Serial CISO, Aaron Wurthmann Shares Insights with Den Jones

Speaker 1 (00:02):
Hello and welcome to Get It Started, Get It Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with 25 plus years security veteran, Aaron Wurthmann. Aaron’s work has covered industries from software to grocery, and he shares some important insights for living the life of a security practitioner. We hope you enjoy Den’s discussion with Aaron Wurthmann.

Den Jones (00:33):
Hey, folks. Welcome to another episode of Get It Started, Get It Done. I’m your host, Den Jones, and, uh, every episode we try and bring in some guests that have got some enlightening wisdom to share. Some good journey, some story of accomplishment, some magical leadership or strategy thinking. Uh, so this- this episode, we’ve got Aaron Wurthmann. So Aaron, why don’t you introduce yourself before I totally screw that up?

Aaron Wurthmann (01:01):
(laughs) Sure, and I don’t think you would, right? Um, I’m Aaron Wurthmann. I have 25 years of experience across multiple verticals, multiple, um, company sizes, multiple roles. I started as a practitioner and I built, uh, a career as a practitioner to- to leadership.

Den Jones (01:19):
Awesome, awesome. So… Well, let- let- let’s get started. Um, so you’re- you’re very active in the community. You are, um… I think you’re between roles right now. So if you were gonna get the ideal role, then what would that role look like, and- and what’s special about the- the role itself?

Aaron Wurthmann (01:40):
Yeah, I think what- what’s special about any of the, you know, standout companies that I’ve been at has been culture. Uh, for me, that tends to be where- where I do the most interviewing on my side, around the culture of that company. I think a- a good culture or a great culture at a company is one where everybody’s on this mission towards something, uh, and then there’s sort of this no-blame, um, you know, fast, hyper-growth, uh, mindset at that company.

Den Jones (02:08):
Yeah. No, that’s awesome. Oh, and I- I forgot to mention, so we’ve- we’ve known each other for a number of years. Why don’t you share for the audience, how- how did we meet, and, um-

Aaron Wurthmann (02:19):
Sure.

Den Jones (02:19):
… why- why would we even stay in touch? I mean, what’s up?

Aaron Wurthmann (02:21):
(laughs)

Den Jones (02:22):
What’s- what’s- what’s the value of that? (laughs)

Aaron Wurthmann (02:23):
So, uh… So- so we met, uh, when Marketo was getting acquired by Adobe. You were at Adobe, I was at Marketo. Um, and it was, I- I forgot what Adobe calls it, but I think they call it day zero, and day zero is when everybody at the acquired company, uh, gets their new laptop and gets, uh, their new credentials and gets logged into Adobe’s environment. Uh, you and I, uh, were there, um, in the back of the room as folks were getting onboarded, and we were helping troubleshoot on either side. Either, you know, Marketo’s side or Adobe’s side. Um, and, uh, we just started talking to each other, and I think as practitioners who became leaders, that really, um… That really gelled well with me and I think it gelled well with you as well.

Den Jones (03:11):
Yeah. It- it’s funny, right? ‘Cause we were… We were leveraging our zero trust platform as we onboarded and stuff and, um, I had never done an MNA like that before where we didn’t really connect the networks on day one. And instead, you’re like, okay, install some of this whizz, bang, magic, and then you can access all your Adobe apps and services and you’re good. And I remember… I remember troubleshooting stuff, and then I remember thinking, it’s a really bad when Den Jones is on a computer trying to fix some shit for someone.

Aaron Wurthmann (03:45):
(laughs)

Den Jones (03:45):
Like, how desperate are we getting when- when I’m, um- I’m on a computer doing desktop support? So I remember… I remember there was an air of, we just all rolled our sleeves up and we were all just jumping in to help the users. And it was- it was really, you know, a great accomplisment for us. Um, hundreds- hundreds of people that, that day or that week, were onboarding, and it’s like, holy shit. This- this- this zero-trust business might actually work. (laughs) So, uh, yeah.

Aaron Wurthmann (04:14):
Yeah, and you’ve touched on exactly what I was mentioning earlier, which is culture. Like, all of us rolled up our sleeves in order to get the job done, right? That, more than anything, is what I gravitate to when I look for my next opportunity.

Den Jones (04:25):
Yeah. Yeah, yeah. And- and you’re… I mean, you’re- you’re very active in the- the communities, like our local CIO or CISO communities and stuff. So what- what- what- what would you suggest to people who are aspiring C-level people, um, like, from a public persona perspective? How would you recommend people think of their persona, and how do they grow that? How do they grow their network? And why has… Why has that been important for you in your career?

