In this insightful session from the ART of Security Summit, Mike Arrowsmith, Chief Trust Officer of NinjaOne, explores effective strategies for reducing risk. With a focus on endpoint security, Arrowsmith explains how NinjaOne collaborates with managed service providers to enhance trust and security across organizations.
During this video, hosted by theCUBE Research's Principal Analyst, Jackie McGuire, Arrowsmith shares their expertise in cybersecurity, addressing the importance of secure endpoints and the human factor in risk management. They highlight how NinjaOne offers a suite of tools to help organizations mitigate risk effectively. The session provides viewers with a deeper understanding of cybersecurity dynamics and offers insights into advanced risk reduction tactics.
Key takeaways from this discussion, as highlighted by Arrowsmith, include the significance of leveraging available resources within the cybersecurity ecosystem to enhance threat response capabilities. They emphasize the concept of treating cybersecurity like insurance, balancing appropriate measures without overextending. For security leaders, this session suggests both adopting mature cybersecurity standards and fostering a culture of continuous learning and community engagement.
Mike Arrowsmith, NinjaOne - Reducing Risk
>> Hello, world, this is Jackie McGuire, practice lead and principal analyst. Welcome back to The Art of Security Summit, where we explore ways to avoid, reduce, and transfer risk. My next guest I'm really excited about. I have Mike Arrowsmith. He is the chief trust officer at NinjaOne. He's going to talk to us about reducing risk. NinjaOne actually partners with both individual companies, as well as managed service and security service providers, so really excited. Welcome, Mike. Mike is remote today. He tells me that he's north of the Bay, he escaped the Bay Area during COVID. Behind him, we noticed lots of Oakland memorabilia. As a fellow former East Bayer who escaped the East Bay as well, super happy to have you, Mike.
Michael Arrowsmith
>> Thank you, Jackie. Appreciate you having me today.
Jackie McGuire
>> Yeah. I'm going to start with this because we were just having this conversation. You were saying, "Don't mind the Oakland memorabilia." I said, "That's fine, but who's your favorite Bay Area rapper?"
Michael Arrowsmith
>> Oh, we were just chatting about this. If I had to pick one, obviously the man, Too Short, was probably up at the very top of that.
Jackie McGuire
>> Yeah, yeah. I'm going to go E-40, just because I think My Ghetto Report Card was probably one of the first albums ... I didn't even realize. I moved to the Bay Area without knowing anything about California. I had never even been to California before. I had been listening to E-40 and then I moved to San Jose. I was like, "Wait a second. I think I'm in the Yay Area. This is totally the Yay Area!"
Michael Arrowsmith
>> Hey, representing Vallejo, he lives in Pleasanton now. Really great guy.
Jackie McGuire
>> Yeah, yeah. I guess we can argue with him about whether Pleasanton's technically the Bay.
Michael Arrowsmith
>> Exactly, exactly.
Jackie McGuire
>> All right, we should actually do some business. I was really excited to have you on because I think trust is a super important component of what we're talking about. We've been talking about different ways of managing risk and trying to use a more general and common language within the enterprise to talk about risk so that CISOs and security leaders achieve better outcomes when they're talking to their other executives, budget committees, boards of directors about their initiatives. I want to start today by talking about endpoints and reducing risk, because depending on which white paper, marketing paper you read, somewhere between 70 to 90 percent of attacks are still originating at an endpoint. How does NinjaOne, and I guess you as an individual, how do you think about securing endpoints? Then I guess, in the worst case scenario if someone does get in, how do you guys think about reducing the risk of that compromise?
Michael Arrowsmith
>> Great question. Something I think about probably on an hourly basis here at NinjaOne, actually given my career. The endpoint predominantly is the number one vector that we're going to see organizations compromised on. Really, because of the interaction those endpoints have with individuals. We don't ever like to think of people being the weak link in organizations, but the reality is people are that weak link. When we see and think about cybersecurity risk, we're really thinking about the perception around threats, and those threats being actualized on those endpoints because of the interaction with those individuals. It's very, very easy nowadays with gen AI and various phishing techniques to be able to get individuals to interact with some kind of messaging content that has a potential impact being that endpoint. It's why, as cybersecurity professionals, we're really fixated on trying to contain the specific threat or risk that an individual may have. Maybe we think about it from a level of permissions. Maybe we think about it to the level of access that individuals or just fundamentally what network devices can that specific endpoint connect to. All of that computes into this risk conversation that we think about and ultimately how we try to mitigate or reduce that perception around whatever threat may be posed by that endpoint. We think about this on an hourly, daily perspective. Really, from our perspective being a products company, we are providing these tools for our customers to be able to mitigate the same level within their customer base or their employee base.
