BROADCASTS.com

Who Knows What Evil Lurks in the Heart of Low Code/No Code? (LIVE in Los Angeles)

Listed in: Technology

Once the Panic Subsides Youll Appreciate This Phishing Test (LIVE in Houston, TX)

Listed in: Technology

Does Burying Your Head in the Sand Count as a Security Posture? (LIVE in Boca Raton, FL)

Listed in: Technology

Were Lowering the Requirement for Entry Level to Just 8 Years of Experience

Listed in: Technology

... And the Business Listened to the CISO and Everyone Lived Happily Ever After

Listed in: Technology

Our Guardrails Only Fail When You Try To Go Around Them (LIVE in Seattle)

Listed in: Technology

Our Cybersecurity Journey Starts With a Single Overworked Staffer

Listed in: Technology

Red Flag? My Vendor Just Asked for My Mothers Maiden Name

Listed in: Technology

Well, I Think My Relationship With the CIO Improved When I Took Their Job

Listed in: Technology

I Said I Was Technically a CISO, Not a Technical CISO

Listed in: Technology

Why Are Fortune 500 Companies Swiping Right on 3-Person Startups?

Listed in: Technology

We Make Threat Actors Read Our Resiliency Policy Before Attacking Us

Listed in: Technology

Incident Response Is So Important We Might Try Getting Good At It

Listed in: Technology

Everyone Has a Zero-Trust Plan Until They Get Punched in the Face

Listed in: Technology

I Dont Want Insider Risk. You Take It.

Listed in: Technology

How to Get the Most for Yourself Through Altruism

Listed in: Technology

Who Owns AI Risk? NOT IT!

Listed in: Technology

How About This? Only Attack the Endpoints We Configured

Listed in: Technology

The Post-it Note Clearly Says Dont Share Right Under My Password

Listed in: Technology

Who You Gonna Call? LEGAL COUNSEL!

Listed in: Technology

Im Rewarding Your Successful Use of the Security Budget by Giving You Less of It

Listed in: Technology

Ransomware? Whyd It Have to Be Ransomware? (Live in San Francisco)

Listed in: Technology

You Cant Leak What You Dont Collect

Listed in: Technology

Our Help Desk Plaque Reads Over 100,000 Threat Actors Served

Listed in: Technology

Cant Talk, Im Onboarding My Kids To Their First Soccer Practice (Live in Mountain View, CA)

Listed in: Technology

I Really Shouldnt Have Agreed to Variable Rate Technical Debt

Listed in: Technology

Well Invest in Resilience as Soon as the Ransom Payment Clears

Listed in: Technology

We Could Lower Risk If We Shrunk Our Business

Listed in: Technology

Our Benefits Include Medical, Dental, and Burnout

Listed in: Technology

Your Biggest Threats Dont Get a Ransom Payment, They Get a Paycheck

Listed in: Technology

A Stressed CISO Is a Happy CISO

Listed in: Technology

BREAKING: Department of No Upgraded to Department of Slow

Listed in: Technology

A Threat Actor Just Liked My Dashboard Screenshot

Listed in: Technology

We Cant Fail at API Security If We Never Even Try

Listed in: Technology

Im Stuffed, I Just Couldnt Take Another Credential

Listed in: Technology

Is There a Konami Code For Cyber Talent?

Listed in: Technology

Its Like a Trust Fall, But We Know Youll Hit the Floor

Listed in: Technology

How Can We Apply Our Shadow IT Failings to Botch Our AI Policy? (LIVE in Clearwater)

Listed in: Technology

Maybe If You Worked Harder Your Burnout Wouldnt Be Such a Liability

Listed in: Technology

For CISOs, Its Less of a Golden Parachute and More a Pair of Brown Pants

Listed in: Technology

Elvis Is Alive and Hes Reusing Your Passwords

Listed in: Technology

SSO No You Didn't (LIVE in La Jolla, CA)

Listed in: Technology

This Security Crisis Is the Perfect Time to Tell You I Was Right

Listed in: Technology

Youre Not Leaving This House Until You Cover Up That LLM

Listed in: Technology

We Got This Far Without Hiring a Prompt Engineer

Listed in: Technology

Ugh, Lawyers Take All the Fun Out of Surviving a Cyberattack (LIVE in Las Vegas)

Listed in: Technology

Dear Abby: Should I Sell to a CISO During a Cyberattack? (LIVE in Mountain View)

This week\\u2019s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Kurt Sauer, CISO, Docusign.

We recorded in front of a live audience at Microsoft\\u2019s offices in Mountain View, CA as part of the ISSA-Silicon Valley chapter meeting. Check out all the photos from the event.

In this episode:

• Is a high profile cyberattack the best time for salespeople to come out of the woodwork asking if the affected CISO would like to see their product, which would have helped prevent the attack?
• Is there any way for a vendor to positively reach out to victims after a cyberattack?
• Also, what could be some effective ways to invest IP with generative AI to create value for the organization?

Thanks to our podcast sponsors, Veza, Sysdig, and SlashNext

75% of breaches happen because of bad permissions. The problem is that you don\\u2019t know exactly WHO has access to WHAT data in your environment. For example, roles labeled as \\u201cread-only\\u201d can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission\\u2014in every app\\u2014across your environment.

For businesses innovating in the cloud, every second counts. Sysdig strengthens cyber resilience by reducing the attack surface, detecting threats in real time, and accelerating incident response. Our platform correlates signals across cloud workloads, identities, and services to enable businesses to prioritize risks and act decisively. Sysdig. Secure every second.

SlashNext Complete delivers zero-hour protection for how people work today across email, mobile, and browser apps.\\xa0 With SlashNext\\u2019s generative AI to defend against advanced business email compromise, smishing, spear phishing, executive impersonation, and financial fraud, your people are always protected anywhere they work.\\xa0 Request a demo today.

Listed in: Technology

Were Not Home. Please Leave Your Companys Data After the Beep

Listed in: Technology

Hey, Lets Merge Our Technical Debt With Your Understaffed Security Team! (LIVE in Miami)

Listed in: Technology

I Taught DeNiro Security Theater, I Can Teach You.

Listed in: Technology

A CEOs Guide To Ignoring Your Security Program (LIVE in Santa Monica)

Listed in: Technology

Security Awareness Lifecycle: Turn On, Tune In, Drop Out

Listed in: Technology

Threats In SaaS Are Closer Than They Appear

Listed in: Technology

We Can Name 50 CISOs. Lets Give Them an Award!

Listed in: Technology

C is for C-Suite, Except If Youre a CISO

Listed in: Technology

Part Man. Part Machine. All CISO. (Live in D.C.)

Listed in: Technology

Is This Just Bad Or Call The Feds Bad?

Listed in: Technology

Giving Slack Slack Will Lead Your Teams to Discord

Listed in: Technology

Please Take Some Pens and Our Company Data On Your Way Out

Listed in: Technology

If You Care About Security, Maybe This Guilt Tactic Will Work

Listed in: Technology

5 Years Required to Write a Better Job Description

Listed in: Technology

When Do I Fix the Toilet Myself or Call the Plumber?

Listed in: Technology

Cyber Advice So Generic, Youll Assume It Came from ChatGPT

Listed in: Technology

Vendors Are From Mars. Their Security Is From Venus.

There are so many third party vendors we want to work with, but uggh, their security and privacy is so troublesome. Is it only the security department\'s job to vet these partners or should everyone have a responsibility of keeping tabs on third party security?

This week\\u2019s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our guest is Phil Beyer, former head of security, Etsy.

Thanks to our podcast sponsor, Balbix

Balbix is a cyber risk quantification platform that discovers and manages all your cyber assets, identifies and prioritizes vulnerabilities, and delivers a monetary assessment of cyber risk. This enables CISOs to articulate the value of risk to the board and obtain support and budgets for security programs.

In this episode:

• There are many third party vendors that CISOs & practitioners want to work with, but why is their security and privacy so troublesome?
• Is it only the security department\'s job to vet these partners or should everyone have a responsibility of keeping tabs on third party security?
• What can frontline employees do to manage third-party risk?

Listed in: Technology

We're So Special Gartner Hasn't Even Thought Of Our Category Yet

Do you know what security categories were created this year? I have no idea. Do you know which ones were deleted? I don\'t think any. Is category growth designed to make more money for the industry? Does it help customers build a better security strategy? It seems like a necessary evil that just confuses customers. The number of categories never decreases or replaces old categories.

This week\\u2019s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our sponsored guest is Maxime Lamothe-Brassard (@_maximelb), CEO and co-founder at LimaCharlie.

Thanks to our podcast sponsor, LimaCharlie

LimaCharlie is inviting you for the unveiling of the SecOps Cloud Platform during a two-hour LinkedIn Live event on Wednesday, July 19th, starting at 10:00am PST.\\xa0

For every registrant, LimaCharlie will be donating $5 to the Internet Archive. Register for the event at limacharlie.io or on the LimaCharlie LinkedIn page.

In this episode:\\xa0

• Do you know what security categories were created this year? Do you know which ones were deleted?
• Is category growth designed to make more money for the industry?
• Does it help customers build a better security strategy?

Listed in: Technology

Whos in Charge of Stopping Stupid Ideas? (LIVE in Tel Aviv)

This week\\u2019s episode is hosted by me,\\xa0David Spark (@dspark), producer of CISO Series and guest co-host Jesse Whaley, CISO, Amtrak. Our guest was Paul Branley, CISO, TSB Bank.

We recorded this episode in front of a live audience in Tel Aviv as part of Team8\\u2019s CISO Summit 2023. CISO Series is honored to have been invited to record our show at the event.

Thanks to our podcast sponsor, Team8

Team8 is a global venture group that builds and invests in early stage companies focused on digital transformation: cybersecurity, data, fintech and digital health. Its strong expertise in cyber is the backbone of Team8\\u2019s CISO Village - a community of hundreds of CISOs who enjoy access to thought leadership, networking events, and partner with Team8 to support its company building process.

In this episode:

• Why should you NEVER boast about how good your security is?
• When upskilling your staff, how do you identify the knowledge that must be learned? Who will learn it? Who will provide it?
• What does this do to your current security if people are spending time teaching and learning?

Listed in: Technology

Password Rules Make Us Feel More Secure

Listed in: Technology

Make Them a Passwordless Offer They Cant Refuse (LIVE in Denver)

Listed in: Technology

After a Breach, Security and Privacy Are Very Important to Us

Listed in: Technology

Your Lips Say No, But Im Not Listening

Listed in: Technology

Failure Is The Likely Option

Listed in: Technology

A Fireman? A Princess? How About a CISO?

Listed in: Technology

Ive Got Plenty of Risk If You Want More

Listed in: Technology

What Kind of Challenges Do You Foresee In Firing Me?

Listed in: Technology

I Wouldnt Trust Everything You Read... On My Resume

Listed in: Technology

Cant You Just Pop Out of Zeus Head a Fully Formed Security Professional?

Listed in: Technology

Wed Secure Our Data If We Knew Where It Was

Listed in: Technology

Our Security Tool Can Do Everything But Mitigate Risk

Listed in: Technology

No Need for Chaos Engineering Since Our Architecture Is Always Failing

Listed in: Technology

Why Arent You On Slack Where I Can Interrupt You?

Listed in: Technology

Fast Track Burnout for Your Cyber Team with Layoffs

Listed in: Technology

We Look for Candidates Who Already Know Everything

Listed in: Technology

We're Experts At Telling You To Fix Your Problems

Listed in: Technology

_Saying_ Were 100% Secure Is Not the Problem

Listed in: Technology

This Unwanted Cold Call Made Possible Thanks to This Months Sales Quota

Listed in: Technology

Adversaries Beef Up Their Shiny Object Distraction Campaign

Listed in: Technology

21 Dark Side-Approved Ways to Threaten Your Prospects

Listed in: Technology

Lets Pretend Were Getting Hacked. Who Wants to Panic First?

Listed in: Technology

Todays Agenda: When Will This Meeting End?

Listed in: Technology

Your Password Is Too Long. Please Shorten It.

Listed in: Technology

Stir in a Little Merger and Acquisition, and Voila, Youre a Target

There is a lot unknown before, during, and after a merger and that can make employees very susceptible to phishing attacks. But, at the same time, the due diligence that goes into an M&A can often open up signs of previous or active compromise, noted Rich Mason of Critical Infrastructure.

What does a proposed merger do to a security program?"

This week\\u2019s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and\\xa0Andy Ellis\\xa0(@csoandy), operating partner,\\xa0YL Ventures.\\xa0Our guest is Nicole Ford (@nicoledgray), global vp and CISO, Rockwell Automation.

Thanks to our podcast sponsor, Pentera

Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers including their ransomware readiness, unfolding true, current security exposures at any moment, at any scale.

In this episode:

• As a security leader, how does your security posture change when you know given your assets you are a specific target vs. just an opportunity?
• Could similar critical infrastructure agencies be grouped together and therefore share cybersecurity resources?
• What does a proposed merger do to a security program?

Listed in: Technology

Were Here. Were Highly Unqualified. Get Used To It

Listed in: Technology

Sound Security Advice Thats Perfect to Ignore

Listed in: Technology

Theyre Young, Green, and Very Hackable

This week\\u2019s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and\\xa0Mike Johnson. Our guest is Gene Spafford (@therealspaf), Professor, Purdue University.

Gene\'s book available for pre-order Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.

25th anniversary of CERIAS

Thanks to our podcast sponsor, Lacework

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data \\u2014 without requiring manually written rules \\u2014 across an organization\\u2019s AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at lacework.com/cisoseries.

In this episode:

• Is cybersecurity awareness a long term marketing effort?
  
• Where are we making progress with the general populous when it comes to improving the human aspect of cybersecurity?
  
• How difficult and how long can it take to discover what a company\'s crown jewels are, and what needs to be done?

Listed in: Technology

Entry Level Position Available. 15+ Years Experience Required.

Listed in: Technology

Get All the Stress You Want, With None of the Authority

Listed in: Technology

We Built This City on Outdated Software

Listed in: Technology

Wrong Answers to Revealing Interview Questions

Listed in: Technology

Dont Make Me Explain This, Because I Cant

Listed in: Technology

Wheres the Single Pane of Glass to My Level of Stress

This week\\u2019s episode co-hosted by me,\\xa0David Spark\\xa0(@dspark), the producer of\\xa0CISO Series, and special guest co-host\\xa0Shawn Bowen\\xa0(@SMbowen), CISO,\\xa0World Fuel Services. Our guest is\\xa0Meredith Harper (@mrhciso), svp, CISO, Synchrony.

This episode was recorded in front of a live audience in Chicago at The City Hall nightclub for the opening night of Evanta\'s Global CISO Executive Summit.

Thanks to our podcast sponsor, Cisco

Cisco Secure delivers a streamlined, customer-centric approach to security that ensures it\\u2019s easy to deploy, manage, and use. We help 100 percent of the Fortune 100 companies secure work \\u2013 wherever it happens \\u2013 with the broadest, most integrated platform. Learn more at cisco.com/go/secure.

In this episode:

• What do you think companies can do to alleviate this pressure and help a CISO better succeed?
• Why is there such a significant disconnect between companies\\u2019 increased commitment to diversity and inclusion and the day-to-day experiences of women of color?
• How can enterprise security maintain visibility into, and control over who and what is accessing their data?

Listed in: Technology

Cyber Sales ABCs: Always Be Creepy

Listed in: Technology

We Take Security and Privacy Seriously... Seriously

This week\\u2019s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Geoff Belknap (@geoffbelknap), CISO, LinkedIn and co-host of Defense in Depth. It was recorded in front of a live audience at Microsoft\'s Silicon Valley Campus in Mountain View, California as part of a regular ISSA-SV and ISSA-SF meeting.

Check out all the fantastic photos from the event here.

Thanks to our podcast sponsor, SafeBreach and Noname Security

SafeBreach provides continuous security control validation powered by our breach and attack simulation (BAS) platform.
We enable security leaders to proactively prioritize remediation efforts and drive ROI quickly by consolidating technology costs around what truly enhances your security posture.
Real-world attacks. Real-time results.

Prevent API attacks in real-time with automated AI and ML-based detection from Noname Security. Monitor API traffic for data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks. Integrate with your existing IT workflow management system like Jira, ServiceNow, or Slack for seamless remediation. Learn more at nonamesecurity.com/runtime-protection

In this episode:

• If you truly ARE serious about how you handle security and privacy, should you say "seriously" twice?
  
• Given the immense complexity not just on integration but also training, are we going to see more consolidation of point solutions into suites?
  
• When would it make sense for a company to completely dump their security team and completely outsource it? And if you were to outsource it, what the heck would that look like?

Listed in: Technology

How to Be a Security Vendor CISOs Cant Ignore

Listed in: Technology

I Pity the Fool Who Builds a Homogeneous Cyber A-Team

Listed in: Technology

The Cybersecurity Hamster Wheel of Getting Nothing Done

Listed in: Technology

Who Do You Need to Trust When You Build a Zero Trust Architecture?

Listed in: Technology

The Best Interview Questions and the Answers You Want to Run From

Listed in: Technology

But I Spent All This Money. Why Are You Still Ignoring Me?

Listed in: Technology

Its OK to Look Like a Cyber Hero. Just Dont Act Like One.

Listed in: Technology

How to Market Zero Trust Without Making CISOs Cringe

Listed in: Technology

When Good Decisions Go Bad

Listed in: Technology

When Does an Exaggeration Become a Lie?

Listed in: Technology

Yuck! Now Everyone Has Touched My Data.

Listed in: Technology

Bad Security Practices That Really Arent All that Bad

Listed in: Technology

How Many Forms of ID Do I Need to Buy This Gift Card?

Listed in: Technology

Why Does Your Privacy Matter If Im Paying You?

Listed in: Technology

It Sure Is Fun to Complain About Security Vendors

Listed in: Technology

What Does It Cost to Prove Security Is Working?

Listed in: Technology

I Have So Little. Just Let Me Control Access to the Mail Server.

Listed in: Technology

Security as a Profit Center? Youre Kidding, Right?

Listed in: Technology

Finding That Perfect Time to Quit Your Job

Listed in: Technology

Gartner Creates Another Category for Everyone to Ignore

Listed in: Technology

A Look Back at Foolish Security Policies of Past and Present

Listed in: Technology

Decommission Our Legacy Tech or Just Shut Down the Business?

Listed in: Technology

Lifes Certainties: Death, Taxes, and Violating Security Policies

Listed in: Technology

Is It a Promotion or a Red Flag Telling You To Get Out?

Listed in: Technology

Its a Great Job, But Im Alone and Terrified

Listed in: Technology

Instead of Increased Cybersecurity, Could We Just Order Less Risk?

Listed in: Technology

Why CISOs Avoid the Dreaded Request a Demo Button

Listed in: Technology

Whats Next in Cybersecurity? Look at Last Year and Expect More

Listed in: Technology

Are You Attending the What to Worry About Next Security Conference?

Listed in: Technology

It's BAAAACK! The Return of We Could Have Stopped That Breach

Listed in: Technology

How to Be So Awesome CISOs Cant Ignore You

Listed in: Technology

Attract the Best Candidates with Crappy Benefits and Low Pay

Listed in: Technology

If the Network Is Up, Somebody Is Violating Our Acceptable Use Policy

Listed in: Technology

What We Lack In Security We'll Make Up in School Spirit

Listed in: Technology

What's the Least Annoying Way to Follow Up with a CISO?

Listed in: Technology

Why Ignoring Most of Your Vulnerabilities Is the Best Strategy

Listed in: Technology

Why We Quickly Reject 95% of All Applicants

Listed in: Technology

Security So Good Your Users Won't Use It

Listed in: Technology

We've Never Taken On So Much Risk

Listed in: Technology

The Perfect Gift for a Cyber Crook

Listed in: Technology

"I Love Being Monitored Online," Said No Employee Ever

Listed in: Technology

If We Don't Talk About Cyber Risk, Will It Go Away?

Listed in: Technology

After a Breach It's Really Easy to Calculate Risk

Listed in: Technology

Ive Got Zero Trust In My Understanding of Zero Trust

Listed in: Technology

Were Very Good at SAYING We Care About Diversity

Listed in: Technology

Chances Are We'll Be Attacked the Day Before Your Vacation

Listed in: Technology

Did You Get My Last Email? This One Has a Joke In It.

Listed in: Technology

Hackers of the World Unite... When We Can Agree on a Time

Listed in: Technology

Is Our CISO Doing a Good Job? Our CISO Doesn't Even Know.

Listed in: Technology

BONUS Episode: Innovation Spotlight

Here\'s what went down. The day before our recording, three representatives presented their unique and innovative security solutions to a panel of CISOs and the virtual audience in attendance.

The next day, everyone came back to offer up a quick elevator pitch and to be grilled by the CISOs. That\'s exactly what you get to hear on this bonus episode of CISO/Security Vendor Relationship Podcast.

Thanks to all our sponsors for this bonus episode of the podcast

Kasada

Axis Security

Ordr

Ten Eleven Ventures

Listed in: Technology

We Want to Hire Honest People Who Think Like Criminals

Listed in: Technology

A Quick Way to Tell Which Vendors You Should Avoid

Listed in: Technology

The Ostrich Approach To Vulnerability Management

Listed in: Technology

Sorry, Were Full. We Cant Take Any More Market Segments

Listed in: Technology

What's the ROI of Nothing Happening?

Listed in: Technology

Could We Speak To Your CISO To Confirm He Received the Cupcakes?

Listed in: Technology

Make Your Friends Jealous with Our Hand-Crafted Passwords

Listed in: Technology

Are You Asking "How Secure Are We?" or "How Insecure Am I?"

Listed in: Technology

Tips to Finding an Incompetent Overpriced Cybersecurity Consultant

Listed in: Technology

We Shame Others Because We're So Right About Everything

Listed in: Technology

Will You Accept "My Bad" As Our Breach Response?

Listed in: Technology

I'll Show You My Risk Profile If You Show Me Yours

Listed in: Technology

How Much Charisma Do I Need to Push My Team to the Edge?

Listed in: Technology

How Would You Like Your Cloud Misconfigured?

Great, you just purchased the cloud. Are you a little confused as to what you\'re going to do with it? Not a problem. Let\'s get you set up right with a world class misconfiguration. That should leave you open to all kinds of breaches.

This week\\u2019s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and\\xa0Mike Johnson. Our guest is Johnathan Keith, CISO, Viacom/CBS Streaming.

Thanks to our podcast sponsor, AppOmni

AppOmni is building the future of SaaS security. We empower our users to enforce security standards across their SaaS applications, and enable them to remediate in confidence knowing they\\u2019re fixing the most important SaaS security issues first. Contact us at www.appomni.com to find out who - and what - has access to your SaaS data.

• Why do we hear so many stories about poor & misconfigured cloud services?
• The benefits of Infrastructure as Code (IaC)
• What makes a vendor meeting worth your time?
• What\'s the best way to learn about a company\'s culture in a job interview?

\\xa0

\\xa0

Listed in: Technology

Its Only a Matter of Time Before We Lose Your Data

Listed in: Technology

His Credentials Say Yes But His Behavior Says No Way

Listed in: Technology

Were Experts at Finding Everything Youre Doing Wrong

Listed in: Technology

Hey Old Man, Go Rotate Your Own Passwords

Listed in: Technology

How CISOs Make It Worse for Other CISOs

Listed in: Technology

Excuse Me, What Bribes Do You Accept?

Listed in: Technology

Holy Crap! Weve Been Doing This for Three Years!

Listed in: Technology

Something Stinks In Here. I Think Its Your Code.

Listed in: Technology

Our Top Ten List of Vendors That Arent You

You look at a top ten list is to see if you made the list. Don\'t bother. You\'re not on it.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and\\xa0Mike Johnson. Our guest this week is\\xa0Nancy Hunter, vp, CISO, Federal Reserve Bank of Philadelphia.

Thanks to our podcast sponsor, Code42

Redefine data security standards for the hybrid workforce.\\xa0Check out Code42.

In this episode:

• Threat tracking: what\\u2019s better? Your SOC\\u2019s data or reading industry trends?
• Finding good security people -what\\u2019s better?: existing skills/experience, or a hunger to learn?
• Listing the things we like about security vendors
• Diversity hiring still has some challenges

Listed in: Technology

Do We Have to Let the CISO Sit With Us?

Listed in: Technology

Why Commute When You Can Stay Home and Be Overworked?

Work from home seemed ideal until you realized you were working at all hours with people all over the world. It would actually be a nice respite to have to commute and leave work at a reasonable hour.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and\\xa0Mike Johnson. Our guest this week is Adam Glick, CISO, Rocket Software.

