Security & GRC Decoded

Security Is a Human Problem, Not a Tool Problem ft Steven Asifo, Director of Security & GRC @ Yahoo

Raj Krishnamurthy Season 1 Episode 32


In this episode of Security & GRC Decoded, Raj Krishnamurthy sits down with Steven Asifo, Director of Security & GRC at Yahoo, for one of the most refreshing conversations the show has had on communication, influence, and the human side of security. Drawing on his unusual dual life as both a cybersecurity leader and a stand-up comedian, Steven makes the case that security and GRC are not just technical disciplines — they are fundamentally communication disciplines. From using analogies to explain vulnerabilities, to reframing GRC as the “Draymond Green” of cybersecurity, Steven shows how the best security leaders translate complexity into clarity, help the business make better decisions, and meet people where they are instead of overwhelming them with jargon.

Key Takeaways:

  • Security and GRC succeed when they communicate clearly to humans, not when they simply present more technical detail.
  • The best GRC teams act as guides that help the business make reasonable, compliant, cyber-conscious decisions.
  • Metrics only matter when they drive a clear outcome or decision, not when they exist for their own sake.
  • Strong GRC teams build trust by doing the hard, cross-functional work that others often avoid.
  • Storytelling is a core security skill because people act on messages they understand, remember, and relate to.

What You’ll Learn:

  • Why Steven believes security is ultimately a human communication problem.
  • How to tailor security messaging for engineering leaders, CISOs, and business stakeholders.
  • What “guardrails not gates” looks like in a practical GRC program.
  • How to think about data, metrics, and reporting without overwhelming your audience.
  • Why AI may change the consumption layer of GRC, but not eliminate the human need for storytelling.


This podcast is brought to you by ComplianceCow — the smarter way to manage compliance. Automate evidence collection, eliminate screenshots, and scale your program with confidence. Learn more: https://www.compliancecow.com

Watch more episodes: https://www.compliancecow.com/podcast

Connect With Our Guest:
Steven Asifo | Director of Security & GRC | Yahoo
Connect on LinkedIn:
https://www.linkedin.com/in/asifosays/

Rate, review, and share if you enjoyed the show!

Subscribe to Security & GRC Decoded wherever you get your podcasts:

Spotify: 
https://open.spotify.com/show/5pigcMwOrYIA6d9OOOsxqr?si=416b82ab5c474683


Apple Podcasts:
https://podcasts.apple.com/us/podcast/security-grc-decoded/id1795144450


Raj Krishnamurthy (00:00.632)
Hey, hey, hey, welcome to another episode of Security and GRC Decoded. I'm your favorite host, Raj Krishnamurthy. Today we have a fantastic host with us, Steven Asifo. Steven has more than 10 years of experience in security. He has worked for fantastic companies like Verizon, Yahoo, Verizon Media, Ernst & Young, USB. And most importantly, I don't think I've ever gotten to say this, Steven.

He's also a stand-up comedian. So Steven, welcome to the show.

Steven Asifo (00:32.866)
Thank you very much, Raj. Very honored to be here.

Raj Krishnamurthy (00:38.958)
Steven, what is the intersection of comedy and security and GRC? Tell us that.

Steven Asifo (00:45.998)
Man, it's a small little overlap. There's a small overlap where those things intersect. That's why there's not many people you meet that do that. I actually stumbled upon it myself. It's not something I woke up one day and said, you know, it'd be really cool if I decided to make people laugh and tell people that there's vulnerabilities everywhere. You know, there's not too many things there, but stand-up comedy was something I started as like a

passion project when I was an auditor and I was like, man, I can't do this every day. Like I need a different outlet. And then when I, you know, got more into, my role in cybersecurity, then I was like, well, it's cool because my nine to five work happens during the day and then stand-up comedy for the most part happens at night. But the overlap is in both cases, the, real

thread between both of them is they're both centered around communicating to humans. Like I think a lot of times we think like cybersecurity is about like technology and like, we need the latest tool to do this or everything's a failure because you know, some system didn't do that. But at the end of the day, like the number one vulnerability and the thing that we're always trying to communicate with are people and humans. So at night I am communicating ideas to humans and during the day I'm doing the same, but like from a different

context and lens, and trying to translate all this, you know, either technical things or things that we are trying to... are bad things we want to avoid, and trying to influence people and get them to say, like, hey, you know what, that does make sense, like, I get that now. And all right, well, what is the behavior that we should be trying to derive? So I've kind of found like that now becomes the thread between this world of, like, stand-up comedy and cybersecurity.

Raj Krishnamurthy (02:37.066)
Okay, and how do you talk about vulnerabilities, adversaries, and hackers? How do you present this differently if you have to?

Steven Asifo (02:45.577)
Yeah. it depends. A lot of it is like context and like who the audience is. So if you're working with like, you know, the engineering teams or within like your own security team, obviously you can get into like the details as to like, you know, what is the specific exploit? What is the payload? You can use a lot of like the technical terms there, but then when you're talking about, well, who is responsible for remediating it or like who's responsible for helping to prevent that.

that might be someone on like in the business that might be, you know, maybe like a sales engineer or whoever that may be. Then you kind of have to think about what is the lens or context in which they're approaching that and looking at, well, I think it kind of depends on like where the stage is. If it's like that we've already identified and we're trying to like get buy-in and this is something that we need to address in a timely manner, then we kind of have to frame it in terms that they understand. And that could be financial.

which, you know, sometimes when we're talking about vulnerabilities, isn't always like a direct one to one. So what I think is the most common course of action is using like analogies, right? Like I think there's a, that's an easy kind of one to one between like the world of stand-up comedy, but then also cybersecurity is like, when you use analogies, you're able to create a world where that is very familiar with folks and it's easier to explain things or have people also contribute

on ideas without having to spend that much time. If I say, you know, cybersecurity folks were kind of like doctors for an organization, right? And then everyone's kind of familiar with the relationship with like a doctor. You go in somewhere, you have a checkup. They're supposed to tell you some things that you could be doing better. Like you should exercise more. But every time you go back to the doctor, like there's something that you could be doing more there. And when it comes to vulnerabilities, again, you have to kind of understand the context of it, but you could say like, you know, imagine

This system is like your house, right? And right now you have like a broken door to your house, right? And we want to fix that broken door. And so now they can play around, well, OK, well, why do I want to fix that broken door? It's just my back door, right? The front door has a lock on it. So now we can use, we can talk in the same terms, but without getting so technical, that audience requires that. So.

Steven Asifo (05:07.827)
Yeah, so it's a lot of like context and knowing like who the audience is and what do we really need them to do.