Aaron Wurthmann (04:53):
Yeah. Uh, great question. So, uh, I think first and foremost is sort of leader mindset. When I say leader, like, lead. Like, literally inside of the word leader- (laughs) is lead, and lead also means, um, leading in thought. Being a thought leader, being an idea leader. And that is difficult to do if you’re standing in a room by- a room by yourself, right? So, getting out there, meeting other folks. As you mentioned, I’m a- I’m a member of three CIO communities and then three CISO communities. Um, I’m constantly out there meeting folks. I’m constantly getting, like, new ideas and thinking, how can I adapt this idea to my next adventure? Or how can I share this idea with my peers, or- or- or whatnot.

(05:35):
Um, those sort of things are key towards, uh, developing other soft skills as well, right? At the C-level, your- your primary job is influence and organization, right? So influence, you cannot influence if you do not have those soft skills of meeting somebody, you know, understanding what it is that they want out of the conversation or project or what-have-you, um, and then following that up, right? Um, so having those… Having those [inaudible 00:06:05] interactions, networking’s a great way of getting that. Uh, I think you just need to be a little careful about what networks you join. There are some networks out there that just want to sell you product, and we all want to stay away from those.

Den Jones (06:17):
(laughs) Yeah. And it’s funny, ’cause I’m a member of several of these as well, right? And, um, like, there’s a Slack channel with, like, 400 CISOs on it, and it’s like, holy shit.

Aaron Wurthmann (06:29):
Yeah.

Den Jones (06:29):
It’s very tempting for me to message everybody and be like, buy our shit, buy our shit. But the… But the reality is, is, I’m- I’m invited and privileged to be in that channel-

Aaron Wurthmann (06:41):
Yeah.

Den Jones (06:41):
… because of a- I’m a practitioner.

Aaron Wurthmann (06:43):
Yeah.

Den Jones (06:43):
So when I’m in that channel, I’ve got to be a practitioner, and very subtly, if people ask, like, what does that Banyan do, then- then, yeah, I’d love to share the- the- the journey, right? But-

Aaron Wurthmann (06:53):
It’s interesting-

Den Jones (06:54):
But I can’t abuse-

Aaron Wurthmann (06:54):
It’s interesting that-

Den Jones (06:56):
… the privilege.

Aaron Wurthmann (06:57):
Yeah. (laughs) It’s interesting that you mention that particular Slack channel. I think I know which one you’re talking about. I have seen people advertise their own stuff, uh, in that Slack channel, um, and so I am glad, uh, that- that you don’t. Okay.

Den Jones (07:12):
Yeah. (laughs) Yeah, and you know that I’ve had a lot of conversations with, uh, the guy who runs it and stuff and-

Aaron Wurthmann (07:17):
Yeah. (laughs)

Den Jones (07:17):
… you know, like, if we do… If we do, like, our games night, would I like to tell all those people and be like, hey, come to our games night? It’s rocking, it’s fun. Um, Aaron’s been three times already, you know. (laughs)

Aaron Wurthmann (07:28):
I’ve been three times.

Den Jones (07:28):
So-

Aaron Wurthmann (07:28):
This night’s awesome.

Den Jones (07:28):
Yeah.

Aaron Wurthmann (07:30):
Come to games night.

Den Jones (07:31):
Yeah. So it’s- it’s f- yeah. So… But- but I don’t do it because I- I’m self-promoting our company’s Kool-Aid at that point, really. Um, but yeah, it’s- it’s… I- I think you- you hit the- the nail on the head, right? It’s important to be community-focused, build your network. You can’t lead… It- it’s harder to lead when you’re isolated and you’re on your own. It’s easier to lead when you surround yourself with peers that you can leverage their- their experiences and knowledge, and likewise, you can share yours and they can leverage that. Which, I- I think, for me, it’s like, I like to surround myself with people who are like-minded in the sense of, they’re driven, they’re hungry to learn more, they get shit done. Like, for me, I- I walk away from people and relationships where I just think they’re full of lip service and they don’t get shit done. I- I like to be in the group that, you know, accomplishes stuff and you’re kinda proud of what you accomplish or your team accomplishes more than- more than anything, right?

(08:40):
So, awesome. Now, when y- people in your life, your circle, they’re not all technologists. So how do you describe your job to people who have no idea what the tech, security, cyber, or IT is?

Aaron Wurthmann (08:55):
Wow. So lately, because of one of the hobbies, which we’ll- we- maybe we’ll get into, one of the hobbies I’ve been gravitating towards lately is puzzling. I do a lot of puzzles, right? And so, uh, I tend to use these- these analogies with puzzles a lot, when I’m explaining to non-tech peop- people what it is I do, right? So, uh, non-tech people o- often get sort of hung up on many of our acronyms that we use for building a framework, right? Whether it’s NIST or whether or not it’s ISO, or like, whatever it is, right? And so oftentimes I’ll say something along the lines of, look, I come in and I- I build a framework around what it is that, uh, the organization’s gonna do. What is a framework? Well, we all have done puzzles, right? “Yes, we’ve done puzzles.” Well, when you’re building a puzzle, you tend… What’s the first step you take? So what’s the first step you take when you’re building a puzzle, Den?

