
Ten-second security tip, go! So, this one's for the vendors, for the first time; typically it's for the folks in security. But if you want to truly, successfully sell to a CISO, get inside their mind. They tend to be very inquisitive, fascinated by different ways of looking at things, shiny objects. Don't drink your company's Kool-Aid. Come up with really awesome, innovative ways to pitch and present what you sell to them to grab their attention.

It's time to begin the CISO Security Vendor Relationship Podcast, recorded in front of a live audience in San Francisco.

Welcome, everybody, to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the producer and co-host for this show. Sitting to my immediate left right here, that is Mike Johnson. He is my co-host for the show; you probably recognize him. We are available at CISOSeries.com. We're also on Reddit, on the CISO Series on Reddit, which I don't say enough. Our sponsors for today's episode, which you can see on this gigantic screen behind me, are CyberArk and Vulcan Cyber. You're gonna hear a little bit more about them later in the show. And we're recording right now in front of a live audience in San Francisco. Prove it to them!

All right, this episode, as I said, is gonna drop March 3rd, so people listening to this will be on March 3rd or later. That happened. But I also want to mention, if anyone is going to be in Boston or New York next week, we are doing live shows in New York and in Boston on the 3rd and the 5th, so please come out to those; information is obviously available on CISO Series. But I want to mention one quick thing here before we really jump into the meat of the show. Mike, I got this from Nir Rothenberg of Rapyd, and he sent a pitch that he received from a vendor that began, "I saw you're connected to Mike
Johnson and David Spark on LinkedIn. We're fans of their show here." I have received many of these, where people are using our show as a means to pad a pitch. I am totally cool with that, so I think that's awesome that's happening. And by the way, please feel free to plug us in any pitch that you make to a potential CISO. We're all for it. Or to just anyone, randomly. Yes, we need more listeners. All right, to my far left over here, sitting at the table, you heard at the beginning of the show that she is our guest, and she's been a guest on this show before, but this is the first time
for a live show. Please, a warm round of applause for the CISO of MailChimp, Olivia Rose.

How to become a CISO

We often get the question of how do you become a CISO. Let's have that discussion, but move it to the actionable. Let's start today's advice. So, what could any individual do right now, and I'm going to start with you, Mike, to develop the skills to be a cyber leader and make it clear to management that's what they're gunning for? I think one of the important things is to not start too soon. So I think if you're very early in your career, saying "I want to be a CISO" is a very easy thing to say, but
you're still early on in your career, so explore around a little bit and don't make that commitment. You can do amazing things in a security team as an individual contributor; you don't have to be the CISO. That said, if you want to be a CISO, if you've made that decision, if you're on board, what I would really say is being a generalist is really important. You know, Peter Liebert in a previous episode of the podcast was really talking about how being a generalist and having a lot of exposure in a lot of areas in security came in really handy for him when he finally became a CISO. So that's one of the
pieces of advice: try other areas of security other than what is your go-to, other than what your well-known background gives; try and learn other areas. That said, I also think the people who are coming from an operational side, coming from incident response, I think there's a lot of opportunity to turn those skills into leading a security team. You're baked in reality; you've seen what's happening; you know what's going on. It'll really help you in that role. So that's another thing: incident response is good. Get that broad experience and try multiple areas. All right, hold that. Let's move over to Olivia. Are there specific things anyone in this room could do to start to demonstrate to
themselves and to others, "I'm ready to serve, move up the leadership ladder"? Yeah, absolutely. Can I agree with what Mike said? You've got to know how to fit all the pieces of the puzzle together at a 10,000-foot view. But what I've learned as a CISO is that you cannot have enough interpersonal skills. You've got to work with other teams and know how to persuade and influence. So I would say don't just focus on your technical skills, but start taking classes and start working on building relationships with other teams and stakeholders, because that is desperately necessary as a CISO, or else you get nothing done. All right, so what I want to ask
specifically: what did the two of you do? Were there things that you did, you know, consciously saying, "Oh hey, I want to be a CISO, I want people to start respecting me as a leader"? Were there conscious decisions that you made? So when I was starting to make that decision, I was very long into my career. So I was at Salesforce at the time, and Salesforce has great leadership training opportunities, so for me... You got lucky and fortunate, man. Well, I sought those classes out. So not a lot of companies are as deep in education as Salesforce, but you can go and enroll in those courses. Many companies will have educational grants or whatever as part of your benefits
that you can then go and spend and learn. Don't spend all of those monies on the latest cool security class; spend some of those monies on that leadership training. But you can go and get, you know, even at community colleges there are classes out there on that. Seek them out and use some of that muscle. Olivia, did you take any leadership classes yourself? Oh, this sounds really egocentric, but I actually didn't need to. [Laughter] Wow. No, I came from advisory, I came from consulting for 17 years, and from management, so I already had that. What I needed was more technical knowledge, so I had the flip side of what Mike
came from. So look at where you're at and where your strengths are, and pick up whatever the gaps are. And I'll say, if you are in consulting, it is a great career move to move into CISO-dom, because you've seen a lot of bad situations, and it's a great move for you. All right. Actually, one quick question: isolate one thing that you learned from your classes that you would literally have carried on to today. Like, we've both taken these management classes; did you, Mike? So I think a lot of them were really around team-building and getting a group of people working in
a direction. That's especially challenging in the security world too: "This is the direction we need to all head, here's why, here's the advantage." And so I really think that the team-building and that guidance of a team, those courses were the ones that were most useful.

