Greg Schaffer: Hi, I’m Greg Schaffer. Welcome to the Virtual CISO Moment.
Greg: Jack Rumbaugh joins us today. He is a chief information security officer and cybersecurity leader with more than twenty years of experience building and transforming enterprise security programs across telecommunications, healthcare, financial services, and government sectors. Uh, he holds certifications including the CISSP, the C|CISO, the CRISC, the Certified vCISO Level 3. I know that because we were in the same cohort together. We’ll probably touch on the CVCISO in a bit. And I think most recently just became Certified Generative AI on Cybersecurity. We’d love to hear more about that as well. Jack, thank you so much for joining us this morning.
Jack Rumbaugh: Thank you for having me, Greg. I really appreciate it.
Greg: So great to see you again, great to talk again. Would love to hear, though, about your, uh, your, your, your history, how you got started in this field. Bring us all the way up to where you are now and, uh, then maybe we’ll talk a little bit about the CVCISO as well.
Jack: All right, sounds good. Well, I guess my relationship with computers started, uh, during the punch card era. You know, I was in, I was in college and I decided that I was going to be a comp sci major. And with what all that entailed back then was you had to become a very good programmer. And I was not a programmer. I don’t have, I just don’t have the patience for it. So I decided that that wasn’t for me and kind of went a couple of different directions, kind of circled back. I was actually working as a chemist in California and kind of circled back to computers again when I seemed to be the guy in the office that was able to fix everything. You know, we had what’s called a laboratory information management system, which all the instrumentation fed data into it. We were able to generate reports quickly. This is way before AI. So a lot of this was manual.
So we had this all scripted out so that we didn’t have to do a lot of manual entry. And I was the guy that was always fixing the servers and I was always fixing the PC. So I thought, you know what? Maybe this is something that I really have a knack for and I should get into. And shortly thereafter, I got my… I got my MCSE at NT. And the rest is history. So I kind of started as a help desk guy, got into networking, got into network security, and then just kind of fell into information security just by pure accident and have been there ever since.
Greg: So you’re currently working as a virtual CISO?
Jack: I work as a virtual CISO, so I do a lot of, it’s kind of the gig economy these days. I do work for a number of clients.
Greg: You know, it’s funny, whenever I hear gig economy, I always think about, like, you know, I think in terms of, like, bandwidth, like gigabit and not like this is the gig that I’m doing today. I guess it could probably be both ways.
Jack: It could be. Well, I used to be a disc jockey years and years and years ago. So that’s, you know, I always went to my gigs.
Greg: Yeah. Well, you kind of got that disc jockey vibe going on.
Jack: Yeah, people tell me that I have a radio voice. They tell me I have a radio face.
Greg: Now, I mentioned in the intro about the CVCISO, which is the Certified Virtual CISO course through Security Studio. Not often. It’s been a while since I talked about it here, but my involvement on that actually was sort of a challenge and acceptance where I had publicly, I think on the LinkedIn post, had mentioned that I’m not so sure if this is, like, scammy or not. And I was invited to take the course and find out for myself. And as a result of it, it’s like I actually was very impressed with the course. I think that it does a good job both in laying out security principles so that everybody’s on the same level set, but also talking about consulting. But I’d love to hear your perspective of it since we haven’t really talked about that since we went through the cohort. I think it’s been about two years now.
Jack: Yeah, it has been. Well, you know, I kind of fell into that as well. Somebody that I had made the acquaintance of in Houston when I was working for Speedcast, you know, they were going to get in the cohort. They said, you might be interested in doing this. And I knew very little about Security Studio at that point. I’d used it once and had kind of liked the way the product operates because it kind of gives you a more relatable way to tell leadership where we stand, you know, everybody, you know, cause it’s, cause it’s like a credit score. Everybody knows that a five hundreds credit credit score is not very good. Eight hundreds is very good. Eight fifty is you’re almost perfect. So being able to give that information to leadership and they can relate it to a credit score. It made our conversations with, with the other C-suite members and with the board much, much easier.