Raj Krishnamurthy (05:12.874)
No, I think this is very interesting. One of our recent guests was Tom Scudori. Tom made a very similar analogy around EKGs and signals and doctors and specialists and that is, it's very fascinating here.

Steven Asifo (05:20.991)
Yeah.

Steven Asifo (05:25.632)
It's a, yeah, and I think in the role of like cybersecurity, there's only so many things we try to, compare ourselves to. Like there's like the doctor analogy and like that industry there. There's also kind of this like, I don't want to say like law enforcement, because we do use a lot of like militaristic terms of like, you know, attackers and defenders and like very absolute. But that doesn't always translate to.

Again, like audiences that are outside of cybersecurity. I think within cybersecurity, like that's very common because we can borrow things, but like outside, I think it's using things that are a lot more accessible there. like, in the GRC context, when we talk about risk appetite and risk tolerance, like no one really wants to talk about that. No one really wants to have to figure out what that is. But when we talk about like, how do we help the business go fast? We can say, Hey, you know,

there's Formula One or NASCAR, right? Like let's say like the business is that, you guys are on track, you guys are competing, you guys have to get where you need to go and risk appetite would then be saying like, all right, hey, this is probably how fast you guys wanna go. Tolerance is, you know, we're now in your ear saying like, hey, if you hit this bend a little bit too far, you're gonna crash into that wall. That's gonna be in a very expensive car that is now gonna take some damage. So what we'd like to do, we're just guiding you in your ear, you know, familiar with.

Formula One, there's always someone in your ear just giving you some information, hey, pull up for a pit stop. But like our goal is we wanna win the race. We're here to support you. But like we just gotta throw some information your way. Because in that analogy, right, the business is still ultimately driving the car, but we as like, you know, the security team or GRC, we're really trying to act as like guides in that sense, to like provide actionable and helpful information. Not just saying like, well, hey, here's a list of all the different things that are on the road right now. Like, what am I gonna do with them, bro? I'm driving.

But if it's like, hey, like this car coming up front of you has like a flat tire that everyone hitting this bend is going over 50 miles per hour or whatever it is. If you take it 45, I think we can nail them. And then, okay, I could do something with that.

Raj Krishnamurthy (07:37.346)
Got it, got it. No, I think this is, and a big part of stand-up comedy is like you rightly said, know your audience, right? And know the message that you're giving to the audience. Maybe let me ask you a few personas, and I want to get your perspective of how do you think about them as your audience, right? And what is that you think that they would like to hear? Let's say VP of Engineering.

Steven Asifo (07:44.968)
Yeah.

Steven Asifo (07:54.493)
Yeah, for sure.

Yeah.

Yeah, so VP of engineering, okay, so VP of engineering, the way I kind of think about them and it depends just a tad bit, right? So if you have a VP of engineering, for a consumer facing product or something that like has external facing customers, they have like a product manager or some maybe business VP that they're trying to support there, so.

They need to get things done ultimately. I'm quite sure they would like their product to be up to snuff, but there's also like, I need to make this dance. I need to get things out. I need to be able to move at a certain pace here. Like, like if you're, you're costing me money, you're costing this business, some things there. So when we talk about things that we would like to be able to get them to do, it also needs to be in the context of like, well, what is going to allow this product to be like successful or move forward as well. So if it.

we're talking about identity type of solutions there. Or if we're talking about maybe vulnerabilities that are taking their team's time away from actually working on features that are good to market, right? Like, hey, if we are working on like better preventative or patching mechanisms, your team would spend, you know, Y, amount of hours less on just trying to keep up with these vulnerabilities that are patching. You guys could be working on these features that you guys have in the backlog.

Steven Asifo (09:24.498)
So that's like one, I guess, subset of that persona. The other subset of that persona is then maybe more internal, like VP of engineering, like within like a central tech organization or within a CTO there. Obviously you're focused on the organization. You're trying to empower and be like that horizontal bridge there. So you're kind of aligned with like security, but at the same time, you have internal customers that are demanding on you. So it's not necessarily like there's...

one VP, like one business unit VP, you have multiple business unit VPs sometimes that are like, hey, I need this support there. So that can be either more challenging or more like, hey, what can we do to really support one another in doing this?

Raj Krishnamurthy (10:04.653)
Got it. Got it. So essentially, do we help you ship your product faster? At least how do we not slow you down from shipping your products faster?

Steven Asifo (10:13.626)
Yeah, and I guess to go like one more piece is like, who are they really trying to, like, who are they trying to serve? Like by me making their life easier, who are they able to better serve? And just understanding like what that dynamic is, I think puts us in a position to then really think about like, why should they care? What's going to help move the needle for them? Because I think everyone, well, not everyone, but like for, some context, like,

we approach it, which is like, well, cybersecurity is the most important thing ever. And like, if people don't care about it, then they just don't care about anything in the world, which isn't true. It's just like, everybody's in the middle of their own war. Everyone has, you know, I don't have a better analogy to say this, but everyone has like a master that they serve in some context, whether it's the customer or their VP, whoever it is. And until you understand that dynamic, you really can't help somebody because then you're really just seeing it from your own perspective.

Raj Krishnamurthy (11:05.623)
Beautifully said. How about a CISO?

Steven Asifo (11:09.134)
Yeah. So a CISO then, and I guess at the CISO persona, and I hope I'm doing this right because that means my boss is usually happy. But, but when you think about the CISO, I mean, like they are, you know, thinking about like the strategy, they're thinking about budget. And really when things make it to that level, it's because either it needs to be like a need to know, or there's a decision, but like a lot of things need to be vetted before it gets to them. Like if you're

Raj Krishnamurthy (11:18.775)
Ha ha ha!

Steven Asifo (11:37.698)
If I'm pulling in the CISO for every single, and this again, depends on like the size of the organization and you know, the context of it, whether you work for a consumer facing or like a SaaS product there, like, or a security product. But I think in general, right? Like a, as a CISO, you're covering like the entire organization. You're working with other C-suite executives because you need to know, well, who do I need to either bump shoulders with to say, Hey, look, we need to make a decision here.

Or where do I need to start asking for resources? So it really needs to be something that's been vetted, or they're just choosing between option A or B, or they can ask the right questions to get to that final decision. But they really hopefully shouldn't be having to get into the weeds because they have a team that has worked out a lot of these ideas and issues. So trying to raise it up a little bit high level. Obviously, you know, your CISO has enough breadth and depth to be able to ask their questions that we can go into that

if they need to, but at a higher level, we're trying to then say, thematically, where should we be going? What are some of the key things that we're calling out? And if they need to ask more questions, we have that for you, but we don't want to take more time than we need. Here's the decision point that we need from you as our CISO.