What we've got here is failure to communicate

So, if all vendors stop sending cold emails, yes, which is what we constantly hear CISOs say, like "right now they should," how should vendors spend their time and money instead to greatly improve their success? So I'm gonna ask the two of you to play the role of the vendor. What would you do to get to you? And I'll start with you, Olivia. Please
stop sending cold email. We've assumed we're already in this courtroom. Now, the next step, okay, what would you do to get to you? The effort is... there is another Olivia Rose, your clone, on some other planet, okay, and you want to sell some security solution to her, okay? What is your technique? Understand this business is all about trust. So that comes in the form of trust in products, trust in services. I only use companies where I know somebody that I trust. If Mike says on one of the CISO Slack forums that XYZ company is great, I will go buy it, or at least look at it. What did you buy right off of a Mike recommendation?
Contemplate it. So instead of the cold emails, spend that time looking at ways to build out your relationships based on who you have in common. LinkedIn does that for you; ask for the introduction. Don't be, you know, a nag; don't just keep reaching out cold. Just ask for that introduction. Be at these events. There are so many salespeople who don't come up to us at all, but if you do, it's welcome, as long as you don't talk business right off the start. Build that relationship, trust, and that is how you get in the door. You would agree with this? Sorry, I would. And do you have anything to add? Probably. So in general I look at things as long
games, and I think this is one area where it pays to build those relationships, to build them with either the CISO who you're trying to sell to directly, and recognize that you're not gonna get that sale right away, or working with their other peers. Work with your advisors, work with people that you already have a close relationship with, and they will help you in those other areas and help you further build those relationships, where you are more respected and where you have that reputation. One of the other areas that I would say is, and honestly this is not pandering to this audience, but these community-generated, community-run security conferences: get in front of these, sponsor these
conferences, present at these conferences. RSA is fine, whatever. I guarantee you it's not only cheaper to sponsor here and participate here, but it's also more impactful. And there are BSides events all over the place; there are other community-generated security conferences. Show up to those, keep showing up to those, and then when people go and look for a widget in your area, they'll know your name and they'll reach out to you and have that conversation. I'm gonna throw this out again, and we did a similar question like this, Mike, and you blew the softball yet again: the other option is to sponsor this show. I just want to throw that out as another option. But
I think actually one of my main concerns with that recommendation that Mike made, which by the way is excellent, is the measurability of it. And these vendors don't feel they know how to measure something like that and therefore determine how successful or not successful it is. But I'll jump on that right away and say they can measure the number of badges that they scan at RSA, but that still isn't telling them how effective that is. I think I agree so wholeheartedly, and I believe that the main source of the problem, of this sort of vendor-CISO conflict, is incentive structure. I truly, truly
believe that. So my question is, how then? And I think a lot of people will be like, "Okay, I'm on board, how do I measure exactly what you guys talked about?" I think you have to basically back-load your measures, right? Recognize that a new salesperson, a new account exec, that they've got new territory or whatever, you have to give them time to build up the relationships rather than trying to manage and measure them right away. Give them that time, give them that runway, and then you'll find out over the year the dollars that they generate are greater if you were giving them that runway. So I think a lot of the measures are still similar, but you just phase. You
agree? I do agree. It's not about the number of badges; it's about the number of responses back that are warm, that are positive. So many countless cases, I've met someone, got along great with them in California. They say, "Hey, I'm in Atlanta for coffee." Great, if you're coming up to where I'm at, so I don't need to go very far, then we'll meet for coffee. And I do want to say one thing about these events like this: it says a lot that you're here on a weekend. It means you have that added love of security, and that's what we look for. So just being here puts you ahead of the rest.
Who's our sponsor this week? It's Vulcan Cyber. They're one of two of our sponsors, and let me tell you about them. You know, in vulnerability management, our goal, Vulcan Cyber's goal, is clear: find vulnerabilities. Or actually it's not just Vulcan Cyber's; everybody's goal is that. But identify the most critical ones and fix them. While there are plenty of tools for detection and prioritization, when it comes to remediation we seem to hit a wall. How could it be that with all of these new tools and technologies we still can't seem to remediate our vulnerabilities on time? Now we can. Introducing Vulcan, the vulnerability management platform built for remediation. Pioneering a remedial orchestration approach, Vulcan takes
threat and vulnerability management beyond prioritization. The platform enables effective remediation in three steps: first, highlighting the organization's biggest risk; then analyzing, finding and delivering the right solution for each vulnerability through the tools you already use; and finally initiating and orchestrating cross-team remediation workflows. Now vulnerabilities can actually be fixed and not just discovered. Vulcan: stop managing, start fixing.