Greg: I think that, I think that right there is genius. They, they make it so relatable when you’re talking about security posture. Um, but so I joined the class a week late, had to do a little bit of catching up. Um, I found it to be very informative. I was also going through EC Council’s C|CISO at the same time. Um, I, so I paused that, put all my effort into the CVCISO cohort. And because there was, there was a lot of homework, you know, it was almost like being back in my master’s. Oh, my gosh, it was a lot of homework. You know, I mentioned to people the cost of that thing isn’t so much like the monetary as it is the amount of time you put into it. It’s a huge investment in time. But I think it’s, I think it’s time well spent, because it kind of gets you to where you can relate things that a CISO needs to relate up to either a client or, you know, if you’re working for a corporation, you know, your C-suite members and, you know, the board, because these guys, some of them are not very technical. So you have to take something that is very technical and you have to distill it down to something that is palatable to somebody that doesn’t understand cybersecurity. So I think it really hits the mark there.
Well, and on that note, there’s—being a virtual CISO, this is an issue sometimes as well. Well, I shouldn’t say sometimes. It’s an issue for full-time CISOs as well, too. But I think it’s a little bit different in its approach for virtual CISOs when you’re talking about actually talking with the C-suite and the board of directors in—and that sometimes can be a rough path because often security leaders don’t really want to pay much attention to security. They just want to know, are we secure? And the worst answer to that is saying, yes, I did that once and I kicked myself for it. It’s like… I had a president of the bank that I first started working for. He took me out to lunch and he asked me that. I said, yes, sir. And then I had to go back to him like a little bit later in the day. I said, let me explain what I meant by that. It’s like, I think we have things in place, but no, we’re never going to hit that a hundred percent security. He laughed. He said, I knew what you were saying. But in any case, what do you do to help the C-suite and the board of directors if you’re able to talk to them as a virtual CISO, which sometimes that happens, sometimes it doesn’t? How do you help them to understand the importance of looking at security as an important business risk that needs to be addressed like any other risk?
Jack: Well, I think that some of this is having to address risk with them in a manner in which they can understand it. Um, and, you know, honestly, heat maps don’t do it. Red light, green light, yellow light, that doesn’t do it. Um, I’m a huge fan of FAIR, factor analysis for information risk.
Greg: Yes.
Jack: Because it gives you a dollar value per risk so that you can say, all right, so we have this risk. If we realize that three times this year, it’s going to cost us three hundred thousand dollars, and historically we get hit three times a year. Uh, the mitigation is fifty thousand dollars. So that will mitigate the risk down to our risk acceptance and tolerance levels. What do you want to do? So you put it back to them. It’s like, it’s going to cost us six times as much to not fix it as it is to fix it. And usually most business leaders will go, yeah, I can weigh that and we can go ahead and spend that fifty thousand dollars for mitigation. And that’s how you have to really speak to them. You have to speak to them in a language they understand, and dollars and cents is a language that every C-suite and board member, they understand.
Greg: You touched on a very important point there, and that is that you have to speak their language. Their language is dollars and cents. Their language is the business needs. And to get to that point, you have to understand not only the language, you also have to understand the business itself. What would you recommend for, like, this could be for a virtual CISO or a new CISO at an organization. What would you recommend that they do on first engagement to get to know that business, the business processes, and where all the information is?
Jack: Well, you want to integrate yourself in as much of the day to day business as you can. Learning the business is basically for the first thirty, sixty, ninety days, however, however many you need and however large the engagement is, you need to be quiet and you need to listen. You know, I’m very opinionated about certain security subjects. And, you know, I’m going to sit back and I’m going to watch and I’m going to learn and I’m going to figure out how business is done. What do our business processes look like? You know, where does data flow? Where does, you know, where is our data? Where is our infrastructure? You know, there’s not as much on-prem anymore. It’s in the cloud. You know, are we infrastructure as a service? Is it all software as a service? Are we, you know, what does it look like? You know, what does our third party risk look like? And then once you kind of get that big picture, you can start going, all right, so where are our gaps? And one of the things that I’ve really noticed over the last probably fifteen, twenty years of my cyber career is that some of the foundational things that you would expect to be there, even for large companies, isn’t there. Things like asset management, vulnerability management, you know, the very, very basic things that you would expect to be there. And those are the things you have to look for. You want to make sure that you have the bare minimum industry standard things in place so that you can build from there. Or you need to find out what’s missing so you can immediately start addressing that.
Greg: Yeah, I would actually expand on that where sometimes with larger businesses, it’s more prevalent that you don’t have some of these basic things in place. It almost seems like that they will tend to rely upon tools to do stuff. But when you get to the basics, and really information security is all about the basics and making sure that you’re doing the core things right. And so you just talked about asset inventory. That would be probably the one place, I think, where most businesses, big and small, really fail. And if you don’t know where things are, because assets can be systems, that can be information as well, too. If you don’t know where they are, how can you protect them? If you were to start a virtual CISO engagement tomorrow and you asked for their asset inventory and they’re like, well, I’m not really sure what that is, what would your next step be?