Raj Krishnamurthy (12:57.261)
Got it, got it. I can go on, but I think that you made a, you make a fantastic point, Steven, and you, as you were talking about the VP of engineering, right, and Jason Chan from Netflix used to say this many, many years, and he used to use this word, guardrails not gates, guardrails not gates, right? And so how, in your experience, how does the GRC team become this guardrail and not a gate?

Steven Asifo (13:12.943)
Yeah. Yeah.

Steven Asifo (13:23.949)
Yeah. And so the guardrails, not gates: one, shout out to Jason Chan and, you know, what he's offered the industry and that take there. I think it's something that a lot of organizations definitely aspire to and want to build because it's one of the easier ways to kind of position yourself as a partner when not everything is like, we have to go to security for this. And you know, we are the department of no, because everything has to go through you. But if you can put some of that

context and information out there to begin with in structured ways that allows some opportunities. So from a GRC perspective, obviously you have policies and standards which are kind of more of like your written tablets that are probably somewhere in an intranet or something like that. But how often are people reading that? That's helpful as a reference, but it's not helpful in like every day I need to make a decision. So there's areas where

you want to be where the decision points start to take place. So for example, when individuals say, well, I want to work with a vendor. I guess I'll back up for a second. I really do think like as a GRC organization, like our value that we add, like the one thing that we do that no one else in the organization does is guide the organization to make reasonable, compliant, risk conscious decisions. Like I don't think there's anybody.

else in the organization that wakes up every day to say, how do we do this successfully every day? There's sister teams, like privacy does it from a privacy perspective, legal does that from a legal perspective. But like, think that is one of the core, um, Purpose, one of the core purposes of like a GRC team. So kind of going back to tactically, what that looks like is trying to get where that decision point takes place. Because if you really want to enable the business, right? Like you want to be there or try to get.

as close to that, like idea of when this takes place here. So we think about like, want to work with a vendor there. It's like, well, what does that, what does that like process look like? All right. Well, when I normally work with a vendor, I have to go to procurement. So it'd be great at that time when procurement is asking for either like a purchase order or even asking for certain information that we're right there with them to say, Hey, we're able to provide either like a list of certain requirements or things or accelerators.

Steven Asifo (15:45.338)
That would then say, you guys are looking for vendors, maybe here are some things that already exist, or here are some things that we can run off. And then if you take this to the vendors that you're looking at, it might even speed up the process for you getting them onboarded or integrated because these are some of the existing policy requirements that we do have. So that's just kind of example there. There's also a set of things that we can do from a control standpoint where you kind of bake that in, where you make the safe choice the easy choice. So instead of...

having to say, here's a number of configurations that you do, right? As a GRC team, we can work with your, you know, sister teams to set up baselines and, you know, different control configurations that like out the gate, you already have these things kind of baked in. So he's like, I kind of know what's expected of me. And if I go out of that, I know what I need to do in order to get approval or so on and so forth.

Raj Krishnamurthy (16:37.684)
Okay, and a big part of storytelling has to be backed up with data, right? And I think that builds credibility and trust. I'm sure you would agree. But how do you go about collecting this data? I mean, this seems to be a big challenge, right? About how frequently do we collect? How accurately do we collect?

Steven Asifo (16:48.738)
Yeah.

Steven Asifo (16:53.913)
Yeah

Steven Asifo (16:57.975)
Yeah, yeah. So just in the broader context of data, it's hard. I know if we say it's easy, like, yeah, we'll just get some data on that and do that. It's a hard problem because you either have like too much data and it's like, well, trying to filter it down to something that's like meaningful or you don't have enough data. And the way that, you know, I've tried to approach it, cause I've been on both ends of that spectrum is,

really focus on the outcome that we're trying to achieve with this. Whether it's a metrics or trying to present some sort of report or bring a conclusion on a hypothesis. It's like, what decision do we ultimately want to drive if we're capturing this? Because by doing that, you can kind of work backwards to say, well, ultimately, if we want to be able to influence

Let's see, the effectiveness or, well, let me back up even a bit. If we want to be able to influence, let's say, applications that are onboarded to a certain identity solution there, right? Because ultimately we know that if all of our applications are onboarded to a certain identity solution, it becomes a lot easier for us to kind of manage configurations, know what's there, know what's not.

there and then be able to kind of manage privileges between that. Like that would be ideal. So we can work backwards to say like ultimately we want to drive that number up. What data would we need to be able to do that? Well, we probably need to know like the entire population of apps that are in there, which can be hard with shadow IT. But then we'd also like to know within that, well, how many applications support this like.

single sign-on or whatever solution that we're looking for. That'd be great to know there. Cause you can drive that as an adoption piece to say, okay, let's go out and work with the vendors or work with people that maintain this relationship to kind of have them drive that up. And that makes it then easier to say, okay, well, what information will we need to be able to define that? But it's hard when you just say, well, I have a bunch of data. Let's just try to like make something out of it because you're either then driving the wrong conversation possibly. Cause again, people's attention is only so much. So if you show me,

Steven Asifo (19:18.934)
You know, five metrics, I would hope these are the metrics that matter to me. Otherwise, like, why are they here? If you show someone too many metrics, then it's like, okay, well, I don't know which one is the most important one to do. And if you tell me all of them, well, that's still going to get confused quickly. So I hope they're like consistent. So yeah, the data situation, either too much, too little, but I think the right answer is like

focused on like what is the outcome that you want to drive at the end and then working backwards to say, all right, do we have that data? And if not, what is that? What needs to get compiled in order to drive that action?

Raj Krishnamurthy (19:57.516)
And you work for a very tech-forward company, Steven, and whenever you come to the realization and, like you said, you backward track, right? And this is the story that I want to say, here are the metrics that support that story, right? And here's how I'm going to collect the data for the metrics. Who does? I mean, there is some amount of engineering and automation work that needs to happen, right? Where do you see that work happening? Is that within the GRC team or is it outside the GRC teams?

Steven Asifo (20:21.142)
Yeah.

Steven Asifo (20:27.764)
It's, definitely a combination of both, but it's, it's also one of the hurdles in this idea of one metrics and then just using data effectively. So unfortunately it kind of depends on your organization and some of the context in which I've addressed this or had an opportunity to work on it is there will be maybe like a central team that might start solve for the organization. So, Hey, we have like a.

platform or dashboard where other teams are reporting metrics for certain assets there. So you say, okay, well, how do I build into that? Now they may solve it for, you know, their use cases there, but then we still need a way to get, you know, security metrics onto that. So one of the things that we worked on within our own GRC team is like really creating like a pipeline from like where our work takes place to...

you where this, for lack of a better term, like this grand central union station is like, you think about like trains, it's like, hey, we, we know our region is over here. We're just going to create like a railway that kind of takes it to this situation here. And the real cool thing about that is now you've created, like we've created a vehicle for the rest of our security team. So if anyone, so we decide as like a security leadership team, it's really, really important for all leaders in the company to like be tracking against this metric.

