David Spark on Making Security Change Management Personal


Global podcast host David Spark shares how to make security change management personal across the organisation. Chatting with Peter Hind, they explore how a CISO can fully realise their toolsets, how to keep on top of security issues, and why he started his podcast.

Peter Hind:

David, you have a business as a content and social media influencer. One of the Kardashians who’s not even out of her teens is a billionaire in this thing. And yet you give it all up, or don’t give it up, but you set up a whole new business about CISO podcasts. What drew you? What was the catalyst to do that?

David Spark:

So the catalyst to start the CISO series, as I normally say, “CISO series.” But now that I’m in Sydney, I’m trying to adapt as the Australians do. Through my content marketing business I had a lot of security clients, and I would ask the inevitable question that a marketer would ask, “Who do you want to reach?” Every single one of them across the board says, “Oh, we want to reach CISOs.” To which I thought, well if all of my clients are saying they want to reach CISOs, I have to assume every security vendor is trying to reach CISOs as well. And through my research, I discovered that’s pretty much the case. And I also got to assume that these CISOs are overwhelmed.

We have this mutual dependency on each other, that the CISOs need security tools to secure their environments. And the security vendors need CISOs, as they are the ones that sort of control the purses.

That they’re the ones essentially authorising the purchase of security products. But the imbalance happened when, literally, you’ve got 3,000-plus security vendors trying to hammer a single CISO; it becomes overwhelming. And that’s why it became so intense, that I realised there needed to be some kind of mediation, some discussion that’s going on. And that’s kind of what I see here at the CISO Edge conferences; we’re just doing it in podcast form. Same kind of idea.

Peter Hind:

But a topic like CISO covers, and I’m going to say, “CISO.” So you take me up on that. It covers such a breadth of topics, it’s so diverse, we’re getting different angles. How do you keep abreast of all the potential material that needs to be covered in something like that?

David Spark:

Well, I do a lot of podcasts, I’d say. The joke I always say is that, “I have zero first degree knowledge in security.

Everything I know comes from interviewing extremely smart people in security.”

And fortunately, I’ve had a lot of them on my show. Actually, I just found out from a listener the other day that he’s making one of my podcasts, Defence in Depth, required listening for his students. Which is awesome! And also, I’ve heard that some security vendors, Tanium was one of them in particular, have made the CISO Vendor Relationship podcast required listening for their sales staff, for that matter.

The issue is, fortunately for me, that this is such a rich topic that I can keep doing shows. So my answer is, it’s not something that scares me, it’s something that excites me, because I never have a hard time coming up with topics for each episode. Because there’s just so much out there. And the other thing I have to say is, our audience is so loyal to me that I would say about half of the stuff that I get for every show, at least, comes from listeners’ suggestions.

Peter Hind:

It’s just a reflection I suspect of how much the digital world embraces business in everyone’s life and the issues that arise from that sort of stuff. I was thinking here though that when you talk about this podcast, one of the things you mention is this disconnect between the vendors and the CISO community. And my experience is, one of the biggest challenges for CISOs is around change management. How you get people to embrace and utilise the toolsets that you’ve got. What sort of feelings do you have on how that issue can be addressed?

David Spark:

Well, change management is not something that’s isolated to just the digital world. Just think about it. It is hard for people to change behaviours, period. There is an entire weight-loss industry out there that is trying to get people to change the behaviour of how they consume food and exercise to lose weight. And that is a change management process in a way. So, security is the same thing. Not only is security about buying tools and applying them to your environment, to secure your environment, but it’s also about getting people to change their behaviour of how they approach security and how they are secure about themselves and other things.

The number one piece of advice that we hear on the show is, “How does this advice about being more secure apply to you personally?”

So if you start talking about personal issues, how they become personally more secure, with their banking, with their private information, with their social media, then they start to learn how that applies to the business. And probably one of the best tips that we’ve ever heard on the show, that my co-host back in the States, Mike Johnson, and many others advise, is: purchase a password manager for your entire staff for personal use. And that is probably the most aggressive move one can make to help them to understand their own personal security, which will evolve to business security. But that’s the big thing.

If you don’t make it personal to them first, they’re going to have a hard time understanding the value to the business.