Podcasts about cisos

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

Community Member Contributor: Frank KimCISO-in-Residence at YL Ventures [@ylventures] and Fellow and Curriculum Director at the SANS Institute [@SANSInstitute]On Twitter | https://twitter.com/fykimOn LinkedIn | https://www.linkedin.com/in/frank-kim/Host: Sean MartinOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin______________________Episode DescriptionAs businesses migrate more and more applications to the cloud and continue relying on SaaS applications, CISOs are under pressure to ensure every IT environment is secure. This requires a new paradigm in formulating cloud security strategies because the technologies differ from on-premises technologies, and the security aspects vary from one cloud provider to another.In this episode, Frank Kim—a Fellow and a Curriculum Director at the SANS Institute—examines the approach CISOs must take to secure multiple cloud and SaaS environments. Kim also discusses the importance of understanding the differences between on-premises security and the cloud and why the speed of the cloud requires a new security paradigm. Kim then presents why CISOs need to give business units and software developers security options (rather than locking them into one tool) while balancing a combination of governance and technical expertise.Understanding the criticality of protecting access credentials and the needs of all stakeholders is also key to a CISO's success in safeguarding multiple cloud environments.______________________For more podcasts from Crucial Conversations with The Blue Lava Community, visit: https://www.itspmagazine.com/crucial-conversations-podcastTo access the full collection of Blue Lava Community resources, visit: https://itspm.ag/blclog22To learn more about Blue Lava, visit: https://itspm.ag/blue-lava-w2qs______________________Are you interested in sponsoring an ITSPmagazine Channel?

This week we are joined by Ron Raether, co-lead of the Privacy + Cyber team at Troutman Pepper, and explore aspects of the recent criminal conviction of Uber's former CISO and fallout from Twitter's former CISO turning whistleblower. The “culture of fear” that has developed in CISO offices nationwide has dramatically increased risk for companies that have such a culture. Ron Raether discusses how organizations can better support their CISOs and how the general counsel and outside counsel can help influence change in organizations for better governance and cyber risk management. We also explore how CISOs can gain more C-suite visibility and board access.

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

Charles Blauner, operating partner and CISO-in-residence at company-building venture group Team8, joins Ann on this week's episode of Afternoon Cyber Tea. Charles is an internationally recognized expert on cyber resiliency, information security risk management, and data privacy. He's had an incredible and prominent career in Security, including being a CISO and Information Security leader at companies like J.P. Morgan, Deutsche Bank, and Citi. Ann and Charles discuss the evolution of the CISO role, the qualities they believe all CISOs need to excel, and what the role of CISO will look like 5-10 years from now.   In This Episode You Will Learn:       A brief history and evolution of the CISO role  Qualities and skillsets all CISOs need to excel today  Advice for someone who is newly stepping into the role of CISO   Some Questions We Ask:      What were some of the critical paradigm shifts during the evolution of the CISO role?  What do you think makes a great CISO in today's digital world?  What advice do you have for CISOs making that transition to a key business partner?     Resources:     View Charles Blauner on LinkedIn  View Ann Johnson on LinkedIn       Related Microsoft Podcasts:                   Listen to: Uncovering Hidden Risks    Listen to: Security Unlocked     Listen to: Security Unlocked: CISO Series with Bret Arsenault       Discover and follow other Microsoft podcasts at microsoft.com/podcasts    Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network.    

Today, Steve speaks with Tim Carmichael, Chief Data Officer of the Chalhoub Group, a luxury retailer based in Dubai, and former Chief Data Officer of the British Army. Tim and Steve talk about what can happen when leaders empower their people to act and consider how CDOs, like CISOs, can serve as interpreters for members of the Board. They also explore strategies for hiring and keeping the best talent in a competitive market. Mentioned in this episode: ISF Analyst Insight Podcast Read the transcript of this episode Subscribe to the ISF Podcast wherever you listen to podcasts Connect with us on LinkedIn and Twitter From the Information Security Forum, the leading authority on cyber, information security, and risk management

Todd Fitzgerald, author of CISO Compass and host of CISO Stories, joins BSW to share his top leadership lessons from the first 100 episodes of CISO Stories. Todd interviews CISOs and gains insights into their challenges and how they are solving them. Don't miss this recap!   In the leadership and communications section, The Sacrificial CISO heralds a new age for cybersecurity, To Coach Leaders, Ask the Right Questions, How to Handle Criticism Gracefully: 12 Pro Tips, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw286

In this episode of Phishy Business, we find out everything you may have wanted to ask your CISO or CIO but were too afraid to ask. Two very experienced information technology leaders delve deeper into the roles they play in keeping their organizations safe while balancing the nos and yesses they deal in every day. You'll learn a lot more about that it is like to be CISO or CIO and the challenges they face in their roles. Our special guests are Magnus Carling, CISO at Swedish shipping company Stena, and Andrew Pritchett, CIO at Grant Thornton Australia, a leading accounting and consultancy firm. Magnus runs the global information security program for shipping conglomerate Stena, which is made up of a number of companies. Andrew navigates the challenges of the CIO role to balance pleasing clients while at the same time keeping client and internal resources safe. Learn more about these two leaders and their real-world daily challenges. In ‘Risk, Risk, Risk…and Beer: What Keeps the Cyber C-Suite Up at Night', we discuss: What it is like being considered the department of no by colleagues. The challenges of balancing protecting the organization with the needs of team members. The crossroads of tech and people that occur every day at every organization. How the weakest link in security can be people – and how to get that point across to those very same people. The problems IT leaders face when the board don't speak cyber. How to bring cyber risk in earlier in the board's conversations. Conducting proper risk assessment before the big decisions instead of dealing with the fallout after an attack. Keeping cyber teams together and not burning them out. The difference between responsibility and accountability for CISOs in cyber breaches. Why the need for CISOs to have battle scars from previous breaches is so valuable. Beer as a stress relief strategy. Why cybersecurity is everyone's business. About Phishy Business Fed up with the same old cybersecurity stories? Come with us on a journey that explores the lesser-known side. Whether it's social engineering, taking criminals to court or the journalists hunting down hackers — our new podcast series, Phishy Business, looks for new ways to think about cybersecurity. Mimecast's very own Brian Pinnock and Alice Jeffery are joined by guests from a range of unique security specialisms. Each episode explores tales of risk, reward and just a dash of ridiculousness to learn how we can all improve in the fight to stay safe. For more tales of risk, reward and ridiculousness, subscribe to Phishy Business on iTunes, Spotify, Anchor or wherever you get your podcasts. www.mimecast.com

Todd Fitzgerald, author of CISO Compass and host of CISO Stories, joins BSW to share his top leadership lessons from the first 100 episodes of CISO Stories. Todd interviews CISOs and gains insights into their challenges and how they are solving them. Don't miss this recap!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw286

Todd Fitzgerald, author of CISO Compass and host of CISO Stories, joins BSW to share his top leadership lessons from the first 100 episodes of CISO Stories. Todd interviews CISOs and gains insights into their challenges and how they are solving them. Don't miss this recap!   In the leadership and communications section, The Sacrificial CISO heralds a new age for cybersecurity, To Coach Leaders, Ask the Right Questions, How to Handle Criticism Gracefully: 12 Pro Tips, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/bsw286

Gartner says, “Organizations who recognize the value of a security leader but can't afford a traditional CISO should consider virtual options. “With a current total cash compensation ranging from $208K to $337K, hiring a chief information security officer (CISO) may not be in the budget for small or midsize organizations, especially those that aren't heavily regulated. Join 2 CISOS that have taken the plunge into the world of being a vCISO, as they share their experiences. This segment is sponsored by Wiz. Visit https://securityweekly.com/wiz to learn more about them! Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: https://www.twitter.com/cyberleaders Follow us on LinkedIn: https://www.linkedin.com/company/cybersecuritycollaborative/ Visit https://securityweekly.com/csp for all the latest episodes!  Show Notes: https://securityweekly.com/csp98

Are You Ready To Win Your First CISO role? Apply these techniques into your resume and interview process so both recruiters and hiring managers will offer you the job.  This show focuses on: Highlighting the Different Types of CISO Roles Showing how to progress from a Senior Director Role into a Fortune 100 CISO Resume Tricks and Tips that get you noticed by recruiters How to have a great interview with a recruiter What Hiring Managers want to see from CISOs during their interviews Please note the full show transcript can be found here Link

Cybercrime Magazine CISO Minute host Theresa Payton, Former White House CIO, goes over some of the mistakes that can hamper a CISOs ability to work effectively with the board, including trying to get too deep in the technical weeds. The CISO Minute is sponsored by https://knowbe4.com/ • For more on cybersecurity, visit us at https://cybersecurityventures.com/

In this episode of Life of a CISO, Dr. Eric Cole lists down techniques for brand new CISOs elevating in this field to look into when it comes to joining the C-level suite.