Jackie McGuire
>> Yeah. It's an interesting point you bring up about employees. I know I look very young, but I'm old enough to remember a time before cellphones in the enterprise. Remember when they first showed up, it was only the very, very high end account executives had Blackberries. I remember when, if you had a phone, it was provided by your employer. It seems like virtually overnight, we shifted to remote work. Obviously, the pandemic accelerated this, but it had already started. The whole concept of bring your own device to me has always been really sketchy, because now you have all of these unsecured endpoints and all these people working remotely, so you really don't have the same kind of sanitized environment that you used to. Really for me, that means the attack surface is everything. Everything is connected to an employee's router at home, from their thermostat to their coffee maker, and things like that. That's somewhat overwhelming because the attack surface is everything. NinjaOne helps provide a whole bunch of tools that manage everything. One of the things that I find that security teams fall into the trap of is buying a Swiss Army knife, and then they don't know what to use first. They don't know what tool to use first, they don't know what to cut with it first. Are there things that stick out to you as you're rolling out within customers that are low-hanging fruit? Things that are fairly often that you find, that in the first couple really impactful places to start, rather than trying to start with everything.
Michael Arrowsmith
>> It's really a great point. We see this pitfall in a lot of acquisition of technologies like NinjaOne, but even in past lives with other software companies we see the same kind of scenario playing out. What we can today offer our customers is a wealth of resources. We have a vast world-class customer support group that can absolutely help all of our customers with any day-to-day challenges. But we also have a whole group of solution engineers, solution architects that could really get to the bottom of how that customer's operation is really being ran, or maybe even forward-thinking what is a preference or a desired outcome for leveraging a tool or technology like Ninja. I think that truly is often times the number one thing forgotten about, especially as technologists ... Again, coming back to the people conversation. We are people, we all believe we are the best at what we do, and we have all the experience necessary in order to do the job. When you start to challenge individuals that have been doing this for many, many, many years, there tends to be a little bit of a bias that, "I don't need help. I can do this, I can figure it out. I'm an expert with this particular tool or that tool." I think we come back to this scenario of remote work extended boundaries with bringing in all of these very different types of devices, you start to really stretch the expertise. By leveraging all of tools around you to come up with a thesis, a game plan of how you want to be able to deploy the software, what are those objectives, what are those milestones that will really set me up for success, is really what we're all about here at NinjaOne. Being able to provide our customers every tool, every resource. We have a tremendous wealth of a knowledge base that customers can look at very pinpointed solutions. But then also jump on a phone and be able to talk about what if scenarios. 
Often times, my number one recommendation is to use the vendor for all of the resources that are included in your subscription, and then also potentially look for opportunities to extend those solutions into something maybe of a consultation, somebody very light. It doesn't have to be very expensive, it doesn't have to be overwhelming or time-consuming, just to make sure that you're really armed with all of the bits of information to really set you up for success. I would say that's the number one thing to make sure is crystal clear with our install base.
Jackie McGuire
>> Yeah. One of the things I think is a recurring theme with a lot of security teams is a reluctance to work with professional services I think. It's one of those things that I find when companies don't spend enough on professional services, they end up mired in support tickets. Because, "If I can't make it work, it must be broken. It can be that I couldn't make it work." Yeah, I think that's a really good point is that many vendors provide a lot of resources for you in the form of professional services, consultations, and a lot more customers should probably be taking advantage of that. Here's a related question. One of the things that I've always found is a struggle in security is that it's very hard to quantify risk. Most businesses are 100% focused on money and when you say, "Hey, we should do this so that this doesn't happen," they're like, "Well, that's never happened before." I've actually had to do that. One of the things that I find is a common phenomenon is that if a breach hasn't actually happened, there's not usually enough damage to prove why it's a good idea to take better security measures. You get great customer feedback, at least according to Reddit, which is one of my bibles for things that are true. For security leaders who are successful in getting NinjaOne approved, getting it deployed, really having it go successfully within their organization, are there a few things that you can think of in terms of best practices or early wins that have really helped your security leaders to get a solution like this across the line and demonstrate value?