Normally we would create our own dashboard, manage it over here. But if we know now that there's like this one central here, we've built out a pipeline solution using, like, MySQL, creating, like, an S3 bucket, and then passing that through there, which removes a lot of like the headache for other teams. Let's say it's incident response or, you know, cloud security, whatever it is, to now also benefit from that relationship there. But there's also now like more tools that like, you don't necessarily have to go that route, whether you use like,

You know, a Tableau or like a Looker piece. And I think that kind of depends on like the culture of that, the organization that you work in. Like, there's been situations where our leadership says, hey, I want to be able to use a dashboard when I have one-on-ones with like other leaders in the company. So maybe it's like a Looker dashboard, maybe it's Tableau, something that they can just spin up and everyone has access to there, or it's kind of like what I said before, where like everyone in the organization

Steven Asifo (22:50.666)
we want to be able to come use this information and that's like whatever that grand solution is. And then sometimes, believe it or not, it's just a slide deck or a spreadsheet, and is it hell on earth? Yeah, it is. You know, it's hard to maintain, but if it gets the job done and people are happy with it and it's driving like an action, a decision, sometimes that's what it is too. But what I've found is like, it definitely is helpful to have the GRC team

help own that and help build that connection.

Raj Krishnamurthy (23:21.425)
Okay, what do you think in your experience, Steven, how do others perceive GRC within the company? And let me give you a very specific, how does the leadership team perceive GRC teams and the value that they add?

Steven Asifo (23:31.785)
Yeah

Steven Asifo (23:39.505)
So in the context of my organization where I work now, I'm very fortunate to say that we very much have, like, a strong relationship with our other teams within cybersecurity and also, like, outside of the cybersecurity as a whole. It's kind of a bit broader, but we've put in a lot of work over the years to like build a lot of trust and

with our brand as the Paranoid cybersecurity team, which is fantastic. Just even that name, anybody can be paranoid. So the vision of what we're trying to build is this shared culture where everyone can be a little bit like, oh wait, should we be doing that? We should probably kick the tires on this a little bit more. That's the outcome there. Where GRC has helped to show up over the years and why I think that's been up

A dedicated relationship amongst everyone. We're like, Hey, like we, want GRC in the conversation. It'd be great to bring someone from GRC in is again, like we really wake up every day thinking about like, how do we guide the organization or help guide this team to make a reasonable, compliant, cyber conscious decision. And sometimes that means doing the work that no one else wants to do, which could be, you know, helping to document, maybe helping to like negotiate things like across like engineering and business terms there. Cause

Not every team has the opportunity to kind of be a little bit creative on like, if you're doing a product security review to say like, okay, well, yeah, you guys don't really have to meet that requirement. And that threat model doesn't really matter that much. No, the part of that threat model or review means like, I need to look at what are the critical things and I have to let you know about it. But GRC, we can kind of come in and then help model like, okay, what are some of the common standing controls in there? How do we kind of roadmap that?

What are we really trying to protect and what would it look like to influence that to like a manageable state? And we can help bring that up in like, you know, a few months once we have a plan on that there. And nobody, I don't want to say nobody, that's not everybody's favorite thing to do, but GRC, like that's a role that we play when it comes time to like helping enable like sales and like on the, in the compliance front, like we're working with external vendors to like answer security questions for them.

Steven Asifo (25:58.867)
Making sure that when it comes to like PCI or SOC 2, like, that's not something that everyone wants to do, but you know, we are very well versed to kind of wear a couple of different hats. And what I tell people is like, we're kind of like the Draymond Green of cybersecurity. And if you know Draymond Green, like on the Warriors is, you know, he's a core piece of the team. You know, everyone knows Steph Curry, Steph Curry shoots threes from like the parking lot. He puts up 40 points a game, runs around.

Raj Krishnamurthy (26:26.303)
Hahahaha

Steven Asifo (26:28.68)
He's like one of the best players to ever touch it. You know, they got Jimmy Butler, another all-star there. But then Draymond Green, you know, he's a core part of the team. He does defense. He does all the hard work that no one else wants to do. He's got to guard the people, like Wembanyama. He's got to guard LeBron James. Who wants to do that? You don't see like, you know, Steph Curry wanting to do that every night. He's got to go down and shoot threes, but Draymond kind of plays that center role to just make sure the ball gets to where it needs to go.

And sometimes do we get a little physical with people just to make sure we get the ultimate decision? Yeah, we can do that. But yeah, that's kind of how I frame what we do as a GRC organization. And I'm very fortunate that our team and our organization has done that. But that's really because we've built trust with the services that we've offered and the value and being very clear on that value that we're providing to our teams.

Raj Krishnamurthy (27:21.331)
Okay, that's a fantastic analogy. How do you see risk compliance and governance?

Steven Asifo (27:30.196)
Oh man, you know, it's the classic three-headed, you know, for lack of a better word, monster there. And I guess when you say like, how do I see it? Is it just like in today's world or just like how they relate to one another? I guess, what do

Raj Krishnamurthy (27:43.497)
How do you see them relating to one another? How do you see them reinforcing one another? And how do you see them adding value?

Steven Asifo (27:50.482)
Yeah. I mean, it's probably like a, I'm trying to see if there's like a, you know, unique way for me to answer it aside from like what you can just get in like a textbook. But, I think the most prevalent, it really should probably be like RCG, you know, or something like that. Cause I think the risk piece is something that always comes first for a lot of organizations. Like you don't necessarily have to have a robust

team or a robust approach to address risk. You can in your everyday life think about risk when you get in your car, when you think about different things that come in your life. Risk can be shared across the organization or different businesses there. So I think that really is kind of the forefront and something that we're always trying to manage or keep in scope. And then compliance is something that you have to do that, especially if...

the industry that you work in, because if you don't, then you're wrong, right? Like you're not meeting what needs to be, especially if you work in like, say healthcare or financial industry there. And governance, that is a fun word that can be very loaded for some folks, or it can mean a lot of things. And I think that also has a bit of a cultural context to it, because when we say governance, what we're really trying to say is like, we're getting like the right people in the room to make the best decision. That's really what it is, but governance,

in like a banking standpoint, people are like, yeah, I love governance. We're heavily regulated. We want all that. But then in like a tech, you know, landscape, sometimes what people hear is red tape, right? Like now I have to go in front of like this group and then get that all approved. Like I'm trying to move fast. Like they just released this new version. I have to put my new version out tomorrow. Like, what are we doing about that? So there's different ways I think you can frame that. I don't think it has to be like that word by itself, but like the way I think about it is like,

How do you get the right people in the room to make the best decision, whether on a periodic basis or just like as needed, but it needs to kind of be in a sense where people feel like, this is something where I feel like I'm getting value that I wouldn't have gotten anywhere else. Like it's quicker for me to get where I'm going by like meeting with you guys than for me to kind of go alone and try to figure it all out. So that's kind of like how I see them all relating. I think, you know, risk is the one that's most prevalent everywhere. You never get rid of that.

