And we kind of thought that was like a casual conversation. And then a couple months later, he writes to the group and says, “So I took out a second mortgage on my house. We’re going to have a conference. Please tell all your friends so that I can pay my note off and my wife doesn’t kill me.” And so we ran it the first year, and we sold out 300 tickets. We were like, “Wow. That was amazing.”

Gary: Yeah.

Bruce: And then we kind of kept growing and growing, and 600, 900, 1,200. And we got to 2,000, and we said, “Ooh, that’s it. That’s as much as we can bear to do as a casual kind of event.” And we’ve been at that mark for 8 or 9 years now.

Gary: Yeah. And there used to be the Shmoo ball that you could throw if you thought bullshit was happening. I guess that was inspired by the founding story.

Bruce: Yeah, absolutely. I think the Shmoo ball was meant as a physical manifestation of kind of calling bullshit on the speaker because it’s…there’s a couple things that can happen when a speaker is saying something controversial or may not be 100% accurate. You can get the person who stands up in the audience and says, “I think you’re wrong.” And then the whole talk gets derailed because you’re probably going to hear that person’s life story before they actually get to the point of the thing that they’re trying to say.

But a lot of people don’t want that attention. They don’t want to stand up and do it. But what we discovered is if you give them a little foam rubber ball and let them throw it at the speaker if they disagree, you’ll see one ball come up and then a whole bunch, because a whole bunch of people are thinking the same thing, “That’s terrible. That’s not true.” So we still give the Shmoo balls out today. People don’t throw them as often, but I like to think that’s because our speakers are thinking a little bit more seriously about what they’re saying before they say it.

Gary: I got to admit I was a little bit worried about that last year, but everything went OK. So…

Bruce: Yeah. I think you were well-aware of the environment, so you did just fine.

Gary: So ShmooCon 14 is this year. Wow! And you sold the tickets in 9.5 seconds, or something like that?

Bruce: Yeah. We were under 10 seconds this year.

Gary: Unbelievable.

Bruce: Yeah, it’s crazy. Thankfully, though, it went off kind of without a hitch. We’ve had some years in the past where it goes a little bit off the rails, but in the last 5 or 6 years, we’ve had it pretty much under control.

Gary: How does the system work, and why do you do it that way? I mean, most people know, but not everybody. All my listeners won’t know.

Bruce: Yeah. Originally, the tickets, the way that we sold them was we wanted people to pay what they thought the con was going to be worth, and we had a couple different rounds of sales just to make it easier on people. So we had this idea that, if you think the con was worth $100 or $150 or $200, you could pick a ticket at that price and pay it. And it was meant to allow people that had the ability to pay more, like if they had a corporate expense account, they could pay more money and they could get in and help us out a little bit. And if you have a student, you could pay less, and it would all kind of work out in the end.

We got more popular and we started to sell out, instead of days, it came to minutes, and then it came to seconds, it would ultimately just turn into “buy whatever you can.” It was kind of like whatever ticket was available at the time, you just said “we’re going to jump on and buy.” Eventually we changed the process, and we said, “Look, it’s just one flat price. It’s $150.” And from there it turned it into, you know, we keep the three rounds just because it provides people multiple opportunities, or if you’re busy one day, you can try to get a ticket. We still have three rounds, but now it’s just one price. And late-breaking news: Heidi just handed me a piece of paper that said it was actually 10.26 seconds. I just wanted to make sure. She’s correcting me; it wasn’t 9.5.

Gary: That’s what it said on the ShmooCon website yesterday.

Bruce: Updated metrics.

Gary: The internet is so ephemeral, it’s just amazing.

I was super honored to give last year’s keynote, so thanks for asking me to do that. It focused on seven things I learned during my 21 years in security, leveraging Frank Zappa and T.C. Boyle, two of my heroes. So the question is, What is one thing you’ve learned in your long security career that would fit into that talk?

Bruce: Interesting. You know, it’s tough. I think the thing that I’ve learned is that I continue to realize how much I don’t know, and being aware of that is super important. And honestly, a lot of that started at my time working with you and the team at Cigital years ago. I came out of Alaska working at an ISP and a startup up there, thinking I was some hot-shit kid and knew a lot about what I was doing. And I came down and worked with people who really knew what they were doing.

