The Great Security Debate

The Great Security Debate crew recorded a live episode at the GTS Security Summit in Detroit, Michigan with special guest, Zah Gonzalvo, SVP of Financial, Climate, and Operational Risk at Banco Popular. Tune in for a great discussion on risk, risk mitigation, risk prioritisation, and risk in context. Yep, it's all about risk!Takeaways: The evolution of security has shifted from a binary perspective to a more nuanced understanding of risk management, acknowledging the need for flexibility in addressing diverse security challenges. In contemporary discussions, it is increasingly evident that security must be integrated into business strategy, highlighting the imperative for security professionals to communicate effectively with stakeholders. The role of the Chief Information Security Officer (CISO) has transcended traditional technological boundaries, necessitating a comprehensive grasp of business risk and operational efficiency. Effective risk management within organizations requires a shared responsibility model, where every employee contributes to the overall security posture, thus reinforcing the concept that security is a collective endeavor. Scenario analysis is a potent tool in risk management, enabling organizations to anticipate potential threats and understand the implications of various risk scenarios on their operations. Engaging with business units to contextualize security risks in terms of operational impact and financial implications is vital for securing necessary budgets and resources for security initiatives.

In this episode of The Great Security Debate, Dan, Brian and Erik invent (and copyright) the idea of a Fantasy Hacker League then dig into more serious discussions on deception technology, asset discovery challenges, and resource management. The conversation also delves into the impact of budget constraints on security projects, the mental toll on cybersecurity professionals, and the evolving role of CISOs in digital transformation. Issues such as job stress, burnout, and role mismatches among security leaders are addressed, alongside strategic insights on integrating security within broader business operations.00:00 Introduction to the Great Security Debate00:39 Humorous Take on Hacker Recruitment03:16 Fantasy Hacker League Concept09:18 Microsoft's Honeypot Strategy22:58 Challenges in Security Budgets and Resources31:03 The Reality of Full-Time Positions31:31 Introverts vs. Extroverts in Leadership32:06 The Challenges of Being a CISO33:53 Work-Life Balance and Stress37:04 The Role of Security in Business39:36 The Future of Security Leadership41:00 Adapting to Economic Constraints59:28 The Importance of Enjoying Your Work01:00:26 Conclusion and Farewell

Welcome to the Great Security Debate! In this episode, experts take on a multifaceted discussion about the intricacies of technology and cybersecurity. The debate navigates through the recent incident involving CrowdStrike and Microsoft, dissecting the layers of technology, processes, and the roles of different entities in maintaining security. Emphasizing the lessons learned, the debate also explores the challenges of disaster recovery, business continuity, and balancing risk in an increasingly complex digital landscape. Tune in as the hosts delve into the ramifications of over-consolidation, the implications of vendor lock-in, and the importance of maintaining a culture of quality and robust testing.00:00 Introduction to the Great Security Debate00:37 Layers of Technology and Finger Pointing01:23 Disaster Recovery and Business Continuity02:34 Market Leaders and Single Points of Failure08:25 The Complexity of Software and Manufacturing Analogies14:27 Kernel Access and Security Implications23:29 BitLocker Keys and Recovery Challenges28:05 Daily Text File Sharing28:21 Transitioning BitLocker Management28:45 Risk Profiles and Encryption Decisions31:47 Team Collaboration and Lessons Learned33:38 CrowdStrike Incident Analysis36:18 The Importance of Response and Culture44:10 Balancing Speed and Safety in Software51:41 Closing Remarks and Future Plans

This episode of 'The Great Security Debate' delves into the complexities surrounding cyber insurance, discussing its impact on minimising business risks and ensuring compliance. Erik, Brian, and Dan talk about how connected systems and automation increase risks and integrates AI reliance concerns. Insurance policies, force majeure, and government regulations get some quality discussion and debate time, revealing fears and misconceptions about standardised security controls vs. adaptive security practices. And last up: the practicality and pitfalls of self-insurance, government intervention, and the need for standardised security terminology.Show Links:CISA Secure by Design Pledge | CISACISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: (SMBs) | CISAThe 118th Congress is the third oldest since 1789Book - The End of the World Is Just the BeginningSupreme Court's ‘Chevron' ruling means changes for writing laws - Roll CallInsurers Warn Standardizing Cyber Policies Could Limit Future CoverageCyberattacks Disrupt Car Sales by Dealers in U.S. and CanadaHelp support the podcast: https://ko-fi.com/distillingsecurityThanks for listening! We have got some exciting changes ahead including ways to support the podcast, some big announcements, new shows and conversations, and more! Thanks for listening!Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!00:00 Introduction to the Great Security Debate00:30 The Role of Cyber Insurance01:49 Manual Processes and Business Continuity03:09 Manufacturing and Supply Chain Challenges06:11 Insurance Policies and Cybersecurity08:00 Standardization and Government Involvement19:14 The Complexity of Cyber Warfare22:35 Globalization and Cybersecurity30:33 Leadership vs. Boss Mentality33:53 The Role of Communication in Crisis36:51 The Cost of Compliance40:30 Global Cybersecurity Challenges44:22 The Complexity of Online Trust47:56 Insurance and Cybersecurity53:07 The Future of Cyber Insurance01:00:15 Conclusion and Final ThoughtsMentioned in this episode:Michigan BBQ Meet-Up July 18, 2024 on Cass LakeJoin Distilling Security on July 18th in Cass Lake, Michigan for a BBQ, food, colleagues, and fun. Thanks to event sponsors: Material Security, Orca Security, Legit Security, and Cyberhaven! Full details and registration forms are on the Distilling Security website...

