Get IT Started Podcast

EP 9 – Robert Davis in Conversation with Den Jones

Hello and welcome to Get it Started Get it Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Robert Davis, of Chick-fil-A. We hope you enjoy Den’s discussion with Robert Davis.

View Transcript

Speaker 1:

Hello, and welcome to Get IT Started, Get IT Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with Robert Davis. Robert is Senior Principal Security Architect at Banyan customer Chick-fil-A with more than 18 years experience in security at the company. We hope you enjoy Den’s discussion with Robert Davis.

Den Jones:

Hi, everyone. Welcome to, uh, episode nine of Get IT Started, Get IT Done. I am your host, Den Jones, uh, Banyan’s entry into the world of podcasting. If we don’t make it in the software business, then maybe we’ll become famous with podcasts. You never know. Um, I have z- … I have zero trust on that actually if that [inaudible 00:00:47] even goes down well. Um, so I’ve got a great guest and… on today’s show. So Robert comes all the way from Chick-fil-A. Um, I’ll let Robert, Robert introduce himself in a second. Uh, it’s great to have one of our customers on the show. We had Eric Anderson from Adobe. Uh, Robert’s here now, so it’s, it’s nice to hear from customers who are going through a lot of the journeys and struggles that, as practitioners, um, many of our customers and many of our non-customers also go through. So Robert, welcome to the show.

Robert Davis:

Yeah. Thanks, Den. I appreciate it. Um, yeah. I’m, I’m excited to be here.

Den Jones:

So can you… For our… To get th- … get things started, can you share with everybody a little bit about yourself and your background?

Robert Davis:

I can definitely do that. So I am currently, uh, a Senior Principal Security Architect with Chick-fil-A, but my main focus right now is on red teaming, which is a bit of a, a shift from where I was. I’ve been with Chick-fil-A for about 18 years. I came out of school as a computer science major, but I didn’t wanna be a programmer. I enjoyed programming, but I didn’t wanna do it eight hours a day f- full time. So I, I got a job as a network engineer with Chick-fil-A, and this was during a time when, um, believe it or not, we didn’t accept credit cards at every restaurant, right. We didn’t have a-

Den Jones:

(laughs)

Robert Davis:

… persistent network at every restaurant back when I started, so that was part of my job was ro- rolling out that network to the… to the restaurant so we could accept credit cards. And I eventually found my way into security through firewalls, and I led our Security, Engineering, and Incident Response Team for a while before I eventually took over as Director of the Cyber Security program at Chick-fil-A. I did that for about three years, but last October, I really decided I wanted to get more technical again ’cause at… in the role, it just, you know… you lose a lot of the, the technical, deep, um, deep dives and stuff. So I wanted to get more technical, so now I am focused on building this new red team capability here at Chick-fil-A.

Den Jones:

Awesome, awesome. That’s outstanding. Um, yeah. It’s, it’s funny, as you go through your career, s- sometimes you just make those decisions where you’re like, “This, this isn’t for me.” Um, and leadership roles, um… Now, it’s funny ’cause as an architect, that’s certainly a big leadership role. You’re still leading a lot of the team and the organization on how things are gonna play out in the organization, but a lot of leadership roles, I always think of it as smoke [inaudible 00:03:09] BS and politics. And you’re playing the game.

Robert Davis:

(laughs)

Den Jones:

Um, l- lu- luckily enough, um, that depends on the size of the company and the people that you’ve… you have connected with over the years in, in your network. Now, in talking about networking, um, I don’t… I don’t wanna spend a lot of time on, on this, uh, magical hype that is zero trust, um, but you know as, as a customer of ours, uh, that means there is some attention to whatever that means. And it means that you’re doing something about it, so I’d love to hear a little bit about your story on, on, on what you guys are doing, um, in the realms of zero trust. Maybe start by sharing, what do you think zero trust means to you guys? And, and then, h- how you’ve… how you got started, and why did you start?

