Podcasts about ciso

All links and images for this episode can be found on CISO Series Knowing is only one-third the battle. Another third is responding. And the last third is responding quickly. It's not enough to just have the first two thirds. We need to be faster, but how? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Jason Elrod (@jasonelrod), CISO, MultiCare Health System. Thanks to our podcast sponsor, Eclypsium Eclypsium is the enterprise firmware security company. Our comprehensive, cloud-based platform identifies, verifies, and fortifies firmware and hardware in laptops, servers, network gear and devices. The Eclypsium platform secures against persistent and stealthy firmware attacks, provides continuous device integrity, delivers firmware patching at scale, and prevents ransomware and malicious implants. In this episode: What can we do as a pragmatic first step to make our cybersecurity teams quicker and more responsive? Would continuous authorization and real time emergency messaging help? Should we improve test automation? What about people - better teaching & work conditions?  

In this episode of the Virtual Coffee with Ashish edition, we spoke with Stu Hirst (Linkedin-Stu Hirst) is the Chief Information Security Officer (CISO) of Trustpilot (@Trustpilot). Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Fred Wilmot (@fewdisc) Podcast Twitter - Cloud Security Podcast (@CloudSecPod) If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our YouTube Channel: - Cloud Security News - Cloud Security Academy

In this week's episode of CISO's Secret, Cyber Security Evangelist Grant Asplund hosts Julie Talbot Hubbard, SVP, General Manager - Cyber Protection and Identity at OptivOptivSecurity, Inc. is a privately owned information security company based in Denver, Colorado. Optiv defines itself as a security solutions integrator that delivers end-to-end cybersecurity services globally. Optiv has served more than 7,500 clients across 70 countries worldwide Layer 8 Authorized Check Point training Layer 8 Training is a leading provider of Authorized Check Point training in North America. Get thRed Education Training & Certifications Global Specialist IT Training Company with Award-winning experienced Instructors.

All links and images for this episode can be found on CISO Series Automation was supposed to make cybersecurity professionals' lives simpler. And it was supposed to solve the talent shortage. Has any of that actually happened? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Brian Lozada (@brianl1775), CISO, HBOMax. Thanks to our podcast sponsor, deepwatch Increasing ransomware attacks and their evolving sophistication have been putting more pressure on security teams than ever before. Luckily, managed detection and response (or MDR) has emerged as a critical component for improving security operations, reducing ransomware risk, and minimizing the overall impact an attack can have. Visit deepwatch.com to see how we help to prevent breaches for our customers, by working together. In this episode: Should we be disappointed with what automation has actually delivered? Is it a tools vs people thing? Should we be better at assessing the impact of automation? Should we change the way we hire to help with automation?

Ken Deitz, Chief Security Officer & Chief Information Security Officer at Secureworks, joins host Hillarie McClure to discuss how businesses can quantify cybersecurity risk in a way that guides investment decisions, how they can measure ROI, and more. Let's Talk SOC is a Cybercrime Magazine podcast series brought to you by Secureworks, a leader in cybersecurity, empowering Security and IT teams worldwide to accelerate effective security operations. To learn more about our sponsor, visit https://secureworks.com

Information is meant to be shared with others- others that is with a need to know. CISOs may find that their organization is sharing with other entities without proper procedures in place. What if there are 90 of these organizations? Join this podcast to learn from a healthcare CISO who tackled this dilemma and subsequently changed a government law!   To view the article from the CISO COMPASS Book that sparked this interview, please visit: https://securityweekly.com/wp-content/uploads/2021/10/CISOSTORIES_Samantha_Thomas_Article.pdf   Thomas, S. 2019. Privacy Hunger Games: Change the Rules. In CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, 1st Ed, pg 344. Fitzgerald, T. CRC Press, Boca Raton, Fl. www.amazon.com/author/toddfitzgerald   Show Notes: https://securityweekly.com/csp51 This segment is sponsored by Cybereason. Visit https://www.cybereason.com/cisostories to learn more about them!   Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: https://www.twitter.com/cyberleaders Follow us on LinkedIn: https://www.linkedin.com/company/cybersecuritycollaborative/