Marc Ashworth is a respected IT executive with over 30 years of experience in cyber and physical security, IT/security architecture, project management, is an author and a public speaker.  He is a board member of the St. Louis Chapter of InfraGard, Webster University Cyber Advisory board, Co-Founded the State of Cyber annual security conference, and a Lifetime member of FBI Citizens Academy, possessing security certifications in CISSP, CISM, CRISC, Security+ and other certifications.  As the Senior Vice President and Chief Information Security Officer at First Bank, Marc currently oversees First Bank's information security, fraud, physical security, and the network services departments. He is also the 2022 Cyber Defense Magazine winner of “Top 100 CISOs in the World.” [Nov 21st, 2022]    00:00 – Intro  00:49 – Intro Links:  Social-Engineer.com - http://www.social-engineer.com/  Managed Voice Phishing - https://www.social-engineer.com/services/vishing-service/  Managed Email Phishing - https://www.social-engineer.com/services/se-phishing-service/  Adversarial Simulations - https://www.social-engineer.com/services/social-engineering-penetration-test/  Social-Engineer channel on SLACK - https://social-engineering-hq.slack.com/ssb  CLUTCH - http://www.pro-rock.com/  innocentlivesfoundation.org - http://www.innocentlivesfoundation.org/  03:15 – Marc Ashworth Intro  05:17 – What was the path that led you to InfoSec?  07:41 – Cultivating good security practices  09:31 – Learning to "scale" your security  11:22 – The value of Strategic Thinking  13:40 – It's all in the presentation  15:25 – The importance of Customer Service  18:32 – The Art of Translation  21:32 – Small Wins  24:34 – Letters to a young CISO  26:20 – Don't avoid Pen Testing!  28:11 – Adopting a "Partnership" mindset  30:30 – Long line of influence  33:40 – Book Recommendations  We Are Legion (We Are Bob) – Dennis E. Taylor  Bad Blood: Secrets and Lies in a Silicon Valley Startup – John Carreyrou  The Goals Program – Zig Ziglar  The 7 Habits of Highly Effective People – Stephen Covey  36:14 – Find Marc Ashworth online  LinkedIn: www.linkedin.com/in/marcashworth/  38:36 – Wrap Up   38:56 – Outro  www.social-engineer.com  www.innocentlivesfoundation.org   

All links and images for this episode can be found on CISO Series. CISOs and other security leaders have a lot of stress. But so do other C-level employees. Why does a CISO's stress seem that much more powerful? Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority? This week's episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Aman Sirohi (@amangolf), CISO, People.ai. Thanks to our podcast sponsor, AuditBoard CrossComply is AuditBoard's award-winning security compliance solution that allows organizations to build trust and scale their security compliance program with a connected risk platform that unifies SOC 2, ISO 2700x, NIST, CMMC, PCI DSS, and more across your organization. In this episode: Why does a CISO's stress seem that much more powerful? Is it that their job is still in constant development, or is the "C" in their name just in title, but not authority? What part of the supply chain security effort is truly building trust in your supplier and having ongoing reassurances that that trust is being maintained?

