What does it take to stay calm in the face of constant cyber pressure\u2014and why does that mindset matter more than ever? In this episode of Security Matters, host David Puner speaks with Den Jones, founder and CEO of 909Cyber, about his transition from enterprise chief security officer (CSO) to cybersecurity consultant. They explore what it means to lead with clarity and composure in a high-stakes environment, the realities of launching a firm in a crowded market, and how pragmatic security strategies\u2014especially around identity, AI, and Zero Trust\u2014can help organizations navigate AI-driven threats, talent shortages, and operational complexity. It\u2019s a candid conversation about what works and what doesn\u2019t when it comes to modern security leadership.<\/p>\n
Hi. This: a developer racing against a deadline pastes a few hundred lines of sensitive code into an AI chatbot to clean it up. The chatbot delivers a flawless solution. The deadline is met, and no one thinks twice. But weeks later, a competitor releases a strikingly similar feature. There\u2019s no sign of a breach, no stolen credentials\u2014just a trail of prompts and a quiet leak that traditional security measures might miss.<\/p>\n
Welcome to the world of shadow AI. Tools designed to boost productivity are now becoming invisible threat vectors hiding in plain sight, and businesses are only beginning to grasp the risks. These risks don\u2019t stop at data exposure. They ripple outward, often culminating in ransomware attacks and other costly consequences.<\/p>\n
Our guest today, Den Jones, knows this landscape well. As a seasoned cybersecurity leader and now the founder and CEO of the consultancy 909 Cyber, he\u2019s helping organizations confront a world where innovation outpaces policy\u2014and mistakes don\u2019t always look like mistakes. In our conversation, Den unpacks why ransomware is often the final domino, not the first; how machine identities are increasingly dominating the identity landscape; and the mindset it takes to stay calm under nation-state-level pressure.<\/p>\n
Let\u2019s dive in with Den Jones.<\/p>\n
David:
\nDen Jones, founder and CEO of 909 Cyber\u2014thanks for coming back onto the podcast.<\/p>\n
Den:
\nHey, thanks for having me. It\u2019s brilliant to be here. It\u2019s\u2014God, we\u2019re halfway through the year already. I mean, where does this time fly? It\u2019s really unbelievable. Steamrolling right through 2025. Nothing new there, but it is really going fast. And thanks again for having me back.<\/p>\n
David:
\nThe last time we spoke, you were on the Trust Issues podcast, which is what this podcast was previously named back in March 2023. And at that time, there was a little bit of a difference between what you\u2019re doing now in that you were a CSO. You\u2019ve gone from leading enterprise security at companies including Adobe and Cisco, and now you\u2019re the founder and CEO of the consultancy firm 909 Cyber, which you launched back in September 2024.<\/p>\n
What led you to go out on your own, and what\u2019s been the biggest surprise so far?<\/p>\n
Den:
\nYeah, David. It is funny, right? So I\u2019d done the big enterprise stuff. I spent a lot of time at Adobe. I ran a lot of teams\u2014infrastructure and operations. My last role there was I ran enterprise security, and that was a really fun, amazing experience.<\/p>\n
And I jumped over to Cisco during COVID. I had a team of about 300 people, spent about $60 million in a year, and rebuilt IT security, which we called enterprise security. Solid line to the CIO, dotted line to the CSO. And then, around the corner, you know, I got this small security company, Banyan Security, that I had been a customer of at Adobe.<\/p>\n
We used them for our Data of Trust program\u2014a little ZT company. So I joined there. I was their CSO\u2014ran it, ran security, did evangelism, even had my own podcast, which you remember.<\/p>\n
David:
\nYep.<\/p>\n
Den:
\nSo that was a great gig. And then we got acquired by SonicWall. Another great company\u2014small, mid-size, channel-based, very embedded, 30 years of network and security experience. So, you know, another great company.<\/p>\n
But the thing was\u2014when a company acquires another company, I don\u2019t remember them acquiring it for their CSO. I think they probably acquired it for, like\u2026 hmm, maybe the software. Maybe the technology. Right?<\/p>\n
So they did offer me the position. I became CSO at SonicWall\u2014for a minute.<\/p>\n
So, Plan A was: become SonicWall CSO.
\nPlan B was: start my own company.
\nPlan C was: get a real job.<\/p>\n
So in the end, we agreed to a great exit for me that gave me some finances to really start this business. We just got going. I founded the company, and we officially launched in September of last year.<\/p>\n
And I guess your other question\u2014the biggest surprise so far?
