Phishing For Answers

Phishing 4 Answers: David Cross, CISO, Atlassian


In this episode of Phishing 4 Answers, host Joshua Crumbaugh is joined by David Cross, the Chief Information Security Officer (CISO) of Atlassian. Atlassian is the global leader in collaboration and developer tools, powering companies with platforms like Jira, Confluence, Trello, and Bitbucket. Securing an ecosystem with millions of users and critical corporate data requires more than a simple strategy—it requires an architectural masterclass. We dive into the challenge of scaling security across massive cloud platforms, protecting the entire DevOps pipeline, and how Atlassian builds a robust security culture for its thousands of employees and global customer base. If you are trying to understand the intersection of extreme cloud growth and ironclad enterprise security, this session is a mandatory deep dive.

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Psychology As The First Defense

SPEAKER_01

Psychology is the new firewall. Human insight trumps every trick. We're not hacking systems, we're hacking behaviors, so you won't click. No complicated code. Just try to true right science at play. Social engineering for good. The best defense is in your mind today.

SPEAKER_03

And we flip the script on the bad guys after turning humans from an easy target into the strongest line of defense.

SPEAKER_04

The views and opinions expressed on this podcast belong solely to the hosts and guests and don't necessarily reflect those of their employers or sponsors. We're seasoned security professionals. But this is a conversation, not a custom consultation. If you need specific guidance, reach out to Joshua Crumbaugh directly.

Meet Atlassian CISO David Cross

SPEAKER_00

This is season two, and I'm really excited because today we have David Cross with us. He is the CISO of Atlassian, that company that owns all of the tools that we use every single day.

SPEAKER_02

Well, I've been around for a few years, right? Microsoft, Google, Oracle, now Atlassian. I've also been an angel investor, uh advisor. I'm also a venture partner of Rain Capital VC. But it all started, you know, I don't think this book in the back here, right, is Bruce Schneier's Applied Cryptography, the original one. Where did I get that from? I got that from the Naval Exchange bookstore in Naples, Italy, when we're coming back from the Gulf War, right? And I said, I read that book. I said, this is where I want to be. That set things off from my military service, you know, obviously worked in electronic warfare, but from there, like I know where I want to go. It all started there like 30 years ago.

SPEAKER_00

Yeah, you were like key and uh like one hands-on engineering uh with you know some of Microsoft's uh early security, right?

SPEAKER_02

Absolutely, yeah. I think is that all my patents and things like that is so everything from you go look up who wrote all these white papers about Microsoft certificate server enrollment or other things like that or the encrypting file system. Uh, you might recognize somebody here.

SPEAKER_00

That was you. All right, all right. You know, I've read a couple of those, normally out of frustration, um, but I have read a few of those. Um, well, it's great to have you on the show. Uh, I'm really excited to dig into some of your philosophies uh around just the the human element in general and to cybersecurity.

Make Security Tools Developers Love

SPEAKER_00

Uh, but one of the things that I found interesting uh that I I've seen uh you say a few times is that we've got to make tools that developers want to use. And uh and the reason that stood out to me is because I've been saying for a very long time that when cybersecurity is the easiest path, it becomes the default path. And uh and so I I really like that. And maybe that's a good place to start is how do we make cybersecurity easier for everyone involved?

SPEAKER_02

Well, you know, I always like to go back to something I learned and heard from a colleague and friend a long time ago, you know, Ira Winkler, which many people have heard of, right? And and Ira says it's really is like security, who's your customer, right? You know, everyone company, you can talk about your end customers, but no, who the customer of security is, it's the developer in your company, right? Security, we're a customer service organization to make our engineers, our developers, and other things work really well, especially because I've been in product security for a long time. But that's the number one how we have to think about it. If we make their life great, they're gonna love us, and that's the way to think about it.

SPEAKER_00

Yeah, I mean, I I completely agree. Um, as a I have a question for you then uh around the human element.