About EllEll, former SysAdmin, cloud builder, podcaster, and container advocate, has always been a security enthusiast. This enthusiasm and driven curiosity have helped her become an active member of the InfoSec community, leading her to explore the exciting world of Genetic Software Mapping at Intezer.Links: Intezer: https://www.intezer.com Twitter: https://twitter.com/Ell_o_Punk TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: It seems like there is a new security breach every day. Are you confident that an old SSH key, or a shared admin account, isn't going to come back and bite you? If not, check out Teleport. Teleport is the easiest, most secure way to access all of your infrastructure. The open source Teleport Access Plane consolidates everything you need for secure access to your Linux and Windows servers—and I assure you there is no third option there. Kubernetes clusters, databases, and internal applications like AWS Management Console, Yankins, GitLab, Grafana, Jupyter Notebooks, and more. Teleport's unique approach is not only more secure, it also improves developer productivity. To learn more visit: goteleport.com. And not, that is not me telling you to go away, it is: goteleport.com.Corey: This episode is sponsored by our friends at Oracle Cloud. Counting the pennies, but still dreaming of deploying apps instead of "Hello, World" demos? Allow me to introduce you to Oracle's Always Free tier. It provides over 20 free services and infrastructure, networking, databases, observability, management, and security. And—let me be clear here—it's actually free. There's no surprise billing until you intentionally and proactively upgrade your account. This means you can provision a virtual machine instance or spin up an autonomous database that manages itself all while gaining the networking load, balancing and storage resources that somehow never quite make it into most free tiers needed to support the application that you want to build. With Always Free, you can do things like run small scale applications or do proof-of-concept testing without spending a dime. You know that I always like to put asterisks next to the word free. This is actually free, no asterisk. Start now. Visit snark.cloud/oci-free that's snark.cloud/oci-free.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. If there's one thing we love doing in the world of cloud, it's forgetting security until the very end, going back and bolting it on as if we intended to do it that way all along. That's why AWS says security is job zero because they didn't want to remember all of their slides once they realized they forgot security. Here to talk with me about that today is Ell Marquez, security research advocate at Intezer. Ell, thank you for joining me.Ell: Of course.Corey: So, what does a security research advocate do, for lack of a better question, I suppose? Because honestly, you look at that, it's like, security research advocate, it seems, would advocate for doing security research. That seems like a good thing to do. I agree, but there's probably a bit more nuance to it, then I can pick up just by the [unintelligible 00:01:17] reading of the title.Ell: You know, we have all of these white papers that you end up getting, the pen test reports that are dropped on your desk that nobody ever gets to, they become low priority, my job is to actually advocate that you do something with the information that you get. And part of that just involves translating that into plain English, so anyone can go with it.Corey: I've got to say, if you want to give the secrets of the universe and make sure that no one ever reads them, make sure that it has a whole bunch of academic-style citations at the beginning, and ideally put it behind some academic paywall, and it feels like people will claim to have read it but never actually read the thing.Ell: Don't forget charts.Corey: Oh yes, with the charts. In varying shades of blue. Apparently that's the only color you're allowed to do some of these charts in; despite having a full universe of color palettes out there, we're just going to put it in varying shades of corporate blue and hope that people read it.Ell: Yep, that sounds about security there. [laugh].Corey: So, how much of, I guess, modern security research these days is coming out of academia versus coming out of industry?Ell: In my experience in, you know, research I've done in researching researchers, it all really revolves around actual practitioners these days, people who are on the front lines, you know, monitoring their honey pots, and actually reporting back on what they're seeing, not just theoretical.Corey: Which I guess brings us to the question of, I wind up watching all of the keynotes that all the big cloud providers put on and they simultaneously pat me on the head and tell me that their side of security is just fine with their shared responsibility model and the rest, whereas all of the breaches I'm ever going to deal with and the only way anyone can ever see my data is if I make a mistake in configuring something. And honestly, does that really sound like something I would do? Probably not, but let's face it, they claim that they are more or less infallible. How accurate is that?Ell: I wish that I could find the original person that said this, but I've heard it so many times. And it's actually the ‘cloud irresponsibility model.' We have this blind faith that if we're paying somebody for it, it's going to be done correctly. I think you may have seen this with billing. How many people are paying for redundant security services with a cloud provider?Corey: I've once—well, more than once have noticed that if you were to configure every AWS security service that they have and enable it in your account, that the resulting bill would be larger than the cost of the data breach it was preventing. So, on some level, there is a point at which it just becomes ridiculous and it's not necessarily worth pursuing further. I honestly used to think that the shared responsibility model story was a sales pitch, and then I grew ever more cynical. And now my position on it is that it's because if you get breached, it's your fault is what they're trying to say. But if you say it outright to someone who just got breached, they're probably not going to give you money anymore. So, you need to wrap that in this whole involved 45-minute presentation with slides, and charts, and images and the rest because people can't refute one of those quite the way that they can a—it's in a tweet sentence of, “It's your fault.”Ell: I kind of have to agree with them in the end that it is your fault. Like, the buck stops with you, regardless. You are the one that chose to trust that cloud provider was going to do everything because your security team might make a mistake, but the cloud provider is made up of humans as well who can make just as many mistakes. At the end of the day, I don't care what cloud provider you used; I care that my data was compromised.Corey: One of the things that irks me the most is when I read about a data breach from a vendor that I had either trusted knowingly with my data or worse, never trusted but they somehow scraped it somewhere and then lost it, and they said, “Oh, a third-party contractor that we hired.” It's, “Yeah, look, I'm doing business with you, ideally, not the people that you choose to do business with in turn. I didn't select that contractor. You did, you can pass out the work and delegate that. You cannot delegate the responsibility.” So no, Verizon, when you talk about having a third-party contractor have a data breach of customer data, you lost the data by not vetting your contractors appropriately.Ell: Let's go back in time to hopefully something everybody remembers: Target. Target being compromised because of their HVAC provider. Yet how many people—you know this is being recorded in the holiday season—are still shopping at Target right now? I don't know if people forget or they just don't care.Corey: A year later, their stock price was higher than it was before the breach. Sure they had a complete turnover of their C-suite at that point; their CSO and CEO were forced out as a result, but life went on. And they continue to remain a going concern despite quite literally having a bull's eye painted on the building. You'd think that would be a metaphor for security issues. But no, no, that is something they actually do.Ell: You know, when you talk about, you know, the CEO being let go or, you know, being run out, but what part did he honestly have to do with it? They're talking about, oh, well, they made the decisions and they were responsible. What because they got that, you know, list of just 8000 papers with the charts on it?Corey: As I take a look at a lot of the previous issues that we've seen with I've been doing my whole S3 Bucket Negligence Awards for a while, but once I actually had a bucket engraved and sent to a company years ago, the Pokémon Company, based upon a story that I read in the Wall Street Journal, how they declined to do business with a prospective vendor because going through their onboarding process, they noticed among other things, insufficient security controls around a whole bunch of things including S3 buckets, and it's holy crap, a company actually making a meaningful decision based upon security. And say what you will about the Pokémon Company, their audience is—at least theoretically—children and occasionally adults who believe they're children—great, not here to shame—but they understand that this is not something you can afford to be lax in and they kiboshed the entire deal. They didn't name the vendor, obviously, but that really took me aback. It was such a rarity to see that, and it's why I unfortunately haven't had to make a bucket like that since. I wish I did. I wish more companies did things like this. But no it's just a matter of, well, we claim to do the right thing, and we checked all the boxes and called it good, and oops, these things happen.Ell: Yes, but even when it goes that way, who actually remembers what happened, and did you ever follow up if there were any consequences to not going, “Okay, third-party. You screwed up, we're out. We're not using you.” I can't name a single time that happened.Corey: Over at The Duckbill Group, we have large enterprise customers. We have to be respectful and careful with their data, let's be very clear here. We have all of their AWS billing data going back for some fixed period of time. And it worries me what happens if that data gets breached. Now, sure, I've done the standard PR crisis comms thing, I have statements and actions prepared to go in the event that it happens, but I'm also taking great pains to make sure it doesn't.It's the idea of okay, let's make sure that we wind up keeping these things not just distinct from the outside world, but distinct from individual clients so we're not mixing and matching any of this stuff. It's one of those areas where if we wind up having a breach, it's not because we didn't follow the baseline building blocks of doing this right. It's something that goes far beyond what we would typically expect to see in an environment like this. This, of course, sets aside the fact that while a breach like that would be embarrassing, it isn't actually material to anyone's business. This is not to say that I'm not taking it seriously because we have contractual provisions that we will not disclose a lot of this stuff, but it does not mean the end of someone's business if this stuff were to go public in the same way that, for example, back when I worked at Grindr many years ago, in the event that someone's data had been leaked there, people could theoretically been killed. There's a spectrum of consequences here, but it still seems like you just do the basic block-and-tackling to make sure that this stuff isn't publicly exposed, then you start worrying about the more advanced stuff. But with all these breaches, it seems like people don't even do that.Ell: You have Tesla, right, who's working on going to Mars, sending people there who had their S3 buckets compromised. At that point, if we've got this technology, just giant there, I think we're safe to do that whole, “Hey, assume breach, assume compromise.” But when I say that, it drives me up the wall how many people just go, “Okay, well, there's nothing we can do. We should just assume that there's going to be an issue,” and just have this mentality where they give up. No, that gives you a starting point to work from, but that's not the way it's being seen.Corey: One of the things that I've started doing as I built up my new laptop recently has been all right, how do I work with this in such a way that I don't have credentials that are going to grant access to things in any long-lived way ever residing on disk? And so that meant with AWS, I started using SSO to log into a bunch of things. It goes through a website, and then it gives a token and the rest that lasts for 12 hours. Great.Okay, SSH keys, how do I handle that? Historically, I would have them encrypted with a passphrase, but then I found for Mac OS an app called Secretive that stores it in the Secure Enclave. I have to either type in a password or prove it with a biometric Touch ID nonsense every time something tries to access the key. It's slightly annoying when I'm checking out five or six Git repos at once, but it also means that nothing that I happen to have compromised in a browser or whatnot is going to be able to just grab the keys, send it off somewhere, and then I'll never realize that I've been compromised throughout. It's the idea of at least theoretically defense in depth because it's me, it's my personal electronics, in all likelihood, that are going to be compromised, more so than it is configured, locked-down S3 buckets, managed properly. And if not me, someone else in my company who has access to these things.Ell: I'm going to give you the best advice you're ever going to get, and people are going to go, “Duh,” but it's happening right now: Don't get complacent, don't get lazy, how many of us are, “Okay, we're just going to put the key over here for a second.” Or, “We're just going to do this for a minute,” and then we forget. I recently, you know, did some research into Emotet and—you know, the new virus and the group behind it—you know how they got caught? When they were raided, everything was in plain text. They forgot to use their VPN for a while, all the files that they'd gotten no encryption. These were the people that that's what they were looking for, but you get lazy.Corey: I've started treating at least the security credential side of doing weird things, even one off bash scripts, as if they were in production. I stuff the credentials into something like AWS's parameter store, and then just have a one line snippet of code that retrieves them at runtime to wind up retrieving those. Would it be easier to just slap it in there in the code? Absolutely, of course it would. But I also look at my newsletter production pipeline, and I count the number of DynamoDB tables that are in active use that are labeled Test or Dev, and I realized, huh, I'm actually kind of bad at taking something that was in Dev and getting it ready for production. Very often, I just throw a load at it and call it good. So, if I never get complacent around things like that, it's a lot harder for me to get yelled at for checking secrets into Git, for example.Ell: Probably not the first time that you've heard this but, Corey, I'm going to have to go with you're abnormal because that is not what we're seeing in a day-to-day production environment.Corey: Oh, of course not. And the reason I do this is because I was a grumpy old sysadmin for so long, and have gotten burned in so many weird ways of messing things up. And once it's in Git, it's eternal—we all know that—and I don't ever want to be in a scenario where I open-source something and surprise, surprise, come to find out in the first two days of doing something, I had something on disk. It's just better not to go down that path if at all possible.Ell: Being a former sysad as well, I must say, what you're able to do within your environment, your computer is almost impossible within a corporate environment. Because as a sysad, I'm looking at, “What did the devs do again? Oh, man, what's the security team going to do?” And you're stuck in the middle trying to figure out how to solve a problem and then manage it through that entire environment.Corey: I never really understood intrinsically the value of things like single-sign-on, until I wound up starting this company. Because first, it was just me for a few years. And yeah, I can manage my developer environments and my AWS environments in such a way that if they get compromised, it's not going to be through basic, “Oops, I forgot that's how computers work,” type of moment. It's going to be at least something a little bit more difficult, I would imagine. Because if you—all right, if you managed to wind up getting my keys and the passphrase, and in some cases, the MFA device, great, good, congratulations, you've done something novel and probably deserve the data.Whereas as soon as I started bringing other people in who themselves were engineers, I sort of still felt the same way. Okay, we're all responsible adults here, and by and large, since I wasn't working with junior people, that held true. And then I started bringing in people who did not come from a deeply computer-y technical background, doing things like finance, and doing things like sales, and doing things like marketing, all of which are themselves deeply technical in their own way, but data privacy and data security are not really something that aligns with that. So, it got into the weeds of, “How do I make sure that people are doing responsible things on their work computers like turning on disk encryption, and forcing a screensaver, and a password and the rest.” And forcing them to at least do some responsible things like having 1Password for everyone was great until I realized a couple people weren't even using it for something, and oh dear. It becomes a much more difficult problem at scale when you have to deal with people who, you know, have actual work to do rather than sitting around trying to defend the technology against any threat they can imagine.Ell: In what you just said though, there is one flaw is we tend to focus on, like you said, marketing and finance and all these organizations who—don't get phished, don't click on this link. But we kind of give the just the openness that your security team, your sysads, your developers, they're going to know best practices. And then we focus on Windows because that's what the researchers are doing. And then we focus on Windows because that's what marketing is using, that's what finance is using. So, what there's no way to compromise a Mac or Linux box? That's a huge, huge open area that you're allowing for attackers.Corey: Let's be very clear here. We don't have any Windows boxes—of which I'm aware—in the company. And yeah, the technical folk we have brought in, most of them I'd worked—or at least the early folks—I'd worked with previously. And we had a shared understanding of security. At least we all said the right things.But yeah, as you—right, as you grow, as you scale, this becomes a big deal. And it's, I also think there's something intrinsically flawed about a model where the entire instruction set is, it all falls on you to not click the link or you're going to doom us all. Maybe if someone can click a link and doom us all, the problem is not with them; it's the fact that we suck at building secure systems that respect defense in depth.Ell: Something that we do wrong, though, is we split it up. We have endpoint protection when we're talking about, you know, our Windows boxes, our Linux boxes, our Mac boxes. And then we have server-side and cloud security. Those connect. Think about, there's a piece of malware called EvilGNOME. You go in on a Linux box, you have access to my camera, keylogging, and watching exactly what I'm doing. I'm your sysad. I then cat out your SSH keys, I go into your box, they now have the password, but we don't look for that. We just assume that those two aren't really that connected, and if we monitor our network and we monitor these devices, we'll be fine. But we don't connect the two pieces.Corey: One thing that I did at a consulting client back in 2012, or so that really raised eyebrows whenever I told people about it was that we wound up going to some considerable trouble building a allow list within Squid—a proxy server that those of us in Linux-land are all too familiar with in some cases—so everything in production could only talk to the outside world via that proxy; it was not allowed to establish any outbound connections other than through that proxy. So, it was at that point only allowed to talk to specify update servers, specified third-party APIs and the rest, so at least in theory, I haven't checked back on them since, I don't imagine that the log4yay nonsense that we've seen recently would necessarily work there. I mean, sure, you have the arbitrary execution of code—that's bad—but reaching out to random endpoints on the internet would not have worked from within that environment. And I liked that model, but oh my God, was it a pain in the butt to set up properly because it turns out, even in 2012, just to update a Linux system reasonably, there's a fair number of things it needs to connect to, from time-to-time, once you have all the things like New Relic instrumentation in, and the app repository you're talking to, and whatever container source you're using, and, and, and. Then you wind up looking at challenges like, oh, I don't know, if you're looking at an AWS-style environment, like most modern things are, okay, we're only going to allow it to talk to AWS endpoints. Well, that's kind of the entire internet now. The goalposts move, the rules change, the game marches on.Ell: On an even simpler point, with that you're assuming only outbound traffic through those devices. Are they not connected to anything within the internal network? Is there no way for an attacker to pivot between systems? I pivot over to that, I get the information, and I make an outbound connection on something that's not configured that way.Corey: We had—you're allowed to talk outbound to the management subnet, which was on its own VLAN, and that could make established connections into other things, but nothing else was allowed to connect into that. There was some defense in depth and some thought put into this. I didn't come up with most of this to be clear, it was—this was smart people sitting around. And yeah, if I sit here and think about this for a while, of course there's going to be ways to do it. This was also back in the days of doing it in physical data centers, so you could have a pretty good idea of what was connect to the outside world just by looking at where the cables went. But there was also always the question of how does this–does this do what I think it's doing or what have I overlooked? Security's job is never done.Ell: Or what was misconfigured in the last update. It's an assumption that everything goes correctly.Corey: Oh, there is that. I want to talk though, about the things I had to worry about back then, it seems like in many cases get kicked upstairs to the cloud providers that we're using these days. But then we see things like Azurescape where security researchers were able to gain access to the Azure control plane where customers using Cosmos DB—Azure's managed database service, one of them—could suddenly have their data accessed by another customer. And Azure is doing its clam up thing and not talking about this publicly other than a brief disclosure, but how is this even possible from security architecture point of view? It makes me wonder if it hadn't been disclosed publicly by the researcher, would they have ever said something? Most assuredly not.Ell: I've worked with several researchers, in Intezer and outside of Intezer, and the amount of frustration that I see within reasonable disclosure, it just blows my mind. You have somebody threatening to sue the researcher if they bring it out. You have a company going, “Okay, well, we've only had six weeks. Give us three more weeks.” And next thing we know, it's six months.There is just this pushback about what we can actually bring out to the public on why they're vulnerable in organizations. So, we're put in this catch-22 as researchers. At what point is my responsibility to the public, and at what point is my responsibility to protect myself, to keep myself from getting sued personally, to keep my company from going down? How can we win when we have small research groups and these massive cloud providers?Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals. Having the highest quality content in tech and cloud skills, and building a good community the is rich and full of IT and engineering professionals. You wouldn't think those things go together, but sometimes they do. Its both useful for individuals and large enterprises, but here's what makes it new. I don't use that term lightly. Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks you'll have a chance to prove yourself. Compete in four unique lab challenges, where they'll be awarding more than $2000 in cash and prizes. I'm not kidding, first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey. C-O-R-E-Y. That's cloudacademy.com/corey. We're gonna have some fun with this one!Corey: For a while, I was relatively confident that we had things like Google's Project Zero, but then they started softening their disclosure timelines and the rest, and it was, we had the full disclosure security distribution list that has been shuttered to my understanding. Increasingly, it's become risky to—yourself—to wind up publishing something that has not been patched and blessed by the providers and the rest. For better or worse, I don't have those problems, just because I'm posting about funny implications of the bill. Yeah, worst case, AWS is temporarily embarrassed, and they can wind up giving credits to people who were affected and be mad at me for a while, but there's no lasting harm in the way that there is with well, people were just able to look at your data for six months, and that's our bad oops-a-doozy. Especially given the assertions that all of these providers have made to governments, to banks, to tax authorities, to all kinds of environments where security really, really matters.Ell: The last statistic that I heard, and it was earlier this year, that it takes over 200 days for compromise even to be detected. How long is it going to take for them to backtrack, figure out how it got in, have they already patched those systems and that vulnerability is gone, but they managed to establish persistence somehow, the layers that go into actually doing your digital forensics only delay the amount of time that any of that is going to come out where that they have some information to present to you. We keep going, “Oh, we found this vulnerability. We're working on patches. We have it fixed.” But does every single vendor already have it pitched? Do they know how it actually interacted within one customer's environment that allowed that breach to happen? It's just ridiculous to think that's actually occurring, and every company is now protected because that patch came out.Corey: As I take a look at how companies respond to these things, you're right, the number one concern most of them have is image control, if I'm being honest with you. It's the reputational management of we are still good at security, even though we've had a lapse here. Like, every breach notification starts out with, “Your security is important to us.” Well, clearly not that important because look at the email you had to send. And it's almost taken on aspects of a comedy piece where it [grips 00:23:10] with corporate insincerity. On some level, when you tell a company that they have a massive security vulnerability, their first questions are not about the data privacy; it's about how do we spend this to make ourselves come out of this with the least damage possible. And I understand it, but it's still crappy.Ell: Us tech folk talk to each other. When we have security and developers speaking to each other, we're a lot more honest than when we're talking to the public, right? We don't try to hold that PR umbrella over ourselves. I was recently on a panel speaking with developers, head SRE folk—what was there? I think there was a CISO on there—and one of the developers just honestly came out and said, “At the end, my job is to say, ‘How much is that breach going to cost, versus how much money will the company lose if I don't make that deployment?'” The first thing that you notice there is that whole how much money you'll lose? The second part is why is the developer the one looking at the breach?Corey: Yeah. The work flows downward. One of the most depressing aspects to me of the CISO role is that it seems like the job is to delegate everything, sign binding contracts in your name, and eventually get fired when there's a breach and your replacement comes in to sign different papers. All the work gets delegated, none of the responsibility does, ideally—unless you're SolarWinds and try and blame it on an intern; I mean, I wish I had an ablative intern or two around here to wind up a casting blame they don't deserve on them. But that's a separate argument—there is no responsibility-taking as I look at this. And that's really a depressing commentary on the state of the world.Ell: You say there's no responsibility taken, but there is a lot of blame assigned. I love the concept of post-mortems to why that breach happened, but the only people in the room are the security team because they had that much control over anything. Companies as a whole need a scapegoat, and more and more, security teams are being blamed for every single compromised as more and more responsibility, more and more privileges, and visibility into what's going on is being taken away from them. Those two just don't balance. And I think it's causing a lot of just complacency and almost giving up from our security teams.Corey: To be clear, when we talk about blameless post-mortems for things like this, I agree with it wholeheartedly within the walls of a company. However, externally as someone whose data has been taken in some of these breaches, oh, I absolutely blame the company. As I should, especially when it's something like well, we have inadvertently leaked your browsing history. Why were you collecting that in the first place? Is sort of the next logical question.I don't believe that my ISP needs that to serve me better. But now you have Verizon sending out emails recently—as of this recording—saying that unless anyone opts out, all the lines in our cell account are going to wind up being data mined effectively, so they can better target advertisements and understand us better. It's no, I absolutely do not want you to be doing that on my phone. Are you out of your mind? There are a few things in this world that we consider more private than our browsing histories. We ask the internet things we wouldn't ask our doctors in many cases, and that is no small thing as far as the level of trust that we place in our ISPs that they are now apparently playing fast and loose with.Ell: I'm going to take this step back because you do a lot of work with cloud providers. Do you think that we actually know what information is being collected about our companies and what we have configured internally and externally by the cloud provider?Corey: That's a good question. I've seen this before, where people will give me the PDF exploded view of last month's AWS bill, and they'll laugh because what information can I possibly get out of that. It just shows spend on services. But I could do that to start sketching out a pretty good idea of what their architecture looks like from that alone. There's an awful lot of value in the metadata.Now, I want to be clear, I do not believe on any provider—except possibly Azure because who knows at this point—that if you encrypt the data, using their encryption facilities—with AWS, I know it's KMS, for example—I do not believe that they can arbitrarily decrypt it and then scan for whatever it is they're looking for. I do not believe that they are doing that because as soon as something like that comes out, it puts the lie to a whole bunch of different audit attestations that they've made and brings the entire empire crumbling down. I don't think they're going to get any useful data from that. However, if I'm trying to build something like Amazon Prime Video, and I can just look at the bill from the Netflix account. Well, that tells me an awful lot about things that they might be doing internally; it's highly suggestive. Could that be used to give them an unfair advantage? Absolutely.I had a tweet a while back that I don't believe that Google's Gmail division is scanning inboxes for things that look like AWS invoices to target their sales teams, but I sure would feel better if they would assure me that was the case. No one was able to ever assure me of that. It's I don't mean to be sitting here slinging mud, but at the same time, it's given that when you don't explicitly say you're not doing something as a company, there's a great chance you might be doing it, that's the sort of stuff that worries me, it's a bunch of unfair dirty trick style stuff.Ell: Maybe I'm just cynical, or maybe I just focus on these topics too much, but after giving a presentation on cloud security, I had two groups, both, you know, from three letter government agencies, come up to me and say, “How do I have these conversations with the cloud provider?” In the conversation, they say, “We've contacted them several times; we want to look at this data; we want to see what they've collected, and we get ghosted, or we end up talking to attorneys. And despite over a year of communication, we've yet to be able to sit down with them.”Corey: Now, that's an interesting story. I would love to have someone come to me with that problem. I don't know how I would solve that yet. But I have a couple ideas.Ell: Hey, maybe they're listening, and they'll reach out to you. But—Corey: You know, if you're having that problem of trying to understand what your cloud provider is doing, please talk to me. I would love to go a little more in depth on that conversation, under an NDA or six.Ell: I was at a loss because the presentation that I was giving was literally about the compromise of managed service providers, whether that be an outsourced security group, whether that be your cloud provider, we're seeing attack groups going after these tar—think about how juicy they are. Why do I need to compromise your account or your company if I can compromise that managed service provider and have access to 15 companies?Corey: Oh, yeah. It's why would someone spend time trying to break into my NetApp when they could break into S3 and get access to everyone's data, theoretically? It's a centralization of security model risk.Ell: Yeah, it seems to so many people as just this crazy idea. It's so far out there. We don't need to worry about it. I mean, we've talked about how Azure Functions has been compromised. We talked about all of these cloud services that people are specifically going after and being able to make traction in these attacks.It's not just this crazy idea. It's something that's happening now, and with the progress that attackers are making, criminal groups are making, this is going to happen pretty soon.Corey: Sometimes when I'm out for a meal with someone who works with AWS in the security org, there'll be an appetizer where, “Oh, there's two of you. I'm going to bring three of them,” because I guess waitstaff love to watch people fight like that. And whenever I want the third one, all I have to do is say, “Can you imagine a day in which, just imagine hypothetically, IAM failed open and allowed every request to go through regardless of everything else?” Suddenly, they look sick, lose their appetite, and I get the third one. But it's at least reassuring to know that even the idea of that is that disgusting to them, and it's not the, “Oh, that happened three weeks ago, but don't tell anyone.” Like, there's none of that going on.I do believe that the people working on these systems at the cloud providers are doing amazingly good work. I believe they are doing far better than I would be able to do in trying to manage all those things myself, by a landslide. But nothing is ever perfect. And it makes me wonder that if and when there are vulnerabilities, as we've already seen—clearly—with Azure, how forthcoming and transparent would they really be? And that's the thing that keeps me up at night.Ell: I keep going back during this talk, but just the interaction with the people there and the crowd was just so eye-opening. And I don't want to be that person, but I keep getting to these moments of, “I told you so.” And I'm not going to go into SolarWinds. Lord, that has been covered, but shortly after that, we saw the same group going through and trying to—I'm not sure if they successfully did it, but they were targeting networks for cloud computing providers. How many companies focused outside of that compromise at that moment to see what it was going to build out to?Corey: That's the terrifying thing is if you can compromise a cloud service provider at this point, it's well, you could sell that exploit on the dark web to someone. Yeah, that is a—if you can get a remote code execution be able to look into any random Cloud account, there's almost no amount of money that is enough for something like that. You could think of the insider trading potential of just compromising Slack. A single company, but everyone talks about everything there, and Slack retains data in perpetuity. Think at the sheer M&A discussions you could come up with? Think of what you could figure out with a sort of a God's eye view of something like that, and then realize that they run on AWS, as do an awful lot of other companies. The damage would be incalculable.Ell: I am not an attacker, nor do I play one on TV, but let's just, kind of, build this out. If I was to compromise a cloud provider, the first thing I would do is lay low. I don't want them to know that I'm there. The next thing I would do is start getting into company environments and scanning them. That way I can see where the vulnerabilities are, I can compromise them that way, and not give out the fact that I came in through that cloud provider. Look, I'm just me sitting here. I'm not a nation state. I'm not somebody who is paid to do this from nine to five, I can only imagine what they would come up with.Corey: It really feels like this is no longer a concern just for those folks who manage have gotten on the bad side of some country's secret service. It seems like APTs, Advanced Persistent Threats, are now theoretically something almost anyone has to worry about.Ell: Let me just set the record straight right now on what I think we need to move away from: The whole APTs are nation states. Not anymore. And APT is anyone who has advanced tactics, anyone who's going to be persistent—because you know what, it's not that they're targeting you, it's that they know that they eventually can get in. And of course, they're a threat to you. When I was researching my work into Advanced Persistent Threats, we had a group named TNT that said, “Okay, you know what? We're done.”So, I contacted them and I said, “Here's what I'm presenting on you. Would you mind reviewing it and tell me if I'm right?” They came back and said, “You know what? We're not in APT because we target open Docker API ports. That's how easy it is.” So, these big attack groups are not even having to rely on advanced methods anymore. The line onto what that is just completely blurring.Corey: That's the scariest part to me is we take a look at this across the board. And the things I have to worry about are no longer things that are solely within my arena of control. They used to be, back when it was in my data center, but now increasingly, I have to extend trust to a whole bunch of different places. Because we're not building anything ourselves. We have all kinds of third-party dependencies, and we have to trust that they're doing the right things as they go, too, and making sure that they're bound so that the monitoring agent that I'm using can't compromise my entire environment. It's really a good time to be professionally paranoid.Ell: And who is actually responsible for all this? Did you know that 70% of the vulnerabilities on our systems right now are on the application level? Yet security teams have to protect it? That doesn't make sense to me at all. And yet, developers can pull in any third-party repository that they need in order to make that application work because hey, we're on a deadline. That function needs to come out.Corey: Ell, I want to thank you for taking the time to speak with me. If people want to learn more about how you see the world and what kind of security research you're advocating for, where can they find you?Ell: I live on Twitter to the point where I'm almost embarrassed to say, but you can find me at @Ell_o_Punk.Corey: Excellent. And we will wind up putting a link to that in the [show notes 00:35:37], as we always do. Thanks so much again for your time. I appreciate it.Ell: Always. I'd be happy to come again. [laugh].Corey: Ell Marquez, security research advocate at Intezer. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment that ends in a link that begs me to click it that somehow it looks simultaneously suspicious and frightening.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Katrina Biscay, CISO at University of Cincinnati, and Michael Coates, CEO and Co-Founder of Altitude Networks, discuss the unique security challenges of higher education, build security programs and staffing for the multitude of security responsibilities at a university, and universities can approach cloud and data security.

