POPULARITY
20 episodes with how cisos
4 episodes with how cisos
5 episodes with how cisos
4 episodes with how cisos
5 episodes with how cisos
2 episodes with how cisos
2 episodes with how cisos
In the leadership and communications section, How CISOs can talk cybersecurity so it makes sense to executives, Firms to spend more on GenAI than security in 2025, Europe leads shift from cyber security ‘headcount gap' to skills-based hiring, and more! Next, pre-recorded interviews from RSAC Conference 2025, including: This segment is sponsored by Fortinet. Visit https://securityweekly.com/fortinetrsac to learn more about them! Unpacking the latest annual report from Fortinet's FortiGuard Labs. We're talking with Derek Manky, Chief Security Strategist and Global VP Threat Intelligence, Fortinet's FortiGuard Labs, to get a snapshot of the active threat landscape and trends from 2024, including a comprehensive analysis across all tactics used in cyberattacks, as outlined in the MITRE ATT&CK framework. The report reveals that threat actors are increasingly harnessing automation, commoditized tools, and AI to systematically erode the traditional advantages held by defenders. Read the full report at https://securityweekly.com/fortinetrsac. This segment is sponsored by Cobalt. Visit https://securityweekly.com/cobaltrsac to learn more about them! In this interview, Gunter Ollmann, Chief Technology Officer at Cobalt, unpacks the findings from the State of Pentesting Report 2025, spotlighting both measurable security progress and the rising challenges introduced by generative AI (genAI). While the report shows that organizations are resolving vulnerabilities faster than ever, genAI systems stand out as a growing security blind spot: only 21% of serious genAI vulnerabilities identified during penetration testing are fixed, compared to over 75% for API flaws and 68% for cloud vulnerabilities. Nearly 32% of genAI-related findings were classified as high risk — more than double the average across other systems. And although 98% of organizations are adopting genAI-powered features, only 66% are running regular security assessments on those systems. Segment Resources: https://www.cobalt.io/blog/key-takeaways-state-of-pentesting-report-2025 https://resource.cobalt.io/state-of-pentesting-2025?gl=1*zwbjgz*gclaw*R0NMLjE3MzcwNTU5ODMuQ2owS0NRaUEtYUs4QmhDREFSSXNBTF8tSDltRlB0X2FmSVhnQnBzSjYxOHlRZ1dhcmRMQ0lHalo3eVgxcTh1cHVnWFVwV0todHFPSDFZZ2FBb0hNRUFMd193Y0I.*gcl_au*MTc4MjQwMTAwNC4xNzQ0NjM0MTgz Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-395
In the leadership and communications section, How CISOs can talk cybersecurity so it makes sense to executives, Firms to spend more on GenAI than security in 2025, Europe leads shift from cyber security ‘headcount gap' to skills-based hiring, and more! Next, pre-recorded interviews from RSAC Conference 2025, including: This segment is sponsored by Fortinet. Visit https://securityweekly.com/fortinetrsac to learn more about them! Unpacking the latest annual report from Fortinet's FortiGuard Labs. We're talking with Derek Manky, Chief Security Strategist and Global VP Threat Intelligence, Fortinet's FortiGuard Labs, to get a snapshot of the active threat landscape and trends from 2024, including a comprehensive analysis across all tactics used in cyberattacks, as outlined in the MITRE ATT&CK framework. The report reveals that threat actors are increasingly harnessing automation, commoditized tools, and AI to systematically erode the traditional advantages held by defenders. Read the full report at https://securityweekly.com/fortinetrsac. This segment is sponsored by Cobalt. Visit https://securityweekly.com/cobaltrsac to learn more about them! In this interview, Gunter Ollmann, Chief Technology Officer at Cobalt, unpacks the findings from the State of Pentesting Report 2025, spotlighting both measurable security progress and the rising challenges introduced by generative AI (genAI). While the report shows that organizations are resolving vulnerabilities faster than ever, genAI systems stand out as a growing security blind spot: only 21% of serious genAI vulnerabilities identified during penetration testing are fixed, compared to over 75% for API flaws and 68% for cloud vulnerabilities. Nearly 32% of genAI-related findings were classified as high risk — more than double the average across other systems. And although 98% of organizations are adopting genAI-powered features, only 66% are running regular security assessments on those systems. Segment Resources: https://www.cobalt.io/blog/key-takeaways-state-of-pentesting-report-2025 https://resource.cobalt.io/state-of-pentesting-2025?gl=1*zwbjgz*gclaw*R0NMLjE3MzcwNTU5ODMuQ2owS0NRaUEtYUs4QmhDREFSSXNBTF8tSDltRlB0X2FmSVhnQnBzSjYxOHlRZ1dhcmRMQ0lHalo3eVgxcTh1cHVnWFVwV0todHFPSDFZZ2FBb0hNRUFMd193Y0I.*gcl_au*MTc4MjQwMTAwNC4xNzQ0NjM0MTgz Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-395
In the leadership and communications section, How CISOs can talk cybersecurity so it makes sense to executives, Firms to spend more on GenAI than security in 2025, Europe leads shift from cyber security ‘headcount gap' to skills-based hiring, and more! Next, pre-recorded interviews from RSAC Conference 2025, including: This segment is sponsored by Fortinet. Visit https://securityweekly.com/fortinetrsac to learn more about them! Unpacking the latest annual report from Fortinet's FortiGuard Labs. We're talking with Derek Manky, Chief Security Strategist and Global VP Threat Intelligence, Fortinet's FortiGuard Labs, to get a snapshot of the active threat landscape and trends from 2024, including a comprehensive analysis across all tactics used in cyberattacks, as outlined in the MITRE ATT&CK framework. The report reveals that threat actors are increasingly harnessing automation, commoditized tools, and AI to systematically erode the traditional advantages held by defenders. Read the full report at https://securityweekly.com/fortinetrsac. This segment is sponsored by Cobalt. Visit https://securityweekly.com/cobaltrsac to learn more about them! In this interview, Gunter Ollmann, Chief Technology Officer at Cobalt, unpacks the findings from the State of Pentesting Report 2025, spotlighting both measurable security progress and the rising challenges introduced by generative AI (genAI). While the report shows that organizations are resolving vulnerabilities faster than ever, genAI systems stand out as a growing security blind spot: only 21% of serious genAI vulnerabilities identified during penetration testing are fixed, compared to over 75% for API flaws and 68% for cloud vulnerabilities. Nearly 32% of genAI-related findings were classified as high risk — more than double the average across other systems. And although 98% of organizations are adopting genAI-powered features, only 66% are running regular security assessments on those systems. Segment Resources: https://www.cobalt.io/blog/key-takeaways-state-of-pentesting-report-2025 https://resource.cobalt.io/state-of-pentesting-2025?gl=1*zwbjgz*gclaw*R0NMLjE3MzcwNTU5ODMuQ2owS0NRaUEtYUs4QmhDREFSSXNBTF8tSDltRlB0X2FmSVhnQnBzSjYxOHlRZ1dhcmRMQ0lHalo3eVgxcTh1cHVnWFVwV0todHFPSDFZZ2FBb0hNRUFMd193Y0I.*gcl_au*MTc4MjQwMTAwNC4xNzQ0NjM0MTgz Show Notes: https://securityweekly.com/bsw-395
Warm Start:• That breach cost HOW MUCH? How CISOs can talk effectively about a cyber incident's toll• Perspective: 25 Years of Evolving Information Sharing Into Actionable Intelligence, new from IT-ISAC Director Scott Algeier.• The Gate 15 Interview EP 56. Information Sharing, Cybersecurity Politics, Threats, and More & New Podcast – Information Sharing, Cybersecurity Politics, Threats, and More! The Gate 15 Interview will be released on all the usual channels later today. Catch this month's special crossover episode now via the Cybersecurity Advisors Network post and on YouTube!• Crypto ISAC at WSJ Tech Live: Exploring the Future of Blockchain & CybersecurityMain Topics:• If it can happen to them, it can happen to you, part one. Managing Communications: The Trump Administration Accidentally Texted Me Its War Plans. Considerations for businesses. • If it can happen to them, it can happen to you, part two. Phishing: A Sneaky Phish Just Grabbed my Mailchimp Mailing List. • Some thoughts on punishment, consistency, standards, and compassion.• White House - Achieving Efficiency Through State and Local Preparednesso Fact Sheet: President Donald J. Trump Achieves Efficiency Through State and Local Preparednesso Trump prioritizes infrastructure resilience against cyber attacks, rolls out National Resilience StrategyQuick Hits:• New Dates Added: Live Virtual Presentations on Targeted Violence Prevention. Live Virtual Presentations on Targeted Violence Prevention. The U.S. Secret Service National Threat Assessment Center (NTAC) is pleased to offer new opportunities to attend live virtual presentations on preventing targeted violence. In these presentations, our expert researchers will share findings and implications from decades of research on targeted violence and offer strategies for preventing acts of violence impacting the places where we work, learn, worship, and otherwise live our daily lives. This list of available virtual training events is regularly updated, and presentation topics change from month to month. To learn more about this series of live virtual presentations, or to register for one or more of these events, please follow the link below. Register here.• FBI PSA - Individuals Target Tesla Vehicles and Dealerships Nationwide with Arson, Gunfire, and Vandalism• Man drives car into protesters outside a Tesla dealership, nobody hurt, sheriff says• Attorney General Bondi Statement on Violent Attacks Against Tesla Property• Violent attacks on Tesla dealerships spike as Musk takes prominent role in Trump White House• Multiple cars set on fire at Tesla service center in Las Vegas in 'targeted attack'• Potential Terror Threat Targeted at Health Sector – AHA & Health-ISAC Joint Threat Bulletin• FBI, healthcare agencies warn of credible threat against hospitals, after multi-city social media terror plot alert• Exclusive: FBI scales back staffing and tracking of domestic terrorism probes• This AP map shows sabotage across Europe that has been blamed on Russia and its proxies• Spring Outlook: Dry in the West, milder than average in the South and East; Drought to develop or persist for Rocky Mountains, Southwest and southern Plains• Halcyon - Last Year in Ransomware: Overview, Developments and Vulnerabilities• Chairmen Green, Garbarino, Brecheen Conduct Oversight Of The Federal Government's Response To China-Backed “Typhoon” Intrusions Under Previous Administration• The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants • Risky Bulletin: The looming epochalypse