Jack: Introduce them to what an asset inventory is and what it looks like. Like you said, you’ve got to know what you have and where you have it so that you know what controls to put in place. I spent some time working in security with iHeartMedia and they were phenomenal about asset management. This is a very large corporation. It’s international. We had over two hundred and fifty terrestrial radio stations that fell underneath iHeartMedia. You’ve got a bunch of other subsidiaries like Clear Channel Outdoor. If you see a billboard that says Clear Channel on it, that was one of ours. They did it right. They were a ServiceNow shop. They had the ServiceNow asset management piece in there and they had it dialed in.
I’ve also worked for a very large company that will remain nameless, that was global, that couldn’t tell me where everything sat. The internal inventory for laptops, desktops, things of that nature, we knew all that. But where all our servers sat, that was probably seventy percent. OK, where all the equipment on the edge sat and what it was and what, you know, what’s the firmware level, where, you know, what what’s vulnerable? They couldn’t tell me. And we had hundreds of thousands of IPs that I couldn’t tell you what was sitting on that IP. Yeah. And that, once you kind of, like, uncover that rock and see all the squiggly things running underneath that, to use an analogy that one of my bosses told me, I’d never got that image out of my head, you start to freak out a little bit and it’s like, what are we going to do with this?
Greg: But I want to shift gears, though, for a moment, because I want to make sure that I don’t forget to ask this question. When I was going through your intro, one of your certifications is Certified Generative AI on Cybersecurity. I think I have that right. I’m not aware of what that is. What is that?
Jack: Well, that actually came up as I had a goal with my last company to get some sort of an AI certification. And that one honestly was cheap. They weren’t going to pay for it. So it was two hundred bucks out of my pocket. It was on sale for Black Friday or something. And so it is a basic certification that kind of gives you that broad view of what generative AI is.
And I just happened to open an email right before we started here. And ISACA has an advanced AI in security management, AAISM. And I passed the exam several weeks ago. I just got approved literally thirty minutes ago that I can start, you know, putting a certification out. So that’s another one that I did. And that one really dials in on how businesses should treat AI. It is very much a GRC focused certification.
Greg: This brings me back to something you said in your history. You were talking about that you’re not a programmer. I think you said something along the lines of that you don’t have the patience for it. And I’m kind of along those same lines as well. I was an engineering student. I did Fortran, uh, seventy-seven programming. I’m incredibly dating myself by saying that.
Jack: I would be about the same. I’m about the same vintage. So, yeah, I totally get it.
Greg: You know what I’m saying. And it’s like in programming, I mean, back then, you know, I was just trying to solve simple engineering calculating problems, you know, nothing major. And programming, when you’re doing it, the code line by line and all that, it can get to be very frustrating. But now today, bringing this in with AI, we have vibe coding, we have AI infused in coding platforms, we have the ability to create apps. I’ve actually created one internally for our virtual CISO business that helps run the business side of the house and actually made it multi-tenant with the idea that I may release it at some point in time beyond what we use it for. But my point being is that I used AI to help with some of the aspects in this. And in particular, one of the aspects I wanted to try to do was to move one file from one place, from one system, via an API to my system. And in the process of doing that, using the integrator, I won’t say, well, I don’t mind saying it because I said it before, I was using Zapier. Asked them to build that workflow. And they said, sure, we can do this. And within a moment, you had this whole workflow. I didn’t have to code anything. It was all there, except when I investigated it, I found that they were by default dropping it temporarily into an S3 bucket, which was exposed, that I didn’t know about at first. So I’m really worried about the security using generative AI or some of the other, and I always forget the different terminologies and what they are, but basically using AI to replace work, where then you’re replacing the importance of coding correctly from the start. So you talked about governance. You said it’s mainly a governance thing. For firms that are walking down this path thinking, oh, hey, I could just use Claude to do this, and this is fine. Suddenly, I have this thing here, and it works. Um, what would your suggestions be as far as integrating, uh, governance into that AI process?