Steven Asifo (30:13.287)
Compliance is something that you have to address, you have to do. And then that governance piece is a lot more cultural. So when I think about like where our own GRC team and organization is going, I'm like, really, what the vision is that we're trying to build. Like we're not really, we're not trying to build like a cool risk register. Honestly, nobody, like, cares about that. Like I've never once heard my CISO, CEO or head of product be like, you know what, you know what really made me happy today? I had a risk register when I woke up. Like nobody, nobody talks about those stories.

Raj Krishnamurthy (30:39.732)
No.

Steven Asifo (30:42.64)
You know, like the stories that people talk about, you know, when I listen to like my VP or when we get excited hearing from like other leaders is when they talk about like, well, hey, we identified like, thanks to XYZ being detected, we were able to catch, you know, this incident or issue before it went live. Right. Or like, you know what, we saw some malicious activity here and we were able to report to such and such, and that helped us save so much money. Or, you know, we were, we were so worried about

fraud and with this new mechanism we actually saved XYZ amount of money. And that's really that shared responsibility or that shared culture of just being a little bit more paranoid and like, how do we kick the tires on this a bit more? Or how do we kind of get ahead of this? I think when we hear more stories about that across our organization, everyone's like, my God, we want more stories like that. But nobody really cares about like, well, we got all these policies. So everybody's got controls now. Nobody wants.

That's not why we exist. And that's not, that's not the stories that we go on and tell when we talk about wins.

Raj Krishnamurthy (31:46.695)
And is it about the tools we have or is it about the stories we tell? What is the issue here? Because ultimately this is about capturing risks, understanding what the impacts are. And I think that's one part of it, that is just raw data. But how do you take that, digest that, and say that in a way that appeals to people, that resonates with people is a whole different ballgame. So where do you see the gap is today?

Steven Asifo (31:59.494)
Yeah.

Steven Asifo (32:12.688)
Yeah.

Steven Asifo (32:16.698)
Yeah, I think the gap for this today is, it kind of goes back to like the data problem is that there's either a lot of information we're trying to digest and to, you know, who we're trying to talk to, or maybe there's not enough. And then we start trying to grasp that like, what's going to help make this clear for somebody. And, you know, as like working in like the space of like standup comedy as well, you know,

All I do is like try to take ideas either my own, I, well, they're using my own ideas, but like taking topics that either people have a relationship with or don't have a relationship with, but then putting it in a format where everyone can then kind of grasp it and say, okay, I get it. But in standup comedy, it's a bit different because the kind of end result is like this like moment of laughter where everyone kind of has this like, ha ha moment, right? Whether it's like a deep laugh or not a laugh. And I can get feedback on it really quick.

You know, like if it does, if nobody laughs at it, then I'm like, okay, well that didn't work. There's a word, there's a word, but like, but I think this is why I like standup comedy so much and why, and I'll tie this back to like security because like, it's usually like a word missing. Like sometimes they call it like the funny word. So if I say, this is not going to be funny cause I'm doing it on the spot. And this is not me, I'm not a comedian, but it's just cause I've been talking about security and it takes a little bit for my brain to switch back.

But if I say that my neighbor next door parked in my driveway, he's a real pickle stick or something like that. Pickle stick becomes the funny word. I would put that at the end versus if I said my neighbor's a pickle stick, I hate when he parks in my driveway. There's this rearranging of words and wordsmithing and then thinking about, well, what does my audience already know about this topic that I can just already build on? Do I use an analogy here?

So like that's what goes through my mind when I think about like communicating is starting with like, well, who's my audience? What is the most important thing that I want them to know? What is the most important thing that I want them to do? And then working back to say like, what is like the like least amount of information that I can give them where they can all come to that same conclusion? Because if you go to like a standup comedy show and it's just like, you know, it's a little que, just long words to do that, like.

Steven Asifo (34:39.916)
It's not good. But if you watch like standup comedy on TV or like late night, it's very like wordsmith. Like you're losing, you're using the least amount of words as possible to get to the result. Because if it takes me, you know, two steps to get somewhere versus 10 steps, I'm a lot more efficient and I have more time to like, you know, get people there. And as an audience, I'm very, very respectful. If you're like the VP of engineering, if you're my CISO, that you're very busy.

Raj Krishnamurthy (34:58.419)
Got it.

Steven Asifo (35:07.29)
Could I explain this risk to you over the course of like an hour? I would love to. Let's sit down, let's go through it. But if I can do the same thing, but if I can do the same thing in three to five minutes, I'm quite sure you'd be happier. Cause you know, like every time Steven gets in front of me to explain something to me, I know it's gonna be like, I'm gonna get it. It's gonna be straight to the point. And it's gonna be very clear what needs to happen next. And so I think that the challenge is, like sometimes we take so much information and we think,

Raj Krishnamurthy (35:12.711)
Hahaha

Raj Krishnamurthy (35:19.475)
That's very powerful.

Steven Asifo (35:34.242)
everything's really important. Well, they need to know this detail and they need to know how the vulnerability exploits and they need to do this that we don't then say, well, what do they need to do next? Or we talk about, well, everyone needs to do this, but we don't talk about why it matters. So it's really thinking about like from the human aspect of like, you know, what is going on in my audience's head? Why do they care? Right? Like what's gonna keep them here? And then what do I need them to do? And how do I make it as easy as possible for them to do that? Right?

Cause it could be at the end of like my little spiel and say, well, right now, all we really need you to do is to kind of have, you know, your team, join this, like call here, push this PR. And we already have some templates from other teams that we've shared. So if you just review that, you know, we'd be ready to go as soon as you are. Okay. So now you see that there's an end if you're on the other side, it's like, okay, well, there's an end. It's not like there's some port. So like the, the, barrier to do this becomes a lot easier versus if I came to you and said,

All right, hey, look, this is the issue. We need you guys to kind of push this out. So come back to us when you guys can. It's very open-ended. There's no real commitment there. There doesn't sound like there's much support. It kind of is like, all right, well, I'll just go do what I was gonna go do. So are we really partners? What does that situation look like? So it's really just thinking about it from a human perspective of what would make you feel like I'm getting the help I need or being guided to the best decision.