>> That makes a lot of sense. I think one of the things that's really interesting about technology and security in general is that, if you look at vehicles, the lifespan of a vehicle tends to be somewhat short. The number of 10, 20, 30-year-old vehicles on the road is very low. I became a data scientist, which is how I got into security, and the first model I wrote was not more than 10 years ago and it was for a COBOL server that was still sitting in a closet at a bank. Or if you turned the switch off, it would turn off and nobody could do online banking. Yeah, it's a really interesting thing to think about how far we've come and how versatile security tools need to be, because there is no two tech stacks are exactly the same. I think that's one of the things coming into security that is shocking is it's basically like being a mechanic where no cars you see were assembled the same way with the same parts at the same place. I think that's really fascinating. Any other things that you want to add, either from conversations you're having in the field or particular ways you've seen your security leaders achieve success that we haven't already talked about?
Michael Arrowsmith
>> Yeah, I would say maybe one last thing to just iterate on success. That's this concept, we were talking about budgeting and how to position that to executive leadership or the board, that needs to be a recurring process. Every year, every single period that you go through that budget cycle, you need to be able to go through that and have that conversation. And reassess, "Where am I at, where am I going?" Because I think one of the most rewarding things I find within cybersecurity is what we did two years ago likely isn't applicable anymore, and I think we could all talk about that during the pandemic. When we think about the evolution of what adversaries are looking at, we see them already today embracing the cutting-edge of cybersecurity, of just technology in general. We're always, from a cybersecurity practitioner, defense perspective, PASHA perspective, we're always trailing that just a little bit. It's this ever-evolving game of chase. We don't quite ever catch adversaries, but we're always getting really close. That's the fun that I think really entails what we do as cybersecurity practitioners, and why we need to keep having this rigor back-and-forth. I would say maybe just one additional concept is find a group in your local area, find a peer group that you feel comfortable with, and exchange these ideas. I often times am asked to go to cybersecurity conferences to help Ninja with our brand and customers, and meet vendors, and whatnot. But I really enjoy meeting former coworkers, peers of mine, and just learning about the experiences that they've gone through because it illustrates what you just said. No two tech stacks are ever the same, no two organizations are ever the same, and thus the attacks that those organizations or locations are receiving are going to be different. 
There will be a wealth of knowledge that is shared and really exposed if we start to tear down a lot of these maybe bias or barriers that we felt specifically in the cybersecurity industry. I think John Strand said it the best maybe a few years ago, at one of the last DerbyCons. "Cybersecurity is one of those unique roles in that we're often times rewarded for the skills and aptitude that we can bring to the organization." And because of that, it builds this competitive perception, maybe a little bit of a bias. The more we can tear that down, the more we can share information amongst each other, I think the better we're going to be to defend against these adversarial types.
Jackie McGuire
>> Yeah. I have to say, I spent the first 15 years of my career in investments, and then venture capital. Coming into security and being accepted for who I am, how I look, I think it's one of the ... I try to tell people this. It's too bad that I'm starting to see better representation. I was actually at a high school bootcamp in Arizona a couple weeks ago that was 50-50. I was like, "Oh my gosh." It's one of those industries that I wish people understood more how nice it is to work in this industry, especially as a woman. How much people want to help, how much people want to share knowledge. I've met some very high up pen testers and hackers from three-letter agencies who were more than willing to sit down with me for half-an-hour and explain things that they probably learned 20 years ago. I agree, the more you can do to connect to the security community and really in touch with the problems other people are facing, the better off you are. The other thing that I think is really interesting about interfacing with other people in security is that I learned language. For example, coming from banking and things like that, when I got here, there's language that's used within security that doesn't really work outside of security. I think the other thing you have to do is step out of that environment a little bit. Revenue risk is one that I bring up. If you say, "Hey, we have operational risk if this ransomware attack were to happen," what's operational risk? But if you're like, "Hey, if we had been non-operational this weekend, the revenue we would have lost would have been this," that is a much straighter line between what the CEO, and CFO, and other executives care about and what you care about. Interfacing with people from different leadership positions, I think too, is also important to understand how to speak to people in their language, which is the whole reason we're here. Yeah, sorry. The last, last thing I want to talk about is RSA is coming up. 
