Join us on Identity Radicals as we engage in an enlightening conversation with David Tyburski, VP of Information Security and the CISO of Wynn Resorts. With over 15 years in the field, David offers his expertise on leveraging automation to provision across the entire user access lifecycle in today's digital world. Get ready to uncover the intriguing challenges he has faced, his strategies for data protection, and his outlook on the inevitability of breaches in security.
Join us this week as we engage in an enlightening conversation with David Tyburski, VP of Information Security and the CISO of Wynn Resorts. With over 15 years in the field, David offers his expertise on the significance of infrastructure and cybersecurity in today's increasingly digital world. Get ready to uncover the intriguing challenges he has faced, his strategies for data protection, and his outlook on the inevitability of breaches in security.
We explore the critical role of identity management and access control in cybersecurity. Listen in as we dissect the crucial aspects of identity management, and learn why pre-authorization and continuous monitoring are indispensable in warding off potential intruders. We take you through the necessity of automating security processes and how this can relieve an audit team's burden and let them concentrate on more pressing matters.
Finally, we take a step back and look at the broader picture - leadership in the advancement of the security field. Drawing on his experiences, David shares tips on networking, professional growth, and the importance of understanding the industry we're in.
Key Quotes
- You need to know who has access to all of those systems, all of those applications, all of that data. There's a big problem of managing that access, especially as people come into a company, move through their positions, leave an organization, there's a problem of over-provisioning. People have more access than they really need.
- We've kind of flipped the attestation over in, as well so that we do both sides of it. And we do what's called a pre-authorization. So, based on our rollback model, we say these roles are approved to do these things in these applications. And if you don't have that authority assigned at the beginning, you can't even request that access because we've already determined you shouldn't have it. So by, by looking at the attestation in reverse, we've been able to say, okay, now we can kind of build a framework around who should have access.
- You got to know the who, the what, the where, and [who] approves. You got to be able to authenticate it. And then you have to prove that you did the right things.
- It's just good hygiene and cleanup practices to say, the new roles don't need it, get rid of it, right? Let the people who are, who need to do that do it, but take it away from the people who don't. It's not even taking the malicious statement out of it, of somebody doing it intentionally, bad permission. It happens because of time and how people move around in the organization. And you have to realize you got to fix for that too.
- You need tooling like Veza to help you decide how does audit find it, and then how do I find it faster than audit? And then how do I make sure that I retool my processes so that it never occurs to begin with?
- Security professionals, unlike hackers, tend to try to hold everything close to their chest and not share, but that's changing. I do think that's great that it's, I'm a big proponent of sharing, sharing processes, sharing techniques, sharing everything we can. At least sharing what you can.
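An added example, not code from the podcast or from Veza, that models the pre-authorization gate and the reverse attestation described in the quotes above: a role-to-entitlement framework is defined up front, requests outside it are refused before anyone reviews them, and the same framework is run over the live grants to find access left behind by job changes or terminations. Roles, applications, permissions and users are constructed for the example.

```python
"""Pre-authorization and reverse attestation over a role framework.

Added example (not code from the podcast or from Veza). The framework says
which roles are approved to do which things in which applications; requests
outside it are refused immediately, and the same framework is compared against
live grants so over-provisioning is found in minutes rather than at the
quarterly review. Roles, applications, permissions and users are constructed.
"""
from dataclasses import dataclass, field

# Entitlement = (application, permission). Constructed framework.
APPROVED = {
    "finance_analyst": {("erp", "read_ledger"), ("erp", "run_report")},
    "cfo": {("erp", "read_ledger"), ("erp", "run_report"),
            ("erp", "approve_wire"), ("treasury", "release_funds")},
    "help_desk": {("idp", "reset_password"), ("ticketing", "triage")},
}


@dataclass
class Identity:
    user: str
    role: str
    active: bool = True
    grants: set = field(default_factory=set)


def request_access(identity, app, permission):
    """Pre-authorization gate: a request outside the role's approved set is
    refused up front, so it never reaches a human approver."""
    entitlement = (app, permission)
    if not identity.active:
        return False, f"{identity.user} is not an active identity"
    if entitlement not in APPROVED.get(identity.role, set()):
        return False, (f"{identity.user} ({identity.role}) is not pre-authorized "
                       f"for {app}:{permission}")
    identity.grants.add(entitlement)
    return True, "granted"


def promote(identity, new_role):
    """Model the 'permissions follow you' problem: the new role's entitlements
    are added, but nothing from the old role is removed."""
    identity.role = new_role
    identity.grants |= APPROVED[new_role]


def attest(identities):
    """Reverse attestation: compare live grants with the framework and return
    every grant that should never have existed for that identity."""
    findings = []
    for ident in identities:
        if not ident.active:
            for app, perm in sorted(ident.grants):
                findings.append((ident.user, app, perm,
                                 "terminated but still has access"))
            continue
        allowed = APPROVED.get(ident.role, set())
        for app, perm in sorted(ident.grants - allowed):
            findings.append((ident.user, app, perm,
                             f"not approved for role {ident.role}"))
    return findings


def remediate(identities):
    """Remove every finding ('weed the garden') and return how many there were."""
    by_user = {i.user: i for i in identities}
    findings = attest(identities)
    for user, app, perm, _ in findings:
        by_user[user].grants.discard((app, perm))
    return len(findings)


def demo():
    """Constructed lifecycle: onboarding, a refused request, a promotion that
    drags old access along, a termination, then the continuous check."""
    alice = Identity("alice", "help_desk")
    bob = Identity("bob", "finance_analyst")
    identities = [alice, bob]
    request_access(alice, "idp", "reset_password")   # inside the framework
    request_access(bob, "erp", "read_ledger")        # inside the framework
    # An analyst asking for CFO-level access is refused before any review.
    refused = request_access(bob, "treasury", "release_funds")
    # Alice moves into finance; the help-desk entitlement silently comes along.
    promote(alice, "finance_analyst")
    # Bob leaves the company but the account keeps its grants.
    bob.active = False
    findings = attest(identities)
    fixed = remediate(identities)
    return {"refused": refused, "findings": findings,
            "remediated": fixed, "after": attest(identities)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```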
Time Stamps
4:05 - Regulations in the gaming industry
10:25 - Radical ideas in identity problems/solutions
16:35 - Adapting to new roles and access necessities
18:10 - Working with your internal audit teams for maximum efficiency
29:15 - Advice for future cybersecurity leaders
Links
Identity Radicals is sponsored by Veza, the Identity Security Company. Learn more about Veza by checking out:
Or, schedule a demo with our identity security experts to learn how Veza's Access Control Platform can lead your organization to least privilege.
David Tyburski: [00:00:00] There's a big problem of managing that access, especially as people come into a company, you know, move through their positions, leave an organization. There's a problem of over-provisioning. People have more access than they really need.
Announcer: Welcome to Identity Radicals, conversations with cybersecurity experts.
Jason Garoutte: Welcome to Identity Radicals, the show where I have conversations with today's leaders on the front lines of cybersecurity. My name is Jason Garoutte. I am the CMO of Veza, the identity security company headquartered right here in Silicon Valley. My guest today is David Tyburski. He's the VP of information security and the CISO of Wynn Resorts.
[00:01:00] A, uh, an establishment that I've visited more than a few times. David has an impressive 15 year career there, and he was actually the first CISO of Wynn Resorts. So as you might guess, he's in charge of just about everything. So things like security architecture and data security and incident management, cloud security compliance, business continuity, and of course, identity and access management.
David, welcome to the show.
David Tyburski: Thank you.
Jason Garoutte: 15 years at any job, but especially a prestigious brand like Wynn Resorts, is impressive. So congratulations on that. I'm sure that you've seen a lot. Maybe give our listeners a sense for the scale of the operations under your purview.
David Tyburski: Wynn Resorts, uh, operates in North America and Macau right now, which is, uh, an SAR of China.
In total, we have, uh, 26,000 employees today. Roughly 12,000 of those are computer [00:02:00] users. We have just over 400 applications that it takes to run the facilities. We operate in Las Vegas, just outside of Boston, Massachusetts. Like I said, Macau, China, and we're beginning to build out in the United Arab Emirates.
So, we cover the majority of the world, and my responsibility covers everywhere that Wynn goes.
Jason Garoutte: Now, because it is a casino, I would imagine that you get some exposure to interesting security threats. You know, my old joke is that most of what I know about casino security comes from watching Ocean's 11, so you got to keep your eye out for George Clooney, but maybe you have a more real example. What's, what's something...
David Tyburski: Totally for a different reason you have to watch out for George Clooney, but not because of Ocean's 11.
Jason Garoutte: What is maybe something that unusual that you've encountered from the security side?
David Tyburski: Well, we have Black Hat here in Las Vegas every year. DEF CON, BSides, all of the, the fun and interesting characters from around the world can, [00:03:00] you know, come to our city and they love to, we'll say wreak havoc as much as they can.
Normally they're pretty good and they're, they're here to learn, but sometimes they have some fun. The, the digital signage that we have up and down the strip is always one of those big threats that they go after. Cause we have big signs and apparently they, they love to publish their faces on big signs.
And so they're, they're always going after that. Luckily Wynn has not the largest sign anymore in some ways since the Sphere was opened and it's the big, you know, big monstrous video processing solution. So we became a, you know, a secondary target. That's a great thing for us, but we still have to be on, you know, be aware and always be vigilant to make sure that they don't get ahold of it, you know, and then there's always the fun things like, you know, one year, I remember that these guys decided to do basically a coordinated attack on one of the hotels and, and brought a couple hundred [00:04:00] people and everybody inserted their room key all at the same time in a synchronized event.
And of course, you know, that many requests to the database through the systems to unlock the door simultaneously caused a little bit of trouble and people were locked out of their rooms for several hours. And so, like I said, they come up with some pretty creative stuff while they're in town.
Jason Garoutte: You got to appreciate the ingenuity.
And it sounds like these are fairly harmless on the spectrum of risks. But of course, some things are more serious. And so when you think about the data that you need to protect for Wynn, and what kind of applications are the ones that you're most worried about?
David Tyburski: Well, I mean, we have everything from, you know, hotel management to our food and beverage applications, to point of sale, to our gaming applications, to PCI related functions, our financials.
It crosses the gamut of everything you can think of, and not everything requires the same level of, you [00:05:00] know, capabilities, but we are a highly regulated industry. So we have gaming controls in every state that we operate in. We have SOX regulation because we're a publicly traded company. We, you know, have health information with our insurance.
We have all kinds of different functions. So yeah, it, it runs the full gamut around the board of what we have to protect, and data is, of course, the most critical element that contains the value that people want to steal. So we're always vigilant about what data we have, how long we store it, where it is, and how we protect it.
Jason Garoutte: I have heard you talk before about two principles that are important to you. One, there is no perimeter. And number two, it's not a question of if there's going to be a breach, but when, and I just wonder how these two principles influence how you approach security. [00:06:00]
David Tyburski: Well, those are, I mean, every salesperson on the planet right now in a security, they use those two terms because that's how they feel that they're going to sell their product to the, the organization, right. Oh, there's no perimeter anymore. You need to buy my product cause it'll solve every problem you ever have. You don't even have to install it, just buy it, put it, just, that's all you got to do, you just buy it and it'll fix all your problems, right, every sales guy. And then, you know, on top of that, it's, like I said, it's not a matter of if, but when, and you've probably heard that conversation a hundred times from everybody out there.
But my statement behind that is, is if you really believe those things are true, and, and I'm not denying that they aren't true because I do think that they are. You, you asked yourself the question then from a security perspective, security professional perspective, like a CISO, what becomes important, right?
What it's, what are the things that, that you really need to focus on? Now there's always going to be regulations, regulated industries like we're [00:07:00] in. So there's things we have to do to meet compliance requirements, regulatory requirements, those kinds of things that you have to do, that's kind of bread and butter, but I've really narrowed it down to what I believe is a concise list of three very, very high level things that you have to do based on the fact of those two statements and in, and it's talking about the modern world, right?
So you go back 20 years ago when everybody was like, put in firewalls. Put in this, block your data, you know, protect your network, put your arms around it, but build big high walls and nobody's going to get in. Well, that doesn't work anymore because there's no perimeter anymore. Right? So the question becomes is what, what is important?
So the first is your infrastructure. Right. That might just be the, the, the cell phone you're on or the laptop you're on. You have to define what is it that is the infrastructure that runs the company and build a protection around it. And it might be 30 different principles [00:08:00] because you have mobile workers on laptops, you have a data center somewhere, a bunch of cloud services, SaaS services, integrations.
And so you might have different principles of protecting your infrastructure, but you've got to define what is your infrastructure and how do you protect it and build that strategy. The second is, of course, protecting the data. The data is the value because that's what people want. If you didn't have data, nobody would, I mean, nobody would really care because that's how they make their money.
Whether that's credit card information, proprietary information, what are they stealing? It's data. Right? That's, that's what people are after. So you have to protect your data and your infrastructure helps you define that on how you're going to protect it. But the very third thing is identity and protecting the people.
You need to know who has access to all of those systems, all of those applications, all of that data. There's a big problem of managing that access, especially as people come into a company, you know, [00:09:00] move through their positions, leave an organization, there's a problem of over-provisioning. People have more access than they really need.
They come up with scenarios that you find that people are, that are, they're using data in ways you don't expect. And so you need to have visibility into that. You need to have the capability of managing that. So, like I said, three things, infrastructure, data, and identity. And those three things are the only things that I've come up with today from a high, high level.
And I mean, none of that is an easy answer, mind you. Those are very high level statements that are very complex. But those are the only three things I know of today that a security professional should be focused on to protect their organization. And it meets those two statements. Then you should be able to defend your organization effectively.
And I use that word should loosely because they,
Jason Garoutte: Well, it's [00:10:00] hard, right? It's hard connecting the data to the identity. So your second two points are actually really tricky, and it's, I think it's a question of scale, right? And you talked about having 12,000 employees or more, and there's probably machine identities on top of those.
And each of those has how many roles and how many permissions? I think this is a big number.
David Tyburski: Well, if you do the math, yeah, I, to even do, it comes out to trillions of combinations, of potential combinations, very, very quickly. So, you know, 12,000 times 400, an average of 10 roles per application, 10 permissions per role, I mean, you get...
The, the scale goes up, you know, extraordinarily quickly in just that simple math.
Jason Garoutte: So trillions is a lot, and I don't think you're going to solve that problem. I don't think anyone can solve that problem with human hands. And so I certainly believe that the, the world is ready for a radical approach. [00:11:00] The show is called Identity Radicals.
What's something radical that you've tried to deal with that huge identity problem?
David Tyburski: When you look at identity, again, I'm, apparently I like the number three a lot of times, because I think there are three critical components to managing identity. One is the identity orchestration piece, which is what I call identity orchestration.
And that's really that. Who needs it? How do they request it? Who approved it? Um, how do they, they flow through the system to get the accesses that they need, right? You hire somebody, they come into your company, and, and you don't want them to just sit around at their desk twiddling their thumbs. I mean, unless that's the job you hired them for, and if that's an open job, I want to talk to somebody because I'm good at it.
Um, second part of that is identity authentication, which is how do people actually use that identity that you've given them throughout all your applications. Whether that's through an IDP in [00:12:00] local authentication, you know, directory structure, Linux, or whatever it is. People need to be able to authenticate in, and you need to have some confidence that the authentication is correct, right?
And then there's identity attestation, which is on the back end side, is do the right people have the right access? And did you miss something that you shouldn't have missed? So the radical side that we've done on two... As I'll start on the, the orchestration side, one, we've built the system to do that orchestration that works for the company, but we've kind of flipped the attestation over in as well so that we do both sides of it and we do what's called a pre-authorization.
So based on, on rollback model, we say these roles are approved to do these things in these applications, and if you don't have that authority assigned at the beginning, you can't even request that access because we've already determined you [00:13:00] shouldn't have it. So by, by looking at the attestation in reverse, we've been able to say, okay, now we can kind of build a framework around who should have access.
It's not perfect. Nobody, you know, and it changes as people's job change and needs. And we learn and grow on that every day, but we've probably been able to eliminate 90 percent of those odd requests out there that somebody who's, I don't know, let's say they're, they're sitting as an analyst. You know, in, in finance and they request the same level of access as the CFO, right?
You're probably going to say no to that. You probably, you know, I don't know, everybody's business is different, but in our business, we're going to say no to that. Right. And, and so we've been able to, to kind of define that and organize that and, and build that up front. And then when we come to the attestation side on the far end of that, now we have a framework to work from as well. Did we grant something outside of that approval process? Did we look at something that we shouldn't have? And so [00:14:00] we have tools on both sides to do it and that helps. And so, like I said, those are kind of the three aspects of identity management.
You got to know the who, the what, the where, and approves. You got to be able to authenticate it and then you have to prove that you did the right things.
Jason Garoutte: I really like the flip on attestation, and it feels like a lot of times companies are basically taking their best guess on access and they're waiting maybe 89 days until the next quarterly review to see if they kind of got it right, and even that process, which is burdensome in itself, may not give you the correct answer. You're trying to be more preventative and almost do the compliance on a continuous basis.
David Tyburski: Almost. I mean, like I said, it's, and, and if I was going to say this to your other comment is, if it was easy, everybody'd be doing it, right? So it's never easy. But the idea is to get to at least, at least as much as we can, right?
So, so there are [00:15:00] certain things that you know aren't, aren't valid, certain things that you know aren't reasonable, so stop those from ever even starting, to your point, because if you're waiting 90 days before you check it, what happens is, is that there's 89 days in there that they can be abusing privilege.
They can, you know, be stealing data. They can, the cell phone camera, right? I don't even have to print it anymore. I can just bring it up on the screen, snap a picture, move on. And if it looks like legitimate access, it's very difficult to find in that. But if you've said that a person in that role, let's say in this example, we were using of a clerk or an analyst shouldn't have the same level of access as the CFO, you can continuously look for it.
You can look to say that should have never happened to begin with. And so instead of being there for 89 days, you can stop it in less than 89 minutes because you can have tools that can look in that on a fairly accurate [00:16:00] and read and basis to at least determine all of this is wrong up front. Now, it's not going to determine everything, but that, because that takes some human intelligence on the backside until ChatGPT figures out how to do it, but that's a whole different problem.
But, you know, the, the humans go in and look at it the every 89 days, but at least there's an assurance that over that time, the majority of the stuff that should have never happened didn't.
Jason Garoutte: I talk in terms of bad permissions, and I think that a lot of the systems that people have today are allowing bad permissions to propagate and to persist, and good access teams are, are able to hunt these down on an ongoing basis and continually weed the garden. Right? That's the metaphor I use. You've got to weed the garden because every day they're growing and, uh, each one that you leave there untreated becomes a possible vector for intrusion.
David Tyburski: Absolutely. And, and not [00:17:00] necessarily because people are being malicious. You can take some of the intentional malicious out of that statement and just look at that as somebody who's hired into a company like myself. I came into the company in one role and I've been promoted through six different roles before taking on this position.
Um, that permission level kind of follows in a normal organization, right? So, I started out having certain roles here, and then I moved into the second one, and they added on what did I need for the second, and then they moved to the third, and then you add on some more, and move to the fourth, and you add on some more, and by the time you get to the fourth or fifth role in your organization, you look back and go, first of all, I don't use half of those that I did when I was in the first role.
Why do I still have them? And it's just good hygiene and cleanup practices to say, the new roles don't need it. Get rid of it, right? Let the people who are, who [00:18:00] need to do that do it, but take it away from the people who don't. So like I said, it's not even taking the malicious stuff.
You have to realize you got to fix for that too. It's not always a, it's not always a threat actor doing something intentionally to harm you. It's your own practices not doing something which is harming you.
Announcer: This podcast is brought to you by Veza, the identity security company. 75 percent of breaches can be traced back to identities that were either compromised or abused.
That's why companies use Veza to find and remove the risky access permissions that legacy tools just can't see. Secure your data wherever it lives with Veza. Learn more at veza.com
Jason Garoutte: Everybody wants least privilege and I don't think anybody feels like they've actually accomplished it and maybe it's an impossible goal.
I don't know, but [00:19:00] you have an ally in your fight and that is the internal audit team. And one of the things I've heard you say in the past that I think is radical is that to work the internal audit team out of a job. But these are folks that are trying to, you know, maybe it's an aspirational thing. So what do you mean when you say that?
David Tyburski: So, I always look at it this way, an audit team, and they are an effective team, and I don't want to, I don't want to alienate anybody or upset anybody, because they do an incredible job. But the point is, is they are definitely looking at point in time, so just like you're doing an attestation maybe every 90 days, your internal audit team can't run continuously, they're, they're looking at it from a very specific standpoint, they're taking point in time, you know, evaluations, and they're looking at that saying, Okay, is anything wrong right here and right now?
And if it's wrong, why is it wrong in helping build new processes? Because that's, that's their job. But if you can [00:20:00] take that and turn that into an everyday thing, or an every hour thing, now it becomes much more difficult for them, point in time, to find something that went wrong. Right? And then you get the idea that you're making those adjustments faster.
So that's why I say always in a sense, I want them to look at all the financials. I want them to do the work that they need to do to make sure the company stays around, does all the right things, is profitable, because I like being paid and I want them to make sure that I continue to get paid. What I don't want them to have to do is expend an inordinate amount of time auditing access so that they can't look at all the other important stuff they need to look at. So, I guess I'd flip that statement. It's not to say out of a job, but let them focus on more important things than me. That makes sense.
Jason Garoutte: Maybe it's, uh, hackers getting onto the Sphere down the street.
David Tyburski: Yeah, exactly. Let them, let the Sphere worry about it.
I don't want to worry about [00:21:00] it.
Jason Garoutte: I think that just the word audit has sort of a reflexive connotation that makes people nervous. But of course, they're, they're here to help us make sure that the processes have control. And what I think people in your line of work have to worry about is, you know, getting too many compliance violations.
They're called different things in different industries, but it may be a matter requiring attention or some kind of warning. We all want to stay out of SOX jail. I heard somebody recently say, Hey, Veza, can you help us get out of SOX jail? They were talking about Sarbanes-Oxley and not being in compliance because of something the auditors found.
You know, what, what is the challenge? How often are CISOs in SOX jail?
David Tyburski: Unfortunately, more often than they should be. And again, that's because they haven't really looked at these processes and, and you're probably right. There's probably some contention there in their audit teams, but luckily I, I, I work [00:22:00] with some great people and, and I have a good relationship with my audit team.
And I always ask the question, how are you looking at that? How are you finding that? Right. What is it that you're trying to discover and why, and then work backwards from there to say, how do I do it better? How could I take what you do into an automated fashion and stop it before you ever find it?
Because I, I always said, if I can find it and fix it before you, then it is not one of those audit findings, right? So I always look at it in that respect of saying, how do I, how do I bring it backwards down the chain? Simple security practice is push the issue farther and farther away from you. In the audit, it's I want to draw all those issues closer and closer to me.
I want to bring it where I'm finding them before. Uh, my audit team finds them. I want to see them faster than they can process them. I want to do in a sense, every bit of work that they do, I [00:23:00] want to automatically do it at a rate they can't keep up with. Because if I can keep finding them and ensuring that I'm fixing them from a metric standpoint, right, if I can change my processes that it never happens, one audit's going to be happy because those findings, those.
Issues, incidents, whatever they want to call them in your industry. They never occur in the first place. Well, isn't that the goal, right? So you talk about how do I get out of SOX jail? Well, you get out of SOX jail by not letting those things happen in the first place. So you need tooling like Veza to help you decide how does audit find it?
And then how do I find it faster than audit? And then how do I make sure that I retool my processes so that it never occurs to begin with?
Jason Garoutte: How do you know if you're getting better? This feels like a journey that you're on and there's always new challenges arriving and then you're coming up with new systems or buying new vendors to help you get better at this.[00:24:00]
How do you know if you're making headway? Is there any metric that you add up to see if you're, you're getting to a place where you're catching all these things before the auditors?
David Tyburski: Well, there's nothing, nothing particular. I mean, you can obviously, you can obviously look at segregation of duty. You can look at, you know, did I leave somebody active?
When they were terminated from the company and for how long was that access ever used? Did we leave access when somebody moved from one position to another? Response times on changes to access? There's a lot of different things you can measure to make sure of it. Can you 100 percent know that an auditor will never find anything?
It's their job to find something. You just want to make sure that something is small. First of all, and that's not always the case, but the true measure that I use is, how, how much am I being yelled at? Right? How serious is it?
Jason Garoutte: This is the same measure I use in domestic [00:25:00] matters to see how I'm doing.
David Tyburski: Absolutely. It's just, it's a perfect measure in this case, right? Is my audit team sitting in front of me saying, you've got 6,000 problems and they're critical in these ways because these systems contain financials, these systems, you know, sensitive data, there's PCI, whatever it is, right? Is my audit team sitting to me telling me I've got this cacophony of problems?
Or are they sitting in front of me saying, well, we found this thing over here. It's not really a big deal, but you should probably look at it, right? In that case, I'm going, okay, I'm probably doing pretty well because they're basically just brushing it off saying I got to find something, I got to tell you about something, but it's really not that bad.
Jason Garoutte: Uh, it's hard to make a dashboard, I suppose, to track the number of times you get yelled at, but I, I think the close analog would be to view these as process defects and to sort of keep a tab of how often you're getting defects and [00:26:00] how severe are they. There's that number trending down over time, then you're doing a good job.
David Tyburski: Yeah. And, and, well, that's a, isn't that a nice analytical way to put it, but it's really the amount of the, the, the intensity and veracity of being yelled at.
Jason Garoutte: Okay. Well, we're not yelling at you, so I think you're doing a great job. Let me just turn and ask you some kind of more fun questions. I'm just curious.
I always ask my guests, is there a movie out there that you do think that you've enjoyed the most that has something to do with security or hacking?
David Tyburski: Well, I, you know, I always go to Swordfish, I mean, you know, the hacking, okay, let's just put this, if you could be in front of a computer as a hacker with Halle Berry drinking wine, wouldn't you do that?
I, I feel like if I answer that question, I've got an open chair, she's welcome.
Jason Garoutte: That's, I could get yelled at for, for answering that question the wrong way.
David Tyburski: Well, me too, and if my wife sees this, she's going to yell at me for saying it, but let's just be honest. I mean, that's, that is the [00:27:00] most, from that perspective, I am not John Travolta.
I don't have his talent for movies. Halle Berry is never going to come sit in my office and talk to me about cybersecurity, but you know, there's the dream. The dream could happen.
Jason Garoutte: She really doesn't
David Tyburski: know what she's missing out. Absolutely. That's what we're going to say.
Jason Garoutte: David, you know what, one thing I think that's always really interesting for our listeners is to know where.
leaders get their information from? And, you know, how do you find out about new technologies or new techniques that you might want to try
David Tyburski: at WIM? Well, I talk to a lot of people. I talk to my peers. I attend conferences like Black Hat and DEF CON. I sit in, in groups all the time and have those, those types of conversations.
I do an immense amount of reading online. It's amazing that the security community has grown a little bit, and that they share information. They're not quite a hundred percent. Security professionals, unlike hackers, tend to try to hold everything [00:28:00] close to their chest and not share, but that's changing.
And I, I do, I do think that's great. That is, I'm a big proponent of sharing, sharing process, sharing techniques, sharing everything we can, not the, not the, the proprietary that you have to protect, or, or the, you know, whatever, but at least sharing what you can. And so, I helped found a group here of CISOs in town in Las Vegas that still exists.
We get together on a quarterly basis and we talk through issues. We, we do that, no offense to vendors, but vendor agnostic. We keep them out of the room so that the, you know, well, so that we can talk bad about them if we need to. You got to have...
Jason Garoutte: ...your safe space.
David Tyburski: Exactly. And, and, and those conversations help tremendously because, and it's not just gaming, it's multitudes of industry here in town is, is coming together from a senior leadership and that, like I said, along with the reading stuff, looking amazingly, if you, if you look at the LinkedIn [00:29:00] profiles of a lot of security professionals and go through the feed.
It's amazing how many new things they're sharing, you know, oh, I think this is great, or I think this product does well, or I'm looking at this, and you get a lot of understanding. So there's multitudes of avenues to do that, but it really does, it's about, it's about working with the security professionals, because I can't see everything.
They can't see everything. So we need to talk about what we're all seeing so that everybody gets an idea of what's coming. And every industry is different too. So some things that I think are important, other people are like, I don't care. And, but their industry, something else is important. So.
Jason Garoutte: I think the combination of velocity with so much change coming so quickly, plus opacity with a lot of people keeping things close to the vest, makes it hard to learn what's going on.
And so, things like what we're doing right now, networking sessions, person to person contact, kind of the, the best way to get the, uh, the freshest info. [00:30:00]
David Tyburski: I agree. And like I said, the, the, by the time something gets published, it's normally outdated, but if you have a personal relationship, one on one conversations, data feeds that you're looking at, you tend to get it faster.
Jason Garoutte: If someone listening to this is, uh, wanting to learn and they're hoping to rise up the ranks and maybe get to the same title that you've achieved. Do you have any career advice for people that are making their name in security today?
David Tyburski: The one thing I would, I always tell people, especially guys that work for me and same conversations come up, just be careful what you wish for.
You just might get it. And the goal of taking on a CISO title, I know a lot of people have that goal, and I did. Was I a hundred percent prepared for what it meant? No. I've learned a lot since I've been in this role, and there's a lot more conversation around business objectives than, than I thought there was going to be: understanding of financials, understanding of, of, you know, business [00:31:00] operations and, and those kinds of things.
So, you really take a strategic look at what you're trying to achieve. And there's nothing wrong with becoming that, that SME in the technical world instead of the CISO, right? If that's where your talents lie and your interests lie. And I'm just saying that: know where you're going. Talk to the people who are in those roles in your industry, ask them what their challenges are, what keeps them up at night, what are the things that surprised them when they took the position. That in and of itself will give you a better understanding of the role.
That's the first thing, right? Second thing is, learn as much as you can and be as creative as you can to help the company. I find people in my role too often are an impediment to the success of a business. And I, that's not our role. Our role is to empower the business to move forward effectively, [00:32:00] safely, and correctly.
And so the more we can do that, the more we get in a sense out of the way, but we protect the organization at the same time, the better off we are. The joke is the CIS-No, and you never want to be the CIS-No. Right? So, understand how to be creative and listen. The last time I checked, security operations, security organizations, unless they are, that's your business, like you're a, you know, an MSSP or you're in the business.
We don't typically, we're not typical revenue generators for a company. We spend money really well, but we don't make it for the company. So, you know, somebody striving to be in my role, figure out how to do the security job and enable the company to make the money the way they want to, because that's what, that's what basically pays your paycheck, that revenue coming in.
So the more you can help the company make, the longer the company's going to be around, [00:33:00] the better off they're going to be. And they're going to go, that's the guy helping us make the millions. Let's make sure we pay him or her.
Jason Garoutte: Don't aspire to be the CIS-No, but aspire to learn how the business makes money and try to be an enabler towards that end.
David Tyburski: And build security into that enablement. The term is out there, security first, right? Everybody wants to say we take a security first approach. And yet, how many times do you hear that security is the afterthought? Well, that doesn't make it first. So let's be first, but understand it's not about stopping the business moving forward.
It's about enabling the business to go in every direction they want, as fast as they want, safely. Just add that word to the end: safely.
Jason Garoutte: Safely. Who could argue with that? Okay, well, David, this, as always, has been fantastic. I'm grateful to you for spending some time with me this morning. And you know that you're welcome here on the show anytime.
To our listeners, let me just say, this has been Identity Radicals, brought to you by Veza. If you're [00:34:00] enjoying hearing from leaders like David, be sure to subscribe and check this out wherever you get your podcasts. And until next time, let's be safe out there.
Announcer: Thanks for listening to Identity Radicals, brought to you by Veza, the identity security company.
To learn how to secure your organization's identity access, visit veza.com. Please leave us a rating and review, and subscribe to the podcast to get each new episode as they're released. See you again next time.