Raj Krishnamurthy (37:00.499)
God, I think if I sort of put myself in the, you know, to your stand-up comedy example, when I go see a stand-up comedy, right, I am vulnerable, I'm relaxed. Maybe I'm not, vulnerable is not the right word. I have my guard down because there is no obligation on me to remember and act on something. I'm there to enjoy the moment. But that's not the same in a boardroom or when you're presenting to your leadership team, right?

Steven Asifo (37:08.302)
Yeah.

Steven Asifo (37:21.828)
Yeah.

Steven Asifo (37:27.129)
Yeah.

Raj Krishnamurthy (37:27.657)
So a lot of the message that you're saying I'm 100% in agreement, but how do you bring them to this common denominator? How do you let their guard down so that they can relax and understand what you're trying to say? Is there something that you do there when you...

Steven Asifo (37:40.599)
Yeah, I would say it's still fairly similar because I mean, you'd be surprised. I mean, I've performed, you know, your classic bar shows and the bar show, it's a trick because sure, people might be drinking, but they may not always want comedy. Now that's a tricky spot when people don't want you talking at all, which could be very similar to like, you know, a boardroom or like a VP is like, why are you talking? Like, what are you doing here? You know, and so you have to kind of like break

Raj Krishnamurthy (38:01.5)
In order.

Steven Asifo (38:09.839)
And so in that instance, you kind of have to like break the expectations. You either have to like say something that like captures that tension or be very, very present. And that's what I found. Like usually the trick is like being very present. Like if I, if I know it's like a rowdy bar room, everyone's doing that and don't want to hear comedy, like I'm not gonna get up there and do my act that I've been doing for the last five years and like, hey guys, I got married last year and you won't believe what's going on. And it's like, who cares? Why do I care about that?

Raj Krishnamurthy (38:31.185)
hahahaha

Steven Asifo (38:36.622)
But if I get up there and then say, hey, look, they're making these drinks so strong. I just got up here. I don't even know whose microphone this is. Now people are like, who is that up there? Right? And I'm talking about like what's going on present day. I still may not win the room, but at least now I'm thinking about like, what is going on in this audience? Like what is relevant to them? I think that's what I mean by being present is like, you can have a script and you can say, well, this is how the textbook says you should talk about risks. But like, nobody cares about that. It's like, well, trying to think about like, what does this audience care about?

Like what is the context in which they're coming from? Who do they serve? Like what are they going to go do after this? And so I try not to treat every single audience like it's the same when, whether it's like cybersecurity or whether it's like standup, like sure, I may have like an act or I have a way that I communicate risks or ways that we normally address things, but it's going to be different between business units, just like it's going to be very different between crowds. Like they're going to have different motivation factors. So I do my homework beforehand.

You know, I'm always a student of this and I think it does take a little bit of time to do it, but like it's like that repetition that you didn't become very good and have certain tools to frame it. And there's, sorry, I know I'm kind of rambling on this, but like even as you're going, you can frame yourself as the bad guy, right? Like we, I mean, I know in security, we say, well, nobody likes us and it's hard for them to work with. Sometimes you can lean into that.

You know, and that can be fun too to say, look, I know I'm the worst person that you want to hear from right now when I tell you this and it's going to be bad. Like I'm just going to tell you right now, it's going to be bad. It's going to be a big number. So now you're anchoring. You're anchoring that emotion is like, all right, what do you got to say? What do you got to tell me? And then what you have to say doesn't even sound that bad afterwards. Look, everyone's got to take this training, right? I just need you, you were 13% off and that's what I need you to do. And like, now I disarmed him because I took you all the way up here. But what I said kind of down there, you know, and then sometimes you

Raj Krishnamurthy (40:19.727)

Steven Asifo (40:29.523)
can play like a little bit along like alongside to say, hey, you know, maybe you have someone in the room that you already have a relationship with and you can kind of use that to build up. So there's different ways that you can use it because at the end of the day, you're talking to people, right? Like we complicate it because you're like, well, there's all these technical details that we have to communicate. But like people are people. And once you learn how to communicate like a human, like this becomes a lot easier to like help communicate information and digest. And like, well, what do we really need them to do?

Raj Krishnamurthy (40:58.696)
No, that's brilliant and that's beautifully said. Have you ever received feedback where someone said, this is supposed to be a very serious talk and you're just diluting it? How dare you, Steven?

Steven Asifo (41:10.317)
I, you know, I will be honest. I've never gotten that. I've never been in like a situation and I would say, cause I've done like, you know, have the pre-destination when people say, hey, I don't agree. You know, like I'm not doing this. I've even done comedy shows where people just like, you know, this isn't funny, right? Like, so like, I would be honest with you Raj, if I was just like, hey, something's not connecting here, but I've never really been, I've never been in a situation where someone was just like, this is a serious topic. This needs to be boring.

Raj Krishnamurthy (41:29.33)
Ha ha ha ha ha ha ha.

Steven Asifo (41:40.288)
You know, like I want this to be something I can't engage with. But like, even if, cause I, cause again, it's all about context and timing. So I'm not saying I go in there and I crack a couple of jokes all the time. Like that's not what I'm saying. What I'm saying is like, there's a way to present information where it is compelling, where people can engage with it. People can, you know, say, Hey, I resonate with it. And it's different in cybersecurity because you're not looking for laughter. You're looking for like, maybe like that's right. Or maybe like, you know what? That is the pain I'm feeling.

You know, like that's a very different emotion to be able to pull out. but no, I've never once been in a situation where I said, you know what? This was supposed to be boring and you made it, you know, interesting. You know, I've never been in that situation.

Raj Krishnamurthy (42:20.104)
I think on a different world, for example, in product management or product engineering, there used to be two schools of thought. There, I think, continues to be. One is sort of loading all of this in a PowerPoint presentation. And this is sort of a very ugly set of presentations that you can never see. And then there is the other school of thought, which is typically the Amazon school of thought, where you almost write it like a newsletter, allow people to read and ask you questions.

Steven Asifo (42:47.008)
Yep. Yeah.

Raj Krishnamurthy (42:48.614)
So the question is when you are presenting this, is there some prop, something happening, and that's not there in stand-up comedy. You just have a mic and you're just telling your story. How do you do this when you present security stuff? What props do you use?

Steven Asifo (42:53.27)
Yeah.

Steven Asifo (42:57.642)
Right, yeah.