\nIt\u2019s a saturated market.<\/p>\n
Den:
\nIt\u2019s a saturated market. Everybody and their grandmother wants to be a fractional CSO. And everybody and their grandmother wants to do consultancy on the side. So even if it\u2019s not their full-time job, you\u2019ve got a lot of security professionals out there who have a full-time job, and even on the side, they\u2019re hustling\u2014doing fractional work.<\/p>\n
So that means people like us, who are building a company\u2014now I look at it like we\u2019re building a firm. We\u2019re not just an ex-CSO, one dude called Den doing fractional work. There\u2019s a group of us. And when you build a group with a group culture, I think we\u2019ve got a better chance of not just surviving, but really thriving and helping our clients be more successful.<\/p>\n
David:
\nThank you for taking me through that. We\u2019ll get back to 909 Cyber in just a moment, but I wanted to ask you about the alternate plan\u2014the lesser plan, the plan that you didn\u2019t want to go to\u2014which was getting a \u201creal job.\u201d<\/p>\n
Now, the last time you were here, we talked about how you had begun your professional career as a Royal Mail postman in Scotland. And we also, I think, talked about some of your restaurant work. Is that what you mean by \u201cgetting a real job\u201d\u2014going back to the roots?<\/p>\n
Den:
\nNo, no. By \u201creal job,\u201d I just meant, you know, another CSO gig. So think of it like this\u2014one of my friends, she runs a very successful IT MSP. We worked together at Adobe years ago. And she said to me, \u201cYou should start your own consultancy. You\u2019ll be great at it. You\u2019ve got the right temperament, you\u2019ve got the right experience, and you\u2019ve got the pedigree.\u201d<\/p>\n
And she said, \u201cAs you build it, you need to be fired many times before you give a shit.\u201d<\/p>\n
When you have that one job\u2014if you get fired from that one job, or there\u2019s some problem in that one job\u2014you\u2019re toast, right? So the reality for us was, after that conversation, David, I was like, \u201cOh yeah. That\u2019s\u2026 pretty smart. Yeah. We should do this. I\u2019ll start my company.\u201d<\/p>\n
And she said, \u201cYou have to be fired 30 times before you care.\u201d<\/p>\n
David:
\nThirty?<\/p>\n
Den:
\nYeah. So they\u2019ve got so many clients that they\u2019d need to be fired 30 times.<\/p>\n
It\u2019s not necessarily that you\u2019re getting fired, but you\u2019re definitely recognizing that you\u2019re not\u2026 the retention of one client isn\u2019t necessarily going to be forever. So as you build the business, you\u2019re thinking about what clients are good for our business.<\/p>\n
So that\u2019s where, for us\u2014as we evolved 909 Cyber\u2014it\u2019s not just a fractional CSO-as-a-service. We\u2019ve introduced fractional field CSO, which is helping companies go to market. We\u2019ve got gun-for-hire, hourly-rate billing engineers. Actually, we have CyberArk engineers\u2014so they can go in and help CyberArk clients become successful if they\u2019re struggling.<\/p>\n
So we\u2019ve got all sorts of lines of business that enable us to address small, mid, and enterprise markets.<\/p>\n
David:
\nOne of the services that 909 Cyber offers is a virtual CISO, or CISO-as-a-service model. For those who may not be familiar with what a CISO-as-a-service model is\u2014or a virtual CISO is\u2014what does that actually look like in practice? And what kinds of organizations is it best suited for?<\/p>\n
Den:
\nThink of a regular full-time security executive\u2014but they work part-time hours. So you\u2019re not paying for 40 hours a week. You\u2019re getting someone who\u2019s part-time. And the number of hours is varied, depending on what the client requires.<\/p>\n
You\u2019re providing the strategic direction to the organization for their security program. You may be building it up from scratch. You may be helping them do certifications. You may be leading and training the organization.<\/p>\n
Ideally, what I think of\u2014the best companies suited for this\u2014if they\u2019re 500 employees or less. They may have an IT team that we would partner with. They may not. They may have some security people already there, but they don\u2019t want to spend the big money to bring in a full-time CISO.<\/p>\n
Because you could spend more money on the engineering and doing the work than doing the strategy. And the strategy\u2014if you bring in a seasoned, experienced CISO\u2014then the strategy to build your security program isn\u2019t necessarily a 40-hour-a-week job. You can pay the executive their high rate, but for a shorter period of time.<\/p>\n
And that means you\u2019re spending more money on the engineering and the making\u2014the progress.<\/p>\n
David:
\nAnd what about the intricacies of the company or the organization itself? How does a virtual CISO serve? How do you pop the hood on what that organization is, so you can really do that role effectively?<\/p>\n
Den:
\nThat just comes down to experience. I mean, for us and our team, we\u2019ve got a diverse bench of CISOs who are multi-term CISOs. And it\u2019s everything from big enterprise experience\u2014which doesn\u2019t fit this scenario so well\u2014but a lot of us, it\u2019s all startups, small companies, the SMB space.<\/p>\n
And, you know, we\u2019re in the Valley, right? So we were born in San Jose, which means many of the people we\u2019ve got on the team\u2014on the bench\u2014are in the Bay Area. But the reality is, when you\u2019re in the startup world, most of these companies, they don\u2019t need full-time.<\/p>\n