The last five weeks have seen a flurry of news on Artificial Intelligence, especially this last week. It started on December 17, 2024 when the Bipartisan House Task Force on Artificial Intelligence (AI) released a report on “[g]uiding principles, forward-looking recommendations, and policy proposals to ensure America continues to lead the world in responsible AI innovation.” Then a new administration, which: revoked more than 50 prior executive orders, including Executive Order 14110 of October 30, 2023 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence). announced a private-sector $500 billion investment in AI infrastructure tasked federal agencies with drafting a new AI action plan within 180 days signed an executive order on developing artificial intelligence ‘free from ideological bias' The Business Security Weekly crew tries to make sense of it all. In the leadership and communications segment, How CISOs can elevate cybersecurity in boardroom discussions, Nearly half of CISOs now report to CEOs, showing their rising influence, Steve Jobs Shared 1 Crystal Clear Way You'll Spot an Exceptional Leader, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-380
In the leadership and communications segment, How CISOs can elevate cybersecurity in boardroom discussions, Nearly half of CISOs now report to CEOs, showing their rising influence, Steve Jobs Shared 1 Crystal Clear Way You'll Spot an Exceptional Leader, and more! Show Notes: https://securityweekly.com/bsw-380
The last five weeks have seen a flurry of news on Artificial Intelligence, especially this last week. It started on December 17, 2024 when the Bipartisan House Task Force on Artificial Intelligence (AI) released a report on “[g]uiding principles, forward-looking recommendations, and policy proposals to ensure America continues to lead the world in responsible AI innovation.” Then a new administration, which: revoked more than 50 prior executive orders, including Executive Order 14110 of October 30, 2023 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence). announced a private-sector $500 billion investment in AI infrastructure tasked federal agencies with drafting a new AI action plan within 180 days signed an executive order on developing artificial intelligence ‘free from ideological bias' The Business Security Weekly crew tries to make sense of it all. In the leadership and communications segment, How CISOs can elevate cybersecurity in boardroom discussions, Nearly half of CISOs now report to CEOs, showing their rising influence, Steve Jobs Shared 1 Crystal Clear Way You'll Spot an Exceptional Leader, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-380
In the leadership and communications segment, How CISOs can elevate cybersecurity in boardroom discussions, Nearly half of CISOs now report to CEOs, showing their rising influence, Steve Jobs Shared 1 Crystal Clear Way You'll Spot an Exceptional Leader, and more! Show Notes: https://securityweekly.com/bsw-380
How CISOs sleep at night - aka Assurance: The final episode of our special series on risk. Matt, Tom and Toby discuss how you can assure your risks, ensuring your risk understanding and prioritisation is correct, and your mitigation work effectively. If you want any cyber security support please get in contact with the team by email info@clearcutcyber.com or visit the website clearcutcyber.com Music is Green Lights by Jahzzar from the Free Music Archive and used under CC BY-SA 4.0 license: creativecommons.org/licenses/by-sa/4.0/
Join Gartner experts Chris Mixter and Bart Willemsen for a conversation on the steps that CISOs must take to evolve their role in privacy from merely supporting compliance to improving cyber risk management.This episode of CISO Edge Podcast explores the role that privacy can play in accelerating cybersecurity's priorities: The five questions smart CISOs ask to focus their privacy efforts. (4:30)How to counteract “data hoarding” with a tool already at cybersecurity's disposal. (8:30)This month's obligatory GenAI-focused conversation. (12:10)How CISOs can use privacy legislation to their advantage. (17:10)Where to use privacy-enhancing technology to enhance cybersecurity. (25:20)Bart Willemsen is a Gartner VP Analyst with focus on privacy and related challenges in an international context, as well as on ethics, digital society, and the intersection of these disciplines with modern technology including AI. He has a broad, in-depth history of experience, and was among the earlier Fellows of Information Privacy (FIP), and has held accreditations like CIPP/E, CIPM, CISA, CISM, bringing proven and multidisciplinary best practices to our worldwide clients. Before Gartner, Bart held various roles as (chief) privacy and security officer where he implemented, audited and oversaw privacy and security and compliance program strategies for holding companies and their subsidiaries.
We've gained a lot of new listeners in the last two months. Thank you! So, here is a best of episode to catch up on key ideas and conversations you might have missed including: Advice for MSSPs How to remain your authentic self How CISOs can level up their security speak with leadership teams Advice for sales and marketing directly from a CISO How to chase the roles that provide you the most opportunity for growth and how to stand out in a crowded labor market And finally, how to flip the script on the traditional GTM playbook, and why it mattersWe'll be back to our regular programming next week.
CISOs today are taking on more responsibilities and doing so faster. However, this rapid expansion comes at the cost of stability and amorphous priorities. CISO Edge podcast host Chris Mixter talks to Gartner VP analyst Nader Henein about trust — who needs to trust CISOs, what trust means to each constituency, and how CISOs can build trust with each one.This episode explores :The connection between trust and the CISO's effectiveness in role. (02:00)What trust means to the C-suite and board in the context of cybersecurity (07:30)What trust means to the CISO's peers around the organization. (16:15)How CISOs should build and maintain trust with their direct reports. (23:00)How CISOs can support the development of trust from the organization's customers. (29:24)
Michael Piacente has been helping companies find Security Executives (CISO) for a long time for some household name companies like Lyft, Instacart, Airbnb and more . In episode we speak about his current passion for Cloud Native CISOs what they are and what kind of skills should they work on to become CISO in the Cloud native world most organizations are moving ahead with in full force. Thank you to Sagetap for sponsoring this episode, you can find out more about them on - https://www.sagetap.io/ Episode YouTube: Video Link Host Twitter: Ashish Rajan (@hashishrajan) Guest Socials: Michael's Linkedin (Michael Piacente) Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Newsletter - Cloud Security BootCamp Spotify TimeStamp for Interview Question (00:00) Introduction (03:57) A bit about Michael Piacente (07:20) Why the focus on Cloud Native CISOs? (09:52) What is a Cloud Native CISO? (12:47) Different type of leadership roles in Security (18:30) How are CISOs compensated? (21:27) How CISOs can protect themselves? (25:31) Have the roles & responsibilities changed? (27:33) Importance of personal branding (34:48) Trajectory after becoming a CISO Link to participate in Hitch Partner's Annual Survey
Guest: Jeremiah Kung, Global Head of Information Security, AppLovin Topics: Before we dive into all of the awesome cloud migrations you've experienced and your learnings there, could we start with a topic of East vs West CISO mentality? We are talking to more and more CISOs who see the cloud as a net win for security. What's your take on whether the cloud improves security? We talked about doing some “big” cloud migrations, could you talk about what you learned back in 2015 about the “right” way to do a cloud migration and how you've applied those lessons since? How are you approaching securing clouds differently in 2023 (vs the dark past of 2015)? What advice would you give your peers to get out of the “saying no” mentality and into a better collaborative mode? On the topic of giving advice to people who haven't asked for it, what advice would you give to teams who are stuck in 1990s thinking when it comes to lift and shifting their security technology stack to cloud? Resources: EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP129 How CISO Cloud Dreams and Realities Collide EP104 CISO Walks Into the Cloud: And The Magic Starts to Happen! EP11 Preparing for Cloud Migrations from a CISO Perspective, Part 2 “How CISOs need to adapt their mental models for cloud security” blog “Superforecasting” book “American Generalship” book
In the leadership and communications section, The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs, How CISOs can become board-ready, How to Be a Purpose-Driven Leader Without Burning Out, and more! Show Notes: https://securityweekly.com/bsw-314
On July 31st, 2023, the Biden administration released a national strategy addressing cyber workforce shortages, calling long-standing vacancies a national security imperative. The National Cyber Workforce and Education Strategy focuses on four major pillars: equipping every American with cyber skills, transforming cyber education, expanding and enhancing the national cyber workforce and strengthening the federal cyber workforce. The strategy relies heavily on non-governmental and private sector entities to provide funding, internship and apprenticeship programs to increase the number of workers with cybersecurity skills. One of those entities referenced in the strategy is Dakota State University. Dr. José-Marie Griffiths joins us to discuss education's role in the strategy, but offers other insights, including: - immigration policies and how it limits the current cyber workforce, - diversity, equity, and inclusion initiatives and the reduction of women in the cyber workforce, and - what can the cyber community do to help. Segment Resources: https://www.dsucyber27.com/ https://dsu.edu/programs/artificial-intelligence-bs.html https://dsu.edu/programs/computer-science-artificial-intelligence.html In the leadership and communications section, How CISOs can engage the C-suite and Board to manage and address cyber risk, CISOs Need Backing to Take Charge of Security, It's OK to Fail, but You Have to Do It Right, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-315
In the leadership and communications section, How CISOs can engage the C-suite and Board to manage and address cyber risk, CISOs Need Backing to Take Charge of Security, It's OK to Fail, but You Have to Do It Right, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-315