One of the most common questions that we get asked on CISO Tradecraft is what do I need to learn to be a good CISO?  After a lot of reflection, CISO Tradecraft has put together a Top 10 List of CISO knowledge domains that we believe are the core skills which produce really good CISOs.  This episode will go over just the first 5 knowledge areas with the remaining five on a future episode. Product Security focuses on ensuring developers write secure code Defensive Technologies focuses on creating multiple layers of defenses in an organization to protect against a multitude of attacks Detection & Response Capabilities is about creating mechanisms to identify how attackers might circumvent your organization's defensive technologies Laws, Regulations, & Oversight is about ensuring compliance with appropriate laws and regulations Enabling Technologies is about enabling businesses to create digital transformation https://github.com/cisotradecraft/podcast

Cybercrime Magazine CISO Minute host Theresa Payton, Former White House CIO, explains why cybersecurity enhances the user story for businesses and more. The CISO Minute is sponsored by https://www.knowbe4.com/ • For more on cybersecurity, visit us at https://cybersecurityventures.com/

On this episode of Life of a CISO, Dr. Eric Cole poses the question, “Is being a CISO your identity?” To have the mindset that you are a world-class CISO, you must see yourself as a world-class CISO. You have to view everything you do through the lens of a CISO if you want to make decisions that will lead you to succeed as one. Join Dr. Cole to learn about what that perspective change looks like for your life and career.