Robert Davis:

Yeah. I think, for me, it all started with Google’s BeyondCorp papers. Uh, I read them when they first came out and was kinda blown away by this new idea. Uh, at first it was, uh, this feeling that we would go from exposing internal applications to the external world, and that just is a really bad place to be. But the way those BeyondCorp papers laid things out, it just made sense to me, especially, with the feeling of, uh, getting into Cloud more and a- adopting Cloud, adopting SAS, like, r- removing the traditional data center from the mix. And so that’s really the, the core of where zero trust came to be for me, um, starting with that BeyondCorp papers.

So it’s, it’s, it inevitably fell into the space of, we are very good at understanding our identities and protecting our identities, but we no longer know, uh, where you’re coming from. And not only that, but we’re becoming more and more remote workforce. So we should care less and less about where you’re coming from, and so the idea of going just identity and shifting device level authentication and understan- understanding more about the device itself that’s connecting, that, to me, is really what, what zero trust is all about. It’s, it’s removing those, those, uh, logical and physical network boundaries and, and understanding more of the context of the device and the user to allow that access.

Den Jones:

Awesome. Now, so on the scale of all the problems in the world, right, we don’t get unlimited budget, so how did you manage to convince executives that investing time and money into this, this thing, um… How, how do you explain to them that this thing… or what this thing was and why it was important to spend money on over other priorities?

Robert Davis:

Yeah. We’re, we’re actually really, really fortunate at Chick-fil-A to have, um, a lot of backing from our executive committee and leadership in general on all things security. Uh, they take it very seriously, and therefore, we get to do things that we, you know, might not normally get to do in… at certain paces. Uh, but at the same time, we’re a very pragmatic security team, and we don’t want to rush into things. And so, um, for us, it was… it was very much understanding the user experience, switching from traditional VPN to this new zero trust model. What does it look like? And then convincing the… our executive committee and leadership that that will be the way that we need to do these things in the future, and, and just from there, i- it, it becomes relatively easy, as you’re not forcing the security on them.

You’re explaining how this new world in which we live with remote access in Cloud and SAS requires a new way of, of connecting users and devices, and, uh, at some point, it’s actually a better user experience, if done correctly, than the traditional VPN. So it was… It wasn’t a too terribly difficult sell from that angle.

Den Jones:

Yeah. It’s, it sounds very similar to, you know, when I ran into price [inaudible 00:07:04] in Adobe. I had the exact same conversations with our executives, um, and obviously, this is long before COVID even occurred. And the, the work from home at that point just went gang busters, but before then, you know, our, our, our view on our team was, um, uh, users and logging in and MFA, that’s good, but it’s not good enough. It’s not going to be good enough in the future, and this idea of everything’s on your network is… was just, you know, a false sense of security. I didn’t even… I didn’t even like the thought of being… of thinking we’re secure because you’re on our network. Um, you know, if you’ve got 100,000 devices and half of them can all talk to each other because of the work stations and printers and whatever else, that doesn’t sound secure to me.

Um, I used to always-

Robert Davis:

Yeah.

Den Jones:

… use this analogy, when you’re driving on the roadway, you know, you think you’re the good driver, so if I think I’m a good citizen, that I patched my device, the same thing applies in your driving. You think you’re a good driver. It will never stop someone else hitting you because the little yellow line between the lanes isn’t a barrier (laughs) really, and, and I think of an office network just the same way. It’s not a barrier. Now, you made your network segmentation to data centers and things of that nature, but, um, it’s, it’s, uh, 40,000 plus people. That’s, that’s a lot of people to click links and be phished and socially engineered and everything else. Now, um-

Robert Davis:

Yeah.

Den Jones:

On, on the rollout, so what did… what did you do to get started? Like, how did you begin the rollout, and what was your, your measurement of success to get it done?