Shift Left To AI For Secure Code

SPEAKER_00

Uh, one thing that stood out to me more recently, and a little bit about my background, I spent much of my time as a uh ethical hacker, uh, and about I don't know, 60, 70% of that time uh doing application security for the federal government, uh, amongst other uh organizations. Uh but because of that, I've seen thousands of applications. And more recently, I've seen quite a few applications built predominantly by AI. And one thing that stood out to me was that the AI applications often were built a little bit more securely than the human applications, uh, just because so many of our developers weren't taught about cybersecurity. This is something that they learned after they graduated from school. So, how do you battle that? What do you do to help them write more secure code?

SPEAKER_02

You know, this is one I can't resist, you know, uh sharing kind of my thoughts on this. Certainly, you know, for many years we had the shifting left, you know, from a culture perspective, from an ownership perspective, etc. DevSecOps, right? I think it had some good principles and things, but was it really successful? I don't think so. But now with AI, the world's changed. And I say we're shifting left to AI, right? What I mean by that is that now we have agents writing the code, right? But now we have agents that could be securing the code, and that's why we're shifting it to AI. And so we're actually it's the best of both worlds. We couldn't ask for something better here.

SPEAKER_00

I I agree completely. I think AI is the solution here. It can uh review the code, and you know, from the time I commit to the time I get back to my desk, I can have a review sitting in my inbox. It's amazing how quick it is.

SPEAKER_02

And here at Atlassian, for example, that's what the way we think about it saying, hey, great. AI saying, whether it's your IDE or the coding agent, we say, hey, just go ask these agents to make sure it's secure, it's compliant, it's private. So great. We set those up to do those things, and of course the AI just uses it.

SPEAKER_00

Yeah. I I do think AI for the first time gives us the opportunity to stay ahead of the bad guys. So much of what we do revolves around uh uh of you know, patching and uh and putting in compensating controls for well uh insecure code. Um, I think now with us being able to write code so quickly, secure it so quickly and so effectively that it will help us stay ahead of the bad guys. I mean, what do you think there?

SPEAKER_02

Oh, I think it's gonna help it certainly is gonna help enormously. Is you think about for many years, I won't mention a vendor, right? They're saying, oh, we can do remediation uh automatically. We can be, you know, doing all these uh resolutions automatically for it. It never worked, did it, right? But now with AI, it's actually it can actually fix the code, right? And submit the PRs for you that no one would ever want to touch print pass, right? We all have monolithic software sometimes, right? It's like, wow, John Doe, go look at this code someone wrote 20 years ago that you've never seen before and try to fix a bug. Well, AI's not afraid to do that, and it can do that, which never existed 20 years ago, and now it's a whole new world.

SPEAKER_00

Well, and you know, I think about all of like the Fortran and the Pascal, and we had this these languages that were entirely developed by people who are at retirement age now, they are leaving the workforce, and we had no one to replace them. Well, all of a sudden, AI can jump in, it can read the code, it can write the code, it has no problem with it. Um, and I think that's another really good thing is that it does help us modernize. Um, I've seen a number of clients already that had applications that were, you know, built on old technology that everyone was afraid to touch. And uh, and in one of them, in one case, it was a project manager that was just like, I'm going to rebuild this. And uh, and they did, and it was so much better than what they had. Um, and you know, I when I asked, I was like, Well, who did it? And I expected it to be someone technical. No, it was the project manager that uh that had to manage all of that. Um, that's so it's it's certainly an exciting world where I think for the first time, non-technical people have access to uh to write code too.

SPEAKER_02

You know, certainly just what you you mentioned, you know, ethical hacker. If I say, okay, red team, pen test, I use a different words there, but but before it's kind of like you think about, oh, you found something, right? Uh and you think, oh, here's vulnerability, but how much time did you have to find every variant, right? Or every path, right? So you found one and then you have to you move on, right? Well, now AI is saying, let me find we can find all the paths, right? All the variants and things in an automatic way and get the full answer, right? And then on top of that, here's the recommended fix and changes to correct that.