Steven Asifo (43:02.379)
Yeah, man, this is definitely like a skill. I know people say like if you are, I don't know what people say, but I'm gonna say it because you know, sometimes people say, if you're, if you like, they live in slide decks, at one point I made so many slide decks, I like, I dreamt, I dreamed in slides. And people say, that's bad, you're not doing real security work. But no, like I was really thinking about like, well, how do you use this space effectively because,

I mean, again, just thinking of like from a human context, if I put like a wall of text on a slide that looks like, you know, an Apple iTunes agreement, terms and agreement there, your eyes are going to glaze over and then people get up there and read it word for word. You're like, well, why, why, why, why do I have you here? I could have just read this on my own. If you're just going to send me a novel, you know, and then the way that I think about it is again, going back to like, how do I make it as easy as possible for people to do what I want them to do? So even if there's like 20, like,

pages on the text is like, why? Like, thinking about like, what is the most important thing I need to communicate on this slide? If everything, it's, if your eye doesn't immediately look at it without me talking and doesn't say the same thing that I'm saying, then I need to remove it, right? Like I need it to be visually like consistent with what I'm saying. So if you look at it, cause I mean, you've been in presentations before, like the slide deck goes up, even though you're listening to someone talking, you're already glazing over going ahead of them, you know, cause audiences are smart.

That's the same thing in stand-up comedy. Like if I say, you know, hickory dickory dock, the mouse ran up the... Well, yeah, the clock, right? You can finish it yourself. You know, you didn't need me to say it because audiences are smart, but, that's why, you know, comedy becomes fun because you can break what people are expecting. But when it comes to like, you know, the boardroom, like putting together a presentation...

If what I'm saying isn't consistent with what you're seeing on the slide or your head is going up and now you're wondering why is that number there and that number doesn't agree with what you're saying, then you become confused. You're not even thinking about the message that I'm saying anymore. We're on a whole nother topic. So I try to say like, keep the least amount as possible, or if it doesn't support the key idea, remove it. Like it doesn't need to be like, you know, 10 different ideas. Like

Raj Krishnamurthy (45:17.0)
100%. But I think what goes in, what goes, I think one of the challenges, I think as an engineer, I've been caught up with this all the time in my life is that I don't want to come out as somebody who has not done the work. I want to show all the work that I've done and I want people to see it, right? And at the cost of completely missing the point of what I'm trying to communicate.

Steven Asifo (45:29.16)
Yeah. Yeah. Yeah.

Yeah. And you know the fun thing? Nobody cares. Nobody cares. But that's the great thing about an appendix. Put your heart and soul in that appendix, man. But if it's really... And it is hard. A lot of stand-up comedy is just editing. People will go through 10 different drafts, 20 different drafts of a joke, just like I would go through 10 different...

Raj Krishnamurthy (45:39.964)
No, I'm kidding.

Steven Asifo (46:04.085)
drafts of like, you know, a memo or like, you know, a slide deck, because like, I'm constantly just asking myself like, all right, is that, is that important for my audience to know? Because again, your time is valuable. If I, if it's not, then I need to cut it because I could use your attention to focus on this idea here. So then all that other deals, cause you're a smart guy. If you ask the question, we can go to the appendix. I would love to talk to you about risk for an hour. But if I only have, you know, five to 10,

five to 15 minutes, which really that's usually how long you have at an executive level, I need to be right on the money. Everything I'm saying ties back to this key idea. So I'm using visual things here. If I put a number here, it has to be very, very clear what that number means. Context is like, yeah, so I'm very, very serious about like what I put on there has to be consistent and has to make it as easy as possible that when you look at it, whether I'm talking or not, you get to the same idea.

Raj Krishnamurthy (47:01.809)
Got it. And what do you, if you were to dream of a GRC solution, how would that, what would the GRC solution look like?

Steven Asifo (47:08.671)
Yeah.

Steven Asifo (47:13.322)
man, if I had to dream of a GRC solution, I'd have to think about like what problems I would want to solve. And the problems that I would want to solve are, I mean, one problem I'd like to solve is like being able to make sense of, and when I say I'll get to like what it means to make sense of like the...

the disparate information that we have across the security team, but putting that up against the context that we have for these different products. Because I think that's where a lot of things come to play. If I'm thinking about the most important thing that I do is guide the organization to make reasonable, compliant, cyber-conscious decisions, is I need to be able to know what decisions are being made. What is the context in which they're operating in?

So as we're doing reviews, like different security teams, or as we're helping them make consciousness, it'd be great if that information kind of all coalesced somewhere. There's the risk register that kind of just says, hey, here's the risk and does that, but making that something that's actionable is tough because then how much information do you pull out of that that you then bring in front of a business owner? So I'd say that'd be one problem that I'd like to solve is like,

getting kind of like the right information in one place to make, you know, an actionable decision, not just like for my team, but then for other teams, generally on the security side. For the business, what would be great to make easier is where they don't necessarily have to know all the different like policy controls or ways that we support them. So like, for example, when it comes to compliance or when it comes to like sales enablement,

when it comes to working with a third party risk management, it's great that we can get involved, but if there is a way when they're starting that onboarding process, some of these questions come up as they're going through it on their own, or they're being guided through that before we even get there, so they're starting to think through that, that would be fantastic as well. So trying to integrate some of the work that we're doing into the business process. So that way we're not coming in as an afterthought. It's some of the things that are just...

Raj Krishnamurthy (49:36.441)
sense.

Steven Asifo (49:37.001)
part of the piece that I'm making there. And then, hmm, I think those are the two things that come to my mind during this piece here. Yeah, two things.

Raj Krishnamurthy (49:47.496)
Okay, I think if a few years ago, if I'd asked about storytelling, we would have talked about developing a Tableau report, developing a Looker report, developing some of that stuff, right? But I think Mosey Platt said this best. And he said that we are in an interesting world, especially in security and GRC, because if you find the right data, what the large language models and generative AI allows you to do is to allow the right, the...

Steven Asifo (49:57.361)
Yeah

Raj Krishnamurthy (50:17.223)
allow the person to write their own stories. And I ask you this question because you're big on storytelling. I think, is the entire consumption model or the consumption layer of GRC changing with what we can possibly do with the likes of ChatGPT?

Steven Asifo (50:19.464)
Hmm. Yeah.

Yeah, for sure.

Steven Asifo (50:36.36)
I think so. Cause I know this is something that like my team has been experimenting with is pulling disparate. So kind of what I was saying before, like pulling different sets of information for trying to kind of synthesize it against a certain criteria and normalized rubric that we would evaluate things against. But at the end of the day, even though there's AI and all this, like there's still that human element that we have to get to at the end of the day. I think AI makes it challenging,

that like storytelling piece because you know, in the future, it could be next year, it could be five years from now, everyone's going to have an agent that is like making some sort of decisions on their behalf. So now, yeah, you want to influence the decisions of that individual, but maybe you have to go through and figure out what their agent is doing or their agent talks to your agent. But you know, there's probably somebody, there's gotta be somebody somewhere that's pointing that agent to do these tasks. so stories, stories is like, storytelling is like,

such an art and like a human element because storytelling goes all the way back to cavemen, right? Like if, if, you know, a caveman tells a story about, hey, look, Bob was here, you know, yesterday, but a dinosaur ate him. You know, that caveman is going to tell that story day after day after day. Cause he's going to say, don't go by the, he says something about that lake. There's something about the lake that Bob went. He never came back. You're going to tell that story, you know? And so, I mean, that's, and now there's different stories that you

Raj Krishnamurthy (51:48.561)
Ha

Hahaha!