And I remember being frustrated at first because I got the crap kicked out of me on some of the first things I did. They were like, “Oh, this isn’t good. You need to work this.” And I thought, “I know what I’m doing. What are you talking about? You’re full of shit.” And eventually I realized I was the one who didn’t know what he was doing. It was humbling. And I’ve tried to carry that lesson forward since then, to be very heads-up about being aware of what I don’t know, and trying to cover that either with help from other people, or my own learning, or at least some kind of compensating control around the fact that by and large, there’s a huge universe of things I just do not know what’s going on.

Gary: You know what’s funny, Bruce? I think that the more you become an actual expert, the more you just naturally know that you don’t know anything.

Bruce: Yeah. No, absolutely. I think it becomes just part of how you operate, but you have to go through that. You have to have that epiphany of like, “Wow. I’m not the smartest person in the world.” It’s the same kind of thing I think that happens at some point when you leave your teens and you’re like, “Wow! I’m not immortal, and I can be hurt physically.” I think it’s the same kind of realization.

Gary: Yep. So you’ve written a bunch of security books. Why’d you do that? And would you do it again? And what do you think about the book situation in security these days?

Bruce: I’ve struggled with that a lot over the years. I think when I first started writing, I wanted to do it to be able to say that I did. I wanted to be able to say like, “Hey, I want to write a book,” and that kind of thing. And I’ve been pretty honest about the first book that I did. I did “802.11 Security” and ultimately brought Bob Fleck in to help out with that. But when I pitched that book to O’Reilly, I went to their website, downloaded the “So You Want to Write a Book” form, filled it out, and sent it in without really knowing much about Wi-Fi security. Like I was kind of at hobbyist level of interest associated with it, but not certainly what I thought was appropriate to write a book. And 2 weeks later, they’re like, “Here’s a contract. Congratulations, you’re going to be an author.” I was like, “Oh, my god. I need to go learn some stuff,” and went out and bought a bunch of Wi-Fi cards. And ultimately, I think, what came together, I think, worked out pretty well.

But it was somewhat striking to me that I could get a contract to write a book without being a bona fide expert, and I realized that there’s a good chunk in the publishing industry that’s just…I mean, it’s an ongoing commercial and capitalist thing, right? They need to publish books that people want to buy, and if people want to write books that can be popular, that’s how it’s going to work out.

Gary: Just like the news. You know, the news is the news, but it’s also trying to sell advertising. In this country, at least.

Bruce: Yeah, I know, absolutely. I mean, these companies have got to be able to make money in order to continue. So it caused me to have a much more critical eye about what I’m reading, even in books. I think up until that point, I had the perception that if I went to a bookstore—you know, back when bookstores were a thing that you went to—that you could actually have some faith that the person’s name that was on there was credible and there was a reason they were writing it. It caused me to be much more critical about who they are, what their background is, and the facts even stated in the book—are they even true? And I would have to go research it.

And I think security went through a bit of an arc where, because of the growth industry we’ve had—you know, the mid-2000s—kind of a lot of books on the shelf that weren’t necessarily the most technically correct or useful books to have published. But as, honestly, technology’s changed, people are consuming more of their material off the internet. I think we’ve seen this a little bit of a downhill slope on publishing in this space, which has caused, in a lot of ways, the quality to come up, because the crap won’t sell anymore, right? If people want to buy the good stuff, then they’re actually going to go spend the time and energy to buy an actual honest-to-god dead-tree book.

Gary: Yeah. And the ephemeral nature of the internet that we just alluded to a minute ago also lends some credence to this idea of having a dead tree on your shelf. So when you write a good book, it’ll last for much longer, and it’ll become a reference, and people go back to it, and it sells over a decade, which is really pretty cool. And I agree with you that that’s a good change of the number of books being published in security going down. But there are bad things too. It’s tricky.

You know, looking back on my career, I wrote a whole bunch of books too, but I haven’t written one since 2008, and I think your last one was around 2005-ish. So the real question is whether somebody who’s starting out in the field now—and they really are gaining expertise fast, say—whether they should even consider writing a book or not. And I’m not sure what the answer is. I’m interested in your opinion about that.