It's time to play "What's worse?"

All right, for those of you who know this game, "What's worse?", the title kind of says it all. I'm gonna provide you with two options here; both stink, I should mention, they're awful. You're not gonna like them, but you have to choose between one of the two items. So
we have two rounds of the game we're gonna play, and the first one comes from Michael Martinez of Si Focus Software Incorporated, and he asked us this what's-worse scenario. And by the way, Olivia, you do get a little bit of a breather, because I always make Mike answer first. An unencrypted database with multi-factor authentication in a high physical threat environment, that's option one, or an encrypted database with single-factor authentication in a high virtual threat environment. Which one is worse? So what we're really trying to balance here is the likelihood of compromise, right? And kind of fast-forward: if you're in, maybe it's in some storage closet somewhere that someone could very easily walk into, but
that was the unencrypted database, right? Yes, that's the high physical threat. Our high physical one has encryption or does not? No, it does not; unencrypted. So again, someone could theoretically walk in, but it would be really difficult to compromise remotely, versus the other one, you know, great, it's encrypted, but your remote threat is someone... it doesn't matter where they are, right? For me, I always look at the likelihood, right? And there's the threat and the likelihood of that threat taking action. In a remote environment it's very easy for someone to attack that remotely, and there are that many more people who could somehow come in and attack it, right? In the converse, where even though there's a
higher likelihood of potential compromise through physical access, there's, just physically, a lesser number of people who can do it. But again, it's also unencrypted data, so once they get their hands on a database... They both suck, David. So, you know, again, comparing these two, really the one that I feel is the worst is something that's easy to compromise remotely. Even if it's, you know, encrypted at rest, you're that much more exposed to that many more threat actors. All right, so you're going with the worst scenario is the second scenario, the encrypted database, high virtual threat environment. Olivia, where do you stand? Agree or disagree? Again, you know, I always like it when people disagree with Mike. I... yeah, I
would politely disagree. People, I don't even need you to be polite about it. Not politely: wrong! Great, prove me wrong. I would think... now, you said it's in a cloud environment, right? It's not known if it's in the cloud or not. No. Oh,
there's a high virtual threat in this section. Okay, actually, then I would look at the physical controls. I would look at my level of comfort with the employees, and I actually would say the worst-case scenario, I would in that case agree with Mike. And the reason is because if it were a cloud environment, you need more specialized skills to be able to know how to access it, and then it's also encrypted. So in my mind it's not, like, it could just be sitting on a server sitting right over there, but I wouldn't have that in a closet. She was agreeing with me. There is no good answer. All right, all right, we got our second
question here. This one comes from Mark Butler. I didn't make a play on it. Okay, we have agreement on the first one; okay, hopefully we'll have disagreement on the second one. Here we go. Having an unlimited budget for third-party outsourcing of your security function and just keeping oversight internally, or you get a small group of internal team players who know the environment inside and out and are slowly building out their security skills. So yeah, basically what you've got here is you're outsourcing your security team versus not, right? But you had a lot of money, right? So it's unlimited funds, or a small internal team who know their stuff.
So I'll go ahead and say these are both actually workable. It's really more of which one is best rather than which one is worse, on this one. But I ran into a company, you know, a large global brand that you've all heard of, that all they have internally is security architects, and they've outsourced everything. It's actually very effective for them. Versus an internal security team that knows everything: they're that much more effective on a person-by-person basis, they can go and get things done, they know who to talk to, they know what to do, and they have more potential. Of these two, the one that I would actually prefer is the smaller, more effective team. So
the worse is the one with that unlimited budget, and it's funny how I keep answering these that the worst is usually to have an unlimited budget. Yeah, I think that seems to be linked to your company right now. You're saying, "I really don't need any money, you know, every time I ask for money, just decline, make do." All right, Olivia, do you agree or disagree? It depends on the answer to this. So, the choice: if I outsource it, do I still get to keep my internal team? No. You're just keeping some oversight internally of the outsourced team, so you don't have that internal team. The level that you have is, you're just oversight of the
external. Again, yeah, I agree with Mike. There's no "what's worse" here; it's more about the level of control. So in my mind I would look at the situation as how much do I feel in control of my environment, and am I okay with losing that control and outsourcing it? And in this case, if I do have an internal team that's very good at what they do and they're all bright-eyed and bushy-tailed, I think I would still outsource it, and I would put that excitement and that enthusiasm of the internal team onto something else. So you're disagreeing! So awesome, we have a disagreement on the second one.

All right, our second sponsor, as you can see up on the giant screen for those of you in the room, it's CyberArk, and let me tell you about them. Privileged accounts, credentials and secrets are everywhere: on-premises, in the cloud, on endpoints and across DevOps environments. From personally identifiable customer information to critical intellectual property, they provide access to your enterprise's most valuable assets, and attackers are after them right now. Recognized for establishing the privileged access management category, CyberArk continues to deliver the industry's most complete solution to reduce risk created by privileged credentials and secrets. CyberArk is the number one provider in privileged access management, a critical layer of IT security to protect
data, infrastructure and assets across the enterprise: on-premises, in the cloud, on endpoints and throughout the DevOps pipeline. Secure privilege and stop attacks with CyberArk.

What do you think of this vendor marketing tactic?