Jack: Well, first you gotta figure out which framework works for you. Um, EU has one, NIST has one, ISO has one, mm-hmm. And you can get in, for firms that don’t do government work or don’t have to be ISO certified, pick and choose, you know, go through, go through them and tailor the controls to what you, what you need. And honestly, that’s what you should be doing with any framework. Cause there’s gonna be things that just don’t fit. And once you’ve tailored it, you can start putting processes and procedures and policies in place. But the big thing that they’re stressing within this, with this in this ISACA cert is you have to have transparency and explainability of whatever it is you’re doing with AI. You know, if you were using a chat bot that took in customer information that filled out some forms on the back end, uh, you want to be able to explain, number one, how did the AI reach the decision it reached when it spit out stuff back to the customer? And you need to be able to explain that. It needs to be a transparent process. So those two concepts were something that was a little bit different for me to wrap my brain around. But also, you mentioned coding and not having any humans in the loop. That’s a big thing as well. If there’s anything that is, you know, something that you cannot turn AI loose on a hundred percent, uh, for one of the examples given was, you know, diagnoses with health information. You know, you upload the patients, uh, all the patients’ blood work and everything in there and the AI will help with diagnose diagnosing a condition or what have you. There has to be a human in the loop for the important things. So the important decisions, like can I roll out this code and is it going to be secure and are there going to be vulnerabilities? You still have to have that engineer in the loop to be able to go through and, like, you know, in your case, discover the S3 bucket that was completely exposed to the internet.
There needs to be somebody that’s reviewing this stuff, at least for now. Once, you know, twenty years from now, it may be totally different. But right now, AI is not perfect.
Greg: Well, that’s a standard process in coding where it has to go through peer review, some sort of review before it’s released to prod. And so we have that coding process governance in place. The problem with being able to do it now easily with some of these tools is that you don’t have coders that are building these things. You have business people that are building these things that want to solve a business problem as rapidly as possible. And therefore, you don’t have the guardrails in place. I’m a little worried.
We’ve often seen, like, other frameworks, like I’m sure you’ve worked many, many, many times with corporations and organizations that are trying to get to have their SOC 2 attestation or they need to meet PCI DSS or, or HITRUST or something along those lines. And so it becomes more like they’re managing to the check the box of the compliance and not really the security aspects of it, um. And we have that problem of trying to convince those folks that, no, you’ve got to make sure that you’re checking security as well, too. This isn’t just a compliance thing. It’s risk-driven. How do we do that, though, with the governance, with AI? I know you talked about putting in frameworks. And for you and I, we understand that. But how do you sell that to… maybe your smaller businesses where you got your startups, and they’re like, I can build this thing in cloud in a day, when really, it could be a real mess that could destroy their business.
Jack: I think you still have to treat it like any other development project, you know, because SDLC is there for a reason. So you want to make sure that you have those security gates. And honestly, if you’re engaging security and all the other stakeholders very early on in the conversation, then maybe you’ll, you’ll avoid some of the pitfalls along the way. But honestly, you still need to be able to act like you’re going to roll out an app to the public. You still have to do application testing. You still have to do the penetration testing to make sure that there’s nothing in there that’s exploitable and that you’re not going to end up exposing data. You know, and I think if you follow the process, it’s already there and you just loop AI into that process, I think you’re going to have some guard rails already in place that you know how to deal with because the guys that are coding this stuff by hand, they already know this and they should be able to say, okay, just because AI did all the work for me and let me do this in, in, you know, a tenth of the time, I still have to do go through all the security gates. I still have to do the due diligence.
Greg: So the takeaway from that, at least a takeaway I get from that, is that this is not going to replace the need for qualified coders for startups, for example, that are building applications. Don’t just rely upon everything on AI. You’ve got to have that human touch in there somewhere.
Jack: Oh, absolutely. Human in the loop is still something that’s required for a lot of what AI is doing. Because you have to sanity check it. Most AIs are very good at doing certain things. But if you get outside of what they’ve been trained on, maybe they’re going to give you a hallucination. I’ve done some stuff where I’ve put together policies, and I will absolutely use AI to help me develop a policy template. But as you’re reading through it, you’re going, eh, that doesn’t belong here. And you can’t just take it all at face value. There has to be somebody that reviews this stuff, at least now.
Greg: Right. Well, one of the constants in our industry is that there will always constantly be change. And that’s one of the things that makes it exciting and makes it a beneficial path to choose. But it can also induce stress. And I’m a big proponent of stress. We need to, we need to release that stress in a positive manner as we’re encountering it, because if we can’t take care of ourselves and we can’t take care of others, we can’t help protect information the best that we can. And I always encourage folks. I know that people who regularly listen to this podcast think that I’m being a broken record here, and I’m dating myself by using that term broken record here. But you have to do it in a healthy manner. What’s one of the things that you do, Jack, to maintain your control, if you will, on the stress? Don’t let it overwhelm you.