Robert Davis:

Yeah. Since it was kind of a new paradigm, one of our first, uh, thoughts was, “Okay. Well, let’s, as a security team, try to adopt this model in some way,” so we, we leveraged Bing in, in this case to, to put it in front of some security specific tools, or security centric tools, like our, our security orchestration and automation platform, uh, our sim, and, and really just try to eat our own dog food and understand the user experience a little bit better and understand some of the pain points that they might go through. So that was our initial set of, of, of users, and then we… we then start to adopt like, “All right. Well, let’s, let’s go a little bit beyond security, but let’s get some highly technical individuals that can help, uh, you know, work through some of those user issues and, and understanding how RDP is gonna look and feel or SSH access is gonna look and feel.”

And so that was kind of the, the slow roll, uh, from that aspect, and then eventually we’ll be able to get, get beyond that and go, go heavier. But yeah, we started with that small group just to really understand, you know, the difference between that and traditional VPN.

Den Jones:

Yeah. We, we actually, you know… And I’ve so… done two deployments. One was Adobe, and one was Cisco. Um, different technologies along the journey, but the principals of starting was exactly how you describe it. You know, find, find a small group, so your own team to begin with. Then we went to the extended security organizations. Then we went to the IT organization and, and continually just pushed out, and I, I think by the time you get that far, you’ve ironed out a lot of the kinks. Not all of them, but, but certainly a lot of the kinks. Um, and, and the one thing, you know, for me, I’d always say no software is ever perfect, and, and I will f- … I will certainly say including our software, right.

Um, so that, that, that’s where the partnership, for me, becomes really important, and on, on that topic, so when you think of a great vendor or one of your favorite vendors… I’m not even gonna make you… I’m not gonna make you say us, but, but when you think of a good vendor, (laughs) wh- what do you th- … what do you think makes a good partnership as, as you work with a vendor?

Robert Davis:

Yeah. I think some of the… some of the most important things are, are, how does support work, right? Because… Especially when we’re… If we’re talking software and not, um, you know, staff augmentation, like getting contract resources and consulting, but pure software and tooling, uh, it’s really… it… the bulk of it boils down to, we have an issue. What are you doing, and how quickly are you going about making our issue a priority and solving that? And so that, that really becomes number one, and then number two is, is that vendor understanding the space and how they could in… they could… they can be better, not just for Chick-fil-A, but their other customers? But let us know and, and get back feedback from us so that we’re helping guide, in some ways, the product roadmap, right? ‘Cause if we bring on-

Den Jones:

Yeah.

Robert Davis:

… a vendor, their product’s great, but then they start shifting direction, and they’re building other products, or they’re going down a road that isn’t helpful to us, then, you know, that starts to, uh… we start to lose interest, so to speak. So we like to keep that-

Den Jones:

Yeah.

Robert Davis:

… that feedback loop going.

Den Jones:

Yeah, no. That’s, that’s awesome. I think… Yeah, I totally agree. The, the dynamic between the, the c- … the customer and the… and the supplier f- … is… in, in the context of building software and that journey and that path, I, I, I’ve always enjoyed getting in early with start-ups, younger companies where you can almost be a design partner in what they’re working on. Um, for, for me, actually joining Banyan, I was… I was… I knew what I was getting to because we had already made the deal with Banyan in 2019 when I was at Adobe, so it was easy for me at that point to understand who these co-founders were, what the experience working with the engineers was like, and, and how the Adobe team and the Banyan team kind of collaborated as, as we were trying to make sure our deployments were, were smooth, as well.

Um, and something you touched on, which I think is really, really important, is… e- e- especially at Adobe, for us, it was a user experience game, you know. When you have… Or when you deploy something to people who build software that is ut- … uh, user experience based software and design type software, y- you’ve gotta be really on your A game when you deploy things to that audience, um, an- and I, I think everybody’s the same because you don’t that want that phone call to happen five times on a day on how your new thing sucks, right?

Robert Davis:

Yeah.

Den Jones:

So…

Robert Davis:

Exactly. [inaudible 00:13:21].

Den Jones:

Yeah, y- y- yeah. Um, excuse me. So, um, non, non-zero trust… In fact, before, before I close out the ZT stuff, um, any takeaways or gotchas that you wanna share with people on the ZT journey that you guys have been on so far?