So according to a recent study by Valimail, CISOs are very suspect of security vendors' claims in general. The numbers are horrible for vendor credibility. Close to half of security professionals claim the following: vendors' tech and explanation are confusing, practitioners have a hard time seeing and measuring value, and practitioners don't know how a vendor's product will stay valid on the security roadmap. So I'm gonna ask you, I'll start with you, Olivia: what could cybersecurity vendors do to make their claims more believable, and
how could you see an easy way to look for yourself and test it out? What makes you believe... well, maybe answer this question: what makes you believe a cybersecurity vendor's claim? Well, I would say this: anything that comes from the marketing group, stop. Well, that's how they usually come, right? But if I was a salesperson and I really wanted to get in front of a C-level or senior security leader, just smile and nod at your marketing team, "Yes, we're using your collateral," and then throw it away. Because my three main points are, and I've said this before on this awesome show, just tell me what it does, what are the benefits, in simple
language, in bullet points preferably, and then how is it gonna help me with my type of company and my strategic security. I'm gonna totally argue with you, because that's the point of the marketing department: to hopefully simplify what is normally complicated stuff. I have actually done videos like this where I ask people to dumb down, simplify, complicated technology, and often people have trouble with that. So my hope is the marketing department does stuff like... I have a background in marketing for security companies, so I know, and I come from the vendor side. I would hope you would know, because I was always the consultant, the advisor. So
I do... Olivia, for any cybersecurity marketing, is that what you're saying? Yeah, but Mike... No, my point here is that marketing likes to use big words. They don't truly understand technology, the landscape. I mean, how many times, Mike, have you received an email saying there are big threats out there, or CISOs have to spend all their time worrying about threats? It's like, "Oh, tell me something I don't know." That's the marketing department. So if I were you, get with your security pre-sales engineers, try to tap into what exactly are the fine points of what you're trying to sell, and the marketing materials are honestly just... I'm gonna argue, I think this is also
often the curse of knowledge. Why sometimes they can't do it is because the people who are deep in the product can't see outside sometimes. But Mike, let me throw it to you: what would get you to believe a vendor's claim? Well, I think some of Olivia's advice... all of Olivia's advice was good, but really about being very specific. And marketing does tend to be very broad, and so try and target, and try and be very specific. But when I was thinking about this question a while ago, I'd made a claim that, you know, proof of concepts are the new PowerPoint, and I think if you
make your demos easy, if you just allow me to click through to a demo, don't make me sign up to a list, and have the demo really explain and illustrate to me what it does, I'm that much closer to understanding the value. So I am amazed that you say that. So I actually did something, that's for Climate: we produced a demo video for them. And I talk to vendors all the time, and I said, "You know, what sells your product the most?" "Well, if we get to sit down and do a demo with them." Then we get, you know, "don't sit down, yeah, whatever." So to which I always say,
"Do you have a demo video of your product online?" And all of them say no. Oh, I do not comprehend that. If you don't have a demo video of your product, get one up immediately. Yeah, I would say have a demo video, screenshots, something that can tell me what to expect. That's the teaser to get me to actually spend the time on the demo. Yeah, and certainly not every product or service is something that can have a self-guided demo, but if you can do it, you'll find people will pick it up. Put up a video of, you know, the person demoing how the product... Yes, worst case, that works as