It's one of my favorite events because I get to see all of my friends. Do you guys have anything going on at RSA? Where can people find you? Are you venturing down for RSA?
Michael Arrowsmith
>> 100% we'll be at RSA. Ninja will have a booth in the main hall, so really excited to be able to meet our customers. We do it every year. We are hosting an event on Tuesday night, we're co-hosting it with Optiv, called Bourbon and Blazers, really exciting. Get fitted with a custom blazer, have a few cocktails, enjoy some good conversations with some like-minded individuals. I'd encourage anybody and everyone to attend if possible. It is a really great opportunity in the West Coast to be able to meet a lot of senior leaders, a lot of VC folks will be there. But also, a lot of customers, just folks that are generally looking to improve their security postures. It's a lot of fun. Highly encourage everybody that's close or nearby to attend, it's always a great event.
Jackie McGuire
>> Yeah. I know it can be cost prohibitive for some people, but even if you can't afford a pass to the actual conference, it's probably worth just hanging out around Moscone for the couple days because the parties are also pretty decent. All right. Unless you have any other thoughts, Mike, I really, really appreciate the time. I think we're going to see you again, because we actually are going to talk about transferring risk in a little while. But for now, I'd just like to thank you. Any closing thoughts, any other thoughts on risk?
Michael Arrowsmith
>> Really appreciate the time today. Again, the way I think about risk is that perceived threat. Again, the more folks that are fixated, and again I think you brought up a really good point on how to interpret that for the audience, that resonates with them. As leaders, as individuals, we all have to find that common language, that common denominator that we can be able to express that same concern. That's what I would leave you on, is really appreciate that anecdote. I'm going to steal that, be able to leverage that operational risk. Absolutely love that. Thank you again, Jackie, for the time. I appreciate it.
Jackie McGuire
>> Yeah. Thank you, Mike. All right, we will be back in just a few with a few more tactics for reducing risk. Stay tuned for later when we move on to talk about transferring risk. I'm Jackie McGuire, principal analyst and practice lead at theCUBE.
>> Hello, world, this is Jackie McGuire, practice lead and principal analyst. Welcome back to The Art of Security Summit, where we explore ways to avoid, reduce, and transfer risk. My next guest I'm really excited about. I have Mike Arrowsmith. He is the chief trust officer at NinjaOne. He's going to talk to us about reducing risk. NinjaOne actually partners with bold individual companies, as well as managed service and security service providers, so really excited. Welcome, Mike. Mike is remote today. He tells me that he's north of the Bay, he escaped the Bay Area during COVID. Behind him, we noticed lots of Oakland memorabilia. As a fellow former East Bayer who escaped the East Bay as well, super happy to have you, Mike.
Michael Arrowsmith
>> Thank you, Jackie. Appreciate you having me today.
Jackie McGuire
>> Yeah. I'm going to start with this because we were just having this conversation. You were saying, "Don't mind the Oakland memorabilia." I said, "That's fine, but who's your favorite Bay Area rapper?"
Michael Arrowsmith
>> Oh, we were just chatting about this. If I had to pick one, obviously the man, Too Short, was probably up at the very top of that.
Jackie McGuire
>> Yeah, yeah. I'm going to go E-40, just because I think My Ghetto Report Card was probably one of the first albums ... I didn't even realize. I moved to the Bay Area without knowing anything about California. I had never even been to California before. I had been listening to E-40 and then I moved to San Jose. I was like, "Wait a second. I think I'm in the Yay Area. This is totally the Yay Area!"