I mean, if you think of the cost of a fully loaded CISO\u2014if their base is even 300 or 400\u2014then you add stock, then you fully burden, and you add bonuses. I mean, you could be sitting there from half a million to three-quarters to a million a year for a full-time CISO.<\/p>\n
For us, I don\u2019t care the industry you\u2019re in\u2014at the end of it, we have the ability, we\u2019ve got the diversity on the bench, we can jump in. And the other thing is, our network is vast. Because we\u2019ve all got decades of experience\u2014and decades of experience partnering with other people in the industry and building that network.<\/p>\n
So if I need a three-letter agency to jump into a client site tomorrow, I\u2019ve got their cell phone numbers.<\/p>\n
David:
\n909 Cyber works with mid-market organizations and SMBs\u2014a segment that is often underserved in the cybersecurity space. What are some of the biggest security blind spots or challenges these companies face? And how do those challenges shift as organizations grow?<\/p>\n
Den:
\nYeah, it\u2019s interesting, right? Because I even think of the latest Verizon breach reports\u2014the 2025 one. You know, for someone who\u2019s watching this three years from now, the 2025 one was talking about ransomware.<\/p>\n
Now, ransomware\u2014if 44% of how breaches happen involve ransomware\u2014and SMBs are hit the hardest. They\u2019re about 88% of that number. That means that small and midsize businesses\u2014they\u2019re clicking links, their users are probably less educated, they\u2019re clicking links. They likely have less technology defending against this one attack vector.<\/p>\n
And the reality is, ransomware is an outcome. It didn\u2019t start with \u201cI got ransomware.\u201d It likely started with \u201cI clicked a link,\u201d and then the software installed on my device. So that whole attack vector\u2014ransomware is an outcome.<\/p>\n
And I think the reality is, as these companies grow, their defense-in-depth strategy needs to evolve with the business. Because remember, we\u2019re running a business. The business is there to make profit. That means the amount of money a CEO wants to spend on IT and security is ideally as lean as it can be.<\/p>\n
They didn\u2019t wake up in the morning thinking, \u201cI\u2019d love to spend some more money on security today.\u201d<\/p>\n
So the reality is, you\u2019ve got to put strategies in place that maximize that investment\u2014and ideally differentiate that company in their sales process. So that you have the ability to say, \u201cWe\u2019re not just a cost center. IT and security have the ability to add to your credibility, your trust, as you go to market and you sell your product.\u201d<\/p>\n
So we\u2019re trying to turn security\u2014not just from being a drain on your expense bucket\u2014but actually help your income bucket.<\/p>\n
So the thing for us is, as a company grows, how do we help the IT and security organizations grow with that mindset?<\/p>\n
David:
\nMm-hmm. And that\u2019s a different challenge.<\/p>\n
This may or may not seem obvious, but do you look at security as a growth driver for those organizations?<\/p>\n
Den:
\nDepends on the company. But yeah\u2014any company that is selling services to another company? Definitely.<\/p>\n
You have the ability to say, \u201cWe do blah, blah, blah, blah, blah. Here\u2019s our Trust Center. This is what we\u2019re doing. And this is how you can have more trust in us than our competition.\u201d<\/p>\n
We partner with a lot of startups, because one of the things they\u2019re trying to do is go through compliance. They want to get their SOC 2, their ISO 27001\u2014because for some of their clients, that is a good signal of trust.<\/p>\n
Now, I would never say compliance equals security. But you have the ability to say, \u201cWe\u2019re doing a little bit better than nothing. And here\u2019s evidence.\u201d<\/p>\n
Because a lot of clients want to see evidence that their supplier is meeting at least some minimum bars.<\/p>\n
David:
\nNow that you\u2019re also advising CISOs, what are the top two or three things that are keeping them up at night?<\/p>\n
Den:
\nWell, I think the number one these days is AI, right? So AI-driven threats\u2014that emergent attack vector. Everything from deepfakes to automated vulnerability discovery and exploitation.<\/p>\n
And then one big thing is shadow AI. So we\u2019re all familiar with shadow IT. But I think of shadow AI as being employees in the company deploying unvetted AI tools.<\/p>\n
David:
\nMm.<\/p>\n
Den:
\nAnd what do they mean to the business?<\/p>\n
Then the other one is\u2014there\u2019s a talent shortage. We just recently launched a platform called 909 IC, and the whole goal is to try and bring cybersecurity talent into the industry. So we can talk about that later.<\/p>\n
But the reality in the talent shortage is\u2014we can\u2019t hire quick enough to facilitate business growth. And I think it\u2019s the right talent. Then I think it\u2019s talent retention.<\/p>\n
And in some jobs it\u2019s worse than others. But I think the reality is, the ones where the burnout is higher\u2014you know, things like your SOC. The guys that are working the night shift, or you\u2019re trying to do \u201cfollow the sun.\u201d So different countries, different regions\u2014it\u2019s different hiring challenges.<\/p>\n
David:
\nAs AI and agentic AI reshape both the threat landscape and the tools we use to defend against it, what are the biggest opportunities and risks you see for security teams right now?<\/p>\n