SPEAKER_00

Well, and you get the full fix because I mean there were so many times that uh we would say, Hey, you have this issue, and they would go fix it, but they would fix the exact specific thing that we found and not the larger overarching issue. And so we would go back and forth and back and forth. I mean, I I think one time we must have gotten uh gone back and forth close to a hundred times on a single uh on a single ticket. I I I know the company itself, the the vendor was just hated us, you know. Um, but it is what it is, you've got to get these things secured, and uh unfortunately you're right, they don't take that long anymore.

Data Driven Culture Change That Sticks

SPEAKER_00

Um pivoting uh a little bit, how do you uh uh what in your opinion, what is the best way to drive culture change from a cybersecurity perspective? How do we make people care about cybersecurity that you know, say they're in the accounting department or uh, you know, even janitorial?

SPEAKER_02

You know, the way I like to think about this, you know, it's a little bit of the the art of influence and other types of things, but ultimately is when you're data driven and people can understand the impact, you know, from uh from a data perspective, right? It's it's easier for them to embrace it if you say, Well, here's my opinion or here's what I want you to do, right? People are naturally as humans who are gonna reject it, or versus you're saying, Well, this could be the impact to a customer, or this could be the impact to us, or this is what it could cost us if we don't do this, right? And people like, oh people then internalizing that and then accepting it, right? It's always not just about the what, it's about the why. When people understand the why, it it you know, it's really much more easier to embrace and and and accept.

SPEAKER_00

I I couldn't agree more, and and the why really connects back to motivation, and uh and so we've already talked about ability. Uh, one of the things that I like to talk about all the time is what I call social engineering for good, but it really is just behavioral science. We've been studying it for millennia. Um, and so there is a behavioral science framework for uh, well, framework for behavior change that was developed out of Stanford University's uh behavioral science laboratory by a guy named BJ Fogg. And it says, uh, for whatever behavior we want to achieve, we need motivation plus ability plus prompting. And uh, and I I bring that up because what you're hitting on there, starting with why, tell them how it connects to the customer, uh, how it connects to their personal life, all of that ties into the motivation factor. You're building that motivation for the uh the user to drive that culture.

SPEAKER_02

Absolutely. You know, it's kind of like it's to go back to the art of influence, right? It's you know, the reciprocity, right? Is that hey, if I give you something that you love, you're going to want to return, you know, return it, right? This is the angel thing is why did the vacuum you know salesperson bring the flowers and saying, hey, well, can then can I talk to you for five minutes, right? It's because we're human. And so if you think of it that way, hey, I'm making this better for you, you know, engineer, I'm making this better for you, operations organization. They're like, oh, I I want to return that, right? It's natural.

SPEAKER_00

Yeah. Well, you know, I love that you brought up reciprocity because you know, there's all of these different cognitive biases that we we all have. We use them every day to quickly make decisions. And uh, but they're also at use to exploit our people and social engineering attacks. One of the things that I focused on is how we can use those same tactics to make our people more secure. Um, and you just hit on it. We use reciprocity, we give them something of value so that they give us something of value in return. Um, and it and and I love it. Uh, I think the same thing about authority. It's it's funny how we still see the CEO attack uh working when it's as simple as sitting down with CEO, getting him to record a video, making sure that every new employee, the first thing that, well, at least within the first however many days, they see that video of the CEO saying, Hey, I'm not gonna ask you to buy gift cards. That exact same bias to authority works to make sure that no one falls for it instead of you know, everybody.

SPEAKER_02

You know, I can't resist bringing up, you know, something that comes to mind I'm really passionate about in this

Persona Based Training Beats Generic Training

SPEAKER_02

area. You know, we think about the various training, you know, phishing training, you know, and social engineering, things like that. Is I think the thing that which I'm very excited about is how we've evolved quite a bit here now. It's not about giving the exact same training, exact same message to every person in the organization. Yeah. Because the executives are different than the developers, than the knowledge workers, than the executive admins. It's how we train them in based on their persona, what their workload like, because that is how it will mean the most, right? And I think you're seeing a lot of companies that are helping with this, and I think that's how we have to look at things going forward.