Thanks to our podcast sponsor, Code42

Redefine data security standards for the hybrid workforce.\\xa0Check out Code42.

In this episode:

• Work-from-home \\u2013 the joys and the sorrows
• What do we want the board and C-Suite to know about cybersecurity?
• Are you a cybersecurity or infosec hiring manager? What kind of interview questions do you ask?
• CISOs working with young cybersecurity entrepreneurs

\\xa0

\\xa0

\\xa0

Listed in: Technology

Pushing This to the Top Of Your Inbox So You Can Delete It Again

We\'re following up on our previous email because we love to engage in self-defeat. We assume you don\'t want to hear from me again, but just to make sure, I\'ve delivered another email for you to delete.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and\\xa0Mike Johnson. Our guest this week is Rinki Sethi (@rinkisethi), CISO, Twitter.

Thanks to our podcast sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company\\u2019s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

In this episode

• It takes a while to hire an awesome cybersecurity team. It takes even more work to keep them.
• Breaches are bad, but handling them badly might be worse
• The unique aspects of work from anywhere security that take time to discover
• More of "what not to do" as a vendor pitching a cybersec prospect

\\xa0

Listed in: Technology

OK, I Get It. Youre All Special Snowflakes.

This department manager thinks their data is the most important. But then this department manager thinks their data is the most important. Can there really be so many crown jewels in your company that are all equally important? How\'s a CISO supposed to prioritize?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Melody Hildebrandt (@mhil1), executive vp, consumer products and engineering, and CISO, Fox

Thanks to our podcast sponsor, Herjavec Group

Herjavec Group excels in complex, multi-technology environments and keeps enterprise organizations secure with best of breed products and comprehensive service offerings. With 5 global Security Operations Centers, emerging technology partners, and a dedicated team of security specialists, we are well-positioned to be your organization\\u2019s trusted advisor in cybersecurity. Let\\u2019s connect!

On this week\'s episode

Hey, you\'re a CISO, what\'s your take?

Recently, we did a Friday video chat on "Hacking the Crown Jewels" where we talked about what\'s really important, where it resides, and who\'s accessing it and when. One of the questions that came up from consultant Ian Poynter was how do you handle the conflicts from the different department leaders as to what the crown jewels are? And Jakub Kaluzny of SecuRing asked, "What\'s harder, identifying your crown jewels, or protecting them?"

Can you change Mike\'s mind?

Our guest, Melody Hildebrandt mentioned that as of recently she was in a pro-vendor mood Only three months into the year she has taken more new vendor meetings than in all of 2020. What changed? And can she convince Mike to do the same?

"What\'s Worse?!"

As always, this will be a surprise on the show. And no one will like the options.

If you haven\\u2019t made this mistake, you\\u2019re not in security

Even if you\'ve configured your email security platform correctly, you can still fail early and often as our guest Melody discovered. But she actually published her findings on Tech Insiders, along with Paul Cheesbrough. Examples she provided included email account compromises that resulted in full evasion of standard email defenses. And given that her business is often an early target for new attacks, protection through threat analysis has become essentially useless. Her solution for enterprise email is to adopt an API-based solution instead of gateways, along with deep machine learning, and continuous protection of email rather than initial scanning and approval. Let\'s look at how difficult this shift was and how Melody is managing it.

There\\u2019s got to be a better way to handle this

On Twitter I asked, "Since security people don\\u2019t get applause when nothing happens, how do you let the rest of the company know how well the security team is doing?" One mentioned a slide on reports that says "X days without a breach" others suggested showing improvements to metrics like vulnerability and mean time to response. So what do we say to the whole company, not just the board?

\\xa0

\\xa0

Listed in: Technology

What to Expect When Youre Expecting a Network Breach

Are you expecting a little intrusion into your network any day now? You better be prepared. Are there some vulnerabilities you should have managed, but didn\'t? Don\'t worry, first time security professionals are always scared about their first incident.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Scott Kuffer, co-founder and COO, Nucleus Security

Thanks to our podcast sponsor, Nucleus Security

Nucleus unifies your existing security stack,\\xa0integrating with over 70 scanners\\xa0and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process\\xa0simple\\xa0through smart automation and workflow optimization? See for yourself at\\xa0https://nucleussec.com/demo

On this week\'s episode

There\\u2019s got to be a better way to handle this

We constantly hear security leaders talk about "people, process, and technology". Overwhelmingly, most security vendors are selling technology, then after a very steep drop there is the sale to managing people, and then "process" feels like a neglected stepchild. Let\'s talk about one process change made in the past year that had a significant impact on security posture? AND what is the "process" in security that needs the most help? Is there an opportunity in this area for security vendors or this just a combination of project management and increased automation?

What do you think of this vendor marketing tactic

Are security vendors eating their own dog food? The next time a security vendor pitches you, Chris Roberts of Hillbilly Hit Squad said on LinkedIn, "Ask them if they are using their own systems to protect themselves OR if they\\u2019re relying on someone else\\u2019s technology to protect their arses." An excellent question and HOW a vendor answers that question is very telling. So, is our sponsored guest using his own product to protect his business?

"What\'s Worse?!"

Jeremy Kempner, BT Americas offers up two really crappy communications options for Scott and Mike to wrestle with.

Please, Enough. No, More.

This week\'s topic: Risk-based vulnerability management, which can be defined as prioritizing your vulnerability remediation based on the risk it poses to your organization. What have we heard enough about with risk-based VM and what should we hear more about?

How have you actually pulled this off?

One of the key parts of a successful pentest is the reconnaissance phase where the necessary background information is generated. Let\'s walk through that process. How much involves planning vs. discovering? It\'s assumed that a lot of creativity goes into making a successful pentest. What are some of the techniques and information needed to increase success?

\\xa0

\\xa0

Listed in: Technology

We Recommend a Know the Right People Certification

There are so many fantastic certifications out there for security professionals. But we\'ve found the one certification that will really help you land the right job really quickly, is to provide proof that you know some people at our company who can vouch for you. Remember, we are a business that operates on trust, not giving people their first chances in cybersecurity.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Jesse Whaley, CISO, Amtrak

Thanks to our podcast sponsor, Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company\'s SaaS estate, and enables quick remediation of any potential threats.

In this week\'s episode

Why is everybody talking about this now?

Should cybersecurity professionals fight back rather than block and tackle? former US government cyber security chief Chris Krebs, has called on law enforcement and others to fight back against ransomware attackers. Krebs, suggested posting private information of the hackers, with malicious intent, AKA doxxing. "Hacking back" is dangerous as it\'s hard to determine the attacker, and you\'re essentially taking the law into your own hands, but Chris Krebs is recommending this, seeing that ransomware is the biggest threat.

Dan Lohrmann of Security Mentor shared this article from the Financial Times and it drove a lot of debate. We\'ve heard this before, but from someone like Chris Krebs, that\'s astonishing. What level of fighting back should people be comfortable with?

Are we having communication issues?

"I push back [on vendors] because I want depth and context from first contact," said John Keenan, director of Information Security, at Memorial Hospital at Gulfport. In this post on LinkedIn he said he\'s annoyed with vendors\' generic first outreach and when he declines their response is "Well, I had to give it a shot". If they want a real connection, include "What\'s In It for Me". A generic response of "I think you\'ll really like what we\'ve got to show," does not qualify. Let\'s talk about who has ever received a first (or heck any) contact that did have depth and context and could clearly articulate the "what\'s in it for you" message.

"What\'s Worse?!"

This week\'s challenge is from Nir Rothenberg, CISO, Rapyd.

How have you actually pulled this off?

Hiring in cybersecurity is a bear. As we\'ve discussed before on this show, there\'s actually plenty of supply and demand in cybersecurity, yet jobs are not getting filled, possibly because of unreasonable requirements. Let\'s talk about what percentage of all the ideal skills people are willing to accept in a new hire, and situations where someone was hired who didn\'t possess that must have-skill for the job. ? And also let\'s look at the most effective training or mentoring technique used to get employees to adopt those skills.

Hey you\\u2019re a CISO. What\\u2019s your take?

On Twitter, Alyssa Miller AKA @alyssaM_InfoSec asked: "You\'re the CISO, rank the priority of the following list from a security perspective and explain your reasons:

A. A well-defined vulnerability management program
B. A reliable configuration management database/Asset Inventory
C. A comprehensive metrics and reporting practice.

A slight majority voted BAC or asset management, vulnerability management, then metrics. But there was plenty of disagreement. Let\'s look at that.

\\xa0

\\xa0

\\xa0

\\xa0

Listed in: Technology

My Backup Plan Is Hoping My Cloud Provider Has a Backup Plan

I think maybe I should check to see if we paid for cloud backup protection. Or maybe, we\'re doing it. Who knows?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson. Our guest this week is Ty Sbano (@tysbano), chief security and trust officer, Sisense

Thanks to our podcast sponsor, Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company\'s SaaS estate, and enables quick remediation of any potential threats.

On this week\'s episode

Why is everybody talking about this now?

Is your cloud service provider backing up your data, or should you be doing that? Many users of OVHcloud realized they should have been doing it because they didn\'t realize what they had bought. OVH suffered a fire that destroyed one of its data centers making some of the customer data unrecoverable. They had backup of some services, but no backups of other data. As of now, OVH is backing up all customer data for free, but this speaks to a big problem with trusting cloud providers, noted Enrico Signoretti of GigaOm in a post on LinkedIn. Did you pay for backups? How are they being provided? Where physically are they? And how often do you test restoring? Everyone knows they should do this, but how often is it actually being done?

Someone has a question on the AskNetSec subreddit

On the AskNetSec subreddit, the question was asked, "What\'s the advantage of reporting bugs to official sources over brokers?" Some really good pro and con discussions of both ranged from brokers usually pay more, to going straight to the source seems "the right thing to do." But there were so many variances that it wasn\'t that cut and dry. As a bug bounty hunter, if you find a significant bug, where should you go first?\\xa0

"What\'s Worse?!"

Rick Woodward from Gibbs & Cox asks, "which kind of dishonesty is the worst?"

Hey you\\u2019re a CISO, what\\u2019s your take?

Another redditor on the AskNetSec subreddit asks, what kinds of questions should the interviewee ask about a company\'s environment so they know they\'re not walking into a giant mess? There were a ton of good suggested questions in the thread. If you could only ask three, which three would you ask that would give you the most information about both the stability and challenge of the security environment?

What would you advise?

Ross Young asked, I want to be a board advisor, how am I going to be paid? How much effort do I want to spend on this? What compensation should I expect? What do companies expect a CISO as an advisor to do? You both are advisors, so what\'s your experience, advice, and what have you heard from others?

\\xa0

Listed in: Technology

Patches? Yes, We Need Stinkin' Patches!

There was a time we could trust a patch, but now our adversaries are actually looking at the patches to find even more vulnerabilities. And we keep patching those as well. Our patches\' patches need patches. When does it stop?!

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Travis Hoyt (@travisehoyt), managing director, exec cybersecurity technology, TIAA

Thanks to our podcast sponsor, Adaptive Shield

Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company\'s SaaS estate, and enables quick remediation of any potential threats.

On this week\'s episode

What\\u2019s the best way to handle this

The vulnerability landscape is changing, according to a new report from Rapid7. One issue, as Rob Lemos of DarkReading reports, is that you can\'t necessarily trust patches. They\'re often incomplete, and attackers look at existing patches as an opportunity to find more flaws, which they do. And the threats come from different angles: they\'re widespread, targeted, often using a zero-day, and there are other vulnerabilities that are impending threats. It seems that the portion of the threats you know about and can defend against is shrinking, and you\'re battling more of the unknown. Have you seen similar, and if so how has your security program shifted as a result?

That\\u2019s something I would like to avoid

The NSA recently provided guidance on creating a Zero Trust security model. In the piece, the NSA says, "transitioning to a [zero trust] system requires careful planning to avoid weakening the security posture along the way." So what is the NSA talking about? What are common transitioning moves to zero trust that can make you vulnerable?

"What\'s Worse?!"

Jonathan Waldrop from Insight Global delivers a challenge specifically tailored for Mike.

Please, Enough. No, More.

Let\'s look at SaaS posture management, or just the ongoing management of potential issues that may come across SaaS platforms - and consider what we have heard enough about with regard to SaaS posture management, and what we would like to hear a lot more about.

Umm is this a good idea

OSINT should go beyond finding out a security practitioner\'s email and phone number, argued Alyssa Miller of S&P Global Ratings. Alyssa received an email pitch from a vendor offering a gift and she declined. That same vendor then followed up and called her. The vendor was pitching her something that wasn\'t in her department, that she had no control of, and she couldn\'t accept gifts because her company is in a heavily regulated market. In summary, Alyssa said if you\'re going to use OSINT, understand the person\'s business, their role, and if making such a request would be counterproductive. What types of vendor OSINT tactics work well and what types work poorly?

\\xa0

\\xa0

\\xa0

Listed in: Technology

I Think Possibly Maybe We've Solved Diversity in Cybersecurity

On this week\'s episode

How have you actually pulled this off?

As discussed before on this show, being the next CISO at a company that was recently breached can be very lucrative. We\'ve had guests that have very successfully negotiated huge salaries as the post-breach CISO. Are CISOs setting themselves up for far too much responsibility to be seen as a the company\'s digital savior? What are the responsibilities of a post breach CISO?

Got a better answer than "we\'re trying?"

Over the years we have interviewed dozens of business owners, security professionals, and hiring managers about diversity. Almost all their answers fall into the following buckets:

1. We\'re trying but there\'s no pipeline.
2. We\'re working with XXX group to improve.
3. Diversity is needed because diversity of thought it needed to create a more secure organization.

No one will admittedly say they\'re against diversity. Yet systemic racism, sexism, or just boys\' clubism in general continues to exist. It appears most of the non-diverse business leaders are being pressured into admitting it\'s a problem. So they do it, and we even get token hires, but it all comes off as diversity theater and not the business actually making a shift. What is the story of diversity in cybersecurity many people don\'t get and need to actually be doing, not just giving lip service to?

"What\'s Worse?!"

Eugene Kogan, CSO at a confidential company sets it up: Who do you want on our side: executives or employees?

And now a listener drops knowledge

"Learn cybersecurity in public," suggests AJ Yawn of ByteChek who recommends joining a training program and then publishing what you\'ve learned on a blog. As AJ explains, "Doing this will help you build relationships & prove to potential employers you\\u2019re applying your new knowledge." He concludes with the advice, "Don\\u2019t learn in silence." The community responded to AJ\'s advice. It\'s great advice, which everyone agreed to in the comments, but why then do so few people actually do it?

There\\u2019s got to be a better way to handle this

Zero trust is not a technology that can be purchases as a solution. It\'s an architecture, methodology, and framework that you have to consciously adopt, noted Stephen Lyons of F5 on a post on LinkedIn. Can solutions already in-house be rejiggered to adopt a zero trust methodology? And if so, what changes would need to be made to existing systems to have a more zero trust environment?

Listed in: Technology

Unnecessary Research Reveals CISOs Hate Cold Calls

In a study we never actually conducted, our fellow security leaders said unequivocally that there never has been a time they welcome a phone call from someone they don\'t know trying to book a demo to see a product they have no interest in.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Andy Steingruebl (@asteingruebl), CISO, Pinterest. Our guest this week is Andy Purdy (@andy_purdy), CSO, Huawei

Thanks to our podcast sponsor, Living Security

Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change.
This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.

On this week\'s episode

Here\\u2019s some surprising research

As compared to small and medium companies, big enterprises don\'t appear to trust the big telcos to execute their 5G strategy. This according to new research from Omdia as reported by Iain Morris of Light Reading. When asked, "do you trust a communications service provider, AKA big telco, to execute your security strategy," SMEs overwhelmingly supported the telcos over all other options, and big enterprises didn\'t. They trusted their own expertise or wanted to lean on a cloud service provider like Amazon or Google. Let\'s investigate this discrepancy.

If you\'re not paranoid yet here\\u2019s your chance

As if you didn\'t know it already, get ready for some sobering news about third-party risk: According to a survey by BlueVoyant, as reported by SC Magazine, 80 percent of those surveyed had at least one breach caused by a third party vendor within the past year. Most of those surveyed didn\\u2019t monitor third-party suppliers for cyber risk. But, even if they wanted to, it\'s often a point in time measurement, sometimes only yearly, and organizations have an average of 1409 vendors. UK\'s National Cyber Security Center puts the focus of securing against third party risk squarely on the development of the software supply chain, and the need for isolation and proven security checks throughout the development process. That may be good advice, but it still seems so overwhelming given the volume and how much you can\'t control.

"What\'s Worse?!"

A vulnerability response and incident detection conundrum from Jonathan Waldrop, Insight Global

What\\u2019s the best way to handle this

Lessons learned from a big security incident and how these will be applied to the next big security incident.

What do you think of this vendor marketing tactic

Very few, if any, security leaders like cold calls. Yet, even with all the expressed distaste of them, they still exist, and that\'s probably because they still work, and still deliver significant ROI. But when these companies calculating that ROI, are they calculating all the people they\'ve annoyed? One vendor sales rep who said after searching their CRM for "Do Not Call" there was a slew of vitriol from CISOs screaming to never contact them again. And as we all know, CISOs talk to other CISOs. So if you\'ve angered one CISO sufficiently to never consider you, they\'ve probably told a few friends as well. Let\'s discuss getting pushed over the edge by a vendor\'s aggressive sales tactics and what was done to essentially shut them off, including telling others about their actions.

\\xa0

\\xa0

Listed in: Technology

One Day You'll Grow Up to Know Less Than You Do Now

We know so little when we\'re born. We\'re just absorbing information. But then we get older, and get the responsibility to secure the computing environment of a large company, we actually see that knowledge we absorbed start slipping away. What we thought we knew of what\'s in our network is so far afield from reality.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Tom\\xe1s Maldonado (@tomas_mald), CISO, NFL.

Thanks to our podcast sponsor, Nucleus Security

Nucleus unifies your existing security stack,\\xa0integrating with over 70 scanners\\xa0and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process\\xa0simple\\xa0through smart automation and workflow optimization? See for yourself at\\xa0https://nucleussec.com/demo

It\\u2019s time to measure the risk

Outside of security basics and popular controls like SSO, MFA, and password management, what are the most effective means (or security control) to reduce risk? People have been offering some great suggestions on LinkedIn such as reducing attack surface, knowing what you\'re protecting, education, more conversations about risk, and actually having someone in charge of security and risk. All reduce risk, but what truly gives the biggest bang for the buck in terms of risk reduction?

Are we making this situation better or worse?

When things break, what\'s the best tactic to remediation? A bigger/better version of the last thing, or critical thinking? Both actually have serious costs associated to them. The first being equipment and maintenance, and the second having the talent that\'s able to think of unique and innovative soluitons. In a post on LinkedIn, Greg van der Gaast of cmcg argues that bigger walls just result in continued security problems at a more expensive, yet slower rate. He argues many issues could be avoided with critical examination, especially in IT.

It\'s time to play, "What\'s Worse?!"

Ross Young asks how badly do you need to measure your security program.

How would you handle this situation?

Our guest, Tom\\xe1s Maldonado, describes what\'s unique about being a CISO for the NFL - the specific security concerns that aren\'t necessarily on the radar at his previous organizations, and the security issues around huge global events like the Super Bowl.

Well that didn\\u2019t work out the way we expected

Perception vs. reality in security. On LinkedIn, Ross Young, CISO at Caterpillar Financial Services said, "In April 2018, McAfee published a survey asking 1,400 IT professionals to estimate the number of cloud services in use within their organization. The average response was 31, with only 2% of respondents believing that they had more than 80\\u2014yet the real average is 1,935." This supports the great need of asset inventory. There are many instances CISOs have to make an estimate of what they have given the best information. We look at examples of when the reality of a situation was far from the initial perception, and how to manage this.

Listed in: Technology

Would You Look at that Unrealistic Licensing Deal?

CISOs know that salespeople want to make the best licensing deal they can possibly get. But unpredictability in the world of cybersecurity makes one-year licensing deals tough, and three-year licensing deals impossible.

This episode is hosted by David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Mark Eggleston, (@meggleston) CISO, Health Partners Plans.

This recording was recorded live in front of a virtual audience at the "SecTalks - Leading with grit in security" virtual conference brought to you by our sponsor, Cobalt.

Thanks to our podcast sponsor, Cobalt

Cobalt offers a faster more effective pentesting solution through its Pentest as a Service (PtaaS) platform. With it, you can schedule a pentest in as little as 24 hours for all kinds of assets. The platform also connects you with a global pool of pentesters called the Cobalt Core, whose skills can match what you need. And instead of sending you a huge PDF that raises more questions you can\\u2019t answer, they engage with your team throughout the pentest. Findings can land straight into Jira and GitHub, helping you fix vulnerabilities as soon as they\\u2019re discovered. Cobalt makes pentesting easy, quick to deploy, scalable, and simple to remediate.

On this week\'s episode

Why is everybody talking about this now?

A redditor is struggling and overwhelmed! The person is in school studying, working, and loving cybersecurity, but has completely and utterly failed the foundations course and is on academic probation. The person told their story to the cybersecurity subreddit community, and the support came out in droves. We\'ve seen this before. People hit a major wall professionally and they just reach out to the anonymous masses for support. The story hits a nerve and the community is eager to show encouragement. In fact, just this past week, the New York Times had an article about the unemployment subreddit offering advice and information to those struggling. We\'ll take a look at this tactic of reaching out for support and guidance through discussion boards.

What do you think of this vendor marketing tactic?

"Pro tip to vendors: don\\u2019t claim that you can\\u2019t do a one-year licensing deal. You might end up with a zero-year license deal", said Ian Amit, CSO, Cimpress on LinkedIn. We\'ll look at the art of negotiating a contract with a vendor: What is it ultimately you want? What are you willing to concede on and what must you have? And what are the situations that cause this to change?

It\'s time to play, "What\'s Worse?!"

Jason Dance of Greenwich Associates suggests two scenarios that others believe is security, but actually isn\'t.

If you haven\\u2019t made this mistake, you\\u2019re not in security

On Twitter, the CISO of Twitter, Rinki Sethi, said, "A career mistake I made, I rolled out a phishing testing program before the company was ready for it. The HR team said it was against the company culture and if I tried a trick like that again, I would be fired. Lesson - communication is important in #cybersecurity." Rinki asked for others\' stories of failure. Let\'s explore a few.

What Is It and Why Do I Care?

For this week\'s game, the topic is vulnerability management. We look at four pitches from four different vendors. Contestants must first answer what "vulnerability management" is in 25 words or less, and secondly must explain what\'s unique about their vulnerability management solution. These are based on actual pitches - company names and individual identities are hidden. The winners will be revealed at the end.

\\xa0

Listed in: Technology

This Is the Year I'm Going to Lose Weight and Care About Security

Every year I say I\'m going to do it. I\'m going to get healthy and be much better about securing my digital identity and my data. But then after about two weeks I give up, use the same password across multiple accounts, and eat a pint of H\\xe4agen-Dazs.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and guest co-host Dan Walsh, CISO, VillageMD. Our sponsored guest this week is Drew Rose, (@livsecaware)CSO, Living Security

Thanks to our podcast sponsor, Living Security

Traditional approaches to security communication are limited to one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely affect long-term behavioral change.

This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers.

On this week\'s episode

What would you advise?

Over on the AskNetSec subreddit, a pentester wants out. The redditor is looking for exit opportunities into another job in cybersecurity. Other redditors suggested IT audit, SOC operations, incident response, forensics. What would be an ideal next step for a pentester?

We don\\u2019t have much time. What\\u2019s your decision?

What happens when a previous employer of yours gets hacked and your information is potentially stolen. This happened to a redditor who asked this question on the cybersecurity subreddit. If nothing has actually happened, what can they do and what can potentially happen? Is a warning of "I may be compromised" to anyone going to do anything?

"What\'s Worse?!"

Jason Dance of Greenwich Associates delivers a really annoying "What\'s Worse?!" scenario.

Please, Enough. No, More.

The topic is "Security Awareness Training". David prefaces this with a top finding from a Forrester report that said, "Unless You Capture Hearts And Minds, No Amount Of Training Will Work". So with that said, what have people heard enough about with regard to security awareness training and what would they like to hear a lot more?

Pay attention. It\\u2019s security awareness training time

What if security behavior was rated as a performance score, suggested Ashish Paliwal of SONY. In his LinkedIn article, he agreed you can\'t train yourself to better security. It requires positive reinforcement. He suggested psychometric tests and a scoring system where you would gain points for good security behavior and lose points for bad security behavior (-10 for clicking on a phish, +10 for reporting). Creative ideas that he acknowledges have lots of challenges. The focus here is changing human behavior, possible the hardest feature to implement. What user experience does change behavior? And why would or why wouldn\'t Ashish\'s suggestions work?