Robert Davis:

Yeah. I think, um, one of the things that I underestimated… Well, t- … There was… There was really two things. One was that, while I knew MFA would not be the, the single control to, to rule them all and, and be the thing that kept us from getting breached from an identity perspective, I think the MFA win is, is losing ground very quickly, probably quicker than I anticipated. Like, in my seat now as a red teamer, um, I’ve validated that, which before, you know, we hadn’t seen these attacks personally against us, but as a red teamer, you can validate how relatively easy it can be to bypass. So that’s, that’s kinda number one. Like, all right. Well, MFA is there. It’s great. It does wonders for protecting us, but six months from now, is that gonna still be true? Is the tooling that the attackers and-

Den Jones:

Yeah.

Robert Davis:

… and red teamers are using, is it gonna improve so much that it, it’s almost pointless to have MFA? Um, so that, that’s one thing, is just getting in front of that problem. Uh, definitely something that people need to take into consideration. Um…

Den Jones:

Yeah.

Robert Davis:

And then-

Den Jones:

Yeah.

Robert Davis:

Yeah. And, and then on the other side of that, it’s, um… you, you kind of alluded to this before a little bit, but putting software on machines in order to this zero trust thing, um, is not an easy task for machines you don’t control. And so we’re… As we enter this BYOD world and this BYOD space of… it doesn’t always have to be a, a completely controlled and managed machine if we understand the risk posture of the device.

Den Jones:

Mm-hmm.

Robert Davis:

We can let it do other things that we wouldn’t normally, but that’s really (laughs) difficult to, uh, to, to support (laughs) when you have no idea what that device is doing and why things might not be working. So I think that, that aspect of it is still, uh, still something we’re, we’re learning through and trying to figure out, um, but I’d say those are the two, two biggest things in this journey so far.

Den Jones:

Awesome, awesome. Yeah. It’s, it’s, it’s really, really important for people to kinda comprehend the MFA, u- uh, and I… and I think that the, the failures of MFA are m- more in the news now. I- I- I think that’s a big thing, so there’s a lot more hype about it. I don’t know the percentage of attacks that are, you know, like, MFA, you know, flood, flood that push notification ’til they get bored sick le- … sick…

Robert Davis:

(laughs)

Den Jones:

… sick and tired, and you just hit the button, right? I don’t know how many of those really occur. Um, I, I was a big fan of what we’ll call security intelligence [inaudible 00:16:26] team at Adobe and then Cisco based around this principal, which is gather all that log information, and especially the first and second factor, and then the location you’re coming from. So all of the stuff that you think of, um, when your bank says, “Hey, was this you?” Well, do the exact same thing for all your authentications, and then suddenly, we start to see a picture of first factor successful, second factor fail and from a different country, from a different device, blah, blah, blah.

So what, what was really important to me is now going back to that device. If I register the device to me, and the only person that can log in to that device is me, and I can only log in to applications from devices I’ve registered, then that makes it really, really hard for someone to that kind of attack from their Windows machine on the other side of the world. They may have a first factor. They, they may get my second factor, but they still can’t log in because the device they’re on isn’t registered. Um, and they need to know some extra secret sauce t- to get there. It’s not to say it’s fool proof, but, but it’s a lot better. It’s a lot better than just, um, the identity piece, so I, I kinda look at the identity and the device together as being really, really important. Um…

Robert Davis:

Yeah, absolutely. That’s, that’s zero trust to me right there. Yeah.

Den Jones:

Y- yeah, yeah. I don’t… I don’t trust a… I don’t trust your devices. (laughs)

Robert Davis:

(laughs)

Den Jones:

And BYOD, it does… I mean, BYOD vendors, those scenarios are really, you know… they’re a lot harder, so some, some of our, uh, customers right now are working on vendor specific scenarios so that their vendors can go through the posture check, um, as part of that authentication workflow. Um, in the spirit of deploying in phases, it is easier to deploy to devices you manage, and like you said, it’s harder to deploy to devices you don’t. So that strategy on that phased approach means that the vendor thing and the BYOD thing kinda goes towards the end, right? Um…

Robert Davis:

Yeah, exactly.