Den Jones (09:47):
Uh, depends on the puzzle, but if it was a jigsaw, I’m gonna find those little four corners.

Aaron Wurthmann (09:52):
Right, right. So you start with the four corners, then you build the edges out, and then you sort of work towards the center. Maybe you stack colors or whatever it is, right? But that’s a framework.

Den Jones (10:02):
Yeah.

Aaron Wurthmann (10:02):
W- what we’ve just… What we’ve just described here is a framework. Build the corners out, build the edges out, find like colors, build- build towards the center for real puzzle. So that, when I’m explaining, like, what a framework is and what my style is, I tend to gravitate towards these very, very non-technical, um, you know, jigsaw puzzle, uh, analogies.

Den Jones (10:27):
That’s awesome. Now, um, when you talk to the board… And again, this just goes… So for me, a lot of our career is the art of communication, right? So… And you mentioned this earlier about being audience-focused.

Aaron Wurthmann (10:41):
Mm-hmm.

Den Jones (10:41):
When you’re having a conversation with the board, who, some may or may not be more technical, right, how- how- how do you explain to the board when you’re making progress or what good looks like from an ITR security perspective?

Aaron Wurthmann (10:57):
Yeah, it’s really gonna depend on the topic, but I’ll- I’ll pull out one from security real quick, um, because I’ve- I’ve done this a lot where you’re in front of the board, either on a committee or full board, et cetera, um, and you’re- and you’re trying to articulate what your- what your risk is to the company, what the cyber risk is to the company.

Den Jones (11:13):
Mm-hmm.

Aaron Wurthmann (11:15):
And so, um, there’s a number of different ways of doing that, but my favorite way of doing that is to compare yourself to your peers. Um, also, to, uh, compare yourself to… When I say peers, I mean companies that are your size, your maturity level, maybe your revenue level. Something like that. Um, a lot of that data’s sort of readily available. Uh, and then another way is to compare, uh, a number of metrics sort of rolled up into one and calling that risk, right?

(11:42):
So the metrics that I like to roll up and call risk would be something along the lines of, vulnerabilities found and acted upon within seven days. Critical vulnerabilities found and acted upon within seven days, right? That’s… That’s [inaudible 00:11:55]. Um, number of, um, you know, third party, uh, databases scanned or third party repositories scanned. That’s a number, right? So you roll all these numbers up into one and you articulate it in a way to the board, as an easily digestible number of, this is our risk score. We’re- we’re in the red because of these other metrics. Or we’re in the green because of these other metrics.

Den Jones (12:24):
Yeah, and it’s- it’s… I mean, I think it’s funny because everybody l- gets the traffic light or the out of 10 or the whatever. Having the narrative that explains the why the score is, having the narrative that says, how did that compare with the previous quarters-

Aaron Wurthmann (12:42):
Yeah.

Den Jones (12:43):
Are we t-… Are we trending the right way? Um…

Aaron Wurthmann (12:46):
Yep, ye.

Den Jones (12:47):
And then the other thing… The other thing is, is a lot of execs are under pressure to save money and reduce cost. I mean, security and IT, they’re not exactly profit centers. So when you’re dealing with cost reduction conversations, do you have any good strategies over the years that you’ve- you’ve applied there?

Aaron Wurthmann (13:06):
Yeah. So I… There’s one that, like, I think we- we’ve forgotten in these later years, and that is that the- the cost of protecting something should not cost more than the item itself, right? I have seen people spend millions of dollars-

Den Jones (13:19):
Yeah.

Aaron Wurthmann (13:20):
… on something, on a company, on- or on a project or whatever, that if- if, you know, knock on wood, it were- it were to be exploited or- or compromise, would only lead to $500,000 lost or, you know, some number less than-

Den Jones (13:35):
Yeah.

Aaron Wurthmann (13:36):
… than protected. So one… Like, one, you have to start there.

Den Jones (13:38):
Yeah.

Aaron Wurthmann (13:39):
And that is like… That is rudimentary between all info sect people know that, and I think we’ve forgotten that. So we really got to steer towards that. And then… And then the other thing is, um, understanding the business’s risk. Period. So as a, like… Let’s just say as a fresh startup, you don’t even have a customer yet, you may… Your risk tolerance may be so, so high because you don’t have a customer yet. You have nothing to lose, right? And so that-

Den Jones (14:11):
Yep.