Listed in: Technology

Please Accept This Not-a-Bribe Gift as an Act of Desperation

Nucleus unifies your existing security stack, integrating with over 70 scanners and external tools, creating a centralized hub to control the chaos of vulnerability analysis, triage, and remediation. Ready to make the tedious VM process simple through smart automation and workflow optimization? See for yourself at https://nucleussec.com/demo.

On this week\'s episode

OK, what\\u2019s the risk?

People hear all too often that risk security isn\'t compliant security and vice versa, but isn\'t compliance just another form of risk? Shouldn\'t it be given quantitative and qualitative ratings like any other risk, prioritized, and remediated especially in highly regulated environments?

Why is everyone talking about this now?

On LinkedIn, LinkedIn CISO, Geoff Belknap asked, "Tech Vendors: Please, stop offering cash or gift cards for meetings. It throws into question the entire basis for a relationship and It\'s not ethical."

Vendors take CISOs out for lunch all the time. That is a form of a gift. One vendor said because they can\'t take a CISO out they send a Starbucks card in lieu of the coffee they were going to purchase. Then there are the gifts that arrive for attending an event.

Edward Kiledjian at OpenText, said, "I recently had a vendor get upset with me that I wasn\'t willing to accept his gifts. He said others in my position accept it and he couldn\'t understand why I was being so \'stubborn.\'"

How should this situation be handled and does a CISO\'s opinion of the vendor change as a result?

"What\'s Worse?!"

David tried to second guess Mike and was wrong on this bad idea from Jesse Whaley, CISO, Amtrak.

If you haven\\u2019t made this mistake you\\u2019re not in security

When Zero Day bugs arrive, security flaws just keep perpetuating. Garrett Moreau of Augury IT posted an article from MIT Technology Review about Google\'s research finding that when patches are released for zero days, they\'re often incomplete. Hackers can actually find the vulnerability sitting on the next line of code right next to the patched line of code, making it very easy for a hacker to reignite the zero day vulnerability. How can this problem stop perpetuating itself?

Someone has a question on the cybersecurity subreddit

A frustrated redditor eager to learn cybersecurity is getting stuck on CTFs (Capture the Flags ) and is losing the motivation as a result. The person is worried that relying on walkthroughs will be harmful. Responses from the reddit community were that the walkthroughs are there to help people learn, and that most CTFs don\'t resemble real life. They\'re there to teach a few tricks. So, is that the case?

Listed in: Technology

Foul! That Interview Question Is Unfair

Pick a side. You either want your employees to have a work/life balance, or you want them to be obsessed with security 24/7. You can\'t have both.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Arpita Biswas, (@0sn1s) senior incident response engineer, Databricks

Thanks to our podcast sponsor, StackRox

StackRox is the industry\\u2019s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

What would you advise?

People speak a lot about the importance of integrating security and DevOps. Now it\'s time to learn some specifics, like how to energize developers to be more security minded in their development. What works? What hasn\'t worked?

"What\'s Worse?!"

You just learned something was breached. Uggh. (Thanks to Mike Toole, Censys)

What\\u2019s the best way to handle this ?

What questions should be asked to see if a security team is cloud incident ready? A good article over on F5 by Sara Boddy, Raymond Pompon, and Sander Vinberg, provides some suggestions such as "Can you describe our attack surface and how have you reduced it to the bare minimum?" and "How are we managing access control?" and "What do we do when systems or security controls fail?" Which of the questions is the most revealing to cloud security readiness and why?

Should you ignore this security advice?

On the AskNetSec subreddit someone inquired about a good hiring question. One redditor suggested asking "What do you do on your own home network with respect to security?" to which another redditor argued that the question was unfair. He left the security and networking for work. He had other hobbies and interests for home life. Another person said, yes it is unfair, but there are plenty of candidates who do breathe security 24/7 and if given a choice, the redditor would take that person. The politically correct thing to say is you want the person with the work-life balance, but wouldn\'t we be more impressed with the person who has security in their blood day and night?

Close your eyes and visualize the perfect engagement

Another question on AskNetSec subreddit asked "What are the most important skills you see missing among other coworkers or your team?" The two most common answers I saw on the thread were communications and critical thinking. Are these correct. or should something else go there? ? And if those two did improve, what would be the resulting effect to a company\'s security program?

Listed in: Technology

Why Do We Fire the CISO? Tradition!

Why is everybody talking about this now?

On the AskNetSec subreddit one redditor asked, "Why do people always get fired over a breach?" to which one responded, like many others, "it\\u2019s just tradition. Military, government, corporations. It\\u2019s an old-fashioned thing really, but a lot of people still believe a \'blood sacrifice\' is required to restore faith from the public or the shareholders." How tenable is it to keep doing this with so many breaches? After a breach what are the different actions needed to appease shareholders, executives, employees, and customers? And when is blood letting warranted?

How to become a CISO

Over on the CISOseries subreddit, a hopefully soon-to-be-CISO asked, "What should I ask before being a CISO at a startup?" This startup is pre-IPO. 2000 employees. About $1B in valuation. The redditor is looking for advice beyond asking what\'s the current security strategy and what the reporting structure would look like. What would you want to ask in such a situation?

"What\'s Worse?!"

Probably the ultimate "What\'s Worse?!" scenario.

Hey you\\u2019re a CISO. What\\u2019s your take?

On LinkedIn, Kris Rides asked, "If you can only do one thing to retain your staff what would that be?" What have you done and has any of your staff let you know that certain actions you took meant a lot to them. According to research from leadership consulting firm DDI, 57 percent of employees who walk out the door, do so because they can\'t stand their boss. For that reason, the pressure is heavily on the CISO to make sure they\'re well-liked by their staff.

There\\u2019s got to be a better way to handle this

Can you think of a moment you had to make a significant shift in your security program? What did you do and why? Was there a specific event that triggered it?

\\xa0

Listed in: Technology

Click This Link to Fail a Phishing Test

Our phishing tests are designed to make you feel bad about yourself for clicking a link. We\'re starting to realize these tests are revealing how insensitive we are towards our employees.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Yaron Levi, (@0xL3v1) former CISO, Blue Cross Blue Shield of Kansas City.

Thanks to this week\\u2019s podcast sponsor, Stackrox

StackRox is the industry\\u2019s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

Is this a cybersecurity disinformation campaign?

On reddit, an explosive discussion formed around a ComputerWeekly.com article by Saj Huq of Plexal about the importance of making disinformation a security issue. The problem though has primarily fallen into the hands of social media companies mostly because that\'s where disinformation spreads. While we\'ve seen disinformation being used as a political tool, for businesses, it can tarnish your corporate brand, consumer trust, and ultimately the value of your product. It\'s also used in phishing campaigns. Breaches are compromising your data. Disinformation is questioning the validity and value of data without even stealing it. How do you combat that?

Are we having communication issues?

We\'re recording this episode shortly after GoDaddy sent its infamous phishing test email that promised employees a $650 bonus check. Those who clicked on the email were rewarded with additional security training. It took the entire Internet to point out how insensitive this was, GoDaddy\'s response was "We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized." They argued that while it may be insensitive, these types of well-timed phishing emails do happen. A lot of people do not like phishing tests and Yaron has proven that if creative enough, anyone can fall for a phish. How can the company and security be more sensitive to employees, respect them, while also letting them know they may receive a malicious email just like this?

"What\'s Worse?!"

An international What\'s Worse conundrum.

How do you go about discovering new security solutions?

Julia Wool, Evolve Security said, "I just finished a Splunk course and wanted to explore other SIEM platforms and I am having a difficult time understanding how an enterprise should choose a vendor in this space. I couldn\'t imagine being the guy at an enterprise that has to consider all these different vendors that seem to be doing the same thing." Julia brings up a really good concern: If you were completely green, didn\'t have CISO connections, and were going to choose a SIEM for the first time how would you go about determining your needs and then researching and deciding? What sources would you use? And how do you limit this effort so you\'re not overwhelmed?

There\\u2019s got to be a better way to handle this

Brian Fanny, Orbita, asks, "Vendor scope can change over time within a project or the start of another and harder to control than the initial evaluations. They start off when non-critical requirements/needs eventually grow into handing assets of greater value and/or gaining access to more critical systems. How do you keep up with vendor/project scope creep from the security sidelines?"

Listed in: Technology

Our "Hope It Doesn't Happen to Me" Security Strategy

We\'re thinking it just might be possible to wish our security problems away.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Steve Giguere, (@_SteveGiguere_) director of solution architecture and community, StackRox.

Thanks to this week\\u2019s podcast sponsor, Stackrox

StackRox is the industry\\u2019s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

On this week\'s episode

That\\u2019s something I would like to avoid

Security theater is a security placebo. We\'re being told that it\'s effective, and we may fool ourselves into believing it is, but the reality is there\'s no real security medicine there. Over on Infosecurity Magazine, Danny Bradbury has identified a few key ones I want to call out. In particular, technology buzzwords - like getting a solution with AI, data collection - more data, more insights, right?, and endless security alerts - for practitioners and end users. All of these seem to be in regular practice today. Does calling out security theater result in pushback? And if so, how do you handle calling it out and how would you shift each of these security placebos into a more medicated version?

There\\u2019s got to be a better way to handle this

On reddit, kautica0 asks, "If a company becomes aware of a 0-day vulnerability and it impacts their production web application serving customers, what actions should be taken? Should it even be considered an incident?"

Just because it\'s a 0-day vulnerability does that make it more threatening than any of the known vulnerabilities? There was a lot of logical advice that was akin to how we would handle any vulnerability, but the 0-day nature had the looming feeling of this could be an incident very quickly and would require an incident response plan.

"What\'s Worse?!"

A "What\'s Worse?!" entry from our youngest listener.

Please, enough. No, more.

The topic is Kubernetes Security. We discuss what we have heard enough about when it comes to Kubernetes security and what we would like to hear more.

Where does a CISO begin

Is being cloud first a security strategy? Over on the UK\'s National Cyber Security Centre, an article argues that we should not ask if the cloud is secure, but whether it is being used securely. What does that mean? And is there an argument for and against cloud first being a valid security strategy?

\\xa0

Listed in: Technology

Hey Reseller, What's the "Value" You're Adding?

It seems that you\'re offering so much more when you add the VA ("value added") in front of your title. What is that? Why am I working with you rather than buying directly from the vendor?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Doug Cahill (@dougcahill), vp, and group director, cybersecurity, Enterprise Strategy Group.

Thanks to this week\\u2019s podcast sponsor, Dtex

Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today\\u2019s organizations need and employees will embrace. Learn more at dtexsystems.com.

On this week\'s episode

How a security vendor helped me this week

From Trevor Marcatte, The SCE Group, asks a question about the "value added reseller" or VAR vs. the "large account reseller" or LAR.

I\'m paraphrasing, but Trevor wants to know what we\'re seeing as the value of this middleman. Trevor said, "Being the middle man is tough and battling the big guys is tough. CDW\'s, SHI\'s of the world. The smaller guys have so much more to offer than a price. Price is dictated by the vendor anyways."

What do the smaller VARs have to offer that the larger LARs can\'t offer?

How do you go about discovering new security solutions

How do we evaluate DevSecOps solutions? Mike hates the term, so I\'ll say how do we evaluate solutions that will improve the security of the DevOps pipeline? GigaOM Research has a report where they evaluate these solutions, but they also have another report that goes into detail on evaluation criteria. There is a lot of criteria such as seamless integration into tools, process, and dashboards, plus role-based access controls, automation driven by policy, management of secrets, and dependency analysis. What criteria do we look at? How does it change from company to company? And how do we supplement when a solution looks great, but misses a key criteria?

"What\'s Worse?!"

A question about DevSecOps.

What\\u2019s the best way to handle this?

Is cloud identity management going to stick? According to David Vellante over at Wikibon and The Cube, the pandemic has forced that shift for everyone and there\'s probably no turning back. For cloud-first companies this was business as usual before the pandemic. But what about all the new businesses that are going to the cloud and doing business with you. It\'s a very broad field and there are a lot of industry players, so actually skip the obvious stuff and just mention the items that have become sticking points or are still in need of development.

Is this the best solution

The "X" in XDR extends traditional endpoint detection and response or EDR to also include network and cloud sensors. We talked about this on our other podcast, Defense in Depth, and one of the issues came up was the disruptive nature of XDR. How much was real. David Thomas, Computacenter, said, "The aspiration to get fully integrated insights of all your tools and create the ultimate feedback loop responsive system is a worthy aim... Current vendor XDR pitches are up selling opportunities but customers have a challenge to adopt or shift to a single vendor platform due to a vast array of displace/replace challenges. It\\u2019s a great marketing story but the pragmatic reality is it\\u2019s a tough and long journey to realise the platform / single (pain) pane promise, unless you are a greenfield organisation." Is XDR a worthy goal and what is the marketing hype buyers should question?

\\xa0

Listed in: Technology

The People Closest to You Will Hurt You

Insider threats. We know some are malicious, and sometimes it\'s the unwitting result of someone trying to do their job. Aren\'t you supposed to trust the people you hire?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Dr. Deanna Caputo, chief scientist for behavioral sciences and cyber security capabilities, senior principal behavioral psychologist for MITRE.

Thanks to our sponsor, Dtex.

Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today\\u2019s organizations need and employees will embrace. Learn more at dtexsystems.com.

On this week\\u2019s episode

What we\'ve got here is failure to communicate

Breaking News! The cybersecurity skills shortage is growing. The ISSA and Enterprise Strategy Group released a report claiming the reason that 70 percent of companies feel that they\'re at risk is because of the increased workload for cyber professionals, unfilled open job requisitions, and poor education on the relevant technologies. This discussion appeared on the cybersecurity subreddit and complaints ranged from entry level jobs asking for 3+ years experience (something we\'ve discussed many times before), and people with many more years of experience struggling to find a job. Others who were contemplating entering cybersecurity said the discussion was turning them off from entering the field.

There\'s supply and demand, yet there\'s frustration on both ends. Why aren\'t they connecting? What\'s going on?"

Are we making this situation better or worse?

What defines "usable security". We\'ve discussed obvious things like trying to make it invisible to the user and just basic user experience. But what\'s unique to cybersecurity design that many don\'t consider when creating usable security. For example, for phishing there are an endless number of email programs AND we have lots of security awareness training. Could we do away with the awareness training if security was more usable?

What\'s Worse?!

Insider threats are no fun, but which one is the worst?

Please, Enough. No, More.

Topic is Insider Threats. What have we heard enough about with insider threats, and what would we like to hear a lot more?

There\\u2019s got to be a better way to handle this

What do you do after you get the certification? What are the next steps? Mo Shami reached out to me and mentioned that he was going to announce that he passed his CISSP or Certified Information Systems Security Professional exam. He wanted to share the excitement and I said when you post to LinkedIn ask everyone else what they did right after they passed. Most people ended up just saying congratulations, but a couple suggested more certifications or just research job openings (seems obvious). What should one do after you get the certification?

Listed in: Technology

When Should You Stop Trusting Your CISO?

How technically capable does my CISO need to be? If they lose their technical chops, should we stop trusting them? Should they even be a CISO if they had no technical chops to begin with?

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is James Dolph, CISO for Guidewire Software.

Thanks to our sponsor, Dtex.

Traditional Employee Monitoring solutions are creepy. Capturing screenshots, recording keystrokes, monitoring web browsing and following social media activities is unnecessary and damages culture. DTEX InTERCEPT is the first and only solution that delivers the real-time workforce monitoring capabilities today\\u2019s organizations need and employees will embrace. Learn more at dtexsystems.com.

On this week\\u2019s episode

We mentioned past guest, Kelly Shortridge\'s new book with Aaron Rinehart, "Security Chaos Engineering".

First 90 days of a CISO

It\'s time for a CISO do-over. One of the great things about being a CISO is you get a chance to actually apply everything you learned from past jobs. Our guest, James, worked in product security with Salesforce before becoming a CISO. When we recorded the episode, James wasn\'t yet a full 90 days into his job. And Mike also came from Salesforce as well (they worked together) and working at Lyft was his first CISO job directly from Salesforce as well. Did they both have the same viewpoints of applying product security principles to the CISO role?

How do you go about discovering new security solutions

What criteria do you use to evaluate phishing solutions? GigaOM Research released a report earlier this year of the key criteria for evaluating phishing platforms. Some of the criteria they mentioned were phishing solutions that do and do not impede workflows, a security edge solution that\'s in-band vs. out-of-band, and do you need detonation chambers for potentially malicious emails.

What criteria do Mike and James use to evaluate, and have they seen those criteria change from company to company? What criteria are not as important?

What\'s Worse?!

Failing as a professional or being a mediocre professional?

What\\u2019s a CISO to do

On Defense in Depth, my co-host Allan Alford said, "I think the lack of technical skills in a CISO is expected to a certain degree. You have to have the foundation, but I don\'t expect my CISOs to be rolling up their sleeves and doing a lot of the hands on work." I turned that quote into a meme image and it caused a flurry of response from the community. How much of applying of security controls that your staff currently does, could a CISO do themselves today?

Let\\u2019s dig a little deeper

What are our passion projects that are tangentially related to cybersecurity? Are we adopting any and how is it helping us stay mentally healthy during COVID? Tony Jarvis of Check Point brought this up. He suggested that we should be sharing our passion projects. What have been our passion projects? How have they helped our mood and our work? And have we been able to keep up with them?

Listed in: Technology

Why Is 'Pay the Ransom' In Next Year's Budget?

With 25 percent of ransomware victims paying the ransomware, have we waved the white flag to the attackers? Should we just budget for it?

This week\\u2019s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest is Les McCollum (@doinmorewithles), managing vp, CISO, ICMA-RC.

Thanks to our sponsor, BitSight.

BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach.

On this week\\u2019s episode

Why is everybody talking about this now

Are culture fit and diversity mutually exclusive? Allan Alford, co-host of Defense in Depth podcast, brought up the conversation of needing diversity in all areas: age, gender, ethnicity, city vs. country, country of origin, military vs. civilian, college educated vs. self-taught, socioeconomic status, and disabilities. But at the same time, I\'m thinking we NEVER see those types of groups hanging out together or getting along. So how do you create a culturally sane group among such a diverse group? People are tribal by nature and even if you\'re successful creating diversity on your team they\'re going to bond with people of similar types. Won\'t this introduce new problems?

If you haven\\u2019t made this mistake you\\u2019re not in security

At the end of the year when you look at your security budget, what are the costs you didn\'t expect or budget appropriately at the beginning of the year? On CSO Online, John Edwards has an article about seven overlooked cybersecurity costs that may bust your budget. He mentioned items such as staff acquisition and retention, incident response, third-party analysis, and replacement costs. What has been a surprise for you and has adjusting things for the next year helped, or is there always a surprise? Which is the one everyone should prepare for but they don\'t?

More bad security advice

Over a quarter of companies that fall victim to ransomware, pay the ransom, according to a study by Crowdstrike. In a discussion thread on reddit, user yourdigitalmind said they had a client who remarked, "WHEN we get hit, it will force us to start doing things right, but right now, it\'s cheaper\'" So he\'s accepted being hit by ransomware is inevitable. That falls in line with Crowdstrike\'s study that found after a ransomware attack 75 percent of the victims do increase their security spend on tools and hiring. Humor for me a moment. Most of us do not want to pay the ransom, but sometimes you can\'t think of the greater good and you have to think of the survival of the business.

Is this where I should put my marketing dollars?

What types of vendor stories do you respond to?

I bring this up because Mike O\'Toole, president of PJA Advertising wrote a great piece about how to build a cybersecurity brand story. In the article, he offers up some really good advice such as "Position yourself against the category, not just your direct competitors," "Fear gets attention, but opportunity can drive purchase behavior," and "The strongest brand stories are about market change."

Which advice most resonates with how you\'re pitched, and can you think of either a customer story or offering that you overheard that pushed you into exploring a vendor\'s solution?

Listed in: Technology

We're 90% Confident We've Lost All Confidence

I don\'t think we\'re doing enough to protect ourselves against cyberattacks and I\'m also pretty sure we\'re clueless as to what our third party vendors are doing.

This week\\u2019s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our sponsored guest is Stephen Boyer (@swboyer), co-founder and CTO, BitSight.

Thanks to our sponsor, BitSight.

BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach.

On this week\\u2019s episode

There\\u2019s got to be a better way to handle this

How confident are your employees in your cybersecurity efforts? And how does employee confidence affect corporate security? Tip of the hat to Tor Swanson of Premier IT for posting this survey from Nulab. The survey found that employees felt that their company\'s ability to secure digital data was a major to moderate problem. That percentage jumped up dramatically for companies with less than 100 employees. In addition, employees don\'t feel they\'re being heard with their cybersecurity concerns. For companies with less than 50 employees, 44 percent felt their employers were slightly or not at all responsive.

Perception is a huge part of successful cybersecurity. If you were to let these perceptions continue, how does it affect your overall security program?

Question for the board

Ross Young, CISO, Caterpillar Financial Services asked, "What are the cyber metrics that should be reported to the board each month or quarter? Is this standardized (example does the financial industry say we want these five metrics), and where would you go to see how you benchmark against the industry?"

I\'ll skip to one important metric we\'ve mentioned on this show multiple times and that\'s "dwell time" or the time between an incident happening, discovering it, and then remediating it.

How do you go about finding benchmarks, and what other metrics tell a good story to the board so they can better wrap their heads around the security program\'s effectiveness?

What\'s Worse?!

Third party issues? We\'ve got \'em.

Please, Enough. No, More.

Topic is third party risk management. What have we heard enough about third party risk management, and what would we like to hear a lot more?

Close your eyes and visualize the perfect engagement

We\'re all getting bombarded with virtual events. Interested to know what virtual events have you attended that you\'ve really enjoyed. Also, what virtual events are the most engaging where you find yourself NOT multi-tasking while watching.

Plus, what does a virtual event need to offer for you to take time out in your day to attend?

Listed in: Technology

Networks Wobble But They Don't Fall Down

Eager cyberprofessional looking to really impress a CISO? Create a home network lab and show how you can handle incidents on that network without shutting it down.

This week\\u2019s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest is Steve Zalewski, deputy CISO, Levi Strauss.

Thanks to our sponsor, BitSight.

BitSight is the most widely used Security Ratings service with a mission to change the way the world addresses cyber risk. Learn how BitSight for Third-Party Risk Management helps you efficiently mitigate the growing risk across your vendor ecosystem by taking an automated, data-driven approach.

On this week\\u2019s episode

Why is everybody talking about this now

Following the horrible terrorist attack in Vienna, the EU has proposed a ban on encryption, requiring companies like WhatsApp and Signal to provide backdoor keys to decipher their end-to-end encryption. It\'s questionable whether this attack could have been thwarted had the data they couldn\'t see been read, but regardless, it appears this ban is going to be approved. As you might imagine, the cybersecurity community blew up... on reddit.

This is obviously a complicated and thorny issue. What\'s at play here are authorities being blocked from doing their job because of technology. The loss of human life. And the loss of democratized privacy. Are there any checks and balances that can provide some benefit to any side of this equation?

What would you advise?

On a previous episode Mike mentioned that if you\'re an aspiring cybersecurity professional, one way to really impress a CISO is to setup a network and show how you can deal with incidents without taking down the network.

I get Mike to talk specifics of that. What if he was in the shoes of that aspiring cyberprofessional. If he were to set one up, what would it have on it and how would he do it?

"What\'s Worse?!"

Do you need experience or communications?

Close your eyes and visualize the perfect engagement

On CSO Online, Jaikumar Vijayan wrote a best practices guide to negotiating SaaS contracts for risk and security. It\'s a good primer. He mentioned know your risks, state what\'s non-negotiable, insist on early breach notifications, and be clear on terms for termination. What is the most important concern when negotiating a SaaS contract, and what has been the most difficult to manage?

"What Is It and Why Do I Care?"

The panoply of security products is very confusing. There are so many product categories and then there are so many companies delivering solutions for all these categories. As a security vendor, how do you know if your pitch is landing with CISOs? That\'s why we play "What Is It and Why Do I Care?" I ask vendor listeners to submit to our game which you can find under the Participate menu option and then "Challenge Us".

Today\'s category is penetration testing. We have four challengers. First, I will read four 25-word descriptions from four unnamed security vendors. That\'s our "What Is It?". Then I will read four 25-word differentiators from the same unnamed vendors. That\'s the "Why Do I Care?" It\'s up to our CISOs to pick their favorite. At the end I will announce the winners, and only the winners. Losers are not announced. YES, it\'s the only risk-free opportunity in cybersecurity. Ready to play?