On July 31st, 2023, the Biden administration released a national strategy addressing cyber workforce shortages, calling long-standing vacancies a national security imperative. The National Cyber Workforce and Education Strategy focuses on four major pillars: equipping every American with cyber skills, transforming cyber education, expanding and enhancing the national cyber workforce and strengthening the federal cyber workforce. The strategy relies heavily on non-governmental and private sector entities to provide funding, internship and apprenticeship programs to increase the number of workers with cybersecurity skills. One of those entities referenced in the strategy is Dakota State University. Dr. José-Marie Griffiths joins us to discuss education's role in the strategy, but offers other insights, including: - immigration policies and how it limits the current cyber workforce, - diversity, equity, and inclusion initiatives and the reduction of women in the cyber workforce, and - what can the cyber community do to help. Segment Resources: https://www.dsucyber27.com/ https://dsu.edu/programs/artificial-intelligence-bs.html https://dsu.edu/programs/computer-science-artificial-intelligence.html In the leadership and communications section, How CISOs can engage the C-suite and Board to manage and address cyber risk, CISOs Need Backing to Take Charge of Security, It's OK to Fail, but You Have to Do It Right, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-315
In the leadership and communications section, How CISOs can engage the C-suite and Board to manage and address cyber risk, CISOs Need Backing to Take Charge of Security, It's OK to Fail, but You Have to Do It Right, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-315
In the leadership and communications section, The SEC Let The Boardroom Off The Hook On Cybersecurity, Turns Up Heat On CISOs And CEOs, How CISOs can become board-ready, How to Be a Purpose-Driven Leader Without Burning Out, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-314
On this episode of The Six Five – On The Road, hosts Daniel Newman and Patrick Moorhead welcome Splunk's Ryan Kovar, Distinguished Security Strategist/SURGe Founder and Kirsty Paine, Field CTO, EMEA, live from .conf23 in Las Vegas. Their discussion covers: The top three security trends and issues that CISOs and security professionals are focusing on currently How CISOs can communicate more effectively with their board, as their roles have becoming increasingly more important in their organization What the hardest questions to answer are for security professionals What the biggest mistakes and the best wins they are seeing from CISOs
A recent Gartner report stated that companies that implement CTEM (continuous threat exposure management) will be three times less likely to suffer from a breach. With the objective of CTEM being the achievement of a consistent, actionable security posture, why should you bring that into your brand protection strategy? Should a proactive approach be prioritised over a reactive approach? And how can CISOs implement this while ensuring they're compliant with incoming regulations such as DORA?In this episode of the EM360 Podcast, Head of Content Matt Harris speaks to Jorge Montiel, Head of Pre-Sales EMEA at Red Sift, to discuss: Continuous threat exposure management How CISOs should approach compliance Proactive approach vs reactive approach
The American Data Privacy and Protection Act introduces oversight of how companies handle the data they collect and process from U.S. citizens, including AI algorithms used to uncover insights that can be monetized. Security professionals should prepare now for the legislation by understanding how to audit algorithms and implement compliance processes. Even if this version of privacy legislation doesn't pass, similar legislation will likely pass soon. Segment Resources: Forbes Tech Council article: Why You Need to Prepare Now for Privacy Legislation That May Not Pass https://www.senecaglobal.com/media-mentions/ftc-why-you-need-to-prepare-now-for-privacy-legislation-that-may-not-pass/ Enterprise Security Tech - American Data Privacy Protection Act: What, Who, How https://www.enterprisesecuritytech.com/post/american-data-privacy-protection-act-what-who-how Security Info Watch - What the American Data and Privacy Act means for businesses https://www.securityinfowatch.com/security-executives/article/21295869/what-the-american-data-and-privacy-act-means-for-businesses In the leadership and communications section, Cybersecurity Starts with the Board and C-Suite, How CISOs can achieve more with less during uncertain economic times, Why Authentic Leadership Is So Hard, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-308
In the leadership and communications section, Cybersecurity Starts with the Board and C-Suite, How CISOs can achieve more with less during uncertain economic times, Why Authentic Leadership Is So Hard, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-308
The American Data Privacy and Protection Act introduces oversight of how companies handle the data they collect and process from U.S. citizens, including AI algorithms used to uncover insights that can be monetized. Security professionals should prepare now for the legislation by understanding how to audit algorithms and implement compliance processes. Even if this version of privacy legislation doesn't pass, similar legislation will likely pass soon. Segment Resources: Forbes Tech Council article: Why You Need to Prepare Now for Privacy Legislation That May Not Pass https://www.senecaglobal.com/media-mentions/ftc-why-you-need-to-prepare-now-for-privacy-legislation-that-may-not-pass/ Enterprise Security Tech - American Data Privacy Protection Act: What, Who, How https://www.enterprisesecuritytech.com/post/american-data-privacy-protection-act-what-who-how Security Info Watch - What the American Data and Privacy Act means for businesses https://www.securityinfowatch.com/security-executives/article/21295869/what-the-american-data-and-privacy-act-means-for-businesses In the leadership and communications section, Cybersecurity Starts with the Board and C-Suite, How CISOs can achieve more with less during uncertain economic times, Why Authentic Leadership Is So Hard, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw-308
In the leadership and communications section, Cybersecurity Starts with the Board and C-Suite, How CISOs can achieve more with less during uncertain economic times, Why Authentic Leadership Is So Hard, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-308
Guest: Alicja Cade, Director for Financial Services, Office of the CISO, Google Cloud Topics: We are talking about your journey as a CISO migrating to the cloud. Could you give us the overview of … What triggered your organization's migration to the cloud? When did you and the security team get brought in? Did you take going to the cloud as an opportunity to change things beyond the tools you were using? As you got going into the cloud, what was the hardest part for your organization? If that was hardest, what was most surprising? Good surprise and bad surprise? How did you design security controls for the cloud? How do you validate and verify security controls in the cloud? How did you keep both security practitioners and the rest of your IT teams from lift-and-shift thinking? Did your data security practice change? Having covered all that tactical terrain, one final strategic question: is moving to the cloud a net risk reduction? Can it be? Resources: “CISO Walks Into the Cloud: Frustrations, Successes, Lessons ... And Does the Risk Change?” (ep80) “Visualizing Google Cloud: 101 Illustrated References for Cloud Engineers and Architects” by Priyanka Vergadia “Cyberpolitics in International Relations” book CSA CCM v4 Cyber Risk Institute “Modernize Data Security with Autonomic Data Security Approach” (ep79) and the paper on autonomic data security. "Preparing for Cloud Migrations from a CISO Perspective, Part 1" (ep5) "Preparing for Cloud Migrations from a CISO Perspective, Part 2" (ep11) “How CISOs need to adapt their mental models for cloud security” blog
In the leadership and communications section, How CISOs can prepare for new and unpredictable cyberthreats, 8 Leadership and Management Principles from Ex-Navy Seal, Practice Transparent Leadership, and more! IIoT infrastructure protection requires immediate attention. Barracuda just released key findings from a report titled "The state of industrial security in 2022," that covers the following: • The network breaches, ransomware attacks, and other security incidents businesses are facing • The current challenges related to infrastructure protection, remote access security, and digital transformation • The solutions and strategies decision makers are using to close security loopholes and boost the protection of IIoT infrastructure This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw269
In the leadership and communications section, How CISOs can prepare for new and unpredictable cyberthreats, 8 Leadership and Management Principles from Ex-Navy Seal, Practice Transparent Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw269
In the leadership and communications section, How CISOs can prepare for new and unpredictable cyberthreats, 8 Leadership and Management Principles from Ex-Navy Seal, Practice Transparent Leadership, and more! IIoT infrastructure protection requires immediate attention. Barracuda just released key findings from a report titled "The state of industrial security in 2022," that covers the following: • The network breaches, ransomware attacks, and other security incidents businesses are facing • The current challenges related to infrastructure protection, remote access security, and digital transformation • The solutions and strategies decision makers are using to close security loopholes and boost the protection of IIoT infrastructure This segment is sponsored by Barracuda Networks. Visit https://securityweekly.com/barracuda to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/bsw269
In the leadership and communications section, How CISOs can prepare for new and unpredictable cyberthreats, 8 Leadership and Management Principles from Ex-Navy Seal, Practice Transparent Leadership, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw269
This Week, in the Leadership and Communications section: Boards rethink incident response playbook as ransomware surges, How CISOs and CIOs should share cybersecurity ownership, How CISOs are Building a Modern Cybersecurity Partnership, & more! Show Notes: https://securityweekly.com/bsw232 Visit https://www.securityweekly.com/bswfor all the latest episodes!