Michael Arrowsmith
>> Hey, representing Vallejo, he lives in Pleasanton now. Really great guy.
Jackie McGuire
>> Yeah, yeah. I guess we can argue with him about whether Pleasanton's technically the Bay.
Michael Arrowsmith
>> Exactly, exactly.
Jackie McGuire
>> All right, we should actually do some business. I was really excited to have you on because I think trust is a super important component of what we're talking about. We've been talking about different ways of managing risk and trying to use a more general and common language within the enterprise to talk about risk so that CISOs and security leaders achieve better outcomes when they're talking to their other executives, budget committees, boards of directors about their initiatives. I want to start today by talking about endpoints and reducing risk, because depending on which white paper, marketing paper you read, somewhere between 70 to 90 percent of attacks are still originating at an endpoint. How does NinjaOne, and I guess you as an individual, how do you think about securing endpoints? Then I guess, in the worst case scenario if someone does get in, how do you guys think about reducing the risk of that compromise?
Michael Arrowsmith
>> Great question. Something I think about probably on an hourly basis here at NinjaOne, actually given my career. The endpoint predominantly is the number one vector that we're going to see organizations compromised on. Really, because of the interaction those endpoints have with individuals. We don't ever like to think of people being the weak link in organizations, but the reality is people are that weak link. When we see and think about cybersecurity risk, we're really thinking about the perception around threats, and those threats being actualized on those endpoints because of the interaction with those individuals. It's very, very easy nowadays with gen AI and various phishing techniques to be able to get individuals to interact with some kind of messaging content that has a potential impact being that endpoint. It's why, as cybersecurity professionals, we're really fixated on trying to contain the specific threat or risk that an individual may have. Maybe we think about it from a level of permissions. Maybe we think about it to the level of access that individuals or just fundamentally what network devices can that specific endpoint connect to. All of that computes into this risk conversation that we think about and ultimately how we try to mitigate or reduce that perception around whatever threat may be posed by that endpoint. We think about this on an hourly, daily perspective. Really, from our perspective being a products company, we are providing these tools for our customers to be able to mitigate the same level within their customer base or their employee base.
Jackie McGuire
>> Yeah. It's an interesting point you bring up about employees. I know I look very young, but I'm old enough to remember a time before cellphones in the enterprise. Remember when they first showed up, it was only the very, very high end account executives had Blackberries. I remember when, if you had a phone, it was provided by your employer. It seems like virtually overnight, we shifted to remote work. Obviously, the pandemic accelerated this, but it had already started. The whole concept of bring your own device to me has always been really sketchy, because now you have all of these unsecured endpoints and all these people working remotely, so you really don't have the same kind of sanitized environment that you used to. Really for me, that means the attack surface is everything. Everything is connected to an employee's router at home, from their thermostat to their coffee maker, and things like that. That's somewhat overwhelming because the attack surface is everything. NinjaOne helps provide a whole bunch of tools that manage everything. One of the things that I find that security teams fall into the trap of is buying a Swiss Army knife, and then they don't know what to use first. They don't know what tool to use first, they don't know what to cut with it first. Are there things that stick out to you as you're rolling out within customers that are low-hanging fruit? Things that are fairly often that you find, that in the first couple really impactful places to start, rather than trying to start with everything.
Michael Arrowsmith
>> It's really a great point. We see this pitfall in a lot of acquisition of technologies like NinjaOne, but even in past lives with other software companies we see the same kind of scenario playing out. What we can today offer our customers is a wealth of resources. We have a vast world-class customer support group that can absolutely help all of our customers with any day-to-day challenges. But we also have a whole group of solution engineers, solution architects that could really get to the bottom of how that customer's operation is really being ran, or maybe even forward-thinking what is a preference or a desired outcome for leveraging a tool or technology like Ninja. I think that truly is often times the number one thing forgotten about, especially as technologists ... Again, coming back to the people conversation. We are people, we all believe we are the best at what we do, and we have all the experience necessary in order to do the job. When you start to challenge individuals that have been doing this for many, many, many years, there tends to be a little bit of a bias that, "I don't need help. I can do this, I can figure it out. I'm an expert with this particular tool or that tool." I think we come back to this scenario of remote work extended boundaries with bringing in all of these very different types of devices, you start to really stretch the expertise. By leveraging all of tools around you to come up with a thesis, a game plan of how you want to be able to deploy the software, what are those objectives, what are those milestones that will really set me up for success, is really what we're all about here at NinjaOne. Being able to provide our customers every tool, every resource. We have a tremendous wealth of a knowledge base that customers can look at very pinpointed solutions. But then also jump on a phone and be able to talk about what if scenarios. 