Submit your pitches to "What Is It and Why Do I Care?" I\'m looking for vendors in the following categories to submit: Data loss prevention, human-layer security, MSSPs, third party vendor assessment, and managed detection and response.

Listed in: Technology

Why Don't Cybercriminals Attack When It's Convenient for Me?

Hey cybercrooks, I\'ve got a really great weekend planned, so could you do us all a favor and cool it this Friday and just let all of us enjoy the weekend?

This week\\u2019s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest is Margarita Rivera, vp of information security, LMC.

Thanks to our sponsor, Netskope.

The\\xa0Netskope\\xa0security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey.

On this week\\u2019s episode

Is this the best solution?

Geoff Belknap, CISO, LinkedIn asks, "If you could only buy one off the shelf security tool / product. What would it be and why?"

Here\\u2019s some surprising research

We\'ve discussed a lot of how COVID is changing security. Well Eli Migdal, CEO of Boardish sent me some interesting research his company conducted regarding the last six months since the start of COVID. According to Boardish\'s report the top three threats now are:

Immobility (not being able to work remotely)
Ransomware
Accidental Sharing

And the top 3 solutions now are:

User Awareness training
Remote conferencing
IAM (identity access management) Solutions

Does this track with your current threats and solutions?

What\'s Worse?!

Two guaranteed bad things will happen. But one will cost far more damage. Which one?

Pay attention. It\\u2019s security awareness training time.

Jackson Muhiwre, deputy CISO at UC Davis said his cyber team "Are now extra vigilant on Fridays or call it the new Monday for cyber folks." The reason for this increased awareness is the number of cyber incidents that happen on a Friday or just before a holiday seems to go up. Past cyber incidents seem to show that pattern said Muhiwre who believes that malicious hackers know that users have their guard down at these times and it\'s the easiest time to attack.

Are our CISOs of similar thinking and if so how do they prepare/warn/keep staff vigilant? What can be done on top of your existing protections if your staff lets its guard down?

What\\u2019s the best way to handle this?

On LinkedIn, Caitlin Oriel, wrote a very emotional post about her being unemployed for six months and how the non-stop stream of rejection has become overwhelming. The community response was equally overwhelming with nearly 80,000 reactions and 7,500 comments. Caitlin works in tech, not cyber, but the post was universal. The feelings she expressed about being rejected continuously and ghosted by companies left her sobbing in her car. All of this rejection made her question if she\'s doing the right thing and where she belongs. I have been in this position myself, as have my friends and family. I wish I knew the right things to say to someone or how to keep them moving. What are positive ways to combat ongoing rejection and get a sense you\'re still heading in the right direction?

Listed in: Technology

Archaeologists Dig Up the Remains of An Optimistic CISO

It it believed that in ancient times cybersecurity was successfully fought with a glass half full approach. Today\'s pessimistic CISOs have yet to confirm the findings.

This week\'s episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of "Well Aware: The Nine Cybersecurity Habits to Protect Your Future".

Thanks to our sponsor, Netskope.

The Netskope security cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey.

On this week\'s episode

Vendors have questions our CISOs have answers

Neil Saltman of Anomali runs a CISO meetup group and he asks, "A common topic is CISOs going back to platform vendors versus best of breed because they are overwhelmed. When do you buy best of breed vs. just add it to the stack from Microsoft or other large vendors\\u2026 When I worked at Bromium I had a CISO tell me \'I\\u2019ll buy your product when Microsoft buys you.\'"

Mike Johnson leans more to best-of-breed or in some cases build it yourself. Can Mike sympathize with these other CISOs and what would his situation have to be to make a platform play?

What I learned from a CISO

One of the main tenets of George\'s new book, "Well Aware: The Nine Cybersecurity Habits to Protect Your Future" is that optimists outperform pessimists in productivity, wealth, and longevity. The "Department of No" cybersecurity people are just hurting themselves. You argue that the more positive attitude can be garnered by learning from people who have successfully protected their communities. What are examples of watching another\'s success, and what can you learn?

What\'s Worse?!

Both are going to cause problems. It\'s tough to say which one\'s worse.

It\'s time for "Ask a CISO"

We\'ve got a request for career advice, from an anonymous listener. We\'ll call him Steve. Steve has been with his company 14 years and they were recently acquired and the new company was calling the shots. After the acquisition, the CISO and Steve were working on bringing the merged companies up to compliance standards and dealing with audits: SOC 2, Sarbanes-Oxley, PCI, etc. CISO was planning on leaving the company in 2021 and grooming Steve to replace him. Then COVID hit and the company gave the CISO a beautiful severance package leaving Steve with all the CISO\'s responsibilities, but not the title change or salary. Steve asked the CIO about plans to replace the CISO and the CIO said Steve could apply once the position was announced. That was 5 months ago. Steve likes his job and the people he\'s working with but he\'s frustrated with no clear vision of future plans. We offer up some advice for Steve.

What\\u2019s the best way to handle this

Can we opt-in to cybersecurity awareness? At one of our live shows I asked the audience, "Who has gone through security awareness training?" Every hand went up with a loud audible groan. Most of us would like to opt-out of this mandated training. What if our coworkers could be enticed to opt-in? It\'s the end of cybersecurity awareness month. What have you done or seen others do that\'s actually worked? And now the far trickier question, what has worked over a long time?

Listed in: Technology

Can a Robot Be Concerned About Your Privacy?

On this week\'s episode

Why is everybody talking about this now

"The lack of women in cybersecurity leaves the online world at greater risk," stated Naomi Schalit of The Conversation. Mollie Chard of Capgemini shared the article that generated a lot of conversation. Naomi hit many issues we\'ve discussed before like diversity offers different viewpoints, which is critical for building a cybersecurity program.

I would like to focus on the dynamic of the security team. I\'ve been in testosterone-fueled environments and things change dramatically when just one woman enters the room. And it changes even more when there are more women. What is that dynamic, why is it valuable, and what\'s the danger of the all-male environment?

Well that didn\\u2019t work out the way we expected

At the end of every show I ask our guests, "Are you hiring?" And prior to COVID, almost everyone said desperately, "YES, we\'re hiring." That has changed dramatically for the worse since COVID started. Emma Brighton has a story on InfoSecurity Magazine about the real shortage that\'s happening. Problems she points to are the need to secure more communications channels, security people being offloaded to do IT support, and the competition for skilled talent. What is COVID doing to our security environment and our staff?

What\'s Worse?!

Everyone in the loop or out of the loop?

Please, Enough. No, More.

Today\'s topic is security on the chipset. We have never talked about this on the show, but now we\'ve got someone from Intel and it seemed appropriate now would be the time to do just that. What have we heard enough about chip-level security, and what would we like to hear a lot more?

Are we having communication issues

Will the fight to maintain privacy always be in conflict? The people who collect data always want more information so they can get greater insights. Outside of regulations, they have no incentive to maintain privacy. As we\'re collecting more and more information automatically and artificial intelligence systems are making decisions for us, can AI systems be made privacy aware while still being effective at gaining insights? What would that even look like?

Listed in: Technology

BONUS EPISODE: Innovators Spotlight

What makes a security solution innovative? Where do you think security desperately needs innovation? And what do you look for in a security vendor\'s presentation?

On this very special bonus episode of CISO/Security Vendor Relationship Podcast, I invite two special guests, David Tyburski, CISO, Wynn Resorts and Matt Crouse (@mattcrouse), CISO, Taco Bell to answer that very question AND determine if any of the three competing security vendors during the Evanta 2020 Global CISO Virtual Executive Summit were in fact innovative.

Our three competitors (and also sponsors) were:

John Worrall (@jworrall), CEO, ZeroNorth

Nick Halsey (@nickhalsey), CEO, Okera

Demetrios Lazarikos, CEO and co-founder, Blue Lava

Thanks to these sponsors and Evanta for their support on this episode.

Listed in: Technology

A Phish So Insidious You Can't Help But Be Jealous

Wait, that\'s a phish even I\'d fall for.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest this week is Matt Crouse, CISO, Taco Bell.

Huge thanks to our sponsor, CloudKnox.

CloudKnox Security is the market leader within Gartner\\u2019s newly defined Cloud Infrastructure Entitlement Management (CIEM) segment. CloudKnox transforms how organizations implement the principle of least privilege in the cloud and empowers security teams to proactively address accidental and malicious credential misuse by continuously detecting and mitigating insider risks.

On this week\'s episode

Here\\u2019s some surprising research

Here\'s a depressing statistic. Ninety four percent of security and business leaders say they\'ve suffered "one or more business-impacting cyberattacks in the last year \\u2014 that is, an attack resulting in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property." This according to a Forrester Consulting study sponsored by Tenable. Do we accept the sobering fact that a business-impacting cyberattack is an annual inevitability? And if so, what percentage of a CISO\'s job is putting systems in place to minimize damage, and what are ways you do that?

If you\'re not paranoid yet here\\u2019s your chance

Get ready for a really nasty phishing attack. Craig Hays, bug bounty hunter particularly interested in phishing, tells a story of a wormable phish that after taking over one user\'s email account began to reply to legitimate email threads from that account. The phisher would actually read the thread and create a relevant response, but with a phishing link which would then compromise another user\'s email account in the same way. And the phisher would repeat the process from yet another account, causing this wormable phish to spread not just through the initially targeted company, but through their partners, suppliers, and their partners and suppliers.

At the time Craig\'s company didn\'t have multi-factor authentication (MFA) implemented to which Craig realizes that would stop such an attack. Yet, in the end he was very impressed with this type of attack because it has so many indicators of legitimacy. Have we experienced a similar attack and/or do we have a "favorite" phishing attack in terms of its effectiveness?

What\'s Worse?!

Audit season is about to begin.

What would you advise?

On the Cybersecurity subreddit, GenoSecurity asks, "What types of projects would look good on a resume since I have no work experience. I am also open to projects that might not look as good but are good for beginners since I\\u2019m currently working on my Net+ cert."

Close your eyes and visualize the perfect engagement

Last Friday we had an online after party using a new tool called Toucan which simulates a real party in a virtual setting. We\'ve also used a platform called Icebreaker that allows for one-on-one random meetups. And last week I participated in a table top cyberthreat exercise with Bruce Potter of Expel and Shmoocon that ran like a Dungeons and Dragons role playing game. All were fun and had their value. Since the launch of the pandemic, how have we been able to socialize and stay connected in fun and unique ways?

Listed in: Technology

Whether It's Vulnerabilities or Children, We Like to Pick Favorites

While you do have to claim all of your vulnerabilities and your children, you don\'t have to like all of them.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our sponsored guest this week is Ben Sapiro, global CISO, Great-West LifeCo.

HUGE thanks to our sponsor, Kenna Security.

With\\xa0Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer\\u2019s unique environment across infrastructure, applications and IoT.

On this week\'s episode

Why is everybody talking about this now

Do you have a clear overall picture of how you\'re protecting your environment? The Cyber Defense Matrix, an open source tool created by Sounil Yu, a former guest, offers a simple five-by-five grid with the x-axis being the five operational functions of the NIST Cybersecurity Framework and the Y-axis are the five asset classes cyber professionals are trying to secure (devices, applications, networks, data, users). The idea is you are supposed to fill in all 25 squares as best as possible to see where you might have gaps in your security program. Ross Young, CISO, Caterpillar Financial Services Corporation, and a recent guest on this show, has adapted the matrix, by changing the Y-axis to four risks of phishing, ransomware, web app attacks, third party risks.

So what\'s a better way of building out at your security program: by the assets that you\'re trying to protect or the risks that you\'re facing? What are the pros and cons of each method?

Can you change Mike\'s mind

On a previous show Mike said he is NOT a fan of security through obscurity. Utku Sen of HackerOne argues that security through obscurity is underrated. His argument was that adding "obscurity" is often costless and it adds another layer in your defense in depth program. It is far from bulletproof, but obscurity reduces the likelihood which lowers your overall risk. Examples he included were obfuscating your code in your program, and/or using random variables in the code.

Can we change Mike\'s mind? Is there a level of security through obscurity he has deployed and/or would consider?

What\'s Worse?!

What\'s better? Good and bad data or no data?

Please, enough! No, more.

Today\'s topic is vulnerability management, or specifically, vulnerability remediation. What have you heard enough of on vulnerability management, and what would you like to hear a lot more?

Question for the board

What misconceptions does the board have of the role of the CISO? On LinkedIn, Amar Singh of Cyber Management Alliance Limited, listed off what the CISO is and, isn\'t, and what inappropriate demands are made on them. He said the CISO is
-NOT a super-being or a magician
-NOT there to fix IT blunders
-NOT the only guardian of the realm
-Unable to STOP all cyber-attacks.
-NOT a scapegoat/sacrificial lamb
-NOT accountable but responsible

We often get the sense that CISOs do play these roles as they come in and out. What can be done to temper these beliefs? "

Listed in: Technology

I Want to, but... I Just Can't Trust Your Single Pane of Glass

I\'ve already got a view into my company\'s security. It\'s going to take a lot to get me to to dump it for your solution.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest this week is Joshua Scott (@joshuascott94), former CISO, Realtor.com.

HUGE thanks to our sponsor, Kenna Security.

With\\xa0Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer\\u2019s unique environment across infrastructure, applications and IoT.

On this week\'s episode

First 90 days of a CISO

How do you define the likelihood of impact? Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City, shared an article by Brian Spanswick of Splunk who discussed this process of building out a company\'s security program, and that mission should be "mitigate the likelihood and potential business impact of a breach while supporting an organization\'s strategic goals and business objectives." Our guest was Realtor.com\'s first CISO. He built their cybersecurity program from scratch. We talked about how he reduced impact while staying keen to the organization\'s objectives.

How do you go about discovering new security solutions

In the last three years, where have our guests successfully innovated in cybersecurity? Why did they do it? And where do they think they need the next innovation?

What\'s Worse?!

How much battle damage do you want your CISO to have?

Can you change Mike\'s mind

Mike inspired me to ask this question on Twitter, "What would a single pane of glass need to have for you to dump your current pane of glass?" This was has major argument that each single pane of glass requires him to dump his current one. The question is what type of mountain does a security vendor need to climb for him to unload his current view of his security program.

What Is It and Why Do I Care?

Today\'s topic is threat detection and I\'m a little loose on this as I got slight variations on threat detection from insider threats, to SIEM, to just threat detection. I\'m lumping them all into the umbrella of threat detection, but it\'ll be obvious which is which. Vendors send various pitches explaining their category and also explaining what differentiates them. Mike and our guest will determine which is the best and from that and I will announce the winners, but only the winners.

Listed in: Technology

Security Is Suffering From DevOps FOMO

Darn it. DevOps is having this awesome successful party and we want in! We\'ve tried inserting ourselves in the middle (DevSecOps) and we launched a pre-party (shift left), but they still don\'t like us.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our sponsored guest this week is Dayo Adetoye (@dayoadetoye), senior manager - security architecture and engineering, Mimecast.

Thanks to our sponsor, Capsule8.

Capsule8\\xa0is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure.

On this week\\u2019s episode

Are we making the situation better or worse?

What makes a successful phish? On Sophos\' blog Paul Ducklin writes about their most successful phishing emails. Ducklin noted that most of the successful phishes dealt with mundane and undramatic issues that still had a sense of importance. Looking at these examples they do seem to follow a similar pattern of something looking official that is being requested from the company and could you click here to check it out. Is that the majority of what you\'re testing? If so, what exactly is the value in conducting phishing tests on employees? Can the testing have a negative effect in security or even morale?

There\\u2019s got to be a better way to handle this

What is the right approach to threat modeling? In a blog post, Chris Romeo of Security Journey opines that formal training or tools won\'t work. Security needs to ask questions of developers about features and then show them how a threat evolves, thus allowing them to ultimately do it themselves.

Adam Shostack of Shostack and Associates advocates for formal training. He says Romeo\'s informal approach to threat modeling sounds attractive, but doesn\'t work because you\'re trying to scale threat modeling across developers and if you tell one developer the information it\'s going to be passed down like a game of telephone where each successive person tells a distorted version of what the last person said.

So what\'s the right approach to building threat models across a DevOps environment?

What\'s Worse?!

What\'s the worst place to find your company assets?

Close your eyes and visualize the perfect engagement

Shifting Left. DevSecOps, These are the mechanisms that have been used to infuse security into the DevOps supply chain. While noble, both concepts break the philosophy and structure of DevOps which is based on automation, speed, and delivery. But, DevOps is also about delivering quality. So rather than inserting themselves, how does security participate in a way that DevOps already loves?

If you haven\\u2019t made this mistake, you\\u2019re not in security

On AskNetSec on reddit, Triffid-oil asked, "What was something that you spent effort learning and later realized that it was never going to be useful?" And let me add to that, it\'s something either someone told you or you believed for some reason it was critical for your cybersecurity education and you later realized it wasn\'t valuable at all.

Listed in: Technology

Enjoying My Blissful Ignorance of Cyber Vulnerabilities

What keeps me up at night? Nothing! That\'s because I hold onto cybersecurity myths because it makes me believe I don\'t have a security problem.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest this week is Dustin Wilcox, CISO, Anthem.

Thanks to our sponsor, Capsule8

Capsule8\\xa0is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure.

On this week\\u2019s episode

Why is everybody talking about this now

Kris Rides of Tiro Security asks, "When writing a job description in cybersecurity, what\'s your process?" What in the job description is most important that you want potential candidates to know? And do you have any universal requirements of all candidates?

Is this a cyber security disinformation campaign?

Stuart Mitchell of Stott and May posted an article from FoxNews on cybersecurity myths, such as I don\'t have anything worth protecting, I will know when something bad happens. From this list, or possibly another myth, which one do you think is the most damaging?

What\'s Worse?!

Public or government interference?

There\\u2019s got to be a better way to handle this

Why are InfoSec professionals still struggling to secure their cloud environments? According to a study by Dimension Research, sponsored by Tripwire, 76 percent admit to having trouble. And only 21 percent they\'re assessing their overall cloud security posture in real time or near real time. What are the quarter of security professionals doing who are not struggling with securing the cloud?

Close your eyes and visualize the perfect engagement

Do we need more cybersecurity professionals, or do we just need our general workforce to be more cybersecurity minded? Phil Venables, Board Director - Goldman Sachs Bank, makes a good argument for the latter. Mike has mentioned that when he can make cybersecurity personal, like offering employees a password manager, they start to see the value. Assuming making security personal is the best tactic, what is the ripple effect of that? How do they approach security at your business and how do the efforts of the security team change?

Listed in: Technology

Tell Me We're Secure So I Can Go Back to Ignoring Security

I don\'t know anything about our state of security. I don\'t want to know either. But I do want to know you know about security and there\'s nothing I have to worry about. You can do that, right?

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest this week is Dan Walsh, CISO, Rally Health.

Thanks to our sponsor, Capsule8.

Capsule8 is defining modern enterprise protection by providing detection and response for Linux infrastructure in any environment. Capsule8 provides host-based detection and investigatory data for incident response with on-going support. Unlike anyone else, Capsule8 mitigates the financial, scalability and reliability limitations of protecting your Linux infrastructure.

On this week\'s episode

Why is everybody talking about this now

How do you respond to "Are we secure?" It\'s a loaded question that we\'ve addressed previously. Daniel Hooper, CISO, Varo Money brought up this topic again that caused a flurry of discussion on LinkedIn. In the past Mike has mentioned that he talks about the state of his security program and where it\'s heading. The core of this question is anxiety about something a non-security person doesn\'t understand. How does a security leader break down this question into small parts, and what question should a CEO be asking if not "Are we secure?"

There\\u2019s got to be a better way to handle this

The engineering team at Rally Health is around 800 and our guest Dan has a security team of 30+ of which only 5 of them are application security people. Those five are definitely going to need some help if they\'re going to have an impact on how secure the applications are. I ask Dan Walsh what he\'s doing with the engineers that\'s turning them into application security force multipliers.

What\'s Worse?!

How damaging is a bad reputation?

What do you think of this vendor marketing tactic?

CISOs have ways to retalilate against aggressive sales tactics. George Finney, CISO at Southern Methodist University told a story on LinkedIn about an unsolicited sales invite that was sent to 65 people at his school. He blocked the email. He asked the community if that was too harsh. Similarly Steve Zalewski, deputy CISO of Levi\'s said if he sees aggressive tactics by a company, the security team has the ability to block the whole domain from their servers. Are these tactics too harsh? Have Mike and our guest taken similar tactics, and/or is there something else they do in response to extremely aggressive sales tactics?

If you haven\\u2019t made this mistake, you\\u2019re not in security

How prepared do you need to handle your next cyber job? A question was asked on reddit from someone who wasn\'t sure they should take a job because they didn\'t have all the skills to do the job. Most people just said, "Do it." How would Mike and our guest answer this question as an employee and a manager. What level of unpreparedness for a job is acceptable and possibly even exciting? Could too much result in imposter syndrome?

Listed in: Technology

Request a Demo of Our Inability to Post a Demo

It\'s really easy to include "Request a Demo" button on our site. But potential buyers would actually like to just watch a demo on our site. Should we actually expend just a little more effort to record a demo and upload it to our site?

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest this week is Ross Young, CISO, Caterpillar Financial Services Corporation.

Thanks to our sponsor, Kenna Security.

With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer\\u2019s unique environment across infrastructure, applications and IoT.

On this week\'s episode

Why is everybody talking about this now?

Our guest posted about the 10+ daily product pitches he receives and he suggested that vendors place a product demo on their site. It just so happens, I also posted about this on LinkedIn. I am astonished that not every vendor spends their first marketing dollars on creating a product demo and posting that video. If a security practitioner is interested in a company, how do they begin their research? What do they look for? Do they watch product demo videos? Do they click the "request a demo" button?

First 90 Days of a CISO

Our guest shared a study from PWC that points out what management thinks are the most important roles for a CISO. Eighty four percent considered the ability to educate and collaborate across the business was critical making it the top most skill they look for in a CISO. At the same time, it appears investing in a talent management program for leadership was the least important with only 22 percent responding. What I read from this is management wants you to lead, and get the whole company on board, but do it alone. Plus, they expect you to be a perfect cybersecurity leader out of the box. Is that feasible? Is this why we\'re having so much burnout of CISOs? It\'s not just the pressure of protecting, but taking on all leadership responsibilities with no ongoing support?

What\'s Worse?!

How are you advertising for new hires?

There\\u2019s got to be a better way to handle this

Turns out half of employees are cutting corners on security when working from home. This includes using home computers for corporate work, emailing sensitive documents from personal accounts. It\'s not malicious, but the distractions of work from home life and demands to deliver quickly are forcing employees to take the less secure route. Also, being away from the watchful IT and security gives them the breathing room to be less careful. Tip of the hat to Gina Yacone of Agio for posting this article from ZDnet about Tessian\'s work from home study. How can security leaders stay in contact with employees so they don\'t stray?

How CISOs are digesting the latest security news

What makes a security podcast valuable? What elements does a cybersecurity podcast need to have for you to say to yourself, "I\'m glad I spent the time listening to that"?

Listed in: Technology

The "Do What We Tell You" Technique Isn't Working

On this week\'s episode

Why is everybody talking about this now

Why hasn\'t COVID spurned more disaster recovery and business continuity planning roles? This is what Stuart Mitchell, a recruiter at Stott and May, noticed. Obviously, he\'s not getting that much demand. The community says it\'s assumed already into many roles. I have to think BCP and DR are everyone\'s responsibility. If that\'s the case, has BCP and DR planning increased during this time? Why or why not?

How to become CISO

Are two CISOs better than one? Our guest mentioned that her company has split the CISO role. One, the head of tech, reports to the CTO and the other, our guest\'s role, CISO and head of cyber risk reports to the chief risk officer. How exactly does this work? And what does our guest believe are the pros and cons of splitting the CISO role this way?

What\'s Worse?!

This time, no matter what the answer, everyone\'s going to get in trouble.

And now for a little security philosophy

Chad Loder, Habitu8, said, "Us InfoSec experts spend too much time asking \'How do we get users to care more about security?\' and not enough time asking \'How do we get security to care more about users?\'" So I asked my host and guest that question, and more importantly, how has that learning about users improved their security team and overall security?

First 90 days of a CISO

William Birchett, CIO of Required Team Gear, asked, "When you start, how much do you know of what security posture you\'ve inherited?" We\'ve talked about this before, but I want you to answer in reflection. What were the biggest surprises (positive or negative) between what you knew starting out and what you discovered after 90 days on the job?

Listed in: Technology

Set It. Forget It. Reset It. Repeat.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0Mike Johnson. Our guest this week is Brett Conlon (@DecideSecurity), CISO, Edelman Financial Engines.