well. Someone from Armor Cloud Security asked, if you could implement one thing in your organization that will receive universal adoption without pushback, what would it be? So the question, which kind of seems reasonable but in the security world often feels impossible, generated a ton of responses. Many wanted company-wide adoption of a single solution such as MFA or vulnerability management; others just wanted widespread and ongoing security education. So I'm gonna ask you the same question, refined: Mike, what do you think is the one pushback-free solution that would yield the greatest results? As I was reading the thread, I was, you know, "Thank you, you know, MFA, RBAC, SSO, auditing,
these are all great." You know, I would love to have these, and I kept reading and kept reading, and there was one that was about pervasive network monitoring, that, you know, instrument everything. And it was an interesting answer, but I think it's a little bit behind the times, where the networks are all encrypted these days, so this isn't really buying you a whole lot. And it dawned on me the one that I would really like, if I could be guaranteed no pushback, and this is the key on this, that's the whole point, if I'm guaranteed no pushback, is true pervasive application whitelisting. If I push out application whitelisting to an
entire environment that I'm controlling, everything that gets run, I'm done. I can basically just... I can now enjoy my weekends, I can take nice long vacations. So it's that simple: just deploy application whitelisting, all of you. But there is a lot of pushback there. This is one of those... I'm just sayin', like, what's the one thing that would yield the greatest results if you could? So we did this. The company I worked for, I worked for Salesforce, we actually deployed application whitelisting. It was an utter pain in the ass; it took us like two or three years, but we never had to worry about our Windows environment anymore. The thing that we used only
worked on Windows; it kernel-panicked all of our Macs, so we didn't use it there. But it really meant that Windows was now quote-unquote safe for us, and we could spend all of our time on the Mac side. It was high effort, but it was absolutely worth it. The payoff is there if you can do it without pushback. Application whitelisting, a hundred percent. All right, so what do you think? What's the one thing, no pushback, that you would love, that would yield the biggest results? Hey, I still love this question. I spent two hours of my five-hour plane flight just kind of staring into space thinking. Oh, I would... Gary, turn your phone off! What I would love,
because you said it doesn't need to be technology, anything, right? It could be one-on-one requests. The idea of having a member of my team, who I know and trust and I know is smart, situated on every single one of my stakeholder teams, but they belong to me. Mm-hmm. So you essentially have a spy in every department, but they're integrated, so they're dotted-line to the... Good spies. Good spies, okay, not hackers. But just the idea of being able to integrate with the business so tightly that way, with all my stakeholder teams, but yet having that direct conduit. Oh, that would be... that would be Nirvana to me. So first of all, how hard is it to get that kind of
information from all the teams currently? Are you seriously asking me this question? It's kind of... it's between pulling and drilling your own tooth. So is it like... what are you like? If you had a conduit, like, what would you want to learn on a daily basis from another department? For example, I would want to know how they're configuring firewall rule sets, instead of just having visibility into them every quarter, per se, for example, if they own the firewalls. Okay, so that, and just trying to find out that information is difficult? Well, it can be. So I would like to have someone on that team so that person can help govern and help
define and build the best practices, and not even possibly manage it, but, you know, there would be a clear line of event escalation of, "Hey, this is a weird thing; the firewall folks don't think it's a bad thing, but from a security perspective we think it is." Having that direct line of communication, it would be just wonderful. How much communication do you have in your office, Mike? So I've only been there three and a half months now, but it actually is a fair amount. Teams are very open with what they're doing. We have team members, I don't have one person, but I have multiple team members who are assigned to individual teams, where they are sitting in on their
meetings, where they are that bi-directional trusted advisor. So I guess I do have good spies. But it's difficult, and the company has to be ready for it. Yes, it's very difficult; it's a culture change, absolutely. I would assume it's a culture change if you're gonna have spies.