SPEAKER_00

Well, I saw a statistic that said that when you contextualize the training to that individual's role, that it becomes 15 times more effective because it means something. All of a sudden, it's not this generic, oh, it's everyone's training. It's oh wow, this training is for IT, this training is for finance. And so it it hits to them. I think the other point here is that the bad guys are targeting our people based on their role. So if we are not training based on their role, we're starting out behind the uh whatever. Absolutely. The different roles.

SPEAKER_02

Oh, yeah. I'm saying the different roles, the different personas and the behaviors, right? People have different risks, different um, different roles um and different threats. And then how you take that information. I think this is like one of the companies like uh Living Security helps doing that. Is here's the people based on how they're acting and the role, this is what they're going to need, you know, and helping them with that, right?

SPEAKER_00

Yeah, no, I I couldn't agree more. I I think it's that that role-based training that is so critical. Uh, but uh along the role-based training, something that I also think is neglected, uh, and it's the flip side of the same coin, is role-based phishing. So our people get targeted every day based on their role. Um, I think we have to target or do our phishing uh to the individual's roles. Um, but I all I've also seen the phishing simulations get a really bad rap all the time because of where the way they're done in a lot of places. So I want to just leave that one wide open. Uh, what is your opinion of phishing simulations? And uh and if you do do them, how do you do them effectively?

SPEAKER_02

You know, I think there was just a paper came out, and uh we saw on LinkedIn here recently uh people talking about some research that yep, it never works, right? I I think that when you do it the same for everybody, you're never going to get um the result you want. Nothing's gonna change materially.

SPEAKER_00

I agree completely. Sorry, I'm just the choir here saying amen.

SPEAKER_02

But so Joshua Iski is like, let's go back to ethical hacking and red team. Does a red team ever fail to get in? No, they always gonna get in because that's their mission. So for phishing tests, can I get everybody to always fail? Of course I can, right? Because that's the nature of it. Versus focusing on where's the real problem, understand their persona, their role, right? And how they can be trained and in and detect these things themselves, right? And I think that's the difference. Way that's how we think need to think about it.

SPEAKER_00

Well, I agree. I think so often the the goal of phishing assessments is to try and get people to click. Um, my goal when I run phishing assessments is honestly uh to try and get people to report. I I want to train people, I want to build those reflexes. I don't think the goal is as much can we get people to click? Because it the goal is education. The goal to me is building those what I like to call human virus definitions. So, you know, whenever people do a hands-on exercise, they get muscle memory. And to me, that's what we're trying to do with phishing simulations. Uh, but they have to be done in a way that the user instantly knows when they made a mistake and they learn from that mistake. Uh, when you lose that just-in-time uh education, I think too often the user feels exploited and they feel taken advantage of. And that's when you get that whole phishing doesn't work.

SPEAKER_02

You know, I can give you my opinion. I think one of the other challenges is we have phishing training and tests that do one thing, and then our email security solutions do another, and they're not that connected, right?

SPEAKER_00

And so therefore No, they're not, they're always battling each other, aren't they?

SPEAKER_02

Yes, and ultimately I want the user to click, I want them to click the thing is like investigate this for me, right? I don't want to click the other things, I want them to clicking that button, but it's they're so disconnected in how we approach us, right?

SPEAKER_00

I I I agree uh completely.

Measuring Culture Through Reporting

SPEAKER_00

So um let's talk KPIs. Uh, how do we measure culture within an organization? Um I'll I'll leave that open to you. What what how do we measure culture?

SPEAKER_02

Can you give me some more scoping for that one?

SPEAKER_00

Well, uh it anyway, I I can give you an example of how but one of my favorite metrics. Um one of my favorite metrics to just measure culture is the report rate. Um, if I send a phishing simulation, how many actually come back to me? Um, it's you know one of a few, but it's hard to measure culture. And uh and I think that's one of those ones that gives me a good idea of how security aware people are. Um, but just anything, it could be coding, it could be number of bugs, it could be, you know, whatever.