In this week's episode of CISO's Secrets, Head of Executive Briefing Center  Jeremy Kaye hosts Kirsten Davies, former SVP & Chief Information Security Officer at The Estée Lauder Companies Inc Business enabling and risk management focused, Davies has a unique and globally-experienced approach to Information Security, Data Privacy, IT, and Digital Transformation. Her hallmarks include transformative vision casting and strategy setting, operational and organizational excellence, and a risk-based approach to enterprise enablement. Having lived and worked on four continents, she is recognized as a thought leader in the transformation process, including refining enterprise-wide ways of working, re-envisioning and establishing organizational cadence and culture, designing and delivering dynamic talent development paths, and innovating and optimizing security processes and risk-mitigating controls. Davies has an established track record of guiding global teams, effectively working across a broad array of industries including manufacturing, finance, energy, telecoms, and media & entertainment.Business enabling and risk management focused, Davies has a unique and globally-experienced approach to Information Security, Data Privacy, IT, and Digital Transformation. Her hallmarks include transformative vision casting and strategy setting, operational and organizational excellence, and a risk-based approach to enterprise enablement. Having lived and worked on four continents, she is recognized as a thought leader in the transformation process, including refining enterprise-wide ways of working, re-envisioning and establishing organizational cadence and culture, designing and delivering dynamic talent development paths, and innovating and optimizing security processes and risk-mitigating controls. Davies has an established track record of guiding global teams, effectively working across a broad array of industries including manufacturing, finance, energy, telecoms, and media & entertainment.Red Education Training & Certifications Global Specialist IT Training Company with Award-winning experienced Instructors.Layer 8 Authorized Check Point training Layer 8 Training is a leading provider of Authorized Check Point training in North America. Get thCheck Point CISO Academy CISO Academy is a Global Education program tailored to C-Level Executives or those building up to it

In many organizations, the CISO will be looked at as the leading expert in incident response, but often has little involvement in the selection, planning, and training for the Enterprise Incident Management Program. Listen to Dawn-Marie, who has navigated organizations as a CISO during crisis and consultant to “play like you practice.”   To view the article from the CISO COMPASS Book that sparked this interview, please visit: https://securityweekly.com/wp-content/uploads/2021/10/CISOSTORIES_Dawn-Marie_Hutchinson_Article.pdf   Hutchinson, D. 2019. Server Room to War Room…Enterprise Incident Response. In CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, 1st Ed, pg 214-5. Fitzgerald, T. CRC Press, Boca Raton, Fl. www.amazon.com/author/toddfitzgerald   Show Notes: https://securityweekly.com/csp50 This segment is sponsored by Cybereason. Visit https://www.cybereason.com/cisostories to learn more about them!   Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: https://www.twitter.com/cyberleaders Follow us on LinkedIn: https://www.linkedin.com/company/cybersecuritycollaborative/