Aaron Wurthmann (14:12):
Fitting that, um… Fitting, like… Having crazy controls over a- an environment that tolerates high risk doesn’t make sense. You have to tie your security program to the risk tolerance of the business that you’re at. Period. Um, and people… And we just forget that.

Den Jones (14:31):
Yeah. Yeah, it’s funny. I… Yeah, I’ve always… I mean, s- exact same thing, but said slightly different is, uh, I’ve always said the- the cost of preventing the bad outcome-

Aaron Wurthmann (14:43):
Mm-hmm.

Den Jones (14:43):
… shouldn’t be higher than the bad outcome.

Aaron Wurthmann (14:46):
Yeah. (laughs)

Den Jones (14:46):
I mean, it’s- it… It is a no-brainer, right? You’re like…

Aaron Wurthmann (14:49):
You-

Den Jones (14:49):
And- and I have- I have-

Aaron Wurthmann (14:51):
You would think so. You would really think so, but I- I’ve seen some stuff and some things and some tools sitting on- sitting on shelves, and I’ve been like-

Den Jones (14:58):
Mm-hmm.

Aaron Wurthmann (14:58):
… that- that tool cost money you’re letting sit on a shelf.

Den Jones (15:01):
Yeah, tool… Yeah, technology [inaudible 00:15:03]. I do remember once in Adobe, in the security organization, we’d done a tools assessment, and I think it was 1.5 tools per employee in the security team.

Aaron Wurthmann (15:14):
(laughs)

Den Jones (15:15):
And you’re like, so first of all, you know with… You know with that number, you’re not deploying any of the tools to get the full value out of the tools. Then you also know that if you’ve spun up problems, uh, programs like vulnerability management or whatever, whatever, um, you’re- you’re probably- you’re probably not achieving the value that you set out to. And then going back to the spend, it’s like, a lot of people spend the money on these things without actually asking that first question, which is, what is the cost if shit hits the fan here? And they just go straight to, I’ve been asked… I’ve been asked to build a vulnerability management program, so therefore.

Aaron Wurthmann (15:56):
Yep.

Den Jones (15:57):
And they just go spend money and it’s like, almost like, hey, to do a vulnerability management program right, the book says… And then it’s like, right, okay. Well, the book says I need to do these 10 things. Well, let me do these 10 things and I need five staff, and- and before long, your vulnerability management program’s so bloody expensive, but slow and not really achieving any value.

Aaron Wurthmann (16:16):
Yep.

Den Jones (16:17):
Um, and I’ve… And we’ve- we’ve all been there, you know?

Aaron Wurthmann (16:19):
Yeah.

Den Jones (16:19):
So, yeah, it’s- it’s-

Aaron Wurthmann (16:21):
And- and then along those ways, I can almost guarantee you that the scenario you just described, that that vulnerability, uh, management, uh, program doesn’t match the company’s risk tolerance, right?

Den Jones (16:33):
Yeah, yeah, ex-… Yeah, exactly. And- and it is funny because, since, uh… I mean, and since I’ve been more involved, uh, at the executive level in the security space, I think every company, every CEO, every board, when they say security’s part of our culture, I think- I think really, it’s all lip service, generally speaking, because I think if they could spend zero dollars on security and get away with it, I think most CEOs and boards would spend zero dollars. They spend the money because they don’t want to be in the news.

Aaron Wurthmann (17:10):
Right.

Den Jones (17:10):
They spend the money b- because, in some cases, it’s compliance-

Aaron Wurthmann (17:15):
Yep.

Den Jones (17:15):
… is forcing them to spend the money. Um, but ul- but ultimately, most people, like your car insurance, cyber spend is like your car insurance. Most people think it’s never gonna happen to them.

Aaron Wurthmann (17:28):
Mm-hmm.

Den Jones (17:28):
They think their employees are wonderful people and they’ll never steal the data, right? Um, or they- they think they’ll never click that link. And unfortunately, you know, social engineering’s so good these days, and with AI it’s only gonna get better, um, employees are gonna click links because they’re so- they’re so intelligently done these days. A lot of the- the campaigns are just flawless, you know? And they- they’re gonna get more personalized at scale with AI. So it’s gonna be fun.

(17:58):
Now, outside of work, um, hobbies. What- what kind of hobbies have you got? And then we heard about the puzzling, right? So I’d love to hear the hobbies, but I’d also love to hear, what is it that you learn during the journey of these hobbies that you bring into your professional life that benefits you?