Den:
\nThere\u2019s two different types of CISOs we\u2019re talking to, right?<\/p>\n
One is the ones that don\u2019t want AI near their business. They want to block access to AI. And I\u2019ll put them in the bucket of\u2014you can bury your head in the sand and pretend nothing\u2019s happening. But it\u2019s there. So if you don\u2019t embrace it, then you\u2019re going to be in worse trouble down the line.<\/p>\n
So that first group\u2014blocking it, not allowing it\u2014I think that\u2019s a fool\u2019s errand.<\/p>\n
David:
\nAnd how prominent is that group?<\/p>\n
Den:
\nThankfully, I think it\u2019s less than 20% of the people we talk to.<\/p>\n
David:
\nOkay.<\/p>\n
Den:
\nBut they do exist. And I think different industries make up that group. So if you\u2019re in an industry that\u2019s highly regulated, tightly controlled\u2014medical, finance, government\u2014some of those folks, that\u2019s more that bucket. Because that\u2019s the industry they\u2019re in, and there\u2019s a lot more controls and rigor. Tolerance for risk is different.<\/p>\n
Now the other group\u2014the ones that say, \u201cLook, let\u2019s embrace it. Let\u2019s have the teams really dig in and learn about it.\u201d Not just the security team, but the IT team, the engineering team.<\/p>\n
And let\u2019s put guardrails. Let\u2019s try and give proactive advice. Let\u2019s try and have a think tank of people in the organization that come together\u2014like an AI steering committee\u2014and they\u2019re really going to try to figure out, \u201cHow can the company best leverage AI in a safe way?\u201d<\/p>\n
David:
\nMm-hmm.<\/p>\n
Den:
\nLet\u2019s recognize that if everyone\u2019s just throwing stuff into ChatGPT, and there\u2019s ever a breach over there, then all that stuff is in the wild.<\/p>\n
So what are the risks?<\/p>\n
And as they go through the risks, they can determine what their tolerance is. They can determine where they\u2019re taking risks. And they can also determine\u2014look, do we need to bring some of this in-house and create a bigger playground for the organization?<\/p>\n
And companies like Adobe, that leverage AI as part of the product\u2014they\u2019re building AI into their products, like Firefly\u2014then you can\u2019t stop the engineers from playing around with AI, because they need to learn a lot about it.<\/p>\n
So you need to enable them to learn\u2014ideally quickly\u2014because they\u2019re trying to get product to market quick. And then ultimately, how do you do that in a safe way?<\/p>\n
So I look at it like\u2014guardrails and embracing it is the best approach. And any burying your head in the sand? You\u2019re probably going to get left behind. And you\u2019re definitely going to get caught out at some point.<\/p>\n
David:
\nDo you ever wind up in the situation with a CISO from one of those super risk-averse organizations\u2014or someone who’s looking to lock down AI\u2014where they’re just, despite the different assessments you’re taking them through, where you’re doing the pros and the cons and all that kind of stuff, where they still end up just really digging in and still not wanting to open up the possibilities of AI?<\/p>\n
Den:
\nYeah, so there\u2019s a couple of things.<\/p>\n
What\u2019s the role of that CISO we\u2019re working with? The role of that CISO is generally to arm their leadership team with information so they can make decisions.<\/p>\n
Our role is: take all of our wealth of knowledge and arm that CISO with information that helps that person and their business be successful. So we could sit there and play devil\u2019s advocate\u2014which we will do\u2014but at the same time, we\u2019ve got to say, okay, what is your unique business?<\/p>\n
This goes back to the thing you said earlier about when you hit the ground running within a company\u2014what\u2019s the difference here?<\/p>\n
Well, the difference is we\u2019ve got the experience to recognize the constraints that that CISO and their business are working under. And those constraints mean that their view of AI is going to be a lot more conservative and risk-averse.<\/p>\n
David:
\nMm-hmm.<\/p>\n
Den:
\nOkay\u2014how do we help them explore that? And how do we help them explore what the technologies and opportunities are that can enable them to still learn and leverage, without going over a risk threshold that they’re comfortable with?<\/p>\n
David:
\nRegardless of the organization and tolerance for risk\u2014are there varying levels to how security leaders should approach AI, both defensively and strategically?<\/p>\n
Den:
\nSo there’s a couple things.<\/p>\n
One is: start off with strategy. Everything is strategy\u2014then tactics next, right?<\/p>\n
So from a strategy perspective, I think it’s really important that they understand the business strategy, and how the business strategy is embracing\u2014or not embracing\u2014AI.<\/p>\n
And then, if you\u2019re really the CISO, if you\u2019re really the C-level executive, you need to have the ear of the other C-suite. So if you do, then where are you injecting yourself in the conversation as it relates to AI from a strategy perspective?<\/p>\n
If you do that right, then part of that\u2014you\u2019re then bringing back in\u2014and you\u2019re looking at where the business is going from a strategic perspective, and what risks does that create? Or reduce? Or increase?<\/p>\n
From there, you\u2019ve got to sit there and say, \u201cRight, well\u2014what do we now do from a security program?\u201d And how do we adjust?<\/p>\n