SPEAKER_02

Yeah, I certainly I think there's two things. Certainly, I do love it when I see people reporting, not just the phishing tests, you know, and the thing, yes, oh, I caught you, but more the one thing I suspect something, right? And I'm I'm double checking, right? And when you've seen the ones, and even if they're the false positives, they are checking, they got the right mindset. That is one in itself.

SPEAKER_00

It is a one.

SPEAKER_02

The second one is really is whether a company, whether using Slack or other things, is really you have the space where I don't care what the question is about security, whether the phishing or something suspicious, whatever, that people say, I know I can send it there and I'm gonna get an answer. Someone's gonna answer me right away, and I'm gonna they're there for me, right? And when you get people to feel comfortable with that, then you can say, well, so many problems and issues can bubble out that it never would have, versus if it's not easy, you know, if they're if it's not easy, people are just like, oh, they'll make a mistake, they're not gonna tell anybody, they'll fail. No, we we want people to say, I need help, and it then they love it because they get great customer service.

SPEAKER_00

Well, I think it's not only that it's it's easy, but that we create an environment where they know that they're never going to be penalized for reaching out to the cybersecurity team, to the IT team. Um, and and I say that because I I guess I do focus a little bit on the phishing side of things. That is my business. I have two million users, right? Uh, but uh but I I bring that up because I do still see um, well, not personally, uh, but I do a lot of public speaking just like you. And one question I like to ask of everybody is uh how many people in the audience still have a three strikes and you're out policy at work? And for the longest time, I've always had multiple hands in the audience. Uh the best I've ever done was this most recent one. I was out in Phoenix a a few weeks ago. And uh, and I only had one person raise their hand and she said, Well, it's not me, but my husband's company still does this. Um, and I think that when people are afraid of getting fired because of the way we run any program inside of our cybersecurity, we create this environment where they're afraid to talk to us.

SPEAKER_02

Well, I can't resist, you know, I'll go back to my military experience. I was in, you know, main uh naval aviation, right? In the aviation community, is element is you make a mistake, there's no blame, never, right? We want people to say, I made a mistake, something's wrong. There's never blame, it's always done in a safe way. We need to do the same thing with security. If people like, I think I made a mistake, right? It's just like PIRs or postmortems, it's like it's always safety, do the right things, and we make it better, right? And that's the culture that we want.

SPEAKER_00

Yeah. Well, and I think the more we can make cybersecurity easy, the the better it is. Now, another thing you talk a lot about, I saw, was not being the department of no. And I know we've hit on that a little bit, uh, but maybe you want to uh just elaborate a little bit.

SPEAKER_02

Well, I think we can go back to the old days of you know testing QA. It's like, nope, you're building this, I can't test that. I don't have the resources, right?

SPEAKER_00

Uh I've been that guy before.

SPEAKER_02

Oh, yes. I can go back my days on Windows Server at Microsoft, right? You know, um, but I think it's it's the it's the ultimately is we're there to help, is that in and and understand is what is your problem, we're there to help you fix it, right? And and it's really that's what it's all about. And when you understand the pain, this is where I love of you know being the enterprise, right? When you understand the pain, then you know what to fix. And so it's also being firsthand, touching yourself, being there, being embedded with it, and that's a big part of it.

SPEAKER_00

Yeah, no, absolutely. So you run the or or protect the systems that, well, everyone in the world builds their systems on. Um, that's a massive, massive responsibility. Uh just, you know, a uh what's your approach that? How do you make how do you sleep at night uh with with all of that pressure and uh and responsibility on your shoulders? What's your approach?