About AshishAshish has over 13+yrs experience in the Cybersecurity industry with the last 7 focusing primarily helping Enterprise with managing security risk at scale in cloud first world and was the CISO of a global Cloud First Tech company in his last role. Ashish is also a keynote speaker and host of the widely poplar Cloud Security Podcast, a SANS trainer for Cloud Security & DevSecOps. Ashish currently works at Snyk as a Principal Cloud Security Advocate. He is a frequent contributor on topics related to public cloud transformation, Cloud Security, DevSecOps, Security Leadership, future Tech and the associated security challenges for practitioners and CISOs.Links Referenced: Cloud Security Podcast: https://cloudsecuritypodcast.tv/ Personal website: https://www.ashishrajan.com/ LinkedIn: https://www.linkedin.com/in/ashishrajan/ Twitter: https://twitter.com/hashishrajan Cloud Security Podcast YouTube: https://www.youtube.com/c/CloudSecurityPodcast Cloud Security Podcast LinkedIn: https://www.linkedin.com/company/cloud-security-podcast/ TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: This episode is sponsored in part by our friends at Thinkst Canary. Most folks find out way too late that they've been breached. Thinkst Canary changes this. Deploy canaries and canary tokens in minutes, and then forget about them. Attackers tip their hand by touching them, giving you one alert, when it matters. With zero administrative overhead to this and almost no false positives, Canaries are deployed and loved on all seven continents. Check out what people are saying at canary.love today. Corey: This episode is bought to you in part by our friends at Veeam. Do you care about backups? Of course you don't. Nobody cares about backups. Stop lying to yourselves! You care about restores, usually right after you didn't care enough about backups.  If you're tired of the vulnerabilities, costs and slow recoveries when using snapshots to restore your data, assuming you even have them at all living in AWS-land, there is an alternative for you. Check out Veeam, thats V-E-E-A-M for secure, zero-fuss AWS backup that won't leave you high and dry when it's time to restore. Stop taking chances with your data. Talk to Veeam. My thanks to them for sponsoring this ridiculous podcast.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted episode is brought to us once again by our friends at Snyk. Snyk does amazing things in the world of cloud security and terrible things with the English language because, despite raising a whole boatload of money, they still stubbornly refuse to buy a vowel in their name. I'm joined today by Principal Cloud Security Advocate from Snyk, Ashish Rajan. Ashish, thank you for joining me.Corey: Your history is fascinating to me because you've been around for a while on a podcast of your own, the Cloud Security Podcast. But until relatively recently, you were a CISO. As has become relatively accepted in the industry, the primary job of the CISO is to get themselves fired, and then, “Well, great. What's next?” Well, failing upward is really the way to go wherever possible, so now you are at Snyk, helping the rest of us fix our security. That's my headcanon on all of that anyway, which I'm sure bears scant, if any, resemblance to reality, what's your version?Ashish: [laugh]. Oh, well, fortunately, I wasn't fired. And I think I definitely find that it's a great way to look at the CISO job to walk towards the path where you're no longer required because then I think you've definitely done your job. I moved into the media space because we got an opportunity to go full-time. I spoke about this offline, but an incident inspired us to go full-time into the space, so that's what made me leave my CISO job and go full-time into democratizing cloud security as much as possible for anyone and everyone. So far, every day, almost now, so it's almost like I dream about cloud security as well now.Corey: Yeah, I dream of cloud security too, but my dreams are of a better world in which people didn't tell me how much they really care about security in emails that demonstrate how much they failed to care about security until it was too little too late. I was in security myself for a while and got out of it because I was tired of being miserable all the time. But I feel that there's a deep spiritual alignment between people who care about cost and people who care about security when it comes to cloud—or business in general—because you can spend infinite money on those things, but it doesn't really get your business further. It's like paying for fire insurance. It isn't going to get you to your next milestone, whereas shipping faster, being more effective at launching a feature into markets, that can multiply revenue. That's what companies are optimized around. It's, “Oh, right. We have to do the security stuff,” or, “We have to fix the AWS billing piece.” It feels, on some level, like it's a backburner project most of the time and it's certainly invested in that way. What's your take on that?Ashish: I tend to disagree with that, for a couple reasons.Corey: Excellent. I love arguments.Ashish: I feel this in a healthy way as well. A, I love the analogy of spiritual animals where they are cost optimization as well as the risk aversion as well. I think where I normally stand—and this is what I had to unlearn after doing years of cybersecurity—was that initially, we always used to be—when I say ‘we,' I mean cybersecurity folks—we always used to be like police officers. Is that every time there's an incident, it turns into a crime scene, and suddenly we're all like, “Pew, pew, pew,” with trying to get all the evidence together, let's make this isolated as much—as isolated as possible from the rest of the environment, and let's try and resolve this.I feel like in Cloud has asked people to become more collaborative, which is a good problem to have. It also encourages that, I don't know how many people know this, but the reason we have brakes in our cars is not because we can slow down the car; it's so that we can go faster. And I feel security is the same thing. The guardrails we talk about, the risks that you're trying to avert, the reason you're trying to have security is not to slow down but to go faster. Say for example in an ideal world, to quote what you were saying earlier if we were to do the right kind of encryption—I'm just going to use the most basic example—if we just do encryption, right, and just ensure that as a guardrail, the entire company needs to have encryption at rest, encryption in transit, period, nothing else, no one cares about anything else.But if you just lay that out as a framework and this is our guardrail, no one brakes this, and whoever does, hey we—you know, slap on the wrist and come back on to the actual track, but keep going forward. That just means any project that comes in that meets [unintelligible 00:04:58] criteria. Keeps going forward, as many times we want to go into production. Doesn't matter. So, that is the new world of security that we are being asked to move towards where Amazon re:Invent is coming in, there will be another, I don't know, three, four hundred services that will be released. How many people, irrespective of security, would actually know all of those services? They would not. So, [crosstalk 00:05:20]—Corey: Oh, we've long since passed the point where I can convincingly talk about AWS services that don't really exist and not get called out on it by Amazon employees. No one keeps them on their head. Except me because I'm sad.Ashish: Oh, no, but I think you're right, though. I can't remember who was it—maybe Andrew Vogel or someone—they didn't release a service which didn't exist, and became, like, a thing on Twitter. Everyone—Corey: Ah, AWS's Infinidash. I want to say that was Joe Nash out of Twilio at the time. I don't recall offhand if I'm right on that, but that's how it feels. Yeah, it was certainly not me. People said that was my idea. Nope, nope, I just basically amplified it to a huge audience.But yeah, it was a brilliant idea, just because it's a fake service so everyone could tell stories about it. And amazing product feedback, if you look at it through the right lens of how people view your company and your releases when they get this perfect, platonic ideal of what it is you might put out there, what do people say about it?Ashish: Yeah. I think that's to your point, I will use that as an example as well to talk about things that there will always be a service which we will be told about for the first time, which we will not know. So, going back to the unlearning part, as a security team, we just have to understand that we can't use the old ways of, hey, I want to have all the controls possible, cover all there is possible. I need to have a better understanding of all the cloud services because I've done, I don't know, 15 years of cloud, there is no one that has 10, 15 years of cloud unless you're I don't know someone from Amazon employee yourself. Most people these days still have five to six years experience and they're still learning.Even the cloud engineering folks or the DevOps folks, they're all still learning and the tooling is continuing to evolve. So yeah, I think I definitely find that the security in this cloud world a lot more collaborative and it's being looked at as the same function as a brake would have in car: to help you go faster, not to just slam the brake every time it's like, oh, my God, is the situation isolated and to police people.Corey: One of the points I find that is so aligned between security and cost—and you alluded to it a minute ago—is the idea of helping companies go faster safely. To that end, guardrails have to be at least as easy as just going off and doing it cow-person style. Because if it's not, it's more work in any way, shape, or form, people won't do it. People will not tag their resources by hand, people will not go through and use the dedicated account structure you've got that gets in their way and screams at them every time they try to use one of the native features built into the platform. It has to get out of their way and make things easier, not worse, or people fight it, they go around it, and you're never going to get buy-in.Ashish: Do you feel like cost is something that a lot more people pay a lot more attention to because, you know, that creeps into your budget? Like, as people who've been leaders before, and this was the conversation, they would just go, “Well, I only have, I don't know, 100,000 to spend this quarter,” or, “This year,” and they are the ones who—are some of them, I remember—I used to have this manager, once, a CTO would always be conscious about the spend. It's almost like if you overspend, where do you get the money from? There's no money to bring in extra. Like, no. There's a set money that people plan for any year for a budget. And to your point about if you're not keeping an eye on how are we spending this in the AWS context because very easy to spend the entire money in one day, or in the cloud context. So, I wonder if that is also a big driver for people to feel costs above security? Where do you stand on that?Corey: When it comes to cost, one of the nice things about it—and this is going to sound sarcastic, but I swear to you it's not—it's only money.Ashish: Mmm.Corey: Think about that for a second because it's true. Okay, we wound up screwing up and misconfiguring something and overspending. Well, there are ways around that. You can call AWS, you can get credits, you can get concessions made for mistakes, you can sign larger contracts and get a big pile of proof of concept credit et cetera, et cetera. There are ways to make that up, whereas with security, it's there are no do-overs on security breaches.Ashish: No, that's a good point. I mean, you can always get more money, use a credit card, worst case scenario, but you can't do the same for—there's a security breach and suddenly now—hopefully, you don't have to call New York Times and say, “Can you undo that article that you just have posted that told you it was a mistake. We rewinded what we did.”Corey: I'm curious to know what your take is these days on the state of the cloud security community. And the reason I bring that up is, well, I started about a year-and-a-half ago now doing a podcast every Thursday. Which is Last Week in AWS: Security Edition because everything else I found in the industry that when I went looking was aimed explicitly at either—driven by the InfoSec community, which is toxic and a whole bunch of assumed knowledge already built in that looks an awful lot like gatekeeping, which is the reason I got out of InfoSec in the first place, or alternately was completely vendor-captured, where, okay, great, we're going to go ahead and do a whole bunch of interesting content and it's all brought to you by this company and strangely, all of the content is directly align with doing some pretty weird things that you wouldn't do unless you're trying to build a business case for that company's product. And it just feels hopelessly compromised. I wanted to find something that was aimed at people who had to care about security but didn't have security as part of their job title. Think DevOps types and you're getting warmer.That's what I wound up setting out to build. And when all was said and done, I wasn't super thrilled with, honestly, how alone it still felt. You've been doing this for a while, and you're doing a great job at it, don't get me wrong, but there is the question that—and I understand they're sponsoring this episode, but the nice thing about promoted guest episodes is that they can buy my attention, not my opinion. How do you retain creative control of your podcast while working for a security vendor?Ashish: So, that's a good question. So, Snyk by themselves have not ever asked us to change any piece of content; we have been working with them for the past few months now. The reason we kind of came along with Snyk was the alignment. And we were talking about this earlier for I totally believe that DevSecOps and cloud security are ultimately going to come together one day. That may not be today, that may not be tomorrow, that may not be in 2022, or maybe 2023, but there will be a future where these two will sit together.And the developer-first security mentality that they had, in this context from cloud prospective—developers being the cloud engineers, the DevOps people as you called out, the reason you went in that direction, I definitely want to work with them. And ultimately, there would never be enough people in security to solve the problem. That is the harsh reality. There would never be enough people. So, whether it's cloud security or not, like, for people who were at AWS re:Inforce, the first 15 minutes by Steve Schmidt, CSO of Amazon, was get a security guardian program.So, I've been talking about it, everyone else is talking about right now, Amazon has become the first CSP to even talk about this publicly as well that we should have security guardians. Which by the way, I don't know why, but you can still call it—it is technically DevSecOps what you're trying to do—they spoke about a security champion program as part of the keynote that they were running. Nothing to do with cloud security, but the idea being how much of this workload can we share? We can raise, as a security team—for people who may be from a security background listening to this—how much elevation can we provide the risk in front of the right people who are a decision-maker? That is our role.We help them with the governance, we help with managing it, but we don't know how to solve the risk or close off a risk, or close off a vulnerability because you might be the best person because you work in that application every day, every—you know the bandages that are put in, you know all the holes that are there, so the best threat model can be performed by the person who works on a day-to-day, not a security person who spent, like, an hour with you once a week because that's the only time they could manage. So, going back to the Snyk part, that's the mission that we've had with the podcast; we want to democratize cloud security and build a community around neutral information. There is no biased information. And I agree with what you said as well, where a lot of the podcasts outside of what we were finding was more focused on, “Hey, this is how you use AWS. This is how you use Azure. This is how you use GCP.”But none of them were unbiased in the opinion. Because real life, let's just say even if I use the AWS example—because we are coming close to the AWS re:Invent—they don't have all the answers from a security perspective. They don't have all the answers from an infrastructure perspective or cloud-native perspective. So, there are some times—or even most times—people are making a call where they're going outside of it. So, unbiased information is definitely required and it is not there enough.So, I'm glad that at least people like yourself are joining, and you know, creating the world where more people are trying to be relatable to DevOps people as well as the security folks. Because it's hard for a security person to be a developer, but it's easy for a developer or an engineer to understand security. And the simplest example I use is when people walk out of their house, they lock the door. They're already doing security. This is the same thing we're asking when we talk about security in the cloud or in the [unintelligible 00:14:49] as well. Everyone is, it just it hasn't been pointed out in the right way.Corey: I'm curious as to what it is that gets you up in the morning. Now, I know you work in security, but you're also not a CISO anymore, so I'm not asking what gets you up at 2 a.m. because we know what happens in the security space, then. There's a reason that my area of business focus is strictly a business hours problem. But I'd love to know what it is about cloud security as a whole that gets you excited.Ashish: I think it's an opportunity for people to get into the space without the—you know, you said gatekeeper earlier, those gatekeepers who used to have that 25 years experience in cybersecurity, 15 years experience in cybersecurity, Cloud has challenged that norm. Now, none of that experience helps you do AWS services better. It definitely helps you with the foundational pieces, definitely helps you do identity, networking, all of that, but you still have to learn something completely new, a new way of working, which allows for a lot of people who earlier was struggling to get into cybersecurity, now they have an opening. That's what excites me about cloud security, that it has opened up a door which is beyond your CCNA, CISSP, and whatever else certification that people want to get. By the way, I don't have a CISSP, so I can totally throw CISSP under the bus.But I definitely find that cloud security excites me every morning because it has shown me light where, to what you said, it was always a gated community. Although that's a very huge generalization. There's a lot of nice people in cybersecurity who want to mentor and help people get in. But Cloud security has pushed through that door, made it even wider than it was before.Corey: I think there's a lot to be said for the concept of sending the elevator back down. I really have remarkably little patience for people who take the perspective of, “Well, I got mine so screw everyone else.” The next generation should have it easier than we did, figuring out where we land in the ecosystem, where we live in the space. And there are folks who do a tremendous job of this, but there are also areas where I think there is significant need for improvement. I'm curious to know what you see as lacking in the community ecosystem for folks who are just dipping their toes into the water of cloud security.Ashish: I think that one, there's misinformation as well. The first one being, if you have never done IT before you can get into cloud security, and you know, you will do a great job. I think that is definitely a mistake to just accept the fact if Amazon re:Invent tells you do all these certifications, or Azure does the same, or GCP does the same. If I'll be really honest—and I feel like I can be honest, this is a safe space—that for people who are listening in, if you're coming to the space for the first time, whether it's cloud or cloud security, if you haven't had much exposure to the foundational pieces of it, it would be a really hard call. You would know all the AWS services, you will know all the Azure services because you have your certification, but if I was to ask you, “Hey, help me build an application. What would be the architecture look like so it can scale?”