Often times, my number one recommendation is to use the vendor for all of the resources that are included in your subscription, and then also potentially look for opportunities to extend those solutions into something maybe of a consultation, somebody very light. It doesn't have to be very expensive, it doesn't have to be overwhelming or time-consuming, just to make sure that you're really armed with all of the bits of information to really set you up for success. I would say that's the number one thing to make sure is crystal clear with our install base.
Jackie McGuire
>> Yeah. One of the things I think is a recurring theme with a lot of security teams is a reluctance to work with professional services I think. It's one of those things that I find when companies don't spend enough on professional services, they end up mired in support tickets. Because, "If I can't make it work, it must be broken. It can be that I couldn't make it work." Yeah, I think that's a really good point is that many vendors provide a lot of resources for you in the form of professional services, consultations, and a lot more customers should probably be taking advantage of that. Here's a related question. One of the things that I've always found is a struggle in security is that it's very hard to quantify risk. Most businesses are 100% focused on money and when you say, "Hey, we should do this so that this doesn't happen, they're like, "Well, that's never happened before." I've actually had to do that. One of the things that I find is a common phenomenon is that if a breach hasn't actually happened, there's not usually enough damage to prove why it's a good idea to take better security measures. You get great customer feedback, at least according to Reddit, which is one of my bibles for things that are true. For security leaders who are successful in getting NinjaOne approved, getting it deployed, really having it go successfully within their organization, are there a few things that you can think of in terms of best practices or early wins that have really helped your security leaders to get a solution like this across the line and demonstrate value?
>> That makes a lot of sense. I think one of the things that's really interesting about technology and security in general is that, if you look at vehicles, the lifespan of a vehicle tends to be somewhat short. The number of 10, 20, 30-year-old vehicles on the road is very low. I became a data scientist, which is how I got into security, and the first model I wrote was not more than 10 years ago and it was for a COBOL server that was still sitting in a closet at a bank. Or if you turned the switch off, it would turn off and nobody could do online banking. Yeah, it's a really interesting thing to think about how far we've come and how versatile security tools need to be, because there is no two tech stacks are exactly the same. I think that's one of the things coming into security that is shocking is it's basically like being a mechanic where no cars you see were assembled the same way with the same parts at the same place. I think that's really fascinating. Any other things that you want to add, either from conversations you're having in the field or particular ways you've seen your security leaders achieve success that we haven't already talked about?
Michael Arrowsmith
>> Yeah, I would say maybe one last thing to just iterate on success. That's this concept, we were talking about budgeting and how to position that to executive leadership or the board, that needs to be a recurring process. Every year, every single period that you go through that budget cycle, you need to be able to go through that and have that conversation. And reassess, "Where am I at, where am I going?" Because I think one of the most rewarding things I find within cybersecurity is what we did two years ago likely isn't applicable anymore, and I think we could all talk about that during the pandemic. When we think about the evolution of what adversaries are looking at, we see them already today embracing the cutting-edge of cybersecurity, of just technology in general. We're always, from a cybersecurity practitioner, defense perspective, PASHA perspective, we're always trailing that just a little bit. It's this ever-evolving game of chase. We don't quite ever catch adversaries, but we're always getting really close. That's the fun that I think really entails what we do as cybersecurity practitioners, and why we need to keep having this rigor back-and-forth. I would say maybe just one additional concept is find a group in your local area, find a peer group that you feel comfortable with, and exchange these ideas. I oftentimes am asked to go to cybersecurity conferences to help Ninja with our brand and customers, and meet vendors, and whatnot. But I really enjoy meeting former coworkers, peers of mine, and just learning about the experiences that they've gone through because it illustrates what you just said. No two tech stacks are ever the same, no two organizations are ever the same, and thus the attacks that those organizations or locations are receiving are going to be different.