Because one adjustment at the business level\u2014you\u2019ve got to look at that trickle effect as it comes into your strategy, and then you determine what do you do next?<\/p>\n
And then as part of that, now you look at your defense-in-depth. Now look and say, \u201cOkay, from a defense-in-depth perspective\u2014just with an AI lens\u2014does this change what we\u2019re doing?\u201d<\/p>\n
If it does, how does it change it? And then what do we need to do to adjust?<\/p>\n
I\u2019ll give you one example, which is: companies are building code as part of their product, and a lot of engineering teams are now pressured to leverage AI a lot more.<\/p>\n
The real question here is: if you\u2019re putting your code snippets\u2014like your real, live code\u2014into this technology, what are you going to do when that gets breached?<\/p>\n
Do you care?<\/p>\n
Right\u2014you might, you might not care. So you\u2019ve got to go through that threat scenario and understand, and then determine what your tolerance for that risk is.<\/p>\n
Some companies choose to then bring that in-house, and they\u2019ll run an internal version of it, just so that they don\u2019t risk losing their code.<\/p>\n
David:
\nWouldn\u2019t that be your recommendation, generally speaking?<\/p>\n
Den:
\nYeah. I mean\u2014again, it depends on the tolerance of the company, and also the finances and the constraints. Not everybody has that same ability.<\/p>\n
If you\u2019re a little startup, you might not want to build your own internal AI copilot.<\/p>\n
David:
\nGoing back then to the talent shortage you were speaking of earlier\u2014there’s been a lot of talk, of course, about the cyber skills shortage. What’s your take, and how has that changed since you launched 909 Cyber last fall, now that you’re also in the cyber recruitment space?<\/p>\n
Den:
\nSo it’s funny, right? Yeah\u2014our business started off as fractional CISO-as-a-service, subscription model. We opened up beyond that to more consultancy, and as part of that, we\u2019ve got a recruitment division.<\/p>\n
And the recruitment does full-time recruitment, but we also have a gun-for-hire, staff augmentation model. And\u2014not because of this\u2014but as we\u2019re trying to fill positions for clients, it is a struggle. Especially\u2014you know, I\u2019ve been in the identity and access management space since \u201992.<\/p>\n
So I\u2019m like an old Novell guy. And actually, my relationship with CyberArk goes all the way back to around 2003, 2004. At the time, we were putting password-protected files in the vault.<\/p>\n
David:
\nMm-hmm.<\/p>\n
Den:
\nAnd that was before PSMs and all that stuff.<\/p>\n
David:
\nThis is right around when you were starting at Adobe?<\/p>\n
Den:
\nYeah, this was probably three or four years into my time at Adobe in the U.S.<\/p>\n
So by the time I was running\u2014when we were centralizing the server team and I was leading that team\u2014back in those days, we would store admin passwords for all the servers inside a PDF file. That would be password-protected, then protected by Policy Server, which is an Adobe thing, and then we would put that in the vault.<\/p>\n
So I mean\u2014it would be, like, all these layers to get to the file. Because I mean, that was your crown jewels.<\/p>\n
So as we\u2019ve been building this business, I\u2019ve kind of recognized\u2014even trying to find good identity and access management people is so hard. It\u2019s a nightmare.<\/p>\n
David:
\nIs it a talent shortage, or is it an expectation of employers?<\/p>\n
Den:
\nHow do you mean?<\/p>\n
David:
\nWell, if you look at job postings\u2014and, you know, we pick up these and make fun of them quite a lot. Entry-level job posting where they\u2019re looking for a new college grad, and they turn around and say they want five years of experience in blah.<\/p>\n
Den:
\nOkay, yeah. It\u2019s like\u2014so you want them to have just graduated from a four-year degree course, right? But at the same time, you want them to have five years\u2019 experience.<\/p>\n
So if you read through the lines on that, what are they looking for? They\u2019re looking for something that doesn\u2019t really exist. Their expectation is unrealistic based on what they\u2019re asking for\u2014and what they\u2019re willing to pay.<\/p>\n
We saw a position for a senior engineer in New York. They wanted to pay $130,000 a year. In Manhattan. Which for me is a non-existent human\u2014because no human I know is going to live in Manhattan and do a senior security engineer role for $130K.<\/p>\n
Because a lot of juniors will pick those gigs up, or they\u2019ll work remotely for another company that\u2019s going to pay more. And they wanted them on-site. So that also changes the dynamic a little bit, right?<\/p>\n
I saw an AI posting the other week where they wanted, I think, five years\u2019 Gemini experience\u2014something like that. Some nonsense.<\/p>\n
David:
\nHow\u2019s that possible?<\/p>\n
Den:
\nWell\u2014it\u2019s not. But, you know, the people that write\u2026 and now this goes back to\u2014well, who\u2019s writing a lot of these job posts?<\/p>\n
David:
\nThe AI, isn\u2019t it?<\/p>\n
Den:
\nWell, some are by AI now. But some are the HR team. Some\u2014the hiring manager might give some bullet points, and then the HR team, the recruiters, will write it up.<\/p>\n
I think there\u2019s a bit of an unrealistic expectation\u2014equivalent to when we go buy a house: we want a two-car garage, we want two fireplaces, five bedrooms, three bathrooms\u2014and we don\u2019t have enough money to buy a one-bedroom tough shed in San Jose.<\/p>\n