In this episode of the Great Security Debate, Brian, Erik, and Dan dive into the latest trends in ransomware including an uptick in attacks against the hypervisor. Speaking of VMWare, we also "discuss" the way that Broadcom has handled the VMWare acquisition and why it both make sense (to them) and doesn't (to many customers).The debate also heads into the impact of AI in cyber threats, and compare strategies for mitigating risk, such as prioritising vulnerabilities and understanding the attack landscape. Additionally, the conversation shifts to business practices in tech acquisitions and the potential future disruptions in the market and importance of balancing security measures with user experience, and the need for adaptive, short-term security roadmaps to stay ahead in an ever-changing environment. And break the big news about an upcoming Distilling Security in-person meet-up in Michigan in July!Help support the podcast: https://ko-fi.com/distillingsecurityShow Notes:episode-linksBroadcom execs say VMware price, subscription complaints are unwarranted | Ars TechnicaWhat happened with AI Overviews and next stepsBook - Titan: The Life of John D. Rockefeller, Sr.Thanks for listening! We have got some exciting changes ahead including ways to support the podcast, some big announcements, new shows and conversations, and more! Thanks for listening!Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Sorry about the audio on this one. We have got the tech back on track for the next episode. I promise!Join the Great Security Debate as Brian, Erik, and Dan delve into 'pig slaughtering,' a scam involving rapport building to swindle victims out of money. The discussion explores the intersections of security awareness, blockchain technology, and the ethical implications of digital tracking tools like chain analysis. Featuring real-world cases, including child exploitation traced through blockchain, and the broader debate on privacy versus legality in technology use. Are public blockchain transactions truly private? And how can we balance innovative tech with ethical concerns? Tune in to hear all about itHelp support the podcast: https://ko-fi.com/distillingsecurityShow Notes:Movie: OppenheimerAdobe has built a deepfake tool, but it doesn't know what to do with it - The VergeMovie: Defending Your LifeMicrosoft Edge May Import Your Chrome Tabs Without Your ConsentAdobe content analysis FAQHow the Federal Government Buys Our Cell Phone Location DataPublic By Default - Stories Found in Venmo CommentsChainalaysisBook: Tracers in the DarkPig Butchering Scams: Last Week Tonight with John Oliver7 Months Inside an Online Scam Labor CampThanks for listening!Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

Join Dan, Brian, and Erik in the latest episode of The Great Security Debate as they explore the impact and implications of the movie 'Leave the World Behind.' Delving into cyber security, societal impacts of technology, and philosophical elements, this discussion touches upon vulnerability management, risk management, and the effect of constant connectivity on modern life. Tune in to hear not only their analysis of the film but also personal reflections on communication, societal changes, and practical steps for improving individual security resilience. This episode also marks the exciting announcement of the Great Security Debate becoming a part of the Distilling Security network. Don't miss out!Help support the podcast: https://ko-fi.com/distillingsecurityShow Notes:episode-linksDistilling Security – Consumable security, privacy, and complianceHackers Remotely Kill a Jeep on the Highway—With Me in It | WIREDAugust 2023 Data Incident | U-M Public AffairsRecent power outages in Ann Arbor have multiple causes, DTE Energy saysWatch Leave the World Behind | Netflix Official SiteEditor note: This episode was recorded in the final days of 2023... but was lost to technology demons until now. One of those demons made it necessary to show the Zoom screen rather than our usual edited video cast. Sorry for the inconvenience and pain on your eyes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate and Distilling Security, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

It's an "all rounder" episode of The Great Security Debate. Brian watched a movie, Erik watched an advertisement, and Dan was overtly cynical. Just another day in the podcast booth for these three.A variety pack of topics ranging from recent security attacks, to AI in technology, to automotive manufacturing (go figure), to privacy, to sponsorship and vendor models at live events, and more.Links to everything we talked about are available in the show notes.Thanks for listening and welcome to 2024! We have got some exciting changes ahead this year including ways to support the podcast, some big announcements, new shows and conversations, and more! Thanks for listening!Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.

It's not easy to sell things. It's even harder to sell to security practitioners and leaders. The Great Security Debate this week covers some angles in security tools (and selling those tools to security teams) that have taken their toll on the trust that needs to exist between those who buy and those who make the products that we use. From the software providers to the VAR (resellers) in the middle to the people and techniques used to market and sell the solutions. Some of the key topics of the discussion include:The challenges of security tool consolidation by non-security vendorsSecurity is not a lock-in tool, and security is not an upsell toolPushing changes to products without telling the customers before they happen or letting those customers have control over the change (and if they take it or not)Security Selling with VARs & Deal Registration What are the motivators when a product is recommended to youYou can still buy direct (and why you might want to)The challenge of selling into the SMBThe power of the “vouch” that flies in the face of some sales methodsThe importance of being genuine in sales communications (aka knock off the programmatic drip campaigns that pretend to be personal)Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!

This week we are debating modern AI systems, especially the commercial ones on just about everyone's lips when talking about CVs, high school term papers, and interview answers.Large Language Models (LLMs), of which ChatGPT and Bard are two examples, are growing in prominence, but will they disrupt the technology world, or are they nothing more than just another blockchain fizzle?In this episode:Are these even actually "AI" models, or really just very fast processing of large data sets?What should I (and should I not) be putting into LLMs? How does the re-teaching based on data entered impact what you should put into public LLMs?What are some valid use cases for LLMs?Does depending on tools like LLMs (or calculators) bring us further from core understanding of how things work? Or should we be OK with the efficiency it brings?How does copyright fit into the LLM expectation and model, and does the legal licensing of training data dull the shine of LLMs?Are the analyses from LLMs skewed not only by the data they chose to use for training, but also by the userbase that uses that LLM?How are any of the "good practise" security and privacy requirements for LLM different from any other systems? Spoiler alert: not at all.Unrelated to AI, we also talk about what happens to all the "smart" things in your house when the internet goes out? What stops working? Way more than you might think...We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!Links:Is OpenAI almost bankrupt?: https://www.windowscentral.com/software-apps/chatgpts-fate-hangs-in-the-balance-as-openai-reportedly-edges-closer-to-bankruptcyMaybe not bankrupt, but has business problem: https://www.forbes.com/sites/lutzfinger/2023/08/18/is-openai-going-bankrupt-no-but-ai-models-dont-create-moats/?sh=3c8922845e22Gartner declares LLMs at the peak of inflated expectations: https://www.gartner.com/en/newsroom/press-releases/2023-08-16-gartner-places-generative-ai-on-the-peak-of-inflated-expectations-on-the-2023-hype-cycle-for-emerging-technologiesWhen ChatGPT goes Bad: https://sloanreview.mit.edu/article/from-chatgpt-to-hackgpt-meeting-the-cybersecurity-threat-of-generative-ai/https://venturebeat.com/security/how-fraudgpt-presages-the-future-of-weaponized-ai/The Circle (Movie): https://www.imdb.com/title/tt4287320/Amazon Sidewalk, and it's privacy issues: https://www.popsci.com/technology/amazon-sidewalks-privacy-concerns/Idiocracy (Movie): https://www.imdb.com/title/tt0387808/Moores law is dead:...