Bruce: Yeah. There’s a lot of different ways for people to go about kind of establishing themselves and pushing their knowledge out to other people. I think there’s a guy, Tony [Robinson]—I can’t remember his last name, @da_667 on Twitter—self-published a book on building a home virtual environment for malware analysis and that kind of thing. He self-published it, so it’s JIT [just-in-time] publishing. And he clearly knew what he was doing. It was a great book. It’s helped thousands of people out. But it wasn’t big enough for a normal publisher to transact on, probably sold a couple thousand copies. And that was, I think, a really interesting task for him, and it’s been, you know, watching that online and how it’s helped people, because it’s a complex subject, right? I mean, it’s a big…The one takeaway, one of the reviews, is it’s a physically large book. Like when it shows up, it dents the table. But it requires that kind of treatment.

So I think if you’re in a domain that has that level of need where there’s such detail now, it’s like that kind of thing makes sense. When I see works around, like, Docker and Puppet and all these kind of tools that are out there around software development and orchestration and deployment, that’s a super fast-moving target and doesn’t lend itself well to killing trees and publishing books and is much more suited around, “Here’s a website that covers all this material because it’s going to change tomorrow, and the next day, and the day after that.”

So a lot of it depends on the domain. A lot of it depends on how long the information is going to be good for. You’re talking about, you know, you’ve got books that people have been referencing and buying for 10 years. That’s amazing in this space. I do a lot of fly-fishing, and I read a lot about flies and fly construction and the actual, the insects themselves, and their reference material is, like, from the 1600s.

Gary: Exactly. It’s a slightly different thing. But in some sense, academia does that too, even for security. Not for computer security, because computers were only really invented in the ’40s, but there is a literature that goes back. So it sort of speaks to that tension that we talked about at ShmooCon last year between “researcher” and “researcher.”

Bruce: Right, yeah.

Gary: We’ll be right back after this message.

If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.

Let’s move on to a slightly different topic. I know that Yanek—who was Show 123 of Silver Bullet—and Dave Merkel had a new thing, so I knew they were working on something, but I had no idea that you were the CISO until I was like, “Oh, that’s the same company.” So that’s really cool, and it’s a very small planet. And I’m interested in what Expel actually does and why you guys decided to found a security startup now.

Bruce: Expel’s a very interesting place to be right now. From my perspective…Rewind to last year. So last year I was the senior tech advisor for the presidential commission on cyber security. I spent a year running around the country, working with the commissioners, helping them understand what was going on in the industry, interviewing public and private sector people, talking about what’s working and what’s not working with respect to cyber risk management and IoT and control systems and all that kind of stuff.

And what struck me about what I was hearing, when I was out doing those interviews and at all the commission meetings, is there was a very kind of bright edge between companies that kind of understood risk management and had cyber risk management as kind of part of what they did. It doesn’t mean that they were doing it well, but they were kind of mature enough that they could think about risk in large brushstrokes, think about cyber risk, talk about the controls they’re trying to put in place. And a lot of it was still kind of stumbling around in the dark, but for the most part, they were somewhat sophisticated about it. And then very quickly, you’ve got the companies that were basically like, “Hey, could you give me a purchase order that just says, ‘Quantity: 1, Item: Security, Costs: $20,000,’ and I’ll sign it? I just need a SKU, and I’ll be good.”

Gary: “Me and my lawyers thank you.”

Bruce: Yeah. And they went out and they bought the antivirus, they bought firewalls, and they just didn’t know what to do next, right? They were really struggling on “What do I do with all the security technology that I have?” And so I realized at the time, man, small and midsized businesses really need help. They need a law enforcement backstop, they need better technology, they need better operations, and I couldn’t really wrap my head around what that looked like. At the time I was at KeyW, and I was actually going to take a break. It was earlier this year in February. I resigned, and I was going to take some time, spend with the family.

Gary: Yeah, the number of ties—flies that showed up on your Twitter feed was pretty high around March.

Bruce: It was. Right around the time I was quitting, it was pretty clear I was checked out, because all I was doing was talking flies. I actually got a call from Yanek, and he said, “Hey, we started this company, we’re looking for a CISO, but we’re kind of looking for maybe part-time through the summer, and maybe even the fall. But it’s really hard as a startup to find somebody who knows what they’re doing and is willing to take the risk with a startup and be part-time. Do you know anyone?” I said, “Well, I don’t know. Tell me what you’re doing, and I’ll see if I can help make a match.” And Expel told me what they were doing, and I was like, “Oh…”

Gary: That’s cool, yeah.