Check out Tricia Howard\'s dramatic readings of cold emails.

Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner\\u2019s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this week\'s episode

Why is everybody talking about this now

On LinkedIn and on Twitter, I asked "Is there anything in cybersecurity that\'s \'set it and forget it\'?" There were plenty of funny answers like "Passwords" and the "Off" switch. But there were some interesting answers like whitelists from Brian Haugli of Sidechannel security and ethics from Stephen Gill of Russel Holdings. So many treat security as "set it and forget it" but we know that\'s a path to insecurity. Regardless, is there ANYTHING in security we can set and forget?

Question for the board

Our guest claims he\'s got an awesome board. I don\'t think we\'ve ever heard that on our show. In most cases there\'s either fear of the board or the CISO doesn\'t even get direct conversation with the board. I asked our guest what is it about his board that\'s so awesome and what tips could he give to CISOs to move their board into that territory?

What\'s Worse?!

Who is going to handle physical assets the worst?

If you haven\\u2019t made this mistake, you\\u2019re not in security

Alexander Rabke, Splunk, asked, "How should sales people handle situations when, in fact, you are a security company with a security vulnerability (he also talked about a product not working) - what do you tell customers. How do you like to see this handled by the vendor?" I know a first response is to be honest, but they want to hold onto your business. What\'s a way salespeople could go about doing that?

What do you think of this pitch?

We\'re not talking vendor pitches in this segment. We\'re talking candidate pitches. Gary Hayslip, CISO, Softbank Investment Advisers and former guest on this show has an article on Peerlyst, a platform which is unfortunately going away, about finding your first job in security. Hayslip\'s first tip asks, "What information do you have?" Researching yourself is good advice, but I want to extend that to a question that I think puts you ahead of the pack and ask, "What\'s your unfair advantage?" It\'s a question that I heard investor Chris Sacca ask startups and I think it can also apply to individuals applying for jobs. Agree? If so, what are some good unfair advantages from candidates that have put them over the top?

Listed in: Technology

I Need Resources to Free Up My Resources

On this week\'s episode

There\\u2019s got to be a better way to handle this

How well has the cybersecurity automation gambit played itself out? Last year, Ericka Chickowski wrote a piece on Dark Reading about the cybersecurity automation paradox. She said that "security teams find that a lack of automation expertise keeps them from getting the most out of cybersecurity automation." According to a Ponemon study, that accounts for 56% of organizations. That\'s the number one obstacle. It\'s more than legacy IT challenges, lack of budget, and interoperability issues. 40% of respondents say they\'ll need to hire more people to support security automation. Everyone speaks of wanting automation, but is it more of an aspiration and a marketing pitch? Has it specifically alleviated any pain over the past year. And if so, what?

What annoys a CISO?

For my co-host MIke Johnson, the annoyance is the "single panes of glass" that so many security vendors offer. Our guest, Aaron Ansari is ready to challenge Mike on his grand distaste for "the single pane of glass" as the window to your security status/infrastructure/whatever you like it to be.

"What\'s Worse?!"

What\'s worse, failure but honesty, or success and deception?

Please, Enough. No, More.

Topic is "cloud configuration." What have we heard enough about with cloud configuration, and what would we like to hear a lot more?

Ummm. Maybe you shouldn\\u2019t have done that

We\'re talking about vendor lock-in. It makes recurring sales for vendors super easy. But it makes exit strategies very difficult. On Quora, the question was asked, "How do huge companies like Netflix avoid vendor lock-in with a cloud computing provider?" So I ask the question to both of you, what safeguards can you setup to prevent vendor lock-in or at least make an exit from a cloud provider as painless as possible?

Creative Commons photo attribution to Alden Jewell (CC BY 2.0)

Listed in: Technology

We're Not Fooled By Your Diversity Theater

How CISOs are digesting the latest security news

If you thought tech firms were abysmal with diversity hiring, it appears venture capital firms are even worse. In a Washington Post article by Nitasha Tiku, just 1 percent of VC dollars went to black start-up founders in 2018, and that same year and percentage reflects the number of black decision-makers at VC firms as well. With the scrutiny turned up, small minority-focused funds have spurned, and there has been some cosmetic title inflation of minority employees at VC firms, but black tech entrepreneurs are brushing it off as diversity theater. What opportunities and money are VC firms leaving on the table by not taking diversity seriously? What should VC firms do to prove that their efforts are not diversity theater?

We don\\u2019t have much time. What\\u2019s your decision?

Interesting question on reddit by throwawaycostam who asks, "How do you create easy to memorize, yet relatively strong passwords?" A password manager is first and foremost recommended, but there are cases where you do have to remember a few passwords, like the one to get into your password manager and desktop screen lock. If you have to memorize five really good complex passwords, what technique do you recommend to create those passwords?

What\'s Worse?!

Is clueless better than not being engaged?

It\\u2019s time for \\u201cAsk a CISO\\u201d

On a previous episode, CISO, Dennis Leber, now with University of Tennessee Health Science Center, but previously with a state government agency said there\'s no perfect pitch a vendor could make to him that would facilitate a sale. Heck, he couldn\'t even write the perfect pitch to himself that would work. We know the government is a different beast when it comes to procurement. What are the stumbling blocks vendors need to concern themselves when pitching a government agency?

We\\u2019ve got listeners and they\\u2019ve got questions

Jesse Rosenbaum of Varonis brought a job posting to my attention that showed requests for extremely specific experiences with different applications. Jesse asks, does the listing the name of products or protocols you\'re using expose the company to additional security risks? Isn\'t this the reason so many customers of security vendors are not willing to give testimonials? But if they\'re putting these products and protocols in job descriptions, isn\'t this the same darn thing?

Listed in: Technology

How to Tell If Your CISO Sucks at Their Job

On this week\'s episode

Is this the best use of our Money

On CSO Online, Terena Bell has a piece on how to cut your budget without hurting security. The suggestions are well known: Identify overlaps in technology, renogiate contracts, and use tech to lower the need for manhours. Her last tip was a warning about layoffs. Are you always looking to reduce costs or is it something you do when it\'s mandated? And how are you supported by the business if and when you proactively reduce costs? Or does that not ever happen because the demand is ever growing.

Is this where I should put my marketing dollars?

I\'m not sure, but it\'s possible that our guest is our first CISO that has an MBA. In his role as CISO he\'s mentioned he uses common marketing techniques to advance your organization\'s cybersecurity program. He said, "Security is just an inside sales job and that marketing creates the demand that sales fulfills." Lee tells us about what he learned in his MBA training that was so critical for your growth as a CISO.

What\'s Worse?!

We have a split decision on third party risk management.

How a security vendor helped me this week

We haven\'t done this segment in a long time and we got a request from a listener to bring it back. So I ask Mike and our guest, recently, how has a security vendor helped you. And were any of those security vendors who helped not customers?

We\\u2019ve got listeners and they\\u2019ve got questions

A listener, who wishes to remain anonymous asks this question: "How do you convince a CISO to focus on the basics?"

The listener goes on and says, "I\'m not a CISO but have seen and talked to many that want to be seen as \'visionaries\' so they focus on \'new hotness\' things like \'zero trust\' instead of the basics things that are missing like patching, asset management, etc." The listener understand this, and he\'s obviously talking about his own CISO, hence the anonymity, but how do you approach your CISO and get him or her to balance their own time with basics or as Yaron Levi, CISO of Blue Cross Blue Shield of Kansas City says, "fundamentals" while also having a forward looking vision of security?

Listed in: Technology

How Will the Candidate Respond to "What's Worse?!"

On this week\'s episode

Why is everybody talking about this now

If we could change one thing about the cybersecurity industry, what would it be? Rilhouse on reddit brought this post by Naomi Buckwalter of Energage to my attention. What you can change are processes and behavior currently in the industry.

Is this the best solution?

Both Mike and Elliot hire cybersecurity talent. Here\'s a question from bubblehack3r on reddit who asked during our AMA. "What are your different methods and tools you use to verify and test the professionally of a new hire in the cyber security domain?"

"What\'s Worse?!"

The shortest ever "What\'s Worse?!" question.

Please, Enough. No, More.

Encryption. We\'ve had it around for decades, but people and companies still don\'t use it. What have you heard enough about regarding encryption and what would you like to hear a lot more?

It\\u2019s time for \\u201cAsk a CISO\\u201d

What have Mike and Elliot learned from a product deployment that they didn\'t realize until after they deployed it.

Listed in: Technology

"I LOVE Cold Calls", Said the CISO on Opposite Day

On this week\'s episode

Why is everybody talking about this now

Are we making ourselves safer by calling end users "dumb"? On LinkedIn, Shaun Marion, CISO, Republic Services called out those security professionals who chose to put down the end user. As a result, security professionals in aggregate are getting a bad wrap.

What do you do to change this long held belief of security professionals as putting down the end user?

Rich Mason of Critical Infrastructure said, "offer something beyond training to mitigate the damage potential of that click. You can bash those who don\'t heed your advice on running with scissors or you can design better processes and safer scissors."

How do you go about building systems and behavior of the security team with the end user in mind?

Are we having communication issues?

There is ENDLESS debate on cold calling. I know most CISOs despise it, but as evidenced by Ross Gustavson of Reciprocity, he met 120% of his sales quota solely on cold calling. He posted all his stats so you simply can\'t argue with that success rate. And Jay Jensen of Sales Evolution said the conversation of cold calling should be about how to do it effectively, and not whether it should be eradicated. And Allan Alford said he wants the conversation to be about partnering with sales staff.

What is the communication you\'re open to having with a security vendor to which you don\'t currently have a relationship?

What\'s Worse?!

Those miserable team building exercises. Is there a worse way to do them?

If you haven\\u2019t made this mistake, you\\u2019re not in security

Eli Migdal of Boardish ran a poll on LinkedIn asking how many cyber professionals suffer from impostor syndrome. Sixty two percent believed most did, and Allan Alford, who admitted having it himself, said he was on a call with 25 other security professionals and all of them admitted to suffering at one time from impostor syndrome. Why does this come about and is it healthy or detrimental?

RESOURCE: Do You Suffer From Impostor Syndrome? You Are Not Alone

Is this where I should put my marketing dollars?

On LinkedIn, I published an article entitled, "Formula for Creating a Successful Security Podcast." In it I just talked about my experience publishing successful and not successful shows. I\'m a proponent of security vendors using their marketing dollars to produce podcasts because it\'s a means to create a one-to-many and many-to-many relationship with the audience.

Focusing on other security and technology podcasts, what makes us excited to listen to a show and actually engage with the show or other listeners. And have we for any reason stopped listening to a show and why?

NOTE: CISO Series and its parent company Spark Media Solutions is now offering consulting and production services for others, including vendors, who want to launch and maintain their own successful podcast. Please contact me, David Spark, for more information.

\\xa0

Listed in: Technology

NYTimes Critic Called Our Security Theater "Unconvincing"

On this week\'s episode

How CISOs are digesting the latest security news

We recorded this episode on June 24th, just a five days after Trump\'s first rally in Oklahoma where purportedly TikTok fans en masse were able to register for Trump\'s rally and fool his entire staff into believing that 1 million people had registered and were planning to attend his rally. In the end, the arena was less than half full. We are all well aware that some cyber protests can cause serious damage, but does this one? Is this the kind of peaceful cyber protests that we should encourage or not encourage? Dan Lohrmann at Security Mentor posted this discussion and said no matter what political affiliation you\'re on this is a call for more cybersecurity because this will happen again. But is this the fault of Trump\'s cyber team or his social media team for not keeping an eye on TikTok?

Why is everybody talking about this now?

On AskNetSec on reddit, NoInterestingGuy, a college student starting his first internship at a security firm, posted he likes to participate in "extracurricular activities". He then asked, "If I were to get caught with a crime related to cyber security, would that impact my chances significantly of getting hired in the future for a security company?" The community almost resoundingly said, "Stop," but has Mike and our guest ever hired someone with a cybercrime past or caught an employee engaging in cybercrime? How did they handled it. Is there an "it depends" meter? We all do stupid stuff in college.

What\'s Worse?!

Is the unknowing always the worst?

It\'s security awareness training time

On CSO Online, J.M. Porup wrote a piece about five examples of security theater and how to spot them. Security theater refers to the practice having a show of implementing security where its effectiveness is in question. Some examples are purposefully complex passwords, checkbox compliance, and bad security awareness training.

How do we spot security theater? Is there any value to security theater? What\'s the antidote? If it\'s in place, how do we eradicate it?

What Is It and Why Do I Care?

We played this game before and like the "What\'s Worse?!" game, the title pretty much explains it. I have three pitches from three different vendors who are all in the same category, Security Awareness Training. I have asked the reps to first, in 25 words or less, just explain their category. That\\u2019s the \\u201cWhat Is It?\\u201d and then for the \\u201cWhy Do I Care?\\u201d I asked them to explain what differentiates their product or makes them unique also in 25 words or less. It is up to Mike and Shawn pick their favorite of each and explain why. I only reveal the winning contestants and their companies.

Listed in: Technology

Why Am I Working Harder During This Pandemic?

On this week\'s episode

Why is everybody talking about this now?

On TechRepublic, Scott Matteson wrote an article about cybersecurity pros working harder than ever during the pandemic. Stuart Mitchell of Stott and May posted the article to LinkedIn and asked if anyone has taken a day off since COVID-19 started, and the general consensus is no. I see a multitude of factors affecting this: increased surface area to protect, compliance is more difficult, I also have to deal with my family, and where the heck is anyone going to go for vacation? I guess I\'ll just work.

Close your eyes and visualize the perfect engagement

On LinkedIn, our guest Chris Zell asked others to be more welcoming when you see someone post "aspiring cybersecurity professional." We discussed the approach and what the community could teach us.

What\'s Worse?!

Three options of how to talk to the board.

There\\u2019s got to be a better way to handle this

On CSO Online, Mary Pratt has a guide for CISOs on securely laying people off. What are critical technical considerations during layoff time, and as a manager how do you manage security for those people who are still there. Have either of you made a massive security mistake during a layoff that was a great learning experience for you?

What Is It and Why Do I Care?

We played this game before and like the "What\'s Worse?!" game, the title pretty much explains it. I have three pitches from three different vendors who are all in the same category of governance, risk and compliance or GRC. I have asked the reps to first, in 25 words or less, just explain their category. That\\u2019s the \\u201cWhat Is It?\\u201d and then for the \\u201cWhy Do I Care?\\u201d I asked them to explain what differentiates their product or makes them unique also in 25 words or less. It is up to Mike and Chris to pick their favorite of each and explain why. I only reveal the winning contestants and their companies. Ready to play?

Listed in: Technology

I Have the Perfect Job for You (But Probably Not)

On this week\'s episode

How CISOs are digesting the latest security news

Paul Martini of iboss asks, "What network weaknesses has the current pandemic revealed?"

Close your eyes and visualize the perfect engagement

As evidenced by a previous episode, security recruiters have a hard time getting some respect. Let\'s discuss this issue from the viewpoint of the candidate. On Peerlyst, David Froud of Concept Security felt that the recruiter approach of saying I have a perfect job for you was misguided. Mike and our guest talk about their early security careers and how welcome they were to approaches from security recruiters.

What\'s Worse?!

Crappy tools or crappy team? What\'s worse?

I tell ya, CISOs get no respect

On CSO Online, Neal Weinberg has a story about hard truths security professionals have to deal with. One item was the outright lack of respect, being misunderstood and underappreciated, from the board and your coworkers. I know the generic response is communications and listen, but I want to know what are ways to command leadership so those do pay attention to you and you do get that respect. We discuss specific turning points in security leadership careers that allowed Mike and our guest to do this.

Vendors have questions. Our CISOs have answers

Dennis Underwood of Cyber Crucible asks if you can you be a threat hunter if you have to sign NDAs. Are NDAs the cover up so companies don\'t have to reveal information about their failed defenses? And are NDAs a common occurrence in bug bounties?

Listed in: Technology

We Compensate Our Low Paying CISO Jobs with High Stress

On this week\'s episode

Why is everyone talking about this now?

On LinkedIn, Farhan Khan, a recruiter at CyberApt Recruitment, told a tale of getting a call asking if he could help his company recruit a seasoned CISO for their 300+ person company. He was excited until he found out the salary they were offering the CISO was in the range of $90-$105K.

We\'ve talked before about unrealistic CISO salaries before, but this is actually below the rate of entry level cyber positions in the Bay Area. How do CISOs or heck any cybersecurity professional handle someone\'s unrealistic expectations? Do you say something or just say, "No thank you"?

Also, Davi Ottenheimer of Inrupt, brought this story to my attention and argued that high CISO salaries are just attracting fraudsters. Does our panel agree, and if so, what would a company have to be wary of?

Mike\'s Confused. Let\\u2019s help him out

On previous shows Mike has admitted he would not want to (not confused although that may be part of it) run the IT department. Nir mentioned that he feels that getting out of one\'s comfort zone is critical, no matter what department you\'re in. What are the pros and cons of other departments not just being security aware, but taking on cybersecurity responsibilities? And vice versa, cybersecurity taking on other department responsibilities? How far can/should it go?

What\'s Worse?!

Too much flexibility or too many restrictions?

We\\u2019ve got listeners and they\\u2019ve got questions

Anya Shpilman of Swiss Gulf Partners sent recorded this question: "I\'m a recruiter and I specialize in cybersecurity recruitment. At the end of the show everyone says they\'re hiring. But I have a hard time getting traction from CISOs. So what would you like to see/hear in those initial emails or LinkedIn messages."

Go here to record a question to be played on one of our shows.

Umm, Is this good idea?

I recently published an article on CISO Series entitled "25 API Security Tips You\'re Probably Not Considering\\u201d. The very first tip, from Gary Hayslip, CISO, Softbank Investment Advisers, is K.I.S.S. or Keep It Simple Stupid. I then went on to provide 24 more tips from experts which if you were to deploy them all would in no way be simple. KISS sounds great in theory, but how the heck do you pull it off in practice. Can you point to an example of how you took something that was complicated and simplified it?

Listed in: Technology

Keep Pouring. I'll Tell You When I've Had Enough Security.

On this week\'s episode

Looking down the security roadmap

Dean Webb of ForeScout asked this great question on Peerlyst. "What are the things that are the hardest to fix that leave organizations the most vulnerable?" These are not the quick security fixes or low hanging fruit, but rather the big projects that nobody wants that often never get finished. What are they and is there any way to make them not so painful?

It\\u2019s time for \\u201cAsk a CISO\\u201d

sitdownson on reddit\'s AskNetSec asked, "How and when did you decide to specialize?" Sultan_of_Ping answered, "For most people it\'s not a decision, the specialization comes to them." Do you get a taste of everything and then determine which one you\'re passionate about? Do you read market demands (e.g. cloud security) and go in that route? What have you seen your colleagues do?

What\'s Worse?!

A "What\'s Worse?!" first - FOUR scenarios. Which one is worst?

Here\'s some surprising research

We\'re revisiting the Verizon Data Breach Investigations Report. Tony\'s organization, Center for Internet Security had a hand in the report and specifically at the end where you map the CIS top 20 to the breach findings. In particular, the report notes that there are 171 safeguards that are grouped based on the resources and risks the organizations are facing. Has anything shifted significantly in this most recent report?

What\\u2019s the return on investment?

Tip of the hat to Norman Hunt, Deputy CISO, GEICO, who sent this article from HelpNet Security about a study on CEOs and CISOs approaches to "When is security enough security?" There seems to be a disparity with CEOs being more confident with the security that CISOs. I have to assume that mature understanding of risk is the biggest contributor, and the nature of the job of a CISO who sees more threats than the CEO, but only in a cyber context. A CEO sees all the other risks. What causes such swings in opinions?

Listed in: Technology

Facebook Personality Quiz Asks, "What's Your Favorite Password?"

Why is everybody talking about this now?

On AskNetSec on reddit, user u/L7nx asks, "How do you handle alert fatigue?" Many vendors out there listening want to scream, "We\'ve got a single pane of glass solution!"

On reddit, Kamwind commented that it\'s not so much managing the output, but rather the input and false positives. "What are you doing to tune those rules and IOCs (indicators of compromise) to reflect your network vs accepting them from whatever vendor you\'re getting them from."

Is alert fatigue a real thing and what can be done to manage input and output?

It\'s security awareness training time

There\'s a meme resurfacing that pokes fun at Facebook personality quizzes that ask seemingly innocuous questions such as "What\'s Your Favorite Band?" and "What\'s Your Favorite Teacher\'s Name?" In the meme, the answers to each question are just one word of the sentence, "Stop giving people your personal info to guess your passwords and security questions."
We\'ve talked about training programs that rely on fear. Humor seems rather effective here, but heck, I don\'t know. Does humor in security training work? Does fear? What tone have you seen actually foster behavioral change?

What\'s Worse?!

Do you likeable or useful vendors? Sometimes they\'re not both.

Here\'s some surprising research

The Verizon DBIR is out. Mike\'s favorite. There\'s a ton to unpack as there always is, but for this segment I just want to visit one item in this report and that\'s configuration errors. From a quote by Larry Dignan on ZDNet: "Errors definitely win the award for best supporting action this year. They are now equally as common as social breaches and more common than malware... hacking remains higher, and that is due to credential theft and use." I get the sense that second to black hat hackers, we\'re our own worst enemy. One argument for the increase in cloud breaches is because security researchers and others are discovering exposed storage in the cloud. Could it be just poor training of cloud security? Or poorly maintained cloud providers?

Vendors have questions. Our CISOs have answers

Landon Winkelvoss of Nisos asks, "What do your good vendors do on an ongoing basis (quarterly, monthly, weekly, etc) that make renewals easier around budget season? How often should they do it? What metrics and impacts to the business should they document and present that make this relatable to people outside of security such as the CFO?"

Listed in: Technology

Great Security Program! Too Bad We Can't Implement It.

On this week\'s episode

How CISOs are digesting the latest security news

The Wall Street Journal has a story about cybersecurity budgets during the COVID-19 crisis. Many companies are dealing with budget cuts across the board. One issue mentioned was that the first items to go from the cybersecurity budget would probably be big projects that require a lot of integration. So as to avoid getting left on the cutting room floor, what would be your advice to vendors on how better to situate themselves, prepare, and prove to potential buyers that they can help with the ease of that integration? Also, for those security leaders, how do they best show compassion to the rest of the business and don\'t just fight for their slice of the budget pie?

It\\u2019s time for \\u201cAsk a CISO\\u201d

On reddit, countvonruckus states and then asks, "It\'s great to see CISOs giving back through mentorship. As a younger professional looking to become a CISO someday, it can be difficult to get a minute of a senior leader\'s time even for critical work decisions. How should someone looking to find a mentor or to benefit from the mentorship of a particular leader go about asking in a respectful but effective way? Is there anything a mentee can do to provide value in exchange that will make it more worthwhile for mentors?"

It\'s time to play, "What\'s Worse?!"

Two "What\'s Worse?!" scenarios nobody likes but many have faced especially now.

Please, Enough. No, More.

Operationalizing GRC. What have you heard enough about operationalizing GRC, and what would you like to hear a lot more?

Looking down the security roadmap

On Quora, the question was asked, "Do cloud providers implement governance, risk management and compliance (GRC) well?" I didn\'t know how one would define "well" and what we should expect from cloud providers to help with GRC efforts. This harkens back to our last segment, because we would hope that cloud providers could actually help us operationalize GRC. What are cloud providers doing to help in GRC efforts?

Listed in: Technology

We Promoted the Competition and Still Won

On this week\'s episode

Why is everybody talking about this now?

On this podcast we have sponsored guest episodes in which we dedicate a segment of the show for the sponsor to talk about their category. I was just given the heads up by a listener that a competitor of one of our sponsored guests, actually promoted that episode via an email marketing campaign. I asked the community why they thought that happened. Did the company know they were promoting a direct competitor\'s solution, or were they of the philosophy of let\'s promote the space. The more people who know about this problem that benefits the entire industry and in turn that helps our competitor and us. Most people on LinkedIn agreed with the latter and actually thought it was a savvy marketing move possibly demonstrating that the competitor was confident with their product.

It\\u2019s time for \\u201cAsk a CISO\\u201d

Tip of the hat to Sounil Yu, CISO in residence at YL Ventures for bringing up Mike\'s comment in a Slack channel of your frustration with cybersecurity startups who end up having an "us too" attitude towards creating the next cybersecurity solution. It seemed their only credentials was a successful exit, but not presenting a unique solution to an actual problem. You claimed a criteria that you would only meet with a founder who had a committed idea to a product. But how do you differentiate between an "also ran" and a unique solution?