Leadership And How A CISO Sleeps

SPEAKER_02

Well, certainly I think is an element is I think three things. Is one, you build a great team, right? You buy, you find people that are better than yourself, but also everyone is equal, right? You're part of the team. My mission is not to be a hierarchical leader, my mission is to help the team members who are the experts and they're very serious. Can I I yes, I can write code. Am I the best coder? No, I'm not, right? There are people in the team. What is blocking them? How can I help them, right? And that's a big part of it. But how do I sleep well at night? Is I think is then when you have a great team that you I go back to my military days. You know, we were a squadron, we're all in, we're one family, we're there for everyone, and you have that confidence. You can turn your back, you can sleep well because you're there. And I think it's how you build an organization, a culture is that we're all in together, then you're always going to sleep well.

SPEAKER_00

Well, I can sleep well because you sleep well, because my infrastructure is certainly on yours too. So uh um just very curious. So another question that I like to ask, uh particularly CISOs like yourself, is what's your day look like? Um, you know, what what do you spend most of your time on?

SPEAKER_02

You know, uh it's a really good question. Uh I never see unlike the Wall Street executives or something like that, but no, I every morning I wake up early, I go exercise, and uh I read what's the news, what's going on, staying informed with things. And the every day is different, right? I think one of the exciting things about security is every day is different. It's always dynamic, it's always going, right? Um, I'm a big fan of listening to podcasts. I like running, I'm a big runner. And so, do I want to listen to music when I'm running? No, I want to listen to podcasts, you know, and uh that's where you connect with that. But the last thing I was gonna say is that I've learned for many years, you know, when I first left the military, I want to join Microsoft, and they're saying, Nope, you're you need to build up your skills a little bit more if I'm ready. So I went back to graduate school and things like that. Every week I invest time in learning and growing, and that's what it's all about. You set a dedicated amount of time every single week, you stick with it, you're always learning and growing, and that's how you make yourself happy.

SPEAKER_00

Uh, I I agree. In fact, when I'm not learning, I'm far less happy of a person. So I I like that you said that's how you make yourself happy. Um, great advice. Um, okay, I think I know the answer to this one, but I do ask every single guest if you only had one and you had to choose carrot or stick, what are you gonna go with that moving forward and why?

SPEAKER_02

If I only could have one, um, I didn't quite understand that one. Sorry.

SPEAKER_00

Okay, so you know, carrot or stick. Do you do you want to punish people to get them to be more uh security aware, or do you want to reward people to make them more security aware?

SPEAKER_02

I love recognizing and rewarding when people do the right thing, right? And and that's what it's all about, right? Is it's not about we're not at war, right? And therefore we need to use the stick. It means we're there to celebrate and be successful and lead by example.

SPEAKER_00

Yep. Uh I've actually only had one person that uh ever chose stick over carrot. Um, you mentioned them earlier, but I'm not gonna say any names. Uh uh, but no, I I I completely agree. I I think that it's it's the well, it goes back to the old adage that uh we've heard a million times you catch more flies with honey than with vinegar. And I think that all the behavioral science says that we want to motivate people to do what we want them to do. Um, so the the final part or piece of the formula that I mean we haven't hit on yet, you know, motivation and ability, I think we've hit on really well. Uh, but the final one is prompting.

Prompts That Build Security Habits

SPEAKER_00

And it says basically that once we have a uh motivation, once we make cybersecurity the easiest option, we still have to prompt them on a regular basis to remind them about it because it's not their job, they're not gonna think about it on their own. Um, what tricks and tips do you have to prompt your people to be, you know, just to remind them about cybersecurity, that you're here, that you're you're, you know, there when you need them to not do risky things, you know, not to uh use an AI that's unsanctioned or whatever it happens to be.

SPEAKER_02

You know, there's no easy answer for this one, but I'll say in two things. One is for many people know, it's not a public uh uh uh forum or things like that, but I write what's called the weekly security dossier. I've been doing it for almost 20 years, right? And everybody, the company knows David Cross, the weekly security dossier. And part of it is like you're building a rhythm, you're building that music beat. And people say, David, what's going on? I said, Did you read the dossier? Oh, what do I need to know? Did you read the dossier? Where do I go? It's all on the dossier. But that said, though, it's part of it is you're sharing the stories. People don't know sometimes I say be data driven, but as humans, who's the best presenter? Who's the best speaker? You know, when do you remember it the most? Is you tell a story that then people can relate to, right? And when you share these, and people are like, I want to know what the latest story is. Oh, thank you for sharing, right? In a safe way. I think sometimes that really helps people to stay connected and and uh up to date and and thinking about it.