It's been a minute, but we are back with another Great Security Debate!Whether it is compliance, trust, questionnaires, we all sell something to someone and security is core to that process.In this episode, the focus is on how security integrates into the core of each of our businesses or organisations. From being part of strategic planning, the reminder that perfect being the enemy of progress, to the power in being a first mover on security and privacy topics:Compliance vs security: Is it pro forma? Do you check the SOC2 (and other) reports you get from your suppliers?You're not a special snowflake: Why won't more orgs use standard questionnaires on supplier assessments?There are multiple ways to solve a problem, and context is key. The process and environment may mean you don't need a technology control or a specific (prescribed) technology control."The business" is a term that should never be uttered again by security or technology practitioners and leaders.There is power and business value in governance and transparency in security and privacy; build trust in your brand.We need to move our programs a layer above the specific people. Risk is reduced by living at the process layer. Heroics are not scalable.How can preparing for a triathlon be used to describe adherence to targets that lead to good security (and the brand value that comes with it)Remember that you can't be "SOC2 Certified." And PFMEA is not always the answer to every question. Or is it?We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links.Thanks for listening!

Welcome to a very special Great Security Debate. If it is spring, it means that the annual Forrester “Top Recommendations For Your Security Program” report has come out, and we get to visit with one of the authors, Jess Burn. But this year, we get an added extra voice in that of Jess' Forrester colleague Jeff Pollard. Both Jess and Jeff share a ton of insight on topics from that report and a few others (see the links below for blog posts about most of them) In this episode we cover: * How (if) CISOs have been able to become “part of the business” and help colleagues understand that in 2023 security is business. * Board reporting by CISOs and CIOs and where/how we succeed and fail. * Talent shortages in infosec: a self-created nightmare? * Consolidation in times of austerity: right or wrong for security? Huge thanks to Jess and Jeff for joining (find their LinkedIn and Twitter in the links section). Even though Jess is legacy, we are pretty sure that Jeff will be welcomed back in 2024 with open arms. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for Listening! Special Guest: Jessica Burn.

This week, Brian, Erik, and Dan look into the security impacts of last week's Silicon Valley Bank closure, both from a direct security risk, but also what we can learn about risk from the events leading up to the incident that we can apply to our information security responsibilities. Brian kicks it off with a great description of how Silicon Valley Bank got here (based on what we knew on 12 March 2023 - subject to change as more becomes known after). And from that, we go some of the direct and indirect lessons and implications such as: Fraud attempts amongst a bevvy of legitimate bank account payment change requests from companies. Check from a known source before changing where you pay. Putting all your eggs into one (infosec or financial) basket can be risky. And risk can bring great rewards, or great resentment Evaluating vendors for where they bank as part of third party risk management (or not) Clear insight to tough choices that have to be made to keep small business and startups running - sometimes that's not “doing every thing of security” Business continuity planning requires a more realistic “yeah that could happen” when doing the review Remember that there is no such thing as no risk, just determining the right balance of (realistic) risk and downtime for your organisation If one vendor goes away suddenly, what happens? What about if 6 go away all at once? Diversity of suppliers vs. focusing on basics in the security stack Along with some strong recommendations (or maybe they are warnings) for our security vendor listeners on how not to use this incident as a sales tool (tl;dr: DON'T!), there are a few correlations to the automotive industry. And check out the book club recommendations in the show notes on our website www.greatsecuritydebate.net, too. Since we recorded another bank, Signature Bank, has also been closed and placed into receivership. On behalf of all of us at Great Security Debate, we wish all those affected either as companies of these banks or their customers good wishes and hope for good news ahead on the recovery of funds. Thanks for listening!

The Great Security Debate Book Club is in FULL force this week as we talk about life after you've gotten the job in information security and are looking for the growth and promotion that come as you grow your career. Check out the show notes on our website www.greatsecuritydebate.net/48 to get links to all the books, articles, and references we discuss up through the show. A mere appetiser sized sampling of the topics we cover in this hour include: What does it mean to “return to normal” in work in 2023? How do you grow in your role once you are in the Infosec field? The “old-man” perspective on entitlement in growing within jobs What approaches work (and don't work) when asking for promotions, raises, new roles, within your organisation Conversely, how to approach getting responsibilities added with out getting additional compensation Using the word “I” vs “We” when talking about a job and your team What to consider the factors and risks outside the office when looking at role and organisational growth The importance of knowing the difference between what you want to say vs how it will be received when read by the recipient What do you do when you find yourself as (or think you are) the smartest person in the room? What resources can people use to get ready for their next growth step at work? How can networking and mentoring be valuable to find the next position? Since it came up a few times in the show, remember that not every securty career path ends with becoming a CISO, or nor should we expect that everyone in infosec wants to become a CISO! We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Insurance for information security is changing. Recently some reports came out that there were moves by insurance companies to leave the cybersecurity insurance market - that it was uninsurable. Dan, Brian, and Erik discuss on this week's Great Security Debate: What happens now that cybersecurity insurance is built into contracts and requirements by customers doing business with other companies? Are the carveouts such that it's easier to just pay and not inform insurance that you want them to pay for the incident? Does having “easy” insurance give too many orgs a pass on having to actually improve their security control sets? How do insurance “formularies” make companies less secure by not letting them buy the newer, better technologies? Conversely, how does the formulary of products help prevent from buying junk tech that calls itself “security”? How does the threat of nonpayment of expenses and losses by insurance companies after the fact affect organisational security decisions for or against the formulary? How is relying on insurance to determine tech standards the same as the EU demanding all chargers be USB-C? Does insurance go away altogether? Do we want it to go away? What is the law of the horse and how does it apply to insurance in information security? Can shifting downstream supplier risk into insurance really work to reduce risk? Is security a cost centre, a cost of doing business, or a potential profit centre for orgs? Should we shift from insurance mandate to “figure it out” How does the conscious decision not to patch because the patch causes worse issues affect the insurance coverage? How can we balance the expectation with our technology suppliers to maintain support longer, especially on IOT or high-cost, long life devices? Can a move toward clear, yet broad expectations on controls be enough to meet security expectations for insurance without prescriptive formularies of technology and process? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Welcome to the year-end 2022 episode of The Great Security Debate. In this hour, Brian, Erik, and Dan cover myriad ways hiring processes are failing job seekers and hiring organisations. It all kicked off with the impersonal nature of automated 1-way video interviews. It quickly jumped into the myriad of other ways we can do better on both sides, including (but not limited to): - Do video interviews encourage fraud? Multiple jobs for one person? A fake version of you applying for a job? - Why are hiring managers and HR using video interviews? Are there legitimate reasons? - Does the lack of ability to assess the candidate's response to the interviewer's response makes the interview less effective? - What is the impression left when a candidate is immediately rejected based on analytics and matching, not human interaction? - What's the value of using your network around a broken applicant system? What do we lose by only depending on our networks for hiring? - How do these recorded methods exclude introverts and others that may not be camera comfortable in their presentation skills? - Can and should there be roles for people at higher levels that don't include people management? - Is “AI” (term used in quotes on purpose) really the antithesis of diversity or inclusion? - How is connecting people to others and helping them expand their networks better than sending resumes to people you know? - In times of cash crunch, will hiring come from experienced people having been let go from roles, or hiring entry-level and ups killing them? You'll also get a few mentions of Buzzword Bingo; the shocking revelation that Brian works for a vendor; and Dan goes on a tirade about new software that does recording and analysis in Zoom meetings with and without permission. It's another great debate! We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