What\'s Worse?!

One of our most challenging debates ever

Close your eyes. Breathe in. It\\u2019s time for a little security philosophy

On our CISO Series Video Chat, Bob Henderson of Intelligence Services Group asked, "Has measuring risk itself become a risk? Since risk is primarily arbitrary depending on who defines the risk wouldn\\u2019t the solutions be arbitrary and thus add complexity and uncertainty. Which are contributors to risk."

Let\'s dig a little deeper

What are the intrinsic training elements of Israel\'s elite 8200 that results in so many of the graduates going on to become cybersecurity entrepreneurs? What if anything can other organizations, military units or schools learn from this?

Listed in: Technology

Three Years Experience Required for Sub-Entry Level Positions

Are we making the situation better or worse?

On LinkedIn, Gabriel Friedlander of Wizer asked, "Should we be doing home risk assessments?" Could we create bigger problems if we do that? Gabriel\'s post generated a debate on what actions can significantly reduce risk. Is there value in a home risk assessment and if so, what\'s it going to reveal?

It\\u2019s time for \\u201cAsk a CISO\\u201d

On reddit, crossfire14 asks, "Why are helpdesk roles requiring 2-3 years experience? I thought they were entry level friendly? Im trying to start at lower positions to work my way into infosec yet I cant seem to qualify for any helpdesk roles because of exp?" I looked and actually these entry level positions are often asking for 3-5 years experience. Is this required? If not, what IS required for an entry level help desk role and what\'s the best way to show that?

"What\'s Worse?!"

Two horrible company debilitating options that have happened in real life. How would you survive either one?

Please, Enough. No, More

Our topic is Privileged Access Management, or PAM. What have Mike and Brandon heard enough about with PAM, and what would they like to hear a lot more?

The great CISO challenge

Outsider attacks, insider attacks, your assets, networks, people, and controls - what DOESN\'T always change in security? If we assume that consistency is synonymous with simplicity, is it always an uphill battle to try to keep security simple especially if we\'re expanding into new services and cloud environments? Could this be why the foundations are still a struggle for everyone?

Listed in: Technology

LOOK! Freshmen CISOs. Get Ready to POUNCE!

On this week\'s episode

Why is everyone talking about this now?

Our guest, Wayne Reynolds posted the good news about his new CISO role. While he got the expected kudos, he also got lots of sales emails. In the short conversation we had in preparation for this episode, six pitches came in. He counted 731 vendor pitches in just five days. Given the situation, we have all seen an uptick in pitches, across all industries, not just cybersecurity. Vendors want to make some type of connection. If they weren\'t pitching, what would be a more acceptable outreach?

It\\u2019s time for \\u201cAsk a CISO\\u201d

What can security startups do to prepare for and prove to prospects that their solution won\'t slow down operations? Thanks to John Prokap, CISO, HarperCollins for pointing me to this great article on CIO.com by Yoav Leitersdorf of YL Ventures on mistakes security startups make. One concern was on the issue of startups losing this specific focus.

From the article, Peter Bodine, AllegisCyber Capital said, "I cannot stress how much of a difference productivity makes to the CISOs we consult with. So, as an investor, our attention is immediately piqued when we learn that a POC took fewer resources than a regular POC, because it often means that they developed their process early enough with a customer satisfaction person. We really don\'t see that very often, but when we have, we\'ve written a check almost right on the spot, just because they take so much sand out of the gears and make it so much easier for a yes decision to occur.\\u201d

"What\'s Worse?!"

Do you want to be the one to reveal the cybersecurity incident or do you want somebody else to reveal it?

What\'s a CISO to do?

In the world of DevOps I\'m constantly seeing the desire for developers to be security aware. But the point of DevOps is to be aggressively competitive. That\'s something I often don\'t see security people understanding or literally being aware of. Nicolas Valcarcel of NextRoll gave me heads up on a post by Mike Sherma of Square about having dev champions on the security team to advocate for the software engineering experience and design principles. Is this a good idea, and if so how would it be rolled out and what would be the benefits?

How to become a CISO

Prior to the unfortunate COVID-19 crisis we at the CISO Series were planning on hosting our very own one-day event to train security leaders. That event will happen eventually, but right now it\'s on hold. The whole idea is we were going to have a group of CISOs training a group of wannabe CISOs to be CISOs. Wayne is a strident mentor for wannabe CISO. At any time he\'s got 4 or 5 security professionals you\'re mentoring. We discuss the core skills security professionals are lacking to become CISOs, and what mentorship does to help you get those skills.

Listed in: Technology

Cleaning Those Tough to Reach Digital Identity Stains

On this week\'s episode

Why is everybody talking about this now?

On Quora, the question was asked, "What are some ways to protect identities on the Internet?" Mike and Davi offer their advice.

It\'s time for "Ask a CISO"

The Three As: Authentication, Authorization, and Auditing or Accounting. How do they interrelate? What\'s the order? And have we been doing it wrong?

It\'s time to play, "What\'s Worse?!"

How are you going to handle having a very well known exploit?

Close your eyes, breathe in. It\'s time for a little security philosophy.

On Quora, the question was asked, "What should I do to completely erase my digital identity for good?" It seems impossible, and probably is, but how what steps would one need to get rid of our online identities?

It\'s time to play, "What Is It and Why Do I Care?"

We\'re introducing a brand new game today called "What Is It and Why Do I Care?" Here\'s how the game is played. I have three pitches from three different vendors who are all in the same category, application security. I have asked the reps to first, in 25 words or less, just explain their category. So give me a simple explanation of application security. That\'s the "What Is It?" and then for the "Why Do I Care?" I asked them to explain what differentiates them or makes them unique also in 25 words or less. It is up to Mike and Davi to pick your favorite of each and explain why. I only reveal the winning contestants and their companies.

If you would like to be a contestant for "What Is It and Why Do I Care?" just go here and fill out the simple SurveyMonkey form.

Listed in: Technology

Let's Just Dump On Zoom's Security and Offer No Solutions

On this week\'s episode

Why is everybody talking about this now?

Yaron Levi, CISO, Blue Cross Blue Shield of Kansas City a frequent and recent guest of the podcasts, had an incendiary post on LinkedIn where he challenged the long held belief in cybersecurity that "we\'re all in this together." Well that theory was put to the test with the outcries of Zoom\'s security and privacy flaws. Levi believes the security industry failed. Instead of trashing Zoom we should be offering suggestions of how they could fix a now universally used application. His challenge exploded online with over 200 comments. How could we/can we handle this situation better?

Look at this, another company breached

Oh Marriott. You blew it again. Two massive data breaches in two years. This one just gave too much access to too many customers from a branch office. Years ago this would be a front page story we\'d be talking about for weeks if not months. Now they\'re just another breach and it doesn\'t seem that the affected users seem to care. How much damage are these breaches doing to companies if the customers have breach fatigue and can\'t see the damage immediately or even directly? And what percentage of these breaches do you believe are the result of poorly architected or implemented security programs?

It\'s time to play "What\'s Worse?!"

We get a chance to talk about Mike\'s favorite topic, toxic team members.

Please, Enough. No, More.

Today\'s topic is Identity Access Management or IAM. We discuss what we\'ve heard enough about with IAM and what would we\'d like to hear a lot more.

It\\u2019s time for \\u201cAsk a CISO\\u201d

We have a question from a listener, a college student. Here\'s her question:

"I\'m a college student interested in majoring in cybersecurity. However I\'m more of a people person and I\'m afraid cybersecurity is just dealing with computers and having no people interaction. I\'m just wondering what I should expect if I continue to pursue a cybersecurity major."

Listed in: Technology

We've Got a Dozen Features. Only Two Work.

On this week\'s episode

Hey, you\\u2019re a CISO. What\\u2019s your take on this?

What\'s the value of a vendor-derived security meter? I sat down for a vendor presentation that was chock full of dashboards with meters. Some made sense and others appeared they were derived through some mysterious black box.

1. When do you trust a vendor-derived meter? Can you? If not you, who are they for?
2. Is it possible to ignore the absolute numbers in a vendor-derived formula and value only the changes over time?
3. If you don\'t trust a vendor-derived meter, what meters do you create for yourself that you do trust?

How do you go about discovering new security solutions?

Tip of the hat to John Prokap, CISO, HarperCollins for forwarding me this excellent CIO.com article by Yoav Leitersdorf of YL Ventures.

How feature rich should a startup product be? In the article, Richard Rushing, CISO, Motorola Mobility talks about the need to trust a startup and the quality of each feature. \\u201cIt\'s not enough to just focus on three out of five. All five have to be spot on because I can\'t miss, which means you can\'t miss."

How does a vendor avoid the classic case of trying to be everything to everybody and really you\'re serving no one?

What\'s Worse?

What\'s better for the business, compromised security occasionally, or unnecessary overhead that grows over time?

Close your eyes and visualize the perfect engagement

There\'s a well-known paradox in the healthcare industry when it comes to working with third party vendors. Because of HIPAA regulations there\'s a desire to keep information private, but at the same time, what about all these wonderful third party tools. Let them have access to our data.

What\'s the advice for vendors eager to work with a healthcare organization? How should they demonstrate their awareness of this paradox (e.g., scope of responsibilities, efficacy of controls, attestation, accountability)?

Why is everyone talking about this now?

We recorded this episode on March 30th as we talk about this next topic and that is should companies challenge their employees with a COVID-19 phishing test? Tip of the hat to Louisa Vogelenzang of Kroll who pointed me to this active discussion started by Grant McKechnie, Telstra, who asked this very question. There was a lot of debate. We debate both sides and offer an ultimate recommendation.

Listed in: Technology

Let's Ask CISOs If They're Concerned About Data Security

On this week\'s episode

Why is everyone talking about this now?

On Quora, the question was asked, "What is the most common unaddressed cybersecurity risk at companies?" Looking through the list, we\'ve talked about all of these issues: people (malicious and negligence), program maturity, data privacy, and just basic network. They\'re all important, but we discuss which one we believe is least addressed.

There\\u2019s got to be a better way to handle this

What happens when a cloud provider breaks a service level agreement or SLA? On a recent episode of Defense in Depth, Taylor Lehmann, CISO, athenahealth said that putting ultimatums in SLAs just doesn\'t work in reality. No one really pulls the plug just because a cloud provider fell short on providing a certain level of uptime. We walk through the steps of the SLA. What\'s needed? What\'s too much? What do you do when something is violated? How do you right the ship and maintain the relationship?

What\'s Worse?

What happens when there\'s a political motivation to select a vendor?

What do you think of this pitch? and Why is this a bad pitch?

We put a good one and a bad one back to back so you can hear the range of what comes in a CISO\'s inbox.

Um\\u2026 maybe you shouldn\'t have done that

As a security vendor, how do you catch yourself if you\'re cybersplaining?

Brian Haugli of Sidechannel Security offered the following definition: "When a salesperson or company representative explains in detail how a basic attack, ransomware, BEC, or other threat works to a CISO or current cybersecurity expert in order to push a sale."

From what I see, it appears that cybersplaining is the norm mostly for those who are very green in cybersecurity. I\'ll also say I\'ve seen the complete opposite where someone at a much higher level assumes you\'re already in their head and agree to the same assumptions they have about cybersecurity as well. This plays out that they\'ll state an issue in cybersecurity and conclude with "right?" not waiting for an answer but just assuming you\'re on the same page so that they can go on with their rant.

What are ways to check yourself on both sides of the spectrum and what\'s the happy medium?

Listed in: Technology

I Don't Need Anymore Advice On How To Work Remotely

On this week\'s episode

Why is everyone talking about this now?

Adapting a line from Wendy Nather of Duo Security, what\'s the security poverty line for remote work? Gabriel Friedlander of Wizer started a thread of best advice for employees working at home. And then he compiled a list of the best tips. We talk about our favorite tips and add a few of our own.

There\\u2019s got to be a better way to handle this

Mike and our sponsored guest, Brendan, are both security leaders who have been thrust into managing their entire team virtually for an extended period of time. On top of that, their teams are going to have new pressures on them (e.g., kids at home) that are going to conflict with their ability to be efficient employees. We talk about what they\'re doing to adapt and their greatest concerns.

What\'s Worse?!

How are you dealing with patch management when you\'ve got an all-remote workforce?

Please, Enough. No, More.

Our topic security cloud or specifically SaaS apps. What have we heard enough about on this topic and what would we like to hear a lot more?

A serious confounding feature of public activities like elections and climate change discussions is the proliferation of actual fake news \\u2013 stories created by bad actors and distributed by bots and which include deepfaked video and propaganda that lead audiences into a state of not knowing who to believe anymore. Security experts including the International Security Forum categorize this as a cyberthreat called\\xa0Distortion, the loss of trust in the integrity of information.

As threat actors continue to hammer away at the cyber defenses however they can, it is extremely likely that Distortion attacks will be yet one more way of bringing organizations to a point of extreme vulnerability, just like ransomware and siegeware.

Though the Distortion content may be generated externally, it has the potential to be implanted in a company\\u2019s environment through phishing, MFA fraud and hacking, leading to media crises, drops in market valuation, destruction of public credibility and of internal stability.

More from our sponsor, ExtraHop.

Um\\u2026 maybe you shouldn\'t have done that

Some really well-intentioned people are responsible for some really bad data practices. When I was in Tel Aviv I ran into a number of companies offering discovery solutions to show you where your data is, identify the sensitive data, the PII, and who has access. We learn a lot about sensitive data after it\'s breached, but there are also plenty of bad data practices happening internally which lend themselves to misuse or greater damage when there is a breach.

Listed in: Technology

The Department of "No, Thank You"

On this week\'s episode

There\\u2019s got to be a better way to handle this

The hot new cybersecurity threat is the Coronavirus. Not the virus itself or the possible fake phishing emails connected to it, but our overall fear and its impact on work. According to data from Boardish, there is a 42% increase over baseline in fear of immobility, or staff not being able to operate effectively remotely. To put that number in perspective, phishing and ransomware have each seen an 8% threat increase. I read immobility\'s huge number to mean companies are simply not prepared for how their staff may need to operate.

What we\\u2019ve got here is failure to communicate

What\'s the best way to say \'no\' to a vendor? This was a question that was asked of me by Eric Gauthier, CISO at Scout Exchange. He wants to say no because his cloud business has no need for certain services, and he doesn\'t want to be rude, but just saying no doesn\'t seem to work. What are the most successful techniques of saying no to a security vendor? And what different kinds of "no" are there?

"What\'s Worse?!"

A tough decision on a company built on acquisitions.

Walk a mile in this CISO\\u2019s shoes

For many CISOs, there is a "What\'s Next?" as they don\'t necessarily expect "CISO" to be their final resting place professionally. Gary Hayslip, a CISO for Softbank Investment Advisers and frequent guest, wrote on both LinkedIn and Peerlyst about next steps for CISOs who want to move out of the role. The recommendations were other C-level positions, going independent, and starting a new company.

On January 2 of this year, parking meters in New York City stopped accepting credit and parking cards. At fault? Security software that had expired on the first day of 2020. Reminiscent of Y2K, this draws attention to the next two time-related bugs predicted for 2036 and 2038. The 2038 problem affects 32-bit systems that rely on timecodes that max out on January 19 of that year. A similar rollover is expected in 2036 for Network Time Protocol systems.

In all likelihood, affected systems either have been or will be replaced over the next 18 years, but the dangers still exist, in situations where vulnerable devices remain buried in a legacy system or in cases where advanced calculation of expiry dates are needed, or like New York City, where the upgrade was apparently overlooked. \\xa0It serves as a reminder that data security must look to its past while it plans for the future.

More from our sponsor\\xa0ExtraHop.

Hey, you\'re a CISO. What\'s your take on this?

What\'s the impact of Europe\'s Right to Be Forgotten (RTFB)? It\'s been five years and Google has received ~3.2 million requests to delist URLs, from ~502,000 requesters. Forty five percent of those URLs met the criteria for delisting, according to Elie Bursztein, leader of Google\'s anti-abuse research team. Search engines and media sites hold the greatest responsibility, but what responsibility are companies forced to deal with and do they have the capacity to meet these requests?

\\xa0

Listed in: Technology

We Pick the Best Security Awareness Programs for Your Staff to Ignore

On this week\'s episode

Pay attention, it\\u2019s security awareness training time

Jinan Budge of Forester finished a report on security awareness training programs. She found a trend that supported both the need for compliance and the need to actually train employees to be more security aware. We discuss what actually works to get people to be more aware of cybersecurity.

What do you think of this vendor marketing tactic?

At RSA, I talked to a vendor who told me about their new solution. It was so unique that Gartner was creating a new category for their product with yet another acronym. UGGH, another category for which you have to educate the market? And now you have to convince buyers to create a new line item for this category? And now what is that going to do to your marketing budget? It didn\'t take much convincing for me to point out that their product was just third-party risk management.

Admittedly, cybersecurity professionals love the new and shiny, but where do we draw the line about learning something new in cybersecurity and adding confusion to the marketplace?

It\'s time to play, "What\'s Worse?!"

Two rounds, lots of debate.

Where does a CISO begin?

When we hear about digital transformation, it is being done for purposes of speed, accuracy, and business competitiveness. Scott McCool, former CIO at Polycom was on our show Defense in Depth, disputed the common notion that security serves the business. Instead, he believes that security IS the business. And if you deem that to be true, then security can no longer can take a consultative role. It must take the role of brand and value building.

This is more than just a discussion of "shifting left." What are actions that security must take to make it clear that they are part of making the business fast, innovative, and competitive?

Um... maybe you shouldn\'t have done that

We tell talks of the worst proof of concept (POC) efforts.

Audience question speed round

We close out the show with a series of quick answers to audience questions.

Listed in: Technology

Buy Our Product. We Have No Idea What We're Selling.

On this week\'s episode

There\\u2019s got to be a better way to handle this

How well are you configuring your controls today and tomorrow? At RSA, I chatted with Adam Glick, CISO, Rocket Software. He said what he\'d like is a tool to test the maturity of his deployed controls. How are his controls optimized over time? What does it looks like today vs. a year from now? How are we currently trying to solve that problem and what could be done to improve it?

Hey, you\'re a CISO, what\'s your take on this?

"Which cybersecurity certification should I get?" It\'s a question I see repeated often, especially on Quora and Peerlyst. Your best bet would probably be the one that most employers are looking for. And according to job board searches, conducted by Business News Daily, CISSP is the overwhelming favorite. Do our CISOs prefer certain certifications over others? Is it a requirement for hiring? And what does a security professional with certifications vs. experience tell us about that person?

What\\u2019s Worse?!

Split decisions on both and the audience plays along as well.

Is this the best use of my money?

"One of the common complaints I repeatedly hear is that cybersecurity vendors are not solving real problems. They\'re just looking to make money. I think that\'s a rather unfair blanket statement, but regardless, I hear it a lot.

I think why I hear that so often is that we\'re all in the cybersecurity fight together and we need to help each other. Helping each other is often done by participating in the open source community.

Why is it critical to contribute to the open source community?

Um... What do they do?

I read copy that appeared on various booths at RSA 2020. Most are confusing and non-descriptive and don\\u2019t appear to assume a pre-existing understanding of cybersecurity.

The expo hall at RSA is filled with security professionals who are already security minded. I honestly don\'t know exactly the reaction they\'re looking to get or what type of information these vendors are trying to convey.

Audience question speed round

We close out the show with a series of quick answers to audience questions.

Listed in: Technology

We're Market Leaders in Customer Confusion

On this week\'s episode

How to become a CISO

What is some actionable "let\'s start today" advice. What could an individual do right now to develop the skills to be a cyber leader and make it clear to management, that\'s what they\'re gunning for?

What we\\u2019ve got here is failure to communicate

If all vendors stopped sending cold emails, which is what we constantly hear CISOs say they should do, how should they spend their time and money instead to greatly improve their success? If a CISO played the role of a vendor, which happens often, what should you do, to get to you?

What\'s Worse?!

We play TWO rounds.

What do you think of this vendor marketing tactic?

According to a recent study by Valimail, CISOs are very suspect of security vendors\' claims. In general, the numbers are horrible for vendor credibility. Close to half of security professionals claim the following:

• Vendors\' tech and explanation are confusing
• Practitioners have a hard time seeing and measuring value
• Practitioners don\'t know how a vendor\'s product will stay valid on their security roadmap.
• \\xa0

What could cybersecurity vendors do to make their claims more believable?

Close your eyes and visualize the perfect engagement

Rafal Los, Armor Cloud Security asked, "If you could implement one thing in your organization that would receive universal adoption without push-back, what would it be?" The question, which seems reasonable, but in the security world often feels impossible, generated a ton of responses on both LinkedIn and Twitter. Many wanted company-wide adoption of one solution, such as MFA or vulnerability management. Others wanted widespread and ongoing security education. Our CISOs debate the one pushback-free solution that would yield the greatest results.

Listed in: Technology

Last Chance to Vote for "Most Stressed-Out CISO"

There\\u2019s got to be a better way to handle this

CISO Stress. We\'ve talked about it before on the show, and now Nominet just released a new study that claims stress levels are increasing.

• 8% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%).
• 31% of CISOs said that stress had affected their ability to do their job.
• Almost all surveyed CISOs (90%) said they\\u2019d take a pay cut if it improved their work-life balance.

How could a CISO negotiate better work/life balance upfront and have either of our CISOs done it?

Hey, you\'re a CISO. What\'s your take on this?

Gary Hayslip shared this Peerlyst article by Ian Barwise of Morgan Computer Services about the incredible array of OSINT tools. What OSINT tools do our CISOs find most valuable and for what purposes.

What\'s Worse?!

A little too much agreement on this week\'s "What\'s Worse?!"

Here\'s some surprising research

Why are cloud security positions so much harder to fill? Robert Herjavec of the Herjavec Group posted a number of disturbing hiring statistics. Most notably was one from Cyber Seek that stated jobs requesting public cloud security skills remain open 79 days on average \\u2014 longer than almost any other IT skills. Why isn\'t supply meeting demand? Why is it such a difficult security skill to find? And how easy and quickly can you train for it?

EKANS is the backward spelling of SNAKE. It is also the name of new ransomware code that targets the industrial control systems in oil refineries and power grids. Not only does it extort a ransom, it also has the ability to destroy software components that do things like monitor the status of a pipeline, or similar critical functions in a power grid or utility. A recently documented attack on Bahrain\\u2019s national oil company reveals the architecture and deployment of EKANS not to be the work of a hostile nation-state, but of cybercriminals.

The chilling message behind that, of course, is that penetrating and sabotaging critical components of a country\\u2019s infrastructure is no longer exclusive to sophisticated national intelligence agencies. Lower level criminal agencies may have motives that are far less predictable and trackable, and when combined with the complexities of an industrial control system, these may have cascading effects beyond the wildest dreams of the instigators themselves.

More from our sponsor\\xa0ExtraHop.

What do you think of this pitch?

We get a pitch with some suggestions on how best to improve the pitch. We want more pitches!

\\xa0

Listed in: Technology

Let's Blow Our Entire Marketing Budget at RSA

On this week\'s episode

There\\u2019s got to be a better way to handle this

Next week is RSA and by podcast law we\'re required to talk about it. We offer up tips on maximizing the following: education, engagement, and follow up.

What\\u2019s the return on investment?

On Peerlyst, John Mueller, a security architect with the US Navy, suggested ways to use incident response metrics to help determine whether your cybersecurity program is improving. But as Mueller points out, it\'s not easy as you could fool yourself into believing you\'re doing well if you don\'t valuable discovery tools. We discuss methods to measure improvements in security programs.

What\'s Worse?!

A really tough one that delivers a split decision.

Please, enough. No, more.

Our topic is trust and hardware manufactures. We discuss what we\'ve heard enough about with trusting hardware manufacturers of tech products, and then we discuss what we\'d like to hear a lot more.

The fable of Walt Disney having been cryogenically frozen to be revived in an age where the science to do so existed is just that \\u2013 a fable. But there is still something to be taken from that when it comes to documents archived on the cloud or consigned to data landfills. Just because encrypted data cannot be easily decrypted by hackers using today\\u2019s tools, that doesn\\u2019t mean tomorrow\\u2019s tools can\\u2019t do the job and revive the information stored inside.

When threat actors take it upon themselves to steal data, through hacking, ransomware, or AI, they might, of course be searching for material that is immediately exploitable, such personal data, or data that has immediate value in being returned or unlocked as in the case of ransomware.

But other players are in it for the long game, counting on the fact that the inexorable momentum of progress will lead to a decryption solution in time for stolen archived data to still be of use for future crimes, frauds and deep fakery.

More from our sponsor\\xa0ExtraHop.

Close your eyes. Breathe in. It\\u2019s time for a little security philosophy.