Aaron Wurthmann (18:16):
Yeah, so first we’ll talk about puzzling and clear that one. Uh, what I brought in is- is, like I said, describing frameworks or describing complex problems and then using puzzle analogies for it. Um, number one is- is, uh, sourdough. So, um, over, uh- over a time period, somebody gave me a pizza- a pizza oven. Um, I started with the pizza oven, started making pizzas, and then I was like, you know what’d be even better than, like, just normal pizzas that everybody makes? Sourdough pizza. So then I got into- to making sourdough.

(18:47):
Um, there’s a lot of just little tie-ins with just having to tend to your sourdough every day, um, that- (laughs) that I think have, like, direct, like, career tie-ins, right? Like you have to feed your career. You have to feed your sour- sourdough, right? Um, you know, don’t let things get too cold. Don’t let things get too hot. You know, just those sort of-

Den Jones (19:08):
(laughs)

Aaron Wurthmann (19:09):
Those sort of analogies. I’m gonna, at some point, post a LinkedIn article about it. But, um, there’s absolutely a lot of things that I bring in to… Basically, like, it’s a little life-form live- living on top of your countertop that you have to keep track of-

Den Jones (19:22):
Yeah.

Aaron Wurthmann (19:23):
… and makes it’s in the ideal environment. Kinda like a dog.

Den Jones (19:28):
And then-

Aaron Wurthmann (19:29):
But dogs bark and [inaudible 00:19:30].

Den Jones (19:30):
Yeah, your sourdough doesn’t bark, huh?

Aaron Wurthmann (19:32):
Yeah.

Den Jones (19:32):
I mean, it- it… So it’s really the fungus, right? You’re just kinda nurturing and- and keeping that culture going, right?

Aaron Wurthmann (19:38):
Yep, exactly. Keeping the culture going. I like it.

Den Jones (19:40):
Keeping the culture going, man. That’s- that- that’s for the, uh, bring it back to the office.

Aaron Wurthmann (19:44):
(laughs)

Den Jones (19:44):
And then, um, you know, so you and I, we’ve connected a lot socially. Um, we- we both like good beer or- or good drinks. We both like good food. We both like music. Um, so let’s dig into this music thing. You, um… You- you’ve been into that. Oh, and then you’re also into the tagging scene a while ago, right?

Aaron Wurthmann (20:07):
Yep.

Den Jones (20:07):
When you were a young kid.

Aaron Wurthmann (20:08):
Yep.

Den Jones (20:08):
So I… How does… How does that kind of music, artistic culture flair, how d- how do… How does that play into your professional life? Like, what… What have you learned over the years that helps you there?

Aaron Wurthmann (20:19):
Yeah, so I think just creative mindset, right? I think… I think a lot of the times… So, uh, you know this and, uh, I… Other- other people know this as well. I also code as a hobby, too. Right. Like, a lot of my code, you’ll n- never see the light of day. But I do it. Uh, maybe I’ll help somebody out with a project or maybe it’s just a personal project I want to work on or whatever. And what I have found is that that is tapping into my creative mindset, right? So this… Back in the day, I was a- I was a graffiti artist, um, and then that sort of, uh, creative outlet is gone now as a professional. So, um, I- I’m coding, and oftentimes it’s a new idea. Oftentimes, it’s something different or we’re doing something in a different way, and I’m definitely tapping into that creative mindset.

Den Jones (21:04):
Yeah.

Aaron Wurthmann (21:05):
Um, music still plays into that, right? When I’m coding or when I’m doing… Even when I’m doing PowerPoint slides for a board or- or for a, uh, networking meeting or whatever, I have music on. It is your- your typical, um, you know, boots and cats beats going on, um, just to- just to keep me focused on what it is I’m working on.

Den Jones (21:27):
Yeah, it’s… Yeah, it’s funny for me ’cause I- I- I write music and I cook and those are creative- creative outlets. Um, and then certainly, when- when I’ve been in stressful situations professionally, then those outlets really, really help. And they’re also two outlets which are, I think, social. So they’re very social. And I think us, as leaders, uh, cyber guys, it’s a bit hard, right? Sometimes you get the total nerds that, really, they’re more introverts and they don’t want to socialize, and then you get the leaders who are highly sociable, like me and you, and- and we see that as- as another creative outlet. But also, you know, it’s great to meet people. It’s great to learn.

(22:11):
Um, now, as- as we start to wrap up, um, it’s funny, I got- I got this book here. Um, I don’t know if you can all see this. Uh…

Aaron Wurthmann (22:23):
(laughs)

Den Jones (22:23):
Now, it’s- it’s funny. So Carlos gave me this. Carlos on our team, he gave me this book, and it’s- it’s- it’s really literally like a password manager. Um, I can write it all down. Now, password lists and device security and all that kind of stuff, as you know, that’s a- a big Banyan- big Banyan business. Um, but where- where do you see… Where do you see the world going when it comes to things like passwords and authentication and just that side of user security?

