Defense in Depth

106 episodes

Defense in Depth promises clear talk on cybersecurity’s most controversial and confusing debates. Once a week we choose one controversial and popular cybersecurity debate and use the InfoSec community’s insights to lead our discussion.

Podcasts

Managing Data Leaks Outside Your Perimeter

Published: April 18, 2024, 10 a.m.
Duration: 29 minutes 56 seconds

Listed in: Technology

What Are the Risks of Being a CISO?

Published: April 11, 2024, 10 a.m.
Duration: 35 minutes 46 seconds

Listed in: Technology

Onboarding Security Professionals

Published: April 4, 2024, 10 a.m.
Duration: 31 minutes 17 seconds

Listed in: Technology

How to Improve Your Relationship With Your Boss

Published: March 28, 2024, 10 a.m.
Duration: 29 minutes 16 seconds

Listed in: Technology

Improving the Responsiveness of Your SOC

Published: March 21, 2024, 10 a.m.
Duration: 27 minutes 46 seconds

Listed in: Technology

The Demand for Affordable Blue Team Training

Published: March 14, 2024, 10 a.m.
Duration: 29 minutes 22 seconds

Listed in: Technology

Why are CISOs Excluded from Executive Leadership?

Published: March 7, 2024, 11 a.m.
Duration: 33 minutes 4 seconds

Listed in: Technology

What Is Your SOC's Single Search of Truth?

Published: Feb. 29, 2024, 11 a.m.
Duration: 30 minutes 44 seconds

Listed in: Technology

When Is Data an Asset and When Is It a Liability?

Published: Feb. 22, 2024, 11 a.m.
Duration: 34 minutes 49 seconds

Listed in: Technology

Tracking Anomalous Behaviors of Legitimate Identities

Published: Feb. 15, 2024, 11 a.m.
Duration: 34 minutes 1 second

Listed in: Technology

Why Do Cybersecurity Startups Fail?

Published: Feb. 8, 2024, 11 a.m.
Duration: 31 minutes 43 seconds

Listed in: Technology

Is "Compliance Doesn't Equal Security" a Pointless Argument?

Published: Feb. 1, 2024, 11 a.m.
Duration: 33 minutes 33 seconds

Listed in: Technology

CISOs' Responsibilities Before and After an M&A

Published: Jan. 25, 2024, 11 a.m.
Duration: 30 minutes 33 seconds

Listed in: Technology

Use Red Teaming To Build, Not Validate, Your Security Program

Published: Jan. 18, 2024, 11 a.m.
Duration: 31 minutes 34 seconds

Listed in: Technology

The Do's and Don'ts of Approaching CISOs

Published: Jan. 11, 2024, 11 a.m.
Duration: 31 minutes 36 seconds

Listed in: Technology

Doing Third Party Risk Management Right

Published: Jan. 4, 2024, 11 a.m.
Duration: 30 minutes 30 seconds

Listed in: Technology

Warning Signs You're About To Be Attacked

Published: Dec. 14, 2023, 11 a.m.
Duration: 33 minutes 7 seconds

Listed in: Technology

Do We Have to Fix ALL the Critical Vulnerabilities?

Published: Dec. 7, 2023, 11 a.m.
Duration: 30 minutes 48 seconds

Listed in: Technology

Mitigating Generative AI Risks

Published: Nov. 30, 2023, 11 a.m.
Duration: 32 minutes 38 seconds

Listed in: Technology

Building a Cyber Strategy for Unknown Unknowns

Published: Nov. 16, 2023, 11 a.m.
Duration: 29 minutes 57 seconds

Listed in: Technology

Responsibly Embracing Generative AI

Published: Nov. 9, 2023, 11 a.m.
Duration: 33 minutes 23 seconds

Listed in: Technology

People Are the Top Attack Vector (Not the Weakest Link)

Published: Nov. 2, 2023, 10 a.m.
Duration: 30 minutes 35 seconds

Listed in: Technology

What's Entry Level in Cybersecurity?

Published: Oct. 26, 2023, 10 a.m.
Duration: 31 minutes 11 seconds

Listed in: Technology

New SEC Rules for Cyber Security

Published: Oct. 19, 2023, 10 a.m.
Duration: 35 minutes 57 seconds

Listed in: Technology

The Value of RSA, Black Hat, and Mega Cyber Tradeshows

Published: Oct. 12, 2023, 10 a.m.
Duration: 29 minutes 33 seconds

Listed in: Technology

Is Remote Work Helping or Hurting Cybersecurity?

Published: Oct. 5, 2023, 10 a.m.
Duration: 31 minutes 25 seconds

Listed in: Technology

How to Manage Users' Desires for New Technology

Published: Sept. 28, 2023, 10 a.m.
Duration: 23 minutes 54 seconds

Listed in: Technology

Cybersecurity Questions Heard Around the Kitchen Table

Published: Sept. 21, 2023, 10 a.m.
Duration: 30 minutes 29 seconds

Listed in: Technology

How to Prime Your Data Lake

Published: Sept. 14, 2023, 10 a.m.
Duration: 27 minutes 18 seconds

Listed in: Technology

Getting Ahead Of Your Threat Intelligence Program

Published: Sept. 7, 2023, 10 a.m.
Duration: 33 minutes 33 seconds

Listed in: Technology

How Security Leaders Deal with Intense Stress

Published: Aug. 31, 2023, 10 a.m.
Duration: 40 minutes 46 seconds

Listed in: Technology

How Do We Influence Secure Behavior?

Published: Aug. 24, 2023, 10 a.m.
Duration: 31 minutes 49 seconds

Listed in: Technology

Security Concerns with ChatGPT

Published: Aug. 17, 2023, 10 a.m.
Duration: 28 minutes 59 seconds

Listed in: Technology

Create A Pipeline of Cyber Talent

Published: Aug. 10, 2023, 10 a.m.
Duration: 32 minutes 5 seconds

Listed in: Technology

Improving Adoption of Least Privileged Access

Published: Aug. 3, 2023, 10 a.m.
Duration: 27 minutes 39 seconds

Listed in: Technology

Securing SaaS Applications

Published: July 27, 2023, 10 a.m.
Duration: 30 minutes 33 seconds

With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO’s architectural strategy?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Steve Zalewski, who also hosts Defense in Depth.

Thanks to our podcast sponsor, AppOmni

AppOmni

Do you know which 3rd party apps are connected to your SaaS platforms? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk.

Get visibility into all 3rd party apps, and their level of data access, with AppOmni. Visit AppOmni.com to request a free risk assessment.

In this episode:

  • With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO’s architectural strategy?
  • Is the problem the architecture of the applications themselves or the fact that a non-security group is bringing these applications online? Is it both?
  • Is this problem solvable?
  • What technical controls can you put in place to mitigate risk from apps you deem risky?

Listed in: Technology

How Do We Get Better Control of Cloud Data?

Published: July 20, 2023, 10 a.m.
Duration: 30 minutes 15 seconds

When it comes to data, compliance, and reducing risk, where are we gaining control? Where are we losing control? And what are we doing about that?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. We welcome our sponsored guest Amer Deeba, CEO and Co-founder, Normalyze.

Thanks to our podcast sponsor, Normalyze

Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.

Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:

  • When it comes to data, compliance, and reducing risk, where are we gaining control?
  • Where are we losing control? And what are we doing about that?
  • Is "losing control" inevitable?
  • Is SaaS really extremely difficult to work with at scale?

Listed in: Technology

Finding Your Security Community

Published: July 13, 2023, 10 a.m.
Duration: 29 minutes 55 seconds

If you're struggling to get your first job in security or you're trying to get back into the industry after being laid off, you need to lean on your security community. But like networking, you should find it before you need it.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski.

Thanks to our podcast sponsor, Egress

Egress

Egress helps organizations stop email security risks by addressing both inbound and outbound threats together. We recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com.

In this episode:

  • Are you struggling to get your first job in security or trying to get back into the industry after being laid off?
  • What is the importance of building your security community network ?
  • What should you look for in a community?
  • What should you expect to put into it, and what should you expect to get back?

Listed in: Technology

Let's Write Better Cybersecurity Job Descriptions

Published: July 6, 2023, 10 a.m.
Duration: 30 minutes 18 seconds

What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Rob Duhart (@robduhart), deputy CISO, Walmart.

Thanks to our podcast sponsor, Normalyze

Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.

Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:

  • What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable?
  • Do these completely unrealistic job descriptions hurt the entire industry?
  • What is it we need to put in a cyber job description, and what do we need to leave out?
  • Who’s losing out here?

Listed in: Technology

How Should Security Better Engage with Application Owners?

Published: June 29, 2023, 10 a.m.
Duration: 30 minutes 48 seconds

Listed in: Technology

How To Get More People Into Cybersecurity

Published: June 22, 2023, 10 a.m.
Duration: 29 minutes 52 seconds

Listed in: Technology

How to Create a Positive Security Culture

Published: June 15, 2023, 10 a.m.
Duration: 30 minutes 59 seconds

Listed in: Technology

How Should We Trust Entry Level Employees?

Published: June 8, 2023, 10 a.m.
Duration: 30 minutes 57 seconds

All experienced security professionals were at one time very green. Entry level status means risk to your organization. That's if you give them too much access. What can you trust an entry level security professional to do that won't impose unnecessary risk? And how can those green professionals build trust to allow them to do more?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Kemas Ohale, vp, global information security, Lippert.

Thanks to our podcast sponsor, Normalyze

Normalyze

Normalyze is a cloud data security platform that continuously discovers sensitive data and their access paths across your cloud environments. Normalyze provides the ability to analyze, prioritize and respond to data threats to prevent damaging data breaches.
Discover, visualize, and secure your cloud data in minutes with Normalyze Freemium.

In this episode:

  • What can you trust an entry level security professional to do that won't impose unnecessary risk?
  • How can those green professionals build trust to allow them to do more?
  • What can they do with zero experience?
  • How can they graduate upwards?

Listed in: Technology

How Must Processes Change to Reduce Risk?

Published: June 1, 2023, 10 a.m.
Duration: 28 minutes 47 seconds

Listed in: Technology

Reputational Damage from Breaches

Published: May 25, 2023, 10 a.m.
Duration: 30 minutes 45 seconds

Listed in: Technology

Do RFPs Work?

Published: May 18, 2023, 10 a.m.
Duration: 27 minutes 36 seconds

Listed in: Technology

Successful Cloud Security

Published: May 11, 2023, 10 a.m.
Duration: 31 minutes 13 seconds

Listed in: Technology

How Should Security Vendors Engage With CISOs?

Published: May 4, 2023, 10 a.m.
Duration: 37 minutes 14 seconds

Listed in: Technology

Gartner Created Product Categories

Published: April 27, 2023, 10 a.m.
Duration: 34 minutes 32 seconds

Listed in: Technology

How to Always Make a Business Case for Security

Published: April 20, 2023, 10 a.m.
Duration: 31 minutes 7 seconds

Listed in: Technology

Do Breaches Happen Because the Tool Fails, or the Tool Was Poorly Configured?

Published: April 13, 2023, 10 a.m.
Duration: 32 minutes 27 seconds

Listed in: Technology

What We Love About Working in Cybersecurity

Published: April 6, 2023, 10 a.m.
Duration: 28 minutes 53 seconds

Listed in: Technology

Security That Accounts for Human Fallibility

Published: March 30, 2023, 10 a.m.
Duration: 31 minutes 55 seconds

Listed in: Technology

Why You Should Be Your Company's Next CISO

Published: March 23, 2023, 10 a.m.
Duration: 27 minutes 55 seconds

Listed in: Technology

How to Become a CISO

Published: March 16, 2023, 10 a.m.
Duration: 30 minutes 46 seconds

Listed in: Technology

Can You Build a Security Program on Open Source?

Published: March 9, 2023, 11 a.m.
Duration: 25 minutes 10 seconds

Listed in: Technology

Third Party Risk vs. Third Party Trust

Published: March 2, 2023, 11 a.m.
Duration: 28 minutes 40 seconds

Listed in: Technology

How Can We Improve the Cyber Sales Cycle?

Published: Feb. 23, 2023, 11 a.m.
Duration: 26 minutes 11 seconds

Listed in: Technology

What Leads a Security Program: Risk or Maturity?

Published: Feb. 16, 2023, 11 a.m.
Duration: 32 minutes 58 seconds

Listed in: Technology

Limitations of Security Frameworks

Published: Feb. 9, 2023, 11 a.m.
Duration: 28 minutes 14 seconds

Listed in: Technology

Why Is There a Cybersecurity Skills Gap?

Published: Feb. 2, 2023, 11 a.m.
Duration: 32 minutes 18 seconds

Listed in: Technology

What Can the Cyber Haves Do for the Cyber Have Nots?

Published: Jan. 26, 2023, 11 a.m.
Duration: 32 minutes 18 seconds

Listed in: Technology

Securing Unmanaged Assets

Published: Jan. 19, 2023, 11 a.m.
Duration: 30 minutes 33 seconds

"When the asset discovery market launched, every single company that offered a solution used the line, “You can’t protect what you don’t know.” Everyone agreed with that.

Problem is, “what you don’t know” has grown… a lot."

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Huxley Barbee (@huxley_barbee), security evangelist, runZero.

Thanks to our podcast sponsor, runZero

runZero

runZero is the cyber asset management solution that helps you find and identify every managed and unmanaged asset connected to your network and in the cloud. Get the data and context needed to effectively manage and secure your environment. Try runZero for free at runzero.com.

In this episode:

  • Everyone agrees that “You can’t protect what you don’t know,” but what do you do when “what you don’t know” has grown… a lot?
  • With all our efforts to know our assets, are we getting any better at understanding them?
  • How do we decide what we should really be measuring?
  • How do we determine what’s most important in terms of asset management?

Listed in: Technology

Ambulance Chasing Security Vendors

Published: Jan. 12, 2023, 11 a.m.
Duration: 32 minutes 44 seconds

Listed in: Technology

Do CISOs Have More Stress than Other C-Suite Jobs?

Published: Jan. 5, 2023, 11 a.m.
Duration: 30 minutes 38 seconds

Listed in: Technology

How Should We Discuss Cyber With the C-Suite?

Published: Dec. 15, 2022, 11 a.m.
Duration: 28 minutes 40 seconds

Listed in: Technology

Can You Be a vCISO If You've Never Been a CISO?

Published: Dec. 8, 2022, 11 a.m.
Duration: 28 minutes 40 seconds

Listed in: Technology

How Should We Gauge a Company's Cyber Health?

Published: Dec. 1, 2022, 11 a.m.
Duration: 31 minutes 20 seconds

Listed in: Technology

Reducing the Attack Surface

Published: Nov. 17, 2022, 11 a.m.
Duration: 31 minutes 11 seconds

Listed in: Technology

Do We Need a Marketing Manager for the Security Team?

Published: Nov. 10, 2022, 11 a.m.
Duration: 32 minutes 13 seconds

Listed in: Technology

Cybersecurity Budgets

Published: Nov. 3, 2022, 10 a.m.
Duration: 26 minutes 43 seconds

Listed in: Technology

How Can We Make Sense of Cybersecurity Titles?

Published: Oct. 27, 2022, 10 a.m.
Duration: 30 minutes 51 seconds

Listed in: Technology

Walk a Mile in a Security Recruiter's Shoes

Published: Oct. 20, 2022, 10 a.m.
Duration: 29 minutes 13 seconds

If your CFO or Board were to ask, ‘How much could we lose to a cyber attack?’, would you know?

Introducing SAFE - the industry’s most complete Cyber Risk Quantification solution to help you answer those crucial questions in real-time:

  • Visualize and measure cyber risk across your entire estate
  • Discover your $ risk exposure per attack vector
  • Gain personalized, actionable insights to tackle your most critical risks
  • Communicate your real-time cyber risk posture to your Board

Learn more at www.safe.security

In this episode:

  • Instead of complaining about the security hiring process, CISOs should walk a mile in a recruiter's shoes and have a little compassion for what they're going through.
  • Have we thought about the process we’re creating for candidates?
  • Are we being responsible and thinking about the candidate's journey vs. being opportunistic?

Listed in: Technology

Moving Security from a Prevention to a Resilience Strategy

Published: Oct. 13, 2022, 10 a.m.
Duration: 28 minutes 17 seconds

Listed in: Technology

How to Engage with Non-Technical Business Leaders

Published: Oct. 6, 2022, 10 a.m.
Duration: 29 minutes 58 seconds

Listed in: Technology

Cybersecurity Burnout

Published: Sept. 29, 2022, 10 a.m.
Duration: 32 minutes 37 seconds

Listed in: Technology

How to Build a Greenfield Security Program

Published: Sept. 22, 2022, 10 a.m.
Duration: 31 minutes 6 seconds

Listed in: Technology

Managing the Onslaught of Files

Published: Sept. 15, 2022, 10 a.m.
Duration: 31 minutes 36 seconds

Listed in: Technology

Can You Have Culture Fit and Diversity, or Are They Mutually Exclusive?

Published: Sept. 8, 2022, 10 a.m.
Duration: 34 minutes 59 seconds

Listed in: Technology

How to Follow Up With a CISO

Published: Sept. 1, 2022, 10 a.m.
Duration: 36 minutes 23 seconds

Listed in: Technology

Roles to Prepare You to Be a CISO

Published: Aug. 25, 2022, 10 a.m.
Duration: 31 minutes 55 seconds

Listed in: Technology

Minimizing Damage from a Breach

Published: Aug. 18, 2022, 10 a.m.
Duration: 25 minutes 18 seconds

Listed in: Technology

We're All Still Learning Cyber

Published: Aug. 11, 2022, 10 a.m.
Duration: 28 minutes 21 seconds

Listed in: Technology

Practical Cybersecurity for IT Professionals

Published: Aug. 4, 2022, 10 a.m.
Duration: 28 minutes 26 seconds

Listed in: Technology

Data Protection for Whatever Comes Next

Published: July 28, 2022, 10 a.m.
Duration: 25 minutes 46 seconds

Listed in: Technology

What Is Attack Surface Profiling?

Published: July 21, 2022, 10 a.m.
Duration: 31 minutes 36 seconds

Listed in: Technology

How Can You Tell If Your Security Program Is Improving?

Published: July 14, 2022, 10 a.m.
Duration: 31 minutes 17 seconds

Listed in: Technology

How Can We Improve Recruiting of CISOs and Security Leaders?

Published: July 7, 2022, 10 a.m.
Duration: 29 minutes 50 seconds

Listed in: Technology

How Is Our Data Being Weaponized Against Us?

Published: June 30, 2022, 10 a.m.
Duration: 28 minutes 6 seconds

Listed in: Technology

Can Security Be a Profit Center?

Published: June 23, 2022, 10 a.m.
Duration: 29 minutes 35 seconds

Listed in: Technology

Getting Ahead of the Ongoing Malware Fight

Published: June 16, 2022, 10 a.m.
Duration: 27 minutes 8 seconds

Listed in: Technology

Building a Security Awareness Training Program

Published: June 9, 2022, 10 a.m.
Duration: 28 minutes 14 seconds

Listed in: Technology

Onboarding Cyber Professionals with No Experience

Published: June 2, 2022, 10 a.m.
Duration: 28 minutes 44 seconds

Listed in: Technology

Where's the Trust in Zero Trust?

Published: May 26, 2022, 10 a.m.
Duration: 28 minutes 15 seconds

Listed in: Technology

Who Investigates Cyber Solutions?

Published: May 19, 2022, 10 a.m.
Duration: 27 minutes 53 seconds

Listed in: Technology

Does the Cybersecurity Industry Suck?

Published: May 12, 2022, 10 a.m.
Duration: 33 minutes 30 seconds

Listed in: Technology

Are We Taking Zero Trust Too Far?

Published: May 5, 2022, 10 a.m.
Duration: 29 minutes 43 seconds

Listed in: Technology

Is Shift Left Working?

Published: April 28, 2022, 10 a.m.
Duration: 32 minutes 51 seconds

Listed in: Technology

Technical vs. Compliance Professionals

Published: April 21, 2022, 10 a.m.
Duration: 28 minutes 43 seconds

Listed in: Technology

Why Do So Many Cybersecurity Products Suck?

Published: April 14, 2022, 10 a.m.
Duration: 31 minutes 33 seconds

Listed in: Technology

Training for a Cyber Disaster

Published: April 7, 2022, 10 a.m.
Duration: 27 minutes 47 seconds

Listed in: Technology

Virtual Patching

Published: March 31, 2022, 10 a.m.
Duration: 29 minutes 30 seconds

Listed in: Technology

Start a Cybersecurity Department from Scratch

Published: March 24, 2022, 10 a.m.
Duration: 28 minutes 33 seconds

Listed in: Technology

How to Think Like a Cybercrook

Published: March 17, 2022, 10 a.m.
Duration: 31 minutes 20 seconds

Listed in: Technology

Building a Data-First Security Program

Published: March 10, 2022, 11 a.m.
Duration: 32 minutes 50 seconds

Listed in: Technology

Offensive Security

Published: March 3, 2022, 11 a.m.
Duration: 31 minutes 43 seconds

Listed in: Technology

When Vendors Pounce on New CISOs

Published: Feb. 24, 2022, 11 a.m.
Duration: 29 minutes 55 seconds

Listed in: Technology

Building a Cybersecurity Culture

Published: Feb. 17, 2022, 11 a.m.
Duration: 27 minutes 29 seconds

Listed in: Technology

How to Pitch to a Security Analyst

Published: Feb. 10, 2022, 11 a.m.
Duration: 31 minutes

Listed in: Technology

Is Your Data Safer in the Cloud?

Published: Feb. 3, 2022, 11 a.m.
Duration: 27 minutes 46 seconds

Listed in: Technology

What Should We Stop Doing in Cybersecurity?

Published: Jan. 27, 2022, 11 a.m.
Duration: 24 minutes 57 seconds

Listed in: Technology

DDoS Solutions

Published: Jan. 20, 2022, 11 a.m.
Duration: 28 minutes 46 seconds

Listed in: Technology

Making Cybersecurity Faster and More Responsive

Published: Jan. 13, 2022, 11 a.m.
Duration: 30 minutes 53 seconds

Listed in: Technology

Promises of Automation

Published: Jan. 6, 2022, 11 a.m.
Duration: 26 minutes 59 seconds

Listed in: Technology

When Social Engineering Bypasses Our Cyber Tools

Published: Dec. 16, 2021, 11 a.m.
Duration: 28 minutes 51 seconds

Listed in: Technology

How Can We Simplify Security?

Published: Dec. 9, 2021, 11 a.m.
Duration: 28 minutes 17 seconds

Listed in: Technology

Convergence of Physical and Digital Security

Published: Dec. 2, 2021, 11 a.m.
Duration: 30 minutes 39 seconds

Listed in: Technology

How Do You Measure Cybersecurity Success?

Published: Nov. 18, 2021, 11 a.m.
Duration: 29 minutes

Listed in: Technology

How Do We Turn Tables Against Adversaries?

Published: Nov. 11, 2021, 11 a.m.
Duration: 26 minutes 47 seconds

Listed in: Technology

Ageism in Cybersecurity

Published: Nov. 4, 2021, 10 a.m.
Duration: 31 minutes 46 seconds

Listed in: Technology

Proactive Vulnerability Management

Published: Oct. 28, 2021, 10 a.m.
Duration: 32 minutes 36 seconds

Listed in: Technology

Why Is Security Recruiting So Broken?

Published: Oct. 21, 2021, 10 a.m.
Duration: 32 minutes 55 seconds

Listed in: Technology

How to Be a Vendor that CISOs Love

Published: Oct. 14, 2021, 10 a.m.
Duration: 30 minutes 2 seconds

Listed in: Technology

The "Are We Secure?" Question

Published: Oct. 7, 2021, 10 a.m.
Duration: 28 minutes 33 seconds

Listed in: Technology

Ransomware Kill Chain

Published: Sept. 30, 2021, 10 a.m.
Duration: 31 minutes 5 seconds

Listed in: Technology

Can Technology Solve Phishing?

Published: Sept. 23, 2021, 10 a.m.
Duration: 30 minutes 33 seconds

Listed in: Technology

Convergence of SIEM and SOAR

Published: Sept. 16, 2021, 10 a.m.
Duration: 27 minutes 2 seconds

Listed in: Technology

Cybersecurity Is Not Easy to Get Into

Published: Sept. 9, 2021, 10 a.m.
Duration: 31 minutes 8 seconds

Listed in: Technology

Preventing Ransomware

Published: Sept. 2, 2021, 10 a.m.
Duration: 27 minutes 16 seconds

Listed in: Technology

Managing Lateral Movement

Published: Aug. 26, 2021, 10 a.m.
Duration: 29 minutes 3 seconds

Listed in: Technology

First Steps as a CISO

Published: Aug. 19, 2021, 10 a.m.
Duration: 30 minutes 21 seconds

Listed in: Technology

How Does Ransomware Enter the Network?

Published: Aug. 12, 2021, 10 a.m.
Duration: 28 minutes 47 seconds

Listed in: Technology

What's the Value of Certifications?

Published: Aug. 5, 2021, 10 a.m.
Duration: 30 minutes 14 seconds

Listed in: Technology

Measuring the Success of Cloud Security

Published: July 29, 2021, 10 a.m.
Duration: 27 minutes 17 seconds

Listed in: Technology

How do I get my first cybersecurity job?

Published: July 22, 2021, 10 a.m.
Duration: 28 minutes 32 seconds

Listed in: Technology

Educating the Board About Cybersecurity

Published: July 15, 2021, 10 a.m.
Duration: 25 minutes 58 seconds

What do we want the Board and C-Suite to know about cybersecurity? If you could teach them one thing about cybersecurity that would stick, what would that be?

Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care.

Thanks to our podcast sponsor, Proofpoint

Proofpoint

Sixty-six percent of CISOs feel their organization is unprepared to handle a cyberattack, and 58% consider human error to be their biggest cyber vulnerability. Proofpoint's 2021 Voice of the CISO report explores key challenges facing CISOs after an unprecedented twelve months. Get the report.

In this episode

  • What the Board needs to know to make the CISO’s job more effective
  • It’s not about the Board understanding cyber, but it is about mitigating risk
  • Security is a shared responsibility: Board & CISOs
  • Using other companies’ breaches as Board learning opportunities

Listed in: Technology

CISO Recruiting Is Broken

Published: July 5, 2021, 10:21 p.m.
Duration: 28 minutes 13 seconds

Listed in: Technology

Retaining Cyber Talent

Published: July 1, 2021, 10 a.m.
Duration: 34 minutes 7 seconds

Listed in: Technology

Salesforce Security

Published: June 24, 2021, 10 a.m.
Duration: 23 minutes 25 seconds

Listed in: Technology

Cloud Configuration Fails

Published: June 17, 2021, 10 a.m.
Duration: 24 minutes 35 seconds

Listed in: Technology

Starting Pay for Cyber Staff

Published: June 10, 2021, 10 a.m.
Duration: 30 minutes 11 seconds

Listed in: Technology

Fear of Automation

Published: June 3, 2021, 10 a.m.
Duration: 24 minutes 11 seconds

Listed in: Technology

Hiring Talent with No Security Experience

Published: May 27, 2021, 10 a.m.
Duration: 27 minutes 18 seconds

Listed in: Technology

Security Hygiene for Software Development

Published: May 20, 2021, 10 a.m.
Duration: 25 minutes 31 seconds

Listed in: Technology

How Much Do You Know About Your Data?

Published: May 13, 2021, 10 a.m.
Duration: 26 minutes 24 seconds

Do cybersecurity professionals even know what they're protecting? How aware are they of the data, its content and its sensitivity? What happens to your security posture when you do understand the data you're protecting? What can you do that you weren't able to do before?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and Steve Zalewski, CISO, Levi Strauss, with our sponsored guest, Aidan Simister (@aidansimister), CEO, Lepide.

Thanks to our podcast sponsor, Lepide

Lepide

Ninety-eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real-time alerting, and real-time data discovery and classification allows you to identify, prioritize and investigate threats, fast.

In this episode:

  • How much do you know about the data you are being asked to protect?
  • Equating the value of the data to be protected with the cost of protection
  • How to find out how data is being used
  • Moving beyond the bare minimum of protection


Listed in: Technology

Do Startups Need a CISO?

Published: May 6, 2021, 10 a.m.
Duration: 28 minutes 13 seconds

Startups are all about proving the value of their product and growth. At the beginning, all of their money is funneled into product and market development. When do they need a CISO, if at all?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Jimmy Sanders (@jfireluv), head of cybersecurity for Netflix DVD, and our guest Bryan Zimmer (@bryanzimmer), head of security for Humu.

Thanks to our podcast sponsor, Lepide

Lepide

Ninety-eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real-time alerting, and real-time data discovery and classification allows you to identify, prioritize and investigate threats, fast.

In this episode:

  • Should a company get a CISO right away, or wait until the security program matures?
  • If they get a CISO should they go for "on-prem" or on-demand?
  • Or.... should they just go and seek CISO-level advice from the security community?

Listed in: Technology

Insider Risk

Published: April 29, 2021, 10 a.m.
Duration: 29 minutes 7 seconds

By just doing their jobs, your employees are introducing risk to the business. They don't mean to be causing issues, but their simple actions and sometimes mistakes can cause great harm. Is it their fault, or is it security's fault for not creating the right systems?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, CISO, Levi's, and our sponsored guest Mark Wojtasiak (@markwojtasiak), vp, portfolio strategy & product marketing, Code42, and author of Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore.

Thanks to our podcast sponsor, Code42

Code42

Redefine data security standards for the hybrid workforce. Check out Code42.

In this episode:

  • Distractions and fatigue causing split-second mistakes
  • The need for tailored education and training
  • Making it easier for people to make the right choice
  • Identify ways damage could happen, in order to mitigate

Listed in: Technology

What's the Obsession with Zero Trust?

Published: April 22, 2021, 10 a.m.
Duration: 28 minutes 33 seconds

Listed in: Technology

Mentoring

Published: April 15, 2021, 10 a.m.
Duration: 27 minutes 23 seconds

Companies want security people with experience and they want to grow cybersecurity leaders. It's often hard to find that experience, and while there are certification courses aplenty, courses in cybersecurity leadership are hard to find. One possible solution is mentoring, but that has its own hurdles.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Sean Catlett, CSO, Slack.

Thanks to our podcast sponsor, Code42

In this episode

  • The mutual value of being a mentor
  • What obligations does a mentee have?
  • Mentorship: large-scale concepts or day-to-day or both?


Listed in: Technology

Securing the Super Bowl and Other Huge Events

Published: April 8, 2021, 10 a.m.
Duration: 30 minutes 20 seconds

How do cybersecurity professionals secure a huge event like the Olympics, the Super Bowl, or a city's New Year's Eve party? What are the unique considerations that come into play?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Tomás Maldonado (@tomas_mald), CISO, NFL.

Thanks to our podcast sponsor, Lepide

Lepide

Ninety-eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real-time alerting, and real-time data discovery and classification allows you to identify, prioritize and investigate threats - fast.

In this episode

  • Protecting large events starts long before, like years before
  • How threat actors targeting events differ from those targeting companies
  • It's not just the target - there's also public safety
  • When it goes live, it GOES LIVE


Listed in: Technology

Cybersecurity Isn't That Difficult

Published: April 1, 2021, 10 a.m.
Duration: 26 minutes 50 seconds

What are you security people complaining about? Compared to 10, 15, 20 years ago, the technical aspects of cybersecurity are not that difficult. We've got the control frameworks, tools, and training that our predecessors didn't have.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies, and our guest, John Overbaugh (@johnoverbaugh), vp, security, CareCentrix.

Thanks to our podcast sponsor, Trend Micro

Trend Micro

Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud.

In this episode

  • What infosec was like "back in the day"
  • What's out of alignment: the technology or the culture?
  • Can we really stand on the shoulders of giants amid so much change?
  • Where is individual cyberhygiene in all of this?

Listed in: Technology

Cloud Security Myths

Published: March 25, 2021, 10 a.m.
Duration: 28 minutes 29 seconds

The cloud is inherently insecure! The cloud will handle all your security needs. More data breaches happen in the cloud. These are just some of the many myths of cloud security. Listen as we debunk as many as we possibly can.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, CISO, Levi's, and our sponsored guest Mark Nunnikhoven (@markna), vp, cloud research, Trend Micro.

Thanks to our podcast sponsor, Trend Micro

Trend Micro

Threat actors want what you’re storing in the cloud. Trend Micro’s Cloud One platform provides cloud security from a single console, keeping you at your most resilient. Let what happens in the cloud, stay in the cloud.

In this episode

  • How many cloud myths from years back still endure?
  • Is cloud less secure or more secure now?
  • Who has the responsibility for security?
  • Just because you're in the cloud, does that mean you're protected?


Listed in: Technology

What Is Security's Mission?

Published: March 18, 2021, 10 a.m.
Duration: 25 minutes 56 seconds

In this episode

  • Security mission option 1: protecting the company
  • Security mission option 2: protecting the brand & revenue stream
  • Does one lead to/support the other?
  • Does the degree of cloud presence make a difference?
  • How much of this is technical vs philosophical?


Listed in: Technology

Vendor CISOs

Published: March 11, 2021, 11 a.m.
Duration: 27 minutes 9 seconds

It's hard to be a CISO. But, what's it like to be a CISO at a security vendor, doing the hard work while carrying the stigma of being a "vendor"?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Allan Alford (@AllanAlfordinTX), CTO/CISO, TrustMAPP, and host of The Cyber Ranch Podcast.

Thanks to our podcast sponsor, TrustMAPP

TrustMAPP

Does your board want to see yet more heat maps? No, they do not. They want to see that security investments align with business goals, and that their costs are objectively justified. TrustMAPP’s data visualization helps you communicate with your board in a way they can understand – and approve.

In this episode

  • How to balance being an advocate, an evangelist and an operator
  • Are there really "stigmas" to being a security vendor?
  • What's unique to practicing security while being a security vendor?

Listed in: Technology

How Much Log Data Is Enough?

Published: March 4, 2021, 11 a.m.
Duration: 25 minutes 5 seconds

You're a CISO struggling with an influx of log data into your SIEM. What's the data you want to keep, and for how long? You want insights, but you also want to keep costs down. Holding onto everything is going to cost a fortune.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, deputy CISO, Levi's, and our guest Naomi Buckwalter (@ineedmorecyber), director of information security and IT at Beam Technologies.

Thanks to our podcast sponsor, TrustMAPP

TrustMAPP

Does your board want to see yet more heat maps? No, they do not. They want to see that security investments align with business goals, and that their costs are objectively justified. TrustMAPP’s data visualization helps you communicate with your board in a way they can understand – and approve.

In this episode

  • So, what is the sweet spot for retaining log files? 90 days? 1 year?
  • Should you categorize according to business criticality?
  • How do you separate the "junk" from the valuable data?


Listed in: Technology

Should Finance or Legal Mentor Cyber?

Published: Feb. 25, 2021, 11 a.m.
Duration: 25 minutes 17 seconds

Cybersecurity leaders are constantly looking for ways to improve how they think about risk, and how they communicate risk. But they're not the only ones. Others have been managing risk long before CISOs existed. So, who could be the best mentor to help a CISO gain better insight into business risk and how to communicate about it: the chief financial officer, or the legal department's general counsel?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest, David Schellhase (@davidschellhase), general counsel, Slack.

Thanks to our podcast sponsor, TrustMAPP

TrustMAPP

TrustMAPP delivers Security Performance Management, giving CISOs a real-time view of the effectiveness of their security program. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP gives organizations the ability to manage security as a business, quantifying and prioritizing remediation actions and costs. To learn about the MAPP methodology, download the white paper at https://trustmapp.com/mapp-paper/

In this episode

  • Which executive could a CISO learn more about risk from?
  • Determining the ROI of finance, legal and other execs
  • Analyzing why it's so important to establish the ideal mentorship relationship

Listed in: Technology

Data Destruction

Published: Feb. 18, 2021, 11 a.m.
Duration: 27 minutes 24 seconds

How do you deal with data at end of life? Holding onto data too long can be very costly and increase risk. So how do you get rid of it... safely?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Shawn Bowen, CISO, Restaurant Brands International (RBI), and our sponsored guest, Frank Milia (@ITAssetRecvry), partner, IT Asset Management Group.

Thanks to our podcast sponsor, IT Asset Management Group

IT Asset Management Group

Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties have now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO

In this episode

  • Is the risk of holding onto data greater than the value of keeping it?
  • Should client data be considered a "toxic byproduct"?
  • When disposing of client data, how much destruction is enough?
  • What legal and regulatory requirements should be considered before destroying data?


Listed in: Technology

How to Make Cybersecurity More Efficient

Published: Feb. 11, 2021, 11 a.m.
Duration: 25 minutes 42 seconds

You're a new CISO told to hold headcount even and find the resources to do 20% more work. We're already maxed out. So how do we do more? Coming up next we're getting smart and more efficient with security.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levi's, and our guest, Mike Morgan (@theywerecones), head of information security and infrastructure director, Foster Farms.

Thanks to our podcast sponsor, IT Asset Management Group

IT Asset Management Group

Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties have now resulted in millions of dollars in regulatory penalties. Is it clear who is responsible for the performance of your data disposition practice? IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners. Download the program guide today at itamg.com/CISO

In this episode

  • Improving processes right from the beginning of the pipeline
  • Looking for waste - and knowing what "waste" is
  • Doing more with less means at some point, something important will break
  • Delegating and crossing over skills
  • Watching out for IT sprawl and "newfangled" solutions

Listed in: Technology

Does a CISO Need Tech Skills?

Published: Feb. 4, 2021, 11 a.m.
Duration: 27 minutes 8 seconds

  • Why having the skills helps with realistic expectations
  • Being able to see through the nonsense
  • The value of staying passionate about the profession

Listed in: Technology

How Do You Know if You're Good at Security?

Published: Jan. 28, 2021, 6 p.m.
Duration: 25 minutes 53 seconds

What metrics or indicators signal to you that an organization is “good at security”?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Justin Berman (@justinmberman), former CISO, Dropbox.

Thanks to our podcast sponsor, Imperva

Imperva

Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now.

In this episode

  • How to go about measuring risk
  • Assessing the ratio of critical/high severity issues to issues closed
  • The difference between a reactive or proactive threat management policy


Listed in: Technology

Building a Security Team

Published: Jan. 21, 2021, 11 a.m.
Duration: 31 minutes 58 seconds

You're a new CISO at a new org given a headcount of ten to build a cybersecurity team. What's your strategy to build that team?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Steve Zalewski, Deputy CISO, Levi's, and our guest JJ Agha (@jaysquaredx2), CISO, Compass.

Thanks to our podcast sponsor, Imperva

Imperva

Face it, your data is everywhere! Imperva Data Security unifies compliance, security and privacy needs for any data store while saving you time and money. No matter where data lives, get confidence about what is happening with data, where it’s stored and who’s accessing it. Start a free trial now.

In this episode

  • The importance of assessments and gap analyses
  • Why you need to leverage your network
  • Educating and empowering teams
  • Introspection and self-awareness as a leader


Listed in: Technology

Are our Data Protection Strategies Evolving?

Published: Jan. 14, 2021, 11 a.m.
Duration: 25 minutes 12 seconds

In this episode

  • Cloud platforms and exposure make it easier to deploy with less oversight, making mistakes easier.
  • There's a need for a change of mindset among product and marketing leaders, to consider the consequences of taking in different data types in the design phase.
  • There's also a need for SIEM tools and access management.


Listed in: Technology

Should CISOs Be Licensed Professionals?

Published: Jan. 7, 2021, 11 a.m.
Duration: 26 minutes 47 seconds

Many professionals are required to obtain a license before they can do their job legally. The demands on cybersecurity professionals, especially CISOs, have become more critical, as evidenced by the increasing number of regulations demanding that a person oversee security and privacy controls. Should CISOs be licensed to maintain a minimum standard?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Patrick Benoit (@patrickbenoit), vp, global head of GRC and BISO, CBRE.

Thanks to this week's podcast sponsor, F5

F5

External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.

Highlights from this episode of Defense in Depth:

  • Almost universally, nobody liked the idea of requiring a CISO to have a license in order to practice. But, with that said, the subject stirred up a hornet's nest of discussion.
  • The main complaint is that the job changes so drastically depending on what industry you're in.
  • Many argued that a license won't translate into success. It's hard to tell how to put a license around someone who is managing risk but doesn't own the risk.


Listed in: Technology

Inherently Vulnerable By Design

Published: Dec. 17, 2020, 11 a.m.
Duration: 26 minutes 54 seconds

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-inherently-vulnerable-by-design/)

Much of what we do as practitioners is to prevent inadvertent security problems - oversights, zero-days, etc. What about inherent and unavoidable problems? When the very design of the thing requires a lack of security? What do you do then?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest Dan Woods, vp of the Shape Intelligence Center, F5.

Thanks to this week's podcast sponsor, F5.

F5

External threats to your organization’s security are constantly evolving. Your apps need broad and preventive protection from bot attacks that cause large-scale fraud, higher operational costs, and problems for your users. And they need to be optimized for secure operation internally. Silverline Shape Defense helps you stay ahead of cyber threats and fraud. Get a free trial.

On this episode of Defense in Depth, you’ll learn:

  • The mere act of conducting business requires you to have certain procedures that make you vulnerable. Simple things like taking customer information to create user accounts and processing credit cards. That's inherent to doing business, and by opening that up, it makes you vulnerable.
  • A lot of this inherent vulnerability comes down to having users or customers and needing to authenticate them.
  • When you start a business you're also accepting the inherent vulnerability, and you have to ask yourself to what level the business can function with that vulnerability being abused. It's all about risk appetite.
  • Two-factor authentication sure is nice, but there have to be multiple "behind the scenes" authentications going on to verify identity continuously.
  • As you're collecting all these additional data points, you can use that information to ask the user to verify.
  • Provide discounts to customers and users for good security practices. Insurance companies do this with people who prove safe driving practices. It could be a win-win for everybody. For example, Mailchimp gives you a discount if you enable 2FA. Why not offer a discount for a really long and complicated password?
  • One of the major issues is that the password reset process happens through email. Email wasn't designed for critical authentication. Many hacks happen through the reset process via email.
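The last three points above name the weak link (the reset link arrives by email) and the countermeasure (additional identity signals checked behind the scenes). As an added example, not from the episode or from CISO Series, here is a Python reset-token flow that does not treat possession of the emailed link as proof of identity: the link carries a random verifier of which only the hash is stored, the token expires after TOKEN_TTL_SECONDS, it is single-use and superseded by any newer request, and redemption from a device never seen on the account returns "step_up" until an out-of-band challenge has been completed. The in-memory user store, the 15-minute TTL, the device_fingerprint string and the second_factor_ok flag are assumptions standing in for a real user database and challenge mechanism.

```python
# Added example (not from the episode or from CISO Series): a password-reset flow that
# does not treat possession of the emailed link as proof of identity.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Assumption: 15 minutes is long enough for a real user and short enough to limit
# the value of a link sitting in a compromised mailbox.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    user_id: str
    token_hash: bytes   # only the hash is stored: a leaked database row cannot be replayed
    expires_at: float
    used: bool = False


@dataclass
class UserProfile:
    # Device fingerprints seen on previous successful logins (hypothetical signal store).
    known_devices: Set[str] = field(default_factory=set)


class PasswordResetService:
    def __init__(self, users: Dict[str, UserProfile], now: Callable[[], float] = time.time):
        self._users = users      # constructed in-memory user store standing in for a database
        self._now = now          # injectable clock so expiry is testable
        self._records: Dict[str, ResetRecord] = {}   # selector -> record

    def issue(self, user_id: str) -> str:
        """Create the opaque token to put in the reset link. Any earlier, unredeemed
        token for the same user is invalidated, so repeated requests leave one live link."""
        for rec in self._records.values():
            if rec.user_id == user_id:
                rec.used = True
        selector = secrets.token_urlsafe(9)    # lookup key, not secret
        verifier = secrets.token_urlsafe(32)   # 256 bits of randomness, the secret part
        self._records[selector] = ResetRecord(
            user_id=user_id,
            token_hash=hashlib.sha256(verifier.encode()).digest(),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return f"{selector}.{verifier}"

    def redeem(self, token: str, device_fingerprint: str, second_factor_ok: bool = False) -> str:
        """Return "ok" (token consumed, caller may now set the new password),
        "step_up" (link is valid but an out-of-band challenge is still required),
        or "reject" (unknown, expired, already used, superseded or tampered token)."""
        selector, _, verifier = token.partition(".")
        rec = self._records.get(selector)
        if rec is None or not verifier:
            return "reject"
        if rec.used or self._now() > rec.expires_at:
            return "reject"
        presented = hashlib.sha256(verifier.encode()).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(rec.token_hash, presented):
            return "reject"
        # The link proves control of the mailbox, not the person. When the redeeming device
        # has never been seen on this account, demand a second signal before accepting.
        profile = self._users[rec.user_id]
        if device_fingerprint not in profile.known_devices and not second_factor_ok:
            return "step_up"
        rec.used = True
        return "ok"


if __name__ == "__main__":
    users = {"alice": UserProfile(known_devices={"laptop-1"})}
    svc = PasswordResetService(users)
    link_token = svc.issue("alice")
    print(svc.redeem(link_token, "unknown-phone"))   # step_up
    print(svc.redeem(link_token, "laptop-1"))        # ok
    print(svc.redeem(link_token, "laptop-1"))        # reject (single use)
```

On "ok" the caller sets the new password, revokes the account's existing sessions and notifies the user; a "step_up" result leaves the token live so the user can finish the challenge and retry, which is the point: the email alone never completes the reset.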


Listed in: Technology

Imposter Syndrome

Published: Dec. 10, 2020, 11 a.m.
Duration: 28 minutes 43 seconds

For CISOs and other security leaders, suffering from imposter syndrome seems inevitable. How can you ever be really confident when there's an endless stream of threats and a landscape that changes without your knowledge?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest David Peach (@realdavidp), CISO and head of privacy, The Economist Group.

Thanks to this week's podcast sponsor, F5.

F5

CISOs are dealing with the increasing sophistication of cyber attackers that are taking advantage of their applications. Find out how F5 helps organizations expand their security and see the unseen by watching the F5 Security Summit webinar. View it here.

On this episode of Defense in Depth, you’ll learn:

  • Imposter syndrome is a feeling of not being as good as you purport to be or others perceive you to be. Almost all security professionals, especially CISOs, have moments of imposter syndrome.
  • The root of the problem is underestimating your contributions.
  • Imposter syndrome can debilitate a security professional. But the opposite is also dangerous. If you don't question your ability and think you alone can solve things, and others perceive that you can do that as well, that's a disaster waiting to happen.
  • The relentless change of technology and threats can overwhelm a professional and leave them feeling that they can't keep up. There's a sense that you will always be behind.
  • It's not a sprint, nor a marathon. Security is an infinite game. There's no winning and no moment of relief, but looking at it as a journey you can see success along the way.
  • There is an outside pressure that CISOs know more than they actually do, and at the same time they don't want to disappoint management, the business, or the team.
  • Imposter syndrome can be seen as a positive when it leads to self awareness and improvement.
  • Be smart enough to know how little you do know and accept it, but still stay on that journey to keep learning more.
  • You can\'t teach the person who thinks they know it all.
  • The flipside is you rarely get congratulated for your work as a security professional.


Listed in: Technology

Why Don't More Companies Take Cybersecurity Seriously?

Published: Dec. 3, 2020, 11 a.m.
Duration: 27 minutes 55 seconds

With every cybersecurity breach, we still don't seem to be getting through. Many companies don't seem to be taking cybersecurity seriously. What does it take? Obviously not scare tactics.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Ben Sapiro, global CISO, Great-West LifeCo.

Thanks to this week's podcast sponsor, Sonatype.

Sonatype

On this episode of Defense in Depth, you’ll learn:

  • Even with attacks and breaches on a constant march, far too many companies operate under the "it will never happen to me" ostrich strategy.
  • The problem with the "I'm too small to attack" defense is that you probably also have minimal security protections, which makes you far easier to attack. It's far easier to penetrate 100 low-defense targets than one huge target with high defenses.
  • Watching other companies survive a breach makes one feel as if they'll be just as resilient.
  • Many companies not showing interest in cybersecurity may simply not be doing appropriate risk-based analysis.
  • A company in a highly regulated industry has no choice but to take cybersecurity seriously.
  • Businesses that are highly built on trust and have a low barrier to exit often understand the need to take cybersecurity seriously. They are always cognizant of reputational risk.
  • Many feel that they are powerless against the onslaught of attacks and even if they do take cybersecurity seriously and spend money defending themselves it will all be a giant waste of effort.
  • Many people simply don't feel attached to any type of cybersecurity effort. If you're not vested in it, why care about it?
  • Those of us in cybersecurity forget what it feels like to not know anything about cybersecurity.


Listed in: Technology

Data Protection and Visibility

Published: Nov. 19, 2020, 11 a.m.
Duration: 33 minutes 7 seconds

Where is your data? Who's accessing it? You may know if you have an identity and access management solution, but what happens when that data leaves your control? What do you do then?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest Elliot Lewis (@elliotdlewis), CEO, Keyavi Data.

Thanks to this week's podcast sponsor, Keyavi Data.

Keyavi Data

Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you’ll learn:

  • In general, all of security is based on detecting threats and stopping threats. When those two fail, and they do, what's your recourse to protect your data?
  • What if, when your data leaves your control either accidentally or through a malicious breach, you were still able to see your data wherever it went, and your data could communicate back to you its status, allowing you to control access to your data?
  • There are so many scenarios in which data leaves you that it's impossible to protect against all of them.
  • Asset inventory is the first step in the CIS 20. Just trying to get an asset inventory of equipment is difficult. An inventory of data is near impossible, especially when you may be pumping out a terabyte of data a day.
  • The ideal situation is to protect data proactively, as it's being created.
  • The ultimate goal is to have visibility of your data in perpetuity, for the life of the data, so that you can decide when to destroy it even when it's no longer within the confines of your greater network and ecosystem.
  • Governing your network, your applications, the rules, and the data is half the battle.
  • Data visibility also allows you to make informed decisions as a business and can provide the answers your legal team will need in case there\'s a breach.
  • You want the data protection and visibility schema to be platform and ecosystem independent. If data is taken out of the ecosystem, then the protection and visibility is moot.
  • A good precursor to this is digital rights management or DRM. They have figured out how to manage data from being copied and manipulated and they can place controls on it. The limiting factor though is it\'s platform dependent.


Listed in: Technology

What's an Entry Level Cybersecurity Job?

Published: Nov. 12, 2020, 11 a.m.
Duration: 28 minutes 27 seconds

Naomi Buckwalter, director of information security at Energage, analyzed one thousand random information security job posts on LinkedIn. The most notable trend she found was that 43% of the posts had CISSP and 5-year experience requirements for entry-level positions. Are companies trying to lowball cybersecurity professionals, or do they simply not know what an entry-level cybersecurity job is?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Joseph Carrigan (@JTCarrigan), senior security engineer, Johns Hopkins University Information Security Institute, and co-host of the Hacking Humans podcast.

Thanks to this week's podcast sponsor, Keyavi Data.

Keyavi Data

Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner’s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you’ll learn:

  • There has been an ongoing trend for companies to post "entry level but experience required" job listings for cybersecurity professionals.
  • This is self-defeating for companies because the positions don't get filled. And true entry-level people get discouraged. They feel it's impossible to get into the industry. This can drive them away from cybersecurity, which hurts the entire industry.
  • Others would argue that we shouldn't even have this conversation because there is no such thing as an entry-level position, just as there are no entry-level doctors. You must have some type of training or experience to do this job.
  • There's no doubt that CISOs fight more for headcount than they do for overall dollars. And if they get a limited headcount, they're going to want to get as much talent as they possibly can with that limited number of positions they can fill.
  • Security is a layer on top of IT, engineering, or development. For that reason it can be seen as mid-level experience or above, simply because security is a specialization.
  • Is this behavior of shooting so high for an entry-level cybersecurity role causing the cybersecurity skills gap?
  • Best way to prove your value to a hiring cybersecurity professional is to setup your own home lab.
  • The skill that is hard to put on a resume or to explain in a job listing is non-linear thinking. But that\'s essentially what you\'re looking for with an entry-level cybersecurity hire.


Listed in: Technology

Securing Digital Transformations

Published: Oct. 29, 2020, 10 a.m.
Duration: 29 minutes 1 second

Digital transformation. Its definition is broad, meaning securing it is also broad. But there are some principles that can be followed as companies undergo each step in a deeper dive to make more and more of their processes essentially computerized.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Paul Asadoorian (@securityweekly), founder & CTO, Security Weekly, and chief innovation officer, Cyber Risk Alliance.

Thanks to this week\'s podcast sponsor, Keyavi Data.

Keyavi Data

Our Keyavi breaks new ground by making data itself intelligent and self-aware, so that it stays under its owner\\u2019s control and protects itself immediately, no matter where it is or who is attempting access. Keyavi is led by a team of renowned data security, encryption, and cyber forensics experts. See for yourself at keyavidata.com.

On this episode of Defense in Depth, you\\u2019ll learn:

  • Digital transformation is about relying on computing technology for more integral processes and aspects in our daily work lives.
  • Lots of debate on the definition of digital transformation and as well securing digital transformations.
  • Definition: A targeted change to process and technology for the benefit of the people.
  • Definition: increasing levels of interoperability of information.
  • We heard the recurring argument of the need for security to have a seat at the table at the beginning of a digital transformation, and not at the end. But at the same time reality sunk in and it was argued that security doesn\'t get to dictate that. And if security tried to, it would create a greater wedge with the business.
  • When security is brought in at the end though, security has no option but to disrupt the business. Then no one is happy.
  • Digital transformation simply introduce new risks, often greater risk. If the point is to integrate more of your processes, then that integrates the risk as well.
  • If you\'re undergoing a true transformation, you are looking at core processes and saying, "What new tech facilitates, streamlines, and/or actualizes these core processes?" You no longer have to settle for shopping for a solution and then smashing your processes up against it.
  • Your security tools should also undergo a transformation. That includes a transformation in monitoring as well.


Listed in: Technology

Leaked Secrets in Code Repositories

Published: Oct. 22, 2020, 10 a.m.
Duration: 28 minutes 41 seconds

Secrets, such as passwords and credentials, are out in the open, just sitting there in code repositories. Why do these secrets even exist in public? What's their danger? And how can they be found and removed?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest Jérémy Thomas, CEO, GitGuardian.

Thanks to this week's podcast sponsor, GitGuardian.

https://gitguardian.com?utm_source=David-Spark&utm_medium=podcast&utm_campaign=ds1

GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline.

On this episode of Defense in Depth, you'll learn:

  • Putting passwords and other credential information inside code simply happens. Developers do it for efficiency, out of laziness, or because they simply forgot to take it out.
  • Given that exposing secrets is done by developers, these secrets appear in code everywhere, most notably in public code repositories like GitHub.
  • Exposed credentials can also end up in SIEMs as they are exported from the developers' code.
  • There is a shared responsibility model, and cloud providers do have some ability to scan code, but ultimately the code you put in your programs is your responsibility.
  • Scanning public code repositories should be your first step. You don't want to be adding code that has known issues.
  • The next step is to scan your own code and get alerts if your developers are adding secrets (wittingly or unwittingly) to their code. If you alert in real time, it fits naturally within the DevOps pipeline and they will improve their secure coding skills.
  • Another option to deal with exposed secrets is to sidestep the problem completely and put in additional layers of security, most notably multi-factor authentication (MFA). A great idea, and yes, you should definitely include this very secure step, but it doesn't eliminate the problem. There are far too many authentication layers (many automated) for you to put MFA on everything. There will always be many moments of exposure.


Listed in: Technology

Measuring the Success of Your Security Program

Published: Oct. 15, 2020, 10 a.m.
Duration: 27 minutes 19 seconds

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-measuring-the-success-of-your-security-program/)

How does a CISO measure the performance of their security program? Sure, there are metrics, but what are you measuring against? Is it a framework or the quality of protection? How do you tell if your program is improving and growing?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest Chad Boeckmann (@SDS_Advisor), CEO, TrustMAPP.

TrustMAPP

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you're going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you'll learn:

  • The process is very systematic. Start with knowing your risks, how you're going to track them, and the controls you're going to put in place to manage them. Simple to say, hard to do.
  • Security risk is just one of a multitude of risks a business faces.
  • Data's whereabouts are a moving target. Having confidence in its location and protections is key to managing overall risk.
  • Constantly be asking who has access to the data and what communication processes you are using to share that information between humans and machines.
  • Discuss with leadership how you will judge success and what metrics you will use. The C-suite will need to lead the discussion, with security providing guidance as to what they can and can't measure.
  • If you're measuring security's performance, this is a great opportunity for security to tell its story and prove its value, ultimately setting it up for increased budget and participation from others.
  • An informal metric for success could be how often security gets invited to informal meetings.
  • Overall positive sentiment towards security from non-security employees.
  • How well are you able to build (are people eager to work with you?) and maintain your staff?
  • Another "out of the box" metric to consider is opportunity cost. How many contracts are you losing because you were incapable of meeting a potential customer's security standards?
  • Strong debate as to what the goal of a security program is: risk reduction or risk management? It's very possible that you are currently managing risk well and the additional cost to reduce risk is not necessary.


Listed in: Technology

Privacy Is An Uphill Battle

Published: Oct. 8, 2020, 10 a.m.
Duration: 28 minutes 43 seconds

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-privacy-is-an-uphill-battle/)

Privacy is an uphill battle. The problem is that those gathering the data aren't the ones tasked with protecting the privacy of the users whom that data represents.

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dave Bittner (@bittner), host, The CyberWire Podcast.

Thanks to our episode sponsor, TrustMAPP.

TrustMAPP

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you're going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you'll learn:

  • Marketers, the ones often collecting the data, have no incentive not to gather more. The only thing holding them back, barely, is newly growing privacy regulation.
  • Security professionals are tasked with protecting privacy, but they're not usually on the front lines of data collection and are often brought in after the data has been collected.
  • The public has become numb to the abuse of their privacy. A little is chipped away at a time, so they either don't know they're being abused or it appears so slight that they don't even care. They see the benefits of sharing as far outweighing the negatives.
  • GDPR is large and very difficult to comply with. And although it only affects site visitors from Europe, most site owners are deploying GDPR controls system-wide for all visitors, for fear of making a mistake, while at the same time realizing that similar regulations will launch in other parts of the world.


Listed in: Technology

Legal Protection for CISOs

Published: Oct. 1, 2020, 10 a.m.
Duration: 29 minutes 21 seconds

What's the legal responsibility of a CISO? New cases are placing the liability for certain aspects of security incidents squarely on the CISO. And attorney-client privilege has been overruled lately too. What does this mean for corporate risk and for CISO risk?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Evan Wolff, partner at Crowell & Moring.

Thanks to our episode sponsor, TrustMAPP.

TrustMAPP

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you're going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

On this episode of Defense in Depth, you'll learn:

  • We repeatedly joke about Davi Ottenheimer's comment that the CISO has held the moniker of "designated felon" in American risk mitigation.
  • A big piece of advice that was repeated throughout the episode is to have an employment contract.
  • In the employment contract you want an exit strategy that allows you to leave if you think a situation is not tenable or the company is asking you to do something that you believe to be unethical. It gives you an opportunity to leave without any blame assigned.
  • The cc field is your friend. If you don't want to be seen as the only one "in the know," make sure key people are also in the loop.
  • We heard one unbelievable story of an employment contract where it was clear that the CISO would be the "designated felon" should there be any breach. This was put in place to protect the executive team. The contract offered financial security for two years post-breach. We all agreed this was insane and had never heard of anything like it before.
  • Be wary of being forced to take on personal ownership of security issues. A CISO is responsible, not accountable.


Listed in: Technology

XDR: Extended Detection and Response

Published: Sept. 24, 2020, 10 a.m.
Duration: 25 minutes 3 seconds

Is XDR changing the investigative landscape for security professionals? The "X" in XDR extends traditional endpoint detection and response, or EDR, to also include network and cloud sensors. Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment.

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dave Bittner (@bittner), host, The CyberWire.

Thanks to our sponsor, Hunters.

Hunters

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they're also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

On this episode of Defense in Depth, you'll learn:

  • XDR extends traditional endpoint detection and response, or EDR, to also include network and cloud sensors.
  • XDR is viewed as a comprehensive solution that rolls up all your critical feeds, sensors, and analytics.
  • Having this full breadth, XDR can contextualize alerts to tell a more cogent story as to what's going on in your environment.
  • If you've got a greenfield security program (essentially it's non-existent), XDR is a no-brainer. But for everyone else, which is most of us, rolling out XDR is not as clear-cut a decision. How does it integrate with your existing tech stack?
  • Lots of questions as to why you need a SIEM if you have XDR. But most responded that the two technologies are complementary. Where XDR becomes redundant is if you have SIEM + SOAR + XDR + NDR.
  • XDR's real power is the ability to give you some of the investigative details rather than just telling you that somebody breached a certain endpoint. It can connect the dots and explain that a certain breach also resulted in a certain action. This greatly reduces the time your SOC needs to spend investigating cases.
  • Don't be fooled, though, by solutions that sell purely on reducing time and effort. You're only going to get that if you have useful integrations.


Listed in: Technology

Calling Users Stupid

Published: Sept. 17, 2020, 10 a.m.
Duration: 27 minutes 27 seconds

Many cybersecurity professionals use derogatory terms towards their users, like calling them "dumb" because they fell for a phish or some type of online scam. It can be detrimental, even behind their back, and it doesn't foster a stronger security culture.

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dustin Wilcox, CISO, Anthem.

Thanks to our sponsor, Hunters.

Hunters

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they're also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

On this episode of Defense in Depth, you'll learn:

  • Security people have notoriously had a "better than them" attitude towards their users, whom they view as the ones causing all the problems and making their lives more difficult.
  • Calling users stupid for making a "mistake of effort," even if it's behind their back, does not foster a bond with the security team. It fosters the us vs. them attitude.
  • Security professionals will have a lot more success if they understand why users do the things they do. Once there is that understanding, cybersecurity will be better able to design systems that accommodate users.
  • About a third of your users confidently believe they're following the right cybersecurity procedures. That discrepancy is not the fault of the users; it's the fault of cybersecurity's education of users.
  • Security can always be more effective in offering up the right tools and the correct education.
  • Security awareness must begin with good service and process design.
  • Phishing tests are pointless for determining security effectiveness. That's because no matter how low your click rates go, someone can always create a more creative test that will send them soaring back up again.
  • If your defense in depth strategy is so poorly designed that your company can be compromised by the simple click of a phish, then you've got a poorly configured security stack.
  • Security professionals' jobs exist because of their users. If there were no organization and no users, there would be no need for security professionals.
  • Quoting Albert Einstein: "If you judge a fish by his ability to climb a tree, he will live his whole life thinking he is stupid."
  • Look at user mistakes as an education moment, not an opportunity to put them down. If you educate them, they'll go on to educate others as well. Mistakes can actually be very beneficial.


Listed in: Technology

Is College Necessary for a Job in Cybersecurity?

Published: Sept. 10, 2020, 10 a.m.
Duration: 28 minutes 14 seconds

Where is the best education for our cyber staff of the future? Where does college fit in or not fit in?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Dan Walsh, CISO, Rally Health.

Thanks to our sponsor, Hunters.

Hunters

Attackers always find new ways to bypass organizational defenses. While their traces hide in the data, they're also extremely difficult to detect. Hunters.AI is a context-fueled XDR solution that harnesses top-tier threat hunting expertise and ML to autonomously detect, investigate and correlate attack findings across cloud, network, and endpoint.

On this episode of Defense in Depth, you'll learn:

  • Years ago most would say a college degree is necessary, but it appears the ROI on an exorbitant college education simply doesn't deliver like it used to.
  • Tons of valuable online courseware can deliver a targeted education for individuals wanting to start a career in cybersecurity.
  • If organizations believe these first two statements to be true, then why are they putting down a college degree as a requirement for jobs in cybersecurity?
  • Is requiring a college degree a false and elitist narrative that doesn't drive better cybersecurity talent?
  • Such a stringent requirement deters many people, including women and minorities who may not have college degrees, from pursuing cybersecurity roles.
  • Most college courseware in computer science quickly becomes outdated. But that doesn't apply to all colleges. Some that specialize in cybersecurity are doing their best to stay current.
  • Those arguing the need for college explain that it teaches critical thinking and the desire to always keep learning.
  • Does the lack of a college degree prevent an individual from moving up the ranks in cybersecurity leadership?
  • The college degree requirement may be arbitrary, or it may be there because of management's jealousy: they had to have a college degree when they joined, so everyone else should as well.
  • A college degree doesn't necessarily mean you'll be a great technician.


Listed in: Technology

When Red Teams Break Down

Published: Sept. 3, 2020, 10 a.m.
Duration: 25 minutes 17 seconds

What happens when red team engagements go sideways? The idea of real-world testing of your defenses sounds great, but how do you close the loop, and what happens if it's not closed?

Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Dan DeCloss, founder and CEO, PlexTrac.

Thanks to this week's podcast sponsor, PlexTrac.

PlexTrac

PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real time.

On this episode of Defense in Depth, you'll learn:

  • Don't make the mistake of red teaming too early. If you don't have your fundamental security program in place, you'll be testing non-existent defenses.
  • If you're just starting to build up your security program, conduct a vulnerability scan and do some basic patch management.
  • A red team exercise exists to discover risks you didn't even know about and couldn't have predicted in your threat modeling exercises.
  • Have a plan for what you're going to do after the red team exercise. Just discovering you've got problems, with no plan to remediate them, will not only be a waste of money but will also breed discontent.
  • Don't red team just to fill out an audit report. You can do a vulnerability scan for that.
  • Consider moving the red team to purple to actually help the blue team remediate the findings.
  • If you don't have a plan for remediation, you'll find yourself running the same red team and filling out the same report.
  • Prioritize! The red (now purple) team can greatly help, along with those who've assessed business risks.
  • The first findings to remediate are the ones that are high impact and easy to execute. The rest is determined by an analysis of likelihood and impact.


Listed in: Technology

What Cyber Pro Are You Trying to Hire?

Published: Aug. 27, 2020, 10 a.m.
Duration: 28 minutes 35 seconds

On this episode of Defense in Depth, you'll learn:

  • The poor focus of cybersecurity job listings often exposes either a poor understanding or a lack of maturity of a company's information security program.
  • We often see management cyber jobs asking for engineering skills, and vice versa.
  • Job listings can also portray the "last guy" syndrome. Those are the job listings that tack on desired skills the last person did not have.
  • When you see too many requirements it comes off as a wish list. It's not what is required; it's more a question of how many boxes a candidate can check off.
  • There can be serious harm to a company's ability to hire if they throw down too many requirements, or even optional items. The people who truly fit the position you want may never apply because they'll be scared off by the other skills required or desired.
  • CISOs are often hired by non-security people, and as a result those people don't have a full understanding of what type of CISO they want. That's why it's often hard to find two similar CISO job listings.
  • While CISO technical competencies are desired, it's clear that once hired a CISO will not be showing off their technical expertise. As a result, there's a lot of debate as to how much technical skill a CISO really needs. The job requires management, influencing, and communication.
  • Many hiring teams have a hard time parsing out the types of security people they need to build out a security team. That's why you get a single job listing that appears to want to hire five different types of security people.
  • If a CISO isn't given the budget and authority to hire a staff to fill all the necessary gaps in the company's security program, they will become fed up and leave. That starts the whole process again.
  • Many argue that job titles in job listings are just there to massage the ego. But if compensation doesn't match the title, then candidates realize the title is just for show.


Listed in: Technology

Junior Cyber People

Published: Aug. 20, 2020, 10 a.m.
Duration: 29 minutes 17 seconds

On this episode of Defense in Depth, you'll learn:

  • There are tons of newbies eager to work in cybersecurity. The shortcoming is not the available pipeline, but a lack of headcount and of managers' willingness to train and find appropriate assignments.
  • Because headcount is often the limitation on hiring, leaders will opt to hire the most senior person they can get.
  • The common feeling is to hire one experienced person and stress them out rather than hire three junior people and train them. The problem with the former is that if you stress that experienced person, they will leave and tell others not to work there.
  • There is plenty of good junior-level cybersecurity work, such as asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing and tuning out false positives from alerting systems, reviewing vendor contracts, patch verification, following up on vulnerability management with other teams, launching and managing vulnerability scans, interviewing for shadow IT installations, working with the help desk on user account remediation, and scanning logs for anomalies.


Listed in: Technology

Trusting Security Vendor Claims

Published: Aug. 13, 2020, 1 p.m.
Duration: 27 minutes 55 seconds

On this episode of Defense in Depth, you'll learn:

  • Of those surveyed in a Valimail survey, a third to a half didn't believe that vendors did a good job explaining what their product does, that the product actually performed, or that there was any way to actually measure that performance.
  • Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true.
  • Stunned behavior at a trade show is not an indicator of knowledge or of susceptibility to vendor pitches.
  • When you're under the gun as a security professional to produce results, you often become a victim of security vendor claims because you want to deliver on demands from the business.
  • By nature, CISOs should be skeptical about vendor claims and about information within their own environment.
  • There's a battle between those vendors truly trying to deliver value and those who are using their marketing savvy to sway industry thinking.
  • Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security".
  • Claims can often be more trustworthy if the vendor is willing to explain what they can't do.


Listed in: Technology

How Vendors Should Approach CISOs

Published: Aug. 6, 2020, 1 p.m.
Duration: 30 minutes 12 seconds

Check out this post for the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Ian Amit (@iiamit), CSO, Cimpress.

Here also is my original article with Allan Alford from when he first launched this "engage with vendors" campaign.

Thanks to this week's podcast sponsor, Sonrai Security.

Sonrai Security

Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you'll learn:

  • All CISOs are different, so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic.
  • We acknowledge that this is tough, because to be really on target you need to know what the CISO has, what their mix of products is, and how your product could work in their current security maturity and mix of security products and processes. It's all a very tall order for a security vendor.
  • Vendors must stop thinking of themselves as point solutions and instead think about how they fit into the overall makeup of a security program. You're not coming in with a blank slate. How do you interoperate with what's existing?
  • There's unfortunately a trend of people who make the contact, initiate a meeting, and then hand off to someone else. CISOs do not welcome that kind of engagement, although it may be very cost effective for security vendors to hire junior people to make those contacts and hand-offs.
  • Lots of argument about the efficacy and acceptance of cold calling. Those who claim they don't like it are often working at organizations that do it repeatedly to great success.
  • The pushy salesperson who eventually gets through after repeated attempts, even when they're told no, may show success, but they don't count all the people they've angered and the word-of-mouth negativity that has resulted from that behavior. If you push beyond a request to stop, the worst that can happen is that your reputation will be destroyed.
  • CISOs are more receptive to market pull into your organization. That can happen through traditional marketing, content marketing, podcasts, analyst reviews, and word of mouth. The problem is that these techniques don't leave any room for salespeople to operate.


Listed in: Technology

Secure Access

Published: July 30, 2020, 1 p.m.
Duration: 22 minutes 53 seconds

On this episode of Defense in Depth, you'll learn:

  • Multiple technologies, such as VPN, split-tunnel VPN, VDI, SASE, EDR, and secure management, are used in attempts to ensure secure access. But given that secure access isn't just about managing endpoints but also users, you also have to look at IAM.
  • We look to conditional access to provide more support than just full VPN access.
  • There is an argument that we are moving away from endpoints to identity, as that's the new perimeter.
  • A SASE solution blocks by default instead of allowing by default, and requires permission for access. The user is secured dynamically based on a combination of identity and device.
  • It would be great if secure access solutions were universal, but they vary country by country based on costs, availability, and regulations.
  • Secure access models must be user-experience first. One possible play that works in this way is IAM + SASE + EDR + secure management.
  • Another factor that prevents a one-size-fits-all model for secure access is the complexity of stacks.


Listed in: Technology

InfoSec Fatigue

Published: July 23, 2020, 1 p.m.
Duration: 28 minutes 23 seconds

On this episode of Defense in Depth, you'll learn:

  • Are we sliding in our effort to get ahead of security issues? There's a sense that the tools and our ability aren't keeping up with the onslaught.
  • Are we able to prove risk reduction to show that our efforts are successful?
  • The people who don't burn out are the ones who thrive on the technical and political challenges of cybersecurity.
  • Disagreement on how you lead a discussion: should it be story-based or data-based?
  • A classic complaint about cybersecurity is that success is measured by the absence of activity.
  • Preventative security is not as easily quantifiable as reactive security.
  • CISOs have to step up and show evidence of security's success in the most understandable and digestible format. Suggested measures and metrics: likelihood and impact, business impact analysis, security program maturity curve, framework compliance, pen test results, and threat modeling.
  • FUD (fear, uncertainty, and doubt) may be effective in the short run, but it's exhausting. It never works in the long term.
  • Approach cybersecurity altruistically. If it benefits you and those around you, then it's worth doing.
  • Lean on security vendors to help you show the value of their product. The business impact will be on the CISO's shoulders, but the vendor should help build the case.

Listed in: Technology

Securing a Cloud Migration

Published: July 16, 2020, 1 p.m.
Duration: 25 minutes 54 seconds

Check out this post for the basis of our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Sandy Bird, CTO and co-founder, Sonrai Security.

Sandy was the co-founder and CTO of Q1 Labs, which was acquired by IBM in 2011. At IBM, Sandy became the CTO for the global security business and worked closely with research, development, marketing, and sales to develop new and innovative solutions to help the IBM Security business grow to ~$2B in annual revenue.

Thanks to this week's podcast sponsor, Sonrai Security.

Sonrai Security

Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you'll learn:

  • You can't just migrate to the public cloud and secure things the way you secure your on-premises servers and applications. You have to think cloud-native in all security decisions.
  • Cloud migrations intensify the focus on the relationship between data and identity.
  • "Security as an afterthought" is never a good plan. Those who succeed build security into the migration. Don't let IT broker a deal to migrate to the cloud and then bring in cyber after the fact.
  • In the cloud, knowing where your data lives is one step; securing the data is another.
  • There's a multitude of variances with data. There are the API controls on data, who has access through those APIs, whether the data is cloned or cached, and how permissions to that data are being adjusted.
  • Start by knowing who and what should access your data and build your controls from there.
  • The people side of securing a cloud migration is critical. If your staff is not properly trained, a single mistake can be extremely expensive.
  • Speeds in the cloud, especially if you've got a DevOps and CI/CD approach, can make problems move at lightning speed. There's a need for automation and to continuously monitor your controls and coverage. Get ahead of problems.
  • DevOps learned the fail-fast technique, but also the ability to recover quickly. If security wants to play as well, it has to develop the same strategy and tools.

Listed in: Technology

API Security

Published: July 9, 2020, 1 p.m.
Duration: 23 minutes 28 seconds

On this episode of Defense in Depth, you'll learn:

  • The skill set needed to secure APIs is different from that of web security.
  • The move towards the cloud, DevOps, and the need to have security tools talk to each other has brought a lot more attention to the need for API security.
  • As in all areas of security, just knowing what you've got is a struggle. The same is true of APIs.
  • Just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems and the data they're transmitting.
  • How aware are your developers of the pitfalls of API misuse?
  • There's a myriad of security options, but start with strong authentication using a hash-based message authentication code (HMAC).
  • Much of the advice we got was simply to shrink the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs.
  • The "review the code" advice that we heard often is sadly not realistic. APIs are resistant to both automated and manual code review.
  • API security seems like a 300- or 400-level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.

Listed in: Technology

Shared Threat Intelligence

Published: July 2, 2020, 1 p.m.
Duration: 27 minutes 7 seconds

On this episode of Defense in Depth, you'll learn:

  • We all benefit from sharing threat intelligence, so why don't we do it?
  • If threat data is public, is it useful? The argument is that if the good guys know about the threat intelligence, then all the bad guys know as well. But that's only if it's in a public forum.
  • If threat intelligence were shared in a more rapid, comprehensive, and secure manner, it would have more utility.
  • Sometimes the "intelligence" a company first gets is just a data feed.
  • There has to be a greater discussion of the risks of sharing as compared to the upside. Often it's so easy to shut the doors and not share, with the benefit never calculated into the equation.
  • When an organization is in the middle of its security maturity curve, it holds all its data as close to its chest as possible. As it continues on its journey and learns lessons along the way, it begins to understand that collaboration will help the community as a whole, including itself.
  • Threat data is really not what professionals need. What they need is intelligence. And this requires a way to onboard and make sense of the data on its own, in aggregate, and over time.
  • Each of us is collecting different pieces of the threat landscape puzzle. If someone doesn't provide their piece, then we have an incomplete puzzle and there are now holes in our knowledge and ability to protect ourselves.
  • Threat intelligence does not hold the same weight for every user. What's valuable to someone may not be of value to another. And you may be holding onto data that you don't necessarily think is valuable.
  • You want threat intel to be actionable, not necessarily responded to automatically.
  • We spoke of threat intel with the analogy of animals traveling in herds for protection. The attackers often pick off the weak ones, but when everyone is working together, the stronger animals can actually protect the weak.
  • Even with everything we know and value about shared threat intel, there is still a ton of paranoia around sharing. While there is lots of discussion about data not being identifiable, most choose to opt out of sharing threat intel.

Listed in: Technology

Drudgery of Cybercrime

Published: June 25, 2020, 1 p.m.
Duration: 26 minutes 5 seconds

On this episode of Defense in Depth, you'll learn:

  • There's a dichotomy between how the press glorifies cybercrime as being "sophisticated" and the reality that much of cybercrime is drudgery.
  • Most cybercrime operates under a pay-for-hire or web-based service model. Cybercriminals have to deal with many of the same business-related issues we all do, such as support, infrastructure, customer relations, and sales.
  • Given that the cybercriminals are usually doing work for someone else, they have customers, and those customers will often complain if they are not getting the expected service.
  • There was a question of whether cybercrime pays. It seemed that if you had some basic technical talents, legitimate InfoSec was a far more lucrative field that would probably offer benefits cybercrime couldn't.
  • The paper states that low-skilled administrators often don't know much about the systems they maintain. This would lead one to believe they're also far removed from the criminal activity.
  • Many of these claims about the boredom of cybercrime can be made of the InfoSec community as well.
  • Once you understand that cybercrime is a business with a need for ROI like any other business, the goal in protecting oneself is simply to make it too costly and not financially attractive to be hacked.

Listed in: Technology

Security Budgets

Published: June 18, 2020, 1 p.m.
Duration: 25 minutes 43 seconds

On this episode of Defense in Depth, you'll learn:

  • The general consensus among the community is that cybersecurity is a spend-it-now or spend-more-later decision.
  • While everyone wants to find a metric to determine how much to spend on cybersecurity, there doesn't seem to be any that is useful.
  • The CISO's job is to provide data about risks so the business can make the decision about cybersecurity spending.
  • Most assume that after a breach there's more cybersecurity budget, but what you get first is cooperation.
  • Look at security as a market differentiator. What if you could withstand a cyber attack but your competition couldn't? Or possibly you could deliver a higher level of reliability to your customers. How would your business be perceived by the market?
  • A business impact analysis calculator can help you understand your risk levels. Allan Alford has one on his site.
  • Many felt the biggest cost to a company suffering a breach isn't loss of data or the regulatory fines, but the damage to the company brand.
  • The cost of proactive protection always beats the cost of suffering a data breach.
  • One listener recommended that MBA programs should have a breach case study as part of their curriculum.

Listed in: Technology

Role of the BISO

Published: June 11, 2020, 1 p.m.
Duration: 28 minutes 52 seconds

On this episode of Defense in Depth, you'll learn:

  • A BISO becomes very valuable when they can be mapped to a specific business unit (by locale or business line).
  • The BISO role has become important because practically all companies are reliant on data and technology.
  • The BISO must have the power to do their job. That requires autonomy and decision-making ability.
  • Another way to describe a BISO is as a senior business analyst with a security focus.
  • From CISO to project manager, roles change often for a BISO.
  • Geo-aligned positions for BISOs have become extremely valuable in light of different and growing territorial regulations.
  • BISO is a good role for a wannabe CISO.
  • Only large companies have room for a BISO.
  • A BISO who can cozy up to a particular business unit's sales strategy is of enormous value.
  • Make sure the BISO is actually bringing value and not just acting as a gatekeeper between security and the business.

Listed in: Technology

Shared Accounts

Published: June 4, 2020, 1 p.m.
Duration: 26 minutes 21 seconds

On this episode of Defense in Depth, you'll learn:

  • As much as it makes security professionals cringe, shared accounts are a business reality that can't be avoided.
  • Certain business processes force shared accounts to exist, but that doesn't mean that as a security professional you shouldn't grill people to find out why the shared account exists and whether there's a way you can remove that shared privilege.
  • Get an inventory of your shared accounts. You can also do this by mapping credentials to location information.
  • Time pressures in a physical environment often force shared accounts.
  • You need to shine a light on shared accounts even if they're not going to go away. It's part of your GRC (governance, risk, and compliance) program.
  • There are compensating controls one can put around shared accounts, such as password rotation, monitoring usage, and alerts.
  • Privileged access management (PAM) is the favorite solution for dealing with shared accounts. Often you don't need compensating controls if you have a dynamic PAM solution in place.
  • The need for accountability is key here. If you don't have a shared understanding of its importance, then those eventual issues are simply going to magnify.

Listed in: Technology

Bug Bounties

Published: May 28, 2020, 1 p.m.
Duration: 29 minutes 30 seconds

On this episode of Defense in Depth, you'll learn:

  • As with red teaming, you need outside eyes looking at your environment and vulnerabilities.
  • There was much debate between internal, private, and public bug bounty programs. But it was agreed that if you do them, you do them in that order.
  • There was another concern regarding the cost of a bug bounty program. Whether you do them or not, you're still going to pay for coding errors and vulnerabilities one way or another. It's either upfront or later.
  • Those new to bug bounty programs are not aware of the additional costs of managing and engaging with the researchers and white hat hackers. That is a critical part of the bug bounty program.
  • Before you begin, set up a system to manage the flow of problems reported. If not, you and your staff could very quickly be overwhelmed.
  • Having a consistent and clear way to handle the findings is often more important than the findings.
  • Have you allocated budget to remediate the findings? Are you going to need to make a case as each weakness is found?
  • Keep in mind that companies don't go into bug bounty programs for the same reasons. Some go into it for publicity or to form relationships with researchers.
  • Communication between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the bug bounty program could backfire.
  • Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. As there is a rush for attention and money, the whole effort may implode.

Listed in: Technology

Data Classification

Published: May 21, 2020, 1 p.m.
Duration: 24 minutes 41 seconds

On this episode of Defense in Depth, you'll learn:

  • Usable, user-friendly, viable-in-every-scenario data protection that is invisible, seamless, and always on does not exist, but could exist, and should exist.
  • Classification tools that tout automation really aren't automated. There is still a good amount of manual intervention.
  • Another way to solve the data protection issue is to get rid of data. Our data protection problem amplifies as we find ourselves protecting more data. But a lot of data simply doesn't need to be protected. It could be classified for non-protection or just destroyed.
  • Data is mostly unstructured, and it needs to be structured to the extent that you know how data is flowing, and that is extremely difficult to do.
  • We spend more time on hardware and networking diagrams, but what we should be doing is diagramming data flow.
  • Mandate retention limits on data. People don't like it, but it's going to make you a lot safer. Just mandate the lifespan of data. If it's not needed or accessed in a certain period of time, archive it or possibly kill it.
  • People think holding onto data is costless, but the reality is that the more you hold onto, the more costly it becomes from a security perspective.
  • Utility to you vs. utility to the bad guys is relative. For example, a bank statement from five years ago has little utility to you now, but if a bad guy is looking for information, it has the same value as a bank statement from today.
  • The questions you need to be asking: Is your data sensitive? Does it have open permissions? How long has it been since the data was accessed?
  • Data with PII is both an asset and a liability.
  • Classifying data also has a major problem with consistency. Often data can be put into multiple categories or classes.
  • Security of data is usually not the factor many consider. We are often thinking about the security around data.

Listed in: Technology

Prevention vs. Detection and Containment

Published: May 14, 2020, 1 p.m.
Duration: 26 minutes 40 seconds

On this episode of Defense in Depth, you'll learn:

  • A recent Ponemon study notes that most security professionals agree that prevention is a better security strategy than detection and containment.
  • Even with the acceptance that prevention is a better security posture, most security spending goes into detection and containment.
  • By implementing firewalls, patching, and security training, many of us are already doing prevention, but may not classify it as such.
  • Prevention is not nearly as expensive as creating a detect-and-respond security program.
  • The two halves work in concert. No prevention program can be perfect, and that's why you always need a detect-and-contain program as well.
  • The reason you don't go with detect and respond alone, without prevention, is that the flood of valid information will be too much for a security program to handle.
  • There was a strong argument for detect and respond because it shows the products you spent money on are actually working. This is not just to humor the security professional, but also to give some "evidence" to the senior executives.
  • A lot of prevention comes down to the individual. But since it's so tough to get people to change behavior, there's less friction in just purchasing another prevention tool to protect people from their own behavior.
  • Prevention tools won't stop the attackers who sit dormant on a network waiting to attack. Their behavior has to be spotted with the use of detection and containment.

Listed in: Technology

Asset Valuation

Published: May 7, 2020, 1 p.m.
Duration: 28 minutes 26 seconds

On this episode of Defense in Depth, you'll learn:

  • Allan revised the well-known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. So instead, Risk = Threat plus Vulnerability as aimed at an Asset.
  • It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse. Describe the absolute worst breach scenario. What's the second worst? And then on down until you have an understanding of the hierarchy of the assets.
  • A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site.
  • The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question often.
  • Once you know what to defend, the question is how much to defend, and after that, whether there is anything that doesn't need to be defended.
  • You may not actually be able to start this process if you don't know what your asset inventory is. This should be managed with a discovery tool and multiple iterations of discovery.
  • While you're valuing your own assets, try to make sense of what these assets mean to an attacker. That will help you answer the question of "how much to defend".

Listed in: Technology

DevSecOps

Published: April 30, 2020, 1 p.m.
Duration: 26 minutes 39 seconds

On this episode of Defense in Depth, you'll learn:

  • It's debatable whether the term "DevSecOps" should even exist. The argument for the term is to make sure that security is part of the discussion, but security people feel that's redundant.
  • Security is not an additional process. It should be baked in. It's an essential ingredient.
  • But should it really be seen as "embedding" or rather as a partnership? Developers and operations operate as partners.
  • Instead of dumping security tools on developers and just demanding "implement this", security needs to go through the same transition development had to go through to become part of "Ops".
  • As DevOps looks forward to what's next, how can security do the same?
  • Security is unfortunately seen as an afterthought, and that's antithetical to the DevOps philosophy.
  • Security is an innate property that imbues quality in the entire DevOps effort.
  • Security will slow down DevOps. It's unavoidable. Not everything can be automated. But if you deliver the security in bite-sized chunks, you can get to an acceptable level of speed.
  • The business needs to specify the security requirements, since it was the one that specified the speed requirements. That's how we got to DevOps in the first place.

Listed in: Technology

Fix Security Problems with What You've Got

Published: April 23, 2020, 1 p.m.
Duration: 28 minutes 22 seconds

On this episode of Defense in Depth, you'll learn:

  • It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you've already purchased?
  • The reason this is such a popular discussion is that as an industry we're still struggling with managing the fundamentals of security.
  • Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing whether you have the staff and understand the integration points to implement the solution.
  • Tooling for the lower layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built.
  • Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information.
  • We also need to focus on the people, who unfortunately are fallible and can make non-malicious but poor decisions.
  • If there was going to be any additional spending, the argument was to invest in your people, from the entire staff to specific training for your security staff.

Listed in: Technology

Should Risk Lead GRC?

Published: April 16, 2020, 1 p.m.
Duration: 24 minutes 57 seconds

On this episode of Defense in Depth, you'll learn:

  • The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first before you calculate risk.
  • Is the reason risk isn't used to lead governance, risk, and compliance (GRC) that it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is.
  • Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two.
  • Determining the likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of the CISO/Security Vendor Relationship Podcast that we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork.
  • Even if you can get someone to agree on what their risk tolerance is, or what asset is of importance, trying to get agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and concerns.
  • Knowing risk appetite is critical. You can apply security controls without knowing it, but that means providing a uniform security layer across all data, people, and applications when they are not all equal when it comes to asset valuation.

Listed in: Technology

Responsible Disclosure

Published: April 9, 2020, 1 p.m.
Duration: 25 minutes 10 seconds

On this episode of Defense in Depth, you'll learn:

  • Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure.
  • Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure.
  • While there are CERT guidelines for responsible disclosure, there are no real hard-and-fast rules. There will always be judgment calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm.
  • You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc.
  • There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities.
  • One listener argued that the term "responsible disclosure" implies a moral judgment. He argued that it should be referred to as "coordinated disclosure."
  • There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet?

Listed in: Technology

Internet of Things

Published: April 2, 2020, 1 p.m.
Duration: 29 minutes 13 seconds

On this episode of Defense in Depth, you'll learn:

  • For years, manufacturers didn't consider device security. As a result, attackers have used insecure devices like connected webcams to gain entry into a corporate network.
  • If you're manufacturing devices, then make security and patches a top concern even after end-of-life support.
  • There is a big gap between public trust and reality. Almost all people trust manufacturers to secure their devices. The reality is most manufacturers aren't securing their devices.
  • While we've seen webcams used to launch distributed denial of service (DDoS) attacks, the greatest concern is a similar style of attack being launched against industrial IoT.
  • The discussion of IoT security goes beyond the security of devices. We know there are devices with zero security connected to our network. This is where a larger discussion of zero trust and defense-in-depth style security programming comes into play.
  • We have a growing number of unmanaged devices: devices that are just always on and connected to the Internet, providing simple functions like reading their environment.
  • How much responsibility do manufacturers have for the security of their devices after they've been purchased and shipped? They can create updates and patches, but they can't enforce them.

Listed in: Technology

Is Governance the Most Important Part of GRC?

Published: March 26, 2020, 1 p.m.
Duration: 27 minutes 16 seconds

On this episode of Defense in Depth, you'll learn:

  • By leading with governance, how do you make a governance, risk, and compliance (GRC) program meaningful?
  • Without the right governance, it will be hard to accomplish the bigger picture.
  • GRC requirements have to adhere to the three A's: actionable, accountable, and achievable.
  • GRC programs require strong leaders. Without them, nobody will follow a governance effort.
  • There was debate on whether risk or governance should lead the GRC effort. But everyone appeared to agree that leading with compliance is very dangerous.
  • A list of rules, or governance, is completely pointless if it's not enforced. Enter risk, compliance, and a good leader, and you've got the opportunity for enforcement.
  • Governance that's not tied to risk will probably be ignored and therefore useless.
  • The argument to lead with risk is that it has applicability to the business, where that's questionable with governance and compliance. But for the purpose of this episode's argument, we were making a case for governance leading the conversation.
  • The main argument for governance over risk is that you can't truly understand the risk if there isn't some type of structure to understand what you're dealing with.

Listed in: Technology

Who Should the CISO Report To?

Published: March 19, 2020, 1 p.m.
Duration: 24 minutes 35 seconds

On this episode of Defense in Depth, you'll learn:

  • We're having this discussion because, as Allison Berey, M:CALIBRATE explained, "Wrong reporting lines can mean poor decision-making."
  • There are no definitive answers as to what the reporting line should be. The final answer in this discussion was "it depends."
  • A CISO's placement within an organization should depend on where a company derives its value.
  • All companies say security is important. How they place the CISO within the reporting structure and the influence they have on the organization is very telling as to whether the company truly does value security.
  • There was a lot of concern about reporting to C-level executives other than the CEO, as the CISO's concerns could play second fiddle to a CFO, CIO, or CRO's primary desires.
  • Many felt the most desirable reporting line was CISO-to-CEO.
  • But, assuming every department is dealing with some sort of business risk, don't they all have the right to report to the CISO? Where do you draw the line?

Listed in: Technology

Hybrid Cloud

Published: March 12, 2020, 1 p.m.
Duration: 27 minutes 45 seconds

On this episode of Defense in Depth, you'll learn:

  • Moving to the cloud, like any other technology initiative, is a business decision.
  • What controls are you ceding to the cloud provider? What service level agreements (SLAs) and performance measurements do you have for the provider?
  • Be realistic about what's going to be done if a service provider violates the SLA. You're not going to all of a sudden dump the provider. You're going to put some types of corrections in place. Make sure you know what those are and how that can be handled, realistically.
  • Understand your shared responsibility in the cloud. According to a report by FireMon on hybrid cloud use and adoption, about one-third do not fully understand the shared responsibility model of the cloud.
  • Start slow. While you may need to go with multiple cloud providers to fill distribution and requirements, begin with one and learn from that experience.
  • Use cloud adoption as an excuse to join forces with your privacy team to understand where data is being placed and what control you have over it.
  • Cloud providers are not interchangeable like a utility. Cloud providers are chosen based on the services they offer.

Listed in: Technology

CISO Tenure

Published: March 5, 2020, 2 p.m.
Duration: 29 minutes 16 seconds

On this episode of Defense in Depth, you'll learn:

  • There's a lot of confusion as to what a CISO needs to do. All job descriptions for CISOs are different.
  • There are humans behind the data, and as a result CISOs are tasked with protecting the humans.
  • CISOs can improve their tenure if they seek out a business mentor to allow them to better support the business.
  • CISOs who aren't able to communicate clearly will not last long.
  • It's a CISO's job to communicate in the language of the business, not the other way around.
  • Before the CISO ever arrives, there's a business culture. There's always going to be a natural push back from the business: "Why are you making us change?"
  • A simple walk about the office can resolve a lot of uncertainty.
  • If employees start asking questions about their personal security, that's a good sign the CISO has successfully inserted security into the business culture.
  • Another huge factor that impacts CISO tenure is the increase in opportunities. Regulations and privacy laws are pushing companies to get CISOs to provide much-needed oversight.
  • What does the reporting structure in your organization mean in regards to the CISO being heard at the executive and board level?

Listed in: Technology

Toxic Security Teams

Published: Feb. 27, 2020, 1 p.m.
Duration: 25 minutes 34 seconds

On this episode of Defense in Depth, you'll learn:

  • Toxic security teams happen because of tribalism, not just within security, but across all departments.
  • Security is seen as an expense and an IT problem, and many don't think it's everyone's issue.
  • One core issue is the lack of security culture and management simply not supporting the InfoSec team's efforts.
  • There are many ways a security team's culture can become toxic. The issues are so numerous that it seems more of a challenge to prevent a team from its natural tendency to go sideways.
  • The hero mentality of one individual, who thinks only he or she can solve the problem, can poison an entire group.
  • It can be argued that it's an issue of ego, but many see it as insecurity. Often the individual needs to prove themselves to themselves and others in order to maintain their cybersecurity rockstar status.
  • A toxic security team will have a very hard time hiring new staff. People will leave and tell others you don't want to work there.
  • If you have a diverse team and there's toxicity, the team won't last.
  • There's an enormous cost to disengaged employees.

Listed in: Technology

Personality Tests in the Workplace

Published: Feb. 20, 2020, 1:30 p.m.
Duration: 23 minutes 26 seconds

On this episode of Defense in Depth, you'll learn:

  • There is plenty of debate as to whether a security leader should use personality tests, such as Myers-Briggs, for hiring or managing employees.
  • Almost universally, no one wanted to use the tests for hiring, as that creates bias, but many saw value in using them for managing employees.
  • About half of the people who participated in the discussion just wanted to steer clear of personality tests altogether, never wanting to force their employees to take them either.
  • The tests reveal individuals' preferred communication styles, which can be helpful for customizing employee management. This is the main reason they're used.
  • Don't mistake these tests as defining who you are in the future. It's a test that measures personality and communication at a moment in time. People are often asked to take these tests repeatedly, and we often score differently as our personalities change. Myers-Briggs definitely has issues with validity and reliability.
  • One significant value of any personality test is to see if you're getting a variety of thought patterns on your team. If you're not, then you may be building the wrong team.

Listed in: Technology

Lack of Diversity in Cybersecurity

Published: Feb. 13, 2020, 2 p.m.
Duration: 27 minutes 50 seconds

On this episode of Defense in Depth, you'll learn:

  • The discussion is based on a quote by PayPal co-founder Max Levchin, who said, "The notion that diversity in an early team is important or good is completely wrong. You should try to make the early team as non-diverse as possible."
  • There is diversity of people and there's diversity of opinions. Those two often go together, but they don't have to.
  • While appalling, there is some truth to Levchin's statement. When everyone thinks the same you don't have conflict and can move quickly.
  • But lack of diversity of opinion means you don't see the full picture, and that can make you susceptible to unforeseen vulnerabilities.
  • If you don't know what problems you're facing, you should want diversity.
  • Minorities often face more, and different, struggles than those who never have to suffer diversity issues. They've been hardened, and that should make them an even more attractive candidate.
  • Start building your diverse network now. When it comes time to hire for diversity and you don't have that network already in place, you're going to have a very difficult time.
  • For more, check out the (ISC)² study "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce" and the Computerworld article "The next tech skillset is 'differently-abled neuro-diverse'".

Listed in: Technology

When Are CISOs Responsible for Breaches?

Published: Feb. 6, 2020, 1:30 p.m.
Duration: 28 minutes 37 seconds

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Norman Hunt (@normanhunt3), deputy CISO, GEICO.

On this episode of Defense in Depth, you'll learn:

  • At the onset, one may want to jump straight to finding liability. But a CISO's responsibility should not be isolated to the moment of the breach. There are more issues to consider, such as authority, accountability, efficacy, and expectations.
  • Be wary of assigning accountability if the CISO didn't have the authority to actually carry out his/her intended plan.
  • Often the CISO is seen as a necessary scapegoat when there is a breach. It shows an aggressive move by the company to make a change, but then they'll have to go ahead and hire another CISO, probably at a much higher salary (see last week's episode).
  • When are you measuring the performance of the CISO? Is it as they build the security program, or is it only at the moment of the breach?
  • How well does a CISO handle the breach when it happens, and how well do his direct reports and the rest of the company handle it? That's a better measurement of the efficacy of the CISO.
  • CISOs are held to a higher level of expectation to prevent a risky event from happening. CIOs, CEOs, and CFOs are not held to the same standard.
  • Even the best CISOs will suffer a breach. It's a single point in time. It sure is a very bad point in time, but what are the events that led up to this moment? Were they building out a security program and making improvements, or were staff education and leadership falling short?
  • The best standard of measurement for a CISO is how well they communicate and implement security and risk decisions.
  • Failure may lie in the definition of the role of the CISO. A CISO's role and its responsibilities are far from standardized.

Listed in: Technology

Post Breach Desperation and Salary Negotiations

Published: Jan. 30, 2020, 8:01 a.m.
Duration: 26 minutes 20 seconds

Listed in: Technology

Presenting to the Board

Published: Jan. 23, 2020, 1:30 p.m.
Duration: 25 minutes 11 seconds

On this episode of Defense in Depth, you'll learn:

  • A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful.
  • Metrics are of value to the board, but avoid offering up tactical metrics. Instead, use strategic metrics.
  • Once risk appetite is understood and agreed upon, then it's appropriate to begin a discussion of the security program's maturity.
  • Caplin recommends a four-slide presentation for the board:
    1. Where we were: problem areas identified per risk and maturity.
    2. What we spent, and a bit of why we spent it.
    3. Where we are now (metrics come into play here). Best to show how much progress you've made in implementing security programs.
    4. Where we want to go next, and what the next ask is.
  • If you're going to show a metric, it should answer a very specific question for the board.
  • If you are going to show one metric, the most popular one is dwell time: the time between when an attack happens, when you discover it, and when it's remediated.
  • The one metric of dwell time provides a lot of information as to the maturity of a CISO's security program, as it coincides with the program's ability to respond to incidents.
  • Some CISOs aim for a storytelling approach, completely avoiding metrics, because metrics have unfortunately led the board down the wrong path. It's either the wrong metrics, too detailed a metric, or metrics not tied to business risk or to a maturity model.

Listed in: Technology

The Iran Cybersecurity Threat

Published: Jan. 16, 2020, 1:30 p.m.
Duration: 26 minutes 28 seconds

On this episode of Defense in Depth, you'll learn:

  • As we're seeing now, it often takes a scare like Iran to get everyone to pay attention to their threat detection and response capabilities.
  • If you believe you're a target for an APT (advanced persistent threat), you need to also assume it's going to be hidden.
  • If and when you find an APT, also assume it's at the beginning of an attack chain. You're going to have to go deeper. Shutting it off at that moment won't let you understand what's happening.
  • Iran may use the resources of China and Russia, as they have hooks into other industries.
  • There's a strong belief that cyber warfare is commingled with organized crime. The two groups need each other.
  • Much of the "how to handle Iran" advice is to focus on foundations, not basics, because it's actually not easy, said Yaron Levi, CISO, Blue Cross/Blue Shield of Kansas City: "We use these potential threats as an area of focus."
  • If you are doing the fundamentals, and doing them well, you are doing what you can. You don't have the intelligence that the military has, and therefore you don't have the ability to craft specific defenses.
  • Beware of complacency and going in and out of "heightened alert". Eventually, people will forget about this perceived impending Iran threat. That's why threat intelligence needs to be handled consistently over time.

Listed in: Technology

Building a Fully Remote Security Team

Published: Jan. 9, 2020, 1:30 p.m.
Duration: 25 minutes 33 seconds

On this episode of Defense in Depth, you'll learn:

  • A fully remote team is possible. Our guest was formerly the CISO of GitHub, which is a fully remote organization, so the concept of remote work was built into the company's DNA.
  • Two of the most important factors in remote success are each individual's willingness to over-communicate and to never be afraid to escalate an issue.
  • Not surprisingly, remote work requires top-down support, and it starts at the point of hiring.
  • Trust is a two-way street in remote work.
  • Under the umbrella of "over-communicating" is documenting everything.
  • A huge benefit of having a remote team is that you are no longer competing in location-based hiring. There are talented people all over the world.
  • With your staff living all over the world, you in effect create a 24/7 office network, with everyone operating in different time zones.
  • A fully virtual company is perfect for cloud-native companies.
  • It can be very costly to place a person physically on site.
  • Saving money is a great side effect of remote staffing.
  • Make sure to have in-person team-building events. Kathy does one to two a year and tries to make sure one of them coincides with a big security event like DEF CON, RSA, or Black Hat.
  • One unforeseen benefit of remote work is that you're always able to start meetings on time. The problem with in-person meetings is you're often waiting for another meeting to finish in a room so you can start your meeting.

Listed in: Technology

Account Takeover

Published: Dec. 19, 2019, 1:30 p.m.
Duration: 25 minutes 38 seconds

On this episode of Defense in Depth, you'll learn:

  • Account takeover (ATO) has a life cycle with multiple (6) steps. The first step is reconnaissance, and you need to focus on that to stop the life cycle.
  • There's plenty of talk about sharing OSINT (open source intelligence), but the reality is, and always has been, that there are more consumers than contributors. Like any open source endeavor, it can only get better if more people contribute.
  • Account takeover has its root in stolen credentials, and as we know from sites like "Have I Been Pwned?", there are billions of stolen credentials floating out there that are consistently being used in credential stuffing attacks.
  • What is your credential situation? How unique are they? Can they be learned?
  • Start threat modeling your existing systems to determine what type of investment you'll need to make against account takeover.
  • You can greatly reduce the risk of ATO by implementing multi-factor authentication (MFA) and privileged access management (PAM).
  • The bad guys are playing the same game as we are, and we essentially need to have better reconnaissance than them. The problem is they're sharing information freely and we're not.

Listed in: Technology

UX in Cybersecurity

Published: Dec. 12, 2019, 2 p.m.
Duration: 26 minutes 31 seconds

On this episode of Defense in Depth, you'll learn:

  • There is the path to security you create and the path that your users take, or the desired path. As a security and UX professional you should plan to make those two the same path. If not, your users will take the simpler route and circumvent your security controls.
  • Users will always choose the easier path, which is not necessarily the most secure path.
  • Security is an "ask." You're requesting users do something, but it's hard to get them to keep doing that "ask" if you don't give them feedback as to the reason for or value of the ask.
  • Error messages historically provide little to no information to the user and thus no guidance to solve the problem. We often have to go outside of the environment (to a search engine) to find a solution.
  • Security professionals need to take on the role of a UX designer, which requires defining work processes by interviewing users, not deciding what you want those processes to be.
  • Creating a simple process is far more difficult than creating a complex process. Secure processes don't require users to constantly turn functions on and off or go through additional unnecessary steps to get their job done.
  • View your users as customers you're trying to sell on your process, rather than dictating a process that will eventually be avoided.

Listed in: Technology

InfoSec Trends for 2020

Published: Dec. 5, 2019, 1:30 p.m.
Duration: 26 minutes 20 seconds

On this episode of Defense in Depth, you'll learn:

  • More large-scale breaches is not a prediction. At this stage that's an inevitability.
  • ML/AI/blockchain will continue to be oversold and underdelivered.
  • Most cloud breaches are configuration errors. They are not mastermind attacks. They can't be called a breach if the systems were never secured properly in the first place. Note that cyber insurance does not pay out unless proper protections were in place.
  • "Better" cloud and Internet of Things (IoT) security is not possible given how badly it's been mismanaged up to this point. There are so many insecure nodes out there that it appears impossible to create any type of patch protection. There was strong debate as to whether this was a true statement or not.
  • The strongest prediction (and it's already in motion) is the convergence of privacy and security.
  • Privacy will be driven by regulations, and as a result more companies will be instituting chief privacy officers to avoid being in violation.

Listed in: Technology

Cybersecurity Readiness as Hiring Criteria

Published: Nov. 21, 2019, 1:30 p.m.
Duration: 26 minutes 22 seconds

On this episode of Defense in Depth, you'll learn:

  • For all candidates, whether in cybersecurity or not, gauge their current level of cybersecurity awareness.
  • There was a time we put knowledge of Microsoft Word and Excel on our resumes. Now you never see it because it's common knowledge. Security knowledge is not common. At this stage it would be seen as a valuable bonus to have it on your resume.
  • There are always small things that hiring managers look for to tip the scales in a candidate's favor. Cybersecurity skills should be one of them.
  • For candidates who would have the most to gain from cybersecurity awareness, bring in the CISO to ask one or two questions during the hiring process.
  • Different departments bounce candidates off each other even if they're not going to be working in a specific department. They want to know how well a person will or won't interface with their department.
  • There's a strong fear that adding cybersecurity to the hiring criteria will greatly slow down the hiring process, which could damage business productivity.
  • There was much debate around seemingly great candidates, such as an accountant with 20 years of experience, who fail miserably on cyber awareness. Would that raise a red flag?

Listed in: Technology

Cybersecurity and the Media

Published: Nov. 14, 2019, 1:30 p.m.
Duration: 29 minutes 47 seconds

  • Stop laying blame on the media for negative cybersecurity perceptions. They're acting as a reflection of ourselves, both good and bad.
  • When done right, the media can bring much-needed attention to issues, most often to enlighten those not in the know.
  • A good indicator of the media's success in informing us is when our friends and family, who are not as cyber-savvy, start asking us our thoughts on big security issues.
  • A disturbing trend is the media referring to an attack as "sophisticated" when it's often a poorly secured server that was just waiting to be breached.
  • Given this trend, many are eager for the media to demystify these supposedly "advanced" attacks, demonstrating that the rest of us can protect ourselves even if we're not cyber-sophisticated.
  • Social engineering demos are often done for the purpose of humor rather than showing how dangerous it can be when we let our guard down.
  • Outside of someone like Bruce Schneier, the cybersecurity industry needs the equivalent of a high-profile expert who can speak to the lay person, à la Bill Nye, The Science Guy.

Listed in: Technology

The Cloud and Shared Security

Published: Nov. 7, 2019, 1:30 p.m.
Duration: 24 minutes 57 seconds

Check out this LinkedIn post for the basis of this show's conversation on shared responsibility for security in a digital transformation to the cloud.

This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Paul Calatayud (@paulcatalayud), CSO for Americas, Palo Alto Networks.

Thanks to this week's podcast sponsor, Palo Alto Networks.

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you'll learn:

  • You have to have a business reason to go to the cloud. Usually it's done as a business imperative in order to stay competitive.
  • Security is rarely the primary reason businesses move to the cloud. It's often an adjunct reason.
  • Moving to the cloud may transfer risk, but it also introduces new risk.
  • Security professionals have long avoided the cloud because they feel they give up perceived control. If I can't see or touch it, how can I secure it?
  • One issue security people need to grapple with during digital transformation and a move to the cloud is: what does it mean to manage risk when you don't own the program?
  • Much of the online discussion was about getting your service level agreements (SLAs) in place. But if you're a small- to medium-sized business (SMB), you're going to have a hard, if not impossible, time negotiating.
  • Don't lean on SLAs to be your entire risk profile. It's like using insurance as your only means of security.
  • Cloud security requires setting up automation guardrails.
  • For cloud evolution you'll need a change in talent, and it probably won't be your traditional network engineers.
  • Because of performance, privacy, and data protection issues, you're probably going to find your business moving apps in and out of the cloud.
  • The Cloud Controls Matrix (CCM), from the Cloud Security Alliance (CSA), is a controls framework designed to help you assess the risk of a cloud security provider.

Listed in: Technology

Is Product Security Improving?

Published: Oct. 31, 2019, 12:30 p.m.
Duration: 26 minutes 6 seconds

Check out this tweet and the ensuing discussion for the information on the study and the concerns people have about the history of poor security in consumer-grade networking products.

This episode is co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Michael L. Woodson (@mlwoodson), CISO, MBTA.

Palo Alto Networks-Forrester report


On this episode of Defense in Depth, you'll learn:

  • We focus our conversation mostly on consumer products, most notably networking, which was the focus of the relevant study.
  • Some basic measurements of security, such as stack guards and buffer overflow protection, showed no noticeable improvement.
  • Margins are so slim on consumer products that manufacturers are put in a bind. They can't overcharge and stay competitive, so they have to underdeliver, and often security protections are cut as a result.
  • People accept the failures of cybersecurity products by just accepting the end user license agreement (EULA).
  • Be very careful with these agreements. Often a vendor will make outrageous claims, like saying they own the data.
  • When we have security incidents, companies are not blamed or held liable.
  • What type of pressure would need to be put on manufacturers to get them to improve security? Will it have to be standards, regulations, or government regulations?

Listed in: Technology

Best Starting Security Framework

Published: Oct. 24, 2019, 12:30 p.m.
Duration: 26 minutes 46 seconds

Check out this post initiated by Sean Walls, VP, CISO of Visionworks, who asked, "If you were building a security program from scratch, would you align with ISO 27001, NIST CSF, or another framework, and why?"

That conversation sparked this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Omar Khawaja (@smallersecurity), CISO, Highmark Health.

Thanks to this week's podcast sponsor, Palo Alto Networks.


On this episode of Defense in Depth, you'll learn:

  • When determining a starting security framework, always lead with the "Why?" What are you trying to accomplish and achieve?
  • In some cases you're adopting a framework to build trust.
  • Although most in security take a risk-based approach, that's not always necessary when picking a framework. Frameworks are often very regulatory driven.
  • Framework decisions will be built on both internal and external pressures.
  • If you don't have a specific security problem, a specific security solution makes no sense.
  • The Secure Controls Framework is a free meta-framework that allows users to pick and choose elements from multiple frameworks.
  • Check out Allan Alford's four-year mapping of NIST CSF, CIS CSC 20, and ISO 27001.
  • While there are plenty of great frameworks out there, for someone who is truly starting from scratch many security professionals pointed to the CIS top 20, because it maps to frameworks like NIST and ISO.

Listed in: Technology

Cyber Defense Matrix

Published: Oct. 17, 2019, 12:30 p.m.
Duration: 27 minutes 46 seconds

On this episode of Defense in Depth, you'll learn:

First, just look at the darn thing and it'll start to make sense.

  • The Cyber Defense Matrix's original purpose was to provide a visual way to see where the gaps are in your technology.
  • Users have found many more uses for the matrix, such as seeing those same gaps in people and processes, and trying to map out the vendor landscape.
  • By visualizing, you can also see where you have too much, and you can actually get rid of technologies.
  • The matrix provides structural awareness of your vulnerabilities.
  • The matrix admittedly gets a little wonky when cloud technologies are introduced. They often bleed across categories, not neatly fitting into any specific bucket.

Listed in: Technology

User-Centric Security

Published: Oct. 10, 2019, 12:30 p.m.
Duration: 28 minutes 54 seconds

On this episode of Defense in Depth, you'll learn:

  • It's impossible to create a security system that removes the user from the equation. They are integral, and they have to be part of your security program.
  • Security is defined by the individual.
  • The minimum expectation you can have of your users is that they'll operate in good faith.
  • Avoid complexity, because as soon as it's introduced it drives problems everywhere.
  • Instead, keep asking yourself: how can I make security more usable?
  • Individuals are suffering from alert fatigue. If you're going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alerts the user is seeing and deciding whether or not to act on.
  • Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email.
  • One of the main problems with security is that the party who suffers is not the one who has to act.
  • The user often does not have any stake in the goods he/she is protecting.

Listed in: Technology

Securing the New Internet

Published: Oct. 3, 2019, 12:30 p.m.
Duration: 32 minutes 22 seconds

On this episode of Defense in Depth, you'll learn:

  • Much of the advice on how to secure the Internet focused on just improving known protocols such as SMTP, IPv6, and TCP/IP. Is that limited thinking or not?
  • Creating a new Internet has a lot of political and socioeconomic issues connected to it, so you have to consider both relative updates (changing existing protocols) and absolute updates (reinventing and trashing existing protocols).
  • One suggestion was dynamic port assignments, which was an interesting tip, but it runs into the issue that at some point someone needs to know where you're communicating.
  • The future of identity is that it's not controlled by one entity. But the solution is not blockchain. That's essentially a spreadsheet of information, and banking on a spreadsheet or blockchain would not be wise.
  • Another suggestion was to create a data-centric approach to the Internet, but this would put a massive load on the endpoints.
  • One core philosophy of securing the new Internet is creating a system where each individual can own their own data and grant others rights to use it, rather than being beholden to the rights others give us to manage our own data.
  • Our favorite suggestion was about looking to biomimicry and our millions of years of evolution to help us build an Internet that could learn to evolve on its own. The issue is that history has given us tectonic shifts that come all at once and don't necessarily evolve gradually. Could a security system be built to adapt in that manner?

Creative Commons photo attribution to Joybot.

Listed in: Technology

Resiliency

Published: Sept. 26, 2019, 12:30 p.m.
Duration: 26 minutes 24 seconds

On this episode of Defense in Depth, you'll learn:

  • Resiliency allows the business to perform in conjunction with risk.
  • A conversation about resilience forces security to think about business processes and the criticality of each one to the business's ability to sustain itself.
  • We're forcing ourselves to think proactively about the moments when we have no choice but to react, hopefully automatically. Disaster recovery (DR) and business continuity planning (BCP) come into play here.
  • There's a concern that, of the CIA (confidentiality, integrity, and availability) triad, "integrity" doesn't have enough outside forces to ensure its credibility.
  • While security teams may just be coming up to speed on, or are just starting to think about, resiliency, the business has been thinking about it since day one of becoming a business. If security begins thinking this way, they will be more in alignment with the business.

And here are some items Anne Marie mentioned at the end of the show:

Listed in: Technology

Ransomware

Published: Sept. 19, 2019, 12:30 p.m.
Duration: 26 minutes 4 seconds

On this episode of Defense in Depth, you'll learn:

  • The ability to exploit stolen data takes work. Ransomware requires no such knowledge.
  • Ransomware targets the lowest common denominator, just data in general. The attackers often don't need to know much about the data.
  • Ransomware is extremely dangerous when it goes after shared data, which probably isn't being monitored.
  • The more savvy ransomware criminals can lie dormant in a system, learn where the most valuable data is, and work out how much a company can pay.
  • The solution to fighting back requires one to understand that ransomware targets people and files. It's the combination of the two that makes ransomware particularly dangerous. Your best bet to mitigate ransomware's damage is to limit users' file access. Not all users need to be able to access everything at all times.
  • Many security professionals believe the solution to ransomware is just good security hygiene and patching. While patching does narrow your attack surface, it doesn't make you immune to ransomware.
  • Unlike most cybercrime, ransomware is noisy. The attackers want you to know that they're there so you'll pay up.

Listed in: Technology

Top CISO Communication Issues

Published: Sept. 12, 2019, 1 p.m.
Duration: 27 minutes 40 seconds

On this episode of Defense in Depth, you'll learn:

  • Communication starts with engaging people where they work. CISOs can't have any long-term success selling fear, uncertainty, and doubt (AKA "FUD").
  • CISOs need to focus on people skills. If a CISO is going to be rolling out a solution, it's going to be in his/her hands to get others to adopt it. Successful CISOs integrate the community into their thinking.
  • While CISOs want to be proactive, you can't be purely proactive or purely reactive. It's always a blend.
  • The best start for a CISO is to get the C-suite and board to listen and understand.
  • Not only do CISOs need to have conversations about risk, they need to document it and revisit it.
  • Look at where the company is making money by examining the 10-Q report. See where you can apply risk analysis to all of those revenue streams.
  • Whenever a FUD-like headline appears, the C-suite and board will see it. Don't let them fall into the trap of absorbing the hype. CISOs need to show how they're handling such situations and how they would respond if something similar happened to them.
  • Top issues for CISOs include having a clear understanding of who owns what risk. And more importantly, individual contributors should acknowledge their specific role in the overall security program.

Listed in: Technology

Cybersecurity Excuses

Published: Sept. 5, 2019, 11:30 a.m.
Duration: 24 minutes 40 seconds

"I've got all the security I need."

"I'm not a target for hackers."

These are just a few of the many rationalizations companies make when they're in denial about cyberthreats. Why are these excuses still prevalent, and how should a cyber professional respond?

Check out this post by Ian Murphy, co-founder of LMNTRIX, for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers.

Thanks to this week\\u2019s podcast sponsor, Varonis.

Varonis

The most powerful way to find, protect, and monitor sensitive data at scale. Get total control over your unstructured data in the cloud and on-premises. See it in action in a\\xa0live cyberattack simulation lab.

On this episode of Defense\\xa0in\\xa0Depth, you\'ll learn:

  • Security professionals must endure an endless string of excuses to not improve a security program. On this episode, the ones we saw fall into four categories: "What I\'ve got is good enough", "Denial", "False safety net", "Costs too much time/money".
  • Never rest on what you\'ve got today. Today\'s configuration is tomorrow\'s vulnerability. Security is a process, not an end state.
  • There are always issues because humans are involved.
  • Small companies may not have a huge payout, but their defenses are usually weaker making them an easy score. A bunch of small companies add up to a big one.
  • If you have not invested well in a good security program, you are already breached and don\'t know it.
  • As this show title explains, you can\'t rely on a single layer of defense (e.g., firewall) to protect you.
  • No CISO is complaining they\'re spending too much on security.
  • A great security partner is awesome, but you don\'t hand off your security to someone else. It\'s a shared responsibility.
  • Don\'t rely on cyber insurance in the same way you don\'t leave your front door unlocked even though you\'ve got home insurance.


Listed in: Technology

Employee Hacking

Published: Aug. 29, 2019, 1 p.m.
Duration: 25 minutes 40 seconds

Listed in: Technology

100% Security

Published: Aug. 22, 2019, 1 p.m.
Duration: 24 minutes 56 seconds

  • Even though security people learned a long time ago that 100 percent security is not achievable if you want to run a business, CEOs are still asking their security departments to deliver it.
  • The most common response to the 100 percent security request is to point out that nothing in business is 100 percent. Everything is a type of risk.
  • Pointing out that everything is a risk doesn't necessarily endear a CISO to the security department. Instead, use empathy and try to understand what they are really asking when they make the 100 percent security request.
  • It's often difficult for a CEO to initiate a discussion about risk.
  • The question shouldn't be "how safe are we" but rather "how prepared are we". Should a breach happen, which seems inevitable these days, how quickly can the business respond and continue to function? A breach doesn't need to destroy a business.
  • The best way to connect with the business on security risk is to correlate it to another risk decision that makes sense to them. For example, battling fraud. No business tries to eliminate 100 percent of fraud, because at some point the cost to eliminate the remaining fraud far exceeds the cost of the remaining fraud.
  • As a theoretical exercise, most agreed that if you truly did try to achieve 100 percent security, the business would cease to function.


Listed in: Technology

Proactive Security

Published: Aug. 15, 2019, 1 p.m.
Duration: 28 minutes 35 seconds

Thanks to this week's podcast sponsor, Anomali

Anomali

Anomali harnesses threat data, information, and intelligence to drive effective cyber security decisions.

On this episode of Defense in Depth, you'll learn:

  • You can't start threat intelligence until you understand your internal threat landscape and business mission.
  • Sadly, very few organizations have a good answer to "What and where are your crown jewels, your high-value assets?" But if you can answer that question, your threat intelligence will be far more effective.
  • It's possible to understand the internal and external landscape in parallel. But you won't get great value from your intelligence until you understand your environment.
  • How do we judge the value of intelligence? It's all about dealing with costs before the "boom" vs. afterwards, because afterwards is far more expensive.
  • The reason to invest in threat intelligence is that once you know your assets, and you know what your adversaries are after, you can adjust your defenses accordingly.
  • If your goal is to harden everything, you're going to be very busy. It's not economically or physically possible.
  • Make sure you're staffing the threat intelligence and incident response teams properly. This is a common misstep that many shops make.
  • If you don't have intelligence, you're doing reactive security, which nobody wants, yet that's what many often end up doing.


Listed in: Technology

ATT&CK Matrix

Published: Aug. 8, 2019, 1 p.m.
Duration: 24 minutes 59 seconds

Check out this post and this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Ian McShane (@ianmcshane), VP, product marketing, Endgame.

Thanks to this week's podcast sponsor, Endgame

Endgame

Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs (their people, processes and technology) with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com.

On this episode of Defense in Depth, you'll learn:

  • The ATT&CK Matrix should be used both strategically and tactically.
  • Use it strategically to understand gaps in your security program.
  • As for tactics, it's great for blue team exercises. When you're being attacked, it helps you understand what's going to happen next.
  • You can use the ATT&CK framework even on 0-day viruses. It allows you to focus on the techniques in an attack rather than the specifics of an attack.
  • When you're being attacked, be wary of getting conflicting information from your tools.
  • If you have a tool that's constantly producing noise, you have two options: either fix it or dump it.
  • The reason two seemingly similar tools are producing different results is that they're taking different paths. Once you understand the paths you'll understand the variances.
  • The goal would be industry standardization, or maybe even a third party coming in to act as middleware to offer standardization. Is that even possible?


Listed in: Technology

Hacker Culture

Published: Aug. 1, 2019, 1 p.m.
Duration: 25 minutes 29 seconds

On this episode of Defense in Depth, you'll learn:

  • Hacking's definitions are varied, but the one that speaks to all theories is that hacking is critical thinking.
  • Hackers don't follow a manual. They look at systems with an open mind.
  • Hackers nurture the sense of the inner rebel. They want to truly understand the inner workings of a system.
  • Hackers aren't creating havoc, they're exposing problems that are already there. And they do it because it's the only way to get attention to the problem.
  • Security professionals understand the value of finding existing problems; that's why they instituted and support bug bounty programs that provide a financial incentive to hack.
  • Hackers are not afraid to be challenged.
  • If cybersecurity students jump straight from schooling to the corporate world, and they don't have time to explore their desire to hack, they won't have the opportunity to create their own moral code when it comes to hacking.
  • It's important for a hacker to discover their moral compass, because there are going to be situations where a hacker will have the opportunity to do bad things without getting caught. How will they handle it?


Listed in: Technology

Bad Best Practices

Published: July 25, 2019, 1 p.m.
Duration: 23 minutes 33 seconds

On this episode of Defense in Depth, you'll learn:

  • The response of "This is how we've always done it" is not a reason to continue a "best" practice.
  • One of the most universally bad "best" practices is counting the number of people who fall for a phishing test. Both Allan and Yaron told stories of phishing test reports that could swing wildly based on the type of email sent.
  • CISOs argue that a better metric to track is the number of people who report the phishing email.
  • Let employees know that you're going to test them. If you don't, it can be seen as a means to discipline them, which it's not.
  • Cybersecurity best practices don't stand the test of time. If a best practice seems off, challenge it by simply asking, "Why?"
  • Awareness training should be measured by testing afterwards, not by the number of people who actually took it.


Listed in: Technology

Cyber Harassment

Published: July 18, 2019, 1 p.m.
Duration: 23 minutes 43 seconds

On this episode of Defense in Depth, you'll learn:

  • You can be public or anonymous in your effort to stop cyber harassment.
  • If you are public about your efforts, you are putting yourself out there to be a target for harassment yourself. Our guest has received death threats and also been SWATted.
  • Cyber harassment can be devastating to the one who is being attacked. The fear of it can stay with you for years, even after it's been "resolved."
  • The traditional response to cyber harassment is to stop, block, and tell.
  • Ignoring is one technique, but it doesn't always work if they're trying to blackmail you.
  • Cyber harassers can often just be bored. They're looking for something to do, and sending death threats can be "fun."
  • Cyber harassers are looking for attention. It could be a situation of an employee feeling they weren't given the promotion they wanted, or a jilted lover who's looking for revenge.
  • The best technique for prevention is early detection. Do regular Google searches of your name and all your online handles to see if someone is starting to mess with your online reputation.

Listed in: Technology

CISO Series One Year Review

Published: June 25, 2019, 10:30 p.m.
Duration: 28 minutes 9 seconds

Check out this post and this post for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest for this episode is the co-host of the CISO/Security Vendor Relationship Podcast, Mike Johnson.

Thanks to this week's podcast sponsor, Trend Micro

Trend Micro

On this episode of Defense in Depth, you'll learn:

  • We provide the definitive story of how the CISO/Security Vendor Relationship Podcast started and how David, Allan, and Mike all connected.
  • We've been challenging many of the sales techniques that have essentially irked CISOs. The podcast has become a validation tool for sales people to show to their management and say, "We need to change direction."
  • One of the critiques we've heard is the desire to understand more of the sales process. We are actually very much in the dark as to what the different levels of incentives are for sales staff. A security sale is often a long and involved process, and we know the incentives are more involved than just a sales commission.
  • We've actually done webinars that take a look behind the scenes of sales, and we plan to do more.
  • Those who feel isolated within their company enjoy hearing the different viewpoints.
  • There is actually a real return on investment to listening to our show. Sales people say that they've changed their strategy based on advice on the show and it has proved to be fruitful.

Listed in: Technology

Economics of Data

Published: June 25, 2019, 6:05 a.m.
Duration: 27 minutes 42 seconds

Check out this post and discussion for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Chip Witt (@rt_clik), head of product strategy for SpyCloud.

Thanks to this week's podcast sponsor, SpyCloud

SpyCloud

Learn more about how you can protect employees and customers from account takeover with SpyCloud.

On this episode of Defense in Depth, you'll learn:

  • Understand what your crown jewels are and what is the most important data to protect. Many companies have a hard time answering that question, and they end up trying to protect everything, which can get very costly.
  • Be strategic about understanding what it costs to go after your data.
  • Look for ways to auto-protect your assets.
  • Most people do not spend a lot of time understanding the underground economy.
  • On average, your employees have 207 online accounts. Those seemingly innocuous sites (e.g., fantasy football) can often be used as opportunities to break into your network, and as we know, most people use the same password on multiple accounts.
  • Criminal enterprises operate like any other business. They're looking to generate ROI. Make it so there is no ROI, or it's too difficult to achieve it.
  • Focus on credential theft. Check your set of users for exposed credentials, because people use weak credentials to access valuable credentials.
  • As a business you also want to protect your employees' personal accounts from account takeover.


Listed in: Technology

Tool Consolidation

Published: June 19, 2019, 4:47 p.m.
Duration: 23 minutes 52 seconds

On this episode of Defense in Depth, you'll learn:

  • The tool bloat problem does not happen overnight.
  • Often you have no choice with tool bloat. It's a function of the industry that companies add new capabilities and acquire companies, so you start to get redundancy even if you didn't plan on it.
  • You can run into the trap of having excellent independent tools, but then they cause overlap, and because they're independent and not integrated, you eventually fall on the side of going with the lesser tool because it has integration with other capabilities.
  • Best of breed doesn't sit still. It starts to morph and doesn't necessarily remain the best anymore.
  • Even if you did a great job consolidating, you can't set it and forget it. Given the industry's behavioral morphs and your growing needs, you'll need to revisit the issue at least once or twice a year.
  • You need to do a tools audit.
  • A lot of political issues will come into play as people will defend the tools they love, built upon, and use. If you can't figure out a way to mediate, you'll need to hire a third party to do the audit and make the assessment.
  • Integration is critical. If there aren't APIs and other ways for the tools to communicate, it doesn't matter how awesome it is, the tool will need to be dumped.


Listed in: Technology

Camry Security

Published: June 12, 2019, 12:05 a.m.
Duration: 22 minutes 21 seconds

On this episode of Defense in Depth, you'll learn:

  • CISOs have budgets, and they simply can't purchase the most expensive and best option for every InfoSec need. Good enough is often exactly what they want.
  • It's often not possible to take advantage of all the features on a Cadillac-type security product. So you end up paying for shelfware, or tools that never end up being used.
  • The tool's complexity factors into the cost. This is often an argument against open source software, which has been branded, most often by the proprietary software community, as "tough to use."
  • Each tool creates a new demand on your staff in terms of time and complexity. What new costs are you introducing by acquiring and deploying a new tool?
  • "Best of breed" everything can also turn into an integration nightmare.
  • If you don't need everything a company is trying to offer, try to de-scope the requirements.
  • Some companies are so big that they have no choice but to purchase the Cadillac for everything, since so many departments will need access to the tool. It's far too complicated to create an RFP that takes into account everyone's needs. To speed access to the tool, these large companies just get the product that "does everything" and then let all the departments "have at it" once it's available for use.


Listed in: Technology

Amplifying Your Security Posture

Published: June 4, 2019, 5:15 a.m.
Duration: 26 minutes 52 seconds

On this episode of Defense in Depth, you'll learn:

  • When you manage too many people you get to a point of saturation. Are you doing security or are you managing people?
  • Core success comes from looking outside your immediate staff for security help. The most common programs are Security Champions and Security Prime. The first are just people outside of the InfoSec team who really want to learn about security, and the Prime players are actually implementing it.
  • Look for ways to reduce overhead in terms of paperwork, meetings, and unnecessary programs. If what you're doing is not helping, stop doing it.
  • Empower individuals to make their own decisions about security without the chain of command of approvals.
  • Avoid giving orders, because once you do you'll always be called into a meeting on that topic.
  • Use artificial intelligence (AI) to take work off of the security operations center (SOC) and incident response team.
  • The "lazy" sysadmin who automates all his tasks is a highly productive member.
  • Communicate to everyone that security requires the entire company's support, not just the security staff.

And here's Jan Schaumann's presentation at BSidesNYC 2016 entitled "Defense at Scale". Matt mentioned it on the show.


Listed in: Technology

ERP Security

Published: May 30, 2019, 3:12 a.m.
Duration: 21 minutes 41 seconds

On this episode of Defense in Depth, you'll learn:

  • The volume of log files from an ERP system is so overwhelming that most security groups just turn them off.
  • The reason you want an ERP-specific security solution is that they handle a lot of the log management and customization for you. You'll still need to do plenty of customization on your part, but these tools take away a lot of the heavy lifting.
  • Make sure you're on a first-name basis with all the key people whose departments are in the ERP system. You're going to need their support and knowledge to build out the effective ERP solution matrix.
  • If you have ERP or SAP installed, move an ERP-specific security solution to the front of your security maturity program.


Listed in: Technology

Managing Obsolete (Yet Business Critical) Systems

Published: May 22, 2019, 11:36 p.m.
Duration: 28 minutes 23 seconds

On this episode of Defense in Depth, you'll learn:

  • This issue appears to affect every security and IT person. At one time they've all had to deal with it.
  • Obsolete technology should not be treated like any new technology. It needs to be isolated.
  • Lots of great advice from the community regarding containing the outdated technology through firewalls, air gapping, segmenting, virtual machines, and a jump box.
  • Constantly measure the risk not just of intrusion into the outdated technology, but the cost of keeping the thing running, as you can't rely on outside support or updates.
  • As you're reporting the risk, constantly push for solutions to end reliance on this outdated technology.
  • The obsolete technology is often an expensive and critical piece of hardware that's difficult if not impossible to replace.
  • The UK National Cyber Security Centre has some great guidance on what to do with obsolete platforms.


Listed in: Technology

Cybersecurity Hiring

Published: May 16, 2019, 3:31 a.m.
Duration: 25 minutes 30 seconds

On this episode of Defense in Depth, you'll learn:

  • Specialization also veers towards simplifying, as Greg said, "A lot of middle of the road positions are being narrowed and dumbed down in a push towards commoditization."
  • Is the collection of so many tools pushing us to more specialization? Have we created our own hiring problem?
  • There are needs for specialists and generalists in cybersecurity. The issue is where you find the balance, from the creation of your toolset to your hiring.
  • There are too many open positions for "security analysts", which isn't a defined role. Sometimes there's an inherent laziness in hiring managers just wanting "a security person" and not understanding their environment as to what they really need.
  • Greg notes that "you can often tell how broken an infosec organisation is just by looking at the job roles they're looking to fill and the job descriptions."
  • If you're developing a tech stack and then looking for people to manage it, that is the reverse of the way you should be building a security program.
  • Students are eager to learn, but degrees are useless when companies are hiring for specific tools.


Listed in: Technology

How CISOs Discover New Solutions

Published: May 9, 2019, 4:28 a.m.
Duration: 29 minutes 28 seconds

On this episode of Defense in Depth, you'll learn:

  • The two tactics of carpet bombing with marketing emails and cold calls are universally hated, but they must produce results, and that's why they continue.
  • If a CISO wants to discover new solutions, they must expose themselves somehow to what's out there. New solutions aren't magically going to land in your lap.
  • Many CISOs rely on their networks of CISOs, but that can limit your thinking if none of the CISOs are willing to venture outside of the group.
  • Don't rely on your own discovery. Task your staff members to do it as well. Encourage and reward the showing of new ideas to the group, which can and will foster disruption and innovation.
  • You need a trusted partner, a reseller, or a vendor who can be your eyes and ears. Finding that trusted partner doesn't come easily, but when you find it, hold onto it because you're going to need them.
  • Your trusted partner should be proactive about giving you quarterly updates.
  • Large conferences and vendor emails act as touch points, but they don't act as a valuable source of information.
  • Engage in smaller local conferences where you can meet and build trust with your local experts.
  • If you do go to a large conference, and you walk the trade show floor, aim for the edges where you find the smaller companies.
  • The best advice for CISOs was to create a form for vendors to fill out if they want the chance to meet with you.
  • Yelp-like review sites have questionable credibility, but they are a touch point in tool discovery. Lean on podcasts and discussion groups, such as Slack.


Listed in: Technology

Is the Cybersecurity Industry Solving Our Problems?

Published: May 1, 2019, 8:26 p.m.
Duration: 29 minutes 51 seconds

On this episode of Defense in Depth, you'll learn:

  • The industry is just growing symptoms of core issues.
  • The cybersecurity industry is motivated by a marketplace which justifies investment. As one might expect, many security solutions are just hyped rather than built on innovations.
  • While many of our listeners are rather savvy, we expect most purchases are reactive rather than proactive. And if this continues, then the profit-minded vendors will still deliver reactive-based solutions.
  • We've got a radical increase in problems. We're just chasing the problems by spending more money.
  • Security people know that the solution is people, process, and technology, but far too often we're looking for a 'box' to solve our problems. We don't look at the tougher challenge of people and processes.
  • So much of the security market is reactive in its purchase decisions. To improve your success rate in cybersecurity you need to be forward-thinking about building out your security program and your spend.
  • One area of opportunity that not enough companies are taking advantage of is offering dramatically cheaper solutions than the alternatives, even though they don't perform as well. There is a definite market for those types of solutions.
  • We always lean on security products to solve our problems rather than looking internally at our people and processes.
  • There is always a losing comparison between attackers and defenders. An attacker can come up with a new variant of an attack in minutes to hours. Defenders in enterprises often take months to implement patches for known vulnerabilities.


Listed in: Technology

Vulnerability Management

Published: April 25, 2019, 3:53 a.m.
Duration: 21 minutes 29 seconds

On this episode of Defense in Depth, you'll learn:

  • As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory.
  • Vulnerability management needs to be everyone's issue and managed by all departments.
  • There was lots of discussion around vulnerability management being driven by culture, which is a very hard concept to define. To get a "vulnerability management culture", look to a combination of awareness and risk management.
  • Vulnerabilities don't get patched and managed without someone taking on ownership. Without that, people are just talking and not doing.
  • Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk.
  • Who are the risk owners? Once you can answer that question you'll be able to assign accountability and responsibility.

Listed in: Technology

Privileged Access Management

Published: April 17, 2019, 10:45 p.m.
Duration: 25 minutes 14 seconds

On this episode of Defense in Depth, you'll learn:

  • Privileged access management is designed to control lateral movement when an intruder gets legitimate access to your network.
  • You can't protect what you don't know. A privileged access management program is ineffective without complete asset inventory and classification.
  • Don't wait to begin instituting a PAM solution. It's unrealistic to believe you'd have a complete inventory right away so that you could begin PAM. You'll probably have to work with what you've got. It's a moving target for all. It may be an incomplete target as well... at the beginning.
  • Two-factor authentication (2FA) has a role. It can help with both initial intrusion and escalation. PAM's role is more refined, with its ability to prevent escalation.
  • One of the debated issues was how PAM negatively affects the user experience. Concerns of pushback and productivity issues have resulted in companies refusing to implement 2FA or PAM.


Listed in: Technology

Machine Learning Failures

Published: April 10, 2019, 10:46 p.m.
Duration: 31 minutes 43 seconds

On this episode of Defense in Depth, you'll learn:

  • Don't fall victim to believing that the success and failure of machine learning is isolated to just garbage in/garbage out. It's far more nuanced than that. Some human actually has to determine what is considered garbage in and what is not.
  • It only takes a very small amount of data to completely corrupt and ruin machine learning data.
  • This knowledge of small infection can spread and corrupt all of the data, and there can be political and economic motivations to do just that.
  • We have failures in human intervention. Machine learning can just magnify that at rapid rates.
  • While there are many warning signs that machine learning can fail, and we have the examples to back it up, many argue that competitive environments don't allow us to ignore it. We're in a use it or lose it scenario. Even when you're aware of the pitfalls, you may have no choice but to utilize machine learning to accelerate development and/or innovation.


Listed in: Technology

Software Fixing Hardware Problems

Published: April 4, 2019, 12:28 a.m.
Duration: 22 minutes 55 seconds

On this episode of Defense in Depth, you'll learn:

  • The reason the Boeing 737 MAX airplane crashes are such a big story is that airplanes don't usually crash, because the airline industry is ingrained in a culture of safety.
  • Even though safety culture is predominant in the airline industry, there were safety features (e.g., training for the pilots on this new software correcting feature) that were optional for airlines to purchase.
  • Software is now in charge of everything. What company is not a digital company? We can't avoid the fact that we have software running our systems, even items that control our safety.
  • The software industry does not operate in a safety culture like the airline industry.
  • Is this just a data integrity issue? Is that the root cause of problems? How do we increase the integrity of data?
  • Can we override software when we believe it's making a bad decision? Allan brought up one example of a friend who tried to swerve out of his lane to avoid something in the road. The self-driving car forced him back into his lane and he hit the thing he was trying to avoid. Fortunately, it was just a bag, but what if it was a child? The self-correcting software didn't let him take over and avoid the object in the road.


Listed in: Technology

Tools for Managing 3rd Party Risk

Published: March 28, 2019, 3:56 a.m.
Duration: 25 minutes 3 seconds

Check out this post and discussion for the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the creator of CISO Series, and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest for this episode is Eric Cowperthwaite, director of information security, Esterline.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week's podcast sponsor, Praetorian

Praetorian

As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts.

On this episode of Defense in Depth, you'll learn:

  • We question if there's some type of pseudo-protection racket going on, with auditors offering to increase vendors' security scores if they go into business with them.
  • The basic model is to help you identify issues and resolve them in order to reduce your risk and protect yourself from certain types of risk.
  • While our risk changes on a daily basis, we're not measuring the risk other 3rd parties may be introducing at the same iteration level. Often it's only annual, which doesn't coincide with how we measure our own risk.
  • As a result, there's a desire for ongoing real-time assessment of third party risk. CISOs want the depth of an audit combined with real-time monitoring.
  • A best of breed approach often introduces new risk at the lines of integration.


Listed in: Technology

CISO Burnout

Published: March 21, 2019, 4:06 a.m.
Duration: 27 minutes 13 seconds

On this episode of Defense in Depth, you'll learn:

  • You have to come to an acceptance that a security program that's at 90 percent is good enough.
  • Accept that you will never reach the end of the tunnel. You'll never have a perfect defense.
  • The CISO's role is that of a change agent, and depending on the depth of your relationships, you may get push back.
  • Don't underestimate the impact you're trying to make on the business culture. Organizations can only change in increments. Stressing over that will generate stress in you, the security professional.
  • Since security touches every department and you need to engage with every department, you will deal with a lot of personalities.
  • In addition to dealing with all the departments, you won't have authority over them, but you will be perceived as accountable for their security issues. The business needs to own security and its relevant risk.
  • Don't fall into impostor syndrome, where you chronically feel you're doing a bad job.
  • Accept small wins. Break up huge projects into smaller chunks and celebrate those wins.


Listed in: Technology

RSA 2019: Success or Failure?

Published: March 14, 2019, 5:09 a.m.
Duration: 29 minutes 36 seconds

  • Is RSAC for education or for connecting? Does the value happen inside the conference center or outside it? This was the initial part of our debate, and one argument is that you need to graduate from RSAC to make it more of a "connecting outside of the event" type of event.
  • The show floor is overwhelming. As David Gorton of OverwatchID noted, "The circus hides the seriousness of what we're trying to do."
  • There were a lot of comments about people not having fear of missing out (FOMO), but you can't argue with the fact that RSAC has a gravitational force that brings tons of security-minded people to San Francisco for one week every year. There is enormous value in that.
  • The marketing model for vendors during and after the show is starting to grate on practitioners. They're not enjoying the endless cold calls the following week.
  • The expo hall is focused on leads, and given that so many of these products are high-ticket items, if just a few sales come through, the event pays for itself.
  • It's impossible for small booths to compete for visibility with huge booths at the conference.


Listed in: Technology

Security IS the Business

Published: March 7, 2019, 3:59 p.m.
Duration: 25 minutes 59 seconds

On this episode of Defense in Depth, you'll learn:

  • When a business becomes an idea, the only thing that matters is the value perceived by the owners.
  • If you deem that security is the business, then it can no longer take a consultative role. It must take the role of brand and value building.
  • Explicit value is generating or saving money. Implicit value is what drives those two opposite ends of the spectrum.
  • A security department shouldn't be focused on trying to get more budget for itself. It should see where it sits in the value chain; at any given point in time it must fully understand the business and see which department could generate the most business value.
  • If you only lobby for the security department in terms of its importance for getting budget, and not for the overall business, then you will lose credibility with your partners within the business.


Listed in: Technology

Threat Intelligence

Published: Feb. 27, 2019, 11:02 p.m.
Duration: 20 minutes 59 seconds

Listed in: Technology

Secure Controls Framework

Published: Feb. 21, 2019, 1:37 a.m.
Duration: 24 minutes 52 seconds

On this episode of Defense in Depth, you'll learn:

  • The purpose of the Secure Controls Framework is to have a single framework that addresses multiple requirements. It's a meta-framework that takes into consideration the controls of all the other frameworks.
  • You only need to use the security controls that are important and relevant to you. For that reason, don't be daunted by the number of controls in the SCF (currently 750).
  • You can have security without privacy, but you can't have privacy without security. Integrating privacy and security is critical to the SCF.


Listed in: Technology

Insider Threats

Published: Feb. 14, 2019, 5:21 a.m.
Duration: 20 minutes 50 seconds

Listed in: Technology

Building an Information Security Council

Published: Feb. 7, 2019, 4:40 p.m.
Duration: 24 minutes 12 seconds

Listed in: Technology

Privacy

Published: Jan. 31, 2019, 1:29 a.m.
Duration: 28 minutes 57 seconds

Listed in: Technology

Security Metrics

Published: Jan. 23, 2019, 10:17 p.m.
Duration: 24 minutes 11 seconds

Listed in: Technology

Welcome to Defense in Depth

Published: Jan. 21, 2019, 7:24 p.m.
Duration: 34 seconds

Listed in: Technology