“So, right now we are a small pizza-size ten-people team”—I'm going to use the Amazon term there—“But we want to grow into a Facebook tomorrow, so please build me an architecture that can scale.” And if you regurgitate what Amazon has told you, or Azure has told you, or GCP has told you, I can definitely see that you would struggle in the industry because that's not how, say every application is built. Because the cloud service provider would ask you to drink the Kool-Aid and say they can solve all your problems, even though they don't have all the servers in the world. So, that's the first misinformation.The other one too, for people who are transitioning, who used to be in IT or in cybersecurity and trying to get into the cloud security space, the challenge over there is that outside of Amazon, Google, and Microsoft, there is not a lot of formal education which is unbiased. It is a great way to learn AWS security on how amazing AWS is from AWS people, the same way Microsoft will be [unintelligible 00:19:10], however, when it comes down to actual formal education, like the kind that you and I are trying to provide through a podcast, me with the Cloud Security Podcast, you with Last Week in AWS in the Security Edition, that kind of unbiased formal education, like free education, like what you and I are doing does definitely exist and I guess I'm glad we have company, that you and I both exist in this space, but formal education is very limited. It's always behind, say an expensive paid wall sometimes, and rightly so because it's information that would be helpful. So yeah, those two things. Corey: This episode is sponsored in part by our friends at Uptycs. Attackers don't think in silos, so why would you have siloed solutions protecting cloud, containers, and laptops distinctly? Meet Uptycs - the first unified solution prioritizes risk across your modern attack surface—all from a single platform, UI, and data model. Stop by booth 3352 at AWS re:Invent in Las Vegas to see for yourself and visit uptycs.com. That's U-P-T-Y-C-S.com. Corey: One of the problems that I have with the way a lot of cloud security stuff is situated is that you need to have something running to care about the security of. Yeah, I can spin up a VM in the free tier of most of these environments, and okay, “How do I secure a single Linux box?” Okay, yes, there are a lot of things you can learn there, but it's very far from a holistic point of view. You need to have the infrastructure running at reasonable scale first, in order to really get an effective lab that isn't contrived.Now, Snyk is a security company. I absolutely understand and have no problem with the fact that you charge your customers money in order to get security outcomes that are better than they would have otherwise. I do not get why AWS and GCP charge extra for security. And I really don't get why Azure charges extra for security and then doesn't deliver security by dropping the ball on it, which is neither here nor there.Ashish: [laugh].Corey: It feels like there's an economic form of gatekeeping, where you must spend at least this much money—or work for someone who does—in order to get exposure to security the way that grownups think about it. Because otherwise, all right, I hit my own web server, I have ten lines in the logs. Now, how do I wind up doing an analysis run to figure out what happened? I pull it up on my screen and I look at it. You need a point of scale before anything that the modern world revolves around doesn't seem ludicrous.Ashish: That's a good point. Also because we don't talk about the responsibility that the cloud service provider has themselves for security, like the encryption example that I used earlier, as a guardrail, it doesn't take much for them to enable by default. But how many do that by default? I feel foolish sometimes to tell people that, “Hey, you should have encryption enabled on your storage which is addressed, or in transit.”It should be—like, we have services like Let's Encrypt and other services, which are trying to make this easily available to everyone so everyone can do SSL or HTTPS. And also, same goes for encryption. It's free and given the choice that you can go customer-based keys or your own key or whatever, but it should be something that should be default. We don't have to remind people, especially if you're the providers of the service. I agree with you on the, you know, very basic principle of why do I pay extra for security, when you should have already covered this for me as part of the service.Because hey, technically, aren't you also responsible in this conversation? But the way I see shared responsibility is that—someone on the podcast mentioned it and I think it's true—shared responsibility means no one's responsible. And this is the kind of world we're living in because of that.Corey: Shared responsibility has always been an odd concept to me because AWS is where I first encountered it and they, from my perspective, turn what fits into a tweet into a 45-minute dog-and-pony show around, “Ah, this is how it works. This is the part we're responsible for. This is the part where the customer responsibility is. Now, let's have a mind-numbingly boring conversation around it.” Whereas, yeah, there's a compression algorithm here. Basically, if the cloud gets breached, it is overwhelmingly likely that you misconfigured something on your end, not the provider doing it, unless it's Azure, which is neither here nor there, once again.The problem with that modeling, once you get a little bit more business sophistication than I had the first time I made the observation, is that you can't sit down with a CISO at a company that just suffered a data breach and have your conversation be, “Doesn't it suck to be you—[singing] duh, duh—because you messed up. That's it.” You need that dog-and-pony show of being able to go in-depth and nuance because otherwise, you're basically calling out your customer, which you can't really do. Which I feel occludes a lot of clarity for folks who are not in that position who want to understand these things a bit better.Ashish: You're right, Corey. I think definitely I don't want to be in a place where we're definitely just educating people on this, but I also want to call out that we are in a world where it is true that Amazon, Azure, Google Cloud, they all have vulnerabilities as well. Thanks to research by all these amazing people on the internet from different companies out there, they've identified that, hey, these are not pristine environments that you can go into. Azure, AWS, Google Cloud, they themselves have vulnerabilities, and sometimes some of those vulnerabilities cannot be fixed until the customer intervenes and upgrades their services. We do live in a world where there is not enough education about this as well, so I'm glad you brought this up because for people who are listening in, I mean, I was one of those people who would always say, “When was the last time you heard Amazon had a breach?” Or, “Microsoft had a breach?” Or, “Google Cloud had a breach?”That was the idea when people were just buying into the concept of cloud and did not trust cloud. Every cybersecurity person that I would talk to they're like, “Why would you trust cloud? Doesn't make sense.” But this is, like, seven, eight years ago. Fast-forward to today, it's almost default, “Why would you not go into cloud?”So, for people who tend to forget that part, I guess, there is definitely a journey that people came through. With the same example of multi-factor authentication, it was never a, “Hey, let's enable password and multi-factor authentication.” It took a few stages to get there. Same with this as well. We're at that stage where now cloud service providers are showing the kinks in the armor, and now people are questioning, “I should update my risk matrix for what if there's actually a breach in AWS?”Now, Capital One is a great example where the Amazon employee who was sentenced, she did something which has—never even [unintelligible 00:25:32] on before, opened up the door for that [unintelligible 00:25:36] CISO being potentially sentenced. There was another one. Because it became more primetime news, now people are starting to understand, oh, wait. This is not the same as it used to be. Cloud security breaches have evolved as well.And just sticking to the Uber point, when Uber has that recent breach where they were talking about, “Hey, so many data records were gone,” what a lot of people did not talk about in that same message, it also mentioned the fact that, hey, they also got access to the AWS console of Uber. Now, that to me, is my risk metrics has already gone higher than where it was before because it just not your data, but potentially your production, your pre-prod, any development work that you were doing for, I don't know, self-driving cars or whatever that Uber [unintelligible 00:26:18] is doing, all that is out on the internet. But who was talking about all of that? That's a much worse a breach than what was portrayed on the internet. I don't know, what do you think?Corey: When it comes to trusting providers, where I sit is that I think, given their scale, they need to be a lot more transparent than they have been historically. However, I also believe that if you do not trust that these companies are telling you the truth about what they're doing, how they're doing it, what their controls are, then you should not be using them as a customer, full stop. This idea of confidential computing drives me nuts because so much of it is, “Well, what if we assume our cloud provider is lying to us about all of these things?” Like, hypothetically there's nothing stopping them from building an exact clone of their entire control plane that they redirect your request to that do something completely different under the hood. “Oh, yeah, of course, we're encrypting it with that special KMS key.” No, they're not. For, “Yeah, sure we're going to put that into this region.” Nope, it goes right back to Virginia. If you believe that's what's going on and that they're willing to do that, you can't be in cloud.Ashish: Yeah, a hundred percent. I think foundational trust need to exist and I don't think the cloud service providers themselves do a great job of building that trust. And maybe that's where the drift comes in because the business has decided they're going to cloud. The cyber security people are trying to be more aware and asking the question, “Hey, why do we trust it so blindly? I don't have a pen test report from Amazon saying they have tested service.”Yes, I do have a certificate saying it's PCI compliant, but how do I know—to what you said—they haven't cloned our services? Fortunately, businesses are getting smarter. Like, Walmart would never have their resources in AWS because they don't trust them. It's a business risk if suddenly they decide to go into that space. But the other way around, Microsoft may decides tomorrow that they want to start their own Walmart. Then what do you do?So, I don't know how many people actually consider that as a real business risk, especially because there's a word that was floating around the internet called supercloud. And the idea behind this was—oh, I can already see your reaction [laugh].Corey: Yeah, don't get me started on that whole mess.Ashish: [laugh]. Oh no, I'm the same. I'm like, “What? What now?” Like, “What are you—” So, one thing I took away which I thought was still valuable was the fact that if you look at the cloud service providers, they're all like octopus, they all have tentacles everywhere.Like, if you look at the Amazon of the world, they not only a bookstore, they have a grocery store, they have delivery service. So, they are into a lot of industries, the same way Google Cloud, Microsoft, they're all in multiple industries. And they can still have enough money to choose to go into an industry that they had never been into before because of the access that they would get with all this information that they have, potentially—assuming that they [unintelligible 00:29:14] information. Now, “Shared responsibility,” quote-unquote, they should not do it, but there is nothing stopping them from actually starting a Walmart tomorrow if they wanted to.Corey: So, because a podcast and a day job aren't enough, what are you going to be doing in the near future given that, as we record this, re:Invent is nigh?Ashish: Yeah. So, podcasting and being in the YouTube space has definitely opened up the creative mindset for me. And I think for my producer as well. We're doing all these exciting projects. We have something called Cloud Security Villains that is coming up for AWS re:Invent, and it's going to be released on our YouTube channel as well as my social media.And we'll have merchandise for it across the re:Invent as well. And I'm just super excited about the possibility that media as a space provides for everyone. So, for people who are listening in and thinking that, I don't know, I don't want to write for a blog or email newsletter or whatever the thing may be, I just want to put it out there that I used to be excited about AWS re:Invent just to understand, hey, hopefully, they will release a new security service. Now, I get excited about these events because I get to meet community, help them, share what they have learned on the internet, and sound smarter [laugh] as a result of that as well, and get interviewed where people like yourself. But I definitely find that at the moment with AWS re:Invent coming in, a couple of things that are exciting for me is the release of the Cloud Security Villains, which I think would be an exciting project, especially—hint, hint—for people who are into comic books, you will definitely enjoy it, and I think your kids will as well. So, just in time for Christmas.Corey: We will definitely keep an eye out for that and put a link to that in the show notes. I really want to thank you for being so generous with your time. If people want to learn more about what you're up to, where's the best place for them to find you?Ashish: I think I'm fortunate enough to be at that stage where normally if people Google me—and it's simply Ashish Rajan—they will definitely find me [laugh]. I'll be really hard for them not find me on the internet. But if you are looking for a source of unbiased cloud security knowledge, you can definitely hit up cloudsecuritypodcast.tv or our YouTube and LinkedIn channel.We go live stream every week with a new guest talking about cloud security, which could be companies like LinkedIn, Twilio, to name a few that have come on the show already, and a lot more than have come in and been generous with their time and shared how they do what they do. And we're fortunate that we get ranked top 100 in America, US, UK, as well as Australia. I'm really fortunate for that. So, we're doing something right, so hopefully, you get some value out of it as well when you come and find me.Corey: And we will, of course, put links to all of that in the show notes. Thank you so much for being so generous with your time. I really appreciate it.Ashish: Thank you, Corey, for having me. I really appreciate this a lot. I enjoyed the conversation.Corey: As did I. Ashish Rajan, Principal Cloud Security Advocate at Snyk who is sponsoring this promoted guest episode. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment pointing out that not every CISO gets fired; some of them successfully manage to blame the intern.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Debbie Gordon is the CEO at Cloud Range. In this episode of Cybercrime Radio, Debbie joins host Steve Morgan to discuss some of Cloud Range's most valuable content for CISOs and security leaders, including the Cloud Range Blog, FlexLabs, and more. To learn more about our sponsor, visit https://cloudrangecyber.com/ • For more on cybersecurity, visit us at https://cybersecurityventures.com/