Aaron Wurthmann (22:57):
Yeah. So first, let’s- let’s touch on the p- uh, the threat factor of that password book you have there.

Den Jones (23:04):
(laughs)

Aaron Wurthmann (23:04):
Right, so a lot of our security, uh, colleagues would tell you, oh my gosh, don’t write your passwords down in this book. This is gonna l- lead to ruin for you. But let’s- let’s talk about the threat there, and the threat is, somebody broke into your house- (laughs) circumvented your alarm system, circumvented your, you know-

Den Jones (23:24):
Cameras.

Aaron Wurthmann (23:24):
… your cameras, all of that, and then picked up the book and got out of the house by the time the cops arrive. Like, that’s… That’s- that’s a pretty, like… I don’t know. I don’t know.

Den Jones (23:35):
Yeah, yeah. It seems… It does… It does seem like… And the good thing is, at the start of the book, you’ve got a bit to write your name, your name, your email-

Aaron Wurthmann (23:42):
Yeah.

Den Jones (23:42):
… and your phone number, too.

Aaron Wurthmann (23:43):
(laughs)

Den Jones (23:44):
So not only would they have the passwords, they’d have the phone number for my SMS second factor if I was using that, as opposed to, like, a push or something.

Aaron Wurthmann (23:53):
Right, yep.

Den Jones (23:53):
Um…

Aaron Wurthmann (23:54):
But- but back to your question on- on where we’re going, like, password list is absolutely where we’re going. Um, I think we can’t get there fast enough. I think there’s some hurdles that we need to get over first, and one of those is, you know, matching- matching your passwords to your offline access. Basically like, logging into your laptop when it’s not connected to the internet. How does that password, because your laptops still asks for a password. How does that synchronize with your- with your corporate passwords, and so on and so on? We’ll get there.

Den Jones (24:23):
Yeah.

Aaron Wurthmann (24:23):
Uh, it… We’re just gonna have to go through these- go through these struggles until we get there.

Den Jones (24:29):
Yeah, and it- it seems… It seems like Apple and Google and other- other companies, they’re- they’re really pushing hard on- on password lists. Um, Banyan 2019, I think in our- our platform was password lists at that point. Um, and it’s- it’s interesting though because, really, you’ve got the, how do you log onto the device locally, and then how do you leverage that to pass through to get to an enterprise password like single sign-on or stuff like that. And I hate those terms, but- but it’s- it’s certainly a journey that I think is long overdue, and it-

Aaron Wurthmann (25:05):
Oh, yeah.

Den Jones (25:05):
It’s exciting because a lot of companies, in recent months, have taken some big steps in that direction, so that’s cool. Um, give us one thing that scares the shit out of you from a cyber perspective, that keeps you up at night, that you’re like, oh my God, this is… This is the biggest problem in my new role. This is… This is a thing I need to worry about.

Aaron Wurthmann (25:28):
Yeah, I mean, I hate to jump on the AI bandwagon, but AI. Right? Like, and you touched on it earlier, and that is starting to use AI for social engineering campaigns. Right now, there’s- there’s sort of… There’s an army of folks in, you know, d- in East Asia that will attack folks as part of their business. But those businesses are always looking for ways to cut costs.

Den Jones (25:54):
Yeah.

Aaron Wurthmann (25:54):
As those businesses, again, these social networking, hacking, bad actor businesses, lean more and more towards AI, the AI’s gonna get better. It’s gonna get better at trapping us normal humans, and before you know it, Skynet. So, absolutely, uh, AI right now.

Den Jones (26:12):
Yeah, yeah. I- I think it’s… Uh, we, um… I mean, we were both just at RSA, right? And I- I certainly s-… I certainly saw the theme, um, and- and people talking about being concerned about it. Did- did you… So RSA this year, I mean, for me it’s more of a social gathering.

Aaron Wurthmann (26:31):
Yeah.

Den Jones (26:31):
Um, I always think of it, like, as a bit of a vendor shit show, where you walk around that expo and it’s just inundated with more vendors and more vendors. One person said to me, and I’d love your observations on this, but one person said to me they’d never saw so many big vendor booths, like, where they easily spent a quarter of a million dollars on that booth and getting that shit there, but a company you’d never heard of. So there was these big vendor booths and I’m like, I’ve never heard of these people and I’ve been in this industry forever. So where did… Where did they come from, and- and decide to spend so much money? And you know, that fascinated me. I was just… And- and it was one of my friends that I bumped into and she called it out, and I’m like, holy shit, you’re right.

(27:18):
Well, I mean, so what- what was your take on that, and what’s your take on the RSA in general?