Den Jones:

So we do… W- we do have a couple of our, our customers right now going through that, that journey. So…

Robert Davis:

Excellent.

Den Jones:

Shifting topics to some non, non-ZT stuff, um, so sports, I, I, I usually always say to people, I avoid talking about politics, sports, and religion. Um…

Robert Davis:

(laughs)

Den Jones:

But I, I, I th- … I think, from my research, uh, you are a bit into sports, so you can share a little bit about y- … what your favorite sport is and, from there, any parallels you’ve drawn between the sports industry, or, or a team you follow, and, and then how you apply that or what learnings you’ve had as you go through, um, building teams, working with teams, and them being successful.

Robert Davis:

Yeah. A couple of favorites sports, one to play, one to watch. Although, I- I’ll watch, uh, um, either one, uh, at any given time, depending on who’s playing. But my favorite sport, and I’ve played it my whole life, was… is soccer or, or football as they, they might say in other pl- … parts of the world. Um, when it comes to security specifically, uh, and then I’ll touch on leadership, but security specifically, there’s a lot of parallels between the strategies involved in, in team sports and security. Um, one real specific one that I, I like to, to look at and lean on is the defensive side, right? So as a defender, um, in, in soccer, your, your primary job is not to steal the ball, right? When you’re in a 1V1 situation, it’s not to just go poke at it and steal that ball. If you can, great, but your primary role is to slow the def- … the, the offensive player down so that you can get help, right?

And so when we think about it from a security perspective, it’s the same scenario, right? Our defensive postures should be the things that slow the, the offensive, or the attacker, down versus completely stop them. We know there’s no one or multiple controls that will ever completely stop these attacks, so our best bet is to just do our best to slow it down so that things can catch up and we can eventually detect them or get help in other ways. So I think that’s, that’s the biggest one for me when, when we’re looking at sports in general, comparing it to security and how we approach it.

Um, and then from a leadership side, it’s… sports is all about doing your job and, and, um, focusing… The, the most elite athletes focus on their job when they’re… when they’re playing and, and solely their job and doing their job as best they can. Um, if you look at some of the greatest coaches in, in the football… the American football space, you got Bill Belichick and Nick Saban. They’re all about the process and doing your job and, and focusing on that, and if everybody does their job the way they should, uh, your team is just gonna… you’re going to do better as a team versus some, you know, some people doing their job correctly, others taking over because they feel like that other person isn’t doing their job correctly. So there’s, there’s tons of parallels to, to sports in general and, and all of these things.

Den Jones:

Yeah, no. That’s awesome. I’m, I’m also a huge football fan, as in soccer, football, um, and I, I love the analogy on the defense, right? ‘Cause I, I kinda look at that, as well, and it’s like, you know, a defender, you’ll always hear whenever commentators are talking about the defender, how they’re, they’re, they’re trying not to let the attacker get on the inside of them ’cause they’re really trying to steer then away from the goal. So if you think of it as a, you know, a bad actor attacking your company, you’re trying to steer them away from the, the bad stuff. You’re trying to slow them down. So when we talk about the defense and depth really, uh, and, uh, not allowing that mission to, to be accomplished, we may put other gates and controls if you’re going to highly confidential or restricted data or some crown jewels in your company.

Um, and you know, we don’t mind if they got onto your internet site that might have information that y- you don’t… you’re not so squeamish about losing, um, or, or there’s no legal ramification or PR scandal or things of that nature. Um, and, and the one… The one thing for me and, and, you know… when I think of building great teams, and, and team sports is, is really like this, is, yeah, know your job, know the strategy of the team and how the team wanna apply themselves. And then ultimately, the, the big thing is if y- you’re building diverse teams, you know, not every player in a football team or soccer or any sport…. not every player is the same, so if you’re the defender, the, the traits that you’ve got, they’re different from an attacker.