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

The Cybercrime Magazine Podcast brings you our weekly alert, which provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with the latest breaking news stories we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Airs weekly on WCYB and our podcast. For more on the latest cyberattacks, hacks, and breaches, visit https://cybercrimewire.com

Cybercrime Magazine CISO Minute host Theresa Payton, Former White House CIO, discusses some of the different ways in which CISOs defend against cyberattacks. The CISO Minute is sponsored by https://knowbe4.com/ • For more on cybersecurity, visit us at https://cybersecurityventures.com/

New ransomware encrypts files, then steals your Discord account Donald Trump returns to Twitter after Elon Musk's poll More than half of Black Friday spam emails are scams Thanks to today's episode sponsor, Compyl We all know that CISOs are overworked and stressed. CISOs made Compyl to reduce the noise, accelerate security maturity and let you and your team quickly make decisions that directly affect what's important to your business. Learn about Compyl at www.compyl.com. For the stories behind the headlines, head to CISOseries.com.

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

In this episode Steve has a conversation with Jamil Farshchi and Timothy Held about top cyber risks, leadership, innovation in cybersecurity, standards, regulations, and thoughts on the threat landscape for 2023. Jamil joined Equifax in 2018 and led an unprecedented transformation of the company's security and technology capabilities. Today, Equifax is regarded as having one of the most advanced, effective, and transparent cybersecurity programs in business. Prior to Equifax, he was Chief Information Security Officer at The Home Depot, where he led the security turnaround for the Fortune 50 company following a high-profile data breach. Jamil serves as a Strategic Engagement Advisor for the FBI and serves on the Board of Directors for the National Technology Security Coalition. Tim joined US Bank in 2005 and leads a multidisciplinary information security team operating across the United States, Europe, and Asia, focusing on prevention, detection, and response. Tim is responsible for U.S. Bank's cybersecurity architecture, engineering, security operations, incident response, data loss prevention, vulnerability assessment services, online fraud detection, security monitoring, insider threat, and cyber threat intelligence. Tim sits on several external committees and is recognized by the Security 50 Organization as one of the top 50 CISOs in the world. CISOs are not only responsible for the security posture of their organization, they are guardians of the teams, employees, customers, and stakeholders they serve. They have a difficult job to perform, and I do not envy them one bit. But I am grateful for their contributions to society, and I am grateful for Jamil and Tim taking the time to talk with me for this epic episode on cybersecurity leadership.