I got back from Tel Aviv where cybersecurity professionals find themselves innovating out of necessity. They\'re often short on resources. We discuss the kinds of exercises we\'ve tried to help ourselves and our team to think creatively about cybersecurity.

One suggestion is the interrogation technique of "Five Whys" to get at the root reason of why we make our choices.

Listed in: Technology

Empowered! Working Together to Pile on the Cyber Guilt

On this week\'s episode

Mike\'s confused. Let\'s help him out.

Mike inspired this brand new segment with his question to the LinkedIn community, asking what\'s the big deal with 5G security? The story I heard about 5G is just sheer volume over unsecured networks. But Mike said, we\'ve been dealing with unsecured networks since 2G and 3G and we dealt with them using Transport Layer Security or TLS, and implementing other services such as multi-factor authentication or MFA. Mike called out to the community to clue him in as to why we should be more concerned with 5G.

Does shaming improve security?

Thanks to Mark Eggleston, CISO, Health Partners Plans for alerting me to Chris Castaldo, CISO of Dataminr, and his post about Rob Chahin\'s "Single Sign-On or SSO Wall of Shame". Chahin, who is the head of security at Eero, purports that SSO should be a standard feature in applications and websites that allow for secure sign on through third party identity services, such as Google and Okta. Single sign-on is a significant boon for security and management simplicity and Chahin argues that many companies force users to pay dearly to enable SSO.

What\'s Worse?!

A grand financial decision in this scenario.

Is this the best solution?

According to a recent article in the Wall Street Journal, there is an ever slight trend of CISOs moving away from reporting to the CIO, opting instead to report directly to the CEO. Why is this trend happening? What are the benefits and disadvantages?

\\xa0

With hacks and breaches becoming all too commonplace and even encrypted data still vulnerable to hackers who can read and copy it, focus is now being placed on Quantum Communication as a potential next option. This is a technique that encodes data into photons of light, each of which can carry multiple copies of ones and zeroes simultaneously, but which collapses into a single one-and-zero if tampered with. Basically, the scrambling of data to an unusable format.

Although Quantum communication has been development for a few years, researchers in China have apparently already outfitted a fleet of drones that will soon be able to communicate upwards to its already launched Quantum satellites and downwards to ground stations while remaining stable in flight.

This paves the way for the field of quantum teleportation, a glamorous term whose uses and actual development are no longer just the realm of science fiction. For data at least.

More from our sponsor ExtraHop.

Close your eyes. Breathe in. It\\u2019s time for a little security philosophy.

Simon Goldsmith, adidas, said, "I\\u2019ve been having some success in replacing risk with uncertainty. By which I mean not having a threat, vulnerability or impact made tangible creates uncertainty which is next to impossible to factor into any modern decision making process. If I make it tangible, it becomes a risk and I can help you make a better decision. Puts value on turning uncertainty to risk and fights FUD."

Listed in: Technology

You're Mistaken. I'm Not Annoying. It's Chutzpah.

This episode was recorded in front of a live audience in Tel Aviv on the eve of the 2020 Cybertech conference. Special thanks to Glilot Capital for hosting this event.

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and my special guest co-host, Bobby Ford, global CISO for Unilever. Our guest is John Meakin, veteran financial CISO, and currently CISO for Equiniti.

David Spark, producer, CISO Series, Bobby Ford, CISO, Unilver, and John Meakin, CISO, Equiniti.

Thanks to this week\'s podcast sponsors, Polyrize and Intsights.

As newly adopted SaaS and IaaS services add an additional layer of risk for security teams, Polyrize provides a cloud-centric approach to simplifying the task of protecting user identities and their access across the public cloud by right-sizing their privileges and continuously protecting them through a unified authorization model.

IntSights is revolutionizing cybersecurity operations with the industry\\u2019s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise\\u2019s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. To learn more, visit intsights.com.

On this week\'s episode

How do you go about discovering new security solutions?

In an article on LinkedIn entitled, "Why do CISOs take a vendor meeting?" Dutch Schwartz, of AWS said that they take meetings per a recommendation of their staff, their peers, or they have an explicit problem that they\'ve already researched, or they have known unknowns. Are those the reasons to take a meeting with a security vendor? We discuss what meetings CISOs take, and which ones are the most attractive.

It\'s time for "Ask a CISO"

Israel is known for a thriving startup community. But what I always see is cross pollination between Israel and Silicon Valley when it comes to startups. We discuss what Israeli startups can learn from Silicon Valley and vice versa.

What\'s Worse?!

We\'ve got two rounds. One agreement and one split vote.

It\\u2019s time to measure the risk

Five years ago I wrote an article for CIO.com about the greatest myths of cloud security, The first myth was the cloud is inherently insecure. And the other 19 are ones I\'m still hearing today. My conclusion for the whole article was if you can overcome these myths about cloud security, you can reduce risk. In this segment we dispel cloud security myths and explain how the cloud helps reduce risk possibly in ways many of us are not aware.

Close your eyes. Breathe in. It\\u2019s time for a little security philosophy.

On this podcast we talk a lot about CISOs needing to understand the business. In a thought-provoking post on Peerlyst, Eh-den Biber, a student of information security at Royal Holloway, University of London, noted that the job of cybsecurity is more than that. It\'s about understanding the flow of business and being present in the individuals\' lives and their stories. We discuss the importance of being present in your users\' lives.

It\'s time for the audience question speed round

The audience has questions and our CISOs have answers. We get through a lot really quickly.

\\xa0

Listed in: Technology

Revisiting a Whole Career of Cyber Screw Ups

On this week\'s episode

Why is everybody talking about this now?

Chris Roberts of Attivo Networks posted about his video game addiction as he admitted one certain game ate up 475 hours of his life. He really struck a chord with the community as he got hundreds of comments of people admitting to the same but also recognizing that video games are great stress relievers and that the problem solving in games actually helps keep your mind sharp. There is the obvious need for a break, but is there a correlation between how gaming in any form can help someone with their job in cybersecurity?

Hey, you\'re a CISO, what\'s your take on this?\'

Are we doing a good job defining the available jobs in cybersecurity? The brand that we see out there is the image of the hacker and the hoodie. In a post on Peerlyst, Nathan Chung lists off eleven other cybersecurity jobs that don\'t fall under that well known cybersecurity trope. Jobs such as data privacy lawyers, data scientists developing AI and machine learning algorithms, law enforcement, auditors who work on compliance, and even project managers.

We discuss some of the concrete ways to explain the other lesser known opportunities in cybersecurity.

What\'s Worse?!

We play two rounds with the CISOs.

Um\\u2026 maybe you shouldn\'t have done that

In an article on Peerlyst, cybersecurity writer Kim Crawley, asked her followers on Twitter, "What mistakes have you made over the course of your career that you would recommend newbies avoid?" There was some great advice in here. We discuss our favorite pieces of advice from the list and our CISO admit what is the mistake they\'ve made in their cybersecurity career that they specifically recommend newbies avoid.

We\\u2019ve got listeners, and they\\u2019ve got questions

Chris Hill of Check Point Software, asked, "How can non-technical people working their way up in the security industry improve their knowledge and abilities from a CISO perspective." Chris is a newbie and he wants advice on being a \\u201ctrusted advisor\\u201d and he\'s trying to figure out the best/most efficient way to get there.

It\'s time for the audience question speed round

We go through a ton of questions the audience has for our CISOs

Listed in: Technology

Debunking the Misused "Chased By Bear" Cybersecurity Metaphor

On this week\'s episode

Is this the best solution?

On LinkedIn, Rich Malewicz of Wizer opened up a discussion of security is really just about making the lives difficult for attackers, or more difficult than another target. Rui Santos summed Rich\'s theory succinctly, "you don\'t have to be Fort Knox, just make it not worth the effort of hacking your organization."

Let\'s dive into the specifics of this. Provide some examples of how you architect a security program that makes it too difficult or too costly for an attacker. Obviously, this would change given the asset you\'re trying to protect.

The great CISO challenge

Brad Green, Palo Alto Networks, asks, "What are the most important functions of the SOC (security operations center), and what are the most important activities that support them?

What\'s Worse?!

As always, both options stink, but one is worse.

Please, Enough. No, More.

Today\'s topic is data security. What have you heard enough about with data security, and what would you like to hear a lot more? Mike?

Communicating cyberthreats to the general public has always been a challenge for cybersecurity specialists, especially when it comes to eliciting cooperation in areas like cyberhygiene. Sometimes it helps to give people an awareness that the need for proactive security doesn\\u2019t exist only on screens, but everywhere.

One fascinating example of this can be seen in the research of Dina Katabi of MIT, who has shown how WiFi signals can be monitored \\u2013 not for their content, but as a form of radar that can see through walls, and which can accurately observe people physically moving around, or even detecting heartbeats and sleep patterns. Remote espionage opens up all kinds of opportunities for bad actors to build ergonomic profiles of anyone and then deploy AI and ML enabled analysis to influence and impersonate them.

Showing people just how many different dimensions can be used in cybercrime may one day shift public perception of cybersecurity into the center spotlight where it belongs.

More from our sponsor\\xa0ExtraHop.

There\\u2019s got to be a better way to handle this

For years security professionals have talked about trying to secure the exponentially expanding surface area. One way to simplify, that we\'ve all heard before, is driving security to the data level. Could we let networks run wild, within reason, and just have a data-security first approach? How is that different from zero trust, if at all? To what extent does this work/not work?

We\'ve all been having conversations about encryption for decades. It\'s not a new story. But it\'s still not universally used. There are billions of user accounts available in open text. After decades, why has the encryption story still not been getting through? What\'s holding back universal usage?

Listed in: Technology

We Put the FUN in InFunSec

On this week\'s episode

Close your eyes and visualize the perfect engagement

What should a CISO\'s relationship with the board be and how much should a CISO be involved in business decisions? According to a Kaspersky survey, 58% of CISOs say they\'re adequately involved in business decision making. 34% say they\'re summoned by the board for data/security related manners. 74% of CISOs are not part of the board and of that group, Of that group, 25% think they should be. What are the pros and cons of a CISO being heavily involved in the business?

The great CISO challenge

On Dark Reading, Joan Goodchild asked CISOs what were their New Year\'s resolution. Most said obvious stuff about visibility, being a business enabler, work on human element, and privacy. But I was most intrigued by Jason Haward Grau, CISO of PAS Global, who said he wanted to make security a little more fun. Keeping it fun and interesting is my obsession with this show. If you want to attract, and more importantly retain, security talent, a little bit of fun is critical. So what is currently fun about cybersecurity and what can CISOs do to make it more fun?

What\'s Worse?!

First time Mike Johnson admits to being wrong!

Looking down the security roadmap

On LinkedIn, Mike recommended that security professionals line up tools with their comparable threat models, and then compare that list with their company\'s actual threat models. Mike admittedly offered the advice but never actually had done itself until he wrote the post and then he started. We delve into what actually happened and how one could actually do it.

The Cyber Defense Matrix is a handy, yet easy to use grid plan that helps IT and cybersecurity professionals formulate a plan of proactive defense and effective response. Devised by security specialist Sounil Yu and discussed in detail on the October 17, 2019 episode of Defense in Depth, the matrix continues to gain ground as a vital tool for not only understanding the required spread of technologies, people and process, but also in performing gap analysis and crisis planning.

The matrix creates a logical construct across two axes, creating a five by five fill-in grid.

Although some experts debate whether it is sufficiently broad in scope, cybersecurity organizations such as OWASP tend to agree that its role in organizing a jumble of concepts products and terminologies into a coherent inventory helps cybersecurity specialists measure their security coverage, discover gaps in their IT strategy, and create a better project plan.

More from our sponsor ExtraHop.

And now, a listener drops some serious knowledge

"Sandor Slijderink (SLY-DUR-INK), CISO at undisclosed company, offered a quick tip on a new phishing scam.

Type in some text that looks like a foreign language, then create a hyperlink that reads:
""See translation""

We discuss some attack vectors that we think others may not be fully aware of but need to pay attention.

Listed in: Technology

We Lower the Security and Pass the Savings on to You

On this week\'s episode

Are we making the situation better or worse?

Are big Internet giants\' privacy violations thwarting startup innovation? That\'s been presidential candidate Elizabeth Warren\'s argument, and it\'s why she wants to break up companies like Facebook and Google for what she sees as anti-competitive practices. According to Seth Roseblatt\'s article, it appears all of a sudden Facebook and Google are very concerned about privacy.

Nine years ago, I remember seeing Eric Schmidt, then CEO of Google, proudly admit that they tracked people\'s movements so thoroughly that they can accurately predict where you\'re going to go next. Nobody blinked about the privacy implications. But today, users are upset but they don\'t seem to be leaving these services at all. Is it all talk on both sides? Have you seen any movement to improve privacy by these companies and would regulation be the only answer? And heck, what would be regulated?

Here\'s some surprising research

Over the past 15 years, home WiFi routers have been manufactured to be less secure. Seth reported on this study by the Cyber Independent Testing Lab, which we also discussed on an episode of Defense in Depth. The most notorious weakening is the use of default passwords, but there\'s a host of other firmware features that don\'t get updated. Is there any rationale to why this happens? And has this study done anything to turn things around?

Is this a cybersecurity disinformation campaign?

Fighting "fake news" like it\'s malware. In Seth\'s story, he noted there are structural and distribution similarities. I envision there are some similarities between fake news and adware which isn\'t necessarily designed for negative intent. Fake news appears to be an abuse of our constitutional acceptance of free speech. How are security tactics being used to thwart fake news and how successful is it?

When you set up your new home assistant, try not to position it close to a window, because someone across the street might be preparing to send voice commands, such as \\u201copen the garage door\\u201d by way of a laser beam.

Researchers from the University of Michigan and The University of Electro-Communications in Tokyo have successfully used laser light to inject malicious commands into smart speakers, tablets, and phones across large distances and through glass windows. They use standard wake commands modulated from audio signals and pair them with brute forcing of PINS where necessary.

They have also been successful in eavesdropping, and in unlocking and starting cars.

Their research shows how easy it is and will be to use lasers to not only penetrate connected devices but to deploy acoustic injection attacks that overwhelm motion detectors and other sensors. More information including access to the white paper is available at lightcommands.com.

More from our sponsor ExtraHop.

Look at this, another company got breached

Tip of the hat to Malcolm Harkins at Cymatic for posting this story on Forbes by Tony Bradley of Alert Logic who offers a rather pessimistic view of the cybersecurity industry.

It\'s broken, argues Bradley. We spend fortunes on tools and yet still get hacked year over year using the same tools. The article quotes Matt Moynahan, CEO, Forcepoint, who said we wrongly think of security as an "us" vs. "them" theory or "keeping people out" when in actuality most hacks are because someone got access to legitimate user credentials, or a user within our organization did something unintentional or potentially malicious. Are we wrongheaded about how we envision cybersecurity, and if so, is there a new overarching philosophy we should be embracing?

Listed in: Technology

Ah, Here's The Problem. You've Got a Leaky CEO.

On this week\'s episode

Where does a CISO begin?

Gary recently brought up an excellent discussion pointing out that executives are the backdoor into your organization. Do they understand that they\'re critical cogs? Do they and are they willing to take on responsibility? What is the patching process?

Walk a mile in this CISO\'s shoes

Gary, talked a lot about the importance of work/life balance with cyber professionals. Robert Carey of RSA Security said your actions do most of the talking, "As a CISO, you\'re a model of work life balance. If you stay 14 hours a day, that\'s what is expected of employees. If you leave at 5pm they\'ll realize that\'s ok for them to do." How do our CISOs handle presenting to their staff what is and isn\'t OK, when they\'re in the office or when their employees are remote?

What\'s Worse?!

You\'ve got a new hire. Which one do you choose?

Is this the best solution?

Does the email pitch still serve a function? On a recent CISO Series video chat, we talked about how CISOs get 50-80% of their information about products from other CISOs and that yeah maybe sometimes they read an email pitch. Is there still room for the email pitch or should it just die? And if it should die, what should it be replaced with?

Security Squares: Where CISOs Put Vendors in Their Place

A brand new game that asks CISOs how well do they know the vendor landscape? This one was a nail biter.

It\\u2019s time for the audience question speed round

Our audience has questions, and our CISOs will have answers.

Listed in: Technology

Trust Me, We're Using "Advanced" AI

What we\\u2019ve got here is failure to communicate

Is the privacy message getting out to the right people? I argue we need to go to the source and we\'re not. I was at Dreamforce, the Salesforce conference, and I got the sense I was the only person of the 100K people there that didn\'t want to be scanned. This crowd is obsessed with the collection of personal data given this conference is mostly about how do I create greater understanding from personal data. Are we as security people in a bubble in this privacy conversation? We need to go to the source of the people who are actually collecting the data and I\'m getting the sense we\'re not getting through.

Are we making the situation better or worse?

We\'ve talked a lot about AI on this show, and many vendors are selling intelligent solutions, but the factor that seems to hang up usage is trust. Cyber professionals don\'t think twice about trusting their AI-powered spam filter, but so many other tools are met with skepticism. What\'s missing from the vendor side and what trust barriers are practitioners putting up? What should the barometers be for trusting AI?

What\'s Worse?!

Two bad types of people wanting to do you harm. Which one is worse?

Is this the best solution?

Should you hire staff from companies that have fallen victim to cybercrime? According to a study by Symantec and Goldsmiths, University of London, as reported by ZDNet, more than half of respondents said they don\'t discuss breaches or attacks with peers. And more than a third said they fear that sharing breach information on their organization would negatively impact their future career prospects. I would think that asking a prospect, "Have you lived through a breach and how did you handle it?" would be very revealing. Mike?

Security Squares: Where CISOs Put Vendors in Their Place

A brand new game that asks CISOs how well do they know the vendor landscape?

It\\u2019s time for the audience question speed round

Our audience has questions, and our CISOs will have answers.

\\xa0

Listed in: Technology

Isn't That Adorable? Our Little CISO Has An Opinion.

On this week\'s episode

Why is everyone talking about this now?

Gary Hayslip, CISO, Softbank Investment Advisers and regular guest, posted an article about a growing trend of CISO frustration and why they don\'t last at an organization. This article addresses many issues around burnout, but I want to focus on this one stat from an ISC(2) study which states, "Sixty three percent of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously." Hard to keep any security staff in place if they\'re not respected. We talk a lot about being able to talk to the board, but the communications has to be two way. How clear are executives in understanding that respect and listening to their cyberstaff is in their best interest?

What annoys a security professional

Deidre Diamond of CyberSN, asks this very pointed question, "We are short 500k cyber professionals in the US and 89% of our current cyber professionals are open to new opportunities; why are jobs taking on average 4-9 months to fill?" That last stat is CyberSN\'s data estimates. She\'s arguing there is plenty of supply. Why is this taking so darn long? Nobody\'s happy.

What\'s Worse?!

We\'ve got a question tailored for our DevOps guest this week.

Please, enough. No, more.

DevOps and security. This is a topic that has grown over time, evolved in branding, and Mike has spoken out about how much he don\'t like the term DevSecOps. As we regularly do in this segment, what have you heard enough of on the DevOps and security debate and what would you like to hear a lot more?

Two factor authentication is a smart step towards more secure password management but what happens the moment after you have convinced the employees of your company to adopt 2FA, when you then say, \\u201cOh yes, don\\u2019t forget your SIM PIN.\\u201d

2FA might stop hackers from using easily searchable information like someone\\u2019s mother\\u2019s maiden name, but these bad actors have already discovered the weak link in this particular chain. They call the phone provider, pretend to be that specific victim and ask to swap the victim\\u2019s SIM account information to a new SIM card \\u2013 one that is in their possession. That way, everything the victim did with their phone \\u2013 texting, banking, and receiving 2FA passcodes \\u2013 all goes to this new phone.

More on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Hey, you\'re a CISO, what\'s your take on this?

Nigel Hedges, CISO, CPA Australia, asked, "Should security operations exist in infrastructure/operations teams?"

Nigel asked this questions to colleagues and got mixed results. One CISO said it was doomed to fail, others said its up to leadership and a CISO doesn\'t need to own secops.

"Other people were adamant that the focus required to manage secops, and streamlined incident response cant work within infra because the primary objectives of infra are towards service availability and infra projects," said Nigel who went on to ask, "Is this important prior to considering using a security vendor to provided managed security operations? Is it important to \'get the house in order\' prior to using managed secops vendors? And is it easier to get the house in order when secops is not in infra?"

Listed in: Technology

Rest Assured, We're Confident Our Security Sucks

On this week\\u2019s episode

Why is everybody talking about this now?

Tip of the hat to Eduardo Ortiz for forwarding this discussion Stuart Mitchell of Stott and May initiated on LinkedIn asking if there should be a "golden bullet" clause in a CISO\'s contract. He was referring to the CISO of Capital One who had to step down and take on a consulting role after the breach. What are arguments for and against?

Ask a CISO

Nir Rothenberg, CISO, Rapyd asks, "If you were given control of company IT, what would be the first things you would do?"

What\'s Worse?!

Should a CISO be closing sales or securing the company?

Hey, you\'re a CISO, what\'s your take on this?

According to Nominet\'s Cyber Confidence Report, 71 percent of CISOs say their organization uses the company\'s security posture as a selling point, even though only 17% of CISOs are confident about their security posture. There are probably many factors that contribute to this disparity. Is it a gap that will ever close, or is this just the nature of security people vs. sales?

Bluetooth is a convenient and easy method of sharing data between devices, which, of course, qualifies it as a prime target for exploitation. A trio of researchers has discovered a vulnerability that has the potential of attacking billions of Bluetooth-enabled devices, including phones, laptops, IoT and IIoT technologies.

In short, this Key Negotiation of Bluetooth vulnerability, which has been given the acronym KNOB, exploits the pairing encryption protocol within the Bluetooth Classic wireless technology standard, which supports encryption keys with entropy between 1 and 16 bytes/octets. It inserts between the pairing devices forcing both to agree to encryption with 1 byte or 8 bits of entropy, after which it simply brute-forces the encryption keys.

More on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

What do you think of this pitch?

How targeted should your pitch have to be?

\\xa0

Listed in: Technology

What Security Advice Will Your Family Ignore?

On this week\\u2019s episode

Why is everybody talking about this now?

Rich Malewicz, CIO, Livingston County, started a thread of common threats and scams we should warn family and friends about over the holidays. Lots of great advice. We discuss our favorites, whether we turn into family tech support, and if you had one cyber holiday wish for every family member, what would it be?

Hey, you\'re a CISO, what\'s your take on this?

When is the right time and WRONG time to start red teaming? (the process of letting ethical hackers loose on your business to test your defenses, your blue team.) What exactly is it you\'re testing? Are you testing your network\'s resiliency or your business\' resiliency?

"What\'s Worse?!"

Three options in this "What\'s Worse?!" scenario.

The great CISO challenge

We have repeatedly touted on the podcast the benefits of multi-factor authentication or MFA. Our guest implemented an MFA solution at his company. We talk about the challenges, criteria, and roll out like? And did they see any visible evidence of security improvements?

Casey from accounting is getting frustrated, waiting for client files being held up by the firewall. Jordan is trying to join a video conference that needs a plugin, but the firewall won\\u2019t let it through. So they call the IT manager who then disables it.

This happens a lot. Maybe not in large companies, but small law firms, medical clinics, or small businesses that might use an old-school administrator who will either turn off the firewall or opt out of using one altogether, believing in the power of a cheap antivirus product to keep things safe.

More on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

What do you think of this pitch?

There is lots of disagreement over whether this pitch is any good.

Listed in: Technology

Do's And Don'ts of Trashing Your Competition

This episode is hosted by me,\\xa0David Spark\\xa0(@dspark), producer of CISO Series and founder of\\xa0Spark Media Solutions\\xa0and\\xa0special guest co-host, Mark Eggleston (@meggleston), CISO, Health Partners Plans, and our guest is Anahi Santiago (@AnahiSantiago), CISO, ChristianaCare Health System.

We recorded in front of a live audience at Evanta\'s CISO Executive Summit in Philadelphia on November 5th, 2019.

Recording CISO/Security Vendor Relationship Podcast in front of a live audience at Evanta\'s CISO Executive Summit in Philadelphia (11-05-19)

Thanks to this week\'s podcast sponsors Trend Micro, Thinkst, and Secure Controls Framework.

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit\\xa0www.trendmicro.com.

The Secure Controls Framework (SCF) is a meta-framework \\u2013 a framework of frameworks. This free solution is available for companies to use to design, implement and manage their cybersecurity and privacy controls in an efficient and sustainable manner. Our approach provides a comprehensive solution to manage complex compliance needs.