Bruce: “This is the thing that I think can make a huge difference for organizations that are looking for the next thing that they need to do to kind of walk down this path.” And I’m like, “Hey, I’m interested.” And Yanek’s like, “Oh, OK. Well, that was the job interview.” And so…

Gary: “You’re hired.”

Bruce: We went from there. So what they’re doing is really transparent security operations. The idea is that you take your existing security technology: the firewalls that you already have, the antivirus, the endpoint, whatever you have. You send us the alerts, and then our analysts dig through all the alerts, try to identify bad things that are happening, and then work with you to remediate it. But the kicker is unlike an MSSP—where they kind of hand over a bunch of data out of a black box and say, “Here’s the stuff you should look at”—we hand you actual ongoing incidents and say, “Hey, this is a thing that you need to worry about. It’s not something you might have to worry about. This is actually a thing.”

But also, secondarily, the interface that we use, the portal, all of our tech is totally open to our customers, so our customers can work right alongside with us. They can work with our analysts, dig through the same data. They can task their own infrastructure to go cross acute systems to get process lists and files and all that, right? The same way that all our analysts work. It’s very open and transparent as opposed to kind of black-boxy that this part of the industry has been kind of plagued with over the years.

Gary: Yeah. I remember talking to Yanek about the idea of, let’s just call it next-gen MSSP way back, even beyond a year ago, when he was just thinking about it with Dave. And it’s very cool that you’re associated with that.

I want to ask you, what’s the most important recent development in network security? I know you have huge deep network chops, and I’m interested to know what’s going on in that world.

Bruce: The push toward kind of a cloud-first organization is changing a lot of what we’ve conventionally thought about network security. There was this idea of, like, deperimeterization and everything would just all be connected and every endpoint would be on its own kind of thing. But what’s striking to me is that we haven’t realized that goal, and I don’t think we’re going to. People still have a warm fuzzy about “I have a perimeter.” Even if it’s squishier, and even if it’s got some bulbous parts that stick out farther than they would like, they still are wrapping their arms around it. It’s not from a hard wireline sense, at least from a logical sense, or like, “Mm,” get their arms around it and say, “This is mine.”

And I think some of the changes that we thought would happen with respect to network security as deperimeterization was stumbling forward haven’t occurred, and we still have all these somewhat legacy network security controls in place, and we’re getting more value out of them, right? I mean, if you look at, like, Palo Alto’s offering and what they can do at the network level, URL filtering and all the firewalling stuff that they can do, it’s like, “Man, that’s actually pretty comprehensive.” And I get a warm fuzzy from having that in front of a network. You know, it’s the same thing as people talking about, “You don’t need NAT in v6, because there’s a billion addresses.” I’m like, “I like NAT. I like the fact that it hides things.”

Gary: Exactly.

Bruce: “It’s OK to hide stuff.”

Gary: Yeah. Try teaching a local ISP how to double NAT, though. That confuses it.

Bruce: Yeah. Good luck. And so I think my feeling is the more…People projected or expected a lot of change in the space. It just, it hasn’t materialized, because common sense kind of won the day. People still want to know, “This is my enterprise, and this thing over here is not my enterprise.” They want to be able to label that. And I think network security has not evolved nearly as much as we thought it was going to.

Gary: Slightly related but not too related, what are your thoughts about hacking back? I know that you like being very active and monitoring very actively, but what about hacking back? Good or bad?

Bruce: I think it’s a terrifying idea, just on the face of the economics and motivation of the thing. If I’m a car company and I build cars, I have security as kind of a property of my system, right? I have to pay people to keep it secure or whatever, but it’s all in support of building cars. If I’m running a criminal enterprise that’s breaking into companies to steal stuff, that’s my primary mission. And when a car company, as an example, gets attacked and decides they want to hack back, they’re directly hacking back against the main mission and purpose of this criminal organization. This criminal organization has nothing better to do than be like, “You want to pick a street fight? Let’s have a street fight.”