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

In this episode of The New CISO, Steve is joined by Demetrios “Laz” Lazarikos, three-time CISO and Co-founder of Blue Lava Security.A naturally curious child, Laz became interested in technology early, prompting his life-long love of learning. Today, he shares how different lessons from childhood and the airforce led to his fulfilling CISO career. Listen to the episode to learn more about Laz's fascinating cybersecurity journey, the influence of his family, and how to become a more effective mentor.Listen to Steve and Laz discuss his approach to career development and how his passion for learning led to his success:Meet Laz (1:43)Host Steve Moore introduces our guest today, Laz Lazarikos. With over thirty years of security experience, Laz wanted to build a platform where security leaders could measure, optimize, and develop their security programs, which he accomplished with Blue Lava.As a child, Laz's mother encouraged his interest in technology. Passionate about solving tech problems at an early age, Laz credits his childhood interest as his cyber security start.Growing Up Greek (6:56)Laz shares what it was like growing up in a traditional Greek family, which he compares to the film My Big Fat Greek Wedding. From a family of entrepreneurs, Laz felt pressure to take over the family business but instead started a security career.At twelve years old, Laz's mother advised him to go to his uncle, a loan shark, for a loan to buy tech, which he paid back with interest. Laz appreciates the lessons he received from his mother and credits her for giving him valuable life experience.Meeting Carl Sagan (10:46)At ten years old, Laz heard Carl Sagan, of the original Cosmos fame, speak during a field trip. Much of Carl's speech resonated with Laz, including that anyone could do anything they wanted if their actions aligned with their goals. Going Into The Airforce (13:13)Steve asks Laz about his time in the airforce. While being recruited, Laz became interested in how systems and machines worked. Before he joined, the airforce promised he would get much training and education around security communications, which secured his interest.At seventeen, Laz's mother allowed him to emancipate, and he officially joined the airforce and learned foundational lessons for functioning in society.A Foundation Of Learning (18:30)Steve presses Laz on what he is doing today in his pursuit of education. Laz shares how his mother took him to the library every weekend as a kid and how his father had him complete writing exercises based on the newspaper.Today, Laz looks at education as something you can never lose and can apply to life and work. Still a lover of libraries, Laz has three library cards for three cities and looks to history to improve his efforts.Working Backward To Move Forward (22:32)In terms of mentorship, Laz recommends thinking about your goals and working backward. This approach has always worked for Laz and other CISOs as well.Laz puts thought into how he uses his time for personal growth and looks to the great CISOs of history to evaluate actions for success.MBA Or Side Hustle (30:00)Steve presses Laz on if CISOs should get an MBA or do a side hustle to build a security network. To make this decision, you should evaluate the cost and time investments required and determine if either opportunity is needed for your overarching goals. You have to make choices based on what's best for you.Advancing Through Mentorship (36:58)To Laz, your CISO career boils down to mentorship, and he acknowledges that his mentors were his family and, later, the airforce. With meaningful relationships, training, and...

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

This week we are joined by Rachel Briggs and Richard Brinson from Savanti, a UK-based cybersecurity consulting entity. Richard Brinson is CEO of Savanti, has been CISO at several large corporations, including Unilever and Sainsbury's. He was named one of the top CISOs in the world and has over 20 years of experience in the field. Rachel Briggs is an Executive Adviser to Savanti and a leading expert on security and regularly advises large multinationals and governments. She is an Associate Fellow and Chatam House and was awarded the OBE in 2014. Richard and Rachel have just authored The Future of Cyber Security Leadership Series and their first publication is “Cyber Security Leadership is Broken: Here's how to fix it.”

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

Kirsten Davies, chief information security officer at Unilever, joins Ann on this week's episode of Afternoon Cyber Tea. Kirsten is a recognized thought leader, serves on the Board of Governors for the New York Academy of Sciences, and is a Mentor for several non-profits and women's initiatives. The two discuss burnout and stress-related mental-health concerns in cyber, which are, unfortunately, on the rise. Now, security and business leaders alike are concerned that the pressure and responsibility of cyber roles–combined with the rise in cyber-attacks, reduction in resourcing, and other factors–is making cyber a less attractive career path. Ann and Kirsten discuss the importance of personal resilience, factors contributing to the cyber talent shortage, and strategies that leaders can adopt to improve their people's working conditions and well-being.      In This Episode You Will Learn:       Some of the unknown challenges that CISOs and cyber defenders are facing today  What can and should change to make cyber roles and work environments better  What organizations are addressing mental health and well-being best  Some Questions We Ask:      What are some of the factors that may impact our personal resilience?  How can future and current CEOs look to retain quality CISO and cyber defender talent?  What are some of the contributing factors to the cyber talent shortage?    Resources:     Visit Kirsten Davies on Twitter  View Kirsten Davies on LinkedIn  View Ann Johnson on LinkedIn       Related Microsoft Podcasts:                   Listen to: Uncovering Hidden Risks    Listen to: Security Unlocked     Listen to: Security Unlocked: CISO Series with Bret Arsenault       Discover and follow other Microsoft podcasts at microsoft.com/podcasts     Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network.    

Information Security is often seen as a cost center and drain on the revenue of a company. It may be seen as necessary to protect the company, but the value is not always understood by leadership and peers to the CISO. Taken from personal experience, in this talk, we will explore some suggestions on how CISOs can bring and show value to their companies. Visit https://securityweekly.com/csp for all the latest episodes! Follow us on Twitter: https://www.twitter.com/cyberleaders Follow us on LinkedIn: https://www.linkedin.com/company/cybersecuritycollaborative/ Show Notes: https://securityweekly.com/csp96

Paul Connelly, Chief Security Officer at HCA Healthcare, joins host Alissa (Dr Jay) Abdullah, PhD, SVP & Deputy CSO at Mastercard, in this episode of the CISO 500. Connelly discusses how he got to where he is today, as well as his thoughts on some of the hottest topics for CISOs at the moment, and more. To learn more about our sponsor, Mastercard, visit https://mastercard.us/en-us.html • For more on cybersecurity, visit us at https://cybersecurityventures.com