About DanDan is CISO and VP of Cybersecurity for Shipt, a Target subsidiary. He worked previously as a Distinguished Engineer on Target's cloud infrastructure. He served as CTO for Joe Biden's 2020 Presidential campaign. Prior to that Dan worked with the Hillary for America tech team through the Groundwork, and contributed as a founding developer on Spinnaker while at Netflix. Dan is an O'Reilly published author and avid public speaker.  Links: Shipt: https://www.shipt.com/ Twitter: https://twitter.com/danveloper LinkedIn: https://www.linkedin.com/in/danveloper TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: It seems like there is a new security breach every day. Are you confident that an old SSH key, or a shared admin account, isn't going to come back and bite you? If not, check out Teleport. Teleport is the easiest, most secure way to access all of your infrastructure. The open source Teleport Access Plane consolidates everything you need for secure access to your Linux and Windows servers—and I assure you there is no third option there. Kubernetes clusters, databases, and internal applications like AWS Management Console, Yankins, GitLab, Grafana, Jupyter Notebooks, and more. Teleport's unique approach is not only more secure, it also improves developer productivity. To learn more visit: goteleport.com. And not, that is not me telling you to go away, it is: goteleport.com.Corey: Writing ad copy to fit into a 30 second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days or weeks. Visit Qtorque.io today and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. Sometimes I talk to people who are involved in working on the nonprofit slash political side of the world. Other times I talk to folks who are deep in the throes of commercial businesses, and I obviously personally spend more of my time on one of those sides of the world than I do the other. But today's guest is a little bit different, Dan Woods is the CISO and VP of Cybersecurity at Shipt, a division of Target where he's worked for a fair number of years, but took some time off for his side project, the side hustle as the kids call it, as the CTO for the Biden campaign. Dan, thank you for joining me.Dan: Yeah. Thank you, Corey. Happy to be here.Corey: So, you have an interesting track record as far as your career goes, you've been at Target for a long time. You were a distinguished engineer—not to be confused with ‘extinguished engineer,' which is just someone who is finally—the fire has gone out. And from there you went from being a distinguished engineer to a VP slash CISO, which generally looks a lot less engineer-like, and a lot more, at least in my experience, of sitting in a whole lot of executive-level meetings, managing teams, et cetera. Was that, in fact, an individual contributor—or IC—move into a management track, or am I just misunderstanding this because these are commonly overloaded terms in our industry?Dan: Yeah, yeah, no, that's exactly right. So, IC to leadership, two distinct tracks, distinct career paths. It was something that I've spent a number of years thinking about and more or less working toward and making sure that it was the right path for me to go. The interesting thing about the break that I took in the middle of Target when I was CTO for the campaign is that that was a leadership role, right. I led the team. I managed the team.I did performance reviews and all of that kind of managerial stuff, but I also sat down and did a lot of tech. So, it was kind of like a mix of being a senior executive, but also still continuing to be a distinguished engineer. So, then the natural path out of that for me was to make a decision about do I continue to be an individual contributor or do I go into a leadership track? And I felt like for a number of reasons that my interests more aligned with being on the leadership side of the world, and so that's how I've ended up where I am.Corey: And correct me if I'm wrong because generally speaking political campaigns are not usually my target customers given the fact that they're turning the entire AWS environment off in a few months—win or lose—and yeah, that is, in fact, remains the best way to save money on your AWS bill; it's hard for me to beat that. But at that point most of the people you're working with are in large part volunteers I would imagine.So, managing in a traditional sense of, “Well, we're going to have your next quarterly review.” Well, your candidate might not be in the race then, and what we're going to put you on a PIP, and what exactly you're going to stop letting me volunteer here? You're going to dock them pay—you're not paying me for this. It becomes an interesting management challenge I would imagine just because the people you're working with are passionate and volunteering, and a lot of traditional management and career advice doesn't necessarily map one-to-one I would have to assume.Dan: That is the best way that I've heard it described yet. I try to explain this to folks sometimes and it's kind of difficult to get that message across that like there is sort of a base level organization that exists, right. There were full-time employees who were a part of the tech team, really great group of folks especially from very early on willing to join the campaign and be a part of what it was that we were doing.And then there was this whole ecosystem of folks who just wanted to volunteer, folks who wanted to be a part of it but didn't want to leave their 9:00 to 5:00 who wanted to come in. One of the most difficult things about—we rely on volunteers very heavily in the political space, and very grateful for all the folks who step up and volunteer with organizations that they feel passionate about. In fact, one of the best little tidbits of wisdom the President imparted to me at one point, we were having dinner at his house very early on in the campaign, and he said, “The greatest gift that you can give somebody is your time.” And I think that's so incredibly true. So, the folks who volunteer, it's really important, really grateful that they're all there.In particular, how it becomes difficult, is that you need somebody to manage the volunteers, right, who are there. You need somebody to come up with work and check in that work is getting done because while it's great that folks want to volunteer five, ten hours a week, or whatever it is that they can put in, we also have very real things that need to get done, and they need to get done in a timely manner.So, we had a lot of difficulty especially early on in the campaign utilizing the volunteers to the extent that we could because we were such a small and scrappy team and because everybody who was working on the campaign at the time had a lot of responsibilities that they needed to see through on their own. And so getting into this, it's quite literally a full-time job having to sit down and follow up with volunteers and make sure that they have the appropriate amount of work and make sure that we've set up our environment appropriately so that volunteers can come and go and all of that kind of stuff, so yeah.Corey: It's always an interesting joy looking at the swath of architectural decisions and how they came to be. I talked on a previous episode with Jackie Singh, who was, I believe, after your tenure as CISO, she was involved on the InfoSec side of things, and she was curious as to your thought process or rationale with a lot of the initial architectural decisions that she talked about on her episode which I'm sure she didn't intend it this way, but I am going to blatantly miscategorize as, “Justify yourself. What were you thinking?” Usually it takes years for that kind of, “I don't understand what's going on here so I'm playing data center archeologist or cloud spelunker.” This was a very short window. How did decisions get made architecturally as far as what you're going to run things on? It's been disclosed that you were on AWS, for example. Was that a hard decision?Dan: No, not at all. Not at all. We started out the campaign—I in particular I was one of the first employees hired onto the campaign and the idea all along was that we're not going to be clever, right? We're basically just going to develop what needs to be developed. And the idea with that was that a lot of the code that we were going to sit down and write or a lot of the infrastructure that we were going to build was going to be glue, it not AWS Glue, right, ideally, but just glue that would bind data streams together, right?So, data movement, vendor A produces a CSV file for you and it needs to end up in a bucket somewhere. So, somebody needs to write the code to make that happen, or you need to find a sufficient vendor who can make that happen. There's a lot more vendors today believe it or not than there were two years ago that are doing much better in that kind of space, but two years ago we had the constraints of time and money.Our idea was that the code that we were going to write was going to be for those purposes. What it actually turned into is that in other areas of the business—and I will call it a business because we had formalized roadmaps and different departments working on different things—but in other areas of the business where we didn't have enough money to purchase a solution, we had the ability to go and write software.The interesting thing about this group of technologists who came together especially early on in the campaign to build out the tech team most of them came from an enterprise software development background, right? So, we had the know-how of how to build things at scale and how to do continuous delivery and continuous deployment, and how to operate a cloud-native environment, and how to build applications for that world.So, we ended up doing things like writing an API for managing our donor vetting pipeline, right? And that turned into a complex system of Lambda functions and continuous delivery for a variety of different services that facilitated that pipeline. We also built an architecture for our mobile app which there were plenty of companies that wanted to sell us a mobile app and we just couldn't afford it so we ended up writing the mobile app ourselves.So, after some point in time, what we said was we actually have a fairly robust and complex software infrastructure. We have a number of microservices that are doing various things to facilitate the operation of the business, and something that we need to do is we need to spend a little bit of time and make sure that we're building this in a cohesive way, right? And what part of that means was that, for example, we had to take a step back and say, “Okay, we need to have a unified identity service.” We can't have a different identity—or we can't have every single individual service creating its own identity. We need to have—Corey: I really wish you could pass that lesson out on some of the AWS service teams.Dan: [laugh]. Yes, I know. I know. Yeah. So, we went through—Corey: So, there were some questionable choices you made in there, like you started that with the beginning of, “Well, we had no time which is fine and no budget. So, we chose AWS.” It's like, “Oh, that looks like the exact opposite direction of a great decision, given, you know, my view on it.” Stepping past that entirely, you are also dealing with challenges that I don't think map very well to things that exist in the corporate world. For example, you said you had to build a donor vetting pipeline.It's in the corporate world I didn't have it. It's one of those, “Why in the world would I get in the way of people trying to give me money?” And the obvious answer in your case is, federal law, and it turns out that the best outcome generally does not involve serving prison time. So, you have to address these things in ways that don't necessarily have a one-to-one analog in other spaces.Dan: That's true. That's true. Yes, correct to the federal law thing. Our more pressing reason to do this kind of thing was that we made a commitment very early on in the campaign that we wouldn't take money from executives of the gas and oil industry, for example. There were another bunch of other commitments that were made, but it was inconceivable for us to have enough people that could possibly go manually through those filings. So, for us to be able to build an automated system for doing that meant that we were literally saving thousands of human hours and still getting a beneficial result out of it.Corey: And everything you do is subject to intense scrutiny by folks who are willing to make hay out of anything. If it had leaked at the time, I would have absolutely done some ridiculous nonsense thing about, “Ah, clearly looking at this AWS bill. Joe Biden's supports managed NAT gateway data processing pricing.” And it's absolutely not, but that doesn't stop people from making hay about this because headlines are going to be headlines.And do you have to also deal with the interesting aspect—industrial espionage is always kind of a thing, but by and large most companies don't have to worry that effectively half of the population is diametrically opposed to the thing it is that they're trying to do to the point where they might very well try to get insiders there to start leaking things out. Everything you do has to be built with optics in mind, working under tight constraints, and it seems like an almost insurmountable challenge except for the fact where you actually pulled it off.Dan: Yeah. Yeah. Yeah. We kept saying that the tech was not the story, right, and we wanted to do everything within our power to keep the conversation on the candidate and not on emails or AWS bills or any of that kind of stuff. And so we were very intentional about a lot of the decisions that we ended up making with the idea that if the optics are bad, we pull away from the primary mission of what it is that we're trying to do.Corey: So, what was it that qualified you to be the CTO of a—at the time very fledgling and uncertain campaign, given that you were coming from a role where you were a distinguished engineer, which is not nothing, let's be clear, but it's an executive-level of role rather than a hands-on level of role as CTO. And then if we go back in time, you were one of the founding developers of Spinnaker over at Netflix.And I have a lot of thoughts about Netflix technology and a lot of thoughts about Spinnaker as well, and none of those thoughts are, “This seems like a reasonable architecture I should roll out for a presidential campaign.” So, please, don't take this as the insult that probably sounds like, but why were you the CTO that got tapped?Dan: Great question. And I think in some ways, right place, right time. But in other ways probably needs to speak a little bit to the journey of how I've gotten anywhere in my career. So, going back to Netflix, yeah, so I worked in Netflix. I had the opportunity to work with a lot of incredibly bright and talented folks there. One of the people in particular who I met there and became friends with was Corey Bertram who worked on the core SRE team.Corey left Netflix to go off and at the time he was just like, “I'm going to go do a political startup.” The interesting thing about Netflix at the time—this was 2013, so, this was just after the Obama for America '12 campaign. And a bunch of folks from OFA world came and worked at Netflix and a variety of other organizations in the Bay Area. Corey was not one of those people but we were very well-connected with folks in that world, and Corey said he was going off to do a political startup, and so after my non-mutual departure from Netflix, I was talking to Corey and he said, “Hey, why don't you come over and help us figure out how to do continuous delivery over on the political startup.” That political startup turned into the groundwork which turned into essentially the tech platform for the Hillary for America campaign.So, I had the opportunity working for the groundwork to work very closely with the folks in the technology organization at HFA. And that got me more exposure to what that world is and more connections into that space. And the groundwork was run by Corey, but was the CEO or head—I don't even know what he called himself, was Michael Slaby, who was President Obama's CTO in 2008 and had a bigger technical role in the 2012 campaign.And so, for his involvement in HFA '16 meant that he was a person who was very well connected for the 2020 campaign. And when we were out at a political conference in late 2018 and he said, “Hey, I think that Vice President Biden is going to run. Do you have any interest in talking with his team?” And I said, “Yes, absolutely. Please introduce me.”And I had a couple of conversations with Greg Schultz who was the campaign manager and we just hit it off. And it was a really great fit. Greg was an excellent leader. He was a real visionary, exactly the person that President Biden needed. And he brought me in to set up the tech operation and get everything to where we ultimately won the primary and won the election after that.Corey: And then, as all things do, it ended and the question then becomes, “Great, what's next?” And the answer for you was apparently, “Okay, I'm going to go back to Target-ish.” Although now you're the CISO of a Target subsidiary, Shipt and Target's relationship is—again, I imagine I have that correct as far as you are in fact a subsidiary of Target, so it wasn't exactly a new company, but rather a transition into the previous organization you were in a different role.Dan: Yeah, correct. Yeah, it's a different department inside of Target, but my paycheck still come from Target. [laugh].Corey: So, what was it that inspired you to go into the CISO role? Because obviously security is everyone's job, which is what everyone says, which is why we get away with treating it like it's nobody's job because shared responsibilities tend to work out that way.Dan: Yeah.Corey: And you've done an awful lot of stuff that was not historically deeply security-centric although there's always an element passing through it. Now, going into a CISO role as someone without a deep InfoSec background that I'm aware of, what drove that? How did that work?Dan: You know, I think the most correct answer is that security has always been in my blood. I think like most people who started out—Corey: There are medications for that now.Dan: Yeah, [laugh] good. I might need them. [laugh]. I think like most folks who are kind of my era who started seriously getting into software development and computer system administration in the late ‘90s, early thousands, cybersecurity it wasn't called cybersecurity at the time. It wasn't even called InfoSec, right, it was just called, I don't know, dabbling or something. But that was a gateway for getting into Linux system administration, network engineering, so forth and so on.And for a short period of time I became—when I was getting my RHCE certification way back in the day, I became pretty entrenched in network security and that was a really big focus area that I spent a lot of time on and I got whatever the supplemental network security certification from Red Hat was at the time. And then I realized pretty quickly that the world isn't going to need box operators for very long, and this was just before the DevOps revolution had really come around and more and more things were automated.So, we were still doing hand deployments. I was still dropping WAR files onto a file system and restarting Apache. That was our deployment process. And I saw the writing on the wall and I said, “If I don't dedicate myself to becoming first and foremost a software engineer, then I'm not going to have a very good time in technology here.” So, I jumped out of that and I got into software development, and so that's where my software engineering career evolved out of.So, when I was CTO for the campaign, I like to tell people that I was a hundred percent of CTO, I was a hundred percent a CIO, and I was a hundred percent of CISO for the first 514 days of the campaign or whatever it was. So, I was 300 percent doing all of the top-level technology jobs for the campaign, but cybersecurity was without a doubt the one that we would drop everything for every single time.And that was by necessity; we were constantly under attack on the campaign. And a lot of my headspace during that period of time was dedicated to how do we make sure that we're doing things in the most secure way? So, when I left—when I came back into Target and I came back in as a distinguished engineer there were some areas that they were hoping that I could contribute positively and help move a couple of things along.The idea always the whole time was going to be for me to jump into a leadership position. And I got a call one day from Rich Agostino who's the CISO for Target and he said, “Hey, Shipt needs a cybersecurity operation built out and you're looking for a leadership role. Would you be interested in doing this?” And believe it or not, I had missed the world of cybersecurity so much that when the opportunity came up I said, “Yes, absolutely. I'll dive in head first.” And so that was the path for getting there.Corey: This episode is sponsored by our friends at Oracle HeatWave is a new high-performance accelerator for the Oracle MySQL Database Service. Although I insist on calling it “my squirrel.” While MySQL has long been the worlds most popular open source database, shifting from transacting to analytics required way too much overhead and, ya know, work. With HeatWave you can run your OLTP and OLAP, don't ask me to ever say those acronyms again, workloads directly from your MySQL database and eliminate the time consuming data movement and integration work, while also performing 1100X faster than Amazon Aurora, and 2.5X faster than Amazon Redshift, at a third of the cost. My thanks again to Oracle Cloud for sponsoring this ridiculous nonsense.Corey: My take to cybersecurity space is, a little, I think, different than most people's journeys through it. The reason I started a Thursday edition of the Last Week in AWS newsletter is the security happenings in the AWS ecosystem for folks who don't have the word security in their job titles because I used to dabble in that space a fair bit. The problem I found is that is as you move up the ladder to executives that our directors, VPs, and CISOs, the language changes significantly.And it almost becomes a dialect of corporate-speak that I find borderline impenetrable, versus the real world terminology we're talking about when, “Okay, let's make sure that we rotate credentials on a reasonable expected basis where it makes sense,” et cetera et cetera. It almost becomes much more of a box-checking compliance exercise slash layering on as much as you possibly can that for plausible deniability for the inevitable breach that one day hits and instead of actually driving towards better outcomes.And I understand that's a cynical, strange perspective, but I started talking to people about this, and I'm very far from alone in that, which is why people are subscribing to that newsletter and that's the corner of the market I wanted to start speaking to. So, given that you've been an engineer practitioner trying to build things and now a security executive as well, is my assessment of the further higher up you go the entire messaging and purpose change, or is that just someone who's been in the trenches for too long and hasn't been on that side of the world, and I have a certain lack of perspective that would make this all very clear. Which I freely accept, if that's the case.Dan: No, I think that you're right for a lot of organizations. I think that that's a hundred percent true, and it is exactly as you described: a box-checking exercise for a lot of organizations. Something that's important to remember about Target is—Target was the subject of a data breach in 2012, and that was before there were data breaches every single day, right.Now, we look at a data breach and we say that's just going to happen, right, that's the cost of doing business. But back in 2012 it was really a very big story and it was a very big deal, and there was quite a bit of activity in the Target technology world after that breach. So, it reshaped the culture quite literally, new executives were brought in, but there's this whole world of folks inside of Target who have never forgotten that, right, and work day-in and day-out to make sure that we don't have another breach.So, security at Target is a main centrally thought about kind of thing. So, it's very much something that is a part of the way that people operate inside of Target. So, coming over to Shipt, obviously, Shipt is—it is a subsidiary. It is a part of Target, but it doesn't have that long history and hasn't had that same kind of experience. The biggest thing that we really needed at Shipt is first and foremost to get the program established, right. So, I'm three or four months onto the job now and we've tripled the team size. I've been—Corey: And you've stayed out of the headlines, which is basically the biggest and most accurate breach indicator I've found so far.Dan: So far so good. Well, but the thing that we want to do though is to be able to bring that same kind of focus of importance that Target has on cybersecurity into the world of engineering at Shipt. And it's not just a compliance game, and it's not just a thing where we're just trying to say that we have it. We're actually trying to make sure that as we go forward we've got all these best practices from an organization that's been through the bad stuff that we can adopt into our day-to-day and kind of get it done.When we talk about it at an executive level, obviously we're not talking about the penetration tests done by the red team the earlier day, right. We're not calling any of that stuff out in particular. But we do try to summarize it in a way that makes it clear that the thing that we're trying to do is build a security-minded culture and not just check some boxes and make sure that we have the appropriate titles in the appropriate places so that our insurance rates go down, right. We're actually trying to keep people safe.Corey: There's a lot to be said for that. With the Target breach back in—I want to say 2012, was it?Dan: 2012. Yep.Corey: Again, it was a wake-up call and the argument that I've always seen is that everyone is vulnerable—just depends on how much work it's going to take to get there. And for, credit where due, there was a complete rotation in the executive levels which whether that's fair or not, I—people have different opinions on it; my belief has always been you own the responsibility, regardless of who's doing the work.And there's no one as fanatical as a convert, on some level, and you've clearly been doing a lot of things in the right direction. The thing that always surprises me is that when I wind up seeing these surveys in the industry that—what is it? 65% of companies say that they would be vulnerable to a breach, and everybody said, “Oh, we should definitely look at those companies.” My argument is, “Hang on a sec. I want to talk to the 35% who say, ‘oh, we're impenetrable.'” because, spoiler, you are not.No one is. Just the question of how heavy is the lift and how much work is it going to take to get there? I do know that mouthing off in public about how perfect the security of anything is, is the best way to more or less climb to the top of a mountain during a thunderstorm, a hold up a giant metal rod, and curse the name of God. It doesn't lead to positive outcomes, basically ever. In turn, this also leads to companies not talking about security openly.I find that in many cases it is easier for me to get people to talk about their AWS bills than their InfoSec posture. And I do believe, incidentally, those two things are not entirely unrelated, but how do you view it? It was surprisingly easy to get Shipt's CISO to have a conversation with me here on this podcast. It is significantly more challenging in most other companies.Dan: Well, in fairness, you've been asking me for about two-and-a-half years pretty regularly [laugh] to come.Corey: And I always say I will stop bothering you if you want. You said, “No, no. Ask me again in a few months. Ask me again, after the election. Ask me again after—I don't know, like, the one-day delivery thing gets sorted out.” Whatever it happens to be. And that's fine. I follow up religiously, and eventually I can wear people down by being polite yet persistent.Dan: So, persistence on you is actually to credit here. No, I think to your question though, I think that there's a good balance. There's a good balance in being open about what it is that you're trying to do versus over-sharing areas that maybe you're less proficient in, right. So, it wouldn't make a lot of sense for me to come on here and tell you the areas that we need to develop into security. But on the other side of things, I am very happy to come in and talk to you about how our incident response plan is evolving, right, and what our plan looks like for doing all of that kind of stuff.Some of the best security practitioners who I've worked with in the world will tell you that you're not going to prevent a breach from a motivated attacker, and your job as CISO is to make sure that your response is appropriate, right, more so than anything. So, our incident response areas where today we're dedicating quite a bit of effort to build up our proficiency, and that's a very important aspect of the cybersecurity program that we're trying to build here.Corey: And unlike the early days of a campaign, you still have to be ultra-conscious about security, but now you have the luxury of actually being able to hire security staff because it turns out that, “Please come volunteer here,” is not presumably Shipt's hiring pitch.Dan: That's correct. Yeah, exactly. We have a lot of buy-in from the rest of leadership to build out this program. Shipt's history with cybersecurity is one where there were a couple of folks who did a remarkably good job for just being two or three of them for a really long period of time who ran the cybersecurity operation very much was not a part of the engineering culture at Shipt, but there still was coverage.Those folks left earlier in the year, all of them, simultaneously, unfortunately. And that's sort of how the position became open to me in the first place. But it also meant that I was quite literally starting with next to nothing, right. And from that standpoint it made it feel a lot like the early days of the campaign because I was having to build a team from scratch and having to get people motivated to come and work on this thing that had kind of an unknown future roadmap associated with it and all of that kind of stuff.But we've been very privileged to—because we have that leadership support we're able to pay market rates and actually hire qualified and capable and competent engineers and engineering leaders to help build out the aspects of this program that we need. And like I said, we've managed to—we weren't exactly at zero when I walked in the door. So, when I say we were able to quadruple the team, it doesn't mean that we just added four zeros there, [laugh] but we've got a little bit over a dozen people focusing on all areas of security for the business that we can think of. And that's just going to continue to grow. So, it's exciting; it's a challenge. But having the support of the entire organization behind something like this really, really helps a lot.Corey: I know we're running out of time for a lot of the interview, but one more question I want to ask you about is, when you're the CISO for a nationally known politician who is running for the highest office, the risk inherent to getting it wrong is massive. This is one of those mistakes will show indelibly for the rest of, well, one would argue US history, you could arguably say that there will be consequences that go that far out.On the other side of it, once you're done on the campaign you're now the CISO at Shipt. And I am not in any way insinuating that the security of your customers, and your partners, and your data across the board is important. But it does not seem to me from the outside that it has the same, “If we get this wrong there are repercussions that will extend into my grandchildren's time.” How do you find that your ability to care as deeply about this has changed, if it has?Dan: My stress levels are a lot lower I'll say that, but—Corey: You can always spot the veterans on an SRE team because—when I say veterans I mean veterans from the armed forces because, “No one's shooting at me. We can't serve ads right now. I'm really not going to run around and scream like, ‘My hair's on fire,' because this is nothing compared to what stress can look like.” And yeah there's always a worst stressor, but, on some level, it feels like it would be an asset. And again this is not to suggest you don't take security seriously. I want to be very clear on that point.Dan: Yeah, yeah, no. The important challenge of the role is building this out in a way that we have coverage over all the areas that we really need, right, and that is actually the kind of stuff that I enjoy quite a bit. I enjoy starting a program. I enjoy seeing a program come to fruition. I enjoy helping other people build their careers out, and so I have a number of folks who are at earlier at points in their career who I'm very happy that we have them on our team because I can see them grow and I can see them understand and set up what the next thing for them to do is.And so when I look at the day-to-day here, I was motivated on the campaign by that reality of like there is some quite literal life or death stuff that is going to happen here. And that's a really strong presser to make sure that you're doing all the right stuff at the right time. In this case, my motivation is different because I actually enjoy building this kind of stuff out and making sure that we're doing all the right stuff and not having the stress of, like, this could be the end of the world if we get this wrong.Means that I can spend time focusing on making sure that the program is coming together as it should, and getting joy from seeing the program come together is where a lot of that motivation is coming from today. So, it's just different, right? It's a different thing, but at the end of the day it's very rewarding and I'm enjoying it and can see this continuing on for quite some time.Corey: And I look forward to ideally getting you back in another two-and-a-half years after I began badgering you in two hours in order to come back on the show. If—Dan: [laugh].Corey: —people want to hear more about what you're up to, how you view about these things, potentially consider working with you, where can they find you?Dan: Best place although I've not been as active because it has been very busy the last couple of months, but find me on Twitter, @danveloper, find me on LinkedIn. Those—you know, I posted a couple of blog posts about the technology choices that we made on the campaign that I think folks find interesting, and periodically I'll share out my thoughts on Twitter about whatever the most current thing is, Kubernetes or AWS about to go down or something along those lines. So, yeah, that's the best way. And I tweet out all the jobs and post all the jobs that we're hiring for on LinkedIn and all of that kind of stuff. So, usual social channels. Just not Facebook.Corey: Amen to that. And I will of course include links to those things in the [show notes 00:37:29]. Thank you so much for taking the time to speak with me. I appreciate it.Dan: Thank you, Corey.Corey: Dan Woods, CISO and VP of Cybersecurity at Shipt, also formerly of the Biden campaign because wherever he goes he clearly paints a target on his back. I'm Cloud Economist, Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast please leave a five-star review on your podcast platform of choice along with an incoherent rant that is no doubt tied to either politics or the alternate form of politics: Spinnaker.Dan: [laugh].Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.   With 2021 coming to a close, Justin Smulison is once again joined by the RIMS Director of Publications and Risk Management Magazine's Editor-in-Chief, Morgan O'Rourke. Together, they discuss this year's edition of Risk Management Magazine's “Year in Risk.”   Morgan highlights key articles in the 2021 “Year in Risk” RM Magazine, discusses 2021's risk timeline, some of the unexpected positives from 2021, key points on innovation, and insight into how Morgan chose which events to feature in this year's recap.   For more information or to get your copy (available both digitally and in print), follow along at RMMagazine.com.   Key Takeaways: [:01] Do you want to reach risk professionals around the world? Here's how to sponsor RIMScast. [:24] About RIMS' Global Membership and RIMScast. [:36] About today's episode. [:44] Upcoming RIMS current virtual offerings. [1:28] About the upcoming two-day virtual event: 2022 RIMS RiskTech Forum. [2:07] More about today's episode with RIMS Publications Director Morgan O' Rourke. [2:38] Justin welcomes Morgan O'Rourke back to RIMScast! [3:16] Morgan shares about the RIMS Mobile App and what it took, behind-the-scenes, to launch it. [7:05] Where to get your hands on the latest Risk Management Magazine's “Year in Risk” 2021 edition. [8:00] Morgan discusses vaccine mandates in NYC for private companies and what risk management professionals need to take away from this information. [9:54] About the “Optimizing Politically-Exposed Persons Screening” article and why it is so critical to read. [11:59] Key points on innovation from the articles within the “Year in Risk” 2021 edition. [14:44] The timeline of creating the “Year in Risk” 2021. [16:04] Morgan shares the struggles of having to choose which events and people to highlight within the “Year in Risk.” [19:52] With businesses looking to expand their risk team(s) in order to handle the breadth of current-world calamities, is there an opportunity for risk managers more than ever before? [21:04] Morgan highlights some of the positives from the past year. [22:14] About the RIMS Mobile App, the RIMS Buyers Guide, and the RIMS 2022 RISKWORLD. [24:11] Morgan shares how he deals with isolation professionally as a Publications Director, as well as personally. [28:07] Morgan shares his excitement for the upcoming 2022 RISKWORLD event. [30:17] Justin and Morgan talk stage fright, overcoming nerves, and presenting in front of others. [34:55] As Morgan looks to 2022, what does he think the global risk management community should be thinking about? [37:21] Justin thanks Morgan O' Rourke for joining RIMScast once again and shares some of the links to look out for in this episode's show notes!   Mentioned in this Episode: RIMS Events, Education, and Services: TechRisk/RiskTech | RIMS Virtual Event Jan. 26‒27, 2022 — Register Today! RIMS 2022 RISKWORLD | April 10‒13 in San Francisco! — Register now for advance rate pricing! NEW FOR MEMBERS! RIMS Mobile App RIMS Buyers Guide Sponsored RIMScast Episodes: “Establishing the Right Assurance to Request From Business Partners” | Sponsored by HITRUST “Aon's 2021 Retail Industry Overview” | Sponsored by Aon “A Legacy of Resilience” | Sponsored by J.B. Boda Group “The Golden Era of Insurance” | Sponsored by The Hartford “Insurance Investigation Trends Happening Now” | Sponsored by Travelers “What Could a CRO Do for Your Business?” | Sponsored by Riskonnect “Hard Reality: A Look at Rising Rates in Property & Excess Casualty” | Sponsored by AXA XL “Property Valuation Deep Dive” | Sponsored by TÜV SÜD “Property Loss Control Engineering” | Sponsored by Prudent Insurance Brokers NEW RIMSCAST VIDEO: “Climate Change and Insurance: A Fireside Chat with Dev Bhutani and Deepak Madan” | Sponsored by Prudent Insurance Brokers Ltd. Webinars: Jan. 20, 2022 | “The CISO's Role in Driving Trust: Why it Matters, How to Define it, and What Success Looks Like” | Sponsored by OneTrust Feb. 2, 2022 | “Are You Prepared for the Changing Environmental Risk Landscape?” | Sponsored by Beazley Virtual Workshops: RIMS-CRMP Exam Prep (Date: January 11‒12, 2022) Start your RIMS-CRMP journey today at this interactive virtual prep workshop. You will learn about the exam domains, prepare with case studies and hands-on exercises, and tackle sample exam questions — Register here! Attend the RIMS-CRMP-FED Exam Prep Virtual Workshop presented with George Mason University, February 15‒17, 2022 — Register by Jan. 17 to save $200! Risk Appetite Management: This senior-level, virtual workshop teaches you how to navigate the complex and critical area of risk appetite management and how to develop a risk appetite framework that clarifies your company's position on risk-taking. January 18-19, 2022 — Register by Jan. 17! More About Major Risk Management Topics on RIMScast: “2020 in Review with Risk Management Magazine Editor-in-Chief, Morgan O'Rourke” “Climate Change, Business Interruption, and the 2021 Hurricane Season” “RIMS 2021 Risk Manager of the Year: Michael Harrington” Recent Risk Management Magazine coverage of Shipping and Supply Chain Risk: “Shipping Risks Strain Global Supply Chains” “Managing Supply Chain Disruption” “Managing Supply Chain Legal Risks” “Going Lo-Fi At Sea To Reduce Cyberrisk” RIMS Publications, Content, and Links: RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community! RIMS Virtual Workshops Upcoming RIMS Webinars On-Demand Webinars RIMS Advisory Services — Ask a Peer Risk Management Magazine Risk Management Monitor RIMS Coronavirus Information Center RIMS Risk Leaders Series — New interview with RIMS 2021 Risk Manager of the Year Michael Harrington! RIMS-Certified Risk Management Professional (RIMS-CRMP) RIMS-CRMP Stories — New interview featuring RIMS Treasurer Jennifer Santiago! Spencer Educational Foundation RIMS DEI Council   Want to Learn More? Keep up with the podcast on RIMS.org and listen on iTunes. Have a question or suggestion? Email: Content@rims.org.   Join the Conversation! Follow @RIMSorg on Facebook and Twitter, and LinkedIn.   Follow up with Our Guest: Morgan O'Rourke's LinkedIn   Tweetables (For Social Media Use):   “[Vaccine mandates in other areas is] one of those things that I think risk managers will do well to … pay attention to because you don't know if it's going to impact your specific operation at some point. And these days, everybody's got operations all over.” — Morgan O'Rourke   “The flip side of the coin on a lot of the bad stuff that happens is that it makes us more resilient if we handle it, react to it, and are aware of it.” — Morgan O'Rourke   “Trying to stay in communication with everyone is the best way to … head off that isolation effect. It's not going to be 100% perfect … but … trying to communicate — even if it's not your style or comfort zone —  … [is the most important thing]. ” — Morgan O'Rourke   “I think a lot of the things we need to look at when we're looking at risks are going to be not just the event, but … the broader impact of the event.” — Morgan O'Rourke  