So the reality is, it\u2019s expectation.<\/p>\n
Den:
\nI was at a conference in L.A. at the start of the year, and I was talking on stage about strategies for CISOs to be cost-effective. One of them was\u2014I said, leverage startups, because you can be design partners.<\/p>\n
But the other one was\u2014I said, leverage interns and students.<\/p>\n
An intern can work with you for six weeks in summer. But what I used to do at Adobe\u2014and I\u2019ve done this for over 15 years between Adobe, Cisco, and then Banyan\u2014is: they might work for us over summer. If they\u2019re good, we keep them on staff as a part-time employee.<\/p>\n
And then, when the winter break comes in, they ramp up again. Then when they go back to class, they ramp down again\u2014but they\u2019re still doing, like, 10 hours a week.<\/p>\n
Right? So over the course of a couple of years, these cyber students\u2014they\u2019re getting their book smarts done at university. They come and work with us part-time. They\u2019re getting real-world experience. They\u2019re learning. They\u2019re networking.<\/p>\n
Then by the time they graduate\u2014if they enjoy working with us, and we\u2019ve got the position\u2014they roll straight into the full-time job.<\/p>\n
They\u2019ve already onboarded over two years.<\/p>\n
David:
\nSo in a way, that\u2019s sort of practical, on-the-job developing of cyber talent.<\/p>\n
Den:
\nExactly.<\/p>\n
David:
\nTo that point\u2014what\u2019s your approach to developing cyber talent, and how can organizations build stronger pipelines?<\/p>\n
Den:
\nSo I think there\u2019s a couple of things.<\/p>\n
One is the pipeline itself\u2014and this is why we created 909 IC.<\/p>\n
Generally, what would happen is: your business would have a relationship with one or two\u2014or say, half a dozen\u2014schools. And then they\u2019ll do a career fair and they\u2019ll bring people in.<\/p>\n
But you can go beyond that, right? There are thousands of colleges. And we have them in our system. And we have the students in our system. And that means a diverse pool\u2014and also local people. Reduced cost is there, too.<\/p>\n
So let\u2019s say you connect them, and you bring them in.<\/p>\n
When we bring them in, our big thing is: we want to try and give them diverse experiences while they work with the company. So it\u2019s not just, \u201cI\u2019m going to do some work with some guys doing audit work and some GRC,\u201d and maybe that helps me get a broader outlook on security in general\u2014because they\u2019re looking at the controls.<\/p>\n
At the same time, I might bounce them into the SOC space, so they can get some experience on what life in the SOC looks like. And then incident response.<\/p>\n
Then you might say, \u201cOkay, now you\u2019ve done the incident response\u2014I maybe want you to get involved in some red team\u2013type stuff.\u201d So we\u2019ve seen a little bit of the attack and defend. Let\u2019s put you on the other side now.<\/p>\n
Of course, it depends on your company\u2019s size, your company\u2019s funding, what you have as a need\u2014because obviously, you\u2019re not just there to serve and say, \u201cLet\u2019s get these students quote-unquote experience.\u201d<\/p>\n
But I think the reality is: everywhere that you\u2019ve got a gap in your program, you might want to jump in with one of these young, fresh, enthusiastic students and say, \u201cOkay, I want you to help out here.\u201d<\/p>\n
And they\u2019re generally assisting one of the more senior people. Because you want them to shadow someone who\u2019s been doing this for a long time.<\/p>\n
Because this is real-world experience in parallel to them getting the book smarts.<\/p>\n
David:
\nA lot of shadowing, for sure.<\/p>\n
Den:
\nYeah.<\/p>\n
David:
\nSo that sounds like a pragmatic approach to developing cyber talent.<\/p>\n
You refer to your approach\u2014or perspective\u2014on IT and security as pragmatic security. So what is pragmatic security? What does it mean in practice, and where do you see companies overcomplicating things?<\/p>\n
Den:
\nI have a reputation in the Valley of being no-BS, get-shit-done, and not necessarily being the most politically correct individual in the world.<\/p>\n
The reality is\u2014we get paid to deliver results. Our goal, as we deliver results, is: let\u2019s inspire those around us, let\u2019s have some fun, and let\u2019s remember\u2014we\u2019re here to reduce the risk to the business. But at the same time, we don\u2019t need to increase friction.<\/p>\n
Most security people I know continually add and add more tools\u2014and more friction\u2014to the workforce that slows the workforce down.<\/p>\n
So when I think of pragmatic security, we\u2019re looking for ways to save money.<\/p>\n
David:
\nMm-hmm.<\/p>\n
Den:
\nWhich\u2014when you look at tools\u2014if you look at just the regular number of tools in any organization, if you do a tools assessment, they normally have more than two tools per security employee.<\/p>\n
So if you\u2019ve got 20 people in your team and you\u2019ve got 40 tools or more\u2014they\u2019re not going to be fully deployed. They\u2019re not going to be best at protecting your company.<\/p>\n
So the reality is, you\u2019ve got to start looking at the tools that we\u2019re deploying and get back to basics and say, \u201cAre we doing the basics right?\u201d<\/p>\n
And then from there, let\u2019s try and make sure that we\u2019re not adding more friction to the workforce. Because you want the workforce to move as fast as it can.<\/p>\n