Recorded on Saturday 29 October 2022, at the tailgate before the University of Michigan vs Michigan State University (American) football game, Brian, Erik and Dan chat about the news of the day, with more than a few correlations back to football. And we had a special guest join us, too: Zah Gonzalvo Rodriguez (https://www.linkedin.com/in/zahira-zah-rodriguez-gonzalvo-1a97692/) There was an upcoming OpenSSL vulnerability hitting the world this week. How would Software Bill of Materials (SBOM) make the response easier? A reminder of our dependence on the stability and security of some very core tools (like OpenSSL) to run our businesses. Mot to mention the fact that such tools are often within the libraries we use and don't even realise it's there. Similarities between football and security in the need to adjust based on what the other team shows signs of throwing at you, and further based on what they actually bring to the line. How repeatable process and inventory help make the response to these vulnerability disclosures less like a firedrill and more like standard ops. Did you know that credit ratings are being affected by information security posture and breach response? Same thing with M&A and investment valuation… if you're not as mature in security and privacy you may see a discount taken on your value! How transparent should we be with the peer companies and the public world about our security posture (like incident response plans, and security controls in place)? And if you're curious, you can find out what team Dan (the lifelong Badger) was supporting in the game. Congratulations to the University of Michigan in later winning this game, and to both teams for keeping the rivalry alive and spicy. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

This week's debate comes amid a combo platter of increased analytics leading to near-immediate contact when visiting a product's website, along with more clarity from enforcement bodies about how they will approach their respective privacy legislation. One such fine was the Sephora CCPA matter in which California Attorney General levied a $1.2M fine on the company ([https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement]) Listen in to hear Dan, Brian and Erik talk about: * Are privacy and shareholder value at odds? How does protecting the privacy of the consumer help shareholder value? * A reminder that security and privacy can serve as a business differentiator * How to deal with the reputation of a company being set by misleading headlines (and people not reading the actual article/detail)? * Does better privacy practices in companies lead to reduced data for sale on the illicit market? * Does just “saying no to data collection” by companies make for a better privacy posture? * How long should (vs. how long do) you hold onto data? * How will companies be judged in the future by how they manage data today? * Are ads themselves the source of all our problems? * Why does the push for more advertising to reduce costs increases the push for more data collection? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!

We've all seen it (or been it): a new boss arrives at the company and quickly thereafter a bunch of their old colleagues get hired. It feels like they are getting the band back together at the new place. What does that say to the organisation about that leader? What does doing the opposite (pausing, growing from within) say differently? Brian, Dan and Erik discuss, debate and dissect this from a few angles, including some of the following: The power of threes: Three paths when you come in as a new leader: bring your own, nurture within, hire all new. And the three arcs of a company - startup/scrappy , growth/maturation, steady/run. Two critical skills we wish we were taught in school and earlier in work: communications and public speaking The impacts on culture on leadership and how they approach the staffing question, and how you bring people in will be the biggest impact on the culture of the organisation How can metrics hide the actual performance of the team? Are the CISO retention numbers as bad as the urban myth ? Are CISOs staying longer than we think they are? What organisational situations drive leaders to resort to bringing in the people they know and trust vs. Trusting those already there? How does growth by acquisition change the way we approach the listening and staffing of our teams and supporting our organisations? Approaches to finding people to provide new perspectives, without having already worked with them directly? How does geographic culture affect the decision on how to staff your team as a new leader in an organisation? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!

Are we getting subscription overload? The move to more and more subscriptions is good for those selling, but are they good for those buying, too? Do subscriptions offset by other non-cash costs (e.g. data collection, advertising) reduce subscription fatigue? How does that fit into the security product world? What are the risks of making security technology only for those that can't afford it? Why are the ad-supported versions more heavily marketed than the no-ad versions? How do subscriptions encourage continuous development of software and features? What about innovation? What's a persistent feature, and what can be revoked or shifted into a different subscription tier (take a look at Slack's recent move to make the free tier way less valuable and encourage the need to move to a paid tier) Do the combinatoric vastness of features that can go on and off based on the subscriptions you buy introduce an unnecessary or unsafe risk of not working well together in specific combos? What are the legalities of jailbreaking your software rather than paying to activate it by subscription? How does doing so affect the liability and effectiveness of the product? We also talk about some things unrelated to subscriptions (and cars)! * What is needed to adapt your communications (and subscription sales pitch) to VC/PE vs the CIO/CISO at a company? East coast vs west coast? Etc. * Tips for job candidates on looking for public info on what a company thinks is important from security and risk (hint: it's SEC filings like the 8-K and 10-K!) Tune in to delight as Dan rants in Yiddish and then mess up the name of some of the most popular movies of our time. Enjoy seeing (or hearing) Erik get on a soapbox stumping for Sig Sigma. Binge on Brian talking about automotive manufacturing (who knew) and for once not be broadcasting from a "train station". We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening agai Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!

It's the dog days of summer here in the northern hemisphere, and we have some episodes to make the hot, muggy days go by faster (or the drive up to the cabin in the woods to escape it all). This week Dan, Brian and Erik talk about what it takes to be a Virtual or Fractional CISO. Does someone that calls themselves one need to have had in-house CISO experience to do the job? Or do the fresh perspectives of someone that doesn't come with history benefit the organisation in a different way? Risks, challenges, and talking to Boards of Directors definitely have a strong place in the debate (and we hit on all of them) We will be back with more episodes through August and then back to our usual bi-weekly pace as we hit the autumn. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. If you're watching on YouTube, we are very sorry for the video sync issues this week! The sound is great, but one of our hosts does a very poor Milli Vanilli impression. We are writing up the root cause analysis documents and issuing CAPAs to keep it from happening agai Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!