Today's Headlines and the latest #cybernews from the desk of the #CISO: 4-Year-Old Microsoft Azure Zero-Day Exposes Web App Source Code DuckDuckGo Daily Search Queries Now Average More than 100 Million | 47% Increase in 2021 Simulated Phishing Tests Make Organizations Less Secure   Story Links: https://threatpost.com/microsoft-azure-zero-day-source-code/177270/ https://www.bleepingcomputer.com/news/technology/privacy-focused-search-engine-duckduckgo-grew-by-46-percent-in-2021/ https://www.securityweek.com/research-simulated-phishing-tests-make-organizations-less-secure   “The Microsoft Doctrine” by James Azar now on Substack https://jamesazar.substack.com/p/the-microsoft-doctrine   The Practitioner Brief is sponsored by: KnowBe4: https://info.knowbe4.com/phishing-security-test-cyberhub  **** Find James Azar Host of CyberHub Podcast, CISO Talk, Goodbye Privacy, Digital Debate, Other Side of Cyber James on Linkedin: https://www.linkedin.com/in/james-azar-a1655316/ James on Parler: @realjamesazar Telegram: CyberHub Podcast ****** Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter ****** Website: https://www.cyberhubpodcast.com Youtube: https://www.youtube.com/channel/UCPoU8iZfKFIsJ1gk0UrvGFw Facebook: https://www.facebook.com/CyberHubpodcast/ Linkedin: https://www.linkedin.com/company/cyberhubpodcast/ Twitter: https://twitter.com/cyberhubpodcast Instagram: https://www.instagram.com/cyberhubpodcast Listen here: https://linktr.ee/cyberhubpodcast   The Hub of the Infosec Community. Our mission is to provide substantive and quality content that's more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