So: you reduce cost, you reduce friction, and then you reduce risk.<\/p>\n
David:
\nHow often are you seeing those basics not being done right?<\/p>\n
Den:
\nEvery day.<\/p>\n
David:
\nOkay.<\/p>\n
Den:
\nI mean\u2014every company we look at, we can jump in\u2014especially from the identity perspective. I\u2019ll look at a company that\u2019s leveraging Salesforce, and I will, within an hour, show you how many admin-level accounts are not going through their IDP, that are going through the back door\u2014local on Salesforce\u2019s platform.<\/p>\n
I mean\u2014they\u2019re great for break glass. You at least want them set up to be multifactor. You at least want some extra rigor around those accounts.<\/p>\n
And I can walk into any customer that\u2019s using Salesforce, and I will show you some messy, gnarly, scary stuff.<\/p>\n
David:
\nOn the subject of identity\u2014with machine identities outnumbering human identities now by more than 80 to 1 (that\u2019s according to our 2025 Identity Security Landscape Report)\u2014what\u2019s the real risk? And how should organizations be thinking about identity security?<\/p>\n
Den:
\nLike I said earlier\u2014this has been an area for me since the early \u201990s. And we used to just say, \u201cWell, that\u2019s a generic account. That\u2019s a service account.\u201d And back then\u2014like back in the \u201990s\u2014it was the opposite way around, right?<\/p>\n
You\u2019d maybe have 20% or even less be your non-human identities.<\/p>\n
And as AI evolves, that 80% number is going to grow.<\/p>\n
So I think it\u2019s imperative that companies now figure out their plan for the non-human identities. They look at the technologies that exist. CyberArk is a great technology that we used at Adobe. My team at Cisco used it\u2014so I\u2019m very familiar with how well it works. There are others out there that might meet your needs.<\/p>\n
But the reality is\u2014you\u2019ve got to look at: how are you securing these identities?<\/p>\n
And one of the things\u2014even for us\u2014is: if you look at the analytics of how they\u2019re logging in, how often, where from, where are they going\u2026 If that\u2019s a non-human identity, that non-human identity should be pretty uniform in how it behaves.<\/p>\n
Any deviation\u2014you could start to determine whether that account is compromised or not.<\/p>\n
So there are some really simple things.<\/p>\n
In 2017, we built a team called Security Intelligence at Adobe. Funnily enough, all college grads. And that team did wonders.<\/p>\n
They basically would look at anomalous events for identities\u2014both human and non-human. We had it down to, I think, about a 99.5% success rate. Which meant the other 0.5% was noise in the system. We got it to that level\u2014which for me was incredible.<\/p>\n
So my biggest thing is: yeah, companies just need to really figure out what they\u2019re going to do with non-human identities.<\/p>\n
Every case is unique. But at least\u2014you\u2019ve got to look at how they\u2019re being logged in, and how you\u2019re tracking the movement of those from an intelligence perspective.<\/p>\n
David:
\nAnd how does that change the way they look at Zero Trust\u2014or have them stay the course in the way they\u2019ve been thinking about Zero Trust?<\/p>\n
You\u2019ve been called\u2014or you\u2019ve called yourself\u2014a large-scale Zero Trust deliverer, as I think we talked about last time. How has your thinking evolved since your days at Adobe and Cisco? And what\u2019s next for Zero Trust?<\/p>\n
I\u2019ve asked you a lot of questions right there.<\/p>\n
Den:
\nYeah, there\u2019s a few things in there.<\/p>\n
I have called myself that. I mean, I don\u2019t place myself at the same level as John Kindervag\u2014Dr. Zero Trust\u2014or Chase Cunningham. Both great guys, both pioneers in the space.<\/p>\n
I would say I\u2019m a practitioner that has been blessed to implement what we called Zero Trust at certain companies.<\/p>\n
And, you know, people\u2019s definition will vary. And I don\u2019t\u2014like I said before\u2014read the full book and say, \u201cWe\u2019re going to do the full book.\u201d<\/p>\n
I think the first thing is: Zero Trust, more than ever, has a place. With AI growing, some of the principles in the Zero Trust frameworks\u2014I think\u2014are going to be really vital for people to leverage and take advantage of.<\/p>\n
Accessing applications and services\u2014so when we were talking about it, we\u2019d always say it\u2019s: end users accessing applications and services, regardless of where they are, regardless of where the app is, and along the journey\u2014regardless of the network\u2014and assume an untrusted network.<\/p>\n
Now, when you think of non-human identities\u2014I look at the same thing. This is just an application being accessed by a user. So that identity is still a user. And how are we protecting and figuring out the trust level of that user?<\/p>\n
David:
\nSo is it kind of Zero Trust at scale, then?<\/p>\n
Den:
\nThis is Zero Trust at scale.<\/p>\n
So I think the principles of ZT still apply. If anything, they apply more. It\u2019s going to be more important.<\/p>\n
You\u2019ve got to start to leverage security intelligence. You\u2019re going to have to start to look for anomalous events. You\u2019re going to have to look at: are we passwordless? How are we protecting the account?<\/p>\n
Generally speaking\u2014you know, we\u2019re certificate, we\u2019re FIDO, we\u2019re going to a better level of security assurance rather than just a password.<\/p>\n