Dan, Brian and Erik look at how the past informs our security future, and how things we have done in the past may not get us where we need to be in the future. Join us for a live podcast recording with live audience Q&A, direct from the MCWT Executive Connection Summit. In the live recording we covered a flurry of topics focused on changing ourselves, refreshing ourselves and renewing ourselves including: * The barriers to entry to get into the security field * Experience vs. education requirements in security hiring * Changes afoot in hiring appetite as recession looms * Reporting requirements by public companies on breach or security events * Security beyond just confidentiality * Improvements that can be made to the hiring process * And lots more! Huge thanks to the wonderful team at the Michigan Council on Women in Technology (https://mcwt.org) for asking us to be part of this great event bringing the Michigan technology community together to build connections. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availability or benefits from these affiliate links. Thanks for listening!

This week on The Great Security Debate we have arrived at one of our favourite episodes of the year (and what is and will be an annual thing!) when Forrester Senior Analyst, Jess Burn, returns to the show to share this years recommendations for security programs. An overarching theme of the report is to use the captital that the CISO has acquired over the past few years and build out your program to where it needs to be. AKA, “strike while the iron is hot” More detailed topics including: - Career paths and changes in comp methodology for security teams need to change - Security Awareness needs adjustment for work for anywhere - Minimum viable security - it's definitely not just “barely secure” And a reminder that Dan, Brian and Erik will be doing a live episode of the podcast at the upcoming Michigan Women in Technology ExecutiveManagement Conference on May 5 in Novi, Michigan. Tickets for the whole conference are now available (https://MCWT.org) and the agenda for the day is great. See you there If you want to listen to Jess's previous episode, check out Episode 20, “It All Comes Down To Relaltionships.” https://www.greatsecuritydebate.net/20 You can find Jess on LinkedIn (https://www.linkedin.com/in/jessburn), Twitter (https://twitter.com/jessburn) and at the Forrester blog (https://go.forrester.com/blogs/author/jess_burn/). Thanks for joining us, Jess! And thanks to you for listening and watching. Special Guest: Jessica Burn.

The Great Security Debate rolls on, this week looking at how governments, regulations and business values are and will shape the security posture of enterprises. Is attribution worth pursuing to the end? How can state and federal law enforcement help figure out who and what happened after an incident? Fast (agile) vs good (quality) vs cheap (cost) Are you chasing the right metrics in your organisation? Do they encourage the right behaviour? Is regulation required to make good security a greater market force? What will the regulations emerging in the US focus on? The “what”, the “why”, the “how”, or the “who”? How will they change when and how companies report material breaches? How does attribution of attack correlate to insurance coverage? How do IR firms fit into the equation? Erik, Dan and Brian also announce that the podcast is going LIVE and On the road. On May 5, Great Security Debate will be recording a live episode at the MCWT Executive Connection Summit in Novi, Michigan! More info and registration details are at https://mcwt.wildapricot.org/event-4630370. Ticket sales begin on 18 April 2022. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!

Recently, Brian, Dan and Erik had the great fortune to do a live version of the podcast at the monthly meeting of the SIM Detroit Chapter (https://chapter.simnet.org/detroit/home). At the close of that discussion, the comment was raised as to whether or not security should be used as a competitive advantage by businesses. The topic seemed perfect for The Great Security Debate, so here we are. In this episode, we cover: Can security be used as a business differentiator? SHOULD security be used as a business differentiator? If security is added too deeply into the sales cycle does it incentivise the wrong behaviours just to make a sale? How can we quantify the value of security in the purchasing process when it is not easily attributable to direct cost saving or value? How do closed systems compare to open systems with regard to security? How does the rise of customer trust as a key organisational focus indicate the use of security as a business differentiator? Do the fears that using security as a differentiator means that the collaborative nature and history of security will disappear? We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!

Current global events have led to increased focus on technology security. In this week's episode we debate to what extent this does or will confirm the rise of the information security roles within organisations. Our thoughts and good wishes go out to the people of Ukraine. Do current events confirm that the rise of the CISO organisation was warranted? How do CISOs sleep at night considering everything going on? How to reply to the question “what else should we be doing?” Are the attacks the primary objective or are they a smokescreen? How does the game of chess tie into to information security practises? What is the CISOs role in reducing FUD (fear, uncertainty, doubt)? Will current information it pay for acts of war? Does it raise our collective stature? Why is humility so important in the information security world? The underlying message is that while it is late in the process now to do all the steps to protect your organisation, it's never too late to get started! We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!

This week's episode was sparked by a recent TechCrunch article https://techcrunch.com/2022/02/01/free-agent-series-a/ asking whether tech workers should have agents to negotiate their salaries. We took up the debate on this and a few adjacent topics including: The Great Resignation's impact on working habits Should security practitioners and leaders be represented by “agents” to negotiate better compensation for roles? What are the ways that formal agents exacerbate bias and increase the gaps between levels? The importance of networks for getting advice to help you be your own “agent” Is it the Great Resignation or the Great Realisation? How do ethics and values play into staff's desire to go to or stay at a company? At different levels in one's career who can help be your agent of change?
We should not be afraid to talk about our salaries and numbers And yes, those are Pączki on Brian's hat. If you are not sure what this about, take a look at the video version on our YouTube channel https://www.youtube.com/watch?v=CAYRL1flZic We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!

We got a message from a listener asking for some discussion about putting the data first and securing it with that mind - the inside out, rather than looking at the perimeter and infrastructure and working back toward the data - outside in. And since we love our listeners and your feedback, we took the chance to cover this topic in depth. In the process we also covered: * Data Loss Prevention - Is it possible to improve this without the painful data classification, startup work or culture change? * When doing data analysis for attacks (or fraud) you have to account for the fraud already baked in the normal you know today * We can't meaningfully count on IP address for geography…thanks to security asking for more use of VPNs * The pros and cons and risks to ponder when securing data in on premise vs. cloud/SaaS arrangements * When is the right time to establish a security team in a growing company? And how bad will the data sprawl be when they arrive? * Will the CTO/CIO and the CISO merge into a single role? Will the CIO report to the CISO eventually? It depends, of course, on the people and the organisation * Controls today may not be the controls we need for tomorrow * We try to secure things, but there's also important value in good use of data to improve a business * Sunk cost fallacy and Security: when to burn it all down and start over * Audit is the best friend of the CISO: a new set of eyes and accountability partner makes all the difference Dan also goes on a small tirade over the way security professionals use the term “the business” as something distinct from the security team that is absolutely part of the business itself. Enjoy that soapbox moment. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes. Some of the links in the show notes contain affiliate links that may earn a commission should you chose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you do use them. We do not make our recommendations based on the availabliity or benefits from these affiliate links. Thanks for listening!