Jack: Well, honestly, I try to keep work-life balance in everything that I do, whether it’s a VC engagement or whether I’m working directly for a corporation’s employee. You’ve got to unplug for a little while. Have that phone on you, twenty four by seven. You know, you’ve got it. You’ve got to set it down, put it on. Do not disturb. Whatever happens, you know, at, at ten o’clock at night, unless it’s an absolute dire emergency, it’ll still be there at eight o’clock in the morning. You know, you can unplug for a certain amount of time.
But to manage for stress management, I work out. You know, I have a gym in my garage. I go to the local gym here in town. I try to get at least three workouts in a week. Some, some weeks I do five, some weeks I do two. But it pretty much averages out that I’m working out three times a week. I also like to ride motorcycles and just get out on the back roads here in north of San Antonio and just kind of just veg, you know, look at the scenery, drive around, feel the wind in my face.
Greg: I love the scenery in that area. It’s like I had mentioned to you before we started recording that I had gone to that area on business over the summertime. I got an opportunity to visit Lackland Air Force Base for the first time since I was in basic training back in… The one thing I remember about that area, and I don’t remember if it was, it was probably more North Texas. And actually, I guess Wichita Falls would be in Kansas. But, but boy, those jackrabbits. Do you have jackrabbits where you’re at?
Jack: You see them occasionally, but not as much. That is definitely a North Texas, Wichita Falls thing. When I was younger, my dad was an Air Force officer, and so we moved around a little bit. But one of his duty stations was Sheppard Air Force Base in Wichita Falls. That’s where I was at, is Sheppard. And I remember seeing the jackrabbits there with just the weirdest, like huge ears and all that. They’re interesting looking.
And one of the things I remember when I was a kid, the horned lizards, little horned toads, you know, that’s TCU Horned Frog is, is, uh, is basically what they’re talking about. But they used to be out in the yard. I mean, you’d go be able to collect four or five or six of them at any given time. And I’ve lived here for ten, again, for ten years, I haven’t seen a one. And unfortunately, I guess they’re endangered now. But that was something that I grew up with is like, yeah, let’s just go get a horned toad and play with it for a while and then turn it loose.
Greg: How does, no, maybe I don’t want to know. How do you play with a horned-toad frog? You just have it around, watch it walk around and all that?
Jack: Well, you know, you try to pick it up without getting poked. I mean, when you’re three or four years old, it’s cool anyway because it’s a reptile that won’t bite you. And, uh, you know, occasionally you can get it over by an anthill. You can watch it eat it. You know, so there’s, it’s entertaining. It’s entertaining for a four-year-old.
Greg: I remember as a kid we didn’t have those frogs. We just had, we had regular frogs without the accoutrements, I guess. Um, but the, if you picked one up it’d always pee on you, and I, I don’t know if those frogs did it.
Jack: But no, not as much. But at least, you know, again, it’s been a while since I was four years old, so I don’t really remember. But yeah, we’ve got frogs and toads around here at New Braunfels, but we just don’t have any of the horned frogs, which are actually lizards.
Greg: Here on the Virtual CISO Moment, we cover topics all over the place, including urinating frogs. Go figure. Jack, what plans you got coming down the road, man?
Jack: Well, right now I’m doing some side work, doing some vCISO work. I’m still looking for that full-time gig. The company I worked for last year went through some hard times. They laid off a bunch of us in, well, right about the first of September, they laid off five hundred of my closest friends and myself, and they’ve gone bankrupt since. So, you know, I’m still looking for that, that next challenge, that next opportunity.
Greg: Well, everybody, you got a candidate here. If you know somebody who’s looking for a qualified CISO who is also very well versed in the AI risk management governance space, Jack’s the one to call. Jack, appreciate you joining us this morning. Very interesting conversation. Like I said, I don’t think I’ve ever talked about frogs before in here, but I’m willing to talk about anything. But appreciate you taking the time today, and I appreciate catching up. It’s been a while since we talked.
Jack: Yeah, we need to do this again sometime. Thanks so much. I really appreciate it, Greg.
Greg: Yeah, me too. And everybody, stay secure.