After bad actors gain an initial foothold into an organization, they often use active directory attacks to gain administrative privileges.  On this episode of CISO Tradecraft, we discuss Active Directory.  You can learn what it is, how it works, common attacks used against it, and ways you can secure it.   References: Stealthbits Active Directory Attacks Wikipedia Active Directory Wikipedia Directory Service Wired Story on Not Petya CIS Hardened Images MS Domain Services  Mimikatz Kerberos Indeed Active Directory Job Listing

Cybercrime Magazine CISO Minute host Theresa Payton, Former White House CIO, shares some lessons learned by Greg Crabb during his time as CISO of the USPS. The CISO Minute is sponsored by https://www.knowbe4.com/ • For more on cybersecurity, visit us at https://cybersecurityventures.com/

The Chief Technology Officer of Inquest, Pedram Amini joins host George Rettas on Episode #192 of Task Force Radio to talk about the recent high profile ransomware attacks, why ransomware attacks are so successful, both from an attacker perspective and the practitioner's perspective, and he also breaks down what companies can do to harden then security postures against these types of the attacks. Amini also broke down the Trystero Project and his passion for research and development into the most recent malware tactics the bad guys are using. All this and much, much more on Episode #192 of Task Force 7 Radio.

Ben Brook's story started when he set out to find out what companies had collected his personal information - and he realized his data was nearly impossible to track, control, or reclaim.  Ben, who is now the founder and CEO of Transcend, raised 25M from Index Ventures and Accel, with participation from South Park Commons, Phil Venables (Board Member and former CISO, Goldman Sachs), and Dylan Field (CEO, Figma), just months after graduating from Harvard.  Since launching, Ben's company has successfully tapped into the swelling interest in data rights, privacy, consumer rights by helping customers such as Paetron, Indiegogo, etc., encode privacy across their tech stack. Ben had a great idea - give people the rights to their data by making it easy for companies to deliver. With GDPR, CCPA, and 40 different state-level bills in the US pending, this is a major issue for businesses and almost feels like perfect timing. Ben shares his startup story on Tech Talks Daily.  

Josh and Kurt start the show with the reading of a security themed Christmas poem. We then discuss some of the new happenings around Log4j. The basic theme is that even if we were over-investing in Log4j, it probably wouldn't have caught this. There are still a lot of things to unpack with this event, I'm sure we'll be talking about it well into the future. Log before Christmas poem 'Twas the night before Christmas, when all through the stack Not a scanner was scanning, not even a rack, The SBOMs were uploaded to the portal with care, In hopes that next year would be boring and bare The interns were nestled all snug at their beds; While visions of dashboards danced in their heads; The CISO in their 'kerchief, and I in my cap, Had just slept our laptops for a long winter's nap, When all of a sudden the pager went ack ack I sprang to my laptop with worries of attack Away to the browser I flew like a flash, Tore open the window and cleared out the cache The red of the dashboard the glow of the screen Gave a lustre of disaster my eyes rarely seen When what to my wondering eyes did we appear, But a new advisory and eight vulnerabilities to fear, Like a little old hacker all ready to play, I knew in a moment it must be Log4j More rapid than gigabit its coursers they came, And it whistled, and shouted, and called them by name: "Now, Log4Shell! now CVE! now ASF and NVD! On, CISA! on, LunaSec! on, GossiTheDog! To the top of the HackerNews! to the top of the wall! Now hack away! hack away! hack away all!" Like the bits that before the wild CDN fly by When they meet with a firewall, they mount to the sky; So up to the cloud like bastards they flew With tweets full of vulns, and Log4j too— And then, in a twinkling, I read in the slack The wailing and screaming of each analyst called back As I drew in my head, and was turning around, Down the network Log4j came with a bound. It was dressed in a hoodie, black and zipped tight, The clothes were all swag from a conference one night A bundle of vulns it had checked in its git And it looked like a pedler just being a twit The changelog—how it twinkled! its features, how merry! Its versions were like roses, its logo like a cherry! Its droll little mouth was drawn up like an at, And the beard on its chin made it look stupid and fat The stump of a diff it held tight in its teeth, And the bits, they encircled the repo like a wreath; It had a flashy readme an annoying little fad That shook when it downloaded, like a disk drive gone bad It was chubby and plump, an annoying old package, And I laughed when I saw it, in spite of the hackage A wink of its bits and a twist of its head Soon gave me to know I had everything to dread It spoke not a word, but went straight to its work, And pwnt all the servers; then turned with a jerk, And laying its patches aside of its nose, And giving a nod, up the network it rose; It sprang to its packet, to its team gave them more, And away they all fled leaving behind a back door But I heard it exclaim, ere it drove out of sight— “Merry Christmas you nerds, Log4j won tonight!”

How does building in the cloud make it easier to achieve positive security outcomes? What role does security culture play and how can the department of no become the department of yes? In this episode, Simon speaks with Paul Hawkins from the Office of the CISO at AWS, to answer these questions and share how customers can apply these principles to their own organizations. Read the blog - https://go.aws/3Epu6UL  Watch the video - https://bit.ly/3HbZE27  AWS Security Blog - https://go.aws/3Eql8XB Watch more - https://bit.ly/3FoVcg4

On today's episode, we are joined by Chris Wolski, the CISO of Port of Houston. He chats about job hunting, the aftermath of an attack and more.   Becoming a CISO A returning guest, the last time Chris was on the show, he was unemployed. From being let go to landing his current position, the process took Chris six months. He chats about what that was like and the normal CISO versus the “Rockstar” CISO. Despite his limited experience in maritime, Chris took a chance and was rewarded.   Socializing as a CISO Via events and even LinkedIn, Chris was able to expand his network. Through his connections, he was able to educate himself well enough in maritime transportation, laws and security to better understand his current job. Overall, Chris encourages you to do your homework on the industry, company and people when job searching.   The First CISO The first CISO at Port of Houston, Chris has faced unique challenges. In part, he's had to convince the port why cybersecurity is needed, and how it can impact cargo movement.   Attacks and Risks Recently, the port had an attack. Having a zero-day used against them, Chris found the experience eye-opening. Thankfully, Chris already had an action plan, as well as a risk metrics to guide him. Within 2 hours, the attack was contained and fully remediated after 10 hours.   The Aftermath of an Attack Although doubted initially, Chris found himself trusted, despite it being done after an incident. He documented everything and encourages other CISOs to do the same. As a result of his work, he was elevated within the organization and the maritime community. There was no doubt of Chris's ability and purpose within the organization. Within two hours, the port saw its ROI. After the incident, they shared what had happened in the hopes of opening up communication. By sharing, Chris can help others avoid what happened to Port Houston.   Getting Help    Due to the severity of the attack, Chris explains why the Coast Guard, FBI and other entities had to offer assistance. While it may be hard to juggle all those organizations, they have access to resources that Chris couldn't have had otherwise. Again, it came down to reaching out to connections.   Indifferent Insiders     Do you need to have a major incident in order for an entire organization to believe in the role of a CISO? Chris explains how equating cybersecurity to something others already know can help convince them of its importance so they can better understand. With Port Houston, Chris compared cybersecurity to physical security to put everyone at ease. Nowadays, cybersecurity impacts everyone. Any machinery, manufacturing and more has computer chips in their parts, which makes them susceptible to an attack. It's important to convey the severity of cybersecurity to others.   The New CISO To Chris, being a new CISO means doing your homework on your industry, company, and the people around you. Be willing to learn and you'll find success.   Links: Chris Wolski - LinkedIn Maritime Security Talk - YouTube Channel Exabeam Podcasts  

Join Dr. Eric Cole to learn about why you already have all of the skills necessary to become a World Class CISO but don't realize it yet. He gives a run down of all the things that make up a CISO and why the barrier for entry is a lot lower then most people have built up in their mind. This week's episode of Life of a CISO will help you find the confidence to take your next steps towards becoming a CISO today.

Author of "Why CISOs Fail" is joining us today to tell us about the success of his first book as well as introduce us to his forthcoming book, "Security Hippie. Barak is best known for pioneering the concept of the virtual (or fractional) CISO model nearly two decades ago. Over the twenty years since then he has applied that model and strategy to building, managing and counseling security departments across countless and diverse organizations, including MuleSoft, Amplitude Analytics, Livenation/Ticketmaster, StubHub, Barnes and Noble, bebe Stores and many others. The goal of his new book is to convey security concepts in the form of telling stories, so we hope to hear a few examples from him during the course of the interview.   To leave a heartfelt message for Hannah (Jeff's granddaughter): https://www.caringbridge.org/visit/hannahman   Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw99

Author of "Why CISOs Fail" is joining us today to tell us about the success of his first book as well as introduce us to his forthcoming book, "Security Hippie. Barak is best known for pioneering the concept of the virtual (or fractional) CISO model nearly two decades ago. Over the twenty years since then he has applied that model and strategy to building, managing and counseling security departments across countless and diverse organizations, including MuleSoft, Amplitude Analytics, Livenation/Ticketmaster, StubHub, Barnes and Noble, bebe Stores and many others. The goal of his new book is to convey security concepts in the form of telling stories, so we hope to hear a few examples from him during the course of the interview.   Show Notes: https://securityweekly.com/scw99 To leave a heartfelt message for Hannah (Jeff's granddaughter): https://www.caringbridge.org/visit/hannahman   Visit https://www.securityweekly.com/scw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Author of "Why CISOs Fail" is joining us today to tell us about the success of his first book as well as introduce us to his forthcoming book, "Security Hippie. Barak is best known for pioneering the concept of the virtual (or fractional) CISO model nearly two decades ago. Over the twenty years since then he has applied that model and strategy to building, managing and counseling security departments across countless and diverse organizations, including MuleSoft, Amplitude Analytics, Livenation/Ticketmaster, StubHub, Barnes and Noble, bebe Stores and many others. The goal of his new book is to convey security concepts in the form of telling stories, so we hope to hear a few examples from him during the course of the interview.   Show Notes: https://securityweekly.com/scw99 To leave a heartfelt message for Hannah (Jeff's granddaughter): https://www.caringbridge.org/visit/hannahman   Visit https://www.securityweekly.com/scw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Cyberheld 42 is Aart Jochem geworden. De man die 10 jaar geleden voor het Rijk de DigiNotar Crisis managede. Door adequaat optreden van hem en zijn team is Nederland een ramp bespaard gebleven. Sinds kort is hij Rijks CISO en is hij keihard bezig met het Log4J probleem.