Some say that Log4J is the gift that keeps on giving, much like the Jelly of the Month Club. After the initial surge of discussion a couple weeks ago there were mitigations, a vaccine and multiple iterations of official patches to keep the issue at bay and the new ones that cropped up afterwards. Brian, Dan and Erik discuss the log4j vulnerability as it relates to enterprise systems, supportability, balancing the risk of patching and the ways that open-source software are used within the enterprise. Join us this week as we cover: The Log4J vulnerability and saga in a nutshell The pros and cons of waiting to patch until there's a stable one vs. patching again with each iteration and risk my system's stability The critical need for system and application (and library) inventory and keeping up to date How best to react when the media and public discussion picks up on a vulnerability and causes a stir The challenges in the flurry of email and surveys from and to SaaS and service providers about their state on the vulnerability of the day What is the cost of "free" when it comes to running (and maintaining) open source software like Log4j How to make sure procurement departments are not just involved but include the risks of procurement decisions into the process Are the external capability assessments like SOC2 able to move beyond perfunctory review by those asking for them We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

It's a sports analogy-filled episode of The Great Security Debate, but don't let that scare you away. This week, we cover a whole host of topics, primarily focused on the ideas of simple vs. complex and best-of-breed vs. tightly integrated when dealing with technology, change, process or securing your environment. Pace of change in security is ridiculous right now How does reducing complexity and technical debt improve security and technology? (Said differently: simplicity is the heart of good security) Tech is nothing without process or people (see Episode 29 - People Process and Product (https://www.greatsecuritydebate.net/29)) Can security vendors be everything to everyone? In what environments do "suites" give better security balance than "best of breed"? What are the risks and benefits of a set of suite technologies vs. best of breed? How does securing your organisation parallel with American Football? What's changing in how we buy technology (and security technology)? Shorter contracts, even if it means less "savings"? Should we invest in security technology heavily up front to win one battle at all costs, or plan for the long-term war? Note that all American Football references were to games that had not yet been played at the time of recording. Congratulations, University of Michigan Wolverines on winning the Big Ten championship later that evening. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

In security (and elsewhere) the long game is often overlooked in lieu of short-term advances and accomplishments. From building security into the culture of an organisation to setting goals and objectives for leaders and staff, being strategic in your security approach is critical. In this episode we cover: * How to balance an organisation's drive to shareholder value over the short term with the need to invest strategically in security, privacy and compliance * What are we doing wrong by throwing technology alone at security problems (and not looking at the process or people issues along the way) * Does proceduralising security or training up staff reduce the efficiency of the organisation or set up the org for longer-term efficiency? * Degrees vs. experience? And the ever deteriorating definition of "entry level" * The impact and importance of building the time in to train entry-level staff vs. hiring "ready now" experienced people (if you can find them at all) We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Security has truly gone mainstream. From late night television jokes to state governors not knowing how technology works, as a profession and a vocation, we have arrived. Jimmy Fallon has jokes about security on his show What are the implications of out of date security laws that define what it is to “hack” systems? Keep in mind that some were written as much as 30+ years ago! Is it security's job to know all the tools in place? Or the business to approach security to help make their tools secure? Is viewing publicly available information or information pushed to your browser actually hacking, or is it legal/OK? Creating laws that stand the test of time is hard. And subject to lots of lobbying. CISO Liability and visibility based on the prominence of the role. Does this lead to targeting to discredit? (think: false social media profiles and deepfakes) Offensive techniques and what happens when companies go offensive against attackers? Prevention as a growing tactic by security teams - especially when life is on the line in the products we make SPAM: is it food or is it email? When is the right time to bring security into your startup? Weaving it in when it is young! We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

In the adage "people, process, technology" the technology comes last in the list for a reason as it is only as good as the people and processes that surround and support it. In this week's Great Security Debate we cover a range of topics all focused on the importance (and impacts) of the people and the process as key to the success of security technology. Said differently we can throw all the tech in the world out there, and it does no good without the other two. Around the world, in some locations government drives commercial security innovation, and in others, commercial interests drive government security adoption. Where is that innovation coming from? The recent rumblings that security insurance policies may soon come with "buy lists". What impacts on the efficacy of controls come when the tech is chosen for you. And how do we guarantee the genuineness of how such a formulary was created. What can security learn and use to teach the wider business world about availability and resilience from the current supply chain impacts taking place in manufacturing or consumer goods after COVID-19? Tune in to this week's episde to learn all about these and more. Show links below have the details of articles, items we cover in the episode. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head over to https://bit.ly/gsdyoutube and watch, subscribe and "like" the episodes.

Over the past 18 months, the way we work has changed including within the security field. On this episode of The Great Security Debate, Dan, Brian and Erik dig into some of the long-term implications of working today and beyond. From remote work to in-person or hybrid : what works best? Does security have a talent shortage, and how is it exacerbated by leadership issues? Was innovation and productivity stifled during COVID by remote work? How to build strong remote teams and learning from the history of global remote teams? Does remote work help or hurt the chances for smaller orgs to get good talent? Is money the biggest driver for people in work? How does mission and team comfort play in? Can we change culture of long-standing in-person culture enough to support remote/hybrid work? Which is better to look at, certifications or experience? What role does influence play in leadership and innovation, especially in non-management roles? This episode is available in both audio and video formats. The video edition is on our YouTube channel along with a growing collection of video from previous episodes. https://youtu.be/p099pC4dh3A Get notified via email when each new episode is published, and find out about exciting new projects from The Great Security Debate team. Sign up here: https://newsletter.greatsecuritydebate.net Thanks for listening! Tell your friends and let us know your comments, feedback and ideas for future Great Security Debates.

A recent visit by US companies to the White House sparked a debate between Dan, Brian and Erik about how to improve security. Was the result useful to the cause, or useful to the marketing goals of the attendees? The risks are high, but are the responses going to move the needle? We discuss on this week's Great Security Debate. Leave some feedback, give a thumbs up, a star or whatever your favourite podcast app prefers, and tell your friends about the podcast. Thanks for being a listener!