There will be a wealth of knowledge that is shared and really exposed if we start to tear down a lot of these maybe bias or barriers that we felt specifically in the cybersecurity industry. I think John Strand said it the best maybe a few years ago, at one of the last DerbyCons. "Cybersecurity is one of those unique roles in that we're often times rewarded for the skills and aptitude that we can bring to the organization." And because of that, it builds this competitive perception, maybe a little bit of a bias. The more we can tear that down, the more we can share information amongst each other, I think the better we're going to be to defend against these adversarial types.
Jackie McGuire
>> Yeah. I have to say, I spent the first 15 years of my career in investments, and then venture capital. Coming into security and being accepted for who I am, how I look, I think it's one of the ... I try to tell people this. It's too bad that I'm starting to see better representation. I was actually at a high school bootcamp in Arizona a couple weeks ago that was 50-50. I was like, "Oh my gosh." It's one of those industries that I wish people understood more how nice it is to work in this industry, especially as a woman. How much people want to help, how much people want to share knowledge. I've met some very high up pen testers and hackers from three-letter agencies who were more than willing to sit down with me for half-an-hour and explain things that they probably learned 20 years ago. I agree, the more you can do to connect to the security community and really in touch with the problems other people are facing, the better off you are. The other thing that I think is really interesting about interfacing with other people in security is that I learned language. For example, coming from banking and things like that, when I got here, there's language that's used within security that doesn't really work outside of security. I think the other thing you have to do is step out of that environment a little bit. Revenue risk is one that I bring up. If you say, "Hey, we have operational risk if this ransomware attack were to happen," what's operational risk? But if you're like, "Hey, if we had been non-operational this weekend, the revenue we would have lost would have been this," that is a much straighter line between what the CEO, and CFO, and other executives care about and what you care about. Interfacing with people from different leadership positions, I think too, is also important to understand how to speak to people in their language, which is the whole reason we're here. Yeah, sorry. The last, last thing I want to talk about is RSA is coming up. 
It's one of my favorite events because I get to see all of my friends. Do you guys have anything going on at RSA? Where can people find you? Are you venturing down for RSA?
Michael Arrowsmith
>> 100% we'll be at RSA. Ninja will have a booth in the main hall, so really excited to be able to meet our customers. We do it every year. We are hosting an event on Tuesday night, we're co-hosting it with Optiv, called Bourbon and Blazers, really exciting. Get fitted with a custom blazer, have a few cocktails, enjoy some good conversations with some like-minded individuals. I'd encourage anybody and everyone to attend if possible. It is a really great opportunity in the West Coast to be able to meet a lot of senior leaders, a lot of VC folks will be there. But also, a lot of customers, just folks that are generally looking to improve their security postures. It's a lot of fun. Highly encourage everybody that's close or nearby to attend, it's always a great event.
Jackie McGuire
>> Yeah. I know it can be cost prohibitive for some people, but even if you can't afford a pass to the actual conference, it's probably worth just hanging out around Moscone for the couple days because the parties are also pretty decent. All right. Unless you have any other thoughts, Mike, I really, really appreciate the time. I think we're going to see you again, because we actually are going to talk about transferring risk in a little while. But for now, I'd just like to thank you. Any closing thoughts, any other thoughts on risk?
Michael Arrowsmith
>> Really appreciate the time today. Again, the way I think about risk is that perceived threat. Again, the more folks that are fixated, and again I think you brought up a really good point on how to interpret that for the audience, that resonates with them. As leaders, as individuals, we all have to find that common language, that common denominator that we can be able to express that same concern. That's what I would leave you on, is really appreciate that anecdote. I'm going to steal that, be able to leverage that operational risk. Absolutely love that. Thank you again, Jackie, for the time. I appreciate it.
Jackie McGuire
>> Yeah. Thank you, Mike. All right, we will be back in just a few with a few more tactics for reducing risk. Stay tuned for later when we move on to talk about transferring risk. I'm Jackie McGuire, principal analyst and practice lead at theCUBE.