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

Special Thanks to our podcast sponsor, Cymulate.  On this episode, Dave Klein stops by to discuss the 3 Digital Challenges that organizations face: Cyber threats evolve on a daily basis and this constant threat to our environment appears to be only accelerating The level of vulnerabilities today is 30x what it was 10 years ago.  We have more IT infrastructure, complexity, and developers in our current environment. In the pursuit of digital innovation, we are changing our IT infrastructure by the hour.  For Example: Infrastructure as Code capabilities (Chef, Puppet, Terraform, etc.) allow developers to deploy faster and create more opportunities for misconfigured code at scale.   Breach and Attack Simulation tooling address these 3 digital challenges by focusing on Breach Attack Simulation, Vulnerability Prioritization, & Threat Exposure Management.  This combined approach allows a cyber organization to ensure its security is fully optimized and its risk exposure is minimized.  Key benefits of adopting Breach and Attack Simulation software include: Managing organizational cyber-risk end to end Rationalizing security spend Prioritizing mitigations based on validated risks Protecting against the latest threats in near real-time Preventing environmental drift   Welcome back listeners and thank you for continuing your education in CISO Tradecraft.  Today we are excited to share with you a great episode focused on Breach and Attack Simulation software.  To begin we will provide a solid background on Breach and Attack Simulation then we are going to bring on our special guest Dave Klein who will give us the pro tips that help CISOs maximize the value from Breach and Attack Simulation Software.   Starting from the beginning.  What is Breach and Attack Simulation software and why is this needed?  At the end of the day most companies are not on an island.  They need to connect to clients, partners, and vendors.  They need the ability for employees to visit websites.  They need to host public facing websites to sell products and services.  Each of these activities result in creating organizational assets such as IT equipment that has internet connectivity.  Now internet connectivity isn't a bad thing.  Remember internet connectivity allows companies to generate income which allows the organization to exist.  This income goes to funding expenses like the cyber organization so that is a good thing.     If bad actors with the intent and capability to cause your company harm can find your company's internet connected assets which have vulnerabilities, then you have a risk to your organization.  So enter vulnerability assessment and penetration testing tools that companies can buy to identify and address this risk.  Now sometimes you will hear the terms Cyber Asset Attack Surface Management or (CAASM).  It's also commonly referred to as continuous threat exposure management.  Essentially these two categories of tools are the latest evolution of vulnerability management tooling that have the additional benefit of ingesting data from multiple sources.  Essentially they are designed to address key questions such as:  How do we get an inventory of what we have? How do we know our vulnerabilities? and  How do we know which vulnerabilities might be exploited by threat actors?     Now if you want to take this line of questioning one step further, then you should consider adopting Breach and Attack Simulation software.  Note Breach and Attack Simulation software overlaps with many of the CAASM capabilities, but it does something unique.  Breach and Attack Simulation software allows you to pose as bad actors on your network and perform red team exercises.  Essentially you learn how bad actors can bypass your cyber tooling and safeguards.  This means you go from knowing where you are vulnerable to actually seeing how well your incident response activities perform.  Example if I can take a normal user's laptop and spawn a Powershell Script or run a tool like MimiKatz to gain Domain Admin level privileges, then I want to know if the Cyber Security Incident Response team was alerted to that activity.  I also want to know if the Incident Response team blocked or disabled this account in a timely manner.  According to the 2022 Microsoft Digital Defense Report the median time it takes for an attacker to access your private data if you fall victim to a phishing email is 1 hour 12 minutes.  The report also stated that the median time for an attacker to begin moving laterally within your corporate network once a device is compromised is 1 hour 42 minutes.  Remember the difference to responding to these attacks in minutes vs hours can be the difference between how much files get encrypted when ransomware actors get into your environment.     Another thing that CISOs need to ensure is that vulnerabilities get fixed.  How do you test that?  You have to replay the attack.     You can think of fire drills as the comparison.  If an organization only did one fire drill every 24 months, then chances are the company's time to exit the building isn't going to decrease all that much.  It's likely to stay the same.  Now if an organization does 8-12 fire drills over the course of 24 months, then you would generally see a good decrease in departure times as people get familiar with knowing how to leave the building in a timely fashion.  The good thing on Breach and Attack Simulation tools is they have the ability to replay numerous attacks with the click of a button.  This can save your penetration testing team hours over manual exploitation activities which would have to be repeated to confirm successful patches and mitigations.   If we look at Breach and Attack Simulation software the tools have typically come in two flavors.  One is an agent based approach.  Example.  A company might install an attack agent on a laptop inside the corporate environment that runs Data Loss Protection software.  The attack agent might look at how much data it can exfiltrate which is not stopped by the DLP tool.  The attack agent could also run similar attacks with how much malware the Antivirus detects, how much sensitive email it send outside the company despite there being an email protection solution.  These attack agents can also be placed on servers to determine how effective web applications firewalls are at stopping attacks.   Essentially having an attack agent on the internal side of a trusted network and one on the outside allows an organization to evaluate the effectiveness of various cyber tools.  Now there's a few concerns with this type of approach.  One, companies don't want to add more agents across their network because it steals critical system resources and makes things slower.  Two, the time it takes to install and test agents means the value you can get out of these tools is delayed because cyber needs approvals from the desktop team, the network team, the firewall team, etc. before these solutions can be deployed.  Three, by having an agent you don't always truly simulate what an attacker would do since you don't have to live off the land and gain permissions the attacker did.  Your agent may not be know to antivirus or EDR tools, but using windows libraries to gain access does.    Now let's compare this with an agentless approach.  This approach is quite popular since labs where agents are run don't always look like a production environment.  Example they lack the amount of traffic, don't possess the same amount of production data, or contain last month's versions of software.     Here attacker software may start with the premise what happens if someone from the Accounting Team opens an Excel document containing a malicious macro.  Let's see how we can automate an attack after that initial compromise step occurs.  Then let's walk through every attack identified by the Mitre Attack Framework and see what gets caught and what doesn't.  The tooling can then look at the technical safeguards in the organization that should have been applied and provide recommendations on how to increase their effectiveness.  This might be something simple like adding a Windows Group Policy to stop an attack.  Also breach and attack simulation tools can provide alerting recommendations to the SIEM that help identify when an endpoint attack occurred.  Example: Instead of knowing that bad actors can run an attack, the Breach and Attack Simulation software actually gives you the Splunk Signature that your SOC team can leverage.  That's a great add to minimize the amount of time to improve your alerting capabilities.     Now when the breach and attack simulation software replays attacks each month, cyber leadership can look at how fast the Incident Response team detected and remediated the attack.  It might be as simple as we stopped this attack before it could happen by applying the new Windows Group Policy or it took the team 4 hours to determine XYZ account had been taken over.  These metrics allow you to know how well your Response plans work.  So you get the value of a penetration test with the automation & scaling of vulnerability management tools.     What's even more impressive is how these tools are evolving to meet the larger mission of cyber organizations.     Example: Most Financial and Health Care organizations have to demonstrate evidence that IT controls are working effectively.  Generally this is a manual process done in the Governance Risk and Compliance (GRC) team within a cyber organization.  GRC teams have to ask developers to provide evidence to various IT controls such as are you monitoring and alerting to privilege activity.  Now imagine if you had an automated tool that showed evidence that monitoring tools are installed on 99% of endpoints and these tools actually stopped various MITRE attacks immediately.  That evidence would minimize the data call which takes time from the developer teams.   

Cybercrime Magazine CISO Minute host Theresa Payton, Former White House CIO, goes over some of the hottest topics for new CISOs, including ransomware, malicious API calls, and more. The CISO Minute is sponsored by https://knowbe4.com/ • For more on cybersecurity, visit us at https://cybersecurityventures.com/

The Cybercrime Magazine Podcast brings you our weekly alert, which provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with the latest breaking news stories we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Airs weekly on WCYB and our podcast. For more on the latest cyberattacks, hacks, and breaches, visit https://cybercrimewire.com

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

In this continuation of the previous episode, Dr. Eric Cole sheds light on how to measure security with realistic metrics. Some areas to consider while applying for the CISO position would be: Why is it unfortunate for a CISO to work under the CIO? How can it limit their reach? Why should CISOs branch out after working for the CIO?

Michael Piacente, Managing Partner & Cofounder at Hitch Partners, answers the essential question on many cybersecurity professionals' minds: Where do CISOs find CISO jobs? As it turns out, Michael helps many cybersecurity teams find their perfect CISO match with the assistance of his own team at Hitch Partners. In this episode, Michael clarifies what the role of a CISO really is, explains the compensation and benefits, and reveals the many responsibilities a CISO may take on during their team in the role.   Timecoded Guide: [00:00] Defining the role of CISO & finding the right homes for each CISO [05:21] VCISO & fractional CISO as an alternative to a full-time CISO [11:49] CISO annual income, benefits, & non-monetary incentives [16:37] Explaining additional responsibilities & tasks taken on by the CISO [25:11] Giving advice to future CISOs looking for the next cyber executive opportunity   Sponsor Links: Thank you to our sponsor Axonius and NetSPIfor bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley In your own definition and experience, what is a CISO? Although there's many definitions of the role, Michael clarifies that defining CISO should always include being an executive. To have a CISO who makes a positive impact and fulfills an organization's needs, that CISO has to be properly placed, properly sponsored, and be in an environment where they have the proper reporting processes. Michael also believes the CISO should always be looking over their shoulder to be diligent of the next threat. “In my version of it, a CISO is the executive— and that's the key term here— that has been properly placed, properly sponsored to handle all of the business information and data risk policy execution and operations in the company.”   What is the difference between a fractional CISO and a VCISO? In Michael's opinion, a VCISO (virtual CISO) and fractional CISO can be used interchangeably in a situation where a company does not need a full-time CISO executive. Unless they're looking to support a strong security program, Michael understands that many companies don't need a full-time CISO in order to be successful. A VCISO makes an impact on an organization's security without being an overwhelming role in a smaller organization. “Bringing in your starter package to implement the baseline or foundational building blocks of what will become a security program, in the form of a consultant or consulting firm, is often a wiser choice than going in building a security program around a full-time CISO role.”   Are there different types of CISOs, and have those types changed over time? Previously, Michael defined 3 different types of CISOs in his search for CISOs with Hitch Partners. However, a fourth type has emerged in recent years: the BISO, or Field CISO. This fourth type joins the ranks alongside other impactful CISO types, including the client (or governance) facing CISO, highly technical CISO, the IT-focused CISO, and now, our fourth type, the BISO, who focuses on the business side of the risk. “It's amazing that all of our CISO searches contain all these different types of CISOs. The fun part of that we get to figure out is: What's the priority [for the role]? What's the order? What does everyone in the organization think the priority should be?”    How would you direct someone to take that first step after realizing they want to be a CISO? Discovering the CISO role exists and being the right person for the role is an important distinction, and Michael encourages potential CISOs to take some time to research the job before getting involved in a job search. However, once someone knows they want to be a CISO, Michael advises finding a CISO mentor and diving into a passion. Each type of CISO needs an expertise and passion to propel them into the superpower status needed to be a CISO.  “I think it's about finding a passion. I'm a big believer that you just have to know where your superpower is, or what your superpower wants to be. In other words, that thing that's passionate to you, that you probably know better than 99% of the population out there.” --------------- Links: Keep up with our guest Michael Piacente on LinkedIn Learn more about Hitch Partners on their website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