So y- you, you know, the way you think, the way you operate, um, is, is, is uniquely different, and, uh, I almost p- … like, you know, defenders and goalkeepers are selfless usually. They’re not in their… They’re not… They’re not getting all the accolades and the fame and the fortune, but the attackers, those strikers, they’re the ones with the big ego. They’re the ones that just love that fame and fortune, so it’s, it’s diversity, um, for sure, with, certainly, personality types. And, and then skill.

Robert Davis:

Yeah, I like that.

Den Jones:

Yeah. Now, at Chick-fil-A… So as, as we’ve spoken before, I shared with you I have still never had a Chick-fil-A sandwich.

Robert Davis:

(laughs)

Den Jones:

Um, and I’ve heard so much… (laughs) so much about them, and, um, the b- … the big thing for me is I’m not really much of, I’ll say, a fast food person. Um, but I do hear that Chick-fil-A sandwiches are premium sandwiches, um, so tell, tell me, um, what’s your favorite sandwich? And then I hear in the headquarters you guys get to test some new stuff, so what, what’s that experience like?

Robert Davis:

(laughs) Yeah. I, you know, I, I go back and forth, but I always, uh… Well, first of all, it’s a… it’s a travesty that you have not tried our Chick-fil-A sandwich yet.

Den Jones:

(laughs)

Robert Davis:

So we will have to remedy that, but, um-

Den Jones:

Yeah, we’ll remedy that.

Robert Davis:

(laughs) But I, I think, f- for sure, my favorite is just our original chicken sandwich. It’s our hero product. It’s, it truly is, like, in… the best in class chick- … f- … like, f- … um, fried chicken sandwich that, that is probably in the world, if I had to guess. It’s unbeatable. Uh, it’s simple, you know. It’s a… It’s a fried piece of chicken between two pieces of bread with some pickles, but it is, uh, oh, so good. So that’s definitely my favorite. I do love a, a spicy chicken sandwich, too, though, so that’s my… if I’m, you know, feeling, feeling spicy for the day, I’ll go get the spicy one.

Den Jones:

(laughs)

Robert Davis:

(laughs)

Den Jones:

Awesome. And then… Yeah. In the headquarters, so I hear, that’s, like, a test kitchen almost for, for you guys, right?

Robert Davis:

Yeah. It’s, uh… It, it was amazing, especially early in my career, uh, when I had a little more ti- … more free time to go try things, but, uh, they used to… they used to bring around a lot of the trial products for us to taste test with. And so we got to taste test the spicy chicken sandwich years and years ago, uh, before it ever hit restaurants and, and weigh in on the level of spiciness being too much or too little, um, so yeah, it’s a… it’s been pretty awesome to b- … to be able to try these products before they hit market and, uh, provide the feedback that steers, (laughs) steers the menu a little bit. So…

Den Jones:

Yeah. That’s awesome.

Robert Davis:

Yeah. It’s an awesome campus.

Den Jones:

That’s awesome. Yeah. Now, um, so dinner parties, how would you describe your job to people are non-technical?

Robert Davis:

(laughs) Uh, the simplest is, “Hey, I do IT work,” and, uh, and they’re like, “Okay.”

Den Jones:

(laughs)

Robert Davis:

Um, but if they… if they have a little bit more understanding, they might, um, you know, probe a little bit more, and so if I… if I ever in a l- … if I land in a situation where I’m talking about security in general at Chick-fil-A and my role, it usually goes like, “Yeah. I’m, I’m kind of responsible for making sure that your credit card doesn’t get stolen,” right? Like that’s…

Den Jones:

(laughs)

Robert Davis:

That’s the easiest way to, to, to explain the high level like, “Why does… Why does Chick-fil-A need security, uh… information security anyways?” “Well, we’ve got things that we care about from our customers.” So always len- … always lends, um, lends itself well to just talk about the credit cards specifically.

Den Jones:

Yeah. That’s, uh… I guess, that’s the easy one. I u- … I used to tell people… So in the mid-’90s, um, I was going through my career, and I was getting sick and tired of people, when I was back in Scotland, asking me to help build a computer for them.