This week, we welcome Tom Roeh, Director of Systems Engineering at ExtraHop, to discuss Accelerating 0-Trust Adoption W/ End2End Visibility & Increased Collaboration! In this episode, we discuss important considerations for planning, implementing, operating, and securing a Zero Trust deployment––more rapidly and with lower risk. This includes the vital role end-to-end visibility and frictionless collaboration between IT ops teams play across Zero Trust rollout phases. In the Leadership and Communications section: Boards rethink incident response playbook as ransomware surges, How CISOs and CIOs should share cybersecurity ownership, How CISOs are Building a Modern Cybersecurity Partnership, & more! Show Notes: https://securityweekly.com/bsw232 Segment Resources: Visit https://securityweekly.com/extrahopto learn more about them! Visit https://www.securityweekly.com/bswfor all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Tom Roeh, Director of Systems Engineering at ExtraHop, to discuss Accelerating 0-Trust Adoption W/ End2End Visibility & Increased Collaboration! In this episode, we discuss important considerations for planning, implementing, operating, and securing a Zero Trust deployment––more rapidly and with lower risk. This includes the vital role end-to-end visibility and frictionless collaboration between IT ops teams play across Zero Trust rollout phases. In the Leadership and Communications section: Boards rethink incident response playbook as ransomware surges, How CISOs and CIOs should share cybersecurity ownership, How CISOs are Building a Modern Cybersecurity Partnership, & more! Show Notes: https://securityweekly.com/bsw232 Segment Resources: Visit https://securityweekly.com/extrahop to learn more about them! Visit https://www.securityweekly.com/bsw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
This Week, in the Leadership and Communications section: Boards rethink incident response playbook as ransomware surges, How CISOs and CIOs should share cybersecurity ownership, How CISOs are Building a Modern Cybersecurity Partnership, & more! Show Notes: https://securityweekly.com/bsw232 Visit https://www.securityweekly.com/bsw for all the latest episodes!
In this episode we're joined by Kevin Storli and Phil Venables to look at the changing role of the chief information security officer (CISO). We discuss: 1. How they've seen the role of the CISO change over their careers. 2. How CISOs can mitigate security risks while enabling their organisation to achieve its goals. 3. Current areas of concern, including supply chain risk and securing the cloud. 4. What they look for when hiring and the skills CISOs need to recruit for over the next few years. Host: Abigail Wilson, Cyber Threat Operations Manager, PwC UK Guest: Kevin Storli, Global CTO and UK Chief Information Security Officer, PwC Guest: Phil Venables, Chief Information Security Officer, Google Cloud
In this episode we're joined by Kevin Storli and Phil Venables to look at the changing role of the chief information security officer (CISO). We discuss: 1. How they've seen the role of the CISO change over their careers. 2. How CISOs can mitigate security risks while enabling their organisation to achieve its goals. 3. Current areas of concern, including supply chain risk and securing the cloud. 4. What they look for when hiring and the skills CISOs need to recruit for over the next few years. Host: Abigail Wilson, Cyber Threat Operations Manager, PwC UK Guest: Kevin Storli, Global CTO and UK Chief Information Security Officer, PwC Guest: Phil Venables, Chief Information Security Officer, Google Cloud
All links and images for this episode can be found on CISO Series (https://cisoseries.com/request-a-demo-of-our-inability-to-post-a-demo/) It's really easy to include "Request a Demo" button on our site. But potential buyers would actually like to just watch a demo on our site. Should we actually expend just a little more effort to record a demo and upload it to our site? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Ross Young, CISO, Caterpillar Financial Services Corporation. Thanks to our sponsor, Kenna Security. With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT. On this week's episode Why is everybody talking about this now? Our guest posted about the 10+ daily product pitches he receives and he suggested that vendors place a product demo on their site. It just so happens, I also posted about this on LinkedIn. I am astonished that not every vendor spends their first marketing dollars on creating a product demo and posting that video. If a security practitioner is interested in a company, how do they begin their research? What do they look for? Do they watch product demo videos? Do they click the "request a demo" button? First 90 Days of a CISO Our guest shared a study from PWC that points out what management thinks are the most important roles for a CISO. Eighty four percent considered the ability to educate and collaborate across the business was critical making it the top most skill they look for in a CISO. At the same time, it appears investing in a talent management program for leadership was the least important with only 22 percent responding. What I read from this is management wants you to lead, and get the whole company on board, but do it alone. Plus, they expect you to be a perfect cybersecurity leader out of the box. Is that feasible? Is this why we're having so much burnout of CISOs? It's not just the pressure of protecting, but taking on all leadership responsibilities with no ongoing support? What's Worse?! How are you advertising for new hires? There’s got to be a better way to handle this Turns out half of employees are cutting corners on security when working from home. This includes using home computers for corporate work, emailing sensitive documents from personal accounts. It's not malicious, but the distractions of work from home life and demands to deliver quickly are forcing employees to take the less secure route. Also, being away from the watchful IT and security gives them the breathing room to be less careful. Tip of the hat to Gina Yacone of Agio for posting this article from ZDnet about Tessian's work from home study. How can security leaders stay in contact with employees so they don't stray? How CISOs are digesting the latest security news What makes a security podcast valuable? What elements does a cybersecurity podcast need to have for you to say to yourself, "I'm glad I spent the time listening to that"?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/best-condescending-techniques-to-placate-minority-groups/) We're casting for our diversity theater program on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Matt Conner, CISO, National Geospatial Intelligence Agency. Thanks to this week's podcast sponsor, PlexTrac PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time. How CISOs are digesting the latest security news If you thought tech firms were abysmal with diversity hiring, it appears venture capital firms are even worse. In a Washington Post article by Nitasha Tiku, just 1 percent of VC dollars went to black start-up founders in 2018, and that same year and percentage reflects the number of black decision-makers at VC firms as well. With the scrutiny turned up, small minority-focused funds have spurned, and there has been some cosmetic title inflation of minority employees at VC firms, but black tech entrepreneurs are brushing it off as diversity theater. What opportunities and money are VC firms leaving on the table by not taking diversity seriously? What should VC firms do to prove that their efforts are not diversity theater? We don’t have much time. What’s your decision? Interesting question on reddit by throwawaycostam who asks, "How do you create easy to memorize, yet relatively strong passwords?" A password manager is first and foremost recommended, but there are cases where you do have to remember a few passwords, like the one to get into your password manager and desktop screen lock. If you have to memorize five really good complex passwords, what technique do you recommend to create those passwords? What's Worse?! Is clueless better than not being engaged? It’s time for “Ask a CISO” On a previous episode, CISO, Dennis Leber, now with University of Tennessee Health Science Center, but previously with a state government agency said there's no perfect pitch a vendor could make to him that would facilitate a sale. Heck, he couldn't even write the perfect pitch to himself that would work. We know the government is a different beast when it comes to procurement. What are the stumbling blocks vendors need to concern themselves when pitching a government agency? We’ve got listeners and they’ve got questions Jesse Rosenbaum of Varonis brought a job posting to my attention that showed requests for extremely specific experiences with different applications. Jesse asks, does the listing the name of products or protocols you're using expose the company to additional security risks? Isn't this the reason so many customers of security vendors are not willing to give testimonials? But if they're putting these products and protocols in job descriptions, isn't this the same darn thing?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/nytimes-critic-called-our-security-theater-unconvincing/) We tried to pull off the Hamilton of security theater and we fell short. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Shawn Bowen (@smbowen), CISO, Restaurant Brands International which handles restaurants such as Burger King, Popeye's, Tim Hortons, and Louisiana Kitchen. Thanks to this week's podcast sponsor GitGuardian. GitGuardian empowers organizations to secure their secrets - such as API keys and other credentials - from being exposed in compromised places or leaked publicly. GitGuardian offers a threat intelligence solution focused on detecting secrets leaked on public GitHub and an automated secrets detection solution which tightly integrates with your DevOps pipeline. On this week's episode How CISOs are digesting the latest security news We recorded this episode on June 24th, just a five days after Trump's first rally in Oklahoma where purportedly TikTok fans en masse were able to register for Trump's rally and fool his entire staff into believing that 1 million people had registered and were planning to attend his rally. In the end, the arena was less than half full. We are all well aware that some cyber protests can cause serious damage, but does this one? Is this the kind of peaceful cyber protests that we should encourage or not encourage? Dan Lohrmann at Security Mentor posted this discussion and said no matter what political affiliation you're on this is a call for more cybersecurity because this will happen again. But is this the fault of Trump's cyber team or his social media team for not keeping an eye on TikTok? Why is everybody talking about this now? On AskNetSec on reddit, NoInterestingGuy, a college student starting his first internship at a security firm, posted he likes to participate in "extracurricular activities". He then asked, "If I were to get caught with a crime related to cyber security, would that impact my chances significantly of getting hired in the future for a security company?" The community almost resoundingly said, "Stop," but has Mike and our guest ever hired someone with a cybercrime past or caught an employee engaging in cybercrime? How did they handled it. Is there an "it depends" meter? We all do stupid stuff in college. What's Worse?! Is the unknowing always the worst? It's security awareness training time On CSO Online, J.M. Porup wrote a piece about five examples of security theater and how to spot them. Security theater refers to the practice having a show of implementing security where its effectiveness is in question. Some examples are purposefully complex passwords, checkbox compliance, and bad security awareness training. How do we spot security theater? Is there any value to security theater? What's the antidote? If it's in place, how do we eradicate it? What Is It and Why Do I Care? We played this game before and like the "What's Worse?!" game, the title pretty much explains it. I have three pitches from three different vendors who are all in the same category, Security Awareness Training. I have asked the reps to first, in 25 words or less, just explain their category. That’s the “What Is It?” and then for the “Why Do I Care?” I asked them to explain what differentiates their product or makes them unique also in 25 words or less. It is up to Mike and Shawn pick their favorite of each and explain why. I only reveal the winning contestants and their companies.