This is the audio-only version of our twice-weekly cyber security talk show, teissTalk.  Join us twice a week for free by visiting www.teiss.co.uk/teisstalkThe panel discussion is titledteissTalk: Get smart - How top CISOs are leveraging the dark web to gather pre-attack intelligenceMoving from reactive to proactive security - where to beginStart threat modelling using the dark web and non-traditional threat intelligenceMapping dark web threat intelligence to the MITRE ATT&CK frameworkThis episode is hosted by Jenny Radcliffehttps://www.linkedin.com/in/jenny-radcliffe-the-people-hacker-%F0%9F%8E%A4%F0%9F%8E%A7%F0%9F%A7%A0-85ba1611/Ben Muldoon, Senior Cyber Security Investigator, STORM Guidancehttps://www.linkedin.com/in/ben-m-769279b/Matt Gregory, Head of Security Operations,  Penguin Random House UKhttps://www.linkedin.com/in/matthew-gregory-08523019/?originalSubdomain=ukJB Benjamin, CEO/Founder, Kryotech Ltdhttps://www.linkedin.com/in/jbbenjamin/?originalSubdomain=ukGareth Owenson, Co-founder and CTO, Searchlighthttps://www.linkedin.com/in/gareth-owenson-a89aa5202/

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

All links and images for this episode can be found on CISO Series Those reports on security procedures for the business are falling short. No one is reading them. What good are security controls if your staff doesn't know about them or adhere to them? Is it time to hire a marketing manager for the security team? Check out this post for the discussion that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Laura Deaner (@b3dwin), CISO, Northwestern Mutual. Thanks to our podcast sponsor, IANS Research CISOs, how does your compensation compare with your peers? Download IANS + Artico Search's 2022 CISO Compensation Benchmark Report. Find objective insights and comprehensive compensation data from over 500 CISOs across the U.S. and Canada. In this episode: What good are security controls if your staff doesn't know about them or adhere to them? Is it time to hire a marketing manager for the security team? Why does it make sense to think of who the stakeholder is and what's happening in their world? How to best build policies that don't get ignored?

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

Hacker Valley: On the Road is a curated collection of conversations that Chris and Ron have had during conferences and events around the globe. In this episode, Cloud Security Podcast's Ashish Rajan and Shilpi Bhattacharjee speak with the Hacker Valley team at AISA CyberCon in Melbourne, Australia. Ashish and Shilpi discuss their respective talks on supply chain security and zero trust technology, SBOMs, and keynote speakers at this year's Cybercon worth noting for the audience at home.   Timecoded Guide: [00:00] Connecting & conversing at a cyber conference post-COVID [06:50] Breaking down Shilpi's presentation on supply chain threats & attacks [11:45] Understanding the paradoxes & limitations of zero trust with Ashish's talk [26:13] Defining & explaining SBOM, or Software Bill of Materials  [33:16] Noticing key conversations & trends for those who didn't attend AISA Cybercon   Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley Shilpi, can you talk about the idea behind the talk you had at CyberCon?  The inspiration behind Shilpi's conference talk was supply chain issues. Titling her talk, “Who's Protecting Your Software in Supply Chain,” Shilpi hoped to further educate and advocate for security in the supply chain process. An estimated one in two companies will experience a supply chain attack in the coming years. Instead of fearing such a statistic, Shilpi hopes her talk inspired further security action to protect our supply chains.  “One staggering fact that I read is that one in every two companies is going to have some sort of a supply chain attack in the next three years. So, who's going to look after the supply chain? Is it going to be the organization? Is it going to be your third-party vendors?” —Shilpi   Ashish, what about your talk at Cybercon? In contrast, Ashish's talk was about the triple paradox of zero trust. When talking about and implementing zero trust, Ashish realized many companies don't implement the cultural changes needed for zero trust and/or only talk about zero trust as a technology process. Zero trust has numerous layers beyond technology, and requires time and major changes in culture and technology to implement in most companies.  “I feel bad for bashing on finance, marketing, and HR teams. They're all smart people, but if you're going to add four or five layers of security for them, they almost always say, ‘I just want to do my job. I don't really care about this. It's your job to do security.'” —Ashish   Where would you recommend starting when it comes to trying to implement the ideas in your respective talks? When push comes to shove about where cyber companies can start first with supply chain and zero trust, Ashish and Shilpi agree that companies have to discuss business priorities. When company leaders can take the opportunity to look at and understand their cyber hygiene, the next steps might look very different from another company's tactics. Knowing what a business has is the foundational piece that impacts any new process in cyber.  “If I were to go back to the first principle of what we do with cybersecurity professionals, one of the biggest assets that we're all trying to protect is data. You can't protect what you can't see, that's the foundational piece.” —Ashish   For anyone that wasn't able to make the conference, what is one thing that you would want to share with the audience at home?  There were a lot of conversations taking place at Cybercon this year. Ashish wants the audience at home to know that cloud native, zero trust, supply chain, and leadership positions like CISOs were the main themes in many talks, panels, and conversations. Shilpi wants those who couldn't attend to watch out for more talks and conversations about cyber from those outside of the industry to understand that the issues impacting cyber influence the world.  “I think there's that interest about cybersecurity being more than just a cybersecurity problem. Cybersecurity is not just a technical problem, it's a societal problem, a cultural problem. I very much agree, because a lot of the things that we're dealing with impacts everyone.” —Shilpi --------------- Links: Keep up with our guest Ashish Rajan on LinkedIn Keep up with our guest Shilpi Bhattacharjee on LinkedIn Listen to Ashish and Shilpi's Cloud Security Podcast Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

The large ratio gap in the availability of IT security professionals to open positions existed long before COVID-19. And that gap has grown even bigger thanks to the great resignation that has continued to take place in the IT industry since the pandemic. This has created a huge challenge for CISOs and other security leaders in their efforts to recruit and retain skilled security teams.In this episode, Megan McCann—CEO & Founder of the IT recruitment firm McCann Partners—presents creative approaches CISOs and hiring managers can apply to go beyond scanning resumes to finding prospects who can offer true value. McCann also discusses what CISOs can do to nurture their own careers._______________________Community Member Contributor: Megan McCannCEO & Founder at McCann Partners [@McCannPartners]On Twitter | https://twitter.com/meganpmccannOn LinkedIn | https://www.linkedin.com/in/meganpmccann/Hosts: Sean Martin and Marco CiappelliOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martinOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli______________________For more podcasts from Crucial Conversations with The Blue Lava Community, visit: https://www.itspmagazine.com/crucial-conversations-podcastTo access the full collection of Blue Lava Community resources, visit: https://itspm.ag/blclog22To learn more about Blue Lava, visit: https://itspm.ag/blue-lava-w2qs______________________Are you interested in sponsoring an ITSPmagazine Channel?

The Cybercrime Wire, hosted by Scott Schober, provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with a breaking news story we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Listen to the podcast daily and hear it every hour on WCYB. The Cybercrime Wire is sponsored by Deloitte Cyber. To learn more about our sponsor, visit https://deloitte.com/cyber • For more breaking news, visit https://cybercrimewire.com

The Cybercrime Magazine Podcast brings you our weekly alert, which provides boardroom and C-suite executives, CIOs, CSOs, CISOs, IT executives and cybersecurity professionals with the latest breaking news stories we're following. If there's a cyberattack, hack, or data breach you should know about, then we're on it. Airs weekly on WCYB and our podcast. For more on the latest cyberattacks, hacks, and breaches, visit https://cybercrimewire.com

All links and images for this episode can be found on CISO Series Cybersecurity budgets are increasing, by a lot. What's fueling the increase and where are those budgets being spent? Check out this post for the discussions that are the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest sponsored guest Nick Kakolowski, senior director of research at IANS Research. Thanks to our podcast sponsor, IANS Research CISOs, how does your compensation compare with your peers? Download IANS + Artico Search's 2022 CISO Compensation Benchmark Report. Find objective insights and comprehensive compensation data from over 500 CISOs across the U.S. and Canada. In this episode: What's fueling the increase in cybersecurity budgets and where are those budgets being spent? Do we understand where the money is being spent? Is it on new hires? More tooling? Does training new hires provide a good ROI for an increased budget? Should we equate the success of a security program with the size of the budget? Or not?