Steven Asifo (52:04.595)
Like that's a story of like, you know, risk and fear. So the question becomes like, what do you do with that? But then there's also stories of like achievement and wins where it's like, Hey, you know, by way of working with us or by enabling people to think and work a separate way, here's a new behavior that we've now taken. But storytelling, I think is like one of the most human things that we all do. And that's one of that, we kind of share, like you sit around a table. Yeah.

Raj Krishnamurthy (52:28.999)
And you're a practical expert on this and if this comes out any differently, I apologize, Steven. But in the story that you said, right, there was Bob yesterday and Dineshwar, I laughed. Is it because I laughed because it was so silly? And the reason I'm asking you that question is that, but I remember this, right? I will remember this, even for many episodes to come, I'm going to say I had a conversation with Steven and he talked about Bob being eaten by Dineshwar, right?

Steven Asifo (52:47.653)
Yeah. Yeah.

Steven Asifo (52:57.564)
dinosaur and it's going to sound crazy out to somebody else.

Raj Krishnamurthy (52:58.759)
But how do you do that on your security reports?

Steven Asifo (53:05.318)
Yeah, well, okay, so here's, you know, and I know I have to tie everything kind of back to this, that's my thing. So the fun thing about standup comedy, which I believe carries a lot into cybersecurity, is that you're able to tell the truth without getting beat up. You know, now in cybersecurity, oftentimes you're telling people that like their code stinks.

Because all these gaps are in there, or like their product sucks because all these gaps are in there, and nobody wants to hear that. You know, or at least you have to find a nicer way to tell that to them. But like, you know, in stand-up comedy, if you go back to like, you know, the role of like a jester being in the king's court, you kept him around because, you know, hey, he, the jester, could say things about the king, about whatever, without getting beat up. It actually was like a prized role because you have to find a very, very articulate way to kind of like toe the line and show people a mirror

without necessarily forcing them through that. And so the way to be able to do that in cybersecurity is, and I guess I may have to kind of think about how I do that there, is there's a creativity to kind of shaping, you can do a comparison kind of piece. Like you can kind of put two things side by side. And I think that's a common thing that people like. So for example, if you do like a maturity assessment, people will also want to know like, well, how do I compare against the industry?

Right? So I can show you up against, you know, another thing we're like, Hey, you know, XYZ, similar size companies, you know, have a maturity score of XYZ. We have maturity score of, you know, this, right? And that's, you know, largely because, you know, these, and these companies here put this amount of money into it and they do way less. And we do this and put this amount. So you can draw some comparisons and tell the truth.

Raj Krishnamurthy (54:54.993)
What is the point of that? Are you saying that it is not that we don't suck? In fact, our code sucks, but we suck less than the competitors. Is that what you're trying to say?

Steven Asifo (55:03.481)
Yeah, yeah. So, and sorry, I know it took me a little bit to get to it, but I guess I'm trying to show there's different ways that you can allow people to... Hmm. Cause you don't want, there's an art to like, like letting people come to their own conclusions. Cause like I said, audiences are smart. So like if it's, I can tell you what the answer is, but it's better if you get to that answer on your own.

Raj Krishnamurthy (55:30.225)
Beautifully said.

Steven Asifo (55:31.215)
So that's why I was like, you know, in a comparison aspect, you can come to that conclusion. If I say, "Hey, the people that are leading in this market, right, have a certain level of maturity score, or are spending this much money on it. We're here, and we're also not hitting the certain thing here," then you ask yourself, "Hmm, maybe we should start spending on, you know... if, you know, XYZ companies are doing that and they're at this, maybe we should do something like that." 'Cause there's something about comparison that feels

Raj Krishnamurthy (55:36.708)
I see.

Raj Krishnamurthy (55:47.12)
I see, I see.

What should I do?

Steven Asifo (56:01.177)
like that there. There's, you know, and there's different ways to kind of like show people a mirror, right? You don't have to necessarily just force them to say, "Look, this is what you look like," right? Like, that's a little too harsh, right? And calling out, calling out people's features.

Raj Krishnamurthy (56:11.345)
Got it. I think that's beautifully said. That's beautifully said. I think that's a fantastic lesson, Steven. We are approaching the end of the segment, Steven. And I wanted to, for this person, not everybody's a stand-up comedian, so maybe I'll give you the last 60 seconds. What should people do? How can we make this entire rigid, dense environment lighter? What can we all do to make this sort of a much more fun-loving place to work?

Steven Asifo (56:20.524)
Absolutely.

Steven Asifo (56:40.815)
Yeah, I would say the most important thing that anyone can do, if I only had like a second on your podcast or like one minute, I would say, a lot of people, there's this myth that cybersecurity is a technology problem and all we need is, like, you know, more, you know, engineers and more tools to be built. But really what we have is like a human problem, and how we communicate, like, humans to other humans to help

change behaviors and influence behaviors. So what I think we can all do is, like, think about ourselves as a human before you put on, like, your cybersecurity hat and say, "I'm going to go hack the world or defend the world." It's like, what would influence my own behavior? 'Cause people try to influence us on a day-to-day basis and we make decisions, right? Like, people tell you you should buy insurance 'cause the sky is falling in. Sometimes you buy it, sometimes you don't. Some people sell you on up things. It's all like, just thinking about, like, what is that emotion that, you know, brings you to make, take a certain decision or behavior. And then

you know, trying to replicate that there, trying to think about, like, well, why would I sit through a security training? Like, what does that look like? Why does that have to be boring? Like, think about what you would sit through. 'Cause then, if you wouldn't do it as a human, before you're even a cybersecurity person, just as a human, if you, your kid, your wife wouldn't sit through it, why would you expect somebody else to do it? Just because you told them to? Okay. Hey, have at it, buddy. Have at it. But that's a very hard battle to do then,

trying to think, like, well, let's just make this enjoyable for everybody. You know, like, let's try to make this as engaging as we can and just make it very easy for people to do what we want them to do. That's it.

Raj Krishnamurthy (58:16.549)
Hyperson. Steven, this was a fantastic, fun interview, fun podcast. Thanks for coming on the show.

Steven Asifo (58:20.557)
Thank you so much. Thank you so much for having me and all the best.

Raj Krishnamurthy (58:26.504)
Thank you.