It's time for the audience question speed round

All right, in this hand right here I have a series of index cards of questions that random people here at BSides have asked, and I am here to ask you these questions for you to answer them. Some of them, the people have revealed their names; some are anonymous. But this first person, who I'd like to believe is in the audience right
now, Paul and Z of Remedial. Yes, you're here; I saw him earlier. There he is, all right. He asked this question: what do you think will be on your risk register 24 months from now? Mike? Wow. So this is really looking into the future, and also thinking about what I can remove from my risk register between here and there. Oh, you always have to pull one off to put one on, right? It's, you know, last-in, first-out. Okay. You know, that's really kind of looking forward for what are the concerns, what are the global concerns of security between here and there, and if I look forward down the road, I still think I'm gonna have to deal with
my vendors. I still think I'm gonna have on my risk register the security of vendors, and it might be one particular... Is there anything new? I'm sorry? Anything new? Anything new? New vendors will be on there, yes. It's hard to say. That's really... Olivia, good, what do you think is gonna be on your risk register 24 months from now that's not on it currently? I work for a product company, so there's always new features coming out, and promotions, and those have heavy implications for, I want abuse prevention as well, for security and abuse prevention. So I would say those are always new, plus our friends in, you know, foreign places. Okay, that's a hard question to answer with...
You can't answer it, all right. I need a quick answer; this is the speed round. What's your most successful method for aligning with the business? This comes from Chris Patterson of RSA. So that's the architects that I just mentioned, you know, really carving up the company into sets of teams, products, horizontals, verticals, whatever it is, and assigning them someone who sits with them, who's working with them all the time, who's a long-term partner and doesn't have to be brought up to speed on any new assessments. Okay, what's your most successful method, Olivia? That's a good one. I would say not enough. My successful way is listening, because I think too many people don't listen, so they don't understand the
strategic drivers of the business. So if you think you're not listening enough, listen better; if you think that's enough, listen more. Because unless you understand the drivers, you cannot align what you're doing to the business. All right, next question. This comes from someone anonymous: how do you make sure, Mike, your users are on VPNs on captive portals like Starbucks? I hate VPNs. Don't you like people? I think my endpoints should be able to protect themselves regardless of what network they're on, and routing them through some sort of, what is frankly, multiple layers of encryption, because they're already talking TLS in the first place, wrapping that through another level of encryption doesn't help. And in fact, what
you've done is you've created a new entry point into your environment that someone can attack to get into your environment. Just look at all the recent Citrix vulnerabilities; I think Cisco and Juniper have both had them. Every one of these gateways has vulnerabilities that are actively being exploited. You're only making your security worse by forcing everyone through VPNs. You agree or disagree with this, or do you have some way to force people to use VPNs, Olivia? Well, I don't think you can force anyone to do anything, right, unless it's transparent, like you were saying. However, you can initiate change if you do it carefully, but I think that you have to show people.