Throughout her career, Sandy Dunn has continued to mature and refine her skills. In the early days, she describes her job as a "hostage negotiator", constantly negotiating between the business teams and the security team. But as you mature, so does your approach to security. Now, Sandy talks about simplifying "knowledge management" to make it easy to understand security and becoming a "business listener" to make the right decisions. In the leadership and communications section, The Office of the CISO: A Framework for the CISO, America's Cyber-Reckoning, How to Include Cybersecurity Training in Employee Onboarding, and more!   Show Notes: https://securityweekly.com/bsw244 Visit https://www.securityweekly.com/bsw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Throughout her career, Sandy Dunn has continued to mature and refine her skills. In the early days, she describes her job as a "hostage negotiator", constantly negotiating between the business teams and the security team. But as you mature, so does your approach to security. Now, Sandy talks about simplifying "knowledge management" to make it easy to understand security and becoming a "business listener" to make the right decisions. In the leadership and communications section, The Office of the CISO: A Framework for the CISO, America's Cyber-Reckoning, How to Include Cybersecurity Training in Employee Onboarding, and more!   Show Notes: https://securityweekly.com/bsw244 Visit https://www.securityweekly.com/bsw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Author of "Why CISOs Fail" is joining us today to tell us about the success of his first book as well as introduce us to his forthcoming book, "Security Hippie. Barak is best known for pioneering the concept of the virtual (or fractional) CISO model nearly two decades ago. Over the twenty years since then he has applied that model and strategy to building, managing and counseling security departments across countless and diverse organizations, including MuleSoft, Amplitude Analytics, Livenation/Ticketmaster, StubHub, Barnes and Noble, bebe Stores and many others. The goal of his new book is to convey security concepts in the form of telling stories, so we hope to hear a few examples from him during the course of the interview.   To leave a heartfelt message for Hannah (Jeff's granddaughter): https://www.caringbridge.org/visit/hannahman   Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw99

More criminals exploit vulnerabilities in Log4j. The Five Eyes issue a joint advisory on Log4j-related vulnerabilities, as other government organizations look into defending themselves against Log4shell. Ransomware updates. Russo-Ukrainian tensions rise, as does the likelihood of Russian cyberattacks against its neighbor. Uganda and NSO Group's troubles. CISA issues six ICS advisories. Malek Ben Salem explains synthetic voices. Our guest is Dr. David Lanc from Ionburst on embracing Data Out protection. And some advice on how to be the family help desk and CISO during the holiday season. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/244

Michael Oberlaender, CISO at LogMeIn, and Wayne Sadin, a Board IT Advisor at Via Group Partners, talk about today's biggest threats in cybersecurity, risk management responsibility, preparing for a sophisticated digital world, and much more.---------“Cybersecurity is not going away. You cannot ignore it, shortcut it, or under fund it, and the moment you do that - you pay the price later. What has changed is the sophistication on the attacker's side, and response and preparation needs to take this into account. That is why it's key to invest in threat intelligence, threat modeling, and similar subjects.” - Michael Oberlaender“We've got to be building the ability to deliver whatever services the business wants, which means breaking down the monolithic stacks and breaking down the mindset that we have to do it in house…We've got to adapt the IT department, and the company, to the idea that we set a data architecture, a security architecture, a delivery architecture, and then move to a modular IT environment where we would be the stewards of the work, and not necessarily arms and legs of all of them.”- Wayne Sadin---------Time Stamps:* (1:41) The current state of cybersecurity * (2:42) Ensuring cybersecurity improves employee experience * (6:43) Avoiding a false sense of proper security hygiene * (10:18) Risk management responsibility and third-party analysis * (16:15) Prepping technology stacks for the future of cloud-based work* (23:52) Predictions for 2022 & adapting IT to the future of remote work * (33:39) Michael and Wayne share secrets they wish more executives knew * (34:43) Advice on asking for funding for preventative security measures--------SponsorThis podcast is brought to you by Asana. Asana is a leading work management platform that empowers teams to orchestrate their work — from daily tasks to big strategic initiatives — all in one place. By enabling the world's teams to work together effortlessly, Asana helps organizations of all sizes and industries achieve their goals, faster. Learn more at Asana.com.--------LinksConnect with Michael on LinkedinConnect with Wayne on LinkedinCheck out Michael's books:GLOBAL CISO - STRATEGY, TACTICS, & LEADERSHIP: How to Succeed in InfoSec and CyberSecurityC(I)SO - And Now What?: How to Successfully Build Security by DesignLearn more about LogMeIn and LastPassLearn  more about Via Group Partners

In the leadership and communications section, The Office of the CISO: A Framework for the CISO, America's Cyber-Reckoning, How to Include Cybersecurity Training in Employee Onboarding, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw244

If your malware problem is eclipsed by your adversary problem it's time for active defense. In this episode, guest Sahir Hidayatullah, VP, Active Defense at Zscaler, covers the latest strategies for marrying zero trust with active defense and how the Zscaler Zero Trust Exchange helps make it seamless. Listeners get a brief history of the origins of honeypots and intrusion deception, and a compelling case for baking fake attack surfaces into the architecture of zero trust to help supercharge security frameworks with protection, detection, and response.

This week we speak to Mike Gruen, CISO and CTO and Dr. Daniel Glaser, a neuroscientist, about how humour can help in learning. We talk about how to build effective cybersecurity awareness programmes, how to positively harness our innate fear of being judged, and that cyber resilience is everybody's responsibility. In ‘Cartoon eyes, and other cybersecurity awareness training techniques' we discuss: Why creativity is important in STEM subjects Cybersecurity is everyone's responsibility Eye movements are very telling in terms of learning and can show your level of expertise How humour helps learning because it is context dependent, so you remember the context the information was in Insider threat – moral decisions are not made in a vacuum but in social context and values The surprise effect of cartoon eyes on decision making as most people fear being judged Reward change behaviour more effectively that punishment, in parenting and in cybersecurity awareness training About Phishy Business Fed up with the same old cybersecurity stories? Come with us on a journey that explores the lesser-known side. Whether it's social engineering, taking criminals to court or the journalists hunting down hackers — our new podcast series, Phishy Business, looks for new ways to think about cybersecurity. Mimecast's very own Brian Pinnock and Alice Jeffery are joined by guests from a range of unique security specialisms. Each episode explores tales of risk, reward and just a dash of ridiculousness to learn how we can all improve in the fight to stay safe. For more tales of risk, reward and ridiculousness, subscribe to Phishy Business on iTunes, Spotify, Anchor or wherever you get your podcasts. www.mimecast.com

You just got the news that the Cyber Organization is going to be audited.  Do you know what an audit is, how best to prepare for it, and how to respond to audit findings?  On this episode of CISO Tradecraft, we help you understand key auditing concepts such as: Audit Subject Audit Objective Vulnerability Threat Risk & Impact Audit Scope with Goals & Objectives Audit Plan Audit Response

Cybercrime Magazine CISO Minute host Theresa Payton, Former White House CIO, shares the improvements that Kaseya is implementing after their recent ransomware attack. The CISO Minute is sponsored by https://www.knowbe4.com/ • For more on cybersecurity, visit us at https://cybersecurityventures.com/

Chief Executive Officer and Founder of TAG Cyber, Ed Amoroso, shares how he learned on the job and grew his career. In his words, Ed "went from my dad having an ARPANET connection and I'm learning Pascal, to Bell Labs, to CISO, to business, to quitting, to starting something new. And now I'm riding a new exponential up and it's a hell of a ride." Hear from Ed how he sees security as a side dish that you'll progress into naturally once you've paid your dues and mastered a skill like networking, software or databases. We thank Ed for sharing his story with us.

Chief Executive Officer and Founder of TAG Cyber, Ed Amoroso, shares how he learned on the job and grew his career. In his words, Ed "went from my dad having an ARPANET connection and I'm learning Pascal, to Bell Labs, to CISO, to business, to quitting, to starting something new. And now I'm riding a new exponential up and it's a hell of a ride." Hear from Ed how he sees security as a side dish that you'll progress into naturally once you've paid your dues and mastered a skill like networking, software or databases. We thank Ed for sharing his story with us.

December 17, 2021: Welcome to one of our End of Year Shows. Bill takes us through the team's favorite Newsday moments of 2021 including empathy through technology with Anne Weiler, CISO board topics with Drex DeFord, work, life, balance with Dr. Sanaz Cordes, the future of remote work with Sue Schade, maintaining company culture with Lee Milligan, Big Tech in healthcare with Dr. Eric Quniones and much much more. Hope you enjoy! Key Points: 00:00:00 - Intro 00:08:00 - Microsoft's new portal Microsoft Viva measures productivity but can it measure empathy? 00:10:30 - Mistakes health systems make that cause clinician frustration with the EHR 00:25:30 - What does perfect interoperability look like to a physician? 00:28:00 - CIO Lee Milligan talks building culture and connecting his IT team to the mission of the organization 00:30:30 - Study shows how ransomware impacts patient care

In this episode of Life of a CISO Dr. Eric Cole focuses on one of the most important skills to have as a CISO: Communication. As a CISO, you have to speak to executives in a language that they understand. This means not getting in the weeds with technical details and explaining your suggestions in a way they can easily follow. If you communicate well, you can improve any situation. Join Dr. Cole to learn how to understand the business and what it means to you as a World Class CISO.

In this week's episode of CISO's Secret, Cyber Security Evangelist Grant Asplund hosts Sadie Creese, Professor of Cybersecurity, University of OxfordCyber Security Oxford brings together the dynamic and vibrant community of researchers and experts working on Cyber Security at the University of Oxford. The network links the wide variety of research and education activities across the University, and provides an easy point of contact for engagement.Red Education Training & Certifications Global Specialist IT Training Company with Award-winning experienced Instructors.Layer 8 Authorized Check Point training Layer 8 Training is a leading provider of Authorized Check Point training in North America. Get th

All links and images for this episode can be found on CISO Series Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Josh Yavor (@schwascore), CISO, Tessian. Thanks to our podcast sponsor, Tessian 95% of breaches are caused by human error. But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data. In this episode: What do you do for the attacks your rule sets can't catch? Would it help if we eliminated email systems as the standard b2b toolset for communications? Are there any better ways to handle spearphishing? Are you ready to add BCC - Business communications compromise to your threat list?

Ben Carr will lead us in a discussion about the origins of the role of CISO, roles/responsibilities, and what it's like to be a CISO. We'll touch on qualifications, organizational structure, its place in security and compliance, what it's like to be hero or scapegoat. All this and more!   Show Notes: https://securityweekly.com/scw98 Visit https://www.securityweekly.com/scw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Ben Carr will lead us in a discussion about the origins of the role of CISO, roles/responsibilities, and what it's like to be a CISO. We'll touch on qualifications, organizational structure, its place in security and compliance, what it's like to be hero or scapegoat. All this and more!   Show Notes: https://securityweekly.com/scw98 Visit https://www.securityweekly.com/scw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Join us as DJ Fleming, IT Director at CopyPro, an award-winning network solutions provider, and Steve Cobb, CISO at One Source, discuss critical strategies around building an architecture that makes it possible for employees to work anywhere without operational disruptions while also protecting critical company data.

Chris - There's quite a push for Zero Trust in the Federal Government, with the Cyber EO and ZT publications from CISA. What do you see as some of the biggest impediments for the Government's adoption of ZT? What are some of the biggest opportunities?Nikki - One of your recent posts you mention the difference between zero trust being a concept vs being something to act on. What do you think the right way to implement a zero-trust architecture is?Nikki - Do you have any resources for practitioners who are looking to ensure they are meeting a zero trust architecture framework?Chris - You commented recently about Compliance NOT being Security. This is something that many of us who have been in the field long enough agree with. That said, the Government's approach to cybersecurity largely revolves around Compliance. Why is that, and how do we go about changing that to a focus on real security?Chris - You recently had some comments about the CISO reporting relationship, in the Federal space, reporting to the CIO. Do you want to share any thoughts on who you think the CISO should report to and how CISO's can help influence who they report to, to support their security initiatives?Nikki You mention a need for CIO/CISO partnership - can you expand on why that's so important in an organization? How can the organization benefit from this partnership?Chris - As you know, there's a big push for DevSecOps both in Government and Industry. What can Security teams learn from their Development peers and how do we successfully facilitate the push for DevSecOps?

#MillenniumLive welcomes Todd Carroll, CISO and Vice President of Cyber Operations at CybelAngel. We take a look at assessing digital risk and how best to manage it, how ransomware continues to be a major threat to many companies and the ways CybelAngel protect clients from ransomware and supply chain attacks.

This week, we had a chat with Jason Brown, currently the IT Security Manager at The Shyft Group, formerly the CISO at Merit. We immediately talked about the mindset you have to be in moving from a Service Provider model to the public and then to the private sector in terms of security and privacy. We also chatted on his definition of zero trust. We talked about a recent breach where hackers are getting smarter and finding playbooks and reading chat rooms before they strike. Lastly, we mocked Hollywood a bit, our favorite being the NCIS episode where 2 people used 1 keyboard at the same time to try to thwart an attack. Thanks for listening! (Yes, we know this episode and the previous episode are out of order—we had to do it for the gag and didn't want to delay releasing episode 420!)