Speed Data: Quick Conversations With Cybersecurity Leaders

The Importance of Locking Down Your Data With John Barrow

Episode Summary

John Barrow, the Chief Information Security Officer for JB Poindexter & Co., joins us on Speed Data this week to discuss the shared responsibility model, data loss prevention, and why it's so important to have a people-first mindset when working in IT.


Episode Transcription

[00:00:00]

Megan Garza and John Barrow: we had made those investments in resilience, for when it would happen rather than just hoping it doesn't happen.

Yeah. You know? Yeah. Because it will happen. It, it's not a matter of if, it's a matter of when, and so you just wanna make sure that when it does happen, like you said, you, you've kind of minimized the blast radius. You've locked down everything that you can so that the impact is a lot less significant.

Right. You can recover faster, right? Yes, exactly.

Megan Garza and John Barrow: Welcome to Speed Data, Quick Conversations with Cybersecurity Leaders. I'm your host, Megan Garza. My guest today is John Barrow, Chief Information Security Officer for JB Poindexter and Co. Thanks for joining me today, John. Sure, I'm glad to be here. John oversees security for the leading motor vehicle manufacturing group, ensuring the cybersecurity program runs like a well-oiled machine. Before joining JB Poindexter and Co., John led security teams at Texas [00:01:00] Children's Hospital and Caesars Entertainment Corporation and was an intelligence analyst for the United States Army and NSA. In his free time, he somehow learned to speak Portuguese, and he has his CISSP and BS in business and IT management.

That's quite an impressive resume you've got there. John, what made you wanna get into cybersecurity? Well, it was a natural transition from the intelligence community to cybersecurity. Same mindset, just different focus. Yeah. And so, just kind of happened naturally, like, you know, organically.

Yeah. And what's your favorite aspect of cybersecurity? I would say my, my favorite aspect is the people: working with people, communicating, making sure that we're aligned with the business objectives. I think a lot of times in IT and cyber, the focus is always technology. Mm-hmm. But you can't be successful in any cyber program unless you focus on the people.

Yeah. Right. That's, your most valuable asset is the people. Yeah, what do you think most organizations misunderstand when it comes to cloud security? What they misunderstand is they [00:02:00] assume that the cloud provider provides all the security. Mm-hmm. But there's still, it's a shared responsibility, right?

Yes. Like the organization still has to protect their assets and the data and all their applications within that cloud environment. Yeah. I think that shared responsibility model seems to confuse a lot of folks, unfortunately. But you do have your own responsibilities. And what do you think is the number one rule for data loss prevention? You need to work with the business. You need to make sure you minimize the operational impact when you're implementing DLP. I think that's where, uh, a lot of people are starting to, not shy away, but not focus so much on DLP, just 'cause it's so hard to implement because they try to force it and they, they don't work with the business, they don't make sure they do proper testing and kind of do it methodically to minimize that operational impact. Yeah. And what type of data breaches or exploits keep you up at night?

Like what, what are you worried about the most? Ransomware, obviously. Um, but any, any time our business users [00:03:00] are sharing sensitive data externally, things like that, that keeps me up at night. Yeah. Uh, we, we do have protections in place for that and controls, but I know it's still happening. Right. Yeah.

Trying to minimize that and, you know, it's just training and education. Yeah. 'Cause a lot of times they'll share it externally. Or unintentionally. Right. Well, and, and sometimes it's required, you know, as part of their business processes, so just ensuring that it's protected, it's encrypted in transit and things like that.

Right, right. And what do you predict to be the biggest shift in cybersecurity? I think the biggest shift will be from having a cyber prevention, mm-hmm, mindset to cyber resilience because, you, forever and ever, everyone's been focused on preventing an attack from happening. Yeah. Which is important, but it's gonna happen.

It's going to happen. Yes. So I think cyber leaders and programs and organizations, they're gonna need to really double down on their resilience. Yes. And I think it's gonna be a shift even in investments in budget, where it's gonna be maybe 50/50 on [00:04:00] prevention and resilience. Yeah. Um, but I think that's gonna be a huge focus.

I mean, every day you read in, in the news. Mm-hmm. You know, another company's been compromised or whatever. I mean, I know that's what we've been focused on our, in my organization. Yeah. I mean, we did have an attack and, luckily, we had made those investments in resilience for when it would happen rather than just hoping it doesn't happen.

Yeah. You know? Yeah. Because it will happen. It, it's not a matter of if, it's a matter of when, and so you just wanna make sure that when it does happen, like you said, you, you've kind of minimized the blast radius. You've locked down everything that you can so that the impact is a lot less significant.

Right. You can recover faster, right? Yes, exactly. And how do you think the threat landscape has changed since you began your career? The attackers are much faster now. Mm. For a long time, I think the, you know, the mean dwell time was like 15 days or months, or sometimes even years, where they would just sit persistent in your environment and wait for the perfect time to, to actually enable or execute whatever malware, but now with AI and everything [00:05:00] else, that dwell time's a lot less.

Yeah. Where, I, personal experience with, with the attack we had, the second they got in our environment, they were already moving laterally. They were already trying to, you know, go to their objective. So it's, it's immediate. So the speed that's, yeah. AI has been such a game changer.

Right. We're both good and bad, really. Right, right. And you and I, you know, we've kind of chatted a little bit about our passions and your passion for running and my reluctance to do so. Um, I haven't been running in a while. You can tell. But if you weren't in cybersecurity, what would you be doing? I would probably be playing music, actually.

Oh yeah. 'Cause you said you're a drummer. Yeah. I played drums and sing, and my dad was a musician in Nashville and all that, so. Oh wow. I'd probably be playing music. That's, that's another one of my passions. Yeah. Yeah. What kind of music do you play? Kind of everything, more rock and roll. But I've played country and hip hop and punk and hip hop kind across the, yeah.

Wow. Like I did a, um, a world tour when I was in the military, actually, for six months, where we toured the world playing in a top 40 band. I like to play everything, but I mean, rock's kind of my, my default, you know? That's, okay. [00:06:00] I do love the Rock. Yeah. Yeah, yeah, yeah. Well, thank you so much for joining me today, John. I've loved chatting with you. And for our audience, if you would like to be a guest on Speed Data, please visit varonis.com/speed data.

Thank you, John. Thank you.