Gary: It’s kind of like using a BB gun to shoot at a tank.

Bruce: Yeah. It’s a terrible idea. And what gets me about it is it’s a very visceral response to how helpless companies feel right now, where they don’t know what to do. They don’t have a law enforcement backstop of any material amount unless it’s a huge breach. If it’s a huge breach, then FBI and everybody get involved, but if it’s a small-time, just a kind of everyday background noise, ticky-tacky stuff that you’re battling, law enforcement just…There’s nothing they can do. They don’t care. And so companies are left standing there on their own, being like, “Well, I don’t know what to do. I guess we’ll go after the bad guys ourselves.” And it’s a losing proposition, in my mind.

Gary: Yeah. Another question: What is the relationship between preventative security engineering—including software security, which you know I just totally dig—and operational security?

Bruce: The relationship in this day and age is getting closer and closer, with more and more organizations trending toward something that smells like DevOps. I think that you’re seeing the operational security components being integrated more and more into the developmental and software engineering components. And that’s a good thing, right? Because, I mean, true DevOps environments are highly instrumented. They’re learning from them all the time. They’re able to rapidly deploy right on top of itself over and over and over—which, I mean, from an operational perspective, is great. Box has been owned? OK, press the big red button. New box is there. Box is not owned anymore, and it’s patched. Like, that’s your recovery process. It’s fantastic.

I will say that the one thing I’ve seen is that there’s that potential benefit from doing it that way, but the reality of how organizations implement that is often very different because they don’t have the security expertise and the development processes. And that’s where you kind of have to have it in order to have the operational gains. What ends up happening is the developers take over the infrastructure in those kinds of environments. And you lose the system administrators, you lose the network security engineers, so you lose all the gates that were associated with it. I mean…

Gary: You also, by the way, lose architecture kung fu on the software side. I’m with you. DevOps can be really good, but it has some gigantic pits on both sides you got to be super careful about.

Bruce: Super careful. And for every one organization that’s doing this well right now, there’s 99 that are doing it terrifyingly bad. And that’s what I struggle with, because there’s just so much potential there. And I’ve had this argument with people. There’s a lot of potential, but if you’re not heads-up about it, you’re going to cause problems. I mean, you think about back in the day, when we did waterfall and slower kind of development, if the engineers had something that was terrible and they threw it over the wall to QA, QA would be like, “No,” and they would throw it back over the wall. And if it came out of QA and it was terrible, and it lands in the system admin’s lap, they’d be like, “I can’t do this,” and they would throw it back over. So there are all these kind of natural gates that happen just because a person will look at it and be like, “Well, this is dumb,” and throw it back over. But now that infrastructure is code, those gates have disappeared, and if your CircleCI server doesn’t say like, “This is dumb,” it’s like, “Hey, go to production…”

Gary: Woo-hoo. Ship it, again, and again, and again, and again. So let’s talk about CISOs, not “CIZOs.”

Bruce: Oh, my god. You’re killing me.

Gary: So I completed a bunch of BSIMM-like work in the CISO field, which is going to be released January 17. It’s kind of like, well, we gathered real data from 25 CISOs, and we got some incredibly strong results. But the one thing that I noticed is that nobody is really sure what a CISO should do, or how. And so in your view, what do you think a CISO should do, even if it’s called a “CIZO”?

Bruce: Yeah. Well, first of all, the primary thing they need to do is make sure it’s pronounced correct. So it’s “CIZO.”

Gary: You’re the only guy who thinks that.

Bruce: I am the only guy. I was at a CISO dinner up in New York with another 20 of us, and I was the only person at the table who pronounced it “CIZO,” but I was adamant. Every time I said it, “CIZO, CIZO, CIZO.” In my mind, it’s all about managing cyber risk. It comes down to cyber risk management and being able to bring it to an acceptable level for the organization to continue to run its business. And it’s a fairly broad brush with which to paint, and it covers a lot of ground, but I found that to be a very useful backstop. I think the role is evolving over time, and I think it’s been interesting to see, when I was a consultant on the other side, where organizations try to home their CISO. You would just be homed under the CIO, which, in my mind, is a conflict of interest.

Gary: Yep.