It's all about security awareness. I mean, I know that's a boring answer, but if people truly want to protect the company and they understand why you need to use a VPN, or safeguard your company asset, whatever it is, you have a better chance of enforcing that change. All right, here's another question from Jim McCloud of M Denny. He says, since your firewall is mission-critical, should you upgrade to the latest OS, or, because it's mission-critical, should you not upgrade to the latest OS, since you know how this OS operates? I'll start with you, Olivia. Oh, is this "what's worse"? It is kind of a what's worse. Can I say it depends on
this one? You can, yeah. Okay, we're not playing what's worse; we don't usually let "it depends" play in what's worse, but since this is the final speed round, you can throw it out. It depends what the upgrade is. It depends, yeah, but you don't know what it is, like you don't know how it's gonna damage things when you upgrade. Oh, my brain hurts. I'm gonna give this to Mike. Mike, clear, concise answer, take this out. So a lot of this is preparation: being prepared for the eventualities that you're gonna have to upgrade your firewall, that whatever you have on your network you're eventually going to have to upgrade it. So have your architecture, your systems, your environment such that
this isn't a hard question that when the question comes up because you can you know because it will you're prepared for it you're ready to do the right thing upgrading to patch whatever a critical vulnerability isn't going to be painful because you're ready for it well that brings us to the end of the show I have to thank you Mike and Olivia and I have to thank b-side San Francisco for inviting us to be a part of this and I have to thank this audience everyone who is still in this crowd thank you very much I appreciate it I want to remind our listeners that we are doing shows this week March 3rd and March 5th in New
York City and Boston respectively I want to thank our sponsors cyber-ark and Vulcan go check them out if you haven't already they're awesome because they sponsor our show we like those pungent Olivia will let you have the last word I appreciate you being available for this live show so thank you very much but before we let you speak Mike Olivia thank you for coming back on again thank you for coming back onto the show and then being willing to subject yourself to not only one but two what's worth questions it's so so thank you for coming back I specifically I liked when you were talking about the path your path to CSUN and reminding folks that there are multiple paths and
explaining what worked for you and that happened how you got there so specifically thank you for that but in general thank you for coming on the show and sharing with our audience and Olivia I would also advise anybody who works in marketing for a security vendor that if you meet Olivia just tell them you're an engineer Olivia any last words I'm not available for marking of marketing well I'm hiring security operations engineers if you live in Atlanta or Oakland check out MailChimp on LinkedIn calm I would love to hire some really bright eyed and bushy tailed folks awesome well thank you very much I have to just say thank you so much for coming out to see
our live show we love performing for live audiences this is the largest I've ever seen our logo ever yet which is pretty spectacular so uh thank you so much for listening and as always participating in the CSO security vendor relationship podcast [Music] [Applause]