Robert Davis:

(laughs)

Den Jones:

Um, and I figured when I moved to California in 2001, people that I’d meet o- outside the parties or whatever, they’d always ask what I done for a living, so I used to start telling people I was an igloo repairman. I figured in California-

Robert Davis:

(laughs)

Den Jones:

… there’s probably very few igloos, and there’s nobody gonna call me up and, and ask for my help over the weekend to repair them. So…

Robert Davis:

That’s right.

Den Jones:

So yeah. I, I stuck-

Robert Davis:

That’s a solid plan.

Den Jones:

(laughs) I s- … I stuck with that for a number of years until people realized I was full of shit. D- … Um…

Robert Davis:

(laughs)

Den Jones:

(laughs) So now, one of the things, um, from a leader perspective, if you were gonna give a, a young person new in their career some advice on how to navigate the, the security world and grow their career, what would it be?

Robert Davis:

Uh, that’s a really good question. There’s so many things. Well, I think, for me, one of the biggest, um, biggest lessons that, that I learned, and in, in… I’ve… it just took some time, and, uh… I think that’s just the way this thing goes, but if you talk to new security professionals, and they’ve ever gone through a security course, like a SANS training or something like that, they always come back with the ultimate level of paranoia, thinking that every vulnerability will lead to a breach. And I think that’s one of the biggest mistakes that early security people make because you start to, uh… When everything is on fire, then eventually, some people will just stop listening to you, right? Like, if you approach someone with every single possible vulnerability, whether it’s small or big, and you treat it all the same, they eventually stop listening to you because you, you’re, you’re bugging them 100 times a month.

So I think security professionals understanding the business that they work in and understanding the things that matter to that business are probably the most important skills that they can learn as a young security professional ’cause when you understand what’s important to the business and what, what you need to protect, you can start to balance the things that you think need controls, and you can think through them more pragmatically and go, “Okay. This… I know this control sounds important, or this vulnerability sounds really bad, but let’s look at where it is on our network, or look at where it is and w- … how it would impact the business.”

Den Jones:

Mm-hmm, yeah.

Robert Davis:

And if, ultimately, it’s a bad vulnerability but it has zero impact, even if leveraged, then we can slow down a little bit, and we don’t have to push, push, push all the time. So I think that balance is the most-

Den Jones:

Yeah.

Robert Davis:

… important thing.

Den Jones:

No. That, that’s awesome. I get if, you know, people… If, if you’re gonna cry wolf on every single thing that happens, then y- you just get ignored after a while. And, and, and there’s… Or there’s the other flip side of this, which for me, um, I’ve, I’ve been in teams or inherited teams that had this ivory tower complex, where it’s like, “I’m security. You should do as you are told.” And I think the reality is, is, as, as you’re growing your career, you’re building your network, realize, realize that the partnership, the collaboration will help you get to that end goal quicker than you just turning around and being dic- dictator-ish and directive or telling someone what they need to do. If you actually start off by explaining, “Hey, here’s the problem. Here’s the risk, and this is why this one is more important than all the others,” … And I like how you put it. It’s in the context of business. The reality is, is we’re here to run a business.

Robert Davis:

Right.

Den Jones:

And not, not all the money in the world is made available, and not everything can be tackled. I mean, there, there… We have to make big choices on a regular basis on things, things that you’ll deprioritize or that’ll go in the backlog, and, um, you know, you’re figuring out what’s the bigger risk that you’ve got to be, be worried about ’cause not all… not all, at the end, are, are gonna have any impact on your business. Some might have absolutely no impact ’cause there’s, there’s other controls, or it just doesn’t apply to, to your situation as much.

Robert Davis:

Yeah, exactly.

Den Jones:

Now, I got, uh… So what, what piece of advice have you been given by somebody else that you think was inspirational, um, that you’d love to share with people?

Robert Davis:

Uh, I think (laughs) one of, uh… one of the first things when I got into my career, um, and… So coming into, into work and, and going through college and, and high school, I was… it was Windows only. I didn’t have a whole lot of experience with Linux. Uh, I got into Chick-fil-A, and, and one of my first, uh, people leaders gave me a book on, on VIM (laughs) and VI.

