All links and images for this episode can be found on CISO Series (https://cisoseries.com/wait-what-good-news-in-cybersecurity/)
On this episode of CISO/Security Vendor Relationship Podcast, cybercrime fails and we brag about it.
This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Geoff Belknap (@geoffbelknap), CISO, LinkedIn.
Mike Johnson, co-host, CISO/Security\xa0Vendor\xa0Relationship\xa0Podcast, Geoff Belknap, CISO, LinkedIn, and David Spark, producer, CISO Series.
Thanks to this week's podcast sponsor Trend Micro.
On this week's episode
How CISOs are digesting the latest security news
We simply don't hear enough good-news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren't being told publicly that should be?
First 90 Days of a CISO
Michael Farnum, Set Solutions, said, "If you come into the job and aren't willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn't make sense." Not so easy, but where's the line where you can actually push and say, "We're changing course"?
It's time to play, "What's Worse?!"
We've got a split decision!
Hey, you're a CISO, what's your take on this?
On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, "I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I've seen...had to report to HR/PR/General Comms....none of whom really knew anything about technology/technical comms/infosec....and had little to no interaction with the IT/security team."
My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team?
The devious new Android malware called Cerberus steals credentials by using a downloaded fake Adobe Flash player. That is not really innovative in itself, but what's interesting is the way it seeks to avoid detection by using the phone's accelerometer to confirm that the infected target is a real device and not on the screen of a security analyst. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app actually counts a number of physical footsteps taken by the phone's owner, and deploys once the required number has been reached.
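To make the evasion trick concrete, here is an added illustration (written for these notes, not Cerberus's own code) of step-count gating: a simple peak-detecting pedometer runs over accelerometer samples and the "payload" is only considered armed once a required number of steps has been seen. The traces are constructed inline, and the threshold, sample rate and cadence are assumptions, not values taken from the malware. The point for a defender is visible in the second trace: an emulator or analysis VM that reports a motionless phone never reaches the step count, so dynamic analysis has to synthesize plausible sensor data (or patch the gate out) rather than wait for the sample to detonate on its own.

```python
"""Step-count gating as a real-device check.

Added example for these show notes; not code from Cerberus or from any
vendor. Thresholds, sample rate and cadence below are assumptions.
"""
import math

GRAVITY = 9.81          # m/s^2, resting magnitude of the accelerometer vector
STEP_THRESHOLD = 12.0   # assumed: magnitude peak that counts as a footfall
MIN_STEP_GAP = 5        # assumed: minimum samples between two counted steps
SAMPLE_RATE_HZ = 20     # assumed sensor sample rate for the constructed traces


def count_steps(samples):
    """Count steps from (x, y, z) accelerometer samples in m/s^2.

    A step is counted each time the acceleration magnitude crosses
    STEP_THRESHOLD upward, provided at least MIN_STEP_GAP samples have
    elapsed since the previous counted step (debounce against jitter).
    """
    steps = 0
    last_step = -MIN_STEP_GAP
    above = False
    for i, (x, y, z) in enumerate(samples):
        mag = math.sqrt(x * x + y * y + z * z)
        if mag > STEP_THRESHOLD and not above and i - last_step >= MIN_STEP_GAP:
            steps += 1
            last_step = i
        above = mag > STEP_THRESHOLD
    return steps


def looks_like_real_device(samples, required_steps):
    """The gate: only a device that has 'walked' required_steps passes."""
    return count_steps(samples) >= required_steps


def walking_trace(n_steps, cadence_hz=2.0):
    """Constructed trace: gravity on z plus a +/-4 m/s^2 bounce at walking cadence,
    with small sway on x and y. Produces exactly one threshold crossing per step."""
    samples_per_step = int(SAMPLE_RATE_HZ / cadence_hz)
    total = n_steps * samples_per_step
    return [
        (
            0.3 * math.sin(0.7 * i),
            0.2 * math.cos(0.5 * i),
            GRAVITY + 4.0 * math.sin(2 * math.pi * cadence_hz * i / SAMPLE_RATE_HZ),
        )
        for i in range(total)
    ]


def emulator_trace(n_samples):
    """Constructed trace of a phone lying still, as a default emulator reports it:
    gravity on z with only tiny sensor noise, so no step is ever counted."""
    return [
        (0.02 * math.sin(0.9 * i), 0.02 * math.cos(1.1 * i), GRAVITY + 0.05 * math.sin(0.3 * i))
        for i in range(n_samples)
    ]


if __name__ == "__main__":
    required = 20  # assumed arming threshold
    for name, trace in (("walking phone", walking_trace(30)),
                        ("idle emulator", emulator_trace(300))):
        print(f"{name}: {count_steps(trace)} steps, "
              f"armed={looks_like_real_device(trace, required)}")
```

Run it and the walking trace reports 30 steps and arms, while the idle emulator trace stays at 0 steps for the full 300 samples and never does. The analyst-side fix is the mirror image of the gate: feed the sandbox a replayed or synthetic walking trace, or hook the sensor API, so the sample cannot tell the bench from a pocket.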
For more, check out the full tip on CISO Series.
Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company's data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.
Why is everybody talking about this now?
What's behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it's so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, and a lack of training and growth opportunities. Is the core issue that the cybersecurity industry just does a very poor job welcoming new entrants?
Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?