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-have-the-perfect-job-for-you-but-probably-not/) You put those qualifications on your resume, and I queried. So don't blame me for getting your hopes up. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week Brandon Greenwood, vp, security, Overstock.com. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode How CISOs are digesting the latest security news Paul Martini of iboss asks, "What network weaknesses has the current pandemic revealed?" Close your eyes and visualize the perfect engagement As evidenced by a previous episode, security recruiters have a hard time getting some respect. Let's discuss this issue from the viewpoint of the candidate. On Peerlyst, David Froud of Concept Security felt that the recruiter approach of saying I have a perfect job for you was misguided. Mike and our guest talk about their early security careers and how welcome they were to approaches from security recruiters. What's Worse?! Crappy tools or crappy team? What's worse? I tell ya, CISOs get no respect On CSO Online, Neal Weinberg has a story about hard truths security professionals have to deal with. One item was the outright lack of respect, being misunderstood and underappreciated, from the board and your coworkers. I know the generic response is communications and listen, but I want to know what are ways to command leadership so those do pay attention to you and you do get that respect. We discuss specific turning points in security leadership careers that allowed Mike and our guest to do this. Vendors have questions. Our CISOs have answers Dennis Underwood of Cyber Crucible asks if you can you be a threat hunter if you have to sign NDAs. Are NDAs the cover up so companies don't have to reveal information about their failed defenses? And are NDAs a common occurrence in bug bounties?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/great-security-program-too-bad-we-cant-implement-it/) Security theory only goes so far. If you want your security program to work, everyone has to do their part. This week’s episode of CISO/Security Vendor Relationship Podcast features me, David Spark (@dspark), producer of CISO Series, and co-host Mike Johnson. Our sponsored guest is Scott McCormick, CISO, Reciprocity. Thanks to this week's podcast sponsor, Reciprocity. ZenGRC by Reciprocity is a cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more at reciprocitylabs.com. On this week's episode How CISOs are digesting the latest security news The Wall Street Journal has a story about cybersecurity budgets during the COVID-19 crisis. Many companies are dealing with budget cuts across the board. One issue mentioned was that the first items to go from the cybersecurity budget would probably be big projects that require a lot of integration. So as to avoid getting left on the cutting room floor, what would be your advice to vendors on how better to situate themselves, prepare, and prove to potential buyers that they can help with the ease of that integration? Also, for those security leaders, how do they best show compassion to the rest of the business and don't just fight for their slice of the budget pie? It’s time for “Ask a CISO” On reddit, countvonruckus states and then asks, "It's great to see CISOs giving back through mentorship. As a younger professional looking to become a CISO someday, it can be difficult to get a minute of a senior leader's time even for critical work decisions. How should someone looking to find a mentor or to benefit from the mentorship of a particular leader go about asking in a respectful but effective way? Is there anything a mentee can do to provide value in exchange that will make it more worthwhile for mentors?" It's time to play, "What's Worse?!" Two "What's Worse?!" scenarios nobody likes but many have faced especially now. Please, Enough. No, More. Operationalizing GRC. What have you heard enough about operationalizing GRC, and what would you like to hear a lot more? Looking down the security roadmap On Quora, the question was asked, "Do cloud providers implement governance, risk management and compliance (GRC) well?" I didn't know how one would define "well" and what we should expect from cloud providers to help with GRC efforts. This harkens back to our last segment, because we would hope that cloud providers could actually help us operationalize GRC. What are cloud providers doing to help in GRC efforts?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/say-it-loud-i-didnt-read-the-privacy-policy-and-im-proud/) If we don't understand the purpose of a privacy policy, why should we bother reading it? We're claiming the cyber ignorance defense on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Roger Hale (@haleroger), CISO in residence, YL Ventures. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Roger Hale, CISO in residence, YL Ventures, David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Zix. Zix simplifies administration and reporting with a single management interface. Configuring, deploying, and monitoring email security and unified archiving services has never been easier – or faster. ZixSuite combines a cloud-based email threat protection, email encryption, and unified business communications archiving, all backed by Zix’s gold standard 24/7/365 support. On this week's episode How CISOs are digesting the latest security news We're blowing it with general cybersecurity education. According to a study by the Pew Internet Research Center, most Americans don't understand or can't identify basic cybersecurity concepts such as two-factor authentication, private browsing, or the purpose of a privacy policy. We talk a lot about the important of education and it appears we're not doing a good job. What are some creative ways we can dramatically improve these numbers? Hey, you're a CISO, what's your take on this? Cai Thomas, Tessian, has an article on TechRadar on the dangers of sending corporate work via personal email accounts. He outlines the issues. As per the previous story, chances are very high people are completely unaware of the risk their placing the company in by forwarding corporate email to personal accounts. No amount of education is going to solve this problem. What are the systems that companies can and should setup to give people a better alternative than sending emails to personal accounts? What's Worse?! How damaging can not having a seat on the board be? Ask a CISO Nick Sorensen, Whistic, asks, "What do you see the most proactive vendors doing to prepare for vendor security reviews from their customers?" “Your bank account has been frozen.” That’s now an old chestnut in the scamming world, but it thrives through increasingly sophisticated spoofing activities that include a banks’ real phone number and real-looking pop-up websites for password refresh requests. Even IT experts can get caught by these things occasionally, as some have even confessed on this very podcast series. This level of relentless innovation is worth keeping front of mind when considering the amounts of data that Internet of Things devices are creating but that organizations have no plan or space for. IBM, Forrester, and others have suggested that maybe 1 percent of data generated from IoT connectivity is being used, mostly for immediate learning or predictive activities. More available on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. First 90 days of a CISO Today is Roger's first official day as a CISO in residence at YL Ventures. What the heck does that mean, and how does that differ from being an operational CISO?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/wait-what-good-news-in-cybersecurity/) On this episode of CISO/Security Vendor Relationship Podcast, cybercrime fails and we brag about it. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Mike Johnson, co-host, CISO/Security Vendor Relationship Podcast, Geoff Belknap, CISO, LinkedIn, and David Spark, producer, CISO Series. Thanks to this week's podcast sponsor Trend Micro. On this week's episode How CISOs are digesting the latest security news We simply don't hear enough good news cybersecurity stories that make those involved proud. What are the cybersecurity stories that aren't being told publicly that should be? First 90 Days of a CISO Michael Farnum, Set Solutions, said, "If you come into the job and aren’t willing to critically review existing projects AND put a stop to the ones that are questionable, then you are going to cause yourself problems later. It might seem like an unwise political move when new to the company, but you have to be willing to swing the axe (or at least push the pause button) on anything that doesn’t make sense." Not so easy, but where's the line where you can actually push and say, "We're changing course"? It's time to play, "What's Worse?!" We've got a split decision! Hey, you're a CISO, what's your take on this? On a previous episode of Defense in Depth, we talked about employee hacking or getting the staff on the same page as the CISO and the security program. I quoted instructor Sarah Mancinho who said, "I am a firm believer that CISOs/CIOs should have their own dedicated IT strategic communications person(s) that report to them, and not any other office. Most comms roles I've seen...had to report to HR/PR/General Comms....none of whom really knew anything about technology/technical comms/infosec....and had little to no interaction with the IT/security team." My co-host, Allan Alford, loved this idea, never had it, but would love to have it. What value could a dedicated PR person bring to the security team? The devious new Android malware called Cerberus steals credentials by using a downloaded fake Adobe Flash player. That is not really innovative in itself, but what’s interesting is the way it seeks to avoid detection by using the phone’s accelerometer to confirm that the infected target is a real device and not on the screen of a security analyst. According to ESET researcher Lukas Stefanko, quoted in Forbes, the app actually counts a number of physical footsteps taken by the phone’s owner, and deploys once the required number has been reached. For more, check out the full tip on CISO Series. Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM. Why is everybody talking about this now? What's behind the cybersecurity skills shortage? In an article on the Forbes Council, Mark Aiello, president of cybersecurity recruiting firm CyberSN, pointed out some ugly truths as to why it's so difficult to hire cybersecurity talent. He pointed to low pay, the desire to find unicorns, poor job descriptions, training and growth. Is the core issue that the cybersecurity industry just does a very poor job welcoming new entrants? Today, what does a cybersecurity professional need walking in the door? And what are CISOs willing to accept no knowledge of, yet willing to train?