If you want to check out the new video edition of the podcast, please go to: https://youtu.be/FBBmA9YDNfQ where you can subscribe, give thumbs up and ring bells like YouTubers have been asking you to do for years. You know the drill. Also, our apologies for the hum in the audio throughout the entire episode. The problem has been identified and the source (Dan) has been taken out back and schooled on the difference between mic-level and line-level audio feeds. He promises it won't happen again... often. Now, on to the show. This week, Dan, Brian and Erik tackle the recent changes announced by Apple regarding moves to protect children from online predators and from the passing of illegal material about children. The project has three parts, each with its own benefits and concerns. We cover them each individually: First, the scanning of messages inbound to minors (Under 18s) on a Apple Family Sharing account in which images are tested for inappropriateness, blurred and the child alerted that they may be about to look at something that they may want to reconsider. If they are under 13 and decide to view the image the parents are notified. This is an opt-in programme and parents decide whether or not to join for the family. Next comes the proactive scanning of iCloud Photo Library stored at Apple. For a long time many have wondered why end-to-end encryption had not been put into iCloud, and this is a likely factor. The photos are tested against the hashes of a set of known images containing child pornography and issues are raised to the authorities. This is and has been happening on other cloud photo services including Microsoft and Flickr for some time. Finally, and most controvertially from a privacy perspective, Apple is implementing a proactive test of the hashes ofphotos stored on customers' Apple devices against this same set of known images. In the US there is no law that prevents this but runs counter to the marketing emphasis Apple has placed on the privacy of data within their devices. The method is rather intricate and strives to prevent Apple from seeing anything unless it suspects there are systemic child pornography issues at bay. These technology approaches change the game for prosecutors and law enforcement, and they expose issues earlier. But what happens when this capability gets expanded, or brought into law as mandatory for use against its citizens who speak out politically, or is taken over by bad actors? Look at the link in the show notes regarding the keys the TSA made for physical locks at the airport - every hole is a potential future vulnerability. Does the end justify the means? We discuss in depth on this week's Great Security Debate! If you want to support the efforts of The Great Security Debate, please feel free to become a patron and get some cool benefits of supporting this independent show - https://www.patreon.com/securitydebate

Get notified in an email every time a new episode of The Great Security Debate drops, or when we announce in-person episode recordings (coming soon)! Sign up for our newsletter: https://newsletter.greatsecuritydebate.net Dan, Brian, and Erik find themselves debating whether or not the new up-to-$10M reward for information regarding ransomware and other attacks will make a material difference in the upward trend in technology as a weapon. What are some non-technical examples of ransomware (hint: it involves warm weather islands and boats and flags with skulls) How will the new ransomware bounty work? Will it work at all? Who sets the definition of "minimum viable security?" Who should and who can set that definition? Can we get beyond human nature to take advantage of a situation that is beneficial to them? What other economic impacts take place if we can eliminate bad actors (other than a lot of out-of-work security practitioners?) Tune in and enjoy this episode of The Great Security Debate. Please let us know your thoughts by leaving rating feedback in your podcast app, and/or sending us an email to feedback@greatsecuritydebate.net. Thanks for listening!

Recently a lot of newsworthy security incidents have taken place. A common thread through many is not that they were sophisticated or required lots of time to plan and execute, or even that the victim had not invested in a lot of whizbang security technology which led to them not noticing the attack. The common thread much more simple: that fundamental security measures were not being taken by the organisation. Things like turning off accounts when people left the organisation, removing disused technology from the network, and the reuse of passwords by staff amongst public-facing and internal systems. The fundamentals make it easy for attackers to get into networks and systems, both enterprise and personal, and are all things that we can each work on individually and within our organisations to improve and make the attacks that much harder for the bad actors to execute. This week's episode discusses those fundamentals and how to approach them. The "slide" that is often referenced in the episode comes from a talk that Dan gave to the National Information Standards Organisation (NISO) last week on why it was so important to maintain the security of their systems. The whole presentation deck is available at http://slideshare.net/secratic/security-is-an-enabler-not-securing-is-an-inhibitor-249421889 and the specific slide is on Slide 8. Thanks for listening. You can subscribe to the podcast on your favourite podcast application or by visiting our website https://www.greatsecuritydebate.net/subscribe. Please let us know what you think by leaving a comment in the podcast application's rating section or emailing us feedback@greatsecuritydebate.net

A wide range of cause and effect discussion in this week's episode. What happens when a cellphone gets compromised for one purpose and has unrelated, follow-on consequences? Will there be material impact from the recent decrees, executive orders and vocal support by President Biden that additional focus is required on information security, ransomware and corruption? What are the downstream impacts of paying, and not paying a ransom and what happens if they are prohibited by law? Is doing the mininum amount of security OK, or is the minimum not really the required minimum? And more on the security position on data lakes, too. Join Erik, Brian and Dan as they count their pieces of flair and determine if we are the right fit to keep working at Flingers.

The news of the week includes discussion about some changes to Amazon's home devices including Echo and Ring with the activation of their Sidewalk Network on all those devices by default and the potential for both ubiquitous connectivity for IoT devices, and the possibiity of abuse of the data that is seen . Brian, Erik and Dan also talk about the impact that the launch of the new Apple Application Tracking Transparency (ATT) program which asks users if they want to be tracked (spoiler alert: they very much do not). This will impact ads and apps that depends on ads pretty heartily, and we debate the pros and cons. Enter the data lakes (troves of data just waiting to be mined by companies to find "interesting things" (or targets for attackers). We really appreciate your feedback, both through subscribing and rating on your favourite podcast application, and by email to us at feedback@greatsecuritydebate.net Thanks for listening!

We got asked by a listener to help answer the question, "Why Does My CISO Hate Me?" While we may not be privy to the exact situation in play there, we are pretty sure that no one's CISO truly hates them (but they may not be fond of all the things that everyone does all the time). In the debate today, we talk about some of the things that challenge CISOs including: Security is more than just confidentiality... there's also integrity and availability Undocumented processes and changes make it hard to figure out where things go wrong Security is a bidirectional partnership, not an Q&A/task queue from the rest of the organisation, nor the acceptor of risks Please ask questions if you are concerned about something or want more info, or even if something sort of smells fishy (or phishy). There are no such thing as stupid questions, only unasked ones. We also highlight a number of the things that CISOs and security teams can improve on to build better and stronger relationships across the organisation, too, such as: * Better listening and asking good questions * Understanding the business through servant leadership * Helping to determine what is most important to the business (and what needs to be protected) We are all heading toward a common goal, so let's work together to accomplish it! Thanks for listening. Until next time...

We open season 2 with a new format: guests! Our first guest, Jessica Burn, has been working closely with CISOs and the security industry at Forrester where she is a Senior Analyst covering the role of the CISO, Incident Response, Zero Trust Strategy and Continuous Controls Monitoring. Dan, Erik, Brian and Jess use a new Forrester report about recommendations for security programs in 2021 as the basis for the discussion (and debate), including a few major themes: The impacts of the consolidation of technology, both in security and the wider tech arena Balancing the monitoring and the privacy when tracking employees as they work remotely as a result of the pandemic Securing what you sell both because you need to, but also because it is good for your business Where are our inventories and why do we still generally fail at knowing what systems we have Of course, third party risk management. It's a mandatory "slide 3" on every board presentation, of course. We still debate, we still discuss, we still shift the discussion to automotive and manufacturing from time to time, but now we have some additional voices to add to the debate, too. Thanks so much, Jess! Special Guest: Jessica Burn.