Bruce: It’d be homed under general counsel, be homed under the CFO, be homed directly under the CEO. And all of those options are better than CIO. And now we’re starting to see companies flip it where they say, “Hey, CIO is actually a subordinate to the CISO.”

Gary: Yeah. And there’s a new role too, CRO, which has popped up recently. So that’s related to that idea “Let’s put all the tech stuff up under risk.”

Bruce: Yeah. And I think it makes a lot of sense because it helps the decision-making process. It’s not a visceral or a tech thing anymore. It’s about supporting the business. And that’s the most important thing. I’ve certainly worked in organizations where the security function was very much…maybe not an island to itself, but they felt super self-important, like they were…

Gary: Well, and it also can be like the plumbing, which turns out to be super important if you want to flush your toilet, but the plumber’s the plumber, not treated as a senior executive, you know.

Bruce: Right, yeah. I think that that evolution is going to continue for a while, but we saw the same thing with CIOs. I mean, as the CIO concept came into being and then evolved, it went from being kind of a tech thing, to driving cost out of the business, to enabling the business to whatever. I think it’s an ever-evolving thing. I think the one true thing is it seems to be the scapegoat when things go sideways. Like, the first person who gets jettisoned into space is the CISO. I’m prepared. I might go back. I’m ready.

Gary: Yeah. If the organization is doing it wrong, I think that’s totally right. So we found four tribes of CISOs, which I’m not going to talk to you about. Everybody can read that in January. But the one that was the most important was not holding the bag. You identify risk, and then you allocate that risk to the people that should own it, to fix. But you’re not the person holding the risk bag, and that’s a gigantic shift, which is unfortunately rarer than it should be.

Bruce: No. I’m sure it is, but I think that’s the right way to think about it, because where that risk lives is scattered all over the organization, and it’s not going to be folded up on the CISO. And the CISO’s job, in my mind, is figure out where all the stuff is, figure out how to get it down to a level that you care, and then track it. And it doesn’t mean that you own it, but it means that you own the oversight of it, which is a very different thing than owning all the IT infrastructure and all that kind of crap.

Gary: Exactly, or being the guy before the guy.

Bruce: Yeah. And Forrester had a thing out the other day, a report on CISOs as well. And they come in all shapes and sizes with respect to their backgrounds that they come from. I mean, there’s so little common ground. And we’ve been using for a long time, both as a consultant and then at Expel, we use the NIST CSF [Cybersecurity Framework] as our backstop for measuring where we are and where we want to be with respect to cyber risk. And the release of the CSF, I think, was a huge step forward because it’s a public framework that people can use. And I’ve used it from county government levels to huge hedge funds and been able to apply basically the same process, the same thoughts and concepts around cyber risk to those different-size organizations with totally different missions, and it works.

Gary: Yep.

Bruce: And that’s the first time I’ve seen that we’ve had something that’s common ground in cyber risk that works in that kind of diverse group of organizations. That gives me a lot of hope that in the next 5, 6, 7 years, things are going to get a lot better.

Gary: Yep, totally agree with you on that. I was going to ask you another question, but we don’t have any time, so we’ll just jump to the very last question. You’ve been tying fishing flies for some time now, especially last March, which is fun to watch on the Twitters, but you’ve also been collecting Christmas hats for a longer time. Are there any plans to merge those two things into, like, a thing?

Bruce: So I tied a Santa fly the other day with some camel hair, which I thought was somewhat symbolic of the Christmas season. It was a red fly with some camel hair tufts on the ends and stuff. When I go on vacation, I’m actually hoping to tie an elf one, which will be a take on an Adams that has little wings, but it’ll have little elf ears instead, and a green body.

Gary: Excellent.

Bruce: So I’m trying to bring them together, and maybe I’ll get like…if I’m lucky, I can find a Santa fishing hat, but that seems to be maybe a bridge too far.

Gary: You should make one. Yeah, so please @ me on that, the elf tie, when you get that done.

Bruce: I will. I’ll pass it along.

Gary: Thanks for your time. This has been a blast.

Bruce: Yeah. Thanks, Gary. I appreciate it.

Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The November/December issue of IEEE S&P Magazine includes our interview with New York Times tech reporter Nicole Perlroth, one of 12 interviews carried out over a year focused on women in security. Show links, notes, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.