All images and links for this episode can be found on CISO Series (https://cisoseries.com/who-are-the-perfect-targets-for-ransomware/) If you've got lots of critical data, a massive insurance policy, and poor security infrastructure, you might be a perfect candidate to be hit with ransomware. This week and this week only, it's an extortion-free episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is Sean Walls (@sean_walls2000), vp, cybersecurity, Eurofins. Thanks to this week's podcast sponsor Core Security Assigning and managing entitlements rapidly to get employees the access they need is critical, but it can come at the cost of accuracy and security. Core Security’s identity governance and administration (IGA) solutions provide the intelligent, visual context needed to efficiently manage identity related security risks across any enterprise. On this week's episode How CISOs are digesting the latest security news An article in the NYTimes points to a new trend in ransomware that is specifically attacking small governments with weak computer protections and strong insurance policies. Payments from $400-$600K. Lake City, Florida, population 12K paid $460K to extortionists. They got some of their information back but they have been set back years of what will require rescanning of paper documents. Mike, I know your standard philosophy is to not pay the ransom, but after a ransomware attack against the city of Atlanta, the mayor refused to pay $51,000 in extortion demands, and so far it's cost the city $7.2 million. Probably more. These payments by the small cities must be incentivizing more attacks. Does this information change the way you're willing to approach ransomware. What can a small city with zero cybersecurity staff do to create a program to reduce their risk to such a ransomware attack? Ask a CISO Bindu Sundaresan, AT&T Consulting Solutions, asks a very simple question, "How is each security initiative supporting the right business outcome?" Do you find yourself selling security into the business this way? If not, would you be more successful selling security to the business if you did do this? What's Worse?! We've got a split decision on what information we prefer after a breach. Listen up, it’s security awareness training time Jon Sanders, Elevate Security, said, "Security awareness involves A LOT of selling… there’s no cookie cutter approach in security awareness or sales!" Is the reason security training is so tough because so many security people are not born salespeople? I've interviewed many and there's a lot of "just listen to me attitude," which really doesn't work in sales. Cloud Security Tip, sponsored by OpenVPN We talk a lot about penetration testing here, given that it remains a staple of proactive IT security. But not everyone feels it’s all it’s cracked up to be. Or should that be, all it’s hacked up to be?” More than one cybersecurity organization points out there are a few flaws in the pen testing concept that make it worth a second look. Pen testing often consists of a small collection of attacks performed within a set time period against a small sample of situations. Some experts doubt the efficacy of testing against a limited field of known vulnerabilities, without knowing what other weaknesses exist in plain sight, or merely invisible to jaded eyes. More on CISO Series... What do you think of this pitch? We have a pitch from Technium in which our CISOs question what exactly are they selling?
All links and images for this episode can be found on CISO Series (https://cisoseries.com/passwords-so-good-you-cant-help-but-reuse-them/) We've just fallen in love with our passwords we just want to use them again and again and again. Unfortunately, some companies more interested in security aren't letting us do that. We discuss on the latest episode of CISO/Security Vendor Relationship Podcast. This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is William Gregorian (@WillGregorian), CISO, Addepar. Thanks to this week's podcast sponsor Cyberint The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505's latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries. How CISOs are digesting the latest security news Chris Castaldo of 2U and a former guest on the show posted this great story of TripAdvisor invalidating user credentials if a member's email and password were found in publicly leaked data breach databases. Is this a great or bad move by TripAdvisor? Ask a CISO On LinkedIn, Chad Loder, CEO, Habitu8 posted an issue about the easy deployment and ubiquity of cloud applications. He argues it's no longer Shadow IT. It's just IT. And securing these cloud tools you don't manage nor know about requires a lot of education. Is Shadow IT inevitable. Should we lose the name? And is education the primary means of securing these services? It's time to play, "What's Worse?!" One of the toughest rounds of "What's Worse?!" we've ever had. Close your eyes. Breathe in. It's time for a little security philosophy. Mike posed a "What's Worse?!" scenario to the LinkedIn community and got a flurry of response. The question was "Would you rather have amazing, quality cybersecurity incident response in 24 hours or spotty, unreliable response in one hour?" I wanted to know what was Mike's initial response and did anyone say anything in the comments to make him change his mind? For quite a while, IT security experts have been touting the value of two factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have. (more on the site) It’s time to measure the risk Chelsea Musante of Akamai asks, "What would you say to someone who thinks their risk for credential abuse / account takeover has decreased because they've implemented MFA (multi-factor authentication)?"
Find the full episode of this podcast (with links and images) on the CISO Series site right here: (https://cisoseries.com/im-humbled-to-tell-you-about-my-prestigious-award/) I'm not exactly sure what "humbling" means, but I'm going to use it to hopefully soften my braggadocio announcement. We discuss semantics and when it's OK to boast your accomplishments on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Will Lin (@WilliamLin), partner and co-founder, ForgePoint Capital. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this week's episode How CISOs are digesting the latest security news In many industries we see VC investments following trends. This is hot and new, let's go and invest in it. A recent story on Forbes spotlights five trends in cybersecurity which comes off as catnip for VCs or at least those in those spaces looking for investments. Is trend hopping a lucrative way to succeed with cybersecurity investments? Why is everybody talking about this now? Peter Cohen, director at Countercept remarked on the hypocrisy of posting a photo of yourself on stage and referring to it as "humbling". People say this with zero idea of the definition. The use of humbled or humbling as a verb means that at one time you thought you were superior and now you realize you are not because essentially someone defeated you and put you in your place. I don't get the sense that's what people mean when they refer to an experience as "humbling." But do a search for the term on LinkedIn and you will see people use it ALL THE TIME. Some of the most popular posts on LinkedIn are achievement announcements. Where's the line between saying you're proud of something and would you honor it with me and coming off like a jackass? What's Worse?! We have two scenarios this week in honor of our VC guest. Hey, you're a CISO, what's your take on this? In a special VC edition of "Hey, you're a CISO, what's your take on this?" Much of what we talk about on this show is what we like and don't like about how security companies market themselves. In the news, the only role we hear VCs playing is financial. But given that VCs are seeing the inner workings of a startup, they can probably see firsthand why a company succeeds or fails. Given what VCs are privvy to that others of us are not, how can VCs help shape the way vendors market themselves? Ask a CISO Fernando Montenegro of 451 Research brought to my attention this tweet from Soldier of Fortran that caused a flurry of discussion. The tweet pointed out that many sites say they offer pricing, but when you go to the page it's just a lot of verbiage with a link to request a quote. Haroon Meer of Thinkst, producers of Canary deception devices and a former guest on this show, said they have pricing on their site even when experienced salesmen told them not to do it. Kyle Hanslovan of Huntress Labs, asked how he could provide transparent pricing when half of his clients are direct and the other half are distributors. Is there a happy medium here or is obfuscation the way to succeed with security selling?
Episode available on CISO Series blog (https://cisoseries.com/no-shirt-no-security-no-merger/) Sure, we'd like to merge with your company but geez, have you looked at your security posture lately? Uggh. I don't know if I could be seen in public with your kind let alone acquire your type. We're wary as to who wants to enter our digital home on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Mark Eggleston (@meggleston), vp, chief information security and privacy officer, Health Partners Plans. Thanks to this week's sponsor, Praetorian As a professional services company, Praetorian helps enterprise customers solve complex cybersecurity problems. We are the security experts. On this week's episode How CISOs are digesting the latest security news Good cybersecurity hygiene is critical not just to mitigate breaches but also the valuation of a company, especially during a merger or acquisition. Itzik Kotler, co-founder and CTO of Safe Breach, notes that back in 2016 the Verizon acquisition price of Yahoo was lowered nearly $350 million after Yahoo disclosed data breaches that had happened up to two years earlier. Kotler said, "The problem is cybersecurity risk from mergers and acquisitions perspective should not be about what has happened, but about what vulnerabilities are being introduced and what could happen as a result." Why is everybody talking about this now? An interesting question on Quora asked, "Do you regret working in cybersecurity?" Do our CISOs ever regret? Why do people regret? "What's Worse?!" We have a challenge that pits securing old and new technology. Ask a CISO Eric Rindo just graduated with his MS in Cybersecurity. He has a certification, but zero experience. He's looking for his first InfoSec opportunity. For a CISO, what's attractive about a candidate like Eric? What do you think of this pitch? What happens when you pitch something CISOs already have?