But I think it\u2019s important\u2014you\u2019ve got to look at these frameworks and determine what is right for your business.<\/p>\n
The goal is never\u2014and I\u2019ve said this to John and Chase over the years\u2014the goal for me at Adobe and Cisco was never to \u201cdo Zero Trust.\u201d<\/p>\n
The goal was to respond to business attacks.<\/p>\n
We\u2019re seeing attacks coming in. Our role was to protect the company from those attacks.<\/p>\n
It just so happens\u2014you can leverage things in that framework to do that. So we called it Zero Trust. You can call it whatever you want.<\/p>\n
The reality is\u2014we\u2019re blocking attack vectors. We\u2019re going passwordless. We\u2019re not using VPNs. We\u2019re going away from network-layer access controls to directory and app-layer access controls.<\/p>\n
So we\u2019re making these changes because: if that device was compromised, if that user did click the link, if that credential was stolen\u2014then we\u2019ve put defense-in-depth things in place to stop it.<\/p>\n
David:
\nYou\u2019ve led security, as we\u2019ve covered, at global enterprises\u2014and now you run your own firm. So based on all of that experience, what\u2019s the best advice you\u2019ve received? And how do you help CISOs and CSOs manage the stress of the role?<\/p>\n
Den:
\nI was lucky enough a while ago to have a coach that I brought in to work with our team, and she had told me to start meditating. And ultimately\u2014get out in nature, meditate more, do yoga, do something which is a calming influence on your life.<\/p>\n
So I look at this\u2014and I share advice like this with a lot of people\u2014because emotional strength is important in this role. A level of calmness is important.<\/p>\n
When you\u2019re under attack by a nation-state\u2014or you\u2019re in some ransomware incident\u2014the last thing you want is your executives to be losing the plot.<\/p>\n
You need them to be calm. A steady hand. Clear thought.<\/p>\n
And the analogy I\u2019ll use is\u2014you can\u2019t see through water when it\u2019s all wavy. If raindrops hit it, and it\u2019s all moving around and stuff like that, you can\u2019t see through it. It\u2019s not clear.<\/p>\n
Water that\u2019s calm\u2014you can see through. And it\u2019s clear. Provided, of course, you\u2019re not in some dodgy, murky place. Right?<\/p>\n
But it\u2019s when you\u2019re calm, when you can reset, when you can think clearly\u2014that\u2019s when you have the best ability to lead through really trying situations.<\/p>\n
And unfortunately\u2014when I was at Cisco and Adobe\u2014it was worse than it is now. But the reality is: the further up that ladder you go, people aren\u2019t knocking on your door to wish you well.<\/p>\n
People are knocking on your door with escalation after escalation, complaints and everything. Everything is a tug-of-war\u2014vying for position. Especially the more political the company gets. The bigger the company gets, the more politics get involved.<\/p>\n
David:
\nYeah.<\/p>\n
Den:
\nSo at that role\u2014you\u2019re always under pressure. I like the pressure. I thought it was fun.<\/p>\n
But the reality is\u2014you need some way to disconnect.<\/p>\n
David:
\nDo you find that CISOs are generally predisposed to calmness?<\/p>\n
Den:
\nYeah. I mean, I look at it like\u2014most of the CISOs that I hang out with socially\u2014there\u2019s always a level of quirky personality. Almost like\u2014we don\u2019t mind taking the beating down again.<\/p>\n
And it is part of the job. I mean, part of the job is\u2014you\u2019re under attack. Right?<\/p>\n
Like, I don\u2019t know how many people you know that sign up in life and say, \u201cI would like to lead the team going to defend us against attack\u2026 every day.\u201d<\/p>\n
David:
\nIt makes me think of a goalie\u2014in soccer, hockey, whatever it may be\u2014they\u2019re just getting those shots flung at them, here, there, and everywhere.<\/p>\n
Den:
\nYep. And you\u2019ve got to have that mindset. You\u2019ve got to be willing to embrace that and thrive on that.<\/p>\n
David:
\nYeah.<\/p>\n
Den:
\nAnd the security team is very much like your defensive line, right? So whether it\u2019s goalie, defenders, midfield, or whatever\u2014depending on your sports analogy\u2014it\u2019s really the defensive line.<\/p>\n
I mean, it\u2019s trying to keep your company out of that mess. Keep them out of the news.<\/p>\n
David:
\nSo last question for you. You\u2019re out there. You\u2019re doing podcasts. You\u2019re at conferences. You\u2019re running 909 Cyber. You\u2019ve got your own podcast now, 909 Exec. Where else can people find you?<\/p>\n
Den:
\nI think the best places are probably LinkedIn and the website: 909cyber.com. We\u2019re still working on the site, but it\u2019s coming along nicely.<\/p>\n
And 909 Exec\u2014we\u2019ve been having fun with it. We launched it because we kept having these great conversations with CIOs, CISOs, and CEOs that we wish we recorded.<\/p>\n
So we finally just said, \u201cLet\u2019s hit record.\u201d The idea is to keep it short, conversational, and to bring some real honesty to the executive experience\u2014especially in cybersecurity.<\/p>\n
David:
\nI like that. And I\u2019ll make sure we link to everything in the episode notes. Den, thanks again for joining us on Security Matters.<\/p>\n
Den:
\nThanks, David. Always a pleasure.<\/p><\/div>\n","protected":false},"featured_media":219914,"template":"","class_list":["post-213056","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\n