Most companies find out way too late that they\\u2019ve been breached. Thinkst Canary changes this. Find out why the Thinkst Canary is one of the most loved products in the business and why the smartest security teams in the world run Canary. Visit https://canary.tools.

On this week\\u2019s episode

Why is everyone talking about this now?

Greg van der Gaast, former guest who runs security at The University of Salford, initiated\\xa0a popular LinkedIn discussion\\xa0on the topic of human error. According to his colleague Matthew Trump of the University of Sussex, in critical industries, such as aerospace, oil & gas, and medical, \\u201chuman error\\u201d is not an acceptable answer. You simply have to prevent the incident. If not, a mistake can be both a regulatory violation and lethal.

But people are a part of the security equation. It\\u2019s unavoidable.

We know zero erros is impossible, but can you accept \\u201chuman error\\u201d as a fail point?

Hey, you\\u2019re a CISO, what\\u2019s your take on this?

Listener David said, \\u201cOne thing I have experienced at my last two jobs is integrating with a \\u2018global\\u2019 security team whose security program is effectively and functionally inferior to our own. In these occasions, the global security team wanted us to remove current safeguards, processes/procedures and tooling that reduced the preparedness and effectiveness of our security program and introduced risk(s) that we have not been exposed to in years. All of these changes were always touted as a \\u2018one team\\u2019 initiative but never once was due diligence on security posture taken into account.

\\u201cWhat is the best way to go about a consolidation like this? Do you not mess with a good thing and ask the \\u2018better\\u2019 security program to report up incidents, conform to compliance check boxes etc. or as a CISO do you sign off on a risk acceptance knowing that the operating company is now in a worse state of security.\\u201d

\\u201cWhat\\u2019s Worse?!\\u201d

We\\u2019ve got two rounds of really bad scenarios.

What annoys a security professional

Geoff Belknap, former guest and CISO of LinkedIn,\\xa0appreciates a vendor\\u2019s desire to \\u201cbring like minds\\u201d together around food or drink, but the invite is not welcome on a weekend. Belknap feels that the weekend intrudes into a CISO\\u2019s personal/family space. There was a lot of debate and disagreements on this, but there were some solutions. One mentioned a vendor invite that included round trip Lyft rides and childcare.

Oh, they did something stupid on social media again

Jason Hoenich, CEO of Habitu8 posted on LinkedIn that he didn\\u2019t appreciate Fortinet writing about security training for CSO Online, something for which Jason\\u2019s business does and for which he believes Fortinet does not have any expertise. It appears this was a sponsored article, but Jason didn\\u2019t point to the article nor did he isolate specifically what he felt was wrong with Fortinet\\u2019s advice.

Here at the CISO Series, we like Jason and Habitu8. They\\u2019ve been strong contributors to the community. But complaining and not pointing to any concrete evidence is not the best way to convince an audience. Earlier this year we saw something similar with the CEO of Crowdstrike going after the CEO of Cybereason claiming an underhanded sales tactic that was not specified nor anyone at Cybereason knew what he was talking about.

Is it OK to go after your competition in a public forum? If so, what\\u2019s the most professional and respectful way to handle it?

It\\u2019s time for the audience question speed round

Our Philadelphia audience has questions and our CISOs had some answers. We rattle off a quick series of questions and answers to close the show.

Listed in: Technology

Get Out! The FUD Is Coming from the Inside

On this week\'s episode

Why is everyone talking about this now?

On LinkedIn, Ron C. of CoreSolutions Software said, "Cybersecurity is no longer just a technical problem. It\\u2019s now more of a people problem! So why aren\\u2019t businesses prioritizing security awareness training for their staff?" There was a massive response and mixed agreement. Regardless, are we falling short on security awareness training? Is it not effective? Is it too complicated to pull off? Is the cost not justified? More importantly, has security awareness training had any impact?

Hey, you\'re a CISO, what\'s your take on this?

accidentalciso on our reddit channel, r/cisoseries, asks, How does a security professional know if "CISO truly is the right career goal for them? I don\\u2019t think the reality of the role is consistent with what one might think early on in their career." What was it about the CISO role that makes a security professional want to pursue it and how does that previous perception of what a CISO did counter or align with what was really experienced?

It\'s time to play, "What\'s Worse?!"

Is there a worst type of attack?

Ask a CISO

James Dobra, Bromium, asks, "Are security organizations guilty of using FUD internally, e.g. with the board and with users, while complaining that vendors use it too much?" Does FUD happen internally? Do security teams do it to get the money they want and/or shame users into submission?

On August 30, 2019, white hat hacker Tavis Ormandy discovered a vulnerability in a LastPass browser extension. This was a vulnerability, not a breach and was very quickly remedied without damage. But it still causes chills when the last bastion of password security reveals its Achilles heel. It\\u2019s like seeing your family doctor contract a terminal disease.

But for CISOs, this might be a good thing. Password complacency and sloppy security hygiene are the scourge of security specialists everywhere. A SaaS-based password manager that uses hashes and salts to remove the existence of physical passwords in their own vaults, is still a highly proactive solution.

More found on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 Days of a CISO

Both Mike and our guest, Ed, are second time CISOs in their first 90 days at the role. We review what mistakes they made the first time as a CISO that they\'re actively avoiding this time. Are there any hurdles that are simply unavoidable and they\'re just going to have to face it like any new CISO would.

\\xa0

Listed in: Technology

Say It Loud! I Didn't Read the Privacy Policy and I'm Proud!

On this week\'s episode

How CISOs are digesting the latest security news

We\'re blowing it with general cybersecurity education. According to a study by the Pew Internet Research Center, most Americans don\'t understand or can\'t identify basic cybersecurity concepts such as two-factor authentication, private browsing, or the purpose of a privacy policy. We talk a lot about the important of education and it appears we\'re not doing a good job. What are some creative ways we can dramatically improve these numbers?

Hey, you\'re a CISO, what\'s your take on this?

Cai Thomas, Tessian, has an article on TechRadar on the dangers of sending corporate work via personal email accounts. He outlines the issues. As per the previous story, chances are very high people are completely unaware of the risk their placing the company in by forwarding corporate email to personal accounts. No amount of education is going to solve this problem. What are the systems that companies can and should setup to give people a better alternative than sending emails to personal accounts?

What\'s Worse?!

How damaging can not having a seat on the board be?

Ask a CISO

Nick Sorensen, Whistic, asks, "What do you see the most proactive vendors doing to prepare for vendor security reviews from their customers?"

\\u201cYour bank account has been frozen.\\u201d That\\u2019s now an old chestnut in the scamming world, but it thrives through increasingly sophisticated spoofing activities that include a banks\\u2019 real phone number and real-looking pop-up websites for password refresh requests. Even IT experts can get caught by these things occasionally, as some have even confessed on this very podcast series.

This level of relentless innovation is worth keeping front of mind when considering the amounts of data that Internet of Things devices are creating but that organizations have no plan or space for. IBM, Forrester, and others have suggested that maybe 1 percent of data generated from IoT connectivity is being used, mostly for immediate learning or predictive activities.

More available on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

First 90 days of a CISO

Today is Roger\'s first official day as a CISO in residence at YL Ventures. What the heck does that mean, and how does that differ from being an operational CISO?

Listed in: Technology

I'll See Your Gated Whitepaper and Raise You One Fake Email Address

On this week\'s episode

Why is everyone talking about this now?

To gate or not to gate. Mike posted on LinkedIn about how much he appreciated vendors who don\'t gate their content behind a registration wall. The post blew up on LinkedIn. The overwhelming response got some vendors willing to change their tune.

Hey, you\'re a CISO, what\'s your take on this?

Kevin Kieda of RSA Security asks, "For an initial meeting what are the things you want the sales person to know about your business that many of them don\'t." Kevin says he gets frustrated that he gets the sense a prospect wants them to know what tools they\'re using even though he knows he often can\'t find out that information. What is the must know, nice to know, and boy I\'m impressed you know that?

Mike Johnson recommends BuiltWith.com for basic OSINT on a company site.

What\'s Worse?!

Whose mistakes are worse? Your own or the vendor\'s?

The great CISO challenge

Factor Analysis of Information Risk (FAIR) is a risk framework (often laid ontop of others) that simplifies the understanding of risk by identifying the blocks that contribute to risk and their relationship to each other and then quantifying that in terms of money. Ian, can you give me an example of how you actually do this?

Since its inception back in 2010, Zero Trust Architecture has been gaining traction. Much of the interest stems from the nature of work and data today \\u2013 people working from anywhere on any device, and data racing around networks and to and from the cloud means there is no single fortress where everything can exist safely. Operating on a belief that everything inside the perimeter is safe because it\\u2019s inside the perimeter is no match to today\\u2019s hacking, penetration and inside sabotage.

The establishment of new perimeter protections, including microtunnels and MFA is best applied to new cloud deployments but must still somehow be factored into a legacy architecture without becoming more inconvenient and vulnerable than what it is trying to replace.

More on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Why is this a bad pitch?

What\'s the polite way to hande the way too generic vendor request. We offer two examples of non-specific pitches that are obviously just begging for a CISO\'s time.

Is there a polite way to refute the request and let them know without talking down to them and letting them know that this isn\'t a tactic they should pursue?

Listed in: Technology

Rated #1 in Irresponsible Security Journalism

On this week\'s episode

Why is everybody talking about this now?

Two recent stories showed some fallibility in multi-factor authentication or MFA. We repeatedly recommended MFA on this show. But, the FBI announced some technical and social engineering techniques that are being used to break multi-factor authentication. In addition, Twitter admitted that email addresses and phone numbers used to set up MFA might have been sent to third party advertisers. The FBI says its news shouldn\'t change our trust in MFA. William Gregorian, CISO, Addepar, posted on LinkedIn that the press is claiming that MFA is broken and that\'s irresponsible journalism.

Let\'s dig a little deeper

Security professionals thrive on hearing about and learning about the latest threats. It feeds the latest security headlines and conferences. While it\'s often fascinating and keeps everyone interested, to what level are security concerns based on well-known years old threats vs. the latest threats?

"What\'s Worse?!"

Whose mistakes are worse? Yours or the vendors\'?

Please, enough. No, more.

We\'ve talked a lot about machine learning on this show and the definition of it is broad. What\'s ML\'s value in threat protection. We discuss what we\'ve heard enough about with regard to machine learning being used for threat protection And what would we like to hear a lot more.

When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor or causing them grief? Password managers exist, of course, as do newer forms of passwordless authentication, multifactor authentication and behavioral and biometric data.

But ultimately, whose responsibility is this? Should a merchant website place the onus of personal security back on the customer? And if so, how would this protect the merchant\\u2019s own property? If this jeopardizes a sale or transaction, the cost of proactive security, at least for the short term appears too great. And it\\u2019s obvious, from the avalanche of data breaches of recent years that stored data of any sort becomes a permanent liability.

More available on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Ask a CISO

Gina Yacone, a consultant with Agio, asks, "If you\\u2019re performing a table top exercise. Who are the only three people you would want to have a seat at that table?"

Listed in: Technology

Cybercrimes Solved in an Hour or Your Next One's Free

On this week\'s episode

What annoys a security professional

Question on Quora asks, "What does everybody get wrong about working in the field of forensics?" There were a handful of answers from looking to TV and film dramas to that it\'s only a post mortem analysis. What are the biggest misconception of digital forensics?

Why is everybody talking about this now?

Tip of the hat to Stu Hirst of Just Eat who posted this Dilbert cartoon that got a flurry of response. Read for yourself, but in essence, it\'s a boss that thought technology would solve all his problems. Not realizing that people and process are also part of the equation.

All too familiar. The "I\'ve been hearing a lot about __________" phenomenon. What causes this behavior and how do you manage it?

"What\'s Worse?!"

How much flexibility to you require in your security team and the business?

Please, Enough. No, More.

How far can AI go? Where does the human element need to exist? What are the claims of the far reaching capabilities of AI? We discuss what we\'d like to hear regarding the realistic capabilities and limitations of AI.

Every year, the Fall season sees billions of dollars being spent on home-based IoT devices. The back-to-school sales are the starting point, Cyber Monday is the clubhouse turn and the year-end holiday season is the finish line.

As usual, these devices \\u2013 printers, DVRs, IP cameras, smart home assistants, are relatively inexpensive and provide plug and play convenience, to satisfy an impatient customer base.

For the rest of the cloud tip, head to CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

We don\'t have much time. What\'s your decision?

What are the best models for crowdsourcing security? There are entire businesses, such as bug bounty firms, that are dedicated to creating crowdsourced security environments. Our guest this week is passionate about investigative work. We asked him and Mike what elements they\'ve found that inspire and simplify the community to participate in a crowdsourced security effort.

Listed in: Technology

Mapping Unsolvable Problems to Unattainable Solutions

On this week\'s episode

Why is everybody talking about this now?

Mike asked the LinkedIn community, "What\'s bad security advice that needs to die?" We had an entire episode of Defense in Depth on this very topic called "Bad Best Practices." The post got nearly 300 responses, so it\'s obviously something many people are passionate about. Is there a general theme to bad security advice?

The great CISO challenge

Sounil Yu is the creator of a very simple problem-to-solution chart for security professionals called the Cyber Defense Matrix. This simple chart allows a cyber professional to see how their tools, processes, and people are mapped to all different levels of security protection. We discuss the purpose of the matrix and all the real world applications.

"What\'s Worse?!"

We have a real world "What\'s Worse?!" scenario and Mike and Sounil compete to see if they answered the way the real world scenario actually played out.

Hey, you\'re a CISO, what\'s your take on this?

Last week on Defense in Depth we talked about a discussion initiated by Christophe Foulon of ConQuest Federal on cyber resiliency. Some people argued that it should be a security professional\'s primary focus because its action is in line with the interests of the business. Should a cyber professional shift their focus to resiliency over security? Would that facilitate better alignment with the business?

Exploitable weaknesses measured in decades. Not a comforting thought. But this is a reality that exists in at least two major IT ecosystems. The first is Microsoft and the second is firmware. Teams belonging to Google\\u2019s Project Zero have found exploitable security flaws affecting all versions of Windows going back to Windows XP \\u2013 which presents a logistical nightmare for admins the world over.

Sarah Zatko, Chief Scientist at the Cyber Independent Testing Lab spoke recently at Red Hat and DEF CON in Las Vegas about deficiencies in the security of firmware, including those from companies that manufacture the world\\u2019s best-known routers.

More available at CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Ask a CISO

Thanks to Chris Castaldo, CISO at Dataminr, for this post on new research from the firm Marsh and Microsoft. According to the study, half of the respondents didn\'t consider cyber risk when adopting new tech. A full 11 percent did no due diligence to actually evaluate the risk a new technology may introduce.

Does it take that much effort to understand the basic risks of introducing a new technology? What are some first level research efforts that should be done with any new tech consideration or adoption?

\\xa0

Listed in: Technology

Wait... What? Good News in Cybersecurity?

On this week\'s episode

How CISOs are digesting the latest security news

We simply don\'t hear enough good news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren\'t being told publicly that should be?

First 90 Days of a CISO

Michael Farnum, Set Solutions, said, "If you come into the job and aren\\u2019t willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn\\u2019t make sense." Not so easy, but where\'s the line where you can actually push and say, "We\'re changing course"?

It\'s time to play, "What\'s Worse?!"

We\'ve got a split decision!

Hey, you\'re a CISO, what\'s your take on this?

On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, "I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I\'ve seen...had to report to HR/PR/General Comms....none of whom really knew anything about technology/technical comms/infosec....and had little to no interaction with the IT/security team."

My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team?

The devious new Android malware called Cerberus steals credentials by using a downloaded fake Adobe Flash player. That is not really innovative in itself, but what\\u2019s interesting is the way it seeks to avoid detection by using the phone\\u2019s accelerometer to confirm that the infected target is a real device and not on the screen of a security analyst. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app actually counts a number of physical footsteps taken by the phone\\u2019s owner, and deploys once the required number has been reached.\\xa0

For more, check out the full tip on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Why is everybody talking about this now?

What\'s behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it\'s so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, training and growth. Is the core issue that the cybersecurity industry just does a very poor job welcoming new entrants?

Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?

Listed in: Technology

Serious Hackers Wear TWO Black Hoodies

Here are the links to the items Bruce mentioned on the show:

• Expel\'s third-party assessment framework
• NIST CSF (and soon to be PF) self assessment tool
• Oh Noes! The incident response role playing game

Thanks to this week\'s podcast sponsor Expel

Expel is flipping today\\u2019s managed security model on its head (Ouch!) for on-prem and cloud, taking a technology-driven approach that lets analysts focus on what humans do best: exercise judgment and manage relationships. The company offers 24x7 monitoring through its security operations center-as-a-service, using the security tools customers already have.

On this week\'s episode

We\\u2019ve got listeners, and they\\u2019ve got questions

A listener, who wishes to remain anonymous asks, "I am a one person security organization, and I get frustrated reading industry news and even listening to the CISO Series (love the show). My frustration is that so very often articles, blogs and podcasts assume that you/your organization has a security TEAM... How do you thrive and not just survive as a security shop of one?" What can a one-person shop expect to do, and not do?

Let\'s dig a little deeper

Bruce is also the founder of the Shmoo Group and his wife is the organizer for the annual ShmooCon which is a hacker conference held in DC every year. I\'m stunned that his 2200-person event sells out in less than 20 seconds. There is obviously huge demand to attend and speak at your event. This year\'s event he had 168 submitted talks and 41 were accepted. Bruce tells us what makes a great ShmooCon submission and what were the most memorable talks from ShmooCon.

"What\'s Worse?!"

Today\'s game probably speaks to the number one problem with every company\'s security program.

Hey, you\'re a CISO, what\'s your take on this?

An issue that comes up in security all the time is "how do you do more with less." Are there ways to advance your security program when you don\'t have more budget or more people to do so?

Study after study shows a top priority for cloud users is having visibility into application and data traffic. But most are not getting it. Nine out of ten respondents believe that access to packet data is needed for effective monitoring. So even though the cloud providers maintain the fortress, the enterprise still needs to see what\\u2019s going on. They\\u2019re ultimately responsible, after all.

Cloud needs its own approach to monitoring, more closely based on how cloud customers interact with their data. It needs its own tools and greater level of communication between them and their providers.

More on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Why is everybody talking about this now?

We have talked in the past about the tired and negative image of the hacker in the black hoodie. It\'s pretty much all you see in stock photos. And since that\'s all any media outlet uses, that image just keeps getting reinforced. Poking fun and I think truly trying to find a better hacker image meme, Casey Ellis, founder of Bugcrowd, challenged others on LinkedIn to find a better "hacker stock photo" than the one he posted of hands coming out of a screen and typing on your keyboard with a cat looking on. We debate the truly worst hacker images we\'ve seen and we propose a possible new stock image of the hacker.

Listed in: Technology

CISO Confessions: "It's Not You. It's Me."

This episode was recorded live in WeWork\'s Times Square location on September 5th, 2019. Here are all the photos.

Enormous thanks to WeWork for hosting this event. They\'re hiring! Contact JJ Agha, vp of information security at WeWork.

Also, huge thanks to David Raviv and the NY Information Security Meetup group for partnering with us on this event.

Thanks to this week\'s podcast sponsor Tehama, Tenable, and Devo.

Tehama provides secure and compliant virtual desktops on the cloud, and all the IT infrastructure needed for enterprises to connect and grow global and remote teams. Tehama\'s built-in SOC 2 Type II controls reduce the risk of malware intrusion from endpoint devices, data breaches, and other vulnerabilities.\\xa0 Learn more at tehama.io.

Effective vulnerability prioritization helps you answer three questions: Where should we prioritize based on risk? Which vulnerabilities are likeliest to be exploited? What should we fix first? Tenable gives you the accurate and actionable data you need to answer these questions and better secure your business. Learn more: tenable.com/predictive-prioritization.

SOC teams have been struggling with many of the same issues for years \\u2013 lack of visibility, too much noise \\u2013 all while the threat landscape grows more complex. Devo Security Operations is a next-gen cloud SIEM that enables you to gain complete visibility, reduce noise, and focus on the threats that matter most to the business.

On this week\'s episode

How are CISOs digesting the latest security news?

An article on Bloomberg and an ensuing discussion on LinkedIn pointed out that costs after a breach go beyond fines and lost reputation. It also includes the cost to keep top cybersecurity talent. Salaries for a CISO post-breach can range from $2.5-$6.5 million, that includes stock. What could a security professional show and demonstrate in this time of crisis that they are the one to hire to garner such a salary?

Hey, you\'re a CISO, what\'s your take on this?

Michael Mortensen of Risk Based Security asks a question about when there\'s considerable dialogue with a prospect, and they go cold. Michael wants to know what causes this? He has theories on sales people being impatient or wrong set of expectations, but he\'s interested in the CISO\'s viewpoint. Assuming you have had conversations with a vendor, have you gone cold on their outreach? If so, what was the reason?

It\'s time to play, "What\'s Worse?!"

Two rounds lots of agreement, but plenty of struggle.

Why is everybody talking about this now?

Cryptography firm Crown Sterling has sued Black Hat for breaching its sponsorship agreement and also suing 10 individuals for orchestrating a disruption of the company\'s sponsored talk at the conference in which the CEO presented a finding on discovering prime numbers which are key to public-key encryption. The crowd didn\'t like it and they booed him. You can see a video of one individual yelling, "Get off the stage, you shouldn\'t be here." Crown Sterling argued that Black Hat was in violation of their sponsorship agreement because they didn\'t do enough to stop it.

At Black Hat and related parties I saw many printed signs about codes of conduct. It doesn\'t appear anyone had a plan to enforce those rules.
What has happened in the security community that some security professionals feel they have the right to shout down a speaker like this?
If one of these 10 disruptors was your employee, how would you respond?

What\'s a CISO to do?

So much of a job of a CISO is to change behavior. How do CISOs change behavior to a more secure posture? Where should a CISO start? What\'s the low hanging fruit?

It\\u2019s time for the audience question speed round

Our audience has questions, and our CISOs tried to come up with as many answers as possible. Our closing question put my guest co-host in the hot seat.

Listed in: Technology

Getting Over Our "Security = Compliance" Obsession

On this week\'s episode

Why is everyone talking about this now?

On LinkedIn, Omar Khawaja, CISO, Highmark Health, argued that every time a security person repeats the "Security does not equal compliance" trope, it translates to a belief that compliance is useless. This caused a flurry of discussion. Is compliance useless? If not, Omar asks what should "Security does not equal compliance" be replaced with? Essentially, how should compliance be viewed in an overall security program?

Ask a CISO

Scott Holt, sales engineer, cmd, asked our CISOs how they\'re balancing keeping their information and infrastructure private while at the same time working with vendors to fill security needs?

"What\'s Worse?!"

We\'ve got a question based on the build vs. buy debate.

Hey, You\'re a CISO, what\'s your take on this?

Paul Makowski, Polyswarm, asks a question that\'s very relevant to their business. He said, "Enterprises often subscribe to multiple feeds [of threat intelligence]. They learn their strengths and weaknesses and develop weighting algorithms to divine highest quality intelligence in the context of what\'s being analyzed. How can the industry close the feedback loop with threat intelligence providers, providing them with an opportunity to improve coverage and efficacy (false positive / false negative rates)?"

The Shared Responsibility Model for cloud is, as Amazon and others describe it, the difference between the \\u201csecurity OF the cloud\\u201d and \\u201csecurity IN the cloud,\\u201d with cloud service providers taking care of the OF, and clients taking care of the IN. \\u201cIn the cloud\\u201d means the data, the access \\u2013 especially guest access, and the usage.

More on CISO Series.

Check out lots\\xa0more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company\\u2019s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

Close your eyes. Breathe in. It\\u2019s time for a little security philosophy.

Steven Trippier, Group CISO, Anglian Water Services, asked, "What are the right metrics to use to illustrate the success / performance of the security team?" We\'ve asked this question before and one of the most popular answers was "mean time to identify and remediate." But here\'s the philosophical question that Steven asks, "How does this change in an environment where breaches/malware outbreaks are uncommon and stats such as mean time to identify and mean time to contain are not relevant?"

Listed in: Technology

Open this Email for an Exclusive Look at Our Clickable Web Links

On this week\'s episode

Hey, You\'re a CISO, what\'s your take on this?

Last month, Brian Krebs reported a breach from the 6th-largest cloud solutions provider PCM Inc. which let intruders rifle through Office365 email/documents for a number of customers.

In response, listener Alexander Rabke, Unbound Tech, asked, "Would CISOs continue to do business with \\u2018security\\u2019 companies that are breached?" What\'s your recommendation for sales people who are at such an organization? How should they manage news like this?