SPEAKER_00

Oh, I agree. We we've got a new uh thing that we use all the time called Praise the Reporter. Um, so whenever we get something, uh it's not all the time because people get desensitized, but uh, but when when I when we see that that whatever happens to be reported, that's actually a legit security concern where you know it almost makes you go, Whoo! I'm I'm glad they didn't fall for that. Thank God they reported this. Um, I know we've all been there before, uh, and we'll praise them. So we'll send an email to everybody saying, uh, you know, so-and-so reported this. We wanted to thank them for it. This was a real attack targeting organization. Um, and then we use curiosity. We say, would you have noticed this if it hit your inbox? And uh and we found that that's not only a great motivator because you know, people are are very much motivated by ego, uh, but it also helps to uh to remind everybody that uh that the threat is real because it's that social proof along with it. It's not it's not David Cross telling them about cybersecurity, it's their peer.

SPEAKER_02

Yeah, I think two things is also yeah, recording when a person does something and people are like, Why do we have all these security people? Like, well, this is what they did. Here's something great, but also sometimes the security technologies, right? People are like, Why are we spending all this money? Why do we have these restrictions? And when you say, Oh, guess what? We blocked this, we caught that. This was, you know, we were trying to come in. And because we had this, that's what saved us, everybody.

SPEAKER_00

Yeah, yeah. We were actually just uh putting together an intro for uh uh state, their entire security awareness program. And that's one of the things we did was we grabbed stats from all their different security controls, and we said, you know, in the very intro last year, you know, we were able to block this many of this, this many of this. And and I agree, I think that that helps build that uh that momentum with uh with your peers. Um, well, we are almost at time here. This has been a phenomenal one. I can tell that uh that you're a brilliant CISO, and uh and I'm I'm honored to have the opportunity to speak with you, uh, particularly because like I said, we are a hefty user of Atlassian. Uh so thank you so much. Um, but before we do end, do you have any last sort of lasting tips that or recommendations that you want to leave with the audience?

Rovo Wins And Work Life Choice

SPEAKER_02

Well, certainly the one thing I'll say, I'll give my my professional tip and I'll also give you my personal tip, right? My my professional tip is certainly is those that use Atlassian and, you know, Jira and Confluence is like Rovo is your friend. It's amazing when I came to the company from you know two years ago, is everything that I could do with Rovo, right? It's like, what's going on? Where did this occur? You know, uh uh, how do we fix this? How does this apply to FedRAMP? Everything's done in minutes, right? It's unbelievable how you can see it.

SPEAKER_00

I only just checked it out the other day. I should have checked it out sooner. You're right, it is very powerful.

SPEAKER_02

The second thing I always like to say, everybody, is is from a personal perspective, is it's not about work-life balance, everybody. It's about work-life choice. Make the choices when you want to push, when you need to take a break, right? When you're making the choices, you're always gonna feel great. And also, you we all most of us have families, right? It's like, hey, I want to go get my MBA or I want to push for promotion. You make a choice and a decision as a family, and so then you're all in together, right? And then you can also benefit from it. But it's not the us versus them or things like just you. It's make you make family choices, and this is how people end up the happiest.

SPEAKER_00

I agree. In particular, I mean, um, I I am a little bit of a workaholic, but I'm I'm right there with you. Where if you do something that you enjoy, you make choices each day to do things that allow you to do stuff you enjoy. Uh, you really don't have to work, you just get to get up and do it again and have more fun. So, at least in my opinion. All right. Well, hey, thank you so much for your time today. It's been a fabulous episode. Uh, and I really appreciate you joining us. Everyone out there, have a great day, and we'll see you again next week on Phishing for Answers.