The direct link to this episode (https://cisoseries.com/all-aboard-the-5g-paranoia-train/) We're getting excited and stressed out about the impending 5G network that appears will control our lives and all our cities. Will it be as exciting, productive, and lacking of security protocols as we expect? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Bruce Schneier (@schneiersblog), book author, lecturer at Harvard Kennedy School, and prolific blogger at Schneider on Security. Thanks to this week's sponsor, Chronicle, makers of Backstory Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself. On this week's episode How CISOs are digesting the latest security news Marsh, an insurance broker, is working with other cyber insurers to identify products and services that will reduce your cyber risk. With their Cyber Catalyst program, they're offering what appears to be some type of Better Business Bureau stamp of approval on solutions that meet their cyber risk standards. What gets us excited and what sets off red flags when we see such an offering? Why is everybody talking about this now? Are you scared of 5G yet? You should be. Well, according to our government, we need to be wary of China and Huawei with their rollout of 5G because owning the next-gen network will conceivably own all of commerce, transportation, and heck anything else. In Schneier's new book, Click Here to Kill Everybody, he speaks to how to survive with all our hyper-connected devices. How aggressively is 5G going to exacerbate the issue of cyber-survival? What's Worse!? We have a split decision on a scenario that involves a time limit. Hey, you're a CISO, what's your take on this? On Schneier's blog, he shared a study that examined whether freelance programmers hired online would write secure code, whether prompted to do it or not. The coders were paid a small pittance and it was unclear if they knew anything about security and surprise. In the end they didn't write secure code. While there are questions about the validity of this study, this does bring up an interesting question: Using a marketplace like Upwork or Freelance.com, how does one go about hiring a freelance coder that can write secure code? Ask a CISO Mark Toney of CrowdStrike asked, after the purchase and use of a security tool, does a CISO or CTO do a post-mortem to see if they got what they paid for? Mark wants to know are you looking at what was improved, where it was improved, and by how much it was improved?
Direct link for episode on blog (https://cisoseries.com/do-you-know-the-secret-cybersecurity-handshake/) We get the feeling that as we're adding more solutions and requiring more certificates, we're just making the problem of security harder and harder. Has the problem of not enough talent become an issue that we created? We discuss that and more on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Taylor Lehmann (@BostonCyberGuy), CISO, Wellforce. Thanks to this week's sponsor, Chronicle, makers of Backstory Chronicle’s Backstory is a global security telemetry platform for investigation and threat hunting within your enterprise network. Backstory makes security analytics instant, easy, and cost-effective. Backstory is a specialized, cloud-native security analytics system, built on the core infrastructure that powers Google itself. On this week's episode How CISOs are digesting the latest security news The Hill reports, "A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise." The Cybersecurity Disclosure Act of 2019, would require the SEC to issue a new set of rules requiring U.S. companies to tell their investors whether they have someone who has cyber expertise on their board. If they don't, they must explain to their investors why this is the case." Will such a measure pass and if not, what is the best action here to insure some level of cybersecurity confidence? Why is everybody talking about this now? On a recent episode of the podcast we talked about swapping out the word "security" for "safety." Chris Roberts of Attivo Networks brought this topic up and he says if we change the conversation more people will care. How does the viewpoint of security change when you're talking about safety? How does behavior change? What's Worse?! I can't believe it's taken me this long to ask this question. Hey, you're a CISO, what's your take on this? Once you connect a device to the Internet and trade information, you're now a potential attack vector. And if your device is critical for maintaining life, like automobiles and medical devices, vulnerabilities no longer become a case of losing data, but of losing lives. Medical device manufacturers are rarely experts at software development, let alone cybersecurity. Vulnerabilities happen all the time. What is and isn't working with the reporting, alerting, and fixing of device vulnerabilities? Ask a CISO Could the talent gap be a self-fulfilling prophecy or at the very least an avoidable consequence of security’s red hot growth," asked Sam Curry, CSO at Cybereason, on Forbes. "What started as an esoteric field is becoming even more arcane as we grow." Curry offered some suggestions on where to improve situations to improve the complexity of security. Are fixing these issues harder than fixing security?
Direct link for episode on blog (https://cisoseries.com/if-at-first-you-dont-succeed-theres-always-blackmail/) We note that blackmail has become an option even in cybersecurity sales. It appears some vendors have become so desperate that they've resorted to borderline criminal activity. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson. Our guest this week is Branden Newman, CISO for Adidas. Thanks to this week's sponsor, Logicgate LogicGate is an agile GRC process automation platform that combines powerful functionality with an intuitive design to enhance enterprise governance, risk, and compliance programs. With our prebuilt process templates, organizations quickly and efficiently operationalize their GRC activities without requiring support from consultants or corporate IT. On this week's episode How CISOs are digesting the latest security news CNBC published a piece about security vendors being so desperate for meetings with CISOs that they've resorted to blackmail. They see a breach, even if it's not holding any critical or personal data, and they threaten to take it to the press if the CISO doesn't meet with them and/or let them fix it. Has this happened to our CISOs and if so, what did they do? Why is everybody talking about this now? We talk about the basics a lot on this show, but I'm getting the sense that the industry is finally taking it seriously. We saw evidence at RSA with 60% of the content being focused on fundamentals. And CISOs at major companies not touting the latest threats, but getting back to basics. We've talked a lot about this issue on the show. How else can the industry turn the focus about getting back to basics? What's Worse?! I challenge the CISOs once again on what is probably the shortest What's Worse?! question. Hey, you're a CISO, what's your take on this?' The horror of the badge scanner. Chad Loder, CEO of Habitu8, posted that he never uses badge scanners because "There's nothing worse than talking to someone only to have them ask, 'Mind if I scan you?' - it reinforces the idea that the goal of this human interaction is to ensure you're added to a list." The goals of attendees (learning and valuable conversations) are not coinciding with the goals of vendors (more scans for follow up cold calls and marketing). What is the ideal booth experience for a security professional? BTW, I wrote a book on how to engage at a trade show entitled Three Feet from Seven Figures: One-on-One Engagement Techniques to Qualify More Leads at Trade Shows. Check it out at http://threefeetbook.com Ask a CISO Jeremiah Grossman, CEO of Bit Discovery, and a former guest, asked this question on Twiter which caused a flurry of discussion: "In InfoSec we often hear, 'Why don’t organizations just do or fix … X?' As a thought exercise, ask the opposite. 'Why should businesses do or fix… X?,' and do so in dollars and cents terms.It’s often surprisingly difficult." Is it possible to calculate this formula?
In today’s podcast, we hear that a terror attack against two New Zealand mosques is announced on Twitter and live-streamed on Facebook. A new, unobtrusive JavaScript sniffer infests some e-commerce sites in the UK and the US. Cryptojacking finds its way into the cloud. A look at the consequences of regulation, both good and bad. How CISOs will have to grapple with the increasingly pervasive Internet-of-things. And China’s National People’s Congress makes a gesture toward respecting IP, but the world remains skeptical. Craig Williams from Cisco Talos with an update of crypto miners. Guest is Nirmal John, author of the book, “Breach: Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe.” For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_15.html Support our show
CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We tip our hat to the much maligned "Department of No" for having the foresight to see that refusing service is probably the most efficient and secure response. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is April Wright (@AprilWright), CEO, ArchitectSecurity.org. Thanks to our sponsor, Endgame Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs – their people, processes and technology – with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall. On this episode How CISOs are digesting the latest security news In an effort to improve security before the 2020 Olympic games, the government of Japan will try to hack its own citizens by using default passwords on webcams, routers, and other Internet connected devices. If they break through they will alert the people that their devices are susceptible to attacks. How good or bad is this idea? Will this give way to easy phishing scams? Why is everybody talking about this now? Online, Mike brought up the subject of security rockstar culture and specifically pointed this comes from the security staff playing offense vs. the ones playing defense who really need a team behind them to be effective. We look at the difference between a healthy leading voice in security vs. “a look at me” security rockstar. It’s time to play, “What’s Worse?!” Two rounds and the first one Mike spends a lot of time debating. Ask a CISO Brad Green of ObserveIT asks, “Do CISOs pay attention to competitive market conditions of different vendors?” Are you aware of what’s going on and what impact do analysts have? What do you think of this pitch? Two pitches to critique. Lots of insight.
CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Do you want a security vendor that’s good at protecting you from malware or a vendor that’s honest with you about their failure rates? Whatever happens you’ll take it on the latest episode of CISO/Security Vendor Relationship Podcast recorded live in NYC for the NY Information Security Meetup (@NYInfoSecurity). Thanks for hosting our recording! This super-sized special episode features drop-in co-host, John Prokap (@JProkap), CISO of HarperCollins Publishers, and our guest Johna Till Johnson (@JohnaTillJohnso), CEO of Nemertes Research. Check out all the awesome photos from the event. Context Information Security is a leading technical cyber security consultancy, with over 20 years of experience and offices worldwide. Through advanced adversary simulation and penetration testing, we help you answer the question – how effective is my current cyber security strategy against real world attacks? On this episode How CISOs are digesting the latest security news To Facebook, our data in aggregate is very valuable. But to each individual, they view it as essentially worthless as they're happy to give it away to Facebook for $20/month. I don't see this ever changing. Does an employees carelessness with their own privacy affect your corporation's privacy? Why is everybody talking about this now? Rich Mason, former CISO at Honeywell posted about the need to change the way we grade malware. He noted that touting 99 percent blocking of malware that allows for one percent failure and network infection is actually a 100 percent failure. It's the classic lying with statistics model. How should we be measuring the effectiveness of malware? What's Worse?! We play two rounds trying to determine the worst of bad security behavior. What's a CISO to do? A CISO can determine their budget by: 1: Meeting compliance issues or minimum security requirements 2: Being reactionary 3: Reducing business risk 4: Enabling the business Far too often, vendors have preyed on reactionary and compliance buyers. But the growing trend from most CISOs is the reduction of business risk. How does this change a CISO's budgeting? Let's dig a little deeper We bring up "do the basics" repeatedly on this show because it is often the basics, not the APTs, that are the cause of a breach or security failure. Why are the basics so darn hard and why are people failing at them? What do you think of this pitch? We've got two pitches for my co-host and guest to critique. And now this... We wrap up our live show with lots of questions from the audience.
CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We don't have to make our software any simpler to use. You just need to get smart enough to use it. We're all attitude on the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our sponsored guest this week is Mike Nichols (@hmikenichols), VP of product at Endgame. Endgame makes nation-state grade protection as easy as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit www.endgame.com. Endgame will be at RSA this year in booth 1827 in the south hall. On this episode How CISOs are digesting the latest security news Is this yet ANOTHER security breach? A massive document of usernames and passwords. These are all available in text files, pretty much for anyone to see. We're not sure, but this may be a collection of usernames and passwords from historical hacks, but it's not clear. Most of us have potentially more than a hundred usernames and passwords. How are we supposed to go through all our accounts and change them all? Can we slap 2FA on top of everything? What should be the best reaction to this kind of news? Hey, you're a CISO, what's your take on this?' In the area of user experience, B2B software seems neglected. All the wonderful usability goes to consumer apps, because everybody needs to be able to use them. But B2B software can cut corners and add extra layers for usability because heck, these people are experts, they're hired to do this job. They should know what they're doing. But that type of thinking is hurting the industry as a whole. What's Worse?! We've got a scenario of two CISOs with two different companies. Which one has the worst security posture? Please, Enough. No, More. Our topic is endpoint protection. We talk about we've heard enough about on endpoint protection, and what we'd like to hear a lot more. Endgame's machine learning engine, Ember, is open source. What's a CISO to do? Why is it so difficult to hire InfoSec professionals? Is there not enough skills, not enough people interested, tough to hire diversity, way too competitive environment, or is it the nature of the recruiting industry itself?
CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Be afraid. Be very afraid of the latest episode of the CISO/Security Vendor Relationship Podcast where it's possible that 90 percent of your security breaches are coming from within your own company. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Leon Ravenna, CISO, KAR Auction Services. Synack provides crowdsourced security testing that provides more than older style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally-sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, and data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but displays attack patterns and quantities in real-time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com. On this episode How CISOs are digesting the latest security news According to a new report from Kroll, "Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches." They report that 2,124 incidents could be attributed to human error, compared to just 292 that were deliberate cyber incidents, They say that's a 75% increase over the past two years but that could be because reporting breaches wasn't mandatory before GDPR. One user commented, these numbers seem to conflict with what the Verizon Breach report says. According to this data it appears a security leader should be spending close to 90 percent of their budget and effort trying to prevent inside data leakage. How would your security plan change if that was your charge? Hey, you're a CISO, what's your take on this?' An article and video published last week on this site written and featuring Elliot Lewis, CEO of Encryptics, talks about the need to get cozy with your legal team because when a breach occurs, you're going to need to have possession, custody, and control of your data. If you can't answer those questions you're putting your legal team in a bind. Mike and our guest talk about being able to answer these questions and building relations with the legal team. It's time to play, "Um... What Do They Do?" It's a brand new game where I read copy from a vendor's website, and Mike and our guest try to guess, "What do they do?" What's a CISO to do? Kip Boyle, past guest, friend of the show, and author of a new book, "Fire Doesn't Innovate," which comes out today asks this question, "Could good cyber risk management be the basis for a competitive differentiator for your business? How?" Kip's book is available at firedoesntinnovate.com and for the first week it's out it's only $.99 via Kindle. Ask a CISO Thomas Torgerson of Blue Cross/Blue Shield of Alabama asks, "How do CISO's feel about presenting webinars or speaking at other events regarding products that they use in their environment?" Are there incentives promoting a vendor solution? Or is it too risky to let threat actors know your security toolsets?
No matter how much money we shove into security, it never seems to fill up. That's good for vendors. Not so good for buyers of security who don't have a bottomless pit of money to fill the bottomless pit of security. This week's episode is sponsored by Red Canary. Red Canary is a security operations ally to organizations of all sizes. They arm customers with outcome-focused solutions that can be deployed in minutes to quickly identify and shut down adversaries. Follow their blog for access to educational tools and other resources that can help you improve your security program. Got feedback? Join the conversation on LinkedIn On this episode How CISOs are digesting the latest security news Wayne Rash of eWEEK wrote a piece on what to expect in cybersecurity in 2019. Most of the stuff is more of the same, such as nation state attacks, ransomware, phishing, and assume you're going to get attacked. But, he did bring up some issues that don't get nearly as much discussion. One was cryptomining which is hijacking your cloud instances, encrypting ALL data, moving away from usernames/passwords, and getting a third-party audit. So what's on CISOs' radar in 2019 Why is everybody talking about this now? Dutch Schwartz of Forcepoint brought up the issue of collaboration. This is not a new topic and we all know that if we don't share information the attackers who do share information will always have leverage. There are obvious privacy and competitive reasons why companies don't share information, but I proposed that if the industry believes collaboration is so important, then it should be a requirement (think GDPR) or we should build incentives (think energy incentives) with a time limit. Is this the right approach? Is the collaboration we're doing already enough? What's Worse?! We play yet another round on an issue that really annoys my co-host. What's a CISO to do? Thom Langford, CISO of Publicis Groupe, said that cybersecurity should be seen as a long term campaign. And if you keep at it, you will see results. Think anti-smoking or seat belt campaigns. Yet we see more and more companies treating security as a one-off project and not looking at dealing with it in the long term. Could this be more a problem of how we view security in the media? Ask a CISO Brijesh Singh, Inspector General of Police, Cyber at Government of Maharashtra said, "A young student asked me a very basic question, isn’t Cybersecurity just a branch of IT? Why should it be treated separately?" It's an awesome question that resulted in a flurry of responses. Is there a difference? Got feedback? Join the conversation on LinkedIn
CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We're clawing each other's eyes out in the latest episode of the CISO/Security Vendor Relationship Podcast. This show, like all the previous ones is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Darren Death (@darrendeath), VP of InfoSec, CISO, ASRC Federal. Special thanks to Virtru for sponsoring this episode. As a reader, I know you’re always worried about your data. That’s why Virtru is providing a free copy of Forrester’s 14-page report on the Future of Data Security and Privacy to readers for a limited time. Click here to grab your copy while it’s still available. On this episode: How CISOs are digesting the latest security news A nasty fight between two security vendors becomes public because one of the CEOs decides to expose the other CEO. But did he really? What's really going on? Thanks to Nathan Burke of Axonius for bringing this story to our attention. Why is everybody talking about this now? Is calling someone a "blocker" the most weaponized word in the tech industry? How can this be avoided and what are the scenarios this term comes up? What's Worse?! We've got a split decision on this week's question on trust. What's a CISO to do? Robert Samuel, CISO, Government of Nova Scotia asks our CISOs, "What does success look like?" How do CISOs define success? Ask a CISO Where should an SMB, that may have little to no security team, begin building out its security program?
Key Points From This Episode:Find out more about Scott and his background in the industry.Using newer technologies to mitigate risk issues.The importance of measuring vulnerability and patch programs.Speaking in business terms versus technical terms.Addressing patching and hardening caused performance issues.Resolving a CISO’s mandate versus the line of business mandate.What are the guiding principles of organization collaboration?Getting the business to realize that they are the brakes on the car.How do we define world class security?Why the best security is secure but transparent to the end user.Why CISOs have to start explaining problems in business terms.How a CISO can still stay relevant knowing that a threat is out there.Find out why CISOs need to start acknowledging their weaknesses.How CISOs can make the shift from tech heads to business leaders.Companies are realizing they need a more business minded CISO.Managing CISO fear and how to ensure a long-term position.The common trait that Scott sees in successful CISOs.Why unsuccessful CISOs don’t want to be the bearer of bad news.Are we really facing a cyber skills shortage?And much more!
© 2020-2025 Ivy Podcast Discovery LLC