Exactly one year ago, most of the population of the US was given the word to begin to work from home. Security and technology teams were large parts of the preparation for this change, and were also largely able to move their operations to a home office for the duration of the last twelve months. The last year has been one of constant "on", whether due to changing technology requirements that need to be worked on, increasing incident and response, 10 hours per day in front of the camera on Zoom, and filling what used to be commutes with (wait for it) even more work. Dan, Brian and Erik cover a lot of topics, including security of remote work, the mental health impacts of prolonged working remotely, looking out for ourselves and those in our lives, and reconnecting with those that we may have lost contact with over the years. The guys also share positive and negative observations about work/life from the past year, too. Please subscribe and leave ratings or feedback in your favourite podcast application! It really helps the podcast out a lot when you do!

This week we look at the security organisation through the looking glass. From within the org, the leaders and the partners and product/service providers we work with, we dig into some of the ways that security works with the rest of the business and customers, and how the needs of each org changes over time and necessitates the need for different mindsets to support those needs from a security perspective. CISO tenure, churn and average age compared to other C-levels How security applies to business value (or sometimes not in the obvious ways) What's better on an RFP response? More detail, or just yes/no answers? CISOs (and all security professionals) as storytellers Relationships with security product vendors, VARs and others selling into organisations on how to build trust and transparency and turn from selling into true partnerships Also, Dan successfully makes an automotive analogy; you can't miss that! We name drop a few friends who have shared insights that led to our comments today. Check them out and give them wave and a thanks from us! John Bingham (https://www.linkedin.com/in/johnbingham/), Chief Operating Officer at Speak by Design (https://www.speakbydesign.com) Jeff Pollard (https://www.linkedin.com/in/jpollard96/), VP & Principal Analyst at Forrester - https://twitter.com/jeff_pollard2?s=20 Enjoy the episode.

It's Valentine's Day and you get presents. Dan, Brian and Erik discuss the books, people and tools that they each love and changed their lives. None are specifically security-related, so see what's been impactful on each of them in this episode. The links are an especially big part of the episode, so take a look in your podcast app or on the site (https://www.greatsecuritydebate.net/17) to see all the recommendations and get more info about the topics and items covered.

The time for job change happens and there are a lot of things go along with it including. We cover a ton of them in this week's episode: - The reasons to make a career change - Deciding the time is right to make a change (and how do you know) - Taking our own advice when it comes to our own career change - The importance of support of family to make more drastic changes - The power of self-reflection and the need to let go of the present to achieve the future - The importance of strong personal and community networking in career growth - Impostor syndrome - Certification overload in security and privacy - Letting someone you know that it may be time for them to make a change And the quote of the day is from The Great One, Wayne Gretsky - you miss 100% of the shots you don't take!

We are 9 months into a period in which many workers, including technology and security professionals, are still doing their jobs remotely. Some have moved away from their primary homes, often without letting their company know that this has happened. As business processes catch up with this change in approach, some companies are taking steps to a) formalise work from home as a more standard offering, b) determine how to pay people wherever they are in the country/world, c) decide if in-person culture is key to their ethos, and how to deal with the new focus on remote work. In this week's debate, Brian, Erik and Dan chat look at these topics from the pros and the cons, and what it could be like if everyone stays remote, the benefits and risks of geographically independent pay scales, and more. Please take a moment and subscribe to the podcast in your preferred podcast application, and while you are there give soime feedback, either via a rating, or a comment, or both! We want to hear your feedback and ideas, so you can also email us at feedback@greatsecuritydebate.net (mailto:feedback@greatsecuritydebate.net) or on Twitter at https://twitter.com/securitydebate

A few weeks ago, a company called SolarWinds was discovered to have had some bad actors in placing things in their technology (code) for a while. How did it happen? What does it mean to others? We don't know all the answers yet but we do know that it means we will have to make some changes to things like those universally hated security questionnaires, and how we manage our own source code to ensure better security. Along with a discussion about how cow stomachs relate to information security, and Brian's invoking of The Art of War, there's something for everyone in this epsiode. Propeller head warning - this one's a bit more security "inside baseball" than other episodes as we dig into the recent SolarWinds technology attack and some of the ways that the technology and security practitioners can address issues that have been identified. It's still a "for everyone" episode, but we do go a little more in depth that we usually do in some parts. Let us know what you think! Please take a moment and subscribe to the podcast in your preferred podcast application, and while you are there give soime feedback, either via a rating, or a comment, or both! We want to hear your feedback and ideas, so you can also email us at feedback@greatsecuritydebate.net (mailto:feedback@greatsecuritydebate.net) or on Twitter at https://twitter.com/securitydebate

One of the ways that companies have tried to improve education and awareness about the risks of phishing is the use of phishing tests to see if colleagues click on the link or open the suspect attachment in an unsuspecting yet controled environment. If they do, some instant education comes their way. There are those that think that this approach keeps the topic at the front of everyone's mind, and there are those that think that it can have the effect of chilling the relationship between IT/Security and the rest of the organisation. There are a lot of variables in the equation like how you respond when someone clicks on the phish, how you encourage reporting of potential phishing and more, so the answer is a resounding "it depends." We also cover some of the increased security challenges that come with the now more common "working remotely," and what happens when you walk into an empty castle after having gotten past the moat and door, but there is no one inside to defend it.

A regular complaint by those who consume and use technology is that security adds friction to their process, which often means they get frustrated at the control put in their path, curse technology in general, or abandon the activity altogether. In today's episode, Dan, Erik and Brian explore the balance necessary to understand when certain controls (and the friction they add) are necessary, or can be made smoother. Each decision on reduction of friction has the potential for knock-on effects to the security, privacy and performance of the system and should be considered before making any change to the control. In some cases the conscious addition of friction is the better approach, too, especially to support transparency with users and enable meaningful, informed choices.

When bad things happen to the computers in your organisation, who is the first person you call? IT, the FBI, your general counsel, the insurance company? Today, Erik, Dan and Brian cover attacks, response and middle people negotiating with the attackers on your behalf. Other topics discussed include: - The risk of cheap IoT devices and long term support (or lack thereof), - Whose insurance policy covers the tree on your neighbour's land that falls and hits your house, - The law of unintended consequences when creating things, and - The joy of reading fake Amazon reviews