Aaron Wurthmann (27:22):
Yeah, so, um, like you, RSA for me, is a- is a so- social, uh, event and I bounce around from one party to another. Um, always going to game night. Another- another plug for that.

Den Jones (27:33):
(laughs)

Aaron Wurthmann (27:33):
Um… (laughs) But, uh, vendors. So, uh, big vendors. Um, big booths, like you said, of vendors I’ve never heard of. But really, what caught me off guard was that the aisles were so packed. Like, the general aisles, other than, you know, the- sort of the outskirts around- around the booths, they were so packed that you really couldn’t navigate your way through them without rubbing your shoul- shoulders with somebody.

Den Jones (28:00):
Yeah.

Aaron Wurthmann (28:01):
And they were so packed that there was sort of a queue for people who wanted to talk to people in that booth. Right?

Den Jones (28:09):
Yeah.

Aaron Wurthmann (28:09):
And so, um, I’m line-adverse. I- I- I rarely will stand a- in a line for anything. I’m certainly not gonna stand in a line for somebody to sell me something. So that was a… One of my observations was that there was, in fact, people standing in line to- to talk to vendors, and for… On RSA’s, um… For RSA, that’s great. Right?

Den Jones (28:28):
Yeah.

Aaron Wurthmann (28:28):
That’s great that they had the turnout that they turn- that they had. It’s great that they had the engagement that they had.

Den Jones (28:35):
Yeah, and I- I think, as well, so, like, between the expo halls and- and the- the speaking conference rooms and stuff, but then a lot of the business dealings are done outside of the Moscone, right? A lot of them are at that hotel bar. And I saw, like, the normal hotels were also super packed during the day-

Aaron Wurthmann (28:54):
Mm-hmm.

Den Jones (28:55):
… and at night. Um, so for me, it was great to see the numbers back up. I always tell our team, I’m always like, you know, I’ve never went to a conference and saw something, then suddenly thought, I need that. I must buy it. Normally… Normally, tho- those are good for visual awareness or I can get some insight, or my- maybe my team does. Um, but ultimately, I- I… Like, I don’t… I don’t see the spend. Like, at these mega-conferences now, people are spending millions of dollars on their booths and stuff, and- and sometimes it’s like, f- you know, flashing how brilliant and rich the company is-

Aaron Wurthmann (29:35):
Yeah.

Den Jones (29:35):
… and they’ve- they’ve got- got a great booth. It doesn’t necessarily mean they got great technology. So-

Aaron Wurthmann (29:41):
Right, right.

Den Jones (29:41):
Yeah.

Aaron Wurthmann (29:41):
Well, let… But let’s hope that RSA sticks with it. I would hate to see it go away like E3, right?

Den Jones (29:46):
Yeah.

Aaron Wurthmann (29:47):
I think… I think, you know, E3’s the act- the opposite story where each one of the big vendors decide if they’re gonna have their own conference, and they pulled away from the big conference of E3, and poof.

Den Jones (29:57):
Yeah.

Aaron Wurthmann (29:57):
It’s gone now, right?

Den Jones (29:58):
Yeah, yeah.

Aaron Wurthmann (29:59):
So, um, I love the social aspects of RSA. I really hope they continue.

Den Jones (30:05):
Yeah, and I do think, yeah, I mean, for me, um, it’s… O- one thing, you know, San Francisco’s got a bit of a- a mess in recent years, especially during COVID, and the economy and stuff. So I- I’d love the city to be more welcoming and clean and available and stuff. Other- otherwise, I’d fear that RSA will probably end up in Vegas like everything else.

Aaron Wurthmann (30:28):
Yeah, yeah.

Den Jones (30:28):
‘Cause I don’t see the conference going away, ’cause I think it’s a bit of an institution, but I certainly think, like, which city they host it in is- is- is, you know, something to be thoughtful about. But- but I love San Francisco. It’s a great city, so I’d just love some of the issues to be-

Aaron Wurthmann (30:46):
Yeah. (laughs)

Den Jones (30:46):
… get cleaned up a little bit better, you know.

Aaron Wurthmann (30:48):
And they had it-

Den Jones (30:49):
Um…

Aaron Wurthmann (30:50):
… fairly clean for RSA, anyway.

Den Jones (30:52):
Yeah. Well, I’ll tell you, it’s funny ’cause we’ve got our office, uh, on Minna Street, right, and every week when I’m up there, you can see, like, there’s a lot of street cleaning going on. There’s… There’s, you know, a lot of services and stuff that are really trying to make it better. So I- I- I- I- I see that they’re making an effort. Um, I just… I’d like to see it a little bit better sometimes, ’cause I walked from my hotel to the conference, and that walk was not a pleasant walk. I mean, that’s… You’re- you’re stepping over people in the streets and stuff, so…

Aaron Wurthmann (31:24):
Right.