Den Jones:

(laughs)

Robert Davis:

And he said, “This is one of the most important books you will ever read, and you’ll learn the most from this thing,” basically. And, um, and it wasn’t about VIM and VI necessarily, but it was about learning a new skill that I was uncomfortable in and just getting better at, at that. And then of course, he was a, a, a VIM maxi, but, uh…

Den Jones:

(laughs)

Robert Davis:

… you know, that, that really taught me a lot of just understanding there’s, there’s so much more to this world than just the things you may have already done and to be open minded about the… learning new skills and, and changing the way you may have approached things in the past. Uh, learn some new skills and change that approach based on some of those new skills you learned and, um… Yeah. Constantly evolving, essentially.

Den Jones:

Yeah. That, that’s, uh, you know… I’ve, I’ve heard that many times, right? Which is try and… try and s- stretch out of your comfort zone, you know. If you feel comfortable for too long, try and think of ways that you can shake things up a little bit, and, and mainly in the sense of trying to grow your, your knowledge or the area you’re working in. Um, I, I- I- I got, you know… I’ve had so much advice over the years, so, so nothing, nothing really springs out for me, othe- other than, you know, try and look for opportunities to, to help work with other people in the organization, growing your network.

But ultimately, at the end of it, when you’re doing that, people… it’s hel- … it’s, it’s not about doing favors for people, but if you go out of your way to help make someone successful, especially someone who’s a customer… And by customer, I mean anybody in your business could be your customer. It’s not the person that buys the sandwich at the end of the day. They’re the resulting customer, you know, f- … but, but within the organization, you know, we’ve all got customers. And I learned very early on in my career that, you know, everybody’s a customer, and the more you can go out of your way to help them be successful, the more that will, A, build your personal brand and reputation as someone who gets things done, but then ultimately, when you need favors or help from other people, they’re, they’re usually standing beside you ready to lend a hand because they know they can count on you.

Um, the other thing, I’d say, is people, people tend to not gravitate towards people who are lazy and aren’t helpful and don’t get things done. (laughs)

Robert Davis:

(laughs)

Den Jones:

Uh, we shy a- … We shy away from those people, so for, for me, you know, if you get that reputation, it’s very hard to unravel that over time. Um, y- you gotta work a, a lot harder. Now-

Robert Davis:

Yeah.

Den Jones:

I’m gonna wrap, wrap up with one final easy question. Um, what would you want people to take away from our conversation? What would you say is the, the one takeaway they should walk away with?

Robert Davis:

Um, that is a great question. I think, uh, one of the biggest things to take away from this is, um, as we think about zero trust and the future of security, it really… we really have to think beyond MFA and what is that next thing. And, and for me, it is zero trust, and so we really need to be thinking about how we can approach it, whether it’s with Banyan or, or someone else. We still… We need to be thinking about that new mindset. The cloud’s not going away. SAS isn’t going away. Your, your traditional on-prem data centers are going away in a lot of cases, so we really need to, to rethink this whole model. Um, and MFA just isn’t good enough, so that’s, that’s probably number one.

Den Jones:

Awesome, awesome. Well, everybody, thank you. Uh, Robert, thanks for coming on the show. Robert Davis from Chick-fil-A. Uh, and Robert, personally, thank you very much for partnering with Banyan on your journey. Um, I know that these journeys are never, never easy, um, so hopefully, we are making our small part and contribution to helping the success over at Chick-fil-A. Really appreciate it, and, um, thank you, everybody, for watching and listening in. Take it easy.

Robert Davis:

Yeah, thank you, Den.

Den Jones:

Thanks.

Speaker 1:

Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at BanyanSecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track Summer Silk and all their music at UrbanPunks.com.

Close Transcript

< Back to Resources

Free for 30 Days
Simple, secure, & free!

Quickly provide your workforce secure access to corporate resources and infrastructure.

Get Started Now