Den Jones (31:25):
But it’s getting… It is getting better. T- touch wood, um, they- they keep the investment in the city, um, ’cause it’s good to see the city start to come back to normal, ’cause it’s a great city. Um, now, as we wind up, what would be one piece of career advice you would give to somebody who’s early in career, just in the industry? Um, what’s t- what’s that one bit of magic you can share with those kinda people?

Aaron Wurthmann (31:54):
Yeah, I think, um, for those starting off maybe a year or less than a year of experience, uh, learn. Do not stop learning. Don’t- don’t let your career, your current jobs, you know, sort of stop you or put a roadblock in front of you. Keep learning no matter what, right? Learn as a hobby. Um, that certainly served me and it certainly has served, um, the folks that, um- that I’ve mentored as well.

Den Jones (32:21):
Yeah. Yeah, no, that’s awesome. Yeah, I- I’ve asked that question of a lot of people, and there’s a theme, right? The theme is, just ’cause you got in the door does- doesn’t mean that you- you’ve done it, right? You’ve- you’ve just… You just got in the bloody door. You got to prove yourself and that takes- that takes a lot of work, you know.

Aaron Wurthmann (32:37):
Yep, and so-

Den Jones (32:37):
Um…

Aaron Wurthmann (32:38):
So a follow-up to that, I’d say, um, I- I do see a lot of folks being in their- their current job, whatever their job, maybe it’s analyst or whatever, and then stopping ’cause they feel like there- there’s a roadblock in front of them. They feel like there’s a cap in front of them or they feel like they can’t do something. And so I- I would just challenge those people to do it. (laughs)

Den Jones (32:57):
Yeah, yeah.

Aaron Wurthmann (32:58):
Whatever it is. Um, break through that barrier and then see whether or not it- it served you.

Den Jones (33:05):
Yeah, and you know, the… I think the- the thing is, is, I- I- I tell people, like, we never work together forever.

Aaron Wurthmann (33:12):
Yeah.

Den Jones (33:13):
At some point in a- a relationship, a business relationship, I’m gonna get a new job or you’re gonna get a new job. Um, the- the- the- the longest I’ve probably worked with people is probably Carlos, who’s- who joined, uh, Banyan as well, and he was with me at Adobe, then Cisco, now Banyan, and we’ve been working together for God knows how many years, but it’s a long time. So, um, maybe… Maybe there’s slight exceptions, but you know, we- we’re not in the same arc at Banyan. Um, so I think the thing is, is you’ll never work together forever. While you are working with a leader, learn- learn what you can from them, and- and recognize there’s things that they’ll do that you like and things they do that you don’t like. And you know, you don’t… You don’t need to adopt all the shit that they do. But you know, there’s some stuff that you’ll learn and you’ll take onto- on with your career.

(34:07):
So, Aaron, hey, thank you very much. It’s always a pleasure to catch up. It’s always better to catch up in person, which I know we were gonna do, but after RSA, I think I’ve drank enough alcohol, um, to- to- to probably sink a small- small village, you know.

Aaron Wurthmann (34:24):
(laughs)

Den Jones (34:25):
So I don’t want to be… Yeah, I don’t want to be that guy that’s like, let’s do another happy hour. Although, I do believe we have one next week, so… (laughs)

Aaron Wurthmann (34:34):
We do have one next week.

Den Jones (34:36):
And then, oh, are you gonna be, uh, at Black Hat Def Con this year? Is there [inaudible 00:34:41] catch up?

Aaron Wurthmann (34:42):
Debating. Um, yeah, yeah. Um, count on not, but, um, if, um… If some things line up in- in my career path, then yes.

Den Jones (34:50):
Yeah.

Aaron Wurthmann (34:50):
But count on not.

Den Jones (34:51):
Well, I’ll- I’ll definitely be there. For me, that’s… Def Con’s like my favorite-

Aaron Wurthmann (34:55):
Yeah.

Den Jones (34:55):
… favorite event of the year, really. So I can’t h- I can’t help myself.

Aaron Wurthmann (35:00):
No.

Den Jones (35:00):
So, hey, thank you very much, Aaron. Always a pleasure. Uh, thanks, folks, for spending some time with us today. Uh, this is Get It Started, Get It Done. I’m host, Den Jones. Aaron Wurthmann, always a pleasure. Thank you, sir.

Aaron Wurthmann (35:16):
Thank you.

Den Jones (35:16):
Take it easy.

Aaron Wurthmann (35:16):
Bye-bye.

Speaker 1 (35:16):
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at BanyanSecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track Summer Silk and all their music at UrbanPunks.com.

 

Close Transcript